1. Breach Analysis - Insights from
technical breach to protective
measures
By J. Sinclair
Breach Analysis - Jonathan Sinclair 1
2. Talk Outcomes
• Demonstrate security from two perspectives
– The goal of a Blackhat
– The goal of a Whitehat
• An introduction to tooling
4. Blackhat Perspective
• Motivating Factors
– Like the challenge (dedication)
– Self-promotion / Fame
• Want to improve security by showing it’s failing (grey hat; see the
work by Tavis Ormandy)
– Money
• Focus
– Breaching security
• Penetration Testing
• Exploit writing
• Bug hunting
• Social Engineering
5. Where to start
• Follow a methodology / plan
– Intelligence Gathering: Passive/Active
– Vulnerability Analysis: Active
– Exploitation: Active
– Post Exploitation: Active
– Reporting (Bad guys don’t care about this. It
leaves evidence)
6. Steps of an attacker
(Tools of the trade)
• Intelligence Gathering: Maltego, social harvesting
• Reconnaissance:
– Zenmap/Nmap – Find a service
• Get the service listing:
– Telnet, smtp, https, printer, msrpc, irc, http-proxy, ftp
• Query the services:
– Test logins, e.g. ftp, telnet, smtp
• Identify software information:
– WinFTP version 2.3.0
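The reconnaissance step above (get the service listing, then identify software information such as a product version) is exactly what a defender should run against their own perimeter before an attacker does. The following is an added example, not code from the talk: it parses the XML that `nmap -sV -oX` writes, keeps only open ports, and turns them into findings of the two kinds the slide points at, cleartext login services (where an attacker would "test logins") and a banner that matches a version you already know to be outdated. The XML document, the host address and the `KNOWN_OUTDATED` list are constructed for the example; only the element and attribute names (`host`, `address`, `port`, `state`, `service`) follow Nmap's real XML schema.

```python
"""Review an Nmap -sV XML report from the defender's side (added example).

Parses the XML that `nmap -sV -oX report.xml` produces and flags:
  * open services that carry credentials in cleartext, and
  * product/version banners that match a list of software you have retired.
The sample XML below is constructed to mirror the slide; it is not a real scan.
"""
import xml.etree.ElementTree as ET

# Constructed sample report: one host, services taken from the slide's listing.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="WinFTP" version="2.3.0"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="open"/>
        <service name="telnet"/>
      </port>
      <port protocol="tcp" portid="25">
        <state state="open"/>
        <service name="smtp" product="Microsoft ESMTP"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="https"/>
      </port>
      <port protocol="tcp" portid="135">
        <state state="closed"/>
        <service name="msrpc"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Services whose logins travel in cleartext; these are where "test logins" lands.
CLEARTEXT_LOGIN_SERVICES = {"ftp", "telnet", "smtp", "pop3", "imap"}

# Hypothetical list of (product, version) pairs the organisation has retired.
# The WinFTP entry mirrors the slide; replace with your own inventory data.
KNOWN_OUTDATED = {("WinFTP", "2.3.0")}


def parse_open_services(xml_text):
    """Return [(host, port, name, product, version)] for open ports only."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            found.append((addr, int(port.get("portid")), name, product, version))
    return found


def review(xml_text):
    """Turn the open-service inventory into findings a defender would act on."""
    findings = []
    for addr, portid, name, product, version in parse_open_services(xml_text):
        if name in CLEARTEXT_LOGIN_SERVICES:
            findings.append(f"{addr}:{portid} {name}: cleartext login service exposed")
        if (product, version) in KNOWN_OUTDATED:
            findings.append(f"{addr}:{portid} {product} {version}: known outdated version")
    return findings


if __name__ == "__main__":
    for line in review(SAMPLE_NMAP_XML):
        print(line)
```

Run it against a real `-oX` report by reading the file into `review()`; the closed `msrpc` port in the sample is there to show that only open ports are reported.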
7. Steps of an attacker
• Exploit
– Check exploit-db, NIST, Metasploit, Nessus, etc.
– Set-up a lab environment
– Download the app you want to exploit
– Start fuzzing: feed the application malformed input to provoke a
crash
8. Steps of an attacker
• Attach Immunity Debugger or your favourite
debugger: OllyDbg, WinDbg, IDA Pro
9. Steps of an attacker
• Control the crash
– Manipulate EIP via ECX and EDX
– Jump to your shell code
• Generate via Metasploit:
– msf payload(shell_bind_tcp) > generate -b
'\x00\x44\x67\x66\xfa\x01\xe0\x44\x67\xa1\xa2\xa3\x75\x4b'
– Prep your exploit in Ruby
– Launch at the target system
• ./msfconsole
• use auxiliary/dos/windows/ftp/winftp230_remote
• exploit
10. Steps of an attacker
• Got shell – Bad guy wins
– Starting interaction with 2...
– Microsoft Windows XP [Version 5.1.2600] (C)
Copyright 1985-2001 Microsoft Corp.
– C:\Documents and Settings\victim\Desktop>
11. Access Granted
• Network security bypassed
• Access of a single system can lead to additional
breaches
• Pivot point (post-exploitation) for future attacks
identified
Game Over
12. Whitehat Perspective
• Motivating Factors
– Secure your enterprise
– Keep company assets and intellectual property safe
– Engineer a secure solution
– Fame (would be nice but rarely appreciated)
• Focus
– Salary
– Watching the bad guys
– Staying current while maintaining the old
13. Why it’s so hard to be good
• Security dilemma:
– “The intruder only needs to exploit one of the
victims in order to compromise the enterprise.”
• Security mantra:
– “There is no perfect defence”
• Security solution – the 3 pillars:
– Awareness
– Process
– Tools
14. Security Awareness (1)
• Ensure people are educated
– Set up awareness campaigns
– Create training programmes
– Bring security thinking to the people
• Relate to cultural differences (US vs.
Switzerland)
15. Security Awareness (2)
• Create a mind-set of critical thinking and
encourage people to ask ‘what if...’ type
questions
• Security thinking has nothing to do with being
a techy. (Techies nearly always forget this)
16. Security Process
• What is actually important to you?
– Know what you want
– Know what your risk appetite is
– Integrate security into everything you do
17. Tooling
• Firewalls, IPS/IDS, DLP, SIEM, antivirus, etc. will
only cover your last 20%
• Most incidents come from internal employees
– Symantec figures (1996–2002): 59%
– CERT figures (2010): 60%
– Open Security Foundation (2010): 47%
• Tools have vulnerabilities: Wireshark!
18. Enterprise security
• The message: “Your organisation will be
breached”
• What to consider
– You need to know when this happens
– You need to know how to contain it
– You need to be able to understand your
reputation
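"You need to know when this happens" is the detection half of the message, and the earliest observable sign in the attacker's own sequence (slide 6) is the login testing against ftp, telnet and smtp. The following is an added example, not from the talk, of the kind of check a SIEM rule or a small log-watching script would implement: it reads syslog-style authentication failures and alerts on a source address that either fails repeatedly against one service, or touches several different services within a short window (the reconnaissance pattern, as opposed to a single user mistyping a password). The log format, the regular expression, the window and the thresholds are assumptions; the log lines are constructed.

```python
"""Detect login probing across services from one source (added example).

Reads constructed, syslog-style "FAILED LOGIN" lines and raises an alert when
a source address either
  * fails MAX_FAILURES or more times on one service within WINDOW, or
  * fails against MAX_SERVICES or more distinct services within WINDOW.
Format, thresholds and window length are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log (not taken from any real system).
SAMPLE_LOG = """\
2011-04-17T10:00:01 ftpd: FAILED LOGIN user=admin from 198.51.100.7
2011-04-17T10:00:03 ftpd: FAILED LOGIN user=anonymous from 198.51.100.7
2011-04-17T10:00:05 telnetd: FAILED LOGIN user=root from 198.51.100.7
2011-04-17T10:00:09 smtpd: FAILED LOGIN user=postmaster from 198.51.100.7
2011-04-17T10:05:00 ftpd: FAILED LOGIN user=alice from 203.0.113.4
2011-04-17T10:45:00 ftpd: FAILED LOGIN user=alice from 203.0.113.4
2011-04-17T11:00:00 sshd: FAILED LOGIN user=bob from 192.0.2.77
2011-04-17T11:00:01 sshd: FAILED LOGIN user=bob from 192.0.2.77
2011-04-17T11:00:02 sshd: FAILED LOGIN user=bob from 192.0.2.77
2011-04-17T11:00:03 sshd: FAILED LOGIN user=bob from 192.0.2.77
2011-04-17T11:00:04 sshd: FAILED LOGIN user=bob from 192.0.2.77
"""

# Assumed line layout: "<ISO timestamp> <daemon>: FAILED LOGIN user=<u> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\w+): FAILED LOGIN user=(?P<user>\S+) from (?P<src>\S+)$"
)

WINDOW = timedelta(minutes=10)   # assumption: sliding look-back window
MAX_FAILURES = 5                 # assumption: failures on one service
MAX_SERVICES = 3                 # assumption: distinct services probed


def parse(log_text):
    """Return [(timestamp, service, user, src)] for each well-formed line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines in another format are ignored, not an error
        events.append((datetime.fromisoformat(m["ts"]), m["service"], m["user"], m["src"]))
    return events


def detect(log_text):
    """Return sorted (src, reason) alerts; one alert per source and reason."""
    events = sorted(parse(log_text))
    alerts = set()
    history = defaultdict(list)  # src -> [(timestamp, service)] inside WINDOW
    for ts, service, user, src in events:
        hist = history[src]
        hist.append((ts, service))
        # Slide the window: forget failures older than WINDOW relative to this event.
        while hist and ts - hist[0][0] > WINDOW:
            hist.pop(0)
        per_service = defaultdict(int)
        for _, s in hist:
            per_service[s] += 1
        if per_service[service] >= MAX_FAILURES:
            alerts.add((src, f"repeated failed logins on {service}"))
        if len(per_service) >= MAX_SERVICES:
            alerts.add((src, "failed logins against several services"))
    return sorted(alerts)


if __name__ == "__main__":
    for src, reason in detect(SAMPLE_LOG):
        print(f"ALERT {src}: {reason}")
```

In the sample, 203.0.113.4 never alerts: its two failures are forty minutes apart, so the first has left the window by the time the second arrives. Tune `WINDOW` and the thresholds to your own baseline of legitimate failures before wiring this into alerting.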
19. Enterprise security: Sony
• Case Study:
– Sony breach in 2011
– 25 million personal details stolen from the Sony
Online Entertainment network
• Name, Address, Email, DoB, Phone numbers
• Motive:
– Unknown but potentially to sell on credit card
information (the hack didn’t reveal the 3-digit
security code)
20. Enterprise security: Sony
• Reaction by Sony
– SOE network was suspended
• SOE was then rebuilt
– Company would grant 30 days additional playing
time to registered users
• Reaction by the public
– Legal action brought against Sony
– In the UK Sony was fined £250,000
21. Enterprise security: Sony
• Overall cost
– Profits plunged 59%, or 15.5bn Yen, as a combined
result of the cyber breach and the Japanese tsunami
– Continued losses to the brand into 2012
• Real issues
– Personal data lost
– Credit card fraud became more prevalent
22. Enterprise security: Final Thoughts
• Take away message:
– The data a company loses in a security breach
may not be ‘secret’ data (e.g. IP); however,
reputation loss will ALWAYS cost an enterprise
• Security in an enterprise is about protecting
reputation!