Anatomy Of A Break-In - InformationWeek

Anatomy Of A Break-In

Ride along as a team of security pros pokes holes in the security perimeter of one large company that thought it was safe.

A large multinational company was about to undergo a full security audit, and the CIO didn't want any surprises. He was looking for advance warning of any problems that might be discovered in the formal audit so he could be ready with a remediation plan.

The company, which employs more than 10,000 people, is responsible for critical elements of physical infrastructures around the world and is regularly targeted by a wide variety of bad guys, including terrorists and foreign governments. The CIO believed the company had some problems with physical security and end-user systems but thought he had the servers and network locked down.

To get a true picture of the company's overall security, the CIO hired my team to do a preassessment without informing the majority of employees. For political reasons, he had to let several people know the test would be performed. And just to make my job more of a challenge, the director of the network operations center vowed my team wouldn't break into his systems or facilities.

Most of the company's assessment funds had been allocated to the formal audit, so the preassessment budget was tight. We had an advantage in that I'd been at the facility before for an unrelated reason, so I knew the makeup of the main facility and some of its physical weaknesses, which would save us a day or so of reconnaissance.

Open-Source Intelligence
We typically begin an espionage simulation by gathering intelligence on the company's physical, technical, and operational infrastructures, and on its personnel. Our search revealed a variety of information about the contracts the company was pursuing, as well as details on its facilities. Most troubling, we found maps of some facilities in high-risk areas, which could help malicious parties target the company and its people. We also found a corporate phone directory intended for internal use. This would have immense value for the social-engineering attacks we were planning.

We uncovered information about the company's general technical architecture by looking at trade Web sites and postings the company's IT staff had made to newsgroups. We knew the company had a Windows infrastructure with Sun Microsystems computers handling most of the server duties. Knowing the hardware and software let us predict technical vulnerabilities and helped us prepare to target the systems, both internally and externally.

We also found a variety of corporate domains to target. Later we learned that the people responsible for managing the company's Internet presence didn't know about some of these domains, which provided back doors into the company. Along the same lines, our search turned up more than 100 Web servers, though the IT staff had figured there were fewer than a dozen. We learned of the discrepancy when we informed someone from the CIO's staff of our findings at a breakfast meeting our first day on-site.
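The gap described above, a dozen web servers on the IT inventory against more than 100 reachable from the Internet plus domains the Internet-presence team did not know it owned, is exactly what an attacker's reconnaissance hands over for free, so it is worth having a repeatable way to produce the same list yourself. The following is an added example, not the article's or the author's tooling: it enumerates candidate hostnames under a set of domains, probes the names that resolve for web listeners, discards names that only resolve because a zone has a wildcard DNS record, and diffs the result against the list IT believes is complete. The domain names, IP addresses, hostname labels and inventory are constructed for the demonstration; the live_resolver and live_prober helpers are the standard-library calls you would inject instead, and only against systems you are authorized to test.

```python
"""Compare externally discoverable hosts with the list IT believes it owns.
Added example for this page, not the article's tooling: DNS and port lookups
are injected, so the demo runs offline on the constructed tables below."""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]  # hostname -> IPv4 string, None on NXDOMAIN
Prober = Callable[[str, int], bool]        # (hostname, port) -> True if TCP connect succeeds
WEB_PORTS = (80, 443, 8080, 8443)
WILDCARD_CANARY = "nonexistent-canary-7f3a1c"  # resolves only under a wildcard record


@dataclass(frozen=True)
class Host:
    name: str
    domain: str
    ip: str
    web_ports: Tuple[int, ...]  # web ports where a TCP listener answered
    wildcard: bool              # name only "exists" because of wildcard DNS

def enumerate_hosts(domains: Iterable[str], labels: Iterable[str],
                    resolve: Resolver, probe: Prober) -> List[Host]:
    """Resolve each apex and every label.domain, then probe whatever resolved."""
    labels, found = list(labels), []
    for domain in domains:
        wildcard_ip = resolve(f"{WILDCARD_CANARY}.{domain}")
        for name in [domain] + [f"{label}.{domain}" for label in labels]:
            ip = resolve(name)
            if ip is None:
                continue
            # A wildcard answer is not evidence that the labelled host exists.
            is_wild = name != domain and wildcard_ip is not None and ip == wildcard_ip
            open_ports = tuple(p for p in WEB_PORTS if probe(name, p))
            found.append(Host(name, domain, ip, open_ports, is_wild))
    return found

def reconcile(hosts: List[Host], inventory_domains: Iterable[str],
              inventory_hosts: Iterable[str]) -> Dict[str, List[str]]:
    """Split findings into what IT already listed and what it did not."""
    inv_domains = {d.lower() for d in inventory_domains}
    inv_hosts = {h.lower() for h in inventory_hosts}
    web = [h for h in hosts if h.web_ports and not h.wildcard]
    return {
        "web_servers": sorted(h.name for h in web),
        "unknown_domains": sorted({h.domain for h in hosts if h.domain.lower() not in inv_domains}),
        "unknown_web_servers": sorted(h.name for h in web if h.name.lower() not in inv_hosts),
        "wildcard_noise": sorted(h.name for h in hosts if h.wildcard),
    }

# Live lookups (stdlib only): inject these in place of the tables further down.
def live_resolver(name: str) -> Optional[str]:
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def live_prober(host: str, port: int, timeout: float = 2.0) -> bool:
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

# Constructed sample data standing in for DNS and the network (hypothetical names, RFC 5737 IPs).
DNS_TABLE = {
    "example-corp.com": "203.0.113.10", "www.example-corp.com": "203.0.113.10",
    "mail.example-corp.com": "203.0.113.25",
    "dev.example-corp.com": "203.0.113.40",         # forgotten dev box
    "examplecorp-legacy.net": "198.51.100.7",       # domain IT did not know it owned
    "www.examplecorp-legacy.net": "198.51.100.7",
    "example-corp.org": "192.0.2.50",
}
LISTENERS = {("www.example-corp.com", 80), ("www.example-corp.com", 443),
             ("dev.example-corp.com", 8080), ("www.examplecorp-legacy.net", 80),
             ("example-corp.org", 443)}

def table_resolver(name: str) -> Optional[str]:
    if name.endswith(".example-corp.org"):  # that zone carries a wildcard record
        return "192.0.2.50"
    return DNS_TABLE.get(name)

def table_prober(host: str, port: int) -> bool:
    if host.endswith(".example-corp.org"):  # wildcard names land on a TLS front end
        return port == 443
    return (host, port) in LISTENERS

def run_demo() -> Dict[str, List[str]]:
    hosts = enumerate_hosts(["example-corp.com", "examplecorp-legacy.net", "example-corp.org"],
                            ["www", "mail", "vpn", "dev", "old"], table_resolver, table_prober)
    return reconcile(hosts, ["example-corp.com", "example-corp.org"],
                     ["www.example-corp.com", "mail.example-corp.com", "example-corp.org"])

if __name__ == "__main__":
    for key, names in run_demo().items():
        print(f"{key}: {names}")
```

The wildcard check matters more than it looks: a zone with a wildcard record makes every label in your wordlist "resolve" and, if the wildcard points at a shared front end, answer on 443, so without the canary the report would claim dozens of web servers that do not exist. In practice the candidate list comes from far more than a five-word wordlist (search-engine results, certificate transparency logs, passive DNS, the newsgroup postings and directories mentioned above), and the probing should be rate-limited and confined to the scope agreed with the client.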

As happens in about half our reconnaissance efforts, we found evidence of illicit employee activities. For example, one employee was using his company E-mail account to sell information on how to perform criminal activities.

After a day and a half of this preliminary investigation, we ventured on-site. Three of us were involved in the internal test: Kevin, a technician familiar with attacks on Unix and Windows (the company's typical environments); Jeff, who would focus on social engineering and could assist on the technical side; and me. My focus was on the "black bag" aspects of the test--physically going into a high-risk environment to steal information or perform other high-risk tasks to support the espionage operations.

Our first job was to get into the building complex, which housed multiple tenants sharing a common entrance. An outside firm handled the facilities management and physical security.
