Chapter 1
Hacking a Business Case

If you're communicating with a business owner, chief executive officer (CEO), chief information security officer (CISO), or just someone who needs to make a case to upper management on why hacking is beneficial to companies, then this chapter is for you. The chapter is not packed with practical hacking exercises like the remaining chapters are; rather, it focuses on the reasons why companies need hackers. We explain why we believe that the best route to improving an organization's cybersecurity is for you, your team, and your employer to adopt a purple team mentality and begin thinking like malicious hackers. The purple team way of thinking is the amalgamation of traditional blue and red teams: the defenders and the attackers.


If you know the enemy and know yourself, you need not fear the results of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

Sun Tzu, The Art of War


To be a CISO is to lead an army. To be effective, that army needs to know itself and know its enemy. In other words, you need a team trained to think like hackers. You need a team that proactively works to identify all the ways that the enemy could attack and then build stronger infrastructures—from patching software vulnerabilities to creating security policies and cultures. Businesses need hackers, and that is the subject and focus of this chapter.

All Computers Are Broken


At Hacker House, we have a saying: “All computers are broken.” A hacker does not “break” a computer, network, or software; rather, the computer was already broken to begin with, and the hacker shows you just how broken it is. Modern-day computing is built on a foundation of trust and naivety that predates modern commerce. Security simply wasn't there by design in the beginning, and (almost) everything since then had to be built on this unstable base.

Being accountable for the security of information within any organization today is a bold task. That job typically resides with an organization's CISO. The CISO is responsible for ensuring that an organization's IT infrastructure and data (including digital and nondigital data, such as paper records) are adequately protected from disaster, whether it be a system failure, natural phenomena, or malicious cyberattack. In smaller organizations, the official job title of CISO may not exist, in which case the business owner or CEO will probably take on this role. It is a huge responsibility to keep company assets safe from the relentless, invisible, and ubiquitous attacks that constitute cybercrime. If something goes wrong (which sadly it so often does), it can go badly wrong. A data breach can result in grave financial and reputational losses for businesses, and CISOs can lose their career or business—all from the click of a mouse and a few keystrokes of a tech-savvy attacker.

CISOs practice information security, often shortened to infosec, a term that is also used to describe an entire industry sector. Infosec means protecting data and preventing unauthorized entities from accessing computer systems. Infosec involves balancing the usability of computer systems and their software with security. A completely secure system, if such a thing could exist, would likely be totally unusable for most businesses and users. For example, imagine a computer unplugged from the Internet, locked in a vault, and buried beneath the surface of the earth inside a Faraday cage to prevent any external interaction.

Since organizations must open themselves up and allow the public (and employees) to connect to their services, a completely secure system isn't a possibility except for extreme edge cases. Let's look at a few of the challenges that a CISO may face.

In 2019, there were many high-profile cases of large organizations getting hacked.

  • WhatsApp, an instant messaging application, was found to be vulnerable to an attack that allowed an attacker to take control of a victim's smartphone, sidestepping the protection of WhatsApp's end-to-end encryption. That encryption lets users send private messages to one another and is WhatsApp's greatest selling point; compromising the endpoint makes it irrelevant, because the messages are read after they have been decrypted on the device.
  • Security company Trend Micro had customer records stolen by its own employee. Those records were used to make scam calls to customers to defraud them. This case highlights the importance of internal security controls and not just the protection of public-facing services.
  • Credit card provider Capital One had the personal details of more than 100 million customers stolen by a malicious hacker who exploited a misconfigured web application firewall, a technology designed to protect websites from attack! The firewall host was coaxed into relaying requests on the attacker's behalf, which yielded cloud credentials that could read the company's data storage. The stolen records consisted of names, physical addresses, Social Security numbers, and bank account details. After the news hit in July 2019, Capital One projected attack-related costs of up to $150 million.
  • In December 2019, UK company Travelex hit the headlines when it was affected by a ransomware attack. In a ransomware attack, attackers encrypt a victim's data (and, increasingly, also steal a copy of it) and demand a ransom for the decryption key or for not publishing the stolen data. The ransom in this case was $6 million, although it appears that Travelex was able to recover its data without paying the criminals. This cannot be said of all organizations and individuals that have been affected by ransomware, and recovery without paying is only realistic when tested, offline backups exist.

These are just a tiny fraction of the breaches that take place all the time. If you think the frequency and impact of these hacks is scary, then consider that this situation is only projected to become worse. The number of potential vulnerabilities within companies and the volume of data, as well as our legal and moral responsibilities to that data, are all increasing rapidly.

Moreover, these threats are increasing much faster than traditional infosec's ability to handle them, with its reliance on expensive external penetration testers, that is, those with specialized skills designed to find and report an organization's computer security vulnerabilities. Consequently, CISOs find themselves in an almost impossible position: trying to protect more with diminishing resources. Something has to change.

Thankfully, it has. You're about to discover how purple teaming—the act of developing highly skilled internal security teams and strong corporate security cultures—is not only possible but also practical, simple, and cost-effective.

Purple teaming is the modern and efficient approach to corporate cybersecurity, and it is desperately needed in every business, whether small corporate outfits or multinational conglomerates. To put it another way, purple teams are essential for every company as they provide you with insight to how attackers operate and guidance on how to prevent attacks from succeeding.

The Stakes

Before we dive in to find out what purple teaming is and how it works, let's take a closer look at the hazardous context in which most CISOs and businesses currently operate.

What's Stolen and Why It's Valuable

Data is valuable. Data can be used to manipulate perceptions, transfer exorbitant amounts of money, win elections, take down competitors, get executives hired or fired, hold people and assets hostage, perhaps even start wars … the list goes on and on. To put it briefly, data is the new wealth generation for businesses. It's a big business.

Unfortunately, many companies (except the CIOs and CISOs in them, of course) do not realize the value of their data. “Why would anyone want to steal our photos or the login details used by receptionists?” Does this sound familiar? A better question to ask today is, “Why wouldn't they want to steal this data?” It really is best not to presume which data is or isn't valuable—it all is to an attacker. Malicious hackers value data because it can easily be traded on the black market for a quick buck if need be. Often, that's the only motivation an individual or group needs to steal data.

Data is defined as information in raw format that can be manipulated into usable information. Data is everywhere: payroll, sales figures, bank and credit card details, personal identification, emails, analytics, passwords, surveillance, statistics, government files, medical records, scientific reports, legal documents, subscription information, competitor websites, financial records … the list goes on, and on, and on. Of course, the “smarter” we get (smartphones, smartwatches, virtual assistants, smart plugs, smart thermostats, smart refrigerators, video doorbells, electric cars, smart door locks … again, it's a long list), the more data there is, or rather, the more unsecured data there is.

The Internet of Vulnerable Things

Unfortunately, as smart as devices have become, when it comes to security, the majority are not smart at all. Whether it's because manufacturers are unaware of or overwhelmed by the risks, or simply because they choose to ignore them (security investment impacts profit margins after all), millions of smart devices are being churned out every year absent of effective built-in security. These devices—billions of them—are used in homes and businesses every single day, and most of them put our valuable data at risk.

The reality, which CISOs know all too well, is that we do not have an Internet of Things (IoT)—we have an “Internet of Vulnerable Things.” CISOs now have to think twice before agreeing to the installation of smart thermostats throughout the company's property portfolio or whether board members should be wearing smartwatches (and that's if anyone even thinks to run those decisions by them first).

To top it off, companies are becoming increasingly accountable in a legal sense for the data that they hold and process (and rightfully so). For example, the European Union's General Data Protection Regulation (GDPR) legislation means that companies need to implement the same level of protection for data, such as an individual's IP address or cookie data, as they do for names and addresses. Some of the key privacy and data protection requirements of GDPR include obtaining consent from subjects for data processing, anonymizing collected data to protect privacy, providing data breach notifications, safely handling the transfer of data across borders, and requiring certain companies to appoint a data protection officer to oversee GDPR compliance.

Blue, Red, and Purple Teams


Traditional infosec is based on the premise of blue teaming and red teaming (although not all companies have, or necessarily require, either in their strictest form). For the sake of clarity, let's quickly summarize what that looks like.

Blue Teams

Blue teams are the “white-hat” defenders—those who work on a systems-oriented approach, performing analyses of information systems to ensure security, identify security flaws, verify the effectiveness of security measures, and make sure that all security measures continue to be effective after implementation. Blue team members typically comprise IT help-desk staff, system patchers, backup and restore staff, basic security tool managers, and so on. Data centers of larger companies may hire network administrators to watch over their network and to respond after intrusions. Ideally, a blue team will be able to see whether an attack is taking place and take steps to mitigate the attack before any real damage is done.

Red Teams

When it comes to more in-depth security, most CISOs have had little choice but to bring in red teams, which are independent groups of professionals who challenge an organization to improve its effectiveness by assuming the role of adversary (attacker). Red teams use the same tools and techniques that real, malicious hackers use. Attack campaigns can last several weeks to months. There will usually be a specific objective of the operation, such as the “theft” of valuable data from the company. At the end of the engagement, the red team should work with their client's blue team to address the issues found and suggest remedial action.

Red teams should not be confused with penetration testers. A penetration tester performs a security assessment of an organization's computer network and is the subject of this book. This security assessment will typically last several days. At the end, a report is issued that points out security flaws and vulnerabilities. A penetration tester will often work alone and is not expected to perform the same in-depth attack as a red team would. That being said, penetration testers should adopt the same kinds of methods used by a traditional red team and use the same techniques that malicious hackers would use.

Large private businesses (especially those heavily invested as government/defense contractors, such as IBM and SAIC) and U.S. government agencies (such as the CIA) have long used red teams. Smaller organizations will use a penetration tester, often on an annual basis, to give them an indication of their security posture.

Once the engagement is over, it's up to the organization's blue team or other skilled external consultants to take action on the suggestions of the red team or those specified in the penetration tester's report. At this point, some problems may arise. Once upon a time, this disjointed approach to infosec may have been OK, getting the job done to a functioning degree. Now, however, it rarely succeeds.

One of the biggest problems involves taking action on the red team's recommendations or a penetration tester's reports. This step often isn't completed (or even started) due to the reasons described next, and thus the reports may then become little more than a box-checking exercise to appease shareholders. The reasons why this may be the case include the following:

  • Inadequate training: Blue teams often don't know how to act upon the reports due to a lack of skills outside of common tasks such as reconfiguring firewalls, updating software, and changing passwords.
  • Lack of resources: Many corporations say that their cybersecurity teams are understaffed, and since a huge amount of the budget is spent on penetration testing, there is often little scope for bringing in more resources.
  • Limited time: It is difficult for companies to redirect staff resources to go through long technical reports and patch vulnerabilities, especially when blue teams are often fighting fires on several fronts.
  • Lack of incentives: It can be challenging for CISOs to motivate staff to go through a lengthy penetration test report, created by someone else (who was likely paid significantly more money), and patch vulnerabilities.

Sometimes, when red teams or penetration testers (whether internal or external) point out flaws, blue team members get defensive; finger-pointing, animosity, and internal chaos ensue. Subsequently, CISOs may find themselves dealing with HR issues as much as they do technology.

Fundamentally, the gap between traditional blue and red teams, attackers and defenders, is too wide. CISOs need people on board who understand the tactics, techniques, and procedures used by cyber-enabled attackers and how to build better defenses against them. CISOs need an internal team that is able to dig out potential problems and patch them proactively, whether that's a case of updating the operating system on workstations or catching wind of an idea to install Internet-connected thermostats throughout the company's buildings and be able to assess whether that would, or wouldn't, be a good idea.

Purple Teams

When considering the security of their data and computer systems, a small business owner may be thinking something along these lines:

Both of these scenarios are possible by adopting the purple team mentality.

Purple teaming is the simple and obvious solution to the explosive growth in breaches and data loss. In purple teaming, a team of experts takes on the role of both the red team and the blue team with the intention of anticipating attacks and addressing vulnerabilities and weaknesses before they can be exploited by malicious third parties. Purple teams are responsible for a company's overall security posture. They are proactively engaged with understanding and evaluating risk through technical simulations. They know what a company's digital assets (the true value of every organization) are, where they are stored, and how to protect them by building better networks and systems.

This approach enables traditional blue team IT staff to understand how underlying vulnerabilities are exploited by hackers (and/or red teams). Purple teams are better trained to “turn on the human firewall” by being better educated in the common methods of social engineering used by cybercriminals and malicious insiders, such as phishing, a technique whereby emails are sent to employees to have them click a malicious link. There are many variations of this type of attack, but all social engineering attacks rely on first exploiting the human factor rather than the computer system itself.

The best way to close the skills gap for any red or blue team is to merge them into a single purple team where all members gain the necessary skills and understanding in information technology (IT), software development lifecycles, social engineering, penetration testing, vulnerability management, patching, system configuration, and hardening to standards such as the Security Technical Implementation Guides (STIGs) published by the U.S. Defense Information Systems Agency (DISA) and indexed in the NIST National Checklist Program. A purple team is always in "ready-to-be-breached" business mode.

This is absolutely necessary. If we are to implement truly effective security practices, companies must empower their own people to understand cybersecurity risks. It's as simple as that. This shift toward making security an operational core of the business means that CISOs are no longer looking—and spending—outside of the company.

With a purple team in place, there is no longer any need to pay external consultants to run a prolonged penetration exercise against a company's infrastructure, which could cost tens to hundreds of thousands of dollars. Companies can get the same results from their purple team, while not having to ask the chief financial officer (CFO) for funding. There will no longer be delays waiting for reports that may or may not be understood and implemented anyway. There will no longer be clocks ticking on the careers of CISOs. Instead, time, money, and energy are focused on innovation and growth.

For a purple team to work, everyone needs to have an understanding—a practical understanding—of what malicious hackers can do to a network. Everyone also needs to have an understanding of how internal systems—the hardware, operating systems, off-the shelf software, and bespoke software—work and how they can be fixed and patched to mitigate risks. We are not saying that the whole team must be experts in all of these areas, but they must know enough about each other team member's areas of expertise to be able to work together effectively and to empathize with one another.

Hacking is Part of Your Company's Immune System


To make the shift into effective infosec, you have to rethink the way that you approach security. This starts by throwing out all of the fear-based brainwashing that society has told us about hacking—the guys in hoodies, dark basements, and criminality. Here's why this is critical: the real answer to effective cybersecurity is for corporations to learn how to be hackers—that is, to be able to do what the hackers do.

It makes sense. To build great defenses, you need to know what's coming at you. No one would go to war without doing recon on their adversaries, analyzing their own weaknesses, and then putting measures in place to strengthen them. However, this is what companies do all the time—they fail to look carefully at their own weaknesses. For organizations to become more resilient to cyberattack, they have to think like hackers, period.

One way that we often approach this subject is to ask clients and students, “Have you ever broken into your own home?” Of course, most have (usually they've lost their keys and had to climb in through the bathroom window at least once). It is a great way to illustrate the necessity of thinking like a hacker—you've tried to break into your own home, so why have you not tried to break into your own digital systems? You might start by mapping out the assets you own, thinking about potential points of entry, visualizing where and when people are in it, and so on.

We can think of companies in the same way. After all, this is how attackers think. The benefit of taking things apart and breaking things down to the component level is that we can then reverse-engineer effective security solutions and implement attacks that help us better understand how to protect our assets.

Therefore, you are now invited to replace your old ideas about hacking with this one: Hackers are persistent, stealthy, targeted, and data driven. Hacking is the pursuit of knowledge.

To make companies more secure, we need to establish new cybersecurity habits throughout the organization. This is essential because many small and medium-sized enterprises do not survive a serious cybersecurity attack, whether the root cause is a failure to encrypt data, to apply updates, to prohibit shared credentials, to train employees not to click on suspicious links, and so on. In other words, employees are one of the biggest areas of vulnerability inside organizations.

Employee errors are often the result of not following procedure, lacking expertise, and interacting with web applications and websites every day. It follows, then, that an empowered security posture relies heavily on everyone within an organization being educated and committed to security. Research from Protiviti's 2017 Security and Privacy Best Security Practices report (www.protiviti.com/US-en/insights/it-security-survey) confirms this. It details the top four key findings as follows:

  • Having an engaged board and security policies. (This makes a huge difference.)
  • Enhancing data classification and management (data mapping and understanding where all your assets are located).
  • Security effectiveness hinges on policies as well as people.
  • Vendor risk management must mature.

These practices may have been extremely difficult to implement in the past. With purple teaming, however, they are achievable because with skilled and engaged internal purple teams, CISOs have the human and intellectual resources required to create and deploy effective security policies and cultures throughout a company.

Purple teams are better able to minimize human error throughout the company by proactively setting and communicating security policies, ensuring that employees are aware and engaged with the security practice. They can help to ensure that everyone in the company, from the reception staff to the CEO, knows how to implement security process, from understanding social engineering and phishing to alertness over suspicious links. This way, the entire company becomes an extension of the purple team.

Practically speaking, policies may include data protection plans (appointing a data protection officer is an essential part of that), incident response procedures (so that everyone knows, and is trained on, what to do if there is a breach), baseline controls such as regular tested backups and automatic updates, and user awareness.

Getting the board to commit is also easier once security becomes part of the company culture. In fact, high board engagement in information security is a significant factor in creating that culture. Again, we can refer to Protiviti's IT security survey, which shows that high board engagement results in management having a far better understanding of the company's “crown jewels” (data), better data classification policies, and better communication with employees about what exactly a company's data is and how to treat it.

But how do you get the board engaged? First, you shouldn't use scare tactics. What you really need to do is get people to feel good about and value their data. A suggestion for helping this to happen is to adapt the language that we use around infosec. For example, boards are happy, familiar with, and expect to discuss financial risk, market risk, liquidity risk, and so on. So, let's put cybersecurity in their language, renaming it as data risk or informational risk. (When this happens, the message tends to hit home.) You also need to find ways of making data-risk reports less technical so that everyone can understand the content. This is important, as 54 percent of boards say that cybersecurity reports are too technical (Bay Dynamics Osterman Research, 2016).1

Summary


All computers are broken. There is no such thing as a completely secure system. Organizations large and small are attacked on a regular basis, often resulting in the theft of huge chunks of customer data. The situation does not appear to be improving, and with a steady influx of new (often Internet-connected) devices and software applications, an understanding of information security is more important than ever.

To protect our data, we need to understand its value and proactively work to prevent its theft or extortion. Combining the expertise of attackers and defenders, understanding the approaches used by bad actors, and promoting a better security culture are ways in which we can protect ourselves, our organizations, and our data.

Whether you are working alone for a client or within a team that has adopted, or is currently adopting, the purple team mentality, you will find the contents of this book invaluable. Perhaps you are just starting out in infosec, or perhaps you are a seasoned IT professional seeking to bolster your skillset. This book was written for you.

We will examine the facets of a typical organization's infrastructure—the technologies that almost all of us rely on today—that are often misunderstood when it comes to security. First, we'll cover some important legal and ethical considerations in Chapter 2, “Hacking Ethically and Legally.” Then, in Chapter 3, “Building Your Hack Box,” we provide technical demonstrations that show you how to configure your own system for ethical hacking or penetration testing. In the following chapters, we cover numerous hacking techniques, examine high-profile vulnerabilities, and explain important hacking tools. In the penultimate chapter, we take a look at passwords and how they can be extracted from files that you've recovered during your adventures. Finally, we'll show you how to put your findings into a report that can be given to a client or senior staff member, explaining the issues you've found and how to address them.

Notes


  1. See www.hackerhousebook.com/.docs/how-board-of-directors-feel-about-cyber-security-reports-1.pdf.