If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle. - Sun Tzu, The Art of War
Some advice on preventing about 70% of the incidents I see over in /r/securitybreach, a subreddit started to help answer the questions: What’s the enemy after? How do they go about trying to get it?
Approximately 30% of the incidents I’ve seen stem from an Account Compromise: Credentials were compromised and now there’s unauthorized access to data.
The tactic is basic password spraying: grab a combo list like Exploit.in and spray those creds across multiple targets.
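The spraying pattern above has a recognisable shape in authentication logs: one source touches many accounts with only a failure or two each, which is the opposite of a brute force against a single account. The following is an added example (not code from the post) that parses a constructed, simplified auth-log format and flags sources that match that shape, also reporting any account that succeeded from the same source inside the window, since that is the account most likely compromised. The log format, field names, thresholds and IP addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the post). The first source sprays one
# attempt each across five accounts and then lands on "frank"; the second source
# hammers a single account (brute force, not a spray); the third is a normal login.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z auth=FAIL user=alice src=203.0.113.7
2024-05-01T09:00:03Z auth=FAIL user=bob src=203.0.113.7
2024-05-01T09:00:05Z auth=FAIL user=carol src=203.0.113.7
2024-05-01T09:00:07Z auth=FAIL user=dave src=203.0.113.7
2024-05-01T09:00:09Z auth=FAIL user=erin src=203.0.113.7
2024-05-01T09:00:11Z auth=OK user=frank src=203.0.113.7
2024-05-01T09:00:12Z auth=FAIL user=alice src=198.51.100.4
2024-05-01T09:00:13Z auth=FAIL user=alice src=198.51.100.4
2024-05-01T09:00:14Z auth=FAIL user=alice src=198.51.100.4
2024-05-01T09:00:15Z auth=FAIL user=alice src=198.51.100.4
2024-05-01T09:00:16Z auth=FAIL user=alice src=198.51.100.4
2024-05-01T09:00:16Z auth=OK user=alice src=192.0.2.10
"""

# Assumed line layout: "<ISO timestamp> auth=<OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "ok": m.group("result") == "OK",
            "user": m.group("user"), "src": m.group("src")}


def detect_spray(log_text, window_minutes=10, min_users=5, max_per_user=2):
    """Flag sources whose failures inside a time window spread across at least
    min_users distinct accounts with no single account failing more than
    max_per_user times (the spray signature). Returns a list of alert dicts."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]

    # Bucket events by (source, window start) so each window is judged on its own.
    buckets = defaultdict(list)
    for e in events:
        start = e["ts"].replace(second=0, microsecond=0)
        start -= timedelta(minutes=start.minute % window_minutes)
        buckets[(e["src"], start)].append(e)

    alerts = []
    for (src, start), evs in sorted(buckets.items()):
        failures = defaultdict(int)
        for e in evs:
            if not e["ok"]:
                failures[e["user"]] += 1
        if len(failures) >= min_users and max(failures.values()) <= max_per_user:
            # A success from a spraying source is the account to reset first.
            successes = sorted({e["user"] for e in evs if e["ok"]})
            alerts.append({
                "src": src,
                "window_start": start.isoformat(),
                "distinct_users": len(failures),
                "max_failures_per_user": max(failures.values()),
                "successes": successes,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

The brute-force source is deliberately not flagged here: lockout policies already catch that shape, while a spray stays under per-account lockout thresholds by design, which is why the detection keys on the number of distinct accounts per source rather than failures per account.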
Broken Access Control
“Nobody wants to hack us”
About 20% of incidents are due to broken access control, yet there’s more to the story, and the motivation is possibly more interesting. The majority of broken access control incidents I’ve seen are schadenfreude-motivated.
Maybe you don’t process credit cards or cryptocurrency. Maybe you don’t store any personal data. Doesn’t matter: there’s a company or consultant out there looking for press, and they’d love to find your open S3 bucket, Elasticsearch database, or MongoDB instance.
How are you doing on those SANS Critical Security Controls? Number 1 is inventory. You can’t protect what you can’t see. Simply running Scout2 and acting on that insight would prevent 50% or more of the Broken Access Control incidents I see.
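Inventory tools like Scout2 report a bucket as exposed by reading its policy and ACL and looking for grants to anonymous principals. The following is an added example, not Scout2's code and not from the post, that shows the two checks behind such a finding on constructed policy and ACL documents (the JSON shapes are the ones S3 returns; the bucket name, account ID and statement contents are assumptions for the example). Feeding it real documents from an API call is left to the reader so the block runs offline.

```python
import json

# The two grantee groups that make an S3 ACL grant public.
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed sample bucket policy: one anonymous read grant, one scoped to a role.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

# Constructed sample bucket ACL with an AllUsers READ grant.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}


def _principal_is_anyone(principal):
    """True for the forms that mean 'any principal': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return the Sids (or positions) of Allow statements that grant anonymous
    access with no Condition block. Statements with a Condition are skipped
    because conditions such as source VPC endpoints may narrow the grant; they
    still deserve a manual look."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    hits = []
    for i, s in enumerate(statements):
        if s.get("Effect") != "Allow" or s.get("Condition"):
            continue
        if _principal_is_anyone(s.get("Principal")):
            hits.append(s.get("Sid", f"statement[{i}]"))
    return hits


def public_acl_grants(acl):
    """Return (group, permission) pairs for ACL grants to everyone."""
    out = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_ACL_URIS:
            out.append((uri.rsplit("/", 1)[-1], grant.get("Permission")))
    return out


if __name__ == "__main__":
    print("public policy statements:", public_policy_statements(SAMPLE_POLICY))
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
```

Running both checks against every bucket in every account is the inventory step the post is pointing at: the finding is only actionable once the list of buckets itself is complete.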
Insufficient Logging & Monitoring
This one, sorry, I don’t have concrete insight into Magecart tactics. I’ve got a hunch that there’s not a strong culture of peer reviews or CI/CD in the victim environments.
At the least, make sure you have sufficient logging & monitoring in place to know when a change happened, authorized or not.
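Knowing that a change happened starts with a baseline to compare against. The following is an added example, not from the post, of the simplest form of that: hash every deployed file into a manifest, store the manifest somewhere the deployment host cannot rewrite, and diff a fresh manifest against it on a schedule or after each deploy. The sample file trees are constructed for the example; read_tree is the hypothetical helper that would populate them from a real directory.

```python
import hashlib
import os


def hash_bytes(data):
    """SHA-256 hex digest of a file's contents."""
    return hashlib.sha256(data).hexdigest()


def read_tree(root):
    """Read every regular file under root into {relative_path: bytes}."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                files[os.path.relpath(path, root)] = fh.read()
    return files


def build_manifest(files):
    """Map each relative path to the hash of its contents."""
    return {path: hash_bytes(data) for path, data in files.items()}


def diff_manifests(baseline, current):
    """Report what changed between two manifests, with sorted lists so the
    output is stable enough to alert on or to store as a record."""
    baseline_paths, current_paths = set(baseline), set(current)
    return {
        "added": sorted(current_paths - baseline_paths),
        "removed": sorted(baseline_paths - current_paths),
        "modified": sorted(p for p in baseline_paths & current_paths
                           if baseline[p] != current[p]),
    }


# Constructed sample: a site's assets at deploy time, then the same tree after an
# edit nobody reviewed touched the checkout script and dropped in a new file.
BASELINE_FILES = {
    "index.html": b"<html><body>shop</body></html>",
    "js/checkout.js": b"function pay(form) { return submit(form); }",
}
CURRENT_FILES = {
    "index.html": b"<html><body>shop</body></html>",
    "js/checkout.js": b"function pay(form) { return submit(form); }\n/* unexpected */",
    "js/extra.js": b"/* not in the deploy manifest */",
}


if __name__ == "__main__":
    baseline = build_manifest(BASELINE_FILES)
    print(diff_manifests(baseline, build_manifest(CURRENT_FILES)))
```

The diff is the same whether the change was an authorized hotfix or not; the point is that it raises an event either way, and the authorized case is the one you can close quickly because a change ticket or CI run explains it.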
APT: maybe a nation state figured it out, but now every script kiddie knows how to do it. I find APT tactics interesting, partially due to the asymmetric problem of defense, partially because – thanks to open source tooling – the methods are easy to execute, and mostly because it’s a great example of turning your enemy’s strength (Active Directory) into their weakness.
Side note: The Art of War is possibly the best security book written. OK, back to APT.
The one thing I’d recommend: Run through it yourself in your environment. Once you see how it’s done you will “know the enemy” and can leverage what you know about your environment – know thyself – to implement IOCs.
Here’s a simple recipe:
- Use Metasploit as your C&C
- Use Unicorn to generate a payload with a good chance of avoiding AV detection.
- Find a list of targets on LinkedIn.
- Phish your list. Email them a link to your Unicorn payload and a simple message to trick them into running it.
- Now you’re on the network. Use PowerShell Empire to find a logged-in domain admin.
- Game over
What’s that sound?
It’s old hats – grey beards? – grumbling: Nothing new here, old news. Maybe, but if it’s old news then why’s it still effective? Incident trend data shouldn’t be the domain of marketing teams trying to push the next silver bullet. Help me out over in /r/securitybreach.
The general who wins the battle makes many calculations in his temple before the battle is fought. The general who loses makes but few calculations beforehand.