Understanding the corporate footprint is critical to fighting cyberattacks, writes Andrew Bushby, UK director at the cyber company Fidelis Cybersecurity.
When it comes to cyberattacks on an organisation, a critical factor can be the company’s corporate footprint. Security teams often begin their investigation process at the moment of infection, considering everything that happened after that moment and working out how to respond. After all, the goal of investigating cyberattacks is to find out how the attacker got in and what they did while they were inside.
However, since the process for advanced attacks includes significant research before the actual infection attempt is made, it’s critical that security teams can see what happens during the entire attack timeline. For the attacker, this ‘reconnaissance’ phase is usually the most important. This is where preliminary information is collected, attack scenarios are constructed, social engineering is employed and the target’s network topology is studied as much as possible to define methods of attack. As such, understanding the reconnaissance phase of attackers and the corporate digital footprint as a whole can be hugely advantageous for security teams.
One of the most important parts of the reconnaissance phase is the collection of ample data on the attacker’s target. One of the easier and more covert methods for this data collection is to gather all publicly available intelligence. Every organisation has an online corporate footprint. This includes all publicly available data on the company, including the web server, social network profiles and the virtual private network (VPN) server – and sometimes even private data that has become mistakenly exposed, such as employee lists, details of servers that are being used and lists of vendors or partners.
The search for public data typically starts with search engines and moves on to social media and other advanced tools or engines – such as Shodan, historic domain name system (DNS) data and more. Since the internet is archival, these searches often find human mistakes, misconfigured web servers, temporary files and in many cases, keys and credentials. Even if someone does not intentionally upload their passwords or keys to the web, a novice attacker will probably be able to find many of these online. Indeed, it is surprisingly easy to find credentials that were mistakenly uploaded to sharing sites, such as GitHub. Similarly, sometimes innocently scanning a file on a web-based virus check engine will cause the file to be searchable and available to all.
During the reconnaissance phase, advanced attackers will quietly and rigorously search for all data on a company. They will deeply review a corporate footprint and conduct other reconnaissance methods, such as social engineering, as well as use whatever they can to find holes in the corporate security framework.
The first step to understanding the corporate footprint and protecting an organisation is to know exactly what must be protected. Likewise, to protect the organisation from the attacker’s reconnaissance activity, security teams need visibility into the company’s public-facing terrain. Just as they regularly scan the network for vulnerabilities, security teams must scan the web to find what other people can learn about the enterprise. There are several online tools, such as VirusTotal and Maltego, that can help with this, and these are also the tools that many attackers will use for their own exploration.
Significant damage can be done by making a single mistake and uploading the wrong data to the wrong place at the wrong time. Most online services and tools will accept requests to remove private data from their databases, but by then it will probably be too late. There is also no comprehensive means of removing a file from the web: deleting it does not mean it will be removed from other sites, from engines that cached it, or from attackers who have already downloaded it. To counter this, businesses should aim to minimise the future publication of information that can put them at risk. Enterprises must first be aware of what is being uploaded to the web and educate their employees on the very real risks of doing so. With staff often being the weakest link in the cybersecurity chain, employee training and best practices will help to reinforce healthy security habits and prevent such issues.
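One practical control for the credential leaks described above (keys and passwords reaching sharing sites such as GitHub, and staff not noticing what they are about to upload) is a pre-publication check that flags likely secrets before a file leaves the organisation. The following is an added example, not code from the article or from Fidelis; the rules, the entropy threshold and the sample file are all constructed for illustration, and the AWS key shown is the placeholder value used in AWS documentation.

```python
import math
import re

# Credential shapes to look for. The AWS access-key-id prefix and the PEM
# private-key header are well-known formats; the assignment rule is a heuristic
# that relies on an entropy check to ignore placeholders such as "changeme".
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key)\s*[=:]\s*['\"]?([^\s'\"]{8,})"),
}

def shannon_entropy(s):
    """Bits of entropy per character of s; low values indicate placeholder text."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_secrets(text, min_entropy=3.0):
    """Return (line_no, rule, value) for every likely credential found in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # Assignments are reported only when the value looks random enough
                if rule == "password_assignment" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append((line_no, rule, value))
    return findings

# Constructed sample of a config file about to be pushed to a public repository.
SAMPLE = """# constructed sample, not a real configuration
db_host = db.internal.example
db_password = changeme
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
-----BEGIN RSA PRIVATE KEY-----
api_key: Xq7vR2pL9zTk4mW1
"""

if __name__ == "__main__":
    for line_no, rule, value in find_secrets(SAMPLE):
        print(f"line {line_no}: {rule} -> {value}")
```

Run as a pre-commit hook, a non-empty result blocks the push and gives the employee a concrete reason, which is the kind of awareness the article calls for.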
Turn to advantage
With a complete understanding of the corporate footprint, organisations can take this information and turn it into an advantage over the attackers. Just as deception technology can be used to alter the terrain and catch attackers exploring the corporate network, it can be used to alter the public footprint to fool attackers and gain intelligence on their proposed attack methods. To illustrate this, an organisation can plant a breadcrumb trail of data that blends into its public footprint; when followed, this trail leads to public-facing decoys. The decoys in this scenario could be fake servers, deployed on the public web or in the organisation’s demilitarised zone (DMZ), that resemble the servers and assets making up parts of the public footprint. The breadcrumb data could include fabricated documents, passwords and IPs placed in different places across the web, mimicking what is expected to be part of the corporate footprint.
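To show how a breadcrumb trail turns into intelligence, here is an added example (not the article's or Fidelis's code) of the defender's side: each public placement gets its own fabricated credential, derived from a key so no lookup table needs to be published with the decoy, and the decoy's authentication log is then attributed back to the placement the attacker harvested. The placement names, log format and addresses are constructed assumptions.

```python
import hashlib
import hmac
import re

# Hypothetical placements: where a fabricated credential is planted in the
# public footprint. A distinct credential per placement lets a later login on
# the decoy reveal which breadcrumb was harvested.
PLACEMENTS = ["stale-wiki-export", "public-gist", "vendor-portal-pdf"]

def mint_breadcrumbs(placements, key):
    """Derive one decoy username/password pair per placement via HMAC-SHA256.
    Credentials are recomputable from the key, so only the key needs storing."""
    creds = {}
    for place in placements:
        tag = hmac.new(key, place.encode(), hashlib.sha256).hexdigest()
        creds[("svc-" + tag[:6], tag[6:22])] = place
    return creds

# Constructed decoy auth-log format; any real decoy would log something similar.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) pass=(?P<pw>\S+) result=\S+$")

def attribute_decoy_logins(log_lines, creds):
    """Report every attempt on the decoy (it has no legitimate users) and tag
    those matching a minted credential with the placement they came from."""
    events = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        place = creds.get((m["user"], m["pw"]), "unknown")
        events.append({"ts": m["ts"], "src": m["src"], "placement": place})
    return events

KEY = b"constructed-demo-key"  # in practice kept with the decoy's configuration
BREADCRUMBS = mint_breadcrumbs(PLACEMENTS, KEY)

def constructed_log():
    """Constructed log: one hit using the gist breadcrumb, one unrelated attempt."""
    user, pw = next(k for k, v in BREADCRUMBS.items() if v == "public-gist")
    return [
        f"2024-03-01T10:00:00Z src=203.0.113.7 user={user} pass={pw} result=denied",
        "2024-03-01T10:05:00Z src=198.51.100.9 user=admin pass=admin result=denied",
    ]

if __name__ == "__main__":
    for event in attribute_decoy_logins(constructed_log(), BREADCRUMBS):
        print(event)
```

An attributed hit tells the team which public artefact is being read and from where, which is exactly the kind of pre-attack intelligence the article argues for; the unattributed attempt is the internet noise it warns against chasing.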
Organisations must improve their understanding of their online environment to prevent cyberattacks and mitigate the financial and reputational damage of a breach. By altering their footprint to trace attackers, security teams can gain intelligence that helps them prepare for an attack rather than waste time chasing internet noise. To yield valuable intelligence on attackers, deception technology needs to blend into the existing corporate footprint and not stand out. Corporate attack surfaces are only increasing, and having complete visibility will enable companies to uncover and respond to threats against their organisation.