HackedIN: APT, easy as 1, 2, 3
Jamieson O'Reilly
Founder @ Dvuln. Hacker. Doing, not just thinking, outside the box. Redteaming, Pentesting, DevSecOps.
Having run hundreds of red-team engagements against everything from federal government agencies to crypto exchanges, I've learned some things.
This week's edition of HackedIN provides insights that can be used defensively and offensively (ethically, of course).
Here are a few that have proven helpful to me and my team over the years.
Disclaimer: The knowledge and strategies shared in this article are intended for ethical and defensive purposes only. Misuse or malicious application is strongly discouraged and may result in legal consequences.
1. Sometimes, All You Need to Do is Ask
Offensive Insight
In red-team or phishing engagements, even when you know there's an escape route if things go south, the adrenaline is still high.
Interacting normally, asking someone for a favour, seems simple. But when you're pretending, every word feels like a giveaway.
The reality? It's usually not.
Many times, I've proved this theory by simply asking for what I want, straight out. The brazenness can be so unexpected that targets think...
"Surely, someone with malicious intent wouldn't be so direct."
Defensive Takeaway
Train staff to be cautious even with straightforward requests.
The audacity of a social engineering attack can be its strength.
Always verify before complying with any direct ask, no matter how innocuous it seems, and verify through a channel the requester didn't hand you (a known internal number or contact, not the one in their message).
2. One Step Forward, Two Steps Back
Offensive Insight
Generally, people are innately wary, especially when approached out of the blue.
So, from the moment you engage in a conversation, you might be playing from behind.
When the direct approach in (1) doesn't fit the context, a straightforward request can set off alarm bells.
A different approach is to draw them into a longer game. For instance, if the goal is to get the target to open a malicious file, you could first lay a foundation by securing a second meeting.
This seemingly innocent initial interaction can disarm the target. The logic they might use is...
"They had the chance to harm me in the first meeting, but they didn't. So, perhaps they're genuine."
Defensive Takeaway
Instill a sense of continued vigilance in staff.
Just because an external contact didn't display malicious intent initially doesn't mean they won't later.
Later interactions should be treated with the same scrutiny as the first, especially when an unexpected action or request appears once trust has been built.
3. The Power of Not Giving a F**k
Offensive Insight
Mastering this attitude requires practice.
Black hats might have an edge here, as they're not constrained by the same reputational expectations.
With no client to answer to, they can simply move on to another target whenever an attempt doesn't land.
The essence of this strategy is manifesting an air of indifference.
If you give off a vibe that you're nonchalant about the outcome, it can have a disarmingly profound effect on the target.
They may perceive your casual demeanour as a sign of authenticity.
Defensive Takeaway
Counterintuitively, both overt eagerness and complete indifference can be red flags.
Make sure staff know that attackers come in all demeanours, not just the black hoodie pretending to be tech support.
The key is not to be swayed by emotion but to rely on established verification and validation protocols for all interactions.