KEEPNET LABS > Blog > Keepnet Labs’ Threat Sharing Module: How to identify attackers in reconnaissance stage

Keepnet Labs’ Threat Sharing Module: How to identify attackers in reconnaissance stage

Fewer and fewer businesses can protect themselves and the sensitive data under their control as a result of the rapid pace of digitalization, increased attack surfaces, and variety of vulnerabilities and attack methodologies. To stop the attacks, several successful and effective recent cyberattacks brought up the question of sharing threat intelligence once more. The government […]

Fewer and fewer businesses can protect themselves and the sensitive data under their control as a result of the rapid pace of digitalization, increased attack surfaces, and variety of vulnerabilities and attack methodologies. To stop the attacks, several successful and effective recent cyberattacks brought up the question of sharing threat intelligence once more. The government and industry are hoping that timely threat intelligence exchange will provide a pro-active means of defending against cyberattacks.

Organizations can take advantage of the combined expertise, experience, and skills of that sharing community by exchanging cyber threat information within that community in order to obtain a more thorough picture of the threats their firm may face. A company can use this information to decide on defensive measures, threat detection methods, and mitigation tactics while considering the threat.

An organization can also enrich existing information and make it more useful by correlating and evaluating cyber threat information from various sources. An organization can also enrich existing information and make it more useful by correlating and evaluating cyber threat information from various sources. By independently verifying the observations of other community members, this enrichment may be attained.

What is the reconnaissance stage in the attack life cycle?

It is important to enhance awareness from the very primary stage so that attackers cannot build upon repetitive threats. One of the primary stages of any cyber attack lifecycle is the reconnaissance stage. This is the stage at which a potential cyber adversary gathers intelligence and information in order to plan their attack. Cyber adversaries could also gather intelligence on specific target websites or collect emails to and from employees. The reconnaissance phase includes network research and intelligence gathering, data security, and coding within relevant applications or websites.

Consider the different stages of reconnaissance employed by cyber-attackers.

·       Phase one: Attackers attempt to learn as much as they can about their target. Identifying DNS names that reflect the entire target organization, including all of its brands, divisions, and local representations, is part of this process.

·       Phase two: Collected DNS host names are mined and translated into IP addresses or IP address ranges.

·       Phase three: Obtaining as much information about the people associated with the organization as possible, including names, job titles, contact information, and other personal details

·       Phase four: Attackers validate the information gathered in previous phases, removing any invalid data and adding any new information gathered as a result of the verification.

The final step is to confirm that the IP addresses identified in previous phases are reachable.

Why is threat sharing important?

·      Cooperation and mutually beneficial connections: Sharing threat intelligence can improve collaboration, establishing mutual respect and trust.

·      Context and viewpoint: There are several points of view held by different persons. Sharing threat intelligence can result in intriguing and diverse conclusions from members of the community and business with a wide range of settings.

·      Elimination of bias: Everyone is prone to prejudice, which can result in exaggerated optimism or confidence while making judgments. Sharing threat intelligence might assist in identifying any blind spots.

What types of threats should be shared?

Only threat intelligence that can be used should be shared. Threat intelligence that is actionable is:

Technical indicators: Technical artifacts or observables that indicate an impending or ongoing attack, or that a compromise may have already occurred, such as occurred, such as 

·      Vulnerability

·      Malware’s name and hash values

·      Previous attacks’ IP addresses

To exploit systems, the following tactics, techniques, and procedures are used:

·      Tactic: Using malware to steal credit card information 

·      Technique: Sending an email containing keystroke logging malware in order to capture credit card data

·      Procedure: Registering a domain in order to create legitimate-looking email accounts that may evade antivirus and spam blockers.

How to Stop Attackers during the reconnaissance stage?

 An adversary must succeed at each stage of the cyber-attack lifecycle. To prevent bad actors from carrying out their nefarious plans, a potential victim only needs to stop the intrusion at any of the cyber-attack lifecycle stages. Naturally, the reconnaissance stage is not out of the equation.

Attackers’ ability to perform reconnaissance begins with network design, which is the front door to any company.

Companies should shift their point of interaction (internet access) away from their physical location and into a number of geographically dispersed locations. This entails concealing and varying network pathways used at those interaction points, as well as regularly changing these interaction points and their IP addresses.

Furthermore, multiple service providers and network connectivity types (internet, dedicated circuits, etc.) should be used. Place sensitive data in a cloaked alternate identity and location enclave. Enforce strict access controls and employ diverse, disguised network connectivity to protect the location and pathway to crown jewels data stores.

If an organization has been identified as a target, this prevents reconnaissance and adds an extra layer of protection.

Threat sharing module of Keepnet Labs

It is critical that an organization employs multi-layered security products to protect the business throughout the life cycle of email-based attacks. Keepnet Labs, as such a service provider, realized that there was very limited attention in the industry to detect and block cybercriminals when they planned their attacks. There was less chance to stop them when they launched an attack. When the criminals were able to infiltrate the institutions, there was no effective tool to detect and contain the breach.

One of the most prominent product features that Keepnet Labs has is Threat Sharing. With Threat Sharing, users will no longer need to directly identify a malicious attack to initiate inbox investigations, resulting in faster response times and proactive protection against previously unknown threats.

Let us move on to talk about real life implementation of the Threat Sharing feature by Keepnet Labs. A sector that this feature needs to be implemented upon undoubtedly is the financial service sector. Financial services can share many email attacks in a variety of ways that rely on technical automation. Keepnet Labs assists in the formation of a private Threat Sharing community and invites those involved in financial services to join and share email-threats. This is a major breakthrough.

Advantages of establishing a private Threat Sharing community using Keepnet Labs

·      Immediate insight into community threats and the risks they pose to the organization.

·      Active awareness reduces threats, and email threats targeting financial services are monitored.

·      Demonstrates protection through design architecture, illustrating to potential partners how seriously security is taken.

·      When placing the order, it is easy to determine which providers are willing to adhere to contract security requirements.

Join
Our Newsletter

Sign up to learn about the latest threats, hacking methods, and news.