
TEN TARGETED TECHNIQUES THAT WILL BREAK YOUR SECURITY

INSIDE A HACKER'S PLAYBOOK
Look inside for notes on how to stop 'em!
Targeted attacks are successful because they are stealthy, specific and disarmingly personal. If they do it right, advanced attackers can quietly infiltrate a network and steal data or information at will for months or even years.
Learn how to stop them by taking a page from their playbook, literally. Trustwave presents a never-before-seen copy of an advanced attacker's technique manual. Use it well to design security that counters their plays perfectly.
A Playbook On Profiting From Targeted Attacks
Before we tackle the finer techniques of building a money-making cyber scam, let's talk a little about the basics of this gig, shall we?
First of all, here's what we are not trying to do. We're not trying to blanket the internet with malicious V1agrow spam or mass SQL inject a zillion websites.
We're narrowing our work down to a specific company or industry based on vulnerability opportunities that we scare up. The broadest we'll get is hitting a range of companies vulnerable to one precise vulnerability, either never discovered by security researchers or just recently patched by a vendor.
Do it right and you'll get your hands on huge caches of valuable customer data, and maybe even hit the jackpot with the target's most important intellectual property. With that, you can blackmail people or sell to competitors or even to nation states.
You won't just be buying a new Ferrari. You'll be buying a fleet of 'em.
With a little bit of research, some crafty writing and the right technology, crooks make a good living running targeted attacks to steal corporate and government data. The more we can learn about their techniques, the better we can counter them.
As we sneak a look at each of the plays inside this bad-guy instruction manual, let's look for ways to turn this inside knowledge on its head. We'll also offer advice on how to block each attack technique.
Know Your Adversary
76% of breached organizations needed someone else to tell them they'd been compromised
Play 1: Staging Your Attack
Let's get to easy money! Most times, there are five stages to a really gnarly targeted attack:
RESEARCH: Start by doing recon on the anticipated target. Dig for publicly available information and socially engineer your way to exploitable info about their IT systems.
INTRUDE: Use that information to find the right employee to spearphish and the right vulnerability to target with your malicious payload. Once the bait's taken you'll have your initial toehold in the target's network.
PROPAGATE: When you pwn one machine, use its network connections to spread malware onto other machines, so even if you're detected in one place you've got control of other machines.
INFECT: Once you get the lay of the land through your different connections, install more tools to really start to steal and aggregate data.
EXFILTRATE: Finally, you've got to get all that data out of there. Among other options, public web traffic works well.
48% were told by regulatory bodies
25% by law enforcement
1% by the public
2% by a third party
Step one in the fight against targeted attacks is developing executive awareness that these attacks really are happening. Because these attacks are designed precisely to avoid detection, it's easy to pretend you're not being targeted or attacked. But chances are you may already be compromised.
Play 2: Specialize and Outsource
It's not what you know, it's who you know. Put together your own little mafia with specialists who work together to keep your multi-step campaign running. Just like cavemen split labor into hunting and gathering, you just have to break it up into hacking and scamming.
Build the team however you like. Hire people, outsource to malware kit vendors, even work in an equal partnership. Just remember what they say about honor among thieves...
Just think: no n00bs allowed. If they can't spell or find the caps lock, or code better than your average script kiddie can, it's hasta la vista, baby.
Targeted attackers are building a business around stealing from your business. Just as you'd dedicate a lot of specialized employees and vendors to solving your business problem, they're sourcing the skills necessary to crack your defenses. Here are the top five out of 10 common specialties named by the FBI:
The FBI's List of Cyber Crime Specialties
CODERS: write malware, exploits and data theft tools
VENDORS: trade and sell stolen data, malware kits, footprints into compromised networks
CRIMINAL IT GUYS: maintain criminal IT infrastructure like servers and bullet-proof ISPs
HACKERS: seek and exploit application, system and network vulnerabilities
FRAUDSTERS: create and execute social engineering ploys like phishing and domain squatting
>1/3: More than a third of data breach investigations occur within franchise businesses
Play 3: Scale Your Attacks
Once you get together that A-team, you're going to milk every vulnerability dry.
Developed or bought an exploit for a new vulnerability in some sorry old company's retail point of sale (POS) system? Maybe it's for some small-time grocery store in San Francisco, but then maybe that same exact vulnerability and system configuration is going to work in POS machines at other franchises of the same brand. Then, son, your meal ticket is punched. You'll steal ten times the data but only really do the work to break into one location.
In order to stay a step ahead of the attackers, you've got to start thinking like them. One key way to do that is to hire penetration testers to barrage your systems with the same type of techniques the bad guys use. Doing so can help you find widespread vulnerabilities like the POS example highlighted above.
48% of large companies have experienced 25 or more social engineering attacks in the past two years [1]
70% of young workers regularly ignore IT policies [2]
Play 4: Play The Player, Not The Game
There's a good chance your target's employees will be oh-so-helpful without even knowing it. They'll give you information, help you upload malware on their machine and even hold the door open for you if you need to sneak into a building. These peeps should be your best friends during the first two stages of attack: research and intrusion.
So work this to your advantage. Here are some tips:
If you want information about the org chart, location of a data center, technology they use or whatever, call someone who would know, pretend to be from another department and just ask. Nine times out of ten they'll freely tell you out of the kindness of their hearts.
Official-sounding emergencies work every time. Act like you need help to get a mission-critical project done or else heads will roll. Works best if you know the name of their boss's boss.
SOURCES:
1. www.securingthehuman.org/blog/2011/09/22/justifying-your-awareness-program-with-social-engineering-survey
2. www.eweek.com/c/a/Security/Younger-Employees-Ignore-IT-Policies-Dont-Think-About-Security-Says-Cisco-274940/
3. www.securingthehuman.org/blog/2011/09/22/justifying-your-awareness-program-with-social-engineering-survey
30% of large companies said social engineering cost them an average of $100,000 per incident [3]
If your target employee is high up the food chain and too paranoid to take your bait, try working someone in their entourage. A lot of admins, even temps, are sitting at workstations that can access the same systems the boss's computers are hooked into.
Congrats, you just got a job in HR. Pretend to be a recruiter. In this market, people's judgment tends to get clouded if they think there's a new job on the horizon.
Depending on how much you've got riding on this attack, you may even invest in a little in-person social engineering. Put on a delivery uniform, bring some flowers and see if someone will let you in the building.
Your employees typically play a big role in a targeted attack, and their response to advanced attackers' probes has the potential to make or break your organization's chances of keeping the bad guys at bay. In spite of that, industry estimates consistently show that as few as a quarter to a third of employees today are ever trained on how to respond to these social engineering ploys. Employee training can make it much harder for targeted attacks to ever take shape: an adversary who can't gather the right information will find it far more difficult to customize an attack.
Elite cybercriminals are tapping into search engines and social networks to help them target specific employees for social-engineering trickery at a wide range of companies, professional firms and government agencies.
Byron Acohido, USA Today
Play 5: Get Social For Better Recon
Sometimes you don't even need to ask employees for information; they'll offer it up right on their Twitter feed. Use social media to find out all sorts of sweet intel. Here's what you can find out by making a dummy Facebook account and tricking someone into friending it:
Where they went to high school or college
Their mother's maiden name
Their birthday
Their dog's name
Facts about their job: title, promotions, boss's name, big projects coming up, etc.
All of these are valuable hints at passwords, system challenge question answers and information that's gonna grease the skids of your targeted campaign. Even if you don't friend the person directly, you can potentially dig up info by friending one of THEIR friends. Evil genius, no?
Social media also rules when it comes to building a psych profile on an employee who might turn out to be the kind of tool to help you roll out that first intrusion into a target company. If you know what his or her hobbies are, what teams they root for or any other personal information, you can craft the perfect bait that will get them to visit a site you've infected or trick them into opening a malicious document.
32.8% of passwords contain a name in the top 100 girl and boy name lists
16.7% of passwords contain a name on the top 100 dog names list
(This is the kind of info people readily give away on their social media feeds.)
According to recent numbers, more than half of enterprises today have seen malware infections rise as a result of employees' use of social media. And that's just the tip of the iceberg when it comes to how a persistent attacker will use social media to their advantage. Social media as an intelligence goldmine is an extremely effective method for hackers to start planning their attack. There's no silver bullet, but a combination of smart social media policies, automated enforcement of these policies and a workforce well-trained in the ways of social engineers can help stem the tide of these attacks.
42% of organizations have IT staff sharing passwords or access to systems or applications [4]
48% don't change their privileged passwords within 90 days [5]
40% or more of enterprises have informal or no patch management processes in place [7]
Play 6: Probe for Every Weakness
Why break a window when you've got the key for the front door? Look for user credentials at every step of the way.
Goal number two is to find clues about the architecture of the target company's IT infrastructure, to choose the right malware kit or custom build something that can help you pick the proverbial locks if the keys aren't lying around. This can be anything from unencrypted password files to lists of company IP addresses to system version information of deployed assets.
There are vulnerabilities in just about every corporate network between here and the moon. If your target company doesn't have them, chances are a third party vendor or partner company with ties into the network probably does.
Should you exploit zero-day vulnerabilities never before discovered by the security industry or vulnerabilities that already have a patch? Uh, yeah. Yeah, you should. If you're smart, they'll both play a part in your plans.
SOURCES:
4. www.liebsoft.com/Password_Security_Survey/
5. www.liebsoft.com/Password_Security_Survey/
6. www.trustwave.com/global-security-report
7. https://securosis.com/assets/library/main/quant-survey-report-072709.pdf
30% of Apache Tomcat installations with an accessible administrative interface have the default credentials
Zero-day vulnerabilities rock. But they're expensive to find and exploit, and known vulnerabilities can be pretty wide open. Most IT departments are too busy to plug their holes with patches.
In situations where you're seeking very specific information, say manufacturing schematics you're stealing for a competing company or nation state, and detection isn't an option, then shelling out for zero-day discovery and exploitation makes sense.
But if it is all about propagating malware in a company you already know (or have a hunch) has unpatched systems, it makes more sense to take advantage of old vulnerabilities.
The most common corporate password is Password1, because it just barely meets the minimum complexity requirements of Active Directory for length, capitalization and numerical figures [6]

DEFENSE:
Hackers might not start with a client-side attack to gain entry into your systems. Sometimes the first step is to run a SQL injection on your website to find unencrypted password files. Given users' propensity to reuse passwords, that early work may yield long-term access to accounts across many systems. Strong password management, including enforcement of frequent password changes, is a must for limiting damage in these instances.
On the vulnerability front, organizations have got to do a better job patching their systems to limit malicious software's mojo. Zero-day attacks are a tougher nut to crack, and defense against exploitation will depend upon security mechanisms at other security layers to prevent a widespread attack from gaining much ground within the network or exfiltrating data elsewhere.
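To show why the Password1 finding above survives an Active Directory-style complexity rule, and why the name and dog-name statistics from Play 5 matter for password policy, here is an added checker that is not Trustwave's code. It assumes a rule of at least 8 characters and 3 of 4 character classes as a stand-in for the Windows complexity policy, and uses tiny constructed name and password lists in place of the "top 100" lists cited on this page.

```python
"""Why "Password1" passes complexity but still fails a real policy check.

Added example, not Trustwave's code. Assumptions: an AD-style rule of at
least 8 characters and 3 of 4 character classes (stand-in for the Windows
complexity policy); the denylist, first-name and dog-name lists are tiny
constructed samples standing in for the "top 100" lists cited on the page.
"""
import re

# Constructed sample lists; a real deployment loads full breach/name lists.
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "summer"}
COMMON_FIRST_NAMES = {"michael", "jennifer", "david", "jessica", "james"}
COMMON_DOG_NAMES = {"max", "bella", "buddy", "lucy", "charlie"}

CHAR_CLASSES = (re.compile(r"[a-z]"), re.compile(r"[A-Z]"),
                re.compile(r"\d"), re.compile(r"[^A-Za-z0-9]"))
# Common leetspeak substitutions, undone before the dictionary lookup.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s"})


def meets_complexity(pw, min_len=8, min_classes=3):
    """The rule Password1 satisfies: length plus count of character classes."""
    classes = sum(1 for rx in CHAR_CLASSES if rx.search(pw))
    return len(pw) >= min_len and classes >= min_classes


def core_word(pw):
    """Reduce a password to the word it was built from: lower-case it, drop the
    leading/trailing digits and symbols people bolt on to satisfy complexity,
    then undo leetspeak inside the remaining word ("P@ssw0rd1" -> "password")."""
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return stripped.translate(LEET)


def weaknesses(pw):
    """Return every reason the password is weak; an empty list means acceptable."""
    reasons = []
    if not meets_complexity(pw):
        reasons.append("fails complexity")
    core = core_word(pw)
    if core in COMMON_PASSWORDS:
        reasons.append("common password with decoration")
    if core in COMMON_FIRST_NAMES:
        reasons.append("based on a common first name")
    if core in COMMON_DOG_NAMES:
        reasons.append("based on a common dog name")
    return reasons


def is_acceptable(pw):
    return not weaknesses(pw)


if __name__ == "__main__":
    for candidate in ("Password1", "P@ssw0rd1", "Bella2012!", "plum-Tractor-sunset-91"):
        print(candidate, meets_complexity(candidate), weaknesses(candidate))
```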
50% of targeted attacks initially occur through web use
48% of targeted attacks initially occur through e-mail use
2% enter through local devices
Play 7: Reinvent Old Web & Email Attacks
Once your crew has done its homework on a target, it's time to cast your line and wait for a bite. Some of the most effective initial intrusion plays are fundamentally pretty old-school in nature: you're just phishing people with fake emails, IMs or social media messages to trick them into visiting an infected site or downloading a malicious executable. Now use the information you gathered to custom fit that interaction! Craft a lure that's believable and build a hook that seems so painless that no one even notices they've been landed.
Do it like this:
Example 1: Your hackers just found a killer vulnerability in a software platform commonly used by entertainment companies. But you need control of a machine with access to exploit it. Fortunately for you, there are more than a few gossip fanatics in the entertainment community. Since most of the companies you're targeting are based in Hollywood, you use SQL injection to strategically compromise the homepage of a few local gossip sites with malicious code that downloads on visitors' machines. To keep pesky reputation-based filters from finding your website infection, you set it up so that it will only interact with machines working within a block of IP addresses originating from Los Angeles.
Intel About the Enemy
Advanced attackers are increasingly using strategic web compromises to infect their targets via drive-by-download: The goal is not large-scale malware distribution through mass compromises. Instead the attackers place their exploit code on websites that cater towards a particular set of visitors that they might be interested in.
--Shadowserver
Example 2: You've found some middle manager in accounting who's got access to systems that hold tons of saleable financial and customer data. You chum it up with him on Facebook, convincing him you met him at an accounting professional group conference. Through your friend status you find out his real passion isn't ledger books but photography. So, you task your hackers and coders to build a basic photography buff website with some hidden drive-by-download payloads. While he looks at tips on digital SLRs, your malicious payload silently loads in the background.
Example 3: You've gotten your hands on the organizational chart of a target company and read in a company blog about a strategic new hire of John Smith in the marketing department. You create a Gmail account under the name of the HR manager and use it to write an email that looks like HR blew it and gave everyone info on Smith's salary and benefits. They open the attachment, JohnSmithcompensation.xls, and bang, curiosity killed the network.
The examples named at left and on the previous page are just the tip of the iceberg in terms of the type of creativity targeted attacks are employing to personalize their intrusion attempts. Secure web and email gateways are critical to stopping all manifestations of blended email and web attacks. As Example 1 illustrates, old web filtering technology won't always work: techniques like initiating IP address-specific malware downloads can get around defenses that depend on reputation filtering. This is where advanced technology with real-time code inspection comes into play.
88% of targeted malware remains undetected by traditional anti-virus
In 76% of incident response investigations, a third party responsible for system support, development and/or maintenance of business environments introduced the security deficiencies.
Play 8: Think Sideways
One backdoor into a corporate network might be good, but more is always better. If you want to stay on a network for a long time, you've got to use that initial client-side pwnage to move sideways through the network. That way, if your first intrusion is detected and your malware package is eliminated from that machine, you'll still keep your hands on the steering wheel elsewhere.
The secret? You've got to propagate with diversity. You need to use completely different types of payloads on different systems, because once one type is found out, odds are they're gonna scan the network looking for everything that looks like that sample. But if you control a bunch of endpoints with different types of malware, they'll probably never even know they're still compromised.
INTEL ABOUT THE ENEMY
41.2% OF MALWARE USES HTTPS TO EXFILTRATE DATA
29.4% USES FTP
11.8% USES SMTP
Targeted attacks are so ingenious these days that even with the tools and practices we've suggested already, there's still a chance that some attacks will slip through. Always operate under the assumption that you've already been hacked, and utilize practices and technologies that will seek out existing infections, risky security configurations and any suspect file system changes that could be a red flag of infection.
Play 9: Hide in Plain Sight
Stealth is the name of the game in these targeted attacks. Sometimes you just want to do the old smash-and-grab, where you want to get in and out of the network with as much loot as possible or with a very specific piece of information. But generally the most profitable way is to drain the database a little at a time for a LONG time.
Put some technical noise dampeners on your intrusions. You don't want to knock over any expensive vases while you digitally cat burgle the place, do you? Every movement should be planned to avoid setting off any alarms. As you drop tools on systems to aggregate data and control backdoors, here are some tips:
Avoid self-replicating malware
Hide malware in system folders and get it to look like common processes
Make use of webmail accounts to route SSL-encrypted command-and-control traffic to your backdoors
Use packer utilities to hide malicious binaries
If you can, store some malware components in the cloud
Because the endgame for any targeted attack is to steal data, it only makes sense to depend on data-centric security tools to frustrate adversaries. This can be accomplished by understanding the context of the data and detecting, through application-aware, next generation firewalls, the malicious network application traffic that is dragging the data out. Also critical are encryption techniques that render data useless even if it is exfiltrated.
Intel About the Enemy
The use of encryption to hide attacks and theft of data is on the rise. Over 25 percent of all data exfiltrated by attackers is encrypted by cyber criminals.
Play 10: Take Data Quietly
So maybe you're a l33t spearphisher, you're wicked good at taking over a network and you've got a nose like a bloodhound for juicy data. It all amounts to nada if you can't get the data out of the network. Be patient! Quiet and slow exfiltration makes it easier to steal larger stores of information without setting off alarms that will shut you down midstream.
Lucky for you, most companies today don't set up their firewalls to block outbound traffic, so you have a lot of options. Public web traffic can prove to be one of the most efficient ways of slowly leaking data off the network. HTTPS traffic can have the added benefit of steering clear of data leak prevention tools by hiding data under the cloak of SSL.
Network monitoring tools have advanced considerably over the years to better find common signs of attacks, but attackers do a good job staying one step ahead of alerting technology. One of the most effective tools organizations have in their struggle to discover malicious activity is system information, but we have to know what to look for. That means correlating small event alerts from across the infrastructure so that one big alarm sounds when enough of them happen at once. It's a specialty of security information and event management (SIEM) tools and the skilled analysts who know how to use them, both indispensable in the fight against targeted attacks.
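The correlation idea above (small alerts from several sources, one big alarm), applied to the slow HTTPS exfiltration concern from Plays 9 and 10, as an added example that is not Trustwave's code or any SIEM product's rule language. The log format, the host and source names, and the threshold of three distinct detection sources within 60 minutes are assumptions, and the log lines are constructed for the example.

```python
"""Correlate low-severity events from several sources into one alarm per host.

Added example, not Trustwave's code. The log format, host/source names and the
3-sources-in-60-minutes threshold are assumptions; the log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three detection sources. Alone, each is noise;
# together on one host within an hour they look like Example 3 followed by
# a dropper and a slow HTTPS leak.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z host=ws-17 source=email msg=attachment JohnSmithcompensation.xls delivered
2024-05-01T09:14:41Z host=ws-17 source=endpoint msg=new executable written under C:\\Windows\\Temp
2024-05-01T09:15:10Z host=ws-17 source=proxy msg=first-seen HTTPS destination from host
2024-05-01T09:40:22Z host=ws-17 source=proxy msg=outbound HTTPS POST 4 MB to same destination
2024-05-01T10:02:00Z host=ws-03 source=email msg=attachment invoice.pdf delivered
2024-05-01T13:55:00Z host=ws-03 source=proxy msg=first-seen HTTPS destination from host
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) source=(\S+) msg=(.*)$")


def parse_log(text):
    """Parse the constructed key=value format into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "host": m.group(2),
                       "source": m.group(3), "msg": m.group(4)})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=60), min_sources=3):
    """Sliding window per host: raise one alarm when events from at least
    min_sources distinct detection sources fall inside the window. A host
    raises at most one alarm per window so the analyst sees a single incident
    rather than a repeat for every later event."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alarms = []
    for host, evs in by_host.items():
        start, fired_until = 0, None
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:
                start += 1  # drop events that fell out of the window
            span = evs[start:end + 1]
            sources = {x["source"] for x in span}
            if len(sources) >= min_sources and (fired_until is None or e["ts"] > fired_until):
                alarms.append({"host": host, "first_seen": span[0]["ts"],
                               "last_seen": e["ts"], "sources": sorted(sources),
                               "evidence": [x["msg"] for x in span]})
                fired_until = span[0]["ts"] + window
    return alarms


if __name__ == "__main__":
    for alarm in correlate(parse_log(SAMPLE_LOG)):
        print(alarm["host"], alarm["sources"], *alarm["evidence"], sep="\n  ")
```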
SECURITY IS A PROCESS, NOT A PRODUCT
That's why, through an integrated, automated and agile approach, Trustwave delivers stronger security, continuous compliance and fewer headaches. Our broad portfolio of integrated technologies, compliance and risk services, and elite SpiderLabs research, testing and threat intelligence can help you to secure your business, centralize compliance, and gain the meaningful, actionable intelligence you need to make faster and proactive decisions. And our unique approach helps you to seamlessly achieve business continuity and compliance by swiftly implementing, monitoring, auditing and enforcing protection and control over your sensitive assets and data. Interested in how Trustwave can help? Visit www.trustwave.com.
