Day 2-1.pptx
Reconnaissance
Reconnaissance is a term used widely in military operations. Its literal meaning is "sending spies into an enemy's territory to gather data about where and when to strike". If done right, the target will not know that it has been performed. It is one of the most important stages of an attack life cycle.

External Reconnaissance
External reconnaissance is done outside the organization's network and systems. It normally relies on the carelessness of the organization's users. Ways to perform external reconnaissance include the following:
- Dumpster diving
- Social media
- Social engineering

Dumpster Diving
Organizations dispose of out-of-date or no-longer-used devices in several ways, such as selling them by bidding, sending them to recyclers, or dumping them in storage. By taking old external storage devices or obsolete computers that were not thoroughly wiped, attackers may obtain information such as:
- The structure, resources, processes and systems used to manage the organization
- Passwords stored openly in browsers
- The privileges and details of different users
- Access to systems on the network that are customized for particular users

Degaussing is the process of reducing or eliminating an unwanted magnetic field (and with it the data) stored on tape and disk media such as desktop and laptop hard drives. It uses a strong magnetic field to disrupt the data inside the disk and make it inaccessible. → It does not work for SSDs. Deleting data using software is generally not a secure method. How to sanitize an SSD? Encrypt it with a long random key, discard the key, then format it.

Social Media
Social media can reveal a huge amount of information about people. It is the best place to mine data about specific targets:
- Data about the companies users work for
- Details about family members, relatives and friends, as well as residence and contact information
An attacker can create a fake account (identity theft); all that is needed is some fake photos and up-to-date details about the victim. Using that fake account, the attacker can obtain network information and statistics from the IT department, along with security information about the network. Hackers can guess passwords or the answers to secret questions from a user's date of birth, their parents' maiden names, the street they grew up on, pet names, school names and so on. Accepting "connections" or "friendships" with people you do not know in everyday life can put you at risk. A phishing post, or a message from an unfamiliar person on social media, can be an attempt to install malware on the target's computer.

Social Engineering: psychological levers
- Reciprocation: A victim does something for a social media user, who in turn feels the need to return the favor. It is part of human nature to feel obligated to return a favor, and attackers have come to know and exploit this.
- Scarcity: Threatening a short supply of something the target needs, e.g. a trip package, a mega sale, or a new product release.
- Consistency: People tend to stick to what they know or what they have been promised. If someone pretends to be a trusted company or person, such as a vendor for an IT team, others may not question it because they are used to dealing with that vendor. In the example given, attackers pretend to be that trusted vendor and hand the IT team electronics carrying harmful software; the team may not notice because they are used to working with and trusting that vendor. It is a reminder to always be cautious and double-check, even with things you are familiar with.
- Liking: Humans are more likely to comply with the requests of people they like or who appear attractive.
- Authority: A commonly used lever with a high success rate. Humans are generally obedient to the authority of those ranked above them, even when the request seems malicious, e.g. being asked to hand over login credentials or to send sensitive data over unsecured channels.
- Validation: Humans readily comply and do something if other people are doing the same; nobody wants to be the odd one out.

Social Engineering: techniques
- Pretexting: A form of social engineering in which an attacker creates a false scenario, or pretext, to trick individuals into providing sensitive information or performing actions they normally would not. It often involves impersonating someone else, such as a trusted authority figure or service provider, to gain access to information or resources.
- Diversion theft: Attackers persuade delivery and transport companies that their deliveries and services are requested elsewhere.
- Phishing: One of the oldest tricks hackers have used over the years, yet its success rate is still surprisingly high. A hacker sends emails to a target while pretending to be a legitimate third-party organization, e.g. a link leading to a malicious or fraudulent website, or a message claiming to be a court order notice. The typical signs of phishing emails include:
  - Asks for sensitive information
  - Uses a different domain
  - Contains a link that is not consistent with the domain
  - Is not personalized
  - Uses poor spelling and grammar
  - Always tries to panic the receiver
- Phone phishing (vishing): The attacker uses phone calls instead of emails, or as an extension of an email phishing attack. The attacker uses an illegitimate interactive voice response system that sounds exactly like the ones used by banks and service providers.
- Spear phishing: Specifically targeted at obtaining information from users in an organization, after performing several background checks on the targets.
- Water holing: An attack strategy in which the attacker guesses or observes which websites the group often uses and infects one or more of them with malware.
- Baiting: Exploiting the greed or curiosity of a certain target. An attacker leaves a malware-infected external storage device where other people can easily find it, or leaves files a victim will be tempted to open, such as "the executive summary of salaries and upcoming promotions".
- Quid pro quo (a favour or advantage granted in return for something): Attackers keep calling random numbers claiming to be from technical support and offer some sort of assistance, which then gives them access to the victims' computers or the ability to launch malware.
- Tailgating: An attacker walks behind an employee who has legitimate access and enters behind them, either 1) by borrowing their RFID card, or 2) by gaining entry with a fake card under the guise of accessibility problems.

Internal Reconnaissance
Internal reconnaissance is done onsite: attacks are carried out within the organization's network, systems and premises. The main difference between external and internal reconnaissance is that external reconnaissance is done without interacting with the system, instead finding entry points through the humans who work in the organization.
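The six signs of a phishing email listed above can be turned into a simple mail-triage check. The following Python script is an added example written for this page, not code from the slides: it parses a constructed lookalike "bank" message and a constructed legitimate one, and flags each sign. The organisation's real domain (examplebank.com), the sender and link domains in the samples, and the keyword and misspelling lists are all assumptions made up for the illustration; a real deployment would tune them to the organisation's own mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not from the slides): a lookalike "bank" notice that shows
# every sign at once. The organisation's real domain is assumed to be examplebank.com.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank-secure.com>
To: customer@example.org
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>We detected unusual activity. Please verify your password and card number
immediatly or your account will be locked.</p>
<p><a href="http://examplebank-secure.com.login-check.example/verify">https://www.examplebank.com/secure</a></p>
</body></html>
"""

# Constructed legitimate counterpart: personalised, same domain everywhere, no pressure.
LEGIT_EMAIL = """\
From: "Example Bank" <alerts@examplebank.com>
To: alice@example.org
Subject: Your monthly statement is available
Content-Type: text/html

<html><body>
<p>Dear Alice,</p>
<p>Your statement for last month is ready.
<a href="https://www.examplebank.com/statements">View statement</a></p>
</body></html>
"""

# Assumed keyword lists; tune these to the organisation's own mail traffic.
SENSITIVE_TERMS = ("password", "card number", "social security", "pin code", "login details")
URGENCY_TERMS = ("urgent", "immediately", "immediatly", "suspended", "locked", "24 hours", "final notice")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued", "dear member", "dear account holder")
COMMON_MISSPELLINGS = ("immediatly", "recieve", "acount", "verfy", "securty", "adress")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host):
    """Crude 'example.com' extraction: last two DNS labels, lower-cased."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    """Host part of a URL; tolerates bare 'www.example.com/path' anchor text."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


def phishing_indicators(raw_email, expected_domain):
    """Return a dict mapping each of the six signs to True/False."""
    msg = message_from_string(raw_email)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = re.sub(r"<[^>]+>", " ", body)  # strip tags so keyword checks see prose only
    lowered = (msg.get("Subject", "") + " " + text).lower()

    _, sender_addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender_addr.rsplit("@", 1)[-1]) if "@" in sender_addr else ""
    expected = registrable_domain(expected_domain)

    # A link is inconsistent if its target is off-domain, or if the visible
    # anchor text is a URL whose domain differs from the real href target.
    bad_links = []
    for href, anchor in LINK_RE.findall(body):
        anchor_text = anchor.strip()
        href_dom = registrable_domain(host_of(href))
        looks_like_url = "://" in anchor_text or anchor_text.startswith("www.")
        if href_dom != expected or (looks_like_url and registrable_domain(host_of(anchor_text)) != href_dom):
            bad_links.append(href)

    return {
        "asks_for_sensitive_info": any(t in lowered for t in SENSITIVE_TERMS),
        "sender_domain_differs": sender_domain != expected,
        "link_inconsistent_with_domain": bool(bad_links),
        "not_personalized": any(g in lowered for g in GENERIC_GREETINGS),
        "poor_spelling": any(w in lowered for w in COMMON_MISSPELLINGS),
        "creates_panic": any(t in lowered for t in URGENCY_TERMS),
    }


def phishing_score(raw_email, expected_domain):
    """Number of signs present: 0 is clean, 6 means every sign on the slide fired."""
    return sum(phishing_indicators(raw_email, expected_domain).values())


if __name__ == "__main__":
    for name, mail in (("lookalike", SAMPLE_EMAIL), ("legitimate", LEGIT_EMAIL)):
        print(name, phishing_score(mail, "examplebank.com"), phishing_indicators(mail, "examplebank.com"))
```

The score is a triage aid rather than a verdict: a single hit such as an off-domain link is worth a closer look, while a message that trips several signs at once matches the pattern the slides describe closely enough to be quarantined for review.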