Cloud

1/26/2017
03:00 PM
John Strand
John Strand
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

How I Would Hack Your Network (If I Woke Up Evil)

How would an attacker target your company? Here's a first-person account of what might happen.

There's been a lot of talk about the recent hacks against the Democratic National Committee and many, many questions and arguments about who was responsible. 

There are some interesting things about this somewhat painful national conversation. First, it's widely believed that the attacks were launched by Russia. For most people, this resonates because they assume big attacks with big impacts must have been launched by big players. Attribution aside, this is just wrong. These attacks could have been successfully launched by anyone who spent an hour or two learning how to use the Social-Engineer Toolkit, available online.

Second, it shouldn't matter — at all. We must assume that advanced attackers are going to attack us. Further, we can't look at every successful attack as something that must have been mounted by an advanced nation-state actor. A few years ago, everyone was blaming China for attacks. Now, it's Russia. When we do this, it allows us to build a convenient straw man, and it becomes easy for us to brush off the attacks as though they were inevitable. Because surely, if China or Russia were behind the attacks, there is nothing anyone could have done to stop them. The attacks become a force of nature, an act of God.

But here's the thing: many of these attacks aren't advanced. Not at all. And, moreover, we should be able to defend against them.

Let's be very clear: your antivirus (AV) software won't protect you. Every year, we at Black Hills Information Security do a webcast called Sacred Cash Cow Tipping in which we bypass most of the major AV products and explain exactly how we did it. We do this because it's important for companies to understand that these points of defense, in and of themselves, aren't enough to stop a determined attacker. (The most recent video can be found here.)

So, I'm going to break down how, if I were evil, I would attack a network — possibly your network.

First, I will target your user population through phishing. This approach has been in the news quite a bit lately, because of the DNC attacks. It's interesting that many people are surprised by phishing. However, this is the same attack strategy we've been seeing for years. For most of our assessments, we find that roughly 20% to 30% of the user population will click on almost anything. Further, if we can couple our phishing attack with the information we learn from reconnaissance efforts, our probability of success goes way up. For example, if through recon we discover that one of your users is really into politics and often declares his political alliances on Twitter, Facebook, and LinkedIn, then we will use a ruse involving politics. 

That brings us to another point. The more a target posts on social media, the more we will focus on that user. People who are very into social media are more susceptible to targeted attacks. It could be that attackers have more information to work with when attacking. Or it could also be that these people feel the need for some level of affirmation. We feed that. That need makes them a greater risk to your organization.

I will also focus on external interfaces. I will password-spray your Web interfaces, your Outlook Web Access portals, your Secure Shell servers. (For more on password spraying, check out these blog posts by Beau Bullock.) This is where we use a single password (for example, Winter2017) and try that password on any user accounts we can enumerate online. Basically, I will attack things that shouldn't be exposed externally.

Next, I'll pivot as much as possible. Please check out Bloodhound and PowerShell Empire — these tools are fantastic for post exploitation, and could be the topic of a full series of articles. These tools allow an attacker to quickly identify other Windows systems and access their files and folders. This is the core goal of pivoting, using access on one system to access the resources on others.

So, How Can You Stop Me?
There has been a shift in security, and the old security fundamentals aren't effective any longer. The new security fundamentals include implementing application whitelisting, firewalls enabled down to the host level, and user behavioral analytics (UBA). UBA is exceptionally interesting because it is looking at user access patterns for indicators of compromise rather than just looking at program signatures. 

These are just some of the new things that security-minded organizations need to start implementing straight away. I understand that for many organizations, there are massive political and technical complexity challenges in play. But you must start looking into these methods right now. In fact, it's already too late — you should have started years ago. If you did, good for you. If you haven't started, get to it.

Let's summarize. First, your AV won't be a problem for me and will easily be bypassed. Second, I will phish your employees by using as much social media and reconnaissance as I can. Third, I will exploit all externally facing interfaces, portals, and servers. Finally, I will pivot as much as possible. How do you defend against me? Stop using your AV as a crutch, keep a smarter social media image (and encourage employees to do the same), implement whitelisting and firewalls, even at the host level, and UBA. Good luck.

(Note: John Strand will be giving a talk on this topic at upcoming SANS events in Scottsdale, Ariz., and Tysons Corner, Va.)

Related Content:

John Strand is a senior instructor with the SANS Institute. He teaches SEC504: Hacker Techniques, Exploits, and Incident Handling; SEC560: Network Penetration Testing and Ethical Hacking; SEC580: Metasploit Kung Fu for Enterprise Pen Testing; and SEC464: Hacker Guard: ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 3   >   >>
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
1/31/2017 | 1:00:42 PM
Re: %
@Dr.T: Perhaps the thinking was "Well, the link says not to click, but it's clearly from my own organization, so it can't be *truly* bad."

The better way to do this is to send fake phishing emails (without letting the users know what they are), and then those who click are brought to a page where they are alerted that they fell for a phishing scam -- and their computer is locked up until they complete a 5-minute InfoSec training so they don't fall for it again.  This technique has been shown to reduce successful email phishing attacks by up to 75%.
ClarenceR927
50%
50%
ClarenceR927,
User Rank: Strategist
1/31/2017 | 11:24:00 AM
Re: Source of attacks
In the case of the DNC attack the evidence is very clear that the work was done by Russian speaking agents using Russian systems for C&C. This is not in dispute dispite what the author implies.

 

The theory that AV companies write all the best viruses is as old as AV software and has been demonstrated false any time it has been investigated.
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
1/30/2017 | 3:06:55 PM
Reconnaissance, infiltration, exploitation, exfiltration: the 4 phases of a data breach
While the reconnaissance phase can take months even years, the exfiltration will take days.  So i agree strongly UBA is critical to flag anything abnormal.  Identity governance is another critical tool to mitigate data breach, especially from insiders , of whom government agencies have seen their share.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:56:34 PM
UBA
"user behavioral analytics (UBA)"

I agree, this may be a good starting point, at the end of the day everything starts with the user behavior.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:54:28 PM
security fundamentals
" old security fundamentals aren't effective"

This is a good point, industry has change, there is no more firewall to sell because everybody has it, they needs to sell something new.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:51:58 PM
passwords
"I will password-spray your Web interfaces,"

I see the points in the article, however I think making password compels is not a solution, they are not really cracking the passwords, that is too much unnecessary work, they are getting it from the users.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:48:51 PM
AV vs. DDOD or social engineering
Agree with the article, AV is an outdated strategy, nobody spends time to write a virus, there is more exciting ways of doing impact such as DDOD and social engineering.

 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:48:24 PM
Re: %
"I wanted to see what would happen."

I see their reasoning. There should be second level protection. I should be able to click the link and still be protected.
Dr.T
0%
100%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:47:23 PM
Source of attacks
Now that security attacks created a new industry I suspect that lots of security firms are behind of lots of those attacks to sell their products. I do not have a proof for it, it is just my guess. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:47:05 PM
Re: %
"Do not click on this link" -- and found that 10% of the recipients STILL clicked the link. "

I wonder, the reason they would click because of the question in their mind: "why would I get a link not to click?"
<<   <   Page 2 / 3   >   >>
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8980
PUBLISHED: 2019-02-21
A memory leak in the kernel_read_file function in fs/exec.c in the Linux kernel through 4.20.11 allows attackers to cause a denial of service (memory consumption) by triggering vfs_read failures.
CVE-2019-8979
PUBLISHED: 2019-02-21
Koseven through 3.3.9, and Kohana through 3.3.6, has SQL Injection when the order_by() parameter can be controlled.
CVE-2013-7469
PUBLISHED: 2019-02-21
Seafile through 6.2.11 always uses the same Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode to encrypt private data, making it easier to conduct chosen-plaintext attacks or dictionary attacks.
CVE-2018-20146
PUBLISHED: 2019-02-21
An issue was discovered in Liquidware ProfileUnity before 6.8.0 with Liquidware FlexApp before 6.8.0. A local user could obtain administrator rights, as demonstrated by use of PowerShell.
CVE-2019-5727
PUBLISHED: 2019-02-21
Splunk Web in Splunk Enterprise 6.5.x before 6.5.5, 6.4.x before 6.4.9, 6.3.x before 6.3.12, 6.2.x before 6.2.14, 6.1.x before 6.1.14, and 6.0.x before 6.0.15 and Splunk Light before 6.6.0 has Persistent XSS, aka SPL-138827.