[Instructor] The first type of attack category that we will cover here are reconnaissance attacks. So reconnaissance attacks include the discovery process used to basically find information about the network, their users, and the victims. So if you're an attacker and you want to gather information about the victim, you can launch what we call a passive reconnaissance attack or an active reconnaissance attack. In a passive reconnaissance attack, the threat actor investigates the victim without actually launching an active scan of their network. And they do this by searching for key users, executives or any other victims within the organization that they want to attack in social media, using tools like Spokeo to search online public records, and also using more automated tools like Maltego. Now that I mentioned Maltego, Maltego is a great tool that analyzes real-world relationships between information that is actually publicly accessible on the internet. So this includes footprinting the internet infrastructure, as well as gathering information about the people and the organization who owns it, right?
So Maltego can be used to determine these relationships between many different entries or entities, including people. So, gathering information about a specific person, like their names, their email addresses, any type of alias that they have used, personally identifiable information if they can, you know, things like physical addresses, the date of birth, what are the user's likes and hobbies, who they have worked for before, and what are their specialties. So let's say they actually find information about a user that is a sales manager in an organization, and then, you know, was able to correlate information from things like LinkedIn and see that the person actually had a job at a different company about two years ago; they can actually personalize their attack later on by actually gathering this information. So again, tools like Maltego actually make this really easy: to determine these types of relationships and also correlate those with other users or groups of people, right?
So, using social networks: looking at who your Facebook friends are, what other connections you have on LinkedIn, who you interact with on Twitter, you know, the companies, again, that you actually have worked for, any organizations that you belong to, any websites that actually have information about you, any personal websites as well, internet infrastructure information like domains, DNS names, netblocks and IP addresses of that organization; and then associating that with the specific users and any type of affiliations that are there. And of course, anything that you can find on the internet as far as documents and files related to that victim. So connections between these pieces of information are actually found using open source intelligence techniques, by querying sources such as DNS records, WHOIS records, search engines, social networks, and various online APIs, and extracting metadata about the victims. Another great tool that is actually used for passive attacks is the Social Engineering Toolkit. People call it SET, right? SET. This is a tool that was created by Dave Kennedy.
He's actually a personal friend of mine, and it is used by many pentesters and real-world attackers to perform social engineering attacks. So, the Social Engineering Toolkit is a menu-driven attack-based system, which is fairly unique, because it supports multiple scenarios, options and different customization that you can actually do. So for example, you can launch a spear-phishing attack even, right? Or send targeted email attacks against a victim. You can send multiple emails based on what you learn about that victim or individual through your searches, or by using Maltego, like I mentioned before, or you can even send malicious attachments to the victim to actually try to compromise their system as well, right? So, since the Social Engineering Toolkit is integrated with Metasploit, it actually makes it easy to carry out these types of attacks. Now that I mentioned Metasploit, Metasploit is an exploitation framework. You will learn a little bit more about it later in several other lessons. But again, it's actually a tool or a framework that includes many tools that are used by many pentesters and of course also attackers nowadays.
Now that I mentioned social engineering, let's go over what exactly social engineering is, right? So, and what are these types of attacks, right? So these attacks leverage what we call the weakest link, which is the human, right? So there's a saying out there that there's actually no patch for human stupidity. It's actually kind of true. If the attacker can get the user to reveal information, it's way easier for the attacker to actually cause some harm rather than using some other method of reconnaissance or some tools, right? Some sophisticated tools. So, this could be done through just an email or a misdirection of a webpage. So the result is the user actually clicking something that leads to the attacker getting information about that user, or to a malicious link or so. Social engineering can also be done in person by an insider or an outside entity, or over the phone.
You know, a primary example of that is if you get a phone call from somebody impersonating a bank, asking you or telling you that your bank account has been compromised or there have been some fraudulent charges; and then of course they want you to verify your account information and provide personal information over the phone. And another primary example is the attacker leveraging normal user behavior. So let's think for a second that you're a security professional, you're in charge of network firewalls or other infrastructure equipment in your company. An attacker actually can post a job offer for a fairly lucrative and attractive position, right? So, and it makes it very attractive to the victim, in this case you, the security professional. And they can put in the job description, you know, a list of pretty good benefits and compensation, far beyond what you're probably already making at your company. Then whenever you apply for that position, the criminal or the attacker even schedules an interview with you, right?
And then some of these criminal organizations actually have local folks, you know, so that it doesn't look like they are actually calling from a different country; if not that, they actually will persuade you to actually tell information about yourself and about the company, right? So since you're likely to, quote-unquote, show off your skills and your work, right? To get a job, he may ask you, how do you configure those firewalls? What other networking infrastructure devices does your company actually have? What other security products have they actually deployed, and how have they deployed them? So you may even disclose information about the firewalls used in your network, how you configure them, how you design them. And this definitely gives the attacker a lot of knowledge and information about the organization, even without performing any type of scanning or active reconnaissance in the network, right?
So, other social engineering techniques include phishing; you know, whenever the attacker actually presents a link that looks like a valid trusted resource to a user, right? Through an email. And then whenever that user clicks on the link, he is prompted to disclose confidential information such as usernames or passwords. Another one is pharming; and that's whenever the attacker uses this technique to direct the customer's URL from a valid resource to a malicious one that could be made to appear as if it's the valid site for the user, right? So from there, an attempt is actually made to extract confidential information from the user and from the organization, right? So, and another one, another example is malvertising; malvertising is the act of incorporating malicious ads on a trusted website. So, you know, that's key. And trusted websites, which definitely will fool the user, and results in the user's browsing or the browser being redirected to sites hosting malware, right? So, that's what it... is very important.
So it is extremely important that a security-aware culture must include ongoing training that consistently informs all employees about the latest security threats, as well as policies and procedures that reflect the overall vision and mission of corporate information security in your organization. This emphasis on security helps employees understand the potential risk of social engineering threats, how they can prevent against such attacks, and why their role within the security culture is critical for the overall corporate health, right? So, security-aware employees are definitely better prepared to recognize and avoid rapidly changing and increasingly sophisticated social engineering attacks, and are more willing to take ownership of security responsibilities, right?
So, one of the things that actually we do at Cisco is that from time to time, we actually send what looks like a regular email, perhaps through a survey or about benefits for different employees; and we send these emails throughout the corporation, not only to see how many users of course are actually clicking on those links that we send and/or probably attachments, but also to train the users that not all emails are equal, of course, and that you should not be clicking on things that you should not trust, right? Or it may be good to be good, too good to be true, in some cases, right? So, now official security policies and procedures take the guesswork out of operations. So, it helps employees make direct security decisions.
And these types of policies actually include, you know, things like password management, you know, of course, more authentication capabilities for VPN users and local users, like two-factor authentication; that also includes of course the anti-phishing defenses and antiviruses; change management: a documented change-management process is actually more secure than an ad hoc process, right? Which is more easily exploited by an attacker who claims to be in a crisis; information classification, you know, policies; document handling and destruction policies; and of course, physical security policies as well.