Know your enemy

Marco Ivaldi, Technical Director at HN Security

On June 9th, I gave a brief speech titled “Know your enemy” within the Cyber academy initiative promoted by ANRA, the Italian national organization of risk and insurance managers.

“The first event of the Cyber academy is dedicated to the contextualization of risk […]. If the point of view of those who are subject to risks is well known, there are not many opportunities to look at the other side of the coin, that of the attackers. How do attackers identify their potential targets? What are their main motivations? We will have the opportunity to discuss these topics directly with Marco Ivaldi, Technical Director at HN Security”. 

The full video of the event is available on YouTube. For those, like myself, who prefer to read an article instead of watching a video (or just don’t understand Italian), I have prepared a fairly accurate transcription of my talk. Enjoy!

Good morning. My name is Marco Ivaldi, and I’ve spent the last 20 years attacking the networks of companies just like yours. Unlike criminals, however, after the intrusion is over, I always deliver a report that describes the identified vulnerabilities and how to fix them 😉 In other words, I’m a penetration tester.

Having dedicated my career to studying attackers in order to be able to best emulate them, I hope to be the right person to illustrate their point of view.

Let’s begin with an important clarification: when we talk about attackers, we aren’t referring to “hackers”. We’re talking about criminals. Hacker is a very loaded term, and only some of its meanings have a negative connotation. For instance, as some of you may be aware, hackers built the Internet as we know it.

Having clarified who the subjects of our interest are, let’s try to examine their motivations.

In this timeline, I’ve displayed some examples of threats, highlighting their appearance during the past 20 years.

In blue, I’ve pointed out the typical targets of penetration tests at each historical moment, to give a perspective on the technological evolution. The other colors indicate different types of threats:

  • In green, I’ve pointed out malware without any specific goal besides self-propagation.
  • In orange, malware used during espionage or sabotage campaigns.
  • In yellow, I’ve indicated malware used by profit-seeking attackers.

As we can see, in the early 2000s malware cared only about self-replication. Malware authors had neither the intent nor an immediate way to monetize cyberattacks (with some notable exceptions).

All this started to change in 2007: the growing popularity of Internet Banking services paved the way for a specific malware family known as “banker trojans”, which steal access credentials to carry out fraudulent money transfers.

Starting from 2010, a series of international espionage and sabotage campaigns were exposed: certainly, the most famous is the one associated with the Stuxnet malware, aimed at sabotaging Iran’s uranium enrichment operations.

The tipping point that changed the perspective on cyberattacks in recent years dates, in my opinion, to 2013: the first large-scale ransomware campaign (CryptoLocker).

If we can safely say that before 2013 the prevalent motivations of cyberattacks were curiosity, intellectual challenge, and also activism and espionage, today, besides those motivations, we have a new one that certainly takes the lion’s share…

… Money!

Back in the day, there were only banker trojans that infected the personal computers of Internet Banking users to steal their credentials. Or the occasional phishing email that politely asked to transfer money to the provided IBAN (I don’t know about you, but personally I’d rather not consider this type of attack a cyberattack, even though it uses a technological medium such as email).

Today, also thanks to the popularity of cryptocurrencies, it’s much easier to monetize cyberattacks. A true “extortion industry” is born.

Ransom requests are typically related to:

  • Recovering files encrypted by the attackers.
  • The threat of leaking confidential information stolen from the victim’s computers.
  • The threat of interrupting the victim’s connectivity via Denial of Service attacks.

Besides ransom requests, the growing popularity of cryptocurrencies opened other possibilities of illegal profit:

  • Installation of miners on unwitting victims’ systems (“CryptoJacking”). Often in these cases the attackers don’t even bother to check who the owners of the compromised systems are; they just install a miner to generate new cryptocoins.
  • Direct theft of bitcoins or other cryptocoins from Internet-connected exchanges or wallets.

And then we also have the so-called “exit scams”: fraudulent exchanges that operate normally for a while to collect as many cryptocoins as possible, then at some point the owners file for bankruptcy and escape with everybody’s money.

The most famous (potential) exit scam is perhaps that of Mt. Gox in 2014, in which about $460 million worth of bitcoins disappeared into thin air (today, they would be worth billions!).

Coming back to our timeline, as we already said, starting from 2013 we have witnessed the growing popularity of ransomware attacks. For about a year now, this popularity has been taken to the extreme, with a true industrialization of ransomware campaigns.

Ransomware as a Service (RaaS) was born. It’s a new paradigm in which there’s an actual service provider that sells malware, technological infrastructure, and personnel to different criminal groups, which then carry out the actual attacks.

I don’t want to dwell on this subject any further, because ransomware will be the central theme of the next webinar organized within this initiative.

Now that we’ve hopefully clarified their motivations, let’s examine how attackers choose their potential targets.

According to the collective imaginary, attackers:

  • 1 – Carefully select their target based on some features of interest (market sector, size, income, ability to pay, etc.).
  • 2 – Carry out stealth reconnaissance activities based on advanced active and passive techniques to identify exploitable vulnerabilities, while always making sure they’re not detected.
  • 3 – Exploit the identified vulnerabilities in order to obtain an unauthorized access and do what they need to do.

In reality, this rarely happens…

The typical attackers are opportunists: they have the capability to exploit only some specific vulnerabilities at a moment in time and therefore they mass-scan all the Internet searching for vulnerable targets that they’re able to compromise.

Obviously, the scariest attackers are those who are able to carry out targeted attacks. However, if an organization could block even just opportunistic attacks, it would find itself in a much better position compared to most companies, which based on my experience have a security posture that leaves much to be desired…

To better convey this point: with a sufficiently large scope and permissive rules of engagement, my team has always been successful in compromising an organization. In Microsoft Active Directory environments, for instance, we have a success rate very close to 100%, and often all it takes to become Domain Admin is a few minutes of basic attacks using readily available tools!

But how does a successful attack look in practice? I’m going to tell you a couple of (anonymized) true stories.

Let’s begin with a scenario that involves Active Directory, which took place a few months ago. A medium-large company, with a typical Windows-based IT infrastructure. Without getting too technical, the attack followed this playbook:

  • 1 – The attacker identifies a “forgotten” test system connected to the target Active Directory domain that is affected by some exploitable vulnerability.
  • 2 – The attacker exploits the vulnerability (e.g., weak access credentials, obsolete software, configuration mistake, etc.) and becomes local administrator on this system.
  • 3 – The attacker then takes advantage of the gained privileges to collect domain credentials and move laterally within the infrastructure, compromising other systems, until he finds a process running with Domain Admin rights that he’s able to impersonate. Game over!

As I’ve said, this attack usually takes a few hours, in which an attacker is able to escalate from unprivileged user to domain administrator. Needless to say, once an attacker becomes domain administrator, he can do whatever he pleases: read the CEO’s private email messages, delete or otherwise tamper with data stored on file servers, carry out any kind of fraudulent operation. He literally holds the keys to the organization!

Let’s now examine a second true story that illustrates another type of attack that was popular a few years ago (but remains valid even today): we’re talking about wardialing.

This attack is named after the movie WarGames (from 1983), in which the young protagonist calls in sequence a series of phone numbers searching for computers that answer on the other side of the line, in order to try and obtain an unauthorized access, usually by guessing valid passwords.

Wardialing is exactly that: we take phone numbers associated with an organization and we call them one by one searching for interesting stuff. We may find absolutely anything: a VoIP PBX, a remote maintenance access to specific devices (such as storage appliances, anti-theft systems, air conditioning), even automatic gates that can be operated via the phone line!

Once upon a time, however, something really remarkable happened to me and my team. After a scan we isolated some phone numbers that answered standard voice calls in a weird way: at times there was just silence, while sometimes there were voices and beeping sounds. After a careful investigation, with the support of our customer, we were able to trace this back to…

… Elevators!

Modern elevators have a built-in alarm system that connects you with a remote operator in case you press the emergency button. Back then, I wasn’t aware of the fact that it’s possible to directly call their associated phone number (if you know it) and abuse the emergency communication system to eavesdrop on conversations that take place in the elevator or, since you can also talk to the occupants, play terrible pranks 😉

So, what do these two examples (and many others that we don’t have the time to discuss today) have in common? If you were to remember just one thing from this speech…

… It should be this: “You can’t protect what you don’t know”.

All compromises derive from not knowing… Not knowing that there’s a “forgotten” test system, an administrative user that was never deactivated, or that “temporary” firewall rule that has existed for more than 10 years! Or, again, the elevator or the gate that can be called and operated remotely via a simple phone.

Often, an attacker doesn’t need specific tools or skills: to carry out a successful intrusion, most of the time common logic is enough.

As defenders, what can we do to deal with this problem? We must try to reverse this knowledge disequilibrium.

And it’s right here that the offensive security discipline comes to our aid. A quality penetration test enables us to know, above all:

  • Know our enemy, by emulating adversary’s techniques.
  • Know ourselves, by taking advantage of an external attacker’s point of view.

It may seem absurd but trust me when I say that often attackers know their target networks better than legitimate administrators! That’s the reason why the unbiased point of view of an external third party is of paramount importance.

The collaboration between the blue team (the defenders) and the red team (the attackers) enables us to obtain a concrete knowledge of our security posture, on which we can base our decisions to manage corporate risks.

This knowledge gives us a strategic advantage against our adversaries, because, as somebody used to say, prevention is always better than cure 😉

With this, I’m done. Thank you all! For those wishing to get more information on these subjects, these are my contacts. Enjoy the rest of the webinar.