Hollywood Hackers versus real life

From iGeek
Jump to: navigation, search
CSICyber.jpeg
While I'm not exactly an intrusion or defense expert, I do know more than about 99% of the public and have a CISSP (a broad and recognized security credential). There are many more specialized certifications for being a penetration expert: and no that’s not a euphemism for porn star, at least not in this context — that’s someone who can get into systems.

Hollywood is fake

The majority of Hollywood (whether TV or Movies) are comically bad to anyone with a basic understanding of the topic. This being a great example of what hacking doesn’t look like at all:

Real life is boring

The basics of the topic are that if you're an attacker, you spend weeks collecting missiles (attack vectors) and payloads (info/systems they target, once they get in). Then boom, you launch the attack, and wait to see what they can extract.

These missiles and payloads (exploits) are often available in nefarious corners of the internet (dark web file sharing, hacker hang-outs and the like), and they vary in complexity, and sophistication. But many are just exploits of old versions of platforms (operating systems) and are blocked in the latest releases, which is why keeping your OS “up-to-date” is such a necessary tactic for defense. Since most people don’t keep up and are lazy, you can often use stale missiles on stale systems — and there can be ways to figure out system versions, to know which missiles to launch.

Many of these attacks/attackerers (who just put other people’s missiles and payloads together) are maligned as “script kiddies" since they didn't create the missiles or the payloads, they just combined them -- e.g. They didn't code, they just wired things together / scripted. This is stuff a teenage with limited technical knowledge can do. They have kits, that help you wire together attacks, practically, “hacking for idiots” type books/programs.

If you're one of the real coders, you spend weeks/months finding a vector (weakness in a version of the OS, firewall, application) to make a missile. And from hours to years making a payload, that can do something you want (steal data, or figure out the next level you want to get to).

Every software problem can be solved with another layer of abstraction

Ethical hackers (white hats) are constantly looking for exploits, and then warning the platform/application companies of the exploit, and they give them 30-90 days before they announce what they found. (To trumpet their abilities), and sometimes are paid bounties for finding the exploits. Unethical hackers (grey or black hats), are constantly looking for exploits, and then they can use them, sell them for more money than the bounties, or share them for fame (ego strokes) before letting the company know (and giving them time to fix them). But most of the easy exploits have been discovered long ago, thus many are taking days or months to find — and you’re competing with all the other hackers who are also looking for these things for fame or money. Each one is a valuable asset for missile or payload writers.

There are also layers of defenses. For example you have a firewall preventing you from getting into the network at all (or limiting how you can pass information in/out), then once inside that, you have to find the machine(s) you want access to (which might be in special contained subnetworks), then you have to get to the program or data that you want access to. Each of these is a separate attack (a missile) that delivers a playload, which is probably a missile that takes you to the next level, that delivers another payload and so on.

The majority of time is spent figuring out where what you want is, since unless you worked there (or interrogated someone who knows their system layout intimately), a network is like walking into a strand building (without any maps or guides): the first and hardest step is figuring out where to go. Remember, if you look like you don’t know what you’re doing, then you’re a target for security. So walk with purpose, go in one door, see what’s there, and leave — like you have places to go and things to do. The more you explore at one time, the more suspicious you look — but the more times you come in and leave, the more likely you are to have someone ask who you are, and what you’re doing. It’s a delicate dance to find what you want, before being detected. Once detected, it’s pretty much game over. (They can block that missile, and you have to start at the top, with a new missile).

So normally, the attacks are layered too — you get past level one, try to do it discretely, so that you can explore, figure out what the next target is, get a missile payload for that (to get some data out), figure out if that’s what you want, then go to the next level. Each done over hours, days or more. It’s not usually a real-time event. It’s sneak, explore, cover your tracks, and get out, and then come back when the next layer is ready. If they detect anyone level, they shut that down, and maybe all the others — so you’re back to square one, but with a better idea of what you’re looking for (or at least what you’re not looking for, based on prior failures).

And the opposite for defense, you hope that you’re able to detect the person, and if you’re lucky, in all the noise of network traffic, you happen to spot something odd, and all you have to do is block that one missile, which is easy. But since there were missiles above and below the one you detected — you normally try not to alert the intruder, get copies of that missile, analyze the payload, and figure out where the missile came from (to block the missile above, and below as well). One of the tricks here is leaving honey-pots (rich looking targets, that are really alert-bots/land mines to tell the security folks that an attack is happening).

Conclusions

In the end, both sides are slow processes. It’s often weeks of silent probing, subtle analysis of the network, systems, and applications that are being run. Building an attack plan, and then fire. See if your code or attack extracted what you wanted. And if it didn’t, leaving enough cookie crumbs for yourself to know what try next. (While trying to hide any evidence/crumbs from the defense team to know what to block).

Very, very rarely is there a live hack, with both sides aware of what’s going on. And if the defense ever wants to stop it, they can just block the attacker with a push of the button. So most of this kind of hacking looks more like one side building a mine field, and the other side trying to get through it undetected, than live shooting back and forth.