Evaluating your infosec defences: think like the bad guys


“Commander Vimes didn’t like the phrase ‘The innocent have nothing to fear’, believing the innocent had everything to fear, mostly from the guilty.”

Terry Pratchett

You can’t protect your estate by thinking like a nice guy 

Infosec’s great defensive weakness is that, historically, the good guys have always been the nice guys. Information security officers, analysts, penetration testers and security consultants live in a parallel universe to the bad actors seeking to overcome their defences. Even the pentesters who get hired to be bad guys are just actors pretending to be gangsters. They talk the talk, but their guns are firing blanks. 

Before I continue, I had better say I’m using the term ‘guy’ only to preserve a few metaphors. So if you want to read ‘guys and gals’ everywhere or just ‘folks’, go right ahead.  

The problem with being a nice guy is that it’s difficult to think like a bad guy. You imagine how someone might attack your defences but then find out – often too late – that the bad guys didn’t play by your script. Instead, they made an end run around your defences, leaving you blindsided. 

Rules were made to be broken. Or just rewritten. 

I’m reminded of the famous board game, Monopoly. There are the rules. And then there are the unwritten rules. Distract your opponent so they don’t realise - until it’s too late - that you owed them rent they failed to collect. Hide money under the board so that you can plead poverty when negotiating to purchase property from another player. Use a prearranged set of coded hand signals to team up with a supposed opponent and collectively drive another victim into bankruptcy, then split the loot between you.  

The bad guys don’t play by your good guy rulebook. They can steal stuff out of your trash, looking for sensitive information they can leverage, then ring your support desk, pretending to be a bona-fide user, or perhaps a key business partner.  

They can steal corporate laptops from hotel rooms, or the trunk of your car. They can infiltrate your organisation as low-level employees or even office cleaners, and then filch passwords, carelessly pinned to screens, or rummage through unlocked desk drawers when no-one’s looking.  They can bribe, coerce or even blackmail your employees into divulging sensitive information.  

Or perhaps they’re not low-level criminals at all. Some people just like breaking things for the intellectual challenge, or for the kudos, or even to ensure their tenure in academia. Don’t forget, security research is a thing now. 

Nice guys finish last 

When you’re evaluating your infosec defences, put yourself in the bad guys’ shoes.

Think about physical security; perhaps protecting your house from a burglar. To guard against someone using a hammer, you put in toughened glass windows, but then the burglar simply ‘bumps’ your door lock to get in. Bumping a lock involves inserting a specially cut ‘bump key’ and striking it sharply so that, for an instant, the pins jump to the shear line; with a little turning pressure the cylinder rotates and the thief can simply open the door and walk right in.  

An even better example comes from Randall Munroe at xkcd, who said it perfectly in his webcomic.  

An analogous situation in information security is relying on massive blacklists of file hashes to decide whether or not a piece of software is malicious. The bad guys got around this first by writing ‘polymorphic’ malware, which re-packs itself so that every copy has a different hash while behaving identically. Then they evolved their strategies to ‘live off the land’: abusing tools already present on the victim’s machine, such as PowerShell or WMI, and injecting code straight into memory, so that no new suspicious file is ever written to disk for a hash check to catch. 

To defend against your attacker, you must become the attacker 

So start thinking like a bad guy. Visit forums where bad actors lurk and eavesdrop on their conversations. Learn how sensitive data such as credit card details is exfiltrated and then traded for money. Imagine that instead of that healthy salary you earn in Infosec, you had to live by stealing from others.  

Then start defending yourself. If polymorphic malware makes file hashes useless, you have to find new defences. For example, modern endpoint protection software can identify unusual patterns of activity, scanning memory for malware and identifying attempts to exfiltrate sensitive data. Google and other vendors are working on sophisticated AI systems that are intended to spot anomalous patterns of activity and adapt to attacks dynamically.  
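The two paragraphs above (hash blacklists defeated by polymorphism and living off the land, and behaviour-based detection as the replacement) can be shown in a few lines. The following is an added example, not code from the original article or from 1E: the “binary”, the blocklist and the process-creation events are all constructed, and the behavioural rule is a simplified illustration of the kind of check endpoint protection applies (an Office application spawning a scripting host, or PowerShell launched with hidden/encoded/download flags), not any vendor’s actual logic.

```python
"""Added example: why a file-hash blocklist fails against polymorphic malware,
and what a behaviour-based rule looks like instead.

Everything here (sample bytes, blocklist, log events) is constructed for
illustration; the detection rule is a simplified stand-in for an EDR rule.
"""
from __future__ import annotations

import hashlib
import re

# A constructed "malicious payload". In reality this would be a PE or ELF file.
KNOWN_BAD_SAMPLE = b"MZ\x90\x00 constructed evil payload v1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The defender's blocklist: one hash per sample seen so far.
BLOCKLIST = {sha256_hex(KNOWN_BAD_SAMPLE)}


def hash_blocklist_match(data: bytes, blocklist: set = BLOCKLIST) -> bool:
    """Classic signature check: is this exact file already known bad?"""
    return sha256_hex(data) in blocklist


def polymorphic_variant(sample: bytes, seed: int) -> bytes:
    """Simulate a polymorphic packer: same behaviour, different bytes.

    The 'mutation' here is just a per-build junk tail. A real packer
    re-encrypts the body under a fresh key and emits a new decryptor stub,
    but the effect on a hash blocklist is identical: every build is a miss.
    """
    junk = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    return sample + b"\x00" * 16 + junk


# --- Behaviour-based detection over process-creation events -----------------
# Field names follow the Sysmon/EDR convention (Image, ParentImage, CommandLine).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBIN_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SUSPICIOUS_PS_FLAGS = re.compile(
    r"(-enc(odedcommand)?\b|\biex\b|invoke-expression|downloadstring|"
    r"frombase64string|-nop\b|-w(indowstyle)?\s+hidden)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def flag_process_event(event: dict) -> list:
    """Return the reasons (if any) this process-creation event looks like
    living-off-the-land activity. No file hash is consulted at all."""
    reasons = []
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if parent in OFFICE_PARENTS and child in LOLBIN_CHILDREN:
        reasons.append(f"office app {parent} spawned {child}")
    if child in {"powershell.exe", "pwsh.exe"} and SUSPICIOUS_PS_FLAGS.search(event["CommandLine"]):
        reasons.append("powershell launched with hidden/encoded/download flags")
    return reasons


def detect(events: list) -> list:
    """Run the rule over a batch of events; return (index, reasons) for hits."""
    return [(i, r) for i, e in enumerate(events) if (r := flag_process_event(e))]


# Constructed events: one macro-dropper pattern and two benign lines.
CONSTRUCTED_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    print("original on blocklist:", hash_blocklist_match(KNOWN_BAD_SAMPLE))
    for seed in (1, 2):
        v = polymorphic_variant(KNOWN_BAD_SAMPLE, seed)
        print(f"variant {seed} on blocklist:", hash_blocklist_match(v), sha256_hex(v)[:16])
    for idx, reasons in detect(CONSTRUCTED_EVENTS):
        print(f"event {idx} flagged:", "; ".join(reasons))
```

The first half shows the failure mode: the original sample matches, every repacked variant misses, and the defender is left chasing hashes. The second half never looks at file content; it asks what the process did and who started it, which is exactly the question a polymorphic packer or a fileless PowerShell stager cannot dodge without changing its behaviour. Real rules need tuning against the estate’s own baseline (the scheduled inventory script above is deliberately left unflagged), but the shape is the same.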

Recognising that many attacks exploit social engineering, are your staff trained to spot them? Get a professional social engineer in to test them, then do a “lessons learned” review. Are people a bit loose with security, with Post-It note passwords and unlocked drawers full of confidential documents? Make sure they understand why it matters to keep things locked up. 

Don’t forget that social engineering can also be a defence 

When you are trying to change behaviour to improve your defences, threats aren’t very effective. Instead, use positive reinforcement. Social engineering, such an effective attack vector, can also be a valuable defence strategy.  

For example, FBI security officer Patrick Reidy advocates social engineering as an effective way of positively altering staff behaviour. To combat the proliferation of sensitive information copied via insecure USB devices, software was installed to ensure that whenever a USB key was inserted into a device, a dialogue appeared warning the user of the requirement to ensure that the information being copied was authorised. What Reidy found was that after only a month or two, the number of dialogue displays dropped to almost zero. Users simply stopped performing the dangerous actions unless they really did need to copy something. 

Practice makes perfect 

It’s not easy to think like the bad guys. You have to work at it. As with any skill, it takes time and practice to perfect. Keep these key points in mind as you hone your skills. 

Bad guys don’t have to play by your rules.

Locks can be ‘bumped’. Alarms can be jammed. Perimeter defences can be tunnelled under.  

Complicated defences may be overcome by simple attacks.

The WW2 French Maginot Line, impervious to bombs and tanks, was simply bypassed by the Germans, who attacked France via the Low Countries instead.

However much you want to defend your estate, the bad guys want to attack it even more.

You’re motivated by pride and job security. The bad guys are motivated by money and kudos. 

Then re-examine your infosec policies and defences.  You may be surprised at the new weaknesses you uncover. Sometimes, being a bad guy really is the best strategy.

Andy Mayo, Tachyon Engineering Team Lead at 1E  

Image Credit: Methodshop / Pixabay