
In the crosshairs: the trend towards targeted attacks

BSidesSF · 2016 · 24:30 · 24 views · Published 2016-04
About this talk
Lance Cottrell examines the shift from broad-spectrum cyberattacks to highly targeted operations, where attackers carefully select victims, conduct reconnaissance, and employ zero-day exploits to maximize impact while staying undetected. He discusses why targeted attacks are economically advantageous, presents case studies including watering-hole compromises, and proposes defensive strategies centered on containment, isolation, and resilience rather than prevention alone.
While we will never see the end of generalized mass attacks, the real damage is being done through highly targeted attacks. I will discuss why targeted attacks are so effective and economically advantageous to the attacker and why that trend is likely to continue. After considering several examples I will provide some suggestions for countermeasures against this strategy.

I'd like to remind you that you can provide feedback about the talk; there's information on your ticket and also on the schedule on the website. And I'd like to introduce the next speaker, Lance Cottrell. He'll be speaking about "In the crosshairs." Please give a warm welcome.

[Applause]

All right, let's grab that. So thanks very much for coming. My interest in targeting really comes from the last 20 years of work I've done in anonymity technologies. I founded Anonymizer.com back in '95, I built anonymous remailers, of course, you want to do something. And so I've spent a lot of time thinking about how people get recognized, how people get targeted, and what kinds of techniques they can use. We're just going to have fun with this. All right, give me just one second to get back to a screen size where I can actually see things, just turn off all the networking. All right, that'll be back in a moment.

So I want to start off with a general question. I'm sure for all of you guys it's kind of obvious, but if you get an e-card from your mother on your birthday, with a childhood picture of you on the e-card, in your email, are you going to click on that link? So I see heads shaking no, but I think for most people, if you get something that's sufficiently personal and looks sufficiently real, it's the kind of thing you're still going to engage with. You're going to click on that because it doesn't sound any alarms; it's what you're expecting to see.

And if you're going to a mainstream website... I mean, how many of us start the morning reading CNN, Forbes, or some other website to see what's going on for the day? I think most people don't feel nervous about doing that. They feel like this is a big, legitimate website, I'm not in the dark alleys of the internet, I feel pretty good about this. But of course each one of these sites has been taken over for a watering hole attack, and not just a general watering hole attack: they've actually been used for targeted watering hole attacks, which I think changes the entire equation of the threat model that you're dealing with.

Targeting: it's hard to get really good data, but it's looking like it's a significantly growing threat. There was a great study that was done where they interviewed a couple hundred companies and asked, are you concerned about targeting: not at all, somewhat concerned, concerned, or it's inevitable? In 2013, 28% of people said it was either a concern or inevitable, and in 2015, 70% of the companies interviewed said targeting was inevitable. So it's gone from "yeah, we see some targeting, it's a thing, but most of the threats we're getting are fairly broad spectrum" to really getting lasered in. This is a study of companies in England, but I think it probably generally applies: over 60% of the companies surveyed said that they had been targeted in the previous year, 40% said that was successful, 20% actually lost data in the process, and 15% suffered significant financial or reputational losses as a result. So this is a huge problem. These people are getting targeted, and the targeters are getting in; they're being effective against them.

The two main kinds of targeting we see are email and the web. With email, the reality is that, like that card from your mother, a really well-crafted phishing attack is really effective. If it's from the right person, if it actually comes from your colleague's email account because they hacked his computer first, if it's referring to real things and talking about real situations, it's very, very difficult to get people not to fall for that kind of thing. And realistically, most of us have to click to work: you will get a link that someone sends you that you in fact have to follow, because that's part of your job. (Oh, sounds just like feedback up here.) One of the things we're seeing with the email phishing attacks is a real trend towards them being phishing links rather than phishing attachments, because we've done a pretty good job of training people not to click on files when they show up in the inbox, that you shouldn't be opening bad or suspicious files. But I think people still feel more comfortable with links, and so we're seeing a lot more of them being links: you go to the link, then you get exploited.

And the browser really is the problem. Something like 68% of all malware is delivered through the browser, over 90% of undetected malware comes through the browser, and five of the most vulnerable applications, just by patch count, are all either browsers or browser plugins. (Oh God, I feel sorry for you guys, it's clearly that time of day.) They're just being patched continuously; they're enormous applications with huge amounts of capabilities. They're executing multiple programming languages: most browsers are running something like five different complete programming languages inside them. This is sort of an impossible-to-solve problem.

But why target? I think there are a couple of reasons why they want to target. The first is just success, right? If you get one of these Nigerian scams, no one's going to fall for that; you know this is some bad situation and you're going to avoid it. Whereas with targeting, you get an email that says it's from me, saying I really appreciate you being here at my talk, and I appreciate the questions that you're going to ask, because you're all going to ask me amazing questions, and here's the copy of the deck that you requested. And there you go. But of course it wouldn't be from me; it would be from the guy sitting next to you who paid attention to what your email address was. So the targeting allows you to do that social engineering, to give that warm and fuzzy feeling when the message comes in, because it's from the right person, it's got the right information, it's referencing the right kind of context, it's job-specific, it's built just for you. And so the odds of you clicking on that are going to be much, much higher.

On the web it works a little differently with the targeting. We're all pretty familiar with spear phishing, but with web-based targeting they're getting clever in different ways. The first one I want to talk about was an exploit against Forbes. Some hackers came in and they took over the Forbes quote of the day, so when you go to Forbes, boom, that thing comes up. They managed to compromise that and put in some malware, and they were using a couple of different zero-days to go after the people who visited the website. Those are valuable resources, but what they did was set it up so that it would only attack certain people that they wanted to go after. In this case it went after DoD employees and Chinese dissidents. The reports I have seen haven't been really clear about how they were doing it, but it looks like they were doing it based on IP addresses: only people matching the criteria they were going after actually suffered the attack. And so that's great, right, because now obviously Forbes has got a company who's scanning their website looking for malware, looking for attacks, making sure that there's nothing going on. But of course that bot doesn't meet the criteria; it doesn't see the attack happen. Only the people you wanted to go after see it. And then you send in your forensics team to go, "oh yeah, I got infected by this," and they check the website and they don't get the attack either. Eventually they were able to dig in and find the malware sitting there, but it allowed them to be very effective and stay active for a long time.

The next, an even more targeted attack, was an APT group that was called Dark Hotel. They did a two-phase attack. First they compromised mostly Asian hotel chains and went into the reservation systems, and they'd look for reservations by high-value targets: senior government folks, senior military, senior corporate kind of people, CEO levels. They realized when they were going to be staying at the hotel: okay, we know this guy's going to be checking in on Tuesday. They would then, and only then, exploit the Wi-Fi captive portal; they'd go in and hack it, because now they know who's showing up and what room they're staying in. Well, when you reach the captive portal, what two things does it ask you? Name and room number, right? So then they set it up to only exploit that one person: when that name and room number were entered, it would push an exploit onto the user's machine. And these guys were willing to work pretty hard for it. They were doing a fake Windows update with a signed codebase, because they had brute-forced 512-bit signing certs, and they were using those to issue properly signed updates. Then the software would sit silent for six months, and then it would exploit you and start exfilling all of your data and install the RAT and all that other good stuff. So extremely targeted, and it took a long time for these guys to trace it down, because the malware was only resident for the short period of time on the Wi-Fi that the guy was going to be in the hotel, and as soon as they ran the exploit they actually uninstalled it. And again, you send out your forensic teams and they don't see any of the effects you're looking for.

The Waterbug attack, another APT, had I think even another level of slickness in the way they managed the targeting, in that they do their watering hole as a two-phase target. When you go to the website the first time, they grab a profile of your computer: they look at what browser, what operating system, what plugins you have, what's your IP address. They do a browser fingerprint, so they capture all that identifying information from plugins and fonts and languages that allows you to uniquely identify that visitor again when they come back. And then they wouldn't do anything else. So they then get to sit at their leisure and look through all of that: what's your IP address, where are you coming from, do you have cookies, do I know who you are, can I recognize you, are you the person I want to go after, and which attacks will work on you? And then, okay, yeah, that's a guy of interest. The next time someone who was of interest visits the page, they'd get exploited with something that was almost sure to work, and it would only attack that individual person based on either the browser fingerprint or the source IP address. And again, really hard to track these people, and they're able to get in and hit their targets, because they've done the ground research. They know who they're going after, they know the operating system, they know what this is going to look like.

So we're not now talking about general watering hole attacks. This is what I've started calling the sniper at the watering hole. Because if you're sitting at the watering hole and you start shooting every antelope that walks by, two things are going to happen: one, the antelopes are going to start running because of all the shooting that's going on, and two, they're going to start noticing all the bodies piled up, right? And that's what happens with untargeted watering hole attacks: you're exploiting so many machines, so many people, you're leaving lots and lots of evidence lying around. Ideally what you want to do is sit back and wait for the white rhino to walk by, because that's the money target, and only shoot him from half a mile away, and then get out.

So the game here is to stay below the radar. The attacker wants to avoid notice, and he gets a lot of wins from that. He delays detection: because he's not hitting so many people, it's much harder to notice the attack. You don't see it; it doesn't show up on anomaly detections, because you're not getting a thousand exploited machines, you're getting three exploited machines. And of course it's a numbers game: the more machines someone tries to hit, the better the odds of you being able to recognize the attack happening with your tools. And because the odds are lower, they can now also afford to use the better tools. That's why, for example, in the Forbes attack they were willing to use a couple of zero-days, and these zero-days are costing them six figures plus to buy on the open market. They don't want to then have that burned in 24 hours. By using the targeted approach they can avoid allowing that to be detected, having the signatures created, having everyone's intrusion detection systems now aware of the techniques they're using and going after it. So by being very careful about only attacking the people you particularly want, you're able to avoid that kind of detection.

And you can also do more damage with a targeted attack because of the groundwork you can lay ahead of time. If I'm trying to exploit thousands of people and I get a thousand desktops, I have no idea who they are, where they are, what company they work for, or what resources they might have access to. Whereas if I'm going after just you, you're in the crosshairs, I'm going to work out what you have. I know why I'm going after you: you have access to some particular piece of data, you've got money, you've got some sort of resource. I know that going in, I know what I want to get, I can go directly to that, and more importantly I know what I'm going to do with it. I've already worked out how to monetize this asset that I'm going to get, or I've got a whole campaign laid out to dump all your emails on Pastebin in a certain way to do the maximum amount of reputational damage, or whatever I'm going to do with it. I can make you hurt a whole lot more as an attacker, because I've been able to plan this out in advance, because I know who I'm going after.

So are you a target? Well, obviously if you're a high-profile individual you're a target: Obama, target; the CEO of your company, target. But do you have access to valuable data? You may be a schlub, but you're a schlub with the keys to the kingdom; that certainly makes you of interest. Do you have access to exploitable data? The data might not be valuable obviously, but it may be something someone could do something with. This is one I always think about: there was an attack on PR Newswire. Everyone familiar with PR Newswire? They're a press release company: you send them your press releases and they blast them out to a whole bunch of places. What could be less valuable than a press release? It's designed to be sent to every newspaper in the country, right? Except they're embargoed. Most of the press releases, you upload it and the press release gets sent out in six hours, or in two days, or something like that. So they hacked PR Newswire, grabbed all the press releases while they were under embargo, found out which ones had interesting news that would likely move the stock price of the companies, and then had a huge cadre of people that would then trade on the stock. They made hundreds of millions of dollars using this technique, with these people all over the country, before they got a little too aggressive and finally got caught.

Access to money: obviously, people like money. Access to networks: this is the Target attack, right? If you can't get direct access to Target's network, you go after the company that does their HVAC and you get access to their network that way. So if you have access to a network which is of interest, that may make you a target. Access to people: I think if you look at the phishing attacks that really work, they're the personalized ones. So if you know the guy I want to go after, and I know you know the guy I want to go after, I may exploit you just to get access to your email account, so I can learn about him, craft the right email, and send it from your computer, because that's a huge win. And it makes it so much more difficult: you can't train someone well enough to recognize a phishing attack when it actually is from your friend's account, talking about the fishing vacation you took last week and everything else. And they go after low-hanging fruit, so if you've got weak defenses they're looking for that; that's a huge target choice.

So can we avoid targeting? Can you prevent the targeting from happening to you? On the web, yeah, you actually kind of can, and this is sort of my core expertise. You can delete your cookies, you can hide your IP address, you can scrub the persistent trackers, you can try to get rid of the supercookies, you can mask your browser fingerprint. The browser fingerprint is the tricky one, because it turns out it is basically uniquely identifying of your browser: just looking at what you've installed on it, your fonts, your plugins, and everything else, it's enough data points for most websites to uniquely identify you from everyone else. For that, my recommendation is a disposable VPN with a virtual machine. If you've got an absolutely brand new, pristine VM with a browser that you've never installed anything in, no plugins, no extra fonts, that is as generic a fingerprint as you can generate, and therefore gives the least information and identifying capability.

Email's way worse, because it's a two-way communication medium, so you actually need to give someone an address which will reach you. If you want to be anonymous, you now need to use an address which doesn't have anything to do with your identity or your job, and then be very careful about who you give that out to. This becomes basically like running in full alias: you're now in deep cover all the time, and it's hard to do business in deep cover. So the problem of avoiding targeting in email I think is somewhat intractable, but doing it for the web, dealing with these targeted "snipers at the watering hole" scenarios, that's achievable, if kind of a pain.

So what does this mean for our defensive strategy? How do we need to be thinking about it, now that we know we've got the threat? (I love this cartoon, it's an old, old, old cartoon.) What do we need to be doing differently or thinking differently? There's an old saying: you can fool some of the people all of the time, and all of the people some of the time. The fact that you can't fool all of the people all of the time really isn't relevant to the attacker. They don't care; they just need to fool some of the people all of the time. And you really can't train your way out of this; there are just enough people who click on whatever. And "just say no" is not a good choice either: you can't opt out of the internet. Like I said, you can't choose not to open the attachment from your boss just because it might contain malware, when in fact you're being told to go open this thing and do something with the document.

The other problem is that with targeted attacks, detection works worse when you need it most. Those targeted attacks are the ones that are going to do the most damage, because they've thought about it, they've targeted you, they've got all these things in place. But simultaneously, this is the time when they're comfortable using those zero-days, and the brand new exploit they built, and the tools that they haven't used anywhere else, because those are the least likely to be detected; they'll have the use of them for the longest possible time.

So, the usual clarion call for next-generation security, whatever that name may be. I think one of the keys has got to be getting towards security against unknown attacks: just knowing the exploit will happen and you will not detect it, and building systems that mean that won't kill you. You don't lose everything just because you got infected, because you clicked on something. I think that means instant, automated, and painless recovery whether or not you detect things, so just making sure you can cycle all the time. And containment and damage minimization: I think we're starting to see a lot of companies doing these sorts of tools, where the application that's going to get exploited runs inside some sort of a virtual machine; it's sandboxed away from other things, so that when that happens it doesn't get to run away and destroy the rest of your network and steal all your data. And user-resistant or user-tolerant design, just because you can't trust your users. Your users are going to click things, they're going to open links, they're going to share things, they're going to reuse passwords, they're going to do all the things that we keep telling them not to do. Ideally you want to make sure that just because someone's a human being doesn't mean that you automatically have lost your corporate security.

I really like the idea of isolation for this: isolating the application from the desktop, isolating the application from the network, making sure that when the malware attacks that application it doesn't then get to pivot and do other things. It doesn't get to go from the browser to the email, or from the browser to the file system; keep that tightly contained. And also in the network: it's really easy to write a little JavaScript that will use WebSockets to enumerate the internal network of your target without even exploiting the browser. They just look at a page and it goes and scans all the IPs on the local network. It works out what the local IP space is, scans all the IPs, and returns back information about it, and then you can go, "oh, that looks interesting, I want to go after that." So isolating both the desktop and the network I think is critical; otherwise you're just allowing them to go look around for soft underbellies.

And I'm liking virtualization a lot for this. The same way it helps with identity protection and your anonymity, it also helps with this kind of isolation. You can put the app in a box, and as soon as you're done using the app you can burn the box down. Next time you need to use the app you spin up a new VM from a reference image, and you've gotten rid of all the malware; all that's gone. It makes restores really quick and easy, and you can keep them small. One of the problems you often see is that you'll start virtualizing, but then you move to the whole desktop; you're starting to move towards the VDI solution. But now you've just sort of moved your whole problem into the cloud, and if I compromise the VDI then I get all your data. So you want to keep the box that can get compromised as small as you can, so the amount of damage they can do to the stuff in that box is minimized. If they compromise your browser, they only get the browser, and only the stuff that you've done in the browser this session; they don't get the email and the rest of the systems. And then just make sure that the rebuild process happens whether or not you detect anything. You don't want to say, "I'm going to wait until I see malware in this box to launch my restore." You want to say, okay, every time you close a tab, or every time you close the browser, or every time you finish with your email, burn it down, start again, because there might have been some malware in there and you wouldn't know, and you can't count on knowing.

I think, just from an architectural point of view, try to reduce the amount of data that's floating around. When I started Anonymizer, what we actually called the prime directive was: you will not keep data about your users' activity. If it exists, it can be stolen. If you've got logs, if you've got any kind of data at all, it can get out there. Whereas if you design the architecture from the beginning to not have that kind of information, then the hacker can't get it, or the government can't come along and do to you what they're doing to Apple and insist that you try to reverse engineer things out and give them a back door. Well, if it's not there, you don't have those kinds of leaks.

So that's all the time I've got, I think. Thanks very much, I really appreciate your time, and I have time for any questions.

[Applause]

So I'd like to thank Lance for your valuable knowledge to share with all of us, and on behalf of BSides and Fitbit we'd like to offer you a... [Music] There we go. Sure. And thank you folks for joining. I have a quick announcement, so there will
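The Forbes and Waterbug cases in the talk rely on one trick: the payload is served only to visitors who match a target profile, so a site owner's scanner, fetching once from one IP with one browser, sees a clean page. A defender can counter that by fetching the same page under several client profiles and diffing what came back. The Python below is an added example, not code from the talk or from any product it mentions; the profile names, HTML and injected script tag are constructed samples, and the volatile-value patterns are assumptions a real deployment would tune to its own site.

```python
"""Differential fetch check for profile-conditional ("cloaked") page content.

Added example. Replays one page as captured under several client profiles
and reports any profile whose content deviates from what most profiles
received, after stripping values that legitimately vary between requests.
"""
import hashlib
import re
from collections import Counter, defaultdict

# Assumed per-request noise that must not trigger an alert (tune per site).
VOLATILE_PATTERNS = [
    re.compile(r'nonce="[^"]*"'),
    re.compile(r'csrf[_-]?token"?\s*[:=]\s*"[^"]*"', re.I),
    re.compile(r'\b\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z?\b'),
    re.compile(r'<!--.*?-->', re.S),
]
SCRIPT_RE = re.compile(r'<script\b[^>]*>.*?</script>', re.S | re.I)


def normalize(html: str) -> str:
    """Remove per-request noise so genuinely equal pages hash equal."""
    text = html
    for pat in VOLATILE_PATTERNS:
        text = pat.sub('', text)
    return re.sub(r'\s+', ' ', text).strip()


def fingerprint(html: str) -> str:
    return hashlib.sha256(normalize(html).encode()).hexdigest()


def script_tags(html: str) -> set:
    """Normalized <script> tags, so a divergence can be explained."""
    return {m.group(0) for m in SCRIPT_RE.finditer(normalize(html))}


def find_profile_conditional_content(observations: dict) -> dict:
    """observations: {profile_name: html_body} for one URL.

    The baseline is the content most profiles received. Returns, for every
    profile that deviates from it, the script tags it gained or lost.
    """
    by_hash = defaultdict(list)
    for profile, body in observations.items():
        by_hash[fingerprint(body)].append(profile)
    counts = Counter({h: len(p) for h, p in by_hash.items()})
    baseline_hash = counts.most_common(1)[0][0]
    baseline_scripts = script_tags(observations[by_hash[baseline_hash][0]])
    findings = {}
    for profile, body in observations.items():
        if fingerprint(body) == baseline_hash:
            continue
        scripts = script_tags(body)
        findings[profile] = {
            "extra_scripts": sorted(scripts - baseline_scripts),
            "missing_scripts": sorted(baseline_scripts - scripts),
        }
    return findings


# Constructed sample: a clean page, plus one profile that alone receives an
# extra script tag (the "quote of the day" pattern from the talk).
BASE_PAGE = """<html><head>
<script nonce="abc123" src="/static/app.js"></script>
<!-- rendered 2016-04-01T10:00:00Z -->
</head><body><p>Quote of the day</p></body></html>"""

SAMPLE_OBSERVATIONS = {
    "scanner-bot/datacenter-ip": BASE_PAGE,
    "chrome/home-isp": BASE_PAGE.replace("abc123", "def456"),
    "firefox/corp-egress": BASE_PAGE.replace("10:00:00Z", "10:05:00Z"),
    "ie11/targeted-org-egress": BASE_PAGE.replace(
        "</head>", '<script src="//cdn.example.invalid/qotd.js"></script></head>'),
}

if __name__ == "__main__":
    for profile, diff in find_profile_conditional_content(SAMPLE_OBSERVATIONS).items():
        print(profile, diff)
```

In practice the profiles should vary both the source network (corporate egress, datacenter, residential) and the browser fingerprint, since the talk describes targeting keyed on either.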