Thinking like an attacker

The best defense is a good offense! See things from your enemy’s point of view! It takes a thief to catch a thief! All great advice, however, it is a bit hard to utilize them without knowing the context in which they apply. The goal of this post is to provide that context. Who are the attackers? What are their goals? Where are they? That’s what we will cover!

Who is the attacker?

Anyone! The technological advancement of the last few years made it really easy to find and exploit various vulnerabilities. You do not need a vast amount of knowledge to execute attacks. Some are as simple as inputting a URL into the tool and clicking the “Hack” button. This created a lot of self-proclaimed hackers better known as script-kiddies and they are out to get you. For them, it is all fun and fame.

The more dangerous type of attacker is after larger gains. They are mostly cyber criminals trying to profit from every single hack. They are more advanced but still far from a serious attacker. If you have something that is worth attacking, and you surely do, they will eventually turn your way.

On the top of a food chain are “black hat hackers”. Some are for hire, and others do it for their reasons. These individuals or teams are capable of launching highly sophisticated attacks and developing tools required to execute such attacks. These instruments and services are often sold or offered for rent. Several nation-states are known to use such software.

The above three categories are a good representative sample of the attackers you may face. Obviously, there are lots of room in between these groups, but they are general enough to give you a big picture. Now, let’s see what they might be after.

Goals and gains

Attackers are not necessarily out to destroy and devastate. For some it earns their living. Yes, it is still a crime, but understand: they have nothing against you in particular. Why you then?

“I have nothing of value” — you may think. Oh boy, are you mistaken. Let’s see how an attacker thinks.

You process payment information — great, credit card data for the win!

You handle PII data — lovely let’s sell it on the black market!

You have a secure internal network and do not handle sensitive data on internet facing machines — all right, let’s sell access to your internal network via the compromised frontend!

You have registered users — hm okay, they surely reuse passwords, let’s try it at a few big services and sell those that work.

You just host a static blog read by thousands of people every day — jackpot, let’s create zombiesout of your visitors!

You only serve a static web page without too many views — perfect for hosting malware used by other attacks!

You have a long forgotten machine running in isolation — it will make a great jump box, i.e. to mask the origin of the real attack!

Again there are gaps between these, but you get the idea. The definition of value is very subjective. You must consider the attacker's interpretation and match that in defenses. So where are these attackers?

They are everywhere

Their physical location is no longer relevant. Thanks to open proxies, rooted jump boxes and Tor it is hard to attribute attacks. It is a problem on a nation state level as well. In the cyber world, it is sometimes impossible to distinguish the hack of a few script kiddies carried out from a basement, from a government sponsored strike costing lots of money.

It is also worth noticing that, a considerable number of breaches occur with the help of an insider.

Conclusion

Sooner or later you will be attacked. By now, you probably have an idea why. As the saying goes, there are two types of companies: those who are breached, and those who do not know yet.

Next time you are about to say “you have nothing of value”, think again!