Attack Targets

One more post for network security students:

The internet is a complex construction of devices and connections that spans the globe. It can be difficult to conceptualize every aspect of the internet to use it securely. By understanding how black hats find targets and how they create attacks against those targets, the cybersecurity defenses we build are improved. Knowing what information is made public is the first step. Once you know what is exposed to attackers on the internet, you can deploy your own defenses.

How the Internet Works

To comprehend how a black hat finds and exploits you on the internet, it is important to understand some fundamental concepts. The internet began as a project in the Advanced Research Projects Agency (ARPA), a United States government organization tasked with researching new technologies to maintain a lead over the Soviet Union.

In the 1960s, ARPA began working on a tool that would protect US communications during a nuclear attack. Because nuclear bombs could easily wipe out massive amounts of infrastructure, the US military needed a communications network that could reactively realign itself should part of the country be attacked.

How Black Hats See the Internet

When a black hat accesses the internet, they’re often trying to figure out how they can get past the public network and look into a private network. This can be exceedingly difficult because many of the systems that make the internet what it is today are designed specifically to prevent people on a public network from seeing what’s going on in any private network.

When an adversary focuses on a target, their first step is often to determine how they can move from the public side of a network to the private side. Once they’re in the private network, they can work on finding their specific target and executing the attack to get whatever they’re after, whether that’s disrupting business as usual or stealing data. To perform all these actions successfully, many black hats rely on a certain set of steps to maximize their attack’s potential.

The Black Hat Attack Methodology

Not every attack by a black hat follows a specific pattern or set of steps. But most attackers must accomplish certain objectives before they can fully realize their goals. Several models classify these objectives, but one of the most famous is the Lockheed Martin Cyber Kill Chain (CKC). The CKC consists of seven steps that a black hat must accomplish for their attack to be effective. These steps involve activities undertaken before, during, and after many cyberattacks:

  • Reconnaissance—During the reconnaissance phase of the CKC, the attacker learns everything they can about their target. They begin by collecting any data considered public information.
  • Weaponization—In the next step, weaponization, the black hat creates an actual attack to use against a target. With the information gathered from the reconnaissance phase, they plan and create the tools they’ll need.
  • Delivery—Once the black hat has a weaponized package, whether it’s malware, a phishing website, or some other form of attack, they’re ready to deliver. Again, this requires using the information gathered during the reconnaissance phase to decide what the best method of delivery will be.
  • Exploitation and installation—Attackers must compromise a system inside the private network before they can fully access it. This compromise usually involves the adversary establishing backdoors.
  • Command and control, and attack on objectives—During the command and control and attack on objectives phases, the black hat uses the backdoor to establish a foothold in the system. From there, they can use it as a base to identify further systems to exploit. This is known as pivoting.

How Black Hats Find You

If you look closely at the phases of a black hat's attack, you’ll notice that one of the most important steps is the first one: reconnaissance. If an adversary can’t find any useful information about their target, they’ll have an extremely difficult time delivering an effective attack.

Black hats find reconnaissance information mostly from publicly available sources, which people often create without realizing what they’re exposing. Often, misconfigured systems openly communicate on the internet, exposing services that an organization might not want available to the public. You can see many of these open systems by using Shodan, a tool that scans the internet for open services and systems. After a scan, Shodan puts its findings in an easy-to-use database that is open to the public to search through.

Using Shodan isn’t the only way to find useful information online. A great deal of other data on the internet might help a black hat craft an attack.
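Turning this around for the defender: the same public scan data can be checked against what you intend to expose. The script below is an added example, not code from the original post; it reads a Shodan-style export (the record fields `ip_str`, `port`, `transport` and `product` are assumed from Shodan's host-result JSON; the sample records, address ranges and allowlist are constructed) and reports every service visible on your own addresses that is not on your allowlist.

```python
"""Added example: flag services exposed on your own address space that you
did not intend to publish, using a Shodan-style export.

Assumptions: record fields follow Shodan's host-result JSON (ip_str, port,
transport, product); the sample records below and the allowlist are
constructed for illustration and use documentation address ranges."""
import ipaddress
import json

# Constructed sample in the shape of Shodan host results (not real scan data).
SHODAN_EXPORT = json.dumps([
    {"ip_str": "203.0.113.10", "port": 443, "transport": "tcp", "product": "nginx"},
    {"ip_str": "203.0.113.10", "port": 22, "transport": "tcp", "product": "OpenSSH"},
    {"ip_str": "203.0.113.25", "port": 3389, "transport": "tcp", "product": "Remote Desktop Protocol"},
    {"ip_str": "203.0.113.40", "port": 161, "transport": "udp", "product": "SNMP"},
    {"ip_str": "198.51.100.7", "port": 80, "transport": "tcp", "product": "Apache httpd"},
])

# Address ranges you own, and the (transport, port) pairs you deliberately publish.
OWNED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWED = {("tcp", 443), ("tcp", 80)}


def unexpected_exposures(export_json, owned_ranges=OWNED_RANGES, allowed=ALLOWED):
    """Return sorted (ip, port, transport, product) tuples for services seen on
    addresses you own that are not on the allowlist. Records for addresses
    outside your ranges are ignored: they belong to someone else."""
    findings = []
    for rec in json.loads(export_json):
        addr = ipaddress.ip_address(rec["ip_str"])
        if not any(addr in net for net in owned_ranges):
            continue
        key = (rec.get("transport", "tcp"), rec["port"])
        if key not in allowed:
            findings.append((rec["ip_str"], rec["port"], key[0], rec.get("product", "?")))
    return sorted(findings)


if __name__ == "__main__":
    # Each line is a service the public can already see and you did not plan for.
    for ip, port, proto, product in unexpected_exposures(SHODAN_EXPORT):
        print(f"{ip}:{port}/{proto}  {product}")
```

Run it against a real export of your own ranges and treat every line as a configuration to review, since attackers performing reconnaissance see exactly the same list.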

How to Hide from Black Hats

The examples of how an adversary gathers information might seem far-fetched, but they describe real-life techniques that black hats have used. When people post information publicly, attackers can use it to find cracks in their security, allowing the attackers to craft the perfect attacks against a person or organization. The best way to defend against these attacks is to implement operational security (OPSEC).

OPSEC is the process of understanding and minimizing any information that could be used against you. For civilian organizations, OPSEC is about protecting information that a black hat could use to attack your organization. The best way to ensure your OPSEC is to keep three rules about the internet in mind when posting information: the internet is open, public, and forever.

  • The internet is open—When you’re using the internet, assume that anyone can see what you’re doing or sharing, including any data moving across the network. It’s up to you to protect that information by determining how you send it.
  • The internet is public—The internet is completely public; anyone can get online as long as they have the right connection set up or pay a company, like an ISP, to use their equipment. In many ways, access isn’t even tied to a specific person. It’s possible, legal, and often best to hide who you are on the internet by using usernames or hiding your IP address.
  • The internet is forever—The best rule to adhere to when posting any information to the internet is to assume that everyone will be able to see it, so craft what you say with that assumption in mind. If you think the post might hurt you or provide information that others can use against you, it’s best not to post it in the first place.

Understanding the three rules of the internet will help you practice OPSEC if someday you work for an organization that needs to prevent sensitive information from becoming public. By being mindful of how you post your personal information, you’ll notice information that black hats could potentially use to attack your organization. You could also teach others in your organization, especially new hires, about the importance of limiting the information they share with the public. This behavior will make your organization more secure overall. After all, the less information an attacker has, the harder it is for them to attack.