A Hacker's Eye View: Targeted Attacks - Part One

28/09/2016 11:34

The risk of a cyber-attack has become an unfortunate fact of life in today's digital world. However, while businesses of all sizes and in all sectors should certainly be aware they are under threat, just like all thieves, cyber criminals have their preferred targets and methods.

For the most part, attacks against IT infrastructure are opportunistic in nature. Attackers are looking for the weakest victims in a very broad and automated fashion. However, in some cases cyber attacks can be more advanced and target specific market verticals or even individual organisations. These types of attacks are often perpetrated by highly skilled, well-resourced groups such as organised crime outfits or even nation states. In this series of posts, I'm going to outline, with real-world examples, some of the approaches taken by advanced adversaries against large enterprise targets. To begin, I'll focus on how an attacker finds and profiles their victim.

It's important to note that there is no such thing as a typical attack, but 'hackers' and security (penetration) testers alike follow broad indicative methodologies. There have been a few attempts to standardise this approach, most notably a paper authored by Lockheed Martin about a concept called 'intrusion kill chains'; the paper can be found here. As a concept, the kill chain model has some shortcomings, but does provide useful vocabulary to describe the stages of an attack thanks to the military vernacular. I'm going to start with a look at target acquisition, before we move on to the first phase in the kill chain model - reconnaissance.

Target Acquisition

An attacker will select targets based on their own goals, skillsets and also potentially from instructions by senior operators within their organisational structure. Often, targeted attacks can start in a more opportunistic way and can link with the reconnaissance phase in a loop. Hacktivists are sometimes likely to operate in this way, creating lists of target organisations and performing swift recon on each of them to find the 'low-hanging fruit' or easy targets.

When considering nation states and better-equipped adversaries, targets will typically be decided in advance by leadership. This type of approach is more labour intensive and requires more time, and without access to vast resources it certainly limits the chance of success.

Criminal organisations often take a blended approach to acquiring targets. Targets can be grouped together by common factors, such as market vertical or geographic location. This is a similar approach to a business finding its target market and underpins how advanced and sometimes discerning 'cyber criminals' can be. From this initial phase, they will start to look for the low-hanging fruit.

When speaking to clients or giving talks, I like to use the old adage you're probably familiar with. Two men are walking in the woods, when they stumble across an angry bear (think 'The Revenant'). "Do you think you can outrun the bear?" asks one of the men, to which the other replies, "I don't have to, I just need to outrun you".

For me, this neatly sums up many aspects of being a defender, especially in the context of an enterprise.

Reconnaissance

The reconnaissance phase is an essential part of profiling a target. Attackers will often spend weeks gathering intelligence on their target before a single packet is sent. Many of the tools that are used utilise cached or stored data that has been collected by an external aggregating source, such as Shodan or even Google. This means that the attacker doesn't ever 'touch' (send packets or HTTP requests to) any of the target's infrastructure but can still gather a large amount of information about them. This type of approach is known as passive open source intelligence gathering. A smart attacker will not only gather information about their target, but also about the target's associations, business partners and third-parties they utilise.

There have been several prominent examples of businesses being compromised and having data such as credit card details stolen due to a service provider's remote access tokens being compromised by an attacker. This demonstrates that even if an organisation has a strong security posture, they can still be exposed via weak third-parties.

More 'active' reconnaissance techniques are also commonly used, with varying degrees of stealth! Port scanners are still a mainstay of the 'hacker' toolkit. Because most organisations' internet-facing estate is port scanned hundreds of times per day, a scan largely goes unnoticed (or at least undifferentiated from the background noise).
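Separating a scan from the background noise described above comes down to how many distinct ports a single source touches in a short window, rather than how many connection attempts there are. The following is an added example, not code from the original post: it assumes a simple constructed firewall log format and reports, per source address, the peak number of distinct destination ports seen inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (sample data, not from the original post): one source
# hitting many ports within seconds, one normal web client, one slow port-by-port source.
SAMPLE_LOG = """\
2016-09-28T10:00:01 DROP src=203.0.113.7 dst=198.51.100.10 dport=21 proto=tcp
2016-09-28T10:00:01 DROP src=203.0.113.7 dst=198.51.100.10 dport=22 proto=tcp
2016-09-28T10:00:02 DROP src=203.0.113.7 dst=198.51.100.10 dport=23 proto=tcp
2016-09-28T10:00:02 DROP src=203.0.113.7 dst=198.51.100.10 dport=25 proto=tcp
2016-09-28T10:00:03 DROP src=203.0.113.7 dst=198.51.100.10 dport=80 proto=tcp
2016-09-28T10:00:03 DROP src=203.0.113.7 dst=198.51.100.10 dport=443 proto=tcp
2016-09-28T10:00:04 DROP src=203.0.113.7 dst=198.51.100.10 dport=3389 proto=tcp
2016-09-28T10:00:05 ACCEPT src=192.0.2.44 dst=198.51.100.10 dport=443 proto=tcp
2016-09-28T10:00:09 ACCEPT src=192.0.2.44 dst=198.51.100.10 dport=443 proto=tcp
2016-09-28T10:00:12 ACCEPT src=192.0.2.44 dst=198.51.100.10 dport=80 proto=tcp
2016-09-28T10:01:00 DROP src=198.18.0.5 dst=198.51.100.10 dport=21 proto=tcp
2016-09-28T10:02:30 DROP src=198.18.0.5 dst=198.51.100.10 dport=22 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \w+ src=(?P<src>[\d.]+) dst=\S+ dport=(?P<port>\d+)")

def scan_suspects(lines, min_ports=6, window_s=60):
    """Return {src: most distinct destination ports seen within any
    window_s-second window} for sources that reached min_ports."""
    window = timedelta(seconds=window_s)
    by_src = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # lines that do not fit the expected format are skipped
            by_src[m["src"]].append((datetime.fromisoformat(m["ts"]), int(m["port"])))
    suspects = {}
    for src, events in by_src.items():
        events.sort()
        in_window, left, peak = defaultdict(int), 0, 0
        for ts, port in events:
            in_window[port] += 1
            # advance the left edge until every counted event lies inside the window
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_ports:
            suspects[src] = peak
    return suspects
```

Widening the window (for example to several minutes) is what catches the slow source in the sample, at the cost of more noise from legitimate clients.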

The perimeter of an organisation, its firewalls and routers, has long been the battleground on which the attacker wishes to wage war. This is the equivalent of knocking on the front door, but many organisations are still vulnerable to it.

Humans are seen as a soft target for attackers and employees will often be 'probed' during a reconnaissance phase for weakness. This can range from phoning IT helpdesks to try and convince workers to disclose sensitive information, such as passwords, to offering money or blackmailing people to become 'moles' inside the organisation. Surprisingly, this DOES happen regularly.

Once the attacker is satisfied they have enough reconnaissance information on the target, it's time for them to move on to the next phase. In my next post I'll go through how the attack begins - and crucially, how organisations can make themselves a less attractive target.