Page 12 - Cyber Warnings August 2017
     External reconnaissance
               Your organization and its employees have public presences beyond your networks. The first
               step any attacker is going to take against an organization is to collect as much data as possible,
               looking for anything that can be used to pry open an entry point. Perform the same external
               reconnaissance an attacker would on your own organization:
                    •  Check WHOIS records. Is any useful internal information being leaked, such as
                        a named technical contact who can be spear-phished, or whose identity can be
                        assumed to social-engineer another employee?
                   •  Collect public information on your employees. Using advanced Google searching or
                       other tools like theHarvester, see what information is publicly available about employees,
                       such as names, titles, email addresses, phone numbers, etc. This information can be
                       used as a target list for phishing attempts, as well as helping to construct wordlists for
                       password cracking attempts. Email addresses often betray the organization’s username
                       scheme, which can allow a list of usernames to be generated if employee names are
                       known, also useful in password cracking and reset attempts.
                   •  Find domains / subdomains. Using advanced Google searching, exposed domains
                       and subdomains can be easily located. Sometimes there are forgotten subdomains
                       exposed, and some of these might be system management consoles or forgotten
                       servers used for software development or QA.
                   •  Find exposed documents. Again, using advanced Google searching, proprietary
                       information can often be obtained through documents that have been openly shared by
                       employees on Dropbox, Box, OneDrive, Google Drive, etc.
                   •  Examine your website for data leakage. Valuable organization / employee information
                       and even customer information can be unnecessarily exposed on a web site, providing
                       additional footholds for phishing, social engineering, or password attacks.
               External reconnaissance can be an eye-opening exercise. This is where threat actors begin
               their attack on your organization. It can instead be where you leave them empty-handed.
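The username-scheme inference described in the second bullet above, as an added example in Python (this is not code from the article and not part of theHarvester). It takes a couple of name/address pairs that are already known to belong together, works out which addressing scheme reproduces them, and then expands a harvested list of employee names into candidate usernames or addresses for a password-spray or reset attempt. Every name, address and the example.com domain are constructed sample data; the scheme table is an assumption that covers the common corporate conventions, not an exhaustive one.

```python
"""Infer an organisation's username scheme from a few harvested e-mail
addresses, then expand a list of employee names into candidate usernames.

Added example; not code from the original article or from theHarvester.
The e-mail addresses and employee names below are constructed sample data.
"""
import re

# Candidate schemes (assumed common corporate conventions), each mapping
# (first, last) -> local part of the address.
SCHEMES = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first":      lambda f, l: f,
}


def normalise(name):
    """'Bob O'Neil' -> ('bob', 'oneil'): lower-case, letters only.
    Middle names are ignored; single-word names cannot be expanded."""
    parts = re.sub(r"[^a-z ]", "", name.lower()).split()
    if len(parts) < 2:
        return None
    return parts[0], parts[-1]


def infer_schemes(samples):
    """samples: (full_name, email) pairs known to belong together, e.g. a
    press-release quote plus the address theHarvester found for it.
    Returns the scheme labels consistent with *every* sample; an empty list
    means none of the known schemes explains the addresses."""
    matching = set(SCHEMES)
    for name, email in samples:
        norm = normalise(name)
        if norm is None:
            continue
        local = email.split("@", 1)[0].lower()
        first, last = norm
        matching &= {k for k, fn in SCHEMES.items() if fn(first, last) == local}
    return sorted(matching)


def generate_usernames(names, schemes, domain=None):
    """Expand employee names into candidate usernames (or addresses when a
    domain is given) under each inferred scheme. Order is preserved and
    duplicates dropped so the output can feed a spray tool directly."""
    out, seen = [], set()
    for name in names:
        norm = normalise(name)
        if norm is None:
            continue
        for label in schemes:
            cand = SCHEMES[label](*norm)
            if domain:
                cand = f"{cand}@{domain}"
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


# Constructed sample: two name/address pairs harvested from public sources,
# and a longer name list (LinkedIn, press releases, the "team" page).
KNOWN = [
    ("Alice Martin", "amartin@example.com"),
    ("Bob O'Neil", "boneil@example.com"),
]
EMPLOYEES = ["Carol Diaz", "Dave Nguyen", "Alice Martin", "Madonna"]

if __name__ == "__main__":
    schemes = infer_schemes(KNOWN)
    print("inferred scheme(s):", schemes)
    for candidate in generate_usernames(EMPLOYEES, schemes, "example.com"):
        print(candidate)
```

Two known pairs are enough here because only one scheme reproduces both; with a single sample such as "alsmith" several schemes may survive, and the generator then simply emits a candidate under each of them, which is what you want for a spray list anyway.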
                Test your perimeter
               An interesting thing I’ve observed about defensive mindsets: they typically check what should
                be configured, not what is configured. Attackers don’t primarily concern themselves with what is
               intended – in fact, they specifically focus on what isn’t intended. Test your perimeter for what is
               actually there, not what you expect is there:
                    •  Port scan your entire public IP range. Administrators commonly point their
                        scanners only at the systems that are intended to be on the network and at the
                        public IP addresses known to be in use. Port scan every address in the public ranges
                        your organization owns, on every port – you may be presented with some unexpected
                        surprises. An unexpected system is usually an unmanaged one, and unmanaged usually
                        means unpatched or misconfigured.
                   •  Enumerate your DNS servers. Do your DNS servers allow unnecessary zone transfers,
                       or do they serve up entries which lead to other DNS servers which do? An improperly
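The first bullet in this list, checking what is actually exposed against what is expected to be, as an added example in Python (not code from the article, and not part of nmap). It builds the target list from the owned address block rather than from the inventory, parses nmap's grepable output (the -oG format is nmap's own; the hosts, ports and block in the sample are constructed), and reports the two things an inventory-driven check cannot see: hosts that are up but not in the inventory, and open ports on known hosts that the inventory does not list. The CIDR block, inventory and scan output are all constructed sample data.

```python
"""Compare what a full-range port scan actually found with what the asset
inventory says should be exposed.

Added example; not code from the original article or from nmap. The owned
block, the inventory and the scan output below are constructed sample data
in nmap's grepable (-oG) output format.
"""
import ipaddress
import re

# Constructed: the public block the organisation owns (documentation range).
OWNED_RANGES = ["203.0.113.0/28"]

# Constructed inventory: what administrators *expect* to be reachable.
INVENTORY = {
    "203.0.113.2": {80, 443},   # public web server
    "203.0.113.3": {25},        # mail relay
}

# Constructed nmap -oG output for the whole block (what is *actually* there).
NMAP_GREPABLE = """\
# Nmap 7.80 scan initiated as: nmap -sS -p- -oG - 203.0.113.0/28
Host: 203.0.113.2 ()\tStatus: Up
Host: 203.0.113.2 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (65533)
Host: 203.0.113.3 ()\tStatus: Up
Host: 203.0.113.3 ()\tPorts: 25/open/tcp//smtp///, 22/open/tcp//ssh///\tIgnored State: closed (65533)
Host: 203.0.113.9 ()\tStatus: Up
Host: 203.0.113.9 ()\tPorts: 8080/open/tcp//http-proxy///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65533)
# Nmap done at Tue Aug  1 10:00:00 2017 -- 16 IP addresses (3 hosts up) scanned in 5.10 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) ")
PORTS_RE = re.compile(r"Ports: ([^\t]*)")
OPEN_RE = re.compile(r"(\d+)/open/tcp")


def scan_targets(ranges):
    """Every address in the owned ranges, network and broadcast included:
    an attacker probes all 16 addresses of a /28, so the scan must too."""
    targets = []
    for r in ranges:
        targets.extend(str(ip) for ip in ipaddress.ip_network(r))
    return targets


def skipped_by_inventory_scan(ranges, inventory):
    """Addresses an inventory-driven scan never looks at: the blind spot."""
    return [ip for ip in scan_targets(ranges) if ip not in inventory]


def parse_grepable(text):
    """Return {ip: set(open TCP ports)} from nmap -oG output. A host that
    is up with no open ports is still recorded, with an empty set."""
    found = {}
    for line in text.splitlines():
        host = HOST_RE.match(line)
        if not host:
            continue
        ports = found.setdefault(host.group(1), set())
        port_field = PORTS_RE.search(line)
        if port_field:
            ports.update(int(n) for n in OPEN_RE.findall(port_field.group(1)))
    return found


def unexpected_exposure(found, inventory):
    """Findings the inventory cannot explain: unknown hosts that are up, and
    open ports on known hosts that the inventory does not list."""
    report = []
    for ip in sorted(found, key=ipaddress.ip_address):
        ports = found[ip]
        if ip not in inventory:
            report.append((ip, "unknown host", sorted(ports)))
        else:
            extra = sorted(ports - inventory[ip])
            if extra:
                report.append((ip, "unlisted ports", extra))
    return report


if __name__ == "__main__":
    print(f"{len(skipped_by_inventory_scan(OWNED_RANGES, INVENTORY))} of "
          f"{len(scan_targets(OWNED_RANGES))} owned addresses are outside the inventory")
    for ip, why, ports in unexpected_exposure(parse_grepable(NMAP_GREPABLE), INVENTORY):
        print(f"{ip:16} {why:15} {ports}")
```

On the sample data the inventory-driven scan would have skipped 14 of the 16 addresses, including the forgotten 203.0.113.9 with RDP and a proxy open, and would have said nothing about the SSH port that has appeared on the mail relay. The same comparison works unchanged on real -oG output from a full `-p-` scan of your own ranges.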
                         Copyright © Cyber Defense Magazine,  All rights reserved worldwide.