How i'm going to own your organization v2

DerbyCon 2013
Upload Details: uploaded as Microsoft PowerPoint.
Usage Rights: © All Rights Reserved
  • I should have called this presentation not "How I'm going to own your organization" but "How it's likely already owned". Let me ask you a question. No one needs to raise their hands, just acknowledge it in your mind: is your network already compromised and you just haven't found out about it yet? That thought probably keeps you up at night, or it should.
  • My 8-year-old wants to see Daddy on video, so I will be adding in my own censorship. Sorry, no cussing at DerbyCon from me this year.
  • Don't die at DerbyCon. If you get to the terminal and swell up like a balloon, then start having chest pains, don't FLY. Apparently some airlines don't like people dying on them at 30,000 feet.
  • Note: being a software cracker back in the day was cool, using SoftICE. I was actually reversing code before reversing was cool. Then "cracker" turned out to be a term for a white guy. Not so cool anymore. Please take out your phones and turn them up all the way. I want it to feel as though we are all sitting in a meeting and I'm presenting while all of your phones are going off; this will really make me feel at home for the rest of this presentation. I thank you in advance. Everyone please enter my Twitter ID in your phone. (pause) Who entered my Twitter ID and turned on their cell phones? Raise of hands. You have just been social engineered.
  • SoftICE was used in the late 80's and 90's; look it up on Twitter. It was a utility crackers used at the time to remove dongle checks, passwords, game copy protection and copyright keys, and to create actual patches. I didn't realize it at the time, but I was actually a software reverse engineer before there was malware or the Internet as we know it today.
  • VirusTotal is a website that provides free checking of files for viruses. It uses up to 46 different antivirus products and scan engines to check for viruses that the user's own antivirus solution may have missed, or to verify against false positives. Files up to 64 MB can be uploaded to the website or sent via email. Antivirus vendors can receive copies of files that were flagged by other vendors but missed by their own engine; they use this information to improve their own software and, by extension, VirusTotal's own capability. Users can also scan suspect URLs and search through the VirusTotal dataset. VirusTotal was selected by PC World as one of the best 100 products of 2007. I started using VirusTotal about three years ago and worked my way up from the bottom, from being pretty much a nobody using the tool at face value, to collaborating with other members who were pretty advanced in the community and really knew advanced techniques for reversing.
  • Over the course of a year I became good friends with many members of the VirusTotal community and started collaborating with researchers across the globe. This is what malware research looks like now: landing zones, redirectors, everything from packers and XOR to obfuscated URLs. Anything you can think of, our adversaries are doing it and continuing to advance their techniques, and we have continued to crack them.
  • From VirusTotal, a few of the researchers who became close friends formed a group, with one really brilliant leader, called MalwareMustDie. The group's principle is to find these malware kits, track them, analyze the data and then do full disclosures on how the kits work. Some of the research included the discovery of the Blackhole exploit kit 2.0 using Tor networks, pseudo-dynamic URLs, and most recently the tracking and the beginning of the takedown of the Kelihos botnet.
  • What do they want? It all depends on the threat actor; some just want to see the world burn. What do the rest want? Many are after intellectual property, financials, customer reputation, money, contacts, or destruction.
  • Organizations from various sectors are spending vast amounts of money on advanced threats. Managers, CISOs and CIOs are speaking with industry leaders about various tools which may or may not fit within their budget, and the vendors are selling these tools as a silver-bullet solution. The reality is most organizations already have an arsenal of tools and not enough staff to review the data that is already being collected and monitored in their production environment; adding even more tools to this sort of environment means the analysts cannot ingest all the data quickly enough to form a picture of what is actually occurring on the network. The adversary, meanwhile, has the same or similar tools and knows exactly what tools your organization uses and how you use them, for the single purpose of staying a step ahead of those tools and continuing to perfect their obfuscation techniques.
  • Then your manager puts a massive box of tools on your desk and tells you to deploy it in the network: it's going to be the end-all, be-all to protect our environment and everybody's going to be happy, right? You have probably had a similar experience where a supervisor handed you the next silver-bullet tool to stop the next APT / advanced threat / whatever phrase or acronym you prefer. They think this will make them look great and you will be happy. Too bad this is not reality.
  • How does an adversary gain information about an organization? Through what is called social profiling, using sites like LinkedIn, Facebook, Twitter and Google. With these sites an adversary can track your organization and create an organizational chart, down to who reports to whom: which manager reports to which director, which director reports to which VP, and so forth. This includes phone numbers, email addresses and personal blogs, and through social engineering can extend to where someone's children go to school, what their personal schedule is, and what packages they are expecting in the mail. People like to talk about themselves; they blog, tweet and post on Facebook about what they are doing, and leave geolocation information in their pictures. Without proper privacy settings on any of these platforms this information is practically public to the entire world!
    Tools: Creepy (cree.py), Maltego and NetGlub, theHarvester, and http://checkusernames.com/ (Check Usernames, useful for checking the existence of a given username across 160 social networks). Foundstone's SiteDigger searches a domain using search strings from both the Google Hacking Database (GHDB) and the Foundstone Database (FSDB).
    Human Intelligence (HUMINT): the methodology always involves direct interaction, whether physical or verbal, and gathering should be done under an assumed identity (remember pretexting?). Targets: key employees, partners/suppliers. IMINT can also refer to satellite intelligence (a crossover between IMINT and OSINT if it extends to Google Earth and its equivalents). Covert gathering, corporate: on-location gathering, physical security inspections, wireless scanning / RF frequency scanning, employee behavior training inspection, accessible/adjacent facilities (shared spaces), dumpster diving, types of equipment in use. Offsite gathering: data center locations, network provisioning/provider.
  • Sept 23, 2013 Rohit Shaw – Social Engineering: A Hacking Story http://resources.infosecinstitute.com/social-engineering-a-hacking-story/
  • How would you enumerate the targets infrastructure without touching it?
  • So what do I want with all these tools? Network blocks owned, AS numbers, email addresses, an external infrastructure profile, technologies used, perimeter tools, purchase agreements and 3rd-party vendors, remote access, application usage, browser user agents, defense technologies, human capability.
  • The individual targets are going to be inside your organization, on the path of least resistance to the accounts and data the threat actor is trying to reach. This can all be done with simple phone calls to colleagues, administrative assistants and other associates, using the personal information gathered on the Internet to make the individual believe they are giving information to someone they know or trust. All of this builds a false sense of trust so the target drops their defenses.
  • With the social reconnaissance completed, the attacker builds a profile of what tools are being used at the perimeter, what operating systems are on the workstations, account names and maybe even passwords. One such tactic might be having the admin look underneath the keyboard for the Post-it note with the account and password the boss forgot when they went to a conference. Once this information is organized, the attacker combines the organizational information learned through social engineering with the technical information to craft an exploit against the specific operating systems and applications in use, browsers and Adobe Flash for example, right down to the version each application is running. (Open question from the draft notes: how do you get an admin to look under the keyboard, and if it is not their keyboard, how do you gain physical access? How would you get an admin to look under their boss's keyboard?)
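Much of the technical half of that profile (perimeter mail tools, workstation OS, mail client version) leaks in the headers of any reply the target sends, so the attacker never has to touch the network. The script below is an added example, not code from the talk: it pulls those fingerprints out of one constructed reply message. The gateway and OS lookup tables are assumptions for illustration, and the sample message is made up, not captured traffic.

```python
"""Passive target profiling from the mail an organization sends back.

Added example, not code from the talk. A reply or bounce carries Received:
headers naming the mail gateways it passed, and often a User-Agent or
X-Mailer naming the client and OS. That hands the attacker perimeter
tools, OS and application versions without a single packet to the target.
The message below is constructed for this example; the fingerprints in
GATEWAY_HINTS and OS_HINTS are assumptions for illustration.
"""
import re
from email import message_from_string

# constructed sample reply (not real traffic); a tab starts each folded line
SAMPLE_REPLY = (
    "Received: from mx1.example-corp.test (mx1.example-corp.test [203.0.113.10])\n"
    "\tby mail.attacker.test with ESMTPS id abc123\n"
    "Received: from EXCH01.corp.example-corp.test (10.20.30.5)\n"
    "\tby mx1.example-corp.test (IronPort) with ESMTP; Mon, 23 Sep 2013 10:15:02 -0400\n"
    "X-IronPort-AV: E=Sophos;i=\"4.90,1234,1371009600\"\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 "
    "Thunderbird/17.0.8\n"
    "From: assistant@example-corp.test\n"
    "To: someone@attacker.test\n"
    "Subject: Re: wrong address?\n"
    "\n"
    "Sorry, I think you have the wrong person.\n"
)

# lower-cased header fragment -> product it suggests (assumed mapping)
GATEWAY_HINTS = {
    "x-ironport-av": "Cisco IronPort gateway with AV scanning",
    "ironport": "Cisco IronPort mail gateway",
    "e=sophos": "Sophos engine on the gateway",
    "x-proofpoint": "Proofpoint gateway",
    "x-ms-exchange": "Microsoft Exchange",
}

# User-Agent platform token -> OS (assumed mapping)
OS_HINTS = {
    "Windows NT 5.1": "Windows XP",
    "Windows NT 6.0": "Windows Vista",
    "Windows NT 6.1": "Windows 7",
    "Windows NT 6.2": "Windows 8",
    "Macintosh": "Mac OS X",
}

PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
)
PRODUCT_TOKEN = re.compile(r"[A-Za-z][A-Za-z-]*/\d[\w.]*")


def profile_message(raw):
    """Return what an attacker learns from one message's headers."""
    msg = message_from_string(raw)
    profile = {"hops": [], "gateways": set(), "clients": set(),
               "os": set(), "internal_hosts": set()}

    # each hop prepends a Received: header, so the outermost hop comes first
    for received in msg.get_all("Received", []):
        hop = " ".join(received.split())          # unfold the header
        profile["hops"].append(hop)
        m = re.match(r"from\s+(\S+)", hop)
        for ip in PRIVATE_IP.findall(hop):
            # an RFC 1918 address in a hop exposes an internal mail server
            profile["internal_hosts"].update([ip] + ([m.group(1)] if m else []))

    # gateway products leak through header names and parenthesised software names
    all_headers = "\n".join(f"{k}: {v}" for k, v in msg.items()).lower()
    for fragment, product in GATEWAY_HINTS.items():
        if fragment in all_headers:
            profile["gateways"].add(product)

    # client software and OS from User-Agent / X-Mailer
    for field in ("User-Agent", "X-Mailer"):
        for ua in msg.get_all(field, []):
            profile["clients"].update(PRODUCT_TOKEN.findall(ua))
            for token, os_name in OS_HINTS.items():
                if token in ua:
                    profile["os"].add(os_name)
    return profile


if __name__ == "__main__":
    for key, value in profile_message(SAMPLE_REPLY).items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

Run against the constructed reply it reports an IronPort gateway with a Sophos engine, an internal Exchange host at 10.20.30.5, and a Windows 7 workstation running Thunderbird 17.0.8: exactly the version-level detail the note above says the exploit is tailored to. The defensive check is the mirror image: strip internal hostnames and private addresses from outbound Received: headers at the gateway and review what your own bounces disclose.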
  • A small package for a proof of concept was created using a stripped-down version of ettercap. Only a few of its functions were used, to reduce the footprint of the file for execution in memory, including on the video card. The payload also contains copies of fake patches for various browsers; Google Chrome is the example here.
  • With all this packaged up we now choose a method of delivery, in this case a spear-phishing email aimed at the administrative assistant, using what we learned about her through social engineering. The email will contain a link or several links which perform an HTTP GET against a well-known crimeware application, the Blackhole exploit kit. The payload inside will not be fake antivirus; it will be the exploit the adversary created, so that the advanced-threat tools and the information security team, if they detect it at all, respond to it as a typical malware campaign.
  • The spear-phishing email will most likely make it through your perimeter because the scoring is fairly low: it is directed at a single target. All of this was of course tested against the perimeter beforehand with several other fake phishing campaigns, to several recipients or potentially a single user, containing nothing more than a URL and a short message. The link, when clicked, produces a DNS query and a harmless HTTP or HTTPS request, none of which would raise an alarm on any perimeter tool; the DNS query could even resolve to an address in the United States, since the adversary expects you to monitor destination domains with tools like Umbrella or other DNS activity tools. When the actual spear-phishing campaign occurs the email again contains a link that downloads the toolkit when clicked, or carries it as an attachment (again requiring execution). Still a low score: a new version of BHEK, a single recipient, and obfuscated quite well. Once the email is clicked and the payload delivered, the BHEK dropper extracts its contents, with various premeditated exploits, either into memory or even into a video card utility. The exploit could be a utility that spoofs browser updates, Adobe product updates, cloud storage like Dropbox, or vulnerabilities in your known operating systems, all of which were gathered during the reconnaissance phase. The objective here is what has been known and used for a long time with tools like Metasploit: a jump host. The adversary wants off this machine and onto another machine as quickly as possible.
  • At this point there is no requirement for any command and control; there is no contact from the exploit on any machine compromised by lateral movement. The only objective is to harvest the data on the infected machine, and only then make a connection to a predetermined location over a transport mechanism like SSL, HTTP or FTP. The key here is that I am already inside the perimeter; the adversary is in the squishy center of your network. The infected hosts can remain silent for as long as the adversary deems fit, until sufficient information is gathered and the security department has forgotten the original alert for the host infected by the phishing email. The exfiltration could even be transmitted from several hosts in a peer-to-peer fashion, in several simultaneous transmissions like BitTorrent.
  • A few days later the target company's financials, accounts, passwords and network IP addresses of critical systems show up on Pastebin or in the media, or are sold off to the highest bidder.
  • Do you see the obfuscation?
  • Duration: 10 minutes. Describe the behavior as well as perspective on counter-intelligence models and defenses against these mapped steps.
  • Duration: 10 minutes. Key points: this is an important piece, and is part of what makes the APT adversary "advanced": hard to detect. This is where collaboration with other peer groups can help tremendously by sharing intelligence: OSINT, intelligence feeds, research sites.
  • This was five pages long
  • See the hits for one DGA name as its rotated in sequence.
  • Key Points: CVEs, zero-day attacks.
  • Provides for a more defensible network by giving incident responders multiple locations at which to stop the progress of the adversary; provides a framework for working forward and backward in order to gauge effect and identify mitigations; articulates prioritization and strategy; identifies data gaps and source collection requirements; enables adversary attribution and campaign tracking; drives investigations to completion; intelligence feeds into gaining more intelligence.
  • 1. Crack SSL and understand your egress traffic. Get a SIEM for event correlation.
    2. Don't take a crimeware kit at face value. You might have missed the advanced threat you've been looking for.
    3. Stop wasting money on tools that are always one step behind the adversary and always promising "that feature is in the next release". Bull*BEEP*
    4. COLLABORATE with other organizations in your industry. This is priceless information. What activity are you both seeing? Put two and two together.
    5. RSS research feeds are your friend. Pull out indicators you can use for detection tools. These groups are already doing the hard part for you: XOR, obfuscation, identifying fake registrars selling domains to crimeware organizations, etc.
    6. Most important of all: have a damn good incident response plan. Know what and how you're going to recover from this type of breach when it finally hits your organization.

Presentation Transcript

  • “How I'm going to own your organization in just a few days”: The Malware Obfuscation Attack. Introduction to the Cyber Kill Chain™. @RazorEQX, http://404hack.blogspot.com
  • Safety Tip
  • @RazorEQX • Army 1985-89 • Cracker • Starving Nurse • Gamer turned Networker • Network Guy • Firewall Guy • Hacker • Malware Reverse Engineer
  • USER: This is very bad file
  • Strings from the sample. Access to Facebook in the settings bars:
    http://www.facebook.com/ abe2869f-9b47-4cd9-a358-c22904dba7f7 Settings
    aPLib compressor's trace:
    aPLib v1.01 - the smaller the better :) Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved. More information: http://www.ibsensoftware.com/
    Pony gates:
    hxxp://webmail.alsultantravel.com:8080/ponyb/gate.php
    hxxp://alsultantravel.com:8080/ponyb/gate.php
    hxxp://webmail.alsultantravel.info:8080/ponyb/gate.php
    hxxp://198.57.130.35:8080/ponyb/gate.php
    Embedded manifest (cut off on the slide):
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="5.1.0.0" processorArchitecture="x86" name="Progmn.Program_Code" type="win32"></assemblyIdentity><description>Program Description</description><dependency><dependentAssembly><assemblyIdentity type="win32"
  • @MalwareMustDie • A group of dedicated malware researchers. • Recognize that malware is a serious threat. • Recognize that malware inhibits Internet technology. • Agree that malware is an obfuscation for advanced threats.
  • Kelihos Update • http://malwaremustdie.blogspot.com/2013/08/the-quick-report-on-48hours-in-battle.html
  • What Do They Want?
  • The Silver Bullet Solution This product will save your life and put your kids through college Sounds good. Give me two!
  • I feel so safe………
  • How do they get your Information? Reconnaissance Social Media Social Engineering Search Engines Professional Networking
  • Social Engineering Resources Sept 23, 2013 Rohit Shaw – Social Engineering: A Hacking Story
  • Paterva: Maltego Maltego is a program that can be used to determine relationships and real world links between: – People – Groups (Social Networks) – Companies – Organizations – Web Sites – Domains
  • Maltego
  • Maltego
  • The Target: XYZ Corp. "Hi, I'm social engineering you." "Oh great! It's in my human nature to help anyone in any way I can."
  • The Weapon
  • Some Hints
    /usr/local/share/ettercap/etter.dns:
        tools.google.com  A  10.10.10.10
    # NSURL *url = [NSURL URLWithString:@"10.10.10.10:xxxx"];
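What that etter.dns line does on the wire is worth seeing in full, because it is also what a defender has to recognise. The block below is an added example, not ettercap's code: it parses an etter.dns fragment (constructed here, in the real file's syntax), matches a sniffed A query against it the way the dns_spoof plugin does, and builds the forged answer with the victim's own transaction ID. The rule list, the addresses and the transaction IDs are all made up for the example.

```python
"""Forging the DNS answer an etter.dns entry produces.

Added example, not ettercap's code. The slide's hint maps tools.google.com
to 10.10.10.10 so the "update" the victim's browser fetches comes from the
attacker's host. This shows the matching ettercap's dns_spoof plugin does
against etter.dns and the wire-format answer it sends back. Two things give
it away to a defender: the forged answer races the real resolver's answer
(so the client sees two replies), and a public name resolves to an RFC 1918
address. The etter.dns content below is constructed.
"""
import fnmatch
import socket
import struct

ETTER_DNS = """\
# constructed sample in etter.dns syntax: name  type  address
tools.google.com   A   10.10.10.10
*.dl.google.com    A   10.10.10.10
"""


def parse_etter_dns(text):
    """Return [(name_pattern, ip)] for the A records in etter.dns text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blanks
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == "A":
            rules.append((parts[0].lower(), parts[2]))
    return rules


def lookup(rules, name):
    """First matching rule wins; etter.dns patterns allow shell-style wildcards."""
    name = name.lower().rstrip(".")
    for pattern, ip in rules:
        if fnmatch.fnmatchcase(name, pattern):
            return ip
    return None


def encode_name(name):
    """Hostname -> DNS label sequence, e.g. b'\\x05tools\\x06google\\x03com\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode() for p in labels) + b"\x00"


def build_query(txid, name):
    """Standard recursive A query, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_question(packet):
    """Return (txid, name, qtype, raw_question_bytes) from a query or answer."""
    txid = struct.unpack("!H", packet[:2])[0]
    pos, labels = 12, []
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    pos += 1                                     # terminating zero label
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype, packet[12:pos + 4]


def forge_response(rules, query, ttl=60):
    """Build the spoofed answer, or None when no rule matches (real answer passes)."""
    txid, name, qtype, question = parse_question(query)
    ip = lookup(rules, name) if qtype == 1 else None
    if ip is None:
        return None
    # flags 0x8180: response, recursion desired + available; 1 question, 1 answer
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # 0xC00C is a compression pointer back to the name at offset 12
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def answer_ip(response):
    """Read the A record out of a single-answer response."""
    _, _, _, question = parse_question(response)
    pos = 12 + len(question)
    _, rtype, _, _, rdlen = struct.unpack("!HHHIH", response[pos:pos + 12])
    assert rtype == 1 and rdlen == 4
    return socket.inet_ntoa(response[pos + 12:pos + 16])


if __name__ == "__main__":
    rules = parse_etter_dns(ETTER_DNS)
    spoofed = forge_response(rules, build_query(0x1234, "tools.google.com"))
    print("tools.google.com ->", answer_ip(spoofed))
```

Nothing in the forged packet is signed, so a validating resolver (DNSSEC) rejects it, and a client that was not ARP-poisoned would receive both this answer and the genuine one. On the monitoring side, alert when a name outside your own zones resolves to 10/8, 172.16/12 or 192.168/16; the spoofed update server in this PoC sits at exactly such an address.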
  • The Delivery
  • Take the Bait: Installation
  • The Expected Response Its all clean now.
  • Operation “Where is my Target”: Action on Objectives, SSL
  • Exploitation, Exfiltration, Exhibition, Exposure
  • Introducing the "Cyber Kill Chain™" • Concept derived from offensive military doctrine: – Navy: Find, Fix, Track, Target, Engage, and Assess – OODA Loop: Observe, Orient, Decide, and Act – Key concept: the Cyber Kill Chain™ defines how an adversary moves from target observation to a final objective. As with any chain, if any link breaks, the whole process fails. • Turn it to our advantage: "To compromise our infrastructure, the bad guys have to be right every step; we only have to be right once"
  • Cyber Kill Chain™ Model • Intrusion Cyber Kill Chain™: Recon, Weaponize, Delivery, Exploit, Installation, Command & Control, Actions on Objectives (increasing risk as the chain progresses) • Defender actions available at each phase: Detect, Deny, Disrupt, Degrade, Deceive
  • (Diagram: Internet → Mail Server → User. "Open this attachment!" → CLICK! → Command & control established → data exfiltration begins.)
  • Cyber Kill Chain™ Model: Recon • Research, identification, and selection of targets • Crawling Internet websites looking for email addresses or information on specific technologies • Research conducted on business relationships and supply chain • Enumeration of systems and infrastructure – Active – Passive
  • Cyber Kill Chain™ Model: Weaponize • The tool that pairs the remote access trojan with an exploit into a deliverable payload • Application data files such as Microsoft Office documents or Adobe PDF files serve as the weaponized payloads • Compromised websites hosting malformed Java or Flash files
  • Cyber Kill Chain™ Model: Delivery • Transmission of the weapon into the targeted environment • The three most prevalent delivery vectors for weaponized payloads are – Emails with attachments or embedded hyperlinks – Compromised websites with malicious code – USB drives or other removable media
  • DGA: Domain Generation Algorithm
  • DNS Queries
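The DGA slides show the pattern from the defender's side: an infected host walks through a sequence of generated names, most of which do not resolve, until it hits the one the operator registered. The detector below is an added example, not code from the talk or from MalwareMustDie; it runs over a few constructed DNS log lines (timestamp, client, query, rcode) and flags the client whose queries look generated, separating the NXDOMAIN misses from the name that actually resolved. The thresholds are assumptions tuned to this sample, not calibrated values.

```python
"""Spotting DGA traffic in DNS query logs.

Added example, not from the talk. A domain generation algorithm rotates
through pseudo-random names, so an infected host emits bursts of
never-seen labels, most of them NXDOMAIN, until it lands on the one the
operator actually registered. The log lines below are constructed for
this example; the thresholds are assumptions tuned to the sample.
"""
import math
from collections import defaultdict

# constructed sample: epoch_seconds client_ip query rcode
SAMPLE_LOG = """\
1379952000 10.20.30.7 www.google.com NOERROR
1379952001 10.20.30.7 tools.google.com NOERROR
1379952002 10.20.30.9 mail.example-corp.test NOERROR
1379952003 10.20.30.9 xk3r9qz1bwl.ru NXDOMAIN
1379952004 10.20.30.9 p8vu2nd0kq7s.ru NXDOMAIN
1379952005 10.20.30.9 zq1m7c4txv8.biz NXDOMAIN
1379952006 10.20.30.9 hf9w2bxkq3ly.biz NXDOMAIN
1379952007 10.20.30.9 d5ksn1r8vpqx.ru NOERROR
1379952008 10.20.30.7 cdn.example-corp.test NOERROR
"""

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits per character; a label of all-distinct characters scores log2(len(s))."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def registered_label(domain):
    """The label the malware author chose: the one just left of the TLD."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_features(label):
    """Four cheap features that separate generated labels from real words."""
    alnum = [c for c in label if c.isalnum()]
    digits = sum(c.isdigit() for c in label)
    vowels = sum(c in VOWELS for c in label)
    run = longest = 0
    for c in label:                    # longest run without a vowel (hyphen resets)
        run = run + 1 if c.isalnum() and c not in VOWELS else 0
        longest = max(longest, run)
    n = max(len(alnum), 1)
    return {"entropy": shannon_entropy(label), "digit_ratio": digits / n,
            "vowel_ratio": vowels / n, "consonant_run": longest}


def is_dga_like(domain):
    """Majority vote over the features; one high-entropy word alone is not enough."""
    f = dga_features(registered_label(domain))
    votes = [f["entropy"] >= 3.0, f["vowel_ratio"] < 0.2,
             f["digit_ratio"] >= 0.2, f["consonant_run"] >= 4]
    return sum(votes) >= 3


def find_dga_hits(log_text, min_hits=3):
    """Group DGA-like queries per client; report clients with min_hits or more."""
    per_client = defaultdict(lambda: {"queries": [], "nxdomain": 0, "resolved": []})
    for line in log_text.splitlines():
        _ts, client, query, rcode = line.split()
        if not is_dga_like(query):
            continue
        entry = per_client[client]
        entry["queries"].append(query)
        if rcode == "NXDOMAIN":
            entry["nxdomain"] += 1
        else:
            entry["resolved"].append(query)   # the name rotated in: the live C2
    return {c: e for c, e in per_client.items() if len(e["queries"]) >= min_hits}


if __name__ == "__main__":
    for client, hits in find_dga_hits(SAMPLE_LOG).items():
        print(client, hits)
```

The vote matters more than any single feature: example-corp has an entropy above 3.0 on its own but normal vowel and digit ratios, so it is not flagged, while every generated label trips three or four features. The resolved entry per client is the indicator worth acting on immediately; the NXDOMAIN misses are the evidence that it came from a DGA rather than a typo.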
  • Cyber Kill Chain™ Model: Exploit • After the weapon is delivered to the target host, exploitation triggers the attacker's code • Most often this exploits an application or operating system vulnerability • In most cases exploitation occurs when users are coerced to open an executable attachment, or by leveraging a feature of the operating system that executes code automatically
  • Cyber Kill Chain™ Model: Installation • Typically occurs immediately after the exploit is complete • The install is often a backdoor or a tool grabber • Installation might also occur during lateral movement by the attacker
  • Cyber Kill Chain™ Model: C2 • Typically the compromised host must beacon outbound to its Internet controller server to establish a command and control (C2) channel • APT malware typically requires manual interaction rather than acting autonomously • Once the C2 channel is established, attackers have "hands-on-the-keyboard" access
  • Cyber Kill Chain™ Model: Actions on Objectives • Attackers begin collecting, encrypting, and exfiltrating data from compromised systems • Attackers may further propagate themselves throughout the internal network in lateral compromises • While exfiltration is the most common objective, attackers could also violate the integrity or availability of data • Consider what would happen if the attacker modified certain critical internal data
  • Cyber Kill Chain™ Model: Benefits • Provides for a more defensible network by giving incident responders multiple locations at which to stop the progress of the adversary • Provides a framework for working forward and backward in order to gauge effect and identify mitigations • Articulates prioritization and strategy • Identifies data gaps and source collection requirements • Enables adversary attribution and campaign tracking • Drives investigations to completion • Intelligence feeds into gaining more intelligence
  • Lessons learned:
    1. Crack SSL and understand your egress traffic. Get a SIEM for event correlation.
    2. Don't take a crimeware kit at face value. You might have missed the advanced threat you've been looking for.
    3. Stop wasting money on tools that are always one step behind the adversary and always promising "that feature is in the next release".
    4. COLLABORATE with other organizations in your industry. This is priceless information. What activity are you both seeing? Put two and two together.
    5. OSINT: RSS research feeds are your friend. Pull out indicators you can use for detection tools and track events to correlations to form campaigns. These groups are already doing the hard part for you: XOR, obfuscation, identifying fake registrars selling domains to crimeware organizations, etc.
    6. Most important of all: have a damn good incident response plan. Know what and how you're going to recover from this type of breach when it finally hits your organization.
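"Working forward and backward" and "campaign tracking" on the benefits slide rest on one mechanism: intrusions that share an atomic indicator (a payload hash, a sender address, a C2 domain or IP) belong to one campaign, so an indicator seen late in the chain pivots back to the campaign's earlier-phase indicators, which can be hunted for and blocked before exploitation. The block below is an added example, not from the talk or the Lockheed Martin paper; it runs that correlation over four constructed intrusion records (placeholder hashes and test-domain addresses, not real samples).

```python
"""Working the kill chain forward and backward across intrusions.

Added example, not from the talk. Intrusions sharing atomic indicators
(hash, sender, C2 domain/IP) are joined into a campaign; an indicator
found late in the chain then pivots back to the campaign's weaponization
and delivery indicators, which are the ones to block next time. All
intrusion records below are constructed; hashes are placeholders.
"""
from collections import defaultdict

PHASES = ["recon", "weaponize", "deliver", "exploit", "install", "c2", "actions"]

# indicator types strong enough to link intrusions; subjects and lures are
# kept for context but are too generic to link on
LINK_TYPES = ("md5", "sender", "dom", "ip")

# constructed intrusion records: id -> {phase: set of "type:value" indicators}
INTRUSIONS = {
    "i1": {"deliver": {"sender:hr-benefits@mailer-a.test", "subject:Open Enrollment"},
           "weaponize": {"md5:aaaa1111"},
           "c2": {"dom:update-a.test"}},
    "i2": {"deliver": {"sender:careers@mailer-b.test", "subject:Open Enrollment"},
           "weaponize": {"md5:bbbb2222"},
           "c2": {"dom:update-b.test", "ip:198.51.100.7"}},
    "i3": {"deliver": {"sender:billing@mailer-c.test", "subject:Invoice"},
           "weaponize": {"md5:cccc3333"},
           "c2": {"dom:update-a.test", "ip:198.51.100.7"}},
    "i4": {"deliver": {"sender:noreply@mailer-d.test", "subject:Invoice"},
           "weaponize": {"md5:dddd4444"},
           "c2": {"dom:other.test"}},
}


def linkable(indicator):
    return indicator.split(":", 1)[0] in LINK_TYPES


def correlate_campaigns(intrusions):
    """Union-find over intrusions: two are joined when they share a linkable indicator."""
    parent = {i: i for i in intrusions}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]     # path halving
            x = parent[x]
        return x

    seen = {}                                 # indicator -> first intrusion using it
    for iid, phases in intrusions.items():
        for ind in (i for inds in phases.values() for i in inds if linkable(i)):
            if ind in seen:
                parent[find(iid)] = find(seen[ind])
            else:
                seen[ind] = iid
    groups = defaultdict(set)
    for iid in intrusions:
        groups[find(iid)].add(iid)
    return sorted(groups.values(), key=lambda g: sorted(g))


def campaign_indicators(intrusions, members):
    """Merge the members' indicators per phase, in kill-chain order."""
    merged = {phase: set() for phase in PHASES}
    for iid in members:
        for phase, inds in intrusions[iid].items():
            merged[phase] |= inds
    return {phase: inds for phase, inds in merged.items() if inds}


def pivot(intrusions, indicator):
    """Backward pivot: from one observed indicator to its whole campaign, by phase."""
    for members in correlate_campaigns(intrusions):
        if any(indicator in inds for iid in members for inds in intrusions[iid].values()):
            return members, campaign_indicators(intrusions, members)
    return set(), {}


def earliest_phase(by_phase):
    """The leftmost phase with an indicator is where the next attempt can be stopped."""
    return next((p for p in PHASES if p in by_phase), None)


if __name__ == "__main__":
    members, by_phase = pivot(INTRUSIONS, "dom:update-b.test")
    print("campaign:", sorted(members), "block at:", earliest_phase(by_phase))
    for phase, inds in by_phase.items():
        print(f"  {phase}: {sorted(inds)}")
```

Starting from the single C2 domain update-b.test, the pivot recovers i1 and i3 as well (linked through update-a.test and the shared C2 address) and hands back three sender addresses and three hashes to hunt for in mail logs, which is the "multiple locations to stop the adversary" benefit in practice. i3 and i4 share the lure subject "Invoice" but are kept apart, because a subject line is not a campaign-grade indicator.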