
Applying MITRE ATT&CK to Web3
Part One: Reconnaissance
In the fast-evolving landscape of Web3 applications, cybersecurity is of paramount importance. To ensure the robustness and resilience of these decentralized applications, developers and cybersecurity professionals must stay vigilant and proactive. The MITRE ATT&CK framework, which as of this writing is at version 13, provides a comprehensive road-map for assessing and mitigating potential threats by evaluating attack vectors. The framework categorizes Tactics and breaks each down into particular Techniques, each of which is enumerated and includes examples, mitigation and detection recommendations.
In this article we delve into the first tactic outlined in the Enterprise framework — Reconnaissance — and explore a translation into Web3 project security. We hope to guide Web3 developers and cybersecurity professionals through the top-level tactics of reconnaissance by utilizing this mature, existing framework, to help uncover valuable insights and potential vulnerabilities. Future articles will dive more deeply into particular sub-techniques.
(Note: Before diving in it should be made clear that the MITRE ATT&CK framework is broken into three categories, two of which may be applicable to Web3. These are Enterprise and Mobile. For now we are only considering the Enterprise framework and correlating it with a Web3 project. The term “application” is also used fairly broadly: it goes beyond the code created by the project's developers and encompasses all related networking and technological infrastructure associated with the functioning of that code.)
Reconnaissance: An Overview
First, let us take a look at what “reconnaissance” means in terms that apply to security around traditional communications, enterprise networking and Web3 decentralized systems by using broad strokes in four different areas:
- Public information gathering
- Network and infrastructure analysis
- Social engineering
- Threat intelligence
Public information gathering about the application and team is broken down into various parts in the MITRE ATT&CK Reconnaissance techniques. This includes details about the organization behind the application, such as a DAO, the development team, any hosting platforms, code repositories, community or support forums, and the equivalents for underlying technologies. In the case of Web3 applications, it is essential to analyze the associated smart contracts. Identifying and investigating these can be done using blockchain explorers if they are not available in a repository. An attacker will want to cast as wide a net as possible in capturing potentially vulnerable code that is used by the application. Exploitation is often found in bugs that have already been identified in upstream code or in other projects that share common parentage but that have not been properly mitigated in the target project. And of course, all relevant documentation, including white/yellow papers and code audits, is gathered because it may provide insight into potential vulnerabilities.
Cybersecurity professionals have long utilized various network and infrastructure analysis tools to uncover the network topology and infrastructure supporting the Web3 application. There is a wide variety of long-used web-related techniques that may be employed to suss out a full picture of the available attack surface. DNS lookups, network mapping techniques, and infrastructure analysis methods can provide more thorough insight into that attack surface. With Web3 some of these may still apply, but many are mitigated by design because of the use of cryptographically secure, decentralized systems. Still, other points of interest related to networking and infrastructure do exist, and by looking at the specific techniques used in recent attacks we can make sure to have a thorough understanding of the areas of concern that may need to be addressed.
Social engineering techniques can be practically applied across many parts of a Web3 project's organization to gather information from individuals. Observing the active participation in relevant online forums and social media platforms allows cybersecurity researchers to learn about known issues, potential threats, or discussions related to the application’s security. Moreover, phishing and other nefarious social engineering techniques are often utilized as a first step toward gaining a foothold in a kill chain. Although much of Web3 is focused on eliminating attack vectors involving trust, it has been proven time and again that weaknesses are still very much present in this regard.
Lastly, threat intelligence plays a crucial role in reconnaissance. Gathering information about known threats, vulnerabilities, and exploits provides valuable context for assessing potential risks to the Web3 application. This can involve referencing databases such as the Common Vulnerabilities and Exposures (CVE) list, reports from cybersecurity firms, and information shared by other professionals in the field.
Reconnaissance in this respect means delving into the application’s source code, which is often publicly available for decentralized applications. By scrutinizing the code and analyzing the application’s behavior, potential vulnerabilities can be identified. Tools designed for vulnerability discovery are also utilized as parts of various techniques.
Given the integration of Web3 applications with blockchain networks, the reconnaissance on such systems obviously involves but is not limited to blockchain analysis, specifically transaction data, account connectivity, and smart contracts. By studying transaction patterns and the movement of data, cybersecurity professionals can identify potential vulnerabilities or opportunities for malicious activity before they happen and also surveil current activity for ongoing exploitation.
Hopefully by examining Web3 applications through the lens of this existing threat analysis framework, cybersecurity professionals can find ways to better understand, organize, mitigate and detect security issues before a significant breach.
Reconnaissance: Surveying the Web3 Application Landscape using MITRE ATT&CK
As we have already elaborated on in general terms, Reconnaissance serves as the initial step in evaluating the security posture of any application, including Web3 applications. It involves gathering information about the target system, its environment, and its users. In the case of Web3 applications, reconnaissance takes on a unique flavor due to the decentralized nature and reliance on blockchain technology. In order to make our comparison and find our correlations with MITRE ATT&CK, let's start with an overview of the top-level reconnaissance techniques that are part of the current version:
- Active Scanning
- Gather Victim Host Information
- Gather Victim Identity Information
- Gather Victim Org Information
- Phishing for Information
- Search Closed Sources
- Search Open Technical Databases
- Search Open Websites/Domains
- Search Victim-Owned Websites
At first glance some of these seem to apply directly to Web3 while others appear to have little to no direct corollary. To clarify exactly how these apply we will expand upon each of them by analyzing the numerous sub-techniques we find under each and looking for applicability, analogs and differentiators in follow-up articles as part of this series.
Conclusion
Reconnaissance serves as the foundation for a robust security assessment of Web3 applications. By diligently following the steps outlined in the reconnaissance process, Web3 developers and cybersecurity professionals can gain valuable insights into potential threats and vulnerabilities. Armed with this knowledge, they can prioritize areas for further investigation, enhance their security measures, and proactively mitigate risks. The MITRE ATT&CK framework empowers security practitioners with a systematic approach to assessing and fortifying applications, ultimately leading to a safer and more resilient decentralized ecosystem, and this is certainly something that can be applied to Web3 with the necessary modifications.