Today’s cybersecurity climate is more volatile than it has ever been. Threats come from all directions, aimed at anyone and everyone. While cybersecurity training is vital, it’s often difficult for people to understand the true context of the problem without, unfortunately, experiencing it firsthand through a cyber-attack or data breach. That’s why it’s crucial to shift your security mindset and adopt an offensive cybersecurity strategy.
This new and different approach, which empowers people to assert themselves against threat actors rather than become their victims, involves thinking like our adversaries and emulating their behaviors to find where organizations’ vulnerabilities exist. There are many offensive and defensive components to the cybersecurity chess match that we can learn and use in our favor.
The cyber threat landscape has evolved dramatically, and today’s threat actors tend to be motivated by either money or theft of intellectual property, meaning exfiltration of data. It is important to keep this in mind because to think like a threat actor, you first must understand what the threat actor’s motivation or end game is. This is where having an offensive security strategy – emulating the actual mindset of your adversary – can help you beat their game. There are a few examples of this type of thinking. If the target is a financially motivated one, reconnaissance efforts will be geared toward the goal of making money, which can be slightly different if the threat actor’s main goal is to exfiltrate IP or sensitive user data. If the goal is to make money quickly, ransomware is the fastest growing and most likely method of achieving it. To get ransomware into a target’s network, the easiest way is to socially engineer an employee into unknowingly clicking a link or downloading a “file” that installs ransomware on the target’s device, which in turn attempts to escalate access privileges and traverse the target’s network, locking users out until a ransom is paid.
Now let’s think like a threat actor. If we have a specific target in mind, we can go to the Internet for our recon. With the vast amount of open-source intelligence (OSINT) data available on each of us (such as social media, housing purchases, legal court filings, etc.), the recon can be quite simple for a threat actor if they are targeting a specific employee, such as a C-level executive. Let’s pretend we are targeting a CEO because they often have the highest level of access. We decide the best way to go is to employ a Business Email Compromise (BEC) attack. A BEC is when a threat actor goes after a large “phish” [1] with a process called “whaling.” [2]
From here, we want to impersonate the CEO and get someone within the company to transfer money into our account. Recently, the FBI released a public service announcement revealing that business email compromise (BEC) attacks caused domestic and international losses of more than $43B between June 2016 and December 2021, with a 65% increase in losses between July 2019 and December 2021. The first thing to do is to “get to know” the target via social media. Social media is a window into work history, friends and family, hobbies, location, vacation or work trips, metadata from photos (which can give the exact location where a photo was taken), dogs, sports teams, the pattern of how you speak and write, what words you use, the way you structure sentences, and so much more.
Once we have determined where our target lives, we can investigate the types of internet providers that the target may use (and possibly the IP netblocks they issue to that region). Some providers give a unique password to your home router; some will not. For example, where I live there is only one provider that services the area. If our target’s area is similar, having only one ISP makes it easier to determine the router models that ISP issues and whether they ship with default passwords. If so, default passwords are easy to find on the surface web. Typically, a large percentage of home routers use the default username and password of “admin” and “admin.” If we get lucky and the home router is using a default password, we are in. Sometimes we can get access in other ways and find one of the many vulnerabilities in unpatched SoHo routers or Wi-Fi, which might allow us to compromise it. Or perhaps the router exposes additional services via UPnP which may contain vulnerabilities, like a Minecraft server, or remote access into the target’s home network. As a last resort, we can physically show up at the target’s location and perform some sneaky Wi-Fi attacks, or get even luckier and find an open, unencrypted guest network.
Once we are on the network, we can leverage a whole new class of layer 2 attacks against all the systems on the home network, like gaming computers, IoT devices, tablets, etc. If there are work-issued devices on the network, or the target reuses a work password on a non-work device, we will find it.
Once we have the target’s work account credentials, we plan the next stage of our BEC attack. In our recon work we see that our CEO target is going on vacation. This is the perfect time to attack. Our plan is to get the CFO or other responsible financial executive to quickly send money into our threat actor “account.” As threat actors, we use trust, fear, and urgency to get what we want. We can simply use the account credentials gleaned from our CEO and send an email to the CFO or other executive explaining that there is a payment that must be made immediately, or the company will lose a client or some other scare tactic. Being the good threat actors that we are, we have also done our homework and learned exactly how the CEO writes, what words she uses, and how she structures her sentences so that we can impersonate her perfectly. We send our email and wait for the money to arrive.
The above scenario isn’t far-fetched – in fact, it happens every day. Threat actors get more sophisticated all the time. They use what works and learn from what doesn’t. BEC is just one of the weapons in a hacker’s arsenal.
Now let’s leave our threat actor life and jump back into the cybersecurity persona. What are five measures that would protect our target?
- Always change default passwords on all devices and use multi-factor authentication.
- Do not use the same password, or incremental updates to the same password, across accounts. And while on the subject of passwords, please use 15+ characters.
- On a home network, use the guest network option and separate work devices from everything else.
- When posting on social media, think about how much information you are potentially giving to a threat actor and how it can be used against you.
- Employ a code word known only to the CEO, CFO and/or others who can quickly send money. If the “CEO” does not know the code word, money doesn’t get sent.
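The BEC scenario above describes an urgent money-transfer request sent from a compromised executive mailbox to a finance executive while the executive is away. As an added example that is not part of the original post, the following Python triage scores inbound mail on exactly those signals so a finance team can decide when the code-word callback in the last measure must be enforced. The executive roster, out-of-office dates and sample messages are constructed.

```python
"""Heuristic BEC triage for the "urgent payment from the CEO's account" pattern.

Added example (not from the original post). Signals mirror the scenario:
executive sender, finance recipient, executive currently out of office,
a request to move money, urgency language and fear/consequence language.
"""
import re
from datetime import date

# Constructed roster: executive mailboxes with their out-of-office windows.
EXECUTIVES = {"ceo@example.com": (date(2022, 6, 1), date(2022, 6, 10))}
# Constructed set of mailboxes that can actually release funds.
FINANCE = {"cfo@example.com", "ap@example.com"}

URGENCY = re.compile(r"\b(immediately|urgent|today|asap|right away)\b", re.I)
FEAR = re.compile(r"\b(lose (?:the|a) client|penalt(?:y|ies)|legal action)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|bank details)\b", re.I)

def score_email(msg: dict, today: date) -> tuple[int, list[str]]:
    """Return (score, reasons). One point per signal; the caller sets the bar."""
    reasons = []
    sender, recipient = msg["from"].lower(), msg["to"].lower()
    text = f"{msg['subject']} {msg['body']}"
    if sender in EXECUTIVES and recipient in FINANCE:
        reasons.append("executive mailbox writing to finance")
        start, end = EXECUTIVES[sender]
        if start <= today <= end:
            reasons.append("executive is marked out of office")
    if PAYMENT.search(text):
        reasons.append("asks to move money")
    if URGENCY.search(text):
        reasons.append("urgency language")
    if FEAR.search(text):
        reasons.append("fear/consequence language")
    return len(reasons), reasons

def needs_code_word(msg: dict, today: date, threshold: int = 3) -> bool:
    """True when the message must be verified out of band before any transfer."""
    return score_email(msg, today)[0] >= threshold

# Constructed sample messages: one matching the scenario, one benign.
SAMPLES = [
    {"from": "ceo@example.com", "to": "cfo@example.com",
     "subject": "Payment needed immediately",
     "body": "Please wire the invoice amount today or we lose the client."},
    {"from": "ceo@example.com", "to": "cfo@example.com",
     "subject": "Board deck",
     "body": "Can you send me the Q2 slides when you get a chance?"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(needs_code_word(m, date(2022, 6, 5)), score_email(m, date(2022, 6, 5)))
```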
Through an offensive cybersecurity strategy and thinking like the adversary, we are on our way to better protecting ourselves, our families, our work, and our lives. Learn more about how you can Beat the Threat Before It’s a Threat by visiting Secureworks at the in-person and online RSA Conference 2022.
- [1] Phish: The practice of tricking Internet users into revealing personal or confidential information which can then be used illicitly. (Merriam-Webster definition)
- [2] Whaling: A highly targeted phishing attack, aimed at senior executives, masquerading as a legitimate email. (NCSC definition)