Cyber Defense - How to be prepared to APT. Some examples of Cyber Attack Simulations.

1. Cyber Defense
How to be prepared to
APT
Simone Onofri
Leonardo Nobile
March 8, 2017

2. Agenda
- Welcome
- Threats landscape
- The Cyber Attack Simulation
- Scenarios and Lessons Learned
- Conclusion
2

3. Welcome and Intro
3

4. Creating industry leaders
4
Hewlett Packard Enterprise
Provides secure Hybrid IT and
Campus Mobility solutions built on its
next-generation, software-defined
infrastructure portfolio, accelerated by
innovative IT consumption models
Meg Whitman
President and Chief
Executive Officer
Revenue*
$33B
Enterprise Services & CSC
A pure-play, global IT services
company with world-class strength in
customer service and IT operations
Mike Lawrie
Chairman, President &
Chief Executive Officer
Revenue*
$26B
HPE Confidential
*Expected revenues

5. Welcome
Cyber Defense
5
As defined by the Russia – U.S. Bilateral
Commission the Cyber Defense is the:
“Organized capabilities to protect against,
mitigate from and rapidly recover from the
effects of cyber attack”
In HPE, there is a specific domain (Enteprise
Services > Security Services > Security Consulting
Services) that is focused on these capabilities, as
well as on other security competencies: SIEM,
Security Incident Response, Digital Forensics with
Penetration Testing, Social Engineering and
Vulnerability Scanning.
In order to have an holistic view of threats and
correlated defense, Cyber Defense works in
conjunction with other capabilities from the Cyber
Reference Architecture (CRA).
Source: https://www.files.ethz.ch/isn/130080/Russia-U%20S%20%20bilateral%20on%20terminology%20v76%20(2)-1.pdf
Vulnerability
Management (VM)
Intelligent Security
Operations (ISO)
- Security Information & Event
Management (SCS)
- Security Incident Response
(SCS)
- Digital Forensics, e-discovery
(SCS)
- Data Recovery, Secure
Disposal (SCS)
- Penetration testing (SCS)
- Social engineering (SCS)
- SCADA Testing (SCS)
- Vulnerability scanning &
management (SCS)
Physical Security (PS)
Cyber Defense (CD)
Identity &
Access
Management
(IAM)
Infrastructure
& Network
Security (INS)
Applications
Security (AS)
Data Protection &
Privacy (DPP)
Converged Security (CS)
Resilient Workforce (RW)
Security & Operations Management (SOM)
Strategy,
Leadership
& Governance
(SLG)
Risk & Compliance
Management (RCM)
Security Resilient
Architecture (SRA)

6. «There are only two types
of companies: those that
have been hacked and
those that will be»
Robert Mueller, FBI Director, 2012
6
Source: https://archives.fbi.gov/archives/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies

7. «100%»
Attacks probability, from a Risk perspective
7

8. Threats landscape
8

9. The new normal brings new challenges
days to respond to
a breach46
53%146 days to detect a
breach of attacks are
from insiders
and are most
expensive to
resolve
35%44%
$7.7M
admit one or
more of their
endpoints had
been breached in
the past two
years**
54
zero-day
vulnerabilities
in 2015
552M$21,155
average cost
of a breach*
daily cost of
resolving a breach*
personal records
were stolen or
lost in 2015
of breaches
are reported
by a third
party
55%
increase in
spear phishing
in 2015
9
Sources: Mandiant M-Trends 2016 Report,
*Ponemon 2015 Cost of Cyber Crime Study: Global
**SANS “State of the Endpoint Security” Survey March 2016

10. Enterprise IT
will continue to
transform
Regulation
complexities and
costs are rising
Scarcity of skills
remains a top
challenge
The adversary
is constantly
innovating
Most companies are overwhelmed by
security threats on the rise.
They are specifically concerned about
mobile and cloud computing, email/
web-based attacks, and IoT threats.†
Many companies struggle to hire and
retain qualified security specialists.
More than 1/3 of respondents†
rank the lack of in-house expertise as
the single greatest security
challenge.
Few companies are confident in their
ability to respond to security threats.
Only 6% of companies feel
“extremely well prepared” to respond
to a security breach.†
†MIT Technology Review Security Survey 2016; commissioned by HPE and FireEye
Protecting the enterprise is increasingly difficult to do alone
4
Attacks are escalating in scale, scope,
and sophistication…
…while protection is becoming even
more complex and expensive

11. The «Cyber» War Zone
How we are attacked
The attacker looks for
information using different ways
such as OSINT, CSINT e
TECHINT. When he has
enought information decide the
best (simple/efficent) way to
attack.
Gaining access to
the organization
using Social
Engineering (e.g.
Phishing) or 0-day
or Web based
attacks.
Adversary Research
Conduct
reconnaissance
Execute Objectives /
Capture
Organization borders
Exflitration
Infiltration
All the iterative process is
designed for an objective (e.g.
data steal, destruction /
disruption).
Data exfitrated
using e.g. rar file
with password.
«skilled and otivated
people with proper
technology»
Different attackers has
different objectives:
- Data Stealing
- Money
- Disruption/Distruction
- Hacktivism/Defamation
Remember attackers can
be also internal by
default (even if not
organized)
The foothold can be an
initial shell and load a
Malware possibility or
a Web shell. Now they
are into and internal
perspective.

Privilede
Escalation
Typically the first
access is low privileged.
Attacker needs to have
Administrative/root
access to have
passwords and
intercept traffic.
Move Laterally,
Expand foothold
Depending on the
objective, the attacker
needs to take other
systems inside the
network.
Having an internal
perspective, the
attacker looks for
interesting systems.
Establish
foothold

12. Cyber Attack Simulation
12

13. Cyber Defense
How it is possible to be protected from APTs
Cyber Attack Simulation
Using mix of methodologies such as
NIST, OWASP, OSSTMM, PTES and
CREST is it possible to learn how an
adversary can attack you and learn how
to improve the protection.
Compromise Assessment
Using a series of high quality Indicators
of Compromise and analysing hosts
and network traffic to learn if there is an
intrusion. In case of emergency it
should be possible to escalate to the
Security Incident Response.
Security Incident Response
Using a proven methodology based on
CERT and ISO 27000 Family (e.g. 27035
/ 27037) it will be possible to manage the
attacker when inside to the organization
and getting it out.
13
Compromise Assessment Compromise AssessmentSecurity Incident Response
Role play game, be the adversary to
compromise the target like an APT
Know if a network segment and hosts is
compromised or not
Threat hunting game, remove the adversary
from the target organization
During this kind of activities the key point is not if we found something
during this engagement, but if an adversary found them prior to us

14. Cyber Attack Simulation
The detailed approach, a part from Planning and Reporting
14
Research Infiltration “The Iteration” Exfiltration
− Know your enemy
− Use HPE threat
intelligence
− Competitive
Intelligence
− Know yourself
− Information
present about the
target (OSINT)
− Assess perimeter
technical security
capabilities
(TECHINT)
− Apply real world tools,
techniques and
procedures
− Deliver targeted attack
payloads
− Lateral movement within the network
− Circumvent internal protections
− Escalate privileges
− Discover potentially high value targets
− Consolidate access to target data
− Extract target data

15. Cyber Attacks Scenarios
15

16. Scenario #1
Web Attack
16
Rules of Engagement: our external primary IP was whitelisted on the IPS and we
had the permission to pivot. Not specific target, the fast way to get into the network.
Using TECHINT techniques we found an old website on a public subnet, so
statically with a good chance to be vulnerable.
In few days we compromised the web application exploting a mix of
vulnerabilities with a Local File Inclusion and the Administrative interface exposed.
The first thing was to drop a web shell in order to execute commands on the
Application Server – which was not directly connected to internet.
We conducted some enumeration to identify the best way to escalate. Found an old
version of nmap that with suid and interactive can be used to have root access.
In the internal search found a credential of the SSO into a configuration file (to
send e-mail) and used nmap to map the network.
Using data from the scan, we found a windows server with weak credentials using
a custom dictionary. So we have now the application and another server.
We used an exploit to escalate the privilege and gaining the administrative access
to the windows server. But to load file to the exploit was long.
We looked to the data of the external scan and there was also the VPN gateway
exposed (which is normal).
We used the SSO credential in order to login into the internal network via VPN,
accessing in RDP to the windows server.
We extracted all login information from the server (stored and in memory) to gain
accesso to the ohter part of the network.
So we found then an interesting file share with some confidential file. Take the flag
and copied it to our windows server and to our attacking machine via RDP
Cleaning up…

17. Scenario #1
Lessons Learned
17
1
Intel: For the Intel on the customer, we found effectively a good
habit on non-sharing information on social networks (due to
training), we focused on the technology part. For intel on threats
we found on Competitive Intelligence some interesting threats.
Tech: The external configuration of firewalls and routers was nice
and also on commercial web application. The problem used was
from an old (but maintaned) custom web applications. Also we
found a different policy for managing non-internet-facing servers.
2
SOC: there was a lack of visibility of internal events. This was the
opportunity to add sources to the SIEM.
3

18. Scenario #2
Phishing mail
18
Rules of Engagement: we was in a double blind engagement. Specific request
was made to concentrate on the e-mail channel.
Using different techniques we extracted a huge list of employees from internet and
obtained the mail format.
As a preliminary we dropped some links on internet in places we know some of
employees to enumerate their clients.
We created a phishing e-mail tuned with info obtained loaded with a specific
exploit. We sent in different wave. A good percentage of people clicked.
Between different waves a 0-day was published (technically 1-day) so we modified
our exploit to increase the chances to success.
Obtained some control on the customers machine, all users was logged with low
privileged account so we need to search something to became admin.
Also there was a centralized authenticated proxy which filter the big part of
communication. We changed the initial payload to connect to our C2.
After established a stable communication way, there was some notebook from the
outside the network who was not really updated and used an exploit to get Admin.
Having more visibility we waited the notebook to be plugged on the internal network
(the day after) and put a keylogger to look for most interesting password.
After connection we surfed into the internal network looking for our target. Then
taken another server to have a stable point inside.
In another server we found an interesting database, taken some records and
transferred to our PC
Cleaning up…

19. Scenario #2
Lessons learned
19
1
Intel: People - often referred as «Layer 8» - is the most complex
challange to manage. In general the organization found really
useful to have an idea of their information on the public internet.
Tech: Keep updated not only OS but all software present on PC,
in particular the one which runs with SYSTEM permissions.
Having visibility of not-updates clients. Consider clients such as a
bastian host.
2
SOC: The big control on ingress point (the proxy) with deep
inspection slowed the attack and limited the commands / vectors
to be used. SOC augumented the rules on the proxy.
3

20. Scenario #3
Physical access
20
Rules of Engagement: insider simulation, as an external consultant scenario. Was
considered pretty secure e.g. use only organization PCs binded with MAC addr.
While waiting for the sys admin to boot the new PC, there was some intelligence
gathering about technology inside and socializing with new colleagues.
Because there are something to wait and need to start on the strict deadline of the
project, a colleague provided the local admin password to install some tools.
Using the admin credential was installed a keylogger, waiting for the admin to have
the credentials, and a network sniffer.
Keylogger put its target when the sys admin used a password to connect the PC on
the AD, also the sniffer found a stage DB password from other people in the room.
We decided to use the hard way (also because the sysadmin explained is a
temporary pwd). Using the credentials we taken the database that was a system for
some kind of refunds.
Studied the staging system for a while. We was able to know the flow on how to
forge a refund record.
We that taken some time to attack the production servers using all the information
from the staging one to put the forged record and alter other points needed.
The first refund get out correctly*. We try other times. We used a common pattern
for queries, after a while this pattern was recognized by an operator.
Cleaning up…

21. Scenario #3
Lessons learned
21
1
Intel: Human aspect is always important from both side. The
judicious operator was able to identify the attack pattern.
Tech: Use of clear text protocols is very bad, in particular in an
internal network. Also staging was less secure than production.
2
SOC: After the cleaning up, the was was able in few hours to
reconstruct the attack flow. This because they had all the
information in a single point. Correlate also application log can be
useful.
3

22. Conclusion
22

23. «Give me six hours to chop down a
tree and I will spend the first four
sharpening the axe»
American motto attributed to Abraham Lincoln
23

24. «All warfare is based on deception.
Hence, when we are able to attack,
we must seem unable; when using
our forces, we must appear inactive;
when we are near, we must make the
enemy believe we are far away; when
far away, we must make him believe
we are near»
Sun Tzu, The Art of War, 5th century BC
24

25. Thank you!
25