What They Don't Teach You in "Thinking Like the Enemy" Classes

Tuesday, March 06, 2012

Pete Herzog

1789975b05c7c71e14278df690cabf26

For those of you who are interested in taking a security class that promises to teach you ethical hacking and how to think like the enemy, let me save you some time and money on what you will learn:

  1. Find who and what interacts with your target.
  2. Search those things for weaknesses.
  3. Attack.
  4. Clean up some of your tracks.
  5. Profit!


Now go and try to apply this in your new job as a penetration tester and ethical hacker. But it won't work as advertised. Because these classes are NOT teaching you how the enemy really thinks. They can't. And they're doing more harm than good.


WHAT THEY ARE NOT TEACHING YOU

1. The enemy is not homogenous. Just like there is not just one foreign language, there is not one type of enemy. And among those enemy attackers, not all think alike. Even those joined together under a common mission or goal, there is often division in how to accomplish that goal.

So which type of enemy are you learning to think like? The fanatic? The prankster? The desperate? The lonely? The zealous? The frustrated? The crazy? The poor? And even then, can you really think like them when they embody a mindset built from years of thinking and living a certain way? Can you really understand the motives of an attacker when your large take-out coffee might equal a day of their wages?

We like to think we can because movies tell us it's possible. But it's not.

For a little perspective, consider how many times have you heard from a friend/neighbor that they don't worry about intruders because they have a dog? And criminals don't have dogs? Some types of criminals have dog rings where the meanest dogs fight each other and these criminals have no problem handling those dogs. Just because you or your neighbors find a big, barking dog alarming or intimidating doesn't mean the attacker will. To not understand that is to already admit you might not be in their mindset. But if you can, let's try something harder: now try to think in the mindset that it's a morally correct and civilized thing to blow up a crowded market or a federal building. I can get even harsher, but it'll likely get censored here... so catch me at a seminar to discuss this further.

2. The enemy will invest much more resources in staging an attack than you think is worth it. For one, the attacker likely doesn't have the same financial value system you do. Secondly, they don't necessarily have the same motives as you which means you won't necessarily agree on what is your asset. So the enemy may go to a further extent learning your devices and dive in deeper than even the product manufacturer's own engineers. Sometimes years longer than what you think is the product life cycle. Since some of your engineers will be using tool kits and recycled code from other projects that they don't even know how they work just that they do work, your code and techniques will be around much longer than you expect. But most importantly, to some types of attackers, things you have and don't think much about, like reputation, ideology, political affiliations, representation, circle of friends, contacts, raw research data, customer details, or even your outspoken moral code, they may see as an asset worth taking greater than just credit card numbers. An attacker in it just for the kicks may be more interested in seeing you publicly eat crow than fencing your goods. And then there are some assets you don't realize how much they're worth until they're gone or smeared all over the news. So of course they'll put much more effort into it than you think you would if you were in their shoes because they think it's worth more than you do.

In seminars, we've covered this by showing how it's not uncommon for a stage magician to design and practice a trick for years before amazing an audience. So much time and effort for something done and gone in just minutes. Most people wouldn't even consider doing that. Which is why we then ooh and ahh and clap. Well, it's the same for some attackers. Sure, we'll still ooh and ahh but not in a good way and then it's them who usually clap.

For a little perspective on how hard it is to value something the same as someone else, how often have you been asked by a friend or neighbor to check out their computer because they think it's infected. They say, "Come on, it'll just take you ten minutes and I'll buy you a drink." But what they don't realize is that it actually took you at least ten years to be able to analyze and diagnose the problem in "just ten minutes" and no drink will compensate you for ten years and ten minutes worth of work. So if even your friends and neighbors can't extend their reasoning into how much effort it took you to do what you can do, why it's more valuable than a drink, then maybe you can consider it's just as hard for you to extend yours to think about what the enemy values and the amount of effort they will make?


3. The enemy can and will readily exploit the one thing in our society that we think has made us so advanced and civilized: trust. As children, our society makes us learn that it's nice and polite to share. Then it's cemented in by rewarding those who share their secrets with secrets of their own. And knowing secrets makes us feel trusted and important. Even the typical romantic comedies focus on trust - showing it's good and healthy to share with one another, then regret it, and then realize it doesn't matter and fall in love all over again. This way we can also laugh and cry together. It makes a unified society.

So as you grew you learned that it is polite and civilized to extend trust as a show of good will. People who receive that trust without earning it feel important. And if you really think you are important, you're likely to expect (demand!) to have access to the secrets of others and get mad at people who don't just trust you. Maybe you're even one of those people who believes the old expression that people who don't trust others can't be trusted. But we're all in it together in this society. And so sharing and extending trust brings us to be trusted in a nasty, vicious circle of trusting, love, and friendship. And self-importance.

And that's why people will click on that link that their old high school friend, Tim, sent them, despite that they haven't talked in 12 years, nor were they really friends then but rather just had their lockers next to each other, because Tim has something he apparently needs them to see-- so click click and zap!

It's very likely you trust way too much for far too little reason. And you likely trust in the wrong way. People generally don't discriminate what they trust where so that they will take financial advice from their dentist and dental advice from a close friend. Just because they trust them. Some people will trust corporations with their private lives and private info. Others even trust their politicians to actually represent them and have their best interests at heart. But in reality we need to have reasons to trust someone or something and having these reasons makes it very hard to be duped. In an ISECOM research project, 10 criteria were classified for trusting someone or something. And we find in practice most people are satisfied with just one of those criteria being met. Usually it's consistency, the trust criteria that shows this has happened to us before. Even the truly cynical however are still often satisfied with just 3 of the 10. We can blame society!

So an enemy who isn't saddled with the same burden of sharing and trusting as part of being polite in their society can only see these trust connections as exploitable interactions.

For some perspective on how your trust is a liability, when's the last time you bought something based on customer reviews? That's a fallacy called composability where we trust something because why would many people lie? Users of one trip advice website learned the hard way. That's because some reviews were faked by businesses to increase business and others were exaggerated out of anger from unhappy patrons. And when someone can influence your decisions by manipulating what you trust, then that's someone attacking you via a trust.

In the immortal words of Sun Tzu, "Trust is a delicate flower and we need to stomp it out before it destroys us." [Citation Needed]


4. The enemy is very capable of planning and interweaving multiple attacks across multiple channels to get to their target. It's harder to do, sure (see #2), but they aren't just thinking about your low hanging fruit. They are thinking multiple steps ahead of your current security measures, aggregating different means of attack, and correlating their attacks across wireless, telephony, people, and physical infrastructure to get there. For example, an exploit may require that a user receive an e-mail, click on a link in that e-mail to receive a document type not allowed via e-mail, over-ride any security warnings to view it, and then nest a dirty little bug within the operating system to call home camouflaged as normal traffic. And if you think, "But who would do all those steps?" re-read #3.

Nowadays, an attack which can be made directly, as in my exploit for your vulnerability, is "low hanging fruit" and expected to be the least bit of effort required in most security compliance documents. Which means anyone patching regularly will not be vulnerable for long. So attackers who are already making a large effort, will focus on more complicated but more certain attack methods that will be around a long time. So they will use precision timing, random-number guessing algorithms, back on back attacks like a flood followed by a specially timed buffer overflow, and a lot of trust manipulation all together on just one specific attack. Some people might consider this APT but I think it's really just ADITLO (A Day In The Life Of) for the enemy.

For a perspective in how vulnerable people are to the multifaceted, coordinated attack, consider the basic gym membership. The direct way would be for big thugs from the gym to just come and take your money from your hands. But that low hanging fruit ended a while ago for most gyms and so now they employ big thugs to berate and belittle you into joining. But you have to be there first. So to get you in they require a whole lot of trust manipulation from ads that tell you your fat and unhealthy, talk show hosts that tell you everyone needs to diet and exercise, to the sponsoring of diet books, magazines, video games, and shows all letting you know you're not in good enough shape. They apparently collude with models and actors who embody a look you want, designers and fashionistas who make clothes that will never fit people with a BMI not in the negative numbers, and spam email that repeatedly questions your sexual ability, and then there's that one friend or family member they already sucked in....


5. The enemy probably doesn't have everything you have but that doesn't mean that if we don't have it they don't either. That means don't think that you can't afford a supercomputer to crack encryption doesn't mean they don't have access to one. The enemy will get the things they need and make the things that you thought you had to buy (probably out of your garbage! ha!). Then there's the potential for state sponsorship of equipment for what they can't afford either. Then there's the enemy which is just a lot of people with a common goal (many hands make light work) who can just all download and run a program which causes a massive denial of service attack. When you try to think like the enemy you not only can't really imagine what they have access to but also what their diverse backgrounds teaches them how to solve problems in getting what they need.

For another perspective, consider the creation of the cantenna. While corporate security gurus were making sure that no wireless laptop, even with an expensive antenna, could get on their internal wireless network from beyond their property line, a kilometer away sits the enemy currently attacking their network while eating the Pringles crumbs from the can they threw out which now houses a USB wifi dongle.


6. The enemy will take advantage of your superego. That part of you which is defined by your society, culture, and way of living, and that makes you want to be likable, is one of the ways that the attacker will evade detection. Attackers know not to back you into a corner. They need to leave room for you to think you can choose from various courses of action, leaving the best (easiest) choice to be one where the you do nothing. And by nothing, I mean, puff out your chest, stomp around, and shout names and wave papers of compliance audits passed. But nothing as far as trying to actually catch the attacker.

That part of the attack often requires restraint not generally attributed to an enemy. Stealthy, yes. Smart, sure. But restrained? No, you automatically think that when you vanquished the attacker you did so before more damage could be done or else that the attacker was too stupid to know what they managed to get in to. That's your ego talking of course. But as light is cast on the attack and you need to take recourse, the superego defines what responsibility you must take and how you can make yourself accountable. So you're apt to lie like hell.

Yes, once again, society has made it more attractive to deny any wrong-doing and avoid punishment then to learn and grow from a mistake. Just look to our role models in government and in Hollywood. It's because our society wants us to punish those victims who didn't do all they could do. And in the corporate setting, that means to fire you or move you to marketing where you can't do more harm. However, that only means the next person to fill your role will be equally inexperienced by such matters but will have learned the golden rule: deny when caught.

For another perspective you can just look to pretty much anything. You name it, there's somebody denying it. In Smarter Safer Better we cover lying in detail and it's not the dumb ones who generally do the "deny and lie"- it's the smart ones! Studies show higher IQs correlates to learning deceit at an earlier age and being more apt to use deceit at all. That's why the dumb jock caught having adulterous sex with a flight attendant will fess up and go to rehab for apparently having a sex addiction while the Harvard educated businessman will deny like hell and smear the good name of the flight attendant by accusing them as a sex addict.

*   *   *

As you can see, you can't really think like the enemy in any realistic way. And if you could, it wouldn't matter because which enemy?

You can also see that in some cases, we are exploited in many ways by ourselves the same way the enemy exploits us. We have seen the enemy and they are us! Dun DUN dun! So think about that the next time you want to assess your security the old fashioned way (in movies) to use a thief to catch a thief. Or a psycho to catch a psycho. Or a... never mind, you get the idea. Your best recourse is stop trying to guess what the attacker is going to do next and practice good preventative security. But you can find the details from this in Chapter 14 of the OSSTMM 3:

  1. Make separations between your assets and what shouldn't be interacting with them.
  2. Lock down and control those interactions which are allowed.
  3. Actively manage all trusts.


If you liked this, you should also look into the ISECOM research and upcoming workshops on trust and human vulnerabilities. It's really incredible stuff.

Possibly Related Articles:
21860
General Security Training
Information Security
Methodologies Training Penetration Testing Attacks OSSTMM ISECOM Exploits hackers Information Security Infosec Mitigation Cyber Defense Attribution Pentesting Pete Herzog
Post Rating I Like this!
Default-avatar
Tamer Ibrahim Excellent article,i would like to add, in adiition to practice good preventative , geussing and identifying what am attacker may be able to do is essintial since it is a Cyberwar. also monitoring Assts and trusts shall be a going on process
1353388471
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.