A lot of people in the security industry are paid to think like attackers: pen testers, security consultants, software security experts. But some of these people have never met an actual black hat, so much of their work is necessarily based on what they think attackers might do in a given situation.
Considering the stakes in today’s security game, gleaning intelligence from professional attackers is an invaluable experience for researchers on the other side of the ball. Robert Hansen, a security researcher and CEO of SecTheory, has been doing just that in recent months, having a series of off-the-record conversations with spammers and malicious hackers in an effort to gain insight into their tactics, mindset and motivation.
In a blog post describing one such conversation, Hansen says that the attacker was lamenting the difficulty of executing targeted attacks against machines in high-value networks. Security systems are doing a fairly good job of making life difficult for him.
He’s not the type to hack randomly, he’s only interested in targeted attacks with big payouts. Sure, if you really work at it for days or weeks you’ll get in, almost always, but it’s not like it used to be where you’d just run a handful of basic tests and you were guaranteed to break in. The risk is that now when he sends his mules to go cash out, there’s a chance they’ll get nailed. Well, the more I thought about it the more I thought that this is a very solvable problem for bad guys. There are already other types of bad guys who do things like spam, steal credentials and DDoS. For that to work they need a botnet with thousands or millions of machines. The chances of a million machine botnet having compromised at least one machine within a target of interest is relatively high.
Hansen’s solution to the hacker’s problem provides a glimpse into a business model we might see in the not-too-distant future. It’s an evolutionary version of the botnet-for-hire or malware-as-a-service model that’s taken off in recent years. In Hansen’s model, an attacker looking to infiltrate a specific network would not spend weeks throwing resources against machines in that network, looking for a weak spot and potentially raising the suspicion of the company’s security team.
Instead, he would contact a botmaster and give him a laundry list of the machines or IP addresses he’s interested in compromising. If the botmaster already has his hooks into the network, the customer could then buy access directly into the network rather than spending his own time and resources trying to get in.
This tactic reminds me a little of the movie Wall Street. You have a failing company (in this case a botnet that will probably only last a year or two). If the company continues on its course it’ll make a pretty good amount of money, but nowhere near as much as if the owners break up the company into pieces and sell them off one by one to the interested parties. Kind of an interesting/scary thought, but it could easily be used to avoid the cost and danger of individual exploitation against a company for a hacker interested in targeted attacks. Rather, a brokerage for commodities (bots that come from interesting IPs/domains) could be created and used to sell off the individual nodes.
This model makes sense on a number of levels and may well have been implemented already. The value of a large botnet for executing DDoS attacks or extracting valuable data from the compromised machines could be multiplied hundreds or thousands of times using this model.