Transcript of slides: Cybersecurity Red Team, Blue Team III.pdf
Page 1
CYBERSECURITY RED TEAM, BLUE TEAM
OLLI Summer 2016
Tom Manteuffel
Slides: http://www.olligmu.org/~docstore
Page 2
Plan of The Course
Week I - How did we get here?
Week II - Red Team: Hacking 101
Week III - Blue Team: Defending the home computers
Page 3
Phases in a Major Attack
Reconnaissance
• Open source investigation
• Possible Google-hacking
Intrusion
• Acquiring persistence, command-and-control
• Privilege escalation
Network Discovery
• Scanning
• Footprinting
Host Capture
• Data capture and encryption
Exfiltration
• Data transfer to source
Page 4
Cyberwarfare
Page 5
Will there be a Cyberwar? There has already been one…
• Has among the highest Internet usage in the world
• Has free Wi-Fi virtually everywhere
• First nation to conduct voting purely online
• Where Skype was invented
And it happens to be where the first cyberwar was launched…
Page 6
Cyberwar 1.0?
April 2007: Denial of Service attacks targeted the Estonian Parliament, banks, ministries, newspapers and broadcasters.
The attacks followed the Estonian Parliament’s decision to relocate a bronze post-WWII monument to the Red Army.
The attacks triggered militaries around the world to prepare for cyber attacks.
NATO established its Cyber Defense Center in Estonia in 2008.
Page 7
Stuxnet
Malware targeting Iranian nuclear centrifuges was developed by nation-state(s).
Eventually escaped to the wild, causing headaches for civilian infrastructure.
Was largely thought to be effective.
But…
Page 8
Titan Rain
A long series of cyber attacks starting around 2001 targeting Lockheed Martin, Sandia Labs, DIA, Redstone Arsenal, etc.
Generally attributed to Chinese (PLA) entities.
Billions of dollars worth of stolen intellectual property has been taken overall.
Attacks may have moderated since a September 2015 informal promise by Xi Jinping to Obama that China would constrain its attacks.
Page 9
Verizon’s Annual DBIR
http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
Page 10
Verizon DBIR 2016
Who is responsible? Nation-state vs. organized crime
What are they after?
Page 11
Verizon DBIR 2016
How does malware get in?
Page 12
Research on Specific Threats
Recent cyber-espionage research published in 2015/2016
• APT28 (FireEye)
• APT30 (FireEye)
• Duqu Threat Actor (Kaspersky)
• Morpho Group (McAfee)
• Various Actors/Campaigns (Kaspersky)
• Project CameraShy (ThreatConnect)
• Various Actors/Campaigns (CrowdStrike)
Arm yourself with information…
Page 13
So What Can One Do to Protect Oneself?
Page 14
Be Password Savvy
Consider using a password manager
LastPass 4.0
RoboForm
Sticky Password
LogmeOnce
Page 15
Use an Up-to-Date Antivirus
Avast Free Antivirus 2016
AVG AntiVirus Free (2016)
Panda Free Antivirus 2016
Bitdefender Antivirus Free Edition (2014)
Check Point ZoneAlarm Free Antivirus + Firewall 2016
Sophos Home
All these are free…
Page 16
You Can Submit Malware Here
Page 17
Antivirus Used on VirusTotal
Page 18
This is just the last seven days’ activity…
Page 19
Keep Up-to-Date on Patches
Consider using a tool to detect unpatched software:
Microsoft Baseline Security Analyzer
Personal Software Inspector
Always accept patches when offered, especially Adobe (including Flash), Java and browsers.
Page 20
Free Endpoint Protection
Install one and see if it fits your needs…
Page 21
Microsoft Tools
Page 22
Good Source for Info/Downloads
Page 23
Other Tools
Page 24
More Tools
Page 25
Don’t Websurf as Administrator
Page 26
Browser Safety Habits
Disable automatic JavaScript and other scripting languages
Minimize Tracking
Suppress ads and popups
Or…
Page 27
To Fight Ransomware…
Backup!
And maybe try…
Page 28
Email Security
Also be wary of attachments!
Page 29
If you are a bit tech savvy…
Try Application Whitelisting…
[Diagram of whitelisted applications; labels: Adobe, MS Word, Outlook, Windows Explorer, Firefox, System]
Page 30
Application Whitelisting
Look up Windows Family Safety feature and use ‘child accounts.’
Recommended reading
Application whitelisting is like the inverse of antivirus, which attempts to block known-bad programs. Whitelisting permits only known-good programs.
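An added example (not from the slides) that contrasts the two decisions in Python: an antivirus-style denylist built from known-bad file hashes beside an allowlist built from known-good hashes, both applied to constructed sample files that stand in for programs. The file names and contents are invented for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large executables do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def denylist_decision(path, known_bad):
    """Antivirus style: block only a program whose hash is already known-bad."""
    return "block" if sha256_of(path) in known_bad else "allow"


def allowlist_decision(path, known_good):
    """Whitelisting: allow only a program whose hash is known-good."""
    return "allow" if sha256_of(path) in known_good else "block"


def demo():
    # Constructed sample "programs": plain files standing in for executables.
    d = tempfile.mkdtemp()

    def write(name, content):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(content)
        return p

    word = write("word.exe", b"trusted word processor build 1")
    old_virus = write("oldvirus.exe", b"sample whose signature the AV already has")
    new_virus = write("newvirus.exe", b"never-before-seen sample")
    known_good = {sha256_of(word)}      # the allowlist: trusted programs only
    known_bad = {sha256_of(old_virus)}  # the denylist: signatures seen so far

    results = {}
    for name, p in [("word", word), ("oldvirus", old_virus), ("newvirus", new_virus)]:
        results[name] = (denylist_decision(p, known_bad), allowlist_decision(p, known_good))
    # A modified copy of the trusted program no longer matches its known-good hash:
    # the allowlist blocks tampering, but also blocks a legitimate update until refreshed.
    tampered = write("word2.exe", b"trusted word processor build 1 plus extra code")
    results["tampered"] = (denylist_decision(tampered, known_bad), allowlist_decision(tampered, known_good))
    return results
```

Each result is a (denylist, allowlist) pair; the never-before-seen file is allowed by the denylist and blocked by the allowlist, which is the property the slide describes.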
Page 31
Some more ideas…
• Turn off the computer when not in use
• Occasionally examine Windows Task Manager
• Windows EMET is free, and helps, if you’re tech savvy
• Can try anti-rootkit freeware: Vba32 Anti-Rootkit
Page 32
What To Do If You’ve Been Hacked
Page 33
Compared to those who defend corporate and governmental networks…
…you have a chance!
Happy surfing….