ITCamp 2019 - Tudor Damian - You've just been hacked! Now what

It's 2019, a time when assuming your systems and applications are "unhackable" is one of the biggest mistakes you could make. While most people still treat prevention and maintenance as the top priority in protecting themselves, building a clear process for how you will respond to attacks and data breaches, both while they happen and afterwards, is something often overlooked or simply ignored.

This session intends to bring the assume breach security posture into the spotlight. We'll be discussing recent trends in cybersecurity attacks (credential reuse, password spraying, insider attacks, 2FA-bypass, etc.) and look at the best ways to build your data breach incident response policy. Demos included.

Published in: Technology


  1. @ITCAMPRO #ITCAMP19 Community Conference for IT Professionals. You've been hacked! Now what? Tudor Damian, Managing Partner & CIO @ Avaelgo, Certified Ethical Hacker, Microsoft MVP
  2. Many thanks to our sponsors & partners! (Platinum, Gold, Silver, Partners, Powered by)
  3. About me: Managing Partner & CIO @ Avaelgo (Offering Peace of Mind as-a-Service: IT Advisory, Cloud Strategy, Managed Services, IT Security, Training); Co-founder @ ITCamp & ITCamp Community; Cloud and Datacenter Management MVP (Microsoft); Certified Ethical Hacker (EC-Council); Certified Security Professional (CQURE). Contact: tudor.damian@avaelgo.ro / tudy.tel
  4. Agenda: State of the industry; Cyberattacks are changing (insider attacks, credential reuse / credential stuffing, password spraying); Demos (credential harvesting, MFA bypass); The new approach: Assume Breach (creating a data breach incident response policy); Q&A
  5. So, last month was fun, right? First, we had 4 newly announced Microarchitectural Data Sampling (MDS) side-channel vulnerabilities in Intel CPUs (affecting most Intel CPUs released since 2011). More: https://mdsattacks.com/ & https://cpu.fail
  6. Then we had some other news: a pre-installed software flaw exposes Dell computers to remote hacking; hackers breached Stack Overflow's Q&A site; TeamViewer was breached by Chinese hackers in 2016; Google Titan security keys had a Bluetooth flaw; Google stored G Suite user passwords in plaintext for 14 years; Microsoft released a critical patch for a "wormable" flaw (BlueKeep), and 4 new zero-day exploits for Windows were also disclosed; Israeli hackers used a 0-day flaw to install spyware via WhatsApp; many Cisco devices let attackers implant a backdoor (Thrangrycat) 😾😾😾 ...just to name a few ☺
  7. ...and there's been more in past years: Equifax, Apple, Deloitte, LinkedIn, Sony, VK.com, Dropbox, Amazon, Yahoo, Equation Group, Shadow Brokers, BlueBorne, CCleaner, MySpace, ExpensiveWall, Dragonfly, Punycode, BadUSB, Superfish, Heartbleed, Shellshock, Karmen, POODLE, FREAK, GHOST, DROWN, Dirty COW, Stagefright, QuadRooter, XcodeGhost, Mirai, Carbanak, Gemalto, SS7, Locky, DMA Locker, Surprise, Ranscam, SWIFT, Weebly, Sundown, CrypMIC, TrickBot, Angler, RIG, Tumblr, Neutrino, xDedic, BlackEnergy, ProjectSauron, Adwind, Danti, SVCMONDR, Lazarus, FruityArmor, ScarCruft, Lurk, Ammyy Admin, Chinastrats, Patchwork, TeslaCrypt, WannaCry, Petya, NotPetya, Ethereum, LeakerLocker, CouchPotato, NanoCore RAT, SambaCry, Ropemaker
  8. Fundamental Concepts of Security: Precaution (adhering to preventative measures while using computer systems and applications); Maintenance (managing all changes in the infrastructure and applications and keeping them up to date); Reaction (acting in a timely fashion when security incidents occur)
  9. Insider attacks are on the rise. The situation is bad, and it's getting worse: in 2018, 27% of attacks were from insiders; less than 12% of organizations can consistently detect insider attacks; 41% of organizations do not monitor for abnormal user behavior; 87% say it is hard to determine the damage done by an insider attack; endpoints (59%) and mobile devices (46%) are used to launch attacks. Source: https://www.bitglass.com/blog/bitglass-insider-threat-report-2019
  10. The underwear study ☺ Source: https://www.kaspersky.com/blog/passwords-are-like-underwear/10645/
  11. Treat passwords like your underwear: change them often; don't leave them lying around; don't share them
  12-13. The underwear study, question 1: Would you say that you have more pairs of underpants (panties, shorts) than passwords?
  14-15. The underwear study, question 2: Speaking about your underwear and your passwords, how often do you change them?
  16-17. The underwear study, question 3: Have you ever shared your underwear or password with a friend or member of your family?
  18. Password collections abound. Just search for "Collection #1-5" (e.g. https://en.wikipedia.org/wiki/Collection_No._1). Collection #1 had 773 million unique email addresses and 21 million unique passwords, about 2.7 billion email/password pairs in total; the list contains exposed addresses and passwords from over 2000 previous data breaches as well as an estimated 140 million new email addresses and 10 million new passwords from previously unknown sources. Collections #2-5 are estimated to be ~3x the size of Collection #1 after removing duplicates. You can check whether your password has appeared in a public leak at https://haveibeenpwned.com/Passwords (the lookup only sends a 5-character prefix of the password's SHA-1 hash, never the password itself); https://sec.hpi.uni-potsdam.de/ilc/search?lang=en is also nice ☺ These leaks are what feed credential reuse/stuffing attacks.
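The Pwned Passwords check referenced on this slide works by k-anonymity: the client hashes the password with SHA-1, sends only the first 5 hex characters, gets back every known suffix under that prefix with a breach count, and matches the remaining 35 characters locally. The following is an added example (not code from the talk) that implements that client side; the leak counts in `CONSTRUCTED_LEAK` and the `constructed_range_lookup` stand-in are constructed for the demo so it runs offline, while `hibp_range_lookup` shows the real endpoint for readers who want to go online.

```python
"""
Password-in-a-leak check with k-anonymity (Pwned Passwords "range" API style).

Added example, not code from the talk. Only the first 5 hex chars of the
password's SHA-1 leave the client; the suffix is matched locally. The leak
corpus and counts below are constructed for the demo, not real figures.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed stand-in for a leak corpus: password -> times seen in breaches.
CONSTRUCTED_LEAK: Dict[str, int] = {
    "Password1": 9_000_000,
    "Summer2019": 40_000,
    "Company123": 12,
}


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-separated in the real API) into a dict.
    Padded responses carry suffixes with count 0; they are kept as 0."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def constructed_range_lookup(prefix: str) -> str:
    """Offline stand-in for the network call: answers for `prefix` the way the
    API would, built from CONSTRUCTED_LEAK (constructed data)."""
    lines = []
    for pw, seen in CONSTRUCTED_LEAK.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{seen}")
    return "\r\n".join(lines)


def hibp_range_lookup(prefix: str) -> str:
    """Real lookup against https://api.pwnedpasswords.com/range/<prefix>.
    Not called by the demo; pass it as `lookup` to go online."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "leak-check-demo", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str,
                 lookup: Callable[[str], str] = constructed_range_lookup) -> int:
    """How many times `password` was seen in the corpus (0 = not seen).
    `lookup` receives only the 5-char prefix, never the password or full hash."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("Password1", "Company123", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw)} times")
```

The same `breach_count` call is what a registration or password-change form should run before accepting a new password; a non-zero count is a reason to reject it, since every spraying wordlist starts from exactly these leaked values.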
  19. Credential Reuse/Stuffing: reusing stolen credentials to automate login requests, using lists of usernames and/or email addresses and the corresponding passwords, often from a data breach. It's becoming a common occurrence, mainly because people reuse the same passwords across platforms/sites.
  20. Yet another attack: Password Spraying
  21. What is Password Spraying about? Usually, lockout policies prevent brute-forcing a single account. So, what if we try authenticating against all accounts using just one password, ideally a leaked, common or easily guessable one? You still generate a lot of failed logins, but no single account collects enough of them to trigger the lockout, and you might get lucky with a common password (SeasonYear, Company123, PasswordYear, PetnameYear, etc.). Wait until the observation/lockout window ends, then repeat with the next password. Consider targets other than SMB (e.g. OWA, RDP, Cisco VPN, etc.), which may be logged and monitored less closely. Lots of tools out there, some examples: https://tools.kali.org/password-attacks/brutespray (Kali Linux), https://github.com/Greenwolf/Spray (Bash script), https://github.com/dafthack/MailSniper (PowerShell)
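From the defender's side, the spray described on this slide and the credential stuffing on slide 19 have the same shape in the logs: one source touches many distinct accounts inside one window, while no single account collects enough failures to trip the lockout. That is what a detection should key on rather than per-account failure counts, which is what lockout already watches. The following added example (not code from the talk) runs that logic over constructed failed-logon lines; the line layout, the lockout policy numbers and the alert threshold are assumptions, and the log is generated in `constructed_log`.

```python
"""
Detecting password spraying (and credential stuffing) in failed-logon logs.

Added example, not code from the talk. Flags a source that hits many distinct
accounts within one window while every account stays below the lockout
threshold. Classic brute force (one account, many failures) is the opposite
shape and is deliberately not flagged here. Log layout, policy numbers and
the sample lines are assumptions / constructed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple

# Assumed lockout policy: 5 failures within a 30-minute observation window.
LOCKOUT_THRESHOLD = 5
OBSERVATION_WINDOW = timedelta(minutes=30)
# Detection knob: distinct accounts from one source before we alert.
MIN_DISTINCT_ACCOUNTS = 10

# Assumed, simplified line layout: "<iso timestamp> <event id> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\d+) user=(?P<user>\S+) src=(?P<src>\S+)$")


class Failure(NamedTuple):
    ts: datetime
    user: str
    src: str


class Alert(NamedTuple):
    src: str
    distinct_users: int   # accounts hit at the moment the alert fired
    max_per_user: int     # highest failure count on any one account (< lockout)
    first: datetime
    last: datetime


def parse_failures(lines: List[str]) -> List[Failure]:
    """Keep only failed logons (Windows event 4625), sorted by time."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("event") != "4625":
            continue
        out.append(Failure(datetime.fromisoformat(m.group("ts")),
                           m.group("user").lower(), m.group("src")))
    return sorted(out)


def detect_spray(failures: List[Failure],
                 window: timedelta = OBSERVATION_WINDOW,
                 min_accounts: int = MIN_DISTINCT_ACCOUNTS,
                 lockout_threshold: int = LOCKOUT_THRESHOLD) -> List[Alert]:
    """Sliding window per source IP; one alert per source when the spray shape appears."""
    by_src: Dict[str, List[Failure]] = defaultdict(list)
    for f in failures:
        by_src[f.src].append(f)
    alerts = []
    for src, events in by_src.items():
        win: Deque[Failure] = deque()
        per_user: Dict[str, int] = defaultdict(int)
        for ev in events:
            win.append(ev)
            per_user[ev.user] += 1
            # Expire events older than the window together with their per-user counts.
            while ev.ts - win[0].ts > window:
                old = win.popleft()
                per_user[old.user] -= 1
                if per_user[old.user] == 0:
                    del per_user[old.user]
            peak = max(per_user.values())
            if len(per_user) >= min_accounts and peak < lockout_threshold:
                alerts.append(Alert(src, len(per_user), peak, win[0].ts, ev.ts))
                break  # one alert per source is enough for the demo
    return alerts


def constructed_log() -> List[str]:
    """Constructed sample: a spray, a brute force and a benign typo."""
    base = datetime(2019, 6, 10, 9, 0, 0)

    def stamp(delta: timedelta) -> str:
        return (base + delta).isoformat()

    lines = []
    # Spray: 40 accounts, one failure each, 10 s apart; never reaches the lockout threshold.
    for i in range(40):
        lines.append(f"{stamp(timedelta(seconds=10 * i))} 4625 user=user{i:02d} src=198.51.100.7")
    # Brute force: one account hammered 8 times; lockout territory, not a spray.
    for i in range(8):
        lines.append(f"{stamp(timedelta(seconds=5 * i))} 4625 user=admin src=203.0.113.9")
    # Benign: one typo, then a successful logon (4624) that the parser ignores.
    lines.append(f"{stamp(timedelta(minutes=3))} 4625 user=alice src=10.0.0.12")
    lines.append(f"{stamp(timedelta(minutes=4))} 4624 user=alice src=10.0.0.12")
    return lines


if __name__ == "__main__":
    for a in detect_spray(parse_failures(constructed_log())):
        print(f"spray from {a.src}: {a.distinct_users} accounts, "
              f"max {a.max_per_user}/account, {a.first.time()}..{a.last.time()}")
```

Two practical notes. The attacker paces rounds to the observation window, so the detection window should be at least as long as the lockout window, and a source can still evade by spreading accounts out over hours; correlating by source ASN or by the target set helps there. And event 4625 only covers Windows logons: the slide's point about switching to OWA, RDP or VPN means the same rule needs to be fed from IIS, RD Gateway and VPN logs too, with the source IP taken from the proxy-aware field.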
  22. Demo time ☺ Credential harvesting (ARP poisoning & DNS spoofing); MFA bypass
  23. Assume Breach, a change in mindset: we have to stop focusing only on preventing a data breach and start assuming the breach has already happened. Currently: a one-sided, purely preventative strategy. Future: emphasis on breach detection, incident response, and effective recovery. Start thinking about the time when a breach will (almost inevitably) occur in your infrastructure, and be prepared for that!
  24. ASSUME BREACH: Creating a cybersecurity incident response plan
  25. So, how do we start? "Hoping for the best, prepared for the worst, and unsurprised by anything in between." Start implementing an Assume Breach approach: research current attacks and tools and figure out ways to respond to them; select a team and start developing a process. Create an incident response plan: Prepare, Identify, Contain, Eradicate, Recover, Review. The phases on the following slides: Discovery & Confirmation; Containment & Continuity; Eradication; Recovery; Lessons Learned.
  26. Discovery & Confirmation: How did you first learn of the attack (security researcher, partner, customer, auditor, internal security alert, etc.)? Analyze audit logs to identify unusual or suspicious account behavior; look for things that indicate a likely attack and confirm that an attack has occurred. Try to describe the potential attacker, including known or expected capabilities, behaviors, and motivations. Identify the access point, the source of the attack and the responsible party (endpoint, application, downloaded malware, etc.). Check applications for signs of breach: signatures, IP ranges, file hashes, processes, executable names, URLs of known malicious websites, etc. Evaluate the extent of damage and the risk to systems and to privileged accounts in particular: audit which privileged accounts have been used recently, whether any passwords have been changed, and what applications have been executed. Inform employees regarding the discovery. Share information externally about the breach discovery; you may choose to hold communications during this phase until you have contained the breach in order to increase your chances of catching the attacker, but make sure that aligns with your compliance requirements (breach notification deadlines still run).
  27. Containment & Continuity: Enable temporary privileged accounts, to be used by the technical and security team to quickly access and monitor systems (and remove them again when the incident is closed). Protect evidence: back up or image any compromised systems as soon as possible, before performing any actions that could affect data integrity on the original media. Force MFA or peer review to ensure privileges are being used appropriately. Change passwords for all user, service, application and network accounts (in one coordinated pass once the attacker's access path is understood, otherwise the attacker simply harvests the new credentials). Increase the sensitivity of application security controls; use whitelisting/blacklisting to prevent malware from being distributed. Remove systems from production or take them offline if needed. Inform employees regarding breach containment. Share information externally regarding breach containment: website updates, emails, social media posts, tech support bulletins, etc.
  28. Eradication: Perform server & service hardening; close firewall ports and network connections, especially those related to the detected breach. Test devices and apps to be sure any malicious code is removed; compare data and behavior from before and after the incident to ensure systems are reset properly. Inform employees regarding eradication. Share information externally regarding eradication: website updates, emails, social media posts, tech support bulletins, etc.
  29. Recovery: Download and apply security patches. Conduct a comprehensive vulnerability analysis. Return any systems that were taken offline to production. Inform employees regarding recovery. Share information externally regarding recovery: website updates, emails, social media posts, tech support bulletins, etc.
  30. Lessons Learned: Review the forensic evidence collected; assess the incident cost; report to the executive team and auditors if necessary. Implement additional training, including everyone involved in incident response and all employees. Update your incident response plan with measures to prevent, detect and respond to similar breaches. Inform employees regarding lessons learned, training, etc. Share information externally: website updates, emails, social media posts, tech support bulletins, etc.
  31. WRAPPING UP
  32. Key takeaways: Don't reuse passwords; use a password manager. Stay up to date with current attacks, e.g. how to prevent and detect insider attacks, how to detect attacks on your network in real time, how MFA can be bypassed and what you can do about it. Educate your users (90%+ of people can't distinguish a phishing email from a legitimate one). Start using an Assume Breach approach. Create a cybersecurity incident response plan. ...just don't keep on doing nothing ☺
  33. THANK YOU!
