Don’t Be The Weakest Link — Why You Might Be An APT’s Favorite Target
- 25 March, 2019 15:00
More often than not, we simply assume that we have nothing worth stealing, so why should anyone take the time to try and hack us?
Taking a step back to look at some of the hacks that have gone on in recent years, some of the individual attacks do not appear to be of any specific value beyond the basic sellable personal information.
However, when combined with data gleaned from other breaches, they start to come into focus as a part of a larger and potentially more dangerous picture.
When a company like Marriot gets hacked and customer information is stolen, on the face of it we can see the markings of an attempt to steal personally identifiable information that can be used to commit fraud with the pilfered credit card numbers. If the criminals are playing a longer game, then they can use the stolen identity to open other kinds of accounts which can be used to garner them ill-gotten financial gains.
But what about if your attackers aren’t exactly criminals but state actors who are concerned less about financial gains — even though the North Korean’s Lazarus group has shown us that states can gin up some pretty decent coin through hacking — and more about finding out secrets or manipulating information to cause mistrust?
APTs Think Differently, And So Should You
Since the 2016 U.S. elections, you have probably heard names like Cozy or Fancy Bear being thrown around to describe the Russian groups from their military intelligence (GRU) arms.
China, Iran, Israel, and of course the Five Eyes all have dedicated and generally talented hacking units who show up to work every day, try to exploit their targets, and then go home for the evening before coming back the next day to start it all over again.
State hackers are often termed as Advanced Persistent Threat (APT) actors. These groups are just that, persistent. Without the need to make a quick buck, they can play a long game, going after a variety of targets with different methods to get what they are after. Since they have time and vast resources on their side, these hackers have the breathing space to work their way up the chain until they are able to breach their primary target or piece together enough information to satisfy their goals. So why does this matter for organizations or teams who view themselves as uninteresting to hackers?
Smart attackers rarely take the most direct approach to hacking their targets, choosing instead to find the weak links that can be more easily exploited. In the most classic example, an attacker looking to exploit a corporate target is unlikely to send a spearphishing email directly to the CEO or CFO, but instead, send it to a personal assistant or someone in the payments department who may open a malicious document and is not taking the same level of security precautions.
Once they gain a foothold on their lower level target, they can work their way laterally to try and reach higher privileged targets, or sometimes achieve their goals through their softer target who may have access to sensitive data or can authorize payments.
Far too many organizations have allowed gross negligence to go on in their security hygiene, making themselves easy pickings for skilled hackers.
Pulling Together The Pieces Of The Puzzle
Probably one of the most famous examples in recent years has been the hacking of the reportedly poorly defended Office of Personnel Management (OPM) which was announced in 2015 after the breach was discovered during a PoC being run by a security vendor. The hackers, later believed to be Chinese military units, had in 2014 broken into what is essentially the U.S. Government’s HR department and made off with 22.1 million records of present and past federal employees.
As the HR department for the Federal government, the OPM handles the vast majority of background checks for those employees seeking security clearances. According to reporting on the breach, the hackers broke into the servers that handle the Standard Form 86 background questionnaire, where there are believed to be around 18 million archived records. Before being kicked out of the OPM servers, the Chinese hackers stole digital images of fingerprints belonging to an estimated 5.6 million government workers and snooped around in the full personnel files of 4.2 million employees.
While it is difficult to know exactly what the hackers intended to do with all of their pilfered booty, it is interesting to note that the CIA and other clandestine agencies manage their own background checks due to the sensitivity of the matter. This is important because spies are commonly given the cover of being diplomats, justifying their presence in the foreign country. So what happens when the Chinese are able to look through lists of registered diplomats and match the names there against those who do not have a State Department issued background check?
Adding to the intrigue is that part of a background check includes listing foreign nationals with whom you have been in contact. This kind of information can be of great interest to the Chinese security agencies like the Ministry of State Security (MSS), their security apparatus that functions like a cross between the NSA and FBI. Mentions of meetings with Chinese nationals by American diplomats would most definitely lead to some uncomfortable conversations back home under the suspicion that they may have been recruited as intelligence assets.
In more recent news, it would appear that the same groups of Chinese hackers are likely behind the hacks of Marriot which also, surprisingly, occurred in 2014. Reportedly snatching up roughly 500 million personal details such as names, passport numbers, and probably a few credit card numbers, this dataset must have been a treasure trove for intelligence officers looking to keep track of the movements for some of the U.S. government diplomats and those using diplomatic cover, that they had picked up in the OPM and other hacks.
On their own, none of these hacks seem to amount to very much. While painful for their victims, there doesn’t appear to be much of a national security concern. However taken together, they start to form a pretty effective intelligence operation which came together through hacking relatively soft targets instead of going directly at the goldmine of the CIA itself.
Score one for the patient hacker.
How To Avoid The Next Big Hack
In the age of GDPR, we are going to hear about more and more breaches as organizations are forced under threat of hefty penalties to report. The good news is that we can learn a lot from those who have been exploited, avoiding some of their mistakes.
While we can never be totally unhackable, we can take more precautions and make sure to follow best practices.
Adhering to practices like performing regular pen testing, not using components with known vulnerabilities in your applications, using secure configurations for data stored on public clouds (we’re looking at you S3 buckets of doom) and utilizing segmentation and hashing to minimize damage in the event of a breach, are all important steps to take in making it a lot harder for even a determined hacker to capture your flag.
Of course, the best way to make sure that hackers never steal the mountains of customer data squirreled away in your servers is to not collect more than you need in the first place. When you are done using customer data, get rid of as much as possible. Your marketing department might complain, but you’ll be grateful in the event that hackers take a strong enough interest in trying to break in.
Security as a concept is done best when every actor plays their part in denying attackers a weak link to exploit. In practice, this goal is imperfect but we still need to do our part to make hackers earn their paycheck, hopefully causing them hours upon hours of unpaid overtime.