Ethically Exploiting Vulnerabilities: A Play-by-Play
In the world of security, there is no completely secure application or piece of software. At any point in time, a new vulnerability can be discovered, or a new exploit disclosed. The significance of recent exploits such as Log4Shell and PrintNightmare has led many organizations to re-evaluate how they efficiently and effectively discover and patch vulnerabilities before they can be exploited by an attacker.
As most organizations have expanded their technology stacks to keep pace with IT modernization and to help streamline remote work productivity, there are a host of systems and applications that cybercriminals can now exploit to gain access to sensitive company data. Keeping track of the risks and vulnerabilities within each technology is an ongoing challenge for business leaders and security teams, especially as company data is often highly dispersed across technologies and housed within different platforms.
One way to begin the process of better protecting company assets from an attack revolves around being more selective about which vulnerabilities to spend resources on.
The priority of a threat or vulnerability is subjective and will vary depending on the size of the company, the industry it operates within, and the type of data it retains. Companies need to determine if a malicious threat is affecting something that is core to their operating system and how it may impact their business. Sometimes a threat is hibernating, waiting for local privilege escalations, at which point the attacker will strike. Companies need visibility into their vulnerabilities before the malicious hacker has a chance to attack.
To do this and determine the severity of a threat, security teams cannot rely strictly on scanners anymore. If an organization is only running the same scans that the hackers run, they’re doing the bare minimum to prevent automated attacks. This may work in the short term … until the company is specifically targeted for an attack. In this case, the bad guys will be doing much more than the scanners — they will be finding new vulnerabilities, chaining vulnerabilities together, and finding new attack vectors.
Organizations must have knowledge of the same exploits that hackers have, before the hackers do, and patch them. One of the best ways to achieve this is utilizing ethical hackers — red teams, pen testers, bug bounties. They go beyond just using scanners. Ethical hackers find vulnerabilities that aren’t being scanned for and create proofs of concept for attacks.
Here’s a quick synopsis of how an ethical hacker could work to protect your organization by exposing vulnerabilities in advance:
Step 1: Obtain access
Hackers can often buy access to a company’s internal system through the Dark Web for only a few hundred dollars. Alternatively, they can find access through leaked credentials, phishing, or other social engineering strategies.
Step 2: Active reconnaissance
Once into the company’s internal system, they perform broad reconnaissance, including a network sweep. By doing so, they can enumerate networks, services, directories on hosts, vulnerabilities, and privileges. Using command-line controls, the hacker can look for open ports, such as Web ports, server message blocks (SMB) ports used for network shares, and remote desktop ports for managing workstations.
Step 3: Check for low-hanging vulnerabilities
Why pick the lock when the door is left open? Ideally, an attacker would first hope to find vulnerabilities for SMB ports, such as SMBGhost or WannaCry. If the organization has done a good job patching those SMB vulnerabilities and hardening its systems, an attacker would then need to continue looking for opportunities.
Step 4: Target weak applications
In the attack scenario, the hacker would eventually find a vulnerable unpatched application.
Step 5: Elevate privileges
Unless you’ve disabled any default setting, the hacker would then escalate privileges from a basic user to a system user almost instantly, without the user ever knowing.
Step 6: Pass-the-hash
The hacker could then look for any hashes left by high-level users who logged into the endpoint in the past. Once found, a pass-the-hash attack can be executed to get access to systems as the highly privileged user, without knowing the actual user’s password.
Step 7: Extract privileged credentials
By eventually extracting the proper credentials, the attacker could then gain access to the Domain Controller, giving them host access to Windows domain resources, as well as more workstations and other servers within the domain. With this, the hacker could manipulate systems, exfiltrate sensitive information, and essentially do anything they wanted on the domain.
This synopsis sheds light for a security team on just how easily an attack could be possible. Yet because the hacker was on the organization’s side, no damage was really done, and valuable insights were collected on where/how to patch any open attack vectors and reduce the risks of malicious attackers discovering them first.
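A defender's view of Steps 6 and 7, as an added example that is not part of the original article: it reads Windows logon records (Security event 4624), notes where a privileged account logged on interactively to an ordinary workstation, and flags later NTLM network logons by that account coming from the same workstation. The account names, host names, allowlists and sample events are constructed assumptions; only the event ID, logon types and field names are real.

```python
# Added example: constructed data, hypothetical account and host names.
PRIVILEGED = {"da-alice"}   # assumed list of high-privilege accounts
ADMIN_HOSTS = {"PAW01"}     # assumed hardened admin workstations

# Constructed records using field names from Windows Security event 4624.
EVENTS = [
    {"Time": 1, "EventID": 4624, "Computer": "WS17", "TargetUserName": "da-alice",
     "LogonType": 10, "AuthenticationPackageName": "Negotiate", "WorkstationName": "PAW01"},
    {"Time": 2, "EventID": 4624, "Computer": "FS02", "TargetUserName": "bob",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "WorkstationName": "WS17"},
    {"Time": 3, "EventID": 4624, "Computer": "DC01", "TargetUserName": "da-alice",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "WorkstationName": "WS17"},
    {"Time": 4, "EventID": 4624, "Computer": "DC01", "TargetUserName": "da-alice",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "WorkstationName": "PAW01"},
]

# Logon types that can leave credential material on the host:
# 2 = interactive, 10 = RemoteInteractive (RDP), 11 = cached interactive.
INTERACTIVE = {2, 10, 11}
NETWORK = 3

def review_logons(events, privileged=PRIVILEGED, admin_hosts=ADMIN_HOSTS):
    """Return (exposures, suspects) for privileged accounts.

    exposures: (account, host) where the account logged on interactively
               to a host outside the admin-workstation allowlist.
    suspects:  (account, source, target) NTLM network logons by that account
               originating from a host where it was previously exposed.
    """
    exposed = {}  # account -> set of hosts holding its credential material
    exposures, suspects = [], []
    for ev in sorted(events, key=lambda e: e["Time"]):
        user = ev["TargetUserName"].lower()
        if ev["EventID"] != 4624 or user not in privileged:
            continue
        host = ev["Computer"].upper()
        if ev["LogonType"] in INTERACTIVE and host not in admin_hosts:
            exposed.setdefault(user, set()).add(host)
            exposures.append((user, host))
        elif ev["LogonType"] == NETWORK and ev["AuthenticationPackageName"] == "NTLM":
            src = ev.get("WorkstationName", "").upper()
            if src in exposed.get(user, set()):
                suspects.append((user, src, host))
    return exposures, suspects
```

The exposure list is useful on its own: each entry is a workstation where a privileged logon should not have happened in the first place.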
In the mind of many ethical hackers, one of the biggest questions is where to draw the line. Is it OK to take advantage of an exploit if the intent is to shed light on the vulnerability? Where does a demonstration of a proof of concept cross that line into unethical territory? Would something as benign as sending a harmless email from a company account or even just typing into a Word document deserve scrutiny?
There’s a fine line between a hacker and an attacker. Hacking itself is not a crime; rather, it is the motive and how a hacker applies their knowledge that differentiates doing criminal work from doing good work. Whether it’s a security team, a red team, a pen-testing group, or just an individual who found a vulnerability, it is far better to know about it before a malicious hacker does. It’s much more difficult to clean up an attack than it is to prevent it.
With the right intentions, hacking can make the world a safer place. Just make sure to get permission — stay legal and do it with the right authorizations. Most hackers are good citizens looking to make the world a safer place.