Know your Enemy

Want to be a good Defender? I cannot relay how extremely important it is not to underestimate your enemy when it comes to Information Security, now more than ever. Compute power is near limitless. The enemy’s time, budget and resources are near limitless. While the newspapers continue to show the bad guys wearing hoodies, hunched over a keyboard with sexy matrix code falling in the background – the real threat is far more organized, far more operationalized and far more numerous. I know the real threat is working from more of a ‘NASA command center style’ operations center, with teams of individuals collaborating to crack the Security shell of thousands of Corporations, not the ‘hoodied’, hyper-smart goth teenager the papers love to portray. No, the real threats are Graduate-level Engineers working for nation-states or other sponsored campaigns. They have access to big data, massive vulnerability databases, terabytes of password lists and endless sources of other intelligence, which they combine using various programs and automated methods to mercilessly persist until they eventually gain their foothold in your org.

Not all adversaries are as operationalized as what is described above, but they are just as dangerous to your org. The Ransomware campaigners . . . Ransomware is so pervasive now because there is so much money to be made. Monetizing computer break-ins has changed in the last six years . . . If you’ve ever read Kevin Poulsen’s book, ‘Kingpin’, you know that monetizing stolen credit card data at that time involved printing credit cards, having ‘mules’ go into the mall and buy merch, and then selling that merch. Compared to printing credit cards off of stolen data, Ransomware is the Six Sigma process improvement to monetizing hacking. The ransom ask for each individual compromise may not be high, but take that and multiply it by 1000 – use bitcoin and make sure the pay channel goes through Tor. From a hacker’s point of view, you are literally clicking and printing money.

Exploit tools are cheap and easy to use. The black market has created some easy-to-use, “Microsoft Office style” tools for building and delivering crafted exploits. I witnessed a lab demo where some of these exploit builder tools were used, and they made injecting an exploit into a real MS Word doc surprisingly easy. There were options in the tools to select a particular CVE and convert that CVE to a macro. There were options to pad data to avoid anti-virus and options to paste in the IP of your C2 server . . . incredible. The same tools are available for Adobe .pdf, and then there are tools that make sending a mass SPAM email to start the campaign as easy as selecting a few drop-down boxes. In the demo I watched, the anti-virus client did not detect anything wrong with the file created by the tools. User opens the file, the payload is activated, a Remote Access Trojan is downloaded . . . and then they were owned.

For us, as Defenders, what all of this means is that we have to defend against both targeted and non-targeted attacks. For all attack campaigns against your org, it is important to know what is special about your org, where the ‘crown jewels’ are in your org – what makes you attractive to attackers. It is important to keep up on trends, know the current malware and the active associated campaigns, know the malware behavior, understand the exploits, and know which threat actors use which malware. Intelligence feeds for an org are a must. Automation for inserting this intelligence and updating Security tools is also a must. We are fighting both machines and people. We have to leverage the compute power we have, and we have to leverage intelligent programming to automate aspects of our defense. We must never, never underestimate our enemy.

We must continue to read, learn and understand our enemy. One way to do this is to read breach reports released by the companies who have an aggregated understanding. (You will have to fill out a form and give the companies your email and other info, but it is well worth it.)

 

Verizon Data Breach

FireEye M-Trends

Cisco Annual Security Report

 

 

 
