Martial Arts Philosophy in Hacking.

I think that Martial Arts Philosophy can be abstracted and can be useful in many or all areas of one's life, especially when one faces competition.

If you are new to hacking, or not a hacker at all, check the 'Terms explained' section at the bottom of this article.



1. Know Yourself, Know the Enemy.

It's good to learn both offensive and defensive techniques. When one attacks a computer system (red team), one should know the mind and the assets of the defenders (blue team). When one defends a computer system, one should understand the attackers: their mindset, resources, skills, tools and driving motives/goals.

Knowing both offense and defense also helps when working in a team. In the cybersecurity industry, an exercise in which the red and blue teams work together and share what they see as the attack unfolds is known as 'purple teaming'.

In simulated attacks (penetration tests), red teamers/pentesters cooperate with the blue team by providing reports and documentation that describe how the tested systems should be patched and what needs to be done to 'harden' them against real attacks.

Today’s cyber threats demand that security professionals upskill in a holistic, predictive way,
-- said Haris Pylarinos, Founder & CEO at Hack The Box.


In my case, I plan to split my effort in the following way:
- 2/3 of my time & effort into offensive techniques (red teaming),
- 1/3 of my time & effort into defensive techniques (blue teaming).

It might still take some time, however, before I go for defensive-oriented courses. For now I'm focusing on offense, on pentesting.


--
2. Hide your plans, then strike like a Thunderbolt.

The thunderbolt approach means 'surprise, quickness and great force' of the attack. This can be advantageous: it can quickly overwhelm an unprepared enemy and ensure his or her defeat.

If the enemy detects you during the preparation and information gathering phases, the element of surprise is lost.

The defenders can then block your source IP addresses, disconnect and 'harden' the targeted systems, or prepare for the attack in many other ways.

Subtlety and quietness are of paramount importance.

The quieter you become, the more you are able to hear.
-- motto of Kali Linux, often attributed to Rumi or Ram Dass.


As an additional note, the subtle approach is time-consuming and requires more skilled personnel. In real, professional situations a pentest must be performed within a certain time frame, as agreed in the contract with the customer. The pentester must therefore plan for it and decide how much time he or she can spend on subtlety in the information gathering phases of the pentest: passive OSINT and slow, low-rate scans are quiet but take longer, while fast, aggressive scans finish sooner but are easy for the defenders to notice.


--
3. To fight or not to fight?

Are there other, better ways than hacking?

The basic trick is diplomacy; the possibility of hacking can then be used as an additional argument, an argument of force.

In some cultures, bringing a knife to the negotiating table is an additional argument in price bargaining. The possibility of hacking can be like that knife.


--
4. Underestimating the Enemy.

If you pretend to be weaker than you really are, enemies may insult, laugh at and belittle you. But they will probably bring too little force to the conflict, which is one way for you to ensure victory.

In the hacking case, too little force means less skilled personnel, less time and cheaper, worse tools used to attack you.

Or, if it's you who attacks, they will spend fewer resources protecting against your attack.


--
5. Win first, then go to battle later.

The phrase emphasizes the importance of thorough preparation, strategic planning, and establishing a clear path to victory before engaging in conflict.

This means a truly strategic approach ensures success is virtually guaranteed before the actual battle or confrontation begins, rather than hoping for a win during the fight.

Information is the foundation of the strategy.


Meticulous, diligent information gathering and enumeration of the targets, before the actual exploitation attempt is made, is a standard part of pentesting (hacking) methodology.

Information gathering and preparation can refer to:
- OSINT (Open Source Intelligence) practices,
- Nmap scanning (including service version scans and operating system scans),
- Banner grabbing,
- Other information gathering practices, either manual or with the use of appropriate automated tools,
- Searching for vulnerable points in the target system (vulnerability analysis),
- Searching for premade exploits (perhaps modifying them too), and/or preparing one's own custom exploits,
- Organizing notes, so they can be easily accessed and browsed (this is useful in later attack steps,
   it makes communication within the team easier, and it helps in preparing the documentation/reports
   for the customer and/or the blue team after the pentest ends).
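The scanning, banner grabbing and note-organizing steps above produce output in several formats that has to be merged before it is useful for planning. The following is an added example, not code from the original post: it parses a constructed snippet of `nmap -sV -O -oX -` XML output and a couple of constructed raw banners (the kind a manual `nc host port` grab returns), merges them into one set of notes keyed by host and port, and flags the case where the banner disagrees with the scanner's version guess. The two banner regexes are assumptions that cover only the OpenSSH and Apache formats shown, not a fingerprint database.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, asdict

# Constructed sample of `nmap -sV -O -oX -` output, trimmed to the fields used here.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
 <host>
  <address addr="10.10.10.5" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/>
    <service name="ssh" product="OpenSSH" version="8.9p1 Ubuntu 3ubuntu0.4" ostype="Linux"/></port>
   <port protocol="tcp" portid="80"><state state="open"/>
    <service name="http" product="Apache httpd" version="2.4.52"/></port>
   <port protocol="tcp" portid="445"><state state="filtered"/>
    <service name="microsoft-ds"/></port>
  </ports>
  <os><osmatch name="Linux 5.4 - 5.15" accuracy="95"/></os>
 </host>
</nmaprun>"""

# Constructed raw banners, as a manual `nc 10.10.10.5 <port>` grab would return them.
BANNERS = {
    ("10.10.10.5", 22): "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\r\n",
    ("10.10.10.5", 80): "HTTP/1.1 200 OK\r\nServer: Apache/2.4.52 (Ubuntu)\r\n\r\n",
}

@dataclass
class Finding:
    host: str
    port: int
    proto: str
    state: str
    service: str
    product: str
    version: str

def parse_nmap_xml(xml_text):
    """One Finding per <port>, keeping non-open ports too: a 'filtered' 445
    is itself a clue (something is filtering SMB) worth writing down."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            findings.append(Finding(addr, int(port.get("portid")), port.get("protocol"),
                                    port.find("state").get("state"),
                                    get("name"), get("product"), get("version")))
    return findings

# Assumed banner patterns (only these two formats); each captures (product, version).
BANNER_PATTERNS = [
    re.compile(r"^SSH-2\.0-(OpenSSH)_(\S+)"),
    re.compile(r"^HTTP/1\.[01] \d{3}.*?\r\nServer: (Apache)/(\S+)", re.S),
]

def parse_banner(banner):
    for pat in BANNER_PATTERNS:
        m = pat.search(banner)
        if m:
            return m.group(1), m.group(2)
    return "", ""

def merge_notes(xml_text, banners):
    """Scanner output is the baseline; a raw banner fills in blanks and is
    recorded as a conflict when it disagrees with the scanner's guess, which
    is exactly the kind of discrepancy that deserves a second look."""
    notes = {(f.host, f.port): asdict(f) for f in parse_nmap_xml(xml_text)}
    for key, banner in banners.items():
        product, version = parse_banner(banner)
        entry = notes.setdefault(key, dict(host=key[0], port=key[1], proto="tcp",
                                           state="open", service="", product="", version=""))
        entry["banner"] = banner.strip()
        if product and not entry["product"]:
            entry["product"] = product
        if version and not entry["version"]:
            entry["version"] = version
        elif version and version not in entry["version"]:
            entry["version_conflict"] = version
    return notes

def open_services(notes):
    """Sorted (host, port, product, version) tuples of what is actually reachable."""
    return sorted((n["host"], n["port"], n["product"], n["version"])
                  for n in notes.values() if n["state"] == "open")
```

In a real engagement the XML comes from `nmap -oX` and the banners from a netcat session or a small socket script; the merge step is the part that usually gets skipped under time pressure, and it is where a version mismatch between scanner and banner (a proxy, a honeypot, or a backported package) first shows up.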

After completing all of these preparation steps fully and diligently, a successful offensive hacker forms a final attack plan and, when ready, executes it.

... then more information is uncovered, and the hacker should adjust his or her attack plan as he or she proceeds, using all of the information and tools at his or her disposal.


--
6. Victory comes with its Price.



This means that achieving goals, whether in war, business, hacking or personal pursuits, demands a willingness to accept the costs involved, rather than expecting effortless triumph.

Sacrifice and Effort: The 'price' of victory isn't just money or resources but also personal sacrifices, hard work, and perseverance.

Commitment: It highlights that victory isn't a given; it must be earned through dedication and a resolute willingness to put in the necessary effort.

Strategic Outlook: In a strategic sense, it suggests that leaders must be prepared for the costs of conflict or competition and be willing to bear those costs for the desired outcome.

In hacking, each attack's target and goal requires its own specific, complete preparation.


--
7. Thinking is the Way.

Hacking-related knowledge, practice and plans are nice, but are there other, better ways than hacking?

Perhaps diplomacy, or blowing up the enemy's data center with explosives, is the easier, cheaper, better way.


--
8. Be like Water, friend.

To be 'like water' means to empty your mind and be formless, shapeless, and adaptable like water, which takes the shape of its container and can either flow gently, slowly erode the obstacle, or crash powerfully.

It's about embracing change, being resilient, and finding new ways around or through obstacles, whether in martial arts, in hacking, or in life itself.

To be 'like water', means to be flexible, adaptable, and formless, rather than rigid or stubborn.

In hacking/pentesting, after the initial preparation, planning and information gathering phases comes the attack phase. When the attack phase begins and new information is uncovered, the hacker should be able to adjust his or her plans, to adapt.

To be able to adapt during the attack, one must prepare, plan and train for it before the actual attack begins.


--
9. Master the Basics.

Like a martial artist, a skilled hacker (or cybersecurity professional) relies on a strong understanding of fundamentals rather than just fancy techniques.


--
10. Discipline, Dedication, Focus & Lifelong Practice.
The pursuit of mastery in martial arts mirrors the continuous learning and refinement needed by cybersecurity professionals to keep up with evolving threats.

The word 'concentration', as used here, means two things:
1. Focus and discipline needed during the hacking activity,
2. Discarding unnecessary activities, so there's more time for hacking.


--
11. See the Unseen.

This maxim encourages cultivating a deep understanding beyond surface appearances, emphasizing intuition, strategic thinking, and awareness of hidden truths and intentions.

To see the unseen, one must:
- Understand underlying motivations,
- Perceive weaknesses and strategic openings that aren't immediately visible to the naked eye,
- Develop a broader perspective, embracing a deeper, more profound understanding of the target's environment.

On the internet there are hidden resources, such as unlinked web page addresses, or data that is not indexed by search engines like Google or Bing.

Before attacking the target, do information gathering and uncover hidden resources (use OSINT, directory busting, fuzzing, and perhaps other means). Try to understand the general purpose of the target system, how the attacked subsystems work together and what their roles are in the larger context, and search for clues about how their purposes are implemented (tools, protocols, configurations, perhaps more...).
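Directory busting is the most mechanical of the techniques just listed, and the part that trips people up is not the wordlist but the target that answers every unknown path with a 200 and an error page (a 'soft 404'). The following is an added example, not code from the original post: a minimal busting loop that first calibrates against two random paths that cannot exist, treats any answer matching that signature as 'not found', keeps 301 and 403 answers as evidence that something is there, and harvests `Disallow` entries from robots.txt as extra candidates. The in-memory `fake_site` target, its paths and the wordlist are all constructed for the example; the `fetch` argument is where a real `requests.get` would go.

```python
import hashlib
import secrets

# Constructed in-memory target.  Like many real applications it answers unknown
# paths with 200 and an error page (a 'soft 404'), which defeats naive status checks.
_SITE = {
    "/": (200, "<h1>Welcome</h1>"),
    "/login": (200, "<form>login</form>"),
    "/admin": (301, ""),                 # directory exists; a real server redirects to /admin/
    "/admin/": (403, "Forbidden"),       # exists, but we are not allowed in
    "/backup.zip": (200, "PK\x03\x04..."),
    "/robots.txt": (200, "User-agent: *\nDisallow: /old-site/\nDisallow: /\n"),
    "/old-site/": (200, "<h1>Archived</h1>"),
}
_SOFT_404 = (200, "<html><body><h1>Page not found</h1></body></html>")

def fake_site(path):
    """Stand-in for a real fetch such as `requests.get(base + path)`; returns (status, body)."""
    return _SITE.get(path, _SOFT_404)

def fingerprint(status, body):
    # Hash the body so identical error pages compare equal whatever their length.
    return (status, hashlib.sha256(body.encode()).hexdigest())

def calibrate(fetch):
    """Fetch two random paths that cannot exist.  If both answers match, that
    response is the site's 'not found' signature; otherwise rely on 404 only."""
    sigs = {fingerprint(*fetch("/" + secrets.token_hex(8))) for _ in range(2)}
    return sigs.pop() if len(sigs) == 1 else None

def candidates(word, extensions):
    yield "/" + word
    yield "/" + word + "/"
    for ext in extensions:
        yield "/" + word + ext

def bust(fetch, wordlist, extensions=(".zip", ".txt")):
    """Return [(path, status)] for every path whose answer differs from the
    calibrated not-found signature.  A 301 on a bare name and a 403 both mean
    'something is there', so they are kept rather than discarded."""
    not_found = calibrate(fetch)
    hits, seen = [], set()
    for word in wordlist:
        for path in candidates(word, extensions):
            if path in seen:
                continue
            seen.add(path)
            status, body = fetch(path)
            if status == 404 or fingerprint(status, body) == not_found:
                continue
            hits.append((path, status))
    return hits

def robots_hints(fetch):
    """Disallow lines in robots.txt are a classic source of unlinked paths."""
    status, body = fetch("/robots.txt")
    if status != 200:
        return []
    hints = []
    for line in body.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip() not in ("", "/"):
            hints.append(value.strip())
    return hints
```

Against the constructed site, `bust(fake_site, ["admin", "login", "backup", "robots", "uploads"])` reports `/admin` (301), `/admin/` (403), `/login`, `/backup.zip` and `/robots.txt`, and nothing for the soft-404 answers; `robots_hints(fake_site)` adds `/old-site/`, which the wordlist would never have guessed. On a live target, rate-limit the loop and randomize the order of requests, for the stealth reasons discussed in section 2.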

In martial arts, the obvious goal is to 'beat the opponent', but if we know the enemy and the situation, we may decide whether to ridicule him or her, knock him or her out, break a jaw or knock out teeth, or just protect someone from his or her aggression.

In hacking, depending on the enemy and the situation, protecting our resources is often not enough; there may be a need to locate the attacker and collect evidence for lawyers, for example. The more resources we want to protect, and the more goals we have, the more expensive and time-consuming the whole operation is. Or, if it's us who is the attacker, sometimes we want to read specific sensitive data, modify a web page, gain control over certain subsystem(s), install ransomware, or just gain admin account access. Or something else.

Knowing the enemy and understanding the attacked target (or the attacker's goals and motives) helps in discerning what's more important and what's less, what our goals are (more specific and technical than just the pentest's scope), and where/how these can be found/reached. It helps in forming the 'battle plans' and is useful in many ways, from password guessing attempts (manual or automated) to assigning priorities in the battle. We must also decide how many resources and how much personnel we assign to each of the goals, and who is responsible for what.

Knowing yourself and knowing the enemy (including the unseen) also has uses in risk management, and in planning operating costs and return on investment.


--
12. Do not give up too easily.

(Marilyn vos Savant wasn't a martial artist, but this quote is still very martial arts, in this blog author's opinion.)


Do not give up too easily.

Don't let the laziness, frustration, or fear (of being caught, failing, or losing data) stop you.

If one tool doesn't work in a certain scenario, seek other means.

Sometimes the attacked system's defense mechanisms trigger an alarm and/or block you when you use more aggressive or risky means, but don't let that stop you when pressing on is wise. There's a difference between a lost battle and a lost war.

Often the attacked systems (a lab machine, or a test system agreed with the customer) can be reset, and another attempt permitted.


During an ethical hacking engagement (pentest), there are limits to how far one can go with the attack. One should remain within the pentest's scope, as agreed and written in the contract with the customer, and one should try not to break the tested system: agree on backups beforehand, and restore the system (remove uploaded tools, added accounts and any persistence) after the pentest concludes.

Martial arts are not about killing or hurting the sparring partners either, after all.

Let's not be criminals.


--
... and so on ...



Terms explained.

In this section we'll briefly introduce some of the cybersecurity concepts, and define terminology used in this article.

1. Offensive approach.
   In general, there are 3 or 4 phases in offensive hacking (red teaming, pentesting):
1.a. Information gathering and analysis,
1.b. Exploitation, the first phase of the attack proper; the goal here is to gain an
     'initial foothold' on the attacked machine, i.e. access to a system shell, often
     as a low-privileged user account,
1.c. Post exploitation, including privilege escalation (to the root user, for example),
1.d. Lateral movement: connecting to other computer systems in the local network of the
     attacked machine, usually through that machine ('pivoting'), often over a tunnel
     built from the foothold ('tunnelling').

After lateral movement, these steps are repeated - until we run out of local machines or reach our goals first.

- When, in this article, I use the word 'preparation' or 'information gathering',
  I mean step 1.a.,
- When I use the word 'attack', I mean steps 1.b. and 1.c., perhaps 1.d. too,
  and sometimes also 1.a. again.


2. Defensive approach.
   I do not know much about defending yet.
   When I refer to 'defending' (blue teaming), I mean defense techniques, including:
2.a. Upgrading versions and installing security patches in installed applications/services
     and in the operating systems,
2.b. Preparing security incident response plans,
2.c. Monitoring systems (including log files), and tools that warn about a possible
     attack in progress,
2.d. After detecting an attack: raising the alarm, declaring a security incident, and
     executing the appropriate incident response plans.
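Item 2.c. is where the defender's 'know the enemy' meets the attacker's password guessing from section 11. The following is an added example, not code from the original post: a small detector run over a constructed `auth.log` excerpt (all hosts, users and addresses are made up; `203.0.113.0/24` and `198.51.100.0/24` are documentation ranges). It counts failed sshd logins per source address inside a sliding window and raises a second, more serious alert if the same source then logs in successfully, while a single mistyped password from an ordinary user produces nothing. The year is an assumption, because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log excerpt: a password-guessing burst from 203.0.113.7 that
# ends in a successful login, plus one ordinary typo from 198.51.100.4.
SAMPLE_LOG = """\
Mar 12 10:15:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 12 10:15:03 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 12 10:15:05 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51138 ssh2
Mar 12 10:15:08 web1 sshd[2207]: Failed password for deploy from 203.0.113.7 port 51151 ssh2
Mar 12 10:15:11 web1 sshd[2209]: Failed password for deploy from 203.0.113.7 port 51160 ssh2
Mar 12 10:15:20 web1 sshd[2211]: Accepted password for deploy from 203.0.113.7 port 51190 ssh2
Mar 12 10:15:21 web1 sshd[2211]: pam_unix(sshd:session): session opened for user deploy(uid=1001) by (uid=0)
Mar 12 10:20:00 web1 sshd[2300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar 12 10:20:05 web1 sshd[2301]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse_line(line, year=2024):
    """Parse one sshd auth line; returns None for lines we do not care about.
    Syslog timestamps carry no year, so the caller supplies one (2024 assumed)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "result": m["result"], "method": m["method"], "user": m["user"], "ip": m["ip"]}

def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window brute-force detector.  Alerts once per source address when
    `threshold` failures land inside `window`, and again if that same source then
    logs in successfully: the second alert is the one that matters, because it
    means a guessed password is now in use and incident response (2.d.) starts."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent_failures = defaultdict(deque)
    flagged, alerts = set(), []
    for e in events:
        q = recent_failures[e["ip"]]
        while q and e["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if e["result"] == "Failed":
            q.append(e["ts"])
            if len(q) >= threshold and e["ip"] not in flagged:
                flagged.add(e["ip"])
                alerts.append(("bruteforce", e["ip"], len(q), e["ts"]))
        elif e["ip"] in flagged:
            alerts.append(("success_after_bruteforce", e["ip"], e["user"], e["ts"]))
    return alerts
```

On the sample, `detect(SAMPLE_LOG.splitlines())` returns a `bruteforce` alert for 203.0.113.7 at the fifth failure and a `success_after_bruteforce` alert for user `deploy` nine seconds later; alice's single typo followed by a key login is correctly ignored. Tools such as fail2ban implement the first half of this logic; the success-after-failures correlation is the part worth adding to whatever monitoring you already run.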
