There's been a lot of talk about the recent hacks against the Democratic National Committee and many, many questions and arguments about who was responsible.
There are some interesting things about this somewhat painful national conversation. First, it's widely believed that the attacks were launched by Russia. For most people, this resonates because they assume big attacks with big impacts must have been launched by big players. Attribution aside, this is just wrong. These attacks could have been successfully launched by anyone who spent an hour or two learning how to use the Social-Engineer Toolkit, available online.
Second, it shouldn't matter — at all. We must assume that advanced attackers are going to attack us. Further, we can't look at every successful attack as something that must have been mounted by an advanced nation-state actor. A few years ago, everyone was blaming China for attacks. Now, it's Russia. When we do this, it allows us to build a convenient straw man, and it becomes easy for us to brush off the attacks as though they were inevitable. Because surely, if China or Russia were behind the attacks, there is nothing anyone could have done to stop them. The attacks become a force of nature, an act of God.
But here's the thing: many of these attacks aren't advanced. Not at all. And, moreover, we should be able to defend against them.
Let's be very clear: your antivirus (AV) software won't protect you. Every year, we at Black Hills Information Security do a webcast called Sacred Cash Cow Tipping in which we bypass most of the major AV products and explain exactly how we did it. We do this because it's important for companies to understand that these points of defense, in and of themselves, aren't enough to stop a determined attacker. (The most recent video can be found here.)
So, I'm going to break down how, if I were evil, I would attack a network — possibly your network.
First, I will target your user population through phishing. This approach has been in the news quite a bit lately, because of the DNC attacks. It's interesting that many people are surprised by phishing. However, this is the same attack strategy we've been seeing for years. For most of our assessments, we find that roughly 20% to 30% of the user population will click on almost anything. Further, if we can couple our phishing attack with the information we learn from reconnaissance efforts, our probability of success goes way up. For example, if through recon we discover that one of your users is really into politics and often declares his political alliances on Twitter, Facebook, and LinkedIn, then we will use a ruse involving politics.
That brings us to another point. The more a target posts on social media, the more we will focus on that user. People who are very into social media are more susceptible to targeted attacks. It could be that attackers have more information to work with when attacking. Or it could also be that these people feel the need for some level of affirmation. We feed that. That need makes them a greater risk to your organization.
I will also focus on external interfaces. I will password-spray your Web interfaces, your Outlook Web Access portals, your Secure Shell servers. (For more on password spraying, check out these blog posts by Beau Bullock.) This is where we use a single password (for example, Winter2017) and try that password on any user accounts we can enumerate online. Basically, I will attack things that shouldn't be exposed externally.
Next, I'll pivot as much as possible. Please check out Bloodhound and PowerShell Empire — these tools are fantastic for post exploitation, and could be the topic of a full series of articles. These tools allow an attacker to quickly identify other Windows systems and access their files and folders. This is the core goal of pivoting, using access on one system to access the resources on others.
So, How Can You Stop Me?
There has been a shift in security, and the old security fundamentals aren't effective any longer. The new security fundamentals include implementing application whitelisting, firewalls enabled down to the host level, and user behavioral analytics (UBA). UBA is exceptionally interesting because it is looking at user access patterns for indicators of compromise rather than just looking at program signatures.
These are just some of the new things that security-minded organizations need to start implementing straight away. I understand that for many organizations, there are massive political and technical complexity challenges in play. But you must start looking into these methods right now. In fact, it's already too late — you should have started years ago. If you did, good for you. If you haven't started, get to it.
Let's summarize. First, your AV won't be a problem for me and will easily be bypassed. Second, I will phish your employees by using as much social media and reconnaissance as I can. Third, I will exploit all externally facing interfaces, portals, and servers. Finally, I will pivot as much as possible. How do you defend against me? Stop using your AV as a crutch, keep a smarter social media image (and encourage employees to do the same), implement whitelisting and firewalls, even at the host level, and UBA. Good luck.