Inside a Hacker's Playbook

  • 5/24/2018 Inside a Hacker's Playbook

    1/22

    TEN TARGETED TECHNIQUES THAT WILL BREAK YOUR SECURITY

    INSIDE A HACKER'S PLAYBOOK


    Targeted attacks are successful because they are stealthy, specific and disarmingly personal. If they do it right, advanced attackers can quietly infiltrate a network and steal data or information at will for months or even years.


    Learn how to stop them by taking a page from their playbook, literally. Trustwave presents a never-before-seen copy of an advanced attacker's technique manual. Use it well to design security that counters their plays perfectly.


    A Playbook On Profiting From Targeted Attacks

    Before we tackle the finer techniques of building a money-making cyber scam, let's talk a little about the basics of this gig, shall we?

    First of all, here's what we are not trying to do. We're not trying to blanket the internet with malicious V1agro spam or mass SQL inject a zillion websites.

    We're narrowing our work down to a specific company or industry based on vulnerability opportunities that we scare up. The broadest we'll get is hitting a range of companies vulnerable to one precise vulnerability either never discovered by security researchers or just recently patched by a vendor.

    Do it right and you'll get your hands on huge caches of valuable customer data, and maybe even hit the jackpot with the target's most important intellectual property. With that, you can blackmail people or sell to competitors or even to nation states.

    You won't just be buying a new Ferrari. You'll be buying a fleet of 'em.

    Know Your Adversary

    With a little bit of research, some crafty writing and the right technology, crooks make a good living running targeted attacks to steal corporate and government data. The more we can learn about their techniques, the better we can counter them.

    As we sneak a look at each of the plays inside this bad guy instruction manual, let's look for ways to turn this inside knowledge on its head. We'll also offer advice on how to block each attack technique.


    76% of breached organizations needed someone else to tell them they'd been compromised.

    Play 1: Staging Your Attack

    Let's get to easy money! Most times, there are five stages to a really gnarly targeted attack:

    RESEARCH: Start by doing recon on the anticipated target. Dig for publicly available information and socially engineer your way to exploitable info about their IT systems.

    INTRUDE: Use that information to find the right employee to spearphish and the right vulnerability to target with your malicious payload. Once the bait's taken you'll have your initial toehold in the target's network.

    PROPAGATE: When you pwn one machine, use its network connections to spread malware onto other machines so even if you're detected in one place you've got control of other machines.

    INFECT: Once you get the lay of the land through your different connections, install more tools to really start to steal and aggregate data.

    EXFILTRATE: Finally, you've got to get all that data out of there. Among other options, public web traffic works well.

    Of those, 48% were told by regulatory bodies, 25% by law enforcement, 1% by the public and 2% by a third party.


    Play 2: Specialize and Outsource

    It's not what you know, it's who you know. Put together your own little mafia with specialists who work together to keep your multi-step campaign running. Just like cavemen split labor into hunting and gathering, you just have to break it up into hacking and scamming.

    Build the team however you like. Hire people, outsource to malware kit vendors, even work in an equal partnership. Just remember what they say about honor among thieves.

    Just think: no n00bs allowed. If they can't spell or find the caps lock, or code better than your average script kiddie can, it's hasta la vista, baby.

    The FBI's List of Cyber Crime Specialties

    Targeted attackers are building a business around stealing from your business. Just as you'd dedicate a lot of specialized employees and vendors to solving your business problem, they're sourcing skills necessary to crack your defenses. Here are the top five out of 10 common specialties named by the FBI:

    CODERS: write malware, exploits and data theft tools

    VENDORS: trade and sell stolen data, malware kits, footprints into compromised networks

    CRIMINAL IT GUYS: maintain criminal IT infrastructure like servers and bullet-proof ISPs

    HACKERS: seek and exploit application, system and network vulnerabilities

    FRAUDSTERS: create and execute social engineering ploys like phishing and domain squatting


    >1/3: More than a third of data breach investigations occur within franchise businesses.

    Play 3: Scale Your Attacks

    Once you get together that A-team, you're going to milk every vulnerability dry.

    Developed or bought an exploit for a new vulnerability in some sorry old company's retail point of sale (POS) system? Maybe it's for some small-time grocery store in San Francisco, but then maybe that same exact vulnerability and system configuration is going to work in POS machines at other franchises of the same brand.

    Then, son, your meal-ticket is punched. You'll steal ten times the data but only really do the work to break into one location.


    48% of large companies have experienced 25 or more social engineering attacks in the past two years [1]

    70% of young workers regularly ignore IT policies [2]

    Play 4: Play The Player, Not The Game

    There's a good chance your target's employees will be oh-so-helpful without even knowing it. They'll give you information, help you upload malware on their machine and even hold the door open for you if you need to sneak into a building. These peeps should be your best friends during the first two stages of attack: research and intrusion. So work this to your advantage. Here are some tips:

    If you want information about the org chart, location of a data center, technology they use or whatever, call someone who would know, pretend to be from another department and just ask. Nine times out of ten they'll freely tell you out of the kindness of their hearts.

    Official-sounding emergencies work every time. Act like you need help to get a mission-critical project done or else heads will roll. Works best if you know the name of their boss's boss.


    30% of large companies said social engineering cost them an average of $100,000 per incident [3]

    If your target employee is high up the food chain and too paranoid to take your bait, try working someone in their entourage. A lot of admins, even temps, are sitting at workstations that can access the same systems the boss's computers are hooked into.

    Congrats, you just got a job in HR. Pretend to be a recruiter. In this market, people's judgment tends to get clouded if they think there's a new job on the horizon.

    Depending on how much you've got riding on this attack, you may even invest in a little in-person social engineering. Put on a delivery uniform, bring some flowers and see if someone will let you in the building.


    "Elite cybercriminals are tapping into search engines and social networks to help them target specific employees for social-engineering trickery at a wide range of companies, professional firms and government agencies."

    Byron Acohido, USA Today

    Play 5: Get Social For Better Recon

    Sometimes you don't even need to ask employees for information; they'll offer it up right on their Twitter feed. Use social media to find out all sorts of sweet intel. Here's what you can find out by making a dummy Facebook account and tricking someone into friending it:

    Where they went to high school or college
    Their mother's maiden name
    Their birthday
    Their dog's name
    Facts about their job: title, promotions, boss's name, big projects coming up etc.

    All of these are valuable hints at passwords, system challenge question answers and information that's gonna grease the skids of your targeted campaign. Even if you don't friend the person directly, you can potentially dig up info by friending one of THEIR friends. Evil genius, no?

    Social media also rules when it comes to building a psych profile on an employee who might turn out to be the kind of tool to help you roll out that first intrusion into a target company. If you know what his or her hobbies are, what teams they root for or any other personal information, you can craft the perfect bait that will get them to visit a site you've infected or trick them into opening a malicious document.


    32.8% of passwords contain a name in the top 100 girl and boy name lists

    16.7% of passwords contain a name on the top 100 dog names list

    (this is the kind of info people readily give away on their social media feeds)
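The two password statistics above translate directly into a preventive control: screen new passwords against the very name lists that social media leaks, including the leet-style spellings people use to disguise them. This is an added example, not part of the Trustwave deck; the name lists are short constructed stand-ins for the real top-100 lists and the substitution table is an assumed mapping.

```python
import re

# Constructed, abbreviated stand-ins for the "top 100" girl/boy and dog name lists
# the statistic refers to; a real deployment would load the full lists.
TOP_PEOPLE_NAMES = ["emma", "liam", "olivia", "noah", "sophia", "james"]
TOP_DOG_NAMES = ["max", "bella", "charlie", "lucy", "fluffy", "buddy"]

# Character swaps people commonly use to "disguise" a name (assumed mapping).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password):
    """Lowercase, undo the leet substitutions, and keep only letters."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def listed_names_in(password, lists=(TOP_PEOPLE_NAMES, TOP_DOG_NAMES)):
    """Return every listed name that appears inside the normalized password."""
    core = normalize(password)
    found = []
    for names in lists:
        for name in names:
            # Names shorter than three letters would match almost anything.
            if len(name) >= 3 and name in core and name not in found:
                found.append(name)
    return found


def check_password(password):
    """Policy decision: (accepted, reason). Rejects passwords built on a listed name."""
    names = listed_names_in(password)
    if names:
        return False, "contains listed name(s): " + ", ".join(names)
    return True, "ok"


if __name__ == "__main__":
    for pw in ["Fluffy2014!", "M@x1mus", "0l1v1a!2012", "Tr0ub4dor&3"]:
        print(pw, "->", check_password(pw))
```

Substring matching will also reject innocent words that embed a short name (maximum, lava), which is the price of catching disguised spellings; tune the minimum name length and the lists to your user base.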


    42% of organizations have IT staff sharing passwords or access to systems or applications [4]

    48% don't change their privileged passwords within 90 days [5]

    40% or more of enterprises have informal or no patch management processes in place [7]

    Play 6: Probe for Every Weakness

    Why break a window when you've got the key for the front door? Look for user credentials at every step of the way. Goal number two is to find clues about the architecture of the target company's IT infrastructure to choose the right malware kit or custom build something that can help you pick the proverbial locks if the keys aren't lying around. This can be anything from unencrypted password files to lists of company IP addresses to system version information of deployed assets.

    There are vulnerabilities in just about every corporate network between here and the moon. If your target company doesn't have them, chances are a third party vendor or partner company with ties into the network probably does.

    Should you exploit zero-day vulnerabilities never before discovered by the security industry or vulnerabilities that already have a patch? Uh, yeah. Yeah, you should. If you're smart, they'll both play a part in your plans.


    30% of Apache Tomcat installations with an accessible administrative interface have the default credentials

    Zero-day vulnerabilities rock. But they're expensive to find and exploit, and known vulnerabilities can be pretty wide open. Most IT departments are too busy to plug their holes with patches.

    In situations where you're seeking very specific information, say manufacturing schematics you're stealing for a competing company or nation state, and detection isn't an option, then shelling out for zero-day discovery and exploitation makes sense.

    But if it is all about propagating malware in a company you already know (or have a hunch about) has unpatched systems, it makes more sense to take advantage of old vulnerabilities.


    50% of targeted attacks initially occur through web use

    48% of targeted attacks initially occur through e-mail use

    2% enter through local devices

    Play 7: Reinvent Old Web & Email Attacks

    Once your crew has done its homework on a target, it's time to cast your line and wait for a bite. Some of the most effective initial intrusion plays are fundamentally pretty old-school in nature: you're just phishing people with fake emails, IMs or social media messages to trick them into visiting an infected site or downloading a malicious executable. Now use the information you gathered to custom fit that interaction! Craft a lure that's believable and build a hook that seems so painless that no one even notices they've been landed.

    Do it like this:

    Example 1: Your hackers just found a killer vulnerability in a software platform commonly used by entertainment companies. But you need control of a machine with access to exploit it. Fortunately for you, there are more than a few gossip fanatics in the entertainment community. Since most of the companies you're targeting are based in Hollywood, you use SQL injection to strategically compromise the homepage of a few local gossip sites with malicious code that downloads on visitors' machines. To keep pesky reputation-based filters from finding your website infection, you set it up so that it will only interact with machines working within a block of IP addresses originating from Los Angeles.

    Intel About the Enemy

    "Advanced attackers are increasingly using strategic web compromises to infect their targets via drive-by-download: The goal is not large-scale malware distribution through mass compromises. Instead the attackers place their exploit code on websites that cater towards a particular set of visitors that they might be interested in."

    -- Shadowserver


    Example 2: You've found some middle manager in accounting who's got access to systems that hold tons of saleable financial and customer data. You chum it up with him on Facebook, convincing him you met him at an accounting professional group conference. Through your friend status you find out his real passion isn't ledger books but photography. So, you task your hackers and coders to build a basic photography buff website with some hidden drive-by-download payloads. While he looks at tips on digital SLRs, your malicious payload silently loads in the background.

    Example 3: You've gotten your hands on the organizational chart of a target company and read in a company blog about a strategic new hire of John Smith in the marketing department. You create a Gmail account under the name of the HR manager and use it to write an email that looks like HR blew it and gave everyone info on Smith's salary and benefits. They open the attachment, JohnSmithcompensation.xls, and bang, curiosity killed the network.


    Intel About the Enemy

    88% of targeted malware remains undetected by traditional anti-virus

    In 76% of incident response investigations, a third party responsible for system support, development and/or maintenance of business environments introduced the security deficiencies.

    Play 8: Think Sideways

    One backdoor into a corporate network might be good, but more is always better. If you want to stay on a network for a long time, you've got to use that initial client-side pwnage to move sideways through the network. That way, if your first intrusion is detected and your malware package is eliminated from that machine, you'll still keep your hands on the steering wheel elsewhere.

    The secret? You've got to propagate with diversity. You need to use completely different types of payloads on different systems because once one type is found out, odds are they're gonna scan the network looking for everything that looks like that sample. But if you control a bunch of endpoints with different types of malware, they'll probably never even know they're still compromised.


    Play 9: Hide in Plain Sight

    Stealth is the name of the game in these targeted attacks. Sometimes you just want to do the old smash-and-grab, where you want to get in and out of the network with as much loot as possible or with a very specific piece of information. But generally the most profitable way is to drain the database a little at a time for a LONG time.

    Put some technical noise dampeners on your intrusions. You don't want to knock over any expensive vases while you digitally cat burgle the place, do you? Every movement should be planned to avoid setting off any alarms. As you drop tools on systems to aggregate data and control backdoors, here are some tips:

    Avoid self-replicating malware
    Hide malware in system folders and get them to look like common processes
    Make use of webmail accounts to route SSL-encrypted command-and-control traffic to your backdoors
    Use packer utilities to hide malicious binaries
    If you can, store some malware components in the cloud
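The second tip, hiding malware in system folders under the name of a common process, is the one a defender can test for mechanically from a process inventory: a well-known binary name running from the wrong directory, an unexpected parent process, or a one-character lookalike name. This is an added example, not from the Trustwave deck; the expected-directory allowlist and the process records are constructed assumptions.

```python
from collections import namedtuple

# One inventory record per running process; the sample below is constructed, not captured.
Process = namedtuple("Process", "pid name path parent")

# Directory each well-known Windows binary legitimately runs from (lower-cased). Assumption:
# a defender builds this allowlist from a known-good reference host.
EXPECTED_DIRS = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

SAMPLE = [
    Process(812, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
    Process(4120, "svchost.exe", r"C:\Users\Public\svchost.exe", "explorer.exe"),
    Process(5200, "svch0st.exe", r"C:\Windows\Temp\svch0st.exe", "cmd.exe"),
    Process(1400, "explorer.exe", r"C:\Windows\explorer.exe", "userinit.exe"),
]


def edit_distance(a, b):
    """Levenshtein distance; one edit away from a system name is the classic lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(proc):
    """Return the masquerading indicators for one process (empty list if none)."""
    findings = []
    name = proc.name.lower()
    directory = proc.path.lower().rsplit("\\", 1)[0]
    if name in EXPECTED_DIRS:
        if directory != EXPECTED_DIRS[name]:
            findings.append("system process name running from unexpected path")
        # Genuine svchost.exe instances are started by the Service Control Manager.
        if name == "svchost.exe" and proc.parent.lower() != "services.exe":
            findings.append("svchost.exe not spawned by services.exe")
    else:
        for known in EXPECTED_DIRS:
            if edit_distance(name, known) == 1:
                findings.append("lookalike of " + known)
    return findings


def scan(procs):
    """Map pid -> findings for every process showing at least one indicator."""
    return {p.pid: f for p in procs if (f := classify(p))}
```

Run it against a real inventory (for example the output of a process-listing agent) and the hits are the ones worth pulling the binary and its hash for, whatever the anti-virus verdict says.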

    Intel About the Enemy

    Because the endgame for any targeted attack is to steal data, it only makes sense to depend on data-centric security tools to frustrate adversaries. This can be accomplished by understanding the context of the data and detecting malicious network application traffic that is dragging the data out through application-aware, next generation firewalls. The use of encryption to hide attacks and theft of data is on the rise. Over 25 percent of all data exfiltrated by attackers is encrypted by cybercriminals. Also critical are encryption techniques that render data useless even if it is exfiltrated.


    Play 10: Take Data Quietly

    So maybe you're a l33t spearphisher, you're wicked good taking over a network and you've got a nose like a bloodhound for juicy data. It all amounts to nada if you can't get the data out of the network. Be patient! Quiet and slow exfiltration makes it easier to steal larger stores of information without setting off alarms that will shut you down midstream.

    Lucky for you, most companies today don't set up their firewalls to block outbound traffic so you have a lot of options. Public web traffic can prove to be one of the most efficient ways of slowly leaking data off the network. HTTPS traffic can have the added benefit of steering clear of data leak prevention tools by hiding data under a cloak of SSL.
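Play 10 and the "Intel About the Enemy" note before it come down to the same defender's question: how to spot a slow HTTPS drip when the payload itself is encrypted. The added example below (not from the Trustwave deck) works only on what SSL cannot hide, bytes per direction, session count and time span per client/destination pair, which is exactly where a long, quiet upload stands apart from download-heavy browsing; the proxy log lines and thresholds are constructed assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed proxy log sample (not real traffic). Everything is HTTPS, so only volume,
# direction and timing are visible: ts in seconds, client, destination, bytes each way.
SAMPLE_LOG = """ts,src,dst,bytes_out,bytes_in
0,10.1.1.5,news.example,900,180000
60,10.1.1.5,news.example,700,220000
120,10.1.1.5,mail.example,1200,45000
0,10.1.1.9,files.example,260000,1100
300,10.1.1.9,files.example,255000,1200
600,10.1.1.9,files.example,262000,1150
900,10.1.1.9,files.example,258000,1050
1200,10.1.1.9,files.example,261000,1100
1500,10.1.1.9,files.example,259000,1200
30,10.1.1.9,news.example,800,150000
"""


def summarize(log_text):
    """Roll up bytes, session count and time span per (client, destination) pair."""
    stats = defaultdict(lambda: {"out": 0, "in": 0, "n": 0, "first": None, "last": None})
    for row in csv.DictReader(StringIO(log_text)):
        s = stats[(row["src"], row["dst"])]
        ts = int(row["ts"])
        s["out"] += int(row["bytes_out"])
        s["in"] += int(row["bytes_in"])
        s["n"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return stats


def find_slow_exfil(log_text, min_out=1_000_000, min_ratio=10.0,
                    min_sessions=5, min_span=600):
    """Flag pairs where a client keeps pushing far more than it pulls over a long window.

    Normal browsing is download-heavy (ratio well below 1); a steady upload drip to one
    host that persists across many sessions is the "quiet and slow" pattern. A single
    large upload is deliberately not caught here. Thresholds are assumptions to tune.
    """
    hits = []
    for (src, dst), s in summarize(log_text).items():
        ratio = s["out"] / max(s["in"], 1)
        span = s["last"] - s["first"]
        if (s["out"] >= min_out and ratio >= min_ratio
                and s["n"] >= min_sessions and span >= min_span):
            hits.append({"src": src, "dst": dst, "bytes_out": s["out"],
                         "ratio": round(ratio, 1), "sessions": s["n"], "span_s": span})
    return hits
```

Feed it a day of proxy or NetFlow records keyed the same way and the hits are the client/destination pairs to check against sanctioned upload destinations before anyone else has to tell you about the breach.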


    SECURITY IS A PROCESS, NOT A PRODUCT

    That's why, through an integrated, automated and agile approach, Trustwave delivers stronger security, continuous compliance and fewer headaches. Our broad portfolio of integrated technologies, compliance and risk services, and elite SpiderLabs research, testing and threat intelligence can help you to secure your business, centralize compliance, and gain the meaningful, actionable intelligence you need to make faster and proactive decisions. And our unique approach helps you to seamlessly achieve business continuity and compliance by swiftly implementing, monitoring, auditing and enforcing protection and control over your sensitive assets and data. Interested in how Trustwave can help? Visit www.trustwave.com.