Cloud
1/26/2017
03:00 PM
John Strand
John Strand
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

How I Would Hack Your Network (If I Woke Up Evil)

How would an attacker target your company? Here's a first-person account of what might happen.

There's been a lot of talk about the recent hacks against the Democratic National Committee and many, many questions and arguments about who was responsible. 

There are some interesting things about this somewhat painful national conversation. First, it's widely believed that the attacks were launched by Russia. For most people, this resonates because they assume big attacks with big impacts must have been launched by big players. Attribution aside, this is just wrong. These attacks could have been successfully launched by anyone who spent an hour or two learning how to use the Social-Engineer Toolkit, available online.

Second, it shouldn't matter — at all. We must assume that advanced attackers are going to attack us. Further, we can't look at every successful attack as something that must have been mounted by an advanced nation-state actor. A few years ago, everyone was blaming China for attacks. Now, it's Russia. When we do this, it allows us to build a convenient straw man, and it becomes easy for us to brush off the attacks as though they were inevitable. Because surely, if China or Russia were behind the attacks, there is nothing anyone could have done to stop them. The attacks become a force of nature, an act of God.

But here's the thing: many of these attacks aren't advanced. Not at all. And, moreover, we should be able to defend against them.

Let's be very clear: your antivirus (AV) software won't protect you. Every year, we at Black Hills Information Security do a webcast called Sacred Cash Cow Tipping in which we bypass most of the major AV products and explain exactly how we did it. We do this because it's important for companies to understand that these points of defense, in and of themselves, aren't enough to stop a determined attacker. (The most recent video can be found here.)

So, I'm going to break down how, if I were evil, I would attack a network — possibly your network.

First, I will target your user population through phishing. This approach has been in the news quite a bit lately, because of the DNC attacks. It's interesting that many people are surprised by phishing. However, this is the same attack strategy we've been seeing for years. For most of our assessments, we find that roughly 20% to 30% of the user population will click on almost anything. Further, if we can couple our phishing attack with the information we learn from reconnaissance efforts, our probability of success goes way up. For example, if through recon we discover that one of your users is really into politics and often declares his political alliances on Twitter, Facebook, and LinkedIn, then we will use a ruse involving politics. 

That brings us to another point. The more a target posts on social media, the more we will focus on that user. People who are very into social media are more susceptible to targeted attacks. It could be that attackers have more information to work with when attacking. Or it could also be that these people feel the need for some level of affirmation. We feed that. That need makes them a greater risk to your organization.

I will also focus on external interfaces. I will password-spray your Web interfaces, your Outlook Web Access portals, your Secure Shell servers. (For more on password spraying, check out these blog posts by Beau Bullock.) This is where we use a single password (for example, Winter2017) and try that password on any user accounts we can enumerate online. Basically, I will attack things that shouldn't be exposed externally.

Next, I'll pivot as much as possible. Please check out Bloodhound and PowerShell Empire — these tools are fantastic for post exploitation, and could be the topic of a full series of articles. These tools allow an attacker to quickly identify other Windows systems and access their files and folders. This is the core goal of pivoting, using access on one system to access the resources on others.

So, How Can You Stop Me?
There has been a shift in security, and the old security fundamentals aren't effective any longer. The new security fundamentals include implementing application whitelisting, firewalls enabled down to the host level, and user behavioral analytics (UBA). UBA is exceptionally interesting because it is looking at user access patterns for indicators of compromise rather than just looking at program signatures. 

These are just some of the new things that security-minded organizations need to start implementing straight away. I understand that for many organizations, there are massive political and technical complexity challenges in play. But you must start looking into these methods right now. In fact, it's already too late — you should have started years ago. If you did, good for you. If you haven't started, get to it.

Let's summarize. First, your AV won't be a problem for me and will easily be bypassed. Second, I will phish your employees by using as much social media and reconnaissance as I can. Third, I will exploit all externally facing interfaces, portals, and servers. Finally, I will pivot as much as possible. How do you defend against me? Stop using your AV as a crutch, keep a smarter social media image (and encourage employees to do the same), implement whitelisting and firewalls, even at the host level, and UBA. Good luck.

(Note: John Strand will be giving a talk on this topic at upcoming SANS events in Scottsdale, Ariz., and Tysons Corner, Va.)

Related Content:

John Strand is a senior instructor with the SANS Institute. He teaches SEC504: Hacker Techniques, Exploits, and Incident Handling; SEC560: Network Penetration Testing and Ethical Hacking; SEC580: Metasploit Kung Fu for Enterprise Pen Testing; and SEC464: Hacker Guard: ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/17/2017 | 11:53:36 AM
Re: Phishing emails (responding to Joe's comment)
@Petar: Fascinating.  I wonder what would happen if you upped the frequency (say, once a week) for a month or so, and then dropped back down to "normal" levels.
Petar Zivovic
50%
50%
Petar Zivovic,
User Rank: Apprentice
3/16/2017 | 12:29:55 PM
Re: Phishing emails (responding to Joe's comment)
The service we use allows for a number of templates, sender domains, subjects, etc. Given the wide variety of testing, I would lean towards the 16% being an accurate measure of susceptibility within the company as of that point in time. Note: I am seeing actual phishing emails being submitted for analysis using our phish tool on a daily basis, along with the usual spam and unwanted email, so at least some people are in fact paying attention.

"It's the difference between not slowing down on the highway as a matter of safety vs. slowing down on the highway because you think there's a speed trap ahead." This is a very good point. The number did go up when I missed a month of testing, so people apparently let down their guard. Seems to me that is just part of human nature for some people - they won't discipline themselves unless someone else is watching them. That being said, it's still way better than the initial baseline test.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/16/2017 | 11:25:40 AM
Re: Phishing emails (responding to Joe's comment)
@Petar: Does the 16% refer to overall phishing susceptibility, or susceptibility to the fake phishing email itself?

How much of this do you think is potentially attributed to people "learning" what's a "fake" phishing email?

For instance, I wonder to what extent people are thinking, "Oh, that's that wily IT department again.  I don't want to have to do another 5-minute training" (or whatever), vs. "Oh, I shouldn't click on that because it might be bad"?

It's the difference between not slowing down on the highway as a matter of safety vs. slowing down on the highway because you think there's a speed trap ahead.
kasstri
50%
50%
kasstri,
User Rank: Strategist
3/1/2017 | 6:52:04 AM
keyboard
Sure, there are more exciting and terrible things that can happen to bypass antivirus, but if you're not even doing that, then that's pretty lax.
Petar Zivovic
50%
50%
Petar Zivovic,
User Rank: Apprentice
2/28/2017 | 2:00:30 PM
Re: Phishing emails (responding to Joe's comment)
Re: sending fake phishing emails to train: Exactly right. It's effective when done on an ongoing basis (at least once a month.) I have seen the susceptibility rate fall to below 1% and stay there, which I consider phenomenal - until I forgot to do it one month. Then next month, it went up to 16%.

As Jefferson said, the Price of Freedom is Eternal Vigilance.
Kumzy
50%
50%
Kumzy,
User Rank: Apprentice
2/19/2017 | 8:04:34 AM
Re: %
That is a very great idea. My organization did the same thing about last week IT security sent out an e-mail that webcams had been installed in tbe breakroom refrigerators to forestal people stealing other peoples lunches a link was then provided to view the cam when you click on this link it takes you to a log in page which asks for your log in credentials, needless to say rumor started going round among staff about the webcams and people were curious about the issue so some clicked on the link and supplied their credentials and a message popped up that they have just willingly given up their credentials for a phising attack.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/2/2017 | 4:07:24 AM
Re: AV vs. DDOD or social engineering
I wouldn't go so far as to say that antivirus = outdated -- at least as a sole lines of defense.

Maintaining up-to-date antivirus is like locking your door.  Sure, there are more exciting and terrible things that can happen to bypass antivirus, but if you're not even doing that, then that's pretty lax.
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
1/31/2017 | 1:00:42 PM
Re: %
@Dr.T: Perhaps the thinking was "Well, the link says not to click, but it's clearly from my own organization, so it can't be *truly* bad."

The better way to do this is to send fake phishing emails (without letting the users know what they are), and then those who click are brought to a page where they are alerted that they fell for a phishing scam -- and their computer is locked up until they complete a 5-minute InfoSec training so they don't fall for it again.  This technique has been shown to reduce successful email phishing attacks by up to 75%.
ClarenceR927
50%
50%
ClarenceR927,
User Rank: Strategist
1/31/2017 | 11:24:00 AM
Re: Source of attacks
In the case of the DNC attack the evidence is very clear that the work was done by Russian speaking agents using Russian systems for C&C. This is not in dispute dispite what the author implies.

 

The theory that AV companies write all the best viruses is as old as AV software and has been demonstrated false any time it has been investigated.
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
1/30/2017 | 3:06:55 PM
Reconnaissance, infiltration, exploitation, exfiltration: the 4 phases of a data breach
While the reconnaissance phase can take months even years, the exfiltration will take days.  So i agree strongly UBA is critical to flag anything abnormal.  Identity governance is another critical tool to mitigate data breach, especially from insiders , of whom government agencies have seen their share.
Page 1 / 3   >   >>
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.