The Hacker’s Perspective: Risk as Opportunity

When the Cybersecurity Maturity Model Certification (CMMC) goes into effect this year, the Department of Defense (DoD) will be holding its contractors to a higher standard than ever before. Whether they are ready for the change remains to be seen: DoD partners were already required to comply with standards like NIST SP 800-171, but in practice many fell behind because of the leeway they had in implementation.

With CMMC, the DoD hopes to foster a “culture of cybersecurity” throughout the federal government, and a big part of that involves an emphasis on risk. While the traditional mindset of compliance is based on a checklist of one-size-fits-all security controls, a risk-based mindset invites every business to find its weakest spots and prioritize them effectively.

Now, bidding contractors will be required to demonstrate adequate levels of security before a contract can even be awarded. But while the CMMC provides plenty of guidance, contractors will find its standards difficult to meet unless they take responsibility for their own unique risks. In this post, we will examine what that effort entails, especially from the perspective of an organization’s worst enemies.

What is Risk?

According to the Risk Management Framework (RMF) published by the National Institute of Standards and Technology (NIST), “risk” is a combined measurement of two factors:

  1. The likelihood that a vulnerability will be exploited
  2. The impact of such an event

In some ways, this fits with a common sense notion of risk, and in other ways it does not. For instance, hackers are not counted as a risk by this definition, but “risk” does include everything which hackers and other adversaries may use to their advantage.

Incidentally, what proves advantageous to a hacker is also the most serious kind of risk. Certain oversights in security may not seem like a big deal from the organization’s perspective, but underestimating them is a mistake that is much harder to make from the opposite side of an attack.

How Hackers See Risk

When conducting a cyber hunt, Securicon often uses red-teaming to find less obvious vulnerabilities in an organization’s network. While a “blue” team works to defend the network from attacks, the “red” team works to bypass those defenses using a combination of techniques.

These two perspectives could not be more different: while the blue team takes a hierarchical and organized view of the technology they are defending, the red team is opportunistic. It works to find any trigger that allows it to cause chaos or otherwise subvert normal operating conditions.

For hackers, “risk” therefore translates into “opportunity”. And although individual hackers differ in their overarching goals, all of them look for three basic opportunities:

  • Access – establish an initial and persistent presence within the target organization for further activity
  • Concealment – hide activity by evading detection, which means bypassing normal safeguards, disguising malicious activity as legitimate or creating a diversion elsewhere in the network
  • Escalation – gain privileges and therefore greater control over a system

The greatest risks to an organization’s security center around these goals and should be prioritized accordingly. Common examples include:

Wide Area of Attack

In a past article, we talked about the importance of minimizing attack surface in the context of industrial control systems (ICS). This principle applies more broadly: networks become less secure with every new access point, such as routers and IoT devices. Partners upstream or downstream also represent potential targets which hackers can use to gain a foothold.

Useful Idiots

Despite how far technology has come, hackers still use social engineering during the reconnaissance phase of an attack. Untrained personnel may be persuaded to divulge sensitive information which can be used for access, concealment or escalation. They may also compromise their organization by clicking malicious links that deliver malware or lead to phishing pages.

Blind Spots

Robbers do not come in through the front door: likewise, the most sophisticated hackers seek an entry-point that is not well-monitored or protected to conceal their presence. Thanks to the Internet of Things (IoT), organizations are now flooded with a host of devices – from printers to coffee machines – that may contain significant vulnerabilities and require protection.

Lack of Security Controls

Overlooked security controls – such as two-factor authentication (2FA), network passwords and encryption – represent one less obstacle for hackers to overcome during an attack, and they will use such oversights to their advantage. On the other hand, even controls that seem redundant can prevent an attack from succeeding at a crucial stage.

Using a Hacker’s Mindset

The best form of security is proactive security, and proactive security starts by finding risks and remediating them before they are ever exploited. As this risk-based approach becomes essential to meet federal standards for compliance, organizations will benefit from thinking about their systems like an outsider.

In 2020, consider investing in a professional risk assessment. With years of experience in a DoD context, our trained experts can offer something that automated solutions cannot rival: human intelligence, creativity and a deep understanding of the way real hackers think.


Securicon is poised to support industry partners in preparing for CMMC through Gap Analysis and Assessment of security practices and procedures. Contact us for more information.

How Real Hackers Think, and Why it Matters


In 2019, hackers are experiencing what sea-pirates experienced in the 17th century: a golden age. And just like the British Navy used privateers to keep pirates at bay, modern businesses must use the tools and methods of hackers to prevent successful attacks.

For the past few years, the number of data breaches has climbed steadily. The average cost of a cyberattack has hit $1.7 million, and by 2021, annual cybercrime damages will reach $6 trillion – exactly when the world will have 3.5 million unfilled cybersecurity positions.

Vulnerability assessments and penetration tests are a proven line of defense against hackers as they can show where points of attack and unauthorized entry exist. But these methods are only successful with a professional touch: in order to beat hackers at their own game, an organization must be able to think like them. In this article, we’ll explain what that means.

Two Types of Attacks

The media continues to depict hackers as socially isolated trolls. But if this stereotype were ever accurate, it no longer reflects reality: hackers around the world come in many stripes, from lone professionals to organized crime groups and even governmental or military organizations.

For organizations, there are two major categories of motivation that define the attacks they can encounter.

Attacks for Effect

Some hackers aim to cause as much destruction as possible. This group may comprise amateurs who wish to gain the respect of other hackers, or disgruntled current or former employees with a personal vendetta. It may also include hacktivist groups or politically motivated attackers whose intent is to send a message, either to the site owner or to the public. The result of such an attack is a site turned into a highly visible billboard for their favorite cause.

But the biggest threat to organizations today comes from the second class of attacks.

Attacks for Gain

Criminals undertake hacking for reasons ranging from data theft to political terrorism to monetary gain. Far from being trolls, hackers in this class of attacks are organized, professional, well resourced, and persistent. They thrive on invisibility and may evade detection for a long time while doing their work – a persistent threat.

Since hackers in this class are the most dangerous to an organization, understanding their modus operandi is crucial to defending against them.

How a Hacker Thinks

1. Strategic

Prior to an attack, hackers may spend months preparing, conducting reconnaissance and strategizing how to execute. During this time, they will search for points of entry by mapping an organization’s network and IT assets, its structure and its procedures.

Tactics used may include:

  • Footprinting
  • Social engineering
  • Accessing public records
  • Port scanning and probing

Even with high levels of security control, hackers may dupe employees or administrators into divulging critical information via phishing and social engineering. Training and compliance at all levels of an organization are therefore crucial parts of a security strategy.

2. Opportunistic

During the preparation phase, hackers search for anything that can grant them unauthorized access to a system. This means that any exploits may be used, no matter how obscure – and in fact, obscure vulnerabilities may be preferred.

Organizations have many levels of IT infrastructure that may provide a gateway for deeper penetration. So-called “non-critical” systems like internal email should not be neglected when it comes to documentation and testing. At the same time, during a vulnerability assessment or pentest, systems should be prioritized to reflect the likeliest starting point for a real-world hacker.

3. Stealthy

While trolls are interested in visibility, criminals are not. Professional hackers use a variety of techniques to keep their activities hidden from administrators and lurk within a system for years at a time:

  • Enter discreetly – hackers know that obvious entrances are carefully guarded and seek out less obvious points of entry to begin an attack. Additionally, 90% of hackers use encryption to disguise their origin.
  • Persistent access – once they are inside a system, hackers quickly try to establish a backdoor for persistent access. This way, they will always be able to return, even if the vulnerability by which they gained access is patched.
  • Move laterally – by re-entering over time, hackers advance slowly from point A to point B. This allows a careful and methodical progression from small vulnerabilities to much larger ones.

In order to keep systems secure, it’s not enough to guard the front entrance: organizations must continually scan and monitor activities on their network to detect signs of suspicious activity.

4. Goal-oriented

It should be clear by now that real-world hacking is a difficult process that requires preparation and commitment to a long-term strategy. Every hacker therefore pursues some concrete objective, such as:

  • Political sabotage – an organization may be attacked because it is involved in political activities, because it serves the government, or because its products and services are critical to a nation’s political process. In this case, hackers may aim to obstruct its daily operations by targeting mission-critical systems.
  • Data theft – today, almost any organization has a wealth of information about its customers and clients. This data can be exploited for many purposes and – wherever it is stored – attacks should be anticipated.
  • Monetary gain – hackers rarely steal money directly from their victims. But companies possess many assets which can be used for profit, including intellectual property and trade secrets.

Concerted attacks, like any other business risk, are difficult to predict, but they are not difficult to anticipate. Although cyberattacks are inevitable, they should never be viewed as inexplicable or mysterious. To protect itself, an organization should identify and monitor its most valuable assets.

5. Deceptive

Hackers will use deception in the earliest stages of their campaigns. During reconnaissance, they often trick employees into forwarding “important information” to their colleagues, which is – in reality – a phishing attack.

When they actually begin their work, hackers will also use false flags to misdirect system administrators and anyone else who may be watching. This includes targeting systems they do not really care about and using exploits that are not crucial to their end game.

Experience vs. Automation

To enforce real security, companies require experts who know how to think like hackers. Throughout the industry, however, those who claim to do so are frequently misguided. Most pentests, for instance, are left to automated software, leaving clients vulnerable to attacks that software can’t anticipate.

Securicon is made up of infosec veterans who have played red team against government agencies in real-world hacking scenarios and formulated unique toolkits that money cannot buy. Our scans and assessments reflect this experience and uncover the only vulnerabilities that matter: those our clients are unaware of.

Most hackers will not work for anyone except themselves. But Securicon’s team shares the knowledge and experience of professional hackers, while aiming to protect – rather than harm – the companies they target. In the long term, we believe there is no better way to enforce security, and anything else is a compromise.

Ransomware ‘LockerGoga’ Disrupting Industrial Operations

It has recently been reported that a new breed of ransomware is infecting industrial networks and forcing ICS organizations to switch from digital to manual operations. Within the past few weeks, the malware LockerGoga has infiltrated the Norwegian aluminum manufacturer Norsk Hydro. Because of this incident, the organization was forced to execute its business continuity and cybersecurity incident response plans.

In recent history, LockerGoga has hit two other manufacturing companies, Hexion and Momentive. For Momentive, LockerGoga led to a global IT outage that forced the company to decommission its infrastructure and start anew.

According to a FireEye report, a new strain of LockerGoga has been forcing systems to shut down entirely, locking user accounts, and making it difficult for organizations to pay the ransom. It is not yet known how attackers are gaining access to the victims’ networks, but evidence shows that their targets’ credentials were known prior to the intrusion. 

Anatomy of an ICS Attack

Attackers may be using phishing campaigns to gather credentials prior to accessing the victim’s network. Once they have access, they use common, open-source tools like Metasploit and Cobalt Strike to move laterally throughout the network. While moving towards the ICS layer of the network, credential-dumping tools like Mimikatz are used to extract cleartext and hashed passwords from memory and gain escalated system privileges.

After they have attained Domain Administrator – the highest privilege for network users – they use Microsoft Active Directory tools to deploy their ransomware on target machines. Payloads are signed to appear legitimate before the file-encrypting code executes, locking the organization out of its data unless it pays up. The hackers are also killing processes to forcibly disable antivirus on the target machines.

The newest strain of LockerGoga has been disabling network adapters attached to organizational computers, removing them from the network. This forces the system to cease any communication, causing widespread network disruptions.  
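The host-level behaviours described in this section (antivirus processes killed, user accounts locked, network adapters disabled) are individually routine administration, so a defender gains the most by correlating them per host. The following detector is an added example and not part of the original post or the FireEye report; the log format, host names, command lines and rule patterns are constructed for illustration.

```python
"""Correlate process-creation telemetry for the ransomware-stage behaviours
described above. Added example with constructed data: a real deployment
would feed Sysmon/EDR process-creation events instead of SAMPLE_EVENTS."""
import re
from collections import defaultdict

# Each record is (host, user, command_line). Constructed sample, not real telemetry.
SAMPLE_EVENTS = [
    ("ws-hr-07", "jdoe", r'C:\Windows\System32\cmd.exe /c dir'),
    ("ws-hr-07", "SYSTEM", r'netsh interface set interface "Ethernet" admin=disable'),
    ("ws-hr-07", "SYSTEM", r'taskkill /F /IM MsMpEng.exe'),
    ("ws-hr-07", "SYSTEM", r'net user jdoe /active:no'),
    ("srv-files-02", "backup", r'robocopy D:\share \\nas\backup /MIR'),
    ("srv-files-02", "admin", r'netsh interface set interface "Ethernet 2" admin=disable'),
]

# Security tooling whose forced termination is suspicious. MsMpEng.exe is the
# Microsoft Defender service; extend the set with your own endpoint products.
SECURITY_PROCESSES = {"msmpeng.exe"}

# One rule per behaviour the article attributes to the ransomware operators.
RULES = {
    "network_adapter_disabled": re.compile(
        r"netsh\s+interface\s+set\s+interface\b.*\badmin=disabled?\b", re.I),
    "account_locked": re.compile(r"\bnet\s+user\s+\S+\s+/active:no\b", re.I),
    "security_process_killed": re.compile(
        r"taskkill\b.*\s/IM\s+(?P<image>\S+)", re.I),
}


def classify(command_line):
    """Return the behaviour name a command line matches, or None."""
    for name, pattern in RULES.items():
        match = pattern.search(command_line)
        if not match:
            continue
        # A taskkill only counts when it is aimed at a security product.
        if name == "security_process_killed" and \
                match.group("image").lower() not in SECURITY_PROCESSES:
            continue
        return name
    return None


def behaviours_by_host(events):
    """Map each host to the set of distinct suspicious behaviours seen on it."""
    seen = defaultdict(set)
    for host, _user, command_line in events:
        name = classify(command_line)
        if name:
            seen[host].add(name)
    return seen


def flag_hosts(events, min_behaviours=2):
    """Hosts showing at least `min_behaviours` distinct behaviours.

    One adapter disable or account lock is ordinary administration; several of
    these behaviours together on one host is what the ransomware stage looks like.
    """
    return sorted(host for host, names in behaviours_by_host(events).items()
                  if len(names) >= min_behaviours)


if __name__ == "__main__":
    for host, names in behaviours_by_host(SAMPLE_EVENTS).items():
        print(host, sorted(names))
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

Tuning `min_behaviours` trades false positives against detection latency; at 1 every administrator who disables an adapter is flagged, while at 2 only the correlated pattern surfaces.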

A New Breed 

It’s worth noting that LockerGoga is different from previous ransomware that has affected ICS systems. NotPetya used less extreme methods of disrupting operational processes, but it did show that malware could be built to move laterally through a network autonomously.

LockerGoga, by contrast, has some manual direction from the attackers and is more precisely targeted than NotPetya. Crucially, this attack is not limited to ICS organizations; it is also infecting other industries through crimes of opportunity. Any network that has publicly exploitable vulnerabilities may end up a victim.

Takeaway  

Norsk Hydro fell victim to LockerGoga but had never included a Cybersecurity Incident Response Plan (CIRP) in its Business Continuity Plan (BCP). This led to a longer recovery time because the company was unsure how to proceed. Organizations should include a CIRP in their BCP and plan to undergo routine vulnerability assessments and penetration tests of both their IT and ICS networks. If you fail to plan, then you plan to fail.

Resources:

https://www.hydro.com/en-US 

https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html 

https://blog.talosintelligence.com/2019/03/lockergoga.html


Harry Thomas is a senior level cyber security consultant who works with industries that require security in high availability networks such as Electric Utilities, Healthcare, Oil & Gas, etc. He enhances security programs through methods of vulnerability assessments, penetration testing, reverse engineering, and security research. Harry harnesses his experience from both enterprise security and ICS security to build secure networks that enable organizations.


Securicon offers comprehensive digital security and compliance solutions to organizations. Our services include penetration testing and social engineering assessments which are trusted by critical infrastructure companies across the U.S and other critical organizations to find vulnerabilities and maximize safety. In 2019, there’s no room to be lax about security – contact us today!

Preparing For Data Breaches: 5 Lessons From 2018

2018 will likely go down in history for the sheer scale of consumer data that was hacked, leaked, stolen and otherwise compromised by cyberattacks throughout the year. Estimates show that during the first six months alone, 4.5 billion records were exposed over 945 data breaches, leading to mass identity theft and financial fraud.

On the one hand, this is deeply concerning. On the other hand, it’s not very surprising at all.

Among the biggest breaches which occurred during 2018, Facebook, Quora and Marriott Hotels stood out for the simple reason that these were the very companies that should have been safe. When industry giants fall to attackers, small firms and businesses don’t stand a significantly better chance.

As regulators turn a critical eye to data breaches and consumer privacy, the time for businesses to pay sharp attention has come. If protecting the good faith of consumers isn’t enough incentive, financial loss in the form of penalties and theft should be.

In this article, we’ll look at five key lessons that stand out from the past year of cyberattacks, and what businesses can learn from them.

  1. Complacency Kills

Marketing firm Exactis has comprehensive data on nearly every citizen in the U.S. – 340 million records, to be exact. Last year, security researcher Vinny Troia discovered that all those records had been stored on a publicly accessible database which was easily found with a simple search query.

Soon after the leak was publicized, the company made its records private: something which should have been done the moment they were created. Exactis justly received large amounts of negative publicity for failing to take this crucial step earlier.

Similarly, when data was stolen from 500 million patrons of the Marriott hotel chain, an investigation revealed that hackers had been in Marriott’s systems for four whole years before they were discovered. Alarm bells had warned security administrators of this activity on several occasions, but never resulted in adequate measures to assess the full extent of the intrusion.

Takeaway: Nothing does more for attackers than a simple lack of vigilance across the board. A robust risk prevention protocol coupled with serious attention to every red flag is key to avoiding and addressing cyberattacks.

  2. Never Postpone Disclosure

In the past, companies have been reluctant to admit that a data breach occurred. Last year, ride-sharing company Uber settled for $148 million in court after failing to disclose a data breach which occurred in 2016, compromising the personal information of 600,000 drivers. Similarly, the U.K.’s Ticketmaster knew about a breach for seven months before finally revealing it.

Hiding a breach doesn’t do a company any favors – if the intention is to avoid bad publicity, it only prolongs and exacerbates the inevitable. In the meantime, fixing existing issues and mitigating the damage becomes more difficult.

In the wake of GDPR, which mandates that companies must reveal a breach within 72 hours of its discovery, the number of reports coming out of the U.K. has quadrupled, showing just how common delayed acknowledgment was before the legislation.

Takeaway: Companies should take a hint from Quora, which immediately disclosed a vulnerability that had exposed 100 million of its users, responded to the incident by resetting account passwords and created an informational site in the wake of the breach – all within a 72-hour window.

  3. Anything Can Be A Flaw

Data breaches take many unexpected forms. Last year, Facebook turned off – and has not yet turned back on – a seemingly benign feature which allowed users to view their profiles as a visitor would. The “view as” feature contained a critical bug enabling hackers to access 50 million user accounts.

Meanwhile in New York City, Saks Fifth Avenue and Lord & Taylor found that a device had been inserted into their card readers which stole the account information of nearly 5 million customers.

These exploits couldn’t be more different – one completely physical, and one involving complex digital hijinks. But they show that attacks can come in many forms, and no detail should be overlooked when it comes to data.

Takeaway: Web designers should eliminate unnecessary features that could become a vulnerability. Businesses should also invest in penetration testing for their digital properties, and regularly monitor their facilities and point-of-sale (POS) systems for malicious hardware.

  4. Beware of Third-Party Apps

Third party applications have become an indispensable part of the digital ecosystem, as businesses depend on them to process transactions and provide essential functions to their websites. Unfortunately, third party applications have also become a primary route that hackers use to compromise businesses.

2018 saw two high-profile breaches of third-party apps. Mobile linking platform Branch.io was attacked, potentially exposing the information of 685 million users across services like Tinder, Shopify and Yelp. McAfee reports that the sales support platform [24]7.ai may have leaked credit card information and social security numbers from thousands of users.

A business can defend the services it builds and controls itself. But third-party apps are controlled from the outside, and often reflect a different set of security priorities. For instance, a website may securely encrypt its traffic while an unsecured plugin transmits it in plain text.

Takeaway: Businesses must be especially wary of the third-party apps which support their site. In some cases, they may not even realize how many dependencies they employ and should conduct regular inventories to ensure the safety of their users.

  5. Pay Attention to Insider Threats

In April of last year, SunTrust Bank announced that 1.5 million customer records had been stolen with criminal intent. The culprit, the institution claimed, was likely one of its own employees.

Insider threats are one of the biggest and most unpredictable threats an organization can face, and they aren’t always malicious. Simple user error can cost an organization billions of dollars. As Verizon’s 2018 Data Breach Investigations Report states:

Companies are nearly three times more likely to get breached by social attacks than via actual vulnerabilities, emphasizing the need for ongoing employee cybersecurity education.

As an example, the average cost of a phishing attack – which occurs when a user clicks on an illegitimate email – was $1.6 million in 2018. When such a simple action can cause such devastating consequences, no organization is safe from risk.

Takeaway: In order to stay safe, companies must be looking in both directions. Educating personnel on security protocol is one important way to reduce insider threats; monitoring behavior for signs of malicious intent is also essential.
