[BreachExchange] Components of modern hacking operations
Audrey McNeil
audrey at riskbasedsecurity.com
Mon Jun 6 10:10:40 EDT 2016
http://www.networkworld.com/article/3075827/security/components-of-modern-hacking-operations.html
During my conversations with security executives, a topic that consistently
comes up is what, exactly, constitutes a modern hacking operation. Security
professionals understand they’re no longer facing script kiddies who lack a
comprehensive plan. However, they’re also not fully aware of how
detail-oriented adversaries are when developing an attack campaign.
Today’s hacking operations are well-organized and developed by well-funded
teams of highly trained adversaries who have diverse experiences and
backgrounds. In fact, attack planning is handled like a business operation
and includes hiring plans, budgets and timelines.
To help security professionals better understand the attacks they’re
facing, I thought I’d share some of my observations on the work that goes
into planning a hack.
Goals define the operation
An attack starts long before a network is breached. The first step in any
attack is setting the operation’s goals. Hackers don’t randomly pick an
entity, blindly attack it and hope they’ll discover valuable information.
Targets are selected based on the data they possess and how that
information will help the hackers meet their goals.
Typically, the criminal entity behind the attack sets the goals, which vary
depending on their objectives and motives. For example, a nation-state that
uses a cyber attack to provide the country’s businesses with a research and
development advantage would set a goal of stealing intellectual property
and trade secrets from prosperous companies.
Larger campaigns often include several smaller goals that, when combined,
reach the main objective. In some cases, the campaign may include hacking
into several targets to achieve a goal. For example, an operation may
include hacking into another company in order to infiltrate the intended
target's network. Hackers used this approach in the Target breach when they
first compromised the HVAC vendor's systems to gain access to the Target network.
This leads me to my next point about goals: Hackers will do anything to
accomplish them. They’ll disregard rules and will use deception whenever
possible. Criminals intent on making money, obtaining intellectual property
or carrying out other nefarious activities are behind these operations, not
people who follow corporate policies.
Getting to know you
The reconnaissance that hackers conduct goes beyond mapping a company’s IT
network or learning about its technology. They’re interested in gathering
as much information as possible on their target, especially around how the
business and its key personnel operate. These details will help attackers
navigate around any technological or human barriers that hinder the attack.
To collect these details, hackers will use social media to learn where key
members of your security team worked or went to college. If a hacker has
penetrated your network, they’ll review emails and calendar entries to
learn when key security personnel are on vacation and attack when there’s a
staffing gap.
Not to make you paranoid, but in some cases hacking organizations will use
insiders to obtain information on their target. They’ll either use a person
already working at the organization or attempt to get someone hired by the
company, allowing them to operate from within the target. Job interviews
can teach the adversary how the company handles security events and how
security personnel are measured and evaluated. If an adversary knows, for
example, that a company’s security team is measured by how quickly it
remediates incidents, an attack may include malware that’s easy to discover
as a way to distract them from the real operation.
Gathering all this information makes reconnaissance very time consuming.
I’ve seen some hackers start reconnaissance a year before the initial
infiltration. But all of this preparation increases the chances of the
operation succeeding.
Celebrate diversity
Hacking teams are composed of people who have various backgrounds whose
expertise can help the operation. An attack targeted at a mine may include
a geological expert, for instance, who can provide firsthand knowledge on
how this organization functions. This diversity gives the hackers new ways
of approaching the operation. Companies would be wise to follow a similar
practice when building out their security teams, a point I made in a recent
Network World blog.
The roles on a hacking team are also diverse. For example, there’s usually
a group of people dedicated to deception. This often-overlooked group
creates a campaign that distracts the security team from the main
operation. The distraction is meant to mitigate the risk of the campaign
being discovered. Some of the more common distractions include a DDoS
attack that brings down a company’s website or malware that a security team
can easily detect. These decoy threats mask the real threat and allow it to
continue unabated.
Penetrating a network is the simplest part of an operation and is sometimes
outsourced, a point that surprises many people because they consider
penetration the operation's most important component. But outsourcing
penetration to someone who specializes in the task all but guarantees that
the hackers will get into the organization. The reason is simple: Teams that
handle penetration get paid only if they infiltrate the target. With their
paycheck on the line, these teams will do everything possible to defeat a
company's defenses.
Taking it easy
Hacking operations aren’t rushed. Attackers want to remain undetected in
your IT environment for as long as possible. This approach allows them to
minimize mistakes and, of course, gather more data and compromise more
systems. I’ve seen cases where attackers went undetected for a year, giving
them ample time to access systems like Microsoft Active Directory and
Outlook Web App. Having this access let attackers collect every employee’s
log-in credentials and maintain persistence in the environment.
Think like the enemy
To combat more complex hacking operations, security teams need to adopt a
hacker’s mindset. Remember, hackers are out to deceive a company. Security
incidents, even minor ones, should be treated as a potential threat.
Companies need to aggressively monitor their IT environment and look for
any behavioral changes. Catching just one incident could expose the entire
campaign.
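The two recommendations above, look for behavioral changes and treat even a
minor incident as a potential part of a larger campaign, can be made concrete.
The following is an added example, not code from the article or from Network
World: a small Python baseline-and-deviation check run over constructed
authentication log lines. The log format (timestamp, user=, src=, svc=,
result=), the host and user names, and the threshold of three accounts per
source host are all assumptions made for the example. It flags two patterns
that fit the long-dwell, credential-harvesting activity the article describes:
a user authenticating from a source host never seen in the baseline period, and
a single source host successfully authenticating as many different accounts.

```python
"""Baseline-and-deviation check over constructed authentication logs.

Added example; the log format, names and threshold are assumptions, not
taken from the article. Run stand-alone: python3 auth_baseline.py
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed baseline period: normal logins, one or two hosts per user.
BASELINE_LOG = """\
2016-05-02T08:15:00 user=alice src=wks-12 svc=owa result=success
2016-05-02T08:20:00 user=bob src=wks-07 svc=ad-logon result=success
2016-05-02T09:05:00 user=carol src=wks-21 svc=owa result=success
2016-05-03T08:10:00 user=alice src=wks-12 svc=ad-logon result=success
2016-05-03T08:25:00 user=bob src=wks-07 svc=owa result=success
"""

# Constructed observation period: one server starts authenticating as
# several accounts in a few minutes, in the middle of the night.
OBSERVED_LOG = """\
2016-06-01T02:10:00 user=alice src=wks-12 svc=owa result=success
2016-06-01T02:11:00 user=bob src=srv-files svc=owa result=failure
2016-06-01T02:12:00 user=bob src=srv-files svc=owa result=success
2016-06-01T02:13:00 user=carol src=srv-files svc=owa result=success
2016-06-01T02:14:00 user=alice src=srv-files svc=ad-logon result=success
2016-06-01T02:15:00 user=dave src=srv-files svc=owa result=success
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src_host: str
    service: str   # e.g. "owa" or "ad-logon" (assumed labels)
    result: str    # "success" or "failure"


def parse_line(line: str) -> AuthEvent:
    """Parse one line of the constructed 'ts key=value ...' format."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return AuthEvent(datetime.fromisoformat(ts_str), kv["user"],
                     kv["src"], kv["svc"], kv["result"])


def parse_log(text: str) -> list:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def build_baseline(events) -> dict:
    """Per-user set of source hosts seen with a successful logon."""
    baseline = defaultdict(set)
    for e in events:
        if e.result == "success":
            baseline[e.user].add(e.src_host)
    return baseline


def detect(events, baseline, fanout_threshold: int = 3) -> list:
    """Return (kind, subject, detail) tuples for behavioral deviations."""
    findings = []
    # 1. A successful logon from a host this user has never used before.
    #    An unknown user has an empty baseline, so it is flagged too.
    for e in events:
        if e.result == "success" and e.src_host not in baseline.get(e.user, set()):
            findings.append(("new-source", e.user, e.src_host))
    # 2. One source host successfully authenticating as many distinct
    #    accounts: the shape of harvested credentials being exercised.
    users_by_host = defaultdict(set)
    for e in events:
        if e.result == "success":
            users_by_host[e.src_host].add(e.user)
    for host, users in sorted(users_by_host.items()):
        if len(users) >= fanout_threshold:
            findings.append(("account-fanout", host, len(users)))
    return findings


def run() -> list:
    """Build the baseline from BASELINE_LOG and check OBSERVED_LOG."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect(parse_log(OBSERVED_LOG), baseline)


if __name__ == "__main__":
    for kind, subject, detail in run():
        print(f"{kind:15} {subject:12} {detail}")
```

In a real environment the baseline would be built from weeks of Active
Directory and OWA logon records rather than five lines, and the findings would
be correlated with whatever else is happening at the time: a noisy event such
as a DDoS against the website in the same window is a reason to look harder at
the quiet authentication anomalies, not a reason to deprioritize them.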