Reconnaissance Phase in Pentesting: A Practical Approach
All content following this page was uploaded by Luca Caviglione on 25 February 2021.
Cyber Reconnaissance Techniques

ALMOST EVERY DAY, security firms and mass media report news about successful cyber attacks, which are growing in terms of complexity and volume. According to Industry Week, in 2018 spear-phishing and spoofing attempts of business emails increased by 70% and 250%, respectively, and ransomware campaigns targeting enterprises had an impressive 350% growth.19 In general, economic damages are relevant, as there is the need of detecting and investigating the attack as well as restoring the compromised hardware and software.15 To give an idea of the impact of the problem, the average cost of a data breach has risen from $4.9 million in 2017 to $7.5 million in 2018.19 To make things worse, attackers can now use a wide range of tools for compromising hosts, network appliances and Internet of Things (IoT) devices in a simple and effective manner, for example, via a Crime-as-a-Service business model.11

Usually, each cyber threat has its own degree of sophistication and not every attack has the same goal, impact, or extension. However, the literature agrees

as the ATT&CK framework proposes a more fine-grained partitioning.27 Despite the reference model, the first step always requires gathering information on the target and it is commonly defined as “reconnaissance.” Its ultimate goals are the identification of weak points of the targeted system and the setup of an effective attack plan.

In general, reconnaissance relies upon a composite set of techniques and processes and is not to be considered limited to information characterizing the target at a technological level, such as the used hardware or the version of software components. Attackers also aim at collecting details related to the physical location of the victim, phone numbers, names of the people working in the targeted organizations and their email addresses. In fact, any bit of knowledge may be used to develop a software exploit or to reveal weaknesses in the defensive systems. Unfortunately, the evolution of the Internet, the diffusion of online social networks, as well as the rise of services for scanning smart appliances and IoT nodes, lead to an explosion of sources that can make the reconnaissance phase quicker, easier, and more effective. This could also prevent contact with the victim or limit its duration, thus making it more difficult to detect

key insights
˽ An attack can be decomposed into some general phases. The first step always requires gathering information on the target, a.k.a. “reconnaissance.”
˽ There is a plethora of reconnaissance techniques available for an attacker and many of them do not even require a direct contact with the targeted victim.
˽ Counteracting reconnaissance attempts must be viewed within the framework of the “arms race” between attackers and defenders.
˽ Defenders appear to be a step behind attackers. Countermeasures should aim to: strengthen training, enforce proactive approaches, explore cyber deception as a defense tool, engineer reconnaissance-proof-by-design services, and rethink the privacy concept.

Figure 1. The most popular reference models used to decompose a cyber attack into phases. (Figure content: three models are shown side by side along an “Evolution of the Attack” axis, each beginning with a Reconnaissance phase: The Tao of Network Security Monitoring (Richard Bejtlich), the Cyber Kill Chain (Lockheed Martin), and the ATT&CK Framework (MITRE).)

MARCH 2021 | VOL. 64 | NO. 3 | COMMUNICATIONS OF THE ACM 89
review articles
Another important goal of social engineering is to get information about the victim or to enrich (incomplete) bits of information gathered with other techniques, for example, to compile a custom dictionary to force the password for a username/email observed on a website. With the high exposure of people to several communication channels and the variety of social media services, an attacker has a wide array of opportunities to craft reconnaissance campaigns, as he/she can use face-to-face, telephone/VoIP, or instant messaging services, as well as online scams and fake identity attacks on online social networks. Such risks are exacerbated by the Bring Your Own Device paradigm, which makes it more difficult for an enterprise to control the laptops, phones, and smart devices of its employees or to enforce access rules to shared resources like workspaces, wikis, forums, and websites.

Internet intelligence. Searching for publicly available information on the Internet is probably the first step that any attacker performs. The number of sources that can now be queried makes it possible to retrieve a huge amount of apparently insignificant fragments, which can become very informative if properly combined. In this perspective, Internet intelligence is the “offensive” subgroup of Open Source INTelligence (OSINT) and it is specialized and limited to the information available on the Internet and its services, such as the Web, public databases, specialized scanning services to map IoT nodes, and geographical or geo-referenced sources. Fortunately, the General Data Protection Regulation has partially mitigated such a risk, since access to many public databases within the European Union is restricted. Internet intelligence can also be used to perform passive footprinting, that is, the collection of publicly available information to identify a hardware and/or software infrastructure. In the following, we discuss the main usage trends of Internet intelligence.

Web sources. The increasing pervasive nature of the Web and the evolution of search engines surely added new and powerful options into the toolbox of attackers. Typically, a reconnaissance campaign starts from the website of the victim. In this way, the attacker can gather important data like employee names, email addresses, telephone numbers or the physical address of the target, which can be used to perform social engineering or drive other threats. Personal bits of information can also be “fused” and enriched with data collected from online social networks. For instance, upon retrieving the hierarchy of the company and the list of the employees, the attacker can move to Facebook or LinkedIn to launch phishing or vishing attacks.12

Search engines are central for Internet intelligence, since they can limit the interaction between the attacker and the victim, thus making the data gathering phase difficult to detect. For instance, the attacker might craft some scripts to perform screen scraping directly from a website close to the victim, hence leaving some traces in the log of the Web server. However, cached versions of the webpage provided by services like Google or the Internet Archive^a can be used to avoid leaving traces of the reconnaissance attempt.

Apart from details that can be retrieved in an organic manner from indexed pages (for example, hobbies, owned books and records, or visited stores), search engines can also be used to perform more fine-grained intelligence activities. Google Hacking23 is one of the most popular techniques; it exploits advanced operators to perform narrow and precise queries, mainly to reveal security breaches or configuration errors. For instance, the attacker can use operators like “inurl” to search within URLs. Google can then be queried with “inurl:/hp/device/this.lcdispatcher” to discover details on a printer model, to reveal potential vulnerabilities or to search for a pre-cooked exploit. Another possible reconnaissance mechanism mixes the aforementioned techniques for “Googling the Internet,” that is, using search engines to gather information on endpoints involved in a communication without the need of collecting or analyzing network traffic.38

Public databases and sources. The variety of public records available online is another important source of information. In fact, every IP address and

a https://archive.org/web/
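The screen-scraping discussion above notes that scripted retrieval of a target's site leaves traces in the Web server log. As an added example that is not part of the original article, the following Python detector reads constructed access-log lines in Combined Log Format and flags clients whose pattern looks like scripted reconnaissance rather than browsing: many distinct paths within a short window, a scripting user agent, or repeated requests for paths that do not exist. The window, the thresholds and the list of user-agent markers are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (Combined Log Format). 203.0.113.9 walks many
# distinct pages within seconds using a scripting client and probes two paths
# that do not exist; 198.51.100.4 behaves like an ordinary browsing visitor.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Mar/2021:10:00:01 +0000] "GET /about HTTP/1.1" 200 5120 "-" "python-requests/2.25.1"
203.0.113.9 - - [10/Mar/2021:10:00:02 +0000] "GET /team HTTP/1.1" 200 7300 "-" "python-requests/2.25.1"
203.0.113.9 - - [10/Mar/2021:10:00:02 +0000] "GET /team/alice HTTP/1.1" 200 3100 "-" "python-requests/2.25.1"
203.0.113.9 - - [10/Mar/2021:10:00:03 +0000] "GET /team/bob HTTP/1.1" 200 3050 "-" "python-requests/2.25.1"
203.0.113.9 - - [10/Mar/2021:10:00:03 +0000] "GET /contact HTTP/1.1" 200 2800 "-" "python-requests/2.25.1"
203.0.113.9 - - [10/Mar/2021:10:00:04 +0000] "GET /careers HTTP/1.1" 200 4100 "-" "python-requests/2.25.1"
203.0.113.9 - - [10/Mar/2021:10:00:04 +0000] "GET /sitemap.xml HTTP/1.1" 200 900 "-" "python-requests/2.25.1"
203.0.113.9 - - [10/Mar/2021:10:00:05 +0000] "GET /admin HTTP/1.1" 404 210 "-" "python-requests/2.25.1"
203.0.113.9 - - [10/Mar/2021:10:00:05 +0000] "GET /backup HTTP/1.1" 404 210 "-" "python-requests/2.25.1"
198.51.100.4 - - [10/Mar/2021:10:00:05 +0000] "GET / HTTP/1.1" 200 2100 "https://example.org/" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2021:10:00:40 +0000] "GET /about HTTP/1.1" 200 5120 "https://example.org/" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2021:10:01:30 +0000] "GET /contact HTTP/1.1" 200 2800 "https://example.org/about" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# User-agent substrings typical of scripted clients (assumed list; extend per site).
TOOL_UA_MARKERS = ("python-requests", "curl/", "wget/", "scrapy", "go-http-client")


def parse_line(line):
    """Parse one Combined Log Format line into a dict, or return None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_scrapers(log_text, window=timedelta(seconds=30), min_distinct_paths=6):
    """Return {client_ip: [reasons]} for clients whose requests look like scripted
    reconnaissance rather than browsing."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []

        # Sliding window: the largest number of distinct paths fetched inside `window`.
        best, start = 0, 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            best = max(best, len({r["path"] for r in recs[start:end + 1]}))
        if best >= min_distinct_paths:
            reasons.append(f"{best} distinct paths within {int(window.total_seconds())}s")

        # Scripted clients often do not bother to disguise their user agent.
        if any(marker in r["ua"].lower() for r in recs for marker in TOOL_UA_MARKERS):
            reasons.append("scripting user agent")

        # Requests for pages that were never linked suggest guessing, not browsing.
        not_found = sum(1 for r in recs if r["status"] == 404)
        if not_found >= 2:
            reasons.append(f"{not_found} requests for non-existent paths")

        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in detect_scrapers(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

On the sample, 203.0.113.9 is reported on all three counts while 198.51.100.4 is not. The same detector says nothing about a client that only reads cached copies from a search engine or the Internet Archive, which is exactly the blind spot the text describes; the log-based check therefore complements, and does not replace, monitoring of what is publicly cached about the site.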
traffic analysis. However, the increasing diffusion of wireless technologies like WiFi, Bluetooth, and ZigBee to connect smart things like lightbulbs, various sensors, intelligent sockets and locks, heralds a new form of techniques à la wardriving (that is, searching for and marking wireless signals for future exploitation). For instance, due to an improper configuration of wireless access points, the electromagnetic signal may be “leaking” outside the physical perimeter controlled by the victim, hence the malicious entity can expand his/her potential attack surface. For the purpose of scanning such a balkanized technological space, tools especially designed for IoT reconnaissance are becoming available. For instance, the work in33 proposes a passive tool for scanning multiple wireless technologies. An interesting idea is the use of the observed traffic to go beyond the enumeration of devices by classifying the type of the IoT node (for example, a camera or a smart speaker) and its state (for example, whether a smart switch is turned on or off). This can endow the attacker with very precise reconnaissance information.

Port scanning and fingerprinting. Methods defined as port scanning are designed to probe devices to determine whether there are open ports and exploitable services. Even if the literature abounds with methods, the most popular take advantage of the different behaviors of the three-way handshake procedure of TCP. Port scanning can then discover whether a remote TCP port is open by sending SYN/ACK packets, establishing a complete transport connection, or aborting the process in the middle.8 Its main limitation is the need to maintain a large number of TCP connections, thus causing transmission bottlenecks or exhausting the resources of the used machine. Consequently, the scanning rate is decreased and the reconnaissance attempt could be detected. A recent trend exploits distributed frameworks able to reduce both the scanning time and the anomalous resource usage that could lead to identifying the attacker.25

Scanning can also be used to recognize the guest OS or the applications available in the target nodes. This is known as fingerprinting and may be implemented both via active and passive methods. For the case of OS fingerprinting, the main technique exploits the fact that the network stack of each OS exhibits minor differences when replying to well-crafted probe packets (for example, the initial sequence number of the TCP segments, the default TTL value for ICMP packets, among others).8 Such artifacts can be utilized to remotely determine the type and version of the OS of the inspected device. Application fingerprinting uses a slightly different technique. In this case, the attackers take advantage of a “banner,” which is a sort of preamble information that a server-side application sends before accepting a client. By stimulating a host with connection requests, they can harvest banners to reveal details on the active applications and services (for example, the version of the software can be used to determine the known vulnerabilities). A typical tool used for active scanning in network information gathering is nmap.^j

Application-level reconnaissance. The class of techniques named application-level reconnaissance has recently been gaining attention, especially to infer some high-level features of the targeted host. To this aim, the attacker can utilize scanning tools to reveal certain weak points of the victim network. Possible examples of such tools are commercial suites like Nessus,^k Acunetix,^l and Vulners^m or open source solutions like IVRE^n and Vega.^o Another idea exploits probes to quantify the degree of protection of the victim. In this case, the attacker can use the timing of the responses obtained to understand whether an antivirus is working on the targeted machine or if its signatures are updated.2

Honeypot detection. Honeypots are increasingly used to collect information on malware to organize suitable defense techniques or counterattacks, especially in the case of botnets. From an attacker's point of view, they represent a hazard since they can be used to disseminate incorrect information, thus (partially) voiding the reconnaissance phase. Therefore, being able to detect confinement in a virtual/fictitious space is a core skill expected for the development of successful threats.21 To this aim, the attacker could check for the presence of TUN/TAP devices or specific entries in the ARP cache in order to have signatures to discriminate between real and virtual settings.17 Another mechanism takes advantage of the “fair” behavior of the honeypot, which prevents the node from harming a third-party entity. Thus, the attacker can try to compromise a host and launch some offensive patterns. According to the outcome, he/she can understand whether the node is real or fictitious.39

Side-channels. First envisaged by Lampson,22 the term side-channel usually defines attacks to deduce sensitive information by abusing unforeseen information leakages from computing devices. An interesting research direction started in the 1990s20 with physical side-channels targeting cryptographic algorithms and their implementation. In essence, by inspecting apparently unrelated quantities, for example, the time needed to encrypt a message, the power consumed by a host or the electromagnetic field produced by the CPU of the device, attackers were able to infer information on the used algorithms and keys, thus making it feasible to exfiltrate encryption keys or conduct probabilistic guesses. Thus, in its original vision, a side-channel required a high degree of interaction with the victim. This class of techniques is en vogue again, especially for reconnaissance purposes. For instance, it has been proven that information or signals leaked from screens,14 printers,4 and keyboards7 can be used to retrieve login credentials or cryptographic keys. Other types of side-channels are becoming increasingly used, especially those allowing the attacker to control sensors located in close proximity of the target or to infer keyboard inputs on touchscreens,34 for example, to exploit fingerprints left by the user to guess the used unlock patterns or the PIN code.3

Owing to the highly interconnected and virtual nature of modern hardware and software, side-channel attacks

j nmap.org
k www.tenable.com/products/nessus
l www.acunetix.com
m vulners.com
n ivre.rocks
o subgraph.com/vega
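The port-scanning and fingerprinting paragraphs above describe how a scanner either completes the TCP handshake or aborts it midway, and how the default TTL differs between network stacks. As an added example that is not from the article, this Python snippet runs the defender's side of that reasoning over constructed per-connection records of the kind an IDS or firewall exports: it flags sources that touch many distinct ports within a short window, labels them by handshake outcome (half-open versus completed), and coarsely estimates the probing host's initial TTL and hop distance from the TTL observed on its SYN. The record layout, the thresholds and the 64/128/255 default-TTL table are assumptions; a real deployment would take these from the sensor's own log format and tune them to the network.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnRecord:
    """One TCP connection attempt as a sensor might export it (constructed format)."""
    ts: float      # seconds since epoch
    src: str       # client address
    dst: str       # server address
    dport: int     # destination port
    outcome: str   # "half_open": SYN/ACK sent but never ACKed (client aborted mid-handshake)
                   # "completed": full three-way handshake
                   # "refused":   SYN answered with RST (closed port)
    ttl: int       # IP TTL observed on the client's first SYN


# Constructed sample: 203.0.113.7 touches 12 ports on one host inside ~1 s and never
# completes a handshake; 192.0.2.20 is an ordinary client of two services.
SAMPLE = [
    ConnRecord(1000.0 + i * 0.1, "203.0.113.7", "10.0.0.5", p,
               "half_open" if p in (22, 80, 443) else "refused", 52)
    for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080])
] + [
    ConnRecord(1001.0, "192.0.2.20", "10.0.0.5", 443, "completed", 118),
    ConnRecord(1005.0, "192.0.2.20", "10.0.0.5", 443, "completed", 118),
    ConnRecord(1010.0, "192.0.2.20", "10.0.0.6", 22, "completed", 118),
]

# Common initial TTL values of widely used network stacks (coarse heuristic, assumed).
DEFAULT_TTLS = (64, 128, 255)


def guess_initial_ttl(observed):
    """Passive fingerprint: the smallest common default TTL not below the observed
    value, and the hop count it implies. Returns (None, None) if nothing fits."""
    for default in DEFAULT_TTLS:
        if observed <= default:
            return default, default - observed
    return None, None


def classify_sources(records, window=10.0, min_ports=8):
    """Return {src: verdict} for sources that contact at least `min_ports` distinct
    (host, port) pairs within `window` seconds, labelled by handshake behaviour."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r.src].append(r)

    verdicts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r.ts)
        # Sliding window over distinct (dst, dport) pairs.
        best, start = 0, 0
        for end in range(len(recs)):
            while recs[end].ts - recs[start].ts > window:
                start += 1
            best = max(best, len({(r.dst, r.dport) for r in recs[start:end + 1]}))
        if best < min_ports:
            continue

        completed = sum(1 for r in recs if r.outcome == "completed")
        if completed == 0:
            kind = "half-open (SYN) scan"   # handshakes started but never finished
        elif completed / len(recs) > 0.5:
            kind = "connect scan"           # full handshakes, then torn down
        else:
            kind = "mixed scan"

        initial_ttl, hops = guess_initial_ttl(recs[0].ttl)
        verdicts[src] = {"kind": kind, "distinct_ports": best,
                         "initial_ttl": initial_ttl, "hops": hops}
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE).items():
        print(src, verdict)
```

The distributed scanners mentioned in the text (reference 25) spread the probes over many sources precisely to stay under a per-source threshold like `min_ports`; a per-destination view (how many distinct sources touched a host's closed ports in the window) is the natural complement to the per-source view shown here.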
can also be operated in a completely remote manner, thus avoiding contact with the victim. For instance, they can be used to map a cloud infrastructure to understand whether services are virtualized or containerized, or to perform cache-timing attacks.30 To sum up, the use of a side-channel is a double-edged sword, as it could require some physical proximity and this may increase the risk of exposure of the attacker; thus the value of the obtained information should be carefully evaluated.

Countermeasures
As has already happened in many other fields of cybersecurity, counteracting reconnaissance must be viewed within the framework of the “arms race” between attackers and defenders. Unfortunately, due to the availability of a composite amount of techniques, it is very difficult to completely prevent an attacker from inspecting a target. Over the years, countermeasures evolved and Figure 3 portrays a classification (also in this case, techniques have been located in the graph according to their estimated initial appearance).

As depicted, the evolution in the development of countermeasures experienced three main époques. In the earliest, the prime method aims at training and raising the awareness of users so as to reduce the effectiveness of social engineering or prevent the leakage of sensitive information. To complete this, constant auditing/monitoring campaigns of the information publicly available on the Internet should be performed on a regular basis. The paradigm shift happened when the design of countermeasures moved from primarily considering the human to primarily considering the technology. The first wave deals with reactive countermeasures and aims at directly responding to a specific reconnaissance technique, for instance, scanning or sniffing. The more recent trend deals with proactive countermeasures: in this case, the attacker is disturbed or hindered on a constant basis, for example, by deliberately disseminating misleading data.

Human-based countermeasures. To mitigate the bulk of information that can be gathered via social engineering, including that available on the Internet, an effective approach aims at reducing the impact of individuals by proper training and education.35 Specifically, training may limit the exposure to social engineering techniques by explaining to users what kind of information can be publicly shared and how. Training can also be beneficial for technical staff, who can learn the tools used by an attacker to reveal security breaches and design workarounds.

In parallel, security experts should perform public information monitoring on a continuous basis, that is, perform a sort of “protective” OSINT. The obtained data can be used again to instruct users and technicians. More importantly, public information monitoring can help assess the degree of security of the target, sanitize data leaks, as well as feed more sophisticated countermeasures.18

Reactive technology-based countermeasures. As hinted, reactive countermeasures are the direct response against reconnaissance attempts, including those exploiting side-channels. The main limitation of the approach is that if the threat evolves in time, the defensive mechanism has to be adjusted to stay effective. The review of the main reactive methods is as follows.

Sniffing and scanning prevention. The literature showcases several approaches to limit the ability of an attacker to sniff traffic for learning the configuration and the properties of the network.36,37 The common idea is to discover whether a wired/wireless network interface card is set to promiscuous mode, that is, all the received frames are passed to the higher layers of the protocol stack even though the host is not the intended destination. To this aim, two main techniques exist: challenge-based36 and measurement-based.37 In challenge-based methods, the defender provokes a reply from the (supposed) sniffing machine by using ad-hoc crafted network traffic (typically, packets with a forged MAC address). In measurement-based methods, a host suspected to be controlled by the attacker is flooded with suitable traffic patterns. In both cases, the provided answer or its temporal evolution will help the defender identify the reconnaissance attempt. Alas, the continuous development of hardware and OSs reduces the effectiveness of such techniques, mainly due to the need for up-to-date templates against which to compare the received traffic.9

Lastly, the advent of automatic and efficient scanning services like Shodan revamped the importance of carefully designing the addressing scheme to be used. In fact, IoT and smart devices could take advantage of IPv6 both in terms of end-to-end transparency and of the difficulty of performing a brute-force scan of the entire address space. However, IPv6 can directly expose portions of the network, thus the use of private IPv4 schemes jointly with Network Address Translation is a common and early front-line defense technique.28 Nevertheless, classical techniques (like firewalls and

Figure 3. Classification and evolution of the reconnaissance countermeasures. (Figure content: countermeasures are arranged along a time axis and grouped into human-based and technology-based, the latter split into reactive and proactive, against the reconnaissance technique they address:
Social Engineering: Training and Awareness (human-based)
Internet Intelligence: Public Information Monitoring (human-based)
Network Information Gathering: Sniffing and Scanning Prevention (reactive)
Side-Channels: Side-Channels Sanitization (reactive)
Proactive technology-based countermeasures: Cyber Deception, Moving Target Defense.)
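The challenge-based sniffer detection described above (a packet with a forged MAC address that only a promiscuous interface passes up the stack) can be modelled without raw sockets. The following Python simulation is an added example, not from the article or the works it cites: hosts with a simplified NIC filter, a defender probe that addresses an ARP request to a bogus unicast MAC, and a broadcast control probe showing that every host answers a legitimate request. The simulation assumes that a promiscuous host answers any ARP request for its own IP that reaches its stack; the bogus-MAC patterns real operating systems actually let through vary and change over time, which is why the text says the templates must be kept up to date.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    payload: dict   # ARP fields: op ("request"/"reply"), sender_ip, target_ip


@dataclass
class Host:
    mac: str
    ip: str
    promiscuous: bool = False
    seen: list = field(default_factory=list)   # destination MACs passed up the stack

    def nic_accepts(self, frame):
        """Simplified hardware filter: normally only frames for this MAC or the
        broadcast address reach the stack; a promiscuous NIC passes everything."""
        if self.promiscuous:
            return True
        return frame.dst_mac in (self.mac, BROADCAST)

    def receive(self, frame):
        """Deliver a frame; return the ARP reply the stack would send, or None.
        Assumed simplification: the stack answers any ARP request for its own IP
        that the NIC passes up, regardless of the Ethernet destination."""
        if not self.nic_accepts(frame):
            return None
        self.seen.append(frame.dst_mac)
        arp = frame.payload
        if arp["op"] == "request" and arp["target_ip"] == self.ip:
            return Frame(frame.src_mac, self.mac,
                         {"op": "reply", "sender_ip": self.ip, "target_ip": arp["sender_ip"]})
        return None


def arp_request(dst_mac, sender_mac, sender_ip, target_ip):
    return Frame(dst_mac, sender_mac,
                 {"op": "request", "sender_ip": sender_ip, "target_ip": target_ip})


def probe(hosts, dst_mac, defender_mac="02:00:00:00:00:aa", defender_ip="10.0.0.1"):
    """Send every host an ARP request for its own IP inside a frame addressed to
    `dst_mac`; return the IPs that reply."""
    replies = []
    for h in hosts:
        if h.receive(arp_request(dst_mac, defender_mac, defender_ip, h.ip)) is not None:
            replies.append(h.ip)
    return replies


def challenge_probe(hosts, bogus_mac="00:00:00:00:00:01"):
    """Challenge-based sniffer detection: the frame carries a MAC no host owns
    (constructed value), so only a promiscuous interface delivers it and only
    that host's stack answers."""
    return probe(hosts, bogus_mac)


def control_probe(hosts):
    """Control: a genuine broadcast request is answered by every live host, which
    shows that the discrimination comes from the forged destination MAC alone."""
    return probe(hosts, BROADCAST)


def build_lab():
    """Constructed segment: three hosts, one of them sniffing."""
    return [
        Host("02:00:00:00:00:02", "10.0.0.2"),
        Host("02:00:00:00:00:03", "10.0.0.3", promiscuous=True),
        Host("02:00:00:00:00:04", "10.0.0.4"),
    ]


if __name__ == "__main__":
    lab = build_lab()
    print("answered broadcast:", control_probe(lab))
    print("answered forged-MAC challenge (suspected sniffers):", challenge_probe(lab))
```

Running both probes against the same segment makes the logic of the method visible: the control establishes which hosts are alive, and the difference between the two reply sets is the list of interfaces that accepted a frame they should have dropped.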
works on a larger scale by “simulating” a whole subnetwork. Thus, observing the attacker operating in such a strictly controlled environment allows one to infer indicators of compromise that can be used both for anomaly detection purposes as well as to protect the real network from information gathering attempts.

Proactive countermeasures are expected to evolve into solutions able to combine CD and MTD approaches.40 In such setups both techniques can be seen as complementary: MTD permits adapting a system or a network to increase its diversity and complexity, while CD directs adversaries into time-consuming but pointless actions, thus draining their resources.

Conclusion and Outlook
This article has focused on the reconnaissance phase, which is the basis for the totality of cybersecurity attacks. As a general trend, the evolution of smart devices, social media, and IoT-capable applications boosted the amount of information that can be gathered by an attacker and also multiplied the communication paths that can be used to reach the victim. Therefore, the potential attack surface exploitable for reconnaissance techniques is expected to continue to grow, at least in the near future.

Regarding the development of countermeasures, defenders appear to be a step behind attackers. To fill such a gap, countermeasures should aim to:
˲ strengthen training and monitoring to also consider threats leveraging side-channels;
˲ evaluate how to incorporate results obtained via public sources into proactive countermeasures;
˲ expand solutions exploiting cyber deception also to counterattack social engineering (for example, when an employee detects a scam attempt, he/she intentionally misleads the attacker) and side-channels (for example, by deliberately leaking incorrect information);
˲ engineer a new wave of reconnaissance-proof-by-design services, for instance, by minimizing the impact of the addressing scheme, the use of IoT and the exposure to scanning services like Shodan; and,
˲ re-think the concept of privacy in a broader manner to also include protection mechanisms against advanced and malicious data gathering campaigns.

Acknowledgments
This work has been partially supported by EU Project SIMARGL, Grant Agreement No 833042 and by the Polish National Agency for Academic Exchange (Grant No PPN/BEK/2018/1/00153).

References
1. Achleitner, S., La Porta, T., McDaniel, P., Sugrim, S., Krishnamurthy, S.V., Chadha, R. Cyber deception: Virtual networks to defend insider reconnaissance. In Proceedings of the 8th ACM CCS Intern. Workshop on Managing Insider Security Threats, Oct. 2016, 57–68.
2. Al-Saleh, M., Crandall, J.R. Application-level reconnaissance: Timing channel attacks against antivirus software. In Proceedings of the 4th USENIX Conf. Large-scale Exploits and Emergent Threats, 2011, 1–8.
3. Aviv, A., Gibson, K., Mossop, E., Blaze, M., Smith, J.M. Smudge attacks on smartphone touch screens. In Proceedings of the 4th USENIX Conf. on Offensive Technologies, 2010, 1–7.
4. Backes, M., Dürmuth, M., Gerling, S., Pinkal, M., Sporleder, C. Acoustic side-channel attacks on printers. In Proceedings of the USENIX Security Symposium, 2010, 307–322.
5. Bazm, M., Lacoste, M., Südholt, M., Menaud, J. Side-channels beyond the cloud edge: New isolation threats and solutions. In Proceedings of the 1st Cyber Security in Networking Conf., Oct. 2017, 1–8.
6. Bejtlich, R. The Tao of Network Security Monitoring: Beyond Intrusion Detection. Pearson Education, 2004, ISBN: 0-321-24677-2.
7. Berger, Y., Wool, A., Yeredor, A. Dictionary attacks using keyboard acoustic emanations. In Proceedings of the 13th ACM Conf. Computer and Communications Security, 2006, 245–254.
8. Bou-Harb, E., Debbabi, M., Assi, C. Cyber scanning: A comprehensive survey. IEEE Communications Surveys & Tutorials 16, 3 (3rd Q. 2014), 1496–1519.
9. Cabaj, K., Gregorczyk, M., Mazurczyk, W., Nowakowski, P., Żórawski, P. Sniffing detection within the network: Revisiting existing and proposing novel approaches. In Proceedings of the 5G Network Security Workshop, held jointly with the 14th Intern. Conf. on Availability, Reliability and Security, 2019.
10. Cabana, O., Youssef, A.M., Debbabi, M., Lebel, B., Kassouf, M., Agba, B.L. Detecting, fingerprinting and tracking reconnaissance campaigns targeting industrial control systems. Detection of Intrusions and Malware, and Vulnerability Assessment, LNCS 11543 (June 2019). R. Perdisci, C. Maurice, G. Giacinto, M. Almgren (Eds.). Springer, 89–108.
11. Caviglione, L., Wendzel, S., Mazurczyk, W. The future of digital forensics: Challenges and the road ahead. IEEE Security & Privacy 15, 6 (Nov./Dec. 2017), 12–17.
12. Caviglione, L., Coccoli, M. Privacy problems with Web 2.0. Computer Fraud & Security 10 (2011), 16–19.
13. Collins, M., Shimeall, T., Faber, S., Janies, J., Weaver, R., Shon, M.D., Kadane, J. Using uncleanliness to predict future botnet addresses. In Proceedings of the 7th ACM SIGCOMM Internet Measurement Conference, 2007, 93–104.
14. Genkin, D., Pattani, M., Schuster, R., Tromer, E. Synesthesia: Detecting screen content via remote acoustic side channels. In Proceedings of the IEEE Symp. Security & Privacy, 2019.
15. Goodman, M. Future Crimes. Anchor Books, New York, 2016, ISBN 9780804171458.
16. Holz, T., Gorecki, C., Rieck, K., Freiling, F. Measuring and detecting fast-flux service networks. In Proceedings of the 15th Network and Distributed System Security Symp., 2008, 257–268.
17. Holz, T., Raynal, F. Detecting honeypots and other suspicious environments. In Proceedings of the 6th Annual IEEE SMC Information Assurance Workshop, 2005, 29–36.
18. H2020 Project—Diversity Enhancements for Security Information and Event Management. Project Deliverable D4.1: Techniques and Tools for OSINT-based Threat Analysis; http://disiem-project.eu/wp-content/uploads/2018/06/D4.1v2.pdf
19. Industry Week. Cyberattacks skyrocketed in 2018. Are you ready for 2019?; https://www.industryweek.com/technology-and-iiot/cyberattacks-skyrocketed-2018-are-you-ready-2019
20. Kocher, P. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In Proceedings of the Annual Intern. Cryptology Conf. Springer, Berlin, Heidelberg, 1996, 104–113.
21. Krawetz, N. Anti-honeypot technology. IEEE Security & Privacy 2, 1 (Jan.–Feb. 2004), 76–79.
22. Lampson, B. A note on the confinement problem. Commun. ACM 16, 10 (Oct. 1973), 613–615.
23. Lancor, L., Workman, R. Using Google hacking to enhance defense strategies. ACM SIGCSE Bulletin, 2007, 491–495.
24. Lei, C., Zhang, H.Q., Tan, J.L., Zhang, Y.C., Liu, X.H. Moving target defense techniques: A survey. Security and Communication Networks 2018, 1–25.
25. Li, Z., Yu, X., Wang, D., Liu, Y., Yin, H., He, S. SuperEye: A distributed port scanning system. Artificial Intelligence and Security, LNCS 11635. X. Sun, Z. Pan, E. Bertino (Eds.). Springer, Cham, July 2019, 46–56.
26. Lockheed Martin. The Cyber Kill Chain; https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
27. MITRE. ATT&CK Framework; https://attack.mitre.org/
28. Notra, S., Siddiqi, M., Gharakheili, H.H., Sivaraman, V., Boreli, R. An experimental study of security and privacy risks with emerging household appliances. In Proceedings of the IEEE Conf. on Communications and Network Security, 2014, 79–84.
29. O’Hare, J., Macfarlane, R., Lo, O. Identifying vulnerabilities using Internet-wide scanning data. In Proceedings of the 12th IEEE Intern. Conference on Global Security, Safety and Sustainability, 2019, 1–10.
30. Ristenpart, T., Tromer, E., Shacham, H., Savage, S. Hey, you, get off of my cloud: Exploring information leakage in third-party compute clouds. In Proceedings of the 16th ACM Conf. Computer and Communications Security, 2009, 199–212.
31. Salahdine, F., Kaabouch, N. Social engineering attacks: A survey. Future Internet 11, 4 (2019), 1–17.
32. Sayakkara, A., Le-Khac, N.-A., Scanlon, M. A survey of electromagnetic side-channel attacks and discussion on their case-progressing potential for digital forensics. Digital Investigation 29 (2019), 43–54.
33. Siby, S., Maiti, R.R., Tippenhauer, N.O. IoTScanner: Detecting privacy threats in IoT neighborhoods. In Proceedings of the 3rd ACM Intern. Workshop on IoT Privacy, Trust, and Security, 2017, 23–30.
34. Simon, L., Xu, W., Anderson, R. Don’t interrupt me while I type: Inferring text entered through gesture typing on Android keyboards. In Proceedings on Privacy Enhancing Technologies 3 (2016), 136–154.
35. Siponen, M. A conceptual foundation for organizational information security awareness. Information Management & Computer Security 8, 1 (2000), 31–41.
36. Trabelsi, Z., Rahmani, H. Detection of sniffers in an Ethernet network. Information Security, LNCS 3225 (Sept. 2004). K. Zhang, Y. Zheng (Eds.). Springer, Berlin, Heidelberg, 170–182.
37. Trabelsi, Z., Rahmani, H., Kaouech, K., Frikha, M. Malicious sniffing systems detection platform. In Proceedings of the Intern. Symp. Applications and the Internet, 2004, 201–207.
38. Trestian, I., Ranjan, S., Kuzmanovic, A., Nucci, A. Googling the Internet: Profiling Internet endpoints via the World Wide Web. IEEE/ACM Trans. Networking 18, 2 (2010), 666–679.
39. Wang, P., Wu, L., Cunningham, R., Zou, C.C. Honeypot detection in advanced botnet attacks. Intern. J. Information and Computer Security 4, 1 (2010), 30–51.
40. Wang, C., Lu, Z. Cyber deception: Overview and the road ahead. IEEE Security & Privacy 16, 2 (Mar.–Apr. 2018), 80–85.

Wojciech Mazurczyk is University Professor at Warsaw University of Technology, Institute of Computer Science, Warsaw, Poland.

Luca Caviglione is a senior research scientist at the National Research Council of Italy, Institute for Applied Mathematics and Information Technologies, Genova, Italy.

Copyright held by authors/owners. Publication rights licensed to ACM.