Apt Hacker Methodology PDF
Summary
This document details APT hacker methodology, covering techniques like reconnaissance, exploitation, and clean-up. It also discusses the importance of patience, targeting the weakest link, and thinking outside the box in cyberattacks.
Full Transcript
Chapter 3: APT Hacker Methodology

AHM: Strong Enough for Penetration Testers, Made for a Hacker
- AHM stands for APT Hacker Methodology.
- Penetration testing is a sanctioned attack against an organization, performed to test the efficacy of the security controls and defenses in place.
- Examples of what is tested:
  - Response to "malicious" activities, such as phishing emails or social engineering phone calls
  - Technical controls, such as the configuration of computers, servers, and network infrastructure
  - Process: the procedures employees follow to detect and respond to incidents

Difference between APT Hackers and Penetration Testers
- Penetration testers receive a signed letter from the organization they have been contracted with, indicating that the test has been approved by an authorized party.
- If penetration testers get caught, they do not face any real consequences or arrest.
- Limitations on penetration testers' activities:
  - Not allowed to target top executives
  - Only specific, agreed-upon targets may be tested
  - Only specific personnel are targeted
- APT hackers have no such limits and do not abide by any rules.

AHM Components (Requirements, Skills, Soft Skills)

Elegant, Big-Picture Thinkers
- APT hackers can execute elegant attacks and see the big picture.
- Once you have the correct image of the big picture, you will see that any organization can be compromised: no organization is 100% secure.

Advanced: Echelons of Skill
- The path of mastery is like climbing a series of ladders with platforms between each.
- Each rung in the ladder represents a specific new skill that you must purposefully use to achieve the goal.
- Upon reaching each platform, you obtain an enlightened understanding of the skills that permitted you to get there.
- First, you simply acknowledge that a technology works. Second, you learn how it is supposed to work. Third, you learn how it really works. Fourth, you learn how to break it.

Preparation
- "If I had six hours to chop down a tree, I would spend the first four sharpening the axe." (Abraham Lincoln)
- Preparation for an attack is critical for any attacker.
- Preparation in the form of reconnaissance is an extremely important process that cannot be hurried through.
- Reconnaissance: knowing how to properly perform reconnaissance on a target organization.
- An APT hacker takes the time to test all the tools and techniques to be used in an attack. This can cover testing an exploit, rootkit, backdoor, or phishing website, to make sure everything works before the attack is executed.

Patience
- Patience is a characteristic of APTs.
- APTs spend a lot of time on reconnaissance, while traditional hackers spend little.
- APTs spend a lot of time testing all the tools and techniques to be used in an attack.
- APT hackers ensure that each phase of the attack is well tested, because alerting the target is not an option.

Social Omni-Science
- Social engineering: any act that influences a person to take an action that may or may not be in their best interest.
- Social omni-science is understanding the big picture of how all social elements affect the security of a target. Examples:
  - Inter-relationships between employees and managers
  - Inter-relationships between departments within the organization
  - Impact of the geographic diversity of companies
  - Business policies and procedures
  - Company politics
  - Ethnic differences and diversity of employees
  - Overall security awareness and the importance placed on security
  - World events external to the organization
  - Employee skills
  - Impact of holidays and vacations

Always Target the Weakest Link
- Many attackers simply target the systems they know how to compromise.
- An APT hacker analyzes a target organization and specifically identifies and selects the weakest link for attack.
- A traditional hacker might attempt SQL injection, cross-site scripting, or parameter manipulation on a target's web application and, if it is not vulnerable, move on to another target.
- An APT hacker has an entire toolset of attacks and techniques to choose from. He or she chooses the technique that exploits the specific weakest link in the chain at the target organization, to quickly gain access to the desired asset.
- Success can be guaranteed by performing ample reconnaissance, understanding the target, waiting for the opportune time, and then targeting the weakest link.

Exploitless Exploits
- Exploitless exploits work by simply using a technology as it is intended in order to accomplish our goals.
- One example of an exploitless exploit is tailgating on an administrative channel.
- An APT hacker will also use memory corruption exploits and pre-existing exploits.

Think Outside the Box
- Critical for any hacker, especially an APT hacker.
- It is an ability you can learn; you do not need to be born with it.
- What is in the box: constraints of assumptions, traditional thinking, group thought.
- Thinking outside the box means thinking without the above constraints of assumption or convention.
- The box is constructed of the rules put in place by pragmatism, human nature, people in authority, and your peers.
- An APT hacker thinks outside the box in every phase of a successful attack, from inception to clean-up.
- Nature of being a criminal: not restricted by rules; no fear of the law.
- The bicycles story.

The Process of Thinking Outside the Box
- There are four major techniques within the generic process:
  - Find a creative area (space and time)
  - Think without your filter
  - Just write
  - Create first, filter second

Thinking Outside the Security Box
- Remember that the core technique of thinking outside the box is questioning, or analysis:
  - Determine the traditional answer (assumptions)
  - Question the traditional answer (question assumptions)
  - Analyze the exact opposite of the traditional answer (contradict assumptions)
- One common approach is to consider the existence of a security control to be a positive thing for the APT hacker.

Look for Misdirection
- Think like a magician: organizations always show off their security systems, and that is misdirection.
- Examples:
  - In smaller organizations with limited staff, a security engineer familiar with network security might be far more likely to focus on technology to secure the network while ignoring or neglecting other areas, such as host-hardening standards.
  - Large organizations might be able to afford large teams of security individuals, each with their own unique skill set, but neglect training end users on secure behavior.

Keep It Simple, Stupid (KISS)
- Despite all of the attack vectors, techniques, and tools available to the APT hacker, you must strive to keep your attacks as simple and elegant as possible.
- By keeping our attacks as simple as possible, we avoid unnecessary opportunities for them to fail.
- Leonardo da Vinci put it best: "simplicity is the ultimate sophistication".

APT Hacking Core Steps
- There are seven major steps within each phase of AHM: reconnaissance, enumeration, exploitation, maintaining access, clean-up, progression, and exfiltration.
- Although these steps are performed in this order, they can be iterative, can be performed in a different order, or can be performed many times within one attack.

Reconnaissance
- The most critical step for an APT hacker.
- Performing proper reconnaissance is one of the core differences between a smart threat and an advanced threat.
- This phase cannot be rushed or undervalued.
- As an APT hacker, you must take all the time necessary to fully understand your target, its business, its people, and the technologies in place.

Enumeration
- Considered the final part of reconnaissance, where you focus on identifying specific details about a particular piece or system within an organization.
- For example: specific software versions, user name structure, and the parties responsible for specific systems.

Exploitation
- The phase everyone's mind goes straight to when discussing hacking.
- This is where you take advantage of the vulnerabilities identified in the previous two phases, reconnaissance and enumeration.
- It will typically get you some foothold in the target organization.
- The key to success during the exploitation phase is to have prepared properly.

Clean Up
- Clean-up takes many different forms during an attack. It may involve removing evidence of successful exploitation, removing evidence of the method used to maintain access to a system, and completely removing all traces of enumeration and reconnaissance.

Progression
- Progression can also take many forms: gaining more rights on the system compromised during the exploitation phase, or gaining access to more systems on the targeted network.
- Some people refer to parts of this phase as lily-padding, leapfrogging, or pivoting, in which we use the compromised system to target other systems on the internal network.
- Whatever you call it, progressing deeper into the target organization until we reach our intended goal or asset presents its own unique challenges.

Exfiltration
- As an APT hacker, you must consider the most effective way to get the data you need from your target, whatever that data is: as small as a user name and password for another target system, or as large as a multi-terabyte archive.

APT Hacker Attack Phases
- There are five major phases that we systematically go through when targeting and attacking a specific organization:
  1. Reconnaissance: all available information regarding the target is obtained and analyzed.
  2. Spear social engineering: specific individuals who are likely to be exploitable, and likely to have some level of access to the target asset, are manipulated via purely digital methods into disclosing sensitive information or credentials, or into giving remote access to their system. Digital methods include e-mail, instant messaging systems, USB drives, and others.
  3. Remote and wireless: based on reconnaissance data, remote locations, wireless systems, and remote end users are targeted because less restrictive security controls are in place. Wireless networks and wireless vulnerabilities are targeted to provide as much anonymity as possible while still in close physical proximity to systems owned by the target organization. End-user wireless clients are also targeted using specially designed and extensible rogue wireless access points.
  4. Hardware spear-phishing: end users and key physical locations are targeted using Trojan hardware devices, purpose-built hardware that can compromise an attached computer system, or remotely accessible bugging systems.
  5. Physical infiltration: specific physical locations are targeted, including facilities owned by the target organization, homes of target users, remote third-party facilities, and remote workers in hotel rooms. Physical infiltration is combined with attacks designed to compromise key technical systems, bug key physical areas, and obtain access to intermediate or target physical assets.

APT Hacker Foundational Tools
- A few tools and techniques are necessary within almost every phase of an attack.
- The primary purpose of these tools is to maintain as much of our anonymity as possible.
- Of course, in the digital world we always leave small traces of our existence. These traces will not only be extremely small, but will ultimately lead investigators on a wild goose chase to a place that will not be associated with us.

Anonymous Purchasing
- There will be tools, both digital and physical, that we need to purchase. To keep purchases anonymous, we have few primary options besides cash:
  - Credit card gift cards: they do not require any personal information for activation, and when checking out you can simply choose any name and address as the card owner.
  - Digital currencies, also known as crypto-currencies, such as Bitcoin or Litecoin: they are made to keep all of your transactions anonymous, and many online retailers accept them.

Anonymous Internet Activity
- When performing any activities on the Internet, we must be careful to keep all of our activities anonymous and untraceable.
- We accomplish this by tunneling all of our communications through an intermediate system, which then appears to be the source of our network communication.
- Three primary technologies: open, free, or vulnerable wireless networks; virtual private server pivots; and web and SOCKS proxies.
- The most basic example: we can use an open wireless network to probe and attack our target organization, and the logs on the target server would show the public IP address of the Free_Wifi_Hotspot.
- Another example: by pivoting through a server in London and probing a server in New York, the logs on the New York server would show the source as London.
- Or pivot through countries that may be unfriendly to the country of our target organization; for example, if the target is an American company, we could pivot through servers in China.
- We can also chain together as many of these systems as we choose, to make it as difficult as possible to trace our activities back to us.
- The purpose is to use these methods to delay investigators for an unreasonable amount of time, and then move to another place.
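A defender-side illustration of the pivoting point above, added here and not taken from the book or the slides: because the target's log records only the intermediary's address (the hotspot's, or the London server's), one practical response is to enrich log source addresses against ranges the defender has labelled as hosting/VPS or public-hotspot egress and flag probing behaviour that arrives from them. All CIDR labels, thresholds and log lines are constructed for the example and use documentation address space.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed lookup: CIDR blocks the defender has labelled as VPS/hosting space or
# public-hotspot egress (RFC 5737 documentation ranges, chosen only for illustration).
LABELLED_RANGES = {
    "vps-hosting-london": ipaddress.ip_network("203.0.113.0/24"),
    "free-wifi-hotspot": ipaddress.ip_network("198.51.100.0/24"),
}

# Combined-format access log: client ip, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify_source(ip_str):
    """Label of the range containing ip_str, or None when it is unlabelled."""
    ip = ipaddress.ip_address(ip_str)
    return next((lbl for lbl, net in LABELLED_RANGES.items() if ip in net), None)

def find_pivoted_probing(log_lines, path_threshold=3, error_threshold=2):
    """Flag sources behind a labelled intermediary that also look like a probe:
    many distinct paths, or repeated 4xx responses from guessing at URLs."""
    per_ip = defaultdict(lambda: {"paths": set(), "errors": 0})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate unparseable lines instead of crashing the scan
        rec = per_ip[m["ip"]]
        rec["paths"].add(m["path"])
        rec["errors"] += int(m["status"].startswith("4"))
    findings = {}
    for ip, rec in per_ip.items():
        via = classify_source(ip)
        if via and (len(rec["paths"]) >= path_threshold or rec["errors"] >= error_threshold):
            findings[ip] = {"via": via, "paths": len(rec["paths"]), "errors": rec["errors"]}
    return findings

# Constructed sample: an ordinary visitor, a VPS-pivoted probe, and a hotspot
# client that stays just below both thresholds (so it is not flagged).
SAMPLE_LOG = [
    '192.0.2.5 - - [10/Oct/2023:13:55:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2023:13:56:10 +0000] "GET /login HTTP/1.1" 200 1834',
    '203.0.113.7 - - [10/Oct/2023:13:56:11 +0000] "GET /admin HTTP/1.1" 404 162',
    '203.0.113.7 - - [10/Oct/2023:13:56:12 +0000] "GET /backup.zip HTTP/1.1" 404 162',
    '198.51.100.9 - - [10/Oct/2023:14:02:30 +0000] "GET /robots.txt HTTP/1.1" 200 68',
    '198.51.100.9 - - [10/Oct/2023:14:02:31 +0000] "GET /phpinfo.php HTTP/1.1" 404 162',
]

if __name__ == "__main__":
    for ip, info in find_pivoted_probing(SAMPLE_LOG).items():
        print(f"{ip} via {info['via']}: {info['paths']} paths, {info['errors']} 4xx")
```

The enrichment only tells you which intermediary the traffic came through, which is exactly why the thresholds matter: a single request from a hotspot is not an alert, a burst of URL guessing from one is.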
- These pivot systems can be purchased in another country using the anonymous payment methods mentioned above.

Anonymous Phone Calls
- When we specifically need to use the phone system, for example to perform reconnaissance by calling individuals or to perform social engineering attacks, we do not want to use a phone that has any connection to us.
- You must use a burn phone: a phone used temporarily and then discarded when we are finished. They are inexpensive, do not require a contract, and are perfect burn phones.
- You can pay with cash or with either of the two payment methods mentioned before.
- It is necessary to spoof your caller ID, through inexpensive services such as SpoofCard.
- Law enforcement can trace the physical location of the user.
- There are also Internet-based Voice over IP (VoIP) systems that we can use to place phone calls.
- There are also hardware- and software-based voice changing systems that can actually work quite well.

APT Hacker Terms
- Target asset: our ultimate intended asset at the target organization (e.g., trade secrets, intellectual property, valuables).
- Intermediate asset: any asset that helps us reach our intended target asset (e.g., a compromised computer, a compromised phone, a bugged phone).
- Beachhead: the first compromised host asset at the target organization.
- Lily pad: any intermediate asset that is used to progress toward a target asset.
- Pivot: similar to a lily pad, a pivot is an intermediate asset used to target an otherwise inaccessible intermediate asset.