Moving on with the subject, Rafal Los provides a step-by-step insight into preliminary measures and the right strategy for attacking the adversary’s assets.
So, how do we use weaknesses of defenders as a weapon? I found a really cool quote that I like to use a lot: “To lack intelligence is to be in the ring blindfolded.” And I think, from the white hat perspective, the folks that are defending corporate network are still relatively flying blind, because we’re well educated on how to put an IPS filter; we know what the attacks are going to be when we know what they’re going to be. When we know what to expect, we can prepare ourselves for it. But, unfortunately, I think we’re sort of prepared for a very small subset of what we consider the determined attack, and the threat landscape, I think, is fundamentally changing. And so, what you’re getting is this gather-modeling-plan idea (see image).
Step 1 is to gather some intelligence, whether it’s passive or active. It’s an intelligence gathering exercise that prepares you, essentially, for the battle, I won’t say cyber battle. So, step 2, modeling the intelligence that you have, it’s kind of outside the scope of this, but if you’ve ever gotten a giant whiteboard and just started writing everything that you know about the system during, like, a pentest, you find an IP address and you figure out what’s at that IP address. If you got what’s that connected to and what’s on that system, and then who runs that system, and what they do, what their role is, and where their kids go to school, and who they vacationed with, all of a sudden you go: “You know, that’s interesting, I could probably do this, this and this to get all that data without having to actually lift a finger.”
This is kind of one of those perspectives, if you’ve ever heard of this in the news, and it’s happened pretty often, unfortunately. I think there is a movie called “Firewall”, a really bad movie. If all these awesome technical defenses are in place, impermeable firewall defenses and all these other kinds of stuff, what does a bad guy do? Shows up at the kid’s school, picks up the kid, calls the guy, the head of security, and says: “Hi, I’m the guy you’re going to give everything in your databases to,” and the guy says: “No, I’m not,” and he goes: “Say Hi to your kid for me.” Are you prepared for that? In most cases, most of the IT and most of the corporations out there have no idea what to do in a situation like that. Crisis management turns into, like, a circus. So, this is the plan part. We’re going to plan what we’re doing.
So, this is really about knowing the adversary, mapping out the attack surface, and it’s mapping out the digital attack surface, sort of the fingerprint of the network, the applications, the systems, where they get their data feeds from, whether they have people on iPads and mobile devices that also go to the same gym you do? Can you hang out with them on the train and exploit the fact that their wireless is always open or they’re using a portable hotspot you can get on and pull all your data from those kinds of things?
And then, profiling the defenses, really, is a look at how their defenses are built. Too many times in the past we’ve seen somebody that wants to get some asset, whether it’s a database or personally identifiable information, credit card data, whatever. It’s that spray and pray mentality, so the attack is trying to exploit the app and hopefully not get caught. This is not what we’re starting to see, this is not the kind of attacker that is going to be prevalent in the future. When we have good defenses, you’re not going to get to spray and pray types; the SQL injection eventually will run out. I keep saying that, maybe one day it will be true. I guess it’s still wishful thinking.
Gaining an advantage is about getting the upper-hand here. So, when we hit the attackers directly we’re going to actually hit them as they know it or as they don’t. We may just exploit them directly, go walk up to them and say: “Hey, I know this and this about you, but don’t panic, I don’t want to kill you, I just want some data from you.”
We can attack them without them knowing, and I’ll explain that in a little bit. And we can attack the target using the information about the defender. How do we get to a target, a hard target behind a well fortified system? Well, there have been at least 4 news articles in the past several years, where really well-designed defenses that go down for, like, 30 seconds a year, were exploited. You think that happened by accident? Probably not. If I know that the security infrastructure at ACME Widget Company is going to undergo a major upgrade or overhaul, because I know which vendor they use and I’ve talked to their vendor and I got them to tell me some information, I probably have a great way to get in, get out, and not get caught.
So, if we’re looking at attacking the defenders directly, this is hitting the defender, the asset, using the weakness that they have against them. It’s more of a bold attack, it’s kind of in-your-face, “we’re going to come right at you,” sometimes it works. The idea is this requires a lot of advanced intelligence on the asset.
You need to really, really be prepared, because it’s really hard to walk up to a person if you don’t know everything about them, and basically attack them. I don’t mean physically attack them, but I mean just telling them: “Hey, I’m going to come after you.” Because humans can be rather unpredictable, unless you understand them well. So, this requires some prep time, a lot of preparation; the likelihood of the success of this kind of attack is very heavily dependent on the asset, and at this point I just say you forsake the element of stealth. You’re just going to give up the whole stealth idea; you’re coming full frontal at this point.
You’re likely to burn the asset – you guys know what that means? They’re not going to be your friend anymore. The odds of them getting fired or somehow otherwise compromised are pretty high if you come at them straight on. But this is generally a short-lived attack: if you know you want something from a company, you are a state sponsored attacker, and you know that, I’m using a general example, but if you’ve already read this in the papers, please don’t tell anybody else, I don’t want to be referred to directly.
Say, you want to steal a design of a jet turbine for the next big tactical air fighter, and you need to get that design information, because the nation state that you are chartered by tells you to go get it, whatever the cost. Well, something like this is probably the fastest way to do it. This is the quick and easy, or rather quick and dirty, I’d say. You gather all the intelligence on somebody that’s likely able to be turning inside that company; you go right at them, get to them directly, personally, get them to give up information, and then bolt. Odds are you’ll probably never want to run into them again: they may be likely to lose their job. You could probably ruin somebody’s life pretty quickly this way, but it is a short-term attack.
So, attacking the defenders indirectly is exploiting the defender without their knowledge, and it basically assumes that the asset has access to the attack target, requires some prep time. This does hinge on you being stealth, so this is where, if you know somebody’s got the VP of engineering and has access to the engineering department, all the blueprints and stuff from their home because they have a permanent VPN from their house, and you know that they have a kid who plays the Xbox a lot, and the Xbox happens to use that same network – you can put 2 and 2 together, you can probably get in by not even having to ever talk to that VP. You know, you can make friends with their kid online playing whatever videogames people play online these days; send them a file, exploit either their kid’s laptop or something, or their system. Connect over, get all the data you want, write the network in, pull it out, and leave. Or you can leave something behind for yourself if you ever need to get back in there; but it’s nice and stealth.
Attacking the target itself is less of a human-based attack, but it’s learning the weaknesses of defenders and defenses they have to plan the most strategic attack against the target.
How many times have you guys looked through an IDS log or attack logs, and realized that somebody’s trying to run Oracle attacks against your SQL server, or there’s 10,000 requests a minute? So, we’re basically exploiting the weaknesses of a target.