The purpose of this book is to support individuals who want to refine their ethical hacking skills to better defend against malicious attackers. This book is not written to be used as a tool by those who wish to perform illegal and unethical activities.
In this chapter, we discuss the following topics:
• Know your enemy: understanding your enemy’s tactics
• The gray hat way and the ethical hacking process
• The evolution of cyberlaw
Know Your Enemy
“We cannot solve our problems with the same level of thinking that created them.”
—Albert Einstein
The security challenges we face today will pale in comparison to those we’ll face in the future. We already live in a world so highly integrated with technology that cybersecurity has an impact on our financial markets, our elections, our families, and our healthcare. Technology is advancing and the threat landscape is increasing. On the one hand, vehicles that are capable of autonomous driving are being mass-produced as smart cities are being developed. On the other hand, hospitals are being held for ransom, power grids are being shut down, intellectual property and secrets are being stolen, and cybercrime is a booming industry. In order to defend and protect our assets and our people, we must understand the enemy and how they operate. Understanding how attacks are performed is one of the most challenging and important aspects of defending the technology on which we rely. After all, how can we possibly defend ourselves against the unknown?
This book was written to provide relevant security information to those who are dedicated to stopping cyberthreats. The only way to address today and tomorrow’s cyberthreats is with a knowledgeable security industry. Learning offensive security allows you to test and refine your defenses. Malicious actors know how to compromise systems and networks. Knowing your enemies’ tactics is paramount to preparing offensive and defensive strategies. Those who have accepted the responsibility of defending our technology must learn how compromises occur in order to defend against them.
The Current Security Landscape
Technology can be used for good or evil. The same technology that is used to make organizations and countries more productive can be used to steal, surveil, and do harm. This duality means that the technology we create to help us will sometimes hurt us, that technology used to fight for human rights can also be used to violate them, and that tools used to protect us can also be used to attack us. The criminal community has evolved to abuse technology on a scale that brings in enormous profits, costing the global economy an estimated $450 billion a year.
Respect your enemy. Malicious actors have a variety of motivations and tactics, and the scale and complexity of their attacks are increasing. Consider the following:
• In February 2016, attackers targeted SWIFT, a global bank transfer system, and fraudulently transferred $81 million from the Bangladesh Bank’s account at the Federal Reserve Bank of New York. Most funds were not recovered after being routed to accounts in the Philippines and diverted to casinos there. [1]
• In July 2016, it was discovered that the Democratic National Committee (DNC) was compromised and damaging e-mails from officials were leaked on WikiLeaks. The attack was attributed to two Russian adversary groups. The CIA concluded that Russia worked during the 2016 US election to prevent Hillary Clinton from winning the US presidency. [2]
• In October 2016, millions of insecure Internet of Things (IoT) cameras and digital video recorders (DVRs) were used in a distributed denial-of-service (DDoS) attack targeting Dyn, a DNS provider. The Mirai botnet was used to take down the likes of Twitter, Netflix, Etsy, GitHub, SoundCloud, and Spotify a month after its source code was released to the public. [3]
• In December 2016, Ukraine’s capital Kiev experienced a power outage caused by a cyberattack affecting over 225,000 people for multiple days. The attackers sabotaged power-distribution equipment, thus complicating attempts to restore power. The attack prompted discussions about the vulnerabilities in industrial control systems (ICSs) and was linked to Russia. [4]
In recent years, we’ve seen the Federal Bureau of Investigation (FBI), Department of Homeland Security (DHS), Sony Entertainment, Equifax, Federal Deposit Insurance Corporation (FDIC), and Internal Revenue Service (IRS) all have major breaches—sometimes multiple large breaches. We’ve seen hospitals like the infamous Hollywood Presbyterian Medical Center pay ransoms to be able to continue to operate. While some attacks have a larger impact than others, on average a cyberattack costs organizations about $4 million, with some breaches costing hundreds of millions of dollars.
The security industry is also evolving. Products designed to promote self-healing networks competed in the first DARPA Cyber Grand Challenge. Malware solutions based on machine learning are replacing signature-based solutions. Integrated Security Operations Centers (ISOCs) are helping the security field collaborate. Cybersecurity conferences, degree programs, and training are increasingly popular. The security industry is responding to increasing cyberattacks with new tools, ideas, and collaborations.
Attackers have different motivations. Some are financially motivated and aim to make the biggest profit possible, some are politically motivated and aim to undermine governments or steal state secrets, some are motivated by a social cause and are called hacktivists, and some are angry and just want revenge.
Recognizing an Attack
When an attack occurs, there are always the same questions. How did the attacker get in? How long have they been inside the network? What could we have done to prevent it? Attacks can be difficult to detect, and bad actors can stay in the environment for a prolonged amount of time. Ethical hacking helps you learn how to recognize when an attack is underway or about to begin so you can better defend the assets you are protecting. Some attacks are obvious. Denial-of-service and ransomware attacks announce themselves. However, most attacks are stealth attacks intended to fly under the radar and go unnoticed by security personnel and products alike. It is important to know how different types of attacks take place so they can be properly recognized and stopped.
Some attacks have precursors—activities that can warn you an attack is imminent. A ping sweep followed by a port scan is a pretty good indication that an attack has begun and can be used as an early warning sign. Although tools exist to help detect certain activities, it takes a knowledgeable security professional to maintain and monitor systems. Security tools can fail, and many can be easily bypassed. Relying on tools alone will give you a false sense of security.
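The precursor pattern described above (a ping sweep followed by a port scan from the same source) can be turned into a simple detection. The following is an added example, not code from the book; it assumes a constructed, simplified firewall log format of `<epoch_seconds> <proto> <src_ip> <dst_ip> <dst_port or ->` and the thresholds and time window are assumed values that a real deployment would tune.

```python
"""Precursor detection: flag a source that pings many hosts and then probes many
ports on one of them. Added example with constructed log data (not from the book).
Assumed log line format:  <epoch_seconds> <proto> <src_ip> <dst_ip> <dst_port or ->
"""
from collections import defaultdict, deque


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, proto, src, dst, port = parts
    return {
        "ts": int(ts),
        "proto": proto.upper(),
        "src": src,
        "dst": dst,
        "port": None if port == "-" else int(port),
    }


def _first_burst(events, key, threshold, window):
    """Return the timestamp at which `threshold` distinct key(ev) values were seen
    within a sliding `window` of seconds, or None if that never happens."""
    recent = deque()
    for ev in events:  # events are assumed sorted by timestamp
        recent.append((ev["ts"], key(ev)))
        while recent and recent[0][0] < ev["ts"] - window:
            recent.popleft()
        if len({k for _, k in recent}) >= threshold:
            return ev["ts"]
    return None


def detect_precursors(lines, sweep_hosts=8, scan_ports=10, window=300):
    """Return {src_ip: (sweep_ts, scan_ts, scanned_host)} for every source that
    ICMP-pinged at least `sweep_hosts` distinct hosts and, after that, hit at least
    `scan_ports` distinct TCP ports on a single host, each within `window` seconds.
    A scan that precedes the sweep is deliberately not matched: the chapter's
    signal is the ordering sweep -> scan."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        icmp = [e for e in events if e["proto"] == "ICMP"]
        sweep_ts = _first_burst(icmp, lambda e: e["dst"], sweep_hosts, window)
        if sweep_ts is None:
            continue
        # Port scan: many distinct ports against one destination, after the sweep.
        tcp_by_dst = defaultdict(list)
        for e in events:
            if e["proto"] == "TCP" and e["ts"] >= sweep_ts:
                tcp_by_dst[e["dst"]].append(e)
        for dst, tcp_events in tcp_by_dst.items():
            scan_ts = _first_burst(tcp_events, lambda e: e["port"], scan_ports, window)
            if scan_ts is not None:
                alerts[src] = (sweep_ts, scan_ts, dst)
                break
    return alerts


def sample_log():
    """Constructed sample: 10.0.0.5 pings 12 hosts, then probes 20 ports on one of
    them; 10.0.0.9 makes 30 ordinary HTTPS connections (one port, no alert);
    10.0.0.20 sends a single ping (no alert)."""
    lines = [f"{1000 + i} ICMP 10.0.0.5 192.168.1.{i + 1} -" for i in range(12)]
    lines += [f"{1100 + i} TCP 10.0.0.5 192.168.1.7 {20 + i}" for i in range(20)]
    lines += [f"{1050 + i} TCP 10.0.0.9 192.168.1.7 443" for i in range(30)]
    lines += ["1300 ICMP 10.0.0.20 192.168.1.3 -"]
    return lines


if __name__ == "__main__":
    for src, (sweep_ts, scan_ts, host) in detect_precursors(sample_log()).items():
        print(f"ALERT {src}: ping sweep at t={sweep_ts}, port scan of {host} at t={scan_ts}")
```

On the constructed log the only alert is for 10.0.0.5; the busy-but-legitimate source and the lone ping stay quiet, which is the distinction a precursor rule has to make to avoid drowning analysts in noise.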
Hacking tools are just IT tools that are good when used for sanctioned purposes and bad when used for malicious purposes. The tools are the same, just applied toward different ends. Ethical hackers understand how these tools are used and how attacks are performed, and that’s what allows them to defend against these attacks. Many tools will be mentioned throughout this book. Tools that will help you recognize an attack are covered specifically in Chapters 7 and 8 as well as dispersed throughout the book.
The Gray Hat Way
To get to the “ground truth” of their security posture and understand its risks, many organizations choose to hire an ethical hacker, or penetration tester, to perform attack simulations. A penetration tester will use the same tools and tactics as a malicious attacker, but in a controlled and secure way. This allows an organization to understand how a bad actor might get into the environment, how they might move around inside of the environment, and how they might exfiltrate data. This also enables the organization to determine the impact of attacks and identify weaknesses. Emulating attacks allows an organization to test the effectiveness of security defenses and monitoring tools. Defense strategies can then be refined based on lessons learned.
A penetration test is more than a vulnerability scan. During a vulnerability scan, an automated scanning product is used to probe the ports and services on a range of IP addresses. Most of these tools gather information about the system and software and correlate the information with known vulnerabilities. This results in a list of vulnerabilities, but it does not provide an idea of the impact those vulnerabilities could have on the environment. During a penetration test, attack emulations are performed to demonstrate the potential business impact of an attack. Testers go beyond creating a list of code and configuration vulnerabilities and use the perspective of a malicious attacker to perform controlled attacks. A penetration tester will chain together a series of attacks to demonstrate how a malicious attacker might enter the environment, move throughout the environment, take control of systems and data, and exfiltrate data out of the environment. They will use weaknesses in code, users, processes, system configurations, or physical security to understand how an attacker might cause harm. This includes creating proof-of-concept attacks, using social engineering techniques, and picking locks and cloning physical access badges.
In many instances, penetration tests demonstrate that an organization could potentially lose control of its systems and, sometimes more importantly, its data. This is especially significant in highly regulated environments or those with industry compliance requirements where penetration testing is often required. Penetration tests often justify the implementation of security controls and can help prioritize security tasks.
Tests will vary, depending on the information you have about the environment. Black box testing is when you begin with no prior knowledge of the environment. White box testing is when you are provided detailed information about the environment such as the IP address scheme and URLs. Gray box testing is when you start with no information about the environment and after demonstrating that you can penetrate the environment you are given information to make your efforts more efficient.
Also, the nature and duration of tests will vary widely. Assessments can be focused on a location, business division, compliance requirement, or product. The methodologies used for exploiting embedded devices are different from those used during red team assessments (both are described in later chapters). The variety of exploits described in this book, from ATM malware to Internet of Things exploits, are demonstrative of the fascinating variety of specialties available to ethical hackers.
Emulating the Attack
This book includes information about many exploits and areas of ethical hacking. An overview of the ethical hacking process is provided here, and the process is further described in later chapters.
When you’re performing attack emulations, maintaining good communication with the assessment team and stakeholders is very important. Study the technical environment and ask questions that will allow you to formulate a plan. What is the nature of their business? What kind of sensitive information do they work with? Be sure the following areas are accounted for:
• Ensure everyone knows the focus of the assessment. Is this a compliance-focused penetration test that targets credit card data? Does the company want to focus on testing its detection capabilities? Are you testing a new product that is being released soon?
• Set up secure communication channels with your stakeholders and other members of your communication team. Protect the output from your testing tools and reports. Use encrypted e-mail. Ensure your document repository is secure. Set up multifactor authentication on your e-mail, document repository, and anything that allows remote access to your testing or reporting environment.
• Define the scope of the assessment in writing and discuss it with your assessment team and stakeholders. Is social engineering in scope? How in depth should the website assessment be?
• Be sure to inquire about any fragile systems—that is, systems that have unexpectedly shut down, restarted, or slowed down recently or systems that are critical for business operations. Formulate a plan to address them.
• Describe your methodology in detail to your stakeholders or team. Talk about the rules of engagement. Should they try to stop your attack emulation if they detect it? Who should know about the testing? What should they tell users who report any testing activities?
• Remain accountable for your actions. Log and document all your testing activities. It’s not uncommon to perform a penetration test only to discover you are not the first one to the party and that a breach is in progress. Be sure to discuss start and stop dates and blackout periods.
The typical steps of the penetration test are briefly described here and are discussed in more depth in following chapters:
1. Compile Open Source Intelligence (OSINT). Gather as much information about the target as possible while maintaining zero contact with the target. Compiling OSINT, otherwise known as “passive scanning,” can include using the following:
• Social networking sites
• Online databases
• Google, LinkedIn, and so on
• Dumpster diving
2. Employ active scanning and enumeration. Probe the target’s public exposure with scanning tools and the following techniques:
• Network mapping
• Banner grabbing
• War dialing
• DNS zone transfers
• Traffic sniffing
• Wireless war driving
3. Perform fingerprinting. Perform a thorough probe of the target systems to identify the following:
• Operating system type and patch level
• Applications and patch level
• Open ports
• Running services
• User accounts
4. Select a target system. Identify the most useful target(s).
5. Exploit the uncovered vulnerabilities. Execute the appropriate attacks targeted at the suspected exposures. Keep the following points in mind:
• Some may not work.
• Some may kill services or even kill the server.
• Some may be successful.
6. Escalate privileges. Escalate the security context so that you have more control.
• Gain root or administrative rights.
• Use cracked passwords for unauthorized access.
• Carry out a buffer overflow attack to gain local versus remote control.
7. Preserve access. This step usually involves installing software or making configuration changes to ensure access can be gained later.
8. Document and report. Document everything you found, how it was found, the tools that were used, the vulnerabilities that were exploited, the timeline of activities, and successes, and so on. The best methodology is to report as you go, frequently gathering evidence and taking notes.
NOTE A more detailed approach to the attacks that are part of each methodology is included throughout the book.
What Would an Unethical Hacker Do Differently?
The following steps describe what an unethical hacker would do instead:
1. Select a target. Motivations could be due to a grudge or for fun or profit. There are no ground rules, no hands-off targets, and the security team is definitely blind to the upcoming attack.
2. Use intermediaries. The attacker launches their attack from a different system (intermediary) than their own, or a series of other systems, to make tracking back to them more difficult in case the attack is detected. Intermediaries are often victims of the attacker as well.
3. Proceed with the penetration testing steps described previously.
• Open Source Intelligence gathering
• Active scanning and enumeration
• Fingerprinting
• Select a target system
• Exploiting the uncovered vulnerabilities
• Escalating privileges
4. Preserve access. This involves uploading and installing a rootkit, back door, Trojan applications, and/or bots to ensure that the attacker can regain access at a later time.
5. Cover tracks. This step involves the following activities:
• Scrubbing event and audit logs
• Hiding uploaded files
• Hiding the active processes that allow the attacker to regain access
• Disabling messages to security software and system logs to hide malicious processes and actions
6. Harden the system. After taking ownership of a system, an attacker may fix the open vulnerabilities so no other attacker can use the system for other purposes.
Attackers will use compromised systems to suit their needs—many times remaining hidden in the network for months or years while they study the environment. Often, compromised systems are then used to attack other systems, thus leading to difficulty attributing attacks to the correct source.
Frequency and Focus of Testing
Ethical hacking should be a normal part of an organization’s operations. Most organizations would benefit from having a penetration test performed at least annually. However, significant changes to a technical environment that could have a negative impact on its security, such as operating system or application upgrades, often happen more than just once a year. Therefore, ongoing security testing is recommended for most organizations because of how quickly technical environments tend to change. Red teaming exercises and quarterly penetration testing are becoming more and more common.
Red teaming exercises are usually sanctioned but not announced. Your client will know you are authorized to test but often doesn’t know when the testing will occur. Many red team assessments occur over a long period of time, with the goal of helping an organization refine its defenses—or blue team capabilities. Testing often runs over the duration of a year, with quarterly outbriefs and a variety of reports and other deliverables created to help an organization gauge progress. When the blue team, or defensive security team, sees an attack, they do not know if it’s a real-world attack or a red teaming exercise and will begin their incident response process. This allows an organization to practice a “cat-and-mouse” game, where ethical hackers are helping the defensive security team test and refine their security controls and incident response capabilities. Red teaming is often reserved for organizations with more mature incident response capabilities. Chapter 7 provides more information on this topic.
Many organizations are moving to a model where penetration tests occur at least quarterly. This allows these organizations to choose a different focus for each quarter. Many organizations align quarterly penetration testing with their change management process, thus ensuring testing activities take a thorough look at parts of the environment that have recently changed.
Evolution of Cyberlaw
Cybersecurity is a complex topic, and cyberlaw adds many more layers of complexity to it. Cyberlaw reaches across geopolitical boundaries and defies traditional governance structures. When cyberattacks range across multiple countries or include botnets spread throughout the world, who has the authority to make and enforce laws? How do we apply existing laws? The challenges of anonymity on the Internet and difficulty of attributing actions to an individual or group make prosecuting attackers even more complex.
Governments are making laws that greatly apply to private assets, and different rules apply to protecting systems and data types, including critical infrastructure, proprietary information, and personal data. CEOs and management not only need to worry about profit margins, market analysis, and mergers and acquisitions; they also need to step into a world of practicing security with due care, understand and comply with new government privacy and information security regulations, risk civil and criminal liability for security failures (including the possibility of being held personally liable for certain security breaches), and try to comprehend and address the myriad ways in which information security problems can affect their companies.
Understanding Individual Cyberlaws
Individual cyberlaws address everything from the prohibition of unauthorized account access to the transmission of code or programs that cause damage to computers. Some laws apply whether or not a computer is used and protect communications (wire, oral, and data during transmission) from unauthorized access and disclosure. Some laws pertain to copyrighted content itself and protect it from being accessed without authorization. Together these laws create a patchwork of regulation used to prosecute cybercrime. This section provides an overview of notable cyberlaws.
18 USC Section 1029: The Access Device Statute
The purpose of the Access Device Statute is to curb unauthorized access to accounts; theft of money, products, and services; and similar crimes. It does so by criminalizing the possession, use, or trafficking of counterfeit or unauthorized access devices or device-making equipment, and other similar activities (described shortly) to prepare for, facilitate, or engage in unauthorized access to money, goods, and services. It defines and establishes penalties for fraud and illegal activity that can take place through the use of such counterfeit access devices. Section 1029 addresses offenses that involve generating or illegally obtaining access credentials, which can involve just obtaining the credentials or obtaining and using them. These activities are considered criminal whether or not a computer is involved—unlike the statute discussed next, which pertains to crimes dealing specifically with computers.
18 USC Section 1030 of the Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act (CFAA), as amended by the USA PATRIOT Act, is an important federal law that addresses acts that compromise computer network security. It prohibits unauthorized access to computers and network systems, extortion through threats of such attacks, the transmission of code or programs that cause damage to computers, and other related actions. It addresses unauthorized access to government, financial institutions, and other computer and network systems, and provides for civil and criminal penalties for violators. The Act outlines the jurisdiction of the FBI and Secret Service.
18 USC Sections 2510 et seq. and 2701 et seq. of the Electronic Communication Privacy Act
These sections are part of the Electronic Communication Privacy Act (ECPA), which is intended to protect communications from unauthorized access. The ECPA, therefore, has a different focus than the CFAA, which is directed at protecting computers and network systems. Most people do not realize that the ECPA is made up of two main parts: one that amended the Wiretap Act and the other that amended the Stored Communications Act, each of which has its own definitions, provisions, and cases interpreting the law. The Wiretap Act protects communications, including wire, oral, and data, during transmission from unauthorized access and disclosure (subject to exceptions). The Stored Communications Act protects some of the same types of communications before and/or after the communications are transmitted and stored electronically somewhere. Again, this sounds simple and sensible, but the split reflects a recognition that different risks and remedies are associated with active versus stored communications.
While the ECPA seeks to limit unauthorized access to communications, it recognizes that some types of unauthorized access are necessary. For example, if the government wants to listen in on phone calls, Internet communication, e-mail, or network traffic, it can do so if it complies with safeguards established under the ECPA that are intended to protect the privacy of persons who use those systems.
Digital Millennium Copyright Act (DMCA)
The DMCA is not often considered in a discussion of hacking and the question of information security, but it is relevant. The DMCA was passed in 1998 to implement the World Intellectual Property Organization Copyright Treaty (WIPO Treaty). The WIPO Treaty requires treaty parties to “provide adequate legal protection and effective legal remedies against the circumvention of effective technological measures that are used by authors” and to restrict acts in respect to their works that are not authorized. Thus, while the CFAA protects computer systems and the ECPA protects communications, the DMCA protects certain (copyrighted) content itself from being accessed without authorization. The DMCA establishes both civil and criminal liability for the use, manufacture, and trafficking of devices that circumvent technological measures controlling access to, or protection of, the rights associated with copyrighted works.
The Digital Millennium Copyright Act (DMCA) states that no one should attempt to tamper with and break an access control mechanism that is put into place to protect an item that is protected under the copyright law.
The DMCA provides an explicit exemption allowing “encryption research” for identifying the flaws and vulnerabilities of encryption technologies. It also provides for an exception for engaging in an act of security testing (if the act does not infringe on copyrighted works or violate applicable law such as the CFAA), but it does not contain a broader exemption covering a variety of other activities that information security professionals might engage in.
Cyber Security Enhancement Act of 2002
The Cyber Security Enhancement Act of 2002 (CSEA), a supplement to the PATRIOT Act, stipulates that attackers who carry out certain computer crimes may now get a life sentence in jail. If an attacker carries out a crime that could result in another’s bodily harm or possible death, or a threat to public health or safety, the attacker could face life in prison. The CSEA also increased the US government’s capabilities and power to monitor communications. The CSEA allows service providers to report suspicious behavior without risking customer litigation. Before this act was put into place, service providers were in a sticky situation when it came to reporting possible criminal behavior or when trying to work with law enforcement. If a law enforcement agent requested information on a provider’s customer and the provider gave it to them without the customer’s knowledge or permission, the service provider could, in certain circumstances, be sued by the customer for unauthorized release of private information. Now service providers can report suspicious activities and work with law enforcement without having to tell the customer. This and other provisions of the PATRIOT Act have certainly gotten many civil rights monitors up in arms.
Cybersecurity Enhancement Act of 2014
The Cybersecurity Enhancement Act of 2014 states that the director of the National Institute for Standards and Technology (NIST) will coordinate the federal government’s involvement in the development of a “voluntary, industry-led, and consensus-based” set of cybersecurity standards, consulting with both federal agencies and private-sector stakeholders. The act also states that federal, state, and local governments are prohibited from using information shared by a private entity to develop such standards for the purpose of regulating that entity.
Under the Cybersecurity Enhancement Act of 2014, federal agencies and departments must develop a cybersecurity research and development strategic plan that will be updated every four years. The strategic plan aims to prevent duplicate efforts between industry and academic stakeholders by ensuring the plan is developed collaboratively. The act also has an educational component, creating a “scholarship-for-service” program for federal cybersecurity workers and stipulating the development of a cybersecurity education and awareness program that will be developed by the director of NIST in consultation with public- and private-sector stakeholders. The director of NIST is also responsible for developing a strategy for increased use of cloud computing technology by the government to support the enhanced standardization and interoperability of cloud computing services.
Cybersecurity Information Sharing Act of 2015
The Cybersecurity Information Sharing Act of 2015, or “CISA,” establishes a framework for the confidential, two-way sharing of cyberthreat information between private entities and the federal government. Safe harbor protections ensure that private entities are shielded from liability for sharing information.
CISA also authorized some government and private entities to monitor some systems and operate defensive measures for cybersecurity purposes. Private entities are shielded from liability for monitoring activities that are consistent with CISA requirements.
The authorization of private entities to use defensive measures for cybersecurity purposes on their own information systems and on the information systems of other consenting entities does not constitute the authorization of “hack back” activities, which are generally illegal under the Computer Fraud and Abuse Act. The authorization to operate “defensive measures” does not include activities that destroy, render unusable, provide unauthorized access to, or substantially harm third-party information systems.
New York Department of Financial Services Cybersecurity Regulation
State laws are becoming more detailed and prescriptive, as demonstrated by the New York Department of Financial Services (NYDFS) Cybersecurity Regulations. The NYDFS Cybersecurity Regulations went into effect in early 2017 and require financial firms in New York to implement specific security controls. The new regulations require a qualified chief information security officer (CISO), penetration testing, vulnerability assessments, annual IT risk assessments, and many other security controls. The CISO is required to report to the entity’s board of directors annually, in writing, the material cybersecurity risk, overall effectiveness of the cybersecurity program, and the confidentiality, integrity, and security of the entity’s nonpublic information.
Summary
Malicious attackers are aggressive and well funded, operate globally, use sophisticated techniques, and are constantly improving. They aim to control our hospitals, elections, money, and intellectual property. The only way to counter today’s aggressive malicious actors is to develop a pool of high-quality security professionals (ethical hackers) with the skills to counter their attacks. Ethical hackers are the buffer between the “dark side” (the cyber underworld) and those targeted by bad actors. They work to prevent malicious attacks by finding security issues first and addressing them before they can be exploited by the bad guys.
As the adversary increases the sophistication of their attacks, we, the ethical hackers of the world, work diligently to oppose them. Although prosecuting an attack is extraordinarily complex, cyberlaws are evolving to give us the mechanisms to collaborate more in order to prevent and address cybercrime. With a booming Internet of Things economy on the horizon, ethical hackers must expand their skill sets to focus on modern attack techniques. This book is intended to help do just that—help ethical hackers explore the worlds of software-defined radio, next-generation security operations, ransomware, embedded device exploits, and more. Happy hacking!