#ALSummit: Live Cyber Hack Demonstration
•
2 likes•721 views
James Brown (VP Technology Solutions Group, Alert Logic), Stephen Coty (Chief Security Evangelist, Alert Logic), and Paul Fletcher (Security Evangelist, Alert Logic)'s live hack demonstration at the NYC Alert Logic Cloud Security Summit on June 14, 2016.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (9)
Similar to #ALSummit: Live Cyber Hack Demonstration
Similar to #ALSummit: Live Cyber Hack Demonstration (20)
More from Alert Logic
More from Alert Logic (20)
Recently uploaded
Recently uploaded (20)
#ALSummit: Live Cyber Hack Demonstration
- 2. Security in the Cloud is a Shared Responsibility • Secure coding and best practices • Software and virtual patching • Configuration management • Access management • Application level attack monitoring • Access management • Patch management • Configuration hardening • Security monitoring • Log analysis • Network threat detection • Security monitoring • Logical network segmentation • Perimeter security services • External DDoS, spoofing, and scanning prevented • Hardened hypervisor • System image library • Root access for customer • Configuration best practices
- 5. Today’s Attacks are Becoming More Complex THE CYBER KILL CHAIN¹ THE IMPACT Financial loss Harm brand and reputation Scrutiny from regulators IDENTIFY & RECON INITIAL ATTACK COMMAND & CONTROL DISCOVER & SPREAD EXTRACT & EXFILTRATE • Attacks are multi-stage using multiple threat vectors • Takes organizations months to identify they have been compromised • 205 days on average before detection of compromise1 • Over two-thirds of organizations find out from a 3rd party they have been compromised2 1 – IDC Worldwide Security and Vulnerability Management 2014–2018 Forecast 2 – M-Trends 2015: A View from the Front Lines
- 6. Three Classes of Threat Actor Hacktivist Advanced Persistent Threat (APT)Cyber Criminal
- 7. March 2016 Cyber Attack Statistics
- 9. CyberCrime & Monetization Crypto Currencies Underground Market
- 10. Do not try this at home Do not try and download the hacking tools
- 11. GOOGLE DORKS
- 12. RECON & INITAL ATTACK
- 13. RECON & INITAL ATTACK
- 15. SOC View – Initial Attack & CnC Activity
- 17. SOC View – Extract/Exfiltration Activity
- 18. Exploits & Required Skillset
- 19. Stopping Imminent Data Exfiltration INCIDENT ESCALATION Partner and customer notified with threat source information & remediation tactics 8 min FUTHER ANALYSIS Alert Logic Analyst confirms user IDs & password hashes leaked as part of initial attack 2 hours EXFILTRATION ATTEMPT PREVENTED Partner works with customer to mitigate compromised accounts 6 hours COMPROMISE ACTIVITY Discovered through inspection of 987 log messages indicative of a SQL injection attack Customer Type: Retail Threat Type: Advanced SQL Injection
- 20. Preventing Ransomware Spread INCIDENT ESCALATION Critical risk of lateral movement through shared drives identified 14 min LATERAL MALWARE MOVEMENT PREVENTED Analyst performs forensic review of additional 8,000 log messages and 1,400 events that identifies additional attack vectors through related events 6 hours SUSPICOUS ACTIVITY Cryptowall detected on key gateway server in over 1,400 events (6,000 Packets) Customer Type: Retail Threat Type: Ransomware
- 21. Continuous Security Monitoring THE CYBER KILL CHAIN IDENTIFY & RECON INITIAL ATTACK COMMAND & CONTROL DISCOVER & SPREAD EXTRACT & EXFILTRATE
Editor's Notes
- Introductions: James Brown Title Too Long For Slide Narrator Richard Cassidy Product & Technical Marketing Role of SOC Analyst Richard Kynaston Some Hacker Dude Role of Hacker
- Site – the vanilla build of the underlying web server and possibly an application such as wordpress, but unmodified Theme – the first class of “add-on”; 3rd party developed, usually added without full code review, may be hooking data from sensitive files or directories and/or may update/extend core wordpress files Plug-ins – While themes can already be a problem alone, plugins are usually the bigger danger – may hook admin functionality, again added usually without full code review.  At times and dependent on how fully-featured/extensive the plugin, this might double the available attack vectors Your Apps – Have they been developed with a security mindset? Do they include files/code from 3rd party libraries? How is the code reviewed? User Input – A real danger zone, especially if the input is used to form variables in code functions (may open doors such as SQL injection, XSS); a comment field, a mailing list subscription field, a guestbook, a search function and so on Document Storage – upload functionality, is there sanitisation of allowed filetypes? Can the user access the raw file after upload? (may open the door to webshells, backdoors, defacement pages,could be vulnerable in tandem with user-input) Example recent vulnerable themes: Wordpress WPLMS learning management system theme Beauty Theme (arbitrary file upload) Truemag theme – unauthenticated reflected XSS Example recent vulnerable plugins: Revslider (our demo example) - multiple issues such as unrestricted file upload, file disclosure/download https://vuldb.com/?id.76139 Custom Content Type Manager (project handed to new author “wooranker”, created a backdoor - https://blog.sucuri.net/2016/03/when-wordpress-plugin-goes-bad.html) WooCommerce – popular wordpress e-commerce plugin (Feb 2016 XSS - https://0x62626262.wordpress.com/2016/02/24/import-woocommerce-xss-vulnerability/)
- Kill Chain Discuss what it is and how it relates to the anatomy of an attack Discuss how we will show each stage of this being enacted as we run through the live hack RevSlider Exploit  Discuss that we’re going to demonstrate an exploit in a popular Plugin as an example of what we’ve been discussing earlier in the presentation. Show the Plugin in Action and what it is/does on the WP Site - https://vuldb.com/?id.76139
- Introductions: James Brown Title Too Long For Slide Narrator Richard Cassidy Product & Technical Marketing Role of SOC Analyst Richard Kynaston Some Hacker Dude Role of Hacker
- Recon (Finding & Verifying Your Target) Google Dorks - https://www.google.co.uk/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=inurl%3Arevslider%20inurl%3Atemp%20inurl%3Aupdate_extract (RevSlider Result) or inurl:revslider%2520inurl:temp%2520inurl:update_extract for exact Dork                                                            iii.     WPScan to verify vulnerability exists (can be used as an example of how our SOC can detect RECON activity against vulnerable site? OR                                                            iv.     Link it back to CLOUD INSIGHT and why vulnerability management is key in preventing the organization from being exploitable in the first place against unpatched Plugins? OR                                                             v.     Discuss both
- Recon (Finding & Verifying Your Target) Google Dorks - https://www.google.co.uk/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=inurl%3Arevslider%20inurl%3Atemp%20inurl%3Aupdate_extract (RevSlider Result) or inurl:revslider%2520inurl:temp%2520inurl:update_extract for exact Dork                                                            iii.     WPScan to verify vulnerability exists (can be used as an example of how our SOC can detect RECON activity against vulnerable site? OR                                                            iv.     Link it back to CLOUD INSIGHT and why vulnerability management is key in preventing the organization from being exploitable in the first place against unpatched Plugins? OR                                                             v.     Discuss both
- Initial Attack & CnC Activity CURL Command Line used to upload Web Shell via vulnerable Plugin 1.      Function used embedded into “RevSlider” to make life simpler in updating the Plugin CnC Activity to Malicious IP (in most instances, either through known MALWARE Domain/IP SRC or TOR Exit Nodes) SOC View – NVISION ScreenShot on how this activity can be monitored, logged and identified by a trained SOC analyst and then escalated to the customer within a strict SLA to prevent attack reaching final stage of Kill Chain
- Discover & Spread (Lateral Movement) Hackers WSO provides Control Panel Access Demonstrate that WP Admin console is not logged in but that Hacker now has admin level access through exploiting vulnerable plugin Hacker can laterally move within server directories SQL Config File for Keys (Pre-Exfiltration Phase)                                  i.     PII, Financial Data, IP, etc… Admin Directories Traversal                                 i.     Gather Data to infect other systems Anecdote on 205 Days in target network ahead of moving to final exfiltration stage on Kill Chain