“How I'm going to own your
organization in just a few days”
The Malware obfuscation attack
Introduction to the Cyber Kill Chain™
@RazorEQX
http://404hack.blogspot.com
SafetyTIP
@RazorEQX
• Army 1985-89
• Cracker
• Starving Nurse
• Gamer turned Networker
• Network Guy
• Firewall Guy
• Hacker
• Malware Reverse Engineer
USER: This is very bad file
Access to facebook to the setting bars..
http://www.facebook.com/
abe2869f-9b47-4cd9-a358-c22904dba7f7
Settings
aPlib compressor's trace:
aPLib v1.01 - the smaller the better :)
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.
More information: http://www.ibsensoftware.com/
Pony gates:
http://webmail.alsultantravel.com:8080/ponyb/gate.php
hxxp://alsultantravel.com:8080/ponyb/gate.php
hxxp://webmail.alsultantravel.info:8080/ponyb/gate.php
hxxp://198.57.130.35:8080/ponyb/gate.php
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="5.1.0.0"
processorArchitecture="x86" name="Progmn.Program_Code" type="win32"></assemblyIdentity><description>Program
Description</description><dependency><dependentAssembly><assemblyIdentity type="win32"
@Malwaremustdie
• Are a group of dedicated Malware Researchers.
• Recognize that Malware is a serious threat.
• Recognize that Malware inhibits Internet technology.
• Agree that Malware is an obfuscation for Advanced Threats.
Kelihos Update
• http://malwaremustdie.blogspot.com/2013/08/the-quick-report-on-48hours-in-battle.html
What Do They Want?
The Silver Bullet Solution
This product will save your life
and put your kids through college
Sounds good.
Give me two!
I feel so safe………
How do they get your Information?
Reconnaissance
• Social Media
• Social Engineering
• Search Engines
• Professional Networking
Social Engineering Resources
Sept 23, 2013 Rohit Shaw – Social Engineering: A Hacking Story
Paterva: Maltego
Maltego is a program that can be used to determine relationships and real
world links between:
– People
– Groups (Social Networks)
– Companies
– Organizations
– Web Sites
– Domains
Maltego
Maltego
The Target: XYZ Corp.
"Hi, I'm social engineering you."
"Oh great! It's in my human nature to help anyone in any way I can."
The Weapon
Some Hints
/usr/local/share/ettercap/etter.dns
tools.google.com A 10.10.10.10
#
NSURL *url = [NSURL URLWithString:@"10.10.10.10:xxxx"];
The Delivery
Take the Bait: Installation
The Expected Response
It's all clean now.
Operation "Where is my Target"
Action on Objectives
SSL
Exploitation
Exfiltration
Exhibition
Exposure
Introducing "Cyber Kill Chain™"
• Concept derived from offensive military doctrine:
– Navy: Find, Fix, Track, Target, Engage, and Assess
– OODA Loop: Observe, Orient, Decide, and Act
– Key concept: Cyber Kill Chain™ defines how an adversary moves from target
observation to a final objective. As with any chain, if any link breaks, the whole
process fails
• Turn it into our advantage:
– "To compromise our infrastructure, the bad guys have to be right every step; we
only have to be right once"
Cyber Kill Chain™ Model: Intrusion
Phases (rows): Recon, Weaponize, Delivery, Exploit, Installation, Command & Control, Actions on Objectives
Defensive actions (columns): Detect, Deny, Disrupt, Degrade, Deceive
Increasing risk as the adversary moves down the chain
Example intrusion: Internet -> Mail Server -> User. "Open this attachment!" -> CLICK! -> COMMAND & CONTROL ESTABLISHED! -> Data Exfiltration Begins
Cyber Kill Chain™ Model: Recon
• Research, identification, and selection of targets
• Crawling Internet websites looking for email addresses or information on specific technologies
• Research conducted on business relationships and supply chain
• Enumeration of systems and infrastructure
– Active
– Passive
Recon Weaponize Deliver Exploit Install C2 Actions on Objectives
Cyber Kill Chain™ Model: Weaponize
• The tool that couples the remote access trojan with an exploit into a deliverable payload
• Application data files such as Microsoft Office documents or Adobe PDF files serve as the weaponized payloads
• Compromised websites hosting malformed Java or Flash files
Cyber Kill Chain™ Model: Delivery
• Transmission of the weapon into the targeted environment
• The three most prevalent delivery vectors for weaponized payloads are
– Emails with attachments or embedded hyperlinks
– Compromised websites with malicious code
– USB drives or other removable media
DGA: Domain Generation Algorithm
DNS Queries
Cyber Kill Chain™ Model: Exploit
• After the weapon is delivered to the target host, exploitation triggers the attackers' code
• Most often, this exploits an application or operating system vulnerability
• In most cases, exploitation occurs when users are
– Coerced to open an executable attachment
– Leveraging a feature of the operating system that executes code automatically
Cyber Kill Chain™ Model: Installation
• Typically occurs immediately after the exploit is complete
• The install is often a backdoor or a tool grabber
• Installation might also occur during lateral movement by the attacker
Cyber Kill Chain™ Model: C2
• Typically the compromised host must beacon outbound to its Internet controller server to establish a command and control (C2) channel
• APT malware typically requires manual interaction vs. acting autonomously
• Once the C2 channel is established, attackers have "hands-on-the-keyboard" access
Cyber Kill Chain™ Model: Actions on Objectives
• Attackers begin collecting, encrypting, and exfiltrating data from compromised systems.
• Attackers may further propagate themselves throughout the internal network in lateral compromises.
• While exfiltration is the most common objective, attackers could also violate the integrity or availability of data.
• Consider what would happen if the attacker modified certain critical internal data.
Cyber Kill Chain™ Model: Benefits
• Provides for a more defensible network by giving incident responders multiple locations at which to stop the progress of the adversary
• Provides a framework for working forward and backward in order to gauge effect and identify mitigations
• Articulates prioritization and strategy
• Identifies data gaps and source collection requirements
• Enables adversary attribution and campaign tracking
• Drives investigations to completion
• Intelligence feeds into gaining more intelligence
Lessons learned:
1. Crack SSL and understand your egress traffic. Get a SIEM for event correlation.
2. Don't take a crimeware kit at face value. You might have missed the advanced threat you've been looking for.
3. Stop wasting money on tools that are always one step behind the adversary and always promising "That feature is in the next release".
4. COLLABORATE with other organizations in your industry. This is priceless information. Compare what activity you are both seeing and put two and two together.
5. OSINT - RSS research feeds are your friend. Pull out indicators you can use for detection tools, and track events to correlations to form campaigns. These groups are already doing the hard part for you: XOR, obfuscation, identifying fake registrars selling domains to crimeware organizations, etc.
6. Most important of all: have a damn good incident response plan. Know what and how you're going to recover from this type of breach when it finally hits your organization.
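Kill chain phase tagging and correlation over a constructed log extract, as an added example that is not the presenter's tooling: it assumes a SIEM exports normalized one-line events, and the tagging rules, the control matrix and the sample lines are all constructed. It puts the model's detect/deny matrix, the "work backward and forward" benefit and lesson 1's event correlation into working code.

```python
"""Kill-chain-tagged event correlation over a constructed log extract.

Added example, not the presenter's tooling. Assumptions: a SIEM exports
normalized one-line events; the tagging rules, the control matrix and the
sample lines below are constructed for illustration.
"""
import re
from collections import Counter

# Phase order from the model; the further down the chain, the higher the risk.
PHASES = ["Recon", "Weaponize", "Deliver", "Exploit", "Install", "C2",
          "Actions on Objectives"]

# Constructed rules: a regex over a normalized event line -> the phase it evidences.
RULES = [
    (re.compile(r"^\S+ mail .*attachment=\S+\.(exe|scr|js)$"), "Deliver"),
    (re.compile(r"^\S+ proc .*parent=WINWORD\.EXE"), "Exploit"),
    (re.compile(r"^\S+ reg .*HKCU\\.*\\Run\b"), "Install"),
    (re.compile(r"^\S+ dns .*qname=[a-z0-9]{20,}\.(com|net|info)$"), "C2"),  # DGA-like name
    (re.compile(r"^\S+ http .*uri=/ponyb/gate\.php"), "C2"),  # the Pony gate path from the deck
    (re.compile(r"^\S+ net .*bytes_out=\d{8,}"), "Actions on Objectives"),
]

# Constructed course-of-action matrix: phase -> {action: deployed control}.
# The action names are the deck's columns: Detect, Deny, Disrupt, Degrade, Deceive.
CONTROLS = {
    "Deliver": {"Detect": "mail gateway alert", "Deny": "strip executable attachments"},
    "Exploit": {"Detect": "EDR parent/child process rule"},
    "Install": {"Detect": "autorun key monitoring", "Disrupt": "application allow-listing"},
    "C2": {"Detect": "DNS/proxy alert", "Deny": "egress filtering", "Deceive": "DNS sinkhole"},
    "Actions on Objectives": {"Detect": "outbound volume alert", "Degrade": "rate-limit egress"},
}
BLOCKING = {"Deny", "Disrupt"}  # actions that stop the adversary advancing, not just log it

# Constructed sample events (hosts and names are made up; the timestamp is the first token).
SAMPLE_LOG = r"""2013-09-23T08:01:12 mail from=hr@partner.example to=alice@xyz.example attachment=invoice.pdf.exe
2013-09-23T08:03:40 proc host=ws-alice image=invoice.pdf.exe parent=WINWORD.EXE
2013-09-23T08:03:41 reg host=ws-alice key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=svchost
2013-09-23T08:04:02 dns host=ws-alice qname=xk3j9d0sl2mq7vb1pz4hc6n.info
2013-09-23T08:04:05 http host=ws-alice uri=/ponyb/gate.php method=POST
2013-09-23T08:05:00 dns host=ws-alice qname=www.example.org
"""


def tag_events(log_text):
    """Return (timestamp, phase, line) for each event a rule attributes to a phase."""
    tagged = []
    for line in log_text.splitlines():
        for rule, phase in RULES:
            if rule.search(line):
                tagged.append((line.split(" ", 1)[0], phase, line))
                break  # first matching rule wins; unmatched lines are dropped
    return tagged


def phase_counts(tagged):
    """How many events landed in each phase: the SIEM correlation view."""
    return Counter(phase for _, phase, _ in tagged)


def highest_phase(tagged):
    """Furthest phase with evidence: where on the 'increasing risk' axis we are."""
    seen = {p for _, p, _ in tagged}
    return max(seen, key=PHASES.index) if seen else None


def pivot(phase):
    """Work backward and forward from one detection: phases to hunt for earlier
    evidence in, and phases to expect next if the chain is not broken."""
    i = PHASES.index(phase)
    return PHASES[:i], PHASES[i + 1:]


def chain_broken_at(tagged):
    """Earliest observed phase with a blocking control: the link we can break."""
    seen = {p for _, p, _ in tagged}
    for phase in PHASES:
        if phase in seen and BLOCKING & set(CONTROLS.get(phase, {})):
            return phase
    return None


def gaps(tagged):
    """Observed phases where we can only detect, not block: mitigation gaps."""
    seen = {p for _, p, _ in tagged}
    return [p for p in PHASES if p in seen and not BLOCKING & set(CONTROLS.get(p, {}))]


if __name__ == "__main__":
    events = tag_events(SAMPLE_LOG)
    for ts, phase, line in events:
        print(f"{ts} [{phase:>22}] {line.split(' ', 1)[1]}")
    print("phase counts:", dict(phase_counts(events)))
    print("furthest phase reached:", highest_phase(events))
    print("earliest breakable link:", chain_broken_at(events))
    print("detect-only gaps:", gaps(events))
    print("pivot from C2:", pivot("C2"))
```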

Contenu connexe

Tendances

Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayChris Gates
 
Enterprise Vulnerability Management - ZeroNights16
Enterprise Vulnerability Management - ZeroNights16Enterprise Vulnerability Management - ZeroNights16
Enterprise Vulnerability Management - ZeroNights16Alexander Leonov
 
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in FirmwareUsing Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in FirmwareLastline, Inc.
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysisChong-Kuan Chen
 
The Joy of Proactive Security
The Joy of Proactive SecurityThe Joy of Proactive Security
The Joy of Proactive SecurityAndy Hoernecke
 
Activated Charcoal - Making Sense of Endpoint Data
Activated Charcoal - Making Sense of Endpoint DataActivated Charcoal - Making Sense of Endpoint Data
Activated Charcoal - Making Sense of Endpoint DataGreg Foss
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGEr Vivek Rana
 
Practical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber SecurityPractical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber SecurityPRISMA CSI
 
Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseLuca Simonelli
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationChris Gates
 
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
Joomla Security Simplified — Seven Easy Steps For a More Secure WebsiteJoomla Security Simplified — Seven Easy Steps For a More Secure Website
Joomla Security Simplified —  Seven Easy Steps For a More Secure WebsiteImperva Incapsula
 
Shmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshotShmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshotjstnkndy
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionGreg Foss
 
Network Forensics and Practical Packet Analysis
Network Forensics and Practical Packet AnalysisNetwork Forensics and Practical Packet Analysis
Network Forensics and Practical Packet AnalysisPriyanka Aash
 
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...PaloAltoNetworks
 
Android Application Security
Android Application SecurityAndroid Application Security
Android Application SecurityChong-Kuan Chen
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...EC-Council
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...B.A.
 

Tendances (20)

Top Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions TodayTop Security Challenges Facing Credit Unions Today
Top Security Challenges Facing Credit Unions Today
 
Enterprise Vulnerability Management - ZeroNights16
Enterprise Vulnerability Management - ZeroNights16Enterprise Vulnerability Management - ZeroNights16
Enterprise Vulnerability Management - ZeroNights16
 
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in FirmwareUsing Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysis
 
The Joy of Proactive Security
The Joy of Proactive SecurityThe Joy of Proactive Security
The Joy of Proactive Security
 
Activated Charcoal - Making Sense of Endpoint Data
Activated Charcoal - Making Sense of Endpoint DataActivated Charcoal - Making Sense of Endpoint Data
Activated Charcoal - Making Sense of Endpoint Data
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTING
 
Practical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber SecurityPractical White Hat Hacker Training - Introduction to Cyber Security
Practical White Hat Hacker Training - Introduction to Cyber Security
 
Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and Defense
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing Presentation
 
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
Joomla Security Simplified — Seven Easy Steps For a More Secure WebsiteJoomla Security Simplified — Seven Easy Steps For a More Secure Website
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
 
Shmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshotShmoocon 2015 - httpscreenshot
Shmoocon 2015 - httpscreenshot
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement Detection
 
Network Forensics and Practical Packet Analysis
Network Forensics and Practical Packet AnalysisNetwork Forensics and Practical Packet Analysis
Network Forensics and Practical Packet Analysis
 
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
 
Android Application Security
Android Application SecurityAndroid Application Security
Android Application Security
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014
 
Addios!
Addios!Addios!
Addios!
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
 

Similaire à How i'm going to own your organization v2

Ethical Hacking justvamshi .pptx
Ethical Hacking justvamshi          .pptxEthical Hacking justvamshi          .pptx
Ethical Hacking justvamshi .pptxvamshimatangi
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Stephan Chenette
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?Tomasz Jakubowski
 
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptxINTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptxSuhailShaik16
 
Reducing the Impact of Cyber Attacks
Reducing the Impact of Cyber AttacksReducing the Impact of Cyber Attacks
Reducing the Impact of Cyber AttacksJames Cash
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
Microsegmentation from strategy to execution
Microsegmentation from strategy to executionMicrosegmentation from strategy to execution
Microsegmentation from strategy to executionAlgoSec
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)Aj Maurya
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedFalgun Rathod
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0Q Fadlan
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself Alert Logic
 
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsEmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsFaithWestdorp
 
building foundation for ethical hacking.ppt
building foundation for ethical hacking.pptbuilding foundation for ethical hacking.ppt
building foundation for ethical hacking.pptShivaniSingha1
 
Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!Distil Networks
 
Where to Start When Your Environment is Fucked
Where to Start When Your Environment is FuckedWhere to Start When Your Environment is Fucked
Where to Start When Your Environment is FuckedAmanda Berlin
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial EmulationScott Sutherland
 
Hacking from the Inside
Hacking from the InsideHacking from the Inside
Hacking from the InsideClaranet UK
 
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...North Texas Chapter of the ISSA
 
LIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR OverviewLIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR OverviewRobert Herjavec
 

Similaire à How i'm going to own your organization v2 (20)

Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Ethical Hacking justvamshi .pptx
Ethical Hacking justvamshi          .pptxEthical Hacking justvamshi          .pptx
Ethical Hacking justvamshi .pptx
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?
 
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptxINTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
 
Reducing the Impact of Cyber Attacks
Reducing the Impact of Cyber AttacksReducing the Impact of Cyber Attacks
Reducing the Impact of Cyber Attacks
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
Microsegmentation from strategy to execution
Microsegmentation from strategy to executionMicrosegmentation from strategy to execution
Microsegmentation from strategy to execution
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
 
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsEmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
 
building foundation for ethical hacking.ppt
building foundation for ethical hacking.pptbuilding foundation for ethical hacking.ppt
building foundation for ethical hacking.ppt
 
Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!
 
Where to Start When Your Environment is Fucked
Where to Start When Your Environment is FuckedWhere to Start When Your Environment is Fucked
Where to Start When Your Environment is Fucked
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
 
Hacking from the Inside
Hacking from the InsideHacking from the Inside
Hacking from the Inside
 
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
Luncheon 2016-01-21 - Emerging Threats and Strategies for Defense by Paul Fle...
 
LIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR OverviewLIFT OFF 2017: Ransomware and IR Overview
LIFT OFF 2017: Ransomware and IR Overview
 

Dernier

1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajanpragatimahajan3
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docxPoojaSen20
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 

Dernier (20)

1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docx
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 

How i'm going to own your organization v2

  • 1. “How I'm going to own your organization in just a few days” The Malware obfuscation attack Introduction to the Cyber Kill Chain™ @RazorEQX http://404hack.blogspot.com
  • 2.
  • 4. @RazorEQX • Army 1985-89 • Cracker • Starving Nurse • Gamer turned Networker • Network Guy • Firewall Guy • Hacker • Malware Reverse Engineer
  • 5.
  • 6. USER: This is very bad file
  • 7. Access to facebook to the setting bars.. CODE: SELECT ALL http://www.facebook.com/ abe2869f-9b47-4cd9-a358-c22904dba7f7 Settings aPlib cmpressor's trace: CODE: SELECT ALL aPLib v1.01 - the smaller the better :) Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved. More information: http://www.ibsensoftware.com/ Pony gates: CODE: SELECT ALL http://webmail.alsultantravel.com:8080/ponyb/gate.php hxxp://alsultantravel.com:8080/ponyb/gate.php hxxp://webmail.alsultantravel.info:8080/ponyb/gate.php hxxp://198.57.130.35:8080/ponyb/gate.php CODE: SELECT ALL <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="5.1.0.0" processorArchitecture="x86" name="Progmn.Program_Code" type="win32"></assemblyIdentity><description>Program Description</description><dependency><dependentAssembly><assemblyIdentity type="win32"
  • 8. @Malwaremustdie • Are a group of dedicated Malware Researchers. • Recognize that Malware is a serious threat. • Recognize that Malware inhibits Internet technology. • Agree that Malware is an obfuscation for Advanced Threats.
  • 12. The Silver Bullet Solution This product will save your life and put your kids through college Sounds good. Give me two!
  • 13. I feel so safe………
  • 14. How do they get your Information? Reconnaissance: Social Media, Social Engineering, Search Engines, Professional Networking
  • 15. Social Engineering Resources Sept 23, 2013 Rohit Shaw – Social Engineering: A Hacking Story
  • 16. Paterva: Maltego Maltego is a program that can be used to determine relationships and real world links between: – People – Groups (Social Networks) – Companies – Organizations – Web Sites – Domains
  • 19. The Target: XYZ Corp. "Hi, I'm social engineering you." "Oh great! It's in my human nature to help anyone in any way I can."
  • 21. Some Hints /usr/local/share/ettercap/etter.dns: tools.google.com A 10.10.10.10 # NSURL *url = [NSURL URLWithString:@"10.10.10.10:xxxx"];
  • 23. Take the Bait: Installation
  • 24. The Expected Response: It's all clean now.
  • 25. Operation “Where is my Target” Action on Objectives SSL
  • 28. Introducing "Cyber Kill Chain™" • Concept derived from offensive military doctrine: – Navy: Find, Fix, Track, Target, Engage, and Assess – OODA Loop: Observe, Orient, Decide, and Act – Key concept: Cyber Kill Chain™ defines how an adversary moves from target observation to a final objective. As with any chain, if any link breaks, the whole process fails • Turn it into our advantage: – "To compromise our infrastructure, the bad guys have to be right every step; we only have to be right once"
  • 29. Cyber Kill Chain™ Model • Intrusion Cyber Kill Chain™ Detect Deny Disrupt Degrade Deceive Recon Weaponize Delivery Exploit Installation Command & Control Actions on Objectives Increasing Risk
  • 30. Internet Mail Server User User Open this attachment! CLICK! COMMAND & CONTROL ESTABLISHED! Data Exfiltration Begins
  • 31. Cyber Kill Chain™ Model Recon • Research, identification, and selection of targets • Crawling Internet websites looking for email addresses or information on specific technologies • Research conducted on business relationships and supply chain • Enumeration of systems and infrastructure – Active – Passive Recon Weaponize Deliver Exploit Install C2 Actions on Objectives
  • 32. Cyber Kill Chain™ Model Weaponize • The tool that puts the remote access trojan with an exploit into a deliverable payload • Application data files such as Microsoft Office documents or Adobe PDF files serve as the weaponized payloads • Compromised websites hosting malformed Java or Flash files Recon Weaponize Deliver Exploit Install C2 Actions on Objectives
  • 33. Cyber Kill Chain™ Model Delivery • Transmission of weapon into targeted environment • The three most prevalent delivery vectors for weaponized payloads are – Emails with attachments or embedded hyperlinks – Compromised website with malicious code – USB drives or other removable media Recon Weaponize Deliver Exploit Install C2 Actions on Objectives
  • 36. Cyber Kill Chain™ Model Exploit • After the weapon is delivered to target host, exploitation triggers attackers’ code • Most often, this exploits an application or operating system vulnerability • In most cases, exploitation occurs when users are – Coerced to open an executable attachment – Leveraging a feature of the operating system that executes code automatically Recon Weaponize Deliver Exploit Install C2 Actions on Objectives
  • 37. Cyber Kill Chain™ Model Installation • Typically occurs immediately after the exploit is complete • The install is often a backdoor or a tool grabber • Also installation might occur during lateral movements by the attacker Recon Weaponize Deliver Exploit Install C2 Actions on Objectives
  • 38. Cyber Kill Chain™ Model C2 • Typically the compromised host must beacon outbound to its Internet controller server to establish command and control (C2) channel • APT malware typically requires manual interaction vs. acting autonomously • Once the C2 channel is established, attackers have "hands-on-the-keyboard" access Recon Weaponize Deliver Exploit Install C2 Actions on Objectives
  • 39. Cyber Kill Chain™ Model Actions on Objectives • Attackers begin collecting, encrypting, and exfiltrating data from compromised systems. • Attackers may further propagate themselves throughout the internal network in lateral compromises. • While exfiltration is the most common objective, attackers could also violate the integrity or availability of data as well. • Consider what would happen if the attacker modified certain critical internal data. Recon Weaponize Deliver Exploit Install C2 Actions on Objectives
  • 40. Cyber Kill Chain™ Model Benefits • Provides for a more defensible network by providing incident responders with multiple locations that can stop the progress of the adversary • Provides a framework for working forward and backward in order to gauge effect and identify mitigations • Articulates prioritization and strategy • Identifies data gaps and source collection requirements • Enables adversary attribution and campaign tracking • Drives investigations to completion • Intelligence feeds into gaining more intelligence
  • 41. Lessons learned:
    1. Crack SSL and understand your egress traffic. Get a SIEM for event correlation.
    2. Don't take a crimeware kit at face value. You might have missed the advanced threat you've been looking for.
    3. Stop wasting money on tools that are always one step behind the adversary and always promising "That feature is in the next release".
    4. COLLABORATE with other organizations in your industry. This is priceless information. What activity are you both seeing? Put two and two together.
    5. OSINT - RSS research feeds are your friend. Pull out indicators you can use for detection tools and track events to correlations to form campaigns. These groups are already doing the hard part for you: XOR, obfuscation, identifying fake registrars selling domains to crimeware organizations, etc.
    6. Most important of all: have a damn good incident response plan. Know what and how you're going to recover from this type of breach when it finally hits your organization.
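The following is an added example, not part of the deck or of @RazorEQX's material, that puts lessons 1 and 5 into working form: indicators lifted from a research post (the Pony gate hosts listed on slide 7) are matched against egress proxy log lines, each hit is tagged with the kill chain link it belongs to (C2, per slides 29 and 38), hits are grouped per internal host into a campaign timeline, and the check-in cadence is measured, since a steady interval is the outbound beaconing slide 38 describes. The log line format, the port-based heuristic rule, the internal IPs, the example.com/.net/.org hosts and the phase mapping are all assumptions.

```python
"""Added example (not from the deck): correlate egress proxy logs against
research-feed indicators, tag hits with kill chain phases, group campaigns."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

# Pony gate URLs exactly as listed on slide 7 (research posts defang them as hxxp).
FEED_ENTRIES = [
    "http://webmail.alsultantravel.com:8080/ponyb/gate.php",
    "hxxp://alsultantravel.com:8080/ponyb/gate.php",
    "hxxp://webmail.alsultantravel.info:8080/ponyb/gate.php",
    "hxxp://198.57.130.35:8080/ponyb/gate.php",
]

def refang(url):
    """Undo hxxp/hxxps defanging so urlsplit can parse the feed entry."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://")

def load_indicators(entries, rule="pony_gate", phase="C2"):
    """Map each feed host (or IP) to a (rule, phase) tag. The phase is an
    assumption: a Pony gate is the stealer's check-in point, so traffic to it
    belongs to the Command & Control link of the chain."""
    return {urlsplit(refang(u)).hostname: (rule, phase) for u in entries}

INDICATORS = load_indicators(FEED_ENTRIES)
SUSPECT_PORTS = {8080}  # the non-standard port the slide 7 gates use (assumed list)

@dataclass
class Hit:
    ts: datetime
    src: str
    host: str
    rule: str
    phase: str

def parse_line(line):
    """Parse one constructed proxy log line (assumed format):
    '<ISO timestamp> <client ip> <METHOD> <url> <status>'."""
    ts, src, method, url, _status = line.split()
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return datetime.fromisoformat(ts), src, method, parts.hostname, port, parts.path

def classify(host, port, path, method):
    """Return (rule, phase) for one request, or None. Feed lookup first; the
    behavioural rule then catches the same beacon shape (POST to */gate.php on
    a non-standard port) on hosts the feed does not list yet."""
    if host in INDICATORS:
        return INDICATORS[host]
    if method == "POST" and path.endswith("/gate.php") and port in SUSPECT_PORTS:
        return ("gate_post_heuristic", "C2")
    return None

def correlate(lines):
    """Run every log line through classify() and keep the matches."""
    hits = []
    for line in lines:
        ts, src, method, host, port, path = parse_line(line)
        verdict = classify(host, port, path, method)
        if verdict is not None:
            hits.append(Hit(ts, src, host, *verdict))
    return hits

def campaigns(hits):
    """Group hits by internal source, oldest first, so related events read as
    one campaign instead of isolated alerts (lesson 5)."""
    by_src = defaultdict(list)
    for h in sorted(hits, key=lambda h: h.ts):
        by_src[h.src].append(h)
    return dict(by_src)

def beacon_interval(hits):
    """Median seconds between consecutive C2 hits from one source; a steady
    value is the regular outbound check-in of slide 38. None below two hits."""
    c2 = sorted(h.ts for h in hits if h.phase == "C2")
    if len(c2) < 2:
        return None
    return median([(b - a).total_seconds() for a, b in zip(c2, c2[1:])])

# Constructed sample traffic (not real logs): one workstation checking in to
# slide 7 gates every five minutes, ordinary browsing, and a second workstation
# posting to an unlisted host that matches the beacon shape.
SAMPLE_LOG = [
    "2013-09-27T09:00:00 10.0.0.23 POST http://webmail.alsultantravel.com:8080/ponyb/gate.php 200",
    "2013-09-27T09:01:12 10.0.0.23 GET http://www.example.com/index.html 200",
    "2013-09-27T09:05:00 10.0.0.23 POST http://webmail.alsultantravel.com:8080/ponyb/gate.php 200",
    "2013-09-27T09:10:00 10.0.0.23 POST http://198.57.130.35:8080/ponyb/gate.php 200",
    "2013-09-27T09:02:30 10.0.0.44 POST http://updates.example.net:8080/cp/gate.php 200",
    "2013-09-27T09:03:00 10.0.0.44 GET https://www.example.org/ 200",
]

if __name__ == "__main__":
    for src, chain in campaigns(correlate(SAMPLE_LOG)).items():
        print(src, [(h.ts.strftime("%H:%M"), h.host, h.rule, h.phase) for h in chain])
        print("  beacon interval (s):", beacon_interval(chain))
```

Running the file prints one timeline per internal host. The feed lookup alone would only ever catch what a researcher has already published; the behavioural rule is what lets the same shape of check-in (POST to a gate script on an odd port) surface a host the feed has not caught up with yet, which is the point of lesson 2 about not taking a kit at face value.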

Editor's notes

  1. I should have called this presentation not how I'm going to own your organization but instead how it's likely already “owned”. Let me ask you a question. No one needs to raise their hands, just acknowledge in your mind. How many of you think your network has already been compromised and just has not been found yet? Makes it hard to sleep at night I bet? This presentation should actually be titled how likely is it that your organization is already owned, not how I'm going to own your organization in just a few days. I am going to ask you a question that I don't want you to answer, just to take a moment and think about it. Is your network already compromised and you just haven't found out about it yet? That thought probably keeps you up at night, or it should.
  2. My 8 Year old wants to see Daddy on Video So I will be adding in my own censorship. Sorry no cussing at DerbyCon from me this year.
  3. Don’t die at DerbyCon. If you get to the terminal and swell up like a balloon then start having chest pains, don’t FLY. Apparently some airlines don't like people dying on them at 30,000 feet.
  4. Note: Software cracker back in the day was cool using SoftICE. I was actually reversing code before reversing was cool. Then cracker turned out to be a term for a white guy. Not so cool anymore. Please take out your phones and turn them up all the way. I want it to feel as though we are all sitting in a meeting and I'm presenting while all of your phones are going off; this will really make me feel at home for the rest of this presentation. I thank you in advance. Everyone please enter my twitter id in your phone. (pause) Who entered my twitter ID and turned on their cell phones? Raise of hands. You have just been social engineered.
  5. Soft-ICE Used in the late 80’s and 90’s as .. Look it up on twitter. Soft ice was a utility that was used back in the 80s and 90s for crackers and was a utility we could use at the time to remove dongle cracks, passwords, game cracks and copyright keys, it was also used to create actual patches. I didn’t realize it at the time but I was actually a software reverse engineer before there was malware or the internet as we know it today.
  6. VirusTotal is a website that provides free checking of files for viruses. It uses up to 46 different antivirus products and scan engines to check for viruses that the user's own antivirus solution may have missed, or to verify against any false positives.[1] Files up to 64 MB can be uploaded to the website or sent via email.[2] Anti-virus software vendors can receive copies of files that were flagged by other vendors however were missed by their own engine; they use this information to improve their own software and, by extension, VirusTotal's own capability. Users can also scan suspect URLs and search through the VirusTotal dataset. VirusTotal was selected by PC World as one of the best 100 products of 2007. I started using VirusTotal about three years ago and worked my way up from the bottom of being pretty much a nobody just using the tool for face value and eventually started collaborating with other members who were pretty advanced in the community and really knew advanced techniques for reversing.
  7. Throughout the course of a year I became good friends with many members of the VirusTotal community and started collaborating with researchers across the globe. This is what malware research looks like now: landing zones, redirectors, everything from packers, XOR, and obfuscated URLs. Anything you can think of our adversaries are doing and are continuing to advance their techniques, and we have continued to crack them.
  8. From VirusTotal a few of the researchers that became close friends would form a group with one really brilliant leader and formed MalwareMustDie. The group based its principles on finding these malware kits and tracking their kits, analyzing the data and then doing full disclosures on how the kits worked. Some of the research included the discovery of Blackhole toolkit 2.0 using Tor networks, pseudo-dynamic URLs, and most recently the tracking and the beginning of taking down the Kelihos botnet.
  9. What do they want? This all depends on the threat actor; some just want to see the world burn. What do the rest want? Many are after IP, financial information, destroying company reputation, etc. Intellectual property, financials, customer reputation, money, contacts, destruction.
  10. Organizations from various sectors are spending vast amounts of money on advanced threats. Managers, CISOs, and CIOs are speaking with industry leaders on various tools which may or may not fit within their budget; they are selling these tools as a silver bullet solution. The reality is most organizations already have an arsenal of tools and not enough staff to review the data that's already being collected and monitored in their production environment; adding even more tools to this sort of environment means the analysts cannot ingest all the data quickly enough to form a picture of what's actually occurring on the network. The reality is the adversary has the same or similar tools and knows exactly what tools your organization uses and they know how you use them, and I'll tell you why: for the single purpose of staying a step ahead of these tools and continuing to perfect their obfuscation techniques.
  11. And your manager puts a massive box of tools on your desk and tells you how you deploy this in our network. It's going to be the end-all be-all to protect our environment and everybody's going to be happy, right? You probably have had a similar experience where a supervisor has handed you the next silver bullet tool to stop the next APT/Advanced Threat/whatever phrase or acronym you prefer. The reality is they think this will make them look great and you will be happy; too bad this is not reality.
  12. How does an adversary gain information about an organization? This information is learned using what is called social profiling; this can be accomplished on sites similar to LinkedIn, Facebook, Twitter, and Google. With the use of these sites an adversary has the ability to track your organization and create an organizational chart, down to who reports to whom and which manager reports to which director and which director reports to which VP and so forth. This includes phone numbers, email addresses, personal blogs, and through social engineering can even obtain information of where children go to school, what someone's personal schedule is, and what packages you're expecting in the mail. People like to talk about themselves and they like to blog, tweet, and post on Facebook about what they are doing, also leaving geolocation information on pictures. Without proper privacy settings on any of these platforms this information is practically public to the entire world!
    Tools: Cree.py; Maltego and NetGlub; The Harvester; http://checkusernames.com/ (Check Usernames - useful for checking the existence of a given username across 160 social networks).
    Human Intelligence (HUMINT): methodology always involves direct interaction - whether physical, or verbal. Gathering should be done under an assumed identity (remember pretexting?). Key employees; partners/suppliers.
    IMINT can also refer to satellite intelligence (cross over between IMINT and OSINT if it extends to Google Earth and its equivalents).
    Covert Gathering - Corporate. On-location gathering: physical security inspections; wireless scanning / RF frequency scanning; employee behavior training inspection; accessible/adjacent facilities (shared spaces); dumpster diving; types of equipment in use. Offsite gathering: data center locations; network provisioning/provider.
    Foundstone has a tool, named SiteDigger, which allows us to search a domain using specially crafted strings from both the Google Hacking Database (GHDB) and Foundstone Database (FSDB).
  13. Sept 23, 2013 Rohit Shaw – Social Engineering: A Hacking Story http://resources.infosecinstitute.com/social-engineering-a-hacking-story/
  14. How would you enumerate the target's infrastructure without touching it?
  15. So what do I want with all these tools??? Network blocks owned, AS numbers, email addresses, external infrastructure profile, technologies used, perimeter tools, purchase agreements, 3rd party vendors, remote access, application usage, browser user agents… defense technologies, human capability.
  16. And these individual targets are going to be inside your organization closest to the data he's trying to get access to to achieve his objective. And this can all be done with a simple phone call to an individual administrative assistant and actually use the personal information he received on the Internet to use against her or him. All this to make that individual perceive that they are giving information to a person they know or trust. The targets are going to be within your organization and be the least path of resistance to the accounts and data the threat actor is trying to access. This will be done with simple phone calls to colleagues, administrative assistants, and other associates using the information learned through social profiling to gain trust and access. All of this is used to gain a false sense of trust in order to get the individual targets to drop their defenses.
  17. So with all this reconnaissance information we can build a profile of what tools are being used at the perimeter, what operating systems are used on the workstations, potentially account names, maybe even passwords. One such tactic might actually be having the admin look underneath the keyboard for a Post-it note which has the account and password forgotten when their boss went to a conference. All this can be built into a program that can be used once inside the organization. Exploits can be written and used against specific operating systems, applications like browsers, Adobe Flash, even down to what version each application is using, all using social engineering. With all of the social reconnaissance completed the attacker then will begin to build a profile of tools that are being used on the perimeter, what OS is being used on the workstations, account names, and even passwords. Once this information is organized and accounted for the attacker can then use the organizational information learned from social engineering as well as the technical information to craft an exploit. I have no idea how you are going to get an admin to look under the keyboard, or if it is their keyboard how do you gain physical access? How would you get an admin to look under their boss's keyboard?
  18. A small package for a POC was created using a stripped down version of ettercap. Only a few of the functions were used to reduce the footprint of the file for execution in memory including the video card. The payload also contains copies of fake patches to various browser types. Google Chrome is the example here.
  19. So with all this packaged up and can now create a method of delivery. In this case he chooses a spear phishing attack which is going to be used against the administrative assistant. Emails are going to contain a link or several links that will actually do HTTP GET functions to a well known application called Blackhole toolkit. The payload inside this Blackhole toolkit isn't going to be fake antivirus; it's going to be that special exploit that the adversary created, making both the advanced threat tools and the cyber security department, if it is even detected, respond to this as a typical malware campaign. We have now packaged and chosen our method of delivery which will use the information we learned from our social engineering against the administrative assistant. There will be an email sent which will contain a link or several links which will perform an HTTP GET function to a well known application called the Blackhole Toolkit. The payload will not be a fake AV; it will be the exploit created by the adversary to bypass the advanced threat tools and the information security team, appearing to be a typical malware campaign.
  20. So the email is delivered, most likely making it through your perimeter because the scoring is fairly low; it's a single target. All this was of course tested against your perimeter with several other fake phishing type campaigns via several recipients or potentially a single user with nothing more than a URL and a short message and a DNS query from the link when clicked on, actually being nothing but a harmless http or https string, none of which would cause an alarm by any of your perimeter tools. This could even be a DNS query resolving to a local address in the United States by monitoring the destination domain with tools like Umbrella or other DNS activity tools. The email or emails are delivered through the various spear phishing campaigns when the actual spear phishing campaign occurs, with again a link that actually downloads the toolkit itself when clicked or is embedded in the email as an attachment. Still a low score. New version of BHEK, single user recipient, and obfuscated quite well. Once the email is clicked and the payload is delivered the dropper BHEK actually extracts its contents with various premeditated exploits, either embedded into memory or even a video card. The exploit could be a utility that spoofs browser updates, Adobe products, cloud storage like Dropbox or vulnerabilities in your known operating systems, all of which were gathered during the reconnaissance phase. The objective here is what's been known and used for a long time with tools like Metasploit or other hacking tools: a jump host. The adversary wants off this machine and onto another machine as quick as possible. The spear phishing campaign will most likely make it through as it is only directed to one address.
All of this was of course tested against the perimeter with several other fake phishing type campaigns via several recipients or potentially a single user with nothing more than a URL and a short message and a DNS query from the link, which when clicked on will actually be nothing more than a harmless http or https string, none of which would cause an alarm by any perimeter tools. This could even be a DNS query resolving to a local address in the United States by monitoring the destination domain with tools like Umbrella or other DNS activity tools. The email or emails are delivered through the various spear phishing campaigns which again contain a link that downloads the toolkit, and when clicked is launched, or is embedded in the email as an attachment (again requiring execution). These will still have a low score. New version of BHEK, single user recipient, and obfuscated quite well. Once the email is clicked and the payload is delivered the dropper BHEK actually extracts its contents with various premeditated exploits by either embedding into memory or even a video card utility. The exploit could be a utility that spoofs browser updates for something along the lines of Adobe products, cloud storage like Dropbox or vulnerabilities in your known operating systems, all of which were gathered during the reconnaissance phase. The objective here is what's been known and used for a long time with tools like Metasploit or other hacking tools: a jump host. The adversary wants off this machine in order to jump onto another machine as quickly as possible.
  21. At this point there is no requirement for any command-and-control; there's no contact from the exploit from any machine compromised by lateral movement. The only objective is to harvest the data on the infected machine and only then make a connection to a predetermined location and transport mechanism like SSL, HTTP or FTP. The key here is I'm already inside the perimeter. The adversary is in the squishy center of your network. The infected hosts can remain silent for as long as the adversary deems fit, for sufficient information to be gathered and for the security department or company to forget the original alert of the infected host from the phishing infection. This exfiltration of data could even be transmitted from several of the hosts in a peer-to-peer sharing application in several simultaneous transmissions like a BitTorrent.
  22. A few days later the target company's financials, accounts, passwords, network IP addresses of critical systems show up on Pastebin or in the media or are sold off to the highest bidder.
  23. Do you see the obfuscation?
  24. Duration: 10 minutes. Describe the behavior as well as perspective on counter-intelligence models and defenses against these mapped steps.
  25. Duration: 10 minutes. Describe the behavior as well as perspective on counter-intelligence models and defenses against these mapped steps.
  26. Duration: 10 minutes. Key Points: This is an important piece, and is part of what makes the APT adversary "advanced". Hard to detect. This is where collaboration with other peer groups can help tremendously by sharing intelligence. OSINT, intelligence feeds, research sites.
  27. This was five pages long
  28. See the hits for one DGA name as its rotated in sequence.
  29. Key Points: CVs; Zero-day attacks
  30. Provides for a more defensible network by providing incident responders with multiple locations that can stop the progress of the adversary. Provides a framework for working forward and backward in order to gauge effect and identify mitigations. Articulates prioritization and strategy. Identifies data gaps and source collection requirements. Enables adversary attribution and campaign tracking. Drives investigations to completion. Intelligence feeds into gaining more intelligence.
  31. Lessons learned:
    1. Crack SSL and understand your egress traffic. Get a SIEM for event correlation.
    2. Don't take a crimeware kit at face value. You might have missed the advanced threat you've been looking for.
    3. Stop wasting money on tools that are always one step behind the adversary and always promising "that feature is in the next release". Bull*BEEP*
    4. COLLABORATE with other organizations in your industry. This is priceless information. What activity are you both seeing? Put two and two together.
    5. RSS research feeds are your friend. Pull out indicators you can use for detection tools. These groups are already doing the hard part for you: XOR, obfuscation, identifying fake registrars selling domains to crimeware organizations, etc.
    6. Most important of all: have a damn good incident response plan. Know what and how you're going to recover from this type of breach when it finally hits your organization.