Slide 1: Keeping Hackers Out of Your Organisation… By Being Hacked!
Martin Overton, EMEA ERS Lead and Senior Security Consultant, Cyber Security Intelligence and Response Team (CSIRT)

Slide 2: Agenda
– Threatscape
– Real World “Hacking” Examples and Customer Stories:
  – Networks
  – End-Points
  – Web Applications
  – The Human
– Solutions
– Questions?
Slide 3: The number of vulnerabilities increases radically with the emergence of new business models and technologies.
Exponentially growing and interconnected digital universe:
– 1 trillion connected objects (cars, appliances, cameras)
– 30 billion RFID tags (products, passports, buildings and animals)
– 1 billion workers will be remote or mobile
– 1 billion mobile Internet users
– 30 percent growth of 3G devices
– 33 percent of all new business software spending will be Software as a Service
Adopting new business models and embracing new technologies:
– Mobility
– Employees, customers, contractors, outsourcers
– Bring your own IT
– Social business
– Cloud and virtualization
Source: IBM X-Force® Trend Report, 2011
Slide 4: Motivation and Sophistication are Evolving Rapidly
– Attackers have more resources
– Off-the-shelf tools are available for sale
– They will keep trying until they get in
Slide 5: The new security landscape
Sophisticated attackers are a primary concern (the slide's vertical axis is Potential Impact).

Threat Profile              | Type                                                 | Share of Incidents | Attack Type
Advanced threat / mercenary | National governments, Terrorist cells, Crime Cartels | 23%                | Espionage, Intellectual property theft, Systems disruption, Financial Crime
Malicious Insiders          | Employees, Contractors, Outsourcers                  | 15%                | Financial Crime, Intellectual Property Theft, Unauthorized Access
Hacktivist                  | Social Activists                                     | 7%                 | Systems disruption, Web defacement, Information Disclosure
Opportunist                 | Worm and virus writers, “Script Kiddies”             | 49%                | Malware propagation, Unauthorized Access, Web defacement

Source: Government Accountability Office, “Department of Homeland Security's Role in Critical Infrastructure Protection Cybersecurity”, GAO-05-434; IBM Cyber Security Intelligence & Response Team, September 2012
Slide 6: What IBM Sees
Did you know...
– 2,641,350 security attacks: the number the average company faces per week
– 62 security incidents: the number the average company experiences per week
Top 7 most ATTACKED industries:
1. Health & Social Services
2. Transportation
3. Hospitality
4. Finance & Insurance
5. Manufacturing
6. Real Estate
7. Mining, Oil & Gas
Top 5 reasons WHY attacks were possible:
1. End user didn't think before clicking
2. Weak password / default password in use
3. Insecure configuration
4. Use of legacy hardware or software
5. Lack of basic network security protection or segmentation
Categories of attack:
– Malicious Code
– Sustained Probe or Scan
– Unauthorized Access
– Low-and-Slow Attack
– Access/Credentials Abuse
– Denial of Service
Slide 7: Top Reasons WHY Compromises Occur
End users/endpoints:
1. Double-clicking “on anything”
2. Disabling endpoint security settings
3. Using vulnerable, legacy software and hardware
4. Failing to install security patches
5. Failing to install anti-virus
6. Failing to report a lost/stolen device
7. Connecting an endpoint to a network from an insecure access point (e.g., Starbucks)
8. Using a second access point (e.g., an AirCard), creating a bypass
9. Using weak/default passwords and/or using business passwords for personal use
10. Giving passwords over the phone
Infrastructure:
1. Connecting systems/virtual images to the Internet before hardening them
2. Connecting test systems to the Internet with default accounts/passwords
3. Failing to update or patch systems/applications in a timely manner
4. Failing to implement or update virus detection software
5. Using legacy/EOLed software and hardware
6. Running unnecessary services
7. Using insecure back-end management software
8. Failing to remove old or unused end-user accounts
9. Implementing firewalls with rules that don't stop malicious or dangerous traffic, incoming or outgoing
10. Failing to segment the network and/or adequately monitor/block malicious traffic with IDS/IPS
80-90% of all security incidents can be easily avoided!
Slide 8: Screenshots from REAL Hacks, Customer Stories and a Video…
Slide 9: Network Hacked, Step 1!
The initial compromise was via a default Apache Tomcat Manager user id and password…

Slide 10: Network Hacked, Step 2!
We then uploaded a special WAR file to give us remote shell access…

Slide 11: Network Hacked, Step 3!
Using this shell we dumped the password hashes from the system and created a user account, which we then added to the local Administrators group…

Slide 12: Network Hacked, Step 4!
Then we could log in using the Microsoft Terminal Server Client…

Slide 13: Network Hacked, Step 5!
The dumped hashes were then cracked to recover the passwords… including the Administrator's!
This same technique was used on another server.
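Step 1 of the chain above rests on a Tomcat Manager application that still accepts a default user id and password; everything after it is ordinary post-exploitation. The Python below is an added example, not code from the presentation or from IBM: it tries the credential pairs that ship commented out in Tomcat's sample conf/tomcat-users.xml (tomcat, both, role1) and the tomcat:s3cret pair from the Manager How-To, plus admin pairs commonly left by packaged installs, against the Manager entry points, and carries a constructed in-process fake server so it runs offline. The host 10.0.0.5 in the usage is an assumption.

```python
import base64
import urllib.error
import urllib.request

# Credential pairs that ship commented out in Tomcat's sample conf/tomcat-users.xml
# (tomcat, both, role1) or appear in the Manager How-To (tomcat:s3cret), plus admin
# pairs commonly left behind by packaged installs (assumption: extend for your estate).
DEFAULT_CREDS = [
    ("tomcat", "tomcat"),
    ("tomcat", "s3cret"),
    ("both", "tomcat"),
    ("role1", "tomcat"),
    ("admin", "admin"),
    ("admin", ""),
]

# Manager entry points: text interface (Tomcat 7+), legacy text interface (Tomcat 6)
# and the HTML GUI. Any of them answering 200 to a guessed pair is the step-1 finding.
MANAGER_PATHS = ["/manager/text/list", "/manager/list", "/manager/html"]


def basic_auth_header(user, password):
    """HTTP Basic header for one user id / password pair."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def http_status(url, headers, timeout=5):
    """Default transport: one GET, returning the HTTP status code, or 0 on connection failure."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code   # 401 = rejected; 403 = authenticated but not authorised, or IP denied
    except urllib.error.URLError:
        return 0


def find_default_manager_creds(base_url, creds=DEFAULT_CREDS, paths=MANAGER_PATHS,
                               fetch=http_status):
    """Try each default pair against each Manager path.

    Returns a list of (user, password, status) for pairs that got 200 (confirmed) or
    403 (the pair authenticated but lacks a manager role, or a RemoteAddrValve denied
    our address; confirm by hand). 401 and 404 are skipped.
    """
    hits = []
    base = base_url.rstrip("/")
    for user, password in creds:
        for path in paths:
            status = fetch(base + path, basic_auth_header(user, password))
            if status in (200, 403):
                hits.append((user, password, status))
                break   # one hit per pair is enough
    return hits


def fake_manager(accepts=("tomcat", "tomcat")):
    """Constructed in-process stand-in for a Manager app that accepts exactly one pair.

    The returned function has the same signature as http_status, so the checker runs offline.
    """
    good = basic_auth_header(*accepts)["Authorization"]

    def fetch(url, headers, timeout=5):
        if "/manager/" not in url:
            return 404
        return 200 if headers.get("Authorization") == good else 401

    return fetch


if __name__ == "__main__":
    # Offline demonstration against the constructed fake; use the default fetch=http_status
    # and a real base URL only on an authorised engagement.
    print(find_default_manager_creds("http://10.0.0.5:8080", fetch=fake_manager()))
```

A 200 is the finding on slide 9. Remediation is the mirror image of that step: remove the Manager application from production hosts, or give its users long random passwords and only the roles they need, and restrict the application to trusted addresses with a RemoteAddrValve.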
Slide 15: What Does The Previous Slide Mean?
It means we have Domain Admin on the network.
This means we can now access ANY system in the Domain.
This means we can see ALL data on all systems in the Domain.
In other words, we now own the network.
We will tell you and do no harm; the bad guys work to other agendas!
Slide 16: Customer Win Story (Penetration Test)
A large French company owning several brands decided to assess their systems by performing External and Internal penetration testing with IBM.
Business challenge:
– Concerned about external attacks by real hackers, they wanted to test their systems, and their monitoring and response infrastructure, against a real hacker attacking from the Internet.
Solution:
– IBM discovered a critical vulnerability in one of the extensions installed on the CMS powering the public extranet.
– By exploiting this vulnerability, IBM was able to take control of the hosting server, establish a tunnel (Internet -> DMZ) and place the attacker's machine on the private DMZ segment. Because the tunnel was encrypted, network security controls such as the firewall and IPS could neither see nor stop the traffic inside it. The attacker could then attack any internal service, gaining access to other hosts and sensitive documents/databases.
Solution/Benefits:
– IBM provided detailed remediation recommendations to the customer and they were resolved quickly.
Solution components:
– IBM penetration testing to identify and help correct exposure to the Internet
Slide 17: Customer Win Story (Application Test)
A large bank assessed the security risks of its internet-facing applications and infrastructure.
Business challenge:
– As part of regular security practice, a large European bank engaged IBM to verify the security of their internet-facing infrastructure and applications.
Solution:
– IBM assessed the infrastructure and found a SQL injection flaw that could be used by an unauthorized attacker to gain access to sensitive data.
– IBM also found a SQL injection flaw in one of the applications which gave an attacker full access to internal data.
Benefits:
– IBM worked with the application developers to resolve the issues.
– The client re-coded as recommended and IBM then retested: all issues were confirmed fixed.
Vulnerabilities were found that allowed anybody to get access to confidential data.
Slide 18: So Just How Easy is it to Hack a Web Application (Web Site)?
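The bank story names the finding (SQL injection) but not its shape. The Python below is an added example, not the bank's code or IBM's: it builds a constructed in-memory SQLite users table, places the vulnerable login query beside its parameterised replacement, and runs the two classic payloads (an authentication bypass and a UNION that reads other users' secrets) against both, so the "full access to internal data" in the story becomes concrete. The table contents and payloads are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the bank's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", 1200), ("bob", "hunter2", 75)],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The 'before': user input is spliced into the SQL text, so a quote in the
    input ends the string literal and the rest becomes part of the query."""
    sql = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """The 'after': a parameterised query. The driver passes the values separately
    from the statement, so input can never change the statement's structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def balance_vulnerable(conn, username):
    """Second vulnerable query: a lookup that returns rows, so a UNION can pull any column."""
    sql = f"SELECT balance FROM users WHERE username = '{username}'"
    return [r[0] for r in conn.execute(sql).fetchall()]


def balance_fixed(conn, username):
    """Parameterised version of the lookup."""
    rows = conn.execute("SELECT balance FROM users WHERE username = ?", (username,)).fetchall()
    return [r[0] for r in rows]


# Two classic payloads, constructed here for the demonstration.
BYPASS = "' OR '1'='1"                                   # turns "AND password = ''" into a tautology
DUMP = "nobody' UNION SELECT password FROM users --"     # appends every user's password to the result


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", BYPASS))   # 'alice': logged in without a password
    print(login_fixed(db, "alice", BYPASS))        # None: the payload is just a wrong password
    print(balance_vulnerable(db, DUMP))            # both stored passwords, in some order
    print(balance_fixed(db, DUMP))                 # []: no user is literally named that
```

The fix is the only durable one: parameterise every query. Escaping quotes by hand and blocking the word UNION are the kinds of partial remedies a retest, like the one in the story, is there to catch.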
Slide 19: Social Engineering Testing
This includes the following:
– Workstation/Laptop Security
– Tailgating
– USB Sticks
– Confidential Data
– Phishing (Email and Web)
– Phishing (Phone)
– Customer Specific Tests
This is a pick-and-mix solution and is often bespoke to the client's specific needs.
Slide 20: Definition: Phishing
The art of using social engineering to encourage the user to divulge information.
The user receives an email directing them to a website which looks official, but isn't!
The user is encouraged to enter account details, passwords, etc.
However, phishing can also be carried out via VoIP, SMS, or traditional phones or mobiles.
Slide 21: Spear Phishing
A phishing scam targeting a single company or organisation.
– If your users received an email from “H.R.” asking them to confirm their username/password, how many would?
Attacks have a specific aim: to gain access to your internal systems.
Many so-called APT* or Targeted attacks use this as one of their main attack vectors.
This is made easier by the vast amount of data most people give away via social media sites and services…
*Advanced Persistent Threat
Slide 22: Phishing (Email and Web)
This fake HSBC email contained a link to a fake HSBC website that was set up specifically for this test. The fake website was hosted at the following URL:
http://hsbc.banking.services.http01.com/HSBC/
Below is a screenshot of the phishing email sent to the supplied addresses from a fake HSBC email account, HSBC.Alert@post.com:

Slide 23: Phishing (Email and Web)
This fake site was complete with a working password box that masked the input (as in real life) and also asked the victim to install a new SSL Certificate (really a renamed payload from the USB stick).

Slide 24: Phishing (Email and Web)
One of the victims clicked on the link in the bogus email and then proceeded to supply their “real” business account details.
The two redacted fields (between the | symbols after the 100000 entry) contained the victim's real HSBC login id and password.
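The bait above works because the brand name sits at the left of the host name and in the sender's local part, where people read, while the part that actually matters (the registered domain, http01.com and post.com) sits at the right. The Python below is an added example, not part of the test or the presentation: it extracts the registrable domain from the link and from the sender address and reports each mismatch against the brand. The allow-list of HSBC domains and the short suffix table are assumptions standing in for a real allow-list and the Public Suffix List.

```python
from urllib.parse import urlsplit

# Domains the brand really owns (assumption for the demo; load an allow-list in practice).
BRAND_DOMAINS = {"hsbc": {"hsbc.com", "hsbc.co.uk"}}

# Tiny stand-in for the Public Suffix List: suffixes under which the registrable
# name is the third label from the right rather than the second.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au", "co.nz", "co.jp"}


def registrable_domain(host):
    """'hsbc.banking.services.http01.com' -> 'http01.com'; 'www.hsbc.co.uk' -> 'hsbc.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def phishing_indicators(url, from_addr, brands=BRAND_DOMAINS):
    """Reasons a link/sender pair looks like brand spoofing; an empty list means none found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    link_domain = registrable_domain(host)
    sender = from_addr.lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    reasons = []
    for brand, owned in brands.items():
        # Brand in the host or path but the registered domain is someone else's.
        if (brand in host or brand in parts.path.lower()) and link_domain not in owned:
            reasons.append(f"link names {brand} but is registered under {link_domain}")
        # Brand in the display/local part of the sender but the mailbox is elsewhere.
        if brand in sender and sender_domain not in owned:
            reasons.append(f"sender {from_addr} is at {sender_domain}, not a {brand} domain")
    if parts.scheme == "http":
        reasons.append("login link is plain http; a real bank login page would be https")
    return reasons


if __name__ == "__main__":
    # The URL and sender from the test described above.
    for r in phishing_indicators("http://hsbc.banking.services.http01.com/HSBC/",
                                 "HSBC.Alert@post.com"):
        print("-", r)
    print(phishing_indicators("https://www.hsbc.co.uk/login", "alerts@hsbc.co.uk"))  # []
```

The same three checks are what a user can do by eye before clicking: read the host name from the right, read the sender's domain rather than the name in front of it, and expect https on anything that asks for a password.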
Slide 25: Phishing (Phone)
This part of social engineering testing involves phone calls to a pre-agreed number or numbers, pretending to be from the helpdesk, a supplier, or a customer having problems with their account/service.
The story is agreed with the customer before being used; often this will involve several stories and attacks from different vectors (customer, support, HR, etc.).
Then there is Vishing (voice phishing) and Smishing (SMS phishing)…
Slide 26: Solutions – Penetration Test Methodology
• Security is a journey, not a destination…
• Uses the same techniques and tools as the bad guys and girls…
• Lots of manual testing using very specialised skills…
• A very detailed report with findings, including step-by-step details of exactly how we hacked systems or people…
• The report includes a management summary, full technical findings and remediation instructions, as well as prioritised recommendations…
Slide 27: The Value of Penetration Testing
IBM penetration testing services can deliver:
– An effective, affordable service that provides a “hacker's-eye” view of a client's security posture
– The identification of security issues before they are exploited, giving organizations an opportunity to prevent threats before they can impact the business
– Access to security experts and proven best practices, and a detailed action plan with remediation recommendations
– Assistance in ensuring regulatory compliance and business continuity
Slide 28: Additional Offerings
IBM Penetration Testing Can and Often Does Include:
• Malware Defence Review
• SCADA Penetration Test
• Network Penetration Test
• On-site Penetration Test
• Application Assessment
• Application Code Analysis (web, Java, mobile, etc.)
• Social Engineering (“Hacking the Human”)
• Wireless Security Testing
• Emergency Response and Incident Management
Slide 29: Team Skills… Beyond Penetration/Application Testing…
– Reverse Engineering
– Hardware/Firmware Hacking, including rooting and jail-breaking
– Knowledge of iOS, Java, Android as well as the usual suspects…
– Malware, Exploits and bypassing security technologies
– Coding in C, C++, C#, Java (and derivatives), Perl, Python, PHP, Basic, Assembler, Shell scripting, Pascal, REXX, etc.
Slide 30: ERS Hotline
Have an emergency? Call IBM ERS 24x7x365:
(US) 1-888-241-9812
(WW) 1-312-212-8034
Best Practices: Ensure you have access to the resources and tools needed to respond quickly to the inevitable incident.
Clients should consider retaining expert security consultants prior to an incident. This ensures guaranteed access to resources, knowledge of your environment, and predictable response times.
As an example, IBM's Emergency Response Service Subscription includes:
• Initial one-day workshop for incident planning
• 120 staff hours per year, which can be used remotely or on site at the client's discretion for emergency response services or preventative services
• Unlimited emergency declarations
• Two seats on the X-Force Threat Analysis Service
• Quarterly check point, remote support, and update on the threat landscape
We can perform these preemptive incident preparation services at the beginning of, or at any given time during, the subscription:
• Active threat assessment
• Cyber Security Incident Response Program gap assessment
• Incident response training and simulated exercise
Slide 31: Customer Win Story (ERS)
An international defence contractor…
Business challenge:
– The FBI contacted the customer to inform them that they had been hacked, that the attackers were stealing data from them and “bugging” key executives' laptops, and suggested that they get help in finding and removing the malicious code.
Solution:
– IBM identified the new (previously unknown) malware that had been installed, and how it was hidden.
– IBM identified how, and to which remote systems, the data was being exfiltrated.
Benefits:
– IBM identified how the new malware installed itself, what it did, etc.
– IBM created a bespoke detection and removal script for the customer. This killed the malware in memory and then deleted it from the system. It also sent reports of infections found and cleaned to the security manager.
– The client was delighted with our speed of action and the complete removal of the malware.
An APT was found that had allowed attackers to access confidential data, including weapons systems code and blueprints, as well as to record executive meetings!
Slide 32: What can you do now?
Be aware.
– Do security testing (penetration, application, process and procedures, etc.) for visibility and prioritisation, as input to a proper risk management strategy.
Be proactive.
– Manage against vulnerabilities, carry out log analysis, and baseline your “normal” network data flows, for real-time detection of and protection against sophisticated attacks.
Be prepared.
– Have an incident response plan in place to quickly respond to and remediate a breach, but don't forget to test it…
When you do suffer a breach (and you will), who are you going to call?
Slide 35: Who I am, my background, skills, etc.
My name is Martin Overton and I'm a hacker…
Sun Alliance / Royal and SunAlliance
– Joined 1988
– Commissioning PCs, Strategy (hardware and software)
– Responsible for Malware Research/Prevention (10 years), Ethical Hacker (2.5 years)
Outsourced April 2002
– Joined EMEA IGS Security June 2002 as Malware/Anti-Malware SME
– Moved to MSSD (EMEA) June 2004 to set up EMEA Virus CERT, Member of Global Virus CERT
– Moved to ISS X-Force Professional Security Services April 2008
– Also doing ethical hacking, computer forensics and application assessments as well as malware related work.
– Now the EMEA lead for ERS (but still doing the ethical hacking, etc.)
Other
– Helped set up Independent ISS UK User Group
– WildList reporter, Charter member of AVIEN
– Regular lecturer at University of Warwick (amongst others)
– Lots of published papers and presented at many international conferences, such as CompSec, EICAR and Virus Bulletin
– 25+ years of knowledge on malware and related security threats
– 10+ years of knowledge in ethical hacking, forensics and application testing