Basic Cyber Operations Activity Concepts
Attacking, hacking, or offensive operations are conducted in distinct stages. Foot-printing, scanning, and enumeration are usually the initial steps with which any offensive operation starts; together they form the early stage usually called the “information gathering” stage.
Penetration testing, usually abbreviated as pen testing, is typically conducted by security teams to ensure that systems, networks, assets, servers, etc. are resistant to the different types of attacks.
Pen tests follow roughly the same stages that typically occur in attacks: information gathering, vulnerability assessment and analysis, and, third, an exploitation phase. The term “ethical hacking” is sometimes used to refer to penetration testing or defense team testing activities. It also implies learning the same hacking methods, but usually for defensive goals.
Penetration testing usually starts with a clear agreement between parties clarifying:
(1) the Dos and Don’ts
(2) the systems or assets to be tested
(3) any exceptions to be excluded from the testing process in those assets
(4) details about the testing team, the workflow process, data privacy issues, exploiting and reporting mechanisms, etc.
The main output of the penetration testing process is a detailed report that lists the different types of discovered vulnerabilities, which can relate to the network, the systems, the software, the personnel, or the workflow. Recommendations from the testing or auditing team on how such vulnerabilities can be fixed are an important part of that report.
Penetration testing can be black-box or blind, where testers are not given details about the systems and assets they are going to test, and the employees and users of those assets are not informed about the ongoing penetration test. In the white-box approach, both teams have knowledge about each other (i.e., full disclosure).
Partial disclosure, or gray-box, is a third variation. As a service, penetration testing can also be performed by external parties, with variations ranging from simple information gathering activities to a full organization audit.
Foot-printing: Foot-printing is an early phase of information gathering (it gives you a foot-print of the target) that involves interactions with the target in order to learn details about it such as: web server version, IP addresses, phone numbers, emails, namespaces, subnet info, OS info, and subdomain information for the given URL.
Examples of tools that can be used at the foot-printing stage: Netcraft (helps obtain web server version, IP address, subnet info, OS info, and subdomain information), Link Extractor (a utility to extract links or URLs), Google Maps for address details, Echosec and Maltego for online social media search, EDGAR for public company and financial information extraction, and LexisNexis for people search.
In most cases, foot-printing tools are considered passive: they receive traffic and information without actively sending the target any signal. This helps the attacker keep interaction with the target to a minimum to avoid detection.
After foot-printing, scanning activities try to get more details about the target. Ping sweeps, traceroutes, and port scans are examples of scanning methods. Nmap, with its different flavors, is one of the most popular scanning tools; it scans TCP/UDP ports looking for open ports that can be used to access target systems.
In the next phase, enumeration, much more detailed information is extracted from the target systems. The information gathered during this third phase typically includes, but is not limited to, the following: login or usernames, passwords, hidden shares, device information, network topology, protocol information, servers, services, etc.
White/black listing methods, especially for URLs and IP addresses, are popular and simple ways to eliminate known attacking addresses. For threat detection systems, it is important to monitor URLs that are known for previous malicious attempts.
Many websites and links exist that report malicious IP addresses or URLs on a periodic basis. Those malicious activities can be related to hacking, spam, Denial of Service (DoS), or being part of any type of attack or malware dissemination. Some threat detection systems create black lists of such URLs (e.g., to be blocked in the network access controls). However, using such black lists can cause several problems or challenges:
(1) The number of URLs or links in such a black list database can be huge, in the millions. This causes significant overhead or performance issues on security access controls. For a network with many users or internet connections, requiring that each traffic request be tested first against the malicious list can be a serious overhead problem.
(2) Many of those URLs or IP addresses change with time for different reasons. Attackers may do so intentionally to avoid detection, or they may use spoofing methods to change or fake their IP addresses. Additionally, those URLs and IP addresses can be sold from time to time to different users or owners.
As an alternative to dictionary-based detection of malicious URLs, rule-based detection methods can be used to study patterns of attacks.
While the dictionary-based method can be more accurate for known malicious URLs, detection methods based on common attack features can work more effectively in unknown territory.
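The contrast between a dictionary-based black list and rule-based detection, as an added example that is not part of the original text: the black list is an O(1) set lookup that only catches entries already reported, while the rules flag URLs never seen before by their common features. The list entries, the rules and the sample URLs are all constructed for illustration (documentation hostnames and RFC 5737 address ranges), not real indicators.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample black list (dictionary-based detection): only exact,
# previously reported hosts or URLs are caught. Not real indicators.
BLOCKED_HOSTS = {"bad.example", "203.0.113.7"}
BLOCKED_URLS = {"http://bad.example/login/verify"}

# Rule-based detection: constructed patterns for common features of
# malicious URLs; these can flag links that were never reported before.
RULES = [
    ("raw-ip-host", re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")),            # host is a bare IPv4
    ("executable-download", re.compile(r"\.(exe|scr|bat|js)$", re.I)),  # path ends in executable
    ("credential-lure", re.compile(r"(login|verify|account)", re.I)),   # phishing wording in path
]

def check_by_list(url: str) -> Optional[str]:
    """Dictionary-based check: set membership, catches only known entries."""
    host = urlparse(url).hostname or ""
    if url in BLOCKED_URLS or host in BLOCKED_HOSTS:
        return "blocklist"
    return None

def check_by_rules(url: str) -> list:
    """Rule-based check: returns the names of all rules the URL matches."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    path = parsed.path or "/"
    hits = []
    for name, pattern in RULES:
        target = host if name == "raw-ip-host" else path
        if pattern.search(target):
            hits.append(name)
    return hits

def classify(url: str) -> dict:
    """Combine both methods: a list hit is a high-confidence block on a known
    URL; two or more rule hits mark an unknown URL as suspicious."""
    list_hit = check_by_list(url)
    rule_hits = check_by_rules(url)
    if list_hit:
        verdict = "block"
    elif len(rule_hits) >= 2:
        verdict = "suspicious"
    else:
        verdict = "allow"
    return {"url": url, "verdict": verdict, "list": list_hit, "rules": rule_hits}
```

Running `classify` over a few constructed URLs shows the gap the text describes: a listed URL is blocked outright, while a never-reported URL on a raw IP address serving an executable under a "login"-style path is caught only by the rules.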