IMA - Anatomy of an Attack - Presentation - 28Aug15
TRANSCRIPT
![Page 1: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/1.jpg)
The Anatomy of an Attack: Think Like a Criminal
![Page 2: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/2.jpg)
About Your Presenters
Ken Smith
• Employment
  • Senior Consultant, SecureState, LLC.
  • Professor of Network Security, University of Mount Union
  • Cyber Security, Curriculum Development, Notre Dame College
  • Formerly of 5th Special Forces Group (Airborne)
• Education
  • BS, Computer Info Systems, University of Dayton
  • AA, Arabic Language and Culture, Defense Language Institute
  • MA, Security Policy Studies, Notre Dame College
• Areas of Specialization
  • Physical Security, Wireless Encryption, and Mobile Devices
Benjamin Brooks, CISSP
• Employment
  • Consultant, SecureState, LLC.
  • Equipment Architecture and Configuration Validator, US Special Operations Command
  • Leading Chief Petty Officer, US Navy Special Warfare, Tactical Information Operations, SEAL Team-5
• Education
  • BA, Political Science, University of Illinois
• Areas of Specialization
  • Policy, IT Partnering, Wireless Technologies and Mobile Devices
![Page 3: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/3.jpg)
Agenda
• Basics Booster
• State of Affairs
• Oh, the Places They’ve Breached!
• Threat Actors
• The Attacker’s Mind
• A Paradigm Shift
• Operation OatmealGhost
• Q&A
![Page 4: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/4.jpg)
Basics Booster
Confidential Information
Information Security: Confidentiality, Integrity, Accessibility
![Page 5: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/5.jpg)
State of Affairs
• Breaches continue in spite of budget increases
  • Industry and size agnostic
• Attacks are increasing in frequency
• Variety of threat actors
  • Not much in common at first glance
  • Deeper analysis reveals shared mindsets
• Need for fundamental change in our approach to security
![Page 6: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/6.jpg)
Regulations and Frameworks
![Page 7: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/7.jpg)
Breached 2014
![Page 8: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/8.jpg)
Breached 2014
[Chart: Technology Investments After The 2014 Breaches. Horizontal bars, 0% to 60%, for: Security Incident & Event Management (SIEM), Endpoint Security, Intrusion Detection & Prevention, Encryption, Tokenization, Web Application Firewalls, Mobile Device Management, Identity & Access Management, Security Governance, Forensic Tools, Firewalls, Data Discovery, Virtual Private Network, Data Loss Prevention (DLP), Anti-Virus/Anti-Malware, Sensitive Data Management, Data Classification, Other. One bar is labelled 34%.]
![Page 9: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/9.jpg)
Breached 2015
![Page 10: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/10.jpg)
Threat Actors
![Page 11: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/11.jpg)
The Attacker’s Mind : Always Assume a Breach
![Page 12: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/12.jpg)
The Attacker’s Mind
• Attack methods are unpredictable
• Tools and exploits released continuously
• New indicators of compromise
• Attack methodology is not!
• Independent of background
• Recognizable behavior
![Page 13: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/13.jpg)
The Attacker’s Mind
Enumeration
• Users
• Services
• Port Scans
• Operating Systems
• Vulnerabilities
Exploitation
• SQL Injection
• Leverage Vulnerabilities
• Establish Foothold
• Evasion Techniques
• Human Element
Privilege Escalation
• Configuration Files
• User Pivoting
• Backups
• Scripts
• GPO Preferences
• Mimikatz
Post Exploitation
• System Pivoting
• Network Pivoting
• Persistence
• Pillaging
• Destruction
• Exfiltration
Discovery
• OSINT
• DNS
• Whois
• Network
• Metadata
• Social Media
![Page 14: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/14.jpg)
The Hacker’s Mind
• Curiosity
• Problem Solvers
• Defiant
• Detail-Oriented
• Determined
• Sense of Community
![Page 15: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/15.jpg)
A Paradigm Shift
![Page 16: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/16.jpg)
A Paradigm Shift
• Compliance-driven security testing
  • No social engineering
  • Notify IT/Security teams of testing
  • Small time windows
  • Single lane assessments
• We’re on the same side
• Attackers don’t limit themselves
  • Why should you?
![Page 17: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/17.jpg)
A Paradigm Shift – One Phish, Two Phish
• Spam is not phishing
• Gone are the days of the Nigerian Prince
• Modern attacks
  • Targeted
  • Well-developed and researched
  • Timely
• Can be a touchy subject
  • People feel tricked and distrustful
  • This is something to embrace (to an extent)
![Page 18: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/18.jpg)
A Paradigm Shift – Red Phish, Blue Phish
• Verizon’s 2015 Annual Attack Vector Report
  • 23% of recipients open phishing messages
  • 11% open malicious attachments
• Median time to first click
  • 22 seconds
• All it takes is one
![Page 19: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/19.jpg)
A Paradigm Shift – Time and Scope
• Verizon report
  • 37% of breaches contained within hours
  • 30% contained within several days
• Numbers are post-discovery
• FireEye 2012 report
  • Average cyberespionage attack continued unchecked for 458 days before discovery
• Detection deficit
  • 8-16 hour penetration tests aren’t good enough
![Page 20: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/20.jpg)
Operation OatmealGhost
![Page 21: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/21.jpg)
Scenario
• Target Profile
• Multinational
• Decentralized
• Trophies
• Intellectual Property
• Merger/Acquisition Info
![Page 22: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/22.jpg)
Send in the Team!
![Page 23: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/23.jpg)
Attack Vectors
![Page 24: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/24.jpg)
Attack Vectors
![Page 25: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/25.jpg)
Attack Vectors
![Page 26: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/26.jpg)
Timeline of Events
N - 14
• Recon Begins
• Targets Identified
• Hardware Ordered
• Sites Collected
• Metadata Collection
N
• Brute Force Lotus Notes
N + 2
• Shipped Payloads
N + 4
• Lotus Notes Recon TROPHY
• USB Payload Connects Back To C2
N + 4 (+ 5 HR)
• Multiple Domain Administrators TROPHY
• *** Unrestricted *** Pivoting
![Page 27: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/27.jpg)
Highlight Reel
Access To Lotus Notes Permitted Monitoring & Countermeasures
Global Penetration
Regained Access After Blocking
Gained Access To Chat Server – Began Chatting As Admins
Listened to & Recorded Conference Calls
![Page 28: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/28.jpg)
After Action Review (AAR)
• What went right?
  • Extended time period
  • Inclusion of social engineering as a vector
  • Reactions were legitimate
• What went wrong?
  • Defenses had been focused on traditional barriers
  • Reacting to events over email
  • Admin staff act hastily without understanding the situation
![Page 29: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/29.jpg)
After Action Review (AAR)
What Should Have Been Done Differently?
• Think Like an Attacker Before/During/After
  • Where are our weaknesses?
  • What is an attacker likely to do next?
  • Social Media – Don’t be specific!
• War gaming
  • Attack Your Own Organization
  • Seek Out Weakness Throughout The Organization
• Remove Limitations on assessments
  • A penetration test can be more
  • Think beyond compliance
  • Include Social Engineering
Become Proactive NOT Reactive!
![Page 30: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/30.jpg)
After Action Review (AAR)
Top Three Things You Can Do
• Educate
• Educate
• Educate!
![Page 31: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/31.jpg)
War Room Technical Blog
https://warroom.securestate.com
@SS_WarRoom
![Page 32: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/32.jpg)
Q&A
@p4tchw0rk
@technlogian
![Page 33: IMA - Anatomy of an Attack - Presentation- 28Aug15](https://reader036.vdocuments.site/reader036/viewer/2022062823/5876c7d11a28ab6d5a8b6393/html5/thumbnails/33.jpg)
A Paradigm Shift - Phishing
https://github.com/securestate/king-phisher