Footprinting

What is footprinting?

Footprinting is a way to gather information about locations of interest, targets of interest, specific technologies used by an organization. It can also be described as the basic detective work of finding out about an organization before you attack it.

While footprinting might sound like something that any attacker would want to do, some attackers are mainly “speculative” attackers – they will scan every IP address on the internet looking for vulnerabilities to exploit. They do this quickly and haphazardly with no real plan or design in mind. Other attackers are more “targeted” – they have a reason for attacking a particular target and may do extensive research on that target before attempting to infiltrate it. This makes targeted attacks more successful than speculative attacks, but it also takes more time.

In order to conduct a successful footprinting exercise against your organization you need to know what kind of attacker to expect and that means knowing something about the methods attackers use.

Methods used by hackers for information gathering

Attackers can find out a lot about an organization or individual without ever leaving their home (laptop) based offices. Here are some of the most common strategies:

• Search engines
• Whois database lookups
• Social media searches
• DNS records
• Maltego research
• Traffic cameras/Google street view
• Searching for proprietary information leaks
• Discussion forums related to your technology or processes about industry gossip, news and rumors

Search engines

Attackers can use search engines to find information about you, your website, email addresses, employees, partners, etc. Information leakage is a major problem for many companies and often what attackers are looking for is simply something that was unintentionally shared with the public.

Whois database lookups

Most domain name registrars will keep some basic address/contact information up to date in a Whois database. From this information, an attacker may be able to gather the sub-contractor company used by another company or he might discover that your company shares an IP subnet or even an office building with another target of interest.

Social media searches

Social media has transformed how people communicate online. It has also provided a treasure trove of information for intelligence gatherers and attackers alike. It is very easy to learn all about someone by simply watching their social media activity. Attackers can find out what technologies an organization uses, what kind of organizational structure they have, who the executives are and even where their office is located. Even your employees may be revealing this information without knowing it.

DNS records

Most organizations use the internet to communicate with customers, suppliers, employees and even other departments within their own company. Attackers are able to find out all about your organization simply by looking at your DNS records. The MX or mail exchange record will tell an attacker what mail server you use for receiving email. The A record shows what IP address is associated with a specific hostname (i.e. www.mycompany.com). Your reverse DNS record may show which ISP you use or it might have the name of the sub-contractor that provides your IT support services – both very valuable pieces of information to an attacker who wants to send spoofed emails in order to gather additional data from your company’s employees or customer lists in order to launch a phishing attack later.

Traffic cameras/google street view

Attackers can use Google Maps or traffic cameras to get a rough idea of where your office is located and they may also be able to take photos of the ground floor windows of your office or of your employees working at their desks.  Attackers are able to do this without ever leaving home simply by googling for images using queries like “traffic cam [enter city name]”. If you have worked at or visited any organization in that area then it is likely that you will find some photos floating around on the web just waiting to be found by attackers interested in knowing more about where you work, learn more about why you would want to remove personal data from social media accounts.

Searching for proprietary information leaks

Attackers are very interested in any proprietary information that may be leaking from your company. In order to find this information, attackers will search for keywords like “proprietary”, “business plans” or even details about specific products. You may inadvertently publish some of this information on the web by including it in job postings, Tumblr blog posts, Twitter updates or even GitHub repository descriptions.

Discussion forums

Attackers can use discussion forums (Reddit/stack exchange/etc.) to find out more about you and what you do; all they have to do is make up a plausible-sounding story and see if anyone bites. There are many other strategies employed by attackers but the above will give you an idea of how information gathering works.

By now, most people understand just how much footprinting can reveal about a target organization and the impact footprinting has on cybersecurity where it concerns adversaries finding out more about their targets before they launch an attack. Footprinting is very important to understand once you start working with IT security.  As you work with your IT company, this knowledge will help you devise strategies to protect your company’s assets and users from any form of cyberattack including advanced persistent threats (APTs), which require special attention when footprinting is involved.

Frequently asked questions about footprinting

What is footprinting?

When an attacker footprint a target organization to learn more about what kind of people work there, how they communicate with each other inside and outside the office, what technology is being used by the company, etc. It’s important to note that footprinting has nothing to do with footprinting found in nature or footprints left behind as a result of illegal activity.

How does footprinting work?

An attacker will use footprinting to find out who your IT support company is, figure out which ISP you use and even see where your office is located physically using traffic cameras. In order for footprinting to be effective attackers have to know as much as possible about their target without ever actually having been inside the target organization.

Is footprinting effective?

Yes, footprinting is very effective because it can be carried out using publicly available information that you inadvertently share about yourself online. This makes footprinting an inexpensive but very effective method of reconnaissance. There are other methods employed by attackers to gather intelligence about their targets before launching an attack but the above will give you an idea of just how footprinting works and why footprinting has become so popular among attackers targeting businesses these days.

What can I do to protect my company from footprinting attacks?

The best way to prevent footprinting from affecting you is to remove any reference of your workplace on social media messaging apps like Slack and HipChat. Also avoid images with identifiable logos, photos where people can see who is working at the company and any information that could help attackers find out details about how your company is run. If you find footprinting information online, it’s best to reach out to the affected parties and let them know about the footprinting.

What is footprint analysis?

Footprint analysis is another term used by attackers footprinting a target organization in order to learn more about what kind of people work there, how they communicate with each other inside and outside the office, what technology they use at their company etc.  Simply put footprint analysis has nothing to do with footprints found in nature or left behind as a result of illegal activity.