This document discusses cyber attack methodology using the Cyber Kill Chain model and provides lessons learned. The Cyber Kill Chain model outlines the stages an attacker goes through from initial reconnaissance to actions on objectives. These stages include weaponization, delivery, exploit installation, command and control, and actions on objectives. The document emphasizes the importance of understanding egress traffic, collaborating with other organizations, and having an incident response plan to disrupt attacks at various stages of the Cyber Kill Chain.
OWASP ATL - Social Engineering Technical Controls Presentation (OWASP Atlanta)
Meetup July 16th, 2015
User awareness training will always fail to prevent 100% of social engineering attacks. However, consistent and reliable technical controls drastically mitigate an organization’s risk and increase the difficulty for malicious actors to launch successful attacks.
This talk describes social engineering from the perspectives of an attacker and a defender. The presentation will cover techniques designed to help organizations develop an ideal incident response plan crafted specifically for social engineering attacks. It will explain technical controls that are designed to inhibit attackers, as well as procedures that allow an incident response team to quickly identify successful attacks and eradicate their presence.
Bishop Fox conducted new research into the state of email spoofing defenses and identified organizations that are most commonly targeted for brand spoofing. This research will show that 99.9% of the top million domains are vulnerable to email spoofing and provide recommendations for avoiding attack.
This presentation covers attacks and defenses for dangerous social engineering activities, including:
· Email spoofing
· Domain hijacks
· Typo-squatting
· Client-side attacks
· Watering hole attacks
Every IR presents unique challenges. But - when an attacker uses PowerShell, WMI, Kerberos attacks, novel persistence mechanisms, seemingly unlimited C2 infrastructure and half-a-dozen rapidly-evolving malware families across a 100k node network to compromise the environment at a rate of 10 systems per day - the cumulative challenges can become overwhelming. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it.
Details a massive intrusion by Russian APT29 (AKA CozyDuke, Cozy Bear)
Penetration Testing vs. Vulnerability Scanning (SecurityMetrics)
For more info on pen testing: securitymetrics.com/sm/pub/penetrationtesting
For more info on vulnerability scanning: securitymetrics.com/sm/pub/vulnerabilityscanning
Even the most experienced administrators may fail to implement the latest secure practices at your business. The easiest and most accurate way to discover if your business is secure enough to withstand a hack is to test it through the eyes of a hacker. An ethical hacker is simply a computer bodyguard who manually examines a business environment for weaknesses via a penetration test and determines which weaknesses he can exploit. Discover how penetration testers search for vulnerabilities by using the latest hacking techniques, and learn how to batten down your organizational hatches with penetration testing and vulnerability scanning.
Threat Intelligence is by far one of the most over-used buzz words in the security industry. Many professionals have very mixed feelings about Threat Intelligence feeds as well. This discussion is around how LogRhythm’s internal security team utilizes Threat Intelligence to operationalize efficiently and streamline Security Operations processes and help improve an organization’s defenses. We will show how you can generate your own Threat Intelligence and create information sharing loops within like industries to fully realize the team's defensive capabilities. On top of the technical aspects around building out a good Threat Intel program, we will discuss how to manage this from a leadership perspective and get buy-in from the top. Most importantly, once these systems are in place, how we can show value to leadership using key performance indicators and leverage this to improve the overall security program.
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware (Lastline, Inc.)
Over the last few years, as the world has moved closer to realizing the idea of the Internet of Things, an increasing number of the analog things with which we used to interact every day have been replaced with connected devices. The increasingly-complex systems that drive these devices have one thing in common – they must all communicate to carry out their intended functionality. Such communication is handled by firmware embedded in the device. And firmware, like any piece of software, is susceptible to a wide range of errors and vulnerabilities.
Activated Charcoal - Making Sense of Endpoint Data (Greg Foss)
Recorded Webcast: https://logrhythm.com/resources/webcasts/activated-charcoal-making-sense-of-endpoint-data/
Security operations is all about understanding and acting upon large amounts of data. When you can pull data from multiple sources, condense it down and correlate across systems, you can highlight trends, find flaws and resolve issues.
This Presentation was given at Black Hat 2016 and, recently, an SC Magazine Webcast, covering the importance of monitoring endpoints and how to leverage endpoint data to detect, respond and neutralize advanced threats.
Practical White Hat Hacker Training - Introduction to Cyber Security (PRISMA CSI)
This presentation is part of Prisma CSI's Practical White Hat Hacker Training v1
PRISMA CSI • Cyber Security and Intelligence www.prismacsi.com
This document can be shared or quoted and used for commercial purposes, but cannot be changed. Detailed information is available at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.
httpscreenshot is a tool developed internally over the past year and a half. It has become one of our go to tools for the reconnaissance phase of every penetration test. The tool itself takes a list of addresses, domains, URLs, and visits each in a browser, parses SSL certificates to add new hosts, and captures a screenshot/HTML of the browser instance. Similar tools exist but none met our needs with regards to speed (threaded), features (JavaScript support, SSL auto detection and certificate scraping), and reliability.
The cluster portion of the tool will go through and group "similar" websites together, where "similar" is determined by a fuzzy matching metric.
This tool can be used by both blue and red teams. The blue teams can use this tool to quickly create an inventory of applications and devices they have running in their environments. This inventory will allow them to quickly see if there is anything running in their environment that they may not know about which should be secured or in many cases removed.
The red teams can use this tool to quickly create the same inventory as part of our reconnaissance, which is often very effective in identifying potential target assets.
Network Forensics and Practical Packet Analysis (Priyanka Aash)
Why Packet Analysis?
3 Phases - Analysis, Conversion & Collection
How do we do it ?
Statistics - Protocol Hierarchy
Statistics - End Points & Conversations
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr... (PaloAltoNetworks)
Palo Alto Networks Live Community Senior Engineers Tom and Joe present best security practices at the Fuel Spark event in London. For more details, please visit: https://live.paloaltonetworks.com/t5/Community-Blog/Live-Community-team-at-Spark-User-Summit-London/ba-p/153182
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek... (EC-Council)
Today there is a dispute over the ethics of operations involving honeypots and honeynets in cyber security. However, many organizations will adopt the use of such techniques and tools to develop defensive strategies to stop attackers. For professional offensive security practitioners, detecting, bypassing, and even avoiding honeypots is a new challenge and much is to be discovered and shared. This brief will work to accomplish these objectives and begin the development of a new framework for Counter Honeypot Operations (CHOps).
Watchtowers of the Internet - Source Boston 2012 (Stephan Chenette)
Watchtowers of the Internet: Analysis of Outbound Malware Communication, Stephan Chenette, Principal Security Researcher, (@StephanChenette) & Armin Buescher, Security Researcher
With advanced malware, targeted attacks, and advanced persistent threats, it’s not IF but WHEN a persistent attacker will penetrate your network and install malware on your company’s network and desktop computers. To get the full picture of the threat landscape created by malware, our malware sandbox lab runs over 30,000 malware samples a day. Network traffic is subsequently analyzed using heuristics and machine learning techniques to statistically score any outbound communication and identify command & control, back-channel, worm-like and other types of traffic used by malware.
Our talk will focus on the setup of the lab, major malware families as well as outlier malware, and the statistics we have generated to give our audience an exposure like never before into the details of malicious outbound communication. We will provide several tips, based on our analysis to help you create a safer and more secure network.
Stephan Chenette is a principal security researcher at Websense Security Labs, specializing in research tools and next generation emerging threats. In this role, he identifies and implements exploit and malcode detection techniques.
Armin Buescher is a Security Researcher and Software Engineer experienced in strategic development of detection/prevention technologies and analysis tools. Graduated as Dipl.-Inf. (MSc) with thesis on Client Honeypot systems. Interested in academic research work and published author of security research papers.
This presentation will introduce the Lockheed Martin Cyber Kill Chain and MITRE ATT&CK frameworks. By working through 4 different practical scenarios in a fictional company https://sensenet-library.com, the attendees will learn how they can use those frameworks to measure their security response in today's diverse security threat landscape. We'll go through categorising security controls, responding to a vulnerability report, assessing a threat intel report and decide on future of the company's toolset where you will be able to answer a question if you should continue investing in a tool or should you buy a new one.
With the help of GCHQ and Cert-UK, we've produced this presentation on reducing the impact of normal cyber attacks. It's not meant to be an exhaustive guide on cyber security threats. The presentation isn't tailored to individual needs, and it is not a replacement for specialist cyber security advice.
RIoT (Raiding Internet of Things) by Jacob Holcomb (Priyanka Aash)
The recorded version of 'Best Of The World Webcast Series' [Webinar] where Jacob Holcomb speaks on 'RIoT (Raiding Internet of Things)' is available on CISOPlatform.
Best Of The World Webcast Series are webinars where breakthrough/original security researchers showcase their study, to offer the CISO/security experts the best insights in information security.
For more signup(it's free): www.cisoplatform.com
Microsegmentation from strategy to execution (AlgoSec)
Organizations heavily invest in security solutions to keep their networks safe, but still struggle to close the security gaps. Micro-segmentation helps protect against the lateral movement of malware and minimizes the risk of insider threats. Micro-segmentation has received lots of attention as a possible solution, but many IT security professionals aren’t sure where to begin or what approach to take.
In this practical webinar, Prof. Avishai Wool, AlgoSec’s CTO and co-founder will guide you through each stage of a micro-segmentation project – from developing the correct micro-segmentation strategy to effectively implementing it and continually maintaining your micro-segmented network.
Register now for this live webinar and get a practical blueprint to creating your micro-segmentation policy:
What is micro-segmentation.
Common pitfalls in micro-segmentation projects and how to avoid them.
The stages of a successful micro-segmentation project.
The role of policy change management and automation in micro-segmentation.
Tune in for the Ultimate WAF Torture Test: Bots Attack! (Distil Networks)
Are WAFs the best approach for defending your website against malicious bots? How can you optimize your WAF for bot detection and mitigation? Watch this webinar and learn practical tips on how to defend your web infrastructure against the OWASP Top 10 as well as brute force attacks, web scraping, unauthorized vulnerability scans, fraud, spam and man-in-the-middle attacks.
World renowned expert and author of Web Application Firewalls: A Practical Approach, John Stauffacher, shares his expertise. He has over 17 years of experience in IT Security and is a certified Network Security and Engineering specialist.
Learn more : http://resources.distilnetworks.com/h/i/95930604-tune-in-for-the-ultimate-waf-torture-test-bots-attack/177622
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation (Scott Sutherland)
This presentation provides an overview of common adversarial emulation approaches along with attack and detection trends. It should be interesting to penetration testers and professionals in security operations roles.
Elements of the discussion will include:
– Insight into emerging cyber threats
– A profile of today’s evolved hackers: what they are after, why, and how they’re getting what they want
– Strategies and tools you can implement to safeguard against attacks
Presentation by Ismael Valenzuela from Intel Security about ransomware and how enterprises can design their IR responses to mitigate ransomware threats.
1. “How I'm going to own your organization in just a few days”
The Malware obfuscation attack
Introduction to the Cyber Kill Chain™
@RazorEQX
http://404hack.blogspot.com
7. Access to facebook to the setting bars..
http://www.facebook.com/
abe2869f-9b47-4cd9-a358-c22904dba7f7
Settings
aPLib compressor's trace:
aPLib v1.01 - the smaller the better :)
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.
More information: http://www.ibsensoftware.com/
Pony gates:
hxxp://webmail.alsultantravel.com:8080/ponyb/gate.php
hxxp://alsultantravel.com:8080/ponyb/gate.php
hxxp://webmail.alsultantravel.info:8080/ponyb/gate.php
hxxp://198.57.130.35:8080/ponyb/gate.php
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="5.1.0.0"
processorArchitecture="x86" name="Progmn.Program_Code" type="win32"></assemblyIdentity><description>Program
Description</description><dependency><dependentAssembly><assemblyIdentity type="win32"
8. @Malwaremustdie
• Are a group of dedicated Malware Researchers.
• Recognize that Malware is a serious threat.
• Recognize that Malware inhibits Internet technology.
• Agree that Malware is an obfuscation for Advanced Threats.
16. Paterva: Maltego
Maltego is a program that can be used to determine relationships and real
world links between:
– People
– Groups (Social Networks)
– Companies
– Organizations
– Web Sites
– Domains
28. Introducing "Cyber Kill Chain™"
• Concept derived from offensive military doctrine:
– Navy: Find, Fix, Track, Target, Engage, and Assess
– OODA Loop: Observe, Orient, Decide, and Act
– Key concept: Cyber Kill Chain™ defines how an adversary moves from target observation to a final objective. As with any chain, if any link breaks, the whole process fails
• Turn it into our advantage:
– "To compromise our infrastructure, the bad guys have to be right every step; we only have to be right once"
29. Cyber Kill Chain™ Model
• Intrusion: kill chain phases (rows) against courses of action (columns)
Cyber Kill Chain™      | Detect | Deny | Disrupt | Degrade | Deceive
Recon                  |        |      |         |         |
Weaponize              |        |      |         |         |
Delivery               |        |      |         |         |
Exploit                |        |      |         |         |
Installation           |        |      |         |         |
Command & Control      |        |      |         |         |
Actions on Objectives  |        |      |         |         |
(Increasing Risk down the chain)
31. Cyber Kill Chain™ Model
Recon
• Research, identification, and selection of targets
• Crawling Internet websites looking for email addresses or information on specific technologies
• Research conducted on business relationships and supply chain
• Enumeration of systems and infrastructure
– Active
– Passive
Phases: Recon, Weaponize, Deliver, Exploit, Install, C2, Actions on Objectives
32. Cyber Kill Chain™ Model
Weaponize
• The tool that couples a remote access trojan with an exploit into a deliverable payload
• Application data files such as Microsoft Office documents or Adobe PDF files serve as the weaponized payloads
• Compromised websites hosting malformed Java or Flash files
33. Cyber Kill Chain™ Model
Delivery
• Transmission of weapon into targeted environment
• The three most prevalent delivery vectors for weaponized payloads are
– Emails with attachments or embedded hyperlinks
– Compromised websites with malicious code
– USB drives or other removable media
36. Cyber Kill Chain™ Model
Exploit
• After the weapon is delivered to the target host, exploitation triggers the attackers’ code
• Most often, this exploits an application or operating system vulnerability
• In most cases, exploitation occurs when
– Users are coerced into opening an executable attachment
– A feature of the operating system that executes code automatically is leveraged
37. Cyber Kill Chain™ Model
Installation
• Typically occurs immediately after the exploit is complete
• The install is often a backdoor or a tool grabber
• Installation might also occur during lateral movements by the attacker
38. Cyber Kill Chain™ Model
C2
• Typically the compromised host must beacon outbound to its Internet controller server to establish a command and control (C2) channel
• APT malware typically requires manual interaction vs. acting autonomously
• Once the C2 channel is established, attackers have "hands-on-the-keyboard" access
39. Cyber Kill Chain™ Model
Actions on Objectives
• Attackers begin collecting, encrypting, and exfiltrating data from compromised systems
• Attackers may further propagate throughout the internal network through lateral compromises
• While exfiltration is the most common objective, attackers can also violate the integrity or availability of data
• Consider what would happen if the attacker modified certain critical internal data
40. Cyber Kill Chain™ Model
Benefits
• Provides for a more defensible network by providing incident responders
with multiple locations that can stop the progress of the adversary
• Provides a framework for working forward and backward in order to
gauge effect and identify mitigations
• Articulates prioritization and strategy
• Identifies data gaps and source collection requirements
• Enables adversary attribution and campaign tracking
• Drives investigations to completion
• Intelligence feeds into gaining more intelligence
41. Lessons learned:
• 1. Crack SSL (intercept and decrypt TLS at your egress points) and understand your egress traffic. Get a SIEM for event correlation.
• 2. Don't take a crimeware kit at face value. You might have missed the advanced threat you've been looking for.
• 3. Stop wasting money on tools that are always one step behind the adversary and always promising "that feature is in the next release".
• 4. COLLABORATE with other organizations in your industry. This is priceless information. Compare what activity you are both seeing and put two and two together.
• 5. OSINT: RSS research feeds are your friend. Pull out indicators you can use in your detection tools, and correlate events into campaigns. These groups are already doing the hard part for you: XOR, obfuscation, identifying fake registrars selling domains to crimeware organizations, etc.
• 6. Most important of all: have a damn good incident response plan. Know what and how you're going to recover from this type of breach when it finally hits your organization.
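Lesson 5 is only useful if the indicators in a research write-up actually reach your detection tools, and feeds deliberately "defang" them (`hxxp://`, `[.]`, `[at]`) so they are not clickable. This added example (not part of the deck) refangs a constructed feed excerpt, pulls URLs, hosts, IPv4 addresses, e-mail addresses and MD5/SHA-1/SHA-256 hashes out of it, and drops anything under an allowlist so your own or a researcher's domains do not end up as block-list entries. The feed text, host names and addresses are constructed for the demonstration (the addresses are from documentation ranges and the hashes are those of empty input); the `extract_iocs` function and its regexes are assumptions of this example, not a tool mentioned in the talk.

```python
import re
from urllib.parse import urlparse

# Refanging rules: feeds break indicators on purpose; undo that before matching.
_REFANG = [
    (re.compile(r"hxxp(s?)://", re.I), r"http\1://"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.I), "."),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[at\]", re.I), "@"),
]

# Extensions that the domain pattern would otherwise mistake for top-level domains.
_FILE_EXTENSIONS = {"exe", "dll", "scr", "bin", "php", "html", "htm", "js",
                    "txt", "zip", "rar", "pdf", "doc", "xls", "jar", "py"}

_HEX = "[a-fA-F0-9]"
_PATTERNS = {
    "url":    re.compile(r"""https?://[^\s"'<>]+"""),
    "email":  re.compile(r"[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I),
    "ipv4":   re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "sha256": re.compile(rf"\b{_HEX}{{64}}\b"),
    "sha1":   re.compile(rf"\b{_HEX}{{40}}\b"),
    "md5":    re.compile(rf"\b{_HEX}{{32}}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}

# Constructed feed excerpt in the style of a malware research post.
SAMPLE_FEED = """\
New BHEK wave seen 2013-09-25. Landing page hxxp://cdn-update[.]example-bad[.]test/closest/in.php
redirects via 198[.]51[.]100[.]23 and 203.0.113[.]77; payload drop.exe
md5 d41d8cd98f00b204e9800998ecf8427e, sha256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.
C2 observed at fgh2kl9q[.]example-bad[.]test:8080 and mail to ops[at]example-bad[.]test.
Questions: research@example-good.test, write-up at https://www.example-good.test/blog.
"""


def refang(text):
    for pattern, replacement in _REFANG:
        text = pattern.sub(replacement, text)
    return text


def _allowed(name, allowlist):
    """True if name is, or is a subdomain of, an allowlisted domain."""
    name = name.lower()
    return any(name == a or name.endswith("." + a) for a in allowlist)


def extract_iocs(text, allowlist=()):
    """Return {indicator type: set of indicators} found in free text."""
    text = refang(text)
    found = {kind: set(p.findall(text)) for kind, p in _PATTERNS.items()}

    domains = set()
    for d in found["domain"]:
        d = d.lower().rstrip(".")
        if d.rsplit(".", 1)[-1] in _FILE_EXTENSIONS or _allowed(d, allowlist):
            continue                     # file name or our own infrastructure
        domains.add(d)
    found["domain"] = domains
    found["url"] = {u.rstrip(".,;)") for u in found["url"]
                    if not _allowed(urlparse(u).hostname or "", allowlist)}
    found["email"] = {e.lower() for e in found["email"]
                      if not _allowed(e.split("@", 1)[1], allowlist)}
    for kind in ("md5", "sha1", "sha256"):
        found[kind] = {h.lower() for h in found[kind]}
    return found


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_FEED, allowlist=("example-good.test",)).items():
        print(f"{kind:7} {sorted(values)}")
```

The word-boundary anchors on the hash patterns keep a 32-character MD5 pattern from matching the front half of a SHA-256, and the extension filter is the cheap substitute for a public-suffix check; anything that still looks like a domain but is really a file name should be reviewed before it goes into a DNS sinkhole.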
Editor's Notes
I should have called this presentation not "how I'm going to own your organization" but instead "how it's likely already owned". Let me ask you a question. No one needs to raise their hands, just acknowledge it in your mind. How many of you think your network has already been compromised and it just has not been found yet? Makes it hard to sleep at night, I bet? This presentation should actually be titled "how likely is it that your organization is already owned", not "how I'm going to own your organization in just a few days". I am going to ask you a question that I don't want you to answer; just take a moment and think about it. Is your network already compromised and you just haven't found out about it yet? That thought probably keeps you up at night, or it should.
My 8-year-old wants to see Daddy on video, so I will be adding in my own censorship. Sorry, no cussing at DerbyCon from me this year.
Don't die at DerbyCon. If you get to the terminal and swell up like a balloon, then start having chest pains, don't FLY. Apparently some airlines don't like people dying on them at 30,000 feet.
Note: Being a software cracker back in the day was cool, using SoftICE. I was actually reversing code before reversing was cool. Then "cracker" turned out to be a term for a white guy. Not so cool anymore. Please take out your phones and turn them up all the way. I want it to feel as though we are all sitting in a meeting and I'm presenting while all of your phones are going off; this will really make me feel at home for the rest of this presentation. I thank you in advance. Everyone please enter my Twitter ID in your phone. (pause) Who entered my Twitter ID and turned on their cell phones? Raise of hands. You have just been social engineered.
SoftICE: used in the late 80s and 90s as .. Look it up on Twitter. SoftICE was a utility used back in the 80s and 90s by crackers; it was a utility we could use at the time to remove dongle checks, passwords, game protections and copyright keys, and it was also used to create actual patches. I didn't realize it at the time, but I was actually a software reverse engineer before there was malware or the Internet as we know it today.
VirusTotal is a website that provides free checking of files for viruses. It uses up to 46 different antivirus products and scan engines to check for viruses that the user's own antivirus solution may have missed, or to verify against any false positives.[1] Files up to 64 MB can be uploaded to the website or sent via email.[2] Anti-virus software vendors can receive copies of files that were flagged by other vendors but missed by their own engine; they use this information to improve their own software and, by extension, VirusTotal's own capability. Users can also scan suspect URLs and search through the VirusTotal dataset. VirusTotal was selected by PC World as one of the best 100 products of 2007. I started using VirusTotal about three years ago and worked my way up from the bottom, from being pretty much a nobody just using the tool at face value, and eventually started collaborating with other members who were pretty advanced in the community and really knew advanced techniques for reversing.
Throughout the course of a year I became good friends with many members of the VirusTotal community and started collaborating with researchers across the globe. This is what malware research looks like now: landing zones, redirectors, everything from packers, XOR, and obfuscated URLs. Anything you can think of, our adversaries are doing, and they are continuing to advance their techniques, and we have continued to crack them.
From VirusTotal, a few of the researchers that became close friends would form a group, with one really brilliant leader, and formed MalwareMustDie. The group based its principles on finding these malware kits and tracking them, analyzing the data and then doing full disclosures on how the kits worked. Some of the research included the discovery of Blackhole toolkit 2.0 using Tor networks, pseudo-dynamic URLs, and most recently the tracking and the beginning of taking down the Kelihos botnet.
What do they want? This all depends on the threat actor; some just want to see the world burn. What do the rest want? Many are after IP, financial information, destroying company reputation, etc.
• Intellectual property
• Financials
• Customer reputation
• Money
• Contacts
• Destruction
Organizations from various sectors are spending vast amounts of money on advanced threats. Managers, CISOs, and CIOs are speaking with industry leaders about various tools which may or may not fit within their budget, and those leaders are selling these tools as a silver bullet solution. The reality is most organizations already have an arsenal of tools and not enough staff to review the data that is already being collected and monitored in their production environment; adding even more tools to this sort of environment means the analysts cannot ingest all the data quickly enough to form a picture of what is actually occurring on the network. The reality is the adversary has the same or similar tools and knows exactly what tools your organization uses, and they know how you use them, and I'll tell you why: for the single purpose of staying a step ahead of these tools and continuing to perfect their obfuscation techniques.
And your manager puts a massive box of tools on your desk and tells you to deploy this in our network. It's going to be the end-all be-all to protect our environment and everybody's going to be happy, right? You probably have had a similar experience where a supervisor has handed you the next silver bullet tool to stop the next APT / advanced threat / whatever phrase or acronym you prefer. The reality is they think this will make them look great and you will be happy; too bad this is not reality.
How does an adversary gain information about an organization? This information is learned using what is called social profiling, which can be accomplished on sites such as LinkedIn, Facebook, Twitter, and Google. With these sites an adversary has the ability to track your organization and create an organizational chart, down to who reports to whom: which manager reports to which director, which director reports to which VP, and so forth. This includes phone numbers, email addresses and personal blogs, and through social engineering they can even obtain information on where children go to school, what someone's personal schedule is, and what packages you're expecting in the mail. People like to talk about themselves, and they like to blog, tweet, and post on Facebook about what they are doing, also leaving geolocation information on pictures. Without proper privacy settings on any of these platforms this information is practically public to the entire world!
Tools:
• Cree.py
• Maltego and NetGlub
• TheHarvester
• http://checkusernames.com/ (Check Usernames, useful for checking the existence of a given username across 160 social networks)
Human Intelligence (HUMINT):
• Methodology always involves direct interaction, whether physical or verbal.
• Gathering should be done under an assumed identity (remember pretexting?).
• Key employees
• Partners/suppliers
• IMINT can also refer to satellite intelligence (a crossover between IMINT and OSINT if it extends to Google Earth and its equivalents).
Covert Gathering - Corporate:
• On-location gathering
• Physical security inspections
• Wireless scanning / RF frequency scanning
• Employee behavior training inspection
• Accessible/adjacent facilities (shared spaces)
• Dumpster diving
• Types of equipment in use
Offsite Gathering:
• Data center locations
• Network provisioning/provider
Foundstone has a tool named SiteDigger, which allows us to search a domain using specially crafted strings from both the Google Hacking Database (GHDB) and the Foundstone Database (FSDB).
Sept 23, 2013 Rohit Shaw – Social Engineering: A Hacking Story http://resources.infosecinstitute.com/social-engineering-a-hacking-story/
How would you enumerate the targets infrastructure without touching it?
So what do I want with all these tools?
• Network blocks owned
• AS numbers
• Email addresses
• External infrastructure profile
• Technologies used
• Perimeter tools
• Purchase agreements
• 3rd party vendors
• Remote access
• Application usage
• Browser user agents
• …
• Defense technologies
• Human capability
The individual targets are going to be inside your organization, closest to the data the threat actor is trying to access, and they will be the path of least resistance to the accounts and data he is after. This can all be done with simple phone calls to colleagues, administrative assistants, and other associates, using the personal information learned through social profiling on the Internet against them. All of this is used to make the individual perceive that they are giving information to a person they know or trust, creating a false sense of trust so that the targets drop their defenses.
With all of the social reconnaissance completed, the attacker can build a profile of what tools are being used at the perimeter, what operating systems are used on the workstations, account names and maybe even passwords. One such tactic might be having the admin look underneath the keyboard for a Post-it note with the account and password that was forgotten when their boss went to a conference. Once this information is organized and accounted for, the attacker can use the organizational information learned from social engineering as well as the technical information to craft an exploit: exploits can be written against specific operating systems and applications like browsers or Adobe Flash, down to the exact version each application is running, all of it learned through social engineering.
I have no idea how you are going to get an admin to look under the keyboard, or if it is their keyboard, how do you gain physical access? How would you get an admin to look under their boss's keyboard?
A small package for a POC was created using a stripped-down version of ettercap. Only a few of the functions were used, to reduce the footprint of the file for execution in memory, including video card memory. The payload also contains copies of fake patches for various browser types; Google Chrome is the example here.
With all this packaged up, the attacker can now choose a method of delivery. In this case he chooses a spear phishing attack against the administrative assistant, using the information learned from social engineering. The email will contain a link or several links that perform HTTP GET requests to a well-known application, the Blackhole toolkit. The payload inside this Blackhole toolkit is not going to be fake antivirus; it will be the special exploit the adversary created, so that both the advanced threat tools and the security department, if they detect it at all, respond to it as a typical malware campaign.
The spear phishing email is delivered, most likely making it through your perimeter because the scoring is fairly low: it is directed at a single target. All of this was of course tested against your perimeter beforehand with several other fake phishing campaigns, to several recipients or potentially a single user, with nothing more than a URL and a short message; the DNS query and the link, when clicked, were nothing more than a harmless HTTP or HTTPS string, none of which would raise an alarm on any of your perimeter tools. This could even be a DNS query resolving to a local address in the United States, if the destination domain is being monitored with tools like Umbrella or other DNS activity tools. When the actual spear phishing campaign occurs, the email again contains a link that downloads the toolkit when clicked, or the toolkit is embedded in the email as an attachment (again requiring execution). Still a low score: a new version of BHEK, a single recipient, and obfuscated quite well. Once the email is clicked and the payload is delivered, the BHEK dropper extracts its contents, with various premeditated exploits, either into memory or even into a video card utility. The exploit could be a utility that spoofs browser updates or updates for Adobe products or cloud storage like Dropbox, or it could target vulnerabilities in your known operating systems, all of which were gathered during the reconnaissance phase. The objective here is what has been known and used for a long time with tools like Metasploit and other hacking tools: a jump host. The adversary wants off this machine and onto another machine as quickly as possible.
At this point there is no requirement for any command and control; there is no contact from the exploit or from any machine compromised by lateral movement. The only objective is to harvest the data on the infected machine and only then make a connection to a predetermined location over a transport mechanism like SSL, HTTP or FTP. The key here is that I'm already inside the perimeter. The adversary is in the squishy center of your network. The infected hosts can remain silent for as long as the adversary deems fit, until sufficient information has been gathered and the security department or company has forgotten the original alert for the host infected by the phishing email. This exfiltration of data could even be transmitted from several of the hosts in a peer-to-peer sharing application, in several simultaneous transmissions like BitTorrent.
A few days later the target company's financials, accounts, passwords, and network IP addresses of critical systems show up on Pastebin or in the media, or are sold off to the highest bidder.
Do you see the obfuscation?
Duration: 10 minutes. Describe the behavior as well as perspective on counter-intelligence models and defenses against these mapped steps.
Duration: 10 minutes. Key Points: This is an important piece, and is part of what makes the APT adversary "advanced": hard to detect. This is where collaboration with other peer groups can help tremendously by sharing intelligence: OSINT, intelligence feeds, research sites.
This was five pages long
See the hits for one DGA name as it's rotated in sequence.
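A DGA shows up in DNS logs as the note describes: one host working through a sequence of algorithmically generated names, most of which do not resolve until the operator registers the one currently in use. This added example (not from the deck) scores the registrable label of each queried name with the usual lexical heuristics (character entropy, vowel ratio, digit ratio, long consonant runs, length) and counts NXDOMAIN answers per source host, over a constructed DNS log. The log format, host names, thresholds and the `dga_score`/`analyze` functions are assumptions of this example; a production version would use the public suffix list instead of "second label from the right" and tune the thresholds against your own resolver logs.

```python
import math
import re
from collections import Counter, defaultdict

CONSONANTS = re.compile(r"[bcdfghjklmnpqrstvwxz]+")

# Constructed resolver log: time, source IP, queried name, response code.
# 10.1.4.22 walks a DGA sequence; the fifth generated name is the one that
# resolves. d3k9x2q7.example-cdn.test is a legitimate random CDN subdomain.
SAMPLE_DNS = """\
10:01:02 10.1.4.22 www.example-news.test NOERROR
10:01:05 10.1.4.22 cdn.example-news.test NOERROR
10:01:09 10.1.4.22 d3k9x2q7.example-cdn.test NOERROR
10:02:10 10.1.4.22 qpwxzkrtmvbd.test NXDOMAIN
10:02:11 10.1.4.22 zkrtlmnpqvws.test NXDOMAIN
10:02:12 10.1.4.22 hjgfdklpwqzx.test NXDOMAIN
10:02:13 10.1.4.22 tmnbvcxzlkjh.test NXDOMAIN
10:02:14 10.1.4.22 r7k2p9x4m1zq.test NOERROR
10:03:00 10.1.4.80 mail.example-corp.test NOERROR
10:03:04 10.1.4.80 www.example-corp.test NOERROR
"""


def shannon_entropy(s):
    """Bits of entropy per character; a 12-character label of distinct characters scores log2(12)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname):
    """Crude stand-in for a public-suffix lookup: the label left of the TLD."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(qname):
    """Lexical DGA score of the registrable label; 0 is word-like, 3.5 is maximal."""
    label = registrable_label(qname)
    n = max(len(label), 1)
    score = 0.0
    if shannon_entropy(label) >= 3.5:
        score += 1.0                                  # near-uniform character use
    if sum(ch in "aeiou" for ch in label) / n < 0.25:
        score += 1.0                                  # too few vowels for a word
    if sum(ch.isdigit() for ch in label) / n > 0.2:
        score += 1.0                                  # digits mixed into the name
    if max((len(r) for r in CONSONANTS.findall(label)), default=0) >= 4:
        score += 1.0                                  # unpronounceable consonant run
    if len(label) >= 12:
        score += 0.5
    return score


def analyze(text, threshold=2.0):
    """Return lexically suspicious queries plus the NXDOMAIN ratio per source host."""
    suspicious = []
    per_host = defaultdict(lambda: [0, 0])            # [queries, nxdomain answers]
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, qname, rcode = line.split()
        per_host[src][0] += 1
        if rcode == "NXDOMAIN":
            per_host[src][1] += 1
        score = dga_score(qname)
        if score >= threshold:
            suspicious.append((src, qname, score))
    nx_ratio = {host: round(nx / total, 2) for host, (total, nx) in per_host.items()}
    return {"suspicious": suspicious, "nxdomain_ratio": nx_ratio}


if __name__ == "__main__":
    result = analyze(SAMPLE_DNS)
    for src, qname, score in result["suspicious"]:
        print(f"{src} {qname:28} score={score}")
    print(result["nxdomain_ratio"])
```

Scoring only the registrable label is what keeps the CDN subdomain out of the result: its random left-most label is legitimate, and a scorer that looked at the whole name would flag every content-delivery host on the network. The NXDOMAIN ratio is the complementary signal; a workstation that suddenly fails half its lookups in a two-second burst is worth a look even when the names happen to be pronounceable.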
Key Points: CVEs; zero-day attacks.
1. Crack SSL and understand your egress traffic. Get a SIEM for event correlation. 2. Don't take a crimeware kit at face value. You might have missed the advanced threat you've been looking for. 3. Stop wasting money on tools that are always one step behind the adversary and always promising "that feature is in the next release". Bull*BEEP* 4. COLLABORATE with other organizations in your industry. This is priceless information. What activity are you both seeing? Put two and two together. 5. RSS research feeds are your friend. Pull out indicators you can use for detection tools. These groups are already doing the hard part for you. XOR, obfuscation, identifying fake registrars selling domains to crimeware organizations, etc. 6. Most important of all: have a damn good incident response plan. Know what and how you're going to recover from this type of breach when it finally hits your organization.