Interview with an Ethical Hacker

Sub Title : What is hacking all about?

Issues Details : Vol 14 Issue 3 Jul – Aug 2020

Author : Defstrat Team

Page No. : 47

Category : Military Technology

Date : July 28, 2020

Def Strat: Can you please tell us about yourself briefly?

I am skylight471, a hacker. I am a Computer Science graduate and have been tinkering with security for about 18 years. I believe that I am good at what I do: I have hacked and stayed undetected within critical info infrastructure of some eight-balled countries. I did add an Offensive Security Certified Professional (OSCP) certification along the way. When I’m AFK (away from keyboard) I play word games and read books on productivity.

Def Strat: If there is one myth that you could debunk in Cyber Security, what would it be?

Most people strongly feel that “I use this blinking box by _______ (name of Security Vendor). It is a well-known OEM, so I am unhackable”.

Rest assured, this is the biggest myth bred by security practitioners. Companies selling their products always inflate features and make tall claims, giving the user a false sense of security. It does not end with one myth; there are more:

  • One belief that is rampant is that “Attackers change their tactics all the time”. This is simply a fairytale and a marketing excuse.
  • Another story that is frequently peddled is about new exploits surfacing every day – zero days and such stuff; please understand that these exploits are just 5% of the complete gig.

Once into the system, the attacks follow a cookie-cutter approach (the same approach or style is always used, and not enough attention is paid to individual differences): the same lateral movement, registry tweaks, network pivoting etc. All this is hard to miss for a mature and qualified Cyber Security practitioner. Believe me, attackers’ tactics do not change much: they are specialists, not magicians.

Def Strat: What is one of the biggest bang-for-the-buck actions that an organization can take to improve their Cyber Security posture?

The easiest and surest thing that an organization can do is to implement the concept of ‘least privilege’. Limit administrative access on most systems, because, if a hacker is able to compromise a user who has administrative access to systems, it is game over.

Also, trust me, DNS logging is a highly underrated Cyber Defence practice. Ingesting and monitoring the DNS logs provides numerous benefits to a defender. DNS logs are a goldmine of information in terms of what your systems are up to: who is talking to whom, what apps are running etc.; a goldmine of information indeed. Organizations can install some IDS (Intrusion Detection Software) like Zeek (focusing on network analysis, it looks for specific threats and triggers alerts) to further augment the DNS logs. And, put a stethoscope on the egress traffic to scan for signs of abnormality or malicious activity and then discard infected data packets.

These basic steps will effectively deter most attackers.
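The DNS-logging point above, illustrated with an added example that is not part of the interview or of Zeek itself: a small detector run over constructed dns.log-style lines. The sample uses only four of Zeek's dns.log columns (ts, id.orig_h, query, rcode_name), the IP addresses and domain names are made up, and the thresholds are assumptions to be tuned per environment. It flags two of the things DNS logs reveal that egress firewalls miss: one client generating many unique, high-entropy hostnames under one domain (the shape of DNS tunnelling or beaconing), and one client producing a burst of NXDOMAIN answers across unrelated domains (the shape of DGA malware or internal recon).

```python
"""Spot tunnel-like and DGA-like DNS activity in Zeek-style dns.log lines.

Added example; not code from the interview or from the Zeek project.
"""
import math
from collections import defaultdict

# Constructed sample (not a real capture). Tab-separated subset of a Zeek
# dns.log: ts, id.orig_h, query, rcode_name. Client 10.0.0.5 is benign,
# 10.0.0.9 looks like a DNS tunnel, 10.0.0.7 looks like a DGA or recon.
SAMPLE_DNS_LOG = """\
1595900000.1\t10.0.0.5\twww.example.com\tNOERROR
1595900001.2\t10.0.0.5\tupdates.example.net\tNOERROR
1595900002.3\t10.0.0.5\tmail.example.com\tNOERROR
1595900003.0\t10.0.0.9\t3f9a1c7e2b.tun.example.org\tNOERROR
1595900003.5\t10.0.0.9\t9c2e4b7a11.tun.example.org\tNOERROR
1595900004.0\t10.0.0.9\td41e8f0c3a.tun.example.org\tNOERROR
1595900004.5\t10.0.0.9\t7b2c9e5d1f.tun.example.org\tNOERROR
1595900005.0\t10.0.0.9\ta8f3c6e0d2.tun.example.org\tNOERROR
1595900005.5\t10.0.0.9\t5e1d7a9b3c.tun.example.org\tNOERROR
1595900006.0\t10.0.0.7\txkqzvbtrp.com\tNXDOMAIN
1595900006.2\t10.0.0.7\tlwmnpqyzk.net\tNXDOMAIN
1595900006.4\t10.0.0.7\tvbqrtxzpl.org\tNXDOMAIN
1595900006.6\t10.0.0.7\tpzkwqtrnm.info\tNXDOMAIN
"""


def parse_dns_log(text):
    """Parse tab-separated records; skip Zeek '#' header/comment lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, client, query, rcode = line.split("\t")
        records.append({"ts": float(ts), "client": client,
                        "query": query.lower().rstrip("."), "rcode": rcode})
    return records


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    # Simplification: last two labels. Real code should use the public
    # suffix list, since e.g. 'example.co.uk' needs three labels.
    parts = name.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name


def analyze(records, min_unique_names=5, min_label_entropy=3.0, min_nxdomain=4):
    """Return a list of findings. Thresholds are assumptions; tune per network."""
    per_domain = defaultdict(set)   # (client, registered domain) -> query names
    nxdomain = defaultdict(set)     # client -> registered domains that got NXDOMAIN
    for r in records:
        rd = registered_domain(r["query"])
        per_domain[(r["client"], rd)].add(r["query"])
        if r["rcode"] == "NXDOMAIN":
            nxdomain[r["client"]].add(rd)

    findings = []
    # Many distinct, high-entropy leftmost labels under one domain from one
    # client is the classic shape of data moving out (or commands in) over DNS.
    for (client, rd), names in sorted(per_domain.items()):
        if len(names) < min_unique_names:
            continue
        mean_ent = sum(shannon_entropy(n.split(".")[0]) for n in names) / len(names)
        if mean_ent >= min_label_entropy:
            findings.append({"client": client, "kind": "possible_dns_tunnel",
                             "domain": rd, "unique_names": len(names),
                             "mean_label_entropy": round(mean_ent, 2)})
    # A burst of NXDOMAIN across unrelated domains is what a DGA or a
    # host guessing internal names looks like.
    for client, domains in sorted(nxdomain.items()):
        if len(domains) >= min_nxdomain:
            findings.append({"client": client, "kind": "possible_dga_or_recon",
                             "nxdomain_domains": len(domains)})
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_dns_log(SAMPLE_DNS_LOG)):
        print(finding)
```

The same two heuristics apply to DNS logs from a resolver, a firewall or an EDR agent once the fields are mapped; the value is in having the logs at all, and in baselining unique-name counts per client so the thresholds reflect the real network rather than the guesses used here.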

Def Strat: How is it that Cyber Security spending is increasing but breaches are still happening?

Cyber Security is everyone’s concern and not just the Cyber Security Team; organisations are simply allotting hefty budgets for these teams and feeling reassured. The axiom that “People are the weakest link in a Security Chain” is conveniently overlooked; ‘General Duty persons’ of all seniorities are actually the weakest link in the chain. Also, Cyber Security goes beyond a few sketchy policies and slogans, it is an important business decision and needs to be handled like other business and enterprise risks.

As technologies evolve, hackers realign their methods. This leaves the concept of layered defense – spanning security technologies, policies & procedures and risk management – as the only way to deal with unforgiving attacks. Additionally, the ‘People’ need to be trained and educated.

Def Strat: What are your thoughts on Chinese Cyber Warfare capabilities?

Let us start by accepting that the Chinese are good; they win all bug bounties and capture-the-flag contests around the globe. But I think that is mostly a deception tactic. The Chinese are too smart to undersell themselves at such thrift shop escapades, they are simply showcasing talent to strongarm other nations.

In my appreciation, China started its efforts to become a Cyber Warfare power in the 1990s, the trigger being the US technology blitzkrieg in the Gulf War. Having started early, their efforts are bearing fruit and China evidently is one of the frontrunners.

China’s stated Military Strategy describes the primary objectives of its Cyber capabilities to include: “Cyberspace Situation Awareness, Cyber Defense, support for the country’s endeavors in cyberspace, and participation in international Cyber Cooperation.” The strategy frames these objectives within the aims of “stemming major Cyber Crises, ensuring National Network & Information Security, and maintaining National Security and Social Stability.” That is profound and encompasses all.

Def Strat: Assuming that China is one of the leaders in Cyber Warfare, can you suggest an approach to counter them?

The key to defending against any cyber-attack lies in an intimate understanding of the attacker’s approach/strategy. Reports on Chinese Cyber Offensive by various security researchers bring out a very subtle pattern; accordingly I recommend three approaches (based on my experience) to practice deterrence:

  • the attacker may ‘Cold Store Access’, or they may ‘Cold Store Exploits’,
  • or, if these two fail or are undoable, they take the brute force approach and overwhelm the target using the infamous DDoS (Distributed Denial of Service) attack.

Def Strat: Well this appears interesting. Can you expand upon these methods some more for our readers?

All Cyber Operations hinge on the art of ‘enumeration’. Enumeration implies intimately understanding a target and each individual software and hardware component of the target.

Let us assume that one has to bring down/own the website of the Transport Ministry of Country X. I would start the process by visiting the website, analyzing the hosting environment of the portal, and finding out the versions of the components (database, server, firewall etc.) used by the portal. When I am done enumerating the portal, I would know that the ‘Transport Ministry’ hosts a website on an IP address, they use Linux version 2.4 for the server and run WordPress version 4.3 for the content management system.

This list of software versions is my target. If I am able to find an exploit for any of these software components (the weakest link), I am done. I will be able to own the target in no time. So, all cyber operations boil down to two things – Target Enumeration and Exploit Bookkeeping. If I have those two things in place, all I need to do is map the right exploit to a target’s parameter and, BOOM, I will be done.

  • Cold Store Access implies that I have compromised a system and am lying low in it. Often you hear about APT (Advanced Persistent Threat). That is one form of Cold Storing Access. Once I have cold stored access in the Transport Ministry website, I will do a periodic check of the access validity. I would, maybe, milk data off the target slyly so as to evade any DLP (Data Loss Protection) alarms. And, when ordered to bring the website down, I will destroy the portal; BOOM, and no Kinetic Energy used!!!
  • Cold Store Exploits entails keeping a software exploit ready and mapped to your target system. It is like the laser dot showing up on a target from a sniper’s gun. The dot is invisible in the cyber domain. So, when I get a green, I press the trigger and bring down the target or make it behave to my advantage. Drawing from the example – I may display a banner with expletives on the Transport Ministry website, I may encrypt all the files therein or I may infect every visitor who visits the website. The possibilities are endless. In the case of cold store methods, often, the exploit will not fall in the category of Remote Code Execution (RCE) – that is, it might not engage the target seamlessly and may require a trigger at the target’s end. This is where things like Social Engineering, Insider Threats etc. are necessitated. The supreme art of war is to subdue the enemy without fighting – Sun Tzu.
  • DDoS Attacks entail simply overwhelming the target with an amount of data which it cannot handle. This is an attack on the availability of the system, and if it does not bring down the system completely, it at least degrades its performance considerably. If cold-storing techniques were Ironman, DDoS is Thor. In the past, China has deployed its powerful DDoS tool, the ‘Great Cannon,’ against GitHub pages that provided tools for circumventing China’s Great Firewall.
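The enumeration and bookkeeping workflow described in this answer (fingerprint the portal's components, then match the version list against a stored table), shown as an added example that is not the interviewee's code or tooling. The HTTP response is constructed, the version strings are illustrative and chosen to echo the WordPress 4.3 example above, and the bookkeeping table is a hypothetical placeholder: its version ranges and handles are made up and do not correspond to any real advisory or exploit. The second response shows the defender's side of the same step: with `ServerTokens Prod` and the generator tag removed, the fingerprint collapses to "WordPress, version unknown" and nothing in the table matches.

```python
"""Target enumeration from an HTTP response, then lookup in a bookkeeping table.

Added example; not the interviewee's method or any real exploit database.
"""
import re

# Constructed response (not a real capture). Versions are illustrative only.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 28 Jul 2020 10:00:00 GMT\r\n"
    "Server: Apache/2.2.15 (Unix)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><head>\n"
    '<meta name="generator" content="WordPress 4.3" />\n'
    '<link rel="stylesheet" href="/wp-content/themes/twentyfifteen/style.css?ver=4.3" />\n'
    "</head><body>Transport Ministry</body></html>\n"
)

# Same site after removing version disclosure (constructed).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    '<html><head><link rel="stylesheet" href="/wp-content/themes/x/style.css" />'
    "</head><body>Transport Ministry</body></html>\n"
)

PRODUCT_VERSION = re.compile(r"([A-Za-z-]+)/([\d.]+)")
WP_GENERATOR = re.compile(r'<meta\s+name="generator"\s+content="WordPress ([\d.]+)"', re.I)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def fingerprint(raw):
    """Return {component: version} built only from what the server volunteers."""
    _, headers, body = parse_response(raw)
    found = {}
    for header in ("server", "x-powered-by"):
        m = PRODUCT_VERSION.match(headers.get(header, ""))
        if m:
            found[m.group(1).lower()] = m.group(2)
    m = WP_GENERATOR.search(body)
    if m:
        found["wordpress"] = m.group(1)
    elif "/wp-content/" in body:
        found["wordpress"] = "unknown"   # CMS identified, version withheld
    return found


def version_lt(a, b):
    """True if dotted version a < b; '4.3' is treated as '4.3.0'."""
    ta = tuple(int(x) for x in a.split("."))
    tb = tuple(int(x) for x in b.split("."))
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


# Hypothetical bookkeeping table. Ranges and handles are made up for the
# mechanics of the lookup and are NOT real advisories or exploits.
HYPOTHETICAL_BOOKKEEPING = {
    "wordpress": [{"affected_below": "4.4", "handle": "EXAMPLE-WP-1"}],
    "php":       [{"affected_below": "5.4", "handle": "EXAMPLE-PHP-1"}],
    "nginx":     [{"affected_below": "1.0", "handle": "EXAMPLE-NGINX-1"}],
}


def map_exploits(inventory, table):
    """Return (component, version, handle) for every table entry the inventory falls under."""
    hits = []
    for component, version in inventory.items():
        if version == "unknown":
            continue   # nothing to compare; the attacker must probe further
        for entry in table.get(component, []):
            if version_lt(version, entry["affected_below"]):
                hits.append((component, version, entry["handle"]))
    return hits


if __name__ == "__main__":
    for raw in (SAMPLE_RESPONSE, HARDENED_RESPONSE):
        inventory = fingerprint(raw)
        print(inventory, "->", map_exploits(inventory, HYPOTHETICAL_BOOKKEEPING))
```

Two practical caveats: headers and generator tags are controlled by the target and can be stripped or faked, so a serious enumeration cross-checks them against behaviour (file paths, error pages, response ordering) rather than trusting a single banner; and on the defending side, withholding versions does not fix anything, it only raises the cost of the mapping step, so it belongs alongside patching rather than in place of it.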

Def Strat: How can the Blue Land defend their Systems (Defensive)?

Simply stated, they need to get over the ‘security in a box’ mentality to prevent attacks. The checklist-based security approach has been failing organizations for a very long time. I think the following steps can help an organization up its Cyber Security by leaps.

  • Implement Role Based Access Control, restricting system access to authorized users.
  • Practice Defence in Depth; multiple layers of security controls to provide redundancy in the event a security control fails, or a vulnerability is exploited.
  • Work towards the education and awareness of employees; must include spam, phishing, malware, ransomware, and social engineering.
  • Log, Reflect and Improvise; appears very mundane but crucial.
  • Threat Intelligence Collaboration: intelligence gathered from multiple sources, processed and correlated, helps IT teams quickly detect and identify threats and automatically respond at digital speeds.
  • Talent management: a grossly overlooked vertical, their career paths need to be well defined.
  • Let specialists be involved in making and implementing policies; Cyber Security appointments cannot be sublet for cadre management avenues in the organisation.

Def Strat: Finally, can we ask you to give some tips for someone who is vying to master this field?

Let me begin by saying that it is a tough vocation, there is no well beaten path, and it is a lot of hard work all the way. The Cyber Space is overflowing with information, events are overtaking time and a lot is happening to fill the 24 hours. Technology is evolving rapidly, and new tools and techniques add to the challenge. In order to stay relevant, one has to stay current and slog.

Complexity, Extensibility and Connectivity are the three prime drivers governing the evolution of Cyber Security problems. Curiosity to understand how things work in the Cyber domain is therefore vital. This gets further complemented by a desire to tinker and play around with options, alternatives, and opportunities. Finally, nothing beats real world experience; apprenticeship is the order of the day and managing to penetrate through tough security is a personal achievement; it boosts self-esteem. So, just go for it.

Def Strat: A final word for the Cyber Security Defenders:

Cyber Security conjures an imagery of white-collar experts toying with convoluted and expensive technology. However, the most important step to conclusive defense is training one’s employees to be safe with technology already in place. Password management, spotting phishing etc. are some basic things our employees need to be trained on. An indicative metric, devised by me, of an organization’s Cyber Security posture is the overall percentage of employees using a password manager. If a show of hands to that is not heartening for you, be prepared for a visit from the ‘hacker’.