March 22 2021
After a cyber attack the immediate question we get asked is: who did it? Wanting attribution is not surprising. However, it misses a more obvious point: were you collateral damage, or were you the only target?
An untargeted attacker
Attacks like WannaCry are untargeted and spread automatically by exploiting known weaknesses in systems. Your organisation is not the only one being attacked. As this is widespread, security researchers get samples of the malware and begin their analysis. Within hours many signature-based defensive solutions will block the attack.
The first organisations attacked in an untargeted manner will be compromised. However, others will benefit from immunity after defenders have reacted.
During the recent Petya/NotPetya incident, Secarma monitored the sample on VirusTotal. VirusTotal allows anyone to upload files and then subjects them to anti-virus scanning from sixty-three vendors. When a solution detects the sample we know that the vendor has implemented a signature to block the attack. Our research showed it took around 8 hours from the signature going live for 50% of the anti-virus solutions to block the sample.
If an untargeted attacker attempts an email phishing campaign they will send thousands of emails. These are quickly marked as suspicious and get labelled as Spam. Without specific tailoring for the individual the interaction rate is lower, and good security awareness training helps limit exposure as well.
The bottom line about untargeted attacks is: the initial attack will usually succeed, but soon defenders catch up and begin to immunise the next potential targets.
A targeted attacker
Targeted attackers are not automated. A human will be involved who can think their way around problems. They are likely to employ individually targeted Phishing techniques or utilise knowledge of specific software you use to plan their assault. They will develop their own exploits for existing flaws and deliver them surgically to their target.
As the activity is not widespread or ‘noisy’ in the same way as an untargeted attack, the process of gathering evidence is slower, making it harder to defend against.
In effect, everyone who is the subject of a targeted attack becomes patient zero.
Steps of an untargeted attacker
An untargeted attacker is automated. That means they will have one purpose and a few tricks baked-in, enabling them to serve that purpose. A human being is involved in the preparation stage and in the aftermath. While the attack is ongoing there is typically no human involvement.
The following steps are used by untargeted attackers:
- Preparation – find a new flaw in common software (a so-called “Zero Day”), or choose a known flaw. After making a choice they generate an exploit. This needs to work reliably and without any human interaction from the attacker. They will then figure out how their malware will spread between hosts and then implement and test that.
- Attack – the attacker will run their malware. It will then automatically find targets, exploit them, and spread itself.
- Pivot – the act of “pivoting” means to use a compromised computer to attack machines on the network it is connected to. The Petya/NotPetya malware had automated lateral movement capabilities. It was designed to pivot further into internal networks.
Pivoting is relatively unsophisticated in this model. However, it seems that untargeted attackers are now becoming more sophisticated at this step.
Steps of a targeted attacker
A targeted attacker is operated by a human. They will follow the steps listed below:
- Reconnaissance – find as much information as possible. A clever attacker will use search engines and social networking sites to do this. This masks their origins and prevents detection.
- Preparation – at this point the attacker will sift through the information to find the easiest entry point to their target.
- Attack – executing the scenario that was prepared to achieve their goal. The initial exploit will likely result in a compromised computer which is ready to accept commands remotely from the attacker.
- Pivot – the initially compromised machine becomes the attacker’s beachhead. From here they repeat the steps above from their new position: now they are within the network and inside the corporate firewall.
Because a human is involved in the pivoting process, the data available on compromised machines will be stolen. Pivoting is far more successful when undertaken by a skilled attacker and can remain undetected for a considerable time.
Example of a targeted attacker
At Secarma we are engaged in penetration testing and red teaming engagements. Our day job is to simulate what a targeted attacker would see. The following is a fictional re-telling of a targeted attack which worked in an engagement in 2017:
Reconnaissance – Members of IT staff were identified using LinkedIn. One individual had a personal blog detailing their hobbies and interests, which are often used in passwords. We selected them as our target.
Preparation – LinkedIn suffered a data breach in 2012 which exposed hashed passwords for our target. This allowed us to try offline password guessing which is faster and without any risk of detection.
Attack – We used “John the Ripper” (an offline password brute-force tool) armed with a word list of potential passwords. This failed to find the target’s password.
Patrick Grech released “Wordlist Extractor” (an extension for the Burp Suite testing proxy). This was used to create a list of words the target had written on their blog. Using words the person is known to have an interest in or familiarity with gives better results.
After a number of unsuccessful attempts using the “rockyou.txt” word list we had success using our tailored word list.
We tried that password on the organisation’s VPN and were given access. Once on the VPN we were able to authenticate to the Windows domain with the same credentials to inherit their privileges on the network.
This meant that the target had reused their work password on third-party sites (at least LinkedIn), and had most likely not changed it since before 2012. It was valid not only for the VPN but also for the Windows domain.
Pivot – From the Windows server we located a network share containing home directories for various Linux servers leaking enough data to allow us to pivot into the Linux estate. This opened up more opportunities for us to access sensitive information.
Here the value of simulating a targeted attacker has been demonstrated. Without knowledge of the employees we would not have uncovered this simple route into the network.
Preventative measures for targeted attackers
Defending against a targeted attack is harder and requires defence in depth combined with staff training. The following is a list of recommended defensive measures:
- Periodically check staff email addresses with https://haveibeenpwned.com/ to find exposed accounts.
- Discuss with affected employees, and ensure they reset all work accounts.
- Provide security awareness training to staff. In particular, this needs to cover the risks of using work email accounts or passwords on third-party systems.
- Consider behavioural profiling as part of your defensive stack. This could flag deviations in usage and would detect pivoting movement, which would be abnormal behaviour for that user.
If you are being targeted by an attacker with skill and all the time in the world, they will eventually get in. The goal is to ensure that you put barriers in place as well as detection mechanisms to limit the damage when they do.
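As an added illustration of the behavioural profiling measure above (example code written for this page, not Secarma's tooling), the script below builds a per-user baseline from a constructed authentication log and flags an out-of-hours VPN session that reaches a home-directory share and Linux hosts, the pattern from the engagement described earlier. The log format, usernames and hostnames are all assumptions.

```python
# Added example, not Secarma's tooling: a minimal behavioural baseline for pivot detection.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log ("timestamp user action target"): normal daytime use, then an
# out-of-hours VPN session that reaches a home-directory share and two Linux hosts.
SAMPLE_LOG = """\
2017-03-01T09:02:11 jsmith vpn_login vpn-gw
2017-03-01T09:05:40 jsmith domain_logon WIN-FS01
2017-03-02T08:58:03 jsmith vpn_login vpn-gw
2017-03-20T02:14:09 jsmith vpn_login vpn-gw
2017-03-20T02:16:33 jsmith domain_logon WIN-FS01
2017-03-20T02:18:47 jsmith smb_read WIN-FS01/homedirs
2017-03-20T02:25:02 jsmith ssh_login linux-db01
2017-03-20T02:31:58 jsmith ssh_login linux-app02
"""

def parse(log):
    events = []
    for line in log.splitlines():
        ts, user, action, target = line.split()
        events.append((datetime.fromisoformat(ts), user, action, target))
    return events

def build_baseline(events, cutoff):
    """Per user: the (action, target) pairs and the hours of day seen before cutoff."""
    pairs, hours = defaultdict(set), defaultdict(set)
    for ts, user, action, target in events:
        if ts < cutoff:
            pairs[user].add((action, target))
            hours[user].add(ts.hour)
    return pairs, hours

def flag_deviations(events, cutoff_iso, window=timedelta(hours=1)):
    """Alerts for events after the cutoff: unusual hour, first-seen (action, target),
    and one 'possible_pivot' per user once they reach two new targets within `window`."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    pairs, hours = build_baseline(events, cutoff)
    alerts, recent, pivot_reported = [], defaultdict(list), set()
    for ts, user, action, target in events:
        if ts < cutoff:
            continue
        if ts.hour not in hours[user]:
            alerts.append(("unusual_time", user, action, target))
        if (action, target) in pairs[user]:
            continue  # activity the user has performed before: not interesting
        alerts.append(("new_activity", user, action, target))
        recent[user] = [(t, g) for t, g in recent[user] if ts - t <= window] + [(ts, target)]
        if len({g for _, g in recent[user]}) >= 2 and user not in pivot_reported:
            pivot_reported.add(user)
            alerts.append(("possible_pivot", user, sorted(g for _, g in recent[user])))
    return alerts
```

In a real deployment the baseline would come from weeks of SIEM data rather than a handful of lines, and the window and thresholds tuned to the estate.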
How can Secarma help?
Untargeted Attackers – Every organisation should be able to protect themselves against this category of attacker by using good security practices such as: applying patches, using secure passwords etc. A penetration test, or any black-box assessment, can simulate this well.
Targeted Attackers – Our Open Source Information Gathering (OSINT), red teaming, and simulated phishing service lines replicate what a targeted attacker would see. While these are time and scope limited, they will give you a real picture of your threat landscape. Additionally our education division offers security awareness training as well as Secure Coding Workshops to engage staff with the reality of cyber security.