I suppose I should do a quick recap of the scenario, such as it is:
Your business operates in a gated community, where the front office is the only 'address' the internet has. The front office routes all the messages it receives in accordance with the various rules and protocols it's told to use, forwarding most messages to the fulfillment center managing customer requests and the rest to various employee residences as needed.
Each building - the front office, fulfillment center, and residence - has a robot maid (called Rosie, in honor of the Jetsons). Rosie comes in all sorts of makes and models, and you can add attachments as needed. There's danger, though... as someone familiar with the particular make, model, and/or attachment may be able to program Rosie to act in unexpected ways. She may take pictures of the files in your filing cabinet, or make copies of all your letters and send them on, or set a particular window to receive commands from another location.
I want to discuss that process a little bit further. See, malware has two separate stages. There's the method of infection (the vulnerability that allows someone to install malicious software on your computer) and then there's the payload, which is what you want the malware to do once it's there. The payload has more to do with the attacker's intent, whether it's copying files or encrypting files until you pay a ransom or turning your computer into a 'bot' that checks in periodically for further orders.
Any method of delivering malware can be used for any of those purposes, and more. Different payloads will also give off different indicators that there's malware on your computer. If Rosie is communicating with a command and control center somewhere, there may be logs of that activity and ways to detect it... though you'd have to know how to spot it. (That's part of why I want to play with an IPS/IDS. See what it logs, what sets off an alert, etc.)
But the malware has to get to Rosie first, get through the firewall to her, and she has to read it and be affected by it.
There's a bunch of different methods for doing this, and I by no means claim that I know them all. I will say one of the biggest/best methods is to get someone inside the firewall to connect to you. Phishing attacks, watering hole attacks, and the like.
Phishing attacks, at least when someone is deliberately targeting a business, are not the laughable attempts you'll find in your spam folder. They probably did their research (the video I posted earlier has some great examples of this, though it was done after they were already in the network.)
They may look you up on Facebook, or LinkedIn. May try to figure out your home address, your pets names, your children's names. They'll try to guess your passwords and user name. They may go dumpster diving for any information they can use against you.
And when they craft an e-mail, it will be practically indistinguishable from legitimate mail. If they're trying to get you to install something malicious, they'll create their malicious software and find a way of wrapping it in something legitimate. If they say it's an ssh application, they'll attach it to the e-mail and it'll open and act just like an ssh application ought to. Or they'll add a link to an e-mail, but modify the address so that it goes to the computer they're waiting to hack you with.
They can apparently also use macros, and images, and other things. It's part of why they advise you not to let your e-mail give you a preview (since doing so involves opening the e-mail) and not to let it display images.
Or they research your company, and notice that a lot of your employees go to a specific website outside the firewall (to check the news, or stock prices, or sports... or even something work-related.)
So they set up a watering hole attack, using that website to launch an attack when your employees visit it.
Or they drop some infected USB drives in a parking lot, and wait for someone to find it and plug it in.
I'm still learning all this myself, but I've heard a couple of penetration testers say that they have never failed to penetrate the defenses of their target.
Think about that for a second.
Anyways, to bring this back to my analogy... let's say that a malicious letter was somehow wrapped up in a legitimate letter. It gets to your home through one method or another, and it goes straight to Rosie (unless it's caught by an anti-virus program before she can read it). If she hasn't been updated or modified since the vulnerability was found, then the payload is delivered and she follows whatever she's instructed to do.
Once Rosie's affected, she can also be used to send messages to her neighbors, affecting them as well.
Eh... I'm not too happy with this post, I feel like it didn't quite go where I wanted it to. But it's getting late, and I've got stuff to do tomorrow. Not sure how much I'll post next week.
Your business operates in a gated community, where the front office is the only 'address' the internet has. The front office routes all the messages it receives in accordance with the various rules and protocols it's told to use, forwarding most messages to the fulfillment center managing customer requests and the rest to various employee residences as needed.
Each building - the front office, fulfillment center, and residence - has a robot maid (called Rosie, in honor of the Jetsons). Rosie comes in all sorts of makes and models, and you can add attachments as needed. There's danger, though... as someone familiar with the particular make, model, and/or attachment may be able to program Rosie to act in unexpected ways. She may take pictures of the files in your filing cabinet, or make copies of all your letters and send them on, or set a particular window to receive commands from another location.
I want to discuss that process a little bit further. See, malware has two separate stages. There's the method of infection (the vulnerability that allows someone to install malicious software on your computer) and then there's the payload, which is what you want the malware to do once it's there. The payload has more to do with the attacker's intent, whether it's copying files or encrypting files until you pay a ransom or turning your computer into a 'bot' that checks in periodically for further orders.
Any method of delivering malware can be used for any of those purposes, and more. Different payloads will also give off different indicators that there's malware on your computer. If Rosie is communicating with a command and control center somewhere, there may be logs of that activity and ways to detect it... though you'd have to know how to spot it. (That's part of why I want to play with an IPS/IDS. See what it logs, what sets off an alert, etc.)
But the malware has to get to Rosie first, get through the firewall to her, and she has to read it and be affected by it.
There's a bunch of different methods for doing this, and I by no means claim that I know them all. I will say one of the biggest/best methods is to get someone inside the firewall to connect to you. Phishing attacks, watering hole attacks, and the like.
Phishing attacks, at least when someone is deliberately targeting a business, are not the laughable attempts you'll find in your spam folder. They probably did their research (the video I posted earlier has some great examples of this, though it was done after they were already in the network.)
They may look you up on Facebook, or LinkedIn. May try to figure out your home address, your pets names, your children's names. They'll try to guess your passwords and user name. They may go dumpster diving for any information they can use against you.
And when they craft an e-mail, it will be practically indistinguishable from legitimate mail. If they're trying to get you to install something malicious, they'll create their malicious software and find a way of wrapping it in something legitimate. If they say it's an ssh application, they'll attach it to the e-mail and it'll open and act just like an ssh application ought to. Or they'll add a link to an e-mail, but modify the address so that it goes to the computer they're waiting to hack you with.
They can apparently also use macros, and images, and other things. It's part of why they advise you not to let your e-mail give you a preview (since doing so involves opening the e-mail) and not to let it display images.
Or they research your company, and notice that a lot of your employees go to a specific website outside the firewall (to check the news, or stock prices, or sports... or even something work-related.)
So they set up a watering hole attack, using that website to launch an attack when your employees visit it.
Or they drop some infected USB drives in a parking lot, and wait for someone to find it and plug it in.
I'm still learning all this myself, but I've heard a couple of penetration testers say that they have never failed to penetrate the defenses of their target.
Think about that for a second.
Anyways, to bring this back to my analogy... let's say that a malicious letter was somehow wrapped up in a legitimate letter. It gets to your home through one method or another, and it goes straight to Rosie (unless it's caught by an anti-virus program before she can read it). If she hasn't been updated or modified since the vulnerability was found, then the payload is delivered and she follows whatever she's instructed to do.
Once Rosie's affected, she can also be used to send messages to her neighbors, affecting them as well.
Eh... I'm not too happy with this post, I feel like it didn't quite go where I wanted it to. But it's getting late, and I've got stuff to do tomorrow. Not sure how much I'll post next week.
No comments:
Post a Comment