Inside Cyber Warfare - Jeffrey Carr [92]
Delivery of targeted attacks
Once the attacking organization has discovered and developed a suitable exploit for a 0day vulnerability, it moves on to the target-selection phase. Target selection is usually driven by two primary considerations: the value of the information that will be obtained from a particular target and the difficulty of successful exploitation (including the likelihood of detection). 0day exploits are often deployed against personnel who hold a security clearance, are directly responsible for handling sensitive data, or can provide a stepping stone into a targeted organization. This makes high-ranking officials an attractive target for attacks. The cost of developing a reliable exploit for popular software is reasonably high, and sophisticated organizations will deploy 0day exploits only against those targets that will yield a solid return on the vulnerability investment. Organizations deploying 0day exploits are careful to avoid detection, because once the 0day is detected it quickly loses value, as patches are developed and specific countermeasures are put in place. The technical sophistication and reliability of the exploit greatly affect the likelihood of detection (or lack thereof).
Once the exploit to be used is chosen and the target selected, the attacker must deliver the exploit to the target. One of the most popular delivery methods for 0day exploits is email. Email is the lifeblood for many organizations, allowing for the exchange of information in an effective and convenient manner. Virtually every email server blocks dangerous file types such as executable (.exe) files, batch files (.bat), and scripts (.vbs), but almost every email server allows Word documents (.doc) or other Office documents to be delivered. In this case, the attacker delivers the exploit hidden deep inside a Word document, allowing it to travel unabated through the victim organization’s networks to the intended target.
Sophisticated attackers do not simply identify the email address of the target and send away; extensive reconnaissance is done before the actual exploit is sent. Collection of upcoming travel agendas, known associates, naming conventions for documents, and other details helps build credibility and increases the likelihood of a successful exploit. Much of this information can be gleaned from public sources such as Google or public websites. Figures 10-4 and 10-5 show some of the types of information that can be retrieved about high-profile targets with open source intelligence (OSINT).
Figure 10-4. Sensitive information found via OSINT
Figure 10-5. Contact information for military units found through OSINT
Sophisticated organizations use OSINT and traditional intelligence-gathering methods to build a good operational “picture” of the target. For example, if an attacker has identified a commanding officer (CO) of a unit within one of the US military branches as the target, he would spend time enumerating several associates who work closely with the CO. If the attacker has obtained a list of contacts (like the one shown in Figure 10-5), he could contact various members of the CO’s staff, collecting bits of intelligence to paint the operational picture surrounding him. Pieces of information that would be valuable to an attacker include upcoming events, email addresses of associates, names and nicknames of associates, and other contact information related to the target and associates.
Once the attacker has collected intelligence on the target and the target’s associates, he can build a convincing scenario for attack. For example, after the attacker enumerates the email addresses associated with the various associates of the CO, he can forge an email that appears to come from an associate related to an upcoming event. An example email is shown in Figure 10-6.
Figure 10-6. Forged email
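The delivery pattern described above (a forged From header mimicking a known associate, carrying an Office document that ordinary attachment filters let through) can be triaged at the mail gateway. The following is an added example written for this page, not code from the book; the KNOWN_CONTACTS directory, the sample message and all addresses in it are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed directory of known associates: display name -> legitimate address.
KNOWN_CONTACTS = {"LCDR Jane Doe": "jane.doe@navy.mil"}
BLOCKED_EXT = {".exe", ".bat", ".vbs"}                           # already blocked
OFFICE_EXT = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}  # allowed through

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw_email):
    """Return a list of findings for one raw RFC 5322 message string."""
    msg = message_from_string(raw_email)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    # Display-name impersonation: a known associate's name, but not their address.
    expected = KNOWN_CONTACTS.get(name)
    if expected and addr.lower() != expected.lower():
        findings.append(f"display-name impersonation: {name!r} via {addr}")
    # A Return-Path domain that differs from the From domain is a common forgery sign.
    _, rp = parseaddr(msg.get("Return-Path", ""))
    if rp and _domain(rp) != _domain(addr):
        findings.append(f"return-path mismatch: {rp} vs {addr}")
    spoofed = bool(findings)
    for part in msg.walk():
        fname = part.get_filename() or ""
        ext = "." + fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
        if ext in BLOCKED_EXT:
            findings.append(f"blocked attachment type: {fname}")
        elif ext in OFFICE_EXT and spoofed:
            # An Office file alone is routine traffic; paired with a spoofing
            # indicator it matches the delivery pattern and warrants quarantine.
            findings.append(f"office document from spoofed sender: {fname}")
    return findings

# Constructed sample message matching the forged-email pattern (not a real capture).
SAMPLE = """From: LCDR Jane Doe <jane.doe@mail-navy.example>
Return-Path: <bounce@mailer.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/msword; name="agenda.doc"
Content-Disposition: attachment; filename="agenda.doc"

ZHVtbXk=
--b1--
"""
```

Calling `triage(SAMPLE)` yields three findings; the same message sent from the address on record with a matching Return-Path yields none, so the Office attachment alone never triggers an alert.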