Active Defence A chance to fight back. Dott. Agostino PANICO Rome, 09/06/2016

Transcription

1 Active Defence A chance to fight back Dott. Agostino PANICO Rome, 09/06/2016

2 $ cut -f5 -d: /etc/passwd grep -i panico PhD La Sapienza University of Rome Master Governance e Audit dei Sistemi Informativi Master Degree Information Turin Politecnico GPEN, GCIH, GWAPT, ecppt, emapt, ewpt, ecre, CCNA, CCNA Security, CompTIA Security+, A/LA ISO27001:2013 Co-Author Botnet Mitigation CCDCOE SANS Mentor for SEC504, SEC542, SEC560 2

3 Agenda Current Strategies Why go Through the Trouble Our Network from an Attacker Prespective Step 1 Design Mistakes OODA Active Defence 3

4 Why Current Strategies Are Not Working Offensive: You will need to attack Defensive: Know our limitations Go back 5 or 6 years... What were they saying to defend networks? Patch AV IDS/IPS/Firewall 4

5 Why Current Strategies Are Not Working What are they saying now? Patch AV IDS/IPS/Firewall Do you see the beginning of a bad pattern? 5

6 6

7 7

8 Just a Few Questions What are three AV companies? What are three IDS companies? What are three firewall companies? Who are the biggest? What is the total market share? 8

9 Just a Few More Questions Who are your main adversaries? China? Russia? Organized crime? 9

10 AV Bypass DEMO 10

11 One Last Question Do you think these adversaries have the ability to bypass the limited technologies we just mentioned? 11

12 But Why Go Through the Trouble? One Of the easiest ways for an attacker to hide or event attack your systems is to blend in Many people think that attackers use only exploits to spread through your network Rather, attackers use built-in services and commands to compromise additional systems, such as SSH or RDP with accounts and passwords from the first system compromised This is not caught by your IDS because it is normal traffic 12

13 Count Your Layers of Defense From the outside in Router > firewall > IDS > WAF > level 80 Paladin > data From the inside out AV? Possibly a content proxy? This not only applies to your network, but it also applies to your target s system Start thinking. What defenses do the bad guys use? 13

14 But it Gets Worse Just Your Standard, Everyday Exploit.. 14

15 .Really 15

16 Our Own Protocols Work Against Us How Many of these Trigger an Alert? Domain 16

17 First Three Commands C:\> net view => Show Shares and Systems!!! C:\> net user /domain => Users!!!!!! /F %n in (users.txt) /F %p in (pass.txt) use \\DOMAINCONTROLLER\IPC$ /user:domain\%n %p 1>NUL 2>&1 [*] %n:%p use /delete \\DOMAINCONTROLLER\IPC$ > NUL 17

18 First Three Commands C:\> net view => Show Shares and Systems!!! C:\> net user /domain => Users!!!!!! /F %n in (users.txt) /F %p in (pass.txt) use \\DOMAINCONTROLLER\IPC$ /user:domain\%n %p 1>NUL 2>&1 [*] %n:%p use /delete \\DOMAINCONTROLLER\IPC$ > NUL 18

19 GPP Some things Should never be automated May 13, 2014 MS Possible clear text credentials Accessible by anyone Located in groups.xml file on SYSVOL Pull and decrypt with PowerSploit or Metasploit s GPP 19

20 Shares Stop worrying about Domain Admin Have fun It is about the love and the learning PowerView > ShareFinder Then, sift through the files Oh My 20

21 Time for a Shift.. A shift in our thinking is required A change in what we test A change in how we test A change in how we relate to our networks 21

22 Step 1 Admit you have a problem 22

23 VERIZON DBIR In 93% of cases, it took attackers minutes or less to compromise systems. Organizations, meanwhile, took weeks or more to discover that a breach had even occurred and it was typically customers or law enforcement that sounded the alarm, not their own security measures. 23

24 M-TRENDS The median number of days anorganization was compromised in 2015 beforethe organization discovered the breach (orwas notified about the breach) was

25 M-TRENDS The median number of days anorganization was compromised in 2015 beforethe organization discovered the breach (orwas notified about the breach) was

26 M-TRENDS The median number of days anorganization was compromised in 2015 beforethe organization discovered the breach (orwas notified about the breach) was

27 Key Underline Issue Monitoring Capabilities Lacking Staffing Levels Architectural Shortcomings Poorly Skilled Analysts Costantly evolving Threat Landscape Rapidly Changing organizations Prevention Oriented Represents an outdated model 27

28 Key Underline Issue Monitoring Capabilities Lacking Staffing Levels Architectural Shortcomings Poorly Skilled Analysts Costantly evolving Threat Landscape Rapidly Changing organizations Prevention Oriented Represents an outdated model 28

29 Where we can turn 29

30 Design for fail and not fail to design 30

31 Design for fail and not fail to design 31

32 Architectural key change Design for fail Accept and Expect Compromise Expect the pivot, look for the pivot Perimeter + Prevention Holistic + Detection 32

33 Realize The Truth 33

34 How quickly would you know If a new system popped on your network If a new service started listining on a port If an Admin install a new client app If a new path for a browser extension dropped If someone logged in locally using a service account If a local admin account started authenticating 34

35 OODA Whomever can do these things the fastest lives: Observe Orient Decide Act Originally developed for figher-pilots With current security model how many can you impact?. And Remember... Orient or Dis-Orient 35

36 In other words... All Warfare is Based Another Way To Put It On Deception Sun Tzu 36

37 Active Defence Is Not About Hacking Back (well, just a little) About one technical solution Revenge 37

38 Active Defence Is About Having a Range of Solutions Tipping OODA in our favor Putting Risk in Hacking Networks 38

39 Active Defence It is one thing to cause a stolen computer to report its IP address or it s geographical location in an effort to track it down. It is something completely entirely different to violate federal wiretapping laws by intercepting the electronic communication of the person using the stolen laptop Jude Walter Rice 39

40 Active Defence Characterization The Active Defence AAA : Annoyance Attribution Attack 40

41 Annoyance What we mean? Demo Weblabirinth Honey Ports PortSpoof Artillery 41

42 Attribution What we mean? Word Web Bugs Honey Badger User Physical Location Dionaea - Malware Trapper Decloak - Real IP Revealed 42

43 Attack What we mean? Demo Come on.. No demos for this Need a Warrant 43

44 44

45 THANKS 45