Want to defend your network? Profile the person attacking it If you want to hack someone's network then learn your target. This starts with recon. What does your target run? What information can you find out about them? Remote scanning will tell you lots about a target system ... unless their sysadmins are good and have changed all the banners to throw you off. So you learn about the …
.....it is so much fun. "How far can I get without a single malicious packet.
"However, try to pull 2TB worth of data off of that network and alarms will go off everywhere" - probably not. Maybe 10 years ago, yeah I can see that. If you do it over SSL, it will probably never be noticed. A little rate limiting + companies being too scared of their own employees to dare MITM, bye bye data.
Case in point:
- Company I work for now - "Yeah, we're gonna MITM @ the Palos", but it never gets gone.
- Previous company: "Well, we must socialize it", and it never got done (AND NO DON'T SOCIALIZE IT, JUST DO IT!!!! It's not up for a vote).
- Company before that - We don't give a shit.
- Company before that - Though the Chinese have PWNd us, we're not going to do that (and their tech is in every piece of military communication gear).
"So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself
Taken from "The Art of War" by Sun Tzu.
I believe that this is still required reading at most military colleges; it's good advice for anyone involved in security in any way.
It may be require reading but the lessons are not being heeded: From Sun Tzu to Fourth Generation War
"This is why bulk data theft is so much rarer than simple compromises to ... pump out spam ... Getting in is easy. Getting out is hard."
It could be that the "spam" isn't. Set up a batch of email accounts on gmail, outlook etc & fire up the spam bot. Rinse & repeat.
Plus the regular spammers seem to be quite good at burying URLs deep in other people's web sites. If the target is sufficiently pwned that could be an exfiltration portal. Just stuff going out of the normal webserver provided it could be made to look innocuous in the logs.
A really good hack can be months or even years in the recon stage. It probably involves building a duplicate network in your own lab at which you can make dry runs.
That would need to be a spectacular hack, because otherwise it'd be way more efficient just to get a job there and access the data legitimately before putting it to whatever nefarious use you wish.
This is why bulk data theft is so much rarer than simple compromises to mine bitcoin, pump out spam or encrypt everything and demand ransom. Getting in is easy. Getting out is hard.
Only if you don't understand what you're doing.
Compress the crap out of the data and you'd be amazed how much that 2TB shrinks. Then you have all sorts of opportunities to move it - why send it all to one place? Why not move different parts to different drop boxes (note, not dropboxes)? Take your time - make the transfers look legitimate and not constant rate, and go for a couple of MB here, a couple of MB there. It'll soon add up. And if you've already got the sysadmin & their monitoring tools beat, what's your hurry?
How much could you post to some prearrange websites "comments" sections? If you own enough of the network, can you have a legitimate transfer made beyond the firewall? companies send data to suppliers/clients all the time.
Getting data out without arousing suspicion is all about diversity of transfer mechanism, destination, rate, and the accounts used to do so, and the rest is a function of time & data volume.
I didn't say it was impossible, I said it was hard. It is the one part of criminal compromise that requires the most orthogonal thinking and the part of the operation where you are most vulnerable to detection.
I also am not about to write an article explaining how to solve the one truly hard problem in criminal data exfiltration. I leave that as an exercise for the reader.
They will give you the keys and the codes to the whole shop. They don't want to see menial people like you around so you get in off-hours. Everybody knows that all cleaners are stupid and retarded people so no-one will talk to you or check what you are doing or even suspect any threat. They only check if you skip work early, you are free to work unpaid overtime (in fact, the contract sort-of requires it because the service provider under-bid on the job).
So, go see Manpower or Adecco and You Are IN!
Passwords and logins will often be hidden about 1.5 meters from an office chair. If not, it is trivial to add a key-logger to a keyboard (cleaners use gloves and wipe things down). But of course we don't want to log in out-of-hours, that would be logged. We are just scoping the place and undermining the defences.
So, what's stopping people? Cleaning is WORK, that's what. 99.95% of the haxor wannabees want to never leave their room and be rewarded immediately. The pro's ... are not so picky.
They will give you the keys and the codes to the whole shop. They don't want to see menial people like you around so you get in off-hours. Everybody knows that all cleaners are stupid and retarded people so no-one will talk to you or check what you are doing or even suspect any threat
Ah, the Wall Street approach... Don't bank on that working with everyone though. I talk to our cleaners and coffee staff, etc, as I have more in common with them than I do most of those I work with or for. I'm certainly not alone in that.
This is oddly one of the strengths of most public sector organisations, cleaners are just part of the staff so they have friendships with people in the buildings, they know the staff, they are known.
Right up until outsourcing happens - then this problem rears it's head again.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
