The Dark Detectives: How to Defeat Reconnaissance-as-a-Service

In almost any type of warfare, reconnaissance is a much-needed first step. This certainly holds true for cyberwarfare. The steps of an attack are frequently portrayed as progressing from left to right. Two examples that describe the tactics attackers employ in a campaign are the MITRE ATT&CK framework and the Lockheed Martin Kill Chain. Pre-attack tactics like reconnaissance, planning and development are included on the left side. The execution phases, which involve launching malware and stealing data, are on the right.

Since ransomware has become so profitable, cybercriminals are getting craftier and investing a lot more energy in reconnaissance. As they become more sophisticated and cybercrime syndicates grow and progress, we’re seeing the rise of reconnaissance-as-a-service (RaaS).

Good Reconnaissance is Good Business

Cybercriminals driven by financial gain will pay more attention to left-side operations as the number of incidents rises and gangs fight for a piece of the lucrative pie. These groups are expected to devote more time and resources to reconnaissance and looking for zero-day capabilities, similar to nation-state-funded APT outfits.

Bad actors can increase their chances of a successful attack by spending more time doing reconnaissance on the left side. They can often use the same reconnaissance methods against other enterprises after their first success. So, putting in a little work upfront might pay off in a big way.

Attack kits will make it simpler for other cybercriminals to reuse strategies and take advantage of vulnerabilities. Because more attackers and their affiliates will be launching assaults concurrently – as a result of these kits and the rise of malware-as-a-service – the total number of attacks is likely to increase. This, of course, increases the burden on security teams.

Operationalizing Reconnaissance

Because attacks are growing more targeted, it’s probable that attackers will employ “detectives” on the dark web to get intel on a specific target before launching an attack. Like the information one may glean by engaging a private investigator, reconnaissance-as-a-service could offer detailed attack plans. These might include an enterprise’s security plan, known external vulnerabilities, the number of servers they have, compromised credentials for sale, key cybersecurity personnel and other information.

These details will help malicious actors carry out highly targeted and effective attacks. Attacks powered by crime-as-a-service models make it crucial to halt adversaries earlier during reconnaissance.

How to Combat RaaS

Organizations require comprehensive, scalable security that supports visibility and network communication in order to defend against sophisticated attacks. Security systems should incorporate artificial intelligence because organizations need to recognize attack patterns and respond quickly and in a coordinated manner so they can thwart attacks in real time. Additionally, solutions must be scalable to deal with the rise in attacks.

Organizations need a combination of next-generation firewalls, anti-malware that includes AI detection signatures, endpoint detection and response, and advanced intrusion prevention system (IPS) detection. They should also look to a digital risk protection (DRP) solution, which is created to stop attacks at the recon phase, as well as sandbox solutions enhanced with MITRE ATT&CK mappings.

Organizations can also look to deception for help. They can draw attackers in with the aid of deception technologies, which can be used to combat both RaaS and crime-as-a-service (CaaS) during the recon stage. Organizations can learn more about their assailants and get the upper hand by using cybersecurity deception in conjunction with a DRP solution.

Organizations can stay ahead of dangers and prevent cyberattacks by using a DRP service. DRP offers a perspective on the hazards posed to the organization from outside the network. It enables enterprises to see and mitigate digital asset risks, brand-related risks, and underground and imminent threats. It offers unified threat intelligence concerning the identity of the attacker, the resources they employ, their whereabouts and methods for defeating them.

Defeating the Dark Detectives

Recon is a tried-and-true tactic; it’s been used in conflicts around the world since the dawn of time. Now that warfare is occurring in the digital landscape, cybercriminals are increasing their use of this tactic. The success of ransomware has spurred on profit-minded attackers to up their recon game, which is leading to increased use of reconnaissance-as-a-service.

Organizations need to act quickly as attackers ratchet up their activity with additional attacks and recon attempts – especially as the cost of ransomware payments rises. Use the security recommendations noted above to create a holistic platform approach to cybersecurity. The resulting high visibility and external intel will create a solid security foundation from which to repel RaaS attacks.

Douglas Jose Pereira dos Santos

Douglas Jose Pereira dos Santos is the advanced threat intelligence lead for Fortinet’s FortiGuard Labs. With close to two decades working with networking and security technology daily, with a significant portion of time spent designing, implementing and troubleshooting security and networking technologies, Douglas has considerable experience on the front lines of cybersecurity. Currently, he works as a security strategist for Fortinet’s FortiGuard Labs using his experience and skills to understand how the threat landscape is shifting and what it means for customers and partners of Fortinet.  Inside FortiGuard Labs, Douglas is helping shape the future of cyber threat intelligence, working with machine learning and big data to deliver contextual actionable security intelligence to the Fortinet Security Fabric.
