July 1, 2016 | 3 minute read
During my conversations with security executives, a topic that consistently comes up is what, exactly, constitutes a modern hacking operation. Security professionals understand they’re no longer facing script kiddies who lack a comprehensive plan. However, they’re also not fully aware of how detail-oriented adversaries are when developing an attack campaign.
Today's hacking operations are well-organized and developed by well-funded teams of highly trained adversaries who have diverse experiences and backgrounds. In fact, attack planning is handled like a business operation and includes hiring plans, budgets and timelines.
To help security professionals better understand the attacks they’re facing, I thought I’d share some of my observations on the work that goes into planning a hack.
An attack starts long before a network is breached. The first step in any attack is setting the operation’s goals. Hackers don’t randomly pick an entity, blindly attack it and hope they’ll discover valuable information. Targets are selected based on the data they possess and how that information will help the hackers meet their goals.
Typically, the criminal entity behind the attack sets the goals, which vary depending on their objectives and motives. For example, a nation-state that uses a cyber attack to provide the country’s businesses with a research and development advantage would set a goal of stealing intellectual property and trade secrets from prosperous companies.
Larger campaigns often include several smaller goals that, when combined, reach the main objective. In some cases the campaign hacks into several targets to achieve a single goal; for example, an operation may compromise another company in order to infiltrate the intended target's network. The attackers behind the Target breach used this approach: they first compromised an HVAC vendor and then used that vendor's access to reach Target's network.
This leads me to my next point about goals: Hackers will do anything to accomplish them. They’ll disregard rules and will use deception whenever possible. Criminals intent on making money, obtaining intellectual property or carrying out other nefarious activities are behind these operations, not people who follow corporate policies.
The reconnaissance that hackers conduct goes beyond mapping a company’s IT network or learning about its technology. They’re interested in gathering as much information as possible on their target, especially around how the business and its key personnel operate. These details will help attackers navigate around any technological or human barriers that hinder the attack.
To collect these details, hackers will use social media to learn where key members of your security team worked or went to college. If a hacker has penetrated your network, they’ll review emails and calendar entries to learn when key security personnel are on vacation and attack when there’s a staffing gap.
Not to make you paranoid, but in some cases hacking organizations will use insiders to obtain information on their target. They’ll either use a person already working at the organization or attempt to get someone hired by the company, allowing them to operate from within the target. Job interviews can teach the adversary how the company handles security events and how security personnel are measured and evaluated. If an adversary knows, for example, that a company’s security team is measured by how quickly it remediates incidents, an attack may include malware that’s easy to discover as a way to distract them from the real operation.
Gathering all this information makes reconnaissance very time consuming. I’ve seen some hackers start reconnaissance a year before the initial infiltration. But all of this preparation increases the chances of the operation succeeding.
Hacking teams are composed of people who have various backgrounds whose expertise can help the operation. An attack targeted at a mine may include a geological expert, for instance, who can provide firsthand knowledge on how this organization functions. This diversity gives the hackers new ways of approaching the operation. Companies would be wise to follow a similar practice when building out their security teams, a point I made in a recent Network World blog.
The roles on a hacking team are also diverse. For example, there’s usually a group of people dedicated to deception. This often-overlooked group creates a campaign that distracts the security team from the main operation. The distraction is meant to mitigate the risk of the campaign being discovered. Some of the more common distractions include a DDoS attack that brings down a company’s website or malware that a security team can easily detect. These decoy threats mask the real threat and allow it to continue unabated.
Penetrating a network is the simplest part of an operation and is sometimes outsourced, a point that surprises many people because they consider penetration the operation's most important component. But outsourcing penetration to a team that specializes in the task all but guarantees that the hackers will get into the organization. The reason is simple: teams that handle penetration get paid only if they infiltrate the target. With their paycheck on the line, these teams will do everything possible to defeat a company's defenses.
Hacking operations aren’t rushed. Attackers want to remain undetected in your IT environment for as long as possible. This approach allows them to minimize mistakes and, of course, gather more data and compromise more systems. I’ve seen cases where attackers went undetected for a year, giving them ample time to access systems like Microsoft Active Directory and Outlook Web App. Having this access let attackers collect every employee’s log-in credentials and maintain persistence in the environment.
To combat more complex hacking operations, security teams need to adopt a hacker's mindset. Remember that hackers are out to deceive you: a noisy incident may exist only to pull attention away from a quieter one. Security incidents, even minor ones, should be treated as a potential part of a larger campaign. Companies need to aggressively monitor their IT environment and look for behavioral changes, such as an account logging in while its owner is on vacation or a single host authenticating as many different employees. Catching just one such incident could expose the entire campaign.
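The two behavioral changes this column points at, a login by an account whose owner is on leave (the staffing-gap timing described above) and one source authenticating as many different employees in quick succession (what harvested Active Directory credentials look like when they are put to use against Outlook Web App), written as a small Python detector. This is an added example, not code from the column or from Cybereason: the log format, the out-of-office table, the window and threshold values are all assumptions, and the sample events are constructed.

```python
"""Behavioral detections for the post-compromise phase described above.

Added example, not code from the column or from Cybereason. It assumes a
simplified authentication log ('timestamp user source_ip result', one event
per line) and an out-of-office table; both are constructed inline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: successful logins to an OWA front end, roughly as a
# SIEM might export them. 203.0.113.9 is the attacker reusing stolen credentials.
AUTH_LOG = """\
2016-06-21T09:02:11 alice 10.1.4.22 success
2016-06-21T09:05:40 bob 10.1.4.23 success
2016-06-21T02:14:03 carol 203.0.113.9 success
2016-06-21T02:14:09 dave 203.0.113.9 success
2016-06-21T02:14:15 erin 203.0.113.9 success
2016-06-21T02:14:21 frank 203.0.113.9 success
2016-06-21T02:14:30 grace 203.0.113.9 success
2016-06-21T11:30:00 carol 10.1.4.30 success
"""

# Constructed out-of-office calendar: (user, first day, last day), inclusive.
OUT_OF_OFFICE = [
    ("carol", "2016-06-20", "2016-06-24"),  # security lead on vacation
    ("erin", "2016-06-21", "2016-06-21"),
]


def parse_auth_log(text):
    """Parse 'timestamp user source_ip result' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                       "user": user, "ip": ip, "result": result})
    return events


def out_of_office_logins(events, out_of_office):
    """Successful logins by accounts whose owner is marked out of office.

    A person on vacation should not be authenticating; when they appear to,
    either the calendar is wrong or someone else holds their credentials.
    """
    windows = defaultdict(list)
    for user, start, end in out_of_office:
        windows[user].append((datetime.strptime(start, "%Y-%m-%d").date(),
                              datetime.strptime(end, "%Y-%m-%d").date()))
    hits = []
    for e in events:
        if e["result"] != "success":
            continue
        for start, end in windows.get(e["user"], []):
            if start <= e["ts"].date() <= end:
                hits.append((e["user"], e["ts"], e["ip"]))
                break
    return hits


def many_users_one_source(events, window=timedelta(minutes=5), threshold=5):
    """Source IPs that authenticate as >= threshold distinct users within window.

    Returns {source_ip: set of users seen from it}. A real user logs in as
    one account; a host working through a dump of directory credentials
    logs in as many, one after another.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0  # sliding window over the time-sorted events for this source
        for hi in range(len(evs)):
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1
            users = {e["user"] for e in evs[lo:hi + 1]}
            if len(users) >= threshold:
                flagged.setdefault(ip, set()).update(users)
    return flagged


if __name__ == "__main__":
    events = parse_auth_log(AUTH_LOG)
    for user, ts, ip in out_of_office_logins(events, OUT_OF_OFFICE):
        print(f"out-of-office login: {user} at {ts} from {ip}")
    for ip, users in many_users_one_source(events).items():
        print(f"credential reuse from {ip}: {sorted(users)}")
```

Both checks fire on the constructed data: carol's two logins during her vacation (one of them from the attacker host), erin's login on her day off, and 203.0.113.9 authenticating as five different employees in under thirty seconds. Neither signal should be suppressed because a louder incident, such as a DDoS against the public website, is being worked at the same time; that is exactly the situation the decoy is meant to create.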
This column previously appeared in Network World. Lior Div is the CEO of Cybereason.
Lior Div, CEO and co-founder of Cybereason, was a Commander in the famed Israeli Unit 8200 and is an expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He was in charge of carrying out some of the largest cyber offensive campaigns in history against nations and cybercrime groups during the same period as the watershed Stuxnet attacks that undermined the Iranian nuclear program at Natanz. He also received one of Israel's highest awards at that time, the Medal of Honor. Lior has a very unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.