Tuesday, March 28, 2017

The importance of reconnaissance to the targeted threat actor

A few days ago, I was in a conversation with a colleague who was explaining his understanding of the Cyber Kill Chain. This was not the Lockheed Martin model (Hutchins, Cloppert, & Amin) but one that he envisioned. In his model, he did not place much emphasis on reconnaissance, so I asked why. His argument was that while he understands the need for reconnaissance and that it is performed, he does not see it as important. While I respect his opinion, my belief is that the facts show that reconnaissance is not just important but extremely important. Consideration must therefore be given to ways an organization can reduce the amount of information that can be learned about it, so as to reduce the harm that can be caused to it.

To the script kiddie, reconnaissance means nothing. The script kiddie focuses on low-hanging fruit and is tactical rather than strategic. To the targeted attacker, however, it means everything, as their focus is more strategic and less tactical. Targeted attackers are more concerned with long-term gains than short-term ones. It is the difference between an attacker spending 10 minutes or 10 years in your environment without being detected.

The importance of reconnaissance can be seen, and further understood, from Symantec's "Advanced Persistent Threats: A Symantec Perspective". In this document Symantec states that a large number of researchers may spend months studying their targets, gaining familiarity with the systems, processes and people, including vendors and partners (Symantec.com). Assigning a large number of researchers to any task is no small effort, and it emphasizes the importance of this phase in a targeted attack.

For nation-state threat actors, reconnaissance is even more important, as their objective is to strike with precision: not mass impact but targeted impact. To further emphasize the importance of reconnaissance, we can look at attacks such as Stuxnet (Symantec, 2011), the Sony hack (Bisson, 2015), Darkhotel (Kaspersky Lab, 2014), Red October (GReAT, 2013), the RSA attack (RSA FraudAction Research Labs, 2011), Operation Aurora (Stewart, 2010), Titan Rain (Norton-Taylor, 2007) and HBGary (Bright, 2011). There are also many others which could be considered. However, let's focus on Darkhotel, HBGary and Stuxnet.

Starting off with Darkhotel, this threat actor's activity is tied to the Wi-Fi and wired connections of specific hotels and business centers. Additionally, spear-phishing is used against their targets (Kaspersky Lab, 2014). This attack targets specific victim categories such as corporate executives and high-tech entrepreneurs, even those who may be situationally aware. Once connected to the hotel's Wi-Fi, the guest would see what purported to be updates for their software. Some of the software impersonated was from vendors such as Adobe, Microsoft and Google, and the fake updates were selectively distributed to targeted individuals (Kaspersky Lab, 2014). What is also interesting is that the first stage of the malware helps the attackers learn the significance of the guest, which contributes to the determination of whether or not more advanced malware should be downloaded (Kaspersky Lab, 2014).

Clearly, a significant amount of reconnaissance would have had to be done to attack the right targets in the Darkhotel example. This can also be seen from the fact that even though guests were required to use their last name and room number to access the Wi-Fi, only some guests received the Darkhotel package (Kaspersky Lab, 2014). This is either a strange coincidence, a clear example of the aim of infecting specific targets, or perhaps just inconsistency in the way the packages were deployed. If the aim was to infect specific targets, then great effort would have had to be made to learn about those targets beforehand.

Looking at the HBGary example, their hbgaryfederal.com Content Management System (CMS) was vulnerable to SQL injection (Bright, 2011). How did Anonymous know that it was vulnerable to SQL injection? The only way would have been to perform reconnaissance; in this case, the reconnaissance consisted of running the various tests for SQL injection flaws. On a side note, and more to the point of the significance of reconnaissance, according to Anderson (2011), HBGary Federal CEO Aaron Barr gave a presentation at a closed Department of Justice (DOJ) conference on leveraging specific techniques to target, collect on and exploit targets with 100% success using social media. More specifically, Barr had proposed a talk titled "Who needs NSA when we have social media" (Anderson, 2011). This shows the role social media plays in reconnaissance. The point is that it demonstrates the importance of reconnaissance, regardless of the medium used to perform it.

The final example we will look at is Stuxnet. Without a doubt, reconnaissance had to have played an extremely large role in this attack. The focus of Stuxnet was to target organizations in Iran which were believed to be operating Iranian nuclear facilities (Symantec.com). For this attack to be successful, the attackers had to perform reconnaissance to the extent that they learned the schematics of each Programmable Logic Controller (PLC), as each one is configured in a unique manner. Once these schematics were known, each feature of Stuxnet was implemented for a specific reason (Symantec, 2011). How much more targeted could this have been? Clearly this was reconnaissance, and it had great significance.

I think I've given quite a few examples to demonstrate the importance of reconnaissance to the targeted attacker. While we need to ensure our infrastructure is protected from script kiddies, we need to take even greater measures when it comes to protecting it from the targeted attacker.


Anderson, N. (2011, February 9). How one man tracked down Anonymous—and paid a heavy price - Aaron Barr, CEO of security firm HBGary Federal, spent a month tracking down …. Retrieved from arstechnica.com: https://arstechnica.com/tech-policy/2011/02/how-one-security-firm-tracked-anonymousand-paid-a-heavy-price/

Bisson, D. (2015, April 22). Sony Hackers Used Phishing Emails to Breach Company Networks. Retrieved from tripwire.com: https://www.tripwire.com/state-of-security/latest-security-news/sony-hackers-used-phishing-emails-to-breach-company-networks/

Bright, P. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack - After interviews with the hackers from Anonymous who invaded HBGary Federal …. Retrieved from arstechnica.com: https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/2/

GReAT. (2013, January 14). "Red October" Diplomatic Cyber Attacks Investigation. Retrieved from securelist.com: https://securelist.com/analysis/publications/36740/red-october-diplomatic-cyber-attacks-investigation/

Hutchins, E. M., Cloppert, M. J., & Amin, R. M. (n.d.). Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. Retrieved from lockheedmartin.ca: http://www.lockheedmartin.ca/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf

Kaspersky Lab. (2014). The Darkhotel APT: A Story of Unusual Hospitality. Retrieved from securelist.com: https://securelist.com/files/2014/11/darkhotel_kl_07.11.pdf

Norton-Taylor, R. (2007, September 5). Titan Rain - how Chinese hackers targeted Whitehall. Retrieved from theguardian.com: https://www.theguardian.com/technology/2007/sep/04/news.internet

RSA FraudAction Research Labs. (2011, April 1). Anatomy of an Attack. Retrieved from blogs.rsa.com: http://blogs.rsa.com/anatomy-of-an-attack/

Stewart, J. (2010, January 19). Operation Aurora: Clues in the Code. Retrieved from secureworks.com: https://www.secureworks.com/blog/research-20913

Symantec. (2011). W32.Stuxnet Dossier. Retrieved from symantec.com: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/security-response-w32-stuxnet-dossier-11-en.pdf

Symantec.com. (n.d.). Advanced Persistent Threats: A Symantec Perspective. Retrieved from symantec.com: https://www.symantec.com/content/en/us/enterprise/white_papers/b-advanced_persistent_threats_WP_21215957.en-us.pdf