
12/12/2019
02:00 PM

Get Organized Like a Villain

What cybercrime group FIN7 can teach us about using agile frameworks.

This past September, Fedir Hladyr, the IT administrator for the cybercrime group FIN7 — which targeted American consumer data and sold it on the black market — pleaded guilty to wire fraud and conspiracy to commit computer hacking. This case stood out because the techniques and tool sets FIN7 leveraged are fundamentally similar to those that most engineering, help desk, and IT departments use to manage their work on a daily basis.

According to court documents, Hladyr coordinated FIN7's criminal efforts through several platforms that manage tickets, tasks, and real-time chat. Hackers uploaded stolen credentials and assigned next steps through Jira, shared malicious code and stolen PCI data on HipChat, and communicated in real time on JabbR. Through these means, FIN7 stole more than 15 million credit card numbers from US retailers and restaurants.

FIN7's well-coordinated attacks greatly contributed to its illegal success. Its techniques have inspired us to reflect on the tactics we use to stay organized during red teams and penetration tests, and the benefits we gain from leveraging agile frameworks and ChatOps (the use of chatbots to execute on custom scripts and plugins and receive metrics and alerts from automation) — whether we are a team of three or a large group spread across multiple time zones.

Increasing Efficiency
If properly executed, implementing an agile workflow increases efficiency of the engagement by eliminating the need to ask "what should I do next?" After completing a task, pen testers can check if they've been assigned a new job or can choose from a selection of unclaimed tasks.

Dividing and conquering tasks also allows team members to play to their strengths — one member may be better at cracking hashes for credentials, while another is great at finding where to use those credentials. When specialized testers can focus on tasks that align with their niche skills, downtime and confusion are reduced, and the whole team is more effective.

Spontaneous task creation is another game changer. If something interesting pops up mid-review, a new task can be added to the backlog and reviewed later. This process captures the spark of hacker intuition while keeping the tester focused on the current objective.

Increasing Transparency
For most security engagements, there are countless starting places, each with a slew of attack vectors to test. Creating and assigning tasks in a centralized location not only provides a flexible structure for building lists of attack venues and monitoring progress, but it also increases transparency for teams and their clients.

During an on-site assessment, our four-person team created an impromptu Kanban board on a conference room wall, placing Post-it notes in three columns: TO DO, IN PROGRESS, and DONE. The initial tasks were based on high-level goals, and as we identified new opportunities, new Post-its were created. This improvised Kanban board helped us track our activities quickly and clearly. And when the client suggested new areas to investigate, those became new Post-its in the TO DO column. This level of real-time transparency communicated our progress, confirmed we were completing their high-level goals, demonstrated our custom approach to their environment, and showed them their input mattered.

Ensuring Consistency
Inconsistent team behaviors can lead to missed critical exposures. Tickets become a central place to discuss how a task is completed and templates ensure that jobs are performed in a repeatable way.

Recently, security researcher Tom Hudson (a member of DISTURBANCE, a top bug bounty team) told us that Trello checklists created during team bug bounty challenges helped teams build a strong foundation:

It's really common to perform the same set of tasks against multiple targets or endpoints; for a given domain, we might want to enumerate subdomains, run port scans, screenshot web-server responses, and so on. Having a template card with a prepopulated to-do list means we can make our process consistent between team members and we don't forget things.

Setting up a reliable, agreed-upon framework includes choosing which ChatOps channels to use (such as JabbR, HipChat, Slack, or IRC) and deciding how to classify and prioritize tasks. A good administrator, like FIN7 had with Hladyr, is also needed to manage shared naming conventions, maintain well-labeled folders, and keep everything running smoothly.

Enabling Continuous Agility
By adopting agile project management techniques for our continuous testing engagements, we create a real-time feed of potential vulnerabilities that we can review in a structured way. Real-time leads generated by automation are automatically turned into tasks and can be immediately picked up by team members across time zones or delegated to specialists. Furthermore, bots can push vulns of a certain type or severity level to a group chat for manual investigation. As a result, we can act on high-impact issues immediately and create a backlog of tickets for other potentially dangerous indicators.

The organization and flexibility that comes with this continuous testing methodology allows us to alert our teams to new publicly disclosed CVEs and track recurring patterns over time.
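The lead-to-ticket routing described in this section, as an added example that is not the authors' or Bishop Fox's code: constructed scanner findings become deduplicated tasks, findings above a severity threshold or of a watch-listed type are pushed to a chat channel for manual investigation, everything else lands in the backlog, and repeat leads across runs are counted so recurring patterns can be tracked. The thresholds, finding types, hostnames and sample findings are all assumptions made for the example.

```python
from dataclasses import dataclass
from collections import Counter
# Routing thresholds are assumptions for this example, not from the article.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
CHAT_MIN_SEVERITY = "high"
CHAT_TYPES = {"exposed-credentials", "rce"}  # types that always go to chat
@dataclass
class Task:
    key: str           # stable key: same lead on a later run maps to one ticket
    title: str
    severity: str
    finding_type: str
    route: str         # "chat" (manual investigation now) or "backlog"
    seen: int = 1      # number of scan runs that reported this lead

def finding_key(f):
    return f"{f['type']}|{f['host']}|{f['detail']}"

def route_for(f):
    if f["type"] in CHAT_TYPES:
        return "chat"
    if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[CHAT_MIN_SEVERITY]:
        return "chat"
    return "backlog"

def ingest(findings, board):
    """Turn scanner findings into tasks on `board` (dict key -> Task); return titles pushed to chat."""
    pushed = []
    for f in findings:
        k = finding_key(f)
        if k in board:
            board[k].seen += 1  # recurring lead: count it, do not open a duplicate ticket
            continue
        t = Task(k, f"[{f['severity']}] {f['type']} on {f['host']}",
                 f["severity"], f["type"], route_for(f))
        board[k] = t
        if t.route == "chat":
            pushed.append(t.title)
    return pushed

def recurring(board, min_seen=2):
    """Count finding types reported in at least `min_seen` runs, for trend tracking."""
    return dict(Counter(t.finding_type for t in board.values() if t.seen >= min_seen))

# Constructed sample findings from two scan runs (not real data).
RUN1 = [{"type": "outdated-tls", "severity": "low", "host": "shop.example.test", "detail": "TLS 1.0"},
        {"type": "exposed-credentials", "severity": "medium", "host": "ci.example.test", "detail": "token in /env"},
        {"type": "xss", "severity": "high", "host": "shop.example.test", "detail": "/search?q"}]
RUN2 = RUN1[:1] + [{"type": "xss", "severity": "medium", "host": "blog.example.test", "detail": "/comment"}]
```

Feeding `RUN1` and then `RUN2` into the same board shows the two behaviours the section describes: the credential and high-severity leads are pushed to chat immediately, while the repeated TLS finding is counted rather than re-ticketed.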

No One System Fits All
Whether it's a one-time engagement or a continuous assessment, a minimal, flexible structure amplifies and accelerates the efforts of security professionals on both sides of the law. Whether you're using Jira, Trello, or a Post-it Kanban board, it's important to build a robust environment that includes clear ways to organize information and communicate with your team.

FIN7's infrastructure of tickets, botnets, and ChatOps allowed them to react to evolving situations and complete their backlog of exploit tasks. Without project management processes, organized channels, and tagged items, FIN7's crime likely wouldn't have paid as much. Disorganized crime just isn't as profitable.

Attackers are finding great success adopting these agile techniques. Shouldn't your offensive security team be doing the same?

Special thanks to Tom Hudson and Ori Zigindere for their insights on this topic and to Brianne Hughes for her editorial guidance.


Rob Ragan is a principal researcher at Bishop Fox, where he focuses on solutions and strategy as well as fostering industry relationships. His areas of expertise include continuous penetration testing and red teaming. He is developing research to improve Bishop ...
