Defending Against 1,000,000
Cyber Attacks
Michael Banks | Rendition InfoSec
$whoami
Michael Banks (@4MikeBanks)
• Information Security Consultant
• SigO
$./disclaimer.py | OVAMO | IANAL | TINLA
OVAMO: Opinions and Views of this presentation
are my own and not of any of my employers
IANAL: I am not a lawyer
TINLA: This is not legal advice
Overview
• Background
• Cyber Attacks
• Numbers
• Project Slam
• Takeaways
$./Background.py
$./helloWorld.py
Standard Form 86 (SF-86)
$./traceRoute.py --myLifeandData
“Hacking of Government
Computers Exposed 21.5 Million
People” –NY Times
$./drill.py | grep “WTF”
“…OPM, for example thwarts 10 million confirmed intrusion attempts targeting our network.” - Katherine Archuleta
$./theme.py
1. Need more talent.
2. <insert org here> faces MILLIONS of cyber attacks…
3. The inevitable: “Cyber Pearl Harbor.”
$./CyberAttacks.py
Who are you asking?
$./cyberAttacks.py --congress
18 U.S.C. § 1030, Computer Fraud & Abuse Act
“Fraud and related activity in connection with computers:
(a) Whoever—
(1) having knowingly accessed a computer without authorization or exceeding authorized access…”
$./cyberAttacks.py --dod
DOD Joint Terminology for Cyberspace Operations
“A hostile act using computer or related networks or systems, and intended to disrupt and/or destroy an adversary’s critical cyber systems, assets, or functions.”
$./cyberAttacks.py --defineAudience
18 U.S.C. § 1030.
Computer Fraud & Abuse Act
DOD Joint Terminology for
Cyberspace Operations
$./Numbers.py
$./numbers.py --shhh
$./numbers.py
“Up to 300 Million Cyber Attacks on XXX (3LA) Data Centers Take
Place Each Day”
$./numbers.py --includeReality
$./numbers.py --strangeAddition
Media/Public
• SSH brute-force attempt: wordlist of 10,000, 1 IP (x.x.x.x), 3 mins, unsuccessful login
• Reported as: 10,000 Rapid Sophisticated Cyber Attacks Thwarted
Analyst/Community
• The same SSH brute-force attempt: wordlist of 10,000, 1 IP (x.x.x.x), 3 mins, unsuccessful login
• Reported as: 1 Failed Attempted Intrusion Event
$./numbers.py --strangeAddition
Media/Public
• All-port Nmap scan: 65,535 ports, 1 IP (x.x.x.x), 1 min
• Reported as: Over 65,000 Rapid Sophisticated Cyber Attacks Thwarted
Analyst/Community
• The same all-port Nmap scan: 65,535 ports, 1 IP (x.x.x.x), 1 min
• Reported as: No report (“We get scanned all the time”)
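The difference between the two columns is one counting decision: whether every log line is an “attack”, or whether related lines from one source within a short window are one event. The following Python is an added illustration, not code from the talk or from Project Slam. It assumes two log shapes (an OpenSSH auth.log “Failed password” line and an iptables-style “DROP” kernel log line, both constructed here), collapses per-source, per-kind lines into incidents, and builds a constructed sample that reproduces both scenarios above: 10,000 failed SSH logins from one IP in 3 minutes and 65,535 dropped ports from another IP in 1 minute.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log shapes (constructed for this example): an OpenSSH auth.log
# "Failed password" line and an iptables-style "DROP" kernel log line.
SSH_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)
FW_DROP = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: DROP .*?SRC=(?P<src>[\d.]+) "
    r".*?DPT=(?P<dport>\d+)"
)
YEAR = 2016  # syslog timestamps carry no year; assumed here


def parse(line):
    """Return (timestamp, source IP, event kind) for a recognised line, else None."""
    m = SSH_FAIL.match(line)
    if m:
        kind = "ssh-auth-failure"
    else:
        m = FW_DROP.match(line)
        if not m:
            return None
        kind = "port-probe"
    ts = datetime.strptime(f"{YEAR} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], kind


def aggregate(events, idle_minutes=5):
    """Collapse events into incidents: same source, same kind, and no gap between
    consecutive events longer than idle_minutes. One brute-force run or one port
    sweep becomes one incident, however many lines it produced."""
    idle = timedelta(minutes=idle_minutes)
    by_key = defaultdict(list)
    for ts, src, kind in events:
        by_key[(src, kind)].append(ts)
    incidents = []
    for (src, kind), stamps in by_key.items():
        stamps.sort()
        start, last, count = stamps[0], stamps[0], 1
        for ts in stamps[1:]:
            if ts - last > idle:  # quiet period: close the incident, open a new one
                incidents.append({"src": src, "kind": kind, "start": start, "end": last, "events": count})
                start, count = ts, 0
            last = ts
            count += 1
        incidents.append({"src": src, "kind": kind, "start": start, "end": last, "events": count})
    return incidents


def summarize(lines, idle_minutes=5):
    """Raw line count (the headline number) next to the incident list."""
    events = [e for e in map(parse, lines) if e is not None]
    return {"raw_events": len(events), "incidents": aggregate(events, idle_minutes)}


def build_sample():
    """Constructed traffic: one IP tries 10,000 passwords against sshd in
    3 minutes; another sweeps all 65,535 TCP ports in 1 minute."""
    base = datetime(YEAR, 10, 12, 3, 0, 0)
    lines = []
    for i in range(10_000):
        ts = base + timedelta(seconds=180 * i / 10_000)
        lines.append(f"{ts:%b %d %H:%M:%S} bastion sshd[4242]: Failed password for root "
                     f"from 203.0.113.7 port {40000 + i % 1000} ssh2")
    for port in range(1, 65_536):
        ts = base + timedelta(seconds=60 * port / 65_536)
        lines.append(f"{ts:%b %d %H:%M:%S} bastion kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 "
                     f"DST=10.0.0.5 PROTO=TCP SPT=54321 DPT={port}")
    return lines


if __name__ == "__main__":
    report = summarize(build_sample())
    print(f"raw log events: {report['raw_events']}")
    for inc in report["incidents"]:
        print(f"{inc['kind']:<17} from {inc['src']:<14} {inc['events']:>6} events "
              f"{inc['start']:%H:%M:%S}-{inc['end']:%H:%M:%S}")
```

Run stand-alone it reports 75,535 raw events and 2 incidents; the same data supports either headline, and only the second is useful to an analyst. The idle window is the tunable part: too short and one slow scan splits into many incidents, too long and separate campaigns from a shared NAT address merge into one.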
$./ProjectSlam.py
$./projectSlam.py
A project designed to research
adversary behavior and utilize the
data captured to generate wordlists,
blacklists, and methodologies of
various threat actors that can be
provided back to the public.
$./projectSlam.py
• v1 (2016)
• Kippo 0.9
• Debian 8
• Cloud-based deployment
• Geographically located in New York
• Publicly accessible ports: 22, 80, 443
$./projectSlam.py
• Username / Pass (Wordlist)
• Source IP (Location)
• Full TTY Sessions
• A!! D@ Toolz
$./projectSlam.py
• v2 (2017) – a full interaction honeypot to
enumerate more information from the attacker.
• Docker (Pre-Populated)
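As an added illustration (not Project Slam’s own code, which lives in the linked GitHub repo), the following Python turns honeypot login attempts into the three artifacts the project describes: a username and password wordlist, the credential pairs actually tried, and a source-IP list. The log line shape is an assumption modelled on Kippo’s text log, and the sample lines are constructed, not captured data.

```python
import re
from collections import Counter

# Assumed line shape, modelled on the Kippo/Cowrie text log:
# "<ts> [SSHService ssh-userauth on HoneyPotTransport,<n>,<src>] login attempt [<user>/<pass>] failed"
# The password group is greedy so passwords containing "/" or "]" survive intact.
LOGIN = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<src>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>.*)\] (?P<result>succeeded|failed)$"
)

# Constructed sample log; the addresses are documentation ranges, not real sources.
SAMPLE_LOG = """\
2016-10-12 03:00:01+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/123456] failed
2016-10-12 03:00:02+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/admin] failed
2016-10-12 03:00:03+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/root123] failed
2016-10-12 03:00:04+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/p@ssw0rd] succeeded
2016-10-12 03:05:10+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.9] login attempt [admin/admin] failed
2016-10-12 03:05:11+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.9] login attempt [admin/123456] failed
2016-10-12 03:09:40+0000 [SSHService ssh-userauth on HoneyPotTransport,3,192.0.2.44] login attempt [pi/raspberry] failed
2016-10-12 03:09:41+0000 [SSHService ssh-userauth on HoneyPotTransport,3,192.0.2.44] login attempt [ubnt/ubnt] failed
2016-10-12 03:09:42+0000 [SSHService ssh-userauth on HoneyPotTransport,3,192.0.2.44] login attempt [root/123456] failed
2016-10-12 03:09:43+0000 [SSHService ssh-userauth on HoneyPotTransport,3,192.0.2.44] login attempt [root/a/b]c] failed
2016-10-12 03:10:00+0000 [HoneyPotTransport,3,192.0.2.44] connection lost
"""


def parse_attempts(lines):
    """One dict per login attempt; other lines (connects, commands) are skipped."""
    attempts = []
    for line in lines:
        m = LOGIN.match(line.rstrip("\r\n"))
        if m:
            attempts.append(m.groupdict())
    return attempts


def tally(attempts):
    """Frequency tables for usernames, passwords, credential pairs and sources."""
    return {
        "users": Counter(a["user"] for a in attempts),
        "passwords": Counter(a["pw"] for a in attempts),
        "pairs": Counter((a["user"], a["pw"]) for a in attempts),
        "sources": Counter(a["src"] for a in attempts),
    }


def wordlist(counter):
    """Entries most-seen first, ties alphabetical: the order to try them in a
    password audit, or to forbid them in a password policy."""
    return [item for item, _ in sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))]


def blocklist(sources, min_attempts=2):
    """Source IPs with at least min_attempts login attempts, busiest first."""
    ranked = sorted(sources.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ip for ip, n in ranked if n >= min_attempts]


if __name__ == "__main__":
    t = tally(parse_attempts(SAMPLE_LOG.splitlines()))
    print("top usernames:", t["users"].most_common(3))
    print("top passwords:", t["passwords"].most_common(3))
    print("top pairs:", t["pairs"].most_common(3))
    print("block:", blocklist(t["sources"], min_attempts=3))
```

The username list doubles as an audit list for your own fleet: entries such as ubnt, pi and PlcmSpIp are device defaults, so any host that accepts them over SSH is exactly what these scanners are looking for. The IP list is only a snapshot; brute-force sources churn quickly, so a blocklist built from it needs a last-seen date and an expiry rather than permanent entries.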
$./projectSlam.py
~4,000 Every Day
~1.4 Million in a year
$./projectSlam.py
Trailing 20 Weeks
$./projectSlam.py
$./projectSlam.py
$./projectSlam.py
Usernames (count)
1. root 499,111
2. admin 13,496
3. Administrator 1,428
4. support 1,046
5. user 954
6. test 739
7. ubnt 666
8. guest 525
9. oracle 390
10. ftpuser 359
11. PlcmSpIp 355
12. pi 324
13. postgres 264
14. operator 221
15. git 214
$./projectSlam.py
Passwords (count)
1. 123456 3,683
2. admin 3,606
3. password 3,283
4. root 3,042
5. 1234 2,989
6. 12345 2,876
7. test 2,722
8. 123 2,575
9. !@ 2,518
10. 1 2,478
11. p@ssw0rd 2,448
12. wubao 2,366
13. root123 2,347
14. jiamima 2,311
15. !q@w 2,272
16. ! 2,263
17. !qaz@wsx 2,251
18. idc!@ 2,196
19. admin!@ 2,181
20. support 750
$./projectSlam.py
Trailing 20 Weeks
$./projectSlam.py |whatsNext
$./projectSlam.py |whatsNext
• Report for 2016 (Jan ‘17)
• Full Report
• Wordlist
• IP List
• Deployment for 2017
(Jan-Dec)
• Report for 2017 (Jan ‘18)
• Full Report
• Wordlist
• IP List
$TakeHome.py
$TakeHome.py
• Partial Wordlist
• Partial IP List
$TakeHome.py
Github.com/mikebanks/projectSlam
$Conclusion.py
• Don’t use simple passwords
• Use unique usernames
• Reset default credentials
• Where possible use 2FA
$Questions.py |audience
RenditionInfoSec.com
@4MikeBanks | Michael@RenditionInfoSec.com | (847) 208-2393
MichaelBanks.org


Editor's Notes

  • #2 I was contemplating a theme for this event so I thought Dr. Evil would make a great fit for this event.
  • #3 My name is Michael Banks and I am an Information Security Consultant at Rendition InfoSec, a consulting firm that does incident response, penetration testing, and reverse engineering. I found out yesterday that I should feel obligated to put my Twitter on here, so I am 4MikeBanks on Twitter. I do tweet every now and then about InfoSec stuff, so feel free to tweet me. I am also a SigO in the Reserve, so I do that on the side.
  • #4 Just to check the block, here are the top three disclaimers.
  • #5 This presentation is mainly about debunking this notion of reported cyber attacks. We will break down generally what is considered an attack. We will break down some numbers of how it’s reported in some cases, and we will look at some projects and initiatives that I put in place to aid in bringing some light to the ridiculously large numbers you hear out there about cyber activity.
  • #6 Summer 2015, I am in Boston at a training conference. I don’t keep my nose in the media normally, but I like to stay informed on the high points of what’s going on in the world and in the US. So I’m switching channels on the TV and I find a station that mentions something that I am familiar with. The SF-86!
  • #7 I say to myself, I know what that is, and why is that in the news? Well, after watching it for a while, the news being the news, the headline reads: “21.5 Million People Exposed.”
  • #8 Are you serious? I am appalled at the news of this. All I could say was WOW! After watching the news a bit more, it turns out there is a congressional hearing in the coming days to find out more of what happened, who’s at fault, and the extent of who’s affected. Now I am sure everyone has heard of C-SPAN, but who really sits and watches Congress? This time I was.
  • #9 The House Committee on Oversight and Government Reform held this hearing, and they are definitely an interesting bunch. So they had a group of people from OPM. The one that was focused on heavily was the director at the time, Ms. Archuleta. During her opening statements there was something that jumped out to me instantly, and I won’t say it sounded like an upfront excuse, but yeaaahhhh! I heard some other things that were interesting throughout the hearing, like systems from the ’60s, COBOL, and no 2FA for access to VERY sensitive data. If you haven’t seen the hearing, I would check it out. Google “Oversight and Government Reform Hearings.” After watching that hearing I kept my ear to the ground and tuned into other hearings about other “cyber” things. By doing that I noticed a couple of themes and recurrences from the panels and the congressmen.
  • #10 There was constantly a mention that we need more talent. We deal with millions of cyber attacks constantly. Finally, a constant mention of something called the inevitable “Cyber Pearl Harbor.” I know what they mean, but WHY! After seeing government and some of their lack of understanding, I went to the interwebs to find out what people are calling cyber attacks, and I am sad that I did. It brought me to doing this talk as a subject.
  • #11 So what is a “Cyber Attack?” There’s not much out there that is clear on what that really is in a plain way that the public can grasp. I really didn’t want to cite or rely on the amazing site of Wikipedia. I have found, though, that to define a cyber attack unfortunately depends on who you are asking.
  • #12 Well, what does the law say? Congress and the DOJ will squarely point right at the CFAA for cyber attacks in reference to what they are.
  • #13 The DOD operates and defines their definition as well. Their definition is a bit more descriptive.
  • #15 The government definitely has their definitions and they are content with them, but I am pretty sure these guys have a slightly different outlook on the definition of what a cyber attack is.
  • #16 Have you ever heard the phrase that “the numbers don’t lie”? SURE! Numbers don’t lie, but the words around them can definitely lie for them. I learned that quickly in a statistics class.
  • #17 Every time you turn around you see someone reporting about attacks, but RARELY do you see them explaining what types of attacks there were.
  • #18 Armageddon….
  • #24 A medium-interaction honeypot focused on SSH brute-force attempts, and focusing on wordlists, passwords, and the attacker’s attack process after login.
  • #26 Output Throttling
  • #37 Date Last Seen IP…
  • #38 Date Last Seen IP…
  • #40 Contact Page