Scoping the Phase
Every organization and red team assessment is different, and this is reflected in the way that a red team does reconnaissance. Under some circumstances, a red team assignment may even be considered a white-box or gray-box assessment, mirroring the level of preparedness and information an adversary may have. In a white-box red team assessment, the red team is provided all relevant information about the network and can use this information to guide their reconnaissance efforts. In a gray- or black-box assessment, the red team may be searching a bit more blindly for relevant information about the organization. The goals and methodologies of the reconnaissance phase of a red team assessment are shaped by the goals of the assessment. The vast quantity of data available about an organization, its employees, and its business partners means that it’s often impossible to collect and analyze all available data. To be effective, a red team performing reconnaissance must determine what questions they have and look for data that may help to answer these questions. For example, in an assessment that disallows social engineering, it is probably unnecessary to build a complete profile on the CEO and their personal habits. However, knowing that the CEO is a proponent of cloud services may be useful for finding AWS S3 buckets that may be accessible and contain sensitive information.
Achieving Phase Goals
The goal of the reconnaissance phase of a red team assessment is setting up the red team members for success by providing them with access to the information that they will need to plan their attack. The main goals of this stage in the assessment are collecting the necessary information and managing it in a way that ensures that all necessary information has been collected and is available when needed.
Data Collection
The main goal of reconnaissance is collecting data about the target of the red team assessment. Since the red team wishes to remain undetected, this is mainly performed using “passive” methods, i.e., nothing that involves interacting with the target in a way different from the average customer. Sources for useful data for reconnaissance include (but are not limited to) open-source intelligence, digital and physical monitoring and social engineering.
Open-Source Intelligence (OSINT)
An extremely powerful and often undervalued source of information for a red team assessment is open-source intelligence or OSINT. OSINT includes anything that is publicly available and can be accessed without drawing excessive attention to the red team. Examples of commonly-used sources of OSINT include:
The company website
    Product information (useful for social engineering and identifying valuable data)
    Organizational information (useful for identifying potential targets)
    Contact information (can provide an access point for social engineering or a starting point for finding “secret” contact information)
Social media
    Employee relationships (useful for social engineering)
    Product information (useful for social engineering and identifying valuable data)
Job postings
    Information about the company infrastructure (based on desired skill sets)
    Job vacancies (basis for social engineering and identification of security holes, such as lacking a CISO)
Public databases
    The Wayback Machine: historical information from the company website
    Pipl.com: information about specific people
    ICANN: information about IP addresses, domain registration and so on
A vast amount of information about an organization can be found using OSINT and applied to planning a red team assessment. Combining skill sets described in job posts and IP and DNS registration information can allow a red team to identify with a reasonable level of certainty the exact types of services running on a particular machine (and their potential vulnerabilities) without revealing any signs of their interest to the target organization.
Digital and Physical Monitoring
While active monitoring may be more efficient in gathering information about a target, it has the downside of being much more visible and likely to be detected and acted upon. Passive monitoring, whether of digital or physical attributes, can provide a great deal of information about an organization while being much more difficult to detect. Passive digital monitoring of an organization’s network requires the ability to observe the network traffic without taking any unusual actions or initiating connections. If the organization has an open Wi-Fi network, joining it with a NIC set in promiscuous mode can provide a great deal of information about the number, types and even software details of machines on the network. Even if a Wi-Fi network is protected, learning of its existence is useful for network mapping and provides a clear target for future information gathering.
The physical side of security is just as important as the digital and is often overlooked in cybersecurity planning. Physical access to an organization’s assets can lead to compromise of computers, planting of malicious devices and more. By monitoring the standard employee habits and physical security measures of an organization (security guards, cameras, smartcard-controlled access and so on), a red team can identify potential vulnerabilities that could lead to a way to bypass the site’s cybersecurity measures. While monitoring a site, the red team may even have the opportunity to collect or steal crucial information in the form of discarded or unguarded electronic or physical media.
Social Engineering
If permitted as part of the assessment, social engineering can be a powerful tool in a red team’s toolkit. Social engineering attacks take advantage of vulnerabilities in how humans think and act in order to bypass physical or digital defenses. Social engineering can help throughout the assessment process, but one of its main benefits is as a source of information that is otherwise not publicly accessible. People are willing to give away all kinds of information without realizing its importance. Want to know when someone will be out of the office? Try to schedule a meeting with them. Want to get detailed information about a company’s operations and maybe an on-site tour? Apply for a job post and hopefully land an interview. Social engineering is a powerful tool for a red team, taking advantage of how people undervalue certain information or levels of access.
Data Management
There are three main ways to mess up reconnaissance: fail to collect the data that you need, collect too much data, and collect the right data but not be able to find it when it’s needed. If the reconnaissance phase of the red team assessment is appropriately scoped, the first two issues shouldn’t be a problem. A strong data management policy ensures that a red team won’t fall prey to the third. Before beginning a red team assessment, the red team needs to decide on a system for storing the data collected throughout the assessment. This is valuable in every phase of the assessment, since the team may need to be able to access a fact at a moment’s notice and needs to be able to provide comprehensive records in the event of a mistake or when reporting to their customer. During the reconnaissance phase, all members of the team should follow the data management policy. This ensures that all of the necessary questions are answered (if possible), removes duplication of effort and sets the team up for success in later stages.
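The question-driven scoping described earlier and the data management policy described here can be enforced with a small findings register. The following is an added example, not code from the original article: every finding must map to a question the team agreed on in scoping, duplicates are dropped so effort is not repeated, each record carries its source and collection method for the report trail, and the team can ask at any time which questions are still unanswered. The sample questions and findings are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Finding:
    question: str      # the scoped question this fact helps answer
    fact: str          # the collected data point
    source: str        # where it came from (website, job post, registry, ...)
    method: str        # "passive" or "active"; the article recommends passive
    collected_at: str  # ISO-8601 UTC timestamp, kept for the record trail


class ReconRegister:
    """Question-driven store for reconnaissance findings."""

    def __init__(self, questions):
        self.questions = list(questions)
        self._findings = {}  # (question, normalised fact) -> Finding

    def add(self, question, fact, source, method="passive", when=None):
        # Anything outside the agreed question list is out of scope.
        if question not in self.questions:
            raise ValueError(f"out of scope: {question!r}")
        if method not in ("passive", "active"):
            raise ValueError("method must be 'passive' or 'active'")
        key = (question, " ".join(fact.split()).lower())
        if key in self._findings:
            return False  # already recorded: duplicate effort avoided
        when = when or datetime.now(timezone.utc).isoformat()
        self._findings[key] = Finding(question, fact.strip(), source, method, when)
        return True

    def answered(self, question):
        return [f for f in self._findings.values() if f.question == question]

    def unanswered(self):
        return [q for q in self.questions if not self.answered(q)]

    def active_touches(self):
        # Anything collected actively is a detection risk worth reviewing.
        return [f for f in self._findings.values() if f.method == "active"]


def build_sample_register():
    """Constructed sample data, not taken from any real assessment."""
    reg = ReconRegister(["cloud providers in use?", "entrance physical controls?"])
    reg.add("cloud providers in use?", "Job post asks for AWS S3 experience", "careers page")
    reg.add("cloud providers in use?", "job post asks for  aws s3 experience", "careers page")
    return reg
```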
Setting the Stage
Reconnaissance is the second phase in a red team assessment. The goal of this phase is to collect the information that the team will need in order to successfully perform the rest of the assessment. A reconnaissance phase is successfully completed when the red team has collected and organized any available and pertinent information about the target in a way that maximizes its utility for future phases.