Tuesday, March 28, 2017

The importance of reconnaissance to the targeted threat actor

A few days ago, I was in a conversation with a colleague who was explaining his understanding of the Cyber Kill Chain. This was not the Lockheed Martin model (Hutchins, Cloppert, & Amin) but one that he envisioned. In his model, he did not place much emphasis on reconnaissance. As a result, I asked why. His argument was that while he understands the need for reconnaissance and that it is performed, he does not see it as important. While I respect his opinion, my belief is that the facts show that reconnaissance is not just important but extremely important. Thus consideration must be given to ways an organization can reduce the amount of information which can be learned about it, so as to reduce the harm which can be caused to it.

To the script kiddie, reconnaissance means nothing. The script kiddie focuses on the low-hanging fruit and is more tactical than strategic, adding little focus towards strategy. However, to the targeted attacker, it means everything, as their focus is more strategic and less tactical. Targeted attackers are more concerned about long-term gains rather than short-term ones. It is the difference between whether the attacker would spend 10 minutes or 10 years in your environment without being detected.

The importance of reconnaissance can be seen, and even further understood, from Symantec’s “Advanced Persistent Threats: A Symantec Perspective”. In this document Symantec states that a large number of researchers may spend months studying their targets, gaining familiarity with the systems, processes and people, including vendors and partners (Symantec.com). Assigning a large number of researchers to any task is no small effort and emphasizes the importance of this phase in a targeted attack.

More importantly, for nation-state threat actors, reconnaissance is even more important, as their objective is to strike with precision: not to have mass impact but targeted impact. To further emphasize the importance of reconnaissance, we can look at this through the lens of Stuxnet (Symantec, 2011), the Sony hack (BISSON, 2015), Darkhotel (KasperskyLab, 2014), Red October (GReAT, 2013), the RSA attack (RSA Fraud Action Research Labs, 2011), Operation Aurora (STEWART, 2010), Titan Rain (Norton-Taylor, 2007) and HBGary (BRIGHT, 2011). There are also many others which can be considered. However, let’s pick on Darkhotel, HBGary and Stuxnet.

Starting off with Darkhotel, this threat actor’s activity is tied to specific hotels’ and business centers’ Wi-Fi and physical network connections. Additionally, spear-phishing is used against their targets (KasperskyLab, 2014). This attack targets specific victim categories such as corporate executives and high-tech entrepreneurs, even those that may be situationally aware. Once connected to the hotel’s Wi-Fi, the guest would see what purports to be updates for their software. Some of the software targeted was from vendors such as Adobe, Microsoft and Google, and the fake updates were selectively distributed to targeted individuals (KasperskyLab, 2014). What is also interesting about this is that the first stage of the malware helps the attackers learn the significance of the guest, which contributes to the determination of whether or not a more advanced malware should be downloaded (KasperskyLab, 2014).
Clearly, a significant amount of reconnaissance would have had to be done in order to attack the right targets in the Darkhotel example. This can also be seen from the fact that even though guests were required to use their last name and room number to access the Wi-Fi, only some guests received the Darkhotel package (KasperskyLab, 2014). This is either a strange coincidence, a clear example of the aim of infecting specific targets, or maybe just inconsistencies in the way the packages were deployed. If the aim was to infect specific targets, then great effort would have had to be made to initially learn about those targets.

Looking at the HBGary example, their hbgaryfederal.com Content Management System (CMS) was vulnerable to SQL injection (BRIGHT, 2011). How did Anonymous know that it was vulnerable to SQL injection? The only way to know would have been to perform reconnaissance. In this case, the reconnaissance was performing the various tests for SQL injection flaws. On a side note, and more to the focus of the significance of reconnaissance, according to ANDERSON (2011), the CEO of HBGary Federal, Aaron Barr, did a presentation at a closed Department of Justice (DOJ) conference on leveraging specific techniques to target, collect on and exploit targets with 100% success using social media. More specifically, Barr had proposed a talk titled “Who needs NSA when we have social media” (ANDERSON, 2011). This shows the importance of social media’s role in reconnaissance. The point is that it shows the importance of reconnaissance, no matter what medium is used to perform it.
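The HBGary example describes the reconnaissance as a series of SQL injection tests against a web application, and such tests leave traces in the web server's access log. The following is an added example (not from the original post, and not HBGary's systems or code) that scans constructed Apache-style log lines, URL-decodes each query string and flags client IPs that repeatedly send injection syntax; the log lines, IP addresses, paths and thresholds are all constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines (not real traffic): one client probing
# a CMS parameter for SQL injection, one client browsing normally.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2011:10:01:02 +0000] "GET /cms/index.php?id=27 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2011:10:01:05 +0000] "GET /cms/index.php?id=27%27 HTTP/1.1" 500 311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2011:10:01:09 +0000] "GET /cms/index.php?id=27%27+OR+%271%27%3D%271 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2011:10:01:14 +0000] "GET /cms/index.php?id=27+UNION+SELECT+1,2,3-- HTTP/1.1" 200 6210 "-" "Mozilla/5.0"
198.51.100.21 - - [10/Feb/2011:10:02:00 +0000] "GET /cms/index.php?id=27 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.21 - - [10/Feb/2011:10:02:30 +0000] "GET /cms/about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" (?P<status>\d{3}) ')
# Injection-syntax indicators; one hit is a weak signal, repeats from one client are the pattern.
PROBE_PATTERNS = [
    (re.compile(r"'"), "quote"),
    (re.compile(r"\bor\b\s+\S+\s*=\s*\S+", re.I), "tautology"),
    (re.compile(r"\bunion\b.*\bselect\b", re.I), "union-select"),
    (re.compile(r"(--|/\*)"), "comment"),
    (re.compile(r"\b(sleep|benchmark|waitfor)\b", re.I), "time-based"),
]

def probe_indicators(path):
    """Indicator names found in the query string of a URL-decoded request path."""
    query = path.partition("?")[2]
    return [name for pat, name in PROBE_PATTERNS if pat.search(query)]

def find_sqli_recon(log_text, threshold=2):
    """Map client IP -> summary for clients that sent >= threshold probe requests.
    5xx answers to probes are counted too: that error feedback is what a tester
    looks for, and a strong reason to review the parameter involved."""
    clients = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        inds = probe_indicators(unquote_plus(m["path"]))  # decode %27, + etc. first
        if not inds:
            continue
        c = clients.setdefault(m["ip"], {"probes": 0, "errors": 0, "indicators": set()})
        c["probes"] += 1
        c["errors"] += int(m["status"].startswith("5"))
        c["indicators"].update(inds)
    return {ip: c for ip, c in clients.items() if c["probes"] >= threshold}
```

On the constructed sample, only 203.0.113.7 is reported: three probe requests, one of which drew a 500 response, which is exactly the kind of feedback that tells a tester a parameter is worth a closer look and tells a defender which parameter to review.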

The final example we will look at is Stuxnet. Without a doubt, reconnaissance had to have played an extremely large role in this attack. The focus of Stuxnet was to target organizations in Iran which were believed to be operating Iranian nuclear facilities (Symantec.com). For this attack to be successful, the attackers had to perform reconnaissance to the extent that they had to learn the schematics of each Programmable Logic Controller (PLC), as each one is configured in a unique manner. Once these schematics were known, each feature of Stuxnet was implemented for a specific reason (Symantec, 2011). How much more targeted could this have been? Clearly this was reconnaissance, and it had great significance.

I think I’ve taken quite a few examples to demonstrate the importance of reconnaissance to the targeted attacker. While we need to ensure our infrastructures are protected from the script kiddies, we need to take even greater measures when it comes to protecting them from the targeted attacker.


ANDERSON, N. (2011, 02 09). How one man tracked down Anonymous—and paid a heavy price - Aaron Barr, CEO of security firm HBGary Federal, spent a month tracking down …. Retrieved from arstechnica.com: https://arstechnica.com/tech-policy/2011/02/how-one-security-firm-tracked-anonymousand-paid-a-heavy-price/

BISSON, D. (2015, April 22). Sony Hackers Used Phishing Emails to Breach Company Networks. Retrieved from tripwire.com: https://www.tripwire.com/state-of-security/latest-security-news/sony-hackers-used-phishing-emails-to-breach-company-networks/

BRIGHT, P. (2011, 2 15). Anonymous speaks: the inside story of the HBGary hack - After interviews with the hackers from Anonymous who invaded HBGary Federal …. Retrieved from arstechnica.com: https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/2/

GReAT. (2013, January 14). “Red October” Diplomatic Cyber Attacks Investigation. Retrieved from securelist.com: https://securelist.com/analysis/publications/36740/red-october-diplomatic-cyber-attacks-investigation/

Hutchins, E. M., Cloppert, M. J., & Amin, R. M. (n.d.). Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. Retrieved from lockheedmartin.ca: http://www.lockheedmartin.ca/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf

KasperskyLab. (2014). THE DARKHOTEL APT A STORY OF UNUSUAL HOSPITALITY. Kaspersky Lab. Retrieved from securelist.com: https://securelist.com/files/2014/11/darkhotel_kl_07.11.pdf

Norton-Taylor, R. (2007, September 5). Titan Rain - how Chinese hackers targeted Whitehall. Retrieved from theguardian.com: https://www.theguardian.com/technology/2007/sep/04/news.internet

RSA Fraud Action Research Labs. (2011, April 01). ANATOMY OF AN ATTACK. Retrieved from blogs.rsa.com: http://blogs.rsa.com/anatomy-of-an-attack/

STEWART, J. (2010, January 19). Operation Aurora: Clues in the Code. Retrieved from secureworks.com: https://www.secureworks.com/blog/research-20913

Symantec. (2011). W32.Stuxnet Dossier. Symantec. Retrieved from symantec.com: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/security-response-w32-stuxnet-dossier-11-en.pdf

Symantec.com. (n.d.). Advanced Persistent Threats: A Symantec Perspective. Retrieved from symantec.com: https://www.symantec.com/content/en/us/enterprise/white_papers/b-advanced_persistent_threats_WP_21215957.en-us.pdf


  1. There is nothing to disagree with in what is postulated here. What can also be considered is the fact that we will always be short of resources to deal with security incidents, no matter at what stage the ongoing attack is identified. With tonnes of incidents popping up each hour, often we need to prioritize some over others. Each organization's security engineers should have their own way to prioritize.
    With that said, I think with constant failures in maintaining security (obvious with incessant breaches happening every month) I think we are getting more towards the stage to adopt the approach of offensive defense.

    I think if we are focusing on the context of kill-chain, there can be a clear measure if we want to pick what is in there for Cyber Security personnel. Forcing the investigative thought on that, why the recon step can be given a part skip, in my lone-wolf opinion, is perhaps the fact that we should now let the bad guys do what they can from their side--and focus on what good guys can do from their side. There is little chance we can track reconnaissance. A good reconnaissance has often gone unnoticed. The fact that breaches are happening with increased frequency is an obvious comment that reconnaissance was successfully conducted in each case, and any attempt whatsoever (assuming there were some resources deployed to sense the initial recon activity) by the good guys failed. That may make one think that perhaps reconnaissance has taken too much of the scarce resources (time, money, human resources etc) we normally have.

    I think tasks for good guys should begin from any step subsequent to recon. We desperately need some actionable items in our kitty to be attentive and pick something to hunt with. We need that first phishing mail (recon done by this time), first slow web response observations by app guys (recon done and attack in a different stage now), first instance of odd flash drives reportedly seen in driveways (recon done and items weaponized), first reporting of skeptical facebook links seen by marketing guys (recon done as Bob's facebook wall now has that bad link from his own friend who is the bait here) and so on. Tasks for good guys more often than not begin from this point. It is in this line of thought that we can say let recon be skipped from meetings. Let's assume it will happen. To avoid it would mean asking employees to not use facebook, not use word, not surf online, etc etc. We know we have lost this part of the battle already. Let's start what kill-chain says after the recon is done: what CCs are active if any, what malware signatures are floating now, what big chunks are being exfiltrated if any. We have visibility there. We have machines on our side on this and perhaps more. We can't see recon--especially socially engineered. And recon is also, to say in a cheeky tongue, boring as well :) We have more visibility only after the first step in kill-chain if the first step is recon; and we know very well that we can only secure what we can see. In the end, I can only say let bad guys do the reconnaissance. They are very good at it. Cyber history proves that, and bad guys have miserably failed at that, also proven. So let us do best what we can!
    But one thing is for sure: bad guys would have recon as their first step, which they will always have; we, if we are good guys, would rather be waiting on them to finish with that so that we can start what we have learnt best in our approach to defend anything defendable.

  2. well written and researched!
    Would dedicate some summer mornings to read all your blogs!