Any fisherman (or phisherman) will be quick to tell you one truth—things do not always go as planned. No matter how much time and effort you put into preparation, you are sure to encounter a few surprises.
Recently, my wife and I had planned the perfect Sunday adventure. We decided to target a remote river lake tailwater in a serene setting with no foot access and extremely minimal boat access. The unnamed river flows through a canyon surrounded by palisades that reach 200-300 feet tall. History documents this waterway as being on Daniel Boone’s path after he escaped from the Shawnee and traveled to the famous Fort Boonesborough, where he would warn the colonials of an approaching siege. Oh yeah, I had also heard whispers that trophy-sized rainbow and brown trout inhabit these waters.
How could this day get any better? Outside of a splash of bourbon, it really couldn’t.
Picking Our Spots
With a little studying of Google Earth, we were able to find a path into this lightly traveled and lesser-known waterway. I identified a small boat ramp on a connecting waterway that would require a quick four-to-five-mile trek on the river to reach our destination. A quick check of the weather maps looked promising. There was a small chance of showers, but any rain seemed like it should be quick and provide a reprieve from the warmth of the hot summer sun.
So, we packed the coolers, loaded our gear, and made the one-and-a-half-hour drive to our entry point.
After navigating down a single-lane winding road on the side of a small canyon, we approached our boat ramp. We were greeted by yellow tape surrounding the ramp area and a small poster-board sign attached to a fold-out chair that read “Ramp Closed.”
It turns out there’s a new judge in town, and he’s putting the lockdown on folks operating businesses with delinquent permits. Dang.
Plan B It Is
What do we do? Do we tuck our tails and head back home? No way—the key to success is persistence and agility.
We’re out of cell phone service range at this point, so we truck back and start looking for another access point. Unfortunately, this is the only ramp on this pool of the river that is suitable for a motorboat. You see, the Kentucky River has a series of 14 locks and dams over the course of the river. Those locks were abandoned by the U.S. Corps of Engineers in the 80s, so boaters can no longer lock through the dams. The stretches of water between those locks are known as pools.
If there’s only one way into the pool, and that location is closed, you’re out of luck. Hmm, if only that principle applied to securing my infrastructure.
There was another option though.
Originally, we had planned to target the tailwater—downstream of the dam. At this point, that is not possible. We decide to move upstream of the dam. Unfortunately, there’s no trophy trout there, but we can adapt to other species. The palisades are still there, but rather than being in a river at the canyon’s bottom, we’ll be floating near the top. Daniel Boone still traveled these waters, and the sun is still shining.
So, we trek to our new put-in, launch the boat, prep our gear, and we’re off!
Then, The Storm
Finally, a few hours later than planned, we’re on the water and everything is perfect… except for the looming dark clouds that seem to be forming almost instantly from a bluebird sky.
You see, here in Kentucky we are blessed with pop-up storms. I’m no meteorologist (is anyone really?), but I understand that the combination of heat and humidity creates the perfect conditions for storms to appear out of thin air. Sure enough, those dark clouds open with rain. We’re three miles from our put-in, in the middle of a torrent, and our rain gear is back in the truck.
What do we do? Nothing. Sit back, anchor down, and let it rain. Three inches of rain in the boat later, the sun reappears. We start casting to rocky banks with some chunky streamers and enjoy a great day on the water.
What does any of this have to do with cyberattacks and cybersecurity?
Persistence and agility are skills that all attackers possess and utilize. They are also skills that you possess and can utilize. Understanding this parallel will allow you to approach your cyber footprint with methodical logic that will serve as a very valuable tool. This idea can be applied when proactively securing an environment or when responding to cyberattacks.
Attackers are Agile and Persistent!
Let’s think about a few examples and parallels.
Flexibility in Finding Access
My hunt for an access point to reach my goal is the same thing an attacker does when executing recon on your business. They will spend a significant amount of time researching your attack surface to find the best possible entry point for cyberattacks.
The entry point could be an inadvertently exposed port, a downgraded application, a misconfigured service, or anything else that might be navigable. Don’t fool yourself into believing that the attackers pack up and walk away once you discover and secure that entry point, though. They’re going to continue to study your map (recon data) to identify another path. And guess what—if that map doesn’t reveal a path in, they will be agile enough to quickly shift their focus to another context altogether.
Perhaps you have properly secured your remote administration portal and the attacker decides the easiest path is to switch to highly targeted social engineering cyberattacks that will ultimately deploy command and control.
You Can’t Really Hide Access
My lack of cell phone service reminded me of attempting to obfuscate a service by changing the default port. The service is still there; I just have to travel to another location to see it.
I see this often. Folks deploy remote connection services on non-standard ports and think they will go undiscovered. What happened when I hit the ramp that was closed (like a default port would be)? I went back to the map to identify another way in.
Attackers will start by scanning the most popular ports, but if you are a target and they exhaust those efforts, they will resort to full port scanning and fingerprinting. This means those services will be discovered and the hidden “boat ramp” will still be found. The fact of the matter is this: if that port is risky enough that they have taken the time to obfuscate it, does it really need to be exposed to the internet anyway?
Perhaps put the application behind an IP allow list or secure it behind a VPN. Sure, these things take time and effort, but that is the reality of all good things. Security is no different.
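The scanning behaviour described above, as an added example that is not code from the original post: a small detector run over constructed firewall log lines that flags a source which has exhausted the popular ports and moved on to a full sweep, and notes when that sweep reached a service hidden on a non-standard port. The log format, port lists and sweep threshold are assumptions.

```python
"""Flag sources that went from a quick 'popular ports' pass to a full sweep
and reached a service hidden on a non-standard port.

Added example, not code from the original post. The log line format, the
port lists and the sweep threshold are constructed assumptions.
"""
import re
from collections import defaultdict

# Services moved to non-standard ports: the post's "hidden boat ramp" (assumed).
OBSCURED_SERVICES = {33389: "rdp", 2222: "ssh"}
# Ports a quick first-pass scan would try (assumed, not exhaustive).
POPULAR_PORTS = {21, 22, 23, 25, 80, 443, 445, 3389, 8080}
# Constructed syslog-style firewall line: "... SRC=1.2.3.4 DPT=80 ACTION=DROP".
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DPT=(?P<dpt>\d+) ACTION=(?P<act>\w+)")


def parse(lines):
    """Yield (src, dport, action) for each line matching LINE_RE."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["src"], int(m["dpt"]), m["act"]


def analyze(lines, sweep_threshold=20):
    """Return {src: report} for sources probing >= sweep_threshold distinct ports.
    The report splits popular ports from the rest, so it is visible that the
    scanner kept going after the common ports, and lists any obscured service
    the sweep touched (whether the firewall accepted or dropped the probe)."""
    ports_by_src = defaultdict(set)
    for src, dport, _ in parse(lines):
        ports_by_src[src].add(dport)
    reports = {}
    for src, ports in ports_by_src.items():
        if len(ports) < sweep_threshold:
            continue
        reports[src] = {
            "distinct_ports": len(ports),
            "popular_tried": len(ports & POPULAR_PORTS),
            "other_tried": len(ports - POPULAR_PORTS),
            "obscured_hit": sorted(OBSCURED_SERVICES[p] for p in ports if p in OBSCURED_SERVICES),
        }
    return reports


# Constructed sample: one source tries the popular ports, then sweeps a block of
# high ports and lands on RDP hiding at 33389; a second source is ordinary traffic.
SAMPLE_LOG = (
    [f"Jul 14 09:01:{i:02d} fw kernel: SRC=203.0.113.7 DPT={p} ACTION=DROP"
     for i, p in enumerate(sorted(POPULAR_PORTS))]
    + [f"Jul 14 09:10:{i % 60:02d} fw kernel: SRC=203.0.113.7 DPT={p} ACTION=DROP"
       for i, p in enumerate(range(33000, 33100))]
    + ["Jul 14 09:12:05 fw kernel: SRC=203.0.113.7 DPT=33389 ACTION=ACCEPT",
       "Jul 14 09:12:09 fw kernel: SRC=198.51.100.4 DPT=443 ACTION=ACCEPT"]
)
```

Running `analyze(SAMPLE_LOG)` reports only 203.0.113.7, with 9 popular and 101 other ports tried and `obscured_hit == ["rdp"]`; the obscured service was found by the sweep even though it never answered on a popular port.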
Make it Dam Secure
The river dams are just like network segmentation. You may not be able to keep someone out of the river—but in Kentucky, they sure can keep you out of a segment of the river.
With all the recent news surrounding supervisory control and data acquisition (SCADA) attacks this comparison seems obvious.
We know that many SCADA systems are deployed using legacy and antiquated technologies. With this inherent risk in mind, how do you properly secure those environments?
Put some river locks in your network and keep folks out of the SCADA environment. Don’t integrate SCADA with your enterprise network. Don’t permit untethered access into that environment. Establish well-controlled environments that only permit access from required systems and users.
And for those systems that have access in—make sure they do NOT have untethered access to the internet.
All of this will limit any potential cyberattacks from getting out of hand.
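The three segmentation rules above (no enterprise path into SCADA except from the systems that need it, only the ports they need, and no outbound internet access from SCADA), as an added example that is not code from the original post: a small first-match policy model with a flat "integrated" rule set beside a locked-down one, audited against probes that encode those rules. The address plan, rule sets and probes are constructed assumptions.

```python
"""Audit a firewall policy against the post's segmentation rules for SCADA.

Added example, not from the original post. Address plan, rules and probes are
constructed; evaluation is first-match with a default deny, as a typical
zone firewall behaves.
"""
import ipaddress


def rule(src, dst, port, action):
    """Build a (src_net, dst_net, port-or-'any', action) tuple."""
    return (ipaddress.ip_network(src), ipaddress.ip_network(dst), port, action)


def evaluate(rules, src, dst, port):
    """First-match evaluation; anything not explicitly allowed is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rsrc, rdst, rport, action in rules:
        if s in rsrc and d in rdst and rport in (port, "any"):
            return action
    return "deny"


# Assumed plan: enterprise 10.10.0.0/16, jump host 10.20.0.0/24 (the only
# "required system"), SCADA 10.30.0.0/24, internet anything else.
# Each probe is (src, dst, port, required result) and encodes one principle.
PROBES = [
    ("10.10.5.5", "10.30.0.10", 502, "deny"),    # enterprise -> PLC (Modbus): no
    ("10.20.0.2", "10.30.0.10", 502, "allow"),   # jump host -> PLC on Modbus: yes
    ("10.20.0.2", "10.30.0.10", 22, "deny"),     # jump host on a port it does not need
    ("10.30.0.10", "203.0.113.9", 443, "deny"),  # SCADA -> internet: never
]


def audit(rules):
    """Return (src, dst, port, wanted, got) for every probe the policy gets wrong."""
    violations = []
    for src, dst, port, want in PROBES:
        got = evaluate(rules, src, dst, port)
        if got != want:
            violations.append((src, dst, port, want, got))
    return violations


# Flat "integrated" policy: the whole 10/8 can reach SCADA, and SCADA can reach anything.
FLAT_RULES = [rule("10.0.0.0/8", "10.30.0.0/24", "any", "allow"),
              rule("10.30.0.0/24", "0.0.0.0/0", "any", "allow")]
# Locked policy: only the jump-host subnet, only Modbus, nothing out (default deny).
LOCKED_RULES = [rule("10.20.0.0/24", "10.30.0.0/24", 502, "allow")]

if __name__ == "__main__":
    print("flat policy violations:", audit(FLAT_RULES))
    print("locked policy violations:", audit(LOCKED_RULES))
```

The flat policy fails three of the four probes; the locked policy passes all of them because everything it does not name falls through to the default deny.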
Persisting After the Storm Passes
Those rainstorms we ran into were just like localized threat hunting.
While Mother Nature was blasting me with a downpour, most other boaters went blazing for the ramp. Just like an attacker would, I persisted despite challenges. I moved out of the main channel and waited patiently in a cove for the storm to pass.
So, imagine you have identified a compromised user workstation and unleashed the storm of the century on that system (meaning, you rebuilt it entirely). You dust your hands and walk away feeling a sense of pride in successfully defeating an attacker.
This is quite short-sighted.
Did you dissect that exploit to understand all techniques deployed in these cyberattacks? Did you investigate the system for signs of privilege escalation or lateral movement? It’s very likely this system was just the boat ramp that allowed them access to the river, and by the time you discovered they had been there, they were already well upstream.
This means that after the storm passes, they will still be there. Another thing to consider is that showing your hand to an attacker like this triggers one of two responses: lie low and wait for the storm to pass, or shift into high gear and launch a full-scale attack (such as deploying ransomware).
So, realize that you inherently possess the skills to think like an attacker. You just have to recognize how to use them based on your other experiences.
Kill-chains follow common logic that we use in our own lives every day. Applying method and logic to your thought process when securing your environment helps you better understand how cyberattacks happen and prevent them.
Attackers are human: they follow the path of least resistance and are driven by profit. They are persistent and agile.
If we expect to stop more cyberattacks, we must think like an attacker and be persistent and agile as well.
For more information about how to prevent cyberattacks, help improve your business’s security, or for some helpful technical resources, visit oldfrsecure.kinsta.cloud/team-ambush.