Post on 31-Mar-2020
Version: 1.0
Date: 2015-11-03
Author: Avi Kravitz
Responsible: Avi Kravitz
Confidentiality Class: Public
Modern Honeypots in the Age of Failing Prevention (original title: "Moderne Honigtöpfe im Zeitalter scheiternder Prävention")
© 2013 SEC Consult Unternehmensberatung GmbH
All rights reserved
Title: [--Title--] | Responsible: [--Responsible--]
Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--]
© 2013 SEC Consult Unternehmensberatung GmbH
All rights reserved
© 2015 SEC Consult Unternehmensberatung GmbH
All rights reserved
Title: CybeDefence | Responsible: Avi Kravitz
Version / Date: V1.0 / 2015-10-08 | Confidentiality Class: public
whoami
Bernhard Schildendorfer | b.schildendorfer@sec-consult.com
Security Consultant | SEC Consult
… IT / Information Security in St. Pölten
… SEC-Consult since 02/2010
… Penetration Tester, Project Leader, …
… Responsible for Operations @ CyberTrap
… and some other interests
SEC Consult – Who we are (1)
Offices: Vienna (HQ) | AT, Wiener Neustadt | AT, Vilnius | LT, Berlin | DE, Frankfurt | DE, Zurich | CH, Montreal | CA, Singapore | SG, Moscow | RU
Founded 2002
50+ Security Experts
350+ Security Audits per year
Globally operating SEC Consult Vulnerability Lab
SEC Consult – Who we are (2)
Advisor for information security
Expert for the implementation of security processes and policies (ISO 27001, BS 25999, GSHB)
Leading company for technical security audits
Specialist for web application security according to ONR 17700
Independent of product manufacturers
Our customers are public authorities, financial institutions and well-known leading companies all over the world
Sectoral orientation (defence, public, finance, industry, SW development)
Case #1
a fraud.
CEO: Hey Phil! Did u already take care of the invoice? It's important!
CFO: Frank, which invoice are you talking about?
CEO: Ohhh damn!! It's attached to this mail. Please take care of it.
CFO: OK!
3 hours later…
CFO: Frank, I initiated the transfer!
CEO: What are you talking about?
The "CEO" in the mail thread: a fraudster.
WHAT IF
you could identify the fraudster?
Later the same day…
Sample image: the actual appearance of the response team may differ.
CFO: Frank, find attached the confirmation!
20 minutes later…
Intercepted Data
10/09/2015 05:28:33 PM - [SMB] NTLMv2-SSP Client : 5.31.128.11
10/09/2015 05:28:33 PM - [SMB] NTLMv2-SSP Username : TROUBLEMARS\arad
10/09/2015 05:28:33 PM - [SMB] NTLMv2-SSP Hash : ARAD::TROUBLEMARS:1122334455667788:BF291E57152648994XXXX5FFC34EA6F3:0101000000000000CB222026A702XXXXX80245F1155C1780000000002000A0073006D0062003100320001001400530045005200560045005200320030003000380004001600730006D006200310032002E006C006F00630061006C0003002CXXXXX4500520056004500520032003000300038002E0073006D006200310032002E006C006F<snip>
Cracked password: moneymaker1982
30 minutes later…
Intercepted Data
10/09/2015 05:55:56 PM - [SMB] NTLMv2-SSP Client : 41.58.80.176
10/09/2015 05:55:56 PM - [SMB] NTLMv2-SSP Username : MicrosoftAccount\my-cool-nickname@outlook.com
10/09/2015 05:55:56 PM - [SMB] NTLMv2-SSP Hash : my-cool-nickname@outlook.com::MicrosoftAccount:1122334455667788:D2CEXX0DABBBC3FD08A6XXXXX89B00B:0101000000000000649CEDE9AXXXXX10108C9D7355FB6CA3D0000000002000A0073006D006200310032000100140053004500520056004500520032003000300038000400160073006D006200310032002E<snip>
Cracked password: homersimpson7
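Both captures are Responder-style NTLMv2-SSP log entries. The deck does not say what the "confirmation" attachment contained; the usual way to obtain such a capture (general background, not the deck's stated method) is a document that references a UNC path on an SMB listener you control, so that the Windows client opening it authenticates automatically and hands over its source IP, the account name and an NTLMv2 challenge-response. Two things to read from the logs: the server challenge 1122334455667788 is identical in both captures because it is Responder's default static challenge, and the hash line is already in the USER::DOMAIN:challenge:NTProofStr:blob form that hashcat mode 5600 consumes, so "cracking" is an offline dictionary check against the NTProofStr. The client IP is the egress address of the machine that opened the document, not necessarily the person behind it (VPN, proxy, compromised host). The following added example is not code from the deck or from CyberTrap: it parses such a log, re-joining a hash that was wrapped over several lines as on the slides, and verifies candidate passwords by recomputing NTLMv2 as MS-NLMP specifies. Because the slides' hashes are redacted with X, the capture it parses is constructed at runtime from a made-up client IP, timestamp, nonce and target name; the pure-Python MD4 is there only because OpenSSL 3 builds of hashlib often no longer provide it.

```python
# Added example, not from the deck or from CyberTrap: parse a Responder-style
# NTLMv2-SSP capture, emit its hashcat (-m 5600) line and verify candidate
# passwords against the NTProofStr. NTLMv2 follows MS-NLMP 3.3.2; MD4 is in
# pure Python because OpenSSL 3 builds of hashlib often lack it.
# Every value in build_sample_capture() is constructed for this example.
import hashlib
import hmac
import re
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data):
    """RFC 1320 MD4; the NT hash is MD4 over the UTF-16LE password."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    rounds = (  # (boolean function, additive constant, word order, shift schedule)
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                aa = _rotl((aa + fn(bb, cc, dd) + x[idx] + k) & _MASK, shifts[i % 4])
                aa, bb, cc, dd = dd, aa, bb, cc  # rotate roles for the next step
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(password, user, domain, server_challenge, blob):
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob), where
    NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(upper(user) || domain))."""
    ntowf_v2 = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(ntowf_v2, server_challenge + blob, hashlib.md5).digest()


_FIELD = re.compile(r"NTLMv2-SSP (Client|Username|Hash)\s*:\s*(.*)$")


def parse_responder_capture(lines):
    """Collect Client/Username/Hash from Responder-style log lines; a Hash that
    was wrapped onto following lines (as on the slide) is re-joined."""
    cap, current = {}, None
    for line in lines:
        m = _FIELD.search(line)
        if m:
            current = m.group(1).lower()
            cap[current] = m.group(2).strip()
        elif current == "hash" and line.strip() and " " not in line.strip():
            cap["hash"] += line.strip()  # continuation chunk of a wrapped hash
    return cap


def crack_ntlmv2(hashline, candidates):
    """hashline is the hashcat -m 5600 form USER::DOMAIN:challenge:NTProofStr:blob.
    Returns the first candidate whose recomputed NTProofStr matches, else None."""
    user, _, domain, chal_hex, proof_hex, blob_hex = hashline.split(":", 5)
    chal, proof, blob = bytes.fromhex(chal_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for pw in candidates:
        if hmac.compare_digest(ntlmv2_proof(pw, user, domain, chal, blob), proof):
            return pw
    return None


def build_sample_capture(password="moneymaker1982", user="arad", domain="TROUBLEMARS"):
    """Constructed capture in Responder's log format (the slide's hashes are redacted).
    1122334455667788 is Responder's default static server challenge; the client
    IP, timestamp, nonce and target name are invented for this example."""
    chal = bytes.fromhex("1122334455667788")
    blob = (bytes.fromhex("0101000000000000")                          # RespType, HiRespType, reserved
            + struct.pack("<Q", 130880513130000000)                     # timestamp (FILETIME, made up)
            + bytes.fromhex("aabbccddeeff0011")                          # client nonce (made up)
            + b"\x00" * 4
            + bytes.fromhex("02000a00") + "smb12".encode("utf-16-le")    # MsvAvNbDomainName AV pair
            + b"\x00" * 4 + b"\x00" * 4)                                 # MsvAvEOL, reserved
    proof = ntlmv2_proof(password, user, domain, chal, blob)
    hashline = "%s::%s:%s:%s:%s" % (user.upper(), domain, chal.hex(), proof.hex(), blob.hex())
    prefix = "10/09/2015 05:28:33 PM - [SMB] NTLMv2-SSP "
    return ([prefix + "Client : 203.0.113.7",
             prefix + "Username : %s\\%s" % (domain, user),
             prefix + "Hash : " + hashline[:40]]
            + [hashline[i:i + 70] for i in range(40, len(hashline), 70)])


if __name__ == "__main__":
    capture = parse_responder_capture(build_sample_capture())
    print("hashcat -m 5600 line:", capture["hash"])
    print("cracked:", crack_ntlmv2(capture["hash"], ["summer2015", "homersimpson7", "moneymaker1982"]))
```

The printed hash line can be fed to hashcat -m 5600 unchanged; for anything more than a handful of candidates, do that rather than extending the Python loop. Because the check is offline, the only things the attacker's machine reveals are its IP, the account name and one challenge-response; a strong password keeps the password itself private, which is why the slide's point is the attribution, not the credential.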
some days later…
Case #2
an APT.
“The account of a user that was on vacation was locked due to failed logins”
- a SEC Consult client
Anatomy of a Targeted Attack
Initial Recon → Initial Compromise → Establish Foothold → Escalate Privileges → Internal Recon → Move Laterally → Maintain Presence → Complete Mission
Anatomy of a Targeted Attack (1)
Initial Recon: information gathering ("let's steal the crown jewels")
Initial Compromise: "let's find a way into the company"
• Critical vulnerabilities in web applications
• Spear phishing
• Drive-by downloads
• etc.
Establish Foothold: "let's plant some remote controllable malware"
Anatomy of a Targeted Attack (2)
Escalate Privileges:
• Weak passwords
• Misconfigurations
• Bad patch management
• etc.
Internal Recon: "look for the diamonds!"
Move Laterally: "let's move from system to system until we find what we're looking for"
Maintain Presence: "let's plant new backdoors"
Complete Mission: "we got the crown jewels, let's deliver them to our client"
They will come back
Conclusio
• Information security can no longer prevent advanced targeted attacks
• Too much spending is focused on prevention
• Too little is spent on security monitoring and response
• Tailored security breaches are inevitable
What to do?
Security is all about knowing & preparation!
WHAT IF you are able to…
• get their motivation?
• get their TTPs?
• identify the attacker(s)?
Knowing - Global Threat Intelligence?
Indicators of compromise (IOCs) / signature feeds:
• Malicious IPs
• Malicious domains
• Malware hashes
• Phishing e-mails
• Misc. fingerprints
The Art of Deception
We know your enemies
Look in the Mirror…
CyberTrap
CyberTrap is a weak link in the exposed infrastructure
[Chart: unlabelled 0-100 scale for Application 1 to Application 9, with the CyberTrap decoy shown as the "Entry Point" in position 6; weakness categories shown: SQL Injection, Fileshare, Default Passwords, File Uploads, 0-Day Vulnerability, Outdated Software]
Be close to your enemies with CyberTrap!
Find out where they come into your system
Find out what tools they are using
Find out what they are after
Find out what their motivation is
CyberTrap gives you unique
LOCAL THREAT INTELLIGENCE
Know Your Enemy
CyberTrap Notification System (13.04.2015):
Hello! CyberTrap detected 4103 IOCs on the following units:
websrv01.wbdmz.local: 3122
dbsrv01.wbdmz.local: 981
Click here to access the CyberTrap Dashboard.
Connection Atlas
Activity Graph
Live Alerts
Anatomy of a Targeted Attack – what was observed at each step
Initial Recon: stealth vulnerability scan
Initial Compromise:
• SQL Injection
• Broken File Upload
Establish Foothold:
• RAT malware
• Valid mcsync.exe
• DLL Hijacking
• Misc. tools
Escalate Privileges: dump cached passwords
Internal Recon: network scan
Move Laterally / Maintain Presence:
• Windows commands
• Remote cronjob
Conclusio
Working time: ~3am - ~2pm (CET)
Identified motivation
Attributed infrastructure
Generation of signatures
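How a "working time" window like the one above is derived from honeypot data, as an added example that is not the deck's or CyberTrap's code: alert timestamps are bucketed per hour of day, the longest run of consecutively busy hours is taken as the attacker's working window, and, as a labelled heuristic, the UTC offsets at which that window would start at a normal office hour are listed. The alerts are constructed so that the window matches the slide; CET is a fixed UTC+1 here (the slide says CET, although early October 2015 was on CEST), and the office-hour heuristic is an assumption for illustration, not an attribution method the deck describes.

```python
# Added example, not from the deck or from CyberTrap: turn honeypot alert
# timestamps into the "working time" figure the Conclusio slide reports.
# The timestamps are constructed; the UTC-offset heuristic is an assumption.
from collections import Counter
from datetime import datetime, timedelta, timezone

CET = timezone(timedelta(hours=1))  # fixed UTC+1, no DST handling


def hour_histogram(timestamps, tz=CET):
    """Alerts per local hour of day (0-23) in zone tz."""
    return Counter(ts.astimezone(tz).hour for ts in timestamps)


def active_window(counts, min_share=0.02):
    """Longest run of consecutive hours (wrapping past midnight) in which each
    hour carries at least min_share of all alerts. Returns (first, last + 1)."""
    total = sum(counts.values())
    busy = [total and counts[h] / total >= min_share for h in range(24)]
    if all(busy):
        return 0, 24
    best = (0, 0)  # (start hour, run length)
    for start in range(24):
        if not busy[start] or busy[(start - 1) % 24]:
            continue  # runs are only measured from their first hour
        length = 1
        while busy[(start + length) % 24]:
            length += 1
        if length > best[1]:
            best = (start, length)
    start, length = best
    return start, (start + length) % 24


def candidate_utc_offsets(window_start_utc, office_start=(7, 10)):
    """Assumption, not a result from the deck: UTC offsets at which the first
    active hour would land on a plausible start of an office day."""
    return [off for off in range(-12, 15)
            if office_start[0] <= (window_start_utc + off) % 24 <= office_start[1]]


def build_sample_alerts():
    """Constructed: 10 alerts in each UTC hour 02-12 on one day, plus two strays."""
    day = datetime(2015, 10, 9, tzinfo=timezone.utc)
    alerts = [day + timedelta(hours=h, minutes=5 * i) for h in range(2, 13) for i in range(10)]
    alerts += [day + timedelta(hours=20), day + timedelta(hours=21, minutes=30)]
    return alerts


def profile(timestamps):
    """Return ((start, end) in CET, (start, end) in UTC, candidate offsets)."""
    cet = active_window(hour_histogram(timestamps, CET))
    utc = active_window(hour_histogram(timestamps, timezone.utc))
    return cet, utc, candidate_utc_offsets(utc[0])


if __name__ == "__main__":
    cet, utc, offsets = profile(build_sample_alerts())
    print("working window (CET): %02d:00-%02d:00" % cet)
    print("working window (UTC): %02d:00-%02d:00" % utc)
    print("UTC offsets at which that window starts between 07 and 10:", offsets)
```

The min_share threshold is what keeps isolated off-hours probes (the two stray alerts here) from stretching the window; tune it to the alert volume, and treat the offset list as one weak signal among others, since scheduled tooling and relays blur it.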
Takeaways
• Prevention fails
• Preparation is key
• Improve monitoring & detection capabilities
• Know your enemies
• Increase time to defend
• Homefield advantage
• Do the homework
Takeaways
"If you know your enemies and know yourself, you will not be imperiled in a hundred battles"
- Sun Tzu, The Art of War
Contact
GERMANY
SEC Consult Unternehmensberatung Deutschland GmbH
Ullsteinstraße 118
D-12109 Berlin
Email office-berlin@sec-consult.com
LITHUANIA
UAB Critical Security, a SEC Consult company
Sauletekio al. 15-311
10224 Vilnius
Tel +370 5 2195535
Email office-vilnius@sec-consult.com
RUSSIA
CJCS Security Monitor
5th Donskoy proyezd, 15, Bldg. 6
119334, Moscow
Tel +7 495 662 1414
Email info@securitymonitor.ru
SINGAPORE
SEC Consult Singapore PTE. LTD
4 Battery Road
#25-01 Bank of China Building
Singapore (049908)
Email office-singapore@sec-consult.com
CANADA
i-SEC Consult Inc.
100 René-Lévesque West, Suite 2500
Montréal (Quebec) H3B 5C9
Email office-montreal@sec-consult.com
AUSTRIA
SEC Consult Unternehmensberatung GmbH
Komarigasse 14/1
2700 Wiener Neustadt
Tel +43 1 890 30 43 0
Email office@sec-consult.com
THAILAND
SEC Consult (Thailand) Co.,Ltd.
29/1 Piyaplace Langsuan Building 16th Floor, 16B
Soi Langsuan, Ploen Chit Road
Lumpini, Patumwan | Bangkok 10330
Email office-vilnius@sec-consult.com
www.sec-consult.com
SWITZERLAND
SEC Consult (Schweiz) AG
Turbinenstrasse 28
8005 Zürich
Tel +41 44 271 777 0 | Fax +43 1 890 30 43 15
Email office-zurich@sec-consult.com
AUSTRIA
SEC Consult Unternehmensberatung GmbH
Mooslackengasse 17
1190 Vienna
Tel +43 1 890 30 43 0 | Fax +43 1 890 30 43 15
Email office@sec-consult.com