Hacker Series - Exit Strategy
OR...5 Ways To Keep Your Insides Inside
Shawn Stewart
Mr. Stewart has 28 years of experience with hundreds of international, commercial, military, and government IT projects. He holds certifications with ISC2, Cisco, Microsoft, CompTIA, ITIL, Novell, and others. He has a Master's in Cybersecurity, a Bachelor's in IT, a Minor in Professional Writing, and is a published author.
I am a hacker and I am in your corporate computer network. The great thing about computer networks is all computers in the whole company are connected to every other computer. It’s also the bad thing. Because I was able to gain access to the dinosaur you call an Exchange Server AND this server has administrative rights on all the servers, I can access every single Windows computer on the network and see what files are where. With this level of access, I can also access every database, system, and file you thought were safe in Amazon Web Services (AWS), Google, SalesForce, and any other Cloud applications. Click the links to read Part 1 (Link) and Part 2 (Link) of this Series.
What A Hacker Wants
But first, I need to properly introduce myself to your corporate files. I need to know who I’ve hacked now. See, contrary to popular belief, the vast majority of hacks and data breaches are caused by opportunity and means, not motive. You know, the legal requirements to prove guilt in criminal proceedings? Have you not seen Law and Order or CSI? I have the means, the computer and skills. The opportunity is lazy IT or corporate nincompoops leaving their computer system doors unlocked, windows down, and keys in the ignition. How bad was it in 2023? (Link)
Legal filings, tax returns, and insurance paperwork are what I’m after first. It will tell me everything about your company, your financial situation, and, most importantly, how much cybersecurity insurance you have. Why? Insurance will pay half of a ransom. The company is expected to pick up the other half. If the max payout is $1 million, I know I can comfortably ask for $2 million. I might also find you have a pool of cash in the bank. If I can find that login info, I can siphon that out, too. If the company is required to report breaches to the Securities and Exchange Commission (SEC), I can use that as leverage if you don’t pay the ransom or turn you into the SEC for a breach, just to be a pain.
Hackers Love Your False Sense of Security
This is the part where you say in a very snooty voice, “well, I have multifactor authentication, firewalls, end-point protection, and a Security Information and Event Management (SIEM) system. I will know when I get hacked.” You sure? The average hacker spends nearly 300 days inside an organization before getting noticed. By getting noticed, I mean the hacker encrypts all your files and asks for money. In that time, the hacker has already pilfered through every file, customer, and bank the company has. Not to mention, I will hide malware and scheduled malware installs on every Windows, Linux, and Mac I can access.
And that’s the best part. If I find a company that’s loose with its customer data, I might also find thousands of personal data records, credit card numbers, bank accounts, or straight up blackmail material that I can use or sell. You see, poor security doesn’t just directly affect the company or individuals. I can now work my way through every employee, customer, vendor, government agency, contractor, and partner. The possibilities are endless! All because the CEO didn’t want to increase the IT budget to upgrade the email server.
Choose Your Own Adventure – Hacker Edition
- To lock all files with ransomware and get paid to release the data – Click Here!
- To exfiltrate all the data and sell it on the Dark Web – Click Here!
I’m only joking. I’m doing both! You see, part of my research includes finding your competitors. How much would you pay for your biggest competitor’s customer list or financial records or employee list? Why do you think a hacker stays in a system for so long? They are slowly exfiltrating all the useful data and files out of the company. Can’t do it too fast because that will raise red flags. Plus, I have to get to know you, intimately. How much do your C-Levels make? Can I access their bank accounts? Does your company hold any government contracts? Can I steal proprietary corporate or state secrets? Who wouldn’t want to hack KFC or Coke and get those recipes?
Once I have all the data I could ever want or need, I keep an open tab on the place. Maybe Research and Development keeps pumping out unpatented items or medical research. Or I might play the stock market with insider information. It’s happened! Think about all the deepest, darkest secrets your company has showing up on the front page of national news. Now think how much you’ll pay me not to release them.
Happy Hacker Trails To You
Ah, well, I am bored with this place, so I make sure every computer in your company, especially the C-Levels’ personal computers, phones, laptops, tablets, and toasters, are loaded and ready with Ransomware. At midnight on Sunday I trigger it. By the time anyone notices, it’s toooooooo late. I’m asking for $3.5 million because last year’s tax return was smoking hot. I’ve also emptied the company bank account because Janice had the login in a text file and the second-rate bank you use doesn’t require authorization of funds transfers. You walk in on Monday morning and it’s pure chaos!
“It’s OK,” you think. “I have insurance and backups just for this sort of thing.” You call in your IT boss and together you call the insurance company to start a claim. They request you add your attorney and they bring in their auditor. They need full access to the network and start negotiations with me. Well, not me directly, my team. I’m busy working my way into another circus.
The good news is the hacker has agreed to release all files if the ransom is paid. The bad news is you lied on your insurance forms and your insurance company will not be paying ANY of the ransom! So, you decide to NOT pay the ransom. You’ll just restore from backups and start fresh. Yeah, I thought of that, too. The first server I locked was the backup server. Oh, and you now realize why the IT manager nearly quit when you refused to store physical copies offline and offsite. You can faintly hear my wild laughter all the way from Beijing. You talk to the Board of Directors and they are less than amused but agree to pay the ransom.
CHA-CHING! Thank you for the Bitcoin! Now, I have a choice to make. Do I decrypt all your files and let you go back to work or take the money, stop responding to you, and never release the files? I love companies like yours. Why? Because you will never learn. I release your files. Auditors and security professionals swarm your place for the next week. You install the most expensive, I mean, highest quality cybersecurity system on the market. You are being monitored inside and out, 24/7. The Board decides to keep you on in a narrow vote.
You Should Have Listened
One intelligent cybersecurity analyst says you need to burn the entire network to the ground. That means every server, workstation, laptop, and anything with storage or that can run code. Then, you must rebuild from scratch to ensure no backdoors or remote access trojans are hidden anywhere. But the auditors already told you I got in through the Exchange server and you shut that down already. And you can’t possibly go back to the board with your hand out. Not now. You assume there’s no way I’m getting back in there again. See what Microsoft says you should do (Link) compared with what the Cybersecurity and Infrastructure Security Agency (CISA) says you should do (Link) – LOL! Both say BURN IT!
So, you tell him no, it’s too expensive. Leave it like it is. After all, we have the highest quality systems in place now. Except that no one is really monitoring the logs. And, when they installed the latest system, instead of a deep-dive to learn the business, they cut corners. They missed the Malware I left hiding in the printers and video surveillance systems. I set every Windows Scheduler in the company to pull it from its hiding places and try to install it after 6, 12, and 18 months.
Sidebar about auditors – Let me tell you what insurance auditors will NOT do. They will not search every log file to find out EXACTLY how I got in. Why not? Because after 300 days, you don’t have any log files left. There is no way an insurance auditor knows how I got in after that much time. They simply find any vulnerability from the outside and blame that. If there aren’t any, their standard response is it must have come in through a Spam email. I’ve seen it personally and I should be giving them a cut because they are lying to you!
Don’t Call It A Comeback!
Why do I wait so long to trigger Malware installs? Short-term memories. Once the place is stable for a few months or a year, dumb companies will always cut costs and remove the expensive monitoring. ALWAYS! I will be back in your company in good time and I will make even more next time. I might even put you out of your misery and not unlock the files next time. Statistics say that half of all companies that experience a ransomware event are out of business in a year. Imagine the odds after TWO successful ransomware events. Best. Boss. Ever. Anyway, I have my multi-millions and I’m off to find another sucker.
Five (5) Best Practices to Keep Your Insides Inside:
(Also avoid that roast beef place)
1) Baselining and Monitoring – You don’t know what you don’t know. So, get a clue! Start by performing in-depth traffic flow monitoring of your network and do it consistently for at least a month. Then, you can see what your network looks like during normal operations. Continuous monitoring will then alert when the baseline moves from normal. But how do you know I’m not already in your network?
2) Egress Internet Traffic Blocking – Access to the Internet is not a God-given right. In fact, most people in your organization have absolutely no business on the wasteland of the web anyway. All egress traffic should be limited by content, throughput, and destination. Why should Sammy in Sales send slides to Syria? He shouldn’t! All Internet traffic should also be constantly reviewed by a next-generation firewall, one capable of decrypting all secure web traffic before it comes and goes, just to be safe. What about privacy? This isn’t a Democracy and no one in the company has the right to open everyone up to data breaches.
3) Multi-Factor Authentication (MFA) – When are you going to learn? Every single login to every single device and website login MUST HAVE MULTI-FACTOR AUTHENTICATION! If someone logs into your email, your phone better light up asking if it was you or the application should ask you to verify in some way outside of a password. Something you know (password), something you have (phone), and something you are (fingerprint). Two out of three should be required before seeing any data ever.
4) Segmentation – Why is that printer still on the same physical network as SalesForce? Build a secure server for all your printers that require authenticated MFA approvals before allowing anyone access. That includes physical local access. If you can’t keep your warehouse devices updated or you have an old centrifuge that only works with Windows 98, keep those systems AWAY from your data networks. Create a separate physical network that can only communicate with the firewall. Then, limit who and what it has access to. In most cases, it doesn’t need to be on your data network at all.
5) Passwords and Access Control – Don’t get me started on the poor password policies of even Fortune 500 companies. Besides MFA, passwords must be at least 12 characters long, with a diverse set of upper and lower case letters, numbers, and special characters. Yes, they do need to change every 3 months and, no, you cannot reuse any passwords ever. And the most important thing, DO NOT USE THE SAME PASSWORD IN MULTIPLE PLACES! Read about Password Managers here. (Link) Assume every website you have an account with will someday be hacked. So far, 80% of the websites most of us have ever logged into have lost your password to a breach. And for Pete’s sake, don’t give access to files, folders, and printers to users who flat out don’t need it. Go that extra mile and turn off copy capabilities on files and folders. Turn off the ability to download files from email unless you are on a certificate-validated corporate computer. Keep that data inside! Pete will thank you.
Need Help?
Reach out to us! We’re all in this together. Visit our contact page to submit an inquiry. Also, please follow us on social media for the latest updates.