Becoming the Adversary

Similar documents
Attackers Process. Compromise the Root of the Domain Network: Active Directory

MODERN DESKTOP SECURITY

A YEAR OF PURPLE. By Ryan Shepherd

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Cyber security tips and self-assessment for business

Cyber Security. Our part of the journey

Modern Realities of Securing Active Directory & the Need for AI

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

Penetration Testing with Kali Linux

10 FOCUS AREAS FOR BREACH PREVENTION

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Sobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Advanced Threat Hunting:

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

How Breaches Really Happen

AUTHENTICATION. Do You Know Who You're Dealing With? How Authentication Affects Prevention, Detection, and Response

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

68 Insider Threat Red Flags

Segmentation for Security

SOLUTION BRIEF ASSESSING DECEPTION TECHNOLOGY FOR A PROACTIVE DEFENSE

Security Testing. - a requirement for a secure business. ISACA DAY in SOFIA. Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE

n Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test

Information Security Controls Policy

cs642 /introduction computer security adam everspaugh

Evolution Of Cyber Threats & Defense Approaches

Remote social engineering techniques involving Microsoft Universal Naming Convention (UNC) function.

All the Cool Kids Are Red Teaming Should You Be Drinking the Kool-aid Too?

Building a Threat-Based Cyber Team

Incident Scale

Forensic Network Analysis in the Time of APTs

Computer Network Vulnerabilities

Building Resilience in a Digital Enterprise

External Supplier Control Obligations. Cyber Security

Remote Desktop Security for the SMB

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications

How NOT To Get Hacked

Sharing What Matters. Accelerating Incident Response and Threat Hunting by Sharing Behavioral Data

The Value of Automated Penetration Testing White Paper

PracticeDump. Free Practice Dumps - Unlimited Free Access of practice exam

Detecting Lateral Movement in APTs ~Analysis Approach on Windows Event Logs~ June 17, 2016 Shingo ABE ICS security Response Group JPCERT/CC

A practical guide to IT security

Understanding the Changing Cybersecurity Problem

Cyber Security Audit & Roadmap Business Process and

Critical Hygiene for Preventing Major Breaches

Managing an Active Incident Response Case. Paul Underwood, COO

SearchInform DLP. Data Loss Prevention and Insider Threat Security

Cisco Cyber Range. Paul Qiu Senior Solutions Architect

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

Network Defenses 21 JANUARY KAMI VANIEA 1

CYBER SECURITY FOR MEDICAL COLLEGES

SHARE Session Protecting Critical Data on a z/os Mainframe: A New Attitude

Automated Context and Incident Response

Live Adversary Simulation: Red and Blue Team Tactics

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

ADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

Onapsis: The CISO Imperative Taking Control of SAP

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Insiders: The Threat is Already Within

Security analysis and assessment of threats in European signalling systems?

Reduce the Breach Detection Gap to Minutes. What is Forensic State Analysis (FSA)?

Electronic Access Controls June 27, Kevin B. Perry Director, Critical Infrastructure Protection

RSA INCIDENT RESPONSE SERVICES

RastaLabs Red Team Simulation Lab

RSA INCIDENT RESPONSE SERVICES

Premediation. The Art of Proactive Remediation. Matthew McWhirt, Senior Manager Manfred Erjak, Principal Consultant OCTOBER 1 4, 2018 WASHINGTON, D.C.

The New Normal. Unique Challenges When Monitoring Hybrid Cloud Environments

EFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave

Governance Ideas Exchange

The Invisible Threat of Modern Malware Lee Gitzes, CISSP Comm Solutions Company

ANATOMY OF AN ATTACK!

Close the security gap with a unified approach. Detect, block and remediate risks faster with end-to-end visibility of the security cycle

: Administration of Symantec Endpoint Protection 14 Exam

Introduction to Threat Deception for Modern Cyber Warfare

Cyber Security. Building and assuring defence in depth

Service Provider View of Cyber Security. July 2017

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

Application Whitelisting and Active Analysis Nick Levay, Chief Security Officer, Bit9

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

Locking down a Hitachi ID Suite server

WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION. A Novetta Cyber Analytics Brief

Gladiator Incident Alert

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Man-In-The-Browser Attacks. Daniel Tomescu

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

Security Awareness & Best Practices Best Practices for Maintaining Data Security in Your Business Environment

Effective Data Security Takes More Than Just Technology

Hacking Our Way to Better Security: Lessons from a Web Application Penetration Test. Tyler Rasmussen Mercer Engineer Research Center

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Security Solutions. Overview. Business Needs

Colin Gibbens Director, Product Management

Hacking Demonstration. Dr John McCarthy Ph.D. BSc (Hons) MBCS

Un SOC avanzato per una efficace risposta al cybercrime

10 Ways Credit Unions Get PWNED

Network Security and Cryptography. December Sample Exam Marking Scheme

Transcription:

SESSION ID: CIN-R06 Becoming the Adversary Tyrone Erasmus Managing Security Consultant MWR InfoSecurity @metall0id

/usr/bin/whoami Most public research == Android Something different today 2

Overview Introduction Viewing your organisation from the outside The attacker mind-set Mechanics of a targeted attack Case studies Defenders vs. attackers 3

Security in organisations What does security mean in your organisation? Fixing vulnerabilities Reaching some compliance standard Buying security equipment: firewalls/ips What are you actually trying to prevent? 4

Understanding your adversary Organisations don t have unlimited money for security Defence must be tailored to the motivations of your most likely threat actor If you understand what they are after, you will understand how to prioritise your security spend 5

Threat actors APT Serious Organised Crime Highly Capable Groups or Individuals More Targeted Likelihood of successful attack increases Motivated Individuals Script Kiddies / Amateurs Likelihood Of Attack 6

Threat actors APT Focus of this talk Serious Organised Crime Highly Capable Groups or Individuals More Targeted Likelihood of successful attack increases Motivated Individuals Script Kiddies / Amateurs Likelihood Of Attack 7

Your organisation Internal DMZ Internet Proxy 8

The attacker mind-set Attackers want what you have Money Intellectual property Client data Secret information Reputation <fill in your core assets here> 9

The attacker mind-set This information is on your internal network Select employees have access to it Attackers are also constrained by money Easier/quicker is always better ROI is important 10

The attacker mind-set They don t care about What security testing you have done Out of scope systems Rules for fair play They are relentless 11

Impact Team Note to Ashley Madison from Impact Team 12

Targeted Attack Mechanics

Internet Internal Perimeter breach What is it? 14

Internet Perimeter breach Internal network access from the internet! 15

Perimeter breach Classic techniques Attacking VPNs Web application vulnerabilities RDP Other remote access services e.g. SSH 16

$ Attacking the perimeter 17

Perimeter breach Modern techniques Client-side memory corruption exploits Abusing features in client software Watering hole attacks 18

$ Attacking a user over email 19

Perimeter breach (for cheapskates) Think less about memory corruption exploits Software targeting has to be perfect Exploit may fail Think more about features Office macros Java applets Click-once applications HTML applications Browser extensions 20

Our quickest perimeter breach Find email addresses using free tools $ python theharvester.py -d mwrinfosecurity.com -l 200 -b google 21

Our quickest perimeter breach account-update.xlsm 22

Our quickest perimeter breach 4 minutes later 23

$ Our quickest perimeter breach 4 minutes later 24

Privilege Escalation Likely have limited access once inside Need to escalate your privileges Either escalate on that host Or move laterally 25

Local privilege escalation Obtain SYSTEM Shared local admin password? Processes from other domain users steal token? More on this later 26

Lateral movement Don t use scanning and exploits This will get you caught Think Misconfigurations Active directory abuse 27

Lateral movement Local Admin passwords stored in group policy? Passwords lying around on file shares? Current compromised computer have admin access on any other computers? If you have any passwords, does any useful account have same password? 28

Lateral movement Privilege escalations are about finding local admin access on computers where Domain Admins have logged in Perhaps Domain Admin access is not required to do your evil deeds 29

Lateral movement Things to do with local admin access Steal user passwords (mimikatz) Steal SATs (incognito) Rinse and repeat until getting domain admin 30

Some attack paths to Windows Domain compromise 31

Post domain admin Classic techniques Dump domain hashes Crack passwords Pass the hash Modern techniques Golden tickets Overpass-the-hash DCSync Skeleton key 32

User exploitation (Raphael Mudge ) Abusing user access to obtain goals Methodology Find Access Observe Keylog 33

User exploitation Depends on goal of attackers Find user(s) with access to asset 34

Example: User exploitation Goal: Make a payment using finance systems Pull all active directory groups Read emails / Exchange groups Search for finance/disbursements group names 35

Example: User exploitation Get list of users in those groups Find them on network Netsessions API Event logs on Domain Controllers Many more Deploy secret VNC to machines 36

Example: User exploitation Start keylogger Watch them use applications Learn Learn Learn Do their actions need authorisation? Same process for authoriser 37

Solitaire session watched over VNC while waiting to see mainframe use 38

Example: User exploitation Gather stolen credentials for all parties involved Replicate entire business process Make payment 39

Domain Compromise Case Studies

3389/tcp - open Case study 1 RDP on perimeter Found RDP exposed on perimeter 41

3389/tcp - open Case study 1 RDP on perimeter No credentials! 42

Case study 1 RDP on perimeter Sent word document with image loading from UNC path 43

Listening on 445/tcp Case study 1 RDP on perimeter Capture NTLM challenge/response 44

3389/tcp - open Case study 1 RDP on perimeter Cracked password and logged in! 45

3389/tcp - open Case study 1 RDP on perimeter Searched file servers found service account password 46

3389/tcp - open Case study 1 RDP on perimeter Shared password with Domain Administrator 47

Send.docm over email $ Case study 2 Malicious macro Send word document with payload inside macro 48

$ Case study 2 Malicious macro Receive connection from compromised laptop 49

$ Case study 2 Malicious macro Group policy preferences contained local admin password for laptops 50

$ Case study 2 Malicious macro Hunted logged in domain administrators to their laptops 51

$ Case study 2 Malicious macro Logged into administrator laptops and stole token 52

$ Case study 2 Malicious macro Domain Controller access! 53

$ 443/tcp - open Case study 3 Watering hole attack Compromise immature subsidiary of mature company 54

$ 443/tcp - open Case study 3 Watering hole attack Employees of parent company use web application on subsidiary network 55

$ 443/tcp - open Case study 3 Watering hole attack Changed login page to include HTML application 56

$ Case study 3 Watering hole attack Compromised user on parent company 57

$ Case study 3 Watering hole attack User had administrator access on many machines 58

$ Case study 3 Watering hole attack Found a domain administrator logged in on one machine and stole token 59

$ Case study 3 Watering hole attack Compromise domain controller 60

Things to note None of these were memory corruption issues No 0-days Abusing features and misconfiguration allow attackers to perform low(er) cost compromises 61

Demo: domain compromise using no exploits 62

Defenders vs. attackers

Technologies and bypasses Defenders Perimeter firewalls Attackers Client-side attacks 64

Technologies and bypasses Defenders Perimeter firewalls Proxies Attackers Client-side attacks Proxy-aware payloads 65

Technologies and bypasses Defenders Perimeter firewalls Proxies Anti-virus Attackers Client-side attacks Proxy-aware payloads Bypassed binaries 66

Technologies and bypasses Defenders Perimeter firewalls Proxies Anti-virus IDS/IPS Attackers Client-side attacks Proxy-aware payloads Bypassed binaries Encrypted/modelled traffic 67

Technologies and bypasses Defenders Perimeter firewalls Proxies Anti-virus IDS/IPS Vulnerability scanners Attackers Client-side attacks Proxy-aware payloads Bypassed binaries Encrypted/modelled traffic Abuse software features 68

Defender vs. attacker mind-sets Defenders Block direct incoming and outgoing connections Block known bad binaries Block exploits and payload signatures on the network Detect port scans Attackers Abuse features and misconfigurations Never trigger AV Never scan Wherever possible, don t touch disk 69

The difference Do you see the gap? 70

The difference Being a good defender means understanding what attackers are doing Security products have their place But need to be tuned to be useful Detecting subtle events can be crucial to kicking out attackers before they plant roots 71

Conclusion Completely securing an organisation is impossible Making it more expensive for an attacker should be the goal It is much harder to attack an organisation that understands their assets, likely attackers and average level of skill Targeted Attack Simulations can help identify problem areas, validate security spend and train your SOC team 72

Next steps Short term List what your most sensitive assets are Theorize your most likely adversary Medium Term Does your organization consider the following Prevention measures Detection points Response to incidents Security awareness 73

Next steps Long term Protect your core assets with prevention measures, detection points, security awareness and have a response plan Validate your efforts with a Targeted Attack Simulation 74

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback