Exploring Cyber Soft Target Indicators (CSTIs)

“Soft Target” is a term used to describe a person, place, or thing that is relatively unprotected and vulnerable to attack. Terrorists, criminals, and otherwise unscrupulous individuals often look for “soft target indicators” when selecting a target (potential victim). Doing so helps an attacker assess the level of personal risk and weigh it against the potential reward(s) in order to determine if the attack is viable as well as to increase the efficiency of the attack prior to carrying it out.

When it comes to personal protection, many experts recommend being alert and aware of your surroundings, walking confidently with purpose, briefly making eye contact with those around you, etc. These recommendations aren’t purely theoretical but are actually based on real interviews with violent criminals about how they select their victims. In some studies, videos of people walking in public places were shown to convicted criminals so they could identify who they would likely select as a target. The criminals were then interviewed about their choices (which were often made in less than 10 seconds). In many cases, the selections were based on non-verbal cues perceived by the criminals that conveyed physical weakness, distraction, lack of confidence, and a host of other “soft target indicators”. Similarly, when a terrorist or criminal is selecting a location (rather than an individual) to carry out an attack, the apparent absence of armed security personnel and posted signs banning patrons from carrying self-defense tools are also examples of “soft target indicators”.

So-called “Soft Targets” are not confined to the physical world. They exist in cyberspace as well. One of the first steps a malicious cyber threat actor performs prior to attacking a target is reconnaissance (something that I’ve personally done on countless occasions and a word that I’ve used hundreds of times yet somehow still manage to spell wrong even to this day). Cyber recon (yes, I’m abbreviating since I still can’t spell the full word) is often carried out using a combination of generic and specialized software tools. It is a process that is well documented and taught as a fundamental skill in nearly every cybersecurity training course. Even so, there is an aspect to cyber recon that I seldom hear discussed. What you learn directly through conducting cyber recon is only one side of a coin. The full value of cyber recon can often only be realized by determining what you can reasonably infer about the target from the results. In other words, it isn’t only what the results of the cyber recon tell us about the target that’s important, but also what those results may imply.

For example, DNS recon may tell us that the organization does not utilize SPF, DKIM, and DMARC, but it may also imply that the organization does not employ personnel that are familiar with basic cybersecurity hygiene. Other “cyber soft target indicators” (CSTIs) may be readily discovered which, collectively, can increase the level of confidence that our inferences are accurate. In this way, CSTIs can be used to aid in selecting the most likely successful attack vectors as well as the level of effort that should be employed in avoiding detection (which can greatly improve the efficiency of an attack). 

Some examples of CSTIs are:

  • Weak or non-existent SPF, DKIM, or DMARC settings
  • Weak SSL/TLS configurations on the target organization’s public website
  • Data breach records revealing weak passwords for personnel employed by the target organization
  • No indication of a web application firewall (e.g. Cloudflare) protecting the target’s main website
  • Vague and/or generic security / privacy policy
  • Lack of vulnerability disclosure guidance and/or bug bounty program
  • Absence of CAPTCHA on publicly accessible forms / sign-up pages
  • No support for multifactor authentication
  • HTTP requests are not redirected to HTTPS  
  • Potentially sensitive personnel information (e.g. Names, Positions, Emails, and Phone numbers) listed on the target organization’s public website
  • Personnel job title indicates Cybersecurity responsibility is being performed as a secondary role (e.g. “Head of custodial services and Cybersecurity”)

Cyber Soft Target Indicators are a relatively simple way of making inferences about a target’s cybersecurity posture. Identifying CSTIs and making inferences based on them can easily be incorporated into the cyber recon process and may greatly aid in planning and executing the subsequent phases of a cyber engagement. Furthermore, developing a software tool that aims to identify common CSTIs for a target organization (or incorporating CSTI scanning functionality into an existing tool / framework) should be relatively straightforward and would likely be valuable both in selecting attack vectors and planning for attack efficiency.