Hackers utilize a variety of methods and techniques to gather information before an attack. Knowing some of the more common methods can help a person or organization better prepare.
Social engineering, open-source intelligence, and dark web searches are the most common ways hackers find information prior to an attack. These methods can produce a significant amount of useful information that hackers use to build pretexts and develop attacks such as phishing focused on the target’s interests, malware customized to the target’s software, and likely username and password combinations.
These methods may feel like arcane wizardry but aren’t secret or difficult. Like any craft, they have been developed over decades of scams, cons, grifts, and modern technology usage.
How Do Hackers Find Information?
Hackers use a variety of methods and techniques to dig up, uncover, or extract information. This information is critical to designing and planning attacks on many organizations. It is the axe sharpening that comes before chopping down the target tree.
Give me six hours to chop down a tree and I will spend the first four sharpening the axe.
Abraham Lincoln (maybe)
The most prominent methods used are social engineering (SE), open source intelligence (OSINT), and dark web “scans”. They are three ways to gather much of the same information needed to prep for an attack.
The kinds of information gathered are:
- Technical – operating systems, application versions, security tools, etc.
- Client information – technology, contract, contact info, etc.
- Employee information – emails, org structure, schedules, etc.
What is Social Engineering?
Social engineering is essentially a confidence game relying on basic psychological realities, with the distinction that it aims at computer systems, or information about computer systems, as the target. Kevin Mitnick is the oft-cited great social engineer who has written a handful of books about his (and other SEs’) exploits, and he defines SE as:
Social engineering is an extremely effective technique used by hackers worldwide to compromise internal systems and proprietary information assets.
Kevin Mitnick – What Exactly is Social Engineering
Here are three psychological principles a good social engineer can leverage to pull information from an unsuspecting target.
When it comes to social engineering, make sure to train employees so they are aware of some basic social engineering techniques. Training, like all security controls, won’t stop all SE, but it will put employees on alert and help reduce the risk.
The Law of Reciprocation
This is the desire to return a favor, often by giving back more than was received. Social engineers are aware of this “law” and try to use it to their advantage to collect information.
Unbeknownst to the target, the SE can create a problem (real or imagined) that they then become the solution for. They make contact with the target ostensibly to help, but in reality they will extract information as a form of payment.
Contact can happen in person or over the phone, but the tell is that the SE leveraging this principle is always offering something up first. The moment you get wise to what is going on, take the “free vacation” (or whatever they are doing for you) and send them packing with no usable information.
Fear of Authority
This is a ubiquitous issue when it’s the right authority figure. Plenty of people aren’t afraid of just any authority figure, but most people are afraid of authority figures with some control over their life or career.
Instead of playing nice and hoping for a gift, the SE leveraging a fear of authority plays an authority who could ruin your life. They may still play nice, hoping the perceived rank has enough weight to get information, but they don’t have to.
The “authority” doesn’t have to be from the same organization. Calling as a frustrated, concerned, or angry client can often get as much or more important (and technical) information.
This one is difficult to spot because there is always a little birdy asking the important risk assessment question: what if this is for real? When in doubt, tell the requester the information will take a few moments to gather and will be sent when ready. Then take some time to check out the source of the request.
Desire to Help
People like to be nice and to be seen as nice. Social engineers prey on this. They call or come in asking for help. They put it in terms, phrases, or tones that get a helpful rise out of the target. The SE gets “helped” and the victim gets the joy of helping someone in need.
This particular technique has lost some effectiveness due to widespread security awareness training; however, it can still work when employed under circumstances the SE thinks appropriate.
What is Open Source Intelligence?
OSINT, for the hacker and the target, is any information gatherable from any public source, used to understand and develop attacks against target organizations. Examples of these sources are search engines, social media, job postings, technical databases (such as WHOIS), and government records.
The total amount of OSINT collected is used to create plans for further attacks. All of this information helps hackers develop better phishing emails, with malware (like ransomware) customized to vulnerabilities specific to the target’s applications or operating systems.
Avoid giving out this data:
- Operating system information
- Application information like type and version
- Security tools used
- VPN technology
- Collaboration technology
- Any other information about technology the company uses
This means don’t tweet about the cool new application the company just purchased, create job postings for a new developer that include application information, or get too specific on Stack Exchange when asking for help.
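A pre-publication check for the kinds of disclosures listed above, written as an added example for this article rather than the author’s own tooling: it scans a draft job posting for the technology categories the article says to keep private, flags product names paired with version numbers, and produces a version-stripped copy. The watch-list and the sample posting are constructed for the demo; a real deployment would build the list from the asset inventory.

```python
import re
from dataclasses import dataclass

# Constructed draft job posting used as sample input (not from the original article).
DRAFT_POSTING = """\
Senior Developer wanted. Our stack runs on Windows Server 2019 and Apache Tomcat 9.0.12.
You will maintain our SAP deployment and integrate with Salesforce.
We protect endpoints with CrowdStrike Falcon and remote staff connect via Cisco AnyConnect 4.10.
Team communication happens in Microsoft Teams and Slack.
Friendly office, great coffee, hybrid schedule."""

# Hypothetical watch-list keyed by the categories the article says not to publish.
CATEGORY_TERMS = {
    "operating system": ["Windows Server", "Ubuntu", "RHEL", "macOS"],
    "security tool": ["CrowdStrike", "Falcon", "SentinelOne", "Splunk", "Defender"],
    "vpn technology": ["AnyConnect", "GlobalProtect", "OpenVPN", "WireGuard"],
    "collaboration technology": ["Microsoft Teams", "Slack", "Zoom", "Confluence"],
    "business application": ["SAP", "Salesforce", "ServiceNow"],
}

# A capitalised product name (one or two words) followed by a dotted version, e.g. "Tomcat 9.0.12".
VERSION_RE = re.compile(
    r"\b([A-Z][\w.+#-]*(?:\s[A-Z][\w.+#-]*)?)\s+(?:v(?:ersion)?\s*)?(\d+(?:\.\d+)+)\b")

@dataclass
class Finding:
    line: int       # 1-based line in the draft
    category: str   # which kind of information the article warns against sharing
    text: str       # the offending term or "Product x.y.z" string

def scan_text(text: str) -> list[Finding]:
    """Return one Finding per technology disclosure, in document order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, terms in CATEGORY_TERMS.items():
            for term in terms:
                if re.search(r"\b" + re.escape(term) + r"\b", line):
                    findings.append(Finding(lineno, category, term))
        for name, version in VERSION_RE.findall(line):
            findings.append(Finding(lineno, "application version", f"{name} {version}"))
    return findings

def redact_versions(text: str) -> str:
    """Drop version numbers so the text no longer maps to version-specific vulnerabilities."""
    return VERSION_RE.sub(lambda m: m.group(1), text)

if __name__ == "__main__":
    for f in scan_text(DRAFT_POSTING):
        print(f"line {f.line}: {f.category}: {f.text}")
    print(redact_versions(DRAFT_POSTING))
```

Product names without a version (the watch-list hits) still need a human decision, since removing every vendor name from a job posting is rarely practical; the version strip is the part that can be applied automatically.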
What are Dark Web Searches?
The dark web exists next to the regular web like a parallel dimension. To access that parallel dimension someone needs the right kind of technology; in the case of the dark web, that means protocols and browsers like the Tor Browser.
Hackers, using the Tor Browser (or other means), can cross dimensions, stay anonymous, and share stolen information with each other. Some of that stolen information is identity information usable for social engineering attacks, and stolen usernames and passwords usable for, well, accessing anything those usernames and passwords might access.
Stolen usernames and passwords are one of the most common methods hackers use to gain access to business emails, virtual private networks, and other systems. Knowing if that information is brokered on the dark web requires a so-called dark web scanning service. These types of services are still new and there are a lot of imposters selling snake oil. Purchase with caution.
What to Do About Information Hackers Find
The recommendation is not to scrub everything a hacker could use. That would mean zero participation in social media and various marketing campaigns, and otherwise withdrawing from the internet at large. Do not attempt to “go dark” in an effort to blind hackers.
Instead, exercise caution when sharing information and don’t place any technical information into public communications.
Once the adversary has the information there is no real way to “get it back”. However, knowing the kinds of information that have been put out there can inform the business on what security measures to put in place.
Update the technology or relevant elements to make the information worthless. For example, if an application version was shared in a job posting, update the application (if it wasn’t already), swap the application (if feasible), or place a security control around it with appropriate monitoring and alerting.
Implement security controls to reduce the impact of the information being used. For example, multi-factor authentication can reduce the impact of any username or password leakage.
On the whole, a defense-in-depth approach, where an ounce of caution with information is worth ten pounds of recovering from a breach, is always the best approach. You don’t have to pretend you work at the CIA, but show restraint whenever information is shared.