Post on 18-Dec-2015

153 Brooks Road, Rome, NY | 315.336.3306 | http://ainfosec.com

Thinking Like an Attacker: What does it take to attack a system

Eric Thayer
Senior Engineer

Assured Information Security (AIS)
153 Brooks Road
Rome, NY 13441

Who are we?

AIS is a security research company primarily serving the DoD

Our mission is to analyze, understand, characterize and exploit cyber systems using adversarial techniques

Started as a group of hackers and have maintained the mentality since 2001

Am I qualified to talk about this?

Performing “Offensive Cyber” since 2002
◦ First AIS employee hired to perform red team assessments
◦ Offensive research could not be acknowledged at the time
◦ The term Cyber did not have the same meaning then

System Administrator and Unix Security Admin for the DoD for five years prior to that
◦ Developed security monitoring tools
◦ Participated in multiple incident response exercises
◦ Supported the Air Force Research Laboratory in Rome, NY
  • Network Operations Center
  • Defensive Information Warfare Laboratory

What is an attacker?

Hacker
Security Researcher
Grey Hat
Black Hat
White Hat
L33t Hax0r
Script Kiddie
Vulnerability Research Engineer
Penetration Tester

What drives an attacker?

Curiosity
◦ How did they make that work
◦ What are they doing with this data
◦ Why do I have to do this this way

The desire to make something do what it was not intended to do
◦ Circumvention of others’ protections
◦ “Outwitting” the designer or developer

The challenge associated with successfully breaking a system
◦ The notoriety, satisfaction, and challenge of compromising a system
◦ Who doesn’t like to see things blow up?

Money…

What is the role of an attacker?

Attackers are responsible for the identification and disclosure of vulnerabilities within a system through various means
◦ Funded research
◦ Interesting personal project
◦ The search for more money

Provide insight into system design and security that is not always evident to designers, developers, and users
◦ Security professionals view every target as a challenge
◦ The question of “how could I break that” is always in the back of their mind

Serve as the “dark side” to help maintain the delicate balance between good and evil

How do you become an attacker?

First you must be able to ask the question “Why?”, or “How?”, or even “What if?”
◦ Curiosity is the catalyst of all good findings
◦ Following up on those questions is how most of us got our start

More importantly, you need a technical background with an in-depth understanding of the basics of computing
◦ What’s going on inside the box
◦ How is software designed and built
◦ How does the system’s design impact the operation
◦ How are things talking to each other
◦ What is the software development/maintenance process

What else do you need?

An understanding of the foundations of security
◦ What are the basic types of vulnerabilities
◦ How are systems exploited
◦ What techniques are usually applied to analysis of a particular class of target
◦ What is actually required to get code execution
◦ What measures are in place to prevent certain types of exploitation

Respect your elders; you may not be the first one to show interest in a particular target
◦ Learn from the work of others and use their experience to feed your curiosity
◦ Build on their foundation and use the tools and/or techniques they used to help in your assessment

How does this apply to the IoT?

Embedded platforms are becoming increasingly advanced
◦ Full operating systems
◦ Support for complex networking and communications protocols
◦ Real time feedback/diagnostic interfaces
◦ Feature rich user interfaces

Lack of protection mechanisms in “closed” systems and networks makes for a rich target environment
◦ Trusted relationships and communications between nodes
◦ Open, unauthenticated protocols
◦ Decreased security to allow for integration of components

“Why does a _____ need to be secure, nobody would ever want to attack that?”

Great, let’s attack something!

Develop an understanding of the target
◦ Analyze available documentation
◦ Review the design
◦ Interact with system and observe normal behavior

Identify goals for the assessment
◦ Define what you are attempting to achieve

Perform targeted system analysis
◦ Manual and scripted interaction with components, services, or interfaces
◦ Hardware/Software analysis
  • Identify hardware functionality
  • Extract software and determine behavior
  • Identify the basic functionalities and features that may allow for exploitation
◦ Investigate design, development, and implementation weaknesses

Develop “exploitation” techniques

How?

Understand your target

To effectively exploit a target you must understand its behaviors and limitations

Define what the system is capable of
◦ How does it operate?
◦ How do components communicate with each other?
◦ What forms of access exist?

Determine what functional features exist and identify how they can be exercised
◦ Use the target system as a user would
◦ Monitor behavior and interaction of components
◦ Identify a behavior of interest and develop more comprehensive tests

Build an understanding based on observation
◦ Documentation
◦ Interaction
◦ Monitoring of behavior

Define your goal

What do we want to impact
◦ The system as a whole
◦ Physical controllers connected to smart embedded systems
◦ Servos and actuators
◦ Blinky lights
◦ The manufacturer’s reputation

What is our driving force
◦ Intelligence
◦ Theft
◦ Profit
◦ Personal harm
◦ Just because I can

What may have been done in this area before

Achieving your goal

Determine what it is that you want to do and the impact you want to have
◦ Think about how you are going to achieve that goal and what information you may need
◦ Interact with and monitor the system to collect the required data

Identify the components of the system that may be useful in helping you achieve your goal
◦ What dependencies may exist that could help exploitation
◦ Are certain components of the system weaker than others
◦ Do remote access/communications vectors exist

Observe the system and refine your approach
◦ Trial and error is common practice
◦ Observe behavior and adjust accordingly

Before performing the analysis

Although the technique for every assessment is similar, the process is driven by the understanding of the target
◦ The more you know about the system under the hood, the easier the assessment will be
◦ In-depth knowledge and clearly defined goals will help focus the assessment and manage scope

Every target system will be different
◦ Remote access techniques will vary
◦ OS may be Linux based, it may not
◦ Exposed services could exist

The purpose and design criteria for the system will set the bar for protections
◦ Purposefully designed systems often present a hardened attack surface
◦ Integration of legacy systems often introduces security holes
◦ Multiple systems from various suppliers integrated into a single solution…

Things to remember before getting into the weeds

Targeted system analysis

Identify the basic features that may allow for exploitation
◦ Network communications
◦ Input processing
◦ Exposed services
◦ Software updates

Interface with the target through the exposed interfaces and observe the resultant output for anomalies
◦ Develop test cases to stress system operation
◦ Generate network data or program input to test functionality
◦ Manipulate data, timing, and sequencing

Extract software and data and perform more in-depth reverse engineering
◦ Perform static and dynamic analysis
◦ Identify functional system blocks and interfaces
◦ Trace data flow

Develop an exploit

Exploitation is an art, not a science; initial attempts at generating an effect don’t always work
◦ These are complex systems; there are often logic and preconditions that must be met
◦ Understanding of the target’s operation in certain scenarios may require further investigation
◦ Educated trial, error, and observation are key to successful exploitation

Exploitation is not limited to code execution; unintended use of features can also be an exploit

Now what?

Define your goals based on what you know
◦ Learning is an iterative process
◦ As your knowledge of the target evolves, you will need to refine your goals

Understand what has been done already
◦ Build upon what others have accomplished
◦ Learn from their mistakes

Understand the potential issues associated with attacking any system
◦ There are some things that just may not work
◦ Time, budget, and resources are most commonly your limiting factors

Remember, an exploit does not have to provide a means to execute code, but a severe vulnerability will have a much more meaningful impact

Can you hack it trivia
