To understand the mindset of cybercriminals, it helps to know the types of vulnerabilities they aim to exploit.

There’s an old saying: “It takes a thief to catch a thief”. In the security world, you don’t need to be a cybercriminal to catch one – but it certainly does help to understand the way they think.

Two things that commonly cause those vulnerabilities are design flaws and insecure coding.

Why attackers love exploiting design flaws

Attackers look at an IT environment with the aim of turning the system against itself: getting vulnerable systems and applications to aid in, for instance, the theft of data and intellectual property.

One such design flaw, discovered just as voice control of mobile devices was beginning to take off, was astonishingly simple. It allowed the human-friendly user interface of voice assistants to be bypassed, so that an iPhone could be told to call a number of the attacker’s choice, or to open a malicious site from which further malware could be downloaded and installed.

The researchers from Zhejiang University who discovered the flaw found that voice commands shifted to frequencies too high for the human ear could still be ‘heard’ by voice assistants. To put the technique into practice, being within a few feet of the target smartphone with just a few dollars of additional equipment – including a tiny speaker and amplifier – was enough for it to succeed.

Targeting insecure coding

The other major vulnerability class is insecure coding. These vulnerabilities arise when programmers don’t follow the rules for secure programming and are – unfortunately – very common in the software world.

These vulnerabilities come in many forms – including memory-based bugs, which allow attackers to write to places in memory they should never be able to reach, and credential management flaws, which give attackers access to credentials they are not supposed to see. Sometimes programs simply expose debugging information that gives adversaries more useful detail to exploit.

One good example is the sudo bug (the sudo command being widely used across Linux operating systems). Discovered in January 2021, it allows an attacker to escalate privileges from an ordinary user with no permissions at all to root – the equivalent of an administrator – on a local host machine. Insecure coding of this kind potentially gives an attacker access to anything on the host, and there are millions of machines in use today that are vulnerable to this simple-to-exploit bug.

How do attackers find these vulnerabilities? A common technique is fuzzing, an automated software testing technique that looks for exploitable bugs by feeding random, invalid and unexpected inputs into a program in order to surface coding errors and security loopholes.

The attacker will assume that somewhere in the program there is a hidden bug, and now has only two problems to solve. The first is finding out exactly where the bug is, and the second is figuring out what input must be passed through the program in order to trigger the bug.

Happily, vulnerability researchers can also use the same technique to find coding flaws and fix them. Fuzzing tools are easy to run, and the researcher doesn’t have to understand the whole program: they only need to investigate a very small part of the software and let the tool do the rest.
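As an added illustration of the fuzzing workflow described above (example code written for this page, not taken from the article or from any named fuzzing tool): a toy record parser with a planted bounds bug, its hardened counterpart, and a minimal mutation fuzzer that separates the parser’s documented rejections from unexpected failures worth triaging. The record format, the seed record and all function names are constructed assumptions.

```python
import random
# Constructed record format (an assumption for this example, not from the article):
# byte 0 = payload length N, bytes 1..N = payload, byte N+1 = sum of payload bytes mod 256.
SEED = bytes([4, 0x41, 0x42, 0x43, 0x44, (0x41 + 0x42 + 0x43 + 0x44) & 0xFF])  # valid "ABCD"

def parse_buggy(data: bytes) -> bytes:
    # Trusts the length field: in C this is an out-of-bounds read, here an unexpected IndexError.
    if not data:
        raise ValueError("empty record")
    n = data[0]
    if (sum(data[1:1 + n]) & 0xFF) != data[1 + n]:  # BUG: never checks that index 1+n exists
        raise ValueError("bad checksum")
    return data[1:1 + n]

def parse_fixed(data: bytes) -> bytes:
    # Validates the length field against the real buffer size before indexing with it.
    if len(data) < 2 or len(data) != data[0] + 2:
        raise ValueError("length field does not match record size")
    if (sum(data[1:-1]) & 0xFF) != data[-1]:
        raise ValueError("bad checksum")
    return data[1:-1]

def classify(parser, data: bytes) -> str:
    # ValueError is the parser's documented rejection path; any other exception is a finding.
    try:
        parser(data)
        return "ok"
    except ValueError:
        return "rejected"
    except Exception:
        return "crash"

def mutate(seed: bytes, rng: random.Random) -> bytes:
    # One random mutation: overwrite a byte with a random value, or truncate the record.
    buf = bytearray(seed)
    if rng.randrange(2):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    else:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)

def fuzz(parser, seed: bytes = SEED, iterations: int = 500, rng_seed: int = 1):
    # Feed mutated inputs until the parser crashes; return that input (or None) for triage.
    rng = random.Random(rng_seed)
    for _ in range(iterations):
        candidate = mutate(seed, rng)
        if classify(parser, candidate) == "crash":
            return candidate
    return None
```

Running `fuzz(parse_buggy)` returns a truncated or length-corrupted record that the buggy parser mishandles, while the same input is cleanly rejected by `parse_fixed` and `fuzz(parse_fixed)` finds nothing.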

The key takeaway is that the best weapon a researcher has is learning to think like an attacker and to develop a similar mindset. By analyzing the same flaws attackers are looking for, researchers can find the exploitable gaps and enhance the security posture of their organizations.

The consequences of not doing so can be serious: exploiting the right vulnerability can open a pathway through your defenses, or allow an attacker to escalate privileges and, in turn, compromise privileged accounts. The latter lies at the core of the cyber-attack cycle.

To learn more about how privileged access management can help break the cycle and help protect organizations’ most critical data, infrastructure and assets, download a complimentary copy of the Gartner 2021 Magic Quadrant for Privileged Access Management [1]: https://www.cyberark.com/gartner-mq-pam/

[1] Gartner, Magic Quadrant for Privileged Access Management, Felix Gaehtgens, Abhyuday Data, Michael Kelley, Swati Rakheja, 19 July 2021

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.