Reconnaissance: A Walkthrough of the “APT” Intelligence Gathering Process

Rotem Kerner of RSA Research has penned a short paper, Reconnaissance: A Walkthrough of the “APT” Intelligence Gathering Process. It is the first in a series we will publish that follows the Cyber Kill Chain[i].

The Cyber Kill Chain model was developed by Lockheed Martin’s Computer Incident Response Team earlier in the decade. It breaks down the stages of an attack:

  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command and Control
  • Actions and Objectives

If you can break the chain at any link, you theoretically forgo having to deal with the subsequent links. The model, though not without its critics, has been widely cited throughout the last few years. It is logical and simple.

Upon first hearing the term “Cyber Kill Chain,” I was reminded of my early days as a U.S. Army ROTC Cadet and later as a novice tank platoon leader. We used similar checklist models for acquiring and engaging targets, and for establishing a defense.

Knowing your adversary, as Sun Tzu classically taught, is a necessity.

This series, therefore, will focus on the threat actor: his or her tools, tactics, and procedures for each phase of the attack. It is an effort to illustrate the logic and resources of the threat actor for the benefit of the cyber security practitioner.

In reading Rotem’s paper, I was struck by the availability of information and the tools to collect it. What do the LinkedIn profiles of your employees say about your attack surface?


[i] CYBER KILL CHAIN is a registered trademark of Lockheed Martin Corporation