Pushing in, leaving a present, and pulling out slowly without anyone noticing


  1. Iftach Ian Amit | September 2011. Pushing in, leaving a present and pulling out without anybody noticing. Iftach Ian Amit, VP Consulting; DC9723, CSA-IL Board member, IL-CERT Visionary. All rights reserved to Security Art ltd. 2002-2011. www.security-art.com. Tuesday, September 20, 11
  2. whoami
      • Not certified
      • VP Consulting at Security-Art
      • Hacker, researcher, developer
      • I like crime, and war :-)
      • DC9723, PTES, IL-CERT, IAF
  3. Agenda
  7. 1. Infiltration
      • Technical factors
      • Human factors
      • Command & Control in loosely connected environments
  13. Infiltration - Technical
      • Exploits! of what???
      • Web, FTP, mail, SSL-VPN...
      • Will only get you the basic stuff
      • 3rd party tools used (LinkedIn, SalesForce, SaaS applications)...
      • Harder to get *although nice to have as reproducible on many targets
  14. Infiltration - Technical
      The problem: Small attack surface
  20. Infiltration - Technical
      • How about them windows?
      • Win XP still the dominantly deployed OS on clients (both in corporate and government settings)
      • Win 7 is no big deal
      • Attack surface is much broader (spell Adobe, Symantec, WinZip, AOL, Mozilla, etc...)
  25. Infiltration - Human
      • Not as in “I got your guy and I want $1,000,000 to set him free”
      • More like “dude, check out the pics from the conference we went to last month. Wicked!”
      • “did you get my memo with the new price-list <link to .xls file>”
      • You get the idea...
  26. Infiltration - Human
  34. Infiltration - Human
      • eMails, web links, phishing...
      • Works like a charm!
      • And can be mostly automated
      • SET to the rescue
  35. Infiltration - Human
      And... being nice/nasty/obnoxious/needy always helps!
  40. 2. Data Targeting & Acquisition
      • Weaponizing commercial tools
      • Creating “APT” capabilities
      • But first - targeting...
  41. Step 1: Basic Intel
      What is the target “willing” to tell about itself?
  43. Who’s your daddy?
      And buddy, and friends, relatives, colleagues...
  49. Select your target wisely
      And then craft your payload :-)
  53. Not as expensive as you think
      • ZeuS: $3000-$5000
      • SpyEye: $2500-$4000
      • Limbo: $500-$1500
      FREE!
  54. Just make sure to pack
      Experienced travelers know the importance of packing properly
  56. And set measurable goals
      • File servers
      • Databases
      • File types
      • Gateways (routes)
      • Printers
  60. From mass infection to APT
      PATIENCE
      • Mass infection: 5-6 days before detection; frequent updates
      • APT: 5-6 months before detection; no* updates (* almost)
  61. Control?
      • What happens when you are so far behind?
      • Just use your friends (peers)
      • Expect a one-way 3rd party command scheme.
      • Exfiltration is a different animal...
      (Diagram labels: Internet, You!, Target)
  68. 68. Iftach Ian Amit | September 2011 3. Exfiltration • Avoiding DLP • Avoiding IPS/IDS egress filters • Encryption • Archiving • Additional techniques All rights reserved to Security Art ltd. 2002-2011 23Tuesday, September 20, 11
  69. 69. Iftach Ian Amit | September 2011 All rights reserved to Security Art ltd. 2002-2011 24Tuesday, September 20, 11
  70. 70. Iftach Ian Amit | September 2011 All rights reserved to Security Art ltd. 2002-2011 24Tuesday, September 20, 11
  71. 71. Iftach Ian Amit | September 2011 How about them SSLs? • Cool. • Although sometimes may be intercepted • Pesky content filters... All rights reserved to Security Art ltd. 2002-2011 25Tuesday, September 20, 11
  72. 72. Iftach Ian Amit | September 2011 -----BEGIN PGP MESSAGE----- So... Version: GnuPG/MacGPG2 v2.0.14 (Darwin) hQMOA1jQIm6UkL4eEAv/W3r/eYLUmqRNi/Jegt72lK6qdBiBfkg9PZ5YKql9CUZp FGnVk029K3gEVcrA4k7w2aOtP7tYKRF8v4yrZQ9GZ7eXzR7+Tbf1g+7dveH6U8Bf BHo8LRovj5OlGghrvpyKYRPIf/NAgzL2G8dyi/FVB0YB4J7/4x0YFEalQHaLiKyt /gkikyV92njPJ6tPm2sdKUqUHSb20r9AdowZ0VVRrWwdRgUhdNXajjwcbH1BjVuS Gilw8MnmQkmJAT+TAFkTqC9fjiwtnNMNANJbo2Z36RqsAcKbhVh1eMA7ev0pUakp Tm4xN64syk/1DEc0VHFbanAreTV3tCbUUIoPQDFGFpiu3oS6/089oUvRtBBbC5p6 leYKEnDllcGWAomRSiYBFWjTca/DIw43QIW/lmdBnwcWLuQmDCmwr3HuhEaOmqfO hdgaxM4GuVdJCDdwXzwpuaPElCd18weH2XNzudLdeRKN+wjl/4D6bIo+038BcLei SyhWrMFB7mKSmEzQufQUDACFamtMCn9YOo3mgo+YYk505qhIDLNwZXqyVUqOHvIG vu7gzuNwUdY5idLqsGEs0K0xVwYntTKUh61tNS/HDfNTVm4Y3p8M88JHhcg7npY5 gJuhWuHkgp2CTsQT+gRjthm3l3AlnIvAfuC5uWLMsjA4sCw2FRDOARxrN9El8maX /vCxN9aB3dK4S9MSGJ5HhaYpTfpc9CdFkFryzb2sFWfW85nSzNo7dVFCy0jmSr19 o4Jsfj0J0izS3MeGYYz5NSsfBz+6o/IYURL3OXrm4DuJNHY0DvVbYqSQRRx3o2S+ uZekwXwYsqpei/f/sYo875p5NeX3g62zgjy2Vly+n58WaZWoHb5Y0QCxNfpjdcAQ 3tuZQaUvlqrkQeSRxKXD7pxlHdwHDgfvw01RU8NsMkfsBoTZY27BjFvIg5S/pv9O 6IznXaJu9jRWDj6tvSypx8X2iiVgtSHYahlqEUH1RusAMCILkx0DydCvUud/qRbT YcnkVVgA8ojeDoVpp3AabRrSmgEAOwW6M0KvnSuMKniLIKe7kolqGjEuLAx7s5Kg mMHfNki5dYWvQzHv03ID9UG+uW6o54BnsajEVe2EcYTPT+8pg2bCxnMElK0ds9Is qvf2Kx4kqO0qMeJG1II2zfAFqmMiTMtgA2CZ0Y42hA/bQK/CCM8QVo9JcGn3Jf6N 0X1TVob7xDo/fkRROHv74dIh2Kxa0SH8iGdb4kI= =jN3t -----END PGP MESSAGE----- All rights reserved to Security Art ltd. 2002-2011 26Tuesday, September 20, 11
  73. 73. Iftach Ian Amit | September 2011 Still “too detectable” All rights reserved to Security Art ltd. 2002-2011 27Tuesday, September 20, 11
  74. 74. Iftach Ian Amit | September 2011 Still “too detectable” hQMOA1jQIm6UkL4eEAv/W3r/eYLUmqRNi/Jegt72lK6qdBiBfkg9PZ5YKql9CUZp FGnVk029K3gEVcrA4k7w2aOtP7tYKRF8v4yrZQ9GZ7eXzR7+Tbf1g+7dveH6U8Bf BHo8LRovj5OlGghrvpyKYRPIf/NAgzL2G8dyi/FVB0YB4J7/4x0YFEalQHaLiKyt /gkikyV92njPJ6tPm2sdKUqUHSb20r9AdowZ0VVRrWwdRgUhdNXajjwcbH1BjVuS Gilw8MnmQkmJAT+TAFkTqC9fjiwtnNMNANJbo2Z36RqsAcKbhVh1eMA7ev0pUakp Tm4xN64syk/1DEc0VHFbanAreTV3tCbUUIoPQDFGFpiu3oS6/089oUvRtBBbC5p6 leYKEnDllcGWAomRSiYBFWjTca/DIw43QIW/lmdBnwcWLuQmDCmwr3HuhEaOmqfO hdgaxM4GuVdJCDdwXzwpuaPElCd18weH2XNzudLdeRKN+wjl/4D6bIo+038BcLei SyhWrMFB7mKSmEzQufQUDACFamtMCn9YOo3mgo+YYk505qhIDLNwZXqyVUqOHvIG vu7gzuNwUdY5idLqsGEs0K0xVwYntTKUh61tNS/HDfNTVm4Y3p8M88JHhcg7npY5 gJuhWuHkgp2CTsQT+gRjthm3l3AlnIvAfuC5uWLMsjA4sCw2FRDOARxrN9El8maX /vCxN9aB3dK4S9MSGJ5HhaYpTfpc9CdFkFryzb2sFWfW85nSzNo7dVFCy0jmSr19 o4Jsfj0J0izS3MeGYYz5NSsfBz+6o/IYURL3OXrm4DuJNHY0DvVbYqSQRRx3o2S+ uZekwXwYsqpei/f/sYo875p5NeX3g62zgjy2Vly+n58WaZWoHb5Y0QCxNfpjdcAQ 3tuZQaUvlqrkQeSRxKXD7pxlHdwHDgfvw01RU8NsMkfsBoTZY27BjFvIg5S/pv9O 6IznXaJu9jRWDj6tvSypx8X2iiVgtSHYahlqEUH1RusAMCILkx0DydCvUud/qRbT YcnkVVgA8ojeDoVpp3AabRrSmgEAOwW6M0KvnSuMKniLIKe7kolqGjEuLAx7s5Kg mMHfNki5dYWvQzHv03ID9UG+uW6o54BnsajEVe2EcYTPT+8pg2bCxnMElK0ds9Is qvf2Kx4kqO0qMeJG1II2zfAFqmMiTMtgA2CZ0Y42hA/bQK/CCM8QVo9JcGn3Jf6N 0X1TVob7xDo/fkRROHv74dIh2Kxa0SH8iGdb4kI= =jN3t All rights reserved to Security Art ltd. 2002-2011 27Tuesday, September 20, 11
  75. Much better • Throws in some additional encodings • And an XOR for old time’s sake • And we are good to go... • 0% detection rate
  76. Resistance is futile
  77. But you have no network • They killed 80, 443, 53 and cut the cable to the interwebs! • Go old-school!
  78. Kill some trees
  79. To shred or not to shred?
  81. Yeah, good ol’ DD...
  82. Back to hi-tech (?) ET Phone Home
  83. Back to hi-tech (?) ET Phone Home. Got VOIP?
  84. Back to hi-tech (?) ET Phone Home. Got VOIP? Excellent!
  85. Back to hi-tech (?) ET Phone Home. Got VOIP? Excellent! Target a handset/switch.
  87. Back to hi-tech (?) ET Phone Home. Got VOIP? Excellent! Target a handset/switch. Set up a public PBX OR a conference call OR a voicemail box.
  89. Back to hi-tech (?) ET Phone Home. Got VOIP? Excellent! Target a handset/switch. Collect your data. Set up a public PBX OR a conference call OR a voicemail box.
  91. Back to hi-tech (?) ET Phone Home. Got VOIP? Excellent! Target a handset/switch. Collect your data. Encode. Set up a public PBX OR a conference call OR a voicemail box.
  93. Back to hi-tech (?) ET Phone Home. Got VOIP? Excellent! Target a handset/switch. Collect your data. Encode. Call, leave a message, don’t expect to be called back... Set up a public PBX OR a conference call OR a voicemail box.
  94. Voice exfiltration demo
  101. Killing paper isn’t nice • Fax it! • Most corporations have email-to-fax services • Heard of the address 555-7963@fax.corp.com? • Just send any document (text, doc, pdf) to it and off you go with the data...
  102. Conclusions • Available controls • Information flow path mapping • Asset mapping and monitoring
  103. Controls • Start with the human factor • Then add technology
  105. • Where people leave data • Hint - spend time with developers. • “Hack” the business process • Test, test again, and then test. Follow with a surprise test!
  106. Map your assets “be true to yourself, not to what you believe things should look like” Old Chinese proverb
  107. And monitor them! They are YOUR assets after all. No reason to be shy about it... And remember to add honey...
  108. 2 tips for monitoring • Pre-infiltration - social media • Check out SocialNet for Maltego from packetninjas.net... :-) • Post-infiltration - ALL your channels • Yes - VoIP is one of them. Record, transcribe, feed to DLP. Simple as that.
  109. Then... TEST SOME MORE. For hints/guides see: www.pentest-standard.org
  110. Questions? Thank you! • Whitepapers: www.security-art.com • Data modulation Exfil POC: http://code.google.com/p/data-sound-poc/ • Too shy to ask now? iamit@security-art.com • Need your daily chatter? twitter.com/iiamit
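Slides 72 to 74 say a PGP message stays "too detectable" even after its armor lines are stripped. The following is an added example, not code from the talk: a content check that a DLP rule could apply, which decodes the start of a bare base64 run and tests for an OpenPGP packet header. The function names and the sample blob are constructed for illustration.

```python
import base64
import hashlib
import re

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
# First packet of an encrypted OpenPGP message -> expected version octet
# (RFC 4880: tag 1 = public-key encrypted session key, v3; tag 3 = symmetric-key ESK, v4).
ENC_START = {1: 3, 3: 4}

def first_packet(token):
    """Return (tag, version) if the decoded token opens with an OpenPGP packet header."""
    raw = base64.b64decode(token[:12])        # 12 chars -> 9 bytes, covers any header size
    hdr = raw[0]
    if not hdr & 0x80:                        # bit 7 is set in every packet header
        return None
    if hdr & 0x40:                            # new-format header: tag in bits 5-0
        tag, first = hdr & 0x3F, raw[1]
        hdr_len = 1 + (1 if first < 192 else 2 if first < 224 else 5 if first == 255 else 1)
    else:                                     # old-format header: tag in bits 5-2
        tag = (hdr >> 2) & 0x0F
        hdr_len = 1 + (1, 2, 4, 0)[hdr & 3]
    return tag, raw[hdr_len]                  # version octet follows the header

def classify(text):
    """Label outbound text as armored PGP, bare OpenPGP base64, or None."""
    if "-----BEGIN PGP MESSAGE-----" in text:
        return "armored-pgp"
    prev_b64 = False
    for tok in text.split():
        is_b64 = B64_TOKEN.fullmatch(tok) is not None
        if is_b64 and not prev_b64:           # only test the first token of each run
            pkt = first_packet(tok)
            if pkt and ENC_START.get(pkt[0]) == pkt[1]:
                return "bare-openpgp-base64"
        prev_b64 = is_b64
    return None

def constructed_blob():
    """Constructed sample: an old-format tag-1 header (0x85) over filler bytes, no armor lines."""
    body = b"\x03" + b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
    packet = bytes([0x85]) + len(body).to_bytes(2, "big") + body
    b64 = base64.b64encode(packet).decode()
    return " ".join(b64[i:i + 64] for i in range(0, len(b64), 64))

if __name__ == "__main__":
    print(classify(constructed_blob()))
```

The 0x85 header octet is why such blobs begin with "hQ" in base64. A content signature like this stops matching once the data is re-encoded as slide 75 describes, which is why the conclusions lean on channel mapping and monitoring rather than content matching alone.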
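Slide 101 names the email-to-fax gateway as an outbound channel, and slide 108 says to monitor all channels. The following is an added example, not part of the talk: a review of outbound mail records for fax-gateway recipients. The record layout, the allowlist, the thresholds and the log entries are constructed assumptions; only the address pattern `<number>@fax.corp.com` comes from the slide.

```python
import re
from collections import defaultdict

# Gateway address convention from slide 101: <digits and dashes>@fax.corp.com
FAX_RCPT = re.compile(r"^(?P<number>[0-9][0-9-]{5,})@fax\.corp\.com$", re.I)
APPROVED_NUMBERS = {"5550100"}        # hypothetical list of known business fax numbers

# Constructed records: (timestamp, sender, recipient, attachment size in bytes)
SAMPLE_LOG = [
    ("2011-09-20T10:02:11", "ap@corp.com", "555-0100@fax.corp.com", 48_213),
    ("2011-09-20T10:05:40", "dev7@corp.com", "alice@partner.example", 1_204_113),
    ("2011-09-20T23:41:07", "dev7@corp.com", "555-7963@fax.corp.com", 2_918_554),
    ("2011-09-20T23:44:52", "dev7@corp.com", "555-7963@fax.corp.com", 3_100_002),
]

def review_fax_traffic(log, approved=APPROVED_NUMBERS, max_bytes=1_000_000):
    """Return (findings, bytes faxed per sender) for mail sent to the fax gateway."""
    findings = []
    per_sender = defaultdict(int)
    for ts, sender, rcpt, size in log:
        match = FAX_RCPT.match(rcpt.strip())
        if not match:
            continue                              # not fax-gateway traffic
        number = match.group("number").replace("-", "")
        per_sender[sender] += size
        reasons = []
        if number not in approved:
            reasons.append("unapproved-number")
        if size > max_bytes:
            reasons.append("large-attachment")
        hour = int(ts[11:13])                     # ISO 8601 timestamp, local time assumed
        if hour < 7 or hour >= 19:
            reasons.append("off-hours")
        if reasons:
            findings.append((ts, sender, number, reasons))
    return findings, dict(per_sender)

if __name__ == "__main__":
    for finding in review_fax_traffic(SAMPLE_LOG)[0]:
        print(finding)
```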