Footprints on the internet

Tristan Leiter
Cybersecurity Blog

"Know your enemy as you know yourself." This well-known quotation from Sun Tzu, a Chinese general who wrote the famous book "The Art of War", dates back to the 5th century BC.

Although Sun Tzu dealt primarily with military strategy, the principle is applicable to domains as varied as politics, economics, game theory ... or even information security. In fact, "Know your enemy as you know yourself" finds a direct application whenever a website or organisation falls victim to a cyberattack. Why? A closer study of the methods used by hackers will help answer this question.

Plan of attack

Let's pretend we are hackers targeting an organisation we will call MyCompany. To begin with, we will try to gather as much information as possible about our target. The more we get, the greater our chances will be of finding a potential entry point into their IT systems. This phase is often underestimated, even overlooked, by an "amateur" hacker. It is however decisive, as the success of an attack will depend on the quantity of useful information gathered.

An attacker has a major advantage over his victim: the data he is looking for is often publicly accessible on the internet. Social networks, DNS servers and websites are some of the sources commonly used by hackers. The useful source types differ from one company to the next, and the amount of information gathered will be proportional to the length of time the attacker dedicates to the task.

Hackers have another advantage, which is this time in direct relation to the virtualisation of the "battlefield": their targets will in all likelihood remain unaware they are being thoroughly researched, since the data collected is freely available. Requests made to a website while collecting data are lost in the sheer volume of internet traffic, while data available on social networks is not under the control of the company. A spy no longer has to enter the enemy lines, then get out unharmed, to gather information...

Every single piece of data is valuable

The hacker may look for various types of information:

  • Business: Any data that helps him understand how the company operates, what type of services or products it offers, the means of communication between the company and its customers (web portal, VPN, email), the keywords related to the products and solutions sold by the company, etc.

  • People: For hackers, professional social networks such as LinkedIn, Viadeo and Xing are treasure troves of information about employees. Name, email address, telephone, position in the company are all useful pieces of information they will store and use later. Private social networks such as Facebook are also used to get private information about each employee, so that the hacker can piece together precise profiles of his targets.

  • Documents: The docx, xls and pdf files which are often available on company websites contain metadata, i.e. information about the document itself. They show who the author is, when it was created and using what software. This information, which is added automatically when the document is created, turns out to be extremely useful for the attacker. The author of the document often happens to have an account in the targeted domain. Besides, knowing the detailed OS or software version used in the company makes it much easier to select the precise vulnerability that will open the way into a user's workstation.

  • Network: Starting from a domain such as myCompany.com, the hacker then looks for related subdomains, such as: www.myCompany.com, or mail.myCompany.com. These are easy to guess and are therefore often in the firing line in the event of an attack. But they are also the most carefully protected by the IT team. As a result, other subdomains in turn become very interesting targets. They often expose very specific services that might not be secured as tightly as a web or mail service, such as test servers or even "forgotten" devices. Hackers use various methods to identify as many as possible of these subdomains.
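The "Documents" point above is the one a company can verify for itself before a file goes online. The following script is an added example, not code from the original post: it opens a .docx (an OOXML zip), reads the author, last editor, application version and company fields from docProps/core.xml and docProps/app.xml, lists what an outsider would learn from them, and produces a scrubbed copy. The sample document is constructed in the script itself, and the field selection and helper names are assumptions made for this example.

```python
import io
import re
import zipfile

# Locations of the metadata parts inside a .docx package (OOXML standard paths).
CORE_PATH = "docProps/core.xml"
APP_PATH = "docProps/app.xml"

# Fields read from each part. Tag names follow the OOXML core/app property schemas;
# the set chosen here is an assumption for this example.
CORE_FIELDS = {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
               "created": "dcterms:created", "modified": "dcterms:modified"}
APP_FIELDS = {"application": "Application", "app_version": "AppVersion", "company": "Company"}

# Fields blanked by scrub_docx(): the ones that name people, the exact software build
# and the organisation. Dates and the generic application name are kept.
SCRUB_TAGS = ["dc:creator", "cp:lastModifiedBy", "AppVersion", "Company"]


def _tag_text(xml, tag):
    """Text of the first <tag>...</tag> element, or None if absent or self-closing."""
    m = re.search(rf"<{re.escape(tag)}[^>]*>(.*?)</{re.escape(tag)}>", xml, re.S)
    return m.group(1).strip() if m else None


def extract_docx_metadata(data):
    """Return {field: value} for the metadata fields present in a .docx byte string."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for path, fields in ((CORE_PATH, CORE_FIELDS), (APP_PATH, APP_FIELDS)):
            if path not in names:
                continue
            xml = zf.read(path).decode("utf-8", "replace")
            for key, tag in fields.items():
                val = _tag_text(xml, tag)
                if val:  # skip empty (already scrubbed) fields
                    found[key] = val
    return found


def audit_findings(meta):
    """Human-readable list of what the metadata discloses about the organisation."""
    findings = []
    for key in ("creator", "last_modified_by"):
        if key in meta:
            findings.append(f"{key} names a person: {meta[key]!r}")
    if "application" in meta:
        findings.append(f"software disclosed: {meta['application']} {meta.get('app_version', '')}".strip())
    if "company" in meta:
        findings.append(f"company field set: {meta['company']!r}")
    return findings


def scrub_docx(data):
    """Return a copy of the document with the SCRUB_TAGS elements emptied."""
    out_buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for item in src.infolist():
            content = src.read(item.filename)
            if item.filename in (CORE_PATH, APP_PATH):
                text = content.decode("utf-8", "replace")
                for tag in SCRUB_TAGS:
                    # keep the element (so the XML stays schema-valid) but drop its text
                    text = re.sub(rf"(<{re.escape(tag)}[^>]*>).*?(</{re.escape(tag)}>)",
                                  r"\1\2", text, flags=re.S)
                content = text.encode("utf-8")
            out.writestr(item.filename, content)
    return out_buf.getvalue()


def build_sample_docx():
    """Constructed minimal .docx carrying the metadata a desktop editor would write."""
    core = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            '<dc:creator>jane.doe</dc:creator><cp:lastModifiedBy>John Smith</cp:lastModifiedBy>'
            '<dcterms:created xsi:type="dcterms:W3CDTF">2023-03-01T09:00:00Z</dcterms:created>'
            '<dcterms:modified xsi:type="dcterms:W3CDTF">2023-03-02T10:30:00Z</dcterms:modified>'
            '</cp:coreProperties>')
    app = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
           '<Application>Microsoft Office Word</Application><AppVersion>16.0000</AppVersion>'
           '<Company>MyCompany</Company></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(CORE_PATH, core)
        zf.writestr(APP_PATH, app)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    for line in audit_findings(extract_docx_metadata(sample)):
        print("before:", line)
    for line in audit_findings(extract_docx_metadata(scrub_docx(sample))):
        print("after: ", line)
```

Run over the files in a web root (or the export folder of a CMS), the audit list is the inventory of names and software versions the site currently hands out; the scrubbed copy is what should be published instead. Real documents also carry metadata outside these two parts (comments, tracked changes, embedded images), so the scrub here is the minimum, not a complete clean.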

The three main security angles

In our daily professional activities, we observe that there are two main security concerns for our customers:

  • The first, network security, remains by far the most important, both in terms of financial and human investment. Firewall, proxy, VPN and IPS remain the basis of any external corporate IT infrastructure.

  • Second concern: the human aspect of security. Organisations increasingly realise how important users are in a security strategy, but few of them do anything about it. In short: the IT team may be very well trained, but the rest of the company is not – or very little. Yet training users to understand the risks associated with the use of corporate IT tools is a key element of the company's security strategy.

  • However, a third concern must also be taken into account: the organisation's internet footprint. What data is available? And what is its impact on corporate security? Some elements make it possible to measure an organisation's footprint on the Internet: the number of company-related profiles, the number of e-mail addresses on the company website, metadata available in online documents, etc. While organisations can't know who accesses that information, they can at least partly control it. They should monitor it and carefully observe its evolution over time. The idea is not to remove any mention of the company from the internet, but rather to monitor what information is available to make sure a hacker can't use it for attacks.
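One of the footprint measures named above, the number of e-mail addresses on the company website, is easy to track over time. The script below is an added example, not code from the original post: it pulls the addresses of one domain out of a set of fetched pages, separates role addresses (info@, press@ ...) that are meant to be public from personal ones that name employees, records on which pages each appears, and diffs two measurements so that a new exposure or a successful clean-up shows up. The two "sites" are constructed in the script, the domain mycompany.example is a placeholder, and the role-address list is an assumption.

```python
import re

# Loose RFC-5322-style matcher; good enough for counting addresses in HTML.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Local parts that are deliberately public. Assumed list for this example; extend per organisation.
ROLE_LOCAL_PARTS = {"info", "contact", "sales", "support", "press", "jobs",
                    "careers", "webmaster", "noreply", "no-reply"}


def extract_addresses(pages, domain):
    """Map each address in `domain` to the sorted list of page paths exposing it.
    `pages` is {path: html} as returned by a crawl of the company site."""
    hits = {}
    suffix = "@" + domain.lower()
    for path, html in pages.items():
        for addr in {a.lower() for a in EMAIL_RE.findall(html)}:
            if addr.endswith(suffix):
                hits.setdefault(addr, set()).add(path)
    return {addr: sorted(paths) for addr, paths in hits.items()}


def classify(addr):
    """'role' for shared mailboxes, 'personal' for addresses that name a person."""
    local = addr.split("@", 1)[0]
    return "role" if local in ROLE_LOCAL_PARTS else "personal"


def footprint_snapshot(pages, domain):
    """One measurement of the e-mail footprint: who is exposed, and where."""
    hits = extract_addresses(pages, domain)
    return {
        "personal": sorted(a for a in hits if classify(a) == "personal"),
        "role": sorted(a for a in hits if classify(a) == "role"),
        "locations": hits,
    }


def compare_snapshots(before, after):
    """Addresses that appeared or disappeared between two measurements."""
    b = set(before["personal"]) | set(before["role"])
    a = set(after["personal"]) | set(after["role"])
    return {"added": sorted(a - b), "removed": sorted(b - a)}


# Constructed sample: the site before and after a clean-up that replaced
# personal addresses with a press@ mailbox and removed them from the team page.
SAMPLE_SITE_V1 = {
    "/about.html": '<p>Contact <a href="mailto:info@mycompany.example">info@mycompany.example</a></p>'
                   '<p>Press enquiries: alice.martin@mycompany.example</p>',
    "/team.html": "<li>Alice Martin &lt;alice.martin@mycompany.example&gt;</li>"
                  "<li>bob.durand@mycompany.example</li>",
    "/partners.html": "<p>Hosted by ops@hosting-provider.example</p>",  # other domain, ignored
}
SAMPLE_SITE_V2 = {
    "/about.html": "<p>Contact info@mycompany.example or press@mycompany.example</p>",
    "/team.html": "<li>Alice Martin</li><li>Bob Durand</li>",
}

if __name__ == "__main__":
    first = footprint_snapshot(SAMPLE_SITE_V1, "mycompany.example")
    second = footprint_snapshot(SAMPLE_SITE_V2, "mycompany.example")
    print("personal addresses exposed:", first["personal"])
    print("where:", first["locations"])
    print("change after clean-up:", compare_snapshots(first, second))
```

Store each snapshot with its date and the diff becomes the monitoring the text calls for: a personal address appearing on a page is a change to review, and the "removed" list is evidence that a clean-up actually took effect. The same loop applies to the other footprint measures (document metadata, public profiles) once each has an extractor.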

Interesting links