
Attacking the Weakest Link


When I look at a system and think about its security model, the first thing I start poking around at is where I think security is weakest. For instance, if my target is a Microsoft SQL Server box, I don’t generally look for a weakness in SQL Server itself. I start looking at the operating system, I look at accounts that may have access, and since I’m really worried about the data being taken, I look to see how backups are handled and where they are written to.

I believe I started to think like this because of playing a lot of chess growing up. In chess, the name of the game is to checkmate the enemy king. However, once you get past a certain proficiency level, direct attacks against the king don’t work initially. I learned to accumulate advantages elsewhere and press those advantages until the enemy king was vulnerable. That’s how I think about attacking a system.

Of course, the history of warfare also teaches us to think this way. A bad actor isn’t going to play fair. This isn’t a jousting contest between two knights. It’s about one side who’ll do anything to win and the other side having to plan and prepare for such an adversary. Case in point, the Maginot Line looked to be a source of strength for France against an invasion by Germany. The problem was that while France built the series of fortifications on the French/German line, it did not do so along the French/Belgian one. After all, in a likely conflict, Belgium would remain neutral and Germany would be forced to try its hand at the French/German line. But Germany didn’t play fair. It ignored Belgium’s neutrality and rolled through the nation, into France, and took out the French forces at the Maginot Line from behind, thereby allowing full access across the French/German border. This is the way bad actors will “fight” if they want our assets.

2019 PASS Summit – How I Would Attack SQL Server

While this talk is about five years old now, it covers how I would go after SQL Server if I were the bad actor. The principles haven’t changed. I’m going to go after the weakest link. Why do more unnecessary work? This isn’t about fighting to beat someone’s strength. I don’t have time for that. If I am doing this to make money, the faster I’m in and out, the better. I have less chance of getting caught and I have more time to raid someone else. Same thing is true if I am an opposing corporation or nation. You can decide to “fight fair,” but I guarantee you there are plenty of adversaries out there who won’t.
