The Italian Job - Hacking Team Exposed
In July 2015, the Italian-based Company known as The Hacking Team were themselves hacked. Over 400GB of data was ex-filtrated and published in the public domain. Emails, design documents, legal agreements, invoices and alike were all published.
This weekend an anonymous hacker published a guide entitled “Hack Back! - A DIY Guide”. In his document the author appears to claim responsibility for the 2015 attack. He documents his motivation and then offers advice for other like-minded individuals. What this offers us is insight into the chronology of the attack and with it some object lessons to lessen the likelihood and impact of similar attacks in future.
Picking through the report a number of salient points stand out:
Defence in Depth. The attack was targeted and had every intention of getting in. This type of threat needs to be addressed by asking 'when?' and not simply 'if?' Once inside the Company network, the hacker managed to traverse the Company infrastructure with little difficulty. Protecting the soft-skinned inner workings of an organizational infrastructure is equally important. Minimizing the services within a company network are just as essential to minimizing those presented to the outside world.
Monitor & Assess. Firewalls logs can give advanced warning of these types of attack. Network mapping, port scanning and enumeration may well be countered by the firewall and Intrusion Prevention Devices (IPS) but to not monitor and assess the data they produce is to lose the Indicators & Warnings (I&Ws) that could indicate that something was likely to happen.
Updates & Patching. There should be no surprise that updates and patching are essential. The attacker was able to exploit a known vulnerability within the network management system Nagios. Interestingly, the attacker became aware of the Nagios system only after they "spied" on the sysadmins (see below).
Separation of Networks but Know your Network! This attack was possible because backup and management networks that should have been segregated, were not. Separation of operational and management networks is a useful technique for protecting infrastructural, especially when the management network requires administrative privileges. In this attack, the adversary was able to interrogate and dump the email server backup images.
Watch and Protect the Privileged. We often say that one of the greatest challenges is monitoring those with privileged accounts. Many organizations, especially government related require security clearances to protect from the "insider threat". However, what this incident teaches us that once in, the bad guys make a bee-line for the sysadmins to monitor their activities in order to gain greater knowledge and understanding of the Company and it's infrastructure There is somewhat of a mind-set change here, should we not be monitoring the privileged users and their workstations? Not because we do not trust them, but for their own protection and to ensure they are too are not being watched by network sniffers, key-loggers and similar?
Egress Monitoring. One final observation is that a lot of data was ex-filtrated. Why was this not noticed? This is hardly uncommon in attacks where intellectual property is the target. Implementing a Data Theft or Data Loss Prevention (DTP/DLP) solution and monitoring will lessen the likelihood and potential impact of this type of attack.