Think of the perfect attack like the perfect murder. It must be planned carefully and meticulously, then executed systematically and flawlessly. Remember all the small details in Hitchcock’s “The Rear Window”? No-one would have noticed anything, or even missed the victim, if it weren’t for Jimmy Stewart, who, with a broken leg, had nothing better to do all day than to gaze out his rear window.
Recon, Recon, Recon
The first step in infiltrating a potential victim is to do sufficient reconnaissance.
This is much more important for a truly successful attack than most realise, and shouldn’t be confused with scanning. Reconnaissance is all about quietly researching a target without being noticed.
Social engineering done correctly can be a key component. After all, the perfect attack, like the perfect murder, implies that no-one even suspects who the culprit is until it’s too late. This phase may require the most effort and may take months; it is a key phase for the perfect attack.
At its most basic, the perfect attack keeps the target’s trust and sense of wellbeing intact throughout. As such, passive reconnaissance (not actively engaging with the potential victim) is the best starting point.
During passive reconnaissance the attacker will find a consistent way of recording all the information he can gather. There is a great deal of information on the internet to collect from: social media sites, Wikipedia and other online tools, none of which reveal the true purpose, much less the identity, of the hacker, and these could be key components of the recon.
Information about the company or organisation and its employees (potentially also disgruntled ones) could prove invaluable. Online tools may help in harvesting relevant email addresses and email address formats.
Wardriving no longer requires technical expertise (open source software is available to do this) and may provide further information. Are all your wireless networks secured? Another very useful tool is a search engine.
Spiders are out scouring the internet every day, collecting all sorts of information from you, us and the hacker. In some cases a search engine alone may suffice as a recon tool (see also “Google Hacking for Penetration Testers”).
During this passive reconnaissance, the goal is to identify a key trusted entity of the target. It may be a key employee with admin access; it may be a branch office with poor security on the one hand but complete access to the corporate network on the other.
The trusted system might also be a particular IT system, DNS or some other set of servers that is a trusted, integral component of the victim’s infrastructure.
By identifying such a key trusted component and using that as a mechanism to infiltrate the system, the hacker has found a way to lull the unsuspecting target into complacency.
A more ambitious hack might purposefully include compromising that component of the system which is “MOST” trusted and therefore considered impossible to break into.
Security personnel will focus on areas where known vulnerabilities exist and neglect regular checks of the trusted system. Also, once in a trusted area, it’s very likely that access to all other systems is possible.
Ok, so let’s assume the hacker has identified the trusted system to break into. “All my systems are being monitored and all changes logged regularly, we would detect that immediately!” Would you?
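One concrete way to answer that question is to keep a signed, off-host baseline of what a trusted system should look like and compare against it regularly. The following is an added example from the editor, not code from the article or its author: it builds a SHA-256 baseline of every file under a directory, then reports what was added, removed or modified. The directory tree, file names and contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 65536


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are handled."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every regular file under root (relative POSIX path) to its hash."""
    root_path = Path(root)
    return {
        p.relative_to(root_path).as_posix(): hash_file(p)
        for p in sorted(root_path.rglob("*"))
        if p.is_file()
    }


def diff_baseline(old: dict, new: dict) -> dict:
    """Compare two baselines; any non-empty list is a change worth reviewing."""
    common = old.keys() & new.keys()
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": sorted(k for k in common if old[k] != new[k]),
    }


def demo() -> dict:
    """Build a constructed tree, snapshot it, change it, and diff the snapshots."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        # Constructed sample files standing in for a trusted host's contents.
        (root / "bin" / "daemon").write_bytes(b"original binary")
        (root / "etc" / "resolv.conf").write_text("nameserver 192.0.2.1\n")
        before = build_baseline(tmp)

        # Simulated changes made after the baseline was taken.
        (root / "bin" / "daemon").write_bytes(b"original binary, altered")
        (root / "etc" / "resolv.conf").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "job").write_text("constructed new file\n")
        after = build_baseline(tmp)
        return diff_baseline(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The check is only as good as the baseline's storage: if the baseline lives on the host being checked, whoever alters the host can alter the baseline too, so store it elsewhere (or sign it) and run the comparison from a system the trusted host cannot write to.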
The next step in reconnaissance for the perfect attack is to find a way to hack into the system without being noticed or monitored. If this is truly not possible, then another trusted system is targeted.
However, hackers are very inventive; they’re not bound by processes, procedures or permissions, and chances are they will find a way to go unnoticed.
At some point passive reconnaissance no longer provides as much relevant information, and at this point active reconnaissance can be initiated.
During active reconnaissance, the truly alert victim may notice that some probes (not scans yet) are taking place, but no source is identifiable. This type of probing, however, goes on constantly over the public internet, and the tendency is clearly to ignore this “noise”.
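The “noise” is easier to ignore when each probe is judged on its own; the low-and-slow probing described above only stands out when events from one source are aggregated over a long window. The following is an added example from the editor, not from the article or its author: it parses constructed firewall drop lines, groups them by source address, and separates sources that touched many distinct ports over hours or days (slow probing) from those that did so within seconds (a conventional scan). The log format, addresses and thresholds are all assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall drop lines (format is an assumption for this example).
SAMPLE_LOG = [
    "2024-01-10T03:12:44Z DROP src=198.51.100.7 dst=192.0.2.10 dport=21",
    "2024-01-10T17:40:02Z DROP src=198.51.100.7 dst=192.0.2.10 dport=22",
    "2024-01-11T09:05:19Z DROP src=198.51.100.7 dst=192.0.2.10 dport=23",
    "2024-01-11T22:51:33Z DROP src=198.51.100.7 dst=192.0.2.10 dport=25",
    "2024-01-12T06:14:08Z DROP src=198.51.100.7 dst=192.0.2.10 dport=80",
    "2024-01-12T19:27:50Z DROP src=198.51.100.7 dst=192.0.2.10 dport=443",
    "2024-01-12T08:00:00Z DROP src=203.0.113.9 dst=192.0.2.10 dport=135",
    "2024-01-12T08:00:00Z DROP src=203.0.113.9 dst=192.0.2.10 dport=139",
    "2024-01-12T08:00:01Z DROP src=203.0.113.9 dst=192.0.2.10 dport=445",
    "2024-01-12T08:00:01Z DROP src=203.0.113.9 dst=192.0.2.10 dport=3389",
    "2024-01-12T08:00:02Z DROP src=203.0.113.9 dst=192.0.2.10 dport=8080",
    "2024-01-12T10:00:00Z DROP src=198.51.100.200 dst=192.0.2.10 dport=80",
    "2024-01-12T10:00:05Z DROP src=198.51.100.200 dst=192.0.2.10 dport=80",
    "2024-01-12T10:00:09Z DROP src=198.51.100.200 dst=192.0.2.10 dport=80",
    "this line is malformed and must be skipped",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+DROP\s+src=(?P<src>\S+)\s+dst=\S+\s+dport=(?P<dport>\d+)$"
)


def parse_line(line: str):
    """Return (timestamp, src, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], int(m["dport"])


def summarise(lines) -> dict:
    """Per source: distinct ports touched, first/last sighting, hit count."""
    stats = defaultdict(lambda: {"ports": set(), "first": None, "last": None, "hits": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dport = parsed
        s = stats[src]
        s["ports"].add(dport)
        s["hits"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return stats


def classify(lines, min_ports: int = 5, slow_span: timedelta = timedelta(hours=6)) -> dict:
    """Sources touching >= min_ports distinct ports: 'slow' if spread over
    at least slow_span, otherwise 'fast'. Single-port repeat traffic is ignored."""
    result = {"slow": [], "fast": []}
    for src, s in summarise(lines).items():
        if len(s["ports"]) < min_ports:
            continue
        span = s["last"] - s["first"]
        bucket = "slow" if span >= slow_span else "fast"
        result[bucket].append(src)
    for bucket in result:
        result[bucket].sort()
    return result


if __name__ == "__main__":
    for bucket, sources in classify(SAMPLE_LOG).items():
        print(f"{bucket}: {sources}")
```

The point of the long window is that a per-minute or per-hour threshold never fires on the slow prober, because it sends a single packet every few hours; only aggregation across days (and retention of the logs that long) makes the pattern visible. In practice the thresholds need tuning against your own baseline of background noise.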
In order to minimise the amount of time spent on the target’s website, tools can be used to take snapshots of each webpage that the hacker can refer to over and over offline.
Has an additional company been acquired that may have added vulnerabilities or trusted systems? What about job postings, are experts being sought for particular IT systems?
The Netcraft website is a good example of an active reconnaissance tool. Here the systematic hacker can find out more about the IT systems in use, including historical information, without revealing the hacker’s IP address.
Note that for a perfectly planned attack the reconnaissance phase is still ongoing and no active hacks are being attempted yet.
So four reconnaissance milestones are needed for the perfect attack before proceeding to the next phase:
• Which trusted system or component is to be hacked / compromised?
• How can this trusted system be broken into, what resources are required to do this and how are they obtained?
• How can this hack be done without being noticed or monitored? Alternatively, how can the probability that it gets noticed be minimised?
• What is the scope and timeframe for the scan? How can both the scope and the length of the scan be reduced to a minimum to avoid suspicion and unwanted side effects?
Note that the hacker may have to go through the reconnaissance loop several times before completion. Also note that a truly professional hacker won’t have spent noticeable time on your website during this phase, as that could leave behind a digital footprint.
Once the above mentioned reconnaissance milestones are reached, the perfect attack can progress to scanning.
This should be straightforward and simple if recon was done properly. At this phase, the perfectly planned hack will only scan where truly necessary.
The victim’s infrastructure is scanned in a focused way verifying only those vulnerabilities and trusted components that have already been identified during reconnaissance.
Scanning may also point the way to a more refined exploit. For example, reconnaissance may show that a multi-vector attack is required to break into the trusted system (e.g. a slow POST attack as a decoy bringing web servers to the brink, during which a code injection into a system with access to the target system is executed); in that case the scan will have to include several methodologies (e.g. both port scanning and application or vulnerability scanning).
In any case the actual scans to be done (TCP, UDP, port, application) shouldn’t be used indiscriminately; only the necessary scans identified during recon should be run.
Scanning is complete when everything necessary for the next phase, the exploit, is in hand. The plan for what to exploit and how must be refined and detailed more precisely than in reconnaissance.
Stealth is important in this phase too! If usernames and passwords are stolen, what about the hashed passwords? The perfect attack will have anticipated this already and have a plan to crack the hashes offline and unseen.
Network sniffing may be the chosen method; a considerable amount of information is still sent over the internet unencrypted. Wireless networks are particularly prone to undetected network sniffers.
If a number of security systems are already in place, then a multi-vector attack is quite possibly the chosen method for the perfect attack, for example a volumetric attack to knock down your Web Application Firewall during which a SQL injection is quietly and successfully executed.
Last but not least there is plenty of open source software to do the actual exploit (e.g. Metasploit). If the reconnaissance and scanning phases were done properly, the actual exploit should be a question of systematically executing the plan already defined.
So what do I do?
Think like a hacker and anticipate the attractiveness of your trusted systems: who has administrative access, and where you hold particularly sensitive data.
Actually the next time you are attacked it will probably not be the perfect attack - you’ll probably find out about it before all the damage is done.
The question is: are you prepared for that moment? Is there an emergency decision-making process in place? In any case, at least a Disaster Recovery Plan and a Business Continuity Plan are a must.
Assume you will be hacked and have your Information Security Team develop plans for just such a case. For example what is the plan of action after website defacement?
The Infosec Team should have mechanisms in place to detect such a breach as soon as it has occurred or as soon as possible thereafter, as well as plans to mobilise the diagnosis and recovery team with the goal of bringing the website back to its original state without the previous vulnerabilities.
Corresponding plans to deal with a DDoS attack of any kind, data theft or data compromise must also be in place. Does your InfoSec team have plans for recovery after each of these types of breaches?
This article is brought to you by Enex TestLab, content directors for CSO Australia.
About the Author: Dr Claudia Johnson - Akamai Technologies