Thinking Like a Hacker – “How to Mitigate Attacks”


It seems like almost every week there’s a new giant cyber security breach in the headlines. Some major corporation or government entity has once again been hacked by cyber criminals. The question we keep asking ourselves is how this happened. Not again! The truth is that all these major security breaches were bound to happen at some point, because cyber criminals are becoming much more exploitative and cunning when it comes to making a political statement or attempting financial gain. This is nothing new, but what is new is the size and scope of these attacks. Cyber criminals have become emboldened by the vulnerabilities projected by each subsequent successful breach of a major American corporation. It doesn’t help when U.S. government agencies aren’t able to prosecute the perpetrators of these crimes. Enter a new way of thinking: “Think Like A Hacker!”

When it comes to cyber attacks, criminals know no bounds, nor do they subscribe to any moral ideology. There seems to be a consistent motive behind these cyber attacks, which are becoming ever more present. Know thy enemy! Become them! Think like them! It has become the golden rule that in order to mitigate cyber attacks, IT security administrators and law enforcement agencies must think like them. Cyber criminals are finding new and innovative ways to execute elaborate Internet crimes from afar that know no boundaries. So how does one use the theory of thinking like a hacker to help mitigate breaches? Attack yourself! There’s no better proven method of discovering vulnerabilities in one’s network than attacking it like a hacker would. Penetration tests have proven instrumental in these situations and have become the focal point of all IT security administration in one way or another.

The first step in thinking like a hacker is to approach the network as an outsider. The type of network I would like to attack is a financial network. The reason I would want to launch an attack against a financial network is financial gain. I would hack into user accounts by using social engineering and malware to get access to user logins and passwords, after which I would make large dollar transfers into fake overseas accounts that I had set up. The tools required to pull off this type of attack are mostly freely available online. Again: “Think like a Hacker!”

The first step is to examine the attack surface of the financial institution to determine entry points. I would examine web-based information as well as people-based information. What types of web applications are they running? How is their corporate infrastructure managed, and by whom? Who are the branch managers, and how do they perform wire transfers? What are their account policies for shared branch accounts, if they have any? Don’t forget: “Think like a Hacker!” Remember?

Information gathering:

  • Corporate websites
  • Information gathered through a multitude of various search engines
  • Social media sites for employees and management personnel
  • Social engineering emails using directed spear phishing techniques
  • Social engineering phone calls to account managers and call centers
  • Ask everyone everything they know about said financial institution

Tools used to perform information gathering can include:

  • Whois
  • Google Hacking tools
  • Kali Linux – Network Penetration software
  • The attacked financial institution’s very own IT security policies and procedures could even be used against them!

These steps would encompass the initial stage of the attack, reconnaissance and information gathering, on which the success of all subsequent stages depends. Mitigating IT security breaches is an ever-changing game of chance. Cyber criminals are not resting on their laurels, nor should IT security administrators and law enforcement, which is why Unified Threat Management (UTM) systems are becoming more popular today.

There are many arguments that firewalls are going the way of the dinosaur. It’s been well documented that almost all Internet traffic takes two roads, port 80 and port 443, two ports that can never be blocked. The irony here is that the very firewalls that are used to protect our networks are the very bridges that allow crackers to cross and wreak havoc.

Today, 99 percent of successful attacks are client-side attacks, where the end user inexplicably opens that nefarious email or software program they shouldn’t. In these cases, what use is a good firewall? How can we block the very highways that we use during rush hour to get to work? This is essentially what we do when we deploy a firewall. For instance, if there were an accident in the left lane, we could still pass it in the right lanes, because the right lanes “MUST” stay open for traffic to pass. The same applies to firewalls; attackers know this and use it to their benefit.

I would avoid putting firewalls on client-end computers, because by the time the crackers make it to the client-side machine they are pretty much home free. Instead, I would deploy a defense-in-depth strategy utilizing a layered approach. Such a defense plan could include spam filters, anti-virus, anti-phishing, easy-to-use secure password management software, and malware/spyware scanners with real-time updates. This, in addition to user training on how to identify social engineering attacks via email and any other means, will help build an effective defense strategy.
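To make the layered idea concrete for the client-side, email-borne attacks the two paragraphs above describe, here is an added example (not code from the original post) of a small inbound-mail screening step of the kind a spam or anti-phishing filter layer performs. Each check is independent: a lookalike sender domain, a Reply-To that points elsewhere, an attachment type that can execute on the client, and wire-transfer urgency language. No single check decides on its own; the verdict comes from the combined score, which is the point of defense in depth. The company domain, the phrase list, the attachment list and the three sample messages are all constructed for the illustration.

```python
"""Layered inbound e-mail screening: an added illustration of the
"defense in depth" idea, not code from the original article.
The domain, phrase list, extension list and sample messages are constructed."""

from dataclasses import dataclass, field

OUR_DOMAIN = "examplebank.test"  # constructed; stands in for the defended institution

# Attachment types that can run code on the client (constructed list).
RISKY_ATTACHMENT_EXTS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm"}

# Wording typical of wire-transfer lures (constructed list).
URGENCY_PHRASES = ("urgent", "immediately", "wire transfer", "before close of business")


@dataclass
class Message:
    from_addr: str
    reply_to: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


@dataclass
class Result:
    score: int
    reasons: list
    verdict: str  # "deliver", "flag" (warn the user) or "quarantine"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot domains one or two edits away from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_lookalike(domain: str, ours: str = OUR_DOMAIN) -> bool:
    """True for a domain that is not ours but whose first label is within
    two edits of ours (exarnplebank, examp1ebank, ...)."""
    if domain == ours:
        return False
    return edit_distance(domain.split(".")[0], ours.split(".")[0]) <= 2


def screen(msg: Message) -> Result:
    score, reasons = 0, []
    from_dom, reply_dom = sender_domain(msg.from_addr), sender_domain(msg.reply_to)

    # Layer 1: lookalike sender domain.
    if is_lookalike(from_dom):
        score += 3
        reasons.append("lookalike sender domain")

    # Layer 2: replies would go to a different domain than the visible sender.
    if reply_dom != from_dom:
        score += 2
        reasons.append("reply-to domain mismatch")

    # Layer 3: an attachment type that can execute on the user's machine.
    for name in msg.attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_ATTACHMENT_EXTS:
            score += 3
            reasons.append(f"risky attachment {name}")
            break

    # Layer 4: urgency language, capped so wording alone cannot quarantine a message.
    text = (msg.subject + " " + msg.body).lower()
    hits = sum(1 for phrase in URGENCY_PHRASES if phrase in text)
    if hits:
        score += min(hits, 2)
        reasons.append(f"urgency language x{hits}")

    verdict = "quarantine" if score >= 4 else "flag" if score >= 2 else "deliver"
    return Result(score, reasons, verdict)


# Constructed sample messages.
LEGIT = Message("alice@examplebank.test", "alice@examplebank.test",
                "Q3 branch report", "Numbers attached, see you Monday.", ["q3_report.pdf"])
SPEAR = Message("ceo@exarnplebank.test", "ceo-office@webmail.test",
                "URGENT: wire transfer request",
                "Please process this wire transfer immediately, before close of business today.",
                ["invoice.docm"])
VENDOR = Message("support@vendor.test", "help@vendor-support.test",
                 "Invoice 4471", "Your invoice is attached.", ["invoice.pdf"])

if __name__ == "__main__":
    for label, m in (("legit", LEGIT), ("spear", SPEAR), ("vendor", VENDOR)):
        r = screen(m)
        print(f"{label:6s} score={r.score:2d} verdict={r.verdict:10s} {r.reasons}")
```

The "flag" band matters as much as "quarantine": a message with one suspicious trait is delivered with a warning banner, which is where the user training the paragraph mentions pays off, while a message that trips several layers never reaches the inbox at all.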

figure 1

As is the case with most network security defense campaigns, there is never a single-solution answer; therefore, I see Unified Threat Management (UTM) as the most useful way to go about defending networks. A UTM could include firewalling as part of its defense strategy, but only as part of the big picture. In the end, I think firewalls are most effective at directing traffic rather than as a tool used to prevent attacks. Emerging threats are on the rise, as seen in figure 2 below.

figure 2

Networks that had enterprise-grade firewalls, antivirus programs, IPS/IDS programs, and patching programs in place have still fallen victim to breaches by hackers. Services with automated patching aren’t enough to keep up with this daunting threat. Although patching is necessary and useful in some cases, the cost associated with patching every vendor’s system is exorbitantly high.

From personal experience, I know that patching software carries the risk of damaging another area of software or functionality. Even though patches provided by vendors are well intentioned, and the criticality of the vulnerability is crucial, it’s impossible for software vendors to test their software against every customer’s network, hardware, and software configuration; therefore, it is best left to the company, as the customer, to pre-test patches before deploying them within its live network environment. Larger companies will probably have their own internal IT departments perform these functions, but for smaller businesses there are third-party companies that offer these services for a fee. Figure 3 outlines a typical process used in threat management.

figure 3

Responding to attacks is just as critical as preventing them. As seen in recent times, many companies have faced scrutiny in regards to the way they responded to major network breaches involving sensitive customer information. The court of public opinion can have a severe impact upon the reputation of an organization, which could, in the worst case, cause irreparable damage ultimately leading to insolvency and bankruptcy. The first step in recovering from a network breach is containment. Quarantining the breach prevents further damage by isolating the intrusion to the infected systems. The next step is to evaluate the damage to determine what systems were affected and what information has been breached. Lastly, I would adhere to any governmental regulatory agency’s breach notification procedures as required by law.

The intricacies involved in mitigating external network breaches, and worse yet internal network breaches, are innumerable, which is why the landscape of cyber defense methodologies is ever changing. Prudent IT security administrators can’t just have a “set it and leave it” mentality in today’s cyber environment. This is why it’s critical for IT security practitioners to be flexible and maintain an evolving cyber defense methodology that adapts to newly emerging threats. The best way to accomplish this is to think like an attacker who’s highly motivated to get from the outside of a highly sophisticated network to the inside. Having the ability to anticipate your enemy’s next move can help mitigate or totally eliminate an otherwise volatile situation leading to a major network breach involving sensitive personal information.

