This past September, Fedir Hladyr, the IT administrator for the cybercrime group FIN7 — which targeted American consumer data and sold it on the black market — pleaded guilty to wire fraud and conspiracy to commit computer hacking. This case stood out because the techniques and tool sets FIN7 leveraged are fundamentally similar to those that most engineering, help desk, and IT departments use to manage their work on a daily basis.
According to court documents, Hladyr coordinated FIN7's criminal efforts through several platforms that manage tickets, tasks, and real-time chat. Hackers uploaded stolen credentials and assigned next steps through Jira, shared malicious code and stolen PCI data on HipChat, and communicated in real time on JabbR. Through these means, FIN7 stole more than 15 million credit card numbers from US retailers and restaurants.
FIN7's well-coordinated attacks greatly contributed to its illegal success. Its techniques have inspired us to reflect on the tactics we use to stay organized during red teams and penetration tests, and the benefits we gain from leveraging agile frameworks and ChatOps (the use of chatbots to execute on custom scripts and plugins and receive metrics and alerts from automation) — whether we are a team of three or a large group spread across multiple time zones.
If properly executed, implementing an agile workflow increases efficiency of the engagement by eliminating the need to ask "what should I do next?" After completing a task, pen testers can check if they've been assigned a new job or can choose from a selection of unclaimed tasks.
Dividing and conquering tasks also allows team members to play to their strengths — one member may be better at cracking hashes for credentials, while another is great at finding where to use those credentials. When specialized testers can focus on tasks that align with their niche skills, downtime and confusion are reduced, and the whole team is more effective.
Spontaneous task creation is another game changer. If something interesting pops up midreview, a new task can be added to the backlog and reviewed later. This process captures the spark of hacker intuition while keeping the tester focused on the current objective.
For most security engagements, there are countless starting places, each with a slew of attack vectors to test. Creating and assigning tasks in a centralized location not only provides a flexible structure for building lists of attack venues and monitoring progress, but it also increases transparency for teams and their clients.
During an on-site assessment, our four-person team created an impromptu Kanban board on a conference room wall, placing Post-it notes in three columns: TO DO, IN PROGRESS, and DONE. The initial tasks were based on high-level goals, and as we identified new opportunities, new Post-its were created. This improvised Kanban board helped us track our activities quickly and clearly. And when the client suggested new areas to investigate, those became new Post-its in the TO DO column. This level of real-time transparency communicated our progress, confirmed we were completing their high-level goals, demonstrated our custom approach to their environment, and showed them their input mattered.
Inconsistent team behaviors can lead to missed critical exposures. Tickets become a central place to discuss how a task is completed and templates ensure that jobs are performed in a repeatable way.
Recently, security researcher Tom Hudson (a member of DISTURBANCE, a top bug bounty team) told us that Trello checklists created during team bug bounty challenges helped teams build a strong foundation:
It's really common to perform the same set of tasks against multiple targets or endpoints; for a given domain, we might want to enumerate subdomains, run port scans, screenshot web-server responses, and so on. Having a template card with a prepopulated to-do list means we can make our process consistent between team members and we don't forget things.
Setting up a reliable, agreed-upon framework includes choosing which ChatOps channels tor use (such as, JabbR, HipChat, Slack, IRC), and deciding how to classify and prioritize tasks. A good administrator, like FIN7 had with Hladyr, is also needed to manage shared naming conventions, maintain well-labeled folders, and keep everything running smoothly.
Enabling Continuous Agility
By adopting agile project management techniques for our continuous testing engagements, we create a real-time feed of potential vulnerabilities that we can review in a structured way. Real-time leads generated by automation are automatically turned into tasks and can be immediately picked up by team members across time zones or delegated to specialists. Furthermore, bots can push vulns of a certain type or severity level to a group chat for manual investigation. As a result, we can act on high-impact issues immediately and create a backlog of tickets for other potentially dangerous indicators.
The organization and flexibility that comes with this continuous testing methodology allows us to alert our teams to new publicly disclosed CVEs and track recurring patterns over time.
No One System Fits All
Whether it's a one-time engagement or a continuous assessment, a minimal, flexible structure amplifies and accelerates the efforts of security professionals on both sides of the law. Whether you're using Jira, Trello, or a Post-it Kanban board, it's important to build a robust environment that includes clear ways to organize information and communicate with your team.
FIN7's infrastructure of tickets, botnets, and ChatOps allowed them to react to evolving situations and complete their backlog of exploit tasks. Without project management processes, organized channels, and tagged items, FIN7's crime likely wouldn't have paid as much. Disorganized crime just isn't as profitable.
Attackers are finding great success adopting these agile techniques. Shouldn't your offensive security team be doing the same?
Special thanks to Tom Hudson and Ori Zigindere for their insights on this topic and to Brianne Hughes for her editorial guidance.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Next Security Silicon Valley: Coming to a City Near You?"