Cybercrimes are becoming more frequent, and understanding what happens behind the curtain can help you better align your business objectives, mitigate risk and highlight gaps in your security plan. By looking at your attack surface through the lens of a threat actor, you can take a more holistic approach when making decisions for your own business and use that intelligence to better protect yourself and your customers.
Jason Slagle, president of CNWR, Matt Lee, security and compliance senior director for Pax8, and Tom Lawrence, president of Lawrence Technology Service, put themselves in the shoes of a potential hacker and outlined how they would hack a business during a session at CompTIA’s ChannelCon 2022. The goal: to help you better understand how to set your organization off on a security-first path. Here’s what they had to say:
Step 1: Assess the Landscape
POV: I’m a threat actor with hacking skills and you’re in my crosshairs as a potential victim. I’ll access your system using publicly posted information, unpatched security gaps and a little social engineering. I’m not afraid of calling around to see who will give me access, finding a way in through an outside vendor, using an app to escalate privileges or getting admin access to a device. It’s amazing what I can do from there.
The first stage of an attack is typically someone with criminal intentions looking for an opportunity. Scouting out big paydays means the hacker is on the hunt for a huge attack surface full of unchecked vulnerabilities. They often target managed service providers because of the massive number of endpoints that MSPs have, and their connection to tons of client users, usually with admin rights, from specialists to CEOs.
“The first question is what do you look like to the world?” said Slagle.
“That also means your humans and operation security posture,” Lee said. “There are resources you can use to look at your own infrastructure and go, ‘oh I left that exposed,’” said Lawrence. “Start using these tools and look at your own domains.”
Mapping out the landscape of your system is very helpful to threat actors who love to use open-source intelligence tools to build a visualization of your world. Connecting different open-source data sets helps them understand the full picture of your organization, your infrastructure and where your previous data lives.
Think of it as an enumeration phase. They investigate your infrastructure, build a map and assess the value of the data they could steal.
Step 2: Assess the Attack Vectors
POV: Now I’m going to see what I can use as a way in. Like a burglar trying to break in, I’m checking for unlocked doors — did you leave your software unpatched? Did you leave a default password? I’ll look for exposed vulnerabilities and weak security posture to exploit.
Here’s a list of questions to ask about cyber criminals planning potential attacks:
Do they attack the infrastructure or users?
Do they have a clear and easy vulnerability path to exploit?
Can they simply badger a user into approving an MFA prompt?
Can they trick your users into an adversary-in-the-middle attack?
Are your OAuth tokens or cookies vulnerable to theft?
Do your people post personal information on social media?
Hackers can attack the infrastructure based on its vulnerabilities. They can attack people by exploiting fundamental human weaknesses, and they can attack the weaknesses in your authentication configuration. Lots of options to ruin your day.
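The MFA "badgering" question above is one a defender can answer from authentication logs. The following detector is an added example, not code from the session or the article: it flags a user who receives several denied or unanswered MFA push challenges within a short window (push fatigue) and notes whether an approval followed the burst. The log format, field names and sample lines are constructed assumptions.

```python
"""Flag possible MFA push-fatigue ("badgering") activity in authentication logs.

Added example. The log format is assumed, not taken from any real identity provider:
    <ISO-8601 time> user=<name> event=mfa_push result=<denied|approved|timeout>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice is hammered with pushes and finally approves one;
# bob has a single normal login.
SAMPLE_LOG = """\
2022-08-02T09:00:01Z user=alice event=mfa_push result=denied
2022-08-02T09:00:40Z user=alice event=mfa_push result=timeout
2022-08-02T09:01:15Z user=alice event=mfa_push result=denied
2022-08-02T09:01:50Z user=alice event=mfa_push result=denied
2022-08-02T09:02:30Z user=alice event=mfa_push result=approved
2022-08-02T09:05:00Z user=bob event=mfa_push result=approved
"""

def parse_line(line):
    """Split one log line into a dict of fields plus a parsed 'ts' datetime."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def find_mfa_fatigue(log_text, window=timedelta(minutes=5), threshold=3):
    """Return {user: detail} for each user with at least `threshold` non-approved
    pushes inside `window`, recording whether an approval followed the burst."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            if ev.get("event") == "mfa_push":
                by_user[ev["user"]].append(ev)
    findings = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        rejected = [e for e in events if e["result"] != "approved"]
        for i in range(len(rejected)):            # sliding window over rejected pushes
            j = i
            while j + 1 < len(rejected) and rejected[j + 1]["ts"] - rejected[i]["ts"] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold:
                burst_end, limit = rejected[j]["ts"], rejected[i]["ts"] + window
                approved_after = any(e["result"] == "approved" and burst_end < e["ts"] <= limit
                                     for e in events)
                findings[user] = {"rejected_pushes": count, "approved_after_burst": approved_after}
                break
    return findings

if __name__ == "__main__":
    for user, detail in find_mfa_fatigue(SAMPLE_LOG).items():
        print(f"{user}: {detail}")
```

A burst that ends in an approval is the case worth paging on: it is the signature of a user giving in to the prompts rather than of a misconfigured client.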
If they don’t have the resources needed to attack you fully, they can sell the access to another threat actor on an initial access brokerage site on the dark web. “A lot of times initial access is the hardest part, so people will pay for it,” said Slagle.
There are tons of different specialties that each have their own monetization goals.
“Most people don’t realize that an entire ecosystem exists where the threat actors are as entrepreneurial as the companies they are attacking,” Lee said. “There are initial access brokers, ransomware specialists, malware specialists, vulnerability and zero-day specialists, and each brings something to that ecosystem. There are even money launderers out there to help keep those threat actors out of jail.”
Step 3: Compromise and Attack
POV: Now that I have a plan of attack and potentially a team I can go to work. Gain access, deploy ransomware, extort, or steal any valuable intellectual property. First, I’ll gain access through the planned method, then I’ll escalate privilege and start to expand and leave footholds — anything that allows me to persist.
With initial access, cyber criminals can start looking through your files, internal documents, processes, plans and names. They’re looking for bigger fish in the pond: people with more access than the person who was initially compromised.
They’ll also lurk as long as necessary, months even, especially if you’re a valuable target, and develop a strategic attack plan. The idea is to maximize damage in a short period of time to ensure you pay.
Step 4: To the Right of the Boom
POV: Once I have devastated your world and interrupted operations, the clock is ticking for your business to continue functioning. I have already found the insurance policy that you conveniently left in the documents folder on the server, so I know how much ransom to ask for. This puts us in a very advantageous negotiating position.
You contact your insurance company; they assign attorneys, ransomware negotiators, forensics specialists and breach coaches, and begin a process that can take up to two weeks to determine how and when the threat actors got in. You cannot restore operations until you know about every foothold they left behind and when each was planted.
You are left unable to restore operations until the insurance company can answer these questions. Your backups may or may not have been compromised.
After arduous negotiations and failed restoration attempts, you finally pay the threat actor. Malware and ransomware will often try to spread and run the same encryption again, making your data harder to decrypt even after you pay the ransom.
Your insurance company comes back and tells you about a two-month-old foothold and every machine needs to be replaced or reimaged.
Step 5: What Did We Learn?
POV: After an attack like this, you need to do an after-assessment and start making changes — unless you want me back again. To avoid a nightmare like this, you’ve got to stay one step ahead. Track your assets, your data and your vulnerabilities and patch everything before I come around.
“The first rule of cyber is, ‘Know thyself,’” said Lee. “Start looking at your organization as if you wanted to break into it and game your skills. There are tons of ways to train yourself in what threat actors are doing that don’t consume your entire world.”
“Start using tools to look at your own domains,” said Lawrence.
If worrying about threat actors keeps you up at night, add an effective governance, risk and compliance (GRC) program. Learn to mitigate risk, align business objectives and highlight gaps in your security with The CompTIA ISAO.
Want More Cybersecurity Information?
Check out CompTIA's 2022 State of Cybersecurity research report now.