6 Questions Hackers Use As A Base To Select A Resource To Exploit

Studying the “Hacker Logic” can help us to know how hackers choose their target and how can we make our defenses stronger, explained at Randori by David “moose” Wolpoff.

A huge shift towards the cloud can be easily noticed in the past few years. Another shift to remote working enforced by the Covid-19 pandemic situation is a massive contribution to the cloud trend. And all this has led to an increase in cyberattacks against cloud systems by more than 200% in the past years. As a result, Blue-Team is forced to stay more alert and consider more than ever security measures to stay safe and secure against any form of cyberattacks.

An increase in the number of assets in the cloud for security purposes adds difficulties for the protectors. However, difficulties being built-up for the defenders doesn’t mean it would be easy for an attacker to choose such a target. Even the hackers have a boundary that limits their time and money, so they cannot scan every single asset on the cloud. The attackers are bound by restrictions at times, to work in a given time and a specific budget.

The “Hacker’s Logic” is the main concept or perspective to be focused on to understand, learn and get better on what attackers look for choosing a target, avoiding being the target, and making the defense more efficient. One can understand the hacker’s attitude about choosing the asset and making an attack by asking and answering 6 questions which can lead to lower attack risks and much more efficient security measures.

Enumerability – What facts and details can I gather externally about the Asset?

Basically, it asks about what and how much information can the attacker gain about the asset (can be a technique, software, or even a person of a specified company/organization). The more fine and detailed knowledge the attacker gains the higher are the chances of the attack being successful as the attacker plans the attack on the analyses of gained knowledge. For instance, if the hackers or attackers somehow gain the details about the versions of software being used, they can do a detailed study about the attack and run version-specified exploits.

Criticality – How valuable the target is for me?

Money, time, effort, and risk are always indulged in the attackers every single step. They analyze anything and everything on the target critically to make sure that the target would let the attackers achieve their goal. Exploiting security services like firewalls and VPNs are considered the primary key to break in that may allow them to access the complete network. Authentication system exploitation and breaking in the credential stores are much more valuable to the attackers. So, the attackers tend to use the most precise tools to exploit and gain access to. Access or critical data or exposed data are much less valuable for the attackers.

Weakness – Is the asset considered to be exploitable?

A target of high interest for an attacker is not fixed to be from a high ranking in the CVE List. There have been instances of exploits off the CVE list and were never considered to be exploitable. It is also to be considered that some may be exploitable theoretically and still haven’t been done so far or isn’t possible practically. Attackers also have to consider the expenses of exploiting the asset. Generally exploits take time to happen and since time is money for attackers, they are bound to consider the tools required are whether available in public or are to be built or to be bought.

Post-exploitation Potential – If I pwn the target, how hospitable can it stand out to be?

An environment that allows the on-going exploit to stay and complete without being detected is considered hospitable by attackers. Like a considerable environment where pivoting and malware can work and has quite a few or no defenses. Highly secure software or networks are never a considerable and hospitable environment. Attackers generally use external devices as hosts that are connected to the network externally like desktop phones or VPNs as they are the unprotected ones. Much of the appliances nowadays are built with Linux that consists of some tools and userspace due to which they stand out to be the best hospitable assets having great post-exploitation potential.

Research Potential – How much time is required to build a target-based exploit?

Attackers or the hackers have to do the maths to develop a target-based exploit and how much will that cost. Attackers also perform Vulnerability research on the asset to search for vulnerabilities and possible exploits. The cost of vulnerability research and the tools required define whether the asset is even worth attacking or not. Any further found barriers can possibly force stop the attack on specific targets.

Applicability – Is there a repeating ROI establishing an exploit?

Learning about the attacker’s business models can give us the biggest perspective of a hacker’s working. Since almost any attacker/hacker has to invest money, research, time, and human workforce to build tools to exploit and so they expect the maximum ROI possible. Attackers also try to understand and build tools and exploits that could cover a huge number of victims in a single attempt or cover a specific technology exploit used by various organizations.

Attackers don’t decide to perform an attack by looking at a bug or vulnerability, there are a huge number of other factors that are to be considered for an attack. Also, they need to manage the resources they are provided with to achieve their aim. Overall, shifting our mindsets from just defending to how hackers think can help us bring a massive change to securities and defenses and can lead to falling numbers of cyber attacks.

If you like this article, follow us on Twitter, Facebook, Instagram, and Linkedin.