1. Advanced Persistent Pentesting: Fighting Fire with Fire
Hacker Halted 2012
jcran, n00bznet

2. @jcran
• CTO, Pwnie Express
• QA'd the largest OSS Ruby project
• Penetration tester of Fortune 500 orgs
• Presented at Black Hat, Defcon, SOURCE Boston, BSidesLV

3. @n00bznet
• Native Floridian
• Degree in Finance
• In security for 10 years, but started out in securities
• Wonders each day why he took that red pill!

4. Fire with fire?
• Keep the uncontrollable in a semi-controlled environment
• Burn the old before something / someone else does
• Creates boundaries

5. Agenda
• A look at the threat landscape in 2012
• Quick compromise case studies
• A hard look at APT in 2012
• Lessons we can take away
• Not if, but when

6. Process
• Much of the IR data analyzed here is from published sources
• Huge props to Mandiant, Trustwave, Verizon, Shadowserver and others for sharing specifics

7. Threat Landscape in 2012

8. Threat Actors
• Hacktivists
• Financially motivated attackers
• State-sponsored attackers
• Employees / contractors / insiders
• Casual "attackers"

9. Focus on the attacker
• Attackers are people too
• Attackers have a personality
• Attackers have a limited set of knowledge
• Attackers have less visibility on your network than you do as a defender

10. 2012 Major Breaches
• Verisign: breached "successfully and repeatedly"
• Global Payments: 1.5m card numbers
• Barnes & Noble
• Public disclosures rarely discuss espionage
  • RSA, Northrop Grumman, L-3, Lockheed

11. Appalling Stats
• 6% self-detection of breaches in 2011, up from 2009*
• The typical attack went undetected for 416 days
• 100% of incidents had credentials stolen*
• Targeted attackers go straight for the SAM*
(* figures from the published IR reports credited on slide 6)

12. Case Studies

13. Attack Process
• Phishing attack
• RAT installed
• Pass-the-hash
• Domain access
• Exfiltration

14. Attack Process
• Initial access
• RAT installed
• Pass-the-hash
• Domain access
• Exfiltration
15. [Attack graph: "ACME Enterprises Security Assessment 2009". The diagram did not survive extraction; the legend and node labels below are the parts that remained legible.]
Legend: RED - did not obtain / failed; GREEN - obtained / success; GREY - not attempted / not attainable.
Inputs (bottom of the graph): Spoke / Hoovers / company directory; external vulnerability scan results; physical perimeter access.
Initial access paths: widespread or targeted phishing (a valid user email constructed with a backdoor; user opens the attachment or clicks the link); generate a list of possible usernames / passwords and brute force with Medusa until a guess succeeds; exploit a web application vulnerability or a simplistic service vulnerability; find a network-level or configuration vulnerability on an external device; wireless (intercept client probes using KARMA, MITM, obtain the wireless key, connect to the wireless network); physical (tailgate a user or steal an HID card, reach the secured floor area, find an inconspicuous area, plug into a network jack or drop a device, install a backdoor, get VPN access back to ACME).
Escalation paths: local exploit / gain control of a machine; OS-level access on the web server and escalate privileges; utilize Metasploit / crack passwords; crack LM hashes; dump local admin hashes; ARP spoofing and intercepting traffic; fingerprinting and local SMB browsing (quiet) versus scanning (noisy); browse workstations; pass-the-hash with local admin hashes against Windows machines; impersonate the token of a logged-in domain admin; obtain domain admin credentials and create a domain admin account.
Goals reached: administrator / domain admin, data on local PCs, Oracle and SMB credentials, Unix vulnerabilities, lists of Windows usernames / machines.
16. Attack Process
• Initial access
• RAT installed
• Pass-the-hash
• Domain access
• Exfiltration

17. 2008 - 2011 Findings
• Phishing works (when in scope)
• Vulnerable to pass-the-hash
• Improper network segmentation
• Improper egress filtering
• Zero detection rate
• Collaboration between tester and testee, but only superficial

18. "Scope?"

19. APT in 2012

20. APT (the 2011 RSA compromise)
• Email with the subject line "2011 Recruitment Plan" carrying an Excel spreadsheet
• "We went through a domain name and password reset" - caught "even senior managers by surprise"
• Shut down remote access to its internal network
• Logged in to the VPN to gain remote access to the corporate network

21. APT in 2012
• APT is much more likely to hang out than financially motivated attackers
• More interested in remaining stealthy
• Likely to install multiple backdoors for persistent access

22. Breakdown
• Discuss capabilities
• Discuss testing
• Discuss detection

23. Infiltration

24. APT Infiltration
• Spear phishing
  • Now with better spelling
  • Reader, PowerPoint, Word, Excel
• Compromise trusted sites, or simply set up a fake domain
  • Browser exploits / third-party plugins
• Connect-back over HTTPS

25. Infiltration Testing
• SET + Metasploit
• Commercial tools
  • Metasploit Pro
  • Core Impact
  • PhishMe / SaaS services
    • Generally a neutered attack

26. Infiltration Detection
• Users
• Egress filtering: break HTTPS and DNS at the perimeter (terminate TLS at an inspecting proxy; force clients through internal resolvers)
• Monitor DNS for rogue domains
• Windows event logging

27. Escalation

28. APT Escalation + Lateral Movement
• Phishing lands you on a user-level workstation
• You'll need to escalate privileges to admin
• You'll probably need to bypass UAC
• Now you need admin creds
• Lots of handy user creds in the registry

29. Escalation & LM Testing
• Metasploit / Meterpreter
  • getsystem
  • bypassuac
• Post modules by thelightcosine
• Everybody loves PsExec
• Everybody loves pass-the-hash

30. Escalation & LM Detection
• Maybe NIDS
• Windows event logging
31. Internal Recon

32. APT Internal Recon
• Most files attackers want are on desktops, on a network share, or in email
• Permissions can be a pain, but gathering more access is easy with PTH and token impersonation

33. RAT Capabilities
• Upload to a remote server
• Steal certificates
• Search the hard drive for Word / PDF (by sensitive words) / RDP files
• Screenshot / record audio / video
• Scan the local network to identify hosts
• Execute commands on the infected system

34. Internal Recon Testing
• Built-in tools
• Meterpreter has some nice capabilities
• VPN or RDP is sometimes necessary (e.g. to reach email)

35. Internal Recon Detection
• Monitor access to files
• Event logging

36. Persistence

37. APT Persistence
• Remote access solutions
  • Two-factor ups the ante, but doesn't seem to be a major issue
• RATs and rootkits
  • Poison Ivy, Gh0st RAT, ZeroAccess, TDSS

38. Persistence Testing
• Get hold of some VPN accounts and use them
• Use RDP if it's available
• Backdoor several systems using not only Metasploit but also a RAT
• Use a C&C server

39. Persistence Detection
• Monitor DNS
  • But there may be a backup domain
• Endpoint: registry or memory scan
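Slide 39 recommends an endpoint registry scan for persistence, and slide 46 makes the point that the defender can monitor change on the network better than anyone else. The example below is that idea applied to the Run and RunOnce keys: diff a known-good snapshot against one taken from the suspect host, then triage whatever was added or changed. This is an added example, not code from the talk; the two snapshot dictionaries stand in for output you would collect with reg export or Sysinternals autorunsc, and every key path, value name and command in them is constructed. A real collection would also cover services, scheduled tasks, Winlogon and WMI subscriptions.

```python
"""Diff two snapshots of Windows autorun (Run / RunOnce) registry keys and triage new entries.

Added example, not from the talk. BASELINE and CURRENT are constructed stand-ins
for exported registry data from a clean build and from the host under investigation.
"""
import re

HKLM_RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUNONCE = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
HKCU_RUN = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Locations a standard user can write to; an autorun launching from here is suspect.
USER_WRITABLE = re.compile(r"\\(AppData|Local Settings|Temp|Users\\Public)\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(vbs|js|bat|cmd|ps1|scr)(\"|\s|$)", re.IGNORECASE)
LOADERS = ("rundll32", "regsvr32", "mshta", "wscript", "cscript")

# Constructed baseline from a clean build (made-up values).
BASELINE = {
    HKLM_RUN: {
        "Adobe ARM": r'"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"',
        "GrooveMonitor": r'"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"',
    },
    HKCU_RUN: {
        "Sidebar": r'C:\Program Files\Windows Sidebar\sidebar.exe /autoRun',
    },
}

# Constructed snapshot from the suspect host (made-up values).
CURRENT = {
    HKLM_RUN: {
        "Adobe ARM": r'"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"',
    },
    HKLM_RUNONCE: {
        "svchost": r'C:\Users\Public\svchost.exe',
    },
    HKCU_RUN: {
        "Sidebar": r'C:\Program Files\Windows Sidebar\sidebar.exe /autoRun',
        "WindowsUpdate": r'C:\Windows\system32\rundll32.exe C:\Users\jsmith\AppData\Roaming\wuaucIt.dll,Start',
    },
}


def diff_autoruns(baseline, current):
    """Return (kind, key, value_name, command) tuples for added, removed and changed values."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key, {}), current.get(key, {})
        for name in sorted(set(old) | set(new)):
            if name not in old:
                changes.append(("added", key, name, new[name]))
            elif name not in new:
                changes.append(("removed", key, name, old[name]))
            elif old[name] != new[name]:
                changes.append(("changed", key, name, new[name]))
    return changes


def triage(changes):
    """Attach reasons to added/changed entries so an analyst can prioritise them."""
    findings = []
    for kind, key, name, command in changes:
        if kind == "removed":
            continue
        reasons = []
        if USER_WRITABLE.search(command):
            reasons.append("image in user-writable path")
        if any(loader in command.lower() for loader in LOADERS):
            reasons.append("payload started via a script/DLL loader")
        if SCRIPT_EXT.search(command):
            reasons.append("script or screensaver extension")
        if not reasons:
            reasons.append("new or changed autorun; verify the file's signature and hash")
        findings.append({"kind": kind, "key": key, "name": name, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(diff_autoruns(BASELINE, CURRENT)):
        print(f"{f['kind']:8} {f['key']}\\{f['name']}: {f['command']}")
        for r in f["reasons"]:
            print("         -", r)
```

The diff is what makes this workable at scale: a one-off scan of autorun keys produces hundreds of legitimate entries per host, while the delta against a baseline of the same build is usually a handful. Removed entries are reported but not triaged, since an attacker removing their own persistence is rare and a removal is more often a software uninstall.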
40. Exfiltration

41. APT Exfiltration
• 3-4 years ago: FTP, IRC, etc.
• Now: beacon and exfil over HTTPS / DNS
• RDP and VPN
• 46% of systems didn't have malware*
• Cleaning up slack space

42. Exfiltration Testing
• Metasploit / Meterpreter channels
• Pwnie Express Pwn Plug

43. Exfiltration Detection
• Ingress filter everything
• Egress filter everything
• Break DNS and HTTPS at the perimeter
• DO NOT ALLOW outbound DNS or HTTP/HTTPS without monitoring / filtering
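Slides 26, 39 and 43 all come back to DNS: monitor it for rogue domains, expect a backup domain, and never allow outbound DNS without monitoring. The added example below (not code from the talk) runs three checks over a resolver query log: base domains outside an allowlist, beaconing (queries to one domain at near-constant intervals) and tunnelling (many distinct, long, high-entropy labels under one domain, which is how data rides in query names). The log format, the domain names under the reserved "example" and "test" TLDs, the allowlist and the thresholds are all constructed for the demo. Python 3, standard library only.

```python
"""Spot beaconing and DNS-tunnelled exfiltration in resolver query logs.

Added example, not from the talk. Log format is constructed for this demo:
"<ISO timestamp> <client ip> <query name> <record type>", one query per line.
"""
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed query log (not real traffic). The 32-character labels under
# data-relay.example are stand-ins for encoded data chunks.
SAMPLE_LOG = """\
2012-10-29T09:00:00 10.0.5.17 c2.ops-update.example A
2012-10-29T09:00:12 10.0.5.17 www.example.com A
2012-10-29T09:00:40 10.0.5.22 download.windowsupdate.com A
2012-10-29T09:01:00 10.0.5.17 c2.ops-update.example A
2012-10-29T09:02:01 10.0.5.17 c2.ops-update.example A
2012-10-29T09:02:15 10.0.5.22 fs-01.acme.local A
2012-10-29T09:03:00 10.0.5.17 c2.ops-update.example A
2012-10-29T09:03:59 10.0.5.17 c2.ops-update.example A
2012-10-29T09:04:33 10.0.5.22 www.newsite.test A
2012-10-29T09:05:00 10.0.5.17 c2.ops-update.example A
2012-10-29T09:10:00 10.0.5.17 0123456789abcdefghijklmnopqrstuv.t.data-relay.example TXT
2012-10-29T09:10:00 10.0.5.17 456789abcdefghijklmnopqrstuv0123.t.data-relay.example TXT
2012-10-29T09:10:01 10.0.5.17 9abcdefghijklmnopqrstuv012345678.t.data-relay.example TXT
2012-10-29T09:10:01 10.0.5.17 defghijklmnopqrstuv0123456789abc.t.data-relay.example TXT
2012-10-29T09:10:02 10.0.5.17 klmnopqrstuv0123456789abcdefghij.t.data-relay.example TXT
2012-10-29T09:10:02 10.0.5.17 rstuv0123456789abcdefghijklmnopq.t.data-relay.example TXT
"""

# Domains the organisation knows it talks to (constructed allowlist).
KNOWN_GOOD = {"example.com", "windowsupdate.com", "acme.local"}


def base_domain(qname):
    """Last two labels. Caveat: no public-suffix list, so co.uk-style names collapse."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def shannon_entropy(text):
    """Bits per character; random hex sits near 3.7-4.0, English words well below 3."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_log(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, qtype = line.split()
            records.append((datetime.fromisoformat(ts), client, qname.rstrip(".").lower(), qtype))
    return records


def find_unknown_domains(records):
    """Base domains outside the allowlist: the raw list to review for rogue domains."""
    return {base_domain(q) for _, _, q, _ in records if base_domain(q) not in KNOWN_GOOD}


def find_beacons(records, min_queries=6, max_jitter=0.2):
    """Per (client, base domain): enough queries at near-constant spacing.
    Jitter is the coefficient of variation of the gaps between queries."""
    times = defaultdict(list)
    for ts, client, qname, _ in records:
        dom = base_domain(qname)
        if dom not in KNOWN_GOOD:
            times[(client, dom)].append(ts)
    beacons = []
    for (client, dom), ts_list in times.items():
        if len(ts_list) < min_queries:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons.append({"client": client, "domain": dom, "queries": len(ts_list),
                            "interval_s": round(mean, 1),
                            "jitter": round(statistics.pstdev(gaps) / mean, 3)})
    return beacons


def find_tunnels(records, min_unique=5, min_label_len=20, min_entropy=3.5):
    """Per (client, base domain): many distinct, long, high-entropy leftmost labels."""
    labels = defaultdict(set)
    for _, client, qname, _ in records:
        dom = base_domain(qname)
        if dom not in KNOWN_GOOD and qname != dom:
            labels[(client, dom)].add(qname.split(".")[0])
    tunnels = []
    for (client, dom), names in labels.items():
        if len(names) < min_unique:
            continue
        avg_len = statistics.mean(len(n) for n in names)
        avg_ent = statistics.mean(shannon_entropy(n) for n in names)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            tunnels.append({"client": client, "domain": dom, "unique_labels": len(names),
                            "avg_label_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)})
    return tunnels


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("unknown domains:", sorted(find_unknown_domains(recs)))
    print("beacons:", find_beacons(recs))
    print("tunnels:", find_tunnels(recs))
```

None of this works if clients can resolve against arbitrary external servers, which is why the slide says to break DNS at the perimeter first: block 53/udp and 53/tcp outbound except from your resolvers, then these checks see every query. Expect CDNs and anti-virus update checks to look beacon-like until allowlisted, and expect the backup domain from slide 39 to show up as a second, quieter beacon from the same client.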
44. Lessons Learned

45. Lessons Learned
• The focus of a pentest is on the binary result
• Pentest == APT
• Red team: you should be simulating the threat
• Blue team: structure roles so your team can focus on investigating suspicious events*
• We can improve security by repeating the testing process

46. Lessons Learned
• We can learn a lot from the IR data
• You are fighting a constant attack. Be IR-ready
• When prevention fails, rapid detection and response helps
• You can monitor change on your network more effectively than anyone else

47. Lessons Learned
• You should have enough prevention to buy you time for detection and reaction
• You don't have to stop the threat entirely
• Remediate in the strike zone
• OPFOR
• My NFL team is awesome in practice; they only suck in the game

48. Being IR Ready
• Develop an overview of the enterprise infrastructure
• Centralize the storage and analysis of key logs
• Implement robust logging
• http://www.mandiant.com/resources/m-trends/ - M-Trends 2010

49. Lessons Learned
• Bejtlich: two goals: classify and count security incidents, and measure time from detection to containment
• Do you know where your sensitive data is?
• If we gave you a hostname, could you tell us within a few hours whether it had sensitive data on it?*

50. Ideas...

51. Rethink the test as a product
• It shouldn't be a binary result
• A stack of paper is a stack of paper
• The process itself is a product
• Better product => better capability
• Better capability => measurably lower response times

52. Gamification
• Haroon Meer introduced this idea
• Gamify the test
• Play cards for certain access / systems
• "Collaborative Wargaming"
• "Scenario Testing"

53. Pentesting => IR Training
• It's one thing to tell your target to "watch" for trouble
• It's another to actively work with and train your target
• Lares, Attack Research, others?

54. Not If, But When

55. Ask

56. Counter Attack

57. Pass the Hash
• Pass the hash works on more than Windows

58. Lateral Movement

59. Getting Owned

60. Not if but When!

61. (Quoted from the report at http://dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf)
• We infected our PC from the lab, then gave the cyber attacker a fake ZIP archive with his own virus inside and the name "Georgian-Nato Agreement".
• The attacker stole that archive and executed the malicious files.
• As we had access to the BOT panel, we maintained control over his PC.

62. Take Aways
• As a tester, DEMAND to work together. As a testee, DEMAND to work together
• Pentests should not operate in a silo
• Even if you don't want the results, you want the capability
• Adding or enhancing a capability qualifies as actionable results
• Offensive capabilities lead, defensive capabilities lag

63. Further Reading
• Mandiant webinars
• "Penetration Testing Considered Harmful" (Haroon Meer)
• Threat report collection