
Common Objectives


Persist presence

When an attacker can persist their presence on a target organization’s information systems, it means that they have reliable remote access via a back door to the target organization’s systems. This compromised system is also termed a beachhead or foothold as it is the initial location through which the attacker gains access to the target organization’s network.

Rather than executing the attack the moment that a foothold has been reached, competent attackers often set up the digital equivalent of a base camp from which they are able to reconnoitre the target organization’s infrastructure and systems. Many attackers spend months examining a network to determine what existing security and monitoring systems are in place before they begin to take the actions that will achieve their objectives.

Once a beachhead is established and the attackers have an accurate picture of the target organization’s infrastructure, they can upload and deploy their exploit toolkit to a location on the target organization’s network. The attacker can then use the tools in this toolkit to move laterally across the target organization’s network, compromising further systems and elevating privileges.

Steal data

One of the oldest types of attacks is the theft of data. In the case of the 2013 Target data breach, attackers were able to successfully exfiltrate credit card data from the merchant and sell those credit card numbers on the dark web. Other well-known breaches involving the stealing of data have involved the internal communication of political parties that have later been publicly released as a method of discrediting the authors of that communication.

There are a variety of methods that can be used to steal data, from being able to extract information from databases using SQL injection attacks, through to the exfiltration of entire virtual machines when attackers gain control of virtualization infrastructure, export production virtual machines, and then upload the exported virtual machine files to the internet.
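The SQL injection route to data theft mentioned above comes down to a single coding defect: user input spliced into the text of a query. The following is an added example, not code from the course, showing the vulnerable pattern beside its parameterized fix against a constructed in-memory SQLite table (the `customers` table, its rows, and the function names are all made up for this illustration):

```python
import sqlite3

# Constructed sample data: made-up usernames and masked card references.
SAMPLE_ROWS = [
    ("alice", "4111-XXXX-XXXX-1111"),
    ("bob", "5500-XXXX-XXXX-0004"),
    ("carol", "3400-XXXX-XXXX-0009"),
]


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, card_ref TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """DEFECT: the caller's input becomes part of the SQL text, so the
    caller controls the structure of the query, not just a value."""
    sql = f"SELECT username, card_ref FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the value travels separately from the statement and
    can only ever be compared as a string, never interpreted as SQL."""
    sql = "SELECT username, card_ref FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a normal username and with a crafted one.

    With the crafted input the vulnerable query degenerates into
    WHERE username = '' OR '1'='1' and returns every row; the
    parameterized query simply finds no user with that literal name.
    """
    conn = build_db()
    normal = "alice"
    crafted = "' OR '1'='1"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_crafted": lookup_vulnerable(conn, crafted),
        "safe_normal": lookup_parameterized(conn, normal),
        "safe_crafted": lookup_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s)")
```

The point for a defender is that the fix is not input filtering but a change in how the query is constructed; the parameterized version needs no knowledge of which characters are dangerous.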

Hackstortion

Hackstortion is a term for the process that occurs when an attacker compromises a target’s network and then requests payment for a specific action to be taken. This action might be for the attackers to destroy sensitive data they exfiltrated rather than exposing that data to the public. Another action might be to return command and control of the target organization’s infrastructure to the original owner. Hackstortion can include data theft, but it specifically involves a financial demand being placed on the organization, rather than the data being sold or released to the public without such a demand being made. The red team might simulate an attack where hackstortion is the objective pursued, either by exfiltrating data or by taking control of the target organization’s infrastructure as proof that the organization was vulnerable to this approach.

One recent example of hackstortion occurred when a group of attackers compromised the information systems of a popular television production company and threatened to release digital copies of unaired episodes of popular shows to file sharing sites unless an extortion payment was made. Another example of hackstortion involved attackers who attacked dating sites, extracted personal data, and then threatened to expose that personal data to the public unless payments were made, or certain actions were taken.

Yet another form of hackstortion occurs when administrative accounts of cloud service providers are compromised. When this occurs, the attacker threatens to delete all infrastructure hosted in the account unless a ransom is paid within a certain short period of time. This period is usually shorter than the time it would take for the attacked organization to recover administrative control through the cloud service provider’s support mechanisms.

Ransomware

Ransomware, also known as cryptoware, encrypts files and sometimes entire operating systems so that they are inaccessible unless a special decryption key is provided. The attackers will provide a decryption key that can be used to recover the encrypted systems for a fee, usually in a cryptocurrency like Bitcoin. The red team’s goal might be to install ransomware as a method of demonstrating that the organization’s infrastructure was vulnerable to this attack.

Ransomware is effective because many organizations do not have comprehensive data backup and recovery strategies. Organizations are faced with the choice of losing almost all their data or paying the ransomware fee to have the data readily recoverable. Recent surveys indicate that approximately 60% of organizations suffered some form of ransomware attack in 2016. Reports also indicate that ransomware can be very lucrative to the attacker, which is one reason why ransomware attacks have become more prevalent.

Coin Miners

Coin mining malware is software that is used to perform the calculations associated with cryptocurrencies such as Bitcoin. Rather than run coin mining software on their own infrastructure, with its attendant costs in hardware and electricity, coin mining attacks involve attackers running cryptocurrency mining software on the infrastructure of the compromised organization. The red team’s goal in an exercise might be to install coin mining malware, simulating this type of attack.

The payoff for the attacker is that they can generate cryptocurrency using the compromised infrastructure, with the attacked organization providing the CPU resources. Another advantage of this type of attack is that unless an organization has a comprehensive and effective monitoring solution, it’s possible for the coin miners to run quietly in the background, generating income for the attackers for some time without the target organization becoming aware that anything is amiss.
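The paragraph above makes the case for monitoring: a miner that saturates a CPU for hours is visible in process telemetry if anyone looks. The following is an added example, not course material, of the simplest such check: it parses constructed per-process CPU samples and flags any process that stays above a threshold for a sustained run of consecutive samples. The telemetry format, host and process names, and the thresholds (`CPU_THRESHOLD`, `MIN_CONSECUTIVE`) are all assumptions made for this illustration.

```python
from collections import defaultdict

CPU_THRESHOLD = 90       # assumed: percent of a core that counts as "saturated"
MIN_CONSECUTIVE = 5      # assumed: back-to-back samples required before alerting

# Constructed telemetry, one line per sampling interval per process:
# "<timestamp> <host> <pid> <process name> <cpu percent>". All values are made up.
# nginx idles, logrotate spikes briefly and drops, kworker_helper never lets go.
SAMPLE_TELEMETRY = """\
2017-03-01T02:00:00 web01 1201 nginx 12
2017-03-01T02:00:00 web01 2204 kworker_helper 98
2017-03-01T02:00:00 web01 3310 logrotate 95
2017-03-01T02:01:00 web01 1201 nginx 15
2017-03-01T02:01:00 web01 2204 kworker_helper 97
2017-03-01T02:01:00 web01 3310 logrotate 92
2017-03-01T02:02:00 web01 1201 nginx 11
2017-03-01T02:02:00 web01 2204 kworker_helper 99
2017-03-01T02:02:00 web01 3310 logrotate 3
2017-03-01T02:03:00 web01 1201 nginx 14
2017-03-01T02:03:00 web01 2204 kworker_helper 96
2017-03-01T02:04:00 web01 1201 nginx 13
2017-03-01T02:04:00 web01 2204 kworker_helper 98
2017-03-01T02:05:00 web01 1201 nginx 12
2017-03-01T02:05:00 web01 2204 kworker_helper 97
"""


def parse_samples(text):
    """Turn the constructed telemetry into (ts, host, pid, name, cpu) tuples."""
    samples = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, pid, name, cpu = line.split()
        samples.append((ts, host, int(pid), name, float(cpu)))
    return samples


def longest_saturated_run(cpu_values, threshold=CPU_THRESHOLD):
    """Length of the longest run of consecutive samples at or above threshold."""
    longest = current = 0
    for cpu in cpu_values:
        current = current + 1 if cpu >= threshold else 0
        longest = max(longest, current)
    return longest


def find_sustained_cpu_hogs(samples, threshold=CPU_THRESHOLD,
                            min_consecutive=MIN_CONSECUTIVE):
    """Group samples per (host, pid, name) and flag sustained saturation.

    A short burst (a batch job, a compile) is ignored; only a process that
    stays pinned for min_consecutive samples in a row produces a finding.
    """
    by_process = defaultdict(list)
    for ts, host, pid, name, cpu in samples:
        by_process[(host, pid, name)].append((ts, cpu))

    findings = []
    for (host, pid, name), series in by_process.items():
        series.sort()  # order by timestamp so "consecutive" means consecutive
        run = longest_saturated_run([cpu for _, cpu in series], threshold)
        if run >= min_consecutive:
            findings.append({"host": host, "pid": pid, "name": name,
                             "saturated_samples": run})
    return findings


def demo():
    """Run the detector over the constructed telemetry."""
    return find_sustained_cpu_hogs(parse_samples(SAMPLE_TELEMETRY))


if __name__ == "__main__":
    for finding in demo():
        print(f"ALERT {finding['host']} pid={finding['pid']} {finding['name']}: "
              f"{finding['saturated_samples']} consecutive saturated samples")
```

On the constructed data only `kworker_helper` is flagged; `logrotate` is not, because its two high samples fall short of the run length. A CPU-only rule is a starting point rather than a complete control: a miner can throttle itself to stay under any fixed threshold, so in practice this check is paired with a per-host baseline of expected processes and with egress monitoring for long-lived outbound connections.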

Destroy Systems

The objective of some attackers is to destroy the infrastructure of the target organization. This is possible because certain types of malware can execute code that causes harm to storage, memory, CPU, and networking hardware devices. This code functions by pushing these devices beyond their tolerances; for example, causing memory or CPU to overheat and fail. This type of attack has also been used by state actors against industrial equipment; for example, when Stuxnet was used to attack centrifuges in Iranian nuclear facilities.

This article is from the free online course Microsoft Future Ready: Fundamentals of Enterprise Security

Created by
FutureLearn - Learning For Life
