Picture: © Saporob | Dreamstime.com
The lines between our physical and virtual worlds continue to blur, and the words, “you’ve been hacked,” continue to take on all sorts of ominous connotations across these blurred lines, especially after a mega attack like last week’s WannaCry. With this in mind, we decided to ask an offensive security specialist and bug hunter to break it all down for us.
By Matthew Maley
For the record, I’d like to make one thing clear: I hate the word “cyber.” When it’s used to describe anything with regard to computers, technology, security, or “hacking,” it casts this aura of inaccessibility over anything associated with it. As someone who works in cybersecurity, my field is full of terms that effectively tell the general public that they need not bother trying to comprehend our dark arts, for these are beyond their understanding.
I’m here to tell you that this isn’t the case. People like me aren’t wizards or part of an enlightened techno-cult that can bend computers to our will. Let’s pull back the curtain a bit to understand what really goes on during a “hack,” “breach,” “cyber-attack,” or “offensive cyber-operation.”
We see these terms appear in the news almost constantly. Last year, they were so prevalent that The Guardian even suggested calling 2016 “the year of the hack.” As I write this, Twitter and global news organizations are all abuzz that the National Health Services (NHS) in England were hit by a cyber-attack (this was just the tip of the iceberg… seriously, Google WannaCry). These are issues that affect most of us personally as individuals, as citizens of developed nations that heavily depend on technology, and as members of organizations whose prosperity is decidedly dependent on computer systems.
Since these terms are used interchangeably and this post is supposed to be about Offensive “Cyber” Operations, let’s start there. What does this phrase really mean? The DoD has a detailed, long-winded definition for this exact term. A simpler definition might be something like this:
“An effort by a person or group to gain access to a computer system that is not theirs and for some purpose.”
If we break this out into its components, we can begin building a picture of what exactly is going on here. We start at the very basic level.
The Attacker — the person or group executing the attack.
The Victim — who or what is the target of the attack.
The Computer System(s).
The Attack itself — purposeful action taken to access that computer system without the consent of the owner.
The Objective or Motive.
Who Done It?
Whenever something untoward happens, in the physical world or the virtual, the first question people ask is “What happened?” The second is invariably, “Who’s behind it?” When you think about it that makes sense, because it isn’t until people know the “who” that they can really start to understand the “why.”
Unfortunately, when it comes to hacks and breaches, figuring out the “who” is typically the last piece of the puzzle to come together, if it ever does.
But let’s not get bogged down here — we still have a long way to go. Now, I could show you some crazy matrix or spectrum graphics on this but again, the official sources on this stuff are tedious at best. Let’s keep it simple.
Attackers generally fall into a couple basic categories: Nation states (a.k.a Advanced Persistent Threats or APTs), cyber-criminals, hacktivists, and some dude in a basement. The biggest difference that sets these groups apart are 1) motive, and 2) resources. By resources I mean both the money and manpower they have to put toward accomplishing whatever objective they set for themselves. In a more real sense, this translates to how functionally capable they are at conducting operations.
Nation-States or APTs: Mission Matters
These aren’t the APTs you hear about in the news, this threat is far more real. These guys are typically pros; this is their day job and they often work with what’s called a black budget. They’re well funded and have a distinct mission. That mission typically means that the last place they want to be is in the news. This makes them more likely to take targeted action to gain information over the long term than to break stuff (but they do allegedly break stuff too).
These professional mission-oriented groups are one of the few attacker groups willing to bridge the real and virtual or cyber worlds and use one to enable the other. They’ve also been thought to employ disinformation tactics to mask their actions as each other or another class of attacker with different motives (see Sony hack). If one were to believe that magic exists in the cyber world, these are some of the few that can be part of the conjuring. However, not all nations that play at what’s commonly called cyber-warfare fall into this group.
Cybercrime: Organized, Online
Simply put, this is organized crime taken online. Money is the name of their game and they employ cyber-twists on otherwise standard crime to get there: fraud, theft, scams, money laundering, ransom, extortion, etc. These groups are clever, resourceful, indiscriminate, and always opportunistic. They aren’t afraid to borrow and steal capabilities that are available to the public and use them to great effect (e.g. WannaCry). The weaponization of recently disclosed and patched vulnerabilities is common with this band of cybercriminals.
It’s typically easier to derive a vulnerability from a patch or disclosure than invest in discovering a new vulnerability. It’s also very effective. It can literally take years for some organizations to apply security updates. In certain parts of the world, these groups seem to be given tacit approval to operate by governments, potentially in exchange for use of their services.
Hacktivism: Public Pickings
These are basically loosely organized hacker groups that want the spotlight. Whether it’s to bring attention to a cause or to stoke their own egos, their actions always play out in the public eye. The capability of these groups doesn’t go far beyond the basics (read this as “what you can find on Google with a bit of practice”). They tend to pick soft targets and sometimes opt for disruption over taking anything of value. And no, before you ask, a denial of service is not hacktivism.
Dude In A Basement: Much Ado About Nothing?
As this guy, typically a lone ranger, is the least likely to affect any of us and the least likely to end up on the news channels, we’re going to leave this misunderstood soul to tinker around in peace.
Of course, the above examples are just generalization and there are outliers in each group. The leading (economically advanced) nation states are widely accepted to have the most capable attacker groups as compared to others, a perhaps natural by-product of the superior resources they have available.
Think of it this way: A Ferrari, for certain purposes, is more capable than a budget sedan or hobbyist special built from spare parts in a garage (or basement). That’s not to say some hobbyist can’t get his buddies together and build something that’ll outrun a Ferrari, but the quality in engineering and testing, combined with backend support and infrastructure, make the Ferrari a more capable and reliable tool to win a race. On the other side, there’s a better than 50/50 chance of the hobby car failing catastrophically. It’s exactly the same for tools that enable cyber-attacks.
Why Do They Do It?
Almost always, the motive is the easy part. As with most things, the end goal is generally power in some form or another. In this case it’s typically information (e.g. intelligence collection or corporate espionage), money, or fame/notoriety for oneself or a cause.
- When an organization is targeted to gain access to clearance records of government employees and contractors? Intelligence collection.
- When the payment system within a large retailer is compromised? Money.
- When there’s a smash and grab where nothing of real value is taken but user credentials get dropped to the Internet? Notoriety.
- These might sound simplistic and at one level, things do get more complex when you consider groups that use misinformation to cover their tracks, but that’s a different story. The common thread here is that the “why,” the motive, defines the objective, or the “what.” And interestingly enough, how all these groups achieve their objectives is very similar.
Before we move on, let’s talk about the elephant in the room: Terminology. While there are working definitions for some of this stuff out there, all of it is so open to individual interpretation it makes conversation difficult, even to those of us that work in the field. People taking heat after a successful attack specifically throw around the term APT pretty indiscriminately.
I don’t know if they think the APT aura somehow absolves them of responsibility, but we’ve seen that card played often enough to be rightfully skeptical. I’ve personally experienced occasions where the actions of my teams have been investigated and categorized as that of an APT-level actor; I knew for a fact though, that we were just a handful of guys, professionals, but far from top-tier or APT in any way!
Who Done What?
When it comes to executing an attack, everyone puts their pants on one leg at a time. It all starts with a foothold, just like if you were storming a beach. You need that initial point of access to get past the crunchy outer security shell of most networks and into the soft, gooey center.
How does this happen? Well the most common way for attackers to get their “foothold” is human error. Yes, that’s right: A user is either going to voluntarily give up access (phishing), reuse their password from something else that was hacked previously, give away their credentials, or an admin is going to neglect to properly secure some part of an application that’s available to the internet. Done. There are multiple ways of gaining a reliable foothold in a network, and there’s no magic required; just an imperfect person on the other side of the equation.
Let’s provide some added context to this password reuse bit to drive this home. Do you have a standard password you use everywhere or a couple of passwords you alternate between? If that’s not you, does it describe anyone you know at work? I think we all either are, were at one time, or know someone like I’m describing. That’s important because some site or service that you or that person has subscribed to has been compromised. I’m talking about things that we all recognize and are familiar with (e.g. LinkedIn, Yahoo, Adobe, Dropbox, Tumblr).
There’s a site, https://haveibeenpwned.com, that’s cataloged 3,752,347,222 sets of credentials from 215 sites through public breach disclosures (like attackers dropping database dumps to Pastebin or sites with similar functionalities). Now, thankfully, that site is just providing a service to let people potentially affected confirm if their account is at risk without having to go to the source material. For someone who knows where to look, this stuff is readily available and offers an avenue for an easy win.
Magicked? No, But Exploited
There’s also another way, called exploits. From an attacker’s point of view, this whole process of attacking a network or application is a lot like navigating a maze, at some point there just won’t be a wall blocking the path. What if I told you there is (sometimes) a way to walk through walls? I know, you’re thinking, “Now you’re being dramatic,” and “You already said magic doesn’t exist.” Well… it’s complicated.
Exploits are, at least in my opinion, the closest thing to magic in the “cyber” world. The “best” ones can send even the most prepared organizations scrambling to figure out how to effectively defend themselves. They can allow an attacker to bypass layers of defenses that would otherwise effectively block avenues that an attacker could use to gain a foothold or access a system. Do note that when I say, “exploits,” that’s actually wrong; I’m really referring to vulnerabilities that have been weaponized, not the exploit itself.
Vulnerabilities themselves are actually a really interesting topic. At their core, vulnerabilities in software systems are really just unintended pieces of functionality within these systems. It’s not that an application is “broken into” per se but that someone, through countless hours of research, discovered something that was already there, waiting to be found, unknown even to whoever wrote the code.
Two of the best known examples to date are MS08-067 and MS17-010, the vulnerabilities that resulted in Conficker nine years ago and WannaCry last week, respectively (two of the most impactful examples of malware (a catch-all phrase for malicious software) that have come to exist to date). These are vulnerabilities within Microsoft Windows that resulted in full control over a windows computer just by being able to communicate with a universally present Windows service over a network.
Yes, it was almost a decade between disclosures of vulnerabilities in Windows of this magnitude, and no, it didn’t make it hurt any less. The actual exploit is the easy part, weaponizing the vulnerability to do something specific and controllable (typically execute code) is more complex. And it’s finding some of these things that really borders on the inexplicable. Check out @taviso and @tiraniddo on Twitter, you’ll see what I mean.
The World Of Virtual Weaponry: How An Attack Unfolds
So what happens in an attack? What “payload” are we delivering with our phishing attack or exploit? What is facilitating access into these systems? That facilitator goes by many names; RAT (remote access/administration tool), implant, agent, trojan, virus, backdoor, malware, etc. In the simplest terms, the facilitator is a computer program that allows an attacker to remotely access a computer and carry out other actions through it. In practice, these can be flexible and robust toolkits that put powerful capabilities within easy reach of an attacker operating inside a network.
Okay, so we’re in, now what? Well we’ve gone through all this trouble to get this far, let’s make sure we can stay to have some fun. The first order of business, after an attacker figures out where they just landed, is to give themselves a reliable way to keep a foothold. This typically involves leveraging functionality within the operating system to make sure the agent or RAT will restart itself automatically if it were to stop running, or give the attacker a means to cause an agent to run at will.
These techniques, as they’re called, are a really good example of the creativity that goes into being an effective attacker. Changing default programs, changing modules that load by default, scheduling recurring jobs, triggering execution on certain events are all basic examples of what are called “persistence” techniques (you could read more about this here). The balance that has to be struck here is reliability versus stealth. Some of the more apparent methods are incredibly reliable, but will also get caught.
A good attacker won’t stop there. They’ll use multiple techniques on different systems set strategically through the network or system they’re operating in, perhaps in different physical locations, business units, or types of systems. They’ll also make sure they vary how they’re communicating into and out of the network, trying to blend in with what should be “normal” traffic as much as possible.
Techniques leveraging third party services offered by trusted providers (like Google or Dropbox) and something called “domain fronting” (a method that leverages a fundamental component of how cloud-based/distributed systems work today) effectively allow an attacker to become, not just look like, a service that we already know and trust. A couple of years ago, colleagues of mine (@sixdub and @harmj0y) put a lot of effort into this layering of offensive and evasive techniques, referring to it as: “offense in depth.” It’s the idea that having “multiple options in case you hit a snag at some step in your attack chain” increases your effectiveness as an attacker, by giving you something to fall back on if things go wrong.
Careful Compromise & Collection
Unfortunately, in a majority of environments I’ve seen, it isn’t even necessary to go to those lengths to be effective. Assuming we’re fastidious attackers, we’ll go the extra mile to not get caught. With our contingencies in place, we can now get down to whatever our objective was for being here in the first place. You typically don’t risk international incidents, extradition, and jail time for nothing.
Getting from your initial foothold to your final objective often takes a lot of patience, a little luck, and the ability to understand how to use the administrative functionality of computer systems within the systems you’re accessing, sometimes just a bit better than the guy who does the admin work normally.
By compromising some legitimate user accounts, carefully figuring out what we can access, and rummaging through a few file shares, we can typically work our way to the level of access we need for our objective. All the while, we blend in with the everyday happenings on the network; no exploits, no magic, just living off the land.
What happens next? Well, that depends. If you’re after information, you collect and exfiltrate it through whatever means to get it out efficiently. If you plan on sticking around, you’re more aware about the need to do this without compromising your access in the network. Maybe that means using a third party service instead of the same method you’re using to control your agents. If your objective is something else, it just takes creativity and some awareness of the environment you’re in, and you’ve gotten all the access that you need. In the case of WannaCry, whoever released it didn’t appear to have an particular objective, apart from causing mayhem as far and as wide as they could. Perhaps for some people, that’s an objective in itself.
And that’s really why, in the end, the motive itself isn’t what matters, except in terms of how it’s useful to prevent or stop any ensuing mayhem.
(The writer is a bug hunter, or more specifically, an Offensive Security Certified Professional, a GIAC Certified Web Application Penetration Tester and currently a manager with Gotham Digital Science. You could reach him here.)