Following the cyberspying breaches at Google, Adobe, Yahoo!, Intel, Juniper
and others, there's been much discussion and dissection of targeted attacks. But
rarely is an individual operation laid out in step by step detail. And rarer
still is an account told from the hacker's perspective.
Adriel Desautels runs Netragard, a cybersecurity consultancy that, among
other services, performs penetration tests on clients to expose their security
vulnerabilities.
In a blog post
Monday evening, Desautels laid out a recent hacking operation that his SNOsoft
research team was hired to perform on a bank client. Though he doesn't name the
target, he describes step by step the social engineering involved in sussing out
the bank's defenses, including staging a fake job interview with unwitting
employees of the company. The technical strategy for breaching the bank's
defenses--a targeted, booby-trapped PDF attachment--isn't a surprise. But the
detailed description of the preparation for that exploit is a rare window into
the hacking process.