Wil Allsopp - Advanced Penetration Testing. Hacking the World’s Most Secure Networks

1. Chapter 1: Medical Records (In)security
2. Chapter 2: Stealing Research
3. Chapter 3: Twenty-First Century Heist
4. Chapter 4: Pharma Karma
5. Chapter 5: Guns and Ammo
6. Chapter 6: Criminal Intelligence
7. Chapter 7: War Games
8. Chapter 8: Hack Journalists
9. Chapter 9: Northern Exposure

1. Chapter 5: Guns and Ammo

Wil Allsopp

There is an old yet erroneous belief that fortune favors the brave. Fortune has and always will favor the prepared. When your organization experiences a serious security incident (and it will), it's your level of preparedness based on the understanding of the inevitability of such an event that will guide a successful recovery. It doesn't matter if you're responsible for the security of a local community college or if you're the CISO of an international bankthis fact will always remain true.

To quote Howard Ruff, It wasn't raining when Noah built the ark.

The first step to being prepared is being aware.

There has always been the impression that you have to patch your systems and secure your networks because hackers are scanning vast address ranges looking for victims who haven't done these things and they'll take whatever vulnerable systems they can get. In a sense that's truethere have always been those who are satisfied with low hanging fruit. It was true back in the 80s as wellwar dialing on the PSTN and such attacks are usually trivial to guard against if you know what you're up against. However, if you are specifically targeted by someone with time and resources, you have a problem of an altogether different magnitude. Put simply, gaining access to corporate systems by patiently targeting the users was usually the best way to go in the 80s and it's usually the best way now. However, the security industry, like any other, is constantly looking to sell new products and services with different names and to do that, a buzzword is required. The one that stuck was advanced persistent threat.

What differentiates an APT from a more traditional intrusion is that it is strongly goal-oriented. The attacker is looking for something (proprietary data for example) and is prepared to be as patient as is necessary to acquire it. While I don't recommend breaking complex processes down into simple lists or flowcharts, all APTs generally have the following characteristics:

• Initial compromiseUsually performed or assisted by the use of social engineering techniques. An attack against a client will include a core technical component (such as a Java applet), but without a convincing pretext, such an attack is usually doomed to failure. A pretext can be anything but is successful when tailored to the target and its employees. Casting a wide net to catch the low hanging fruit (to mix my metaphors) is not an acceptable way to model APTs and is certainly not how your adversaries are doing things.
• Establish beachheadEnsure future access to compromised assets without needing a repeat initial intrusion. This is where Command & Control (C2) comes in to play and it's best to have something that you've created yourself; that you fully understand and can customize according to your needs. This is a key point in this book that I make a number of times when discussing the various aspects of C2it needs to be secure but its traffic has to look legitimate. There are easy solutions to this problem.
• Escalate privilegesGain local and ultimately domain administrator access. There are many ways this can be achieved; this book will dedicate considerable space to the best and most reliable methods as well as some concepts that are more subtle.
• Internal reconnaissanceCollect information on surrounding infrastructure, trust relationships, and the Windows domain structure. Situational awareness is critical to the success of any APT.
• Network colonizationExpand control to other network assets using harvested administrative credentials or other attacks. This is also referred to as lateral movement, where an attacker (having established a stable base of operations within the target network) will spread influence across the infrastructure and exploit other hosts.
• PersistEnsure continued control via Command & Control. Persistence essentially means being able to access your target whenever you want regardless of whether a machine is rebooted.
• Complete missionExfiltrate stolen data. The most important part of any APT. The attacker is not interested in vandalizing systems, defacing web pages, or stealing credit card numbers (unless any of these things advances the final goal). There is always a well-defined target in mind and that target is almost always proprietary datathe mission is completed when that data has been located and liberated.

I am a penetration tester by trade (a professional hacker, if you like) working for every possible kind of client and market vertical over the best part of two decades. This book speaks from that narrative. I want to show how conventional penetration testing is next to useless when attempting to protect organizations against a targeted APT attack. Only by going beyond the stagnant nature of contemporary penetration testing methodologies can this hope to be achieved. Potential adversaries today include organized crime and nation statesit's worth pointing out that foreign intelligence agencies (of any nation) are heavily invested in industrial espionage, and not just against hostile nations.

There are numerous technologies available that claim to be able to prevent APTs, capable of blocking unknown malware. Some of these products are not bad and do indeed add another layer of security by providing some degree of behavioral analysisfor example catching a Metasploit callback by looking at what the .exe is doing rather than relying on an antivirus signature, which can be easily bypassed. However, that is trivial to model simply because the behavior of such tooling is very well understood. A genuine APT will be carried out by skilled threat actors capable of developing their own tools with a very strong understanding of how modern intrusion detection and prevention systems work. Thus, in describing modeling techniques, I make heavy use of the SSH protocol as it solves a lot of problems while masking activity from monitoring systems and at the same time gives the appearance of legitimate traffic. It is wise at this point to reflect on what an APT isn't and why. I've seen a number of organizations, commercial and otherwise, giving out advice and selling services based on their own flawed understanding of the nature of Advanced Persistent Threat. The following article published in InfoWorld is as good a place as any to rebut some myths I saw in a discussion online recently:

• APT sign No. 1: Increase in elevated log-ons late at nightThis is nonsense. Once a target has been compromised (via whatever means), the attacker has no need to make use of audited login methods, as they will have deployed their own Command & Control infrastructure. You will not see elevated log-ons late at night or at any other time.

  Auditing logs will most likely hit nothing when a skilled attacker has established his beach head. Most likely these mechanisms will be immediately circumvented by the attacker.