The technical people who drive our innovation are, for most purposes, well meaning. They create technology which has shaped our way of life, and done what many would have previously considered unthinkable. These developers and engineers are wonderful at conceiving and building systems. However, they are horrible at understanding how to break them. As the defenders of the kingdom, a security operations or development team has to think of every possible attack, which is what we do in red teaming. This workload is considered otherworldly compared to their adversary, who only needs one working method of attack to obtain their goals.
A large part of the divide in knowledge is between understanding and not understanding how attackers think. In the world of red team operations, this is known as, “thinking maliciously.” Thinking maliciously is a topic that many people feel is covered in introductory classes and anyone in our industry could ramble on about endlessly, but I’m not going to do that. My goal is to get even you stubborn readers, who think you already know everything you need to know about thinking maliciously, to finish reading.
I am going to talk about beer. Beer is a drink which unites, and divides, many. Some will accept whatever a server has to offer, others will refuse anything less than an imported microbrew. Either way, a beer or two often makes people more comfortable around each other. You might relax and socialize with some colleagues over a beer. Or, if you go to the same sports bar every week, you might start to chat with the other regulars. You’ll probably meet a lot of interesting people with various backgrounds: from executives to grunts. You exchange stories about what you do for a living. Everyone has a good time.
But, the next day you notice that your office key card is gone. Did you lose it? You go to the office and ask security to let you in. But they tell you that you came in at 3 AM to pick up some paperwork.
You’ve been attacked.
You were in a normal social setting, but someone got you. Your adversary just befriended you at a bar next to your office, and proceeded to enter after you were gone. You didn’t notice it until later, but that guy you used to see every week at the bar was no longer there.
Social engineering is a hard problem to solve. Human nature dictates that we are social creatures—we interact with others and show people a certain level of respect. For example, most of us would hold a door open for someone to be polite, even if we don’t know the person. However, because human nature is often predictable and difficult to change, methods involving the human factor are easy to exploit.
The proper way to handle an encounter with a stranger at an entrance is to challenge him. Make him badge into the door or call security. But most people feel uncomfortable doing this. Perhaps it makes them seem like jerks or they’re afraid to challenge a superior who may take offense. We also don’t want to believe that some of the people we meet are bad.
In reality, most people you hold the door open for are not adversaries. But that might change based on where the door leads. If you’re going into the cafeteria, it may not cause much concern. But if you’re going into a developer’s office with sensitive data, than the people entering should be challenged. It’s painful, but necessary.
Cases such as the tailgating problem are simple to solve, but tricky to enforce. The problem worsens when an individual is presented with a social situation he cannot handle himself. Adversaries may also be difficult to identify, especially if they have no qualms about impersonating positions of power, including governments. When used as a disguise, even the most innocuous things can be used as an attack pivot. For example
As defenders, we have to understand that anything can be a point of entry, and as a human factor we contribute a good deal of risk. However, I am not here to spread fear. Each of these scenarios has a possible solution. Some require technical changes, such as implementing an isolated network for “Internet of Things” devices. Others need a cultural shift, such as requiring employees to challenge tailgaters. As innovators and maintainers of a vast industry, we need to start ‘Building Security In’ from the beginning. With defense in depth and secure code practices, we can help reduce the risk faced by businesses to a manageable level. While we cannot always stop an attacker from entering, we can help prevent him from achieving his goal once inside.
Attackers have a goal and they will do whatever they can to achieve it as efficiently as possible. That is all there is to know. However, understanding how they achieve that goal takes time. Developers have immense understanding of how things are designed and supposed to work. Unfortunately, they’re not always the best at understanding the flaws in their own code. Even worse, developers may think their code is impervious to attack. So they can write unit tests all day, but if they don’t recognize there is a problem, they can’t defend against it. On the other hand, attackers never assume anything about a system until it is tested in every possible fashion.
To think maliciously means to form a plan and act in a way that your target does not anticipate. This can be so involved that it requires zero-day exploits, or so simple that it costs nothing more than an hour at the keyboard.
If you read to that last line, I have achieved my goal. Now how long did you stare at this screen, rather than your message inbox where you receive security alerts?