How we breached your network

Tim MalcomVetter
Sep 3, 2018

Are you a budding security practitioner and want to demystify how breaches occur? Maybe you want to know the dark secrets that these “Red Teams” you hear about use to get initial access to their victim organizations?

Good. I wrote this for you.

(All of you “experts” can go read something else. This article is for the rest of us who want to break security failures down into their simplest forms. By the way, the “dark red team secrets” really aren’t that complex. Keep reading…)

I know of only 5 ways, count them … FIVE WAYS … that an adversary can use to gain INITIAL ACCESS to their victims (if somebody knows another way, please tell me, because I’d really like to know):

1. Exploitable vulnerabilities in internet facing services (T1190)

2. Abusing internet-facing authentication mechanisms (T1133, T1078)

3. Phishing for malware execution (T1192, T1193, T1194; phishing for credentials is really just #2 above)

4. Gaining physical access to a network and connecting a rogue device (T1200, T1091)

5. Supply Chain Attacks (T1195, T1199)

That’s it.

Now, let’s ponder how to control each.

1. Apply patches to all of your commercial and open source software as soon as they are available and ensure your custom software doesn’t have any security defects in it (e.g. the OWASP Top 10). Yes, zero days happen (a “zero day” vulnerability is a security defect that is exploited before a fix is available), and that’s why you need to monitor as well, although they are increasingly rare (which is a good thing).

2. Change/remove all default credentials from software installs and use strong, multi-factor authentication systems, and monitor for any signs of abuse. Single factor systems WILL be abused. Multi-factor will still face real-time man-in-the-middle phishing attacks, except perhaps FIDO U2F which looks promising for reducing the attack surface tremendously. You cannot prevent all attacks, so monitor as well.
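As an added example (not code from the article), here is one way to act on “monitor for any signs of abuse” for vector #2: a small Python check run over constructed login records that flags a source failing against many distinct accounts (password spraying), a source with many failures overall (brute force), and a success that follows a run of failures from the same source. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample login records (not from the article); syslog-like
# format with timestamp, result, user and source address.
SAMPLE_LOG = """\
2018-09-03T10:00:01 FAIL user=alice src=203.0.113.7
2018-09-03T10:00:02 FAIL user=bob src=203.0.113.7
2018-09-03T10:00:03 FAIL user=carol src=203.0.113.7
2018-09-03T10:00:04 FAIL user=dave src=203.0.113.7
2018-09-03T10:00:05 FAIL user=erin src=203.0.113.7
2018-09-03T10:00:06 OK user=erin src=203.0.113.7
2018-09-03T10:01:00 FAIL user=alice src=198.51.100.9
2018-09-03T10:01:05 OK user=alice src=198.51.100.9
"""

LINE_RE = re.compile(r"^\S+ (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)")

def parse(log_text):
    """Yield (result, user, src) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("src")

def find_auth_abuse(log_text, spray_users=4, brute_fails=10, min_fails=3):
    """Return {src: [alert, ...]} for sources showing signs of abuse:
    many distinct accounts failing from one source (password spraying),
    many failures overall (brute force), or a success that follows at
    least min_fails failures from the same source. Thresholds are assumed."""
    failed_users, fail_count = defaultdict(set), defaultdict(int)
    ok_after_fail = defaultdict(set)
    for result, user, src in parse(log_text):
        if result == "FAIL":
            failed_users[src].add(user)
            fail_count[src] += 1
        elif fail_count[src] >= min_fails:
            ok_after_fail[src].add(user)
    alerts = defaultdict(list)
    for src in fail_count:
        if len(failed_users[src]) >= spray_users:
            alerts[src].append(f"spray: {len(failed_users[src])} accounts, {fail_count[src]} failures")
        if fail_count[src] >= brute_fails:
            alerts[src].append(f"brute: {fail_count[src]} failures")
        for user in sorted(ok_after_fail[src]):
            alerts[src].append(f"success_after_failures: {user}")
    return dict(alerts)  # a single typo (one failure, then success) is not flagged

if __name__ == "__main__":
    print(find_auth_abuse(SAMPLE_LOG))
```

Note that 198.51.100.9 (one failed attempt followed by a success) produces no alert, while 203.0.113.7 trips both the spraying rule and the success-after-failures rule even though it never reaches the brute-force threshold.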

3. Monitor for and block malware in ALL inbound communication channels, which could mean email, but could also mean instant messaging, customer-facing chat systems, forums, etc. Any input vector may be an attack vector. Don’t forget your users clicking on stupid content. You won’t block it all and attackers smartly know to vary between attachments and links to malware. Do not rely on Anti-Malware solutions on endpoint devices alone. Fight the good fight, so monitor as well.

4. Do not rely on physical security controls/policies alone. Implement controls to prevent and detect rogue devices. By the way, a malicious insider on your network has already bypassed your physical security perimeter, so monitor as well.

5. Supply Chain Attacks are where an attacker gets access to the software deployment pipeline of a vendor product or open source tool to introduce backdoor functionality into all consumers of that product. However, these are rare compared to the other vectors. Your response should be similar to #1 and #3, since it’s effectively malware that slips through the cracks and you may be required to patch or remove the vulnerable component. Also, don’t forget you still need to monitor your space.

These are obviously over-simplified examples of controls, but the concepts really are this simple. There are only FIVE types of attacks. A security program not considering ALL FIVE is lacking and will probably result in incidents. I also cannot overstate: MONITOR your environment. Prevention controls will never be perfect. A good security program prevents as much as it can, but what it cannot prevent, it detects and responds to as quickly and effectively as possible.

Here’s your homework assignment: Do you have controls for ALL FIVE in your environments?

P.S. Did you notice the T1234 numbers in each above? Those are the MITRE ATT&CK technique IDs.

Written by Tim MalcomVetter, Red Team Leader at Fortune 1. I left my clever profile in my other social network: https://www.linkedin.com/in/malcomvetter
