Analyzing Your Attack Surface Like A Hacker

When most people think of hacking, they think of what Hollywood portrays. In a dark basement, a hooded, perhaps tattooed outcast rapidly types nonsensical keystrokes at a flashy computer monitor for several seconds before snidely muttering, “I’m in.”

By that representation, the hacking process seems pretty straightforward: find a vulnerability, exploit it and ride off into the sunset with a bunch of credit card numbers, passwords or Bitcoin wallets. Despite its inaccuracy, that’s actually the model a lot of companies use to perform penetration tests.

The reality is that a real cyber attack requires a lot more planning and research. Understanding the target, how it works and who is involved in making it work gives hackers a much better idea of how to break in. They achieve this by doing reconnaissance work and gathering information from publicly available sources.

Much of those pieces of information are harmless by themselves. However, when combined together, they can provide useful insights to malicious actors.

Is Phishing Possible?

According to research done by PhishMe, 91 percent of cyber attacks and data breaches began with spear phishing attacks (i.e. phishing attacks based on specific targets, and not just executives).

Determining whether or not a target can be easily phished is trivial. Tools like MXToolBox allow anyone to check for email security measures like DMARC, the latest standard for preventing email spoofing. If DMARC isn’t implemented on the domain, impersonating someone in the target company and bypassing spam filtering is simple.

By impersonating an executive or team leader, hackers can harm business relationships, get privileged information from unaware employees and more.

Social Media Faux Pas

Information about a target is hard to gather without finding relationships along the way. Digging through databases and listings can yield a ton of information points, but they aren’t useful unless they relate to each other somehow.

Social media makes this easy. Let’s say the target is a systems engineer for a particular company based in New York. To make things difficult, the target’s name is “John Smith.” Searching through listings of people for the right person in New York would be a nightmare without social media.

But since the company has LinkedIn profiles attached to it, we can narrow the search down to a couple of useful criteria if we can find John’s profile:

  • Age (based on college graduation date)
  • Region of residence (based on proximity to company HQ)

Those two data points can turn a search for John Smith in New York from an endless Google results library to a handful of possibilities on Pipl.

Suddenly, searches for people in tools like skiptracer start to yield email accounts, family members and more. With email accounts, checking password leak databases (not linked here for ethical reasons) for those addresses can yield some pretty interesting results.

The target company can only hope he doesn’t use the same password on his work email account as he did on his Myspace page he made in 2006.

When Google Is Too Good At Its Job

Google’s web crawler is eerily good at its job. You don’t become the best at finding relevant information for people without inadvertently indexing some exposed secrets.

It’s so good, an entire database of useful searches and queries was created and is actively contributed to. It can even find passwords.

While the odds of finding a company’s passwords via a Google search are low (I hope), the same principles of the Google Hacking Database can be applied to other repositories of information:

  • Exposed web server directories
  • GitHub source code
  • Error pages (i.e. web vulnerabilities)

Reducing your publicly visible attack surface won’t necessarily mitigate attacks from determined threats, but it will reduce the likelihood that you’ll become someone’s low-hanging fruit target.

Leave a Reply