In a dark room lit only by the light from four computer monitors sits a hacker named Hector (not his real name). You can hear the faint pulse of an EDM track coming from his headphones as Hector taps away on his computer’s keyboard. The above description could serve as the setting for a hacker movie set in the early 2000s, but it doesn’t work in today’s context. Nowadays, Hector sits in a brightly lit room with multiple screens at his disposal. He is part of an Advanced Persistent Threat (APT) group that rewards him for his work with a monthly salary and bonuses for successful campaigns. Hector is the modern hacker.

Unfortunately, Hector is not alone. He is one of many who have chosen the path of honing their skills for the purpose of committing misdeeds. More specifically, he is just one part of a highly effective, dynamic, determined and hungry team of individuals who are rewarded for what they do best: breaking and entering without leaving a trace. As a member of the recce team, Hector is responsible for gathering as much information as possible on an intended target as part of the whole campaign. He is managed by a project manager who coordinates the other functions of the whole hacker collective.

To facilitate his work, Hector spends his days creating new aliases for his online presence. He starts with a burner phone, which he uses for identity verification. He then signs up for an email address and starts creating various online personas. He maintains, at the very least, 10 identities at any given time. Each of these profiles requires meticulous planning and detail, so that even under extreme scrutiny the profile looks legitimate. With such a profile, Hector makes contact with an individual who has been classified as a target. This might take some time and many more failures than successes. However, perseverance is key. Befriending a target on social media is a win for Hector’s team, as this allows the information gathering to begin.
In one campaign, for instance, Hector chooses to use a female persona as a honeypot to gather system information about an electrical plant. His role is to identify the weakest link in the targeted environment. He then passes whatever information he finds to the project manager, who in turn works with the exploit team. Discussion between the teams is fluid, so as to ensure that sound decisions are formulated and executed in a timely manner.
Hector catches a break in the campaign when his target divulges information pertaining to the network environment and how “air gapped” it is. At the time, the target was using an internet-ready mobile phone to chat on Facebook Messenger while in the plant. He subsequently tethered his phone to his work laptop and chatted from there, to avoid being reprimanded by his supervisor for using his phone. As the conversation continues, Hector steers it towards the target’s job role and function. He acts oblivious to the IT jargon while secretly learning the make of the network switch used in the plant, as well as the issue the target is facing at work (a network outage due to a failed upgrade). With all the information gathered, the exploit team is able to create an exploit for multiple versions of the said network devices. Targeting the internet-enabled work laptop, the exploit team crafts a phishing attack that uses a take-out menu in the form of a PDF file. This file contains a dropper that calls back to the command and control server maintained by the APT, which allows the team to connect remotely to the machine when it is idle. Based on the campaign objective, the attack can take place at any given time. However, the project manager is ultimately responsible for determining how long the campaign can last, since the exploits stop working once the underlying vulnerabilities are patched. This too is part of the recce team’s job, as they can help determine how often the intended target’s systems are patched.
Defending Against the Malicious Hacker
Information leakage and human nature together constitute a recipe for a breach. How does one prevent such an occurrence? Anti-virus, perhaps? Firewalls, maybe? Sandboxing, possibly? Will deploying the above solutions solve the problem at hand? Perhaps we should be looking at a more foundational approach to security, and there is no method more foundational than one built on basic security controls. Organizations should embrace a path that specifically incorporates many of the Center for Internet Security’s (CIS) Critical Security Controls (CSC). They can then use these controls to develop and maintain an inventory of connected software and hardware, manage their assets’ secure configurations, monitor vulnerability risk and collect log data in a centralized repository. Fulfilling all of these elements can be a lot for organizations to do on their own. In response, they should turn to Tripwire, whose solutions naturally integrate with the CIS CSC. Learn more about Tripwire’s foundational approach to digital security here.
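As an added example (not from the original post and not Tripwire's own code), here is the hardware-inventory control above in practice: a small Python reconciler that flags any device obtaining a DHCP lease whose MAC address is not in the authorized-hardware inventory, the kind of check that would have surfaced the tethered phone in the story. The inventory, MAC addresses, hostnames and dnsmasq-style log lines are all constructed for the example.

```python
# Added example (not from the original post): CIS Control 1 in practice.
# Reconcile an authorized-hardware inventory against DHCP lease events so an
# unenrolled device (a tethered phone, a personal laptop) is surfaced the day
# it appears. All data below is constructed; the log format mimics dnsmasq.
import re

# Constructed authorized inventory: MAC -> asset name.
INVENTORY = {
    "00:1a:2b:3c:4d:5e": "plant-hmi-01",
    "00:1a:2b:3c:4d:5f": "eng-laptop-07",
}

# Matches lines like: DHCPACK(eth0) 10.0.5.21 00:1a:2b:3c:4d:5e plant-hmi-01
DHCPACK = re.compile(
    r"DHCPACK\(\S+\)\s+(?P<ip>\d+(?:\.\d+){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s+(?P<host>\S+))?",
    re.IGNORECASE,
)

def parse_leases(lines):
    """Yield (ip, mac, hostname) for each DHCPACK line; other lines are skipped."""
    for line in lines:
        m = DHCPACK.search(line)
        if m:
            yield m["ip"], m["mac"].lower(), m["host"] or "<none>"

def find_unknown_devices(lines, inventory=INVENTORY):
    """Return [(ip, mac, hostname)] for leased devices absent from the inventory.

    MAC comparison is case-insensitive and each rogue MAC is reported once,
    so lease renewals do not flood the alert queue.
    """
    seen, findings = set(), []
    for ip, mac, host in parse_leases(lines):
        if mac not in inventory and mac not in seen:
            seen.add(mac)
            findings.append((ip, mac, host))
    return findings

# Constructed sample log: two enrolled hosts plus a phone that was never enrolled.
SAMPLE_LOG = [
    "Mar  3 09:12:01 dhcp dnsmasq-dhcp[412]: DHCPACK(eth0) 10.0.5.21 00:1a:2b:3c:4d:5e plant-hmi-01",
    "Mar  3 09:13:44 dhcp dnsmasq-dhcp[412]: DHCPDISCOVER(eth0) 7c:2e:bd:aa:bb:cc",
    "Mar  3 09:13:45 dhcp dnsmasq-dhcp[412]: DHCPACK(eth0) 10.0.5.88 7C:2E:BD:AA:BB:CC android-9f3",
    "Mar  3 09:20:10 dhcp dnsmasq-dhcp[412]: DHCPACK(eth0) 10.0.5.22 00:1a:2b:3c:4d:5f eng-laptop-07",
    "Mar  3 10:05:02 dhcp dnsmasq-dhcp[412]: DHCPACK(eth0) 10.0.5.88 7c:2e:bd:aa:bb:cc android-9f3",
]

if __name__ == "__main__":
    for ip, mac, host in find_unknown_devices(SAMPLE_LOG):
        print(f"ALERT unknown device {mac} ({host}) leased {ip}")
```

In a real deployment the inventory would come from the asset database and the lines from the central log repository the CIS controls call for; the reconciliation logic stays the same.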