Embrace an Attacker Mindset to Improve Security
Perry Carpenter: Hi, I'm Perry Carpenter and you're listening to 8th Layer Insights. Let's start today's show with a little thought experiment. You can do this physically later if you have time but for now let's just do this mentally. Picture yourself outside your house, your apartment, your condo, wherever you live and now imagine that you're a thief who wants to get in. What would you do? You might first check to see if each door is unlocked. You might check to see if any of the windows are unlocked and in your case what do you think you would find? Now imagine they are locked, then what would you do? Well, I guess that depends on if you're targeting your house specifically or just any house in your neighborhood. If just any house will do, you might move on to see if there's a house whose owners didn't think to lock up but if you really wanted to get into your locked house, what might you do? Here are a few ideas.
Perry Carpenter: If you brought the right tools, you might try to pick the lock or bump the lock, exploiting a vulnerability in how the lock was actually designed or implemented. Or you might look to see if there's an upstairs window or a balcony that you can get to so that you can test the locks there. Maybe check under any welcome mats, flower pots or rocks that you see near doors just to see if somebody might have hidden a key to help them if they get locked out some day. You might check to see if any of the cars in the driveway are unlocked and have a set of keys inside that you can try and if none of those work, do you start getting more extreme? You might start thinking about destructive ways of gaining entry, maybe breaking a window or kicking down a door. Or you might think about innovative and creative ways of getting in.
Perry Carpenter: Maybe you can dress up as a service person or a law enforcement officer and just ring the door bell. Or maybe you take another look at all the exterior doors, to see if any have hinges on the outside where you could remove the hinge pins and just pull the door away. Or you could find a way to cause a distraction outside that might get someone to open the door and come outside to investigate so that you can slip in unnoticed. You get the idea. This is a simple way to understand and adopt an attacker mindset. We just took a couple minutes to run through that process and you probably already identified at least ten different ways that a motivated person could gain entry to the place that you live. That can be scary but it's also valuable because if you came up with all of those ways that fast, it means that lots of other people can as well and now you can start to find ways to mitigate each of those possible attack vectors.
Perry Carpenter: The idea behind this is to understand the mindset, the motivations and the capabilities of a possible threat actor so that you aren't simply oblivious to your vulnerabilities. Today's show is a deep dive into attacker mindsets. We'll hear from four experts who really know what it is to view the world through the eyes of an attacker. We'll hear from Chris Kirsch, David Kennedy, Maxie Reynolds and Ted Harrington. Let's dive in.
Maxie Reynolds: Building secure infrastructure is all well and good but if you really want to keep data safe, I think the best way to do it is to understand how people think, both the employees of a company and the people who are seeking to destroy those defenses and get past those people.
David Kennedy: There's a lot of different things that go into it. Are you trying to emulate a nation state from a capabilities perspective or are you, you know, looking at organized crime? There's a lot of different models you can look at and those approaches vary based off of the sophistication of the attacker and, and what you're ultimately trying to go after.
Chris Kirsch: With threat modeling what you have to do is figure out all the different ways that somebody could hurt you or somebody could get to a certain goal that you want to keep from.
Maxie Reynolds: Split the mindset into two, the offensive side and the defensive side. The offensive side keeps you in that hunt mode as the attack unfolds and it helps you identify opportunities that present themselves and exploit them.
Ted Harrington: I have to think the bad thoughts which is I have to have the attacker mindset, I have to look at something and say how can I break it, you know. It's supposed to do X, can I make it do Y?
Chris Kirsch: So you, you typically start with defining what's important to you and then you think backwards and say, "Alright, what do I need to protect from, to protect that asset that I care about?"
Maxie Reynolds: You can never be frantic or frustrated within an attack, you have to very much keep yourself together because otherwise you'll draw attention.
Ted Harrington: What was this person thinking when they were building it? What was the actual process that their mind was going through in terms of how they assume that people would use this system?
David Kennedy: What's the most effective route for us as an attacker to profile and target an organization, to get access to objectives? Is that profiling their external perimeter, looking for security exposures that they may not have identified? Is that going through and targeting key individuals within your organization that may have a level of access, through phishing your social engineering capabilities? We're really trying to emulate what an actual attacker would do.
Ted Harrington: Once you can understand that assumption, you can now poke at the assumption and say, "Are there flaws in the assumption?" and when you combine those two, you can find those flawed assumptions and unexpected weakness in the system, that's where these exploitable vulnerabilities live.
Perry Carpenter: On today's show, we learn the value of intentionally adopting an attacker mindset and how we can use that mindset to improve the security of our organizations and our personal lives. All of that after the break. Stay with us.
Perry Carpenter: Hi there, my name is Perry Carpenter. Join me for a deep dive into what cyber security professionals refer to as the 8th layer of security, humans. This podcast is a multi-disciplinary exploration into the complexities of human nature and how those complexities impact everything from why we think the things that we think to why we do the things that we do and how we can all make better decisions every day. Welcome to 8th Layer Insights. I'm your host, Perry Carpenter.
Perry Carpenter: Welcome back. I really believe that the study of attacker mindsets is a fundamental and necessary aspect of any good security program. Bruce Schneier who was a guest back in episodes two and five summed it up well in a blog post way back in 2008. That blog was simply titled The Security Mindset and let me read a little bit of what he wrote. He says, "Uncle Milton Industries has been selling ant farms to children since 1956. Some years ago, I remember opening one up with a friend and there were no actual ants included in the box. Instead, there's a card that you filled in with your address and the company would mail you some ants. My friend expressed surprise that you could get ants sent to you in the mail and I replied, 'What's really interesting is that these people will send a tube of live ants to anyone that you tell them to.'"
Perry Carpenter: Security requires a particular mindset. Security professionals, at least the good ones, see the world differently. They can’t walk into a store without noticing how they might shoplift. They can’t use a computer without wondering about the security vulnerabilities and they can’t vote without trying to figure out how to vote twice. They just can’t help it. And then Bruce goes on to write this, "SmartWater is a liquid with a unique identifier linked to a particular owner. The idea is for me to paint this stuff on my valuables as proof of ownership," I wrote when I first learned about this idea. "I think a better idea would be for me to paint it on your valuables, and then call the police." Really, we just can’t help it.
Perry Carpenter: And then here's how he sums up the mindset. He says, "This kind of thinking is not natural for most people. It’s not natural for engineers. Good engineering involves thinking about how things can be made to work. The security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary, or a criminal. You don’t have to exploit the vulnerabilities that you find, but if you don’t see the world that way, you’ll never notice most security problems." And that really gets to the heart of today's show. If we can't see the world that way then we'll never-- Carl, Carl can you get that? Huh. Carl's not around. I guess that donut really didn't agree with him. How am I expected to do today's show without a sound engineer or coffee boy? Oh, okay. I guess it was just mail delivery, there's nobody outside, just this lumpy Fedex envelope. I wonder what's inside.
Perry Carpenter: Okay, I'm looking inside. It's just a sheet of paper and an old foot phone. Let's see what the note says. "All warfare is based on deception. Hence, when we are able to attack, we must seem unable. When using our forces, we must appear inactive. When we are near, we must make the enemy believe that we are far away. When we are far away, we must make him believe that we are near. Sun Tzu, The Art Of War." Strange! Someone is sending me overused Sun Tzu quotes. I wonder what's up with that. Oh, crap, that scared me. It's the foot phone. Hello? Yes.
Sun Tzu: If you know the enemy and know yourself, you need not fear the result of 100 battles. If you know yourself but not the enemy, for every victory gained, you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
Perry Carpenter: Who is this?
Sun Tzu: Call me Sun Tzu.
Perry Carpenter: But Sun Tzu died, like, in the 5th century BC, you can't be him.
Sun Tzu: Zip it, podcast boy, just go with it.
Perry Carpenter: Hello, hello? Whatever, dude, but you creeped me out. I've got a show to do and where's Carl? Gee. Yes.
Sun Tzu: To know your enemy, you must become your enemy.
Perry Carpenter: What?
Sun Tzu: Engage people with what they expect. It is what they are able to discern and confirms their projections. It settles them into predictable patterns of response, occupying their minds while you wait for the extraordinary moment, that which they can not anticipate.
Perry Carpenter: That's it. You're creeping me out. I'm gone. I'm going to deal with this once and for all. Operator, can you trace a call? I've been getting these weird prank calls? I don't know, some guy spouting random Sun Tzu quotes. Okay, thanks. I'll wait to hear back from you.
Perry Carpenter: Hello?
Perry Carpenter: Hello?
Sun Tzu: Perry.
Perry Carpenter: Oh, man, I'm getting really tired of this.
Sun Tzu: If your enemy is secure at all points, be prepared for him. If he is in superior strength, evade him. If your opponent is temperamental, seek to irritate him.
Perry Carpenter: Man, you're irritating me, I'll tell you that.
Sun Tzu: Pretend to be weak that he may grow arrogant.
Perry Carpenter: Can you hold on for just a sec?
Operator: Sir, we traced the call. It's coming from your location.
Perry Carpenter: That's interesting.
Operator: Sir, the caller is inside the house. Would you like me to call law enforcement for you?
Perry Carpenter: No, I think I've figured out what's going on. Thanks for letting me know. I'll call 911 if this turns out to be a real emergency.
Operator: Yes, sir. Be safe.
Perry Carpenter: Thank you. Okay. I'm back. You were saying?
Sun Tzu: If he is taking his ease, give him no rest. If his forces are united, separate them. If sovereign and subject are in accord, put division between them. Attack him where he is unprepared. Appear where you are not expected.
Perry Carpenter: Carl.
Carl: Yeah. Oh.
Perry Carpenter: Carl, I know it's you.
Perry Carpenter: Just come on out.
Perry Carpenter: Oh, man, what did you eat? That's awful. Ugh. Okay, I appreciate you dramatically trying to get us into this attacker mindset topic for today but that was a little bit too far. Can you just reel it in a little bit from now on? Thanks. That was a really cool voice changer app though. Congratulations! You had me going on that one for a minute. Okay. Now, I think we have a podcast to get to and we have some guests that we want to hear from, so let's try to maintain a little bit of focus from here on out today. Thanks.
Perry Carpenter: Let's jump back in to understanding what an attacker's mindset is and why we need to cultivate an attacker mindset to improve our security. To do that I'll introduce Maxie Reynolds. Maxie is the technical team lead at Social-Engineer LLC and she recently wrote an entire book all about the attacker mindset, it's called The Art Of Attack, Attacker Mindset For Security Professionals. It was recently optioned by Netflix and is likely to go into production in 2022. Maxie, tell us about the premise of the book and why you decided to write it.
Maxie Reynolds: With the book I wanted to look at the mindset specifically because I think most often you hear that it's user error that causes or contributes to most security failures and I think that is true to a large degree but I think there's a lot to be said about the varying methods of security from a corporate and cultural standpoint. So I started thinking about that and when I did, I came to realize that it's actually an attacker's mindset that gets past all of those things, so it's, yes, the, the end user or the receptionist can fail, so to speak, but it's the attacker mindset itself that gets those people and defenses to fail. I also looked at how building secure infrastructure is all well and good but if you really want to keep data safe, I think the best way to do it is to understand how people think, both the employees of a company and the people who are seeking to destroy those defences and get past those people.
Perry Carpenter: Maxie sums up the problem and purpose. Well, this gets back to what Bruce Schneier wrote about in the blog excerpt that I read earlier in the show. Being able to look at systems and environments from an attacker's perspective is hugely important. A normal person looks at a system and will only really contemplate how to use that system. An attacker or a good security person will look at a system and contemplate how it might be abused and that's a completely unique way of engaging with the world. It's all about uncovering blind spots and vulnerabilities and, as you can imagine, it can be a super fun job for people who are good at it.
David Kennedy: My whole career has been really trying to understand the attacker mindset or offensive capabilities that adversaries and attackers have. It's a fun job first and foremost, you get to break into things and, and steal money. Unfortunately you have to put the money back but, you know, you get the ability to really help organizations get better with defenses.
Perry Carpenter: That's David Kennedy, he's the founder and CEO of TrustedSec and the CTO and founder of Binary Defense.
David Kennedy: When you start looking at how you're going to target an organization, you know, there's a lot of different things that, that kind of go into it. Are you trying to emulate a nation state from a capabilities perspective like China or Russia or North Korea or Iraq or are you looking at organized crime? There's a lot of different models you can look at. Ultimately your goal is to have, you know, some sort of objectives that you want to go after, whether that's intellectual property, whether that's trade secrets, whether that's credit card data, there's a number of objectives for organizations that they want to try and protect. And so having objective based goals is typically what we look for when we go through these types of engagements or assessments and then we start to build a way for us to be able to gain access to those systems.
David Kennedy: So what's the most effective route for us, as an attacker, to profile and target an organization to get access to our objectives? Is that profiling their external perimeter, looking for security exposures that they may not have identified? Is that going through and targeting key individuals within your organization through phishing or social engineering capabilities and really trying to emulate what an actual attacker would do against an organization? Ultimately it's profiling the organization, understanding our objectives and then starting to figure out the best way that we can get access to that data in any way possible in order to demonstrate the impact that we could have as an attacker, an adversary going after it.
Perry Carpenter: Embracing an adversarial mindset for positive reasons isn't unique to the security industry. It's used by militaries around the world as they run war games and a form of it was even used by the Catholic Church. Let me explain. You've probably heard the phrase "playing devil's advocate" before. Essentially that's what embracing an attacker mindset is. Now here's a bit of interesting history. The origin of the phrase "devil's advocate" may actually be way more literal than you think. In 1587 Pope Sixtus V established the position Advocatus Diaboli which is Latin for devil's advocate. This person's job was to find reasons that a particular candidate for sainthood shouldn't be deemed worthy for the position. In other words, their role was to play the skeptic, to do things like suggest natural explanations for alleged miracles or they might suggest that the candidate for sainthood performs certain acts of service out of vanity or selfishness. You get the idea.
Perry Carpenter: The job was to find vulnerabilities in each candidate's case for sainthood. Their duty was seen as difficult and unpleasant but vital to the integrity of the process. Pope John Paul II did away with the formal role of devil's advocate in 1983 as part of an effort to streamline the canonization process for saints but here's the important thing. Even without this formal role, the Catholic Church still recognizes the vital nature of the function of a devil's advocate and so the tradition carries on even today. And if you're wondering, people started using the phrase, "devil's advocate" the way that we do today, way back in the mid 1700s. So this mindset of specifically looking for flaws in something is critical. We need it because we all have blind spots.
Perry Carpenter: When we're building something we can typically only imagine using that thing the way that we designed for it to be used. We're blind to how it might be misused and abused. It's kind of like if you've ever written a paper or an email that had a few really bad typos or grammatical errors that other people could probably spot really easily and you could even spot easily if it were somebody else's writing but because you already know what you wrote, you're prone to miss out on those errors because your mind is prioritizing your intent, what you already know exists, over the visual input that it's receiving. We're blind to so many issues and faults in our systems and the world around us because of what's known as present bias. We prioritize our short-term gains and our pleasures over long-term good.
Perry Carpenter: We also suffer from optimism bias, believing that bad things just won't happen to us or if they do, they won't be as bad for us as they are for other people and we tend to live in truth default mode.
Maxie Reynolds: It wouldn't do us any good to have to think about someone, every sentence they said, to, like, go over it with a fine-tooth comb. We wouldn't build societies, we wouldn't build relationships, it would, it would do us no good. And so truth default mode comes in and says, "Hey, listen, you've survived this long, it's okay, not everybody's lying. Most of the time it's going to be okay."
Perry Carpenter: But, of course, it's things like blind spots and biases and truth default mode that can get us into problems when it comes to properly assessing risk and building secure systems and so that's where threat modeling comes in.
Chris Kirsch: You only know whether your company would be susceptible if you actually test from the vantage point of an attacker.
Perry Carpenter: That's Chris Kirsch.
Chris Kirsch: I'm the co-founder at Rumble which is an asset inventory platform.
Perry Carpenter: Chris is one of those rare people who won a black badge at the Def Con Social Engineering Capture The Flag competition. If you're not familiar with it, it's essentially a gamified version of looking at the world through an attacker mindset. It is looking at a specific organization and finding different flags that you have to figure out how to get. Each of those flags represent a way that an attacker might gain a foothold or critical information about that organization, that could then be used or combined in some way, that would be relevant for launching an attack. And so, Chris, if you would, go ahead and just describe threat modeling from your perspective and then maybe we'll bring in some of the components related to your experience with the Social Engineering Capture The Flag.
Chris Kirsch: Threat modeling is really how you think an attacker might be attacking you. If you have the best luck in the world but you have a door with hinges on the outside and you can pop the pins out and just open the door that way, then you didn't model your threats appropriately, right, because you don't just want to protect the lock from being picked, you want to protect your house from being broken into. And so with threat modeling, what you have to do is figure out all the different ways that somebody could hurt you or if somebody could get to a certain goal that you want to keep them from, like getting to your credit card data. Typically start with defining what's important to you and then you think backwards and say, "Alright, what do I need to protect from, to protect that asset that I care about."
Perry Carpenter: We'll get to Chris's personal experience threat modeling organizations as he did in the Def Con Social Engineering Capture The Flag exercise but before we do so, I want to bring in one more guest.
Ted Harrington: Ted Harrington, I am the executive partner at Independent Security Evaluators, ISE, and I am the author of the best selling book Hackable: How To Do Application Security Right.
Perry Carpenter: Ted is on a mission to help organizations become more secure by showing them how to challenge their assumptions, identify their blind spots and, you guessed it, view their systems through the eyes of an attacker. So, Ted, if you could, describe threat modeling from your perspective and maybe give an example.
Ted Harrington: Threat modeling's a really interesting topic to me because I see so many organizations not really know what it is and I see that as a problem because it is the foundation of any security plan. It's sort of like whatever, you know, pick your professional sports team that you like, I think the NFL makes-- the national football league makes for a good metaphor because they play one game a week. And so that means each week they have a different opponent and the game plan against that opponent, specifically against that opponent. And so what they're doing is they scout the opponent, right? They say, "Okay, well, this week we're playing the, you know, whatever, we're playing the New York Jets and here are their strengths and here are their weaknesses," and they scout themselves too and they say, "Well, here are our strengths and here are our weaknesses," and then they'll determine what's the game plan that's going to best set us up to win against this opponent in this game that we're playing right now.
Ted Harrington: Not all games, it's not a universal thing, like, we're playing against this opponent and that to me is what threat modeling is like because really what you're doing is you're trying to understand who the opponent is, your collection of attackers. You're trying to understand your strengths and your weaknesses in context of their strengths and their weaknesses and really threat modeling, in its simplest form, it helps you answer three questions. Question number one, what do you want to protect? Those are your assets. Is it tangible things like data or money or is it intangible things like reputation or availability of the system? So that's question one, what do you want to protect?
Ted Harrington: Question two, who do you want to defend against? And so that's where you're asking, "Hey, are we worried about organized crime, nation states, casual hackers, corporate espionage, insider threat, whatever?" That's question number two, who do we want to defend against? And then question number three is where will we be attacked? So that's your collection of attack services, basically anywhere the information can be accessed or the system can be interacted with. And once you've answered those three questions, which is a little more complex than just here's three questions and give, you know, a short answer to it but it also is as simple as that.
Ted Harrington: Once you answer those three questions, what it does is it then informs you where you should invest time, effort and money because we don't have unlimited time, we don't have unlimited person power, we don't have unlimited money to defend so we have to be really strategic and that's what I think threat modeling does, is it helps you, it helps you understand the game you're in, understand the opponent you're playing against so that you can develop a game plan best optimized to try to defend, or try to win against that opponent.
Perry Carpenter: So if you're doing all of this work of threat modeling in order to defend against attackers, it might be important to understand some of the processes that an attacker might go through to target and launch attacks against your organization and then, of course, the capabilities that they have to bring that attack to bear. What I want to do real quick is just refer you to a model and every model has weaknesses and strengths but this is a model that is popular because right now the strengths outnumber the weaknesses. This is what's known as the cyber kill chain model. It was developed originally by Lockheed Martin and has been used widely and adapted widely by organizations and security professionals around the world.
Perry Carpenter: The idea behind the model is that when you understand the basic steps that an attacker will take, you can start to, to break the chain at certain points. You can make it harder for the attacker to accomplish their mission by shoring up defenses and putting in strategic road blocks at every different step of the chain. So, let me just run through this real quick, we don't have a lot of time to, to stop at each one but I want to make you familiar with this, so that we can then start at step one and spend a little bit of time there.
Perry Carpenter: Step one of the cyber kill chain model is reconnaissance. This is where an attacker finds out everything that they can about their organization. They might harvest email addresses related to that organization, look at dark web data dumps, they might do social media profiling, all of that comes into this reconnaissance phase. This is the scoping out the target. Then they move on to step two. This is weaponization, where they use all the information and all the understanding that they have against the target to craft a very specific attack tailored towards that target. Step three is delivery of that attack, usually in the form of something like a phishing attack or some other kind of payload.
Perry Carpenter: They've done the reconnaissance, they've built the attack framework that they're going to use and then they try to deliver that. Step four is the actual exploitation of that, when somebody clicks on the link within the phishing email or they send the information or they let the person in the front door, you get the idea. And then is installation and I mentioned that all frameworks have some weaknesses, this could be a weakness in the Lockheed Martin version because it is talking specifically about installation but there are many attacks where nothing needs to be installed. The, the attacker just gets away with information because somebody gets tricked into giving it.
Perry Carpenter: But in this model they talk about installation and that can be a rootkit installation, some other form of a malware and so on, that then moves to step six, which is the establishment of command and control in the victim's infrastructure so that they can do remote management of the systems there, that ultimately move to the last step, step seven, which is acting on the attacker's objectives. So spreading throughout the system, collecting the information that they're looking for or causing whatever damage they want to cause, all of this is the final step in the Lockheed Martin kill chain. So why is this important?
Perry Carpenter: This is important because I think it is critical to understand that for an attacker to do something significant there's generally a process that they're following, even if that's just subconscious. They're trying to understand their target, they're trying to build the best attack possible and then they're launching that attack and then seeing what the fruit of the attack is. And just about any model that you can think of is going to start with that understanding the target and that's where we're going to spend a few minutes right now. We'll specifically talk about the topic of OSINT. OSINT is an acronym spelled O-S-I-N-T and it stands for open source intelligence and when people talk about OSINT, they're usually talking about gathering open source intelligence.
Perry Carpenter: I've got an entire episode around data leakage and open source intelligence gathering planned for later on. So we're not going to go too deep right now but I do want to just scratch the surface and give you an idea of how critical the reconnaissance phase of any attack is.
Maxie Reynolds: OSINT or open source intelligence is by far the most important thing that you can really do as an attacker, it informs a lot of your decisions up front and it's strange because OSINT is very data driven, obviously, it's-- it is information in its day that you go out and collect but it informs a lot of the psychology that you use in an attack.
David Kennedy: OSINT is, is open source intelligence gathering and that's what we do to comb various different sources, looking for information about an individual person or a company or an organization, I mean, whatever our information that we're looking for is. And why that's important to understand is that there's so much information available, whether it's on your social media accounts, your Instagram, your LinkedIn profiles. A good example of, of leveraging OSINT to target an organization is that a lot of IT folks will put their experience and their description of profiles for their organization. So what I can do is I can map your entire technological stack typically through LinkedIn because of your LinkedIn profile.
David Kennedy: So you're like, "Oh, hey, I have X product and this product we've had it in for two years," or, "We implemented this product and you're linked with this person." I know that you have this product at a certain maturity level, so I know that going into an organization I have to get around this anti-virus product and this intrusion prevention system and, "Hey, maybe you're predominantly Linux and OSX or Mac."
Maxie Reynolds: So OSINT for an attacker is put into three buckets. So you, you find information and you put it into one of three buckets. The buckets are good from a pretext standpoint, so good for making people believe that you should be there and that's for network pen testing and physical pen testing, you have to fit into the environment. And then there is information on the environment holistically. It's, it's getting you familiar with the target, so to speak. So where they are headquartered, maybe, how many employees they have, the information, the software that they're using, the hardware that they're using is often available. Things like blueprints come from OSINT and you'll look at maps and things like that.
Maxie Reynolds: And then there's a third bucket which is this is no use to me in either of those two buckets so goodbye, it just doesn't matter.
Chris Kirsch: One technique that some OSINT folks have used to find certain accounts on Facebook and some of the other social media sites was to use the password reset function because sometimes those give up your data. So, for example, you could enter somebody's screen name and say, "I want to reset my password and this is my screen name," and then it would ask you, "Hey, do you want to send it to star star star phone number or star star star email address," and some of the email address and phone number is starred out but it's not the entire number. So you can often guess the full email address and then, for example, take that and feed that back in and say, "I want to reset my password again," but this time instead of using the screen name, I'd put in my email address, for example.
Chris Kirsch: And now we can verify that the email address you guessed is actually the correct one because it'll show up the account name with the avatar to say, "Is this the account that you want to reset?" So I actually went through 500 different websites, looked at them and you can pivot from phone and email to screen name and image. You can confirm it the other way round when you, when you guess things or you can just start with an email and say, "Does this person have an account on this website?" And then you could, for example, send them very effective phishing emails by sending an email to the account pretending to be from a website that you know they use. And I found these kind of password reset leaks in big payment solutions and big e-commerce providers and big payroll companies. You provide this type of information to the company, it somehow leaks out in other ways.
Perry Carpenter: Welcome back. At this point you've got a handle on the basics of what an attacker mindset is and why it's useful to look at the world through the eyes of an attacker and you've even heard a bit about some of the techniques used. Let us now take a few minutes to hear how our guests have used this mindset to uncover security vulnerabilities and ultimately help organizations reduce risk.
Maxie Reynolds: Things like blueprints come from OSINT and you'll look at maps and things like that. I love finding blueprints, specifically older ones because if a client has moved into a building and they've modified it, they didn't go full construction and, like, eliminate corridors. So it's always interesting to find the older ones and look at buildings from the outside and see if you can cross-reference. So things like the fire code can tell you if a building is changed on the inside but the blueprints are actually still the truth of the building. You can look at a building, look at the exit points, discover through that, through-- it's-- I wouldn't say it's complicated maths, it's just I don't want to do it on a podcast, you can look at the building and the exit points and find how many, say, rooms or apartments are on a floor and that might be within the modern building but if you look at the old blueprints, you can see that there are secret corridors still alive and they're unmanned and they don't have security because they're not in use.
Maxie Reynolds: That's not how an architect works. He doesn't care about the security of a building so he will rebuild corridors or outside of corridors that I can use and he's not thinking of security. And then as the security companies come in and let's say they're putting in cameras, then they're also not putting them in corridors that are unused. So blueprint versus a modern building, when it's been changed, is extremely helpful to us as attackers. When I got those blueprints, they were not labeled but they showed where office space would be and they showed larger areas and we were quickly able to sort of piece together where a large SOC could be and we had some information from the client.
Maxie Reynolds: So one thing that I will say to attackers listening to this, is when you have that scope meeting with your client, ask them questions that will be relevant for you to know because they're not looking at you like attackers yet, they're looking at you like peers, where they're just going to swap information with you. You can ask things like, "Well, how deep into the building is your SOC? How many people do you have?" And those are legitimate questions but they're also very helpful when you're in there. So, that's one sneak.
Perry Carpenter: Here's David Kennedy, again.
David Kennedy: I was going after an organization and, and this was a, a medical company, hospitals, hospital chains and I had been profiling this, this doctor that I wanted to target because in a lot of hospitals, the doctors are in positions of power within organizations so like IT, for example, the person that would be in charge of that IT person is not necessarily a CIO, it's the doctor. And so they're, they're structured in different ways. So I was going after this one doctor that was in charge of their technology infrastructure and so I was profiling the organization, looking at this individual, very chatty person on social media especially around doctor stuff, you know, medical research and stuff to that effect, what they're doing from an IT infrastructure, you look at his LinkedIn profiles, director force, mapping on his organizational structure and tools.
David Kennedy: So I had spent a lot of time going after this individual and I spent about a week building out this entire pretext or this attack that we're going to launch against this specific doctor and it was very crafted, very well done, very believable. We actually found a flaw in one of their web applications that made it look like it was actually the email address and the link was going to their legitimate site. So it looked like everything was very well believable. It was a really awesome crafted attack. And so the main goal of this was credential harvesting to see what they had from a multi factor authentication perspective. We didn't want to go the code execution route yet, because we don't know all their defenses yet so we want to kind of probe first of what they have and get some user names and passwords that are valid and then kind of go from there.
David Kennedy: And the way that we ran this pretext is it, it left the door open for us to, to still interact with this individual if we needed remote code execution, we could use that as an option because we had established communication with this individual back and forth from this pretext. And so when we did this, we sent this phish out and this doctor hook, line and sinker believed every aspect of it and entered in his user name and password for authentication. So we had his user name and password now. And so now our goal is to say, "Okay, well, what systems do they have externally facing that don't incorporate multi factor authentication? Can we get in through Microsoft 365? Can we do, you know, any type of HR system or things, things that will allow us at least to start to get our initial foothold in and start to then figure out what we can do to gather information for our next attack?"
David Kennedy: And we, we saw that they had a VPN concentrator, it was, like, a backup VPN concentrator, it was, like, an older one and that's always a great one because a lot of times people will forget to put multi-factor authentication on there. So we type in the user name and password and they were using a, a technology for, for multi-factor authentication that gives you a few options. One, you can do what's called a push notification which it will push to your phone and you can hit approve or deny, right? So, are you logging in, yes or no? The second option is a text message, so it will send you a one time text message and the third option was a phone call and the fourth one was using an authenticator app.
David Kennedy: Well, in this specific case the company had deployed it with the save your previous preference, so it didn't prompt you every time for those four methods. You could still select it but it would automatically do what the user had previously done in the first place. So in this specific case, this doctor had the push notification set up, so it automatically pushed to his phone. We got this phish, successful phish, and all of a sudden now answering with user name and password and then it's automatically pushing, "Are you authenticating to a VPN, from Cleveland, Ohio, by the way, but with our geolocation tags, are you logging in, yes or no?"
David Kennedy: So I'm sitting down and I'm freaking out, like, "Oh, man, I just spent a whole week building out this entire hack, going after this individual, making it perfect, finding a flaw in the web application, making this a 100% successful attack, at least in my mind, and all of a sudden now I'm busted." This, this guy's going to be like, "Oh, my gosh, I'm in charge of IT, I'm not logging in from Cleveland, Ohio, you know, this is a major problem," and he's going to hit deny and then he's going to report this phish and my whole infrastructure is going to be taken down. So I'm sitting there, I'm like, "Oh, crap," and so I'm like, "Alright, let me go, let me go get a bourbon because it's going to be a long night."
David Kennedy: So, you know, I'm like, "Alright, let me go get a bourbon, I'll be back in, like, like, five minutes." And so I go get a bourbon, pour a bourbon and I'm like, "Alright, it's time to tear everything down and start to rebuild," because I'm going to have to target either somebody different or figure out a way to, to go after this in a different angle. Started to get those brain juices flowing, you know, possibly while a little bit inebriated. And so, you know, when I did this, I got back to my computer, logged back into my computer and I was successfully logged in. Somehow I, I was authenticated, I was on the VPN with the push notification that went out. And so I'm like, "Well, that's, that's weird." I'm gonna, like, at least double check to make sure I'm in. So I look around and, like, I'm fully authenticated, can access all their systems and I'm like, "Well, that's strange, like, how did I, how did I do that and bypass multi-factor authentication."
David Kennedy: And, you know, I was thinking, "Well, maybe it was a technology issue where if it times out, maybe they misconfigured it wrong and allows you to VPN in." Well, turns out that the doctor's like, "Well, I think I'm logging in from somewhere," so he just hit approve. So even though they had multi-factor authentication in, the end user was ultimately, with the lack of education awareness around those types of attacks, ultimately was the downfall of bypassing this specific piece of technology which is to your previous point, Perry, when you rely solely on your technological controls, those are bound to fail, what do you have after the fact and education awareness in this case would have been a major deterring factor for this specific attack.
Ted Harrington: There's a story that I wrote about in my book talking about this idea of how do you take existing functionality and use it in the attack.
Perry Carpenter: Ted Harrington.
Ted Harrington: So in the metaphor used, used with the ants that the functionality is send ants to address and it's like, "Well, can I use that in an unattended way." So I wrote about this in my book about this hacker who goes by the pseudonym of Manfred and he's spent a lot of time looking at online games and he was really interested in in-game currency and the way that in-game currency operates in those games and for people who aren't familiar with it basically, you can earn or you can buy currency and then you can use that currency to, like, get special weapons or access to secret levels or whatever.
Ted Harrington: And there were these banking systems that help process transactions and the banking systems would be something like when you want to take out, let's say, a hundred coins to buy the bow and arrow or whatever, it would be the formula was 500 coins minus 100 coins equals your revised balance which is now 400 coins. And so what Manfred realized when he looked at the way that worked was that it was operating under the assumption that the system would react to positive integers, positive 500 minus positive 100 equals positive 400. And he, and he pulled out the-- one of the greatest tools in the hacker's tool kit, which is the question what if and he said, "Well, what if I could figure out a way to get the system to respond to negative integers."
Ted Harrington: And sure enough he found a way that he could actually in a very trivial manner do that. And so now what would happen was it would say 500 coins minus negative 100 coins and as we all learned in middle school, you know, subtracting a negative is actually addition. So his account balance would increase, he would get the secret weapon or whatever. And that's a great example of using the way that a system is supposed to work, right. It's supposed to process a transaction using a numerical value but it was not intended to work that way. And this is why these types of techniques are really, really important, organizations really need to not just, you know, run some scanner that looks for some known vulnerability but actually look at the unique context of a system the way that works to be able to say, "Well, if someone has a malicious mindset and they have a certain motivation, could they abuse this system and achieve some unintended outcome?"
Perry Carpenter: Let's take a couple minutes to hear from Chris Kirsch. Chris, tell us a little bit about your experience winning the Social Engineering Capture The Flag contest at Def Con. I'm specifically interested in what all went into that and how that maps to some of the things that might happen in a real world attack.
Chris Kirsch: So in the SECTF, we got a real target, a company that actually wasn't aware that they were a target for the SECTF and everybody gets a different company but they're all in the same industry. So one year I participated, it was all security companies, the next year it was all toys and gaming companies. And you get your target and then you get this list of flags for this exercise. So it's about 30 pieces of information, half of them are to get you physically into the building. So there are things like, who refills the soda machines, who does the catering, who does the pest control, who does the-- who's the security guard or the security guard company because if you know that, you can just throw on a uniform and you can walk right in. They also want to know what are the badge readers like in the cards. What system are they using so that you can figure out, can you clone these cards by walking by somebody or get in in another shape or form? So really on the physical side.
Chris Kirsch: The other half of the flags are flags that would enable you to get in digitally. So it starts out with simple things like, you know, what are the operating systems that they use, what are the PDF readers, the browsers and versions, VPN client and version, all those sorts of things, anti-virus solution. Do they block certain websites, for example, Facebook because you could send in a phish email over Facebook to somebody who works there for example, right? You have to figure that out. All of those things you have to get from public sources. You're not allowed to go to the building, you're not allowed to ask a friend who works there but you have to get them from public sources because you're trying to simulate what an attacker would be able to collect, just looking at the company over the Internet.
Chris Kirsch: So you can really go deep. You can start out on Glassdoor, like, Glassdoor where people review the company, you find out if they have a break room, for example. That can be helpful if you're trying to get into a certain office. If it's a retail space and so on or, or any other type of company. And then you move on to things like LinkedIn and look on Facebook for people who disclose where they're working, what they're posting about. So you can really lar-- get a very rich picture of a company. So, the companies I was targeting, I almost feel like I worked for them because I did so much research. I think I spent about 60 or 80 hours just researching a single company and writing up the report of about ag-- 80 pages. And now we can use that in the attack.
Chris Kirsch: So not only the digital and the physical stuff but also the jargon, right? If I phone you and I say, "Hey, I'm with GIT," and that's the term for the general IT Department or something like that and I use that lingo and I drop in some other terms to say like, "Oh, yeah, you know, the folks on the 13th floor aren't too happy with X, Y, Z," if you know that all the executive team work on the 13th floor and that's internal lingo, right, you're immediately an insider. So you can leverage all of the stuff that you learn to sound like an insider and you're, you're just a lot more credible and you can get people to comply.
Chris Kirsch: So when I did my call, I think I figured out that there is a subsidiary of the company that they'd acquired that is based in Wilmington. So I called them up and said, "Hey, I'm with the ERP team in Wilmington and I have a question for you," right? I didn't even have to say I, I work in this department in this company, I just referenced the place of the headquarters and that sounds like you're inside the company. You don't have to say that you're with a company if you say what location you're from. So those kinds of things. You want to be very relaxed in the conversation, just have a normal conversation, person to person, and you want to start out with things that are very simple, very simple questions that are not threatening.
Chris Kirsch: So, for example, I introduced myself on that call and I said, "Hey, I'm Eric," I don't know what name I used, "I'm Eric from the ERP team in Wilmington. Just a quick question, but are you guys open right now? I haven't seen any bookings data from your systems in a while." And so the question, "Are you open right now?" is very non-threatening. You would tell that to somebody who is just, you know, like, a, a customer calling in and wanting to know whether they can come into the store. This was a retail environment. And, so, once you get people to answer those simple questions, you know, like, "Hey, can you just check if you have an Internet connection? Can you just go to Facebook for me?" right?
Chris Kirsch: Now you're getting them to comply a little bit more with something that's maybe a little bit of a bigger ask but, "Hey, just go into Facebook," they know, like, Facebook's safe, we kind of build up that rapport a little bit over time and eventually you'll be able to direct them to-- say like, "Hey, can I just ask you to type in this URL for a diagnostic site that we use?" and then you get them to that site. And then I happened to a point where they were telling me like, "Oh, yeah, yeah, we had some problems with the, with the credit cards last week, you know, like, is-- does that have anything to do with it?" I got them to accept that I will send them a router that they will plug into the network and all of that stuff.
Chris Kirsch: So you could get very, very far with that approach and I think I had-- I think it was, like, 12 or 14 minutes to get all of the flags on the first call and then I wrapped up, thanked them and moved on to the second store and just ran the same play again until the clock ran out.
Perry Carpenter: So as we get ready to wrap up, I think it would be very useful for us to have our guests provide some last thoughts about how organizations can become more resilient.
David Kennedy: We do a ton of incident response, going into companies that have just been impacted by ransomware and then have, like, 90, 90% of their infrastructure completely ransomed. You know, you can tell that, that all of their eggs are in one basket from a, a very specific piece of technology or a firewall and then an anti-virus product and those fail them and they literally have nothing else to rely upon to recover their infrastructure and security's a lot more than that. We really have to be more proactive and security is no longer an option to have. If you're doing business and you have technology, you're in the boat of being attacked by various groups. You have to do more when it comes to security. I think that's the most important piece to recognize.
Chris Kirsch: Let's make this a universal statement. I think every organization has blind spots. I mean, I hear it every single day where people are like, "Oh, well, why would anybody attack me? I don't have anything worth protecting." I had a really interesting example that actually where I was talking to a company that they handle ticketing for live events and, and they said, "Well, we only have email addresses of our customers, we don't even process payments, so we don't have anything worth protecting." I'm like, "But you process the tickets, right?" and they said, "Yeah." I said, "Alright, well, what about an attacker who wanted to buy one ticket and then use it over and over and over again with all his friends or what about an attacker who wanted to make every ticket unusable? Wouldn't that imperil future contracts with event organizers?"
Chris Kirsch: Like, "Oh, yeah, that could never happen, that would destroy our business." It's like, "So, you actually have things to protect."
Ted Harrington: The best way I can explain it to people who are from outside of the security industry is with lock picking. So if I tell somebody that I pick locks for a hobby, right, they usually say, "Oh, that's weird, like, isn't that illegal?" But the act of picking a lock, if you have permission to pick the lock and if it's your own lock, it's actually not illegal or at least in most jurisdictions. If you want to get into lock picking, definitely look up the legislation in your state or country because it varies by region but most of the time just owning the lock picking gear and trying it out on your own locks is not illegal. Think of your house. How do you know your house is secure or more specifically the locks on your house are secure?
Ted Harrington: Do you simply believe that because of the advertising on the packaging of the locks, right? Lock picking teaches you how to check whether it's secure or not. If you know how to pick a lock and you know what kind of things typically stump you, that's a good way to then judge for yourself whether a lock is good or not. Now, not everybody wants to get into lock picking before they move into a house or change out their locks and that's why you have people who do security research, right, both on locks, physical locks but also for software and for networks and systems and so on, so that you don't have to learn it yourself but you can get other people to do the testing for you.
Perry Carpenter: It looks like it's time to wind down today's show. I'm going to give Maxie Reynolds the last word and then I'll be back to summarize with a few closing thoughts.
Maxie Reynolds: You have to be curious. I think curiosity and persistence are the two fundamental cognitive skills that you can have because without curiosity, you won't learn, you will not be driven to learn and without persistence, you won't continue to learn and continue to grow and evolve because technology does, attacks do. They, they grow and evolve and they advance and so you have to keep up with them and curiosity and persistence will allow for you to grow with them.
Perry Carpenter: That's all we have time for today. I hope that you've enjoyed considering how adopting an attacker mindset can help improve security. Appreciating this mindset is critical as we strive to better secure our organizations and our lives. This process of threat modeling, looking at your attack surface and thinking through frameworks like the Lockheed Martin cyber kill chain can help spur your thinking as you try to view the world through the eyes of an attacker. And here's the thing, we all suffer from tunnel vision and have blind spots and sometimes no matter how hard we try, we can get so locked into our thinking about certain systems through the lens of their intended use that we'll miss vulnerabilities that an attacker might immediately spot and because of that we often need to consult with experts who specialize in breaking and abusing systems.
Perry Carpenter: We need to do whatever it takes to gain this perspective because, I'll say it like this, if we aren't looking at our organizations, our systems, and our lives through the eyes of an attacker, then only the attackers are and they will gladly find the flaws and exploit the vulnerabilities. As Maxie said in her final thought, be curious and be persistent. Thanks so much for listening and thank you to my guests, Chris Kirsch, David Kennedy, Maxie Reynolds and Ted Harrington. I filled the show notes with links to the references that we mentioned today, including links to Maxie's book, Ted's book and other materials that you should find interesting. So, be sure to check those out.
Perry Carpenter: If you've been enjoying 8th Layer Insights, please go ahead and take just a couple seconds to head over to Apple Podcasts and leave a rating and a review. That does so much to help. And you can also help by posting about the podcast on social media, recommending it within your network and maybe even finding an episode to recommend to a friend or family member. If you haven't yet, go ahead and subscribe or follow wherever you like to get your podcasts. Lastly, if you want to connect with me, feel free to reach out on LinkedIn or Twitter or Clubhouse, I'd be happy to connect with you. Well, until next time, thank you so much. I'm Perry Carpenter, signing off.