Hello and welcome to the inaugural Hacker Nemesis blog series!
I'm Paul Dant, and I head up Illumio's Cybersecurity Research Group in the Office of the CTO. We're a team of life-long hackers and career security practitioners with decades of cyber experience, playing defenders and attackers.
Why the name Hacker Nemesis for the blog series? Connecting the dots between Illumio capabilities and our customers' cybersecurity needs is our primary mission, particularly as it pertains to cyber resilience. In other words, we're making it harder for hackers to hack you and extort money from you. Which they absolutely hate. NEMESIS!
Over the next few posts, I'm examining a universal truth that explains why we're still losing in cyber: Everything has changed, yet nothing has changed! I've spent decades hacking everything from games to tent-pole film productions to nuclear energy facilities - all quite successfully - and I'll talk about some of those attacks here.
The patterns you'll quickly identify are as follows:
Hackers are not magic.
These attacks are a lot easier than they look.
Attackers are living off the land: Once in the network, the operating system provides just about everything needed to really mess up your day.
The ransomware attack playbook is decades old.
A note on cyber resilience
Cyber resilience is more than surviving an attack.
If we look to the ubiquitous Zero Trust theology, it tells us we need to accept that an attacker will - at some point, if not already - infiltrate the network. "Assume breach" is the specific wording, and I strongly support that principle.
If an attack locks 80 percent of your critical servers and brings operations to a grinding halt, but you recover from backup forty-eight hours later? You survived, but that's hardly resilience. What did 48 hours of downtime cost?
If you're resilient, there's no downtime. When the inevitable network infiltration happens, it's so incredibly constrained to a single compromised system that the attacker will move on to an easier target with a more favorable risk/reward outcome. In other words, breach containment. Making sure that the first compromised system - the "initial compromise," if you will - is the last system compromised. Easier said than done, right?
If there's a tl;dr for this article, it's this: The key to preventing successful ransomware attacks is visibility and control of unauthorized lateral movement. Everywhere.
You're not going to stop every infiltration attempt, but you can dramatically reduce your risk of making that "do we pay them?" decision by cutting off the attackers' ability to move further into your network.
Yes, let's try to keep them out of the network to begin with; that's a given and exactly what "defense in depth" is about. Perimeter defenses, endpoint defenses, network defenses - they all have their appropriate role in a layered defense that must include compensating controls in the event that any or all of those defenses fail.
I was Zero Cool-ish
With this being the inaugural post of the series, why not go all the way back to my first exploit in 1991 to see how attackers are still using the same old tricks I was using as a kid hacker?
Looking back to hacker lore, Zero Cool managed to take down 1,507 systems. While I only managed to take down about 47 in my first attack, it's still quite an achievement given I did this before we'd even heard of Zero Cool.
My first attack - also the most destructive of my black hat days - targeted a simulated space shuttle mission, and complete disruption was my primary (and only) objective.
Spoiler alert: I won. But I also got caught, highlighting a critical aspect of hacking that separates the so-called script kiddies from the awesomely called 1337 hax0rs: You can't brag about being a hacker if you get caught. Inversely, it also taught me that bragging about being a hacker will, in fact, get you caught.
Before we dissect this attack, let's set the proper context. The simulated space shuttle mission in question was a science project my seventh-grade class participated in, featuring an actual shuttle construction, a specially chosen student crew that would spend almost two full days manning the shuttle, and a volunteer ground crew in the makeshift mission control center (ordinarily the science classroom).
And what's powering all of this? Computers! Specifically, a few dozen IBM PS/2s running Novell NetWare clients over IPX/SPX on a token ring network. It was a brilliant, innovative event that I wanted to be a part of, and I applied to be the crew's Computer Officer. Inexplicably, I wasn't selected!
Clearly, the selection committee's decision was unacceptable, and they would have to pay. My vengeance would be two-fold. First, ruining the shuttle mission for everyone else would be really satisfying for a twelve-year-old hacker with a grudge. Just as important, though, they needed to learn to never overlook Paul Dant again. What a silly mistake they made.
Before we dissect this attack, let's look at an important tool for understanding the "how" and "why" of attacker behaviors.
The MITRE ATT&CK framework
Critical to demonstrating the way an attack typically progresses is the ATT&CK Framework, developed and maintained by MITRE. If you're not familiar with it, I highly recommend checking it out as you'll see it used a lot in mapping out attack methodologies.
The figure below represents a clean depiction of the typical phases of a Conti ransomware attack. The Conti ransomware group is no more, but their methodology lives on in Conti off-shoot groups. In fact, you'll start to notice that most ransomware attacks, regardless of the group behind them, follow this general map.
Here's how to read it:
The top-most row, from left to right, represents tactics. Think of each tactic as a progression of the attack toward the end objectives, meaning a failure (or lack) of controls allowed the attack to progress.
Within each tactic column, we have the techniques used to progress the attack to the next phase, or tactic. Techniques represent the specific attack mechanisms used, and understanding them can help us formulate risk and determine appropriate controls - including how much those controls should cost!
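One way to put that reading of the matrix to defensive use is a coverage check: walk the tactic columns in order, and for each tactic the playbook uses, ask whether any deployed control addresses at least one of its techniques. A column with no control is exactly the "failure (or lack) of controls" that lets the attack progress to the next phase. The script below is an added example, not code from the original post or from Illumio; the tactic names and technique IDs follow the public MITRE ATT&CK Enterprise matrix, while the playbook and the control inventory are constructed for illustration and describe no real environment.

```python
"""Added example: ATT&CK-style control coverage check.

Tactic names and technique IDs follow the public MITRE ATT&CK Enterprise
matrix. PLAYBOOK and CONTROLS are constructed for illustration only.
"""

from dataclasses import dataclass

# Tactic columns of the Enterprise matrix, left to right, as read in the text.
TACTIC_ORDER = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Command and Control", "Exfiltration", "Impact",
]


@dataclass(frozen=True)
class Technique:
    tid: str      # ATT&CK technique ID
    name: str
    tactic: str   # the column it sits in for this playbook


# Constructed ransomware-style playbook: one technique per phase used.
PLAYBOOK = [
    Technique("T1566", "Phishing", "Initial Access"),
    Technique("T1059", "Command and Scripting Interpreter", "Execution"),
    Technique("T1078", "Valid Accounts", "Persistence"),
    Technique("T1003", "OS Credential Dumping", "Credential Access"),
    Technique("T1021", "Remote Services", "Lateral Movement"),
    Technique("T1486", "Data Encrypted for Impact", "Impact"),
]

# Constructed control inventory: which technique IDs each deployed control
# detects or blocks. Real mappings come from the control's own documentation.
CONTROLS = {
    "email-gateway": {"T1566"},
    "edr": {"T1059", "T1003"},
    "mfa": {"T1078"},
    "backups": {"T1486"},
}


def covered_techniques(controls):
    """Union of every technique ID that some deployed control addresses."""
    return set().union(*controls.values()) if controls else set()


def coverage_gaps(playbook, controls):
    """Tactics, in matrix order, whose playbook techniques have no control.

    A gap means the attacker reaches the next column unopposed.
    """
    covered = covered_techniques(controls)
    gaps = []
    for tactic in TACTIC_ORDER:
        in_phase = [t for t in playbook if t.tactic == tactic]
        if in_phase and not any(t.tid in covered for t in in_phase):
            gaps.append(tactic)
    return gaps


def first_unopposed_phase(playbook, controls):
    """Earliest tactic the attacker passes with no control in the way,
    or None when every phase the playbook uses is covered."""
    gaps = coverage_gaps(playbook, controls)
    return gaps[0] if gaps else None


if __name__ == "__main__":
    for tactic in coverage_gaps(PLAYBOOK, CONTROLS):
        print(f"no control covers tactic: {tactic}")
```

With the constructed inventory, the only uncovered column is Lateral Movement: the perimeter, endpoint and recovery controls are all present, yet nothing stands between the first compromised host and the rest of the network, which is the gap the rest of this article is about. Adding a control that addresses T1021 (for example, "segmentation": {"T1021"}) empties the gap list.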
Taking down the shuttle mission
While the plans I drew up for this attack didn't look quite as crisp as a MITRE ATT&CK map, I guarantee I had them and they looked something like this.
But here's the twist: If I were to map the tactics and techniques in my space shuttle attack to the ATT&CK framework, it'd likely look something like this:
Yes, that's the right image - the one we just looked at. Why? Because these ransomware attack playbooks go back decades!
I was deep in these tactics and techniques before I'd even heard the term "hacking" because it's just intuitive, which is what makes the ATT&CK framework so valuable.
Call to action!
In my next post, I'll start digging into each of the tactics and techniques I used, and you'll see just how little things have changed where it really, really counts: our ability to see and control the spread of ransomware and breaches throughout the network!
In the meantime, how good do you feel about an infiltrator's ability to move around your network, undetected? In so many cases, the very first indication of an intrusion is the new desktop wallpaper on your systems after ransomware has rendered it unusable.