The Art of (Cyber) War
“Avoid what is strong and strike at what is weak” - Sun Tzu
Some truths are timeless – what was true when fighting a traditional combat war is true for cyber warfare as well.
In numerous incident reports that I’ve reviewed, the first item usually included some variation of the phrase - “First entry point was probably falling prey to a phishing attack”. The level of confidence of that statement usually differs, depending on the professional integrity of the analyst (as a phishing attack seems to be the “default” option).
When an attacker evaluates his next target, he will usually conduct a reconnaissance phase (assuming it’s not just a high-volume attack campaign). Once it is completed, the attacker has a full “inventory list” of the security measures taken – vendors, versions, etc. He can then decide to go “head-to-head” with those security products or follow Sun Tzu’s advice, realizing that cyber security products are getting better (and stronger) in the protection they offer.
Following Sun Tzu’s guidelines pushes the attacker to find alternative options – and HW/FW vulnerabilities seem to be the weakest link. As shown in multiple cases, exploiting vulnerabilities in a wireless HID device can bypass multiple security measures and send the endpoint to a URL where part of the malicious code is waiting to be executed, without the need for a human user actually “clicking” on a link and without having to confront all those security content scanners.
In the aftermath, the blame will fall on an employee who presumably clicked on a link that he shouldn't have clicked, resulting in more awareness campaigns and the implementation of additional phishing detection solutions.
In summary, on your next incident, consider other entry options as well, where the first move may have been made by someone sitting in your company’s lobby, passing through, or even flying a drone next to your window with a Raspberry Pi running a Jackit payload.
Good luck
#roguedevicemitigation
Bentsi - This is really good information... and right on. One thing that would help is a fully scalable, fluid deception platform that can scale from tens, to thousands of deception hosts with our patented reflection technology. ShadowPlex delivers a whole new level of deception capabilities. "All Warfare is based on Deception." -Sun Tzu
Never disrespect your opponent, and never assume that the next attack will be a replica of the previous one - they are smarter than that! The use of rogue devices opens up a whole new world to the attackers, and we can not afford to let them dominate it. #roguedevicemitigation