IMA - Anatomy of an Attack - Presentation- 28Aug15

Post on 12-Jan-2017


The Anatomy of an Attack: Think Like a Criminal

About Your Presenters

Ken Smith

• Employment
  • Senior Consultant, SecureState, LLC.
  • Professor of Network Security, University of Mount Union
  • Cyber Security, Curriculum Development, Notre Dame College
  • Formerly of 5th Special Forces Group (Airborne)
• Education
  • BS, Computer Info Systems, University of Dayton
  • AA, Arabic Language and Culture, Defense Language Institute
  • MA, Security Policy Studies, Notre Dame College
• Areas of Specialization
  • Physical Security, Wireless Encryption, and Mobile Devices

Benjamin Brooks, CISSP

• Employment
  • Consultant, SecureState, LLC.
  • Equipment Architecture and Configuration Validator, US Special Operations Command
  • Leading Chief Petty Officer, US Navy Special Warfare, Tactical Information Operations, SEAL Team-5
• Education
  • BA, Political Science, University of Illinois
• Areas of Specialization
  • Policy, IT Partnering, Wireless Technologies and Mobile Devices

Agenda

• Basics Booster
• State of Affairs
• Oh, the Places They’ve Breached!
• Threat Actors
• The Attacker’s Mind
• A Paradigm Shift
• Operation OatmealGhost
• Q&A

Basics Booster

Confidential Information

Information Security

• Confidentiality
• Accessibility
• Integrity

State of Affairs

• Breaches continue in spite of budget increases
  • Industry and size agnostic
• Attacks are increasing in frequency
• Variety of threat actors
  • Not much in common at first glance
  • Deeper analysis reveals shared mindsets
• Need for fundamental change in our approach to security

Regulations and Frameworks

[Chart: Breached 2014 / Other]

[Chart: Technology Investments After The 2014 Breaches; bar chart, x-axis 0% to 60%, by category: Data Classification, Sensitive Data Management, Anti-Virus/Anti-Malware, Data Loss Prevention (DLP), Virtual Private Network, Data Discovery, Firewalls, Forensic Tools, Security Governance, Identity & Access Management, Mobile Device Management, Web Application Firewalls, Encryption/Tokenization, Intrusion Detection & Prevention, Endpoint Security, Security Incident & Event Management (SIEM)]

[Chart: 34% / Breached 2015]

Threat Actors

The Attacker’s Mind: Always Assume a Breach

The Attacker’s Mind

• Attack methods are unpredictable
  • Tools and exploits released continuously
  • New indicators of compromise
• Attack methodology is not!
  • Independent of background
  • Recognizable behavior

The Attacker’s Mind

Enumeration
• Users
• Services
• Port Scans
• Operating Systems
• Vulnerabilities

Exploitation
• SQL Injection
• Leverage Vulnerabilities
• Establish Foothold
• Evasion Techniques
• Human Element

Privilege Escalation
• Configuration Files
• User Pivoting
• Backups
• Scripts
• GPO Preferences
• Mimikatz

Post Exploitation
• System Pivoting
• Network Pivoting
• Persistence
• Pillaging
• Destruction
• Exfiltration

Discovery
• OSINT
• DNS
• Whois
• Network
• Metadata
• Social Media

The Hacker’s Mind

• Curiosity
• Problem Solvers
• Defiant
• Detail-Oriented
• Determined
• Sense of Community

A Paradigm Shift

• Compliance-driven security testing
  • No social engineering
  • Notify IT/Security teams of testing
  • Small time windows
  • Single lane assessments
  • We’re on the same side
• Attackers don’t limit themselves
  • Why should you?

A Paradigm Shift – One Phish, Two Phish

• Spam is not phishing
  • Gone are the days of the Nigerian Prince
• Modern attacks
  • Targeted
  • Well-developed and researched
  • Timely
• Can be a touchy subject
  • People feel tricked and distrustful
  • This is something to embrace (to an extent)

A Paradigm Shift – Red Phish, Blue Phish

• Verizon’s 2015 Annual Attack Vector Report
  • 23% of recipients open phishing messages
  • 11% open malicious attachments
  • Median time to first click: 22 seconds
• All it takes is one

A Paradigm Shift – Time and Scope

• Verizon report
  • 37% of breaches contained within hours
  • 30% contained within several days
  • Numbers are post-discovery
• FireEye 2012 report
  • Average cyberespionage attack continued unchecked for 458 days before discovery
• Detection deficit
  • 8-16 hour penetration tests aren’t good enough

Operation OatmealGhost

Scenario

• Target Profile
  • Multinational
  • Decentralized
• Trophies
  • Intellectual Property
  • Merger/Acquisition Info

Send in the Team!

Attack Vectors


Timeline of Events

N - 14
• Recon Begins
• Targets Identified
• Hardware Ordered
• Sites Collected
• Metadata Collection

N
• Brute Force Lotus Notes

N + 2
• Shipped Payloads

N + 4
• Lotus Notes Recon (TROPHY)
• USB Payload Connects Back To C2

N + 4 (+ 5 HR)
• Multiple Domain Administrators (TROPHY)

*** Unrestricted *** Pivoting

Highlight Reel

Access To Lotus Notes Permitted Monitoring & Countermeasures

Global Penetration

Regained Access After Blocking

Gained Access To Chat Server – Began Chatting As Admins

Listened to & Recorded Conference Calls

After Action Review (AAR)

• What went right?
  • Extended time period
  • Inclusion of social engineering as a vector
  • Reactions were legitimate
• What went wrong?
  • Defenses had been focused on traditional barriers
  • Reacting to events over email
  • Admin staff act hastily without understanding the situation

After Action Review (AAR): What Should Have Been Done Differently?

• Think Like an Attacker Before/During/After
  • Where are our weaknesses?
  • What is an attacker likely to do next?
  • Social Media – Don’t be specific!
• War gaming
  • Attack Your Own Organization
  • Seek Out Weakness Throughout The Organization
• Remove Limitations on assessments
  • A penetration test can be more
  • Think beyond compliance
  • Include Social Engineering

Become Proactive NOT Reactive!

After Action Review (AAR): Top Three Things You Can Do

• Educate
• Educate
• Educate!

War Room Technical Blog


https://warroom.securestate.com

@SS_WarRoom


Q&A

@p4tchw0rk
@technlogian

A Paradigm Shift - Phishing

https://github.com/securestate/king-phisher