DETECTING CYBER ATTACKS
Lan Nguyen, Veramine
SINCERE THANKS TO THE SPONSORS
OUTLINE
• General security problems
• What must be handled to secure IT networks: computer systems, hardware, software, data
• Detections
• Tactics, techniques and common knowledge (MITRE ATT&CK)
GENERAL SECURITY PROBLEMS
1. Authenticity
• Multi-factor authentication, including a hardware-backed factor. The factor itself must be sound: e.g. the Taiwan citizen ID smart cards whose RSA keys were generated with weak randomness and could be factored.
• Mutual authentication, e.g. to help prevent phishing
• FIDO: strong authentication standard. U2F: Universal Second Factor (Yubico)
• Zero Trust
2. Authorization / Access Control
• Applied very widely, to principals and resources
• Separate networks; classified networks
• Role-based principals
• OS: Ring 0 – Ring 3
GENERAL SECURITY PROBLEMS
3. Confidentiality
• Encryption reduces the problem of protecting terabytes of data to protecting a few thousand bits of key
• Follow encryption standards; design for crypto agility
• Key management is vital: Hardware Security Module (HSM)
4. Integrity and Non-repudiation
• Signatures and authenticated encryption
• Code signing: the signing process itself needs careful protection. E.g. CCleaner (a backdoored build shipped with a valid signature), Flame (forged Microsoft certificate).
• Blockchain can be counted as part of cybersecurity
• Side effect: non-deniability and accountability, e.g. signing off on a software release
5. Availability
• DDoS
• Build efficient software: CPU, RAM, network
• Data replication and backup
GENERAL SECURITY PROBLEMS
6. Monitoring and Auditing
• High-quality data collection: wide variety, but not too much
• About processes, users, network, protocols, registry, files, services, permissions
• "CCTV" cameras to record and replay
7. Detection
• Data analysis to raise intrusion alerts. Good data collection means good detection
• Rule-based and machine learning
GENERAL SECURITY PROBLEMS
8. Investigation
• From alerts, find the intrusion's scope, timeline, approaches and signatures
• Track the intrusion span: malicious user logons, C&C connections, ...
• Search, correlate and analyze memory, files and other data
9. Response
• From the investigation results, build a plan to quickly clean up the IT network
• Isolate, suspend and stop malicious endpoints, users, processes, binaries, network traffic
10. Remediation and Prevention
• Measures, policies and rules to prevent similar attacks
SECURITY DESIGN PRINCIPLES
Principle                    Explanation
Open design                  Assume the attackers have the sources and the specs.
Fail-safe defaults           Fail closed; no single point of failure.
Least privilege              No more privileges than what is needed.
Economy of mechanism         Keep it simple.
Separation of privileges     Don't permit an operation based on a single condition.
Complete mediation           Check everything, every time.
Least common mechanism       Beware of shared resources.
Psychological acceptability  Will they use it?
DETECTIONS
• All about https://attack.mitre.org/wiki/Technique_Matrix (MITRE ATT&CK)
• The attack dictionary
ESCALATION OF PRIVILEGE (EOP)
• The attacker exploits bugs to raise the privilege level, e.g. from user to SYSTEM
• MITRE says "Detecting software exploitation may be difficult"
• The deck's claim: detection is nonetheless possible with 100% accuracy, no false positives or false negatives, from security-permission data (the user and integrity level each process token carries over time)
CREDENTIAL DUMPING
• Harvesting passwords and other credential material
• Tools: mimikatz, gsecdump
• With SYSTEM-level privileges (SeDebugPrivilege), open the lsass.exe process, read its memory and decrypt the cached credentials
• Detection is highly accurate: very few processes have any legitimate reason to open LSASS with memory-read access
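The LSASS-access detection the slide describes, as an added example that is not code from the deck or from Veramine. It consumes Sysmon Event ID 10 (ProcessAccess) records in the "Key: value" layout of the event Message field and flags any handle to lsass.exe that carries PROCESS_VM_READ from a source that is not on the allow-list, or whose call stack contains unbacked (UNKNOWN) frames. The sample events and the allow-list are constructed assumptions; baseline the allow-list against your own fleet.

```python
"""Flag handle opens on lsass.exe that look like credential dumping.

Added example, not code from the Veramine deck. It reads Sysmon Event ID 10
(ProcessAccess) events in the "Key: value" layout of the event Message field;
the sample events and the allow-list of legitimate LSASS readers are
constructed assumptions to be baselined per environment.
"""
import re

# Process access rights from winnt.h. A dumper must read LSASS memory, so
# PROCESS_VM_READ in GrantedAccess is the key bit; QUERY_* alone is benign noise.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Assumed allow-list: images seen reading LSASS on a healthy host (OS components, AV).
ALLOWED_SOURCE_IMAGES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def parse_events(text):
    """Split blank-line separated 'Key: value' records (Sysmon Message layout) into dicts."""
    return [dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
            for block in re.split(r"\n\s*\n", text.strip())]


def classify(ev):
    """Return an alert string for a suspicious lsass.exe ProcessAccess event, else None."""
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    access = int(ev.get("GrantedAccess", "0"), 16)
    if not access & PROCESS_VM_READ:
        return None
    source = ev.get("SourceImage", "")
    # Sysmon prints UNKNOWN for call-stack frames in memory not backed by a module on
    # disk: injected or reflectively loaded code, even when the host image is trusted.
    unbacked = "UNKNOWN" in ev.get("CallTrace", "")
    if source.lower() in ALLOWED_SOURCE_IMAGES and not unbacked:
        return None
    reason = "unbacked call stack" if unbacked else "unexpected source image"
    return f"{source} -> lsass.exe access=0x{access:04x} ({reason})"


def detect(text):
    """Alerts for every suspicious LSASS access in a text export of Sysmon events."""
    return [alert for alert in map(classify, parse_events(text)) if alert]


# Constructed sample: a dumper, a benign query, and a trusted image running injected code.
SAMPLE_EVENTS = r"""
RuleName: -
UtcTime: 2018-06-01 10:00:00.000
SourceProcessId: 4412
SourceImage: C:\Users\alice\Downloads\mimikatz.exe
TargetProcessId: 652
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1010
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Users\alice\Downloads\mimikatz.exe+4d1c2

RuleName: -
UtcTime: 2018-06-01 10:00:01.000
SourceProcessId: 900
SourceImage: C:\Windows\system32\svchost.exe
TargetProcessId: 652
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1400
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9c584|C:\Windows\system32\sechost.dll+7e12

RuleName: -
UtcTime: 2018-06-01 10:00:02.000
SourceProcessId: 1200
SourceImage: C:\Windows\system32\wbem\wmiprvse.exe
TargetProcessId: 652
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1010
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9c584|UNKNOWN(000001F4A0B2C000)
"""

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

The second sample (0x1400, query rights only) is deliberately left alone: alerting on every QUERY_INFORMATION handle to LSASS drowns the signal in task-manager and monitoring-agent noise, while the VM_READ bit plus an unbacked call stack catches a dumper even when it hides inside an allow-listed process.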
LSA PACKAGES
• Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process and from there have access to plaintext passwords
• An attacker modifies a few registry values to register a new SSP
• Detection by monitoring these registry values:
  HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
  HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
  HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
  HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages
• Caveat: an SSP can also be loaded at runtime with the AddSecurityPackage API without touching the registry, so DLL loads into lsass.exe should be watched as well
CHANGE DEFAULT FILE ASSOCIATION
• File association selections are stored and edited in the Windows Registry
• Modify the association so that a file extension opens an arbitrary program
• Detection when the default file association keys are modified: the per-user choices under
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
  and the system-wide handlers under HKEY_CLASSES_ROOT\<.ext> and the ProgId's shell\open\command
FILE SYSTEM PERMISSIONS WEAKNESS
• A process executes a binary whose file permissions are improperly set, so the binary can be overwritten by a lower-privileged user
• The replaced binary then executes under the higher privilege level, which can include SYSTEM. The technique also serves persistence.
• Cases: service binary replacement, and installers loading from weakly ACL'd directories
• Detection when a process running at high privilege loads a binary whose ACL allows low-privileged users to tamper with it
ACCESSIBILITY FEATURES
• Windows contains accessibility features (e.g. sethc.exe, utilman.exe) launched with a key combination before user logon. An adversary can replace them to get a command prompt or backdoor without logging on.
• In recent Windows versions the replacement binary needs to be signed for x64, must reside in %systemdir%... The Image File Execution Options "Debugger" value is the workaround: Windows then starts the attacker's program in place of the accessibility binary.
• Detection by monitoring registry writes under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
DISABLING SECURITY TOOLS
• Killing security software or event-logging processes, deleting registry keys, ...
• Build tamper-resistant security software
• Detection by deception: traps planted by the security software (decoy components that nothing legitimate would stop or delete)
FILE DELETION
• Adversaries may delete malware and tools to clean up their footprint
• So preserve a copy of every binary that was loaded by any process on any system
• Those copies go to a Binary Analysis Pipeline (BAP) that assigns each one a suspicion score
• And they can be downloaded by any customer
APPINIT DLLS
• For persistence: DLLs listed in the AppInit_DLLs value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows (and, for 32-bit processes on 64-bit Windows, under the Wow6432Node equivalent) are loaded by user32.dll into every process that loads user32.dll
• Detection when an application modifies the AppInit DLL registry settings (AppInit_DLLs and the LoadAppInit_DLLs switch)
• Caveat: since Windows 8, AppInit_DLLs is disabled when Secure Boot is enabled, so a write to this value on such a host is noise for persistence but still a sign of intent
BYPASS USER ACCOUNT CONTROL (UAC)
• UAC lets a task run with administrator-level permissions after prompting the user for confirmation
• Bypass, e.g.: rundll32.exe loads a specially crafted DLL that instantiates an auto-elevated COM object and performs a file operation in a protected directory. Or malicious code is injected into a trusted process to gain elevated privileges without prompting the user.
• Detection by tracking the state of each process token and reporting any token change, e.g. an unexpected integrity level (IL) change from Medium to High
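The token-state tracking this slide and the earlier EoP slide rely on, as an added example that is neither the deck's nor Veramine's code. It consumes periodic token snapshots (pid, image, user SID, integrity-level SID) such as an endpoint sensor could emit and alerts when an existing process's token gains integrity or turns into SYSTEM in place. Legitimate UAC elevation always creates a new process through the AppInfo service, so an in-place gain has no benign explanation. The snapshot stream and the user SID are constructed.

```python
"""Report privilege changes on live process tokens: the detection this deck
proposes for escalation of privilege and UAC bypass.

Added example, not Veramine's code. It consumes periodic token snapshots
(pid, image, user SID, integrity-level SID) such as an endpoint sensor could
emit; the snapshot stream below is constructed. Legitimate UAC elevation always
creates a new process (via the AppInfo service), so an existing process whose
token gains integrity or becomes SYSTEM in place has no benign explanation.
"""
from dataclasses import dataclass

SYSTEM_SID = "S-1-5-18"

# Mandatory integrity level SIDs, ranked (higher = more privileged).
INTEGRITY_RANK = {
    "S-1-16-0": 0,       # Untrusted
    "S-1-16-4096": 1,    # Low
    "S-1-16-8192": 2,    # Medium
    "S-1-16-12288": 3,   # High
    "S-1-16-16384": 4,   # System
}
IL_NAME = ["Untrusted", "Low", "Medium", "High", "System"]


@dataclass(frozen=True)
class TokenSnapshot:
    pid: int
    image: str
    user_sid: str
    integrity_sid: str


class TokenTracker:
    """Keeps the last known token per pid and alerts on in-place privilege gains."""

    def __init__(self):
        self.last = {}      # pid -> TokenSnapshot
        self.alerts = []

    def observe(self, snap):
        prev = self.last.get(snap.pid)
        self.last[snap.pid] = snap
        if prev is None or prev.image != snap.image:
            return None     # new process, or pid reuse by another image: nothing to compare
        reasons = []
        old_il = INTEGRITY_RANK[prev.integrity_sid]
        new_il = INTEGRITY_RANK[snap.integrity_sid]
        if new_il > old_il:
            reasons.append(f"integrity {IL_NAME[old_il]} -> {IL_NAME[new_il]}")
        if snap.user_sid != prev.user_sid:
            who = "SYSTEM" if snap.user_sid == SYSTEM_SID else snap.user_sid
            reasons.append(f"token user {prev.user_sid} -> {who}")
        if not reasons:
            return None     # lowering integrity or keeping the same token is fine
        alert = f"pid {snap.pid} {snap.image}: " + "; ".join(reasons) + " (in-place token change)"
        self.alerts.append(alert)
        return alert


def run(stream):
    """Feed a snapshot stream through a fresh tracker and return its alerts."""
    tracker = TokenTracker()
    for snap in stream:
        tracker.observe(snap)
    return tracker.alerts


USER = "S-1-5-21-1000-2000-3000-1001"     # constructed user SID
SAMPLE_STREAM = [
    TokenSnapshot(1234, r"C:\Windows\explorer.exe", USER, "S-1-16-8192"),
    TokenSnapshot(4412, r"C:\Users\alice\tools\run.exe", USER, "S-1-16-8192"),
    # Next sample: run.exe now carries a SYSTEM token (a kernel exploit swapped it).
    TokenSnapshot(4412, r"C:\Users\alice\tools\run.exe", SYSTEM_SID, "S-1-16-16384"),
    # A new High-IL cmd.exe: a normally elevated process, no in-place change.
    TokenSnapshot(5000, r"C:\Windows\System32\cmd.exe", USER, "S-1-16-12288"),
    # explorer.exe's own token went Medium -> High without being recreated.
    TokenSnapshot(1234, r"C:\Windows\explorer.exe", USER, "S-1-16-12288"),
    TokenSnapshot(5000, r"C:\Windows\System32\cmd.exe", USER, "S-1-16-12288"),
]

if __name__ == "__main__":
    for line in run(SAMPLE_STREAM):
        print(line)
```

The tracker deliberately ignores a freshly created High-IL process: that is what a consented UAC prompt produces, and flagging it would fire on every legitimate "Run as administrator". Catching the rundll32/auto-elevated COM case described on the slide needs the complementary rule, new High-IL children of a Medium-IL parent that is not the AppInfo service, which is left out here because its allow-list is host specific.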
COMPONENT OBJECT MODEL HIJACKING
• Adversaries insert malicious code that executes in place of legitimate software by hijacking COM references and relationships, as a means of persistence
• Hijacking a COM object requires a registry change that replaces the reference to a legitimate system component. Per-user entries under HKCU\Software\Classes\CLSID take precedence over the machine-wide ones, so no administrator rights are needed.
• Detection by monitoring the COM registry keys, such as the shell icon overlay handlers (ShellIconOverlayIdentifiers)
LOCAL PORT MONITOR
• A port monitor can be installed through the AddMonitor API call to have a DLL loaded at startup. The DLL is loaded by the print spooler service, spoolsv.exe. Alternatively, an arbitrary DLL can be loaded by writing its path under HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.
• spoolsv.exe runs with SYSTEM-level permissions, so the DLL does too
• Detection by monitoring registry keys under HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
• Better: detection highlights any unknown, new or suspicious DLL image load into the Print Spooler service
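One detector for the registry-based techniques in this deck (LSA packages, default file association, accessibility-feature IFEO debuggers, AppInit DLLs, COM hijacking and local port monitors), as an added example that is not code from the deck or from Veramine. It matches Sysmon Event ID 13 (RegistryEvent: Value Set) records, one JSON object per line as a SIEM export would carry them, against the keys the slides name, and escalates two cases: an IFEO Debugger set on an accessibility binary, and a Security Packages value that adds a package absent from a known-good baseline. The sample lines, the baseline and the whitespace rendering of REG_MULTI_SZ in the Details field are constructed assumptions. Sysmon writes per-user keys as HKU\<SID>\..., so the deck's HKCU paths appear that way here.

```python
"""Match Sysmon registry "value set" events (Event ID 13) against the
persistence keys named in this deck: LSA packages, AppInit_DLLs, IFEO debuggers
on accessibility binaries, default file associations, print monitors and
per-user COM CLSIDs.

Added example, not Veramine's code. Input is one JSON object per line with
Sysmon field names (EventID, Image, TargetObject, Details); the sample lines,
the LSA baseline and the whitespace rendering of REG_MULTI_SZ in Details are
constructed assumptions. Sysmon writes per-user keys as HKU\<SID>\..., so the
deck's HKCU paths look like that below.
"""
import json
import re

# Binaries launchable from the logon screen by a key combination.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}
# Assumed baseline of LSA Security Packages, captured from a known-good host of the same build.
BASELINE_SECURITY_PACKAGES = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u"}

WATCHLIST = [
    ("LSA packages", r"^HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\(OSConfig\\)?(Authentication|Notification|Security) Packages$"),
    ("AppInit DLLs", r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\(Load)?AppInit_DLLs$"),
    ("IFEO debugger", r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\(?P<exe>[^\\]+)\\Debugger$"),
    ("Default file association", r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\\.[^\\]+\\UserChoice\\ProgId$"),
    ("Local port monitor", r"^HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\[^\\]+\\Driver$"),
    ("COM hijacking", r"^HKU\\S-1-5-21-[\d-]+\\Software\\Classes\\CLSID\\\{[0-9A-F-]+\}\\(InprocServer32|LocalServer32)\\\(Default\)$"),
]
RULES = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in WATCHLIST]


def classify(ev):
    """Return an alert dict if a value-set event hits a watched key, else None."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    for name, rx in RULES:
        m = rx.search(target)
        if not m:
            continue
        alert = {"technique": name, "image": ev.get("Image"), "target": target,
                 "details": ev.get("Details", ""), "severity": "medium"}
        if name == "IFEO debugger" and m.group("exe").lower() in ACCESSIBILITY_BINARIES:
            # Pre-logon backdoor: the "debugger" runs instead of sethc/utilman at the logon screen.
            alert["technique"] = "Accessibility feature backdoor"
            alert["severity"] = "high"
        elif name == "LSA packages" and target.lower().endswith("security packages"):
            # Diff the new multi-string against the baseline: an added SSP sees plaintext passwords.
            added = set(alert["details"].split()) - BASELINE_SECURITY_PACKAGES
            if added:
                alert["added_packages"] = sorted(added)
                alert["severity"] = "high"
        return alert
    return None


def detect(json_lines):
    """Alerts for every watched registry write in a newline-delimited JSON export."""
    return [a for a in (classify(json.loads(line)) for line in json_lines.splitlines() if line.strip()) if a]


# Constructed sample export: six hits, then a Run key (not covered by the deck) and a key-create event.
SAMPLE_LINES = r'''
{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Security Packages", "Details": "kerberos msv1_0 schannel wdigest tspkg pku2u mimilib"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger", "Details": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs", "Details": "C:\\ProgramData\\helper.dll"}
{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "TargetObject": "HKU\\S-1-5-21-1000-2000-3000-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.txt\\UserChoice\\ProgId", "Details": "Applications\\helper.exe"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\rundll32.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Print\\Monitors\\PrintHelper\\Driver", "Details": "helper.dll"}
{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "TargetObject": "HKU\\S-1-5-21-1000-2000-3000-1001\\Software\\Classes\\CLSID\\{B5F8350B-0548-48B1-A6EE-88BD00B4A5E7}\\InprocServer32\\(Default)", "Details": "C:\\ProgramData\\helper.dll"}
{"EventID": 13, "Image": "C:\\Program Files\\Vendor\\update.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Program Files\\Vendor\\update.exe"}
{"EventID": 12, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Foo", "EventType": "CreateKey"}
'''

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert["severity"], alert["technique"], alert["target"], alert.get("added_packages", ""))
```

Matching the exact value path rather than the whole subtree keeps the rule quiet on routine writes (printer installs touch many values under Print\Monitors, only Driver names the DLL that spoolsv.exe loads). The writing Image is carried in every alert because, as the port-monitor slide notes, the stronger signal is the subsequent DLL load into the privileged process, and the image that wrote the key is what you pivot to.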