Inside A Hacker's Playbook:Ten Targeted Techniques That Will Break Your Security
"If You Know How To Hack, You Know How To Protect"
Targeted attacks are successful because they are stealthy,
specific and disarmingly personal. If they do it right, advanced attackers can
quietly infiltrate a network and steal data or information at will for months
or even years. Learn how to stop them by
taking a page from their playbook— literally. This post presents a
never-before-seen copy of an advanced attacker’s technique manual. Use it well to design
security that counters their plays perfectly.
A
Playbook On Profiting From Targeted Attacks
Before we tackle the finer techniques of building a
money-making cyber scam, let’s talk a little about the basics of this gig,
shall we?
First of all here’s what we are not trying to do. We’re
not trying to blanket the internet with malicious V1agrow spam or mass SQL
inject a zillion websites.
We’re narrowing our work down to a specific company or
industry based on vulnerability opportunities that we scare up. The broadest
we’ll get is hitting a range of companies vulnerable to one precise vulnerability
— either never discovered by security researchers or just recently patched by a
vendor.
Do it right and you’ll get your hands on huge caches of
valuable customer data, and maybe even hit the jackpot with the target’s most
important intellectual property. With that, you can blackmail people or sell to
competitors — or even to nation states.
You won’t just be buying a new Ferrari.
You’ll be buying a fleet of ‘em.
Know
Your Adversary
With a little bit of research, some crafty writing and the right
technology, crooks make a good living running targeted attacks to steal
corporate and government data. The more we can learn about their techniques,
the better we can counter them.
As we sneak a look at each of the plays inside this bad guy
(BlackHat) instruction manual, let’s look for ways to turn this inside
knowledge on its head. This post will also offer advice on how to block each attack
technique (WhiteHat)
BLACKHAT {Section}
Play
1: Staging Your Attack
Let’s get to easy money! Most times, there are five
stages to a really gnarly targeted attack:
a)
Research: Start by doing
recon on the anticipated target. Dig for publicly available information and
socially engineer your way to exploitable info about their IT systems
b)
Intrude: Use that
information to find the right employee to spearphish and the right
vulnerability to target with your malicious payload—once the bait’s taken
you’ll have your initial toehold in the target’s network
c)
Propagate: When you pwn
one machine, use its network connections to spread malware onto other machines
so even if you’re detected in one place you’ve got control of other machines
d)
Infect: Once you get
the lay of the land through your different connections, install more tools to
really start to steal and aggregate data
e)
Exfiltrate: Finally, you’ve
got to get all that data out of there. Among other options, public web traffic
works well
WHITEHAT {Section}
Step one in the fight against targeted attacks is developing
executive awareness that these attacks really are happening. Because these
attacks are designed precisely to avoid detection, it’s easy to pretend you’re
not being targeted or attacked. But chances are you may already be compromised.
Facts
76% of
breached organizations needed someone else to tell them they'd been compromised
48% were told by
regulatory bodies
25% by law enforcement
1% by the public
2% by a third party
BLACKHAT {Section}
Play
2: Specialize And Outsource
It’s not what you know, it’s who you know. Put together
your own little mafia with specialists who work together to keep your
multi-step campaigns running. Just like cave men split labor into hunting and
gathering, you just have to break it up into hacking and scamming.
Build the team however you like. Hire people, outsource
to malware kit vendors, even work in an equal partnership.
Just remember what they say about honor among thieves…
Just think: no n00bs allowed. If they can’t spell or
find the caps lock, or code better than your average script kiddie can, its
hasta la vista, baby.
Play
3: Scale Your Attacks
Once you get together that A-team, you’re going to milk
every vulnerability dry.
Developed or bought an exploit for a new vulnerability
in some sorry old company’s retail point of sale (POS) system? Maybe it's for
some small-time grocery store in San Francisco, but then maybe that same exact
vulnerability and system configuration is going to work in POS machines at
other franchises of the same brand.
Then, son, your meal-ticket is punched. You’ll steal
ten times the data but only really do the work to break into one location.
WHITEHAT {Section}
The
FBI's List of Cyber Crime Specialties
Targeted attackers are building a business around stealing from
your business.
Just as you’d dedicate a lot of specialized employees and vendors
to solving your business problem, they’re sourcing skills necessary to crack
your defenses. Here are the top five out of 10 common specialties named by the
FBI:
Coders: write malware, exploits and data theft tools
Vendors: trade and sell stolen data, malware kits, footprints into
compromised networks
Criminal IT Guys: Maintain criminal IT infrastructure like servers and bullet-proof
ISPs
Hackers: seek and exploit application, system and network vulnerabilities
Fraudsters: create and execute social engineering ploys like phishing and
domain squatting
*********************************************************************
In order to stay a step ahead of the attackers, you’ve got
to start thinking like them. One key way to do that is to hire penetration
testers to barrage your systems with the same type of techniques the bad guys
use. Doing so can help you find widespread vulnerabilities like the POS example
highlighted above.
Facts
>1/3 More than a third
of data breach investigations
occur within franchise businesses
BLACKHAT {Section}
Play
4: Play The Player, Not The Game
There’s a good chance your target’s employees will be
oh-so-helpful without even knowing it. They’ll give you information, help you
upload malware on their machine and even hold the door open for you if you need
to sneak into a building. These peeps should be your best friends during the
first two stages of attack: research and intrusion.
So work this to your advantage. Here are some tips:
• If you want information-about the org chart, location
of a data center, technology they use or whatever—call someone who would know,
pretend to be from another department and just ask. Nine times out of ten
they’ll freely tell you out of the kindness of their hearts.
• Official-sounding emergencies work every time. Act
like you need help to get a ‘mission-critical’ project done or else heads will
roll. Works best if you know the name of their boss’ boss.
• If your target employee is high up the food chain and
too paranoid to take your bait, try working someone in their entourage. A lot
of admins—even temps—are sitting at workstations that can access the same
systems the boss’ computers are hooked into.
• Congrats—you just got a job in HR. Pretend to be a
recruiter. In this market, people’s judgment tends to get clouded if they think
there’s a new job on the horizon.
• Depending on how much you’ve got riding on this
attack, you may even invest in a little in-person social engineering. Put on a
delivery uniform, bring some flowers and see if someone will let you in the
building.
WHITEHAT {Section}
Your employees typically play a big role in a targeted
attack and their response to advanced attackers’ probes have the potential to
make or break your organization’s chances of keeping the bad guys at bay. In
spite of that, industry estimates show consistently that as few as a quarter to
a third of employees today are ever trained on how to respond to these social
engineering ploys.
Employee training can make it much harder for targeted
attacks to ever take shape—an adversary who can’t gather the right information
will find it imminently more difficult to customize an attack.
Facts
48% of large companies have
experienced 25 or more social engineering attacks in the past two years1
70% of
young workers regularly ignore IT policies2
30% of
large companies said social engineering cost them an average of $100,000 per
incident3
Source:
1)
www.securingthehuman.org/blog/2011/09/22/
justifying-your-awareness-program-with-social-engineering-survey
2)
www.eweek.com/c/a/Security/Younger-Employees-
Ignore-IT-Policies-Dont-Think-About-Security-Says-Cisco-274940/
3)
www.securingthehuman.org/blog/2011/09/22/justifying-your-awareness-program-withsocial-engineering-survey
BLACKHAT {SECTION}
Play
5: Get Social For Better Recon
Sometimes you don’t even need to ask employees for
information—they’ll offer it up right on their Twitter feed. Use social media
to find out all sorts of sweet Intel. Here’s what you can find out by making a
dummy Facebook account and tricking someone into friending it:
• Where they went to high school or college
• Their mother’s maiden name
• Their birthday
• Their dog’s name
• Facts about their job: title, promotions, boss’ name,
big projects coming up etc.
All of these are valuable hints at passwords, system
challenge question answers and information that are going to grease the skids
of your targeted campaign. Even if you don’t friend the person directly, you can
potentially dig up info by friending one of THEIR friends. Evil genius, no?
Social media also rules when it comes to building a
psych profile on an employee who might turn out to be the kind of tool to help
you roll out that first intrusion into a target company. If you know what his
or her hobbies are, what teams they root for or any other personal information,
you can craft the perfect bait that will get them to visit a site you’ve
infected or trick them into opening a malicious document.
WHITEHAT {Section}
“Elite cybercriminals are tapping into search engines and social
networks to help them target specific employees for social-engineering trickery
at a wide range of companies, professional firms and government agencies.” — Byron Acohido USA Today
*********************************************************************
According to recent numbers, more than half of enterprises
today have seen malware infections rise as a result of employees’ use of social
media. And that’s just the tip of the iceberg when it comes to how a persistent
attacker will use social media to their advantage. Social media as an
intelligence goldmine is an extremely effective method for hackers to start
planning their plan. There’s no silver bullet, but a combination of smart
social media policies, automated enforcement of these policies and a workforce
well-trained in the ways of social engineers can help stem the tide of these
attacks.
Facts
32.8% of
passwords contain a name in the top 100 girl and boy name lists
16.7% of
passwords contain a name on the top 100 dog names list (this is
the kind of info people readily give away on
their social media feeds)
BLACKHAT {SECTION}
Play
6: Probe For Every Weakness
Why break a window when you’ve got the key for the
front door? Look for user credentials at every step of the way.
Goal number two is to find clues about the architecture
of the target company’s IT infrastructure to choose the
right malware kit or custom build something that can help you pick the
proverbial locks if the keys aren’t lying around. This can be anything from
unencrypted password files to lists of company IP addresses to system version
information of deployed assets.
There are vulnerabilities in just about every corporate
network between here and the moon. If your target company doesn’t have them,
chances are a third party vendor or Partner Company with ties into the network
probably does.
Should you exploit zero-day vulnerabilities never
before discovered by the security industry or vulnerabilities that already have
a patch? Uh, yeah. Yeah, you should. If you’re smart, they’ll both play a part
in your plans.
Zero-day vulnerabilities rock. But they’re expensive to
find and exploit, and known vulnerabilities can be pretty wide open. Most IT
departments are too busy to plug their holes with patches.
In situations where you’re seeking very specific
information—say manufacturing schematics you’re stealing for a competing
company or nation state—and detection isn’t an option, then shelling out for
zero-day discovery and exploitation makes sense.
But if it is all about propagating malware in a company
you already know (or have a hunch about) has unpatched systems, it makes more
sense to take advantage of old vulnerabilities.
WHITEHAT {Section}
DEFENSE:
Hackers might not start with a client-side attack to gain
entry into your systems.
Sometimes the first step is to run a SQL injection on your
website to find unencrypted password files. Given users’ propensity to reuse
passwords, that early work may yield long term access to accounts across many
systems.
Strong password management—including enforcement of frequent
password changes—is a must to limiting damage in these instances.
On the vulnerability front, organizations have got to do a
better job patching their system to limit malicious software’s mojo. Zero-day
attacks are a tougher nut to crack and defense against exploitation will depend
upon security mechanisms at other security layers to prevent a widespread
attack from gaining much ground within the network or exfiltrating data
elsewhere.
Facts
42% of organizations have IT staff sharing
passwords or access to systems or applications4
48% don't
change their privileged passwords within 90 days5
40% or more
enterprises have informal or no patch management processes in place7
30% of
Apache Tomcat installations with accessible administrative interface have the
default credentials
The most common corporate password is
Password1, because it just barely meets the minimum complexity requirements of
Active Directory for length, capitalization and numerical figures6
Source:
4www.liebsoft.com/Password_Security_Survey/
5www.liebsoft.com/Password_Security_Survey/
6www.trustwave.com/global-security-report
7https://securosis.com/assets/library/main/quant-survey-report-072709.pdf
BLACKHAT {Section}
Play
7: Reinvent Old Web & Email Attacks
Once your crew has done its homework on a target, it’s
time to cast your line and wait for a bite. Some of the most effective initial
intrusion plays are fundamentally pretty old-school in nature—you’re just
phishing people with fake emails, IMs or social media messages to trick them
into visiting an infected site or downloading a malicious executable. Now use
the information you gathered to custom fit that interaction! Craft a lure
that’s believable and build a hook that seems so painless that no one even
notices they’ve been landed.
Do it like this:
Example
1:
Your hackers just found a killer vulnerability in a stock trading platform but
you need control of a machine with access to exploit it. Fortunately for you,
it’s football season and there are more than a few football fanatics in the
stock broker community. Since most of the companies you’re targeting are based
in Manhattan, you use SQL injection to strategically compromise the homepage of
two New York NFL teams with malicious code that downloads on visitors’
machines.
To keep pesky reputation-based filters from finding
your website infection, you set it up so that it will only interact with
machines working within a block of IP addresses originating from Manhattan.
Example
2:
You’ve found some middle manager in accounting who’s got access to systems that
hold tons of saleable financial and customer data. You chum it up with him on
Facebook, convincing him you met him at an accounting professional group
conference. Through your friend status you find out his real passion isn’t
ledger books but photography. So, you task your hackers and coders to build a
basic photography buff website with some hidden drive-by-download payloads.
While he looks at tips on digital SLRs, your malicious payload silently loads
in the background.
Example
3:
You’ve gotten your hands on the organizational chart of a target company and
read in a company blog about a strategic new hire of John Smith in the
marketing department. You create a Gmail account under the name of the HR
manager and use it to write an email that looks like HR blew it and gave
everyone info on Smith’s salary and benefits.
They open the attachment, “JohnSmithcompensation.xls,”
and bang, curiosity killed the network.
WHITEHAT {Section}
Intel
About The Enemy
Advanced attackers are increasingly using strategic web
compromises to infect their targets via drive-by download: “The goal is not
large scale malware distribution through mass compromises.
Instead the attackers place their exploit code on websites that
cater towards a particular set of visitors that they might be interested in.” –Shadowserver
*********************************************************************
The examples named above are just the tip of the iceberg in
terms of the type of creativity targeted attacks are employing to personalize
their intrusion attempts. Secure web and email gateways are critical to
stopping all manifestations of blended email and web attacks.
As Example 1 illustrates, old web filtering technology won't
always work—techniques like initiating IP address-specific malware downloads
can get around defenses that depend on reputation filtering. This is where
advanced technology with real-time code inspection comes into play.
Facts
50% of
targeted attacks initially occur through web use
48% of
targeted attacks initially occur through e-mail use
2% enter
through local devices
BLACKHAT {Section}
Play
8: Think Sideways
One backdoor into a corporate network might be good,
but more is always better. If you want to stay on a network for a long time,
you’ve got to use that initial client-side pwnage to move sideways through the
network.
That way, if your first intrusion is detected and your
malware package is eliminated from that machine, you’ll still keep your hands
on the steering wheel elsewhere.
The secret? You’ve got to propagate with diversity. You
need to use completely different types of payloads on different systems because
once one type is found out, odds are they’re going to scan the network looking
for everything that looks like that sample. But if you control a bunch of
endpoints with different types of malware, they’ll probably never even know
they’re still compromised.
WHITEHAT {Section}
Intel
About The Enemy
41.2% of the malware
uses HTTPS to exfiltrate data
29.4% uses FTP
11.8
%
uses SMTP
*********************************************************************
Targeted attacks are so ingenious these days that even with
the tools and practices we've suggested already, there's still a chance that
some attacks will slip through. Always operate under the assumption that you've
already been hacked and utilize practices and technologies that will seek out
existing infections, risky security configurations and any suspect file system
changes that could be a red flag of infection.
Facts
In 76% of
incident response investigations, a third party responsible for system support,
development and/or maintenance of business environments introduced the security
deficiencies.
88%
of targeted malware remains undetected by traditional anti-virus
BLACKHAT {Section}
Play
9: Hide In Plain Sight
Stealth is the name of the game in these targeted
attacks. Sometimes you just want to do the old smash and- grab, where you want
to get in and out of the network with as much loot as possible or with a very
specific piece of information. But generally the most profitable way is to
drain the database is a little at a time for a LONG time.
Put some technical noise dampeners on your intrusions.
You don’t want to knock over any expensive vases while
you digitally cat burgle the place, do you? Every movement should be planned to
avoid setting off any alarms. As you drop tools on systems to aggregate data
and control backdoors, here are some tips:
• Avoid self-replicating malware
• Hide malware in system folders and get them to look
like common processes
• Make use of webmail accounts to route SSL-encrypted
command-and-control traffic to your backdoors
• Use packer utilities to hide malicious binaries
• If you can, store some malware components in the
cloud
Play
10: Take Data Quietly
So maybe you’re a l33t spearphisher, you’re wicked good
taking over a network and you’ve got a nose like a bloodhound for juicy data.
It all amounts to nada if you can’t get the data out of the network. Be
patient!
Quiet and slow exfiltration makes it easier to steal
larger stores of information without setting off alarms that will shut you down
midstream.
Lucky for you, most companies today don’t set up their
firewalls to block outbound traffic so you have a lot of options.
Public web traffic can prove to be one of the most
efficient ways of slowly leaking data off the network. HTTPS traffic can have
added benefit of steering clear of data leak prevention tools by hiding data
under cloak of SSL.
WHITEHAT {Section}
Intel
About The Enemy
Because the endgame for any targeted attack is to steal data, it
only makes sense to depend on data-centric security tools to frustrate
adversaries. This can be accomplished by understanding the context of the data
and detecting malicious network application traffic that is dragging the data
out through application-aware, next generation firewalls.
The use of encryption to hide attacks and theft of data is on the
rise. Over 25 percent of all data exfiltrated by attackers is encrypted by
cyber criminals. Also critical are encryption techniques that render data
useless even if it is exfiltrated.
*********************************************************************
Network monitoring tools have advanced considerably over the
years to better find common signs of attacks, but attackers do a good job
staying one step ahead of alerting technology. One of the most effective tools
organizations have in their struggle to discover malicious activity is system
information—but we have to know what to look for. That means correlating small
events alerts from across the infrastructure so that one big alarm sounds when
enough of them happen at once. It's a specialty of security information and
event management (SIEM) tools and the skilled analyst that know how to use
them—both indispensible in the fight against
targeted attacks.
" You Have To get Your Hands Dirty To Know How To Keep Them Clean"
