undefined | Better HN

0 pointsbadrabbit6y ago0 comments

Yes a few, very few compared to the rest. You will note I said most of them don't use 0 days and even 1 days. A lot attempt exploitation in some form of another, typically for vulns older than a few months.

It's simply too easy to use other means of delivery.

Look at drive by: https://attack.mitre.org/techniques/T1189/

In most cases the only thing exploited is the sites hosting their malware (typical joomla/wp sites).

Spear phishing attachment: https://attack.mitre.org/techniques/T1193

I see about 3 examples out of 40 that use exploits.

Spearphishing link: https://attack.mitre.org/techniques/T1192/

2/20

https://attack.mitre.org/techniques/T1190/ only 5 examples for public facing asset exploit,mostly sql injection.

Mitre is not a complete list but they do a good job of keeping up with APT techniques. The most famous ones indeed use 0days and that is one of the reasons they're famous. But the end of the day they should be noteworthy based on damage done not "coolness" of the hack.

Software exploitation is a thing but not only is it seen less and less, modern mitigations are making a lot of the techniques obsolete. Look at the fall of exploit kits as an example.

0 comments

TACIXAT6y ago

I do not consider spear phishing an advanced attack (despite many governments doing it). Credential theft definitely is not. Malicious docs generally are not (as they are typically just macros that the user has to run).

Watering holes can be depending on how the malware is delivered once the user visits the site. If it just tries to download it and hope they click, that is not advanced IMO.

I do agree that this is what most organizations face as threats though. Resources like these are for people who want to eventually sell exploits, hunt for bugs, or learn enough to analyze them effectively. I do not think these are for teaching someone to teach corp users to not run docms.

badrabbitOP6y ago

No no no...

It is the threat that is advanced not the technique. That was my whole point. If corp users with all their security teams are still victims how much more are individuals. Or does the world outside of tech bubbles not exist?

Also, macros and docm are only small vector, most non technical people for example would open say...a jar file with a PDF icon that came from an email from a compromised account of someone they know, and trust me I've seen plenty of non corp users without the typical mandatory phishing training fall victims,lose large sums of money,etc...

I have no clue why you don't think spear phishing is an advanced thechnique. Just recently I stumbled upon a word exploit being used and it was not "spear" phising just normal stuff. Does it have to be sophisticated and impressive to be advanced? Often, the most damaging exploits are the ones with minimal attack complexity (a CVE vector that adversley affects the score mind you). Regarsless of your opinion , the offensive way is to use the easiest and quietest method.

As to my comment, the author stating the material teaches people "core cybersecurity concepts" is what I disagreed with. Memory safe lanuages and exploit mitigation solutions make these software exploit techniques very difficult to pull off. Plus, any decent EDR solution easily detects and blocks exploitation of browsers,productivity apps and other well known initial access vectors, so you're basically left with mostly linux that is not hardened and even then only on servers and network devices since most people don't run Linux desktop (and to my point the post does not even touch windows).

Essentially, my point is that any infosec education that is not informed of current practical threats and attacks while very fun to go through, it may not provide as much value as you think.

Even in a tech company/startup where everyone uses linux and mac, it is much more important to have good security architecture and hygeine, do authentication properly (you're exploit proof but someone exposed their ssh private key and got you pwned),knowing risk analysis, threat modeling,incident response,etc... Is much more "core" while exploitation of software and even spearphishing are "edge" concepts.

TACIXAT6y ago

>Does it have to be sophisticated and impressive to be advanced?

Yes. I think this is where our opinions differ. It is always a joke to be reading a blog post about an advanced attacker and the exploit is, as you say, the user clicked a jar with a pdf icon.

I agree completely about things that add value to corporations. This is why I am not working corporate security at a startup. I do not care so much about implementing U2F policies or server authentication methods, even though these are much more impactful for the business. I work for a small company, work on less impactful things (in regards to corporate security), and enjoy myself considerably more. If I could stomach the other stuff I would make more money, but I prefer to enjoy my work and hack on obscure things.

Your namesake with eternalblue is quite advanced (even though it was n-day). That stuff is interesting. Reverse engineering that stuff is interesting. I think these things prepare people to do that sort of work.

1 more reply

j / k navigate · click thread line to collapse

0 pointsbadrabbit6y ago0 comments

It's simply too easy to use other means of delivery.

Look at drive by: https://attack.mitre.org/techniques/T1189/

In most cases the only thing exploited is the sites hosting their malware (typical joomla/wp sites).

Spear phishing attachment: https://attack.mitre.org/techniques/T1193

I see about 3 examples out of 40 that use exploits.

Spearphishing link: https://attack.mitre.org/techniques/T1192/

2/20

https://attack.mitre.org/techniques/T1190/ only 5 examples for public facing asset exploit,mostly sql injection.

Software exploitation is a thing but not only is it seen less and less, modern mitigations are making a lot of the techniques obsolete. Look at the fall of exploit kits as an example.

0 comments

TACIXAT6y ago

Watering holes can be depending on how the malware is delivered once the user visits the site. If it just tries to download it and hope they click, that is not advanced IMO.

badrabbitOP6y ago

No no no...

Essentially, my point is that any infosec education that is not informed of current practical threats and attacks while very fun to go through, it may not provide as much value as you think.

TACIXAT6y ago

>Does it have to be sophisticated and impressive to be advanced?

Yes. I think this is where our opinions differ. It is always a joke to be reading a blog post about an advanced attacker and the exploit is, as you say, the user clicked a jar with a pdf icon.

1 more reply

j / k navigate · click thread line to collapse