CISO vs. ChatGPT: Round 2 Recon
Thank you again to Billy Joel for the endless inspiration :-)

Introduction

We are back with Round 2 of our CISO vs. ChatGPT series, where we focus on a human defender and AI attacker face-off. To make the battles (and the articles) more concise, I am breaking the combat into four bouts (thus four articles). We will explore defense and attack strategies for reconnaissance (recon), active attack, exfiltration, and response. Yes, the Kill Chain has seven stages, but less is more in this case.

Now let’s get this battle started… and to the CISO in our story, as Billy Joel said… One, Two, Three, Four, Pressure!


Recon: ChatGPT

Reconnaissance is an important step for any attacker targeting an organization. I asked ChatGPT what steps it would take to perform recon on a target. Here is what it said:

1. Footprinting: This involves gathering information about the target’s online presence, using tools like search engines and social media to find out as much as possible about the target’s website, IP address, domain name, email servers, and any connected networks.

2. Scanning: This involves using port-scanning tools to identify open ports and services on the target’s network. By identifying these ports and services, a hacker can determine what vulnerabilities might be present and create an attack plan tailored to exploit them.

3. Enumeration: This involves gathering more detailed information about the target’s systems, such as usernames, shared resources, and network shares. This can be done through techniques like banner grabbing, which involves collecting information from web server banners and other network protocols.

4. Vulnerability analysis: This involves identifying potential vulnerabilities in the target's systems or software by analyzing weaknesses or potential weaknesses in a system or organization that can be exploited. This includes analyzing software, hardware, and people. The hacker might include conducting Google dorks to find hidden pages, directories, or files.

5. Gathering information on employees and suppliers: A hacker might research employees on social media or LinkedIn to gather information about their job titles, roles, and responsibilities. Additionally, a hacker might research suppliers, partners, or customers of the target to find possible entry points in the network.

6. Spear Phishing: Send targeted phishing emails or messages to employees of the target company to gain access to their networks.


Recon: CISO

Our CISO asked for his contribution to be submitted anonymously, but let me give you a summary of his background. Our CISO earned his BS and MS degrees in computer science and a Ph.D. in Information Technology. He teaches cybersecurity at a college and has also taught courses at the SANS Institute and the Institute for Applied Network Security. Our CISO has led security programs at global financial institutions and is currently a CISO at a global bank.


Now for his response….

The reconnaissance phase is the most difficult to prevent as it is largely an effort to collect information that is intended to be made public by targeted organizations. So defensive measures here are to be conscious of the information you are exposing to the world and try to limit it to information that is technically required or otherwise serves a critical business interest.

1. Footprinting: Organizations should actively monitor their online presence. Specifically, they should be looking for the exposure of sensitive data that are unnecessary to release. An example of unnecessary data release is specific names and email addresses of key staff. Role-based inboxes should be used for most functions. Employee social-media policies can be important here. Make sure you are providing the right policy and education to your users on the safe ways to leverage social media.

Organizations should also be looking for opportunities to educate their customers/stakeholders on how to authentically engage with their organization and provide relevant security advice to help limit their susceptibility to socially driven attacks (e.g., phishing).


2. Scanning: The basic answer here is don't have ports open that you don't need and don't expose ports to the Internet (or other less trusted networks) that are not providing public services. In addition, firewalls should be configured to detect and block scanning activity.

A key item, though, is frequently verifying what services you are exposing to the Internet and regularly remediating any service/port exposures you find. Many organizations do not have effective asset management around their internet-facing estate. Conducting your own network and port scans to detect systems that are internet-facing can help significantly reduce your risk.

3. Enumeration: As with scanning, you should be using firewalls to block access to unnecessary ports, especially ports that provide configuration data about the system and its users (e.g., SMB, LDAP), and configuring servers to require authentication prior to establishing application layer connections whenever possible. More generally, you should examine what information you are accidentally making discoverable that could be used within your organization for sensitive purposes. A good example of this is usernames. Many organizations assign usernames derived from the user's real-world name or email address, which are highly discoverable through enumeration and footprinting techniques.

4. Vulnerability analysis: Make sure your VM program is effective and you can manage remediations within a tight SLA. Easier said than done, but using a risk-focused approach prioritized by exposure and criticality can make the task more achievable.

5. Gathering information on employees and suppliers: I'd normally put these activities under the footprinting category. That said, 3rd party risk has become an increasingly important part of security programs. You should know who your suppliers are, what data from you they have access to, what business processes they support, and what technical connections you share. If you become aware of a breach (through notification or threat intelligence), you will need this information to assess the risk and respond appropriately and effectively.

6. Spear Phishing: I'd consider spear phishing to be firmly in the attack part of the kill chain. But a short answer is education/testing, labeling of external communications, and proxy restrictions for uncategorized or high-risk sites.
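Added example (mine, not the article's or the CISO's code): a small detector a defender could run over firewall deny logs to surface the scanning activity the CISO says firewalls should detect, flagging any source that touches many distinct ports within a short window. The log format, addresses, threshold and window are constructed assumptions; real firewalls log differently.

```python
import re
from collections import defaultdict, deque

# Constructed, syslog-like deny line: "<epoch> DENY <src> -> <dst>:<port>"
LINE_RE = re.compile(r"^(\d+) DENY (\S+) -> (\S+):(\d+)$")
PORT_THRESHOLD = 5  # distinct destination ports per source that we call a scan
WINDOW = 60         # seconds of history kept per source


def parse_line(line):
    """Return (ts, src, dst, port) for a matching line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port = m.groups()
    return int(ts), src, dst, int(port)


def detect_scanners(lines, threshold=PORT_THRESHOLD, window=WINDOW):
    """Map each source that hit more than `threshold` distinct ports within
    any `window`-second span to the largest distinct-port count observed."""
    recent = defaultdict(deque)  # src -> deque of (ts, port), oldest first
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not fatal
        ts, src, _dst, port = rec
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:  # expire events outside the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct > threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


# Constructed sample: one source sweeps seven ports in seven seconds,
# another just retries HTTPS, and one line is noise.
SAMPLE_LOG = [
    f"{1700000000 + i} DENY 203.0.113.7 -> 192.0.2.10:{p}"
    for i, p in enumerate([21, 22, 23, 25, 80, 443, 3389])
] + [
    "1700000100 DENY 198.51.100.9 -> 192.0.2.10:443",
    "1700000105 DENY 198.51.100.9 -> 192.0.2.10:443",
    "not a firewall line",
]

if __name__ == "__main__":
    print(detect_scanners(SAMPLE_LOG))  # {'203.0.113.7': 7}
```

A single retried connection never trips the rule, and events older than the window drop out, so a slow, spread-out probe needs a longer window or a lower threshold to be caught.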

Conclusion


Round 2 goes to our CISO. As cyber threats continue to evolve, it's important for Chief Information Security Officers (CISOs) to be vigilant about protecting their companies from hacker reconnaissance. There are several key steps that a CISO can take to safeguard their organization.

It's important for CISOs to educate their employees about the risks of hacker reconnaissance and provide them with training on how to identify and respond to potential threats. This could include training on phishing attacks, social engineering tactics, and best practices for password management.


By taking the steps described by our CISO, one can help to protect their company against hacker reconnaissance and mitigate the risk of a cyber-attack. However, it's important to recognize that the threat landscape is constantly evolving, and it's important for CISOs to stay up to date on the latest security trends and best practices.

Gerard Grundler

Passionate Servant Leader. Bar raising Executive Services Delivery & Solution Sales (Direct, Channel, Alliance) Leader. I build partner ecosystems that multiply GTM Success!

1 year

+1 Cathy, always on point

Dominic Vogel

I save companies from evil cyber villains | Advocate for kindness in tech | The hype person YOU need in your life | High ENERGY speaker!!! | Avid beard grower

1 year

Vastly Valuable Volumes of ENERGY. YOU provide the universe with incredible kindness, compassion, and downright legendary AWESOMENESS!!!!!! No day is complete without seeing your content!!!! Epic fuel for the day!!!
