This is the final part of the presentation dedicated to nuances of exploiting various components of an adversary’s defensive posture for a successful attack.So, now we want to directly engage the defenses. A very effective thing is false flag operations. Does everybody knows what a false flag is? False flag operations are basically where you do something and it looks like somebody else did it. We execute multiple attacks to heighten the sense of danger, and we force the defenders to tune down their defensive posture because they’re getting hit from several different areas. We trick the defenders into questioning their defensive posture.
Opportunistically attack systems or physical assets: you know, we can do it during change windows, upgrade periods, off-hours, when defenses are the weakest, when defenders are incapacitated as we got them drunk or they are otherwise unable to defend. We exploit information overload or misdirection: noisy attacks against front-end systems while the back-end is quietly exploited are a good way to go. Create confusion and misdirection with overload of systems from high-noise or fake attacks. Exploit human mental frustration or fatigue.
For instance, a false flag attack: you can basically leave fake trails, fake bits that lead back to somebody within a company; attribute an attack to someone who’s within their own IT group – not enough to get them fired, but enough to get them questioned. And all of a sudden this guy is now isolated within the IT group and within the security group. And he’s going to get pissed off, because nobody trusts him, because there’s that reasonable doubt that’s been gained, that’s being raised. So, now he’s someone you can probably flip, and this has happened a few times.We identify defenders with negative behavioral patterns: an employee that fears their employer would fire them if they knew, that sort of thing. It’s a very dangerous avenue, it should be last resort, because you don’t know if it’s going to blow up in your face. Involving employees at the risk of being extorted or blackmailed – the vector often involves luck; like I said, you can target using some of those websites, the prostitution websites, the drug websites.
A lot of drug websites operate exactly the same way as prostitution websites: being a vendor versus being a customer. Some of them you need to pay down but, again, a burner credit card is more than acceptable to these guys. By utilizing websites specializing in illegal activities or alternative lifestyles you can really identify these guys. It’s highly illegal and really can blow up in your face. And attacks like this really require long times, long periods of planning, observation of the defenders, and sometimes deep pockets. This is something that nation states really work on.Again, exploiting employee’s sentiment: disgruntled employees are really easy to find; they don’t hide themselves, they post everywhere. Happy employees are often eager to help their employer or you, so if you are acting as an agent of the employer, they’ll certainly help you.
Social media makes it simple to find corporate employees and learn their sentiment: lots of websites to troll and find unhappy employees, like I said before. And these guys are easily manipulated into revenge.And again, exploiting misdirection: creating a situation of over-stimulation, confusion – we want to attack quietly when no one’s looking while making noise on the other side. So, DDoS forces the adversary to tune down. If you’re launching several different noisy attacks on one side, and your real goal is to get the silent attacks on the other side – that’s a way to go. The thing is most organizations cannot find one deadly needle in a stack of needles. So, if you overwhelm them, human fatigue sets in quickly and the defenders give up. And then the final stage, of course, is poll: we just keep monitoring and updating the asset list. Monitoring the compromised assets that we have is critical. I mean, you need to know what’s happening with those things. Has the asset changed? Has a compromised asset been fixed? If so, can it be re-compromised? If an asset is lost, we want to perform a basic damage assessment to ensure that no information leakage has occurred. In this context, we want to know whether a security bulletin was sent out, whether this was fixed as part of a routine remediation effort, or it was part of another process. That’s important.
You want to identify any possible replacement assets that will replace the compromised asset’s function in the attack. Then you want to perform what’s called an asset effectiveness assessment, and that basically tells you what assets are performing the best. You want to identify the risk to the asset that could lead to the asset being compromised. And if it’s critical, then you want to re-rank the effectiveness in a quantifiable manner, as applicable to the project.
So, you basically identify any underperforming or non-performing assets and decide: “Does the asset have any chance of coming around? Can we flip it into a good asset? If so, what is it going to take cost-wise and effort-wise?” Do a cost-benefit analysis and determine whether or not you should just cut the asset loose or just keep it on the line. I never really recommend cutting an asset loose unless it’s been compromised, because you never know down the road when it might come back in.
Finally, you want to identify what postures have changed of a previously non-compromised asset, because what you often find is assets that weren’t compromised are now actually compromisable. This happens frequently with employees, especially when the company is right size. The larger your team’s resources are, obviously the more assets you can manage, so deep pockets will determine the effectiveness of your attack.Online resources: we have a list of recommended OSINT aggregators and information gathering tools, also a list of sentiment analysis keywords (see image). These are the ones that I use rather than using the automated tools because, quite frankly, they suck. And ToneCheck, I mean if you really want to play with it, just to see how god-awful it is – feel free, but Muse from Stanford is the tool that I really prefer, it allows you to do chat, mbox email formats, mailing lists, and it’s got a much higher frequency rate than the Lybmix ToneCheck. Like I said, you still want to do it manually because manually you will see a lot of stuff that slips through these things.
That’s it for our presentation. Thank you!