The original version of this post was published on SecurityWeek.
Hackers are human. Hopefully that doesn’t surprise you too much. Being human means that they are subject to human tendencies, like taking the path of least resistance.
To a hacker, this means avoiding the most protected way to an asset. They know that no one can simply walk into the room where a business keeps its crown jewels. Similarly, the applications that present the most risk to an organization will be the most heavily gated and most thoroughly tested. Trying to get through would be like slamming one’s head repeatedly into a big brick wall—something most humans tend to avoid.
So hackers find a less protected route by pivoting. The concept of pivoting has strong roots in the historical principles of warfare. Savvy generals eschewed attacking the middle of the opponent’s defensive line, normally the point of heaviest fortification. The infamous Pickett’s Charge at Gettysburg is a notable example of the futility of this approach. Instead, these generals used flanking maneuvers to find the weakest point in the defenses and, when sufficiently positioned, deftly pivoted to roll up the opponent’s line “like a wet blanket.”
As the ongoing thrust and parry of cyber security evolved and defenses became more efficient, the attackers also adopted the pivot approach. Here’s how it works: first, assume the most important machines or applications will be the most heavily fortified; however, with limited budget and resources, assume that there will be weak points in the defenses. Now, find the best entry point that encounters the least amount of resistance, and use that pathway to methodically work your way to the real target.
The first use of the pivot was at the machine level, largely because applications were not yet widely exposed via the Web. True to form, it soon became apparent that it was folly to directly attack the database server because it was too well protected. Instead, the relentless attackers found they could gain entry through the weaker roll-up defenses on their way to the database server.
These same attackers soon found that they had an unlikely ally to help them execute their flanking maneuvers — the carbon-based life form. To this day, CISOs will freely tell you that it is the employees who are the weakest link in the defensive line. Attackers frequently gain their initial entry point by simple phishing techniques or other forms of social engineering. If you don’t believe me, just send me your social security number and the account number of a major credit card for a free study on the subject and, as a bonus, you can help me access millions of dollars for an exiled Ethiopian prince.
Once in, attackers leverage common mistakes in design and/or coding to gain the necessary credentials to pivot to the next step in the network. They may need multiple pivots, but because of the privileges gained along the way, they eventually are able to traverse the network to the target machine.