
B.3 Example of an auto-generated report

4.5 Targeted (D)DoS

This attack can be employed if the attacker is politically motivated and wants to shut down a service, website or the operations of the organization, but also as a tool of extortion. The danger is inherent in any server connected to the Internet: hostnames are quick to resolve and target. If, in addition, public IPs that are not meant to be exposed to or used by regular users are found through e.g. Shodan or public pastes of stolen data, the right security measures might not be present.

It can also be a problem if internal IP addresses are found in e.g. internal documents or website descriptions, as they can be used to claim credibility (by proving knowledge of internal network components). Additionally, techniques exist to route traffic through public IPs to unintended servers inside the network.

4.5.1 Summary of findings

Overall it is found that ACME A/S is not vulnerable to this common social engineering attack scenario.

This scenario consists of 2 requirements, of which it is expected that 1 needs to be satisfied in order for ACME A/S to be vulnerable.

During the investigation of ACME A/S, data satisfying 0 of the scenario's requirements was identified.

In Table 7 each requirement for the scenario “Targeted (D)DoS” is listed. In the following subsections, all data found to be contributing to satisfying the specific attack scenario requirement are listed, so that it is possible to gain an insight into exactly which piece of OSINT data contributed to these findings.

Intelligence gathering on ACME A/S “Summer” 2017

Requirements for this scenario        Satisfied?
Internal IPs or hostnames             False
External IPs                          False

Table 7: The individual requirements for the cyber attack scenario “Targeted (D)DoS” and the findings of the intelligence gathering satisfying them.

The individual requirements satisfied are considered so by the following findings:

4.5.2 Individual requirements

‘Internal IP’s or hostnames’ is not considered satisfied based on the findings.

‘External IP’s’ is not considered satisfied based on the findings.


5 Standards

This section relates the findings of Section 3 to 8 standards and guidance applicable to ACME A/S as an organization operating under Danish legislation.

The standards and guidance were identified through a master's thesis project in which industry standards and guidelines from renowned institutions were considered, in particular material applicable to Danish organizations.

The material chosen is published by government bodies such as NCSC (UK), the Federal CIO Council (US) and CFCS (DK), and by standardization groups such as NIST (US) and the ISO group. Finally, industry veteran Kevin Mitnick's guidance is used.

The content of this section aims to give ACME A/S guidance in understanding the findings in the context of the standards and guidance that are likely to influence the daily operations of the organization, whether imposed by legislation or in other ways.

The standards and guidance can in turn shed a different light on how specific data can (under some circumstances) enable an OSINT-enabled attack against ACME A/S.

8 standards/guidance documents were considered, each consisting of a number of controls/policies/rules.

ACME A/S is considered in violation of a standard/guideline if one of its controls/policies/rules is violated. The standards/guidance we consider ACME A/S to be in violation of are shown in Table 8.

Details of each of the 8 standards/guidance documents and the findings that lead to this conclusion are found in the following subsections, considering each standard individually.¹

Standard/guideline                    Violated?
DS/ISO 27001 – Direct violations      False
Mitnick’s guidelines                  False

Table 8: The standards/guidance considered in this report and whether ACME A/S are considered in violation of them.
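The evaluation rule is the same for attack scenarios (Section 4.5.1: a scenario counts as satisfied once 1 of its requirements is) and for standards (Section 5: a standard counts as violated once 1 of its controls is). The following is an added example written for this appendix, not the thesis's report generator; the class and field names are assumptions, and the requirement names and the finding are taken from Tables 7 and 9 of this report.

```python
from dataclasses import dataclass, field


@dataclass
class Finding:
    value: str   # the piece of OSINT data
    source: str  # where it was found (from/in/on)


@dataclass
class Requirement:
    # one requirement of a scenario, or one control/policy/rule of a standard
    name: str
    findings: list = field(default_factory=list)

    def satisfied(self) -> bool:
        # counts as satisfied (or violated) as soon as any finding supports it
        return bool(self.findings)


@dataclass
class Assessment:
    # an attack scenario or a standard/guideline; `threshold` is how many
    # requirements must be satisfied for a positive verdict (1 in this report)
    title: str
    requirements: list
    threshold: int = 1

    def satisfied_count(self) -> int:
        return sum(r.satisfied() for r in self.requirements)

    def verdict(self) -> bool:
        return self.satisfied_count() >= self.threshold

    def table(self, header: str, verdict_col: str) -> str:
        # plain-text table in the shape of Table 7 / Table 9
        width = max(len(header), *(len(r.name) for r in self.requirements)) + 2
        rows = [f"{header:<{width}}{verdict_col}"]
        rows += [f"{r.name:<{width}}{r.satisfied()}" for r in self.requirements]
        return "\n".join(rows)


# Constructed from this report (names shortened): 0 of 2 and 1 of 2 satisfied
ddos = Assessment("Targeted (D)DoS", [
    Requirement("Internal IPs or hostnames"),
    Requirement("External IPs"),
])
cio = Assessment("Federal CIO Council", [
    Requirement("Separate professional and personal life",
                [Finding("Renault Captur dCi 90", "AB12345")]),
    Requirement("Present yourself properly online"),
])

if __name__ == "__main__":
    print(ddos.table("Requirements for this scenario", "Satisfied?"))
    print("vulnerable:", ddos.verdict())       # False
    print(cio.table("Control/policy/rule", "Violated?"))
    print("in violation:", cio.verdict())      # True
```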

5.1 Federal CIO Council

Overall it is found that ACME A/S is in violation of this standard/guideline.

This standard/guideline consists of 2 individual controls/policies/rules; if one of these is violated, we consider ACME A/S in violation of this particular standard/guideline.

During the investigation of ACME A/S, data violating 1 of the controls/policies/rules was identified.

In Table 9 each control/policy/rule for the standard/guideline “Federal CIO Council” is listed.

In the following subsections, all data found to be contributing to violating the specific control/policy/rule are listed, so that it is possible to gain an insight into exactly which piece of OSINT data contributed to these findings.

¹ Please note that standard/guideline 1-5 are not reflected in the current implementation of the code generating


Control/policy/rule within this standard/guideline                                 Violated?
Separate professional and personal life: Don’t use corp. email addresses for
personal accounts (SoMe, school contact sheet etc.) – especially not in relation
with other personal details                                                        True
Present yourself properly online (including not disclosing valuable
information to an adversary)                                                       False

Table 9: The controls/policies/rules of the standard/guideline “Federal CIO Council” and the findings of the intelligence gathering considered in violation of them.

The individual controls/policies/rules are considered violated by the following findings:

5.1.1 Individual controls/policies/rules

The control/policy/rule ‘Separate professional and personal life: Don’t use corp. email addresses for personal accounts (SoMe, school contact sheet etc.) – especially not in relation with other personal details’ is considered violated based on the following findings:

‘Renault Captur dCi 90’ (found from/in/on “AB12345”)

‘Present yourself properly online (including not disclosing valuable information to an adversary)’ is not considered violated based on the findings.