Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

1/26/2017
03:00 PM
John Strand
John Strand
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

How I Would Hack Your Network (If I Woke Up Evil)

How would an attacker target your company? Here's a first-person account of what might happen.

There's been a lot of talk about the recent hacks against the Democratic National Committee and many, many questions and arguments about who was responsible. 

There are some interesting things about this somewhat painful national conversation. First, it's widely believed that the attacks were launched by Russia. For most people, this resonates because they assume big attacks with big impacts must have been launched by big players. Attribution aside, this is just wrong. These attacks could have been successfully launched by anyone who spent an hour or two learning how to use the Social-Engineer Toolkit, available online.

Second, it shouldn't matter — at all. We must assume that advanced attackers are going to attack us. Further, we can't look at every successful attack as something that must have been mounted by an advanced nation-state actor. A few years ago, everyone was blaming China for attacks. Now, it's Russia. When we do this, it allows us to build a convenient straw man, and it becomes easy for us to brush off the attacks as though they were inevitable. Because surely, if China or Russia were behind the attacks, there is nothing anyone could have done to stop them. The attacks become a force of nature, an act of God.

But here's the thing: many of these attacks aren't advanced. Not at all. And, moreover, we should be able to defend against them.

Let's be very clear: your antivirus (AV) software won't protect you. Every year, we at Black Hills Information Security do a webcast called Sacred Cash Cow Tipping in which we bypass most of the major AV products and explain exactly how we did it. We do this because it's important for companies to understand that these points of defense, in and of themselves, aren't enough to stop a determined attacker. (The most recent video can be found here.)

So, I'm going to break down how, if I were evil, I would attack a network — possibly your network.

First, I will target your user population through phishing. This approach has been in the news quite a bit lately, because of the DNC attacks. It's interesting that many people are surprised by phishing. However, this is the same attack strategy we've been seeing for years. For most of our assessments, we find that roughly 20% to 30% of the user population will click on almost anything. Further, if we can couple our phishing attack with the information we learn from reconnaissance efforts, our probability of success goes way up. For example, if through recon we discover that one of your users is really into politics and often declares his political alliances on Twitter, Facebook, and LinkedIn, then we will use a ruse involving politics. 

That brings us to another point. The more a target posts on social media, the more we will focus on that user. People who are very into social media are more susceptible to targeted attacks. It could be that attackers have more information to work with when attacking. Or it could also be that these people feel the need for some level of affirmation. We feed that. That need makes them a greater risk to your organization.

I will also focus on external interfaces. I will password-spray your Web interfaces, your Outlook Web Access portals, your Secure Shell servers. (For more on password spraying, check out these blog posts by Beau Bullock.) This is where we use a single password (for example, Winter2017) and try that password on any user accounts we can enumerate online. Basically, I will attack things that shouldn't be exposed externally.

Next, I'll pivot as much as possible. Please check out Bloodhound and PowerShell Empire — these tools are fantastic for post exploitation, and could be the topic of a full series of articles. These tools allow an attacker to quickly identify other Windows systems and access their files and folders. This is the core goal of pivoting, using access on one system to access the resources on others.

So, How Can You Stop Me?
There has been a shift in security, and the old security fundamentals aren't effective any longer. The new security fundamentals include implementing application whitelisting, firewalls enabled down to the host level, and user behavioral analytics (UBA). UBA is exceptionally interesting because it is looking at user access patterns for indicators of compromise rather than just looking at program signatures. 

These are just some of the new things that security-minded organizations need to start implementing straight away. I understand that for many organizations, there are massive political and technical complexity challenges in play. But you must start looking into these methods right now. In fact, it's already too late — you should have started years ago. If you did, good for you. If you haven't started, get to it.

Let's summarize. First, your AV won't be a problem for me and will easily be bypassed. Second, I will phish your employees by using as much social media and reconnaissance as I can. Third, I will exploit all externally facing interfaces, portals, and servers. Finally, I will pivot as much as possible. How do you defend against me? Stop using your AV as a crutch, keep a smarter social media image (and encourage employees to do the same), implement whitelisting and firewalls, even at the host level, and UBA. Good luck.

(Note: John Strand will be giving a talk on this topic at upcoming SANS events in Scottsdale, Ariz., and Tysons Corner, Va.)

Related Content:

John Strand is a senior instructor with the SANS Institute. He teaches SEC504: Hacker Techniques, Exploits, and Incident Handling; SEC560: Network Penetration Testing and Ethical Hacking; SEC580: Metasploit Kung Fu for Enterprise Pen Testing; and SEC464: Hacker Guard: ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 3   >   >>
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
1/31/2017 | 1:00:42 PM
Re: %
@Dr.T: Perhaps the thinking was "Well, the link says not to click, but it's clearly from my own organization, so it can't be *truly* bad."

The better way to do this is to send fake phishing emails (without letting the users know what they are), and then those who click are brought to a page where they are alerted that they fell for a phishing scam -- and their computer is locked up until they complete a 5-minute InfoSec training so they don't fall for it again.  This technique has been shown to reduce successful email phishing attacks by up to 75%.
ClarenceR927
50%
50%
ClarenceR927,
User Rank: Strategist
1/31/2017 | 11:24:00 AM
Re: Source of attacks
In the case of the DNC attack the evidence is very clear that the work was done by Russian speaking agents using Russian systems for C&C. This is not in dispute dispite what the author implies.

 

The theory that AV companies write all the best viruses is as old as AV software and has been demonstrated false any time it has been investigated.
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
1/30/2017 | 3:06:55 PM
Reconnaissance, infiltration, exploitation, exfiltration: the 4 phases of a data breach
While the reconnaissance phase can take months even years, the exfiltration will take days.  So i agree strongly UBA is critical to flag anything abnormal.  Identity governance is another critical tool to mitigate data breach, especially from insiders , of whom government agencies have seen their share.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:56:34 PM
UBA
"user behavioral analytics (UBA)"

I agree, this may be a good starting point, at the end of the day everything starts with the user behavior.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:54:28 PM
security fundamentals
" old security fundamentals aren't effective"

This is a good point, industry has change, there is no more firewall to sell because everybody has it, they needs to sell something new.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:51:58 PM
passwords
"I will password-spray your Web interfaces,"

I see the points in the article, however I think making password compels is not a solution, they are not really cracking the passwords, that is too much unnecessary work, they are getting it from the users.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:48:51 PM
AV vs. DDOD or social engineering
Agree with the article, AV is an outdated strategy, nobody spends time to write a virus, there is more exciting ways of doing impact such as DDOD and social engineering.

 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:48:24 PM
Re: %
"I wanted to see what would happen."

I see their reasoning. There should be second level protection. I should be able to click the link and still be protected.
Dr.T
0%
100%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:47:23 PM
Source of attacks
Now that security attacks created a new industry I suspect that lots of security firms are behind of lots of those attacks to sell their products. I do not have a proof for it, it is just my guess. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:47:05 PM
Re: %
"Do not click on this link" -- and found that 10% of the recipients STILL clicked the link. "

I wonder, the reason they would click because of the question in their mind: "why would I get a link not to click?"
<<   <   Page 2 / 3   >   >>
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Tor Weaponized to Steal Bitcoin
Dark Reading Staff 10/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16978
PUBLISHED: 2019-10-21
In FusionPBX up to v4.5.7, the file app\devices\device_settings.php uses an unsanitized &quot;id&quot; variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS.
CVE-2019-16979
PUBLISHED: 2019-10-21
In FusionPBX up to v4.5.7, the file app\contacts\contact_urls.php uses an unsanitized &quot;id&quot; variable coming from the URL, which is reflected in HTML, leading to XSS.
CVE-2019-16980
PUBLISHED: 2019-10-21
In FusionPBX up to v4.5.7, the file app\call_broadcast\call_broadcast_edit.php uses an unsanitized &quot;id&quot; variable coming from the URL in an unparameterized SQL query, leading to SQL injection.
CVE-2019-16990
PUBLISHED: 2019-10-21
In FusionPBX up to v4.5.7, the file app/music_on_hold/music_on_hold.php uses an unsanitized &quot;file&quot; variable coming from the URL, which takes any pathname (base64 encoded) and allows a download of it.
CVE-2019-16530
PUBLISHED: 2019-10-21
Sonatype Nexus Repository Manager 2.x before 2.14.15 and 3.x before 3.19, and IQ Server before 72, has remote code execution.