Cyber-attacks keep increasing and evolving, but regardless of how sophisticated an attacker's methods are for gaining access, establishing a foothold, cloaking malware, executing a payload or exfiltrating data, the attack begins with reconnaissance. Attackers will do their utmost to uncover exposed assets and probe the target's attack surface for gaps that can serve as entry points.
The first line of defence is therefore to limit, as far as possible, the information available to a would-be attacker. As always, the tug of war between operational necessity and security has to be taken into account, which calls for a clear understanding of the kinds of information attackers typically leverage.
What information are hackers looking for during recon?
When running recon on an organization, hackers – whether white or black hats – are “casing a joint.” To plan their attack, they will try to uncover as much information as possible about:
- The types of technologies you use – As there is no flawless technology, learning which technologies you use to build and manage your infrastructure is the attacker's first step: it tells them which vulnerabilities to try and how to evade detection. Attackers can learn about your technologies and how they are used by following conversations in tech forums (and from whatever your service banners and HTTP response headers volunteer), so DevOps engineers taking part in such discussions should refrain from disclosing their real identity or details that could identify the organization.
- Your internet-facing servers – servers hold your organization’s vital data. Attackers will look for weaknesses ranging from unused or unpatched services to unnecessarily open ports.
- Any system that serves on a public network is a target, so system administrators must be extra vigilant in:
- Keeping all services current
- Opting for secure protocols whenever possible
- Limiting the number of network-facing services per machine to a strict minimum, preferably one role per machine
- Monitoring all servers for suspicious activity
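The checklist above can be turned into a repeatable audit of what a host actually exposes. The following script is an added example, not code from the original article: it parses the output format of `ss -tlnp` (Linux, iproute2), and flags listeners bound to every interface, cleartext protocols on well-known ports, and hosts exposing more services than a policy allows. The sample `ss` output, the port-to-protocol table and the one-service-per-machine threshold `MAX_EXPOSED_SERVICES` are constructed assumptions for the example.

```python
"""Audit a host's listening TCP sockets for recon-relevant exposure.

Added example (not the article's own code). Parses `ss -tlnp`-style output
and reports listeners an external port scan would find, cleartext services,
and whether the host exceeds the assumed one-exposed-service policy.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: what `ss -tlnp` might print on a mixed-role host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*          users:(("postgres",pid=1033,fd=5))
LISTEN  0       128     0.0.0.0:23          0.0.0.0:*          users:(("telnetd",pid=1200,fd=4))
LISTEN  0       511     *:80                *:*                users:(("nginx",pid=900,fd=6))
LISTEN  0       128     [::]:21             [::]:*             users:(("vsftpd",pid=1100,fd=3))
"""

# Well-known ports whose protocol carries credentials or data in cleartext,
# each paired with the secure alternative a defender should prefer.
CLEARTEXT_PORTS = {
    21: ("ftp", "sftp/ftps"),
    23: ("telnet", "ssh"),
    80: ("http", "https"),
    110: ("pop3", "pop3s"),
    143: ("imap", "imaps"),
    389: ("ldap", "ldaps"),
}

WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}
LOOPBACK_ADDRS = {"127.0.0.1", "::1", "[::1]"}
MAX_EXPOSED_SERVICES = 1  # assumed policy: one network-facing role per machine


@dataclass
class Listener:
    addr: str
    port: int
    process: str

    @property
    def exposed(self) -> bool:
        """True if other hosts can reach the socket (not bound to loopback)."""
        return self.addr not in LOOPBACK_ADDRS


def parse_ss(text: str) -> list[Listener]:
    """Extract LISTEN sockets from `ss -tlnp` output."""
    listeners: list[Listener] = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header line or a non-listening state
        addr, port = cols[3].rsplit(":", 1)  # handles "*:80" and "[::]:21"
        match = re.search(r'\("([^"]+)"', cols[5]) if len(cols) > 5 else None
        listeners.append(Listener(addr, int(port), match.group(1) if match else "?"))
    return listeners


def audit(listeners: list[Listener]) -> dict:
    """Apply the exposure checks and return a structured report."""
    exposed = [l for l in listeners if l.exposed]
    findings: list[str] = []
    cleartext: list[int] = []
    wildcard: list[int] = []
    for l in exposed:
        if l.port in CLEARTEXT_PORTS:
            proto, better = CLEARTEXT_PORTS[l.port]
            cleartext.append(l.port)
            findings.append(f"{l.process} on {l.addr}:{l.port} speaks cleartext {proto}; prefer {better}")
        if l.addr in WILDCARD_ADDRS:
            wildcard.append(l.port)
            findings.append(f"{l.process} on port {l.port} is bound to every interface; bind it to a specific address or firewall it")
    over_policy = len(exposed) > MAX_EXPOSED_SERVICES
    if over_policy:
        names = ", ".join(l.process for l in exposed)
        findings.append(f"{len(exposed)} externally reachable services ({names}); policy allows {MAX_EXPOSED_SERVICES}")
    return {
        "exposed_ports": sorted(l.port for l in exposed),
        "cleartext_ports": sorted(cleartext),
        "wildcard_ports": sorted(wildcard),
        "over_policy": over_policy,
        "findings": findings,
    }


if __name__ == "__main__":
    # Replace SAMPLE_SS_OUTPUT with subprocess.run(["ss", "-tlnp"], ...) output on a real host.
    for finding in audit(parse_ss(SAMPLE_SS_OUTPUT))["findings"]:
        print("-", finding)
```

Run it periodically (or from a configuration-management check) on every internet-facing host and treat any new entry in `exposed_ports` as a change that needs a justification; that is the same list an attacker's port scan will produce.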