Criminal minds in the channel

Thinking like a hacker makes good data governance sense, notes Andy Green

What can you learn from reading the exploits of the most successful hacking ring ever brought to justice? Recently, the US Attorney's Office in New Jersey unsealed their indictment against a mostly Russian one. An American co-conspirator was also named.

This gang of cyber-criminals is alleged to have snatched about 160 million credit card numbers, resulting in more than $300m in losses over seven years.

Scanning the indictment, I was left with the strong impression that this group had a rock-solid business model, excelled at executing their plans and was actually good at following IT security principles – in fact, better at this than their victims.

According to the government's investigation, heavily reliant on chat sessions between the principal hackers, stolen credit card numbers were sold through wholesale networks. US numbers would go for $10, Canadian ones for $15 and European numbers for $50 each.

The hacking gang, which the government accurately referred to as an organisation, would offer bulk discounts too – that is, corporate payment schedules. The distribution network would then resell stolen data through their channels to end users.

By the way, this hacking organisation did not take credit card payments for their services – just bank wire transfers and Western Union. This was a good move on their part because, don't you know, credit card numbers are vulnerable to theft.

Their hacking craft was a little more advanced than that of the common cyber thief. They relied heavily on SQL injection to break into websites, rather than brute-force password guesses.

Their retailer, banking and credit card company victims validated yet again that these industries are the most heavily hacked sectors, as reported in the stats from Verizon's Data Breach Investigations Report. In a few cases, the hackers chose retailers based on the type of POS equipment, because they could install specially configured software sniffers to hoover up unencrypted card numbers.

Yet again, these mostly food and clothing retailers were PCI-compliant.

After breaking in, the hackers then had the more complex problem of where to find the credit card numbers and other personal identifying data. In hacker terminology, this is known as post-exploitation.

To get a better understanding of post-exploitation methodology, you'll need go over to the dark, or at least the grey, side. So I decided to take a look through the archives of Defcon, which is billed as the world's longest running and largest underground hacking conference.

I came across a good presentation on this subject written by two penetration testers (or pen testers, as it's abbreviated in the business). They noted that the job of the hacker is to hide in plain sight. In bold red font on one of their slides was the command: "Don't be an anomaly."

Another slide points out that getting root access is not necessarily a desirable goal for a hacker because it's also a user level that is most likely audited.

This is generally solid advice, but of course the hackers can't know ahead of time how users actually behave long term, and there is – ahem – software available that can spot atypical file access patterns.

Anyway, the two pen testers suggested that wannabe hackers come in as ordinary users and selectively hijack credentials and sessions. So which user should a hacker pick? The pen testers' overall advice was to know the target environment, learn who has access to what and then find out where the data is.

Hmmm, where have I seen these phrases before? Obviously, this is core IT data governance wisdom that every sys admin should be applying in their daily work.

It's perhaps a bit counter-intuitive that we have pen testers to thank for making a solid governance case in a presentation on post-exploitation techniques, but, in the upside-down world of hacking, it's the cyber thieves who are doing a better job than the targeted companies at seeing the value in the data and applying good IT practices.

VARs in the security space will soon be dealing with more cyber threats that have deep knowledge of their customers' IT systems and defences. This particular series of hacks point out that post-exploitation liabilities can be greatly mitigated through improved file system governance. Companies need to know their data as well as the hackers.

I have – and you should as well – little patience for those who want to scrimp on data governance as part of a security mitigation program. Ultimately, you want to be better than a cyber gang at really knowing your data.

Andy Green is a technical specialist at Varonis