MATERIAL Y MÉTODOS

Software implants or malware can be removed from hard-drives by PSP or by formatting and reinstalling the software on the computer. Any malware that only resides in memory can be removed by a reboot. To overcome this attackers use various means to gain persistence for their malware on a system. Subsection 4.1.7 discusses the BullDozer hardware implant that provides persistence for the Kongur software implement.

5.8.1 Hardware Implants

FitzPatrick (2016) created and demonstrated ve hardware implants. The ve meth- ods include privilege escalation via JTAG, using Direct Memory Access to patch kernels, controlling a Programmable Logic Controller (PLC) wirelessly, inserting a malicious hard- ware module into a PLC without powering it o and attacking a computer using a USB C display adapter. As the most expensive of these devices costs less than USD 75 these techniques are within the ambit of the hobbyist. It follows that more well resourced threat actors such as organised crime are easily capable of employing such techniques.

RF retro-reectors are a recurring type of hardware implant in the NSA's ANT catalogue. However, these types of bugs are not limited to nation states and the designs for equivalent devices are freely available online. Ossmann (2014) created and published the designs online6 _{for ve retro-reectors, two general purpose (one Field-Eect Transistor (FET)}

and one P-type, Intrinsic, and N-type (PIN) material diode based design), one for PS/2 keyboards, another for USB devices and lastly one for monitoring VGA.

5.9. SUMMARY 76

5.8.2 Firmware Implants

Subsection 4.1.7 describes two implants that modify rmware. The IrateMonk implant modies hard drive rmware to substitute the MBR and the Swap implant performs a BIOS modication to exploit the HPA of the hard drive to achieve execution prior to OS loading. Such rmware implants will survive formatting of the hard drive.

5.8.3 Compromise in Depth

From analysing the les authored by Pecoraro (2013) we learn that frequent use was made of DSquery to survey the network. The high number of implants and beacons showed that the attackers had moved laterally in the network and compromised many of the machines on it. Re-imaging or reinstalling ten machines would not have removed the attacker from the network.

The network had been thoroughly mapped out and understood. The attackers had gone as far as creating network diagrams to visually depict the network. They even created an extra network diagram depicting how to exltrate data which mentions implants from NSA ANT catalogue for network devices. The status presentation on the JeepFlea Market operation claims a presence on front-end, middleware and back-end systems.

The attackers were organised and well-prepared with tools to script or automate attack actions and preprepared SQL queries to extract data from Oracle databases. They made heavy use of network redirection which would complicate tracking their movements. There were multiple separate network intrusions from July 2012 to September 2013.

5.9 Summary

This chapter presented approaches and techniques used by attackers to attack people and technology. Some of these attacker methods are aimed at evading detection, circumvent- ing security or gaining persistence while others are intended to exltrate data, intercept communication or determine the location of a target.

Defenders should be aware of the attacker techniques that can be employed against their users and information systems. The following are some key challenges that attackers present to defenders and that the next chapter seeks to address by presenting various defences to mitigate them.

ˆ The combination of possible compliance principles used in the various techniques across multiple mediums results in a large permutation of social engineering attacks making it hard for defenders to defend against.

ˆ Attackers seek to avoid causing warning messages and circumventing technologies that prevent users from aiding them in social engineering attacks such as phishing. They are also aware of the eorts of defenders to detect and reverse engineer their malware. They are able to remove or replace artefacts that could be found by forensic level analysis.

ˆ Moreover, attackers are able to circumvent security defences by removing themselves from the observable domain, e.g., by moving to the lower hardware rings.

ˆ OSes providing functionality like WMI and PowerShell allow attackers to live o the land while increasing the diculty of detection. Attackers who reuse OS func- tionality and query information services that are essential to the functioning of a network, e.g., DNS lookups or OS, e.g, le deletion, are attacking the indefensible. ˆ Electromagnetic radiation goes hand-in-hand with electronics and can be used to

breach security boundaries, e.g., by bridging air-gaps. Similarly, devices that broad- cast RF on known frequencies can be listened for until they come into range, e.g., cellular phones, wireless cards, Bluetooth, NFC, and so on.

ˆ Communication and/or networking scenarios are subject to interception, imperson- ation and MITM attacks should adequate safeguards not be in place to conrm participant identities and encrypt trac between them. By intercepting the data as it leaves the computer, the attacker does not need to compromise the computer itself.

ˆ Attackers can employ non-software methods, e.g., rmware and hardware, to persist their malware.

Chapter 6

Defences against Attack Types

According to Yoran and Robertson (2015), zero-days are by denition impossible to pre- pare for but to speed response they suggest preparing, prioritizing, monitoring, keeping up with change, catering for human fallibility and continuous testing and improvement of security.

There are numerous techniques that can be used to secure information systems and defend against attacks. Specic cyber attack implementations can be defended against once they have become known. However, as Langner (2013) states, attack tactics and methodologies can be learned from existing attacks and then used in the creation of new attacks, which may target other industries and even exploit new vulnerabilities.

This chapter suggests defences applicable to categories or classes of attacks that were distilled from Chapter 4 and presented in Chapter 5. As such, the defences in this chapter are ordered similarly to the attacks in the previous chapter. These defences are intended to provide value to defenders even in the face of attacks that make use of exploits that target zero-day vulnerabilities.

Defenders should aim to detect and prevent attackers as they gain entry to a network, move laterally and gain administrator privileges. By understanding the attacker's techniques defenders can seek to mitigate against them and even raise the costs to the attacker to dissuade them.

6.1 Defending People

Defending people is a critical component of overall information security. If eort were only spent on improving the security posture of the processes and technology then the people would remain the weak point that attackers would still be able to target.

6.1.1 Training

Practising good OpSec is especially important as attackers can turn to other methods and sources to circumvent security1_{. Patching the people vulnerabilities through training}

helps reduce the rate at which users succumb to phishing attacks (Sheng et al., 2010). To prevent and/or mitigate against social engineering attacks, Hadnagy (2010) recom- mends learning to recognise the various types of social engineering attacks, creating a culture of security awareness, knowing the value of the information being requested, de- veloping standard operating procedures, learning from social engineering tests and keeping the software updated.

The success of such defensive eorts should be monitored by periodically testing the organization's employees, e.g., conducting mock phishing exercises against them, and tracking the results.

6.1.2 Information to Assist Decision Making

In their study Egelman et al. (2008) show that if there is an active warning, 79% of users do not proceed to a risky website, however this percentage drops to a mere 13% if the warning is of a passive type.

This indicates that preventing a user from proceeding to risky website by displaying a message that requires action is far more powerful than allowing the user to load the website and then displaying a warning message that does not require active eort on the part of the user to bypass.