> think like a hacker
Transcript of the slide deck "think like a hacker".
https://goo.gl/Pwr2Uy
pope @blesstheInfoSec
james, dir. IT, partner
DC801/DC435
SAINTcon, BSidesSLC, BlackHat NATO tech, NATO CyberSecurity
degrees/certs
lockpick
badge clone
bypass tools
35mm film?
lying
checks
master keys
passwords
badge makers
servers
HR data
who, what, why?
why are these people attacking me?
“Money, loot, cash, filthy lucre, greed … get the idea? In fact, it can be money even when it’s not money”
secondary motive
“Many of the attacks discussed in this report have what we call a ‘secondary motive’, which we define as when the motive of the incident is to ‘aid in a different attack’. We filter these out of the report because it would overshadow everything else if we didn’t. One example is where the bad guy compromises a web server to repurpose it to his own uses (e.g., hosting malicious files or using it in a spam or DoS botnet). Even criminals need infrastructure. “It is a far, far better thing” that someone else manages it for free, rather than having to pay for it yourself.”
how does hacking really happen?
➢ i would phish you
➢ and/or walk in the front door (login), with your bad passwords or known password from a breach
➢ i would attack your organization with your authentication, local admin
➢ and/or ransomware your organization
❏ missing patches
phishing
phishing is a criminal activity using social engineering techniques. “Phishers” attempt to fraudulently acquire sensitive information, such as passwords, personal information, military operations, and credit card/financial details, by masquerading as a trustworthy person or business in an electronic communication.
portals
links
credential harvesting
payloads
access to your browser
access to your system
admin?
phishing
https://internationalcinematechnologyassociation.com/about-icta/
https://ashraffayadh.com/8/index.html France Reply to: [email protected]
phishing questions?
passwords
hacking passwords
● dictionary attack
● brute forcing
● entropy
● random - flip a coin!
● pattern guessing
● cracking hashes
used to be:
● Contain at least eight alphanumeric characters.
● Contain both upper and lower case letters.
● Contain at least one number (e.g., 0-9).
● Contain at least one special character (e.g., !$%^&*()_+|~-=\`{}[]:";'<>?,/).
● Cannot contain username
● Cannot be used last XXX times
● Must change every 90 days
now is:
● not in a dictionary
● not reuse from service/system to service/system
● length is preferred
● two factor, two factor, two factor
multifactor doesn't cut it - one compromised...
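To make the "used to be" versus "now is" contrast concrete, here is an added example (not code from the talk) that checks a password against the legacy rules and compares the entropy of 8 random characters with that of 5 random diceware-style words; the word-list size, the sample words and the guess rate are assumptions.

```python
import math
import secrets
import string

# Constructed stand-in for a diceware-style word list (assumption: only the
# list size matters for the entropy figure; a real list has 7776 words, the
# sample below is far too small to generate a real passphrase from).
WORDLIST_SIZE = 7776
SAMPLE_WORDS = ["cinema", "badge", "lockpick", "patch", "backup", "phish", "ticket", "usher"]
SPECIALS = string.punctuation  # covers the special-character class on the slide

def meets_legacy_policy(pw: str) -> bool:
    """The 'used to be' rules: 8+ chars, upper, lower, digit, special."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random choice of `length` symbols."""
    return length * math.log2(alphabet_size)

def legacy_random_entropy(length: int = 8) -> float:
    """Best case for the old policy: 8 truly random printable ASCII chars (94 symbols)."""
    return entropy_bits(len(string.ascii_letters + string.digits + SPECIALS), length)

def passphrase_entropy(words: int = 5, wordlist_size: int = WORDLIST_SIZE) -> float:
    """The 'now is' approach: length from random words ('flip a coin', not a pattern)."""
    return entropy_bits(wordlist_size, words)

def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average brute-force time: half the keyspace divided by the guess rate."""
    return 2 ** (bits - 1) / guesses_per_second

def random_passphrase(words: int = 5, wordlist=SAMPLE_WORDS) -> str:
    """Generate with a CSPRNG so the entropy figure actually applies."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))

if __name__ == "__main__":
    # "Password1!" satisfies every legacy rule yet is exactly what pattern guessing tries first.
    print("legacy policy accepts 'Password1!':", meets_legacy_policy("Password1!"))
    for label, bits in (("8 random chars", legacy_random_entropy()),
                        ("5 random words", passphrase_entropy())):
        days = expected_crack_seconds(bits, 1e10) / 86400  # assumed 10^10 guesses/s offline
        print(f"{label}: {bits:.1f} bits, ~{days:.0f} days to brute force on average")
    print("example passphrase (tiny sample list):", random_passphrase())
```

The point the numbers make is the one on the slide: a policy-compliant pattern like "Password1!" has almost no effective entropy, while length from random words beats even the best-case 8-character password.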
questions?
ransomware
money, money, money
FBI has stated that the use of ransomware has reached an all-time high. In the first three months of 2016 alone, cybercriminals have collected $209 million by extorting businesses and institutions to unlock computer servers. Ransomware is estimated to have made over $1 billion in 2016, with total losses being even higher once related business costs are factored in.
● BTC/XMR/XVG/SUMO has allowed attackers to anonymously monetize their target
● attacks originate from other compromised systems, which leaves FBI/law enforcement with little to nothing to go on when tracking down good attackers
● ransomware in 2016 saw more attacks against businesses and more often than ever before. There is no indication that the trend will be reversing anytime soon
● ransomware has already targeted the following industries: health care, police, banking, education, transportation, hotel, government, and industrial control systems
● as ransomware grows attackers will be expanding
● once an industry is targeted variants are built to attack all major systems used by that industry
● ransomware netted very conservatively over a billion dollars in 2016
● the number of ransomware variants grew by a factor of 30x in 2016
● every 40 seconds, an organization gets hit with ransomware, up from every two minutes in 2016
why bother? what can happen?
“YOUR SERVERS, NETWORKING EQUIPMENT, AND FILES ARE ALL ENCRYPTED”
The decryption key is stored on a secret internet server and nobody can decrypt your files until you pay and obtain the private key
2 BTC is due now per auditorium or 35 BTC is due now for an entire chain. In 24 hours the price will double to 4 per auditorium and 70 per chain
To pay: download the Tor Browser from http://torproject.org. In the Tor Browser go to https://cinemaransomware.onion (Only available via Tor Browser)
Input this public key and follow the instructions on the server &&68-frankly-DEAR-damn-66&&
Once payment has been made the movie can be resumed in under 10 minutes
ransomware - who has paid?
education
K-12
charter
universities
hospitals
police departments
loads of businesses, nonprofits, home users, etc
what they encrypt
files
backups
shares
network drives
DropBox, OneDrive, Drive, Box, etc.
external USB drives, sticks, etc.
questions?
hacking goals: get local admin/domain admin/system creds
you got phished or used a bad password
good news to me you are local admin!
with local admin i can
➔ disable/bypass AV
➔ install whatever i want
➔ disable/bypass UAC
➔ circumvent policies
but i want system
how hard is it to go from local admin to system privilege?
how do i take down your org from here?
i need highly privileged users
enumerate
i know what hosts i want but how do i get them?
grab passwords, dump hashes
it’s not always that easy
sometimes it’s easier
angry puppy
death star
● Backups
● Offsite backups
● Revision Control
● Reduce access
● No local admin
● Disable macros
● Anti-exploit software
● Patch
● Ad blockers
● Awareness training
● Don’t click on links
● Don’t open attachments
● Remove software (flash/java/etc)
● AV w/behavioral real time scanning
● SPF / DKIM
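One way to see what the SPF item in the list above actually buys a defender: an offline SPF evaluator, added here as an example (not code from the talk), that decides whether a sender IP is authorized by a domain's SPF record. The DNS TXT records, the domain names and the addresses are constructed placeholders; a production check would query DNS instead of the dictionary.

```python
import ipaddress

# Constructed DNS TXT records standing in for real lookups (assumption: names
# and addresses are placeholders from documentation ranges).
FAKE_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# SPF qualifiers map to the result returned when a mechanism matches.
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain: str, sender_ip: str, txt=FAKE_TXT, depth: int = 0) -> str:
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip under domain's SPF.

    Handles ip4, ip6, include and the qualified 'all' terminator; mechanisms such
    as a/mx/exists are deliberately left out to keep the example short.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10; treat deeper chains as an error
        return "permerror"
    record = txt.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"  # no SPF published: nothing to enforce
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUAL:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            # A v4 address never matches a v6 network (and vice versa); ipaddress returns False.
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUAL[qualifier]
        elif term.startswith("include:"):
            # include matches only when the referenced domain's record yields 'pass'
            if spf_check(term[8:], sender_ip, txt, depth + 1) == "pass":
                return QUAL[qualifier]
        elif term == "all":
            return QUAL[qualifier]
    return "neutral"  # no mechanism matched and no 'all' terminator

if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.10", "2001:db8::1", "192.0.2.5"):
        print(f"{ip:>16} claiming example.com -> {spf_check('example.com', ip)}")
```

A mail gateway that rejects on "fail" (or quarantines on "softfail") blocks the spoofed-sender phishing the earlier slides describe, but only for domains that publish a strict record; DKIM covers the message content the same way.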
Questions?
http://www.blackroomsec.com/updated-hacking-challenge-site-links/
70 sites which offer free challenges for hackers to practice their skills.
https://goo.gl/Pwr2Uy
https://goo.gl/dqrm66
One Cinema's struggle to take it easy