Anatomy of a cyber attack (Angles of attack and exploit - oblique preferred.)

1. Get inside the target's perimeter, operations, and their "head".

Once you do this, you've bypassed nearly all conventional defenses: firewalls, IPAM, SOC/SIEMs, WAFs, IPS/IDS, password and account protection, MFA/UFA, deception networks, shiny blinky boxes, etc.

Defense in depth? Nah, more like layers of tissue paper, flimsy tissue paper. ;)

Think this is hard to penetrate facilities/perimeters? Nah, just a bit of incremental effort.

Plus, it's kinda hilarious when you finally talk to them using their IPs, internal phone systems, secure commo links, etc... or call from the CEO's office/line/email. :D

Bash Bunny USB attacks are easy and quick, but your best weapon is between your right ear and left ear. Matches and smoke canisters can be very effective distraction tools regardless of physical security levels.

2. Spend some time documenting the target's process, procedure, operations, personnel, mindset and culture, as well as their network, ports, apps, software packages, habits, etc. Of course, get domain admin, hard-coded accounts, soft accounts, etc., but don't use them unless it's a "zippo raid in force"; then make sure to get the "fuel and ammo dumps", destroy or degrade comms and commo, poison the water (data), burn the food/supplies, and take or destroy cash/weapons/transport centers/capital equipment, e.g. hot shots on engines or engine blocks of critical equipment.

Spoof, sniff, snort - sneak and peak and bury payloads everywhere.

3. Play with their heads: ramp levels of attack over time, do counter-forensics, do maskirovka and kompromat, muddy the waters and blame the innocent. Depending on the level of blackhat criminality, real bad guys don't hesitate at swatting, bomb threats, wildfires, false-flag dummies and fall guys, etc.

If you mess with command and control staff and management in general, you can create 10x to 100x to 1000x the resulting chaos.

4. Ransomware is simple but effective. DDoS/XDoS is not as simple but very effective. CAI cryptoworms will rule the world, eventually.

Technical myopia is useful in targets and their response, but play chess when they are obsessing over checkers. Understand and use complex attacks, ripple fire, and OPTEMPO: attack and wear out their security and IT staff with evening, weekend, and holiday attacks; attack operations Tuesday to Friday during bankers' hours.

Always destroy, degrade, disrupt, deny, delete, or drift data and data infrastructure whenever possible when on active measures/direct action.

5. 0-days are nice but not necessary to cause havoc/launch attacks.

Deception is the rule: distract with the right hand while using the left, or better yet use the "gripping hand". Watch the birdie or the pretty assistants while... ;)

6. Social engineering techniques work 25%-60% of the time and are transient regarding breaches. Intel runs work 95% of the time and are enduring, but they take more time and effort.

Never use one fish where three or five or seven will do. Active torps in the water create chaos even if they miss and if you go active, you should go full spread.

Stay passive as long as possible,,, don't ping targets unless trying to panic them.

Work in teams and overwhelm the opponent.

Effective attacks cost 10x, 100x, or 1000x less (or more) than effective defense does. Most defenses are limited, illusory, reactive and ineffective, but it's nice if you can use their defenses, their tools, in the attack phases.

7. Play the player, not his cards. Figure out mindset. Shiny object blinky box jockeys are easy to defeat as they are so 'rubber crutch' dependent. Poison and corrupt their packages and updates. Control them through their tech, their architecture, their processes.

Defense is 10x - 10000x more expensive than offense. Use this.

The bigger they are, the harder they fall. ;)

8. Use 2nd-party oblique attacks. In northern California, the power company is doing a good job of shutting down companies. };-]

Wire/cable cutters are as good a denial tool as DDoS botnets. Cut fibre, cut power, take down street vaults and substations: almost as good a way to shut down a data centre as burning it down.

Find and hit the weak points, choke points, single points of failure as this amplifies any attack.

Sow confusion, encourage doublethink, twirl that cape to blind and confuse the target, especially their command chain. Fort Apache is a good strategy for attackers.

9. Almost every company and organisation is sitting at 20% - 40% effective levels of security. The bad thing is that many think they are at 80% - 90% levels. They are confused, inexperienced, disingenuous and/or deluded as well as extremely conventional.

When we do an initial vuln assessment, we look for conventional architecture and operations, blinky-box dependency or "if you could buy security commercially off the shelf, everyone would do it" :D , blind-faith reliance on granddad's security practices and processes, leadership/management that are smugly satisfied/arrogant regarding their security, etc., as no matter how good, no matter how big the budget, there are always cracks and crevices for stainless steel cyber rats and snakes and skeeters to get in, deposit payloads, and exploit/pwn2own. ;)

If the target is tight, wait a bit, as the gates to Mordor always open up at some point in time, but it is far better to do oblique/twisty attacks rather than a direct frontal assault; save those for distraction pseudo-attacks.

10. Encryption is NOT, repeat NOT, the answer, the be-all and end-all of data security. Unless they are state actors, hackers tend not to care about reading someone else's emails, commo, or documents.

Beware and be aware of the lessons of Enigma and Bletchley Park, USS Pueblo, the Glomar Explorer and several Soviet submarines, etc....

Every time access to encryption keys is shared, the risk of key compromise is doubled. Share with one more system or party and you reduce the level of security and increase the chance of compromise.

Also, encryption can be a double-edged sword, as dual or triple-level encryption can render your secure data useless, and you already provide the means/tools to encrypt for use on the system.

Further, there are two kinds of people, those who have lost/mislaid/corrupted their cryptokeys and those who will lose/misplace/corrupt their cryptokeys. ;)

11. Regarding encryption, elliptic curve in particular, which is being used for IoT systems and devices, is cryptographically suspect and/or broken. EU banks were big on EC a few years ago, but no longer, as a simple DPA hack revealed key patterns.

"Cryptographic experts have expressed concerns that the National Security Agency has inserted a kleptographic backdoor into at least one elliptic curve-based pseudo random generator.[38] Internal memos leaked by former NSA contractor, Edward Snowden, suggest that the NSA put a backdoor in the Dual EC DRBG standard.[39] One analysis of the possible backdoor concluded that an adversary in possession of the algorithm's secret key could obtain encryption keys given only 32 bytes of PRNG output." - Wikipedia.

So put not your faith in encryption, as even AES128 will be broken soon and that will probably allow brute forcing of AES256 and beyond.

12. System destruction and compromise, e.g. bricking systems no matter how complex and sophisticated, can be accomplished through EMP devices on a local or area basis, or perhaps by a key code sequence broadcast/packet release on systems/boxes/chipsets/chips with malware at the deposition level. All the threat hunting in the world will not find this type of malware/payload.

As with everything else, the security coverage is limited, reactive, and constrained.

13. Look for arrogance, tech dependency, rote blind adherence to outdated processes and procedures in the target's personnel.

Hacking people can be surprisingly easy and quick compared with technical systems hacking.

Have patience and take your time as an 'ambush' predator rather than actively chasing down targets. Password spray combined with intermediate pawn systems as command and control servers works very well, or so it's been said. ;)
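The password-spray pattern mentioned above, seen from the defender's side: an added Python example (not code from the original post) that runs simple spray detection over a few constructed authentication log lines. A spray fails against many distinct accounts from one source with only one or two attempts each, so a per-account lockout threshold never trips; counting distinct accounts per source inside a time window does catch it. The log format, field names, sample addresses and thresholds are all assumptions made for this example, not taken from any real product.

```python
# Added example (not from the original post): password-spray detection over
# constructed authentication log lines. Assumed simplified syslog-like format:
# <ISO timestamp> <FAIL|OK> user=<name> src=<ip>
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 sprays five accounts once each (and then
# gets in as frank); 198.51.100.9 hammers one account (brute force, not spray);
# 192.0.2.44 is a single stray failure.
SAMPLE_LOG = """\
2024-05-06T09:00:01 FAIL user=alice src=203.0.113.7
2024-05-06T09:00:03 FAIL user=bob src=203.0.113.7
2024-05-06T09:00:05 FAIL user=carol src=203.0.113.7
2024-05-06T09:00:07 FAIL user=dave src=203.0.113.7
2024-05-06T09:00:09 FAIL user=erin src=203.0.113.7
2024-05-06T09:00:11 OK user=frank src=203.0.113.7
2024-05-06T09:00:20 FAIL user=alice src=198.51.100.9
2024-05-06T09:00:22 FAIL user=alice src=198.51.100.9
2024-05-06T09:00:24 FAIL user=alice src=198.51.100.9
2024-05-06T09:00:26 FAIL user=alice src=198.51.100.9
2024-05-06T09:00:28 FAIL user=alice src=198.51.100.9
2024-05-06T09:30:00 FAIL user=bob src=192.0.2.44
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, result, user, src)."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def parse_log(log_text):
    """Parse every non-empty line of the constructed log."""
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def detect_spray(log_text, window=timedelta(minutes=10),
                 min_accounts=5, max_per_account=2):
    """Return {src: sorted accounts} for each source that, within any `window`,
    failed against at least `min_accounts` distinct accounts while making at
    most `max_per_account` attempts against each (the spray signature)."""
    by_src = defaultdict(list)
    for ts, result, user, src in parse_log(log_text):
        if result == "FAIL":
            by_src[src].append((ts, user))
    hits = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        # Sliding window over this source's failures, oldest to newest.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in fails[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                hits[src] = sorted(counts)
                break
    return hits


def successful_logins_from(log_text, sources):
    """Any OK result from a flagged source is the finding to chase first:
    the one account whose password the spray guessed."""
    return [(user, src) for _, result, user, src in parse_log(log_text)
            if result == "OK" and src in sources]


if __name__ == "__main__":
    hits = detect_spray(SAMPLE_LOG)
    print("spray sources:", hits)
    print("successes from spray sources:", successful_logins_from(SAMPLE_LOG, hits))
```

The brute-force source is deliberately not flagged: five failures against one account is a different signal with its own (simpler) rule. When the spraying is routed through many intermediate systems, as the passage describes, keying on a single source address misses it; grouping by netblock, or by the set of targeted accounts over a longer window, recovers the same distinct-accounts-with-few-attempts shape.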

14. For a how-to guide to an attack project profile, read "The Dogs of War" by Frederick Forsyth, especially the pre-phase to the "100 days". Re-read and think about Aesop's fables, Sun Tzu's The Art of War, Clausewitz's Vom Kriege, etc.

15. Know that within every hardware and software package/solution/device are the seeds of its own destruction. System-level commands, e.g. chmod, chown, crypt, rm and rmdir, etc., make it unnecessary to download modules once sudo/system/root access is gained.

--will continue later --

Yon Lew

COO ISRSEC International, Ltd. CISO ISRSEC (North America)

5 years
Yon Lew

5 years

cloud hopper and backups https://www.dhirubhai.net/feed/update/urn:li:activity:6619390981341016064/?commentUrn=urn%3Ali%3Acomment%3A(activity%3A6619297634341437440%2C6619390874335924224)

Yon Lew

5 years

https://www.dhirubhai.net/feed/update/urn:li:activity:6618220546339459072/ So, conventional security, securitay, is very low or negative re ROI. Are y'all tired of building two foot stone walls of security? A two foot wall may stop the 'two year old to four year old' junior hackerz, but it won't stop decent and/or experienced haXORs at all.

Yon Lew

5 years

https://www.dhirubhai.net/feed/update/urn:li:activity:6613593354041122816/ Almost every company and organisation is sitting at 20% - 40% effective levels of security. The bad thing is that many think they are at 80% - 90% levels. They are confused, inexperienced, disingenuous and/or deluded as well as extremely conventional.
