In this section of the presentation, Rafal Los analyzes the attacker's routine in terms of its purpose, target prioritization (pinpointing), and points of attack.
When you’re looking at a system, you have to know what’s behind it, you have to know what the infrastructure is. So if you’ve got an Oracle server, you’ve got an Apache server, you’re not going to spend lots and lots of time throwing 0-day IIS attacks at it; that just doesn’t make a whole lot of sense. So, we’re going to talk about the 5 P’s of this.

The first one, really, is the purpose; it’s kind of like the silent P. And what we’re really looking at is what the purpose of the attack is. This sounds like a foregone conclusion at some points, but it’s really not. We need to figure out what you are trying to get to, what your purpose is. Are you trying to infiltrate the network? Are you just trying to gain a foothold? Are you trying to fully compromise an asset, a specific machine? Are you going after a particular target, a particular data point? What are you going after? And you have to keep that in mind: put it on a Post-it note somewhere, in the center of your whiteboard, so you know exactly what it is that you’re going after. Make sure you don’t stray too far from that path.

The first real P is pinpoint. You’ve got to create a high-payoff target list; you’ve got to know what your targets are, the ones that are going to be the easiest to get a lot of value from. So, these are the assets that give what we’ll call the biggest bang for the buck. Assets here include things like security personnel, senior executives, the IT staff, etc. A while back, if any of you followed our SecBiz conversation on LinkedIn or on Twitter, we basically talked about whether security people follow their own policies. And the overwhelming, sort of scary response was: “No, because we know better.”
So, how many security people’s laptops out there are probably not running the corporate image, and are running some kind of custom software? Think about this for a second. How many DBAs think they know better? When asked these questions, a lot of people are smiling and nodding; that kind of worries me. So, we look at things like secondary targets, and how we’re going to get in using an indirect attack vector: is there a web server out there somewhere that somebody forgot about, that still has backchannel access into their main corporate network?
When people do asset defense in corporate IT, you have a finite amount of resources, and you have to figure out what you’re going to defend. And generally people draw a nice little line around where the dollar signs are, where your data is; they’re going to put a line of defenses around there. But then there’s a box out here that runs marketing, or runs something that’s not exactly super important, but it does have a connection back to the network; those are really the least protected pieces. When we draw this map out, when we threat-model this out, we can pinpoint the boxes to attack, because that’s the weakest point, and work our way in from that direction. Pentesters do this all the time.
There’s also the list of opportunity; we call this low-hanging fruit: the people from the company that are still on Myspace, those that are easy to friend, that accept everybody’s request on Facebook, that kind of stuff. And so, mapping out defensive capabilities is important, because you’ve got to know where they’re going to be ready for you, to carefully avoid those or to overwhelm them, as we’ll go through further on.

Points of attack refers to decomposing the assets into their absolute, most basic components. So, when you look at the perimeter, what’s at that perimeter? It’s not trivial to decide that there is a firewall with an IPS behind it, a set of proxies and load balancers, and then the actual set of web servers.
I’ve watched attacks; in fact, I was on the defensive end of this one, and it was kind of funny to watch. We had a vulnerable Apache server that hadn’t been patched, I swear, for around five years. And the only saving grace for us against this one attacker, who was actually really crafty, was the fact that he couldn’t seem to grasp that we had a load balancer in front of this, and five of these boxes on the back end. So he kept sending multipart attacks, where he’d send a part of the attack, wait a bit, and assume he gets the same box again; but the way the load balancers were set up, they would give him a different machine each time. So half of this attack went here, half of it went there. Eventually he finally popped one of them, but fortunately he couldn’t figure out how to get back to it. So, this is one of those situations where you have to know what you’re going after, otherwise you become the subject of somebody’s slides a couple of years later.
So, breaking down the physical and human assets. The physical assets, I think, are a lot easier: technology is more predictable than humans. If you picked anybody in this room right now and said, “I have a gun to your spouse’s head, I need all your information, I need everything you can possibly give me about your company; I know it will cost you your job, but I really don’t care,” people react in different ways: some people might try to fight back, others might just give you everything they have and hope that you leave them alone. But you have to know what you’re going after, and you have to know how people are going to respond. And this is, again, also not trivial.
You can look at things like family affiliations, what kind of hobbies they have; look at behavior and psychological profiling; sentiment analysis is always interesting if they’re on Twitter and Facebook. Port scans, vulnerability inventory, system maps, application analysis: these are the kinds of things that help us pinpoint exactly where to hit.
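The load-balancer episode above is worth seeing mechanically. The following is an added example written for this page, not the speaker's code: a small Python simulation of a round-robin pool with five backends and a two-stage exploit whose second request only works on the box that received the first. It assumes (for illustration) that each backend leaks an identifying `X-Backend` header; real pools leak the same information less obviously, through `Server`/`ETag` formats, timestamp skew or cookie names, so the header is a stand-in for whatever fingerprint you actually find. The three functions show the naive attempt failing, the reconnaissance step that reveals the pool, and the retry strategy that gets back to the staged box.

```python
"""Round-robin load balancer vs. a stateful, multi-step attack.

Hypothetical simulation added for illustration (not the speaker's code).
Five backends sit behind a round-robin balancer with no session affinity.
Stage 1 of the exploit plants state on whichever backend answers; stage 2
only succeeds if it lands on that same backend.
"""
import itertools


class Backend:
    """One server in the pool. Stage 1 leaves state here; stage 2 consumes it."""

    def __init__(self, name):
        self.name = name
        self.staged = False

    def handle(self, stage):
        if stage == 1:
            self.staged = True
            return "staged"
        if stage == 2 and self.staged:
            return "popped"
        return "noop"  # a probe, or stage 2 on a box that never saw stage 1


class RoundRobinLB:
    """Hands each request to the next backend in turn, no affinity.

    Assumption: the answering backend is identifiable from the response
    (modelled as an X-Backend header). Real pools usually leak this through
    subtler differences rather than such an explicit header.
    """

    def __init__(self, n):
        self.backends = [Backend(f"web{i}") for i in range(n)]
        self._rr = itertools.cycle(self.backends)

    def request(self, stage):
        backend = next(self._rr)
        return backend.handle(stage), {"X-Backend": backend.name}


def naive_attack(lb):
    """Send stage 1 then stage 2 back to back, assuming the same box answers both."""
    lb.request(1)
    result, _ = lb.request(2)
    return result


def count_backends(lb, probes=20):
    """Recon step: hit a harmless URL repeatedly and count distinct fingerprints.

    More than one fingerprint means a pool is in front of you."""
    seen = set()
    for _ in range(probes):
        _, headers = lb.request(0)  # stage 0 = benign probe
        seen.add(headers["X-Backend"])
    return len(seen)


def pinned_attack(lb, max_tries=50):
    """Stage 1, note which box answered, then resend stage 2 until that box answers.

    Returns (result, number of stage-2 attempts). Every attempt that lands on
    another backend is noise on a machine you did not mean to touch."""
    _, headers = lb.request(1)
    target = headers["X-Backend"]
    for attempt in range(1, max_tries + 1):
        result, headers = lb.request(2)
        if headers["X-Backend"] == target:
            return result, attempt
    return "gave up", max_tries


if __name__ == "__main__":
    print("naive:", naive_attack(RoundRobinLB(5)))        # noop
    print("backends:", count_backends(RoundRobinLB(5)))   # 5
    print("pinned:", pinned_attack(RoundRobinLB(5)))      # ('popped', 5)
```

Two things the run makes visible. The naive attempt fails not because the exploit is wrong but because the attacker never modelled the point of attack correctly: the five-box pool, not the single Apache host. And the working retry costs four wasted stage-2 requests against other backends, which is exactly the noise that a mapped-out defensive capability (an IPS or log correlation behind the balancer) would be ready for.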