Krypt3ia

I watched the BruCON talk Saturday by Chris Nickerson “Top 5 ways to destroy a company” and was surprised at some of the things that were proposed on stage. On the other hand, I can agree with some of what he said too. For years I have lamented much the same thing that Chris did on stage. All too many times you give the client a report after actually finding major vulnerabilities and they either just don’t get it, or, and this is more often the case, don’t seem to care about the findings. You can “root the shit” out of them as Nickerson said, and still, they just look at you and say “So?”

The truth of the matter for me comes down to a few different factors:

1. A lack of understanding the results that you present them
2. A lack of situational awareness to understand that those same vulnerabilities can lead to dire results when used by a motivated aggressor
3. A lack of latitude or perhaps initiative on the part of assessment specialists to flesh out these scenarios within the reports and the meetings to discuss the findings with the client

Nickerson too gets to this and asks;

Well why does that happen?

• What we give them isn’t important. Managers don’t care about shells!
• They don’t care about what we care about!

What do they care about?

• The product line
• The Brand
• The Employees
• The Bottom Line

I would also add “Their own asses” to this list as a fifth because really, what else really motivates an employee (including C levels) is whether or not the decisions that they make will cause great financial loss and in the end, their dismissal. Of course you then face the task of once again getting that horse to the trough to drink, and you know how that usually goes huh? This is where Chris kind of went off the rails for me and I think more than a few people watching the talk. It would seem that the advocating of “destroying” the business would be counter productive to having a job yourself, once you had performed the magic tricks that he suggests.

Top 5 ways to destroy a company

• Tarnish the brand
• Alter the product
• Attack the employees
• Effect financials directly
• ** Your turn! **

The talk really did not elaborate on the how to do this with regard to getting a company to sign off on this in the first place and then as to how to carry them out, proving the concept without actually causing harm to the company that you are assessing. It has been my experience in the past that if you actually explain cause and effect in a report as well as the meeting, you can get across the real meaning to that shell you have gotten. The problem then becomes whether or not your client “gets it” You can explain it flawlessly but still not yield the changes that your findings require because those people you just presented your findings to “just don’t care” as Nickerson said. So his premise is quite right. You have to actually hit them where it hurts to get action sometimes. But just how do you do that, get it across to the client, and not get your ass thrown out or arrested for those actions?

The talk goes on to highlight something that actually isn’t so new to intelligence agencies both nation state and other. It’s called “Profiling” You profile the target, you get to know what makes them tick, and if you are aiming to do them harm, you look for their weak points and then exploit them. This is much the same thing you would do to a computer system, application, or network to attack it. What Chris was saying but not really saying directly, is that you have to take the precepts of “Information Warfare, Guerrilla Warfare, and Intelligence Analysis/Operations” and use them all to profile the target and formulate a plan of attack. By using these techniques (aka footprinting a network say) you apply it to the whole business to determine how you “could” destroy them, or perhaps more to the point, damage them into reactionary actions (and for all intents and purposes in this talk “listening to the security industry”)

The unfortunate thing though that this talk did not cover is that even when you show people you have “access” to something, and you tell them what you “could” do, you still may not get the reaction that you need to get from them to actually fix the problems. This is where the talk breaks down for me because I frankly just don’t see too many assessments happen out there with a “carte blanche” SOW that says you can do anything to them you want. All too often the client wants specific things checked and gives you only small amounts of time for targeted attacks. So sure, you can go change a pdf file of their prospectus, and print one out to show the management, but will presenting that actually change their minds? After all, I still think that human beings are quite bad at determining long term threats like this.

Overall though, Nickerson has it right. Use chained exploits (not in the regular definition you may be used to here) to escalate access and then use the information to show “how” you could affect the supply chain, or the financials of a company. Or, how you could steal certain types of data to sell to competitors, maybe even just how to hold it hostage. The problem is that without actually committing the acts, all too often you come off as a fiction writer in their minds as well as they look at you thinking;

“But, he’s just some uber geek… this won’t happen in real life, I mean we hired these guys because they can do it.. INCONCEIVABLE!”

It all comes down to how you present the data and scenarios to the client that will get them to react… Or not, as the case may always be… Until they are really compromised and by then, its too late.

So, where does that leave us? In the same position really, but it behooves us to be better communicators with the clients. We need to be able to perform the following actions in every assessment:

1. Profile the business overall, where they are in the market, and their history
2. Profile their business model and their product or products
3. Profile their request for an assessment by you (why are they doing it? SOX? PCI? or are they interested and engaged)
4. Profile the employees and C levels (are they engaged? Do they buy in on security?)
5. Formulate scenarios that would cause varying levels of damage (targeting them)
6. Meld not only the technical side of things but also look at their processes. If they are lacking there, you are likely to see much more potential for high collateral damage exploits or chained exploits

Unless you can put a whole picture together and then prove it if they actually give you a go ahead, then you are just another technical monkey saying “Look Shells!” as Nickerson put it.

I think that is what he was driving at through all of the ranting…

So, consider this the paradigm change… Consider what you do “Information Warfare” and not just hacking assessments. Perhaps then, once the industry takes that next step to herd the cats, we will see change in the clients understanding of why we find these things and say “You’re fucked!” This is something that has been written about before. Without changes, the security industry will continue to only be as effective as long as those you are working for are already engaged and understand security issues.

CoB