As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.
Topic – Think like an Industrial Spy
Select a company. Thinking like a industrial spy, describe a hypothetical scenario on how you go about attacking their system and acquiring intellectual property.
Next, describe how the attack could have been prevented.
From March 15, 2012.
Wanting to steal intellectual property, I would search for a high gain, low effort target. Small businesses which do R&D seem like good targets to meet this criteria, since their business model relies on developing intellectual property yet they do not have the employees or likely the budget to perform extensive cybersecurity. To select my target, I read about the Small Business Innovation Research, SBIA, Program which provides grants from the Small Business Administration to companies that meet the following criteria: American-owned and independently operated, For-profit, Principal researcher employed by business, Company size limited to 500 employees. Their criteria for giving grants lines up perfectly with my criteria for targets, and their list of recipients is public record. (SBA)
I able to find a list of FY2011 recipients of the SBIR awards from the Environmental Protection Agency with a breakdown of recipients by environmental category of research. I decided to select a company whose category of research was Homeland Security and so I selected Operational Technologies Corporation of San Antonio, Texas. (EPA, 2012)
To collect intellectual property, I need access to their network. The first step after choosing the company is some minor reconnaissance that is checking over their website. There is a Contact Us page with direct email addresses and names for three employees as well as an information email. The direct person contacts will be the best for a well crafted phish, but the info email has the benefit of having a very small chance of being opened outside of the company network. (OTCorp, 2008)
To gain my actual access I will use Metasploit to craft malicious doc and pdf files containing Poison Ivy RAT payloads. (Vacca, 2009, p 55) Once the documents are opened on a vulnerable computer, the remote administration tool is dropped and executed and it calls back to the server I set up. Once that connection is established, I can browse the internal network at my leisure using the full control of the target system that the Poison Ivy gives me. (Codius, 2007)
This attack could have been prevented by intensive scanning of emailed documents and also by using hard to target workstations. The exploits I would be using are targeting Microsoft Office and Adobe Reader on Windows. If alternative software like FoxIt Reader and Openoffice were used then the exploits would fail to land. Likewise, Linux or Mac workstations would prevent the attack too.
Codius. (2007) Poison Ivy Remote Administration Tool Retrieved from http://www.poisonivy-rat.com/index.php?link=dev
EPA. (2012) Small Business Innovative Research:FY11 Awards: Full List Retrieved from http://cfpub.epa.gov/ncer_abstracts/index.cfm/fuseaction/outlinks.sbir/fullList/Yes/showYear/current
OTCorp. (2008) Contact Us Retrieved from http://www.otcorp.com/home/index.php?option=com_content&task=view&id=19&Itemid=34
SBA. Small Business Innovation Research Program Retrieved from http://www.sba.gov/content/small-business-innovation-research-program-sbir-0
Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.
