Cyber Range
Blog14 minute read

Hacker mentality: Goals for breach and attack

Explore the hacker mentality, including motivations and tactics, with practical advice for improving your organization's security posture through gamified team training exercises.

Cybersecurity is rife with adages, and one that resonates profoundly is, "As cyber defenders, we must be effective all the time, while a hacker only needs to be successful once." In most cases, hackers can take their time finding the right combination of events to breach a system, as deadlines do not typically bind them. They often stumble upon weaknesses through trial and error. However, some do have specific targets in mind, as depicted in "Ghost in the Wires" by Kevin Mitnick, which offers a glimpse into the minds and goals of many notorious hackers. 

Rather than focusing on a particular type of hacker or style of attack, I'd like to delve deeper into what motivates attackers. Understanding their motivations allows defenders to think like adversaries and identify potential targets. By gaining insight into the minds of attackers, defenders can better anticipate and counteract cyber threats. An attack surface in cybersecurity refers to the sum of all vulnerabilities that an attacker could potentially exploit in a system or network. By reducing the projected attack surface, defenders limit the number of potential entry points available to hackers, enhancing their overall security posture.

Hacker backer

The term "hacker" initially emerged in the 1950s and 1960s at MIT, embodying a positive connotation of ingenuity and mastery in programming, where it signified individuals who could creatively overcome or extend the capabilities of computer systems. This period also saw the crystallization of the "hacker ethic," a set of principles advocating for open access to information, skepticism towards authority and the ambition to use technology for societal improvement. These principles guided the early pioneers of computing and the internet, emphasizing innovation and the positive potential of hacking skills. A notable reference to the term from this era is found in Steven Levy's book "Hackers: Heroes of the Computer Revolution," (Levy, Steven. Hackers: Heroes of the Computer Revolution. 25th Anniversary Edition, O'Reilly Media, 2010), which documents the stories and philosophies of these early hackers, illustrating the term's original spirit of exploration and excellence in the realm of computing. 

In the 1980s, the term "hacker" began to shift towards negative connotations, influenced by the media's portrayal of individuals engaging in unauthorized computer break-ins, a narrative amplified by the personal computing boom and films like "WarGames" (1983). This depiction contributed to the public associating hacking with illicit activities such as data theft and the spread of malware. Despite this, the hacking community sought to differentiate ethical hacking, like penetration testing, from criminal acts. Over time, distinctions within the community emerged, with terms like "white hat," "black hat," and "grey hat" hackers to describe those hacking for beneficial reasons, malicious purposes or in-between, respectively. Nonetheless, a vibrant hacker culture persists, emphasizing privacy, information freedom, and security research through events like hackathons and conventions, maintaining the original spirit of innovation and problem-solving. This evolution is reflected in "WarGames," where a young hacker unintentionally accesses a military supercomputer, highlighting the potential dangers and misunderstandings surrounding hacking practices during the era.

Idle hands

People become hackers for different reasons. Some enjoy the thrill of exploring restricted systems and networks. Others want to show off their technical abilities or earn respect in the hacking community. On the other hand, some hackers may be motivated by financial gains, using their skills to steal sensitive information, such as credit card numbers or personal data, which can be sold on the dark web. Others may engage in cyber attacks for political reasons, seeking to promote a particular agenda or cause by disrupting critical infrastructure or stealing classified information. Still, others may hack as a form of revenge, motivated by a desire to retaliate against an organization or individual they perceive has wronged them. Understanding these motivations is crucial for cybersecurity professionals looking to anticipate and counteract cyber threats effectively. 

Amateur hackers risk inadvertently damaging systems they infiltrate, while professional hackers are more strategic and targeted in their attacks. While professional hackers can cause significant harm, amateur hackers may unintentionally breach areas with lower defense postures. The goals of amateur hackers are typically less focused and could include seeking bug reports or probing defensive measures. It's important to note that both types of hackers present potential cybersecurity threats and must be taken seriously.

Changing landscape

As bug bounty programs have become increasingly available, the motivation for amateur hackers to probe unknown systems is waning as these revenue-identified venues are safe spaces to probe. Additionally, advances in artificial intelligence (AI) are set to significantly enhance system defenses, making it easier to identify low-level attempts at intrusion and reduce accidental threats in the cyber landscape. 

By marking system parameters as private and implementing clear policies disallowing probing or unauthorized access, organizations can further deter amateur hackers by making the potential rewards not worth the risk. This will lead to a decline in amateur hackers as they transition to more legitimate pursuits. AI is a double-edged sword in the ever-evolving cybersecurity game. While defenders harness AI to automate the mundane tasks of log analysis, freeing up resources to fortify their defenses against more sophisticated threats, hackers are compelled to elevate their methods. Automating such tasks on the defenders' side effectively renders low-level attack strategies obsolete, forcing attackers to abandon rudimentary approaches that once preyed on the oversight of overwhelmed security teams. 

This technological arms race inherently filters out the less experienced hackers, who cannot keep pace with the sophistication required to breach AI-enhanced defenses. Only the most skilled and innovative attackers remain competitive, pushing the boundaries of cyber warfare with advanced techniques and evasion strategies.

As a result, the landscape becomes a battleground for the elite, where the deployment of AI by defenders raises the bar for security and demands a higher level of ingenuity and expertise from attackers. In this dynamic environment, the use of AI by both parties continuously shapes a more sophisticated and challenging domain, driving the evolution of cybersecurity strategies on a global scale. 

Throughout 2023, the cybersecurity landscape witnessed a significant escalation in the sophistication and organization of cyber threats, marked by the rise of more organized hacking groups, state-sponsored actors, and enterprising, loosely knit hacking collectives. These groups have leveraged advanced techniques and coordinated efforts to launch targeted, high-impact cyber-attacks across the globe. State-sponsored actors, in particular, have been at the forefront of engaging in cyber espionage and sabotage that align with national interests. At the same time, organized hacking groups have demonstrated remarkable sophistication in their attacks, often employing ransomware and phishing campaigns that exploit vulnerabilities in critical infrastructure and corporate networks. Simultaneously, loosely knit hacking collectives have emerged, utilizing social media and dark web forums to share tools, techniques and intelligence, thus democratizing access to hacking capabilities and enabling a broader range of actors to partake in cybercriminal activities. This evolution underscores a shift towards a more organized and collaborative approach to cyber attacks, posing an unprecedented challenge to global cybersecurity defenses. 

As amateur hackers transition to professional status, we expect to see a larger pool of strategic hackers that defenders must prepare for. Organizations must stay informed about these trends and invest in AI-powered cybersecurity solutions to stay ahead of emerging threats and protect their assets. By combining advanced technology with human expertise, organizations can effectively detect and respond to complex attacks and safeguard their critical infrastructure against sophisticated adversaries.

Weakest link

CrowdStrike's Global Threat Report for 2024 highlighted the emergence of organized nation-states and professional groups as the dominant forces in the threat landscape. The number of identified threat groups drastically increased year-over-year, with lower-level attackers being deterred by improved defensive postures. This elevated the threat from organized actions. 

The observation that employees revealing their credentials and theft of valid credentials were the most significant threats in 2022 leads perfectly to the outcomes witnessed in 2023. The report found that ransomware was the most common type of cyber attack in 2023, with credential compromises often leading to these attacks. Cyber criminals effectively locked up critical files and systems to extort payment from victims, often demanding amounts equal to or greater than the cost of creating a digital twin environment. This left organizations gambling on the difficult choice: pay now or risk paying more later. 

The report highlights the importance of securing employee credentials and properly training employees on potential threats to the growing threat of ransomware attacks, particularly from organized groups. As cybercriminals become increasingly sophisticated, organizations must proactively protect themselves against these threats. Implementing multi-factor authentication, regularly reviewing access controls, and monitoring for anomalous behavior can help mitigate the risk of credential compromise and reduce exposure to cyber threats. Organizations can protect their valuable assets by prioritizing employee education, taking proactive security measures and enhancing cyber resilience. 

Low hanging fruit

Ransomware attacks continue to be a significant threat to organizations in 2023. One of the most common methods to introduce ransomware into a network is phishing emails, a popular attack vector for cyber criminals. Attackers use social engineering techniques to trick users into clicking on malicious links or downloading infected attachments, which can then deploy ransomware onto their systems. These attacks rely on the user's lack of awareness and education, making employee training critical in preventing successful phishing attacks. 

Another standard method attackers use is Remote Desktop Protocol (RDP) exploitation. RDP allows remote access to a victim's network, which can be easily exploited. Attackers can use brute force attacks or stolen credentials to access an organization's network and install and execute ransomware. To mitigate this risk, organizations should secure RDP connections with robust authentication mechanisms, such as multi-factor authentication, and restrict access to authorized users only. Regular patching and vulnerability management can also help reduce the risk of RDP exploitation. 

Software vulnerabilities are another standard method attackers use to introduce ransomware into a system. Attackers can exploit known vulnerabilities in software applications through drive-by downloads or malvertising campaigns, which can automatically infect a user's system with ransomware when they visit a compromised website. Organizations should implement a robust patch management program to ensure all software and applications are regularly updated and free from known vulnerabilities. 

Manual-driven cyber attacks became an increasingly significant threat to organizations in 2023. Unlike automated attacks that rely on scripting methods, manual-driven attacks involve a nefarious operator who has obtained stolen or forged credentials to gain access to the victim's network. These attacks are more challenging to detect and prevent due to their sophisticated and targeted nature, often involving social engineering techniques and human intelligence. 

Manual-driven attacks offer significant gains, including the theft of sensitive data, intellectual property and proprietary information. Attackers can move laterally within the network, escalate privileges and carry out various malicious activities such as data exfiltration, ransomware attacks or other forms of cyber crime. These attacks can be devastating, resulting in financial gain, increased bargaining power and a competitive advantage for the attacker. 

To maximize their chances of success, attackers must adopt a comprehensive approach to manual-driven attacks, carefully selecting targets based on their value and vulnerabilities. They must develop sophisticated social engineering techniques to bypass defenses and establish a foothold in the target network. Once inside, attackers must move quickly to identify high-value assets and extract sensitive data without detection. 

Despite these challenges, manual-driven attacks can be highly effective when executed correctly. However, it's important to remember that offensive cyber operations have significant risks, including legal liabilities and reputational damage. Organized groups are becoming increasingly effective at carrying out manual-driven attacks due to their distributed nature, which allows them to leverage a wide range of skills and expertise. Additionally, many organized groups are protected by the nation-states sponsoring their actions, providing them with immunity from prosecution. 

The value of the target must be carefully weighed against the potential costs of the operation. The risks associated with manual-driven attacks must be carefully considered before proceeding to ensure that the benefits outweigh the possible consequences.

Get in the game

With just a few hours of research, possibly with the help of AI tools, a game designer can create a series of challenges highlighting the tactics and techniques used by cyber criminals in recent attacks. Replicating these attack vectors provides valuable insights into what an actual Indicator of Compromise (IOC) looks like, enabling defensive teams to build more effective defenses. 

To create a foundational defense tailored to their specific needs and risks, organizations must understand the scope and limitations of OEM security packages and define the attackers' goals and methods. Regularly monitoring for signs of unauthorized activity and implementing multi-factor authentication, access controls and anomaly detection can help mitigate the risk of cyber threats. 

However, these measures alone are not enough. Blue team defenders must drill on this process, gaining a deep understanding of what they are seeing within dashboards and logs. Regular training and exercises can help ensure that defensive teams have the skills and knowledge to effectively detect, respond to, and prevent cyber-attacks. By taking proactive measures and building a culture of continuous learning and improvement, organizations can reduce their exposure to cyber threats and protect their valuable assets.

Easy button

Identifying high-value targets in your network and creating emulated environments for practice is time-consuming, requiring a deep understanding of the process flow for attack vectors. However, with consistent effort and practice, defensive teams can build a robust catalog of challenges that will help refine their defensive posture and response actions. 

Gamification can enhance the effectiveness of emulated environments in cybersecurity defense. Organizations can motivate security teams to practice more frequently and build a deeper understanding of attack vectors by incorporating game-like elements such as scoring systems, leaderboards and rewards. This approach can help foster a culture of continuous learning and improvement, making it easier to keep up with the constantly evolving threat landscape. 

Emulated environments are an essential part of a comprehensive gamified cybersecurity defense strategy. Keeping a concise view of how the defensive posture changes with new additions of hardware and applications is critical in detecting emerging threats. The deeper into SOC operations that this understanding can be driven, the more robust the team will see and respond to cyber attacks. 

It's important to remember that building a competent defense takes time, effort, and consistent practice. While eliminating all cyber threats may never be possible, organizations can significantly reduce their exposure by implementing proactive measures and fostering a culture of continuous learning and improvement. By taking a holistic approach to gamified cybersecurity defense, including emulated environments, organizations can protect their valuable assets and build resilience against emerging threats.

The ocean is wide…but it's also deep

In this post, I emphasize the importance of emulation as a technique for creating controlled environments in cybersecurity. While emulation and simulation are used for testing defensive measures, they differ in critical ways. Emulation involves replicating the behavior of another system or device using hardware or software components, providing a highly accurate representation of real-world systems. This makes it well-suited for testing defenses against specific threats or attack vectors. 

Building an emulated environment is a resource-intensive process that typically involves creating a digital twin of the systems under evaluation. Unlike simulation, which models a system or scenario without replicating its exact behavior, emulation provides a full stack view of events with accurate log files and attack vector representations. This allows defenders to understand the attacker's mindset, anticipate their next move and prevent further damage. 

While both techniques have advantages and disadvantages, emulation's accuracy and completeness make it an essential tool for cybersecurity professionals seeking to build robust defenses against real-world threats. Implementing an emulated environment requires a significant investment of resources but provides valuable insights into attacker behavior and the opportunity to test defensive measures against specific threats. I believe emulation is the way forward for organizations looking to enhance their cybersecurity capabilities.

Think bad thoughts

By following this methodology, interested readers can gain valuable insights into their network and improve their ability to defend against cyber threats. Participating in cyber games and security challenges can help develop a hacker mentality, enabling defenders to anticipate potential attacks and identify high-value targets. By simulating real-world scenarios, security professionals can test their defenses and refine their response strategies while honing their skills in a safe and controlled environment. 

Through these experiences, defenders can learn how to establish perimeter and internal controls, detect network anomalies, and deploy honeypots to alert for attempted breaches. By understanding the attacker's perspective and anticipating their tactics, defenders can stay ahead of potential threats and protect their valuable assets more effectively. 

In today's dynamic threat landscape, cybersecurity professionals must think like hackers and anticipate possible attacks. Cyber games and security challenges offer a unique opportunity to do just that, providing a safe space for defenders to test their skills, refine their strategies, and ultimately strengthen their defenses against real-world threats.