The Enemy: Protecting Your Organization from Blackhats
Intelligence is never too dear.
—Francis Walsingham, spymaster general for Elizabeth I
In Part I, we discussed the concept of the Honeynet, defining it and its value to the security community, explaining how it works, and summarizing the risks and issues involved. In Part II, we explained how to analyze the data a Honeynet captures and from this analysis gain intelligence on the opponent. The Honeynet provides a "reality check" to see what the enemy is truly doing and to observe blackhats in their natural state. In Part III, we discuss what the Honeynet Project has unearthed about blackhats. What we cover should not be seen as generalizations about the entire blackhat community. Instead, the tools, tactics, and motives we discuss are the ones that the Honeynet Project has encountered time and time again during the past several years. These lessons focus on blackhats who randomly search for and exploit vulnerable systems. In general, the blackhats in this segment of the community do not research, identify, and develop their own tools and exploits; they use existing tools and known exploits. As you will soon learn, these threats, though not highly sophisticated, apply to almost every organization.
For the past several years, the Honeynet Project has identified common tools, tactics, and motives shared by the blackhat community and has used this information to create a common methodology. Regardless of who you are and what systems you run, your organization is at risk. In this chapter, we discuss this methodology and how these threats apply to your organization. In Chapters 10 and 11, we review specific examples of honeypots compromised in the wild. By understanding the blackhat's methodologies, you will have a better idea of who your enemy is and the threat you face.
A threat we all face is what is commonly known as the script kiddie methodology, the probing for and exploiting of the easy kill. The script kiddie methodology represents someone looking for the path of least resistance. The person's motives may be different, but the goal is the same: to gain control the easiest way possible, usually on as many systems as possible. The attacker does this by focusing on a small number of exploits and then searching the Internet for the given vulnerability, sooner or later finding targets.
Some of these blackhats are advanced users who develop their own tools and leave behind sophisticated backdoors. Others have no idea what they are doing, knowing only how to type setup at the command prompt. Regardless of their skill level, the blackhats share a common strategy: randomly search for a specific weakness and then exploit it. It is this random selection of targets that makes this strategy such a dangerous threat. Inevitably, your systems and networks will be probed; you cannot hide. We know administrators who were amazed to have their systems scanned when they had been up for only two days and no one knew about them. There is nothing amazing here. Most likely, their systems were scanned by a blackhat who happened to be sweeping that address block.
If this technique were limited to several individual scans, statistics would be in your favor. With millions of systems on the Internet, odds are that no one would find you. However, this is not the case. Most of these tools are easy to use and are widely distributed; anyone can use them. People are obtaining these tools at an alarming rate; think of it as a type of Internet baby boom. Because the Internet knows no geographic bounds, this threat has quickly spread throughout the world. Suddenly, the law of numbers is turning against us. With so many users on the Internet using these tools, it is no longer a question of whether you will be probed but when. If your system has been connected to the Internet for more than 24 hours, you probably have already been probed.
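The sweep described above has a recognizable shape in a firewall log: one source address touching the same port on many hosts in an address block. The following is an added example, not code from the book or the Honeynet Project, that detects that shape. The log lines are constructed in the style of iptables LOG output using RFC 5737 documentation addresses; the field layout, the threshold, and the function names are assumptions for this illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical data, iptables LOG style).
# 203.0.113.9 probes TCP/111 on nine consecutive hosts: a horizontal sweep
# for one service. 198.51.100.7 is an ordinary client talking to a single
# web server on two ports and should not be flagged.
SAMPLE_LOG = """\
May  1 03:12:07 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=111 SYN
May  1 03:12:07 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.2 PROTO=TCP SPT=40002 DPT=111 SYN
May  1 03:12:07 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.3 PROTO=TCP SPT=40003 DPT=111 SYN
May  1 03:12:08 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.4 PROTO=TCP SPT=40004 DPT=111 SYN
May  1 03:12:08 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 PROTO=TCP SPT=40005 DPT=111 SYN
May  1 03:12:08 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.6 PROTO=TCP SPT=40006 DPT=111 SYN
May  1 03:12:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.7 PROTO=TCP SPT=40007 DPT=111 SYN
May  1 03:12:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.8 PROTO=TCP SPT=40008 DPT=111 SYN
May  1 03:12:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.9 PROTO=TCP SPT=40009 DPT=111 SYN
May  1 03:12:09 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=51000 DPT=80 SYN
May  1 03:12:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=51001 DPT=443 SYN
"""

# Tolerant of extra fields (LEN=, TTL=, ...) between DST and PROTO/DPT, as real
# iptables lines carry them. Lines without a DPT (for example ICMP) are skipped.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dport>\d+)"
)


def parse_events(text):
    """Return a list of (src, dst, proto, dport) tuples, one per parseable line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["src"], m["dst"], m["proto"], int(m["dport"])))
    return events


def find_sweeps(events, min_hosts=5):
    """Group events by (src, proto, dport) and return the groups whose source
    touched at least min_hosts distinct destinations: one service, many hosts."""
    targets = defaultdict(set)
    for src, dst, proto, dport in events:
        targets[(src, proto, dport)].add(dst)
    return {
        key: sorted(hosts, key=ipaddress.ip_address)
        for key, hosts in targets.items()
        if len(hosts) >= min_hosts
    }


def describe_sweeps(sweeps):
    """Render each detected sweep as one human-readable alert line."""
    return [
        f"{src} swept {proto}/{dport} across {len(hosts)} hosts ({hosts[0]} .. {hosts[-1]})"
        for (src, proto, dport), hosts in sorted(sweeps.items())
    ]


if __name__ == "__main__":
    for alert in describe_sweeps(find_sweeps(parse_events(SAMPLE_LOG))):
        print(alert)
```

The threshold of five distinct hosts per service is a starting point, not a rule; tune it to the size of your address block and the amount of legitimate traffic that fans out across hosts (monitoring systems, for instance). Running this over a day of logs from a freshly connected network is an easy way to confirm the claim that probes arrive within the first 24 hours.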
This is an excellent example of why security through obscurity fails. You may believe that if no one knows about your systems, you are secure. Or, you may believe that your systems are of no value, so no one would probe them. Some organizations take security seriously and have highly secured systems and networks. However, all that needs to happen is a single mistake: a single system not patched, a misconfigured firewall rulebase, an intrusion detection system plugged into the wrong port, or a system that has an unsecured service accidentally started. It is these very systems that the script kiddies are searching for: the unprotected system that is easy to exploit, the easy kill.