CompTIA Pentest+ PT0-002 – Section 3: Scooping an Engagement Part 2

16. Adversary Emulation (OBJ 1.2)

When you’re conducting an engagement, sometimes you might be asked to perform adversary emulation. Now, adversary emulation is a specialized type of penetration testing where you’re trying to mimic the tactics, techniques and procedures of a real-world threat actor during your penetration test. For example, maybe you’re conducting a penetration test against a defense contracting firm that’s responsible for writing the software code that’s used by military aircraft. That firm might be concerned with the possibility of a data exfiltration of their proprietary source code from a nation state actor. Now, for example, APT-25 is believed by experts to have been attributed to Chinese nation state actors who target the defense industrial bases contractors in the United States and an over in Europe with the goal of conducting data exfiltration and theft of their trade secrets.

Now, if you’re asked to emulate this threat actor, you would then need to use spear phishing messages that include malicious attachments or malicious hyperlinks because that is one of the common tactics, techniques and procedures that are used by this particular threat actor who is characterized as an advanced persistent threat or APT. Now, a threat actor is really just a generic term, and we use this to describe the bad folks out there who want to do harm to our networks or steal our secure data. Put simply, a threat actor is an unauthorized hacker. However, not all threat actors are created equal. So there’s different categories or tiers of adversaries out there. Some are structured. Some are unstructured. Some are more skilled than others. And there’s many different things that motivate each type of threat actor.

Now, we’re going to look at six main types of threat actors. Script kiddie, insider threat, competitor, organized crime, hacktivist and a nation state, or APT. The first type of threat actor is called a script kiddie. This is the least skilled type of attacker. Now, a script kiddie tends to use other people’s tools to conduct their attacks, and they don’t have the skills to develop their own tools like more advanced attackers might. Instead, a script kiddie uses freely available tools found on the internet or openly available security tool sets that penetration testers might also use. This includes things like Metasploit, Aircrack NG, John the Ripper, and many others they can use to conduct their attacks. Using these freely available vulnerability assessments and hacking tools, these script kiddies can conduct their attacks for profit, to gain credibility or just for fun. For example, there’s a program out there called Low Orbit Ion Cannon.

This is a simple program that’s often used by script kiddies to conduct a denial of service attack. The script kiddies will simply enter in a URL or an IP address into the input box and click the button labeled Go. Immediately, a barrage of traffic begins to flood the victim system to attempt a denial of service. It’s just that simple. There’s no skill or underlying knowledge required. They simply plug in a website address and hit Go. Now, script kiddies often don’t even understand the tools they’re using and the damage they can cause or even what those actions are performing. That being said, these script kiddies can still use simple tools to create some really undesirable effects to your organization’s network. The second type of threat actor we have is known as an insider threat.

An insider threat is an employee or former employee who has knowledge of the organization’s network, policies, procedures and business practices. The insider threat is one of the most dangerous for an organization because these people usually have authorized access to the network already making them both dangerous and difficult to find. An insider threat could be either skilled or unskilled, depending on who they are. For example, an unskilled insider might copy the organization’s files onto a thumb drive and then walk out the front door with them. Even though they were authorized to access those files, they were not authorized to remove them from the network or post them online, which then results in a data breach for your organization. Or you may have a very skilled insider threat who’s able to elevate their own user account permissions so that they can access data from across the entire network and then try to sell it to a willing buyer.

To prevent the insider threat, organizations need to put policies and enforcement technologies into place, such as data prevention to detect these insiders who are attempting to remove the data from the network. Also, all the organization’s standard internal defenses need to be properly configured, and cybersecurity analysts must search through the security information and event management systems to identify any patterns or abuse in order to catch the malicious insider. The third type of threat actor we have is a competitor. Now, a competitor is a rogue business that attempts to conduct cyber espionage against your organization. Competitors are focused on stealing your proprietary data, disrupting your business or damaging your reputation. Often, competitors will seek to use an employee as an insider threat inside your organization to steal the data from you, or they may attempt to break into your network over the internet themselves. The fourth type of threat actor we have is categorized as organized crime. Now, organized crime is a category of threat actor who’s focused on hacking and computer fraud in order to receive financial gain. Due to the internet’s wide reach, a criminal in one part of the world can hack the computer of somebody on the other side of the globe with ease and within seconds. Organized crime gangs often run different schemes or scams using social engineering or conduct more technical attacks using ransomware in order to steal money from their victims.

Organized crime hackers tend to be well funded, and they use sophisticated attacks and tools. The fifth type of threat actor is known as a hacktivist. Hacktivists tend to be comprise of politically-motivated hackers who target governments, corporations and individuals to advance their own political ideologies or agendas. For instance, an environmentalist might be considered a hacktivist if they hack into a logging company because they want to see that company stock prices fall in effort to drive them out of business, and thereby, they could save the forest. Hacktivist can be individuals or large groups. For example, Anonymous is a very large and well known hacktivist group. Hacktivists tend to vary in levels of organization from loosely organized to highly structured, and they can have a high level of sophistication in their attacks, or they can be very low. It really does depend.

Often though, these hacktivists tend not to be well funded. The sixth type of threat actor is known as a nation state or APT. Now, an APT is an advanced persistent threat. Now, an APT is the most skilled type of threat actor that you’re going to encounter. This is a group of attackers with exceptional capability, funding and organization, who have an intent to hack a particular network or system. Nation states don’t simply pick any network at random to attack, but instead, they determine specific targets to achieve their political motives. These incredibly organized team of hackers conduct highly covert attacks over long periods of time. In fact, on average, an APT is in a victimized network for six to nine months before network defenders actually discover the intrusion. And some have gone several years between the breach and their eventual discovery by defenders. Nation state actors are extremely good at what they do, and they’re very difficult to find in a network. Over the years, many nation states have also supported various threat actors that pose as hacktivists or organized crime groups too to maintain a plausible deniability for the hacks they’re conducting.

Other times, a nation state might use TTPs of a different nation state in order to implicate them in the attack. When this happens, it’s known as a false flag attack. For example, back in 2015, a French TV network, known as TV5MONDE, was taken off the air by a sophisticated cyber attack. The network’s website was also defaced by a group calling itself the Cybercaliphate, and made to look like it was launched by the Islamic state. When security investigators actually looked into the attack though, they found the attack was actually Russian in origin because the code using the attack was typed using Cyrillic keyboard during norming working hours in Moscow and St. Petersburg. If this was accurate, then this means a Russian nation state actor was trying to appear as an Islamic state actor. So they would be blamed for the attack making this a false flag attack. Now, each threat actor also conducts these attacks for different reasons and are motivated by different things.

This might be for greed or money, like crimeware and ransomware, or it might be for power, revenge or blackmail, such as in the case of an insider threat. For a script kiddie, it might just be for thrills, increased reputation or some kind of recognition from fellow hackers. An APT though, might hack for intelligence that they can gain this as a form of espionage to further their nation’s political agenda. By keeping these motivations in mind, an organization can build better defenses against each type of threat actor. So why is it important to consider the different types of threat actors? Well, as a penetration tester, you can use your knowledge of these threat actors to conduct threat modeling and emulation.

Depending on the objectives of the engagement, you may be told to simulate an attack by a script kiddie, a hacktivist, an insider threat or even an APT. Depending on which archetype we’re emulating, we’re going to model our techniques after that threat actor. For example, if you’re asked to simulate an APT attack, you’re going to have to develop your own custom codes and exploits which takes a lot more time and effort. And this is going to require a higher cost to conduct that assessment. On the other hand, if you’re asked to emulate a script kiddie, you can simply use open-source tools to conduct your attacks. Modeling an insider threat would require some insider knowledge, such as a username and password of an authenticated user or other inform that somebody would know as part of a known environment assessment. Now, these are all factors to consider during your planning and scoping phase of your engagement. In the industry, we like to categorize these different threat actors into tiers, and we call them tier one going up to tier six.

Now, tier one is for people who have little money and rely on off-the-shelf tools and exploits. You guessed it, these are your script kiddies. Next we have tier two. This is people who have little money, but they’ve invested in their own tools against known vulnerabilities. And this includes hacktivists like Anonymous. Tier three actors tend to invest a lot of money to find unknown vulnerabilities in order to make a profit. And this includes criminal hackers who create ransomware. At tier four, we find organized, highly technical, proficient and well-funded hackers who are working in teams to develop new exploits. And this includes some terrorist groups. Tier five includes nation states who are investing lots of money to create vulnerabilities and exploits. And these are your low-end APTs. And these are going to be some people who are state sponsored but maybe not working directly for state. And finally, we have tier six, which is comprised of nation state actors investing even more money to carry out cyber attacks and military and intelligence operations that achieve political, military and economic goals. This tier tends to be exclusive to the larger and wealthier countries around the developed world who essentially have an army of cyber attackers that are combined into their military intelligence agencies. Tier six threat actors also are known to conduct supply chain attacks. For example, back in 2020, there was an attack on the company SolarWinds that was allegedly tied to Russian nation state actors.

The threat actors hacked into SolarWinds in order to add a back door into the SolarWinds code base. SolarWinds had numerous corporations and governments as their users. So when this backdoor was embedded into their next update and release, all of these companies and government networks effectively became compromised and given over to this nation state actor. This attack was not directly targeted at SolarWinds though. It was really being directed at SolarWinds’s customers, making it a supply chain attack. Another attack credited to tier six nation states over the years was the embedding of root kits into Cisco routers and switches that were purchased from third-party suppliers. This is why supply chain management and using trusted suppliers becomes really important to the security of an organization. And it might be something you’re asked to consider as part of the scope for an engagement. Now, to summarize this lesson, you need to remember that as you climb up the tiers of threat actors, going from one to six, you’re going to see more money, more skill and more time being invested into the capabilities and attacks because more is at stake based on what the threat actor’s motivation is to conduct those attacks.

17. Target List (OBJ 1.2)

As we move forward with planning and scoping, we need to find a valid target for us to attack. This is conducted from a technical perspective as we go through our information gathering and vulnerability scanning phase. But as a penetration tester, we first are going to conduct target selection in the planning and scoping phase as we negotiate this with the targeted organization inside of our contract and our statement of work. We first need to ask is our targets going to be internal or external? Are they going to be first party or third party hosted? And if we can do physical attacks or if we can go after the users, if we can go after their wireless networks, if we can target applications and numerous other scoping concerns. That’s what we’re going to focus on in this lesson as we discuss target selection. And we’ll leave the more technical target selection for later on when we cover information gathering and vulnerability scanning at a later phase in the engagement. First, we have to determine if our scope is going to consist of internal or external targets. Internal targets are those inside the organization’s firewall and require us to be on-site, gain access through a VPN or exploit a user’s computer inside the organizational network and use that as a pivot point.

On the other hand, external targets are publicly facing targets which can be accessed directly across the internet such as a website, web application, email or DNS server in a screened subnet that’s outside of the protected local area network. Second, we have first party and third party hosted assets. Are the targets provided in our statement of work hosted by the organization itself in their own data center, in which case we call these first party hosted assets? Or are they going to be hosted by a third party service provider like Amazon Web Services, Microsoft Azure, Google Cloud or other cloud providers? Now due to the mass of migration into the cloud, there are a lot of third party service providers out there that are hosting different assets that you may or may not be able to include in your assessment scope. This includes the major cloud providers I just listed like Amazon Web Services, Microsoft Azure and Google Cloud, but there are also numerous smaller cloud service providers as well out there. During the planning and scoping phase, the target organization needs to inform us if we’re only allowed to attack their first party hosted servers or are we allowed to also go after the assets hosted in a third party environment.

For example, my company’s website, diontraining.com is hosted by a third party cloud service provider. If you were hired to conduct an engagement of my company’s e-learning platform, I have to first decide are you going to be allowed to go after our office networks and file servers that we host locally using our first party model or are you also going to be allowed to go after our website and e-learning platform which uses third party hosting. Maybe I only want you to go after third party hosted applications and if so, that has to be accounted for during the planning and scoping phase so that you can gain all the necessary permissions from that cloud service provider in addition to gaining permission from your client’s organization. Next, we need to discuss the physical aspects of the engagement.

Are we going to test the organization’s physical security? Do they want us to do an on-site assessment? Should we try to sneak past the guards, overcoming the security cameras, the pin pads and other physical security controls? Again, this is something that must be answered as part of the planning and scoping phase to determine if a physical assessment is going to be used. We have to know whether physical security is part of the assessment or are we just going to be hired to conduct a technical assessment of the network. If a physical assessment is going to be in scope, you’re also going to need to determine which locations are covered by the scope of the assessment. For example, my small company has employees and assets located across six different countries right now. If I hire you for an engagement, will you conduct an assessment of all six locations or just our main office or headquarters? Additionally, physical locations of the organization’s assets are usually going to be defined as either being on-site or off-site. An on-site asset is any asset that is physically located where the attack is being carried out.

For example, if you’re trying to break into my offices as part of a physical penetration test and gain access to my infrastructure, my server room or my employees, these are all considered on-site assets or targets. Conversely, off-site assets are defined as any asset that provides a service for a company, but is not necessarily located at the same place as that company. For example, I used to be an IT director for an organization whose data center was located in Italy, but we also had regional satellite offices located in four other countries spread across Europe. Often you’re going to find that these smaller regional offices or satellite offices have less stringent security than the main data center or headquarters. So if those off-site locations and assets are considered part of your engagement scope, you might find an easier way into the headquarters by pivoting through one of those off-site locations. In today’s modern deep parameterization environment, it is common that employee owned devices may also be categorized as an off-site location because their home office is essentially an extension of your headquarters network once they connect into that organizational network using a VPN. Next, we should also consider whether testing of the users is considered authorized or if it’s considered off limits.

Can we use spear phishing or even phishing attacks against the organization’s user base? Can we do social engineering against them? Can we try to trick the employees in order to get them to let us into the building and bypass their physical security? Now again, there’s no right or wrong answer to these questions. It’s all negotiable as part of the planning and scoping for the engagement. For example, in a past assessment, my team was told that we could not target any of the executives, but any of the regular users was considered fair game for our social engineering attempts. In other assessments, we’ve been told specifically to target the sales department to determine if the user awareness training they received a few months earlier was effective or not. Remember, users tend to be the easiest attack vector to go after, especially if they’re considered in scope for the assessment and you’re allowed to use various social engineering attacks against them. The next area of concern we have is regarding wireless networks. I’m always careful to ask an organization to specify which wireless network identifiers or SSIDs are within the scope of my engagements.

If we’re being asked to conduct wireless penetration testing, we need to ensure that we’re only targeting equipment that’s owned and operated by the organization that we’re actually doing the testing for because they’re the only ones who can grant permission for the networks they own and operate. For example, at many offices there’s a company wireless network and a guest wireless network. Or at a hotel there’s one wireless network for the point of sale systems and another one that’s used by the guests of the hotel. If we’re going to assess the hotel, we need to negotiate which network is in scope of the engagement and which one is outside of our scope. Are you allowed to set up an evil twin or rogue access point using the same or similar service set identifier as an organization’s trusted wireless network? Well maybe you are, maybe you aren’t. Again, there’s no right or wrong answer here. We just need to make sure that the penetration tester and the organization are both agreeing to the scope during the planning and scoping phase so we’re all on the same page.

As we consider the wired and wireless organizational networks, we also need to identify which assets are going to be considered in scope based on their IP addresses or IP ranges, the domain or subdomain associated with them or their DNS or Domain Name System servers. Now IP addresses of the in scope asset should include the appropriate network ranges and the autonomous system numbers known as ASNs. These ASNs are used by the organization as a globally unique identifier that defines a group of one or more IP prefixes that are run by one or more network operators that maintain a single clearly defined routing policy. ASNs are used with the border gateway protocol and if they are changed inadvertently, it can cause all sorts of disastrous routing issues for the organization’s traffic going over the internet. It’s also important to include a list of domains and subdomains that are considered in scope for the assessment. For example, since I use an elastic cloud architecture for my learning management system, we’re constantly adding and removing IP addresses behind our load balancer, but our domain names and our subdomain names are not changing rapidly.

Therefore, you should always have a list of our domains and subdomains that are considered in scope for the assessment. For example, maybe my website www.diontraining.com is considered in scope, but my support portal at support.diontraining.com is not in scope. By having a clear list of in scope and out of scope domains and subdomains, you can avoid any issues during the engagement. Also, you need to know if the organization will allow you to target or modify their DNS servers and its records. For example, are you allowed to conduct DNS poisoning? How about a watering hole attack as part of a social engineering campaign? Again, there’s no right or wrong answer here. It’s just up to you and your client to determine the proper scope for the engagement based on your objectives and goals that the organization has. Now the final area to think about is that of applications and more specifically, web applications and their application programming interface’s notice APIs.

If we’re going to do a web application test, are we going to be focused on a single application or all applications on a given web server? For example, if a penetration tester is assessing a web application, are they only looking at the code developed by the company or should they look at the applications underneath the code as well? Can the penetration tester target the Apache web server, the MySQL database, the PHP code or even the underlying software development kits known as SDKs? All these things may or may not be in the scope of the engagement depending on what was contracted and agreed upon by your company and your client organization. A web application and its associated APIs could be used for either public facing applications or they may only be internal to the organization. For example, in my company we have several APIs that we have developed in order to deliver courses, our labs, our textbooks and our exams to all of our students at diontraining.com. For example, in the version of this course located at diontraining.com, we also include hands on labs where students can enter a cloud-based penetration testing environment and practice with all different kinds of attacks and tools that we cover in this course.

Our learning management system though didn’t have this capability initially so we had to develop our own API that accepts a student’s unique user identification number, their email and the lab they want to access along with the secret authentication token. And in return, the API provides the link to launch the lab and this allows the students to click a button and access and utilize these cloud-based labs. Now during the scoping, it’s also important to determine if there’s a particular application on the client’s system that’s considered mission critical and therefore the client cannot afford to have it experience any downtime during the engagement. For example, a credit card processing application might be such a system in a retail environment while the patient record management application in a hospital might be equally important in that organization’s situation. The penetration tester and the client need to work together to both understand which applications or systems need to be excluded from the scope of the engagement to ensure that the organization can still be able to conduct its mission successfully during the attacks. Once again, this really depends on your negotiations with the client during the planning and scoping phase of your penetration test.

• Category: Uncategorized