Now this is a post that matters. If you follow any of my content you probably have noticed that I post a bunch of things, some of it seemingly random. This is because I tend to post just about whatever is bothering me at a given moment. I try to use my blogging really honestly, and so I just honestly post! However, that isn’t to say that what I’m posting doesn’t have some merit to it.
I think stealth has a lot of merit to it. I don’t mean stealth aircraft, though there certainly is some merit to them (I have opinions about this subject too). But I mean physical stealth, ninja stuff! I have loved being ‘sneaky’ since I was a little kid. I used to run about trying to sneak up on my friends. I know I’m biased, but as I recall I was actually quite good at it.
If you’ve read my post on how I got started in cybersecurity then you know that it was this obsession with being a sneaky bugger that got me interested in video games like Splinter Cell which eventually resulted in me finding cybersecurity.
I’m saying all this not to bore you, but to be clear that I have some amount of bias on the subject of stealth. I know that I do. But I still think I have something real to say about it!
Okay, so here goes. In the near future I think physical (shadow) stealth is going to become increasingly important in the information security field. By extension this also means that it will become increasingly important in related fields such as military operations (though it’s already quite important there). You see, we’re getting better and better at securing at least the network perimeter of many companies against intrusion. Certainly some of the same tricks that worked in the past still work today. But increasingly, for many companies, this is not the case.
It used to be that you could be guaranteed to easily gain and maintain access to a company with a phishing email. This is still absolutely possible today, but the writing is on the wall that malware attacks via phishing aren’t going to be around forever. It has definitely become harder in the past 5 or so years to land malware on a user’s device using this technique. So what you’re left with instead is trying to use a ‘credential harvester’ style attack in many cases.
These styles of attack are also becoming increasingly difficult to successfully use as companies work to adopt FIDO standards and move away from ‘phishable’ credentials. What you’re left with is that phishing is becoming harder and harder, as are many other perimeter attacks.
It used to be that you could be assured you would find a way into a network with or without phishing. You could find server assets in a DMZ and, from a compromise of one of those, work your way into the corporate network. However, the move to cloud has complicated this. At a minimum, the move to cloud has made the pathway from web-accessible server assets to the corporate environment more distant.
At the end of the day, the secret you may want to know is that physical access is arguably becoming easier. Take a look at the following and you’ll start to see how:
- FIDO standards (physical access to credentials)
- Remote work (proliferation of location)
- VPN and location or device restrictions (trusted device/trusted location)
There is a real possibility that many companies are going to implement all the latest and greatest of information security controls in an attempt to stop cybercrime, only to open themselves up to greater physical intrusion.
So ‘physical intrusion’ can mean a lot of things. It’s not just that you need to ‘sneak’ physically. You can be loud, very loud even. Or you can use traditional ‘social’ or ‘ruse’ based access attempts. I’ve done plenty of these in my years as a pentester. I’ll give you reasons why I think all the alternatives to ‘shadow stealth’ have significant drawbacks.
Using a ruse is a popular method with information security companies to perform a ‘physical pentest’. For this you dress up as someone that should have a reason to be in the building you’re attempting to gain access to; then essentially lie about why you are there in order to convince the security, or whomever else, to allow you in.
I have three major issues with the ruse technique.
With recent increases in the ability of facial recognition software to easily locate someone based on what they look like (and an increasing proliferation of CCTV), a ruse is no longer a technique that can be relied upon to produce a safe result for the participant in a real-world scenario. Forget pentesting, where if you get caught you congratulate the defenders. For real thieves and cybercriminals, being caught even after the fact can be deadly. To this end, they never wish to reveal their face. Pentest companies that continue to sell ruse-based pentests do their clients a disservice if their clients fear high-tier adversaries like this.
Legitimately there is only one hope here: that for the near future, concerns over disease continue to support a ‘mask wearing culture’. You will not want to take your mask off once inside the target building. If you can pass that off as caution against pathogens, you may still stand a chance, for now.
The reason that a ruse approach has traditionally been so successful is the historical inability of large companies to communicate rapidly internally. It is very realistic that one end of the company might order a construction team to enter the building but forget to tell the doorman. This type of thing has happened for thousands of years! Because of this, people generally just assume that it’s an oversight, or that the person they’re talking to is telling the truth. Most of the time, it is true!
Increasing interconnectedness makes this less and less of an issue, however. Now if you want to confirm that the construction crew really should be there, it’s easy. The ease with which information systems make it possible to track these sorts of things also means that many companies are installing enforcement such as “scannable work orders”, where the front desk can actually verify that the work order is valid without having to call anyone.
Even if you manage to gain access to a portion of the building by disguising yourself as pest control, does that mean you have access to the server room? I’ve done this type of ruse and been denied the server room with a simple “why do you need to go in there?” Smarter buildings mean more locks that only allow certain personnel access. It means having to call for additional review to gain the access you really want. This means getting caught 9 times in 10 with any actual target.
Even if you manage to get yourself literally hired as a legitimate pest control person by your target company, and even if they give you a badge, that badge probably doesn’t get you into the server room. To gain access to the server room you’ll still be trying to ‘sneak’ in. You’ll just be using your ruse to get close (a legitimate tactic, but it still emphasizes my point).
You may need to bring tools with you to help you defeat security systems. You may be picking locks, or blinding cameras. You may need to open secure hatches, or even move from floor to floor outside the walls of the building. These techniques require that you are not seen at all while carrying them out. In many cases the equipment required for them also must avoid detection.
If you ‘force’ entry, you leave a trail. This means you only have a certain amount of time to use any access that you might have gained. This is certainly going to be a popular strategy with cybercriminals because of how easy it is. It will be used by low-tier adversaries, I guarantee it. But in almost all cases, if you break into a home in an obvious manner, or pull a gun and demand to be let into the server room, you might get in, but your access will be almost immediately revoked.
The only time this type of strategy should be considered is when there is a legitimate target that can be gained with quick access. For example, if you knew of a location of highly sensitive information, and could simply go grab the hard drive and walk away with it.
I won’t write much here because so much has already been written about the unreliable nature of double agents. But suffice it to say that recruiting someone to get you access is very possible – but dangerous. This is likely to be one of the most commonly used techniques by spy agencies in the coming decade or two. But it will not be without its issues. Moles are notorious for being exceptionally expensive, dangerous, unreliable, and just as likely to feed you bad information that leads you into a trap.
Simply put, if you attempt to coerce someone into giving you access, even if it succeeds it likely won’t succeed for long. If you force them to hand over their password with a weapon, you’ll need to keep that weapon on them. The moment you let up, they’ll reveal what is happening to their employer and you’ll lose your access. There are ways to make this access last slightly longer. But generally they involve co-workers quickly noticing that their peer isn’t showing up to the office, and your access disappearing only slightly later in the day.
Stealth is coming
In the very near future physical access will be king for the ‘beachhead’ portion of any good hack. That physical access will require you to avoid detection if you want to maintain your access. It will likely require you to overcome physical security measures, and it will also likely involve not wanting to be seen without a mask on. Once that beachhead on the network is secured, then the traditional hacking can begin.
I think many companies, nations and syndicates will continue to play the same old game. But any of them which discover the viability of physical stealth will soon come to dominate the field. I know if I were making the call for them, I might put out a sign:
Actual Ninjas Wanted.