Hackers are human. Hopefully that doesn’t surprise you too much. Being human means that they are subject to human tendencies, like taking the path of least resistance.
To a hacker, this means avoiding the most protected way to an asset. They know that no one can simply walk into the room where a business keeps its crown jewels. Similarly, the applications that present the most risk to an organization will be the most heavily gated and most thoroughly tested. Trying to get through would be like slamming one’s head repeatedly into a big brick wall — something most humans tend to avoid.
So hackers find a less protected route by pivoting. The concept of pivoting has strong roots in the historical principles of warfare. Savvy generals eschewed attacking the middle of the opponent’s defensive line, normally the point of heaviest fortification. The infamous Pickett’s Charge at Gettysburg is a notable example of the futility of this approach. Instead, these generals used flanking maneuvers to find the weakest point in the defenses and, when sufficiently positioned, deftly pivoted to roll up the opponent’s line “like a wet blanket.”
As the ongoing thrust and parry of cyber security evolved and defenses became more efficient, the attackers also adopted the pivot approach. Here’s how it works: first, assume the most important machines or applications will be the most heavily fortified; however, with limited budget and resources, assume that there will be weak points in the defenses. Now, find the best entry point that encounters the least amount of resistance, and use that pathway to methodically work your way to the real target.
The first use of the pivot was at the machine level, largely because applications were not yet widely exposed via the Web. True to form, it soon became apparent that it was folly to attack the database server directly because it was too well protected. Instead, the relentless attackers found they could gain entry through weaker, less-defended machines and roll up the defenses from there on their way to the database server.
These same attackers soon found that they had an unlikely ally to help them execute their flanking maneuvers — the carbon-based life form. To this day, CISOs will freely tell you that it is the employees who are the weakest link in the defensive line. Attackers frequently gain their initial entry point by simple phishing techniques or other forms of social engineering. If you don’t believe me, just send me your social security number and the account number of a major credit card for a free study on the subject and, as a bonus, you can help me access millions of dollars for an exiled Ethiopian prince.
Once in, attackers leverage common mistakes in design and/or coding to gain the necessary credentials to pivot to the next step in the network. They may need multiple pivots, but because of the privileges gained along the way, they eventually are able to traverse the network to the target machine.
Pivot points are also useful because they are often not heavily monitored. The attacker slips in through the back door where no one notices, and, once in the network, can move about without much risk of being noticed. This is why threat reports commonly cite long periods between the initial breach and detection, and why detection often comes through third parties and not the attacked organization. Low resistance and stealth are quite the inviting target.
Today, the pivot concept is frequently applied in the world of applications. As more and more processing came out from behind the firewall to the Web, attackers noticed that there were fundamental, frequently repeated bugs in software that provided ready entry points. In response, organizations took a risk-based approach to application security testing, applying testing cycles to those applications identified as representing the highest risk of attack. In some cases, this left large portions of the application portfolio untested, or tested only at a superficial level. In other cases, applications were tested only so that a box could be checked for the auditors, and the results were never applied toward fixing the problems found.
Many organizations take great pride in noting that they tested the top 20 percent or 30 percent of their applications based on their assessment of risk. What they are really saying is that they are content to leave the other 70 percent or 80 percent of their applications untested — providing a plethora of pivot points to the bad guys.
There has been some glimmer of recognition lately about the importance of testing the entire breadth and depth of an organization’s application portfolio. Several breaches in the past two years have been traced back to what seemed to be inconsequential applications that, in fact, had all of the components needed for a successful pivot. In some cases, the applications were so inconsequential as to be off the radar of the organization completely. Remember, attackers are relentless.
But as ground is gained, it is being lost elsewhere with mobile applications and IoT. Recently, a combined research team from the University of Michigan and Microsoft released the results of an in-depth analysis of an IoT home command center, the Samsung SmartThings platform. The platform serves as a control hub for a variety of connected devices for the home. This is all tied together with software from the device manufacturer or through applications provided by the associated SmartThings community.
The study showed that the software was readily exploitable and provided pivot points to the other devices connected to the platform. The researchers actually constructed four attacks, which included creating a new lock code for the connected door locks, effectively giving them a key to the house. Nor was the pivot contained to the SmartThings platform: attackers could reach the home network and then proceed to other connected devices on it. Once out on the home network, anything connected to that network became fair game. This is why there is concern about smart thermostats and other smart devices. Hacking them is not the end goal; instead, they are used as pivot points to access far more valuable assets.
The study also noted that many of the exploits the researchers used to gain their pivot points would not have been found through a simple automated application scan. This is proof that just “checking the box” provides only a false sense of security.
It’s all about the pivot. The shortest distance between two points may indeed be a straight line, but when you are an uninvited guest and the straight line is the most heavily defended path, the pivot is a necessary tactic.
Bottom line: any defensive strategy that does not consider the pivot is on a straight line to failure.