If you’re planning on taking the CyberSec First Responder (CFR) exam, you should have a basic understanding of reconnaissance incidents. For example, can you answer this question?
Q. An APT has launched an attack on an organization. At which stage of the attack would the APT gather as much information as possible about the organization, including information about the technology it uses, its personnel, and its online presence?
A. Fingerprinting
B. Footprinting
C. Enumeration
D. Scanning
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Phases of Reconnaissance Incidents
In a reconnaissance attack, the attacker attempts to gather as much information about the target as possible. As an example, imagine that an advanced persistent threat (APT) decides to launch an attack against the Springfield Nuclear Power Plant. Before launching the attack, they start with a reconnaissance attack. During this reconnaissance phase, they learn about the Power Plant and gather information about potential weaknesses.
For the CFR certification, think of the reconnaissance attack in the following three phases: footprinting, scanning, and enumeration. Each of these phases is explored in more depth in the following sections.
Reconnaissance Attack vs Reconnaissance Incident
Domain 3 of the CyberSec First Responder objectives (Analyzing Threats to Computing and Network Environments) specifically mentions reconnaissance incidents. Note that from the target’s perspective, a reconnaissance attack is a reconnaissance incident. If attackers identify vulnerabilities, they will likely try to exploit these vulnerabilities. For this reason, many organizations have steps within their incident response plan to respond to reconnaissance incidents.
Footprinting
In the footprinting phase of a reconnaissance attack, the attacker attempts to gather as much information about the target as possible. This includes information about personnel, technologies in use, and any online presence of the organization. Attackers use a variety of different methods during this phase.
- Searching public information sources. Simple Google searches can reveal a lot of information about a target, such as its geographic location(s), names of contacts, phone numbers, and sometimes even email addresses. Additionally, attackers can use Domain Name System (DNS) and Whois queries to gain technical information, such as IP addresses. Imagine the Springfield Nuclear Power Plant published a news release about a new supervisory control and data acquisition (SCADA) system that they purchased. Attackers can easily find this news release. If attackers learn about a vulnerability with the system, they can use this information to attack the SCADA system.
- Social engineering. Attackers might try to trick employees into giving up additional information. This might be from phone calls or email, or via social media outlets such as Facebook and LinkedIn.
- Dumpster diving. Attackers may choose simply to go through dumpsters to gather information.
- Discovering technologies in use. Simple things like the code used in a web page can reveal information such as the name of a back-end database server.
Enumeration
The enumeration phase attempts to discover and list (or enumerate) each host within the network(s). The goal is to create a network map listing all the hosts. Externally, this includes all of the hosts within a demilitarized zone (DMZ). Once attackers gain access to the internal network, they repeat the processes internally. After identifying a host, attackers scan it to learn more about it.
Scanning
After gathering information on the target, attackers begin to use scanning tools to gather more information on hosts in the network. Two popular tools used for both scanning and enumeration are Nmap and Nessus. These tools often combine the scanning and enumeration phases in a single scan and can do much more. Scanning tools commonly look for:
- Open ports or running services. For example, if port 80 is open, the server is running Hypertext Transfer Protocol (HTTP) and may be a web server.
- Network access points. These may be used for virtual private networks (VPNs) and provide a path into the internal network.
- Operating systems. Relatively simple TCP/IP queries can reveal information about the hosts based on the bits set in the response.
Fingerprinting is an intensive scan that attempts to discover in-depth information about a single host. Tools often send specific queries to a host and analyze the returned packet. For example, Nmap can often identify the operating system of a host by analyzing returned packets.
Scanning and enumeration can be external or internal. External scans only scan hosts with a public IP address (accessible via the Internet). If attackers can get a foothold on the internal network, they will do similar scans on internal hosts.
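Because the incident response plan needs to recognize these phases from the target's side, the following added example (not from the CFR material or this post) classifies connection log lines by phase: a source touching many hosts (enumeration), many ports on one host (scanning), or abnormal TCP flag combinations at one host (fingerprinting). The log format, the thresholds and the sample lines are constructed assumptions.

```python
"""Classify reconnaissance activity in connection logs by phase.
Added example; log format and thresholds are assumptions."""
from collections import defaultdict

# Constructed sample lines: "src dst dport tcp_flags" (documentation IP ranges).
SAMPLE_LOG = (
    # 203.0.113.5 probes port 22 on twelve hosts: a host sweep (enumeration)
    [f"203.0.113.5 192.0.2.{h} 22 S" for h in range(10, 22)]
    # 198.51.100.7 probes fifteen ports on one host (scanning)
    + [f"198.51.100.7 192.0.2.20 {p} S"
       for p in (21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 3306, 3389)]
    # 198.51.100.9 sends flag combinations a normal handshake never produces (fingerprinting)
    + ["198.51.100.9 192.0.2.30 80 FPU", "198.51.100.9 192.0.2.30 80 -",
       "198.51.100.9 192.0.2.30 80 SF"]
    # 192.0.2.50 is an ordinary client talking to the web server
    + ["192.0.2.50 192.0.2.10 443 S"] * 3
)

# Xmas (FIN+PSH+URG), null ("-") and SYN+FIN are invalid for a legitimate connection.
ABNORMAL_FLAGS = {"FPU", "-", "SF"}

def parse(line):
    src, dst, dport, flags = line.split()
    return src, dst, int(dport), flags

def classify(lines, host_threshold=10, port_threshold=10, probe_threshold=2):
    """Return {source: set of phase labels} for every source that trips a rule."""
    hosts = defaultdict(set)   # src -> distinct destination hosts
    ports = defaultdict(set)   # (src, dst) -> distinct destination ports
    probes = defaultdict(int)  # (src, dst) -> count of abnormal-flag packets
    for line in lines:
        src, dst, dport, flags = parse(line)
        hosts[src].add(dst)
        ports[(src, dst)].add(dport)
        if flags in ABNORMAL_FLAGS:
            probes[(src, dst)] += 1
    findings = defaultdict(set)
    for src, dsts in hosts.items():
        if len(dsts) >= host_threshold:
            findings[src].add("enumeration")
    for (src, _dst), ps in ports.items():
        if len(ps) >= port_threshold:
            findings[src].add("scanning")
    for (src, _dst), n in probes.items():
        if n >= probe_threshold:
            findings[src].add("fingerprinting")
    return dict(findings)

if __name__ == "__main__":
    for src, phases in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src}: {', '.join(sorted(phases))}")
```

Real flow records carry timestamps, so a production version would apply the same counters per time window rather than over the whole file.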
Reconnaissance Summary
As a summary, a reconnaissance incident includes footprinting, enumerating, and scanning. Footprinting is broad and attempts to gather information about an entire organization. Enumeration focuses on a network and attempts to identify and list hosts within the network. Scanning narrows the focus onto a single host, and fingerprinting is a more intensive scan of a single host.
Q. An APT has launched an attack on an organization. At which stage of the attack would the APT gather as much information as possible about the organization, including information about the technology it uses, its personnel, and its online presence?
A. Fingerprinting
B. Footprinting
C. Enumeration
D. Scanning
Answer is B. The footprinting stage of a reconnaissance attack attempts to gather as much information about the target (in this case an organization) as possible. An advanced persistent threat (APT) attempts to gather information about the technology the organization is using, its personnel, and any resources that are available via the Internet.
Fingerprinting focuses on a single host, not the entire organization.
Enumeration attempts to list hosts within a network.
Scanning attempts to gather more information about a host such as open ports.
Check out this post for more information about the CyberSec First Responder exam.