Dark Reading is part of the Informa Tech Division of Informa PLC



Get Organized Like a Villain

What cybercrime group FIN7 can teach us about using agile frameworks.

This past September, Fedir Hladyr, the IT administrator for the cybercrime group FIN7 — which targeted American consumer data and sold it on the black market — pleaded guilty to wire fraud and conspiracy to commit computer hacking. This case stood out because the techniques and tool sets FIN7 leveraged are fundamentally similar to those that most engineering, help desk, and IT departments use to manage their work on a daily basis.

According to court documents, Hladyr coordinated FIN7's criminal efforts through several platforms that manage tickets, tasks, and real-time chat. Hackers uploaded stolen credentials and assigned next steps through Jira, shared malicious code and stolen PCI data on HipChat, and communicated in real time on JabbR. Through these means, FIN7 stole more than 15 million credit card numbers from US retailers and restaurants.

FIN7's well-coordinated attacks greatly contributed to its illegal success. Its techniques have inspired us to reflect on the tactics we use to stay organized during red teams and penetration tests, and the benefits we gain from leveraging agile frameworks and ChatOps (the use of chatbots to execute on custom scripts and plugins and receive metrics and alerts from automation) — whether we are a team of three or a large group spread across multiple time zones.

Increasing Efficiency
If properly executed, implementing an agile workflow increases the efficiency of the engagement by eliminating the need to ask "what should I do next?" After completing a task, pen testers can check whether they've been assigned a new job or choose from a selection of unclaimed tasks.

Dividing and conquering tasks also allows team members to play to their strengths — one member may be better at cracking hashes for credentials, while another is great at finding where to use those credentials. When specialized testers can focus on tasks that align with their niche skills, downtime and confusion are reduced, and the whole team is more effective.

Spontaneous task creation is another game changer. If something interesting pops up mid-review, a new task can be added to the backlog and reviewed later. This process captures the spark of hacker intuition while keeping the tester focused on the current objective.

Increasing Transparency
For most security engagements, there are countless starting places, each with a slew of attack vectors to test. Creating and assigning tasks in a centralized location not only provides a flexible structure for building lists of attack venues and monitoring progress, but it also increases transparency for teams and their clients.

During an on-site assessment, our four-person team created an impromptu Kanban board on a conference room wall, placing Post-it notes in three columns: TO DO, IN PROGRESS, and DONE. The initial tasks were based on high-level goals, and as we identified new opportunities, new Post-its were created. This improvised Kanban board helped us track our activities quickly and clearly. And when the client suggested new areas to investigate, those became new Post-its in the TO DO column. This level of real-time transparency communicated our progress, confirmed we were completing their high-level goals, demonstrated our custom approach to their environment, and showed them their input mattered. 

Ensuring Consistency
Inconsistent team behaviors can lead to missed critical exposures. Tickets become a central place to discuss how a task is completed and templates ensure that jobs are performed in a repeatable way.

Recently, security researcher Tom Hudson (a member of DISTURBANCE, a top bug bounty team) told us that Trello checklists created during team bug bounty challenges helped teams build a strong foundation:

It's really common to perform the same set of tasks against multiple targets or endpoints; for a given domain, we might want to enumerate subdomains, run port scans, screenshot web-server responses, and so on. Having a template card with a prepopulated to-do list means we can make our process consistent between team members and we don't forget things.

Setting up a reliable, agreed-upon framework includes choosing which ChatOps channels to use (such as JabbR, HipChat, Slack, or IRC) and deciding how to classify and prioritize tasks. A good administrator, like FIN7 had with Hladyr, is also needed to manage shared naming conventions, maintain well-labeled folders, and keep everything running smoothly.

Enabling Continuous Agility
By adopting agile project management techniques for our continuous testing engagements, we create a real-time feed of potential vulnerabilities that we can review in a structured way. Real-time leads generated by automation are automatically turned into tasks and can be immediately picked up by team members across time zones or delegated to specialists. Furthermore, bots can push vulns of a certain type or severity level to a group chat for manual investigation. As a result, we can act on high-impact issues immediately and create a backlog of tickets for other potentially dangerous indicators.

The organization and flexibility that comes with this continuous testing methodology allows us to alert our teams to new publicly disclosed CVEs and track recurring patterns over time.
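The feed-to-backlog flow described in this section, as an added example (not the author's, Bishop Fox's, or FIN7's tooling): findings emitted by an automation job are de-duplicated into tickets named by a shared convention, and those at or above an assumed severity threshold are also pushed to a chat queue for manual review. The sample feed, host names, placeholder CVE id, and threshold are all constructed.

```python
"""Hypothetical ChatOps triage: turn automation findings into backlog tasks
and push high-severity ones to a group chat. Added example; all names,
thresholds, and sample data are assumptions, not any real team's tooling."""
from dataclasses import dataclass, field
import json

# Constructed sample feed, as an automation job might emit it (not real data;
# the CVE id is a labelled placeholder). Note the duplicate first entry.
SAMPLE_FEED = json.dumps([
    {"host": "app.example.test", "type": "cve", "id": "CVE-XXXX-0001", "severity": "critical"},
    {"host": "app.example.test", "type": "cve", "id": "CVE-XXXX-0001", "severity": "critical"},
    {"host": "mail.example.test", "type": "open-port", "id": "8080/tcp", "severity": "low"},
    {"host": "www.example.test", "type": "header", "id": "missing-hsts", "severity": "medium"},
])

CHAT_THRESHOLD = "high"  # assumed: severity at or above this goes to chat immediately
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Triage:
    backlog: dict = field(default_factory=dict)  # ticket key -> ticket
    chat: list = field(default_factory=list)     # messages queued for the group chat

    def ingest(self, feed_json):
        """Create one ticket per unique finding; route urgent ones to chat."""
        for f in json.loads(feed_json):
            key = f"{f['host']}|{f['type']}|{f['id']}"  # shared naming convention
            if key in self.backlog:
                continue  # already tracked: keep the backlog free of duplicates
            self.backlog[key] = {"status": "TO DO", **f}
            if RANK[f["severity"]] >= RANK[CHAT_THRESHOLD]:
                self.chat.append(f"[{f['severity'].upper()}] {key} needs manual review")
        return self

    def unclaimed(self):
        """Tickets any team member can pick up, in a stable order."""
        return sorted(k for k, t in self.backlog.items() if t["status"] == "TO DO")

    def claim(self, key, tester):
        """Move a ticket to IN PROGRESS and record who owns it."""
        t = self.backlog[key]
        t["status"], t["owner"] = "IN PROGRESS", tester
        return t
```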

No One System Fits All
Whether it's a one-time engagement or a continuous assessment, a minimal, flexible structure amplifies and accelerates the efforts of security professionals on both sides of the law. Whether you're using Jira, Trello, or a Post-it Kanban board, it's important to build a robust environment that includes clear ways to organize information and communicate with your team.

FIN7's infrastructure of tickets, botnets, and ChatOps allowed them to react to evolving situations and complete their backlog of exploit tasks. Without project management processes, organized channels, and tagged items, FIN7's crime likely wouldn't have paid as much. Disorganized crime just isn't as profitable.

Attackers are finding great success adopting these agile techniques. Shouldn't your offensive security team be doing the same?

Special thanks to Tom Hudson and Ori Zigindere for their insights on this topic and to Brianne Hughes for her editorial guidance.


Rob Ragan is a principal researcher at Bishop Fox, where he focuses on solutions and strategy as well as fostering industry relationships. His areas of expertise include continuous penetration testing and red teaming. He is developing research to improve Bishop ...
