Cyber attacks are a common occurrence these days. No organization is without risk, and everyone is doing their best to stop the next attack from happening.
Unfortunately, malicious actors are smart, creative and patient. They know what to look for, where to look for it, and how to maximize every advantage they get.
What can hackers do with the data they locate and gather?
From exploiting remote access services, to launching highly customized spear-phishing campaigns, or even using a high profile social media account to get others to lower their guard and expose themselves, or their employers. But the data we allow attackers to find? That is up to us.
Attackers meticulously monitor and track your assets.
When taking on a target, an attacker will strive to learn as much as possible about it.
The level of reconnaissance or due diligence on the side of the attacker will determine the outcome of the entire campaign. The higher the quality of the information, the higher the chances of success. Researching a target sounds easy enough, but is in fact very elaborate and methodical.
While a simple Google search is a good start to enumerate a target, “Google dorks” can deliver much more interesting results. When a Google search crosses with social media (e.g. Linkedin, Facebook, Twitter, TikTok, etc…), a well-defined and broad layout of the target can be generated. There are very efficient tools created in order to assist with this stage (Recon-ng, foca, and OSINT framework to name a few).
Mapping your assets for optimized hacking.
Once the attacker has mapped a basic layout of targets (aka your assets), the attacker will attempt to gather more accurate information about specific parts of your exposed assets. Using specialized search engines, scraping websites, digging into data leaks and even TXT records for targeted domains can reveal a lot of information, without risk of being detected.
Gaining insights into internal applications/tools/technologies used by you, the prime target might prove invaluable in the hands of a creative attacker. A well targeted phishing campaign, leveraging knowledge about internal tools (emails telling you to upgrade applications you use such as Office 365 / Jira / Zoom – from TXT records), or specific systems being used (Jenkins, AWS, Kibana specific infor extracted from the “nice to have” skill list in, for example a job opening you applied for) will have a much higher chance of succeeding because you are more likely to skim the message, see something familiar that you use, and click a deadly cyber attack link.
The best cyber defense is a good offense.
Targets (you, your organization) should not sit back and wait. You remain vigilant about mitigating risk of attacks by installing security measures to detect, prevent and respond to threats in real time.
You (and your cyber security team of your organizations) have to conduct training sessions, and educate employees on the threats and methods that will be used to trick them, and how to remain vigilant. Order penetration tests to make sure newly upgraded infrastructure is secure.
Vigilance must be ongoing, but can be semi-automated.
Why is vigilance a 24/7/365 effort? Because attackers are smart and persistent. Once they find several internet facing assets, they will continue to play, try to scan or worse. Attackers come from all over the world and every time zone.
And yes, free services might provide a partial picture of your vulnerable assets, but there is much more going on beyond what we know to look for – leaving us with blind spots that attackers love to low-key exploit. And when attackers do it correctly (and they usually do) it will not be easy to spot the patterns of for example, a port scan trying to detect even more exposed services. But no worries, attackers remain patient and vigilant continuously scanning and probing, for months (even years), to keep an eye on which new services and tools your teams are using across your org. It might just be a new test server for the Dev team, or the IT team testing out a shiny new VPN. Some inconsequential, temporary service that was meant to be taken down after a few days, and might not be directly connected to the production environment, but…someone wasn’t as vigilant as the attacker. And there you have an exposed, vulnerable attack surface.
What deters attackers?(as told by the attackers)
Remain vigilant. Layout the cyber risks that CISOs and cyber security teams need to monitor and implement some external attack surface management tools that map your known and unknown assets and assess your risk.