When approaching computer forensics I try to put myself in the shoes of the subject of the case; in intrusions that means thinking like the attacker. This is the inaugural post of a tag series I'll call mindset. During this series I'll try to uncover the thought process behind different types of hackers and show how understanding their individual nuances can increase your proficiency in examining intrusions.
In this post I reveal the base principle I use in examining an intrusion:
General Theory of Laziness
The theory works like this: given two solutions that meet the attacker's requirements, the attacker will use the solution that is "easiest" to implement.
Therefore, assuming the solution the attacker chose meets the attacker's objectives, expect that:
- The easiest available attack vector will be used; look at exposed services, weak or default credentials and unpatched software before hunting for anything exotic.
- Files of interest will be clustered in a relatively tight location and time frame.
- Multiple types of system events will occur within a tight time frame; for example, log file entries at the same time as binaries being modified or created on the system.
- Malicious behaviour will be obfuscated no more than the attacker's objective requires.
- Malicious binaries will reside in a system PATH location or another easily accessible directory.
- Malicious binaries will not carry a convincing version resource: the Copyright, Product, Version and other 'normal' fields shown under Right-click -> Properties will be missing or obviously fake.
- Spell checking will obviously have been overlooked, in strings, file names and messages alike.
- Full error checking is hard, so expect heavy use of Windows system libraries rather than hand-rolled code to make the attacker's life easier.
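The expectations above can be turned into a triage heuristic. The following is an added example, not code from the original post: it sorts a mixed host timeline, groups events that fall within a silence threshold of each other, scores each group by how many different event types it mixes and how many executables it dropped into a PATH directory, and adds a cheap check for whether a binary carries a VS_VERSION_INFO resource at all (the data behind the Properties tab). The timeline, the byte samples, the host names and the list of PATH directories are all constructed assumptions for illustration.

```python
"""Triage heuristics derived from the General Theory of Laziness.

Added example (not code from the original post).  It turns the
expectations above into checks over a host timeline: artifacts of one
intrusion cluster in time and mix event types, dropped binaries sit in
a PATH directory, and they lack a version resource.  The timeline, the
byte samples and the directory list are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Iterable, List, Set

# Assumption: directories a lazy attacker drops into on a typical Windows host.
PATH_DIRS = (r"c:\windows\system32", r"c:\windows", r"c:\windows\temp",
             r"c:\users\public")
EXE_EXT = (".exe", ".dll", ".bat", ".vbs", ".ps1")

# A compiled-in version resource stores its root key as UTF-16LE text.
VS_VERSION_INFO = "VS_VERSION_INFO".encode("utf-16-le")


@dataclass
class Event:
    ts: datetime
    kind: str    # "eventlog", "file_created", "service_installed", ...
    detail: str  # file path or log message


@dataclass
class Cluster:
    events: List[Event] = field(default_factory=list)

    def end(self) -> datetime:
        return self.events[-1].ts

    def kinds(self) -> Set[str]:
        return {e.kind for e in self.events}

    def path_binaries(self) -> List[Event]:
        """File events that dropped an executable into a PATH directory."""
        return [e for e in self.events
                if e.kind.startswith("file_") and in_path_dir(e.detail)]

    def score(self) -> int:
        # One point per distinct event type, one per executable dropped on PATH.
        return len(self.kinds()) + len(self.path_binaries())


def in_path_dir(path: str) -> bool:
    p = path.lower()
    return p.endswith(EXE_EXT) and any(p.startswith(d + "\\") for d in PATH_DIRS)


def has_version_info(pe_bytes: bytes) -> bool:
    """Cheap check: does the file carry a VS_VERSION_INFO resource at all?"""
    return VS_VERSION_INFO in pe_bytes


def cluster_events(events: Iterable[Event],
                   max_gap: timedelta = timedelta(minutes=5)) -> List[Cluster]:
    """Group a mixed timeline; a silence longer than max_gap starts a new cluster."""
    clusters: List[Cluster] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if clusters and e.ts - clusters[-1].end() <= max_gap:
            clusters[-1].events.append(e)
        else:
            clusters.append(Cluster([e]))
    return clusters


def rank_clusters(events: Iterable[Event],
                  max_gap: timedelta = timedelta(minutes=5)) -> List[Cluster]:
    """Most mixed, most PATH-polluting clusters first: start the exam there."""
    return sorted(cluster_events(events, max_gap), key=Cluster.score, reverse=True)


# Constructed sample timeline (not real case data).
T0 = datetime(2010, 3, 14, 2, 17, 0)
SAMPLE_TIMELINE = [
    Event(T0, "eventlog", "Security 4625: failed logon for admin from 10.0.0.5"),
    Event(T0 + timedelta(seconds=40), "eventlog", "Security 4624: logon for admin from 10.0.0.5"),
    Event(T0 + timedelta(seconds=95), "file_created", r"C:\Windows\System32\svch0st.exe"),
    Event(T0 + timedelta(seconds=97), "file_created", r"C:\Windows\System32\r.bat"),
    Event(T0 + timedelta(seconds=130), "service_installed", "svch0st"),
    Event(T0 + timedelta(hours=6), "file_created", r"C:\Users\bob\Documents\report.docx"),
    Event(T0 + timedelta(hours=6, minutes=1), "eventlog", "System 7036: Print Spooler entered the running state"),
    Event(T0 + timedelta(hours=9), "file_modified", r"C:\Program Files\Vendor\app.exe"),
]

# Constructed byte samples standing in for two executables' contents.
SAMPLE_LEGIT_PE = b"MZ" + b"\x00" * 64 + VS_VERSION_INFO + "Contoso Corp".encode("utf-16-le")
SAMPLE_DROPPED_PE = b"MZ" + b"\x00" * 64 + b"\xeb\xfe" * 8


def main() -> None:
    for c in rank_clusters(SAMPLE_TIMELINE):
        print(f"{c.events[0].ts:%H:%M:%S}-{c.end():%H:%M:%S} score={c.score()} "
              f"kinds={sorted(c.kinds())}")
        for e in c.path_binaries():
            print("   dropped on PATH:", e.detail)
    print("legit binary has version info:", has_version_info(SAMPLE_LEGIT_PE))
    print("dropped binary has version info:", has_version_info(SAMPLE_DROPPED_PE))


if __name__ == "__main__":
    main()
```

On the sample timeline the 02:17 cluster wins outright: three event types (failed then successful logon, two files dropped into System32, a new service) inside about two minutes, which is exactly the tight-knit picture the theory predicts. The version-info check is deliberately crude; it tells you the resource is absent, not that a present one is genuine, so treat a hit on it as a reason to look closer rather than a verdict.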
Case Studies
Let's look at some different examples and identify areas that highlight this theory and places where we would expect to see exceptions.
Professional Intellectual Property Thief
- Objectives: Gather one or more particular types of information from a given target, taking care not to reveal the "customer" the data will be given to, or even that proprietary information is being taken.
- Prolonged access may be necessary, so the attacker may make more of a conscious effort to hide the backdoor.
- Secretive exfiltration of data is critical, so malicious communication may be highly obfuscated or even encrypted.
Script Kiddy
- Objectives: Gain community credibility, gain competence in intruding.
- Expect to see the noisiest intrusion ever: lots of security log errors, possible service crashes, etc.
Bot-Net Intruder/Manager
- Objectives: Take control of as many systems as possible.
- Security is not a priority; mass infiltration is. Expect binaries that attempt to self-propagate, call home to their controller often and are not hidden or obfuscated well.
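A bot that calls home often and makes no effort to hide produces a near-constant interval between connections to one destination, and that regularity is something you can measure. The following is an added example, not code from the original post: it groups a connection log by (source, destination), computes the spread of the inter-connection gaps as a coefficient of variation, and reports pairs whose traffic is both frequent and machine-regular. The log, the hosts and the thresholds are constructed assumptions; real bots often add jitter, so treat the threshold as a starting point.

```python
"""Beacon spotting over a constructed connection log.

Added example, not code from the original post.  Groups connections by
(source, destination), measures how regular the inter-connection gaps
are, and reports the pairs that look scheduled.  The log and the
addresses below are constructed sample data.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Conn = Tuple[int, str, str]  # (epoch seconds, source host, destination)

BASE = 1_300_000_000
SAMPLE_CONNECTIONS: List[Conn] = (
    # infected host: check-in roughly every 60 s, eight times
    [(BASE + t, "10.0.0.12", "198.51.100.7") for t in (0, 61, 119, 180, 241, 299, 360, 420)]
    # ordinary user browsing: bursty, irregular gaps
    + [(BASE + t, "10.0.0.33", "203.0.113.80") for t in (5, 12, 200, 230, 231, 900, 1500)]
    # too few connections to judge
    + [(BASE + t, "10.0.0.40", "203.0.113.80") for t in (50, 3000, 7000)]
)


def beacon_candidates(conns, min_conns: int = 5, max_cv: float = 0.2):
    """Return (pair, mean_gap, cv, count) for pairs with regular, frequent traffic.

    cv is the coefficient of variation of the inter-connection gaps; a
    value near 0 means a machine-like schedule, which is what an
    unhidden beacon looks like.  Pairs with fewer than min_conns
    connections are skipped because a schedule cannot be judged from them.
    """
    by_pair: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for ts, src, dst in conns:
        by_pair[(src, dst)].append(ts)

    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        cv = pstdev(gaps) / mu if mu else 0.0
        if cv <= max_cv:
            hits.append((pair, round(mu, 1), round(cv, 3), len(times)))
    # most regular schedule first
    return sorted(hits, key=lambda h: h[2])


if __name__ == "__main__":
    for pair, mu, cv, n in beacon_candidates(SAMPLE_CONNECTIONS):
        print(f"{pair[0]} -> {pair[1]}: {n} connections, every {mu}s (cv={cv})")
```

On the sample data only the infected host is reported: eight connections about 60 seconds apart with a cv near 0.02, while the browsing user's gaps vary by more than their mean and the third host has too few connections to call. Raising max_cv widens the net at the cost of pulling in ordinary periodic traffic such as update checks, which is the usual trade-off with this heuristic.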
Expect to see more on these topics in the future.
Do you agree or disagree? Let me know in the comments!
1 comment:
Great post. I see the logic and recognize the pattern. My thoughts on this stray to those of a gambler. I always consider the possibility of a quick, clean kill, hoping I run into something I already know. I add this to your well-organized process to emphasize those dirty words, flexibility and thought :)