4. Attack Vectors – Privileged Attack Vectors: Building Effective Cyber-Defense Strategies to Protect Organizations

© Morey J. Haber 2020
M. J. HaberPrivileged Attack Vectorshttps://doi.org/10.1007/978-1-4842-5914-6_4

4. Attack Vectors

Morey J. Haber1 
(1)
Heathrow, FL, USA
 

An attack vector is a technique by which a threat actor, hacker, or attacker gains access to a system, application, or resource to perform malicious activity. This can include everything from installing malware, altering files or data, or even some form of persistent reconnaissance. Attack vectors enable threat actors to exploit system vulnerabilities, poor configurations, and introduce items like stolen credentials to compromise a system. Attack vectors can include human elements in the form of deception, social engineering, and even include physical traits like fake identification badges. Attack vectors can consist of malware, malicious emails, infected web pages, text messages, social engineering, and many other forms of deception. All of these methods involve intentionally coding software to create a programmatic attack vector (except social engineering) to leverage a resource for malicious intent.

Technology like firewalls and endpoint protection solutions were originally designed to block these attack vectors, but, in recent years, they have fallen short to the creativity and intent of threat actors. No single protection method is entirely attack-proof. A defensive strategy that is effective today may not be tomorrow, because threat actors are innovative, motivated, and pushing the limits of security in their pursuit to gain unauthorized access into systems and resources. To that end, the most common malicious payloads used for privileged attacks are malware designed to steal credentials or create a vehicle for a persistent presence to engage in lateral movement. As an analogy, if an attack vector is thought of as the barrel of a gun pointed at a target, its payload can be thought of as the bullet that pierces the target. This assumes, however, that someone or something is pointing the gun and that the attack is not random or opportunistic. Unfortunately, in today’s world, we see these indiscriminate shootings too.

Password Hacking

Hacking of a password by a threat actor can be done using several techniques. Once successful, this can lead to administrator privileges if the account has been granted these rights in the first place. It’s yet another reason to limit the number of administrator accounts in an environment to minimize the surface area for these attacks. If the account is an administrator, the threat actor can easily circumvent other security controls, perform lateral movement, and opportunistically attempt to crack other passwords for other privileged accounts on the same or remote systems. As a point of reference, password hacking should not be confused with the former discussions on password exposure, such as shared passwords and the insecure documentation of passwords. Password hacking is a threat action that involves attackers attempting to crack or determine a password using a variety of programmatic techniques and automation. These are covered in the following sections.

Guessing

One of the most popular techniques for password hacking is simply guessing the password. A random guess itself is rarely successful unless it is a common password or based on a dictionary word. Flat-out guessing is somewhat of an art, but knowing information about the target identity enhances the likelihood of a successful guess by a threat actor. This information can be gathered via social media, direct interaction, deceptive conversation, or even data gleaned and merged or aggregated from prior breaches. The most common variants for passwords that are susceptible to guessing include these common password schemas:
  • The word “password” or basic derivations like “passw0rd” not found in typical password dictionaries.

  • Derivations of the account owner’s username, including initials. This may also include subtle variations, such as numbers and special characters.

  • Reformatted or explicit birthdays for the user or their relatives, most commonly, offspring.

  • Memorable places or events.

  • Relatives’ names and derivations with numbers or special characters when presented together.

  • Pets, colors, foods, or other important items to the individual.

For a threat actor to succeed at password guessing, it is not necessary to use automation for repetitive guessing. This method may be more labor-intensive and has mixed success rates. Password guessing attacks also tend to leave evidence in event logs and result in auto-locking of an account after “n” attempts. For a threat actor, getting detailed information on the intended target usually involves advanced surveillance or inside knowledge. For the average person, it may just be a game of trial and error. In addition, if the account holder does not follow best practices and reuses passwords between resources, then the risks of password guessing and lateral movement increase dramatically. Imagine a person that uses only one or two base passwords everywhere for all of their digital presence. Unfortunately, this happens all the time.

Shoulder Surfing

Shoulder surfing enables a threat actor to gain knowledge of credentials through observation. This includes observing passwords, pins, and swipe patterns as they are being entered. This includes even observing a pen scribbling a password on a sticky note. The concept is simple, a threat actor is watching physically, or with an electronic device like a camera, for passwords and reusing them for a later attack. This is why, when using an ATM, it is always recommended to shield the entry of your PIN on a keypad to avoid a nearby threat actor from shoulder surfing your PIN.

Shoulder surfing represents one of the oldest privileged attack vectors and one of the easiest for anyone to leverage. For a threat actor, all they need to do is find a way to watch someone entering their secrets (password, PIN, etc.) on a data entry device.

Dictionary Attacks

Dictionary attacks are an automated technique (unlike password guessing) utilizing a list of passwords against a valid account to hack the password. The list itself is a dictionary of words (no definitions mind you) and basic password crackers use these lists of common single words like “baseball” to crack a password or hack an account. If the threat actor knows the resource they are trying to compromise, like password length and complexity requirements, the dictionary can be customized to target the resource more efficiently. Therefore, more advanced programs often use a dictionary on top of mixing in numbers or common symbols at the beginning or end of the attempt to mimic a real-world password with complexity requirements. An effective dictionary attack tool lets a threat actor do the following:
  • Set complexity requirements for length, character requirements, and character set

  • Allows for the manual addition of words, from names to other personally identifiable words

  • Can include common misspellings of frequently used words

  • Can operate with dictionaries in multiple languages

A weakness of dictionary attacks is that they rely on real words and derivations supplied by the user of the default dictionary. If the real password is fictitious, uses multiple languages, or uses more than one word or phrase, it will thwart a dictionary attack. There are just too many permutations for it to be successful.

Also, there are a variety of supplemental attacks based on dictionaries that are available to a threat actor. If the attacker knows the password-hashing algorithm used to encrypt passwords for a resource, rainbow tables can allow them to reverse engineer those hashes into passwords, if the password hash tables are exposed. Modern breaches have exposed vast troves of password hashes, but without a basis in the encryption algorithm, rainbow tables and similar techniques are nearly useless without some form of seed information.

Finally, the most common method to mitigate the threats of a dictionary attack is account lockout attempts. That is, after “n” times of wrong attempts, a user’s account is automatically locked for a period of time, manually unlocked by an authority, like the help desk or via an automated password reset solution. However, in many environments, especially for nonhuman accounts, account lockout attempts can have undesirable effects to business runtime. This setting is, therefore, sometimes disabled, and, if logon failures are not being monitored in event logs, a dictionary attack is an effective attack vector for a threat actor. This is especially true if privileged accounts do not have this setting enabled as a mitigation strategy.

Brute Force

Brute force password attacks are the least efficient method for trying to hack a password. It is generally the last resort based on mathematics. By definition, brute force password attacks utilize a programmatic method to try all the possible combinations for a password. This method is quite efficient for passwords that are short in string (character) length and complexity, but can become infeasible, even for the fastest modern systems, with a password of eight characters or more. Therefore, if a password only has alphabetical characters, all in capitals or all in lowercase (not mixed), it would take 267 (8,031,810,176) guesses (you have a better chance of winning the lottery!). This also assumes that the threat attacker knows the length of the password. Other factors include numbers, case sensitivity, and other special characters in the localized language. The truth is, a brute force attack with the proper parameters will always find the password. The problem is the time required may make the brute force test itself a moot point by the time it is done. And, the time it takes to perform the attacks is not only based on the speed required to generate all the possible password permutations, but also the challenge and response time of a failure on the target system. That last lag time is what really matters when trying to brute force a password.

Pass-the-Hash

Pass-the-hash (PtH) is a hacking technique that allows an attacker to authenticate to a resource by using the underlying NT LAN Manager (NTLM) hash of a user’s password, in lieu of using the account’s actual password. After a threat actor obtains a valid username and hash for the password using a variety of techniques, like scraping a system’s active memory, they then can use the credentials to authenticate to a remote server or service using LM or NTLM authentication. The attack exploits an implementation weakness in the authentication protocol, where the password hash remains static for every session until the password itself is actually changed. PtH can be performed against almost any server or service accepting LM or NTLM authentication, regardless of whether the resource is using Windows, Unix, Linux, or any other operating system. To that end, modern systems can defend against this type of attack in a variety of ways, but based on the weakness itself, changing the password frequently (after every interactive session) is a good defense to keep the hash different between the sessions. Password management solutions that can rotate passwords frequently or customize the security token are a good defense against this technique. Unfortunately, modern malware can contain techniques to scrape memory for hashes, making any active running user, application, service, or process a potential target. Once the hash is obtained, command and control or other automation allows for additional lateral movement or the exfiltration of data.

Security Questions

A common social technique used by financial institutions and merchants to verify a user against their account is to ask them security questions challenging them to respond to private and personal information. The sequestions are required by many organizations, when you set up a new account, as a form of two-factor authentication, and the correct answers are supplied during account creation. The end user is then prompted to respond to the security questions when logging on from a new resource, when you forget your password, or even when you reset your password. Some common security questions are these:
  • The city in which you were born?

  • Your high school mascot?

  • Your first car?

  • Your favorite food?

  • Your mother’s maiden name?

  • What was your first pet’s name?

  • Who was your first kiss?

However, these security questions themselves present potentially far-reaching risks. Think about these scenarios:
  • How many people would know the answer to any of these questions?

  • Are the answers to these publicly available online via social media, biographies, or even school records?

  • Have you played any social media games that may have revealed this information?

  • Have the security questions, and possibly their answers, been stolen in a previous breach?

The relationship is clear. The more places and people that know your security question answers, the more likely they can be answered by someone else. In addition, if the information is public, then it is really not a legitimate security question at all.

When a resource requests that you complete and use security questions, my recommendation is to use the most obscure questions that no one besides yourself may know, and remember never to share information that is similar online or with another site that uses the same security questions.

The scenario is similar to password reuse and social engineering. Security questions are social facts about yourself and, unfortunately, can be used on multiple sites. If someone invokes “Forget Password” on one resource, already owns your email or text message platform, and your security phrase is the same on multiple sites, the threat actor can continue to own you through lateral movement between accounts associated with your identity. Making all your passwords different, using different accounts and emails for different types of resources (banks, merchants, friends, and spam), and never reusing the same security questions will help prevent an exploit based on your security questions and answers.

Finally, if the information in security questions cannot be mitigated from your public profile, or has already been potentially shared with malicious individuals, consider the following:
  • Do not respond to the security questions in plain English. Consider using the philosophy of password complexity to obfuscate your answers. For example, if you were born in “Orlando,” consider the answer to where you were born to be “0rl@nd0”.

  • Consider providing false information for the responses to security questions. In reality, no one checks your answers. Just like a password, consider obfuscating the results with a blatant lie. So, for example, for the question of where you were born, you could answer “TheMoon.”

  • If the same security question is required across multiple sites, like where were you born, consider using your password manager to store a unique response for each site. While this may sound paranoid, security questions are a form of passwords and keeping each one unique across every site may offer protection against reuse attacks. Therefore, in your password manager, you may have been born in “0rl@ndo” for one URL and “TheMoon” for another.

Credential Stuffing

Credential stuffing is a type of automated hacking technique that utilizes stolen credentials comprised of lists of usernames (or email addresses) and the corresponding passwords (typically previously stolen from other data breaches) to gain unauthorized access into a system or resource. The technique generally involves large-scale automation to submit login requests directed against a web application and to capture successful login attempts for future exploitation. Credential stuffing attacks do not attempt to brute force or guess any passwords, the threat actor simply automates authentication based on previously discovered credentials using standard web automation tools. The result can be millions of attempts to determine where a user potentially reused their credentials on another website or application. Credential stuffing attacks prey on password reuse and are only effective because so many users reuse the same credential combinations across multiple sites.

Password Spraying

Password spraying is a credential-based attack that attempts to access a large number of accounts by using a few common passwords. This is conceptually the opposite of a brute force password attack, which attempts to gain authorized access to a single account by pumping large quantities of passwords in over and over again. Brute force attempts, as discussed, can quickly result in the targeted account getting locked out. During a password-spray attack, the threat actor attempts a single commonly used password (such as “12345678” or “Passw0rd”) against many accounts before moving on to attempt a second password. Essentially, the threat actor tries every user account in their list with the same password before resetting the list and trying the next password. This technique allows the threat actor to remain undetected, avoid account lockouts, and avoid hacking detection on a single account due to the time between attempts. If poor password hygiene has been used by any one user or on any one account—human or nonhuman—then the threat actor has succeeded in infiltrating the resource. The attack is compounded even further if any of these accounts are privileged.

In the real world, password-spray attacks typically are successful against cloud-based applications that are not monitored for failed logon attempts. The best mitigation for these attacks is to enforce password complexity and multi-factor authentication to every web-based resource. This is true for single sign-on (SSO) as well. SSO should never be implemented with only single-factor authentication.

Password Resets

How often do you change (not reset) your passwords? Every 30 or 90 days when prompted to at work? How about at home? How often do you rotate passwords for your bank account or social media? Probably not often enough, if ever. and surprisingly, that might be okay.

Without a password manager, keeping all of one’s passwords unique, complex, and rotated frequently is a daunting task, even for the most seasoned security professional. One mental schema used involves using the month, year, initials, and a few special characters with each password change so the pattern can be memorized. If the pattern is unique, and not shared, the risk can be minimized, but it still allows for guessing since it is a repetitive pattern.

Unfortunately, there is a common risk in resetting (not to be confused with changing) passwords that makes them targets for threat actors. Resetting a password is the act of a forced change of the password by someone else, not a change initiated by the users themselves. These risks include:
  • Pattern-based passwords (as described earlier) when reset

  • Passwords that are reset via email or text message and kept by the end user

  • Passwords reset by the help desk that are reused every time a password reset is requested

  • Automated password resets that are blindly given due to account lockouts

  • Passwords that are verbally communicated and can be heard aloud

Anytime a password is reset, there is a silent acknowledgment that the old password is at risk and needs to be changed. Perhaps it was forgotten, expired, or triggered a lockout due to numerous failed attempts. The reset, transmission, and storage of the new password are a risk until the password is changed again by the end user or, worse, not changed by the end user at all. The password itself resides in the “ether” and the security of which is unknown. A threat actor can request a password reset once an identity has been compromised and then create their own credentials for the account. Anytime a user requests a password reset, the following best practices should be implemented:
  • The password should be truly random and meet the complexity requirements per business policy.

  • The password should be changed by the end user after the first usage and require, if implemented, two-factor or multi-factor authentication to validate.

  • Password reset requests should always come from a secure location. Public websites for businesses (not personal) should never have Forgot Password links.

  • Password resets via email assume the end user still has access to email to access the new password. If the email password itself requires resetting, another vehicle needs to be established, the preferred method being verbally on the telephone.

  • Do not use SMS text messages, because they are not secure for sending password reset information.

  • If possible, password resets should be ephemeral. That is, the password reset should only be active for a predefined duration. If the end user has not accessed the account again within the predefined amount of time, an account lockout will occur.

While changing passwords frequently is a security best practice for privileged accounts, resetting passwords and transmitting them through unsecure medium is not. The risks of performing frequent resets, and for large numbers of users, represent a risk in themselves since the initial reset password has been communicated using potentially unsecure techniques. For the individual, a simple password reset can be the difference between a threat actor trying to own your account and a legitimate reason the password needs to be reset. Businesses must be able to distinguish the threat from the legitimate need. And, for standard end users without privileged access assigned to their account, the latest NIST1 guidance does not recommend periodic password changes unless an indicator of compromise has been triggered.2

SIM Jacking

SIM jacking is a type of account hijacking and account takeover that targets the SIM (subscriber identity module) in a mobile device. The SIM is typically a removable integrated circuit (but not always, some devices like iPhones and iPads can have them coded into nonremovable firmware) intended to securely store the phone number and identity of a device owner, regardless of connectivity status. The hijacking, SIM splitting, SIM swapping, or SIM jacking of the identification number is typically performed electronically without the removal of the SIM card. The account takeover itself can occur in a variety of methods from:
  • Spoofed cellular access points and man-in-the-middle attacks

  • Identity theft when purchasing a replacement device

  • Weakness in two-factor authentication services that leverage voice or SMS text messages as a response

During the attack, a threat actor can capture your SIM number and recode another device with the same number to obtain nearly full access to your device (except physical). This allows access to phone calls, text messages, photos, and application data.

Since cellular mobile devices typically have a one-to-one relationship between the user (identity) and the device (asset), the privileges obtained by the threat actor are identical to the compromised user. This means they have full control, and if they root or jailbreak the device too, they can install remote software on the hijacked device as well. Therefore, once the threat actor has SIM jacked your device, they own you and everything you do on that mobile device, from personal photos all the way through access to work resources. This includes all your accounts and passwords you may use locally on your mobile device and potentially any credentials stored in a personal password manager, depending on attack vectors associated with its own implementation.

SIM jacking has grown into a considerable identity security crisis in the last few years and is a significant privileged attack vector. The best protection for this type of attack is to:
  • Enable a password or PIN (depending on carrier) to protect your SIM from access

  • Enable carrier protection to prevent stores and retailers from transferring a SIM from one device to another

  • Disable roaming access to unknown cellular carriers

  • Deploy a non-SMS text-based multi-factor authentication solution to protect all your applications and credentials from text-based attacks

Malware

The term malware is a portmanteau created by the contraction and combining of malicious and software. By definition, malware is any piece of computer software (including firmware, microcode, etc.) that was written with the intent of damaging devices, stealing data, and, generally, causing a resource to behave in ways not in accordance with its intended design or current state. Malware is often created by threat actors looking to:
  • Make money, either by spreading the malware themselves or selling it to the highest bidder on the dark web

  • Serve as a vehicle for protest and disruption, or to propagate real or “fake news”

  • Serve as a proof of concept designed to test or exploit existing security controls

  • Act as weapons of war between governments, terrorists, or other politically motivated groups

  • Conduct corporate espionage

  • Prove that it can be done, for personal amusement or for bragging rights

In general, there are eight different types and sources for malware:
  1. 1.

    Bugs: A type of error, flaw, vulnerability, or failure that produces an undesirable or unexpected result due to poor software coding or unexpected operational conditions. Bugs can exist in any type of software from local applications and websites. When bugs can be leveraged against an application and its data, they are called vulnerabilities, and the software used to leverage them are called exploits. It is important to note that a bug alone is not malware, but when leveraged it can be just as devasting.

     
  2. 2.

    Worms: Worms rely on bugs, vulnerabilities, and exploits to deliver a payload and spread duplicates of themselves to other resources. Initial infections are often hidden in attachments or file downloads, but once they execute, they can scan a network (or Internet) for other vulnerable systems to propagate. Based on their design, they consume vast amounts of bandwidth or operate in a slow, stealthy mode and, based on their intent, completely disable a network or web server. Ransomware that can self-propagate to infect multiple systems is a form of a worm.

     
  3. 3.

    Virus: A virus is any piece of malicious software that is loaded onto your website or computer without your knowledge. The intent of the virus may not be apparent from an initial infection and, in general, can reside on a resource until it is triggered to perform a malicious action.

     
  4. 4.

    Bots: Bots are malicious software programs created to perform a specific set of tasks with a known intent. Bots can be utilized by a threat actor to send spam or be used in a Distribution Denial of Service (DDoS) attack to bring down an entire website, network, or Internet-based service.

     
  5. 5.

    Trojan: A trojan piece of malware is based on Greek history and the city of Troy. Much like the mythical Trojan Horse, this malware disguises itself as a normal file or application and tricks the user into downloading, opening, or executing it. The payload can launch any other form of malware and continue to trick the user that their actions are actually interacting with a legitimate piece of software.

     
  6. 6.

    Ransomware: Ransomware (covered in Chapter 17) denies access to your files, typically through encryption, and demands a ransom (usually in the form of digital and cryptocurrencies) to release the threat actor’s grip on your data. If the ransom is paid, and the threat actor is operating a real ransomware service, they will provide a method to decrypt your files and allow you to gain access to the resources (files) again. In some cases, payment is made, and the threat actor has long abandoned their scheme, leaving the victim with infected systems and a financial loss that cannot be recovered.

     
  7. 7.

    Adware: Adware is a type of malware that automatically displays unwanted and potentially illegal advertisements to an end user. Clicking the ad could download malicious software, launch an exploit, or redirect you to a malicious website. The goal is to expose inappropriate services to the end user and trick them into performing additional steps to load more malware.

     
  8. 8.

    Spyware: Spyware is a type of malware that functions by spying on a user’s activity. These functions can include monitoring the user’s screen, capturing keystrokes, and even enabling the asset’s camera and microphone for surveillance. This information is collected and transmitted through the Internet or stored locally for later retrieval by the threat actor. In today’s world, next to ransomware, this is the most dangerous malware used by threat actors.

     
Each classification of malware has attack vectors that target the three pillars of cybersecurity, as illustrated in Table 4-1.
Table 4-1

Malware Mapped to the Three Pillars of Cybersecurity and Types of Attack Vectors

Malware

Privileged Attack Vector

Asset Attack Vector

Identity Attack Vector

Bugs

Worms

 

Virus

Bots

 

Trojan

 

Ransomware

Adware

  

Spyware

  

It is important to note, some malware requires user interaction to infect a resource, and some leverage weaknesses in the asset, or obtained privileges, to continue its nefarious mission. This is why some are categorized uniquely in each column and why there are three books in the attack vectors3 series covering each of these methods. And, of these eight types, any one can be used as a malicious software delivery mechanism for other attack vectors. With this in mind, the vast majority of malware needs administrative privileges to execute on a host and to infect a system. This is yet another reason the removal and management of privileged access is more than just passwords stored in a vault, it is a universal view of privileged management everywhere.

Other Techniques

Consider that almost every word in this book, eight letters and longer, can be potentially used in a password hacking attack, if security best practices are not enforced. In fact, every word shorter than eight letters could be a password on a system that does not meet very basic password complexity requirements in length. Once we add simple derivations of these words to include upper- and lowercase, and substitution of specific letters for numbers, like 0 for o, we have a finite list of words that people would statistically choose for a password. An automated program can systematically check against an account to discover if the user has made a cardinal mistake by selecting a guessable password or, even worse, is using a default password. This is why, every year, we see multiple publications listing the most popular passwords used, and reused, by users. While these are basic assumptions for a password hacking, they are relevant for securing passwords and privileges using truly randomized and highly complex passwords found in privileged access management (PAM) solutions. Leveraging PAM solution means the only viable method for a threat actor to guess a password is by using brute force or memory-stealing hash technology, as with pass-the-hash attacks. Fortunately, these are only minor players as threat actors mostly attempt to steal passwords.

Password reuse, default passwords, and poorly secured passwords make up the bulk of all password-related breaches in modern businesses and government. It should be pointed out that there are a wide variety of other techniques to steal passwords that may leverage multiple techniques, from watering holes to golden ticket attacks. The list is more extensive than this book can accommodate. The main point in referencing them is that they are not the initial attack vector for stealing a password. Techniques like watering holes rely first on compromising a website to subsequently steal a user’s login credentials. Social engineering may, or may not, play a factor. Golden ticket attacks are only experienced after the administrative rights of a domain controller are compromised. A threat actor had to compromise the domain administrator account first in order to create additional Kerberos certificates.

The key takeaway is that threat actors will always find another method to steal passwords. We will brand them with clever names and recommend best practices; but in the end, whatever the technique, they are ultimately after our privileged accounts.