Post on 27-Jan-2021


  • A HACKER’S STORY

    by

  • Episode I: Who Am I?

    I live in a country that is under economic sanctions, and work full-time for a government spy agency. I am just 1 of 5000 hackers at our agency, and my job is to infiltrate American businesses for financial gain so that we can fund our military objectives. I have had thorough training, have a great team around me, and we have awesome tools.

    I have a spouse and 2 kids, and a few of our relatives live with us. If I don’t hit my weekly quota it could be very dangerous for me and my family. Thank goodness in 2017 the NSA hacking tools were leaked; otherwise it would be much more difficult for me to hit my quota.

    From a high level, here is how I go about hacking an American small business. Notice that after the initial intrusion it typically takes 200 days for my breach to be discovered. That gives me PLENTY of time to complete my objective.

  • Episode II: How I Plan My Attack

    First, I choose a victim, and I start by going after the low-hanging fruit. In America, that would be small organizations. Why? Because the perception (and reality) is that small orgs have neither the budget nor the skill set to adequately protect their data.

    This month our spy agency is running a campaign targeting American manufacturing. We have been briefed in great detail about this industry, what software they typically use, what is the common method of remote access, how they store data, what kind of backup systems, how they communicate, etc…

    We are then provided with a list of U.S. manufacturers with sales under $50M since we perceive their security to be weak. I randomly select a company and start digging in. I spend a lot of time on their website, learning specifics about what they do and get the names of the key employees. I also perform web searches to obtain more of this information - it’s all out there, including on the Dark Web. On the Dark Web I might even find some stolen credentials for sale. I then choose my method(s) of attack, and which employees to target.

  • Episode III: How I Breach The System

    There are many ways to breach a system, including attacking Remote Desktop and planting malware. But today my attack vector of choice is Spear Phishing.

    I first register a domain name with only 1 character different from my victim’s domain name. I then draft a legitimate-looking phishing Email and landing page, with perfect spelling and grammar, using a previously successful topic (“The Upcoming Data Migration”). I then send the phishing Email to my target(s). If it doesn’t work, I customize a different Email from another successful template, then try again until successful. It’s only a matter of time.

    Boom! The CFO clicks the link and enters their Email password into the form. And as luck would have it, their cloud Email system syncs to the server’s Active Directory user database, so now I have access to the Email system AND the servers. I immediately set up an Email forwarder to capture the CFO’s Email for the next couple of weeks; I will find gold in there. I also perform some port scanning and find a VPN, and after some trial and error I gain access to the network using open-source VPN software and the CFO’s credentials.
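    The forwarder planted on the CFO’s mailbox is one of the few traces of this episode a defender can look for before anything else happens. Below is an added example, not from the presentation or from Imagine IT, that audits exported inbox rules for forwarding to outside addresses and for rules that delete or hide the mail they match. Rule field names follow the properties Exchange Online’s Get-InboxRule returns (Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder); the export, the rules, the addresses and ORG_DOMAIN are constructed for the example, and recipients are assumed to be bare SMTP addresses.

```python
"""
Added example (not from the presentation or from Imagine IT): an audit of
mailbox inbox rules that looks for the kind of forwarder the attacker in
Episode III plants on the CFO's mailbox. Rule field names follow the
properties that Exchange Online's Get-InboxRule returns; the export, the
rules, the addresses and ORG_DOMAIN are constructed for the example, and
recipients are assumed to be bare SMTP addresses.
"""
from typing import Dict, List, Union

ORG_DOMAIN = "examplemfg.com"  # constructed organisation domain

FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Folders a user rarely reads; a rule that files mail there keeps the victim
# from noticing a conversation being held in their name
# (assumption: a short starter list).
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Deleted Items",
                  "Junk Email", "Conversation History"}


def is_external(address: str) -> bool:
    """True when the address is outside the organisation and its subdomains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not (domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN))


def _recipients(rule: Dict, field: str) -> List[str]:
    """Normalise a rule field that may hold one address, a list, or nothing."""
    value: Union[str, List[str], None] = rule.get(field)
    if not value:
        return []
    if isinstance(value, str):
        value = [value]
    return [v.lower() for v in value]


def audit_rule(mailbox: str, rule: Dict) -> List[str]:
    """Return findings for one inbox rule; an empty list means nothing suspicious."""
    findings: List[str] = []
    if not rule.get("Enabled", True):
        return findings  # a disabled rule cannot move mail
    name = rule.get("Name", "<unnamed>")
    for field in FORWARD_FIELDS:
        external = [r for r in _recipients(rule, field) if is_external(r)]
        if external:
            findings.append(f"{mailbox}: rule '{name}' {field} -> {', '.join(external)} (external)")
    if rule.get("DeleteMessage"):
        findings.append(f"{mailbox}: rule '{name}' deletes matching mail")
    folder = rule.get("MoveToFolder")
    if folder in HIDING_FOLDERS:
        findings.append(f"{mailbox}: rule '{name}' files matching mail under '{folder}'")
    return findings


def audit_mailboxes(export: Dict[str, List[Dict]]) -> List[str]:
    """Run audit_rule over every rule of every mailbox in an export."""
    findings: List[str] = []
    for mailbox, rules in export.items():
        for rule in rules:
            findings.extend(audit_rule(mailbox, rule))
    return findings


# Constructed export: mailbox -> its inbox rules.
SAMPLE_EXPORT = {
    "cfo@examplemfg.com": [
        {"Name": "Invoices", "Enabled": True, "MoveToFolder": "Accounts Payable"},
        {"Name": "Mail sync", "Enabled": True,
         "ForwardTo": ["collect@mail-drop.example"], "DeleteMessage": True},
    ],
    "sales@examplemfg.com": [
        {"Name": "Copy to shared", "Enabled": True, "RedirectTo": "orders@examplemfg.com"},
    ],
    "hr@examplemfg.com": [
        {"Name": "Old forward", "Enabled": False, "ForwardTo": "me@personal.example"},
    ],
}

if __name__ == "__main__":
    for line in audit_mailboxes(SAMPLE_EXPORT):
        print(line)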

  • Episode IV: How I Identify My Capabilities Once Inside The System

    Now that I have compromised both a mailbox and Active Directory, I assess what I have access to. After poking around for a few days I have identified that I am now capable of:

    • Monitoring the CFO’s Email. This will allow me to determine who to attack.
    • Email-impersonating the CFO. This will allow me to send trusted phishing Email to staff, customers and vendors. Often this is done to redirect electronic banking deposits, but also to take over other user accounts.
    • Averting the antivirus software. This will allow me to plant malware unobstructed.
    • Logging into Active Directory as the CFO on all on-premises and Cloud servers. This will allow me to access any data on the servers that the CFO has access to.
    • Logging into Office 365 as the CFO. This will allow me to access any data on O365 that the CFO has access to.
    • Downloading data and PII. This will allow me to gain intel, obtain HR data, and hold data for ransom.
    • Encrypting data on servers, for purposes of holding for ransom.
    • Encrypting data on Office 365, for purposes of holding for ransom.

    At this point there are a LOT of ways available for me to complete my objective. With any luck, in the next episode I will be able to expand my capabilities even further.

  • Episode V: How I Laterally Spread Throughout The System

    Now that I have identified my capabilities within the system, I can start going after my objectives. It is critical that I remain hidden for many weeks at least, so I will not yet perform any action that could cause detection.

    First off, I deploy lateral spreading malware to get access to Active Directory, using a tool that we purchased cheaply on the Dark Web marketplace. Then I utilize another widely known marketplace tool, Mimikatz, to download the network user database. Now I have the Domain Admin credentials and have full access to everything on the network, including the servers.

    Next, using Group Policy I deploy an undetectable PowerShell keylogger on all computers. This eventually provides me with access to all Cloud data, like Office 365, Salesforce, and Accounting. This also provides me with access to the backup system, firewall, and antivirus console.

    I now have everything I need to complete my objectives. There are other things I “could” do to acquire more information, but these items are not necessary at this time. My boss might change their mind later though.

  • Episode VI: How I Complete My Objectives

    Now that I have access to all of my victim’s technologies, I can complete my assigned objectives, which are to:

    • Steal data, financial info, intellectual property, credit card data, and PII for ransom and/or to be sold on the Dark Web.
    • Obtain intel for attacking other businesses.
    • Acquire data for personal identity theft against employees and their families.

    Here is what I will do to complete my objectives, in this order:

    1. Disable alerting from the firewall and Office 365. This will allow me to perform the next two steps undetected…
    2. Download all desired data from the servers, and then provide it to our deep analysis/AI team to be used for future attacks.
    3. Download all desired data from Office 365, and then provide it to our deep analysis/AI team to be used for future attacks.
    4. Destroy the server backups, then immediately…
    5. Encrypt server and Office 365 data for a $100,000 ransom each, with a 48-hour deadline, paid in untraceable Bitcoin. Even if the business could somehow restore from backup and chose not to pay, I would threaten to post online their financial info, intellectual property, credit card data, customer data, and PII.

    All told, I was in the system for 6 weeks before I intentionally made my presence known. Time to move on to my next victim!

  • Epilogue: The Impact of Our Breach (The Victim’s Story)

    We are a small Midwest manufacturer with roughly 40 employees. Just a run of the mill company – no reason to be a target – or so we thought.

    We came into the office on a Tuesday and most of our systems were down. Everyone was panicking, including our IT person and our outsourced IT firm. We could not access our phone system, accounting system, line of business systems, quoting systems, documents, or CRM. The only thing that worked was Email.

    At 8:00a IT told us that we had suffered a Ransomware attack and that we might be down for a few hours while they restored from backup. The ransom was $200,000, due in 48 hours. In the meantime, no one could locate our Business Continuity Plan, or really remember what was in it. We were dead in the water:

    • We could not send or receive phone calls. All we could do was instruct our phone line provider to route all incoming calls to a single cell phone.
    • Finance did not know who to pay or who owed us, nor could they generate reports.
    • Sales did not know who to call on, nor did they have access to proposals.
    • Production did not have jobs to run.
    • Customer Service had no phones or CRM to work with.
    • HR could not access any of their systems.

    At 9:00a IT initiated the restore process for our Office 365 SharePoint and OneDrive data, but had yet to locate good server backups.

    At 9:30a we drafted a vague Email to our customers notifying them of an outage (not mentioning Ransomware), and that we would be up soon.

    At 10:00a we had a meeting with our parent company. They were breathing down our neck and were extremely disappointed.

    At 2:00p IT informed us that they were still trying to locate good backups. We lost confidence in IT. Knowing the worst-case scenario might be upon us, we decided to:

    • Send most of our staff home until further notice.
    • Notify our insurance company.
    • Immediately search for a security-driven Managed Services Provider. After talking with several of our manufacturing colleagues, we were referred to Imagine IT.

  • Over the next couple of days we do not regain access to most of our systems, but by Wednesday morning we have access to our Office 365 data, although we lost nearly a day’s worth of information.

    On Thursday we negotiate the $100,000 server ransom down to $50,000, and the hacker then decrypts our server data. But we chose not to pay the Office 365 ransom, and the hacker then threatens to post our confidential Office 365 data online and on the dark web. After conferring with our parent company we decide to pay the O365 $50,000 ransom (also negotiated) and cross our fingers that our confidential data is never posted.

    Over the next several days, Imagine IT determined the hacker was in our system for many weeks. But it was virtually impossible to determine exactly what was accessed and/or stolen. In the meantime, Imagine IT assessed our security strategy and created a comprehensive security plan going forward.

    The overall impact was severe. All told, we:

    • Were down for 3 days, and it took weeks to get all our systems fully functional.

    • Lost some data forever.

    • Lost $100,000 in Ransomware payments (not covered by insurance).

    • Lost tens of thousands in revenue (only partially covered by insurance).

    • Paid thousands in cleanup and recovery expenses (only partially covered by insurance).

    • Damaged our reputation.

    • Lost 15% of our customers.

    • Laid off 10% of our staff.

    • Got sued by staff for exposure of HR PII.

    • Paid a compliance penalty.

    • Suffered a significant insurance premium increase.

  • We learned an extremely harsh and expensive lesson, but now have a comprehensive security strategy that covers the 5 key areas of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover. How did we accomplish this?

    Weeks 1-2: Imagine IT performed a Security Risk Assessment, on which we scored poorly (as was to be expected).

    Weeks 3-4: Imagine IT executed the Assessment Remediation Plan (Security Shield):
    • Deployed many one-time security lockdowns, layered to block malicious activities at multiple points of origin.
    • Deployed technologies that continually detect breach activity.

    Week 5: Imagine IT deployed a Security Awareness Training program that reports compliance and results to management:
    • Monthly email phishing campaign.
    • Quarterly security awareness training videos.

    Week 6: To keep our security strategy strong long-term, Imagine IT put us on a recurring process of:
    • Recurring Security Posture review.
    • Significant Security R&D targeting continual security posture improvement.

  • In our horrific breach scenario, the Security Shield would have stopped it, and early on. Here is how:

    • Spear Phishing:
      o Dark Web Monitoring would have allowed published passwords to be changed as soon as they were posted.
      o The CFO may have detected the phishing messages due to the Security Awareness Training.
      o An [External Sender] Email banner would have flagged the phishing messages as coming from the outside.
    • Mailbox Access:
      o Even if the CFO gave up their Email password, Two-Factor Authentication would have blocked access.
      o Microsoft Cloud App Security likely would have detected the suspicious login and locked out the account.
    • VPN Access:
      o Two-Factor Authentication for VPN would have blocked the login.
      o The Intrusion Detection System would have detected unusual traffic on the network.
    • Antivirus Aversion:
      o Advanced Endpoint Threat Protection cannot be disabled, and would have been much more challenging to avert.
    • Lateral Malware Spreading:
      o Advanced Endpoint Threat Protection would have blocked this type of activity.
      o Threat Hunting EDR detects this type of activity and would have auto-isolated the infected endpoint before the malware could spread.
    • Group Policy Keylogger Rollout via PowerShell:
      o Advanced Endpoint Threat Protection would have blocked this type of activity.
      o Threat Hunting EDR detects this type of activity and would have auto-isolated the infected endpoint before the malware could spread.
    • Downloading Data and PII:
      o The Intrusion Detection System would have detected unusual traffic leaving the network early on.
    • Encrypting Servers:
      o Advanced Endpoint Threat Protection has a ransomware auto-rollback feature, and would have protected the data.
    • Encrypting Office 365 Data:
      o 3rd Party Office 365 Backup would have allowed much faster recovery and much less data loss.
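    Two of the Spear Phishing controls above are mechanical enough to show in code: the [External Sender] banner, and a check for the lookalike domain the attacker registers in Episode III (“only 1 character different”). The following is an added example, not from the presentation or from Imagine IT, of a mail-gateway style sender check. It tags any sender outside the organisation with the banner, and it holds mail whose sender domain is within one edit of the organisation’s own domain or matches it once confusable characters are folded. ORG_DOMAIN, the confusable table, the addresses and the sample messages are constructed for the example.

```python
"""
Added example (not from the presentation or from Imagine IT): a mail-gateway
style sender check covering two of the "Spear Phishing" mitigations. It
prefixes mail from outside the organisation with an [External Sender]
banner and flags sender domains that are a lookalike of the organisation's
own domain. ORG_DOMAIN, the confusable table, the addresses and the
messages are constructed for the example.
"""
from dataclasses import dataclass
from typing import List

ORG_DOMAIN = "examplemfg.com"  # constructed organisation domain
EXTERNAL_BANNER = "[External Sender] "

# Substrings that read as another character in common fonts (assumption: a
# short starter list; a production gateway carries a much fuller table).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,               # delete ca
                           cur[j - 1] + 1,            # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def fold_confusables(domain: str) -> str:
    """Replace confusable substrings so 'exarnplemfg.com' compares as 'examplemfg.com'."""
    folded = domain.lower()
    for fake, real in CONFUSABLES.items():
        folded = folded.replace(fake, real)
    return folded


def classify_sender(address: str, org_domain: str = ORG_DOMAIN) -> str:
    """Return 'internal', 'lookalike' or 'external' for a sender address."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain == org_domain or domain.endswith("." + org_domain):
        return "internal"
    one_char_off = edit_distance(domain, org_domain) <= 1
    homoglyph = fold_confusables(domain) == fold_confusables(org_domain)
    if one_char_off or homoglyph:
        return "lookalike"
    return "external"


@dataclass
class Message:
    sender: str
    subject: str


@dataclass
class Verdict:
    classification: str
    subject: str      # subject line as it would be delivered
    quarantine: bool


def screen(msg: Message) -> Verdict:
    """Banner external mail; hold lookalike senders for review instead of delivering."""
    kind = classify_sender(msg.sender)
    if kind == "internal":
        return Verdict(kind, msg.subject, False)
    # External and lookalike senders both get the banner; lookalikes are also
    # held, because a near-copy of the organisation's own name in a sender
    # domain has no legitimate explanation.
    return Verdict(kind, EXTERNAL_BANNER + msg.subject, kind == "lookalike")


# Constructed inbound traffic.
SAMPLE: List[Message] = [
    Message("cfo@examplemfg.com", "Q3 numbers"),
    Message("helpdesk@examp1emfg.com", "The Upcoming Data Migration"),
    Message("helpdesk@exarnplemfg.com", "The Upcoming Data Migration"),
    Message("alerts@examplemfg.co", "Password expiring"),
    Message("orders@customer-corp.example", "PO 4471"),
]

if __name__ == "__main__":
    for m in SAMPLE:
        v = screen(m)
        print(f"{m.sender:32} {v.classification:9} quarantine={v.quarantine}  {v.subject}")
```

    The one-edit rule catches both the changed-letter and the dropped-letter variants in the sample; the confusable fold is what catches “rn” standing in for “m”, which is two edits away and would otherwise pass. The edit-distance threshold is a trade-off: for a very short organisation domain, one edit also covers legitimate unrelated domains, so a gateway would pair this with an allow list of known partners.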

  • The End (well, not really – security is a never-ending journey)

    In only 5 weeks our security score went from the bottom 20% to the top 1%. We are MUCH stronger. And in executing our new strategy we are extremely confident that we can now and forever avoid the losses that come with breach activity:

    • Downtime.
    • Data loss.
    • Confidential information exposure.
    • Trade secrets and intellectual property.
    • Parent company / investor disappointment.
    • Cleanup and recovery expenses.
    • Damaged reputation (slowly being repaired).
    • Customer loss (slowly recovering, and we can now prove our high security).
    • Lost revenue.
    • Layoffs.
    • Lawsuits.
    • Compliance penalties.
    • Insurance premium increases.
    • Business shutdown.

    We are no longer low-hanging fruit. As a matter of fact, we are now at the top of the tree.