In order to better defend IT systems, organizations should not only pay attention to technical defenses but also examine physical threats through a technique called offensive threat modeling, according to two security experts at Black Hat Europe in Amsterdam.
Most IT organizations test and assess their systems for technical weaknesses that can be exploited. But IT departments should also take the perspective of physical attackers into account, said Rafal Los, chief security evangelist at Hewlett-Packard, and Shane MacDougall, principal partner at security consulting firm Tactical Intelligence, at a combined keynote during Black Hat Europe in Amsterdam.
Rather than taking the attitude of the good guys looking at the bad guys, white hat hackers and penetration testers should step into the shoes of the attacker to identify threats that conventional threat modeling may overlook.
"Humans can be rather unpredictable unless you understand them well," Los explained, pointing out that employees are often a weak link when it comes to securing networks and applications.
Security can be breached in many ways, MacDougall emphasized. "If the IT team goes to a bar, the attacker can join them," he said, adding that attackers can use social media to track the team's movements in real time. After buying a few rounds of alcoholic beverages and getting the team "appropriately lubricated," it's the perfect time for an attack. When an attack on the network is launched later that night, the attacker can have a higher degree of confidence that an immediate response from the IT team will not be forthcoming, he explained.
Other methods that can be used to compromise security are blackmail, bribery or other incentives such as sexual honey traps or the exploitation of gambling habits. Attackers could also target the homes of executives or use so-called social engineering attacks on the workforce.
"Disgruntled employees are really easy to find," Los said. On the other hand, devoted employees can also be used to gather information, with the attacker posing as a customer or a related vendor.
To test these weaknesses, Los and MacDougall advise getting a whiteboard and listing all possible weaknesses, physical and technical. Security testers should then draw up a High Payoff Target List (HPTL) of employees, or assets, including high-ranking executives and security personnel. Other assets such as sales personnel, vendors and support staff can be added to that list, because they can also grant access to the enterprise or provide proprietary information.
This target list can then be broken down into points of attack, identifying the parts of the system that can be readily compromised. Risk profiles are built for each asset, covering family members, hobbies, conferences attended, behavioral analysis and psychological and sociological profiling, among other things. Once that is done, the state of all the possible threats can be assessed, making sure that IT maintenance schedules are noted. "Every year very secure systems are exploited if their defenses are down for 30 seconds; do you think that is an accident?" Los emphasized.
As a next step, the highlighted weaknesses can be tested for compromise. The tests can range from on-site attacks to logical attacks and social engineering.
"You really want to identify as many users at risk of compromise in a company," according to MacDougall. This can also be done at conferences. "If they have a smartphone or entrance badge: grab it and exploit it," he said.
The security experts emphasized that some of the methods described in their keynote are "illegal and unethical," stating that they do not endorse them and that they want to identify how attackers can use the offensive threat model to effectively launch and manage attacks.
After a test operation, the results must be polled. Both researchers said that the polling process is an ongoing one and should be repeated from time to time. "Monitoring the assets is critical," MacDougall said. People who are compromised during such an undertaking can lose their jobs, the researchers said, although in most cases that might not be wise or necessary. "I never recommend cutting an asset loose," said MacDougall, citing the risk of future attacks and the possibility of turning the bad apple around.