Thursday, July 21, 2011

APT Attacks - A View From The Driver's Seat

I have read a lot over the past few years about Advanced Persistent Threats (APT). Many people believe that these attacks are carried out by sophisticated attackers employed by China or other nation states. While this may be true, I have often wondered how much effort and how many resources would be required to carry out such an attack.
Well, recently one of my clients said, "We have invested a lot into security recently and we would like to see what a real attacker would do to our network." So we proposed performing a "blended threat assessment", a.k.a. a "hit us with every trick in the book" assessment. So, what did we do and what was the result?

Result = Global Administrative Rights (Domain Admin) and undetected persistence in the network for over a week. The persistence ended not because we were detected, but because the penetration test ended.

Level of Effort = 2 weeks of social recon, 5 phishing emails, 1 hr to set up C&C servers, 8 hrs to take global Domain Admin.

Strategy = Social Recon + Phishing + Browser Exploits + Trojan Excel Sheets + Metasploit & Meterpreter.

Granted, real APT attacks often persist for months or years without detection and focus on leeching large amounts of data from target networks. But the concepts are all the same. The client was a large multinational organization. Because of the critical nature of its business, it had made security a priority. While it did have its security flaws, it was ahead of the curve when compared to others in its industry. But at the end of the day, all it took was 1 man, limited recon, a few phishing emails, and a little imagination to achieve the same effect. I did not use any 0-day exploits or advanced attack strategies.

I think this case study does an excellent job of illustrating the reverse arms race happening in cyber security today: it costs organizations millions of dollars to secure themselves against attack, while it requires only limited resources to breach that same security.
