Anatomy Of A Hack: RSA

It's not a matter of if you'll get hacked, more a matter of when. Security company RSA found this out recently when they discovered that their systems had been compromised by a so-called Advanced Persistent Threat (APT). There aren't a lot of details on the impact of the attack (although a lot of wild speculation), but RSA did say that information related to one of their security products was obtained by the attackers.

RSA have now released some additional information through their blog about how the attack happened. Some of you have had the opportunity to see me present at the Small Business Community Network (SBCN) in the past and may recall a session where I demonstrated the anatomy of a hack. Looking at the information shared by RSA, it's surprisingly familiar territory; so let's revisit what I presented to the SBCN and see how this might have helped RSA!

Setting The Stage

The first step in the SBCN demonstration actually started weeks before the presentation. It's true I have a slightly unfair advantage in setting up the pretext for the 'attack' (in that I am intimately familiar with the SBCN), but I made a conscious effort to stick ONLY to publicly available knowledge.

To establish the pretext for the attack, I found contact details for all of the SBCN members and (from the web site) determined that Linda Ockwell-Jenner was the founder/leader of the organization. Linda happens to be very well connected, so it is likely that she holds a high level of reputation within the community.

And so we created our story: a local college student was working with Linda on some SBCN-related initiative. Our student (we'll call him George) wants SBCN members to help him test out a new system he's created. George will therefore e-mail all the SBCN members, introduce himself and ask people to click a link where they can start testing!

Phishing For Phun

After creating an e-mail address for George, I sent a message to all the SBCN members, posing as our helpful student. In an actual attack similar to what we have seen with RSA, this e-mail would likely include an attached document, or a web site link leading to a document, containing information relevant to the individuals being targeted. However, for the purposes of the demonstration we certainly didn't want to compromise members' computers!

Instead, we picked an example activity that would give some indication of how successful a real attack might be. The e-mail asked members to click on a suspicious-looking link under the guise of helping to test a new registration system. When they clicked the link, they were asked to supply their SBCN web site username and password -- sensitive information that should never be shared! The hypothesis is that people who were willing to enter their passwords were likely also to open documents.

Several members provided satisfaction for the hypothesis.

Establishing the Back Door

During the presentation, we picked up the example and followed it through in a controlled lab environment, essentially performing the attack for real. We clicked on a suspicious link which took us to a page containing information relevant to small business owners -- and a free downloadable business assessment document. As soon as the document was opened... wham... the computer was infected with malware sophisticated enough to evade detection by anti-virus.

The malware itself connects out from the compromised machine, back to the attacker -- who, in our simple demonstration, was me! From here, the attacker is able to fully control the compromised machine. In our example we looked at, and stole, some files stored on the machine itself. This compromised system was now an entry point for the attacker.
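The outbound "call home" described above is the one thing a perimeter firewall will happily allow, yet it also leaves a regular pattern in egress logs. The following is an added example (not code from the original post or from RSA) that flags hosts making evenly spaced connections to the same destination; the log format, the constructed sample lines and the thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample egress log (not from the post): epoch time, source, destination, port.
# The first host checks in every 60 seconds; the second host browses irregularly.
SAMPLE_LOG = """\
1300000000 10.0.0.12 203.0.113.5 443
1300000060 10.0.0.12 203.0.113.5 443
1300000120 10.0.0.12 203.0.113.5 443
1300000180 10.0.0.12 203.0.113.5 443
1300000240 10.0.0.12 203.0.113.5 443
1300000300 10.0.0.12 203.0.113.5 443
1300000005 10.0.0.7 198.51.100.9 443
1300000210 10.0.0.7 198.51.100.9 443
1300000230 10.0.0.7 198.51.100.9 443
1300000900 10.0.0.7 198.51.100.9 443
"""


def parse_log(text):
    """Group connection timestamps by (source, destination, port) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(int(ts))
    return flows


def find_beacons(flows, min_conns=5, max_cv=0.1):
    """Return (flow, mean interval) for flows whose gaps are suspiciously regular.

    Regularity is measured by the coefficient of variation (stdev / mean) of the
    gaps between consecutive connections; a low value means a steady heartbeat.
    """
    beacons = []
    for key, times in flows.items():
        if len(times) < min_conns:
            continue
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((key, avg))
    return beacons


if __name__ == "__main__":
    for (src, dst, port), interval in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst}:{port} every {interval:.0f}s")
```

Real malware often adds jitter to its check-in interval, so in practice the thresholds need tuning against the baseline of your own network rather than the values assumed here.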

Exploring the Network

But for an attacker, the compromised machine represents much more than a source of documents and other files. It's a beachhead established within someone else's network. In our demonstration, the compromised machine was part of a simple network... and our attacker used the compromised machine to scan for other systems to attack. As we proceeded with the exercise, we found a server on the network and proceeded to attack it via the system we originally compromised.

This is the critical point: it takes just a single compromised system to give an attacker the opportunity to 'look around' for other targets. This is where the thinking behind simply securing the perimeter of your network fails: the attacker is already 'on the inside'.

Data Gathering

During our demonstration we looked at a few typical things that an attacker might do. We stole (and cracked) passwords, which got us into shared folders full of company files. We looked at confidential documents and even put in place a mechanism for the attacker to browse internal-only web sites, revealing yet more information. These are just some of the techniques attackers use in the search for data.

Exfiltration

At the end of the presentation, our attacker had run off with several confidential documents, salary information for the small business staff and their research and development plans for the next few years! And all the while, the anti-virus kept on running. The firewall was operational the whole time, and the computer's owner saw not one indication of any nefarious activity.

So, RSA?

The demonstration I did for the SBCN was very close to what just happened at RSA. They were victims of a targeted phishing attack (so-called spear phishing) which had users open a document. In the case of RSA, it happened to be an Excel spreadsheet containing an embedded Flash file that exploited a previously unfixed security issue on Windows. Once opened, the attacker had access to the RSA network just as our attacker did during the SBCN demonstration.

As it turns out, the Advanced Persistent Threat isn't so advanced after all. The SBCN demo took probably around a week to set up, including building our pretext, setting up a lab environment to show how all this works, and actually making it work!

Bottom line: don't be the next RSA. Understand that attacks like this happen, and what you should be doing to minimize the likelihood that it happens to you. Amazing what you can learn in an SBCN presentation!