Layer8 and the attack of the flying pigs
Lesley Kipling: CCE, CISA, CISSP, MCSE:+Security, CNE
Senior Security Engineer
Law Enforcement Tech Lead
CSS [email protected]
Agenda
Microsoft CSS Security
Brief overview of the trends we’re seeing
Top 10 Microsoft Attack Vectors
Social engineering
Beast Demo
Tools
Microsoft CSS Security: “Hacking the hackers”
Who we are
Incident Response specialists
What we do
Compromised = free MS support
TACTICAL mitigation
Postmortem analysis
Recommendations to help the customer secure against another attack
Get Security Support: http://www.microsoft.com/uk/protect/support/default.mspx
Trends we’re seeing
Sharp increase in cyber crime
Monetary incentive
Low risk of capture
Targeted attacks
Availability of web based info
Growth of the insider threat
Focus moving away from the OS
Attacking the applications
Combined with web app attacks
Attack Vectors: Our Customers' Top 10
Social Engineering
Education (x3!), defence in depth, run as limited user, transparent security controls
Technological attacks:
Mass SQL Injection: ASP.NET coding best practices, SDL for developers
Passwords: make them long and complex, change them every 90 days
Physical Attacks: BitLocker in advanced mode, disable 1394 (FireWire) device drivers, EFS, strong passwords
Attack Vectors: Our Customers' Top 10
Technological attacks, cont.:
Remote Code Execution Vulnerabilities: defence in depth, patch management
NULL Session Enumeration:
Set the RestrictAnonymous registry key; watch out for compatibility issues
http://support.microsoft.com/kb/823659
Unauthenticated Network Access:
NAP, NAC technologies
VPN Servers:
Harden the base machine, tighten access as per:
http://technet.microsoft.com/en-us/library/bb794723.aspx
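The NULL Session Enumeration item above says to set RestrictAnonymous but not how to check what a machine currently has. The PowerShell below is an added example (not from this deck, not a Microsoft tool) that reads the three LSA anonymous-access values and reports which ones still permit null-session enumeration; the default values assumed when a value is absent and the finding text are our own.

```powershell
# Added example: audit the LSA settings that govern NULL session enumeration.
# Registry key and value names are the real Windows ones; defaults assumed below
# (RestrictAnonymous=0, RestrictAnonymousSAM=1, EveryoneIncludesAnonymous=0)
# match modern Windows but are an assumption, not read from documentation here.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa = Get-ItemProperty -Path $lsaKey

# RestrictAnonymous: 0 = rely on defaults, 1 = no enumeration of SAM accounts
# and shares, 2 = no access without explicit anonymous permissions (the most
# restrictive value; this is the one that causes the compatibility issues KB 823659 covers).
$ra  = if ($null -ne $lsa.RestrictAnonymous)         { [int]$lsa.RestrictAnonymous }         else { 0 }
$ras = if ($null -ne $lsa.RestrictAnonymousSAM)      { [int]$lsa.RestrictAnonymousSAM }      else { 1 }
$eia = if ($null -ne $lsa.EveryoneIncludesAnonymous) { [int]$lsa.EveryoneIncludesAnonymous } else { 0 }

$findings = @()
if ($ra -eq 0)  { $findings += 'RestrictAnonymous=0: anonymous enumeration of shares is not restricted' }
if ($ras -ne 1) { $findings += 'RestrictAnonymousSAM=0: anonymous enumeration of SAM accounts is allowed' }
if ($eia -ne 0) { $findings += 'EveryoneIncludesAnonymous=1: Everyone ACEs apply to null sessions' }
if ($ra -eq 2)  { $findings += 'RestrictAnonymous=2: most restrictive setting; test down-level clients and services' }

"RestrictAnonymous=$ra RestrictAnonymousSAM=$ras EveryoneIncludesAnonymous=$eia"
if ($findings.Count -eq 0) { 'NULL session restrictions look tight' } else { $findings }
```

Run it in an elevated PowerShell on each server you are reviewing; changing the values is a Group Policy or reg edit decision to make after reading the compatibility notes in the KB article linked above.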
Threat – Social Engineering
Why?
Most of your attackers already have access
It is a lot harder to configure users
Most attacks against layer 8 succeed immediately
http://zdnet.com.com/2100-1105_2-5195282.html
An example: Flying Pigs
Real example
Another type of threat...
Evolution of Security Controls
Protection must move to the endpoints and the data
Network can no longer be the primary enforcement point
Social Engineering
THE best way to get hold of classified information
Products will in most cases NOT block the attack
KNOWLEDGE is the key to ensure this attack vector doesn’t work
Threat – Social Engineering
Demo: Beast Malware
Demo: Sysinternals\autoruns\WOLF
Questions?