With an onslaught of cyber breaches taking place daily, companies of all sizes are now hiring ethical hackers to test their ability to withstand targeted attacks. As a lead penetration tester, it's my job to rigorously challenge the defences of some of the world's largest organisations, and I'd like to invite you to discover more about what's involved, as well as to learn about the covert tricks and techniques I use.
Ethical hacking services are increasingly being recognised as a great way for businesses to unearth security weaknesses before they can be exploited by online criminals. Organisations that adopt a proactive approach to threat identification invariably find it much easier than trying to manage the fallout of a full-blown cyber incident, which can cause huge financial losses and reputational damage.
Assessing and breaking defences
Any organisation interested in testing its defences should be aware of two main levels of confidential security assessment. In the security industry, these levels are referred to as 'Penetration testing' and 'Red Teaming'.
Penetration testing involves the use of multi-layered evaluations to compromise an organisation's networks, systems and applications. Clients provide a scope outlining the assets they'd like tested, and I figure out a way to exploit them without causing damage. The wide-ranging vulnerabilities I look for include insecure firewall and network configurations, flaws in source code and application logic, and web scripting problems. Even the smallest of vulnerabilities can be enough to provide a way in.
For clients that want to fully test the integrity of their defences, a Red Team operation is a full-scale attack simulation designed to challenge not only the capability of an organisation's technology to withstand a sophisticated and highly bespoke attack, but its people and processes as well. The fundamental aim of a Red Team engagement is to breach an organisation by any means necessary. This includes the use of modern adversarial techniques, even physical intrusion. You'd be surprised at just how easy it can be to infiltrate an office to steal data or install malicious software via a USB stick.
A Red Team exercise is executed with military precision and typically begins with detailed reconnaissance work, which involves collecting as much information about a company and its employees as possible. By building profiles of staff, I'm able to quickly identify the likeliest targets. Social media sites like Facebook and LinkedIn provide a great way of acquiring personal details and can also help to identify the type of technology a business is using, which is very useful for pinpointing weaknesses to be taken advantage of.
Unlike penetration tests, which can be carried out in just a few days, Red Team operations are conducted over a lengthier period of time, usually a number of months. A prolonged attack strategy makes a hacker's presence on a network harder to detect, enabling me to quietly monitor network activity and strike when the time is right. For the same reason, many businesses targeted by criminal hackers can be completely oblivious to their presence.
Thinking like the adversary
The attack methods I deploy vary greatly and largely depend on the organisation targeted. Social engineering tends to be one of the most effective methods of gaining a foothold on a network. This usually entails tricking victims into opening a fraudulent email designed especially for the recipient. All it takes is for one unsuspecting employee to click on a malicious link or attachment to trigger the installation of hidden malware, and I'm away!
Once one user's account has been compromised, the next step is to monitor and impersonate that user in order to attack other members of the network. This process of 'snowballing' is necessary to gain the privileges needed to explore other areas of the network and discover new assets. In some instances, I start right at the very top of the organisation and compromise the account of the CEO. It's surprising what information one can learn just by talking to a receptionist.
The widespread use of weak passwords means that social engineering efforts aren't always necessary. Using automated brute-force tools, which try thousands of common password variations, I'm able to crack user credentials in a matter of minutes.
Being wholly familiar with the latest security products and incident response procedures gives me the upper hand in knowing how to avoid detection and exploit little-known vulnerabilities. On one occasion, I managed to breach a company's defences by exploiting its two-factor authentication system, the very system designed to protect users from having their credentials stolen in the first place! This goes to show that just because a product provides security, it doesn't necessarily mean it's inherently secure in itself.
One of the more unusual routes I have taken to infiltrate a company is compromising office equipment like phones, webcams and printers. Peripherals are an easy target because they are rarely patched by IT teams. For ethical reasons, I avoid hacking into webcams and cameras used by clients; however, remote camera feeds from boardroom conference systems provide a useful way to glean highly sensitive information.
Stopping a hacker in his tracks
The methods highlighted in this article provide just a tiny glimpse into the techniques used by myself and other real-life hackers. Of course, I can't give away all the tricks of the trade!
Like any skilled hacker, given enough time and resources, I'm confident of being able to unlock the defences of any company, regardless of how secure its IT team might claim it to be. No matter how well protected an organisation thinks it is, its cyber security can always be improved.
By practising basic cyber hygiene and addressing the gaps in security highlighted by a penetration test or Red Team engagement, businesses can make life as difficult as possible for the actual bad guys. These steps, coupled with proactive detection of attacks before they cause damage, can seriously help to reduce an organisation's information security risk.