The document summarizes a presentation given by cybersecurity experts Ken Smith and Benjamin Brooks. It discusses the state of cyber attacks, the mindset of attackers, and the need for a paradigm shift in how organizations approach security. It then describes a fictional operation called "OatmealGhost" where the presenters carried out a penetration test against a target organization to demonstrate the attacker mindset and how easily networks can be breached.
CS8792 - Cryptography and Network Securityvishnukp34
this is an engineering subject.this consist of
pgno: 5 - Information security in past & present
pgno: 7 - Aim of Course
pgno: 8 - OSI Security Architecture
pgno: 9 - Security Goals – CIA Triad
pgno: 13 - Aspects of Security
pgno: 17 - ATTACKS
pgno: 22 - Passive Versus Active Attacks
pgno: 23 - SERVICES AND MECHANISMS
Threat Intelligence Ops In-Depth at Massive EnterpriseJeremy Li
Topic: Threat Intelligence Ops In-Depth at Massive Enterprise
Source: Massive Data Analytic Session of ISC2019
Author: Jeremy Li of Meituan-Dianping Inc.
CS8792 - Cryptography and Network Securityvishnukp34
this is an engineering subject.this consist of
pgno: 5 - Information security in past & present
pgno: 7 - Aim of Course
pgno: 8 - OSI Security Architecture
pgno: 9 - Security Goals – CIA Triad
pgno: 13 - Aspects of Security
pgno: 17 - ATTACKS
pgno: 22 - Passive Versus Active Attacks
pgno: 23 - SERVICES AND MECHANISMS
Threat Intelligence Ops In-Depth at Massive EnterpriseJeremy Li
Topic: Threat Intelligence Ops In-Depth at Massive Enterprise
Source: Massive Data Analytic Session of ISC2019
Author: Jeremy Li of Meituan-Dianping Inc.
DRC - Cybersecurity Concepts 2015 - 5 Basics you must know!Kevin Fisher
Five basic concepts you must know to address cybersecurity risks. General Lack of Awareness and a vague understanding of users threats & risks associated with computers and the Internet; a lack of quality help; and complacency are serious issues facing IT and Internet operations today.
Software is in place
Does not involve me
Using fault injection attacks for digital forensics Justin Black
Forensics is an important incident response and law enforcement tool. However, more and more devices have started using hardware encryption to ensure that the secrets they contain are well protected. Fault injection is a technique by which injecting various types of faults into an embedded system causes it to perform in a way it wouldn't have otherwise. In this presentation, we show how we can utilize fault injection techniques to perform forensics on an encrypted device.
This presentation shows how fault injection works and what it can be used for digital forensics needs.
Covert channels: A Window of Data Exfiltration Opportunities Joel Aleburu
A covert channel is an attack that creates a capacity to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy. Covert channels are easily used to exfltrate data from a secure location especially over a long period of time.
Generally, covert channels are usually very difficult to detect due to their ability to use existing legitimate connections hence, raising as little red flags as possible.
In this talk for CorkSec (December, 2019), Joel Aleburu would give an overview of Covert Channels; what they are, the different types, how they function, how to detect and mitigate against them.
La realización de un Test de Intrusión Físico tiene como finalidad conseguir acceso físico a una determinada ubicación, y no es una tarea sencilla. Requiere preparación, investigación, análisis, coordinación, mucha simulación y la aplicación de una metodología flexible que pueda adaptarse a las condiciones particulares de cada objetivo.
Analizar el entorno, evadir todo tipo de sistemas de seguridad física y colaborar en equipo (Red Team), son aspectos fundamentales para lograr la intrusión, y con ello posteriormente, el acceso a equipos, red y un sinfín de datos en las instalaciones del objetivo.Si quieres saber qué es un Red Team y profundizar en la realización de intrusiones físicas, esta es tu charla.
The Presentation is about the Basic Introduction to Cybersecurity that talks about introduction and what is security means. Also the presentation talks about CIA Triad i.e confidentiality, integrity and availability
For a college course at Coastline Community College taught by Sam Bowne. Details at https://samsclass.info/125/125_F17.shtml
Based on: "CISSP Study Guide, Third Edition"; by Eric Conrad, Seth Misenar, Joshua Feldman; ISBN-10: 0128024372
Rev. Oct. 13, 2017
Slides for a college CISSP prep course. Instructor: Sam Bowne
Taught online for Coastline Community College and face-to-face at City College San Francisco.
Based on: "CISSP Study Guide, Third Edition"; by Eric Conrad, Seth Misenar, Joshua Feldman; ISBN-10: 0128024372.
More information at https://samsclass.info/125/125_F17.shtml
DRC - Cybersecurity Concepts 2015 - 5 Basics you must know!Kevin Fisher
Five basic concepts you must know to address cybersecurity risks. General Lack of Awareness and a vague understanding of users threats & risks associated with computers and the Internet; a lack of quality help; and complacency are serious issues facing IT and Internet operations today.
Software is in place
Does not involve me
Using fault injection attacks for digital forensics Justin Black
Forensics is an important incident response and law enforcement tool. However, more and more devices have started using hardware encryption to ensure that the secrets they contain are well protected. Fault injection is a technique by which injecting various types of faults into an embedded system causes it to perform in a way it wouldn't have otherwise. In this presentation, we show how we can utilize fault injection techniques to perform forensics on an encrypted device.
This presentation shows how fault injection works and what it can be used for digital forensics needs.
Covert channels: A Window of Data Exfiltration Opportunities Joel Aleburu
A covert channel is an attack that creates a capacity to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy. Covert channels are easily used to exfltrate data from a secure location especially over a long period of time.
Generally, covert channels are usually very difficult to detect due to their ability to use existing legitimate connections hence, raising as little red flags as possible.
In this talk for CorkSec (December, 2019), Joel Aleburu would give an overview of Covert Channels; what they are, the different types, how they function, how to detect and mitigate against them.
La realización de un Test de Intrusión Físico tiene como finalidad conseguir acceso físico a una determinada ubicación, y no es una tarea sencilla. Requiere preparación, investigación, análisis, coordinación, mucha simulación y la aplicación de una metodología flexible que pueda adaptarse a las condiciones particulares de cada objetivo.
Analizar el entorno, evadir todo tipo de sistemas de seguridad física y colaborar en equipo (Red Team), son aspectos fundamentales para lograr la intrusión, y con ello posteriormente, el acceso a equipos, red y un sinfín de datos en las instalaciones del objetivo.Si quieres saber qué es un Red Team y profundizar en la realización de intrusiones físicas, esta es tu charla.
The Presentation is about the Basic Introduction to Cybersecurity that talks about introduction and what is security means. Also the presentation talks about CIA Triad i.e confidentiality, integrity and availability
For a college course at Coastline Community College taught by Sam Bowne. Details at https://samsclass.info/125/125_F17.shtml
Based on: "CISSP Study Guide, Third Edition"; by Eric Conrad, Seth Misenar, Joshua Feldman; ISBN-10: 0128024372
Rev. Oct. 13, 2017
Slides for a college CISSP prep course. Instructor: Sam Bowne
Taught online for Coastline Community College and face-to-face at City College San Francisco.
Based on: "CISSP Study Guide, Third Edition"; by Eric Conrad, Seth Misenar, Joshua Feldman; ISBN-10: 0128024372.
More information at https://samsclass.info/125/125_F17.shtml
Mercer Capital's Value Focus: Energy Industry | 3Q 2015 | Segment: Explorati...Mercer Capital
Mercer Capital's Energy Industry newsletter provides perspective on valuation issues. Each newsletter also typically includes a macroeconomic trends, industry trends, and guideline public company metrics.
Top 10 Web Hacks
Every year the number and creativity of Web hacks increases, and the damage from these attacks rises exponentially, costing organizations millions every year.
Join this webinar to learn about the latest and most insidious Web-based attacks. The much anticipated list, now in its seventh year, represents exhaustive research conducted by a panel of experienced security industry professionals. Learn the latest of the worst in Web hacks, and how to protect your organization.
In this presentation I have tried to figure out common loop holes through which web applications may fall prey to the attackers, common tools used in the trade and some preventive security measures to put us on a safer side.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
Assessing a pen tester: Making the right choice when choosing a third party P...Jason Broz, CIPP/US
Penetration Testing has become a part of every security program to some degree over the last several years. Additionally, many standards and regulations require them for compliance as do contractual obligations and pen testing is a well-known best practice for the IT security industry. One of the main issues with Penetration Testing is that very few entities have the knowledge, resources or time to address this in-house. As a result, this task is often outsourced to a third party, who employ “white-hat” hackers with the supposed expertise to complete the task in order to meet business and regulatory needs.
The question is “How do you tell the difference between a seasoned group of pen-testing professionals and a low-rent firm whose simply handing over the reports from a canned tool?” In this presentation, Jason Broz and Tom Eston from SecureState will address the following issues:
• Pitfalls of pen-testing clients
• Games that some firms may play
• What to look for in a quality pen test firm
• Provide the audience with a checklist of questions to ask when choosing a pen-test firm.
What Does a Full Featured Security Strategy Look Like?Precisely
In today’s IT world, the threats from bad actors are increasing and the negative impacts of a data breach continue to rise. Responsible enterprises have an obligation to handle the personal data of their customers with care and protect their company’s information with all the tools at their disposal.
For IBM i customers, this includes system settings, company-wide security protocols and the strategic use of additional third-party solutions. These solutions should include things like multi factor authentication (MFA), auditing and SEIM features, access control, authority elevation, and more. In this presentation, we will help you understand how all these elements can work together to create an effective, comprehensive IBM i security environment.
Watch this on-demand webinar to learn about:
• taking a holistic approach to IBM i Security
• what to look for when you consider adding a security product to your IBM i IT infrastructure.
• the components to consider a comprehensive, effective security strategy
• how Precisely can help
2023 NCIT: Introduction to Intrusion DetectionAPNIC
APNIC Senior Security Specialist Adli Wahid presents an Introduction to Intrusion Detection at the 2023 NCIT, held in Suva, Fiji from 17 to 18 August 2023.
Ethical hacking and ethical hacker are terms used to describe hacking performed by a company or individual to help identify potential threats on a computer or network. We talk about these practices and technology related...
For a college class in Network Security Monitoring at CCSF.
Instructor: Sam Bowne
Course website: https://samsclass.info/50/50_F17.shtml
Based on "The Practice of Network Security Monitoring: Understanding Incident Detection and Response" by Richard Bejtlich, No Starch Press; 1 edition (July 26, 2013), ASIN: B00E5REN34
Protecting Your IP with Perforce Helix and IntersetPerforce
The intellectual property stored in your SCM system comprises your company’s most valuable assets. How do you keep those assets safe from threats inside and outside your organization?
This session by Charlie McLouth, Director of Technical Sales at Perforce, and Mark Bennett, Vice President at Interset, will give you a deep dive into how Perforce Helix keeps your assets safe, including real-world scenarios of Interset's Threat Detection. You’ll hear how Interset Threat Detection applies advanced behavioral analytics to user activities to proactively surface threats to the IP stored in the Helix Versioning Engine.
You’ll also hear how Helix’s fine-grained permissions model provides unified security policies that govern access-control based on LDAP authentication and contextual information such as IP address of the client or file paths.
For a college class in Network Security Monitoring at CCSF.
Instructor: Sam Bowne
Course website: https://samsclass.info/50/50_F17.shtml
Based on "The Practice of Network Security Monitoring: Understanding Incident Detection and Response" by Richard Bejtlich, No Starch Press; 1 edition (July 26, 2013), ASIN: B00E5REN34
The SOC analyst training program is meticulously designed by the subject matter experts at Infosec Train. The training program offers a deep insight into the SOC operations and workflows. It is an excellent opportunity for aspiring and current SOC analysts (L1/L2/L3) to level up their skills to mitigate business risks by effectively handling and responding to security threats.
https://www.infosectrain.com/courses/soc-analyst-expert-training/
The SOC analyst training program is meticulously designed by the subject matter experts at Infosec Train. The training program offers a deep insight into the SOC operations and workflows. It is an excellent opportunity for aspiring and current SOC analysts (L1/L2/L3) to level up their skills to mitigate business risks by effectively handling and responding to security threats.
https://www.infosectrain.com/courses/soc-analyst-expert-training/
2. About Your Presenters
Ken Smith
• Employment
• Senior Consultant, SecureState, LLC.
• Professor of Network Security, University of Mount Union
• Cyber Security, Curriculum Development, Notre Dame College
• Formerly of 5th Special Forces Group (Airborne)
• Education
• BS, Computer Info Systems, University of Dayton
• AA, Arabic Language and Culture, Defense Language Institute
• MA, Security Policy Studies, Notre Dame College
• Areas of Specialization
• Physical Security, Wireless Encryption, and Mobile Devices
Benjamin Brooks, CISSP
• Employment
• Consultant, SecureState, LLC.
• Equipment Architecture and Configuration Validator, US
Special Operations Command
• Leading Chief Petty Officer, US Navy Special Warfare, Tactical
Information Operations, SEAL Team-5
• Education
• BA, Political Science, University of Illinois
• Areas of Specialization
• Policy, IT Partnering, Wireless Technologies and Mobile
Devices
3. Agenda
• Basics Booster
• State of Affairs
• Oh, the Places They’ve
Breached!
• Threat Actors
• The Attacker’s Mind
• A Paradigm Shift
• Operation OatmealGhost
• Q&A
5. State of Affairs
• Breaches continue in spite of budget increases
• Industry and size agnostic
• Attacks are increasing in frequency
• Variety of threat actors
• Not much in common at first glance
• Deeper analysis reveals shared mindsets
• Need for fundamental change in our approach to security
12. The Attacker’s Mind
• Attack methods are unpredictable
• Tools and exploits released continuously
• New indicators of compromise
• Attack methodology is not!
• Independent of background
• Recognizable behavior
13. The Attacker’s Mind
Enumeration
• Users
• Services
• Port Scans
• Operating
Systems
• Vulnerabilities
Exploitation
• SQL Injection
• Leverage
Vulnerabilities
• Establish
Foothold
• Evasion
Techniques
• Human
Element
Privilege
Escalation
• Configuration
Files
• User Pivoting
• Backups
• Scripts
• GPO
Preferences
• Mimikatz
Post
Exploitation
• System
Pivoting
• Network
Pivoting
• Persistence
• Pillaging
• Destruction
• Exfiltration
Discovery
• OSINT
• DNS
• Whois
• Network
• Metadata
• Social Media
16. A Paradigm Shift
• Compliance-driven security testing
• No social engineering
• Notify IT/Security teams of testing
• Small time windows
• Single lane assessments
• We’re on the same side
• Attackers don’t limit themselves
• Why should you?
17. A Paradigm Shift – One Phish, Two Phish
• Spam is not phishing
• Gone are the days of the Nigerian Prince
• Modern attacks
• Targeted
• Well-developed and researched
• Timely
• Can be a touchy subject
• People feel tricked and distrustful
• This is something to embrace (to an extent)
18. A Paradigm Shift – Red Phish, Blue Phish
• Verizon’s 2015 Annual Attack Vector Report
• 23% of recipients open phishing messages
• 11% open malicious attachments
• Median time to first click
• 22 seconds
• All it takes is one
19. A Paradigm Shift – Time and Scope
• Verizon report
• 37% breaches contained within hours
• 30% contained within several days
• Numbers are post-discovery
• Fireye 2012 report
• Average cyberespionage attack continued unchecked for 458 days before discovery
• Detection-deficit
• 8-16 hour penetration tests aren’t good enough
26. Timeline of Events
26
N - 14
•Recon Begins
•Targets Identified
•Hardware Ordered
•Sites Collected
•Metadata Collection
N
•Brute Force Lotus Notes
N + 2
•Shipped Payloads
N + 4
•Lotus Notes Recon
TROPHY
•USB Payload
Connects Back To C2
N + 4
(+ 5HR)
•Multiple Domain Administrators
TROPHY
*** Unrestricted ***
Pivoting
27. Highlight Reel
Access To Lotus Notes
Permitted Monitoring &
Countermeasures
Global Penetration
Regained Access After Blocking
Gained Access To Chat Server – Began Chatting As Admins
Listened to & Recorded
Conference Calls
28. After Action Review (AAR)
• What went right?
• Extended time period
• Inclusion of social engineering as a vector
• Reactions were legitimate
• What went wrong?
• Defenses had been focused on traditional
barriers
• Reacting to events over email
• Admin staff act hastily without understanding
the situation
29. After Action Review (AAR)
What Should Have Been Done Differently?
• Think Like an Attacker Before/During/After
• Where are our weaknesses?
• What is an attacker likely to do next?
• Social Media – Don’t be specific!
• War gaming
• Attack Your Own Organization
• Seek Out Weakness Throughout The Organization
• Remove Limitations on assessments
• A penetration test can be more
• Think beyond compliance
• Include Social Engineering
Become Proactive NOT Reactive!
30. After Action Review (AAR)
Top Three Things You Can Do
• Educate
• Educate
• Educate!
31. War Room Technical Blog
Confidential Information
https://warroom.securestate.com
@SS_WarRoom
33. A Paradigm Shift - Phishing
https://github.com/securestate/king-phisher
Editor's Notes
These are the topics that we will be covering, trying to keep it at a high level.
Basics Booster
Why can’t we have a 100% secure system?
Because we deal with people, and people make mistakes
CIA Triad: a balancing act
Breaches Continue
Not a matter of money, though budgets do need to be effective
More and more people are attacking
Variety of Actors
Who’s who in zoo
What’s their point? One of two goals
Get your information
Deny your information
The need to change focus
It takes a thief….
Frameworks
Anyone familiar with any of these?
Pick a flavor, they are very similar
Emphasize different aspects of the CIA Triad, but all pretty well balanced
Despite best efforts…
Last year there were some very notable breaches in security
But lets talk numbers…
Approximately $440 BILLION in 2014 lost to attackers… according to the Center for Strategic and International Studies (CSIS)
34% increase in security technology investments
It’s a lot of money but doesn’t seem like a bad investment, right?
And yet here we are…
What do all of these organizations have in common? They all use the internet, but seriously…
The weakest link in most information systems, are the people using
THE POINT
big or small, no company (or government organization) is immune
Attacks estimated to cost businesses nearly $1 trillion this year
Let’s get back to who’s who…
Governments: China, Russia
Hacktivists: annonymous , ISIS
Patriot Hackers: The Jester
Jokers: LULZ Sec
Curious Kids: just crazy kids
Attackers…
No matter what, assume the breach, because no system can be 100% safe.
So if we keep spending all this money on technology, is it worth it? What can we do?
We everyone, from CEO to Mailroom intern, to think more like an attacker!
And now my esteemed colleague, Ken Smith.
