SlideShare a Scribd company logo
1 of 30
Download to read offline
PANELISTS:
SESSION ID:
#RSAC
MODERATOR:
EXP-T09R
Dr. Johannes Ullrich
Dean of Research at STI - SANS’ Graduate
School
Director of the Internet Storm Center
Michael Assante
Director of SANS ICS Training Programs
Was VP and CISO of NERC
Directed INL’s Electric Power Program
Testified before US House and Senate
Ed Skoudis
Leads SANS Pen Testing and Hacker
Exploits Immersion Training Programs
Created NetWars & CyberCity Simulators
Author of CounterHack Reloaded
Alan Paller
Director of Research, SANS Institute
The Seven Most Dangerous New
Attack Techniques,
and What's Coming Next
#RSAC
Ed Skoudis
-- Leads SANS Pen Testing and Hacker Exploits Immersion Training Programs
-- Created NetWars & CyberCity Simulators
-- Author of Counter Hack Reloaded
#RSAC
Top Threats - Skoudis
3
Broadening Targets
Full Weaponization of Windows PowerShell
What Stagefright Tells Us About Mobile Security Going Forward
XcodeGhost – How Will You Trust Your Apps Going Forward?
#RSAC
Broadening Targets
4
The last 12 months have shown the threat’s focus is broadening
PII still a target, but much more is in play now
OPM attack
Government background check data and fingerprints
Ashley Madison attack
Sensitive personal information at play
Extortion malware stealing browser history
Ukrainian power grid attack
#RSAC
Defenses Against Broadening Threats
5
Don’t assume that you are safe just because you lack PII
Attackers are devising clever uses for all kinds of data with
criminal and national security implications
Vigorously apply robust security standards focused on actual
attack techniques used in the wild
Twenty Critical Controls
IAD Top 10 Information Assurance Mitigation Strategies
Australian Signals Directorate Top 4 Mitigation Strategies
#RSAC
Windows PowerShell Weaponization
6
PowerShell Empire – Amazing integrated post-exploitation capabilities
By Will Schroeder, Justin Warner, and more
PowerShell Empire features:
Powerful agent
Pillaging / Privilege escalation
Pivoting / Lateral movement
Persistence
Integrated with attacker operations
All free and incredibly easy to use, and often works even with application
white listing
#RSAC
Weaponized PowerShell Defenses
7
Don’t rely on PowerShell’s limited execution policy
A safety feature, not a security feature… trivial to bypass
Enhanced logging in PowerShell 5
Pipeline logging, deep script block logging, and more
Win 10 AntiMalware Scan Interface (AMSI)
All script content presented to registered antimalware solution on the box
PowerShell 5 Constrained Mode and AppLocker integration with “Deny
Mode” and “Allow Mode” – behaves like script white listing
#RSAC
Stagefright as a Portent of Mobile Vulns
8
Stagefright: A series of significant vulnerabilities discovered in Android, all
associated with a library that plays multi-media content
Discovered by Joshua Drake at Zimperium through exhaustive fuzzing, and then
detailed analysis of fuzzing results
Code execution via text messaging, video viewing in email, browser video
watching, and more
Google patched it quickly…
... But there’s a problem: For Android devices, the OEMs and Mobile
Operators (carriers) sit between the code developer(s) and customers
Getting patches out in a timely fashion is difficult at best
#RSAC
Stagefright-Style Vuln Defenses
9
Upgrade to newer versions of
Android (and don’t forget iOS!)
Implement a corporate
strategy for doing so regularly
Via MDM and network
infrastructure, enforce use of only
up-to-date versions of mobile
operating systems for enterprise
apps and data… Deny others
Give preferential treatment to
Android vendors who push updates
all the way to devices quickly
Google
Code
Owner
SamsungLGMoto
MO 3MO 2MO 1
Android
Phone D
Android
Phone C
Android
Phone B
Android
Phone
A
Flaw
disclosure
Notice
and fix
3rd Party
Software
3rd Party
Software
Both handset
manufacturers and
mobile operators lack
significant financial
reward for continued
support of already-sold
Android devices
#RSAC
XcodeGhost – Can You Trust Your Apps?
10
Historically, attacks against source code and dev tools have proven deeply
insidious
Bad guys can no
longer ignore
iOS as a malware
target
With XcodeGhost, they
showed innovative
ways to undermine iOS
Enterprise app store signing is another
1984
Reflections on
Trusting Trust
• Backdoor the
compiler
2004-2010
tcpdump,
Linux kernel
attempt, etc.
• Backdoor
the source
code
2015
XcodeGhost
• Backdoor the dev
environment
#RSAC
XcodeGhost – Implications for Defense
11
Analyze the security of permitted apps in your environment
Josh Wright’s App report card
at http:///pen-testing.sans.org/u/64u
Data isolation from mobile devices
Container-based security is waning
Virtualized Mobile Infrastructure is rising
User training can help – don’t install untrusted apps… and tell them why
Look for anomalous activity in the environment
New free RITA (Real Intelligence Threat Anslysis) tool from Black Hills Information Security
http://bit.ly/BHIS_RITA
#RSAC
Michael Assante
--Director of SANS ICS Training Programs
--Was VP and CISO of NERC
--Directed INL’s Electric Power Program
--Testified before US House and Senate
#RSAC
Lights Out
13
One, of a hand full: acknowledged ICS attacks with physical effects
Cyber attacks against 3 Ukrainian power companies on Dec 23
Successfully cause power outages
Coordinated & multi-faceted
Destructive acts
BlackEnergy 3 Malware plays some role
Additional malware (e.g. customized KillDisk)
#RSAC
Power System SCADA 101
14
Distribution Control Center
110 kV Substation
110 kV Substation
35 kV Substation
#RSAC
Distribution Utility Systems
15
Distribution Control Center
(SCADA DMS)
Company Network
Customer Call Line
#RSAC
The Attacks
16
Distribution Control Center
Malware is simply a tool used
for specific actions (e.g. access) 1. Intrusion (Foothold)
2. Take over credentials & IT
3. Access & remove relevant data
4. Cross-over into SCADA
5. Change the state of power system
6. Damage firmware
7. Wipe SCADA & infrastructure hosts
Cyber Attack 1. (ICS Kill Chain)
Cyber Attack 2. (Supporting)
1. Flood Customer Phone Line
2. UPS take over & disconnect
#RSAC
Success…but
17
#RSAC
Disrupt Power & Anti-restore
18
#RSAC
Dr. Johannes Ullrich
-- Dean of Research at STI: SANS’ Graduate School
-- Director of the Internet Storm Center
#RSAC
Software Security: Components Matter
20
Insecure third party components matter!
Development environments, software components (libraries) are
more and more under attack
Developer workstations are high on the target list
#RSAC
Apple Xcode Ghost
21
Compromised version of Xcode offered for download on Chinese
sites
Compiled software included
malicious functionality
Unnoticed due to trust relationship
between Apple and developers
#RSAC
Juniper Backdoor
22
Static password added to code.
Not typical “support password”
Designed to evade detection
Who did it?
<<< %s(un='%s') = %u
#RSAC
Mitigation
23
Accountability: Who did it? Version control systems need to keep
a record of which changes were done by whom and why
Software repositories need regular offline backups
Traditional code reviews and pentesting will not fix this
Cryptographic protection against tampering
git blame login.html
#RSAC
The Internet of Evil Things
24
The IoT is not just a “target” for its own sake
More and more IoT devices
are used as attack platforms
after they are compromised
#RSAC
Raspberry Pis Attacking!
25
Goal:
Building a proxy or DDoS network
sometimes: Bitcoins (yes… still!)
Worst case: Used to attack internal networks
#RSAC
Multi Architecture Malware
26
81896 Jan 1 00:10 10 <- ELF LSB MIPS
82096 Jan 1 00:10 11 <- ELF MSB MIPS
70612 Jan 1 00:10 13 <- ELF LSB x86-64
48996 Jan 1 00:10 14 <- ELF LSB ARM
65960 Jan 1 00:10 15 <- ELF LSB 386
70648 Jan 1 00:10 16 <- ELF LSB PowerPC
65492 Jan 1 00:10 17 <- ELF LSB 386
2133 Jan 1 00:20 bin2.sh
#RSAC
Brute Force Architecture Detection
27
All versions are downloaded and execution is attempted for all of
them.
Initial infection usually implement simple bot (IRC/HTTP as C2C)
Additional components are downloaded later for specific
architectures
“busybox” replaced with trojaned version
#RSAC
Change in Malware Economics
28
170 Million Credit Card Holder vs 61 Million Stolen (2014)
450 Million issued SSNs vs 22 Million Stolen (just OPM hack)
142 Million registered voters vs. 191 Million records leaked
ALL DATA HAS BEEN STOLEN
little value in stealing the same data over and over.
Reducing scarcity = Reduced Price
#RSAC
Ransom Ware
29
Instead of copying data: Encrypt it
Ransom ware has been going on for a couple years now
Increasing in sophistication (e.g. platform independent Ransom32)
Instead of stealing data from a web site: Shut it down
Used to be more against fringe (e.g. online gambling) sites
Or for political motives
Now used against any site with insufficient DDoS protection
#RSAC
Your Questions and Discussion

More Related Content

What's hot

Top 9 Critical Findings - Dramatically Improve Your Organization's Security
Top 9 Critical Findings - Dramatically Improve Your Organization's SecurityTop 9 Critical Findings - Dramatically Improve Your Organization's Security
Top 9 Critical Findings - Dramatically Improve Your Organization's SecurityPraetorian
 
Kaspersky Lab Transparency Principles
Kaspersky Lab Transparency PrinciplesKaspersky Lab Transparency Principles
Kaspersky Lab Transparency PrinciplesKaspersky
 
Exploring Risk and Mapping the Internet of Things with Autonomous Drones
Exploring Risk and Mapping the Internet of Things with Autonomous DronesExploring Risk and Mapping the Internet of Things with Autonomous Drones
Exploring Risk and Mapping the Internet of Things with Autonomous DronesPraetorian
 
3 Nir Zuk Modern Malware Jun 2011
3 Nir Zuk Modern Malware Jun 20113 Nir Zuk Modern Malware Jun 2011
3 Nir Zuk Modern Malware Jun 2011davidmaciaalcaide
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
(In)security in Open Source
(In)security in Open Source(In)security in Open Source
(In)security in Open SourceShane Coughlan
 
Light, Dark and... a Sunburst... dissection of a very sophisticated attack.
Light, Dark and... a Sunburst... dissection of a very sophisticated attack.Light, Dark and... a Sunburst... dissection of a very sophisticated attack.
Light, Dark and... a Sunburst... dissection of a very sophisticated attack.Stefano Maccaglia
 
RSAC 2021 Spelunking Through the Steps of a Control System Hack
RSAC 2021 Spelunking Through the Steps of a Control System HackRSAC 2021 Spelunking Through the Steps of a Control System Hack
RSAC 2021 Spelunking Through the Steps of a Control System HackDan Gunter
 
7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to AdversariesDerek E. Weeks
 
The Four Horsemen of Mobile Security
The Four Horsemen of Mobile SecurityThe Four Horsemen of Mobile Security
The Four Horsemen of Mobile SecuritySkycure
 
Moti Sagey CPX keynote _Are All security products created equal
Moti Sagey CPX keynote _Are All security products created equal Moti Sagey CPX keynote _Are All security products created equal
Moti Sagey CPX keynote _Are All security products created equal Moti Sagey מוטי שגיא
 
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7Rapid7
 
Upwardly Mobile: Looking at Evolving Cybercrime Tactics in Mobile Malware
Upwardly Mobile: Looking at Evolving Cybercrime Tactics in Mobile MalwareUpwardly Mobile: Looking at Evolving Cybercrime Tactics in Mobile Malware
Upwardly Mobile: Looking at Evolving Cybercrime Tactics in Mobile MalwarePriyanka Aash
 
Kaspersky Lab new Enterprise Portfolio
Kaspersky Lab new Enterprise PortfolioKaspersky Lab new Enterprise Portfolio
Kaspersky Lab new Enterprise PortfolioKaspersky
 
Secure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackSecure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackTim Mackey
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsIBM Security
 
BlueHat v18 || software supply chain attacks in 2018 - predictions vs reality
BlueHat v18 || software supply chain attacks in 2018 - predictions vs realityBlueHat v18 || software supply chain attacks in 2018 - predictions vs reality
BlueHat v18 || software supply chain attacks in 2018 - predictions vs realityBlueHat Security Conference
 

What's hot (20)

Top 9 Critical Findings - Dramatically Improve Your Organization's Security
Top 9 Critical Findings - Dramatically Improve Your Organization's SecurityTop 9 Critical Findings - Dramatically Improve Your Organization's Security
Top 9 Critical Findings - Dramatically Improve Your Organization's Security
 
Kaspersky Lab Transparency Principles
Kaspersky Lab Transparency PrinciplesKaspersky Lab Transparency Principles
Kaspersky Lab Transparency Principles
 
Exploring Risk and Mapping the Internet of Things with Autonomous Drones
Exploring Risk and Mapping the Internet of Things with Autonomous DronesExploring Risk and Mapping the Internet of Things with Autonomous Drones
Exploring Risk and Mapping the Internet of Things with Autonomous Drones
 
3 Nir Zuk Modern Malware Jun 2011
3 Nir Zuk Modern Malware Jun 20113 Nir Zuk Modern Malware Jun 2011
3 Nir Zuk Modern Malware Jun 2011
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
 
(In)security in Open Source
(In)security in Open Source(In)security in Open Source
(In)security in Open Source
 
Light, Dark and... a Sunburst... dissection of a very sophisticated attack.
Light, Dark and... a Sunburst... dissection of a very sophisticated attack.Light, Dark and... a Sunburst... dissection of a very sophisticated attack.
Light, Dark and... a Sunburst... dissection of a very sophisticated attack.
 
RSAC 2021 Spelunking Through the Steps of a Control System Hack
RSAC 2021 Spelunking Through the Steps of a Control System HackRSAC 2021 Spelunking Through the Steps of a Control System Hack
RSAC 2021 Spelunking Through the Steps of a Control System Hack
 
7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries
 
The Four Horsemen of Mobile Security
The Four Horsemen of Mobile SecurityThe Four Horsemen of Mobile Security
The Four Horsemen of Mobile Security
 
Moti Sagey CPX keynote _Are All security products created equal
Moti Sagey CPX keynote _Are All security products created equal Moti Sagey CPX keynote _Are All security products created equal
Moti Sagey CPX keynote _Are All security products created equal
 
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
 
Upwardly Mobile: Looking at Evolving Cybercrime Tactics in Mobile Malware
Upwardly Mobile: Looking at Evolving Cybercrime Tactics in Mobile MalwareUpwardly Mobile: Looking at Evolving Cybercrime Tactics in Mobile Malware
Upwardly Mobile: Looking at Evolving Cybercrime Tactics in Mobile Malware
 
Kaspersky Lab new Enterprise Portfolio
Kaspersky Lab new Enterprise PortfolioKaspersky Lab new Enterprise Portfolio
Kaspersky Lab new Enterprise Portfolio
 
Secure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackSecure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStack
 
Open Source in Application Security
Open Source in Application SecurityOpen Source in Application Security
Open Source in Application Security
 
Managing third party libraries
Managing third party librariesManaging third party libraries
Managing third party libraries
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
BlueHat v18 || software supply chain attacks in 2018 - predictions vs reality
BlueHat v18 || software supply chain attacks in 2018 - predictions vs realityBlueHat v18 || software supply chain attacks in 2018 - predictions vs reality
BlueHat v18 || software supply chain attacks in 2018 - predictions vs reality
 
Ecosystem
EcosystemEcosystem
Ecosystem
 

Similar to The Seven Most Dangerous New Attack Techniques, and What's Coming Next

Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackPriyanka Aash
 
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...viaForensics
 
Palestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry morePalestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry moreBHack Conference
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsAlan Kan
 
Cisco Security Presentation
Cisco Security PresentationCisco Security Presentation
Cisco Security PresentationSimplex
 
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014viaForensics
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
 
RSA2015: Securing the Internet of Things
RSA2015: Securing the Internet of ThingsRSA2015: Securing the Internet of Things
RSA2015: Securing the Internet of ThingsDaniel Miessler
 
Mobile security
Mobile securityMobile security
Mobile securityStefaan
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...Felipe Prado
 
Embedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure DeviceEmbedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure DevicePriyanka Aash
 
Embedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure DeviceEmbedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure DevicePriyanka Aash
 
CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04Kyle Lai
 
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04Kyle Lai
 
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks  Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks Dragos, Inc.
 
Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Priyanka Aash
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft
 

Similar to The Seven Most Dangerous New Attack Techniques, and What's Coming Next (20)

Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac Attack
 
Hacking Exposed: The Mac Attack
Hacking Exposed: The Mac AttackHacking Exposed: The Mac Attack
Hacking Exposed: The Mac Attack
 
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
 
Palestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry morePalestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry more
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging Threats
 
Cisco Security Presentation
Cisco Security PresentationCisco Security Presentation
Cisco Security Presentation
 
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
Mobile analysis-kung-fu-santoku-style-viaforensics-rsa-conference-2014
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
RSA2015: Securing the Internet of Things
RSA2015: Securing the Internet of ThingsRSA2015: Securing the Internet of Things
RSA2015: Securing the Internet of Things
 
Mobile security
Mobile securityMobile security
Mobile security
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
 
Stop Passing the Bug: IoT Supply Chain Security
Stop Passing the Bug: IoT Supply Chain SecurityStop Passing the Bug: IoT Supply Chain Security
Stop Passing the Bug: IoT Supply Chain Security
 
Embedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure DeviceEmbedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure Device
 
Embedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure DeviceEmbedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure Device
 
CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04CyberSecurity - UH IEEE Presentation 2015-04
CyberSecurity - UH IEEE Presentation 2015-04
 
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
Cyber Hacking & Security - IEEE - Univ of Houston 2015-04
 
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks  Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
 
Code protection
Code protectionCode protection
Code protection
 
Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security Threats
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...Daniel Zivkovic
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimizationarrow10202532yuvraj
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5DianaGray10
 
IEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
IEEE Computer Society’s Strategic Activities and Products including SWEBOK GuideIEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
IEEE Computer Society’s Strategic Activities and Products including SWEBOK GuideHironori Washizaki
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
The Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API ManagementThe Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API ManagementNuwan Dias
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdfPaige Cruz
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 

Recently uploaded (20)

UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
All in AI: LLM Landscape & RAG in 2024 with Mark Ryan (Google) & Jerry Liu (L...
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization100+ ChatGPT Prompts for SEO Optimization
100+ ChatGPT Prompts for SEO Optimization
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5
 
IEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
IEEE Computer Society’s Strategic Activities and Products including SWEBOK GuideIEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
IEEE Computer Society’s Strategic Activities and Products including SWEBOK Guide
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
The Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API ManagementThe Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API Management
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 

The Seven Most Dangerous New Attack Techniques, and What's Coming Next

  • 1. PANELISTS: SESSION ID: #RSAC MODERATOR: EXP-T09R Dr. Johannes Ullrich Dean of Research at STI - SANS’ Graduate School Director of the Internet Storm Center Michael Assante Director of SANS ICS Training Programs Was VP and CISO of NERC Directed INL’s Electric Power Program Testified before US House and Senate Ed Skoudis Leads SANS Pen Testing and Hacker Exploits Immersion Training Programs Created NetWars & CyberCity Simulators Author of CounterHack Reloaded Alan Paller Director of Research, SANS Institute The Seven Most Dangerous New Attack Techniques, and What's Coming Next
  • 2. #RSAC Ed Skoudis -- Leads SANS Pen Testing and Hacker Exploits Immersion Training Programs -- Created NetWars & CyberCity Simulators -- Author of Counter Hack Reloaded
  • 3. #RSAC Top Threats - Skoudis 3 Broadening Targets Full Weaponization of Windows PowerShell What Stagefright Tells Us About Mobile Security Going Forward XcodeGhost – How Will You Trust Your Apps Going Forward?
  • 4. #RSAC Broadening Targets 4 The last 12 months have shown the threat’s focus is broadening PII still a target, but much more is in play now OPM attack Government background check data and fingerprints Ashley Madison attack Sensitive personal information at play Extortion malware stealing browser history Ukrainian power grid attack
  • 5. #RSAC Defenses Against Broadening Threats 5 Don’t assume that you are safe just because you lack PII Attackers are devising clever uses for all kinds of data with criminal and national security implications Vigorously apply robust security standards focused on actual attack techniques used in the wild Twenty Critical Controls IAD Top 10 Information Assurance Mitigation Strategies Australian Signals Directorate Top 4 Mitigation Strategies
  • 6. #RSAC Windows PowerShell Weaponization 6 PowerShell Empire – Amazing integrated post-exploitation capabilities By Will Schroeder, Justin Warner, and more PowerShell Empire features: Powerful agent Pillaging / Privilege escalation Pivoting / Lateral movement Persistence Integrated with attacker operations All free and incredibly easy to use, and often works even with application white listing
  • 7. #RSAC Weaponized PowerShell Defenses 7 Don’t rely on PowerShell’s limited execution policy A safety feature, not a security feature… trivial to bypass Enhanced logging in PowerShell 5 Pipeline logging, deep script block logging, and more Win 10 AntiMalware Scan Interface (AMSI) All script content presented to registered antimalware solution on the box PowerShell 5 Constrained Mode and AppLocker integration with “Deny Mode” and “Allow Mode” – behaves like script white listing
  • 8. #RSAC Stagefright as a Portent of Mobile Vulns 8 Stagefright: A series of significant vulnerabilities discovered in Android, all associated with a library that plays multi-media content Discovered by Joshua Drake at Zimperium through exhaustive fuzzing, and then detailed analysis of fuzzing results Code execution via text messaging, video viewing in email, browser video watching, and more Google patched it quickly… ... But there’s a problem: For Android devices, the OEMs and Mobile Operators (carriers) sit between the code developer(s) and customers Getting patches out in a timely fashion is difficult at best
  • 9. #RSAC Stagefright-Style Vuln Defenses 9 Upgrade to newer versions of Android (and don’t forget iOS!) Implement a corporate strategy for doing so regularly Via MDM and network infrastructure, enforce use of only up-to-date versions of mobile operating systems for enterprise apps and data… Deny others Give preferential treatment to Android vendors who push updates all the way to devices quickly Google Code Owner SamsungLGMoto MO 3MO 2MO 1 Android Phone D Android Phone C Android Phone B Android Phone A Flaw disclosure Notice and fix 3rd Party Software 3rd Party Software Both handset manufacturers and mobile operators lack significant financial reward for continued support of already-sold Android devices
  • 10. #RSAC XcodeGhost – Can You Trust Your Apps? 10 Historically, attacks against source code and dev tools have proven deeply insidious Bad guys can no longer ignore iOS as a malware target With XcodeGhost, they showed innovative ways to undermine iOS Enterprise app store signing is another 1984 Reflections on Trusting Trust • Backdoor the compiler 2004-2010 tcpdump, Linux kernel attempt, etc. • Backdoor the source code 2015 XcodeGhost • Backdoor the dev environment
  • 11. #RSAC XcodeGhost – Implications for Defense 11 Analyze the security of permitted apps in your environment Josh Wright’s App report card at http:///pen-testing.sans.org/u/64u Data isolation from mobile devices Container-based security is waning Virtualized Mobile Infrastructure is rising User training can help – don’t install untrusted apps… and tell them why Look for anomalous activity in the environment New free RITA (Real Intelligence Threat Anslysis) tool from Black Hills Information Security http://bit.ly/BHIS_RITA
  • 12. #RSAC Michael Assante --Director of SANS ICS Training Programs --Was VP and CISO of NERC --Directed INL’s Electric Power Program --Testified before US House and Senate
  • 13. #RSAC Lights Out 13 One, of a hand full: acknowledged ICS attacks with physical effects Cyber attacks against 3 Ukrainian power companies on Dec 23 Successfully cause power outages Coordinated & multi-faceted Destructive acts BlackEnergy 3 Malware plays some role Additional malware (e.g. customized KillDisk)
  • 14. #RSAC Power System SCADA 101 14 Distribution Control Center 110 kV Substation 110 kV Substation 35 kV Substation
  • 15. #RSAC Distribution Utility Systems 15 Distribution Control Center (SCADA DMS) Company Network Customer Call Line
  • 16. #RSAC The Attacks 16 Distribution Control Center Malware is simply a tool used for specific actions (e.g. access) 1. Intrusion (Foothold) 2. Take over credentials & IT 3. Access & remove relevant data 4. Cross-over into SCADA 5. Change the state of power system 6. Damage firmware 7. Wipe SCADA & infrastructure hosts Cyber Attack 1. (ICS Kill Chain) Cyber Attack 2. (Supporting) 1. Flood Customer Phone Line 2. UPS take over & disconnect
  • 18. #RSAC Disrupt Power & Anti-restore 18
  • 19. #RSAC Dr. Johannes Ullrich -- Dean of Research at STI: SANS’ Graduate School -- Director of the Internet Storm Center
  • 20. #RSAC Software Security: Components Matter 20 Insecure third party components matter! Development environments, software components (libraries) are more and more under attack Developer workstations are high on the target list
  • 21. #RSAC Apple Xcode Ghost 21 Compromised version of Xcode offered for download on Chinese sites Compiled software included malicious functionality Unnoticed due to trust relationship between Apple and developers
  • 22. #RSAC Juniper Backdoor 22 Static password added to code. Not typical “support password” Designed to evade detection Who did it? <<< %s(un='%s') = %u
  • 23. #RSAC Mitigation 23 Accountability: Who did it? Version control systems need to keep a record of which changes were done by whom and why Software repositories need regular offline backups Traditional code reviews and pentesting will not fix this Cryptographic protection against tampering git blame login.html
  • 24. #RSAC The Internet of Evil Things 24 The IoT is not just a “target” for its own sake More and more IoT devices are used as attack platforms after they are compromised
  • 25. #RSAC Raspberry Pis Attacking! 25 Goal: Building a proxy or DDoS network sometimes: Bitcoins (yes… still!) Worst case: Used to attack internal networks
  • 26. #RSAC Multi Architecture Malware 26 81896 Jan 1 00:10 10 <- ELF LSB MIPS 82096 Jan 1 00:10 11 <- ELF MSB MIPS 70612 Jan 1 00:10 13 <- ELF LSB x86-64 48996 Jan 1 00:10 14 <- ELF LSB ARM 65960 Jan 1 00:10 15 <- ELF LSB 386 70648 Jan 1 00:10 16 <- ELF LSB PowerPC 65492 Jan 1 00:10 17 <- ELF LSB 386 2133 Jan 1 00:20 bin2.sh
  • 27. #RSAC Brute Force Architecture Detection 27 All versions are downloaded and execution is attempted for all of them. Initial infection usually implement simple bot (IRC/HTTP as C2C) Additional components are downloaded later for specific architectures “busybox” replaced with trojaned version
  • 28. #RSAC Change in Malware Economics 28 170 Million Credit Card Holder vs 61 Million Stolen (2014) 450 Million issued SSNs vs 22 Million Stolen (just OPM hack) 142 Million registered voters vs. 191 Million records leaked ALL DATA HAS BEEN STOLEN little value in stealing the same data over and over. Reducing scarcity = Reduced Price
  • 29. #RSAC Ransom Ware 29 Instead of copying data: Encrypt it Ransom ware has been going on for a couple years now Increasing in sophistication (e.g. platform independent Ransom32) Instead of stealing data from a web site: Shut it down Used to be more against fringe (e.g. online gambling) sites Or for political motives Now used against any site with insufficient DDoS protection