When Mallory Met Alice - A Fable


A scrubbed version of an internal presentation given to technical leaders on why security efforts matter.

Published in: Technology
  1. When Mallory Met Alice: A FABLE
  2. Meet Alice
     • Research Faculty at a Major Pediatric Hospital
     • Biostatistician
     • Casual web user
       ◦ Downloads packages for her R statistical analysis from the web
       ◦ Reads news and occasionally streams stories from NPR
     • Running Windows XP with standard corporate image
  3. Meet Mallory
     • British college freshman on summer vacation
     • Has heard that hacking is COOL
     • Spends time on web forums
     • Downloaded a free copy of Kali Linux, includes a pre-configured version of Metasploit
  4. Alice Meets Mallory
     • Drive by web download
     • Not caught by web proxy
     • Not caught by desktop anti-virus
     • Uses public exploit code in Metasploit to attack a vulnerable version of Flash on Alice’s computer
     • Installs a persistent RAT that phones home whenever Alice’s machine is active
  5. Mallory Gets to Know Alice
     • Finds personal tax information on Alice’s computer
     • Has Alice’s Social Security Number, home address, salary, and more…
     • Ultimately finds Alice’s computer boring…
  6. Mallory Goes Exploring
     • Mallory scans the network
     • Alice’s computer has access to other systems!
  7. Mallory Makes New Friends
     • Finds vulnerable systems
       ◦ System A
       ◦ Something called System B
     • Mallory isn’t sure what to do next, launches the Metasploit autopwn option
     • Launches built-in attack code
       ◦ X vulnerabilities from XXXX and XXXX on the System A
       ◦ X vulnerabilities from XXXX and XXXX on the System B
     • Both applications lock up and are completely unresponsive
  8. Mallory Becomes Bored
     • While Alice’s IT team is having a bad day, nothing very exciting happened from Mallory’s viewpoint
     • She decides to go play with other “friends”
     • Before leaving, she makes sure to take Alice’s tax information… Mallory knows someone that will give her a few bucks for them
     • Mallory sells access to Alice’s computer to a bot operator who uses it to mine Bitcoins and send spam
     • Mallory returns to school a little richer… though perhaps not much wiser
  9. Just a Fable… Right?
     • Sorry! Internal data showing how this made up story could actually occur is scrubbed.
     • But really, there’s nothing in here that is far fetched for any major organization.