
Thinking like a hacker - Introducing Hacker Vision


This webinar will explain how to improve Security by adopting the mindset of your opponent, and 'seeing like a hacker'!

Main points covered:

• Introducing ways in which you can think like a hacker, and get into your attacker's mindset so that you can better identify and assess threats.
• How to use this thinking to improve your security controls - how effective are they? And how can you better test them for readiness?
• Visual examples to really lift the lid on what your attackers see, as 'hacker vision' gets you thinking in the mindset of a hacker.
• Examples covered include physical security, network security and IoT security.


Our presenter, Mark Carney, is a former pen tester and now a professional security researcher at Security Research Labs (SRLabs) in Berlin, specializing in embedded systems and IoT. His background spans compliance testing, red teaming, full-stack pen testing, and social engineering and physical access engagements.

Link to the recorded webinar:

Published in: Technology


  2. Summary
     • Security faults are common across different technologies.
     • To preempt these common issues, it is most effective to view systems from an attacker's point of view.
     • An attacker's viewpoint leads to better-informed security decisions than a checklist approach, since knowing about common hacking methods prunes the design space down to the most effective security controls.
     • Developing an attacker's perspective involves threat modeling and keeping up to date with hacking knowledge.
     • This presentation provides both a framework for reasoning about effective security and plenty of hacking examples drawn from everyday technology.
  3. Agenda and overview
     1. Introduction
     2. 'Hacker Vision': seeing like your potential attacker
     3. Examples – visual intuition pumps
        − Physical examples
        − Network examples
        − IoT examples
     4. Conclusions
  4. The 'OODA' loop
     The OODA loop (Observe, Orient, Decide, Act) is a model for decision making that originated within the USAF for training fighter pilots. Its relevance to security is well known, and we begin by summarizing it here.
     Observe
     • Situational awareness generated from sensor data
     Orient
     • Analysis of inputs such as:
       – Endpoint detection
       – Log analysis
       – Previous actions
     Decide
     • What is the best action to execute?
       – Do you apply restrictions?
       – Maybe you monitor further?
       – Perhaps begin deep analysis?
     Act
     • How is this best done?
     Working the loop:
     1. Analyze the input data and apply filters to go from data to knowledge
     2. Produce action plans
     3. Order these by effectiveness
     4. Decide on success/fail criteria – how will you measure this?
     5. Execute the action
     6. Take note of the outcome: success or fail?
     7. The output of the actions becomes the input for the next loop
  5. Common approaches to security (high level)
     Things people do right
     • Security assessment
       – Read their pentest reports
       – Regular assessments: penetration tests, code reviews, readiness assessments
     • Risk management
       – Consider their threat model: risk assessment, attack surface identification and threat management, the 'OODA loop'
     • Security awareness
       – Good security awareness: developer awareness, NOC/SOC readiness, end-user awareness, a CSIRT/CERT with adequate powers and procedures
     What people get wrong
     • Security assessment
       – Do not read their pentest reports
       – 'Ostrich' approach to assessment outcomes: missing patches, ignoring configuration advice, assessments that do not translate into meaningful action
     • Risk management
       – 'Fortress mentality': 'building higher walls is best', with no thought towards 'detection in depth' to complement 'defense in depth'
     • Security awareness
       – Lack of incident support: blaming users rather than seeing an opportunity to improve procedures; not taking the opportunity to empower users to help and act
  6. Agenda (section divider): 1. Introduction, 2. 'Hacker Vision', 3. Examples, 4. Conclusions
  7. Overview of de Bono's 'Six Thinking Hats', describing six modalities used in critical thinking
     Security design should optimally adopt adversarial thinking. A useful framework for such critical thinking is de Bono's Thinking Hats method:
     • Red Hat – Emotions: intuitive or instinctive 'gut reactions'; statements of emotional feeling
     • White Hat – Information: what are the facts? Considering purely what information is available
     • Yellow Hat – Optimism: logic applied to identifying benefits and seeking harmony; sees the bright side of a situation
     • Green Hat – Creativity: statements of provocation and investigation; following instinct on an idea; creative, 'out of the box' thinking
     • Black Hat – Discernment: logic applied to identifying reasons to be cautious and conservative; a practical, realistic approach
     • Blue Hat – Managing: what is the subject? What are we thinking about? What is the goal? Look at the big picture
  8. Introducing 'Hacker Vision' – developing the idea of a 'Security Hat'
     Core idea – pursuing the adversarial view involves asking a number of questions:
     'Features' as tools
     • Determine which features are of interest to an attacker, e.g. user functionality (such as search), admin functionality, developer functionality
     • Ask questions around this, e.g. can a 'password reset' function be abused arbitrarily?
     Repurposing technology
     • Can your product's purpose be changed?
     • Can the product be maliciously monetized?
     • Ask questions relating to the shift of your products to some other use, e.g.
       – Can a product be used as a Bitcoin miner? How about a botnet node?
       – Can an API function be used to attack integrity, confidentiality or availability?
     Control bypass
     • Identify potential opportunities for control bypass
     • Ask questions relating to the readiness of such controls, e.g.
       – How hard is that padlock to lockpick?
       – How secure are your users' passwords?
       – Are we doing 2FA correctly?
       – How do you define and enforce trust?
     Monitoring and notification
     • In addition to assessing the coverage of your protection, assess how well your notification works
     • Ask about time-to-notice an attack, e.g.
       – If someone disabled a door lock, how long would it take you to notice?
       – What if someone added a Domain Admin (DA) account?
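The last question on that slide, how long it takes to notice a new Domain Admin, is answerable with a measurement rather than a guess. The following is an added example, not code from the presentation: it scans Windows Security-log style records for additions to privileged groups and reports, for each one, how long it sat unnoticed before the log was reviewed. The records and the `ts|event_id|subject|member|group` export layout are constructed for illustration; the event IDs (4728/4732/4756) are the real Windows ones.

```python
"""Time-to-notice for privileged group additions (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Windows Security event IDs for membership additions:
# 4728 security-enabled global group, 4732 local group, 4756 universal group.
GROUP_ADD_EVENTS = {"4728", "4732", "4756"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed sample log in an assumed 'ts|event_id|subject|member|group' layout.
SAMPLE_LOG = """\
2017-03-01T09:12:03|4624|CORP\\alice|-|-
2017-03-01T09:40:11|4728|CORP\\helpdesk1|CORP\\svc-backup|Domain Admins
2017-03-01T10:02:45|4732|CORP\\bob|CORP\\bob|Remote Desktop Users
2017-03-01T23:15:30|4756|CORP\\alice|CORP\\contractor7|Enterprise Admins
2017-03-02T08:00:00|4728|CORP\\alice|CORP\\alice2|Domain Admins
"""

RECORD_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<eid>\d+)\|(?P<subject>[^|]*)\|(?P<member>[^|]*)\|(?P<group>[^|]*)$"
)


@dataclass(frozen=True)
class PrivilegedAdd:
    when: datetime
    subject: str          # account that performed the change
    member: str           # account that was added
    group: str
    unnoticed: timedelta  # gap between the change and the review


def privileged_group_additions(log_text: str, reviewed_at) -> list:
    """Return every addition to a privileged group, with its time-to-notice.

    `reviewed_at` is a datetime or an ISO-8601 string for when the log was read.
    """
    if isinstance(reviewed_at, str):
        reviewed_at = datetime.fromisoformat(reviewed_at)
    findings = []
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the whole review
        if m["eid"] not in GROUP_ADD_EVENTS or m["group"] not in PRIVILEGED_GROUPS:
            continue
        when = datetime.fromisoformat(m["ts"])
        findings.append(PrivilegedAdd(when, m["subject"], m["member"], m["group"], reviewed_at - when))
    return findings


def worst_time_to_notice(findings) -> timedelta:
    """Longest gap any privileged change sat unnoticed (zero if there were none)."""
    return max((f.unnoticed for f in findings), default=timedelta(0))


if __name__ == "__main__":
    review_time = "2017-03-02T09:00:00"  # assumed: log reviewed the next morning
    found = privileged_group_additions(SAMPLE_LOG, review_time)
    for f in found:
        print(f"{f.when.isoformat()} {f.subject} added {f.member} to '{f.group}' "
              f"(unnoticed for {f.unnoticed})")
    print("worst time-to-notice:", worst_time_to_notice(found))
```

Run against a real export, the interesting number is the worst case: a change made late on Friday that is first seen on Monday morning is the kind of gap the slide is asking about, and it argues for alerting on these event IDs in near real time rather than reviewing them in batch.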
  9. Relevance of Hacker Vision in multiple fields of security within an organization
     Benefit: greater visibility of a defender's security posture by adopting a more pointed adversarial assessment view.
     • Attack surface
       – Exposes data about weaknesses in an attack surface
       – Demonstrates to a defender how effective currently active controls are
     • Threat modelling
       – Shows a defender how to better rank identified threats
       – Demonstrates which controls may be more appropriate
     • Assessments
       – Allows better definition of security assessments
       – Allows a defender to relativize assessment results: what is an immediate vs. a longer-term concern
     • Maintenance
       – Exposes where improvements can be made: in the SDLC, patch management, incident response and management, etc.
  10. Agenda and overview (section divider, repeated)
  11. Trivial example
  12. Is there anything wrong with this padlock? (image slide)
  13. Padlock evaluation – how easy is it to pick? In this case, very easy
     • Easily picked, making use of a simple, custom tool
     • See YouTube video:
  14. Would you trust this SmartLock? (image slide)
  15. The Bluetooth smart locks are easily reverse engineered and hacked
     • These smart locks use a basic BLE management protocol
     • The BLE communications between the lock and a smartphone are easily intercepted and reverse engineered
     • Admin functionality (e.g. changing passcodes) was conducted in the clear
     • See Anthony Rose and Ben Ramsey's DEF CON 24 slides:
  16. What is the issue with this door? (image slide)
  17. Common magnetic lock installation errors
     • The magnetic lock is on the keypad side of the door, meaning an attacker has access to the locking mechanism
       – They can interfere with the lock wiring, or even remove the restrictive parts of the lock
     • The disassembly on the left shows the potential for abuse:
       – The central nut can be removed to dislodge the magnetic plate from the mounting bracket
       – The lower cover can be removed, which essentially allows the mounting bracket to be unscrewed from the door
       – The wiring can be accessed, meaning power can be cut from the electromagnet
     • Additionally, worn keypads can be a source of information about a lock – see Bruce Schneier's blog:
  18. Agenda and overview (section divider, repeated)
  20. Messy wiring and unattended USB ports – would you spot a LAN Turtle?
     • Messy wiring: would you notice a malicious network implant?
  21. Further examples – malicious USB devices: DigiSpark and BadUSB
     • DigiSpark – a small, inexpensive Arduino-like microcontroller capable of emulating USB devices such as keyboards and mice. It can be used for malicious injection of scripts by posing as a USB keyboard, typing at great speed.
     • BadUSB – an ingenious attack devised by SRLabs researchers Karsten Nohl and Jakob Lell. The essence of the attack is to reprogram the controller firmware of a standard, off-the-shelf USB flash drive so that it presents itself as a malicious network device, hijacking the victim's network traffic.
  22. Malicious 'sub-domain' pivot and exploitation methodology via a pass-the-hash attack
     A 'sub-domain' for your attacker
     • If one client gets compromised, so are all the others
       – Attackers will use a 'pass the hash' attack to exploit the other clients
     Common local admin (LA) password
     • Functionally, LA is no different from Domain Admin or Enterprise Admin
     • It can perform the same actions on client machines; the difference is scope
     Diagram: clients C1–C5, split between 'LA Password 1' and 'LA Password 2'. A Domain Admin is logged in on C3; the attacker compromises C3 to obtain the DA auth token (for a token impersonation attack).
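The diagram on that slide is a small reachability problem, and it is worth working it through in code because the answer changes sharply once local-admin passwords stop being shared. The following is an added example, not the presenter's code: clients built with the same LA password are modelled as one pass-the-hash reachability set, and a breadth-first walk from a single compromised client asks whether it can reach a machine with a Domain Admin session. The host names and the DA session on C3 mirror the slide; which clients share which of the two passwords is an assumption, as are the host labels.

```python
"""Attack-path reasoning for the shared local-admin 'sub-domain' (added example)."""
from collections import deque

# Constructed inventory: which LA password each client was built with.
# Assumed split: C1-C3 share 'LA1', C4-C5 share 'LA2'.
LOCAL_ADMIN_PASSWORD = {"C1": "LA1", "C2": "LA1", "C3": "LA1", "C4": "LA2", "C5": "LA2"}
DA_SESSIONS = {"C3"}  # a Domain Admin is logged in here, as on the slide


def pth_targets(host: str, la_passwords: dict) -> set:
    """Clients the attacker can log in to with the LA hash dumped from `host`.

    Pass-the-hash: the NTLM hash of the local-admin account authenticates to
    every client built with the same LA password, so the shared password
    turns those clients into one flat 'sub-domain' for the attacker.
    """
    return {h for h, pw in la_passwords.items() if pw == la_passwords[host]}


def attack_path(start: str, la_passwords: dict, da_sessions: set):
    """Breadth-first lateral movement from `start`.

    Returns (hosts compromised, host where DA credentials were captured or
    None). The walk stops as soon as a DA session is reached: from there the
    attacker owns the domain and no longer needs the LA hash.
    """
    compromised, queue = set(), deque([start])
    while queue:
        host = queue.popleft()
        if host in compromised:
            continue
        compromised.add(host)
        if host in da_sessions:
            return compromised, host  # token impersonation / credential theft yields DA
        for nxt in sorted(pth_targets(host, la_passwords)):  # sorted for determinism
            if nxt not in compromised:
                queue.append(nxt)
    return compromised, None


def with_unique_local_admin_passwords(la_passwords: dict) -> dict:
    """The fix: a distinct LA password per host (what LAPS-style tooling enforces)."""
    return {h: f"unique-{h}" for h in la_passwords}


if __name__ == "__main__":
    for start in ("C1", "C4"):
        print(start, "->", attack_path(start, LOCAL_ADMIN_PASSWORD, DA_SESSIONS))
    print("C1 with unique LA passwords ->",
          attack_path("C1", with_unique_local_admin_passwords(LOCAL_ADMIN_PASSWORD), DA_SESSIONS))
```

Starting from C1 the walk reaches C3 and ends with DA; starting from C4 it is confined to the second password group; with per-host passwords the attacker is stuck on the machine they landed on. The model ignores other credential sources (cached domain credentials, services running as privileged accounts), so on a real estate the reachable set is larger, never smaller, than what it reports.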
  23. Agenda and overview (section divider, repeated)
  24. Can you trust your IP cameras? (image slide)
  25. IP cameras and IoT devices may pose more of a threat than is first apparent
     • They are small Linux servers
       – They tend to run very out-of-date software
       – Badly maintained by both the device and the component (SoC/µC) manufacturers
     • Cloud services – exposed and vulnerable to various attacks – cameras/
     • Mirai – a botnet spread by weak telnet credentials
     • Nov 2016 TR-069 exploit – permitted the spread of malware to vulnerable D-Link routers
  26. Agenda (section divider): 1. Introduction, 2. 'Hacker Vision', 3. Examples, 4. Conclusions
  27. Conclusions
     Seeing through 'Hacker Vision'
     • Improve your awareness of gaps in your endpoint protection
     • Adopt a dynamic adversarial mindset and apply it to your security
     • Keep up to date with hacking trends, knowledge and research
     • Improve your assessment criteria by means of this knowledge
     • Identify where the 'low-hanging fruit' is for your threat model
     Better secured products
     • Gives better coverage of your endpoint attack surface
     • Reveals things that are lax, or not fit for purpose
     • Shows which fixes will be effective in situ
     • Can shine a light on what is working well
     • Better assessment planning and security awareness in a team
     ...but it is no substitute for appropriate, professional security assessments and well-thought-out security planning!
  28. ISO 27032 training courses
     • ISO/IEC 27032 Introduction – 1-day course
     • ISO/IEC 27032 Foundation – 2-day course
     • ISO/IEC 27032 Lead Implementer – 5-day course
     • ISO/IEC 27032 Lead Auditor – 5-day course
     Exam and certification fees are included in the training price.
  29. Thank you – Questions? +44 7906 634725