HP Software’s Rafal Los now highlights the finishing touches to perform before the attack can be executed, and summarizes the entire offensive threat scenario.I hope you guys get the irony of hanging a piece of Swiss cheese in the Posture slide (see image). Identifying asset’s defensive posture: how well are they fortified and where? Just because they have a lot of defenses doesn’t mean they’re well fortified. Just because you have a lot of cool technical stuff in front of something, doesn’t mean any of it is working properly or that anybody’s going to watch the big flashing red light that says: “Hey, we’re under attack, help!”
A lot of these are critical and time-based components to this. Technical schedules: when are firewalls rebooted? When are systems rebooted? When are things down for maintenance? When does the data center have its next major mechanical repair time? When are they going to switch over to their next Internet provider? When can you get in under the guise of something else happening? Odds are if there’s an elevator that’s out in the building, you can pretty much get to any floor by saying: “Hey, I’m the elevator repair guy, look, that’s what it says on my shirt, trust me,” and people will let you in. “There is HVAC problem in your server room, I swear, look, it says Johnson&Johnson HVAC, I need to get in.” Sometimes people will let you in.
Does the enterprise understand security? Well, unfortunately, often the answer is No, but is there a proactive security posture or is it simply reactive? Does the company or the asset you’re trying to gain access to react to the way they get attacked, or they try to figure out what’s coming next? Very few organizations have a proactive security posture. They look at what happened in the news yesterday and they go: “Oh crap, we need to defend against that too.” This is, unfortunately, how a lot of our air safety is done.
Is incident response implemented? This is a really good thing to know, because odds are you’re going to run into incident response at some point: you’re going to do something that will trigger the defensive mechanism to get spring to life. You’re going to trip a firewall at some place, you’re going to trip an IPS, you’re going to blue-screen the machine somewhere, and they’re going to go: “Something’s up.” How do they respond?
If they have outsourced their frontline incident paneling, which means all their IDS and IPS and firewalls go to some outsource company, odds are they’re not going to be very responsive. What that probably means to me is either a) they’re overwhelmed; or b) they don’t have the in-house expertise to do it themselves. That’s an interesting place to start from because odds are, between the time you launch the attack and the time their call comes in to the client and they actually do something about it, there’s a window of opportunity there.So, Pwn is execute the attack, go after it, go do it, compromise multiple assets using varied attacks. This is an interesting way of getting at multiple assets: you want to make sure that you get more than one, because sometimes the good guys will find it, they’ll defuse the bomb, whatever attack you’re throwing at them. There’s logical attacks here – attack the logic of processes or applications. Hacking doesn’t just involve sending 0-day. Being able to exploit processes within technology or people is also very, very important.
Social engineering is a huge part of this: if you’ve ever watched anybody work a social engineering angle, it’s scary and terrifying how effective this stuff is. Leverage known weaknesses to compromise assets – again, stealth is extremely key when executing here. You don’t want to make a lot of noise, unless you do want to make a lot of noise.
There are times where it’s ok to create a lot of noise, sort of wake them up, get them going: “Look over there, lots of stuff going on,” as you pick the pocket from behind, makes sense? This is a tactic that’s used on busy streets, like in Times Square and downtown here a lot, when somebody wants to pick your pocket they’ll bump into you on this side while they reach out for your wallet on the back end because you’re focused on something else, the other immediate impact.
Don’t forget the whole bribery, blackmail and simple incentives. How many people have been polled to give out their password for a candy bar? A staggering amount! Kind of worries you.The last one is Poll. I use Poll here because it’s about continuously monitoring the things that you have attacked, compromised and successfully infiltrated. The idea here most of the time is to establish a long-term foothold, so if you’re going to get into a box and you want to get the data they have today, but odds are they’re going to get more data tomorrow and you want that too – keep at those assets that you have in there and established. We do a lot of this with BeEF, browser exploitation framework. It’s not just popping that browser and getting some data, it’s also being able to establish a longer-term foothold. Metasploit is really good for this. Perform damage assessment on lost assets: when you have an asset that you’ve established inside of an organization and somebody figures it out and they go: “Hey, holy crap, my laptop’s compromised, I should reimage,” – well, you’ve lost that asset and you have to compensate, come up with something else. Odds are you don’t want to exploit another asset the exact same way, because then you develop a pattern, and they can figure patterns out.
So, the threat scenario here is kind of like a little diagram of how to work through this (see image): Identify the asset, decompose, get the asset posture, compromise, monitor and update, rinse and repeat. And with that, I’m turning it over to my partner.