Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

1/26/2017
03:00 PM
John Strand
John Strand
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

How I Would Hack Your Network (If I Woke Up Evil)

How would an attacker target your company? Here's a first-person account of what might happen.

There's been a lot of talk about the recent hacks against the Democratic National Committee and many, many questions and arguments about who was responsible. 

There are some interesting things about this somewhat painful national conversation. First, it's widely believed that the attacks were launched by Russia. For most people, this resonates because they assume big attacks with big impacts must have been launched by big players. Attribution aside, this is just wrong. These attacks could have been successfully launched by anyone who spent an hour or two learning how to use the Social-Engineer Toolkit, available online.

Second, it shouldn't matter — at all. We must assume that advanced attackers are going to attack us. Further, we can't look at every successful attack as something that must have been mounted by an advanced nation-state actor. A few years ago, everyone was blaming China for attacks. Now, it's Russia. When we do this, it allows us to build a convenient straw man, and it becomes easy for us to brush off the attacks as though they were inevitable. Because surely, if China or Russia were behind the attacks, there is nothing anyone could have done to stop them. The attacks become a force of nature, an act of God.

But here's the thing: many of these attacks aren't advanced. Not at all. And, moreover, we should be able to defend against them.

Let's be very clear: your antivirus (AV) software won't protect you. Every year, we at Black Hills Information Security do a webcast called Sacred Cash Cow Tipping in which we bypass most of the major AV products and explain exactly how we did it. We do this because it's important for companies to understand that these points of defense, in and of themselves, aren't enough to stop a determined attacker. (The most recent video can be found here.)

So, I'm going to break down how, if I were evil, I would attack a network — possibly your network.

First, I will target your user population through phishing. This approach has been in the news quite a bit lately, because of the DNC attacks. It's interesting that many people are surprised by phishing. However, this is the same attack strategy we've been seeing for years. For most of our assessments, we find that roughly 20% to 30% of the user population will click on almost anything. Further, if we can couple our phishing attack with the information we learn from reconnaissance efforts, our probability of success goes way up. For example, if through recon we discover that one of your users is really into politics and often declares his political alliances on Twitter, Facebook, and LinkedIn, then we will use a ruse involving politics. 

That brings us to another point. The more a target posts on social media, the more we will focus on that user. People who are very into social media are more susceptible to targeted attacks. It could be that attackers have more information to work with when attacking. Or it could also be that these people feel the need for some level of affirmation. We feed that. That need makes them a greater risk to your organization.

I will also focus on external interfaces. I will password-spray your Web interfaces, your Outlook Web Access portals, your Secure Shell servers. (For more on password spraying, check out these blog posts by Beau Bullock.) This is where we use a single password (for example, Winter2017) and try that password on any user accounts we can enumerate online. Basically, I will attack things that shouldn't be exposed externally.

Next, I'll pivot as much as possible. Please check out Bloodhound and PowerShell Empire — these tools are fantastic for post exploitation, and could be the topic of a full series of articles. These tools allow an attacker to quickly identify other Windows systems and access their files and folders. This is the core goal of pivoting, using access on one system to access the resources on others.

So, How Can You Stop Me?
There has been a shift in security, and the old security fundamentals aren't effective any longer. The new security fundamentals include implementing application whitelisting, firewalls enabled down to the host level, and user behavioral analytics (UBA). UBA is exceptionally interesting because it is looking at user access patterns for indicators of compromise rather than just looking at program signatures. 

These are just some of the new things that security-minded organizations need to start implementing straight away. I understand that for many organizations, there are massive political and technical complexity challenges in play. But you must start looking into these methods right now. In fact, it's already too late — you should have started years ago. If you did, good for you. If you haven't started, get to it.

Let's summarize. First, your AV won't be a problem for me and will easily be bypassed. Second, I will phish your employees by using as much social media and reconnaissance as I can. Third, I will exploit all externally facing interfaces, portals, and servers. Finally, I will pivot as much as possible. How do you defend against me? Stop using your AV as a crutch, keep a smarter social media image (and encourage employees to do the same), implement whitelisting and firewalls, even at the host level, and UBA. Good luck.

(Note: John Strand will be giving a talk on this topic at upcoming SANS events in Scottsdale, Ariz., and Tysons Corner, Va.)

Related Content:

John Strand is a senior instructor with the SANS Institute. He teaches SEC504: Hacker Techniques, Exploits, and Incident Handling; SEC560: Network Penetration Testing and Ethical Hacking; SEC580: Metasploit Kung Fu for Enterprise Pen Testing; and SEC464: Hacker Guard: ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 3 / 3
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:45:09 PM
Re: Faster and easier
"Well, sure, that's phishing too ..."

True, just tricking users to do something that they are not normally do. Clever.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:43:53 PM
Re: Faster and easier
Not only executive but for everyine, we will all wonder what we have in a lost and found flash drive.

 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2017 | 12:42:46 PM
Nature of attacks
The nature of attacks are two folds in my view. One you trick the user so you can get a privilege access to the system and another one you know a back door that most others do not. Government sponsored ones are more likely they have a back door to the systems. System vulnerabilities are not the main paths for the attacks.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/28/2017 | 11:02:25 AM
%
The 20-30% figure isn't surprising.  At an MIT event I went to not too long ago, one presenter talked about an email sent organization-wide that said something to the effect of: "This is a phishing email.  It is fake.  Do not click on this link" -- and found that 10% of the recipients STILL clicked the link.

One C-suite executive who clicked on the link's response when asked why he clicked it: "I wanted to see what would happen."
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/28/2017 | 10:58:46 AM
Re: Faster and easier
@nosmo: Well, sure, that's phishing too -- just a more "physical" type of phishing, compared to email phishing.
nosmo_king
50%
50%
nosmo_king,
User Rank: Strategist
1/27/2017 | 9:31:53 AM
Faster and easier
I find that tossing a few carefully crafted USB sticks into the executive parking lot is easier, cheaper and more effective.
<<   <   Page 3 / 3
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18214
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
CVE-2019-18197
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...