Think like a Hacker, a Defense Strategy
by Katherine A. Nielander, CISSP, CISM, CEH, CNDA, CSIS, CSIE, CIAS Cybersecurity Instructor
Hundreds of people hoping to pivot into the cybersecurity industry often ask me what trait would most help an IT security professional excel. I always answer, “Think like a Hacker.” In less cryptic terms, I mean that a good defense requires that IT security professionals think like an attacker to defend their organizations tactically and preemptively. In general, security professionals need to develop “oblique thinking,” enabling an adversarial mindset that focuses on identifying assumptions and determining if and how these assumptions can be violated.
Hacking is all about exploiting vulnerabilities. Let us start with our most significant and most-valuable organizational asset, the human being. We are all aware that human beings can be easily manipulated using a hacker technique aptly named “social engineering.” As everyone in an organization is responsible for security, the current defense against “social engineering” has been “user awareness training.” However, before we get to the training, we must consider how the training is implemented, supported and delivered.
Policy dictates there is training, but as policymakers, do we consider the need for that ongoing, level-appropriate training? Do we think about the types of internal and external threats, and does the awareness training address the more common threats? Do we consider how the policy will be enforced administratively, technically, logically and even physically?
Most people in an organization can develop the mentality of “oblique thinking.” This mentality lets us better “Think like a hacker” by applying the five phases of hacking to our own environment. Knowing the tools and methods attackers use helps us apply appropriate levels of defense in depth to deter or defend our organizations before cyber incidents occur.
Recently, I was asked to develop a cyber training presentation. It was suggested that I compare the most common tools used by hackers with the most appropriate defensive tools. After hours of research, reaching out to peers and testing theories, I determined that there is no one-to-one comparison of tools, but rather the application of a blend of administrative, technical, logical and physical controls across multiple spectrums. I have found that individuals within our industry still clash on best practices, so this will be a 10,000 ft overview of the tools of the trade. First, we must consider the five phases of hacking: reconnaissance, scanning, gaining access, maintaining access and covering tracks. This reading will focus on the first three: (1) reconnaissance, (2) scanning and (3) gaining access.
Reconnaissance is the phase where the attacker collects as much information as they can about the target. These searches may include identifying the target and finding data such as the target’s IP address ranges, network, DNS records, etc. In this stage, attackers commonly use Archive.org, Netcraft.com, ARIN’s Whois function and nslookup (or its modern equivalent, dig). While many tools can help defend our organizations from such queries, most of us understand that common sense and good judgment are likely our best defensive options during this phase. To combat everyday disclosures from public sources, publish precisely what your organization wants to publish and nothing more; be careful of what your website reveals. Registry data cannot be hidden entirely, but you can limit what it gives away: use a registrar’s privacy or proxy service for domain registrations, and list role-based contacts (a shared abuse or NOC mailbox) rather than named individuals in domain and ARIN records. To limit the effectiveness of nslookup and dig, configure name servers to refuse DNS zone transfers (AXFR) from anything other than your own secondary servers; a quick check is to run dig axfr for your domain against each of your name servers from an untrusted host, which should fail. Configure web servers to prevent indexing of directories without index files, and avoid keeping sensitive files and documents on publicly accessible hosts such as anonymous FTP or web servers. Our whole purpose in this stage is to minimise what the attacker can learn about the target, and we must map out and implement every defensive effort.
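As an added example, not from the original article, here are the two server settings named above with the permissive setting beside the corrected one: zone transfers in BIND and directory listing in nginx. The zone name, file paths, secondary address and TSIG secret are placeholders, and the key material shown is a dummy value to be replaced with the output of tsig-keygen.

```conf
# ---- BIND named.conf: zone transfers ----
# Weak: any host on the internet can pull the entire zone with
#   dig axfr example.com @ns1.example.com
zone "example.com" {
    type primary;
    file "/var/named/example.com.zone";
    allow-transfer { any; };
};

# Corrected: only the listed secondary (placeholder address 192.0.2.53) may
# transfer, and the transfer must be signed with a TSIG key, so a spoofed
# source address alone is not enough. The secret below is a dummy value;
# generate a real one with:  tsig-keygen xfer-key
key "xfer-key" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};
zone "example.com" {
    type primary;
    file "/var/named/example.com.zone";
    allow-transfer { key "xfer-key"; 192.0.2.53; };
};

# ---- nginx: directory listing ----
# Weak: every directory without an index file becomes a browsable file list.
#   autoindex on;
# Corrected (this is nginx's default, but state it explicitly so a later
# include cannot silently turn it on):
server {
    listen 80;
    server_name www.example.com;
    root /var/www/html;
    autoindex off;
}
# Apache equivalent inside the <Directory> block:  Options -Indexes
```

After reloading BIND, dig axfr example.com @ns1.example.com from a host that is not the secondary should print "; Transfer failed." rather than the zone contents; run the same check against every authoritative server, since a single forgotten secondary undoes the setting on the primary.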
The scanning phase helps the attacker determine specific information about the computers and other devices connected to the organization’s targeted network. Scanning can be considered a logical extension (and overlap) of active reconnaissance that helps attackers identify specific vulnerabilities. This phase uses tools such as war dialers, port scanners, network mappers, ping sweepers and vulnerability scanners. These tools allow attackers to map networks and find weaknesses. A few of the most common attacker tools used in this phase are Nmap, Scapy, hping3, Telnet (for banner grabbing), Nessus and Metasploit, among others. This phase is quite extensive in its efforts, and the defense mechanisms should be just as comprehensive. Using the same tools as a hacker, identify your own architecture, systems, services and protocols, and keep that inventory as a baseline so that a new listening service stands out. Test, and test often, for network, system and human vulnerabilities using a variety of scanners, research and training, and tie everything back to governance, risk and compliance frameworks. Ultimately, you need to know and understand your system better than any intruder.
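The following is an added example written for this article, not code from the original page or from any of the tools it names. It shows the technique behind the simplest port scan (a TCP connect scan, the same thing Nmap’s -sT option does) and then the defensive step the paragraph describes: comparing what is actually reachable against the baseline of services you expect. To run offline it starts its own listener on 127.0.0.1 and uses a constructed baseline; the host, ports and service description are therefore assumptions for the demo.

```python
"""Added example: TCP connect scan + comparison against an expected-services baseline."""
import socket
from concurrent.futures import ThreadPoolExecutor


def tcp_connect_scan(host, ports, timeout=0.5, workers=32):
    """Return the sorted list of ports on host that accept a TCP connection.

    A full three-way handshake is completed for each port (that is what makes
    this a connect scan rather than a SYN scan). It needs no raw sockets and no
    root, but for the same reason it is exactly what connection logging and a
    host-based IDS on the target will see.
    """
    def probe(port):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return port
        except OSError:          # refused, timed out, unreachable, ...
            return None

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(p for p in pool.map(probe, ports) if p is not None)


def unexpected_services(open_ports, expected):
    """Open ports that are absent from the baseline of expected services.

    expected maps port -> description; anything open and not in it is a finding
    (forgotten test service, unauthorised software, attacker backdoor).
    """
    return sorted(set(open_ports) - set(expected))


def start_listener(host="127.0.0.1"):
    """Constructed target: a socket listening on an OS-chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def reserve_closed_port(host="127.0.0.1"):
    """Ask the OS for a free port and release it so it is closed when scanned."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def run_demo():
    """Scan one open and one closed port, then diff against two baselines."""
    srv, open_port = start_listener()
    closed_port = reserve_closed_port()
    try:
        found = tcp_connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    # Baseline 1 (constructed): the listener is documented, so nothing is unexpected.
    documented = {open_port: "demo service (constructed baseline entry)"}
    # Baseline 2: nobody recorded the listener, so the scan surfaces it as a finding.
    return {
        "open_port": open_port,
        "closed_port": closed_port,
        "found": found,
        "unexpected_with_baseline": unexpected_services(found, documented),
        "unexpected_without_baseline": unexpected_services(found, {}),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the baseline diff is the last sentence of the paragraph: the scan output by itself is the attacker’s view, and it only becomes a defensive artefact once you have an inventory to compare it against. In practice replace the constructed baseline with your CMDB or the last approved scan, and run the comparison on a schedule.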
Gaining access is the third phase and the last of the entry phases. Credentials are the key to this phase. Once they bypass the firewall, or obtain a copy of a credential store, attackers will employ every available tactic to guess passwords or crack the password hashes. They use various tools, the most common being Metasploit, Burp Suite, CeWL, Hashcat, THC-Hydra, Cain and Abel, and John the Ripper.
There are many ways defenders can fight back in phase three, but I have found that the front line of defense is a strong password policy. Set up a strong Group Policy and enforce it: require long passphrases rather than short “complex” passwords, make sure every credential store holds only salted, deliberately slow hashes (never plaintext or fast unsalted hashes), set up multi-factor authentication, and actively use biometrics where appropriate. Social engineering plays a huge role in this attack phase; an attacker often acquires access after a false phone call or a well-crafted email, so the awareness training discussed earlier belongs here too. Multiple lines of defense are required in response to every avenue of attack. Thinking ahead rather than having a knee-jerk reaction to an incident will keep your organization one step ahead of the attacker.
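As an added example covering both the cracking tools listed above and the passphrase-and-salt advice in this paragraph (this is illustrative code written for the article, not code from the original page or from Hashcat, John the Ripper or any other named tool), the block below puts the weak way of storing passwords beside the hardened one. The weak half stores a single fast, unsalted hash, which is what a cracking tool hopes to find in a dump: one precomputed table breaks every account that shares a password. The hardened half uses a per-user random salt and a slow key-derivation function, with a policy check that favours length. All users, passwords, the wordlist and the “breached password” set are constructed for the demo; PBKDF2-HMAC-SHA256 is used because it is in the Python standard library, and bcrypt, scrypt or Argon2 would be equally valid choices.

```python
"""Added example: unsalted fast hash (weak) vs salted slow KDF (hardened), plus a length-first policy."""
import hashlib
import hmac
import os

# ---- weak: unsalted, fast hash ----------------------------------------------
def weak_hash(password):
    """One SHA-256 over the raw password: fast to compute, identical for every
    user with the same password, and therefore trivial to attack with a table."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_with_table(digest, wordlist):
    """Precompute the table once and reuse it against every dump. This is the
    whole reason unsalted hashes fall in seconds to tools like Hashcat."""
    table = {weak_hash(word): word for word in wordlist}
    return table.get(digest)


# ---- hardened: per-user salt + slow KDF --------------------------------------
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor recommended by the OWASP Password Storage Cheat Sheet


def store_password(password, iterations=ITERATIONS):
    """Return the record to persist: salt, work factor and derived key.
    A fresh 16-byte salt per user means equal passwords get different hashes
    and a precomputed table is useless; the iteration count makes each guess
    cost the attacker as much as it costs us at login."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": key.hex()}


def verify_password(password, record):
    """Re-derive with the stored salt and work factor; constant-time compare."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


# ---- policy: length first, then a breached-password denylist -----------------
# Constructed stand-in for a real breached-password list.
COMMON_PASSWORDS = {"password", "winter2024!", "letmein", "qwerty123"}


def check_policy(password, min_length=14):
    """A long passphrase is accepted; a short password is rejected regardless of
    character classes, and anything on the denylist is rejected regardless of length."""
    return len(password) >= min_length and password.lower() not in COMMON_PASSWORDS


def run_demo():
    """Two constructed users share a password; show what each storage scheme leaks."""
    shared = "Winter2024!"
    wordlist = ["letmein", "Winter2024!", "qwerty123"]          # constructed
    weak_alice, weak_bob = weak_hash(shared), weak_hash(shared)
    strong_alice, strong_bob = store_password(shared), store_password(shared)
    return {
        "weak_hashes_identical": weak_alice == weak_bob,
        "weak_cracked_as": crack_with_table(weak_alice, wordlist),
        "strong_hashes_identical": strong_alice["hash"] == strong_bob["hash"],
        "strong_login_ok": verify_password(shared, strong_alice),
        "strong_wrong_password": verify_password("Winter2025!", strong_alice),
        "policy_short_password": check_policy(shared),
        "policy_passphrase": check_policy("correct horse battery staple"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The salt is stored in the clear next to the hash; that is intended. Its job is not secrecy but uniqueness, so that an attacker who obtains the store has to run the full slow derivation separately for every account and cannot reuse work across users or across dumps.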
While ongoing proof of compliance is a driving factor in how we, as cybersecurity professionals, do business, understanding the tools, processes and even an attacker’s way of thinking may help defend our most critical assets. We can only protect our organizations from attack when we can think like an attacker and understand the tools they use.
Every member of the organization, the management and the IT team needs to develop a certain level of “oblique thinking” to best combat the always-changing landscape traversed by our attackers.