Hacker for hire
It takes an average of ten minutes for Tyrone Erasmus to break into his victims' networks.
"Four minutes is my personal record," boasts Tyrone Erasmus. Four minutes from launching a cyber-attack to achieving unfettered access to the juicy inner workings of a victim's corporate network. Erasmus is a professional bad guy. He hacks into companies, stealing their secrets and generally making their security teams look incompetent. Managing consultant at security specialist firm MWR InfoSecurity, he and his teams are hired to audit their clients' security, mimicking the behaviour of criminal syndicates that are after the same valuable details: financial systems, intellectual property and trade secrets. "I'm a bad guy who plays by good guy rules," he proclaims, with a nearly straight face.
Since the '70s and '80s, when hackers like Kevin Mitnick and John Draper burst onto the scene, corporate information security has improved greatly, it's far stronger and...haha. Just kidding. "We have a 100-percent success rate," Erasmus says, deadpan.
That's depressing, but his brand of security testing leans towards an educational outcome, he says. "We're about changing perspectives. People working in security tend to have a specific mind-set that's often not suited to dealing with a targeted attack. We're here to show them what would really happen if they were targeted. Afterwards, we walk them through our findings and you can see lightbulbs going on."
Being a hacker for hire comes with a great deal of responsibility. "You're in a position of power a lot of the time. You're handling really sensitive stuff, you're in a position to transfer money out of a company..." For a moment, Erasmus looks lost without a white cat to stroke, but maintains he and his team operate strictly within the confines of the law. "You have to just laugh it off and get on with the job. It takes a special mind-set to be a criminal - I haven't got it."
Targeted attacks are those that involve the malicious actors specifically attacking a chosen victim until the target objective is reached: usually stealing personal information like credit card details or trade secrets. And that breed of attack is on the rise, with hundreds of millions of data records stolen every year, from victims large and small. That is very different from the daily hum of background attacks like viruses and network scans - those are the easy threats that basic security practice should defeat with ease.
"You can think of threat actors as a triangle," he says. "At the base, you have amateur hackers, and at the top, there's the government hackers who are always going to get in if they want to. Most organisations have a threat profile that targets attackers somewhere in the middle. Just make sure you can defend above that level, and you'll be fine."
But a high-level targeted attack, such as the infamous attack on Sony this year, is conducted with skill and precision and the odds are tilted heavily towards the attackers, even those wearing white hats. "I suppose you could say the deck is stacked in our favour," Erasmus muses. "Unless there's someone like us on the defending side, it's always going to be stacked in our favour." Like a professional criminal operation, MWR is a well-funded, motivated and highly skilled, up against victims who are oblivious and frequently untrained.
Would you even know if Tyrone was inside your network? Probably not. "We've had assessments where there's absolutely no alert until the report lands on someone's desk. Usually, if we are detected, we just change tactics until something succeeds. Eventually, something always does."
Tools of the trade
Like the Hollywood comedy of two thieves bumping into each other in the dark, Erasmus says it's not unheard-of for a security tester to catch a real attacker red-handed. "We've had situations where we're midway through an assessment and we find signs that someone else has been there first. Lingering malware on devices, intrusion command-and-control servers, things like that. That usually kicks off a whole separate project to stop that attack."
MWR, like many security firms, also operates a research division that hunts the holy grail of hacking tools: so-called zero-day vulnerabilities. Zero-days are bugs that are as yet unreported, with no available fixes and no known defence. The Karate Kid cranekick of security. And while MWR has a solid track record of finding such bugs - Erasmus recently co-authored The Mobile Application Hacker's Handbook - his team usually doesn't need them, not against the inept security at most companies.
Most of the tools and techniques used by professional hackers are fairly simple; they are just carefully prepared, Erasmus says.
"Custom malware and social engineering works nearly all the time. We've only had to actually break into a building once. That's Plan E." The only forbidden ground is attacking employees' personal lives - a restriction that would not bind a criminal, Erasmus notes. "We don't hack their home WiFi or steal personal phones."
"You need to set up infrastructure and craft your e-mails and get your payloads ready - that can take a few days of work. From the time you send your first e-mail, you'd generally be looking at about ten minutes to achieve penetration." From there, it's just a question of spidering through the network, attacking resources and escalating privileges until the final goal is obtained.
Basic steps would make his life a lot harder, he admits. "Keep your systems patched, use Google Chrome, encrypt your data, and train all your people to be more security aware."
Tyrone himself takes extraordinary steps to thwart attackers: "All our data, everywhere, is encrypted: hard drives, mobile devices, everything. We use two-factor authentication for everything. I use a VPN on my mobile phone, to block WiFi attacks. And I have alerts to detect suspicious behaviour on my devices in case something sneaks through." Extraordinary steps they may be, but not rocket science. If we all followed suit, we'd be a lot more secure.
This article was first published in Brainstorm magazine. Click here to read the complete article at the Brainstorm website.