It doesn't hurt to identify who your potential adversaries are. We've mentioned so far that more and more of these are entire nations or states, or syndicates, you know, terrorist and criminal syndicates, hackers, black hat hacker groups, cracker groups like the ones behind Koobface, for example. There could be corporate competitors, there can be somebody who just recently got let go at your company or fired, a disgruntled ex-employee, whatever, okay. Government agencies are also participating in this as well.
So knowing who your enemies are is a really good thing. You're trying to think like a cracker, think like a black hat hacker, and realize that a lot of these nations or states have a long-term approach, so if it's some advanced persistent threat they're developing against a large corporation, they don't mind if it takes six months, or a year, or longer for that to come to fruition for them. So they're in this for the long haul; they're very persistent. And so we have to be very, very vigilant in our protection of our corporate systems and our corporate information. Remember that hackers are not always somebody who's nefarious; the nefarious ones we usually call black hat hackers. Crackers are criminal hackers, so that's, you know, for financial gain and for other reasons. Phone breakers, or phreakers, go after telephone systems. You've got script kiddies who basically will use Metasploit and all the prepackaged code to launch attacks, or other things they can download off of the Internet. There are hacktivists that have a political agenda, maybe defacing a website, maybe going beyond that like the group Anonymous. So there are different categories of crackers and black hat hackers out there.
| Term | Definition |
|---|---|
| Crackers | Synonymous with black hat hacker |
| Phreakers | Hackers of telecommunication systems |
| Script Kiddies | Hackers with little skill |
| Hacktivists | Hackers with a political agenda |
Techniques used by hackers
To think like your adversaries, or to think like a cracker, there is really a seven-step process that's usually going to be the modus operandi. And I would want you to memorize this for the exam!
- Step 1: Perform footprint analysis (reconnaissance).
- Step 2: Enumerate applications and operating systems.
- Step 3: Manipulate users to gain access.
- Step 4: Escalate privileges.
- Step 5: Gather additional passwords and secrets.
- Step 6: Install back doors.
- Step 7: Leverage the compromised system.
Obviously, the first step is to gather information, okay. They're going to do social engineering of various forms. They're going to use readily available tools to do port scanning, sniffing, and reconnaissance of your network. They basically want to find out what operating system versions you're using, and what builds of operating systems, routers, and switches you're using. They want to know what you're using for your intrusion prevention system, what you're using for your firewall. So step one and step two kind of work hand in hand. Then step three, once they have that information, they want to manipulate users, either through brute force or through reconnaissance, to get access to the system. If they can get access as a root user or as an administrator, even better. If not, they'll get any kind of access they can, and then they'll use weaknesses in the system to escalate their privileges and try to get higher-level authority or authorization on the systems and services. At that point they have greater access, where they can gather additional information: hashes, secret keys.
Then they can install backdoors on critical systems. Those backdoors can be malicious code of various types; some of them can be time bombs that go off and exfiltrate data or pull data, maybe, you know, over a long weekend like a Labor Day weekend, or the Super Bowl, or something like that. And then those backdoors can also create reverse sessions, reverse TCP sessions back to some server or some malicious host, and then of course they use that to leverage the compromised systems.
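The seven steps are just as useful on the defender's side, because each one leaves a different kind of trace in your logs. The following example is added here and is not from the course or its author: it maps constructed syslog-style lines (the hostnames, addresses and indicator patterns are all made up for the illustration) onto the seven stages and ranks hosts by how far an intrusion has progressed, so that a host already at the back-door or leverage stage is treated as an incident rather than a single alert.

```python
import re
from collections import defaultdict

# Constructed syslog-style lines (not from any real system) covering each of the
# seven stages on one host, plus an unrelated benign login on a second host.
SAMPLE_LOGS = """\
2024-01-05T02:10:01 web01 suricata: PORTSCAN detected src=203.0.113.9 dst=192.0.2.10 ports=21,22,23,80,443
2024-01-05T02:11:30 web01 suricata: OS-FINGERPRINT probe src=203.0.113.9 dst=192.0.2.10 flags=SF
2024-01-05T02:20:05 web01 sshd: Failed password for admin from 203.0.113.9 port 50011 ssh2
2024-01-05T02:20:09 web01 sshd: Failed password for admin from 203.0.113.9 port 50012 ssh2
2024-01-05T02:21:47 web01 sshd: Accepted password for admin from 203.0.113.9 port 50020 ssh2
2024-01-05T02:25:12 web01 sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/bash
2024-01-05T02:26:03 web01 audit: type=PATH name=/etc/shadow uid=0 op=read
2024-01-05T02:27:41 web01 cron: (root) REPLACE (root)
2024-01-05T02:28:10 web01 fw: outbound src=192.0.2.10 dst=198.51.100.7 dport=4444 action=allow
2024-01-05T03:00:00 db01 sshd: Accepted publickey for backup from 192.0.2.20 port 41000 ssh2
"""

# One coarse indicator per stage of the seven-step process.  A real deployment
# carries many rules per stage; these patterns are illustrative assumptions.
STAGE_RULES = [
    (1, "footprint analysis", re.compile(r"\bPORTSCAN\b|ICMP sweep", re.I)),
    (2, "enumerate OS/applications", re.compile(r"OS-FINGERPRINT|banner grab", re.I)),
    (3, "manipulate users / gain access", re.compile(r"(Failed|Accepted) password", re.I)),
    (4, "escalate privileges", re.compile(r"sudo: .*USER=root .*COMMAND=", re.I)),
    (5, "gather passwords and secrets", re.compile(r"/etc/shadow|ntds\.dit|lsass", re.I)),
    (6, "install back doors", re.compile(r"cron: \(\w+\) REPLACE|\.service\b|authorized_keys", re.I)),
    # Outbound session from a server to an outside host; a real rule would consult an allowlist.
    (7, "leverage compromised system", re.compile(r"outbound .*action=allow", re.I)),
]


def classify_line(line):
    """Return (stage_number, stage_name) for the first matching rule, or None."""
    for number, name, pattern in STAGE_RULES:
        if pattern.search(line):
            return number, name
    return None


def stages_by_host(log_text):
    """Map each hostname (second syslog field) to the sorted stage numbers seen on it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split(" ", 3)  # timestamp, host, program, message
        if len(fields) < 4:
            continue
        hit = classify_line(line)
        if hit:
            seen[fields[1]].add(hit[0])
    return {host: sorted(stages) for host, stages in seen.items()}


def triage(log_text):
    """Rank hosts by the deepest stage reached; stage 6 or 7 means the attacker is already in."""
    ranked = sorted(stages_by_host(log_text).items(),
                    key=lambda item: max(item[1]), reverse=True)
    return [(host, max(stages), stages) for host, stages in ranked]


if __name__ == "__main__":
    for host, deepest, stages in triage(SAMPLE_LOGS):
        print(f"{host}: deepest stage {deepest}, stages observed {stages}")
```

Note that the benign `db01` login never appears in the result: the stage-3 rule looks for password-based logins, and a key-based backup job does not match it. The value of grouping by stage is in the ordering, not in any single rule.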
Now even though we have these seven steps, chances are malicious attackers know that you are thinking about these seven steps, so they're trying to "think outside of the box." They're trying to find new ways, and a lot of the malware that you'll find resident in RAM on servers and other devices is very clever, okay. It can morph itself, so if you remove it from RAM, it will put itself in certain directories. If you delete it from certain directories, it can rebuild itself based on modifications to the registry. So it's very clever; it can, you know, take itself and break itself up into various RAR files that are compressed in certain directories. It can hash itself, so that if you looked for that particular executable code, you won't find it unless you know the hash of that executable code. So they're getting very, very clever in their ways to evade you and your forensics.
Now there are a bunch of general categories of threats, and it's always a good idea to categorize these things, you know, to have different categories to help with countermeasures and mitigation techniques. So obviously, some of the threats that we have are forces of nature, otherwise known as acts of God. So are your equipment and your facilities protected against flood, and fire, and hurricanes, and tornadoes, and the like? And do you have disaster recovery plans, business continuity plans?
There are physical security attacks: somebody who actually can pick locks, or they can piggyback when people are using their badges. When somebody gets access through a doorway, can they piggyback through without having to have any credentials?
There is enumeration and fingerprinting – the ability to use software and malicious code to actually determine what type of operating systems you have. This can be accomplished as simply as analyzing the TCP behavior of the three-way handshake. You can do port scanning, you can do enumeration of IP address ranges; there is spoofing (IP spoofing) – representing yourself as a legitimate interior host, or actually using the IP address of the ultimate target of your attack, and then again impersonating DHCP servers, or default gateways, or DNS servers.
There are man-in-the-middle or meet-in-the-middle attacks, where you could actually inject yourself in between two endpoints in a conversation or a channel – a UDP flow or a TCP connection.
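Both enumeration and fingerprinting show up in your own flow logs, which is where you catch them. The example below is added here and is not from the course: it runs over constructed flow records (made-up addresses, ports and timestamps in the shape a firewall or connection log would give you) and does two things a defender wants from step one and step two of the process: it flags a source that touches many distinct ports on one host inside a short window, and it flags packets carrying TCP flag combinations that no normal handshake produces, which is exactly the kind of probe an OS-fingerprinting tool sends because each operating system answers it differently.

```python
from collections import defaultdict

# Constructed flow records, as a firewall or connection log would produce them:
# (timestamp_seconds, src_ip, dst_ip, dst_port, tcp_flags).  203.0.113.9 sweeps
# 15 ports and then sends three malformed probes; 198.51.100.5 is a normal HTTPS client.
SCANNED_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 3306, 3389]
FLOWS = (
    [(100 + i, "203.0.113.9", "192.0.2.10", port, "S") for i, port in enumerate(SCANNED_PORTS)]
    + [(100 + i * 2, "198.51.100.5", "192.0.2.10", 443, "S") for i in range(15)]
    + [(130, "203.0.113.9", "192.0.2.10", 80, ""),     # NULL: no flags at all
       (131, "203.0.113.9", "192.0.2.10", 80, "SF"),   # SYN and FIN together
       (132, "203.0.113.9", "192.0.2.10", 80, "FPU")]  # FIN+PSH+URG ("Xmas")
)

# Flag combinations a conforming TCP stack never sends to open a connection.
ODD_FLAG_COMBOS = {"", "SF", "FPU"}


def odd_flag_probes(flows):
    """Return (src, dst, dport, flags) for every packet whose flags only make sense as a probe."""
    return [(src, dst, dport, flags)
            for _, src, dst, dport, flags in flows if flags in ODD_FLAG_COMBOS]


def detect_port_scans(flows, window=60, threshold=10):
    """Flag (src, dst) pairs where src touches more than `threshold` distinct
    destination ports within any `window`-second span.  Counting distinct ports
    rather than connections keeps a busy but legitimate client (many connections
    to one port) from being flagged."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_pair[(src, dst)].append((ts, dport))

    alerts = {}
    for pair, events in by_pair.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {port for ts, port in events[i:] if ts - start <= window}
            if len(ports) > threshold:
                alerts[pair] = len(ports)
                break
    return alerts


if __name__ == "__main__":
    for (src, dst), count in detect_port_scans(FLOWS).items():
        print(f"port scan: {src} -> {dst}, {count} distinct ports")
    for src, dst, dport, flags in odd_flag_probes(FLOWS):
        print(f"fingerprint probe: {src} -> {dst}:{dport} flags={flags or 'NULL'}")
```

The window and threshold are tuning knobs: a slow scan spread over hours will slip under a 60-second window, which is one reason the lecture stresses how patient these adversaries are. The source address in these records is also only as trustworthy as the network lets it be; with IP spoofing in play, the scan alert tells you which address was used, not necessarily who sent it.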
There are overt channels and covert channels: you can tunnel things like peer-to-peer file sharing or instant messaging inside of HTTP on port 80. There are blended threats and malware; there is all kinds of code out there that has the ability to morph itself depending upon the forensic steps that you take.
You can exploit privileges and escalate your privileges if you can get unauthorized access to a system; you can exploit trust relationships between servers in the same directory service or Active Directory. And of course, you can just do flooding, which is a denial-of-service attack that uses up resources like disk space, RAM, or CPU.
There are quite a few industry efforts that we use to keep track of what's going on out there. There is CAPEC – the Common Attack Pattern Enumeration and Classification – you can go to capec.mitre.org. There is the Open Web Application Security Project – OWASP.org. There is also the Web Application Security Consortium Threat Classification – WASC TC – you can go check them out at webappsec.org. There is also Malware Attribute Enumeration and Characterization – MAEC – that's created by MITRE; you can go to MAEC.mitre.org.
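A firewall that only looks at the port number sees everything on port 80 as web traffic, which is the whole point of a covert channel. The example below is added here and is not from the course: it classifies the first bytes a client sends on a port-80 connection (constructed samples: a normal request, a BitTorrent handshake, a TLS ClientHello, and an instant-messaging tunnel wrapped in a syntactically valid POST) into plain HTTP, something that is not HTTP at all, and HTTP carrying an opaque body. The last class is the caveat: a tunnel that speaks proper HTTP passes the syntax check, so the body and headers still have to be inspected.

```python
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"PATCH", b"CONNECT", b"TRACE"}

# Constructed client payloads as they would appear at the start of a port-80 connection.
SAMPLES = {
    "browser":    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n",
    "bittorrent": b"\x13BitTorrent protocol" + bytes(8) + b"A" * 20 + b"B" * 20,
    "tls":        b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
    "im_tunnel":  (b"POST /gateway HTTP/1.1\r\nHost: im.example.net\r\n"
                   b"Content-Type: application/octet-stream\r\nContent-Length: 4\r\n\r\n\x01\x02\x03\x04"),
    "no_host":    b"GET / HTTP/1.1\r\n\r\n",
}


def parse_request_head(payload):
    """Return (method, target, version, headers, body) if the bytes start with an
    HTTP request line and well-formed header lines, otherwise None."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] not in HTTP_METHODS or not parts[2].startswith(b"HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            return None  # a header line without a colon is not HTTP
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers, body


def classify_port80(payload):
    """'http' for an ordinary request, 'non-http' for anything that is not an
    HTTP request at all, 'http-opaque' for valid HTTP whose content cannot be
    judged from the protocol layer alone (binary body or CONNECT tunnel)."""
    parsed = parse_request_head(payload)
    if parsed is None:
        return "non-http"
    method, _target, version, headers, _body = parsed
    if version == b"HTTP/1.1" and b"host" not in headers:
        return "non-http"  # HTTP/1.1 requires Host; no real browser omits it
    content_type = headers.get(b"content-type", b"")
    if method == b"CONNECT" or content_type.startswith(b"application/octet-stream"):
        return "http-opaque"
    return "http"


def suspicious_port80(samples):
    """Names of samples that deserve a closer look: everything that is not plain HTTP."""
    return sorted(name for name, payload in samples.items() if classify_port80(payload) != "http")


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:11s} -> {classify_port80(payload)}")
```

A protocol-aware proxy or IDS does essentially this on every connection; the cheap part is rejecting traffic that is not HTTP on port 80, and the expensive part is deciding what an opaque POST body actually carries.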