SlideShare a Scribd company logo

In Plain Sight: The Perfect Exfiltration

Itzik Kotler
Itzik Kotler

In this session, we will reveal and demonstrate perfect exfiltration via indirect covert channels (i.e. the communicating parties don’t directly exchange network packets). This is a family of techniques to exfiltrate data (low throughput) from an enterprise in a manner indistinguishable from genuine traffic. Using HTTP and exploiting a byproduct of how some websites choose to cache their pages, we will demonstrate how data can be leaked without raising any suspicion. These techniques are designed to overcome even perfect knowledge and analysis of the enterprise network traffic.

Software
1 of 33
Download to read offline
SafeBreach Stop tomorrow’s breach. Today. In Plain Sight: The Perfect Exfiltration Itzik Kotler Amit Klein
Help -> About -> Itzik Kotler - 15+ years in InfoSec - CTO & Co-Founder of Safebreach - Presented in RSA, HITB, BlackHat, DEFCON, CCC, … - http://www.ikotler.org
Help -> About -> Amit Klein - 25 years in InfoSec - VP Security Research, Safebreach 2015-present - CTO Trusteer (acquired by IBM) 2006-2015 - Chief Scientist Cyota (acquired by RSA) 2004- 2006 - Director of Security and Research, Sanctum (now part of IBM) 1997-2004 - IDF/MOD (Talpiot) 1988-1997 - 30+ papers, dozens of advisories against high profile products - Presented in RSA, CertConf, BlueHat, OWASP, AusCERT, ….
Goal The required bandwidth can be very modest - up to several dozen bits per day. Example use cases: - Cryptographic keys (128 bit) - Yes/no data e.g. “war alert” - Closed set data (“who is the mole”), names, short sentences (few words) e.g. strategic decisions Endpoint (desktop) in a high security enterprise needs to exfiltrate data to an entity outside the enterprise.
The Rules of the Game
The 10 commandments, part I 1. Scalability and Security: A perfect exfiltration technique should adhere to Kerckhoffs’s principle (sometimes called Shannon’s maxim), which states that “A [crypto] system should be secure even if everything about the system, except the key, is public knowledge”. In other words - no “security by obscurity”. This enables multiple channels with different keys 2. Only web (browsing) and derived traffic is allowed (e.g. HTTP, DNS, TLS) 3. “Whenever there is any doubt, there is no doubt” - anything that may theoretically be perceived as passing info is forbidden. So no emails, no encrypted texts, no google docs, no forum posts, etc.
The 10 commandments, part II 4. Perfect network monitoring. Every packet is scrutinized at all protocol levels, every anomaly is detected (“big data/machine learning, etc.”), reputation and statistics for all IPs/hosts are available, etc. 5. Assume TLS/SSL termination at the enterprise level 6. Receiving party has no restrictions (e.g. network surveillance) 7. No nation-state monitoring or 3rd party site monitoring. Though it’s assumed they do have some basic IDS/IPS/security products, so avoid flooding, etc.
The 10 commandments, part III 8. Time synchronization (seconds-resolution) between the communicating parties 9. Bonus points for methods that can be implemented manually (without SW) at the sender side 10. Active disruption by the enterprise is an option
Commandment #4 -> No direct communication Commandment #4: Perfect network monitoring. Every packet is scrutinized at all protocol levels, every anomaly is detected (“big data/machine learning, etc.”), reputation and statistics for all IPs/hosts are available, etc. Since site/IP ownership can be determined, and since we assume reputation and statistics are available to the monitoring entity, it follows that we cannot use direct communication. The covert channel has to be indirect (i.e. through a 3rd party site not owned by the communicating entities).
Way offs and Near Misses Or: What doesn’t work, and why...
Way off - “Traditional” covert channels Many techniques (fields in IP/TCP/HTTP) requiring direct communication ◆ TCP/IP: TTL, packet length, timestamp, packet rate/timing ◆ HTTP: If-Modified-Since, Cookie, whitespaces, etc. Comprehensive lists: http://eprints.ugd.edu.mk/10284/1/surveyAMBPselfArc.pdf http://caia.swin.edu.au/cv/szander/publications/szander-ieee-comst07.pdf http://docslide.us/internet/covert-timing-channels-using-http-cache-headers.html
Way off example TOS header (IP header) - 8-bit IP header field, can be used to exflitrate data - De-facto Windows workstations send TOS=0. - Anomaly detection is thus trivial, especially with prior knowledge of the concept - Disruption is trivial - set TOS=0 at firewall for all outgoing packets - Needs direct connection to the 2nd party - No good.
Near miss - IP ID (indirect) IP ID covert channel (http://www0.cs.ucl.ac.uk/staff/G.Danezis/papers/cover.pdf) - 3rd party using OS with global incrementing IP ID. Same concept as idle scan. Sender sends a request to the 3rd party site, the answer from the site increments the IP ID counter. The receiver observes (before vs. after). One bit per packet (sent/not sent). INDIRECT - The only OS that provides globally incrementing IP ID these days is FreeBSD. And in FreeBSD 11.0 (to be released July 2016) the TCP layer sets DF=1, IPID=0. So can’t be used with web browsing (TCP). - Line noise
Very near miss - web counters Bit.ly (and probably other URL shorteners) - based. Sender and receiver agree on a bit.ly URL, and time. Needs to be a not-so-popular resource (but not too rare), Ideally a URL that is linked from the Internet (e.g. a tweet/blog). Protocol: ● Before designated time, receiver checks web count for the URL (in bit.ly, appending a “+” to the URL). ● On time, sender requests the URL (1) or not (0). ● A bit later, the receiver checks the web count again.
Bit.ly web counter example
Attack (disruption) Intercept every request for a bit.ly URL, send a request to the URL+, obtain the original URL and redirect to it internally (without going through bit.ly and incrementing the counter).
Near miss - account login time Gmail shows last login time (https://security.google.com/settings/security/activity). So the protocol is that the sender is logged in at a designated time (bit=1) or not (bit=0). Receiver can login later and use the URL to see when the sender logged in (= covert channel) BUT - the page also shows last access from all devices, with browsers and geo- location. So the enterprise can request this page as well and observe. Yahoo mail - also shows IP address Problem - In general, some enterprises block email/social sites.
The Perfect Exfiltration
The principles of perfect exfiltration Use regular browsing (HTTP/HTTPS) Modify the application (or higher protocol) state - Storage channel Observe the change remotely
HTTP server-side caching - Find a popular site that caches pages on-the-fly. - Has to have tons of pages - Has to have pages that are not so popular - => eCommerce sites are ideal. - Typically the page’s caching time can be deduced from the HTTP response headers (Expires, etc.) - Sender and receiver agree on a page (URL) and a time. The page has to be non-popular. - To send 0, sender does nothing. To send 1, sender makes an HTTP request for the page at the prescribed time. - 10 seconds after the agreed upon time, the Receiver makes an HTTP request for the URL, and observes whether the page was cached recently (1), or right now (0).
Example sites ikea.com easyjet.com zap.co.il
Special Care and Caveats (part I) - Sites do change. Ideally have a downlink to the sender to update URLs - Time sync - ideally seconds-resolution. The better the sync, the less the receiver needs to wait before reading (up to round trips). Noise can be introduced if waiting for too long. Further research needed to measure and advise on thresholds. - On the other hand, the longer the time between the sender checking in and the receiver polling, the more secure the scheme becomes against attacks (see next slide)
Special Care and Caveats (part II) - Resilience - send “01” or “10” (to detect network outages, etc.) - Need to reconstruct the complete browsing session in order to blend in - Immerse in many regular web traffic sessions to dilute the real sessions - Multiple cache servers (not encountered), geo-ip based routing/distribution
(Failed) Attack example Intercept every user’s requests. Hold and delay every user’s request by e.g. 11 seconds Observe whether the page was cached (due to the receiver’s hit) in the last 11 seconds. Both detection and disruption Cons: - Very noisy - horrible user experience… - What does “positive” mean?
How do we fare vs. the 10 commandments? #1 - Secure and scalable. We can assign a unique URL (possibly in a different site) to a bit. Knowing the method, and even previous URLs doesn’t help (our best effort attacks are not convincing) #2 - web only. Yup ;-) #3 - no doubts. The traffic does look 100% kosher, no sender bits are encrypted/deposited, all traffic can be explained and reconstructed to show no hidden data. #4 - perfect network monitoring - all traffic originates from the browser and destines at a popular site, can be attributed to regular activity
How do we fare vs. the 10 commandments? #5 - TLS/SSL termination. Not a problem. #6 - receiving party has no restrictions. We’re OK with that… #7 - no nation state surveillance - we’re OK with that too + no impact on the site. #8 - Time sync (sec. resolution) - we’re OK with that. #9 - can be generated manually (web browsing) #10 - active disruption - impractical
Demo Time! git clone https://github.com/SafeBreach-Labs/cachetalk.git cd cachetalk python cachetalk.py -h
Web counters (take II) - Counting specific page/resource - YouTube movies, StackOverflow topics, etc. - Sender and receiver agree on a resource (not too popular) and a time. - Receiver can observe the counter (before and after the designated time) without modifying the counter - Sender downloads the resource (1) or not (0) at a designated time. Problems: - Some social sites (e.g. youtube) can be blocked by some enterprises - The “story” may be challenging
“online “ status (chats) Web-based chat services (e.g. facebook, google talk, yahoo chat, skype) typically have “online status” for friends. Each party opens an account. Then they befriend each other. Sender is online (1) or offline (0) at the designated time. Attacks/problems - Social sites may be blocked - The initial befriending can be questioned
Summary and Conclusions Perfect exfiltration exists! Robust “commandments” (derived from attack model) can be used to evaluate candidate protocols So far, only low bandwidth protocols were discovered Challenge (1): find higher bandwidth perfect exfiltration protocols Challenge (2): find ways to defeat the (perfect) exfiltration protocols described
Q&A
Amit Klein <amit.klein@safebreach.com> Itzik Kotler <itzik.kotler@safebreach.com>

Recommended

Oss web application and network security
Oss web application and network securityOss web application and network security
Oss web application and network securityRishabh Mehan
 
A @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSA @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSRob Fuller
 
Tor in Haskell & Other Unikernel Tricks
Tor in Haskell & Other Unikernel TricksTor in Haskell & Other Unikernel Tricks
Tor in Haskell & Other Unikernel TricksC4Media
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Rob Fuller
 
Zombilizing The Web Browser Via Flash Player 9
Zombilizing The Web Browser Via Flash Player 9Zombilizing The Web Browser Via Flash Player 9
Zombilizing The Web Browser Via Flash Player 9thaidn
 
Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy StyleRob Fuller
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at youRob Fuller
 
NotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersNotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersRob Fuller
 

Recommended

Oss web application and network security
Oss web application and network securityOss web application and network security
Oss web application and network securityRishabh Mehan
 
A @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSA @textfiles approach to gathering the world's DNS
A @textfiles approach to gathering the world's DNSRob Fuller
 
Tor in Haskell & Other Unikernel Tricks
Tor in Haskell & Other Unikernel TricksTor in Haskell & Other Unikernel Tricks
Tor in Haskell & Other Unikernel TricksC4Media
 
Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Attacker Ghost Stories - ShmooCon 2014
Attacker Ghost Stories - ShmooCon 2014Rob Fuller
 
Zombilizing The Web Browser Via Flash Player 9
Zombilizing The Web Browser Via Flash Player 9Zombilizing The Web Browser Via Flash Player 9
Zombilizing The Web Browser Via Flash Player 9thaidn
 
Practical Exploitation - Webappy Style
Practical Exploitation - Webappy StylePractical Exploitation - Webappy Style
Practical Exploitation - Webappy StyleRob Fuller
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at youRob Fuller
 
NotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersNotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersRob Fuller
 
Dns tunnelling its all in the name
Dns tunnelling its all in the nameDns tunnelling its all in the name
Dns tunnelling its all in the nameSecurity BSides London
 
How Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us VulnerableHow Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us VulnerableRay Potter
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł MaziarzPROIDEA
 
The Good News on Cryptography
The Good News on CryptographyThe Good News on Cryptography
The Good News on CryptographyMartijn Grooten
 
Phreebird Suite 1.0: Introducing the Domain Key Infrastructure
Phreebird Suite 1.0: Introducing the Domain Key InfrastructurePhreebird Suite 1.0: Introducing the Domain Key Infrastructure
Phreebird Suite 1.0: Introducing the Domain Key InfrastructureDan Kaminsky
 
Docker Plugin For DevSecOps
Docker Plugin For DevSecOpsDocker Plugin For DevSecOps
Docker Plugin For DevSecOpsPichaya Morimoto
 
Dos threats and countermeasures
Dos threats and countermeasuresDos threats and countermeasures
Dos threats and countermeasuresn|u - The Open Security Community
 
Placing backdoors-through-firewalls
Placing backdoors-through-firewallsPlacing backdoors-through-firewalls
Placing backdoors-through-firewallsAkapo Damilola
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...RootedCON
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Andrew McNicol
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.SecuRing
 
DNS Rebinding Attack
DNS Rebinding AttackDNS Rebinding Attack
DNS Rebinding AttackFelipe Japm
 
THE POWER OF INTELLIGENT FLOWS REAL-TIME IOT BOTNET CLASSIFICATION WITH APACH...
THE POWER OF INTELLIGENT FLOWS REAL-TIME IOT BOTNET CLASSIFICATION WITH APACH...THE POWER OF INTELLIGENT FLOWS REAL-TIME IOT BOTNET CLASSIFICATION WITH APACH...
THE POWER OF INTELLIGENT FLOWS REAL-TIME IOT BOTNET CLASSIFICATION WITH APACH...André Fucs de Miranda
 
RIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRob Fuller
 
Black opspki 2
Black opspki 2Black opspki 2
Black opspki 2Dan Kaminsky
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal PurzynskiPROIDEA
 
Confidence web
Confidence webConfidence web
Confidence webDan Kaminsky
 
Domain Key Infrastructure (From Black Hat USA)
Domain Key Infrastructure (From Black Hat USA)Domain Key Infrastructure (From Black Hat USA)
Domain Key Infrastructure (From Black Hat USA)Dan Kaminsky
 
WXRCTVYV
WXRCTVYVWXRCTVYV
WXRCTVYVkshraddha9
 
Container con toronto
Container con torontoContainer con toronto
Container con torontoDan Lambright
 
revisedhoneypot429
revisedhoneypot429revisedhoneypot429
revisedhoneypot429Alan Wennersten
 

More Related Content

What's hot

How Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us VulnerableHow Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us VulnerableRay Potter
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł MaziarzPROIDEA
 
The Good News on Cryptography
The Good News on CryptographyThe Good News on Cryptography
The Good News on CryptographyMartijn Grooten
 
Phreebird Suite 1.0: Introducing the Domain Key Infrastructure
Phreebird Suite 1.0: Introducing the Domain Key InfrastructurePhreebird Suite 1.0: Introducing the Domain Key Infrastructure
Phreebird Suite 1.0: Introducing the Domain Key InfrastructureDan Kaminsky
 
Docker Plugin For DevSecOps
Docker Plugin For DevSecOpsDocker Plugin For DevSecOps
Docker Plugin For DevSecOpsPichaya Morimoto
 
Placing backdoors-through-firewalls
Placing backdoors-through-firewallsPlacing backdoors-through-firewalls
Placing backdoors-through-firewallsAkapo Damilola
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...RootedCON
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Andrew McNicol
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.SecuRing
 
DNS Rebinding Attack
DNS Rebinding AttackDNS Rebinding Attack
DNS Rebinding AttackFelipe Japm
 
THE POWER OF INTELLIGENT FLOWS REAL-TIME IOT BOTNET CLASSIFICATION WITH APACH...
THE POWER OF INTELLIGENT FLOWS REAL-TIME IOT BOTNET CLASSIFICATION WITH APACH...THE POWER OF INTELLIGENT FLOWS REAL-TIME IOT BOTNET CLASSIFICATION WITH APACH...
THE POWER OF INTELLIGENT FLOWS REAL-TIME IOT BOTNET CLASSIFICATION WITH APACH...André Fucs de Miranda
 
RIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRob Fuller
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal PurzynskiPROIDEA
 
Domain Key Infrastructure (From Black Hat USA)
Domain Key Infrastructure (From Black Hat USA)Domain Key Infrastructure (From Black Hat USA)
Domain Key Infrastructure (From Black Hat USA)Dan Kaminsky
 

What's hot (19)

Dns tunnelling its all in the name
Dns tunnelling its all in the nameDns tunnelling its all in the name
Dns tunnelling its all in the name
 
How Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us VulnerableHow Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us Vulnerable
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz
 
The Good News on Cryptography
The Good News on CryptographyThe Good News on Cryptography
The Good News on Cryptography
 
Phreebird Suite 1.0: Introducing the Domain Key Infrastructure
Phreebird Suite 1.0: Introducing the Domain Key InfrastructurePhreebird Suite 1.0: Introducing the Domain Key Infrastructure
Phreebird Suite 1.0: Introducing the Domain Key Infrastructure
 
Docker Plugin For DevSecOps
Docker Plugin For DevSecOpsDocker Plugin For DevSecOps
Docker Plugin For DevSecOps
 
Dos threats and countermeasures
Dos threats and countermeasuresDos threats and countermeasures
Dos threats and countermeasures
 
Placing backdoors-through-firewalls
Placing backdoors-through-firewallsPlacing backdoors-through-firewalls
Placing backdoors-through-firewalls
 
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
Raúl Siles - Browser Exploitation for Fun and Profit Revolutions [RootedCON 2...
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
 
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
 
DNS Rebinding Attack
DNS Rebinding AttackDNS Rebinding Attack
DNS Rebinding Attack
 
THE POWER OF INTELLIGENT FLOWS REAL-TIME IOT BOTNET CLASSIFICATION WITH APACH...
THE POWER OF INTELLIGENT FLOWS REAL-TIME IOT BOTNET CLASSIFICATION WITH APACH...THE POWER OF INTELLIGENT FLOWS REAL-TIME IOT BOTNET CLASSIFICATION WITH APACH...
THE POWER OF INTELLIGENT FLOWS REAL-TIME IOT BOTNET CLASSIFICATION WITH APACH...
 
RIT 2009 Intellectual Pwnership
RIT 2009 Intellectual PwnershipRIT 2009 Intellectual Pwnership
RIT 2009 Intellectual Pwnership
 
Black opspki 2
Black opspki 2Black opspki 2
Black opspki 2
 
"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski"A rootkits writer’s guide to defense" - Michal Purzynski
"A rootkits writer’s guide to defense" - Michal Purzynski
 
Confidence web
Confidence webConfidence web
Confidence web
 
Domain Key Infrastructure (From Black Hat USA)
Domain Key Infrastructure (From Black Hat USA)Domain Key Infrastructure (From Black Hat USA)
Domain Key Infrastructure (From Black Hat USA)
 

Viewers also liked

Container con toronto
Container con torontoContainer con toronto
Container con torontoDan Lambright
 
20160713 2016 the honeynet projct annual workshop focus and global trends
20160713 2016 the honeynet projct annual workshop focus and global trends20160713 2016 the honeynet projct annual workshop focus and global trends
20160713 2016 the honeynet projct annual workshop focus and global trendsYi-Lang Tsai
 
Webinar: are casbs ready for primetime?
Webinar: are casbs ready for primetime?Webinar: are casbs ready for primetime?
Webinar: are casbs ready for primetime?Bitglass
 
Derbycon Bromium Labs: Sandboxes
Derbycon Bromium Labs: SandboxesDerbycon Bromium Labs: Sandboxes
Derbycon Bromium Labs: SandboxesBromium Labs
 
CASBs: Real World Use Cases
CASBs: Real World Use CasesCASBs: Real World Use Cases
CASBs: Real World Use CasesBitglass
 
CASBs - A New Hope
CASBs - A New HopeCASBs - A New Hope
CASBs - A New HopeBitglass
 
8 questions to ask when evaluating a Cloud Access Security Broker
8 questions to ask when evaluating a Cloud Access Security Broker8 questions to ask when evaluating a Cloud Access Security Broker
8 questions to ask when evaluating a Cloud Access Security BrokerBitglass
 
If We Only Had the Time: How Security Teams Can Focus On What’s Important
If We Only Had the Time: How Security Teams Can Focus On What’s ImportantIf We Only Had the Time: How Security Teams Can Focus On What’s Important
If We Only Had the Time: How Security Teams Can Focus On What’s ImportantNathan Burke
 
The Deploy Master: From Basic to Zero Downtime, Blue/Green, A/B and Canary
The Deploy Master: From Basic to Zero Downtime, Blue/Green, A/B and CanaryThe Deploy Master: From Basic to Zero Downtime, Blue/Green, A/B and Canary
The Deploy Master: From Basic to Zero Downtime, Blue/Green, A/B and CanaryRed Hat Developers
 
How to Select a Security Visibility Solution
How to Select a Security Visibility SolutionHow to Select a Security Visibility Solution
How to Select a Security Visibility SolutionNETSCOUT
 
Enterprise Networks: No Tool Left Behind
Enterprise Networks: No Tool Left BehindEnterprise Networks: No Tool Left Behind
Enterprise Networks: No Tool Left BehindNETSCOUT
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicJulia Yu-Chin Cheng
 
Cloud-Enabled: The Future of Endpoint Security
Cloud-Enabled: The Future of Endpoint SecurityCloud-Enabled: The Future of Endpoint Security
Cloud-Enabled: The Future of Endpoint SecurityCrowdStrike
 
5 Best Powerpoint Templates Amazing Creative Presentation Themes
5 Best Powerpoint Templates Amazing Creative Presentation Themes5 Best Powerpoint Templates Amazing Creative Presentation Themes
5 Best Powerpoint Templates Amazing Creative Presentation ThemesYeasir Arafat
 
How to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeHow to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeCrowdStrike
 

Viewers also liked (20)

WXRCTVYV
WXRCTVYVWXRCTVYV
WXRCTVYV
 
Container con toronto
Container con torontoContainer con toronto
Container con toronto
 
revisedhoneypot429
revisedhoneypot429revisedhoneypot429
revisedhoneypot429
 
20160713 2016 the honeynet projct annual workshop focus and global trends
20160713 2016 the honeynet projct annual workshop focus and global trends20160713 2016 the honeynet projct annual workshop focus and global trends
20160713 2016 the honeynet projct annual workshop focus and global trends
 
Webinar: are casbs ready for primetime?
Webinar: are casbs ready for primetime?Webinar: are casbs ready for primetime?
Webinar: are casbs ready for primetime?
 
CYBER SECURITY
CYBER SECURITYCYBER SECURITY
CYBER SECURITY
 
Derbycon Bromium Labs: Sandboxes
Derbycon Bromium Labs: SandboxesDerbycon Bromium Labs: Sandboxes
Derbycon Bromium Labs: Sandboxes
 
CASBs: Real World Use Cases
CASBs: Real World Use CasesCASBs: Real World Use Cases
CASBs: Real World Use Cases
 
zero day exploits
zero day exploitszero day exploits
zero day exploits
 
CASBs - A New Hope
CASBs - A New HopeCASBs - A New Hope
CASBs - A New Hope
 
8 questions to ask when evaluating a Cloud Access Security Broker
8 questions to ask when evaluating a Cloud Access Security Broker8 questions to ask when evaluating a Cloud Access Security Broker
8 questions to ask when evaluating a Cloud Access Security Broker
 
If We Only Had the Time: How Security Teams Can Focus On What’s Important
If We Only Had the Time: How Security Teams Can Focus On What’s ImportantIf We Only Had the Time: How Security Teams Can Focus On What’s Important
If We Only Had the Time: How Security Teams Can Focus On What’s Important
 
Overview
OverviewOverview
Overview
 
The Deploy Master: From Basic to Zero Downtime, Blue/Green, A/B and Canary
The Deploy Master: From Basic to Zero Downtime, Blue/Green, A/B and CanaryThe Deploy Master: From Basic to Zero Downtime, Blue/Green, A/B and Canary
The Deploy Master: From Basic to Zero Downtime, Blue/Green, A/B and Canary
 
How to Select a Security Visibility Solution
How to Select a Security Visibility SolutionHow to Select a Security Visibility Solution
How to Select a Security Visibility Solution
 
Enterprise Networks: No Tool Left Behind
Enterprise Networks: No Tool Left BehindEnterprise Networks: No Tool Left Behind
Enterprise Networks: No Tool Left Behind
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for public
 
Cloud-Enabled: The Future of Endpoint Security
Cloud-Enabled: The Future of Endpoint SecurityCloud-Enabled: The Future of Endpoint Security
Cloud-Enabled: The Future of Endpoint Security
 
5 Best Powerpoint Templates Amazing Creative Presentation Themes
5 Best Powerpoint Templates Amazing Creative Presentation Themes5 Best Powerpoint Templates Amazing Creative Presentation Themes
5 Best Powerpoint Templates Amazing Creative Presentation Themes
 
How to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeHow to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrike
 

Similar to In Plain Sight: The Perfect Exfiltration

DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)
DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)
DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)Igalia
 
Wifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkWifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkSecurityTube.Net
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat Security Conference
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser NetwrokingShuya Osaki
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopErnest Staats
 
8 steps to protect your cisco router
8 steps to protect your cisco router8 steps to protect your cisco router
8 steps to protect your cisco routerIT Tech
 
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...Start Pad
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014Anant Shrivastava
 
OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...
OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...
OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...Gerardo Pardo-Castellote
 
Seqüestro de dados na Internet
Seqüestro de dados na InternetSeqüestro de dados na Internet
Seqüestro de dados na InternetJoão S Magalhães
 
Computer network (10)
Computer network (10)Computer network (10)
Computer network (10)NYversity
 
Splunk Stream - Einblicke in Netzwerk Traffic
Splunk Stream - Einblicke in Netzwerk TrafficSplunk Stream - Einblicke in Netzwerk Traffic
Splunk Stream - Einblicke in Netzwerk TrafficSplunk
 
Computer network (2)
Computer network (2)Computer network (2)
Computer network (2)NYversity
 
The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatDuo Security
 
IoTaConf 2014 - IoT Connectivity, Standards, and Architecture
IoTaConf 2014 - IoT Connectivity, Standards, and ArchitectureIoTaConf 2014 - IoT Connectivity, Standards, and Architecture
IoTaConf 2014 - IoT Connectivity, Standards, and ArchitectureTodd Montgomery
 
Securing the Internet of Things
Securing the Internet of ThingsSecuring the Internet of Things
Securing the Internet of ThingsPaul Fremantle
 
Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019James Bromberger
 

Similar to In Plain Sight: The Perfect Exfiltration (20)

DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)
DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)
DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)
 
Network Testing ques
Network Testing quesNetwork Testing ques
Network Testing ques
 
Wifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkWifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and Drink
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser Netwroking
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
8 steps to protect your cisco router
8 steps to protect your cisco router8 steps to protect your cisco router
8 steps to protect your cisco router
 
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014
 
OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...
OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...
OMG DDS Security Submission Presentation (September 2013 - 6th Revised Submis...
 
Seqüestro de dados na Internet
Seqüestro de dados na InternetSeqüestro de dados na Internet
Seqüestro de dados na Internet
 
Computer network (10)
Computer network (10)Computer network (10)
Computer network (10)
 
Splunk Stream - Einblicke in Netzwerk Traffic
Splunk Stream - Einblicke in Netzwerk TrafficSplunk Stream - Einblicke in Netzwerk Traffic
Splunk Stream - Einblicke in Netzwerk Traffic
 
Computer network (2)
Computer network (2)Computer network (2)
Computer network (2)
 
The Internet of Things: We've Got to Chat
The Internet of Things: We've Got to ChatThe Internet of Things: We've Got to Chat
The Internet of Things: We've Got to Chat
 
IoTaConf 2014 - IoT Connectivity, Standards, and Architecture
IoTaConf 2014 - IoT Connectivity, Standards, and ArchitectureIoTaConf 2014 - IoT Connectivity, Standards, and Architecture
IoTaConf 2014 - IoT Connectivity, Standards, and Architecture
 
Securing the Internet of Things
Securing the Internet of ThingsSecuring the Internet of Things
Securing the Internet of Things
 
ERS downscale2016
ERS downscale2016ERS downscale2016
ERS downscale2016
 
Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019
 

More from Itzik Kotler

Goodbye Data, Hello Exfiltration
Goodbye Data, Hello ExfiltrationGoodbye Data, Hello Exfiltration
Goodbye Data, Hello ExfiltrationItzik Kotler
 
Hack Like It's 2013 (The Workshop)
Hack Like It's 2013 (The Workshop)Hack Like It's 2013 (The Workshop)
Hack Like It's 2013 (The Workshop)Itzik Kotler
 
Sounds Like Botnet
Sounds Like BotnetSounds Like Botnet
Sounds Like BotnetItzik Kotler
 
Turbot - A Next Generation Botnet
Turbot - A Next Generation BotnetTurbot - A Next Generation Botnet
Turbot - A Next Generation BotnetItzik Kotler
 
The Day of the Updates
The Day of the UpdatesThe Day of the Updates
The Day of the UpdatesItzik Kotler
 
Jinx - Malware 2.0
Jinx - Malware 2.0Jinx - Malware 2.0
Jinx - Malware 2.0Itzik Kotler
 

More from Itzik Kotler (6)

Goodbye Data, Hello Exfiltration
Goodbye Data, Hello ExfiltrationGoodbye Data, Hello Exfiltration
Goodbye Data, Hello Exfiltration
 
Hack Like It's 2013 (The Workshop)
Hack Like It's 2013 (The Workshop)Hack Like It's 2013 (The Workshop)
Hack Like It's 2013 (The Workshop)
 
Sounds Like Botnet
Sounds Like BotnetSounds Like Botnet
Sounds Like Botnet
 
Turbot - A Next Generation Botnet
Turbot - A Next Generation BotnetTurbot - A Next Generation Botnet
Turbot - A Next Generation Botnet
 
The Day of the Updates
The Day of the UpdatesThe Day of the Updates
The Day of the Updates
 
Jinx - Malware 2.0
Jinx - Malware 2.0Jinx - Malware 2.0
Jinx - Malware 2.0
 

Recently uploaded

Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Intelisync
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 

Recently uploaded (20)

Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 

In Plain Sight: The Perfect Exfiltration

  • 1. SafeBreach Stop tomorrow’s breach. Today. In Plain Sight: The Perfect Exfiltration Itzik Kotler Amit Klein
  • 2. Help -> About -> Itzik Kotler - 15+ years in InfoSec - CTO & Co-Founder of Safebreach - Presented in RSA, HITB, BlackHat, DEFCON, CCC, … - http://www.ikotler.org
  • 3. Help -> About -> Amit Klein - 25 years in InfoSec - VP Security Research, Safebreach 2015-present - CTO Trusteer (acquired by IBM) 2006-2015 - Chief Scientist Cyota (acquired by RSA) 2004- 2006 - Director of Security and Research, Sanctum (now part of IBM) 1997-2004 - IDF/MOD (Talpiot) 1988-1997 - 30+ papers, dozens of advisories against high profile products - Presented in RSA, CertConf, BlueHat, OWASP, AusCERT, ….
  • 4. Goal The required bandwidth can be very modest - up to several dozen bits per day. Example use cases: - Cryptographic keys (128 bit) - Yes/no data e.g. “war alert” - Closed set data (“who is the mole”), names, short sentences (few words) e.g. strategic decisions Endpoint (desktop) in a high security enterprise needs to exfiltrate data to an entity outside the enterprise.
  • 5. The Rules of the Game
  • 6. The 10 commandments, part I 1. Scalability and Security: A perfect exfiltration technique should adhere to Kerckhoffs’s principle (sometimes called Shannon’s maxim), which states that “A [crypto] system should be secure even if everything about the system, except the key, is public knowledge”. In other words - no “security by obscurity”. This enables multiple channels with different keys 2. Only web (browsing) and derived traffic is allowed (e.g. HTTP, DNS, TLS) 3. “Whenever there is any doubt, there is no doubt” - anything that may theoretically be perceived as passing info is forbidden. So no emails, no encrypted texts, no google docs, no forum posts, etc.
  • 7. The 10 commandments, part II 4. Perfect network monitoring. Every packet is scrutinized at all protocol levels, every anomaly is detected (“big data/machine learning, etc.”), reputation and statistics for all IPs/hosts are available, etc. 5. Assume TLS/SSL termination at the enterprise level 6. Receiving party has no restrictions (e.g. network surveillance) 7. No nation-state monitoring or 3rd party site monitoring. Though it’s assumed they do have some basic IDS/IPS/security products, so avoid flooding, etc.
  • 8. The 10 commandments, part III 8. Time synchronization (seconds-resolution) between the communicating parties 9. Bonus points for methods that can be implemented manually (without SW) at the sender side 10. Active disruption by the enterprise is an option
  • 9. Commandment #4 -> No direct communication Commandment #4: Perfect network monitoring. Every packet is scrutinized at all protocol levels, every anomaly is detected (“big data/machine learning, etc.”), reputation and statistics for all IPs/hosts are available, etc. Since site/IP ownership can be determined, and since we assume reputation and statistics are available to the monitoring entity, it follows that we cannot use direct communication. The covert channel has to be indirect (i.e. through a 3rd party site not owned by the communicating entities).
  • 10. Way offs and Near Misses Or: What doesn’t work, and why...
  • 11. Way off - “Traditional” covert channels Many techniques (fields in IP/TCP/HTTP) requiring direct communication ◆ TCP/IP: TTL, packet length, timestamp, packet rate/timing ◆ HTTP: If-Modified-Since, Cookie, whitespaces, etc. Comprehensive lists: http://eprints.ugd.edu.mk/10284/1/surveyAMBPselfArc.pdf http://caia.swin.edu.au/cv/szander/publications/szander-ieee-comst07.pdf http://docslide.us/internet/covert-timing-channels-using-http-cache-headers.html
  • 12. Way off example TOS header (IP header) - 8-bit IP header field, can be used to exflitrate data - De-facto Windows workstations send TOS=0. - Anomaly detection is thus trivial, especially with prior knowledge of the concept - Disruption is trivial - set TOS=0 at firewall for all outgoing packets - Needs direct connection to the 2nd party - No good.
  • 13. Near miss - IP ID (indirect) IP ID covert channel (http://www0.cs.ucl.ac.uk/staff/G.Danezis/papers/cover.pdf) - 3rd party using OS with global incrementing IP ID. Same concept as idle scan. Sender sends a request to the 3rd party site, the answer from the site increments the IP ID counter. The receiver observes (before vs. after). One bit per packet (sent/not sent). INDIRECT - The only OS that provides globally incrementing IP ID these days is FreeBSD. And in FreeBSD 11.0 (to be released July 2016) the TCP layer sets DF=1, IPID=0. So can’t be used with web browsing (TCP). - Line noise
  • 14. Very near miss - web counters Bit.ly (and probably other URL shorteners) - based. Sender and receiver agree on a bit.ly URL, and time. Needs to be a not-so-popular resource (but not too rare), Ideally a URL that is linked from the Internet (e.g. a tweet/blog). Protocol: ● Before designated time, receiver checks web count for the URL (in bit.ly, appending a “+” to the URL). ● On time, sender requests the URL (1) or not (0). ● A bit later, the receiver checks the web count again.
  • 16. Attack (disruption) Intercept every request for a bit.ly URL, send a request to the URL+, obtain the original URL and redirect to it internally (without going through bit.ly and incrementing the counter).
  • 17. Near miss - account login time Gmail shows last login time (https://security.google.com/settings/security/activity). So the protocol is that the sender is logged in at a designated time (bit=1) or not (bit=0). Receiver can login later and use the URL to see when the sender logged in (= covert channel) BUT - the page also shows last access from all devices, with browsers and geo- location. So the enterprise can request this page as well and observe. Yahoo mail - also shows IP address Problem - In general, some enterprises block email/social sites.
  • 18.
  • 20. The principles of perfect exfiltration Use regular browsing (HTTP/HTTPS) Modify the application (or higher protocol) state - Storage channel Observe the change remotely
  • 21. HTTP server-side caching - Find a popular site that caches pages on-the-fly. - Has to have tons of pages - Has to have pages that are not so popular - => eCommerce sites are ideal. - Typically the page’s caching time can be deduced from the HTTP response headers (Expires, etc.) - Sender and receiver agree on a page (URL) and a time. The page has to be non-popular. - To send 0, sender does nothing. To send 1, sender makes an HTTP request for the page at the prescribed time. - 10 seconds after the agreed upon time, the Receiver makes an HTTP request for the URL, and observes whether the page was cached recently (1), or right now (0).
  • 23. Special Care and Caveats (part I) - Sites do change. Ideally have a downlink to the sender to update URLs - Time sync - ideally seconds-resolution. The better the sync, the less the receiver needs to wait before reading (up to round trips). Noise can be introduced if waiting for too long. Further research needed to measure and advise on thresholds. - On the other hand, the longer the time between the sender checking in and the receiver polling, the more secure the scheme becomes against attacks (see next slide)
  • 24. Special Care and Caveats (part II) - Resilience - send “01” or “10” (to detect network outages, etc.) - Need to reconstruct the complete browsing session in order to blend in - Immerse in many regular web traffic sessions to dilute the real sessions - Multiple cache servers (not encountered), geo-ip based routing/distribution
  • 25. (Failed) Attack example Intercept every user’s requests. Hold and delay every user’s request by e.g. 11 seconds Observe whether the page was cached (due to the receiver’s hit) in the last 11 seconds. Both detection and disruption Cons: - Very noisy - horrible user experience… - What does “positive” mean?
  • 26. How do we fare vs. the 10 commandments? #1 - Secure and scalable. We can assign a unique URL (possibly in a different site) to a bit. Knowing the method, and even previous URLs doesn’t help (our best effort attacks are not convincing) #2 - web only. Yup ;-) #3 - no doubts. The traffic does look 100% kosher, no sender bits are encrypted/deposited, all traffic can be explained and reconstructed to show no hidden data. #4 - perfect network monitoring - all traffic originates from the browser and destines at a popular site, can be attributed to regular activity
  • 27. How do we fare vs. the 10 commandments? #5 - TLS/SSL termination. Not a problem. #6 - receiving party has no restrictions. We’re OK with that… #7 - no nation state surveillance - we’re OK with that too + no impact on the site. #8 - Time sync (sec. resolution) - we’re OK with that. #9 - can be generated manually (web browsing) #10 - active disruption - impractical
  • 28. Demo Time! git clone https://github.com/SafeBreach-Labs/cachetalk.git cd cachetalk python cachetalk.py -h
  • 29. Web counters (take II) - Counting specific page/resource - YouTube movies, StackOverflow topics, etc. - Sender and receiver agree on a resource (not too popular) and a time. - Receiver can observe the counter (before and after the designated time) without modifying the counter - Sender downloads the resource (1) or not (0) at a designated time. Problems: - Some social sites (e.g. youtube) can be blocked by some enterprises - The “story” may be challenging
  • 30. “online “ status (chats) Web-based chat services (e.g. facebook, google talk, yahoo chat, skype) typically have “online status” for friends. Each party opens an account. Then they befriend each other. Sender is online (1) or offline (0) at the designated time. Attacks/problems - Social sites may be blocked - The initial befriending can be questioned
  • 31. Summary and Conclusions Perfect exfiltration exists! Robust “commandments” (derived from attack model) can be used to evaluate candidate protocols So far, only low bandwidth protocols were discovered Challenge (1): find higher bandwidth perfect exfiltration protocols Challenge (2): find ways to defeat the (perfect) exfiltration protocols described
  • 32. Q&A
  • 33. Amit Klein <amit.klein@safebreach.com> Itzik Kotler <itzik.kotler@safebreach.com>