6 Questions Attackers Ask Before Choosing an Asset to Exploit

In the past decade or so, we’ve seen a massive shift toward the cloud. The COVID-19 pandemic and the associated pivot to remote work have only accelerated this cloud trend, forcing blue-teamers to be more vigilant in protecting their attack surfaces. While defenders are adapting to support cloud-based environments, attacks against cloud systems have increased by 250 percent in the last year.

More assets in the cloud create challenges for defenders, but it’s wrong to assume that this makes things easier for an adversary. Attackers don’t have time to look at every asset in depth — the number of which can run in the tens of thousands for a large enterprise. Just as there are demands on security teams, adversaries have constraints. Their time has a cost, they must operate within limited budgets and their technical capabilities have an upper bound.

As a person who’s been hired by hundreds of CISOs to test their defenses with a red-team engagement, I’m well aware that defenders are drowning in security alerts, struggling to find the right signals among the noise. These teams have dozens of security applications, checklists and a mass of processes to execute defensive strategies. Yet a massive gap exists between how a blue-teamer defends and how an attacker attacks. Understanding the adversary — the hacker’s logic — is a solid first step to identifying the signals that matter and closing that gap. The attacker’s perspective on how an adversary evaluates assets to go after and exploit on an attack surface begins by answering six questions. And, if this logic is applied in the enterprise, its security strategy will shift, leading to greater efficiency and lower risk.

1. What useful information can I see about a target from the outside? (Enumerability)

Every target in an attack surface has a story to tell, some in more detail than others. Ultimately, the more information an attacker can gather about a piece of technology in use (or about a person in an organization), the more confidently they can plan the next phase of attack, and so the more confidently they can enter a network. The unraveling of details about a target describes enumerability — how finely an attacker can characterize a target from the outside. For example, depending on the service and its deployment, a web-server target could report anything from no server identifier to the specific server name — “Apache” or “Apache 2.4.33.” If attackers can see the exact version of a service in use and its configuration, they can run specific exploits and attacks, maximizing chances of success and minimizing odds of detection.
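As an added example (not code from the article), here is a small Python check a defender can run over their own web responses to rate enumerability the way the paragraph above describes: no identifier, product name only, or exact version. The HTTP responses are constructed samples, not captures from any real host.

```python
import re
from typing import Dict, List, Optional

# Constructed sample responses illustrating the three disclosure levels the article
# describes for a web-server target (not captured from any real system).
SAMPLE_RESPONSES = {
    "hardened": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "product_only": "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n",
    "full_version": ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.33 (Ubuntu)\r\n"
                     "X-Powered-By: PHP/7.2.24\r\nContent-Type: text/html\r\n\r\n"),
}

# Headers that commonly carry product and version strings.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")  # e.g. 2.4.33 or 7.2.24


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP response into a lower-cased header map; the status line is dropped."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def enumerability(raw: str) -> Dict[str, object]:
    """Rate what an outsider learns: 0 = nothing, 1 = product name only, 2 = exact version."""
    headers = parse_headers(raw)
    banner: Optional[str] = headers.get("server")
    # Any banner header containing a dotted version number leaks the exact release.
    leaks: List[str] = [h for h in BANNER_HEADERS
                        if h in headers and VERSION_RE.search(headers[h])]
    if leaks:
        level = 2
    elif banner is not None:
        level = 1
    else:
        level = 0
    return {"level": level, "server": banner, "version_leaking_headers": leaks}


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(name, enumerability(raw))
```

On Apache the `Server` banner is governed by the `ServerTokens` directive (`ServerTokens Prod` reduces it to the bare product name), so a level-2 result from your own hosts is a configuration finding rather than a code bug.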

2. How valuable is this asset to the adversary? (Criticality)

Every step a hacker takes is effort, time, money and risk. It’s better to knock on doors that lead somewhere than to fumble at targets randomly. Some targets are just more likely to lead somewhere than others because their very purpose makes them a juicy target. Attackers assess criticality before acting, in order to focus their efforts on targets that are likely to lead them closer to their objectives. Security appliances like VPNs and firewalls, or remote-support solutions on the perimeter, are known keys to the kingdom — compromising one can open a path to the network, and to credentials that would allow for greater network access. Likewise, credential stores and authentication systems can give the attacker more credentials if compromised. Attackers seek tools that provide the most leverage and access. Exposed assets that don’t protect, and won’t lead to, critical data or access are just less valuable to hackers.

3. Is the asset known to be exploitable? (Weakness)

Contrary to popular belief, having a high-severity CVSS ranking on the CVE list doesn’t automatically mean a target is of great interest to an attacker. There have been many “critical, wormable, world-ending, fire-and-brimstone” vulnerabilities that weren’t actually exploitable. Even more bugs are exploitable, but only in very specific circumstances. Some may be perfectly exploitable in theory, but nobody has actually done the work to do it. Attackers must consider the cost and likelihood of actually pwning an asset. If a useful proof-of-concept (POC) exists, that is a good indicator. If there’s lots of research and analysis about a specific vulnerability, exploitation might not be a question, it might just be work. Time is money, and exploits take time, so a hacker has to consider the tools available in public, the tools they can afford to build or the tools they could buy (think Canvas or Zerodium). For a specific asset, in certain cases, adversaries buy previously built exploits. This happens a lot more than many realize.

4. How hospitable will this asset be if I pwn it? (Post-exploitation potential)

An attacker’s definition of a “hospitable environment” is one that makes it easy to live in and travel through, undetected. This is an asset where malware and pivoting tools work and where few defenses exist. This target is one that blue teams simply cannot install any defenses on, so the attacker knows they can operate with little worry of being detected. Any technology that is sufficiently protected and monitored — like endpoints — is not hospitable. Desktop phones and VPN appliances, and other unprotected hardware devices that are physically plugged into the network and have standard execution environments, make a great host. Many devices are built on Linux and come with a complete userspace and standard tools pre-installed, making them a target with high post-exploitation potential.

5. How long will it take to develop an exploit? (Research potential)

Knowing you’d like to attack a particular target, and actually having some exploit or technique to do so, aren’t the same thing. When looking at a particular target, a hacker has to assess how likely they are to succeed in developing a new exploit, and at what cost. Vulnerability research (VR) isn’t just for finding things to patch. Hackers do VR on targets because they want to exploit them. The cost of that research, along with the cost of testing and refining any resulting tools, is part of assessing whether a target is worth attacking. Well-documented, well-researched or open-source tools that can easily be obtained and tested are easier targets. Expensive and obscure platforms (usually hardware like VoIP systems or those absurdly expensive security appliances) call for special skills and resources to attack (even though they’re attractive because of the amount of data stored and the level of access granted). Any barriers to entry limit adversaries’ incentives to target specific platforms, tools or services.

6. Is there repeatable ROI in developing an exploit? (Applicability)

One of the biggest shifts from the defender mindset to hacker logic is understanding attackers’ business models. Attackers invest time, research and human capital in creating exploits and building tools. They want the highest possible ROI. Your organization is most likely one of many a hacker is interested in, because your attacker wants to spread their costs over many victims at once. Attackers assess applicability to understand the potential to create and use an exploit beyond a single instance. With limited resources, attackers create exploits for widely used technologies that create high earning potential across multiple targets. Remember when Macs were seen as unhackable? At the time, Microsoft had more market share, so exploiting Windows was more profitable. As Windows becomes a harder target, and Macs proliferate in the enterprise, that changes. Likewise, iOS vulnerabilities were far more expensive than Android bugs. But market forces are driving iOS vulnerabilities to become more common and less expensive (relatively).
