The processes and tools behind a true APT campaign: Reconnaissance

Reconnaissance marks the first step in the APT campaign, where attackers identify their targets and how to attack them


A service used to track the various social and media networks associated with a username or company brand. Once the target's social profiles are discovered, personal and business data can be collected, starting with the top three social networks: Facebook, LinkedIn, and Twitter. Images on these networks may also contain metadata; Instagram is an alternative source of metadata. Services such as Foursquare, HootSuite, and GitHub can also be added for additional details.

ImageOps

This site hosts a collection of tools for images, including EXIF data extraction, forensics, image search, and more.


This search engine lets you find any device that's connected to the Web. Once the device is located, you can then look for services running on it, or a list of related exploits and vulnerabilities. Full features of the site are unlocked rather cheaply, but the free version will do for most situations.

Organizing the collected data

When it comes to organizing all of the various data collected during the reconnaissance phase, the recommended tool is Maltego.

Maltego is an OSINT tool, one that hacktivists, law enforcement and security professionals, and even professional criminals, use to manage information chains. It offers a visual overview of data, and comes in handy when hunting for links between people, groups, organizations, network information (DNS, IP addresses, URLs), and more.

The free version of Maltego works well for most people, but a well-funded attacker wouldn't think twice about purchasing a legit copy under a false identity if it was needed.

Common tools and software

When it comes to the tools that attackers use during the reconnaissance phase, as well as other phases in the attack chain, they tend to be easily obtained and simple to work with. Many of the tools used by professionals are the same ones favored by criminals, because they get the job done.

SQLMap

SQLMap automates the process of detecting and exploiting SQL Injection flaws. It has support for every major database on the market, and many SQL Injection techniques. This is a popular tool for professionals and criminals, as it is easy to use.

BackTrack Linux

BackTrack is a go-to tool for professionals and criminals. While some of the tools in this release are too advanced for some attackers, there are plenty of tutorials available online to help them get a solid start.

Professionals love BackTrack because it's easy to use, has a strong community for support and development, and enables access to all of the common penetration tools in one installation. Much of what BackTrack has to offer can be used for all of the phases in an attacker's campaign, including reconnaissance, exploitation, and exfiltration.

Metasploit

Professionals love it, and so do criminals, with good reason. Metasploit is the best-known exploitation and penetration testing tool in the world. Like BackTrack, it too can be used for many phases of an attacker's campaign. At this stage, you should familiarize yourself with HD Moore's Law.

Wrapping things up

Preventing reconnaissance is near-impossible. You can mitigate some of the success a potential attacker has, but the nature of the Internet itself means that information in one form or another will exist, somewhere, and it will be found eventually. So when it comes to mitigation, here are some things to consider.


Monitor logs and analytics apps for unusual spikes in downloads that fall outside of normal usage patterns. For example, if a new sales guide is usually downloaded from the U.S., then downloads from places such as Russia, China, Mexico, Taiwan, or India would naturally be suspect, unless they can be reasonably explained. The same applies to spikes in downloads outside of the normal geographic pattern, such as downloads from California when the company primarily deals with customers and businesses in Indiana or Ohio.
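As an added example (not from the article, and not any vendor's product), the following script implements the two checks just described over web-server download logs: a per-resource geographic baseline learned from past downloads, and an hourly volume spike detector. The log lines, the IP addresses (RFC 5737 documentation ranges), the GeoIP country column and the thresholds are all constructed assumptions for the example; a real deployment would resolve countries from its own GeoIP source and tune the thresholds to its traffic.

```python
from collections import Counter, defaultdict
from statistics import mean

# Constructed access-log lines (not real traffic): timestamp, client IP from the
# RFC 5737 documentation ranges, GeoIP country, method, path, status. Real web logs
# would need GeoIP resolution first; here the country column is assumed to be resolved.
BASELINE_LOG = """\
2014-01-06T14:02:11Z 198.51.100.10 US GET /downloads/sales-guide-2014.pdf 200
2014-01-07T09:15:42Z 198.51.100.11 US GET /downloads/sales-guide-2014.pdf 200
2014-01-09T16:48:03Z 198.51.100.12 US GET /downloads/sales-guide-2014.pdf 200
2014-01-13T11:20:57Z 198.51.100.13 CA GET /downloads/sales-guide-2014.pdf 200
2014-01-15T08:31:19Z 198.51.100.14 US GET /downloads/sales-guide-2014.pdf 200
2014-01-20T13:05:44Z 198.51.100.15 US GET /downloads/sales-guide-2014.pdf 200
2014-01-22T10:59:08Z 198.51.100.16 US GET /downloads/sales-guide-2014.pdf 200
2014-01-28T15:12:36Z 198.51.100.17 US GET /downloads/sales-guide-2014.pdf 200
"""

NEW_LOG = """\
2014-02-10T09:12:33Z 203.0.113.5 US GET /downloads/sales-guide-2014.pdf 200
2014-02-10T10:40:02Z 203.0.113.6 US GET /downloads/sales-guide-2014.pdf 200
2014-02-10T11:05:19Z 203.0.113.7 RU GET /downloads/sales-guide-2014.pdf 200
2014-02-10T11:30:48Z 203.0.113.8 CN GET /downloads/sales-guide-2014.pdf 200
2014-02-10T11:31:02Z 203.0.113.8 CN GET /downloads/sales-guide-2014.pdf 404
2014-02-10T14:00:27Z 203.0.113.9 US GET /downloads/sales-guide-2014.pdf 200
2014-02-10T23:01:10Z 203.0.113.20 US GET /downloads/sales-guide-2014.pdf 200
2014-02-10T23:02:55Z 203.0.113.21 US GET /downloads/sales-guide-2014.pdf 200
2014-02-10T23:04:31Z 203.0.113.22 US GET /downloads/sales-guide-2014.pdf 200
2014-02-10T23:07:12Z 203.0.113.23 US GET /downloads/sales-guide-2014.pdf 200
2014-02-10T23:09:48Z 203.0.113.24 US GET /downloads/sales-guide-2014.pdf 200
2014-02-10T23:11:03Z 203.0.113.25 US GET /downloads/sales-guide-2014.pdf 200
"""


def parse_downloads(text):
    """Return successful GET requests under /downloads/ as event dicts; anything else is ignored."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, ip, country, method, path, status = parts
        if method != "GET" or status != "200" or not path.startswith("/downloads/"):
            continue
        events.append({"ts": ts, "ip": ip, "country": country, "path": path})
    return events


def geo_baseline(events, min_share=0.05):
    """Per resource, the set of countries that account for at least min_share of its
    historic downloads. Countries below that share are treated as noise, so a single
    stray download in the baseline does not make a whole country acceptable."""
    by_path = defaultdict(Counter)
    for e in events:
        by_path[e["path"]][e["country"]] += 1
    baseline = {}
    for path, counts in by_path.items():
        total = sum(counts.values())
        baseline[path] = {c for c, n in counts.items() if n / total >= min_share}
    return baseline


def find_geo_outliers(baseline, events):
    """Downloads whose source country is outside the resource's baseline set.
    Resources with no baseline at all are skipped: there is nothing to compare against."""
    return [e for e in events
            if e["path"] in baseline and e["country"] not in baseline[e["path"]]]


def find_hourly_spikes(events, factor=2.0, min_count=5):
    """Hours in which a resource was downloaded at least min_count times and more than
    factor times its mean hourly rate (mean taken over hours that had any downloads)."""
    per_hour = defaultdict(Counter)
    for e in events:
        per_hour[e["path"]][e["ts"][:13]] += 1   # "YYYY-MM-DDTHH" bucket
    spikes = []
    for path, counts in per_hour.items():
        avg = mean(counts.values())
        for hour, n in sorted(counts.items()):
            if n >= min_count and n > factor * avg:
                spikes.append((path, hour, n))
    return spikes


if __name__ == "__main__":
    baseline = geo_baseline(parse_downloads(BASELINE_LOG))
    new_events = parse_downloads(NEW_LOG)
    for e in find_geo_outliers(baseline, new_events):
        print(f"GEO   {e['ts']} {e['ip']} {e['country']} {e['path']}")
    for path, hour, n in find_hourly_spikes(new_events):
        print(f"SPIKE {hour} {path} downloaded {n} times")
```

On the constructed data the geographic check flags the Russian and Chinese downloads of the sales guide, and the volume check flags the 23:00 hour, in which six distinct addresses fetched the same file. The region-level version of the check the article mentions (California versus Indiana or Ohio) is the same logic with a region column in place of the country column.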

Never allow internal portals (Intranet), documents, or storage centers to be accessed from outside of the network. Manage access to these resources via IP restrictions or a corporate VPN, as well as ACL policy. Moreover, a good IAM (Identity and Access Management) process will also act as a solid defense, noted Rik Ferguson, VP of Security Research at Trend Micro, during an interview with CSO.

"Enabling multiple-factor authentication, and managing ageing accounts and passwords effectively, should be standard on sensitive data repositories or servers," he said.

Likewise, monitor ICMP traffic on the network, and familiarize yourself with the ways the protocol can be used for reconnaissance efforts. A good primer for this was published by SANS, and is available here. Further, watch for scans that sweep the network's subnet. This is rare, and rather noisy, but it happens. Probes on seemingly random ports should also be checked.
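As an added example (not from the article or from SANS), here is a small detector for the two patterns just mentioned, run over firewall-style log lines: an ICMP echo-request sweep across a subnet, and a spread of probes on seemingly random ports of a single host. The log format, the addresses (RFC 5737 documentation ranges plus an assumed 10.0.5.0/24 internal network), the one-minute bucketing and the thresholds are constructed assumptions for the example.

```python
from collections import defaultdict


def constructed_firewall_log():
    """Constructed firewall-style log (not real traffic). Columns: time, action, protocol,
    source, destination, then the destination port for TCP/UDP or the ICMP type for ICMP
    (8 = echo request). Addresses come from the RFC 5737 documentation ranges; the
    10.0.5.0/24 'subnet' is an assumed internal network."""
    lines = [
        "2014-02-10T03:14:01Z ACCEPT TCP 192.0.2.10 10.0.5.20 443",
        "2014-02-10T03:14:03Z ACCEPT ICMP 10.0.5.3 10.0.5.1 8",      # an admin pinging the gateway
        "2014-02-10T03:15:40Z ACCEPT TCP 192.0.2.10 10.0.5.20 443",
    ]
    # One external address sending echo requests to twelve hosts of the subnet within a minute.
    lines += [f"2014-02-10T03:14:{5 + i:02d}Z DROP ICMP 203.0.113.50 10.0.5.{i + 1} 8"
              for i in range(12)]
    # Another address touching a spread of seemingly random ports on one server.
    ports = [21, 22, 23, 25, 80, 110, 143, 443, 445, 1433, 3389, 5900, 8080]
    lines += [f"2014-02-10T03:20:{10 + i:02d}Z DROP TCP 198.51.100.77 10.0.5.20 {p}"
              for i, p in enumerate(ports)]
    return "\n".join(lines)


def parse_firewall(text):
    """Parse the six-column format above; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[5].isdigit():
            continue
        ts, action, proto, src, dst, last = parts
        events.append({"minute": ts[:16], "action": action, "proto": proto,
                       "src": src, "dst": dst, "port": int(last)})
    return events


def detect_scans(events, host_threshold=10, port_threshold=10):
    """Two heuristics over one-minute buckets:
    - host sweep: one source reaches >= host_threshold distinct destinations (ICMP echo
      requests count here, which is the classic ping sweep; other ICMP types do not);
    - port probe: one source touches >= port_threshold distinct TCP/UDP ports on one host.
    Accepted and dropped packets both count: a probe that was dropped is still a probe."""
    hosts = defaultdict(set)   # (src, minute, proto) -> destination hosts
    ports = defaultdict(set)   # (src, dst, minute)   -> destination ports
    for e in events:
        if e["proto"] == "ICMP":
            if e["port"] == 8:
                hosts[(e["src"], e["minute"], "ICMP")].add(e["dst"])
        else:
            hosts[(e["src"], e["minute"], e["proto"])].add(e["dst"])
            ports[(e["src"], e["dst"], e["minute"])].add(e["port"])
    findings = []
    for (src, minute, proto), dsts in sorted(hosts.items()):
        if len(dsts) >= host_threshold:
            findings.append(("host_sweep", proto, src, minute, len(dsts)))
    for (src, dst, minute), ps in sorted(ports.items()):
        if len(ps) >= port_threshold:
            findings.append(("port_probe", src, dst, minute, len(ps)))
    return findings


if __name__ == "__main__":
    for finding in detect_scans(parse_firewall(constructed_firewall_log())):
        print(*finding)
```

The legitimate traffic in the sample (one client using port 443, one administrator pinging the gateway) never reaches either threshold, while the sweep and the port probe each produce one finding. Fixed one-minute buckets are deliberately simple; a slow scan spread over hours would need a longer window or a per-source running count.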

When it comes to OSINT, another defensive technique is to limit the amount of information that is displayed publicly, including phone directories, staff directories, overly specific staff and leadership profiles, project plans, business and channel partnerships, and customer lists.

While such data is viewed as harmless, and often as a key resource for sales initiatives, it allows ties and connections to be made, and offers a wider attack surface. As mentioned previously, filtering metadata is also a key mitigation step, and one that organizations should be in the habit of doing. In both cases, however, how far to limit such data will need to be determined by a robust risk assessment, and that effort should include all areas of the business.
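The metadata step above, and the EXIF extraction the image tools earlier on this page perform, can be shown with a small pure-Python JPEG walker, added here as an example that is not from the article or from any of the tools it names. It lists the metadata segments a file carries (the view an attacker's EXIF tool gets) and strips them before the image is published. The minimal JPEG byte string is constructed for the example and is not a real photograph; the segment names follow the JPEG/JFIF marker definitions.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
# Header segments that carry metadata rather than image data: APP1 (Exif, which can hold
# GPS position, camera serial and editing software; also XMP), APP13 (IPTC/Photoshop), COM.
METADATA_MARKERS = {0xE1: "APP1", 0xED: "APP13", 0xFE: "COM"}


def iter_segments(data):
    """Walk the marker segments before the scan data. Yields (marker, start, end, payload)
    and stops at SOS (0xDA), after which entropy-coded image data runs until EOI."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:   # 0xFF fill bytes may precede a marker
            pos += 1
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):          # SOS or EOI: no more header segments
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        yield marker, pos, end, data[pos + 4:end]
        pos = end


def describe(marker, payload):
    if marker == 0xE1:
        if payload.startswith(b"Exif\x00\x00"):
            return "APP1 (Exif)"
        if payload.startswith(b"http://ns.adobe.com/xap/1.0/\x00"):
            return "APP1 (XMP)"
        return "APP1 (other)"
    return {0xED: "APP13 (IPTC/Photoshop)", 0xFE: "COM (comment)"}[marker]


def list_metadata(data):
    """What a reviewer would check before publishing: the metadata segments present."""
    return [describe(m, p) for m, _, _, p in iter_segments(data) if m in METADATA_MARKERS]


def strip_metadata(data):
    """Return (cleaned_jpeg, removed_descriptions). Only header segments listed in
    METADATA_MARKERS are dropped; everything else, including the scan data, is copied as-is."""
    out = bytearray(SOI)
    removed = []
    last_end = 2
    for marker, start, end, payload in iter_segments(data):
        if marker in METADATA_MARKERS:
            removed.append(describe(marker, payload))
        else:
            out += data[start:end]
        last_end = end
    out += data[last_end:]                  # SOS header, scan data and EOI, untouched
    return bytes(out), removed


def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed minimal JPEG (not a real photo): JFIF header, an Exif stub with a TIFF header,
# a comment, a quantization table, then a scan header, three bytes of scan data and EOI.
SAMPLE_JPEG = (
    SOI
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08\x00\x00")
    + _segment(0xFE, b"Shot at HQ, 3rd floor")
    + _segment(0xDB, b"\x00" + b"\x01" * 64)
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56"
    + EOI
)

if __name__ == "__main__":
    print("before:", list_metadata(SAMPLE_JPEG))
    cleaned, removed = strip_metadata(SAMPLE_JPEG)
    print("removed:", removed, "after:", list_metadata(cleaned))
```

Stripping at the header level keeps the image bytes bit-for-bit identical, which is the safe way to do it for a publishing pipeline: nothing is re-encoded, only the Exif, IPTC and comment segments disappear. Running the stripper over its own output is a no-op, which makes it cheap to apply to everything that leaves the organization.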


Be mindful of banner grabbing, which is a common and easily used technique that enables someone doing reconnaissance work to learn a good deal about your organization's technical environment.

"A quick telnet to listening ports of servers will very often reveal product versions and patch levels of external facing mail, Web or FTP servers for instance, and allow the attacker to compromise with selected vulnerabilities or known common misconfigurations," Ferguson explained.
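As an added example (not from the article or from Trend Micro), the script below turns the check Ferguson describes into a self-audit a defender can run against their own externally facing services: connect, read the greeting, and flag any banner that names a product together with a version number. The regular expression, the list of protocol names it ignores, and the one-shot local listener used to exercise it offline are all assumptions of this example.

```python
import re
import socket
import threading

# "Product version" tokens such as OpenSSH_6.6p1, Apache/2.2.22 or ProFTPD 1.3.5.
# Assumed pattern for this example; bare protocol versions (SSH-2.0, HTTP/1.1) are
# excluded because they say nothing about the software behind the port.
PRODUCT_VERSION = re.compile(r"\b([A-Za-z][\w-]*)[ /_-](\d+(?:\.\d+)+[A-Za-z0-9]*)")
PROTOCOL_NAMES = {"SSH", "HTTP", "SMTP", "ESMTP", "FTP", "IMAP", "POP3"}


def leaked_versions(banner: str):
    """Return the (product, version) pairs a banner gives away; an empty list is the goal."""
    return [(product, version) for product, version in PRODUCT_VERSION.findall(banner)
            if product.upper() not in PROTOCOL_NAMES]


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 3.0) -> str:
    """Connect and read whatever the service says first. Services such as HTTP say nothing
    until asked, so an optional probe (e.g. b"HEAD / HTTP/1.0\\r\\n\\r\\n") can be sent."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        if probe:
            conn.sendall(probe)
        try:
            return conn.recv(1024).decode("utf-8", "replace")
        except socket.timeout:
            return ""


def audit(targets):
    """targets: iterable of (host, port, probe) for your own servers. Returns
    {(host, port): leaks}, with leaks = None when the port could not be read at all."""
    results = {}
    for host, port, probe in targets:
        try:
            results[(host, port)] = leaked_versions(grab_banner(host, port, probe))
        except OSError:
            results[(host, port)] = None
    return results


def serve_banner_once(banner: bytes) -> int:
    """Test fixture: a one-shot listener on 127.0.0.1 that sends `banner` to the first
    client, so the audit can be exercised without touching a real server. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def _serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=_serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed banner in the style of an OpenSSH identification string.
    port = serve_banner_once(b"SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu1\r\n")
    for target, leaks in audit([("127.0.0.1", port, b"")]).items():
        print(target, "leaks:", leaks)
```

The point of the audit is the empty list: a greeting such as "220 mail.example.com ESMTP Postfix" or an SSH string with the version suffix removed passes, while "Server: Apache/2.2.22 (Ubuntu)" is exactly the patch-level disclosure Ferguson warns about. Most servers have a configuration option to trim the banner; hiding the version is no substitute for patching, but it denies the attacker the shortcut of matching the version against a list of known issues.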

Once the attacker has performed reconnaissance, the next step is weaponization and delivery. Part two of this series will examine that aspect, as well as how it can be addressed.

Copyright © 2014 IDG Communications, Inc.
