In the spring of 2001 I attended a week-long ‘ethical hacking’ course run by Internet Security Systems, a company that is now a security research team at IBM. The training was excellent: it explained how to explore and break into systems, then let students exploit servers, steal information, crack passwords and deface websites. This was, naturally, conducted within a carefully controlled lab environment.
The course was based largely on a new series of books called Hacking Exposed. I went straight out and bought the second edition of Hacking Exposed from a local bookshop as soon as the course was over. I have picked up other versions over the years, but that second edition has aged well, the information remaining generally applicable to today’s environment. Vulnerabilities and tools may evolve, but the things hackers do are largely the same.
This is, in some ways, quite reassuring. Those who want to protect systems are well advised to keep abreast of the latest developments in how systems are breached. But could it be that reading a book on hacking every 15 years is nearly enough to keep you up to date in your mission to gather useful threat intelligence?
It’s a hard idea to swallow, especially if you are a CISO who is already spending hundreds of thousands of any western currency each year on so-called threat intelligence feeds. It means you need to do some reading, probably research further afield to fill in gaps and ultimately understand the problem at a lower level than you might have wanted. You can’t throw money at that – just time and brain cells. Many of us have less of the latter than the former, sadly.
It’s worth remembering that threat intelligence has to be relevant to you; otherwise it’s just plain information. A feed of malware hashes or IP addresses of command and control servers might seem useful, but only if some of that malware comes your way. Without analysis, and a subsequent discovery that it is relevant, the information does not graduate to ‘threat intelligence’.
For example, you may receive news that a madman is on the rampage with an axe in Croydon, UK. And you live in San Francisco. Unless you have people you care about living in Croydon this news is not threat intelligence, it is just information. If you remember that you have loved ones in the area then that analysis converts the information to useful threat intelligence upon which you should act as quickly as possible, by warning anyone who needs to know.
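The conversion from information to intelligence is, in practice, a correlation step: take the feed, take your own telemetry, and see whether any of the indicators have actually turned up on your network. The script below is an added example, not from this article, from Hacking Exposed or from any real feed. The indicator feed, the proxy, DNS and endpoint log lines, and the IP addresses, domain and hash are all constructed for illustration (documentation ranges and the SHA-256 of the empty string); the function names are my own.

```python
"""Correlate a raw indicator feed against local telemetry.

Added example with constructed data. The feed entries, the log lines and
the indicators themselves are invented for illustration; none of them
describe a real incident.
"""
import re
from collections import defaultdict

# Constructed feed entries, in the "defanged" style many feeds use so
# that an indicator cannot be clicked or resolved by accident.
FEED = [
    {"type": "sha256", "note": "dropper",
     "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"type": "ipv4",   "note": "C2",      "value": "203.0.113[.]17"},
    {"type": "domain", "note": "C2",      "value": "update.example[.]net"},
    {"type": "ipv4",   "note": "scanner", "value": "198.51.100.9"},
]

# Constructed local telemetry: one proxy hit, one DNS answer, one endpoint
# file-hash event and one unrelated proxy line.
TELEMETRY = [
    "2016-04-15T09:12:01Z proxy src=10.0.0.5 dst=203.0.113.17 url=http://203.0.113.17/gate.php",
    "2016-04-15T09:12:03Z dns client=10.0.0.5 query=UPDATE.EXAMPLE.NET answer=203.0.113.17",
    "2016-04-15T09:13:10Z edr host=ws-05 sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 path=C:\\Users\\a\\x.exe",
    "2016-04-15T09:14:00Z proxy src=10.0.0.7 dst=192.0.2.44 url=http://192.0.2.44/",
]

# Observables we know how to pull out of a log line, by indicator type.
PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
    "ipv4":   re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
}


def refang(value: str) -> str:
    """Undo the common defanging conventions and normalise case, so that a
    feed value compares equal to what the logs actually contain."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://")
                 .strip().lower())


def extract(line: str) -> dict:
    """Return {type: set(candidates)} for one telemetry line."""
    low = line.lower()
    return {t: set(p.findall(low)) for t, p in PATTERNS.items()}


def correlate(feed, telemetry):
    """Split a feed into what is relevant to us and what is not.

    Returns (hits, unmatched): hits maps each indicator that was seen
    locally to the log lines it appeared in; unmatched lists the feed
    entries that never appeared, i.e. still just information.
    """
    wanted = {(e["type"], refang(e["value"])): e for e in feed}
    hits = defaultdict(list)
    for line in telemetry:
        seen = extract(line)
        for (itype, value) in wanted:
            if value in seen.get(itype, ()):
                hits[value].append(line)
    unmatched = [e for (itype, value), e in wanted.items() if value not in hits]
    return dict(hits), unmatched


if __name__ == "__main__":
    hits, unmatched = correlate(FEED, TELEMETRY)
    for value, lines in hits.items():
        print(f"RELEVANT  {value}: {len(lines)} sighting(s)")
    for entry in unmatched:
        print(f"INFO ONLY {entry['value']} ({entry['note']})")
```

Run against the constructed data, the C2 address, the C2 domain and the dropper hash come back as relevant, each tied to the lines on which they were seen, while the scanner address stays in the unmatched pile. Only the first group is worth an analyst's time; the second is the Croydon axeman. In a real deployment the telemetry would come from a log store rather than a list, and the match would be the start of an investigation rather than the end of one.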
Let’s return to the idea that basic, general threat intelligence can be useful for a good, long time. The book simply provides information, remember. You need analysis to create threat intelligence. If you understand your business and its IT processes then you can distil threat intelligence from its pages. Of course, not every hacker is the same. Motivations and tactics vary, but ultimately you can boil down the basics to one sheet of A4, which you can find written inside the back cover of Hacking Exposed.
If you are sceptical that real black hat hackers would follow such apparently straightforward processes and use freely available tools, you might be interested in a case in which an Italian security firm was breached and its data leaked onto the internet in considerable quantities.
Hacking Team, which specialises (ironically) in providing software and services to agencies that want to breach the computers belonging to people of special interest, ought to have been a fairly hard target. However, we now know how its attacker managed to break in and steal passwords, files and access to other systems without resorting to brand new tools and techniques.
The details were published in English via the Pastebin website (http://pastebin.com/raw/0SNSvyjJ) on 15/04/2016. The document is very interesting because it gives the lowdown on how the self-professed “blackhat hacker” Phineas Fisher operated. His process will be familiar to anyone who has read Hacking Exposed or any similar guide to penetration testing.
Phineas details not only what he did but what his victims could have done to stop him. That free advice, which applies to nearly everyone, is valuable threat intelligence that is already of a good vintage and that should age well over foreseeable years.
@spgedwards
@selabsuk
www.selabs.uk
Simon is Director of SE Labs, a security consultancy company that specialises in testing security products and services using current threats. He is also Technical Director at global risk and security specialist BGS Intelligent Security Solutions. Operating as an IT journalist between 1995 and 2010, Simon worked on the UK’s biggest computer magazine titles. At Dennis Publishing these included titles such as Computer Shopper, PC Pro, Computer Active, Web User, Mac User and IT Pro. One of Simon’s areas of expertise is anti-malware testing and he was, until the end of 2015, Technical Director of Dennis Technology Labs, an independent security testing business that is part of the Dennis Publishing media company. A founder member of the Anti-Malware Testing Standards Organisation (AMTSO), Simon was chairman of the organisation’s Board of Directors between 2012 and 2015.