Apt Hacker Methodology PDF

Summary

This presentation discusses APT (Advanced Persistent Threat) hacker methodology, touching on topics like preparation, patience, social engineering, and exploiting vulnerabilities. It also explores the different phases and tools used in an APT attack.

Full Transcript

Chapter 3
APT Hacker Methodology

Public
AHM: Strong Enough for Penetration
Testers, Made for a Hacker

 AHM: stand for APT Hacker Methodology
 Penetration Testing: is a sanctioned attack against an
organization performed to test the efficacy of security
controls and defenses in place.
 Examples of testing:
 Response to “malicious” activities: such as phishing emails
or social engineering phone calls
 Technical controls: such as the configuration of computers,
servers, and network infrastructure
 Testing the process: where employees follow to respond to
detect incidents.

Public
Difference between APT Hackers &
Penetration Testers

 Penetration Testers: They receive a signed letter from the
organization they have been contracted with indicating the
test has been approved by an authorized party
 Penetration
Testers if they get caught they do not face any
real consequences or arrest.
 Limitation of Penetration Testers Activities:
 Not allowed to target top executives
 Specific and agreed upon targets are allowed to test
 Only specific personnel are targeted to test

 APT Hackers do Not have limit and do not abide by any rules or limit

Public
AHM Components (Requirements, Skills,
soft Skills)

 Elegant,
Big-Picture Thinkers: APT hackers who can
execute elegant attacks and see the big picture.
 Once you have the correct image of the big picture, you
will see that any organization can be compromised
 No organization is 100% secure.

Public
Advanced: Echelons of Skill

 Thepath of mastery is like climbing a series of ladders
with platforms between each.
 Each rung in the ladder represents a specific new skill
that you must purposefully use to achieve the goal
 Upon reaching each platform, you will obtain an
enlightened understanding of the skills permitted to get
there.
 First you must learn the acknowledge simply that a technology works
 Second you learn how it is supposed to work
 Third you learn how it really works
 Fourth you learn how to break it

Public
Preparation

 If I had six hours to chop down a tree, I would spend the first
four sharpening the axe…………Abraham Lincoln
 Preparation for an attack is critical for any attacker
 Preparation in the form of reconnaissance, is an extremely
important process that can not be hurried through
 Reconnaissance: is the how to properly perform
reconnaissance on a target organization
 APT hacker will take his time testing all the tools and techniques
to be used in an attack
 This can cover: testing an exploit, rootkit, backdoor, or
phishing website. To make sure all are worked out before
executing an attack

Public
Patience

 Patience is a characteristic of APT
 APTspent lots of time reconnaissance while traditional
hackers spent little
 APTspent lots of time testing all the tools and
techniques to be used in an attack
 APThackers ensure that each phase of the attack is
tested well, otherwise alerting the target is no option

Public
Social Omni-Science

 Social Engineering: any act that influence a person to an action that
may or may not be in their best interest.
 Social Engineering is defined by understanding the pic picture of how
all social elements affect the security of a target. Examples:
 Inter-relationship between employees and managers
 Inter-relationships between departments within organizations
 Impact of geological diversity of companies
 Business policies and procedures
 Company politics
 Ethnic differences and diversity of employees
 Overall security awareness and importance placed on security
 World events external to organization
 Employee skills
 Impact of holidays and vacation

Public
Always Target the Weakest Link

 Manyattackers simply target the systems they know
how to compromise
 AnAPT hacker analyzes a target organization and
specifically identifies and select the weakest link for
attack.

Public
Always Target the Weakest Link

 APThacker has an entire toolset of attacks and
techniques to choose from
 Heor she chooses the technique that exploits the
specific weakest link in the chain at the target
organization to quickly access to the desired asset
 Can guarantee success by performing ample:
 Reconnaissance
 Understanding the target
 Waiting for the opportune time
 Then target the weakest link

Public
Exploitless Exploits

 ExploitlessExploits: work by simply using a
technology as it’s intended to accomplish our goals
 One example of Exploitless exploit could be
tailgating on an administrative channel.
 An APT hacker will also use:
 Memory corruption exploit
 Preexisting exploit

Public
Think Outside the Box

 It is critical for any hacker especially APT hacker
 It is an ability you can learn, you do not need to be born with it
 What in the box:
 Constraints of assumptions
 Traditional thinking
 Group thought

 Thinking outside the box means is thinking without the above constrains of assumption
or convention
 The box is constructed of the rules put in place by:
 pragmatism
 Human nature
 People in authority
 Your peers

Public
Think Outside the Box

 AnAPT hacker thinks outside the box in every phase of
a successful attack
 From inception to clean up
 Nature of being criminal
 Not restricted by rules
 No fear of the law

 The Bicycles story

Public
The Process of Thinking Outside the Box

There are four major techniques with the
generic process:
Find a creative are (space and time)
Think without your filter
Just write
Create first, filter second

Public
Look for Misdirection

 Organizations
always show off with their security
systems for misdirection

Public
Keep it Simple, Stupid (KISS)

 Despiteall of the attack vectors, techniques, and tools
available to the APT hacker, you must strive to keep
your attacks as simple and elegant as possible.

Public
APT Hacking Core Steps

 There are seven major steps within each phase of
AHM:
 Reconnaissance
 Enumeration
 Exploitation
 Maintaining Access
 Clean up

 Although these phases are performed in this order, they can be
iterative, and can be performed in a different order, or many
times within one attack

Public
Reconnaissance

 Most critical step for an APT hacker
 Performing proper reconnaissance is one of the core
differences between a smart threat and an advanced threat.
 This phase can not be rushed or undervalued.
 Asan APT hacker, you must take all the time
necessary to fully understand:
 Your target
 Its business
 Its people
 The technologies in place

Public
Enumeration

 Considered the final part of reconnaissance where you
focus on identifying specific details about a particular
piece or system within an organization
 For example, identifying:
 Specific software version
 User name structure
 Responsible parties for specific systems

Public
Exploitation

 It
is the phase everyone’s minds go straight to
when discussing hacking
 Thisis where you take advantage of the vulnerabilities you
have identified in the previous two phases of
reconnaissance and enumeration.
 Itwill typically get you some foothold into a target
organization

 The key to success during the exploitation phase is to
have prepared properly

Public
Clean Up

 Clearing up takes many different forms during an attack
 It may involve cleaning up evidence of successful:
 Exploitation
 Removing evidence of the method used to maintain access to a
system
 Completely removing all traces of enumeration and
reconnaissance

Public
Progression

 It
may be gaining more rights to the system that
was compromised during the exploitation phase
 Some people refer to parts of this phase as:
 Lily-padding
 Leapfrogging
 Pivoting

Public
Exfiltration

 As
an APT hacker, you must consider the most effective
way to get the data you need from your target

Public
APT Hacker Attack Phases

 There are five major phases that we will systematically go
through when targeting and attacking a specific organizations:
 Reconnaissance: all available information regarding the target is
obtained and analyzed
 Spear social engineering: specific individuals who are likely to be
exploitable and who are likely to have some level of access to the target
asset are manipulated via purely digital methods into disclosing:
 Sensitive information
 Credentials
 Obtaining remote access to the user’s system

 Digital methods including e-mail, instant messaging systems, USB drives, and
others

Public
APT Hacker Attack Phases

 Remote and wireless: based on reconnaissance data,
remote locations, wireless systems, and remote end
users are targeted due to less restrictive security
controls being in place.
 Wireless networks and wireless vulnerabilities are
targeted to provide as much anonymity as possible
while still within close physical proximity to systems
owned by the target organization.
 End-user wireless clients are also targeted using
specially designed and extensible rogue wireless access
points

Public
Hardware spear-phishing

 Endusers and key physical locations are targeted
using Trojan hardware devices
 Purpose-built
hardware devices that can compromise an
attached computer system or remotely accessible
bugging systems

Public
Physical infiltration

 Target specific physical locations including:
 Facilities owned by the target organization
 Homes of target users
 Remote third-party facilities
 Remote workers at hotel rooms

 We will combine our physical infiltration with attacks designed to
compromise:
 key technical systems
 Bug y physical areas
 Obtain access to intermediate
 Target physical assets

Public
ATP Hacker Foundational Tools

 Primarypurpose of these tools is to maintain as much of
our anonymity as possible

Public
Anonymous Purchasing

 Youcan purchase any tools or services we need
using:
 Credit card gift cards
 Digital currencies

 Credit card gifts cards do not require any personal information for
activation, when checking out, you can simply choose any name
and address as the credit card owner
 Digital currency also known as crypto-currency, such as Bitcoin
or Litecoin. They are made to keep all of your transactions
anonymous, and many on-line retailers are accepting them.

Public
Anonymous Internet Activity

 Three primary technologies:
 Open, free, or vulnerable wireless networks
 Virtual private server pivots
 Web and socks proxy

Public
Anonymous Internet Activity

 Themost basic example, we can use an open
wireless network to probe and attack our target
organization. The logs in the target server would
show the IP address of the Free_Wifi_Hotspot
public IP address

 Thepurpose is to use these methods to delay
investigators for any unreasonable amount of
time, and move to another place.

Public
Anonymous Phone Calls

 You must use a burn phone, a phone used
temporarily and then discarded when we are
finished
 There are also Internet-based Voice Over IP
(VOIP) system that we can use to place phone
calls.
 Thereare also hardware – and software-based
voice changing systems that can actually work
quite well.

Public
APT Hacker Terms

 Target Asset: our ultimate intended asset at the target
organization (i.e. trade secrets, intellectual property, valuables)
 Intermediate asset: any asset that will help us reach our
intended target asset (e.g., a compromised computer,
compromised phone, bugged phone)
 Beachhead: the first compromised host asset at the target
organization
 Lily Pad: any intermediate asset that is used to progress
toward a target asset
 Pivot: similar to lily pad, a pivot is an intermediate asset to
target an otherwise inaccessible intermediate asset

Public