153 Brooks Road, Rome, NY | 315.336.3306

Presentation transcript:

Thinking Like an Attacker: What does it take to attack a system
Eric Thayer
Senior Engineer
Assured Information Security (AIS)
153 Brooks Road
Rome, NY 13441

Who are we?
• AIS is a security research company primarily serving the DoD
• Our mission is to analyze, understand, characterize and exploit cyber systems using adversarial techniques
• Started as a group of hackers and have maintained the mentality since 2001

Am I qualified to talk about this?
• Performing “Offensive Cyber” since 2002
  ◦ First AIS employee hired to perform red team assessments
  ◦ Offensive research could not be acknowledged at the time
  ◦ The term Cyber did not have the same meaning then
• System Administrator and Unix Security Admin for the DoD for five years prior to that
  ◦ Developed security monitoring tools
  ◦ Participated in multiple incident response exercises
  ◦ Supported the Air Force Research Laboratory in Rome, NY
    ▪ Network Operations Center
    ▪ Defensive Information Warfare Laboratory

What is an attacker?

What drives an attacker?
• Curiosity
  ◦ How did they make that work
  ◦ What are they doing with this data
  ◦ Why do I have to do this this way
• The desire to make something do what it was not intended to do
  ◦ Circumvention of others' protections
  ◦ “Outwitting” the designer or developer
• The challenge associated with successfully breaking a system
  ◦ The notoriety, satisfaction, and challenge of compromising a system
  ◦ Who doesn’t like to see things blow up?
• Money…

What is the role of an attacker?
• Attackers are responsible for the identification and disclosure of vulnerabilities within a system through various means
  ◦ Funded research
  ◦ Interesting personal project
  ◦ The search for more money
• Provide insight into system design and security that is not always evident to designers, developers, and users
  ◦ Security professionals view every target as a challenge
  ◦ The question of “how could I break that” is always in the back of their mind
• Serve as the “dark side” to help maintain the delicate balance between good and evil

How do you become an attacker?
• First you must be able to ask the question “Why?”, or “How?”, or even “What if?”
  ◦ Curiosity is the catalyst of all good findings
  ◦ Following up on those questions is how most of us got our start
• More importantly, you need a technical background with an in-depth understanding of the basics of computing
  ◦ What’s going on inside the box
  ◦ How is software designed and built
  ◦ How does the system's design impact the operation
  ◦ How are things talking to each other
  ◦ What is the software development/maintenance process

What else do you need?
• An understanding of the foundations of security
  ◦ What are the basic types of vulnerabilities
  ◦ How are systems exploited
  ◦ What techniques are usually applied to analysis of a particular class of target
  ◦ What is actually required to get code execution
  ◦ What measures are in place to prevent certain types of exploitation
• Respect your elders; you may not be the first one to show interest in a particular target
  ◦ Learn from the work of others and use their experience to feed your curiosity
  ◦ Build on their foundation and use the tools and/or techniques they used to help in your assessment

How does this apply to the IoT?
• Embedded platforms are becoming increasingly advanced
  ◦ Full operating systems
  ◦ Support for complex networking and communications protocols
  ◦ Real time feedback/diagnostic interfaces
  ◦ Feature rich user interfaces
• Lack of protection mechanisms in “closed” systems and networks makes for a rich target environment
  ◦ Trusted relationships and communications between nodes
  ◦ Open, unauthenticated protocols
  ◦ Decreased security to allow for integration of components
• “Why does a _____ need to be secure, nobody would ever want to attack that?”

Great, let's attack something!
• Develop an understanding of the target
  ◦ Analyze available documentation
  ◦ Review the design
  ◦ Interact with system and observe normal behavior
• Identify goals for the assessment
  ◦ Define what you are attempting to achieve
• Perform targeted system analysis
  ◦ Manual and scripted interaction with components, services, or interfaces
  ◦ Hardware/Software analysis
    ▪ Identify hardware functionality
    ▪ Extract software and determine behavior
    ▪ Identify the basic functionalities and features that may allow for exploitation
  ◦ Investigate design, development, and implementation weaknesses
• Develop “exploitation” techniques
How?

Understand your target
• To effectively exploit a target you must understand its behaviors and limitations
• Define what the system is capable of
  ◦ How does it operate?
  ◦ How do components communicate with each other?
  ◦ What forms of access exist?
• Determine what functional features exist and identify how they can be exercised
  ◦ Use the target system as a user would
  ◦ Monitor behavior and interaction of components
  ◦ Identify a behavior of interest and develop more comprehensive tests
• Build an understanding based on observation
  ◦ Documentation
  ◦ Interaction
  ◦ Monitoring of behavior

Define your goal
• What do we want to impact
  ◦ The system as a whole
  ◦ Physical controllers connected to smart embedded systems
  ◦ Servos and actuators
  ◦ Blinky lights
  ◦ The manufacturer’s reputation
• What is our driving force
  ◦ Intelligence
  ◦ Theft
  ◦ Profit
  ◦ Personal harm
  ◦ Just because I can
• What may have been done in this area before

Achieving your goal
• Determine what it is that you want to do and the impact you want to have
  ◦ Think about how you are going to achieve that goal and what information you may need
  ◦ Interact with and monitor the system to collect the required data
• Identify the components of the system that may be useful in helping you achieve your goal
  ◦ What dependencies may exist that could help exploitation
  ◦ Are certain components of the system weaker than others
  ◦ Do remote access/communications vectors exist
• Observe the system and refine your approach
  ◦ Trial and error is common practice
  ◦ Observe behavior and adjust accordingly

Before performing the analysis
• Although the technique for every assessment is similar, the process is driven by the understanding of the target
  ◦ The more you know about the system under the hood, the easier the assessment will be
  ◦ In-depth knowledge and clearly defined goals will help focus the assessment and manage scope
• Every target system will be different
  ◦ Remote access techniques will vary
  ◦ OS may be Linux based, it may not
  ◦ Exposed services could exist
• The purpose and design criteria for the system will set the bar for protections
  ◦ Purposefully designed systems often present a hardened attack surface
  ◦ Integration of legacy systems often introduces security holes
  ◦ Multiple systems from various suppliers integrated into a single solution…
Things to remember before getting into the weeds

Targeted system analysis
• Identify the basic features that may allow for exploitation
  ◦ Network communications
  ◦ Input processing
  ◦ Exposed services
  ◦ Software updates
• Interface with the target through the exposed interfaces and observe the resultant output for anomalies
  ◦ Develop test cases to stress system operation
  ◦ Generate network data or program input to test functionality
  ◦ Manipulate data, timing, and sequencing
• Extract software and data and perform more in-depth reverse engineering
  ◦ Perform static and dynamic analysis
  ◦ Identify functional system blocks and interfaces
  ◦ Trace data flow

Develop an exploit
• Exploitation is an art, not a science; initial attempts at generating an effect don’t always work
  ◦ These are complex systems; there are often logic and preconditions that must be met
  ◦ Understanding of the target's operation in certain scenarios may require further investigation
  ◦ Educated trial, error, and observation are key to successful exploitation
• Exploitation is not limited to code execution; unintended use of features can also be an exploit

Now what?
• Define your goals based on what you know
  ◦ Learning is an iterative process
  ◦ As your knowledge of the target evolves, you will need to refine your goals
• Understand what has been done already
  ◦ Build upon what others have accomplished
  ◦ Learn from their mistakes
• Understand the potential issues associated with attacking any system
  ◦ There are some things that just may not work
  ◦ Time, budget, and resources are most commonly your limiting factors
• Remember, an exploit does not have to provide a means to execute code, but a severe vulnerability will have a much more meaningful impact

Can you hack it trivia