Out of the Blue: Responding to New Zero-Day Threats, An Ethical Hacker's View
  • Criminals have adapted their attacks from generic and indiscriminate to personalized and targeted. Attackers continue to pursue personally identifiable information, but now this is used in targeted personalised emails that lure businesses to click and download malware. Spear phishing attacks can result in successful network compromises and data theft. The market opportunity today is for intellectual property (IP) and corporate credentials – we’ll look at a couple of examples shortly. Versatile, drag-and-drop toolkits allow criminals endless permutations of attack options, pursuing smaller businesses as the larger organizations improve their defences. Every business has a bank account, a customer database, a product design, or some other asset of value. Even if no data is stolen, every compromised system can add free compute cycles to a spam botnet.
  • The Operation Aurora source code thefts at Symantec, Google, Adobe, Intel and Morgan Stanley targeted IP. The attackers used multiple stages and avenues to enter the network and navigate to the data that had value. Many of the attacks incorporated personal data gleaned from social media, as well as zero-day vulnerabilities. The first item of value stolen was often access credentials. Stolen credentials can open the doors to administration of the database, web or email server. If they are the CFO’s credentials, they can be the authentication required to take over and withdraw funds from the corporate bank account.
  • The March 2011 theft of two-factor authentication data from RSA (a division of EMC) shows the strategic nature of these attacks: the intellectual property stolen from RSA “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack,” allowing criminals to break in at enterprises around the world.
  • RSA was hacked some time in the first half of March 2011 when an employee was successfully spear phished and opened an infected spreadsheet. As soon as the spreadsheet was opened, a zero-day payload permitted the installation of a backdoor Trojan (Poison Ivy). From there, the attackers basically had free rein of RSA’s internal network, which led to the eventual dissemination of data pertaining to RSA’s two-factor authenticators.
  • A team of hackers from French security firm Vupen dismantled Chrome’s security to win an HP-sponsored hackathon. And while Google paid a $60,000 award to each of the two hackers who won its event on the condition that they tell Google every detail of their attacks and help the company fix the vulnerabilities they had used, Vupen’s chief executive and lead hacker, Chaouki Bekrar, says his company never had any intention of telling Google its secret techniques, certainly not for $60,000 in chump change. “We wouldn’t share this with Google for even $1 million,” says Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.” Those customers, after all, don’t aim to fix Google’s security bugs or those of any other commercial software vendor. They’re government agencies who purchase such “zero-day” exploits, or hacking techniques that use undisclosed flaws in software, with the explicit intention of invading or disrupting the computers and phones of crime suspects and intelligence targets.
  • How does advanced malware get past traditional barriers?
    • Firewalls: no use if the user opens a mail attachment containing a well-disguised zero-day exploit!
    • IPS: signatures, packet inspection, DNS analysis and heuristics will not detect anything unusual in a zero-day exploit, especially if the code is heavily disguised or delivered in stages.
    • Antivirus: since the malware and the vulnerability it exploits are unknown (zero-day), traditional antivirus will not detect it. The volume of vulnerabilities in browser plug-ins like Adobe and the exponential combinations of these browsers with operating systems make it hard for antivirus vendors to keep up.
    • Email spam filtering: spoofed phishing sites use dynamic domains and URLs, so blacklisting lags behind criminal activities. It takes more than two days to shut down the average phishing site.
    Malicious code can also be carried in on laptops or USB devices, infecting a machine and spreading within the network. In general, even up-to-date machines can be infected using zero-day exploits and social engineering techniques, especially when the system is off the corporate network. Eventually, the code will phone home to the criminal for further instructions, a new payload or to deliver login credentials, financial data and other valuables. Many compromised hosts provide a privileged base so the criminal can explore further or expand his botnet with new victims. Most organisations don’t analyse outbound traffic for these malicious transmissions and destinations. Those organisations that do monitor outbound transmissions use tools that look for “known” bad actor addresses and regulated data
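The last point in the notes above, that outbound "phone home" traffic is either not analysed at all or is checked only against lists of known-bad addresses, is one a defender can act on without knowing the malware in advance. The script below is an added example, not part of the presentation or of First Base Technologies' material. It scans a constructed, deliberately simplified outbound-connection log for the regular-interval callbacks an implant makes while polling for instructions, and reports them on timing alone rather than on any blacklist. The log format, the workstation names, the 203.0.113.5 address (from the documentation range) and the allowlist of scheduled-but-legitimate destinations are all assumptions made for this example.

```python
"""Flag periodic outbound callbacks ("beacons") in a connection log.

Added example, not the presentation's own material. It assumes a
simplified log line format:
    "<epoch_seconds> <source_host> <destination> <bytes_out>"
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log. ws-17 contacts 203.0.113.5 (a documentation
# address that appears on no blacklist) roughly every ten minutes with
# small payloads, which is how an implant polling for instructions
# typically looks. ws-22 polls update.example.com just as regularly, but
# that is an expected destination and should not be reported.
SAMPLE_LOG = """\
1000 ws-17 203.0.113.5 512
1010 ws-17 update.example.com 2048
1598 ws-17 203.0.113.5 520
2203 ws-17 203.0.113.5 515
2799 ws-17 203.0.113.5 530
3402 ws-17 203.0.113.5 511
1050 ws-22 update.example.com 2048
1900 ws-22 cdn.example.net 4096
2250 ws-22 update.example.com 2048
3450 ws-22 update.example.com 2048
4650 ws-22 update.example.com 2048
"""

# Destinations that are expected to be contacted on a schedule (assumed
# allowlist; in practice built from software-update and monitoring hosts).
KNOWN_GOOD = frozenset({"update.example.com"})


def parse_log(text):
    """Parse the simplified log into (timestamp, src, dst, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((int(ts), src, dst, int(nbytes)))
    return records


def find_beacons(records, allowlist=KNOWN_GOOD, min_events=4, max_jitter=0.2):
    """Return (src, dst) pairs whose connections recur at a near-constant interval.

    For each source/destination pair the gaps between consecutive
    connections are computed; a pair is reported when it has at least
    `min_events` connections and the gaps' coefficient of variation
    (standard deviation / mean) is at most `max_jitter`. Malware usually
    adds some jitter to its sleep, so a small tolerance is needed; a very
    large one would start reporting ordinary human browsing.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        if dst not in allowlist:
            by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), times in sorted(by_pair.items()):
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # burst of simultaneous connections, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_jitter:
            findings.append({
                "src": src,
                "dst": dst,
                "connections": len(times),
                "interval_s": avg,
                "jitter": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{finding['src']} -> {finding['dst']}: "
              f"{finding['connections']} connections every "
              f"~{finding['interval_s']:.0f}s (jitter {finding['jitter']})")
```

On the sample data only ws-17's traffic to 203.0.113.5 is reported; dropping the allowlist also surfaces ws-22's update checks, which is exactly the false-positive class an allowlist of scheduled destinations exists to suppress. The thresholds are starting points: a longer observation window and a per-destination baseline of bytes sent are the usual next refinements.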

Presentation Transcript

  • Slide 1: Out of the Blue: Responding to New Zero-Day Threats. An Ethical Hacker’s View. Peter Wood, Chief Executive Officer, First Base Technologies LLP. © First Base Technologies 2012
  • Slide 2: Who is Peter Wood?
    • Worked in computers & electronics since 1969
    • Founded First Base in 1989 (one of the first ethical hacking firms)
    • CEO, First Base Technologies LLP
    • Social engineer & penetration tester
    • Conference speaker and security ‘expert’
    • Member of ISACA Security Advisory Group
    • Vice Chair of BCS Information Risk Management and Audit Group
    • Corporate Executive Programme UK Chair
    • FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
    • Registered BCS Security Consultant
    • Member of ACM, ISACA, ISSA, Mensa
  • Slide 3: Agenda
    1. Why zero-day threats are a concern to CIOs
    2. Examples of zero-day attacks
    3. Minimising your vulnerabilities
    4. Responding to the CIO
    Beware: this presentation offers no easy solutions!
  • Slide 4: Why CIOs are concerned
    • Criminals targeting intellectual property and corporate credentials
    • Attacks are strategic
    • Tools are ‘drag and drop’
    • Malicious attacks cause 37% of data breaches (2012 Ponemon Cost of a Data Breach survey)
  • Slide 5: Why CIOs are concerned (http://www.net-security.org/secworld.php?id=11850)
  • Slide 6: Examples of zero-day attacks
  • Slide 7: The Aurora attack (http://threatpost.com/)
  • Slide 8: The Aurora attack. “If you have done or been around any high-level incident response, you would know that these advanced persistent threats have been going on in various sectors for years. Nor is it a new development that the attackers used an 0day client-side exploit along with targeted social engineering as their initial access vector. What is brand new is the fact that a number of large companies have voluntarily gone public with the fact that they were victims to a targeted attack. And this is the most important lesson: targeted attacks do exist and happen to a number of industries besides the usual ones like credit card processors and e-commerce shops.” Dino Dai Zovi, http://trailofbits.com/2010/01/24/one-exploit-should-not-ruin-your-day/
  • Slide 9: The RSA attack
    1. Research public information about employees
    2. Select low-value targets
    3. Spear phishing email “2011 Recruitment Plan” with .xls attachment
    4. Spreadsheet contains zero-day exploit that installs backdoor through Flash vulnerability (backdoor is Poison Ivy variant RAT, reverse-connected)
    5. Digital shoulder surf & harvest credentials
    6. Performed privilege escalation
    7. Target and compromise high-value accounts
    8. Copy data from target servers
    9. Move data to staging servers and aggregate, compress and encrypt it
    10. FTP to external staging server at compromised hosting site
    11. Finally pull data from hosted server and remove traces
  • Slide 10: http://blogs.rsa.com/rivner/anatomy-of-an-attack/
  • Slide 11: Organisations remain vulnerable
  • Slide 12: Some background in the news (http://www.forbes.com/sites/andygreenberg/)
  • Slide 13: Minimising your vulnerabilities
  • Slide 14: Traditional thinking
    • Firewalls & perimeter defences
    • Anti-virus
    • SSL VPNs
    • Desktop lock down (GPOs)
    • Intrusion Detection / Prevention
    • Password complexity rules
    • HID (proximity) cards
    • Secure server rooms
    • Visitor IDs
  • Slide 15: Think like an attacker! Hacking is a way of thinking:
    - A hacker is someone who thinks outside the box
    - It’s someone who discards conventional wisdom, and does something else instead
    - It’s someone who looks at the edge and wonders what’s beyond
    - It’s someone who sees a set of rules and wonders what happens if you don’t follow them
    [Bruce Schneier]
    Hacking applies to all aspects of life, not just computers
  • Slide 16: Do you know how vulnerable you are?
  • Slide 17: Talk to the CIO before an attack! CIO, we need budget for:
    • Security standards and procedures
    • On-going staff training
    • Secure builds and secure development
    OR
    • On-going scans and penetration tests
    • Fixes to the problems we find
    … and we need sign-off for the risk! Remember: I said “no easy solutions”
  • Slide 18: Need more information? Peter Wood, Chief Executive Officer, First Base Technologies LLP. peterw@firstbase.co.uk, http://firstbase.co.uk, http://white-hats.co.uk, http://peterwood.com, Twitter: peterwoodx