Thinking like a criminal improves cybersecurity for IBM
January 2020 by IBM X-Force Security
X-Force Red is the offensive security division of IBM Security. This team of researchers is employed to test the limits of organisations’ security, uncovering weak points in both physical and cybersecurity that may be exploitable by attackers. GlobalData looks at one of their most successful techniques.
GlobalData’s technology writer Ellen Daniel says: “By ‘thinking like a criminal’ X-Force Red comes up with new and creative ways of infiltrating organisations before an attacker does.
“One such technique has been dubbed ‘warshipping’. X-Force Red researchers have successfully shipped in packages containing cheap but powerful computers, small enough to go unnoticed, making it possible to infiltrate an organisation from within its walls.”
Charles Henderson, global managing partner and head of X-Force Red, says: “We started looking at new and interesting ways we could get on folks’ wireless networks, in ways that we could also do surveillance on our clients that they may not have thought of with their physical security practices, and warshipping came out of that.
“We could put anything in the box, we could put something very mundane [inside], and I don’t even care if they throw that something in the box away, there’s a tendency to keep the box and bring it into a facility.
“If I have a specific target in mind at a company, I can actually address it to them and it’s delivered to them. Warshipping is very directed.
“With one client, we were targeting their secure facility, the facility that actually as a person, even as a trusted vendor, I was not allowed into, and when you went in, you were swept for electronic devices. You couldn’t bring a cell phone in. It was a very highly secured R&D facility. We shipped warshipping in, and not only did it get in in one day, it was walked right into the facility.
“And they actually had what’s called a Faraday cage that prevented RF [radio frequencies] from leaving the facility, they had it shielded. The warship is smart enough to start recording everything in that facility, and it can’t get home over the mobile network while in the facility, but it records to memory on the device. And when it was removed from the facility and could phone home, it dumped all that data.”
With a plethora of new methods at their disposal, how can organisations prepare for the type of attack cybercriminals may deploy next? Henderson believes this involves a more complete vision of security.
“Treat a package just like you would a criminal. Meaning, if you wouldn’t let a person into a facility, why are you letting an untrusted package in? ... More importantly, though, on a grander scheme, start thinking like an attacker, whether it’s physical, whether it’s your network, whether it’s an application layer, even whether it’s hardware. You need to think through the eyes of an attacker.”