Welcome to the final day of our first Expert Week. We like to be in a constant state of learning here at UKFast, and there’s no better way to educate ourselves than spending time in the company of experts. With cybersecurity at the top of the agenda for every online business, it seems the perfect time to get up to speed with all the ways that an attack can strike.
Our final of five experts is Adam Chester. Adam is a hacker, infosec researcher and Senior Pentester at Secarma.
Here’s our chat with Adam:
The term “hacker” certainly seems to be broadening. When I was first introduced to the security scene we were still trying to decide if this was the right term to use.
Today the word “hacker” is still associated with someone who attempts to break into a computer system but has also been expanded to describe creativity.
Being a hacker is all about viewing the world in a different way, pushing the boundaries and making things act in ways they were never designed. Whether this is by exploiting a bug in software to gain remote access to a system, modifying commodity hardware to run a different operating system, or porting Doom to run on a printer’s LCD display, it is the ability to challenge a system’s design which in my mind makes a hacker.
This is a difficult question, and unfortunately, it doesn’t come with an easy answer. In my experience, malware authors rarely have a singular motive.
If we look at many of the early virus writing groups, malware was often developed as a way of expressing creativity and showing off technical expertise. Rather than causing damage, the goal of many early “VXers” was to demonstrate a technical ability, a race to be the first to execute software on the latest devices using low-level development languages and then to share their knowledge.
As time has moved on, so have motives. We increasingly make our data available and trust systems to keep our data safe, and combined with the rise in anonymous digital currency, ransomware provides people of varying experience levels with an easy and relatively anonymous way to earn money.
It’s hard to say just what motivates someone to create this type of destructive malware, but with “ransomware as a service” readily available, and malware creation toolkits lowering the barrier to entry for many, the temptation of making money in a relatively low risk and anonymous way seems too much for some to pass up on.
Unfortunately, as we often find with many types of crimes, things are rarely black and white when it comes to understanding why people do the things that they do.
So the terms “blackhat” and “whitehat” hacker have existed for a long time, often being used to describe the motive of an attacker.
The job of penetration testers and security researchers is often to emulate an attack using similar techniques to a blackhat hacker. By simulating an attack on software or infrastructure, we can show just how an attacker would go about gaining access to critical assets.
You will often find that the motivations of any hacker are similar: we all enjoy breaking into systems and finding new and unique ways to achieve this, whether this is by identifying a flaw in a web application which we can use to our advantage, or deploying rogue access points to capture and manipulate data from unwitting users.
The big difference is in the motives and aftermath. Once an assessment has concluded, our job is to help a customer to understand just how we achieved our goals, to demonstrate just what kind of impact a flaw may have, and discuss the recommended ways to mitigate any issues identified. It is by using this cycle of identifying and remediating issues that we can drive up the barrier to entry needed for a blackhat hacker to access a system.
Taking Mirai as an example, which impacted insecure IoT devices around the world by exploiting weak default credentials, we see that attempts were made to solve the problem by developing malware to intentionally knock insecure devices offline (the so-called Brickerbot).
Some may say that this is an example of “good malware”, attempting to solve an issue by removing vulnerable hosts from the Internet. However, on the other side, this directly impacts an end user who is often just caught in the crossfire. What may seem right to one group will undoubtedly be wrong in the eyes of another.
Another way to view this issue is to consider a hypothetical “good malware” which is developed to fix an issue by patching a vulnerability on as many systems as possible. Privacy and legal issues aside, the ability for any one group to build and maintain software which runs on an array of different hardware and configurations is extremely difficult. There are often too many variables to consider for this ever to be truly effective.
If we look at recent headlines, you’d certainly think that cybercriminals are very much in the lead, and you’d probably be right. Systems are inherently complex, with many moving parts and layers of abstraction. Just when you think you have a system locked down and isolated, an attacker figures out that you can exfiltrate data by blinking a hard drive LED!
During a recent trip to Defcon, I had the chance to chat to some extremely smart people who have been in the information security arena for a long time. Hearing different opinions built on years of experience, and seeing how many solutions are being developed to help consumers and businesses to protect their data, we know that an attacker’s job is becoming increasingly difficult. However, I think we are far from developing an “unhackable” solution.
While an attacker’s success is never 100% guaranteed, don’t underestimate their perseverance and creativity.
If we look at the evolving world of malware, with specialist groups such as “FancyBear” using sophisticated malware to compromise their targets, or Industroyer, a malware variant which targets industrial control systems with the aim of knocking power stations offline, we see that ransomware is in fact just one example of the many types of malware being used by attackers.
There are trojans which attempt to sneak onto systems by pretending to be legitimate software, documents with embedded macro code, worms which spread without user interaction, adware designed to generate revenue by displaying adverts, or even rootkits which attempt to hide malware by embedding themselves into the operating system – the list goes on.
Rather than attempting to keep up with the different types of emerging threats, what is important is to identify the risks associated with any type of malware, and to understand how you can best reduce their impact.
Basic security practices such as ensuring that backups are in place and tested routinely, users are educated and empowered to identify and report suspicious activity, and systems are hardened with the latest vendor patches and up to date antivirus signatures can go a long way to preventing a serious incident.