*This piece originally appeared in the Community Blog section of the ISACA web site, where it was posted by a member. We encourage members to post relevant, timely posts to the Community Blog (on your ISACA.org profile page, click “Create My Blog”). Select submissions will be reposted to the ISACA Now blog with the authors’ permission.
So, your attacker has managed to craft an Advanced Evasion Technique (AET) that gets past the perimeter security devices (firewalls, IDS and IPS) and has gained a shell. So what?
Well, it is here that none of the recent AET security debates (thus far) have gone on to consider the implications. Having considered, researched and practised the next level of infiltration, please allow me to expand.
On some recent security panels discussing and dissecting the AET, one may have observed that the conversations stayed at a very high level and did not consider the technological implications, or the in-depth implications, of what an AET means in real time. That part seems to have been lost.
So let us assume that our attacker has leveraged an AET to deliver an old exploit, presented in such a way that the current configuration of the security devices did not detect it. From this point on the AET matters not, because the attacker has gained access to a shell (that is, the command line).
Again, I can attest from research, security testing and evaluations that it is here where the real issues start to manifest. To reflect the sentiment of hackers and attackers, it is not they who are particularly smart; rather, it is the targets that are, at times, particularly dumb at employing (or not employing) security. I suspect the breakdown in security skills plays a small part here.
Understanding the fundamentals of technical security is therefore of paramount importance to assure that the core of the enterprise is protected, or, to put it another way, that the core of the enterprise is not vulnerable. Many organisations consider their perimeter impregnable, and it is precisely inside it that our assailants can demonstrate their adversarial prowess and skill on the command line they have gained access to via the shell.
In so many cases, the first issue encountered is excessive privilege on systems that have not been locked down. Even today I am personally amazed at how many organisations allow their user base, or a large proportion of it, to have administrative access!
Once systems have been penetrated, the attackers may start to poke around, seeking out what can be achieved or invoked from the command line. PowerShell and the beloved wmic (the Windows Management Instrumentation command-line tool, whose interactive prompt is wmic:root\cli>) provide rich platforms to do many things, limited only by the imagination of the successful attacker. And there are many more options that may be leveraged in the pursuit of cyber compromise.
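As an added example (not code from the original post), the following PowerShell shows both sides of the point above: the WMI and PowerShell reconnaissance an attacker can run from a freshly gained shell, and the check a defender can run on the same host to find the excessive privilege and missing logging that make that shell dangerous. It assumes PowerShell 5.1 or later on Windows 10 / Server 2016 or newer; the wmic equivalents in the comments run unchanged from cmd.exe, and the registry path and event ID are the standard ones for PowerShell script block logging.

```powershell
# Added example, not part of the original post. Assumes PowerShell 5.1+ on a
# Windows 10 / Server 2016 or later host, run from the shell the attacker (or
# the defender, checking before them) has landed in.

# --- What the shell gives the attacker: the "poking around" the post describes --
# wmic.exe equivalents are in the comments; Get-CimInstance reads the same WMI
# data through the supported cmdlet.

# wmic useraccount where "LocalAccount='TRUE'" list brief
Get-CimInstance Win32_UserAccount -Filter 'LocalAccount = TRUE' |
    Select-Object Name, Disabled, PasswordRequired

# wmic qfe list brief   (which patches are present, i.e. which old exploits may still work)
Get-CimInstance Win32_QuickFixEngineering |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, InstalledOn

# Is this shell already running as an administrator? If so, the attacker skips
# privilege escalation entirely.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Current shell is elevated: $isAdmin"

# --- The defender's check: who holds local admin, and is the shell logged? ----

# Members of the local Administrators group other than the built-in Administrator
# (RID 500), Domain Admins (RID 512) and Enterprise Admins (RID 519).
# Anything listed here is the excessive privilege the post warns about.
$expectedRids = '-500$', '-512$', '-519$'
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object {
        $sid = $_.SID.Value
        -not ($expectedRids | Where-Object { $sid -match $_ })
    } |
    Select-Object Name, ObjectClass, PrincipalSource

# PowerShell script block logging writes Event ID 4104 to
# Microsoft-Windows-PowerShell/Operational. If the policy value is absent or 0,
# the attacker's PowerShell commands leave no record on the host.
$sblPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$sbl = Get-ItemProperty -Path $sblPath -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
if ($sbl -and $sbl.EnableScriptBlockLogging -eq 1) {
    'Script block logging: ON'
} else {
    'Script block logging: OFF (attacker PowerShell activity will not be recorded)'
}
```

Every account the Administrators check lists should be either justified or removed, and the logging check should read ON before an attacker, rather than an auditor, is the first to run these commands.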
So the recommendation here is this: do not debate the AET as if it were the final conversation point, but consider the implications of what happens after an effective AET has done its work. Again, I can only attest that such security observations should not be based on a merely verbal account of what the threat vectors may be, but on robust fact, research and first-hand experience!
Professor John Walker, CISM, CRISC, FBCS, CITP, ITPC
CEO, Secure Bastion LTD, UK