Intelligence Preparation of the Battlefield: What is Your Footprint?
“If you know the enemy and know yourself you need not fear the results of a hundred battles” – Sun Tzu
Intelligence is defined as the gathering of information or raw data that has been analyzed for its validity and usefulness. One of the first exercises an analyst uses in the beginning of an operation is IPB, or Intelligence Preparation of the Battlefield. The Army field manual FM 31-130 describes IPB as “a systemic, continuous process of analyzing the threat and environment in a specific geographic area."
When preparing for the initial phase of Operation Iraqi Freedom, commanders and their staffs conducted several iterations of IPB. These included route studies to determine the best Lines of Communication (LOCs) to use in attacking north to Baghdad, as well as current and expected enemy positions and how best to neutralize them.
Many hours were spent researching Iraqi Order of Battle (OOB) to gain knowledge of the weapon systems in the Iraqi arsenal and where they were located. Analysts studied past engagements by both conventional forces and Republican Guard units to understand their tactics, techniques and procedures (TTPs) and where they were most likely to deploy.
By understanding the best courses of action to take and being able to predict and react to enemy movements, U.S. led Coalition Forces were able to quickly and decisively neutralize the threats and defeat Iraqi opposition and capture the Iraqi capital in 21 days.
Information security professionals should expect similar processes to be used by our enemies, but where would an attacker begin? One of the first ways that an attacker can determine an organization’s footprint and conduct an initial IPB is by performing Open Source Intelligence (OSINT) research against your organization. They will attempt to map out your network by utilizing the wealth of publically available information from sources such as the American Registry for Internet Number (ARIN) and WHOIS. They will use social media sites that your organization or employees engage in for marketing or personal use to obtain data that can be used for social engineering.
Once an attacker has finished their OSINT collection, they can begin the IPB phase. By running scans of the victim environment and using the information already collected such as full IP ranges and domains, they have the possibility of gaining system specific information by running various network device and service discovery techniques. This system information may include operating systems used, system architecture and purpose, different services running on the systems, and information on the applications and their versions installed on the systems. By having this information, an attacker can map out the true footprint and discover vulnerabilities that can later be exploited.
Just as Coalition Forces conducted several iterations of the IPB process as combat operations neared and began, so will the attacker. The attacker will need to know which course of action will work best to gain the access desired or to impact the target the greatest.
The strength of an organization’s security posture relies upon the intelligence you have of your own network and environment. The ability to prevent an attacker from gaining critical information that may allow them to successfully compromise your environment can be gained by running the same OSINT research against yourself and conducting an internal IPB. It would be beneficial for any organization to participate in periodic exercises as described above and run regular vulnerability scans. Companies should proactively monitor what content is available publically on social media sites and minimize that content to what is absolutely necessary.
If the enemy knows your environment better than you do, they already have the keys to the castle, and like the Marines in Baghdad, they will take down your statue. Prevent this by following best practices and limiting your online exposure to what is truly necessary. Ensure you have the right security tools implemented to protect your interests and have the ability to pro-actively react to the presence of an intruder.
Image copyright CNN from broadcast of U.S. Marines toppling a statue of Saddam Hussein, Wednesday, April 9, 2003, in Firdos Square, Baghdad, Iraq.