The attacker’s goal is to perform reconnaissance by harnessing the power of freely available information extracted using different intelligence gathering modes before executing a targeted attack.
The most widely used intelligence gathering resources are the Internet, traditional mass media including magazines and newspapers, publications such as journals and conference proceedings, corporate documents, and exposed networks.
Most resources post their information online so search engines such as Google and Bing can find the desired information. The attackers search and collect information about the targets by digging deep into the Internet.
The information gathering process harnesses the power of search engines and custom developed tools. The extracted information helps the attackers outline a target’s preferences, habits, and social culture. Intelligence gathering simply requires an Internet connection, with little additional cost incurred by the attacker.
How Do Cyber Attackers Gather Information Before Targeted Attacks?
From an attack modeling perspective, intelligence gathering is the transformation of raw data into useful information.
A very basic intelligence gathering model covers different phases that should be completed before starting a targeted attack.
The various phases are discussed below:
1. Selection and Discovery
In this phase, attackers use publicly available resources to collect details about the target. Online Social Networks (OSNs), web sites providing individuals’ identity data, government resources including reports and documents, and historical data about organizations and their employees are widely used to gather intelligence. With a data source in hand, the next step is to dig deeper to collect raw data about the target.
2. Resource extraction and mining
Once appropriate public resources have been located, the process of searching for and collecting data about the target starts. The data consists of details about the targets, such as personal data, geographical location, historical data, employer data, relationships, contacts, achievements, community contributions related to research, and supportive operations.
A target could be an individual, a group of people (such as employees in an organization or a group of individuals on a social network), or a large organization, so the type of data of interest can vary.
For example, individual data can be gleaned from various online portals such as social networks or web sites providing individual information, whereas information about exposed networks (targets) requires completely different operations to perform reconnaissance to detect exposed or vulnerable systems in the target network.
Once the raw data is in hand, it must be converted into a form that is useful for the next stage of the attack. Data must be mined and correlated as appropriate for the attack.
3. Resource correlation and information processing
Once the raw data has been collected from different resources in the previous phases, the attackers spend time correlating it before processing it. The motive is to unearth the associations of the targets and to draw a connecting line between them so that relationships can be exploited in the targeted attack.
It is a critical phase because a successful attack depends on the information derived in this phase. Data correlation before final processing provides a deep insight into the target environment and behavior. The derived information is then used to develop the targeted attacks.
4. Attack modeling
Attack modeling refers to the process of sketching an outline of the attack by using processed information from the previous phase. In this phase, the attacker defines how the information is to be used in the targeted attack.
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so obsessed with the Cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about Cybersecurity on the website and on social media platforms.
34,000+ professionals follow her on Facebook and are mesmerized by the quality of her posts there.