Hacking the World’s Most Secure Networks.
There is an old yet erroneous belief that fortune favors the brave. Fortune has and always will favor the prepared. When your organization experiences a serious security incident (and it will), it’s your level of preparedness based on the understanding of the inevitability of such an event that will guide a successful recovery. It doesn’t matter if you’re responsible for the security of a local community college or if you’re the CISO of an international bank—this fact will always remain true.
To quote Howard Ruff, “It wasn’t raining when Noah built the ark.”
The first step to being prepared is being aware.
Coming Full Circle.
There has always been the impression that you have to patch your systems and secure your networks because hackers are scanning vast address ranges looking for victims who haven’t done these things and they’ll take whatever vulnerable systems they can get. In a sense that’s true—there have always been those who are satisfied with low hanging fruit. It was true back in the 80s as well—war dialing on the PSTN and such attacks are usually trivial to guard against if you know what you’re up against. However, if you are specifically targeted by someone with time and resources, you have a problem of an altogether different magnitude. Put simply, gaining access to corporate systems by patiently targeting the users was usually the best way to go in the 80s and it’s usually the best way now. However, the security industry, like any other, is constantly looking to sell “new” products and services with different names and to do that, a buzzword is required. The one that stuck was advanced persistent threat.
Advanced Persistent Threat (APT).
What differentiates an APT from a more traditional intrusion is that it is strongly goal-oriented. The attacker is looking for something (proprietary data for example) and is prepared to be as patient as is necessary to acquire it. While I don’t recommend breaking complex processes down into simple lists or flowcharts, all APTs generally have the following characteristics:
- Initial compromise—Usually performed or assisted by the use of social engineering techniques. An attack against a client will include a core technical component (such as a Java applet), but without a convincing pretext, such an attack is usually doomed to failure. A pretext can be anything but is successful when tailored to the target and its employees. Casting a wide net to catch the low hanging fruit (to mix my metaphors) is not an acceptable way to model APTs and is certainly not how your adversaries are doing things.
- Establish beachhead—Ensure future access to compromised assets without needing a repeat initial intrusion. This is where Command & Control (C2) comes in to play and it’s best to have something that you’ve created yourself; that you fully understand and can customize according to your needs. This is a key point in this book that I make a number of times when discussing the various aspects of C2—it needs to be secure but its traffic has to look legitimate. There are easy solutions to this problem.
- Escalate privileges—Gain local and ultimately domain administrator access. There are many ways this can be achieved; this book will dedicate considerable space to the best and most reliable methods as well as some concepts that are more subtle.
- Internal reconnaissance—Collect information on surrounding infrastructure, trust relationships, and the Windows domain structure. Situational awareness is critical to the success of any APT.
Next Generation Technology.
There are numerous technologies available that claim to be able to prevent APTs, capable of blocking unknown malware. Some of these products are not bad and do indeed add another layer of security by providing some degree of behavioral analysis—for example catching a Metasploit callback by looking at what the .exe is doing rather than relying on an antivirus signature, which can be easily bypassed. However, that is trivial to model simply because the behavior of such tooling is very well understood. A genuine APT will be carried out by skilled threat actors capable of developing their own tools with a very strong understanding of how modern intrusion detection and prevention systems work. Thus, in describing modeling techniques, I make heavy use of the SSH protocol as it solves a lot of problems while masking activity from monitoring systems and at the same time gives the appearance of legitimate traffic. It is wise at this point to reflect on what an APT isn’t and why. I’ve seen a number of organizations, commercial and otherwise, giving out advice and selling services based on their own flawed understanding of the nature of Advanced Persistent Threat. The following article published in InfoWorld is as good a place as any to rebut some myths I saw in a discussion online recently:
- APT sign No. 1: Increase in elevated log-ons late at night—This is nonsense. Once a target has been compromised (via whatever means), the attacker has no need to make use of audited login methods, as they will have deployed their own Command & Control infrastructure. You will not see elevated log-ons late at night or at any other time.
The demographic of what we consider to be “hackers” has changed beyond all recognition so this introduction will be the last time I use that word. It is outdated and outmoded and the connotations it conjures up are completely inaccurate. I prefer the more neutral terms, “attacker” or “external actor,” because as you will learn, there are far worse things out there than teenage anarchists with too much time on their hands. The “Golden Age” of hacking whose anti-heroes were Mark Abene, Kevin Poulsen, Kevin Mitnick, and others was an incredibly innocent time compared to today, where the reality is stranger than the cyberpunk fiction of the 1980s that inspired so many hackers of the day.
It’s been a busy couple of years. The Snowden revelations shocked the world and directly led to wide-sweeping changes in the tech industry’s attitude toward security. In 2013, I had a conversation with a client that would have been unthinkable prior to the leaks—a conversation where the NSA was the villain they wanted to be protected against. This was a globally respected Fortune 500 company, not the mob. Intellectual property theft is on the rise and increasing in scale. In my line of work I am in a unique position to say with certainty that the attacks you hear about are just the ones that are leaked to the media. They are the tip of the iceberg compared to the stuff that goes unreported. I see it on a daily basis. Unfortunately for the wider tech industry, breaking in to target systems (and I’d include penetration testing here, when it’s conducted properly) is a lot easier than keeping systems secure from attack.