How I'm going to own your organization v2

DerbyCon 2013
Published in: Education, Technology
  1. “How I'm going to own your organization in just a few days” – The Malware obfuscation attack – Introduction to the Cyber Kill Chain™ – @RazorEQX – http://404hack.blogspot.com
  2. Safety TIP
  3. @RazorEQX
     • Army 1985-89
     • Cracker
     • Starving Nurse
     • Gamer turned Networker
     • Network Guy
     • Firewall Guy
     • Hacker
     • Malware Reverse Engineer
  4. USER: This is very bad file
  5. Access to facebook to the setting bars..
     http://www.facebook.com/
     abe2869f-9b47-4cd9-a358-c22904dba7f7
     Settings
     aPLib compressor's trace:
     aPLib v1.01 - the smaller the better :)
     Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.
     More information: http://www.ibsensoftware.com/
     Pony gates:
     http://webmail.alsultantravel.com:8080/ponyb/gate.php
     hxxp://alsultantravel.com:8080/ponyb/gate.php
     hxxp://webmail.alsultantravel.info:8080/ponyb/gate.php
     hxxp://198.57.130.35:8080/ponyb/gate.php
     <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="5.1.0.0" processorArchitecture="x86" name="Progmn.Program_Code" type="win32"></assemblyIdentity><description>Program Description</description><dependency><dependentAssembly><assemblyIdentity type="win32"
  6. @Malwaremustdie
     • Are a group of dedicated Malware Researchers.
     • Recognize that Malware is a serious threat.
     • Recognize that Malware inhibits Internet technology.
     • Agree that Malware is an obfuscation for Advanced Threats.
  7. Kelihos Update
     • http://malwaremustdie.blogspot.com/2013/08/the-quick-report-on-48hours-in-battle.html
  8. What Do They Want?
  9. The Silver Bullet Solution – This product will save your life and put your kids through college. Sounds good. Give me two!
  10. I feel so safe………
  11. How do they get your Information? Reconnaissance:
     • Social Media
     • Social Engineering
     • Search Engines
     • Professional Networking
  12. Social Engineering Resources – Sept 23, 2013, Rohit Shaw – Social Engineering: A Hacking Story
  13. Paterva: Maltego – Maltego is a program that can be used to determine relationships and real world links between:
     – People
     – Groups (Social Networks)
     – Companies
     – Organizations
     – Web Sites
     – Domains
  14. Maltego
  15. Maltego
  16. The Target: XYZ Corp. – "Hi, I'm social engineering you." "Oh great! It's in my human nature to help anyone in any way I can."
  17. The Weapon
  18. Some Hints
     /usr/local/share/ettercap/etter.dns
     tools.google.com A 10.10.10.10
     #
     NSURL *url = [NSURL URLWithString:@"http://10.10.10.10:xxxx"];
  19. The Delivery
  20. Take the Bait: Installation
  21. The Expected Response – It's all clean now.
  22. Operation “Where is my Target” – Action on Objectives – SSL
  23. Exploitation – Exfiltration – Exhibition – Exposure
  24. Introducing "Cyber Kill Chain™"
     • Concept derived from offensive military doctrine:
       – Navy: Find, Fix, Track, Target, Engage, and Assess
       – OODA Loop: Observe, Orient, Decide, and Act
       – Key concept: Cyber Kill Chain™ defines how an adversary moves from target observation to a final objective. As with any chain, if any link breaks, the whole process fails
     • Turn it into our advantage:
       – "To compromise our infrastructure, the bad guys have to be right every step; we only have to be right once"
  25. Cyber Kill Chain™ Model
     • Intrusion Cyber Kill Chain™ – Detect, Deny, Disrupt, Degrade, Deceive
     • Phases, with increasing risk: Recon → Weaponize → Delivery → Exploit → Installation → Command & Control → Actions on Objectives
  26. (Diagram) Internet → Mail Server → User → User: "Open this attachment!" → CLICK! → COMMAND & CONTROL ESTABLISHED! → Data Exfiltration Begins
  27. Cyber Kill Chain™ Model – Recon
     • Research, identification, and selection of targets
     • Crawling Internet websites looking for email addresses or information on specific technologies
     • Research conducted on business relationships and supply chain
     • Enumeration of systems and infrastructure
       – Active
       – Passive
     (Chain: Recon → Weaponize → Deliver → Exploit → Install → C2 → Actions on Objectives)
  28. Cyber Kill Chain™ Model – Weaponize
     • The tool that puts the remote access trojan with an exploit into a deliverable payload
     • Application data files such as Microsoft Office documents or Adobe PDF files serve as the weaponized payloads
     • Compromised websites hosting malformed Java or Flash files
  29. Cyber Kill Chain™ Model – Delivery
     • Transmission of weapon into targeted environment
     • The three most prevalent delivery vectors for weaponized payloads are
       – Emails with attachments or embedded hyperlinks
       – Compromised website with malicious code
       – USB drives or other removable media
  30. DGA: Domain Generation Algorithm
  31. DNS Queries
  32. Cyber Kill Chain™ Model – Exploit
     • After the weapon is delivered to target host, exploitation triggers attackers’ code
     • Most often, this exploits an application or operating system vulnerability
     • In most cases, exploitation occurs when users are
       – Coerced to open an executable attachment
       – Leveraging a feature of the operating system that executes code automatically
  33. Cyber Kill Chain™ Model – Installation
     • Typically occurs immediately after the exploit is complete
     • The install is often a backdoor or a tool grabber
     • Also installation might occur during lateral movements by the attacker
  34. Cyber Kill Chain™ Model – C2
     • Typically the compromised host must beacon outbound to its Internet controller server to establish a command and control (C2) channel
     • APT malware typically requires manual interaction vs. acting autonomously
     • Once the C2 channel is established, attackers have "hands-on-the-keyboard" access
  35. Cyber Kill Chain™ Model – Actions on Objectives
     • Attackers begin collecting, encrypting, and exfiltrating data from compromised systems.
     • Attackers may further propagate themselves throughout the internal network in lateral compromises.
     • While exfiltration is the most common objective, attackers could also violate the integrity or availability of data as well.
     • Consider what would happen if the attacker modified certain critical internal data.
  36. Cyber Kill Chain™ Model – Benefits
     • Provides for a more defensible network by providing incident responders with multiple locations that can stop the progress of the adversary
     • Provides a framework for working forward and backward in order to gauge effect and identify mitigations
     • Articulates prioritization and strategy
     • Identifies data gaps and source collection requirements
     • Enables adversary attribution and campaign tracking
     • Drives investigations to completion
     • Intelligence feeds into gaining more intelligence
  37. Lessons learned:
     1. Crack SSL and understand your egress traffic. Get a SIEM for event correlation.
     2. Don't take a crimeware kit at face value. You might have missed the advanced threat you've been looking for.
     3. Stop wasting money on tools that are always one step behind the adversary and always promising ”That feature is in the next release”.
     4. COLLABORATE with other organizations in your industry. This is priceless information. Compare what activity you are both seeing, and put two and two together.
     5. OSINT - RSS research feeds are your friend. Pull out indicators you can use for detection tools and track events to correlations to form campaigns. These groups are already doing the hard part for you: XOR, obfuscation, identifying fake registrars selling domains to crimeware organizations, etc.
     6. Most important of all: have a damn good incident response plan. Know what and how you're going to recover from this type of breach when it finally hits your organization.
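As an added example (not from the deck or its author), the kill-chain slides 25 to 35, the DGA/DNS Queries slides 30 and 31 and lessons 1 and 5 come together in a small SIEM-style correlation: constructed egress events from one workstation are mapped to a chain phase and to the course of action (Detect, Deny, Disrupt) a defender still has at that link. The events, the hostname ws12, the DGA heuristic thresholds and the TEST-NET IP 198.51.100.7 are all constructed for the example; only the gate.php path pattern echoes the Pony gates shown on slide 5.

```python
import math
from collections import Counter

# Constructed sample egress events (not from the deck): one workstation
# receives an executable attachment, resolves DGA-style names and then
# posts to a gate.php path like the Pony gates on slide 5. IP is TEST-NET.
EVENTS = [
    "mail host=ws12 attach=invoice.pdf.exe",
    "dns host=ws12 query=tools.google.com",
    "dns host=ws12 query=xk3qzp7vwd1ylm.info",
    "dns host=ws12 query=bq9wz2r7xtvl4e.info",
    "http host=ws12 url=http://198.51.100.7:8080/ponyb/gate.php bytes_out=51200",
]
PHASES = ["Recon", "Weaponize", "Delivery", "Exploit", "Install",
          "C2", "Actions on Objectives"]

def entropy(s: str) -> float:
    """Shannon entropy (bits per character) of the string s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_dga(domain: str) -> bool:
    """Heuristic for generated names: long, high-entropy, vowel-poor label."""
    label = domain.split(".")[0]
    vowels = sum(ch in "aeiou" for ch in label)
    return len(label) >= 12 and entropy(label) > 3.2 and vowels / len(label) < 0.3

def classify(event: str):
    """Map one event to (host, kill-chain phase, course of action) or None."""
    kind, *kv = event.split()
    f = dict(p.split("=", 1) for p in kv)
    if kind == "mail" and f.get("attach", "").endswith(".exe"):
        return f["host"], "Delivery", "Deny"        # block the attachment at the gateway
    if kind == "dns" and looks_dga(f.get("query", "")):
        return f["host"], "C2", "Detect"            # beaconing to generated domains
    if kind == "http" and "/gate.php" in f.get("url", ""):
        phase = "Actions on Objectives" if int(f.get("bytes_out", 0)) > 10000 else "C2"
        return f["host"], phase, "Disrupt"          # egress proxy can cut the channel
    return None

def correlate(events):
    """SIEM-style correlation: deepest phase seen per host plus every course
    of action still open to the defender; breaking any one link stops the chain."""
    progress = {}
    for host, phase, action in filter(None, map(classify, events)):
        cur = progress.setdefault(host, {"phase": phase, "actions": []})
        if PHASES.index(phase) > PHASES.index(cur["phase"]):
            cur["phase"] = phase
        if action not in cur["actions"]:
            cur["actions"].append(action)
    return progress
```

`correlate(EVENTS)` reports that ws12 has reached Actions on Objectives while Deny, Detect and Disrupt were each available earlier in the chain; the benign tools.google.com query is ignored.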