The exploitation phase offers a threat actor his or her first opportunity to celebrate a victory. One of considerable size well into the active stages of a cyber attack. This celebration also represents an organization’s failure on two fronts:

  • Failure to prevent a weaponized object from entering the environment and
  • Failure to detect the object once it’s inside.

Other issues leading to a successful exploitation include failing to prevent user interaction with web-based threats. Merely browsing to a malicious site could trigger the execution of code designed to exploit a vulnerable client.

Lost in Translation?

Let’s start with the ultimate holiday movie reference, Home Alone. Exploitation is the moment when Marv gets smacked in the face by a clothing iron.

Lets’ review the setup:

Weaponization – Kevin ties a string to the handle of a heated clothing iron. He lowers the opposite end into the basement via laundry chute. In the basement, he links the free end of the string to an actual light bulb and positions the fixture near the ceiling. It is now disguised to appear extraordinarily similar to a real functioning light.

Delivery Kevin shuts off all of the lights in the basement. He also carefully balances the iron on the edge of the second story laundry chute.

Exploitation – Marv walks around the dark basement. He happens upon an enticing light bulb. Marv yanks on the string to turn on the “light.” The lamp does not turn on. Instead, the downward force on the line tips the iron from its balance into freefall. The iron falls an entire story through the laundry chute before landing on Marv’s face. A victory for Kevin!

In the physical world, this exploitation was immediately apparent to Marv. In the cyber world, without the proper tools in place, actions of exploitation may not be quite as noticeable.

The main reason you may not catch an exploited weakness is that of the hacker’s need to be hidden. Once found, threat actors can be booted out of a system before they have the information they need. Stealth is critical in a cyber attack. Typically, an attacker needs to mask his or her presence until it’s too late for the defender and organization. Once a weakness is exploited, the hacker nests into a system, and determines the best way to maximize their gains. And your losses.

There are two important things to note:

  1. Exploitation cannot exist without vulnerability.
  2. Not all vulnerabilities are technical.

Let’s expedite an expedition into the technical aspects of Exploitation!

Strictly put, exploitation is code designed and executed to leverage a specific weakness on a target system. The goal? They want to gain administrative or root privileges. A broader definition includes exploiting human nature using social engineering to obtain sensitive information. However, that is outside of this lightly technical discussion.

Technical vulnerabilities even exist in applications or operating systems themselves.

Examples include:

Buffer overflow/underflow –  a program is purposefully written to manipulate your data processors. When it executes, it ends up writing malicious code onto your hardware/firmware. Almost like when your odometer for 999,999 miles turns over that last mile. You don’t have a spot for the one to show up on 1,000,000, so instead, you get the returned value of “000,000”. 

Integer overflow/underflow – same sort of idea as above, but dealing with a mathematical computation, and based on the space available for the answer.

Signed value bug – again same idea, but this time it exploits an odometer capable of holding a negative number (negative ‘sign’ lending its name to the issue)

Double free/null pointer – A program’s settings are purposefully reset to corrupt the program’s memory processors. Or the program is set to look for a value that isn’t there. The program then crashes and leaves the files of the application vulnerable to being overwritten.

Format string, etc. – Say you have an online program that asks a user for input. %ReadMe(_If_you_can_read_this,_this_could_be_a_program_I_put_onto/your_question/ which_now_executes.code.exe) and takes it over, due to how programming languages work. Bye-Bye, Bitcoins!

Some vulnerabilities require user interaction to exploit, and some do not (e.g., WannaCry).

The weaknesses exploited in the Home Alone example include Marv’s lack of attention to details, the darkness of the basement, and his unprotected face.

Marv’s failure detecting the trap of the weaponized clothing iron led him to a situation that, according to an actual doctor, is more often than not a severe emergency. Hockey players wear helmets and visors to protect against such injuries. They are also vigilant, or they risk a bone-jarring body check from an opposing player. Marv should wear such body armor to help him against the risk of injury, especially given his risky choice of occupation.

Likewise, computers need software updates and security patches along with endpoint protection (anti-malware) software as their armor in the digital world. Installing next-generation firewalls and a network-based intrusion prevention system with various sensors is a wise course of action, and gets you beyond the basics of protection.

Since computers exist for human use, they also depend on human awareness for protection against threats.

We can see from the movie that Marv’s assumption that Child Kevin would be incapable of violence is foolish. He wasn’t expecting the threat and failed in noticing that the light was hanging from a string emerging from the laundry chute.

“But it’s just an email or a website; I can close out of it easily enough. What harm could it really do?”

Cybercriminals prey on this lack of awareness and use the above assumption to their advantage. The dark basement is your email inbox, and you are Marv, walking around, turning on lights to open an email. Instead of one light bulb, you have hundreds of lamp chains to check. Before pulling on each string, use these tips to check for threats. Update and patch your computers, and install anti-malware software.

Stage IV: Exploitation – Best Defense: Technology Traps, and as Always, Awareness.