Transparency-based reconnaissance for APT attacks / A. Rugo, C.A. Ardagna. - In: 2023 IEEE 47th Annual Computers, Software, and Applications Conference (COMPSAC). - [s.l] : IEEE, 2023. - ISBN 979-8-3503-2697-0. - pp. 1652-1657. (Paper presented at the 47th conference, IEEE International Workshop on Security Aspects in Processes and Services Engineering, COMPSAC 2023 Workshops, held in Turin in 2023.) [10.1109/compsac57700.2023.00255]
Transparency-based reconnaissance for APT attacks
C.A. Ardagna (last author)
2023
Abstract
Transparency is a fundamental administrative principle for public institutions. One of its main implementations is the publication of tenders for the acquisition of goods and services, as prescribed by EU and national legislation. This need for transparency can, however, undermine the security of public institutions, which disseminate information that advanced threat actors could leverage to carry out disruptive attacks. In this paper, we analyse how threat actors can extract useful information from this publicly available information, taking advantage of transparency. We introduce a new technique named transparency-based reconnaissance, which implements a passive recognition process using transparency information published under legal requirements. To better highlight the value of the gathered data, we test its effectiveness by simulating a transparency-based reconnaissance run against an Italian public institution, obtaining complete technological and supply chain inventories. The collected inventories enabled the creation of unsophisticated malware that bypasses the defences in place, along with a weaponization and delivery strategy. Finally, we propose a list of potential countermeasure areas, both technical and organizational, to protect information while still safeguarding transparency through a graduated approach.

File | Access | Type | Size | Format
---|---|---|---|---
RA.COMPSAC2023.pdf | Open access | Post-print, accepted manuscript etc. (version accepted by the publisher) | 511.4 kB | Adobe PDF
Transparency-based_reconnaissance_for_APT_attacks.pdf | Restricted access | Publisher's version/PDF | 1.15 MB | Adobe PDF
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.