Survey and Taxonomy of Adversarial Reconnaissance Techniques

Adversaries are often able to penetrate networks and compromise systems by exploiting vulnerabilities in people and systems. The key to the success of these attacks is the information that adversaries collect throughout the phases of the cyber kill chain. We summarize and analyze the methods, tactics, and tools that adversaries use to conduct reconnaissance activities throughout the attack process. First, we discuss what types of information adversaries seek, and how and when they can obtain this information. Then, we provide a taxonomy and detailed overview of adversarial reconnaissance techniques. The taxonomy categorizes reconnaissance techniques by technical approach: target footprinting, social engineering, network scanning, and local discovery. This paper provides a comprehensive view of adversarial reconnaissance that can help in understanding and modeling this complex but vital aspect of cyber attacks, as well as insights that can improve defensive strategies such as cyber deception.
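As an added illustration of the "network scanning" branch of the taxonomy (this is example code written for this page, not code from the survey or its authors), the snippet below distinguishes two probe patterns a defender would want to recognize: a vertical scan (one source, one destination, many ports) and a horizontal scan (one source, one port, many destinations). The record layout, the Zeek-style connection states (`S0`, `SF`, `REJ`), the thresholds, and the sample log are all assumptions made for the illustration; the log is constructed, not captured traffic.

```python
"""Added example (not from the survey): classify a batch of connection
records into scan patterns from the 'network scanning' branch of the
taxonomy.  Field names, connection-state labels, thresholds and the
sample log below are assumptions made for this illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int
    state: str  # Zeek-style: "S0" SYN unanswered, "SF" full handshake, "REJ" reset


# Constructed sample records (not real traffic).
SAMPLE = [
    # vertical scan: one source probes many ports on one host
    *[Conn("10.0.0.5", "10.0.1.10", p, "REJ")
      for p in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3389)],
    # horizontal scan: one source probes port 445 across a /24
    *[Conn("10.0.0.9", f"10.0.2.{h}", 445, "S0") for h in range(1, 41)],
    # benign: a workstation talking to a web server
    *[Conn("10.0.0.20", "10.0.1.10", 443, "SF") for _ in range(30)],
]

PORT_THRESHOLD = 8    # distinct ports on one host before flagging a vertical scan
HOST_THRESHOLD = 16   # distinct hosts on one port before flagging a horizontal scan


def classify_scans(conns, port_threshold=PORT_THRESHOLD, host_threshold=HOST_THRESHOLD):
    """Return {src: [(label, detail), ...]} for sources that look like scanners.

    vertical   : many distinct destination ports on a single destination host
    horizontal : many distinct destination hosts on a single destination port
    Only failed or half-open connections count as probes, so ordinary
    client/server traffic with completed handshakes does not trip the rule.
    """
    ports_per_pair = defaultdict(set)   # (src, dst)   -> {dport}
    hosts_per_port = defaultdict(set)   # (src, dport) -> {dst}
    for c in conns:
        if c.state == "SF":
            continue  # completed handshake: treat as normal traffic
        ports_per_pair[(c.src, c.dst)].add(c.dport)
        hosts_per_port[(c.src, c.dport)].add(c.dst)

    findings = defaultdict(list)
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= port_threshold:
            findings[src].append(("vertical", {"dst": dst, "ports": len(ports)}))
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            findings[src].append(("horizontal", {"dport": dport, "hosts": len(hosts)}))
    return dict(findings)


if __name__ == "__main__":
    for src, hits in classify_scans(SAMPLE).items():
        for label, detail in hits:
            print(f"{src}: {label} scan {detail}")
```

The thresholds are deliberately coarse; a real detector would window by time and whitelist vulnerability scanners and monitoring hosts, otherwise routine internal tooling produces the same horizontal pattern as an adversary sweeping for a service.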
