INSIDE A HACKER'S PLAYBOOK
Look inside for notes on how to stop 'em!

Targeted attacks are successful because they are stealthy, specific and disarmingly personal. If they do it right, advanced attackers can quietly infiltrate a network and steal data or information at will for months or even years. Learn how to stop them by taking a page from their playbook, literally. Trustwave presents a never-before-seen copy of an advanced attacker's technique manual. Use it well to design security that counters their plays perfectly.

A Playbook On Profiting From Targeted Attacks

Before we tackle the finer techniques of building a money-making cyber scam, let's talk a little about the basics of this gig, shall we? First of all, here's what we are not trying to do. We're not trying to blanket the internet with malicious V1agrow spam or mass SQL inject a zillion websites. We're narrowing our work down to a specific company or industry based on vulnerability opportunities that we scare up. The broadest we'll get is hitting a range of companies vulnerable to one precise vulnerability, either never discovered by security researchers or just recently patched by a vendor. Do it right and you'll get your hands on huge caches of valuable customer data, and maybe even hit the jackpot with the target's most important intellectual property. With that, you can blackmail people or sell to competitors or even to nation states. You won't just be buying a new Ferrari. You'll be buying a fleet of 'em.

DEFENSE: With a little bit of research, some crafty writing and the right technology, crooks make a good living running targeted attacks to steal corporate and government data. The more we can learn about their techniques, the better we can counter them. As we sneak a look at each of the plays inside this bad guy instruction manual, let's look for ways to turn this inside knowledge on its head. We'll also offer advice on how to block each attack technique.
Know Your Adversary
76% of breached organizations needed someone else to tell them they'd been compromised: 48% were told by regulatory bodies, 25% by law enforcement, 2% by a third party and 1% by the public.

Play 1: Staging Your Attack

Let's get to easy money! Most times, there are five stages to a really gnarly targeted attack:
- RESEARCH: Start by doing recon on the anticipated target. Dig for publicly available information and socially engineer your way to exploitable info about their IT systems.
- INTRUDE: Use that information to find the right employee to spearphish and the right vulnerability to target with your malicious payload. Once the bait's taken, you'll have your initial toehold in the target's network.
- PROPAGATE: When you pwn one machine, use its network connections to spread malware onto other machines, so even if you're detected in one place you've got control of other machines.
- INFECT: Once you get the lay of the land through your different connections, install more tools to really start to steal and aggregate data.
- EXFILTRATE: Finally, you've got to get all that data out of there. Among other options, public web traffic works well.

DEFENSE: Step one in the fight against targeted attacks is developing executive awareness that these attacks really are happening. Because these attacks are designed precisely to avoid detection, it's easy to pretend you're not being targeted or attacked. But chances are you may already be compromised.

Play 2: Specialize and Outsource

It's not what you know, it's who you know. Put together your own little mafia with specialists who work together to keep your multi-step campaign running. Just like cave men split labor into hunting and gathering, you just have to break it up into hacking and scamming. Build the team however you like. Hire people, outsource to malware kit vendors, even work in an equal partnership. Just remember what they say about honor among thieves. Just think: no n00bs allowed. If they can't spell or find the caps lock, or code better than your average script kiddie can, it's hasta la vista, baby.

DEFENSE: Targeted attackers are building a business around stealing from your business. Just as you'd dedicate a lot of specialized employees and vendors to solving your business problem, they're sourcing the skills necessary to crack your defenses. Here are the top five out of 10 common specialties named by the FBI.

The FBI's List of Cyber Crime Specialties
- CODERS: write malware, exploits and data theft tools
- VENDORS: trade and sell stolen data, malware kits and footprints into compromised networks
- CRIMINAL IT GUYS: maintain criminal IT infrastructure like servers and bullet-proof ISPs
- HACKERS: seek and exploit application, system and network vulnerabilities
- FRAUDSTERS: create and execute social engineering ploys like phishing and domain squatting

>1/3: More than a third of data breach investigations occur within franchise businesses.

Play 3: Scale Your Attacks

Once you get together that A-team, you're going to milk every vulnerability dry. Developed or bought an exploit for a new vulnerability in some sorry old company's retail point of sale (POS) system? Maybe it's for some small-time grocery store in San Francisco, but then maybe that same exact vulnerability and system configuration is going to work in POS machines at other franchises of the same brand. Then, son, your meal-ticket is punched.
You'll steal ten times the data but only really do the work to break into one location.

DEFENSE: In order to stay a step ahead of the attackers, you've got to start thinking like them. One key way to do that is to hire penetration testers to barrage your systems with the same type of techniques the bad guys use. Doing so can help you find widespread vulnerabilities like the POS example highlighted above.

48% of large companies have experienced 25 or more social engineering attacks in the past two years [1]
70% of young workers regularly ignore IT policies [2]
30% of large companies said social engineering cost them an average of $100,000 per incident [3]

Play 4: Play The Player, Not The Game

There's a good chance your target's employees will be oh-so-helpful without even knowing it. They'll give you information, help you upload malware on their machine and even hold the door open for you if you need to sneak into a building. These peeps should be your best friends during the first two stages of attack: research and intrusion. So work this to your advantage. Here are some tips:
- If you want information (about the org chart, location of a data center, technology they use or whatever), call someone who would know, pretend to be from another department and just ask. Nine times out of ten they'll freely tell you out of the kindness of their hearts.
- Official-sounding emergencies work every time. Act like you need help to get a mission-critical project done or else heads will roll. Works best if you know the name of their boss's boss.
- If your target employee is high up the food chain and too paranoid to take your bait, try working someone in their entourage. A lot of admins, even temps, are sitting at workstations that can access the same systems the boss's computers are hooked into.
- Congrats, you just got a job in HR. Pretend to be a recruiter. In this market, people's judgment tends to get clouded if they think there's a new job on the horizon.
- Depending on how much you've got riding on this attack, you may even invest in a little in-person social engineering. Put on a delivery uniform, bring some flowers and see if someone will let you in the building.

SOURCES:
1 www.securingthehuman.org/blog/2011/09/22/justifying-your-awareness-program-with-social-engineering-survey
2 www.eweek.com/c/a/Security/Younger-Employees-Ignore-IT-Policies-Dont-Think-About-Security-Says-Cisco-274940/
3 www.securingthehuman.org/blog/2011/09/22/justifying-your-awareness-program-with-social-engineering-survey

DEFENSE: Your employees typically play a big role in a targeted attack, and their response to advanced attackers' probes has the potential to make or break your organization's chances of keeping the bad guys at bay. In spite of that, industry estimates show consistently that as few as a quarter to a third of employees today are ever trained on how to respond to these social engineering ploys. Employee training can make it much harder for targeted attacks to ever take shape: an adversary who can't gather the right information will find it much more difficult to customize an attack.

"Elite cybercriminals are tapping into search engines and social networks to help them target specific employees for social-engineering trickery at a wide range of companies, professional firms and government agencies." -- Byron Acohido, USA Today

Play 5: Get Social For Better Recon

Sometimes you don't even need to ask employees for information; they'll offer it up right on their Twitter feed. Use social media to find out all sorts of sweet intel. Here's what you can find out by making a dummy Facebook account and tricking someone into friending it:
- Where they went to high school or college
- Their mother's maiden name
- Their birthday
- Their dog's name
- Facts about their job: title, promotions, boss's name, big projects coming up, etc.

All of these are valuable hints at passwords, system challenge question answers and information that's gonna grease the skids of your targeted campaign. Even if you don't friend the person directly, you can potentially dig up info by friending one of THEIR friends. Evil genius, no? Social media also rules when it comes to building a psych profile on an employee who might turn out to be the kind of tool to help you roll out that first intrusion into a target company. If you know what his or her hobbies are, what teams they root for or any other personal information, you can craft the perfect bait that will get them to visit a site you've infected or trick them into opening a malicious document.

32.8% of passwords contain a name in the top 100 girl and boy name lists
16.7% of passwords contain a name on the top 100 dog names list (this is the kind of info people readily give away on their social media feeds)

DEFENSE: According to recent numbers, more than half of enterprises today have seen malware infections rise as a result of employees' use of social media. And that's just the tip of the iceberg when it comes to how a persistent attacker will use social media to their advantage. Social media is an intelligence goldmine and an extremely effective starting point for an attacker's planning. There's no silver bullet, but a combination of smart social media policies, automated enforcement of these policies and a workforce well-trained in the ways of social engineers can help stem the tide of these attacks.
42% of organizations have IT staff sharing passwords or access to systems or applications [4]
48% don't change their privileged passwords within 90 days [5]
40% or more enterprises have informal or no patch management processes in place [7]

Play 6: Probe for Every Weakness

Why break a window when you've got the key for the front door? Look for user credentials at every step of the way. Goal number two is to find clues about the architecture of the target company's IT infrastructure to choose the right malware kit, or custom build something that can help you pick the proverbial locks if the keys aren't lying around. This can be anything from unencrypted password files to lists of company IP addresses to system version information of deployed assets. There are vulnerabilities in just about every corporate network between here and the moon. If your target company doesn't have them, chances are a third party vendor or partner company with ties into the network probably does. Should you exploit zero-day vulnerabilities never before discovered by the security industry, or vulnerabilities that already have a patch? Uh, yeah. Yeah, you should. If you're smart, they'll both play a part in your plans.

Zero-day vulnerabilities rock. But they're expensive to find and exploit, and known vulnerabilities can be pretty wide open. Most IT departments are too busy to plug their holes with patches. In situations where you're seeking very specific information (say, manufacturing schematics you're stealing for a competing company or nation state) and detection isn't an option, then shelling out for zero-day discovery and exploitation makes sense. But if it is all about propagating malware in a company you already know (or have a hunch) has unpatched systems, it makes more sense to take advantage of old vulnerabilities.

30% of Apache Tomcat installations with an accessible administrative interface have the default credentials.

The most common corporate password is Password1, because it just barely meets the minimum complexity requirements of Active Directory for length, capitalization and numerical figures. [6]

SOURCES:
4 www.liebsoft.com/Password_Security_Survey/
5 www.liebsoft.com/Password_Security_Survey/
6 www.trustwave.com/global-security-report
7 https://securosis.com/assets/library/main/quant-survey-report-072709.pdf
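The Password1 point above, as an added example that is not part of the Trustwave playbook: a Python check that approximates the Active Directory complexity rule, shows that Password1 satisfies it, and then applies a stricter policy that also rejects leet-spelled dictionary words and the common person and dog names Play 5 warns about. The AD approximation (7 characters, three of four character classes) and the short name lists are assumptions, stand-ins for the page's top-100 lists.

```python
"""Added example, not from the Trustwave playbook: why Password1 passes the
Active Directory complexity rule and how a stricter policy rejects it.
The AD approximation (7+ characters, three of four character classes) and
the tiny name lists are assumptions standing in for the page's top-100 lists."""
import re

# Constructed stand-ins for the "top 100" person and dog name lists the page cites.
COMMON_NAMES = {"michael", "jessica", "ashley", "james", "emily"}
COMMON_DOG_NAMES = {"max", "bella", "buddy", "lucy", "charlie"}
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "winter"}

# Undo the usual leet substitutions so P@ssw0rd reduces to password.
LEET = str.maketrans("0134@$!", "oieaasi")


def ad_complexity_ok(password: str, min_length: int = 7) -> bool:
    """Approximation of the classic AD rule: minimum length plus characters
    from at least three of four classes (upper, lower, digit, symbol)."""
    if len(password) < min_length:
        return False
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for c in classes if re.search(c, password)) >= 3


def normalize(password: str) -> str:
    """Lowercase, drop trailing digits/symbols, then undo leet spelling, so that
    'Password1' and 'P@ssw0rd2019!' both become 'password' and
    'Charlie2019!!' becomes 'charlie'."""
    core = re.sub(r"[^a-z]+$", "", password.lower())
    return core.translate(LEET)


def stronger_policy(password: str, min_length: int = 12):
    """Return (ok, reason). Dictionary-style cores are checked first, so the
    reason explains why a complexity-passing password like Password1 fails."""
    core = normalize(password)
    if core in COMMON_WORDS:
        return False, "core is a common password word"
    if core in COMMON_NAMES or core in COMMON_DOG_NAMES:
        return False, "core is a common person or dog name"
    if not ad_complexity_ok(password, min_length):
        return False, "fails length/complexity"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Password1", "P@ssw0rd2019!", "Charlie2019!!",
                      "correct-horse-Battery9"):
        print(f"{candidate:24} AD rule: {ad_complexity_ok(candidate)!s:5} "
              f"stricter policy: {stronger_policy(candidate)}")
```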
DEFENSE: Hackers might not start with a client-side attack to gain entry into your systems. Sometimes the first step is to run a SQL injection on your website to find unencrypted password files. Given users' propensity to reuse passwords, that early work may yield long-term access to accounts across many systems. Strong password management, including enforcement of frequent password changes, is a must for limiting damage in these instances. On the vulnerability front, organizations have got to do a better job patching their systems to limit malicious software's mojo. Zero-day attacks are a tougher nut to crack, and defense against exploitation will depend upon security mechanisms at other security layers to prevent a widespread attack from gaining much ground within the network or exfiltrating data elsewhere.

50% of targeted attacks initially occur through web use
48% of targeted attacks initially occur through e-mail use
2% enter through local devices

Play 7: Reinvent Old Web & Email Attacks

Once your crew has done its homework on a target, it's time to cast your line and wait for a bite. Some of the most effective initial intrusion plays are fundamentally pretty old-school in nature: you're just phishing people with fake emails, IMs or social media messages to trick them into visiting an infected site or downloading a malicious executable. Now use the information you gathered to custom fit that interaction! Craft a lure that's believable and build a hook that seems so painless that no one even notices they've been landed. Do it like this:

Example 1: Your hackers just found a killer vulnerability in a software platform commonly used by entertainment companies. But you need control of a machine with access to exploit it. Fortunately for you, there are more than a few gossip fanatics in the entertainment community. Since most of the companies you're targeting are based in Hollywood, you use SQL injection to strategically compromise the homepage of a few local gossip sites with malicious code that downloads on visitors' machines. To keep pesky reputation-based filters from finding your website infection, you set it up so that it will only interact with machines working within a block of IP addresses originating from Los Angeles.

Intel About the Enemy: "Advanced attackers are increasingly using strategic web compromises to infect their targets via drive-by-download: The goal is not large-scale malware distribution through mass compromises. Instead the attackers place their exploit code on websites that cater towards a particular set of visitors that they might be interested in." -- Shadowserver

Example 2: You've found some middle manager in accounting who's got access to systems that hold tons of saleable financial and customer data. You chum it up with him on Facebook, convincing him you met him at an accounting professional group conference. Through your friend status you find out his real passion isn't ledger books but photography. So, you task your hackers and coders to build a basic photography buff website with some hidden drive-by-download payloads. While he looks at tips on digital SLRs, your malicious payload silently loads in the background.

Example 3: You've gotten your hands on the organizational chart of a target company and read in a company blog about a strategic new hire of John Smith in the marketing department. You create a Gmail account under the name of the HR manager and use it to write an email that looks like HR blew it and gave everyone info on Smith's salary and benefits. They open the attachment, JohnSmithcompensation.xls, and bang, curiosity killed the network.
DEFENSE: The examples above are just the tip of the iceberg in terms of the type of creativity targeted attackers are employing to personalize their intrusion attempts. Secure web and email gateways are critical to stopping all manifestations of blended email and web attacks. As Example 1 illustrates, old web filtering technology won't always work: techniques like initiating IP address-specific malware downloads can get around defenses that depend on reputation filtering. This is where advanced technology with real-time code inspection comes into play.

88% of targeted malware remains undetected by traditional anti-virus
In 76% of incident response investigations, a third party responsible for system support, development and/or maintenance of business environments introduced the security deficiencies.

Play 8: Think Sideways

One backdoor into a corporate network might be good, but more is always better. If you want to stay on a network for a long time, you've got to use that initial client-side pwnage to move sideways through the network. That way, if your first intrusion is detected and your malware package is eliminated from that machine, you'll still keep your hands on the steering wheel elsewhere. The secret? You've got to propagate with diversity. You need to use completely different types of payloads on different systems, because once one type is found out, odds are they're gonna scan the network looking for everything that looks like that sample. But if you control a bunch of endpoints with different types of malware, they'll probably never even know they're still compromised.

Intel About the Enemy: 41.2% of malware uses HTTPS to exfiltrate data, 29.4% uses FTP and 11.8% uses SMTP.

DEFENSE: Targeted attacks are so ingenious these days that even with the tools and practices we've suggested already, there's still a chance that some attacks will slip through. Always operate under the assumption that you've already been hacked, and utilize practices and technologies that will seek out existing infections, risky security configurations and any suspect file system changes that could be a red flag of infection.

Play 9: Hide in Plain Sight

Stealth is the name of the game in these targeted attacks. Sometimes you just want to do the old smash-and-grab, where you want to get in and out of the network with as much loot as possible or with a very specific piece of information. But generally the most profitable way is to drain the database a little at a time for a LONG time. Put some technical noise dampeners on your intrusions. You don't want to knock over any expensive vases while you digitally cat burgle the place, do you? Every movement should be planned to avoid setting off any alarms. As you drop tools on systems to aggregate data and control backdoors, here are some tips:
- Avoid self-replicating malware
- Hide malware in system folders and get them to look like common processes
- Make use of webmail accounts to route SSL-encrypted command-and-control traffic to your backdoors
- Use packer utilities to hide malicious binaries
- If you can, store some malware components in the cloud

DEFENSE: Because the endgame for any targeted attack is to steal data, it only makes sense to depend on data-centric security tools to frustrate adversaries. This can be accomplished by understanding the context of the data and detecting malicious network application traffic that is dragging the data out through application-aware, next generation firewalls. Also critical are encryption techniques that render data useless even if it is exfiltrated.

Intel About the Enemy: The use of encryption to hide attacks and theft of data is on the rise. Over 25 percent of all data exfiltrated by attackers is encrypted by cyber criminals.
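The Play 8 and Play 9 defense notes above (assume you are already compromised, watch for traffic dragging data out) and the Play 10 note below (correlate small alerts so one big alarm sounds) come down to the same mechanism. As an added example that is not Trustwave's code, this Python script scores constructed alerts from a mail gateway, web proxy, anti-virus, Windows event log and firewall per host inside a sliding time window and raises one alarm when the score crosses a threshold; the log format, source names, weights, window and threshold are all assumptions.

```python
"""Added example (not Trustwave's code): correlate low-severity events from
several sources so one alarm fires when enough of them hit the same host
within a time window. Log lines, weights and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed "timestamp|source|host|message" format.
# ws-accounting-07 walks through the page's stages: intrude, infect, propagate,
# exfiltrate. ws-sales-02 only has two unrelated low-severity events.
SAMPLE_LOG = """\
2012-03-01T09:02:11|mailgw|ws-accounting-07|attachment quarantined: compensation.xls
2012-03-01T09:05:40|proxy|ws-accounting-07|newly registered domain visited
2012-03-01T09:06:02|av|ws-accounting-07|heuristic detection, cleaned
2012-03-01T09:40:15|winlog|ws-accounting-07|new service installed
2012-03-01T11:30:00|fw|ws-accounting-07|outbound https 180 MB to single external host
2012-03-01T09:10:00|proxy|ws-sales-02|newly registered domain visited
2012-03-01T14:00:00|av|ws-sales-02|heuristic detection, cleaned
"""

# Each source's events are low severity on their own; weights are assumptions.
WEIGHTS = {"mailgw": 1, "proxy": 1, "av": 2, "winlog": 2, "fw": 3}
ALARM_THRESHOLD = 6          # score needed to raise one high-severity alarm
WINDOW = timedelta(hours=4)  # sliding window per host


def parse_events(text):
    """Parse the pipe-separated lines into (time, source, host, message) tuples."""
    events = []
    for line in text.splitlines():
        ts, source, host, msg = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), source, host, msg))
    return sorted(events)


def correlate(events, threshold=ALARM_THRESHOLD, window=WINDOW):
    """Return {host: [events in the triggering window]} for every host whose
    weighted event score inside some sliding window reaches the threshold.
    The chain recorded is the last qualifying window, so it includes the
    exfiltration event that closes the sequence."""
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev[2]].append(ev)
    alarms = {}
    for host, evs in per_host.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            score = sum(WEIGHTS.get(e[1], 1) for e in evs[start:end + 1])
            if score >= threshold:
                alarms[host] = [f"{e[1]}: {e[3]}" for e in evs[start:end + 1]]
    return alarms


if __name__ == "__main__":
    for host, chain in correlate(parse_events(SAMPLE_LOG)).items():
        print(f"ALARM {host}: {len(chain)} related events")
        for line in chain:
            print("   ", line)
```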
Play 10: Take Data Quietly

So maybe you're a l33t spearphisher, you're wicked good at taking over a network and you've got a nose like a bloodhound for juicy data. It all amounts to nada if you can't get the data out of the network. Be patient! Quiet and slow exfiltration makes it easier to steal larger stores of information without setting off alarms that will shut you down midstream. Lucky for you, most companies today don't set up their firewalls to block outbound traffic, so you have a lot of options. Public web traffic can prove to be one of the most efficient ways of slowly leaking data off the network. HTTPS traffic can have the added benefit of steering clear of data leak prevention tools by hiding data under the cloak of SSL.

DEFENSE: Network monitoring tools have advanced considerably over the years to better find common signs of attacks, but attackers do a good job staying one step ahead of alerting technology. One of the most effective tools organizations have in their struggle to discover malicious activity is system information, but we have to know what to look for. That means correlating small event alerts from across the infrastructure so that one big alarm sounds when enough of them happen at once. It's a specialty of security information and event management (SIEM) tools and the skilled analysts that know how to use them, both indispensable in the fight against targeted attacks.

SECURITY IS A PROCESS, NOT A PRODUCT

That's why, through an integrated, automated and agile approach, Trustwave delivers stronger security, continuous compliance and fewer headaches. Our broad portfolio of integrated technologies, compliance and risk services, and elite SpiderLabs research, testing and threat intelligence can help you to secure your business, centralize compliance, and gain the meaningful, actionable intelligence you need to make faster and proactive decisions.
And our unique approach helps you to seamlessly achieve business continuity and compliance by swiftly implementing, monitoring, auditing and enforcing protection and control over your sensitive assets and data. Interested in how Trustwave can help? Visit www.trustwave.com.