Hackers Can Gain Network Access Via Social Engineering and Wait for New Zero-Day Exploits to Elevate Their Privilege
At Black Hat 2017, privileged access firm Thycotic surveyed 250 hackers to find out what was easy and what was hard about hacking into networks. At this year’s Black Hat, it conducted a similar survey (PDF) among 300 people that consider themselves hackers.
“This year,” Thycotic’s chief security scientist Joseph Carson told SecurityWeek, “we also wanted to better understand the types of hacker that exist, and their motives for doing what they do.”
The respondents self-identified as three groups that could traditionally be described as white hat (70%), grey hat (30%) and black hat (5%). The white hats describe themselves as ‘ethical’ hackers — they use their skills and knowledge for good purposes. “There’s another category — which is also ethical — but where they admit to crossing the line,” said Carson. “Their motivation is still to benefit the community; but they admit that some of their practices may actually be illegal.”
These tend to be independent researchers, and their work is often unrecognized, because, said Carson, “they tend to report their findings through anonymous channels.”
And then there’s the black hats — those who hack for illegal purposes and for personal gain. Only 5% of the respondents admitted to this; but none of them are likely to be full-time criminals. Law enforcement agencies always monitor Black Hat; and ‘unemployed’ attendees are of particular interest.
The 5% black hats are likely to have legitimate day jobs, and may well have been sent to Black Hat by their employer. It tends to confirm the findings of Malwarebytes this summer — many companies have one or two employees who moonlight to the dark side.
“Another area we wanted to examine,” Carson told SecurityWeek, “is whether staying up to date with the latest software is any protection against hackers.” Specifically, Thycotic wanted to know whether current OSs are easily compromised, and asked the question, ‘Which OS did you conquer the most in the past 12 months?’.
“What was really surprising,” said Carson, “was that Windows 10 — even though it is the latest and most secure operating system from Microsoft — is still easily exploitable by hackers. More than one-third of the compromised OSs were Windows 8 and 10. It goes against the common viewpoint that having the latest fully patched system will keep you secure. You have to accept that being patched and up to date is not enough on its own.”
The most common method of hacking used by the respondents (56.03%) is social engineering — it’s easier and a lot cheaper than using a zero-day exploit. “Hackers confirmed that 50% of their exploits have uncovered employees re-using passwords that have been already exposed in other data breaches, giving hackers an easy way onto the network,” notes the report.
It is clear that users still do not understand the weaknesses in passwords. “A strong password isn’t just a lot of jumbled characters,” said Carson. “Before it can be considered strong, a password must combine three separate characteristics: it must be complex, unique, and not already compromised elsewhere.”
“One thing we did notice,” Carson told SecurityWeek, “is that using social engineering doesn’t automatically give the hacker privileged access and full network control. Hackers gain access and then wait for the arrival of new zero-day exploits that allow them to elevate their privilege.”
Carson pointed out that one such Windows 10 zero-day was disclosed a few weeks ago. “This likely means that over the past couple of weeks many companies that had a simple unprivileged account breach now have the potential for a major compromise occurring within their networks. Social engineering allows attackers to get one foot in the door and then they wait for either misconfiguration or a new vulnerability that they can easily exploit to move to the next level.”
These two findings from the hacker respondents — that patching doesn’t prevent hacking, and that most hacks come through social engineering — are key to Carson’s primary conclusion: organizations need to adopt zero-trust practices. “We learnt from last year’s study that least privilege and multi-factor authentication make life difficult for hackers,” Carson told SecurityWeek.
“We learn this year that 75% of companies have still not adopted this approach despite its effectiveness.” Zero trust implies the automatic assumption that an account has been compromised, and requires multi-factor authentication to prove otherwise. This is applied both when moving from the internet to the corporate network, and from one segment of the corporate network to another segment.
“The combination of least privilege and zero trust will make life too difficult for the hackers, and they will likely give up and move on to easier targets,” said Carson. Those hackers who have socially engineered a low privilege account and are waiting for a privilege escalation zero day will find they have to break in again before they can do everything.
“Every time the criminal returns to the network he is challenged again and has to use multiple and more sophisticated methods to continue the attack,” said Carson. “Combining the principles of least privilege and zero trust is not 100% protection, but it is a major deterrence against everyday hacking.”