Book Review chapter 3

Chapter 3 Lecture
By
Professor Henry A. McKelvey

In Chapter 3 we will discuss the following objectives:
1) How we handle data and information and why it is problematic
2) Be able to provide examples of threats
3) Determine the difference between nation and non-nation state threats
4) Know the difference between AHM and Penetration Testers
5) Describe the AHM components
6) Explain the hacker’s thought process
7) List and describe the APT hacking core steps
8) Describe and explain the APT hacker attack phases

How we handle data and information and why it is problematic
Today we are handling much more data than we did even a few years ago. This has created a very problematic situation: we lack the knowledge of how to handle such large amounts of data. There are limits to the resources available for handling data, and these limits lead to compromises of the systems used to store it. Given that compromises do occur, the sheer amount of data allows them to go undetected and undiscovered.
When compromises are discovered, there is a tendency to sit on the information until instructions are given to inform the public, so the discoveries are not reported in a timely fashion. This is a chain reaction that leads to the following:
1) Not all the facts of any specific compromise are always uncovered
2) Some facts that are released might be misleading or even incorrect
3) Data and information are not disclosed in an open manner
These three factors are what eventually lead to distrust of the system's ability to detect and warn of current and impending breaches.

The lack of trust can be seen as a vulnerability that leads to threats against the system. Threats are defined as any person, situation, thing, or event that can exploit a weakness in a system.
When it comes to threats, systems are actually at the mercy of such threats because of many factors; take for instance these few:
· Techno-Criminals:
  · Skimmer Evolution
    · Skimmers are used by individuals who may not have technical ability but can gain access to machines.
    · See pages 32-33 in the book
  · Hacking Power Systems
    · Smart-meter tampering
    · Power jacking: USB-supplied power systems
    · Defeating physical controls
· Unsophisticated Threat:
  · Hollywood Hacker
    · Unskilled, but uses complete immersion in technology against targets
    · Social engineering tactics
  · Neighbor from Hell
    · Wi-Fi attacks, e-mail spoofing to others
    · Using attack methods to cast blame on others
    · See pages 35-37, the Barry Ardolf story
· Smart Persistent Threats
  · Kevin Mitnick
    · Gaining access to computer systems
    · Social engineering
    · Using knowledge of the interaction of people and systems
The above are examples of threats to a system, and they are as real as the recent NASA breach carried out through a Raspberry Pi, a small embedded single-board computer, which was set up to channel data from the NASA network to a location in China. That attack falls under both the Techno-Criminal and Smart Persistent Threat headings; threats can be layered to provide levels of sophistication and complexity. When defining who uses hackers to carry out attacks, this usually occurs in countries that are called nation states. These countries usually hire hackers to carry out attacks on other countries so that they can disavow any responsibility for the attacks, avoid direct contact, and claim that the attack was not carried out by them. Nation-States are defined as follows:
1) A nation state is a geographical area that can be identified as deriving its political legitimacy from serving as a sovereign nation. A state is a political and geopolitical entity, while a nation is a cultural and ethnic one.

Keeping in mind that this is a political definition, it is used to differentiate a Nation-State from a Non-Nation State, which is:
1) A nation in which there is cultural diversity, and from this cultural diversity no one ethnic group holds complete national autonomy.

The difference between the two implies that there is often unrest in Nation-States, caused by the attempt to maintain homogeneity while trying to keep up with the modern world, which tends to favor diversity as a means of functioning. An example of this is found in Islamic countries, in which there is a clash between the old world and the modern world.

There are various attacks that have been carried out by Nation States, among them: the RSA attack, MITM attacks, and the Carrier IQ attack.
In addition, there are attacks carried out against Nation States: Stuxnet, Duqu, and Flame.
The point here is that both sides use hackers to carry out attacks against each other.

There are often misconceptions about Penetration Testers and Advanced Persistent Threat Hackers. This misconception has often led to the belief that APT Hackers can be compared to Pen Testers. There is a fundamental flaw in this belief: it fails to notice that APT Hackers and Pen-Testers have different goals and thus deploy different methodologies for hacking. Thus the following can be ascertained:
· AHM = APT Hacker Methodology
  · A skill set that allows for a big-picture understanding of attacks and attack methods
  · A methodology that avoids segmentation of attack methods
· PTM = Penetration Tester Methodology
  · A skill set that allows for a convergent and directed understanding of attacks and attack methods
  · A methodology that seeks to segment attack methods
Understanding that there are differences between APT Hackers and Pen-Testers shows that using one to define the other is a mistake. The following chart shows the fundamental differences in method:

Understanding the differences between Pen Testers and APT Hackers helps in understanding the underlying issues that involve APT Hackers. However, it is known that both use the same core steps to reach their goals. These core steps are:

· Reconnaissance
· Enumeration
· Exploitation
· Maintaining Access
· Clean up
· Progression
· Exfiltration

Enumeration uses tools like ping and traceroute to determine whether an element is present on the network.
Reconnaissance uses tools like Nmap to test network elements for open ports.
Exploitation launches attacks against open ports based on vulnerabilities in the programs listening on those ports.
Maintaining Access is what hackers do when they set up access points and back doors in systems.
Clean up involves removing the evidence that the intrusion occurred; this means removing or altering log files, and possibly altering the files of IDS and IPS software.
Progression involves attacking other systems from the already compromised system, both to avoid detection and to set up the ubiquitous gathering of data.
Finally, exfiltration is the retrieval and dissemination of the gathered data, along with the eventual removal of the hacker from the system, which may take months or even years.
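The core steps above describe the intruder's side; from the defender's side, the Reconnaissance and Progression steps leave traces that can be picked out of ordinary firewall logs. The following is an added example (not from this lecture or the book it reviews) that parses a constructed log format and flags two patterns: one source touching many distinct ports on a single host (the port probing of the Reconnaissance step) and one source touching the same port on many hosts (the lateral spread of the Progression step). The log line layout, the IP addresses and the thresholds are all assumptions made for this example.

```python
"""Added example: flag reconnaissance-style port probing and lateral
host sweeps in firewall log lines. Everything here (log format, sample
lines, thresholds) is constructed for illustration."""
from collections import defaultdict
import re

# Constructed sample log lines in an assumed format:
#   <timestamp> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port>
# 10.0.0.5 probes eight ports on one host (vertical scan),
# 10.0.0.7 touches port 445 on six hosts (horizontal sweep),
# 10.0.0.9 is ordinary repeated HTTPS traffic.
SAMPLE_LOG = """\
2024-01-01T10:00:01 DENY src=10.0.0.5 dst=10.0.1.20 dport=21
2024-01-01T10:00:01 DENY src=10.0.0.5 dst=10.0.1.20 dport=22
2024-01-01T10:00:01 DENY src=10.0.0.5 dst=10.0.1.20 dport=23
2024-01-01T10:00:02 DENY src=10.0.0.5 dst=10.0.1.20 dport=25
2024-01-01T10:00:02 DENY src=10.0.0.5 dst=10.0.1.20 dport=80
2024-01-01T10:00:02 DENY src=10.0.0.5 dst=10.0.1.20 dport=443
2024-01-01T10:00:03 DENY src=10.0.0.5 dst=10.0.1.20 dport=3389
2024-01-01T10:00:03 DENY src=10.0.0.5 dst=10.0.1.20 dport=8080
2024-01-01T10:00:05 ALLOW src=10.0.0.7 dst=10.0.1.20 dport=445
2024-01-01T10:00:05 ALLOW src=10.0.0.7 dst=10.0.1.21 dport=445
2024-01-01T10:00:05 ALLOW src=10.0.0.7 dst=10.0.1.22 dport=445
2024-01-01T10:00:06 ALLOW src=10.0.0.7 dst=10.0.1.23 dport=445
2024-01-01T10:00:06 ALLOW src=10.0.0.7 dst=10.0.1.24 dport=445
2024-01-01T10:00:06 ALLOW src=10.0.0.7 dst=10.0.1.25 dport=445
2024-01-01T10:00:09 ALLOW src=10.0.0.9 dst=10.0.1.30 dport=443
2024-01-01T10:00:10 ALLOW src=10.0.0.9 dst=10.0.1.30 dport=443
this line is malformed and must be skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["dport"] = int(event["dport"])
            events.append(event)
    return events


def find_port_sweeps(events, min_ports=5):
    """Vertical scan: one source hitting many distinct ports on one host.
    Returns sorted (src, dst, distinct_port_count) tuples over the threshold."""
    ports = defaultdict(set)
    for e in events:
        ports[(e["src"], e["dst"])].add(e["dport"])
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items()
                  if len(p) >= min_ports)


def find_host_sweeps(events, min_hosts=5):
    """Horizontal sweep: one source hitting the same port on many hosts.
    Returns sorted (src, dport, distinct_host_count) tuples over the threshold."""
    hosts = defaultdict(set)
    for e in events:
        hosts[(e["src"], e["dport"])].add(e["dst"])
    return sorted((src, port, len(h)) for (src, port), h in hosts.items()
                  if len(h) >= min_hosts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("events parsed:", len(evs))
    print("port sweeps (reconnaissance):", find_port_sweeps(evs))
    print("host sweeps (progression):", find_host_sweeps(evs))
```

Both detectors count distinct ports or hosts rather than raw line counts, so the repeated HTTPS connections from 10.0.0.9 do not trip either threshold; the thresholds are deliberately low for the small sample and would be tuned to a real network's baseline.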

The APT Hacker will use the following attack phases to gain entry to systems:
· Reconnaissance: gather all information and data on a system
· Spear Social Engineering: manipulate persons who can be used for access
· Remote and Wireless: target remote users and wireless users to exploit wireless weaknesses
· Hardware Spear-phishing: use custom-built devices to infiltrate buildings and locations
· Physical Infiltration: target any place that the main target will or might locate to (hotel rooms, third-party locations, etc.)

The goal of the APT Hacker is to get into a system and remain there until all information on that system has been exfiltrated and used by the APT Hacker for personal, monetary, or political gain.
