1
00:00:06,650 --> 00:00:09,110
- [Instructor] Footprinting is basically the first step

2
00:00:09,110 --> 00:00:10,890
in the hacking methodology.

3
00:00:10,890 --> 00:00:13,540
It's all about gathering information.

4
00:00:13,540 --> 00:00:16,070
A lot of people refer to footprinting

5
00:00:16,070 --> 00:00:18,780
as reconnaissance or recon.

6
00:00:18,780 --> 00:00:21,619
So if I start mentioning anything

7
00:00:21,619 --> 00:00:23,660
about reconnaissance or recon,

8
00:00:23,660 --> 00:00:26,940
you know that footprinting is part of that, right?

9
00:00:26,940 --> 00:00:28,300
Now, most organizations

10
00:00:28,300 --> 00:00:31,710
share a lot of information online, right?

11
00:00:31,710 --> 00:00:35,878
And a lot of attackers take advantage of that information

12
00:00:35,878 --> 00:00:38,061
and public records

13
00:00:38,061 --> 00:00:42,410
and also information from things like DNS, WHOIS,

14
00:00:42,410 --> 00:00:44,150
and many other things that we're gonna be covering

15
00:00:44,150 --> 00:00:45,840
in the next few lessons

16
00:00:45,840 --> 00:00:48,600
that an attacker can take advantage of

17
00:00:48,600 --> 00:00:53,140
to obtain somewhat of an idea about their target, right?

18
00:00:53,140 --> 00:00:56,680
That's what we call open source intelligence,

19
00:00:56,680 --> 00:00:59,730
which is basically looking at public records,

20
00:00:59,730 --> 00:01:02,390
again, readily available information,

21
00:01:02,390 --> 00:01:05,277
information from social media sites,

22
00:01:05,277 --> 00:01:08,610
many different channels from the company's website,

23
00:01:08,610 --> 00:01:10,141
information about acquisitions

24
00:01:10,141 --> 00:01:13,958
that potentially that company has been doing,

25
00:01:13,958 --> 00:01:15,770
so acquiring other companies

26
00:01:15,770 --> 00:01:17,650
or that they actually have been acquired

27
00:01:17,650 --> 00:01:19,830
by a parent company, right?
28
00:01:19,830 --> 00:01:22,170
So we're gonna go through a lot of different steps

29
00:01:22,170 --> 00:01:25,210
and methodologies throughout the next few lessons

30
00:01:25,210 --> 00:01:26,770
related to this.

31
00:01:26,770 --> 00:01:28,840
Now, one thing that I want to introduce

32
00:01:28,840 --> 00:01:33,840
related to reconnaissance is the MITRE ATT&CK framework.

33
00:01:34,230 --> 00:01:38,400
The MITRE ATT&CK framework is basically a set of matrices

34
00:01:38,400 --> 00:01:39,330
or in this case,

35
00:01:39,330 --> 00:01:42,290
I'm actually showing the ATT&CK matrix for Enterprise,

36
00:01:42,290 --> 00:01:47,290
that describes the tactics and techniques from attackers.

37
00:01:47,520 --> 00:01:50,899
And by the way, every time that you see TTPs

38
00:01:50,899 --> 00:01:54,600
referred to on the internet, in documentation and so on,

39
00:01:54,600 --> 00:01:58,370
that stands for tactics, techniques, and procedures.

40
00:01:58,370 --> 00:02:01,720
And those are the adversarial tactics and techniques,

41
00:02:01,720 --> 00:02:03,834
and of course, procedures that are used

42
00:02:03,834 --> 00:02:08,834
to perform different things in the life cycle of an attack.

43
00:02:09,150 --> 00:02:11,500
And talking about the life cycle of an attack,

44
00:02:11,500 --> 00:02:15,750
what you see on the top here are all the different tactics,

45
00:02:15,750 --> 00:02:17,930
and tactics actually have different techniques

46
00:02:17,930 --> 00:02:19,260
and sub-techniques.
47
00:02:19,260 --> 00:02:22,830
And what you're seeing here is basically the day in the life

48
00:02:22,830 --> 00:02:25,900
of an attack or the life cycle of an attack

49
00:02:25,900 --> 00:02:27,020
from reconnaissance,

50
00:02:27,020 --> 00:02:29,993
which is what we are actually talking about here right now,

51
00:02:29,993 --> 00:02:33,820
all the way to the impact to the organization

52
00:02:33,820 --> 00:02:36,760
and of course, everything in between from initial access

53
00:02:36,760 --> 00:02:39,836
to execution of exploits and minimal malware,

54
00:02:39,836 --> 00:02:43,859
maintaining persistence, doing post-exploitation attacks

55
00:02:43,859 --> 00:02:46,980
and different tactics and techniques

56
00:02:46,980 --> 00:02:50,160
like privilege escalation, evasion, credential access,

57
00:02:50,160 --> 00:02:52,790
discovery, lateral movement, collection,

58
00:02:52,790 --> 00:02:54,500
command and control, and exfiltration.

59
00:02:54,500 --> 00:02:58,460
Even though I went very fast through those different terms,

60
00:02:58,460 --> 00:03:02,760
we will cover each of these elements of an attack

61
00:03:02,760 --> 00:03:07,760
definitely in great detail throughout the next lessons.

62
00:03:07,890 --> 00:03:09,670
Now, talking about reconnaissance,

63
00:03:09,670 --> 00:03:11,670
which is what we're talking about here right now,

64
00:03:11,670 --> 00:03:15,550
if I click on that, the cool thing about the MITRE framework

65
00:03:15,550 --> 00:03:17,610
and the reason that I'm mentioning it here

66
00:03:17,610 --> 00:03:21,661
is because they provide very detailed documentation

67
00:03:21,661 --> 00:03:24,950
of each of those tactics and techniques,

68
00:03:24,950 --> 00:03:27,719
as well as each of the sub-techniques

69
00:03:27,719 --> 00:03:31,030
for each of the elements of the attack, right?
70
00:03:31,030 --> 00:03:33,990
Now, in the case of reconnaissance, as you see here,

71
00:03:33,990 --> 00:03:36,360
things like active scanning, which, by the way,

72
00:03:36,360 --> 00:03:39,533
we will cover in detail later in the presentation,

73
00:03:39,533 --> 00:03:43,141
or gathering information about a victim,

74
00:03:43,141 --> 00:03:47,120
including emails, credentials, employee names,

75
00:03:47,120 --> 00:03:49,059
and many other things that, remember,

76
00:03:49,059 --> 00:03:53,677
this is gathering information both passively,

77
00:03:53,677 --> 00:03:58,677
so passive reconnaissance, or active reconnaissance.

78
00:03:59,597 --> 00:04:02,275
And the main difference is, of course,

79
00:04:02,275 --> 00:04:04,600
in active reconnaissance,

80
00:04:04,600 --> 00:04:08,340
you're basically sending IP packets to your victim, right?

81
00:04:08,340 --> 00:04:10,270
So I put here V for victim.

82
00:04:10,270 --> 00:04:11,876
So in this case, of course,

83
00:04:11,876 --> 00:04:15,330
you're interacting with their systems.

84
00:04:15,330 --> 00:04:16,960
Now, in passive reconnaissance,

85
00:04:16,960 --> 00:04:21,060
you're actually going over what we briefly mentioned before,

86
00:04:21,060 --> 00:04:25,950
open source intelligence, public records, DNS information,

87
00:04:25,950 --> 00:04:27,350
even certificate information,

88
00:04:27,350 --> 00:04:30,310
information about the certificates that have been issued

89
00:04:30,310 --> 00:04:33,510
for the web services of that company.
90
00:04:33,510 --> 00:04:35,610
It can be going through social media sites,

91
00:04:35,610 --> 00:04:39,820
going through acquisition and integration documents

92
00:04:39,820 --> 00:04:41,680
that may be public,

93
00:04:41,680 --> 00:04:44,550
also public financial information that you will get,

94
00:04:44,550 --> 00:04:47,500
especially if the company or the organization

95
00:04:47,500 --> 00:04:49,670
is a publicly traded company,

96
00:04:49,670 --> 00:04:51,850
and many, many, many other sources, right?

97
00:04:51,850 --> 00:04:55,250
And we will go over in detail those sources,

98
00:04:55,250 --> 00:04:58,840
the methodologies, and the tools that will help you automate

99
00:04:58,840 --> 00:05:01,450
the reconnaissance process, right?

100
00:05:01,450 --> 00:05:04,060
But again, if I wanted to actually summarize it,

101
00:05:04,060 --> 00:05:07,910
this resource from ATT&CK is invaluable.

102
00:05:07,910 --> 00:05:10,990
So I strongly recommend for you to become familiar,

103
00:05:10,990 --> 00:05:12,880
not only because of reconnaissance,

104
00:05:12,880 --> 00:05:16,080
but throughout the attack life cycle,

105
00:05:16,080 --> 00:05:19,290
with the tactics and techniques that are in the ATT&CK

106
00:05:19,290 --> 00:05:20,960
framework from MITRE

107
00:05:20,960 --> 00:05:24,810
and specifically because these are real life attacks

108
00:05:24,810 --> 00:05:28,370
and real life techniques that we have seen in the industry.

109
00:05:28,370 --> 00:05:29,203
As a matter of fact,

110
00:05:29,203 --> 00:05:31,750
I have contributed to the MITRE ATT&CK framework.

111
00:05:31,750 --> 00:05:34,580
That's why I'm a little bit of a fan here as well.

112
00:05:34,580 --> 00:05:37,140
And specifically in the network attacks

113
00:05:37,140 --> 00:05:40,410
and some observables and some documentation

114
00:05:40,410 --> 00:05:42,840
that we actually have for the matrix for network.
115
00:05:42,840 --> 00:05:45,400
And we will go over a lot of those details,

116
00:05:45,400 --> 00:05:47,163
again, later in the presentation.