Erich Mueller gave a presentation on conquering all stages of an attack at the NTXISSA Cyber Security Conference. He outlined the typical stages an attacker will go through - initial infection, command and control, privilege escalation, internal reconnaissance, lateral movement, and damage. At each stage, he described common techniques attackers use, such as phishing and fileless malware for initial infection, domain generation algorithms for command and control, and password dumping for privilege escalation. The goal is to provide a comprehensive overview of how attackers operate throughout an attack lifecycle.
Apple introduced a new set of features in iOS 8 and Yosemite under the name "Continuity". These features allow iPhones to work with other iDevices such as Macs and iPads in new ways. Handoff, Instant Hotspot and AirDrop are some of the new services offered by Continuity. Among these new services is one named "Call Relay". Essentially, it allows one to make and receive phone calls via iDevices and route them through the iPhone. This is not your typical VOIP service but a P2P connection based on a proprietary protocol. Apple's security white-paper is short and vague on this particular topic. Only four paragraphs are dedicated to explaining how Call Relay works, and the only security-relevant information is as follows: "The audio will be seamlessly transmitted from your iPhone using a secure peer-to-peer connection between the two devices."
I reverse engineered the protocol to understand how it works. The goal was to see if Apple's design was secure and find vulnerabilities, focusing on ways to eavesdrop on phone calls. In this presentation, I will start by explaining all the details of this protocol and the process of reverse engineering it. Once the protocol is understood by the audience, I will discuss the threat surface and the different attack vectors possible. I will focus on what worked and demonstrate with demos. We will see how it is possible to abuse the protocol to spy on victims by leaving their mic open. We can also troll victims by dropping or preventing them from picking up phone calls. Last, I will explain how an attacker can abuse multi-party calls to impersonate other callers. Once we understand the vulnerabilities, we will discuss how it can be weaponized to build an amateur (insert 3 letters here)-spy program. This presentation covers CVE-2016-4635, CVE-2016-4721, CVE-2016-4722 and CVE-2016-7577.
Ransomware: History Analysis & Mitigation
An hour long look at ransomware's beginnings, ransomware in the news, variants throughout the years, cutting edge malware analysis, and mitigation techniques.
Andy Thompson is a member of the Shadow Systems Hacker Collective and the Dallas Hackers Association, and is active in the Dallas InfoSec community. Currently a Technical Advisor for CyberArk Software, he works with Fortune 500 companies, assisting them in advancing their cybersecurity programs.
The Other Advanced Attacks: DNS/NTP Amplification and Careto
Mike Chapple
This session gives you a list of things besides spearphishing to worry about. You may think DDoS is old hat, but there’s a new spin on how to do it every month, including (to take one example) spoofing packets sent to an amplification server. These attacks leverage misconfigured DNS and NTP services to exhaust all bandwidth available to a third party victim. We’ve also learned in the past few weeks about a threat - Careto - that has been waging cyberwar against the Internet for at least seven years. In this webcast, we explore those new threats and ways that you can better defend your organization.
Snooping on Cellular Gateways and Their Critical Role in ICS
Priyanka Aash
To keep up with the growing demand for always-on and available-anywhere connectivity, the use of cellular, in comparison to its wireless mobile connectivity counterpart in the electromagnetic spectrum, is rapidly expanding. My research in the IoT space led me down the path of discovering a variety of vulnerabilities related to cellular devices manufactured by Sierra Wireless and many others. Proper disclosures have occurred; however, many manufacturers have been slow to respond. This led to examining numerous publicly disclosed vulnerabilities that were considered "low-hanging fruit" against cellular devices and other cellular-based network modems that are often deployed as out-of-band management interfaces. The research expanded through the details provided in the configuration templates available for each device, including the following:
- Wireless Network Information
- IPSec Tunnel Authentication Details
- Connected devices and services
Using an obfuscated series of examples to protect the organizations, people, and companies identified, this presentation focuses on the services and systems information of the following commonly deployed cellular-connected devices to provide an in-depth look at what is easily possible:
- Emergency Response systems
- Resource collection systems
- Transportation Safety
- Out of band management
Secure Application Development in the Age of Continuous Delivery
Tim Mackey
As delivered at LinuxCon and ContainerCon in Berlin 2016.
Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques.
The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers view as vulnerable, particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
• How known vulnerabilities can make their way into production deployments
• How deployment of vulnerable code can be minimized
• How to determine the vulnerability status of a container
• How to determine the risk associated with a specific package
Using hypervisor and container technology to increase datacenter security pos...
Tim Mackey
As presented at LinuxCon/ContainerCon 2016:
Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and anti-malware agents. Unfortunately, those techniques introduce performance and management challenges when used at large VM densities, and may not work well with containerized applications.
Fortunately, the Xen Project community has collaborated to create a solution which reduces the potential of success associated with rootkit attack vectors. When combined with recent advancements in processor capabilities, and secure development models for container deployment, it’s possible to both protect against and be proactively alerted to potential zero-day attacks. In this session, we’ll cover models to limit the scope of compromise should an attack be mounted against your infrastructure. Two attack vectors will be illustrated, and we’ll see how it’s possible to be proactively alerted to potential zero-day actions without requiring significant reconfiguration of your datacenter environment.
Technology elements explored include those from Black Duck, Bitdefender, Citrix, Intel and Guardicore.
Over the past year, Intel Security has actively participated with global law enforcement agencies in take-down operations to shut down cybercrime infrastructure, associated malware and the cybercriminals themselves. This session will deconstruct emerging attack campaigns and techniques, examine pragmatic defense strategies and discuss what to expect in the future.
Combating Cyberattacks through Network Agility and Automation
Sagi Brody
As presented January 2018 at PTC18 in Hawaii. This talk covers the use of new network automation technologies and strategies which can be used to combat cyberattacks including DDoS, ransomware, and reflection. The talk specifically discusses how DDoS monitoring and mitigation can be improved via the use of interconnection fabrics to replace traditional GRE tunnels for out-of-band communication; how Disaster Recovery as a Service (DRaaS) may be used as an entry point for cyberattacks; how DRaaS infrastructure may be used to improve production site security; and how Managed Security Service providers can integrate directly with DRaaS infrastructure and Software-Defined-Perimeter solutions to improve automated network failover and failback.
Jagadeesh Parameswaran, Microsoft
Rahul Sachan, Microsoft
Windows Defender Advanced Threat Protection (WDATP) gives defenders unparalleled visibility into the enterprise. And Azure Advanced Threat Protection (AATP) gives the power to monitor attacks on the Domain Controllers and user identities. Come spend an hour with us as we pull back the covers and go through detailed examples of real attacks that we saw as we defended the Microsoft corporate environment using WDATP & AATP.
Secure application deployment in Apache CloudStack
Tim Mackey
At the Apache CloudStack Collaboration Conference in Montreal, I presented a potential pathway to secure template management in CloudStack. Under this model, cloud providers can assess the templates their users have and potentially advise if deployed instances have application security issues which have either public disclosures, or better still remediation.
This presentation covers common cryptographic attacks, secure cryptographic implementation requirements, an overview of FIPS 140-2 and secure crypto implementation guidelines
Slides I presented at the MII-Intel Seminar (Jakarta, 30/10/2019)
IoT is the Future. Or even, IoT is widely adopted now.
Are you sure you are prepared enough for it? Are you confident that your IoT solution is secure?
From IT to IoT: Bridging the Growing Cybersecurity Divide
Priyanka Aash
With the widespread growth of IoT devices and services, security is a priority. This session will discuss the challenges of implementing security solutions for IoT services for security professionals who are looking at things from an IT viewpoint. Traditional IT security solutions may not be directly applicable to the IoT ecosystem. New IoT-specific threats and challenges need to be addressed.
Learning Objectives:
1: Learn about the top IoT threats.
2: Discover how to address threats using a new design process, not the old IT process.
3: Understand the security lifecycle differences between IT and IoT.
(Source: RSA Conference USA 2018)
The Art of Evading Anti-Virus
There are estimates that security analysts, including penetration testers, are approximately 5 years behind malicious actors. Anti-virus by itself isn’t enough to stop a malicious individual from gaining access to your servers or computers anymore. In fact, many of them have devised ways to evade anti-virus. We as security professionals should understand how these individuals are doing this, and what tools are available for us to replicate these attacks. Tools such as the Veil Framework assist us with this. This talk will go over this tool, and how malicious individuals evade anti-virus with ease.
Quentin Rhoads-Herrera is a security analyst for State Farm. In this position he is responsible for risk analysis and application security assessments. He is accountable for ensuring risks are identified and properly mitigated throughout the organization.
He previously served as the Information Security Director for Clearview Energy and Solarview. In this position he oversaw all information security activities. These included development of company-wide cyber security standards, development of layered defense approaches and the hardening and defense of all company systems.
Mr. Rhoads-Herrera has worked in the Information Security space for a total of seven years serving in roles ranging from Security Consultant to Information Security Director.
It comes as no surprise that any micro-services, any security controls you use to build applications, will eventually be broken (or fail). Under certain pressure, some components will fail together.
The question is: how do we build our systems in a way that security incidents won't happen even if some components fail, and data leaks won't occur even if penetration tests are successful? Defense in depth is a security engineering pattern that suggests building an independent set of security controls aimed at mitigating more risks even if the attacker crosses the outer perimeter. During the talk, we will model threats and risks for the modern web application, and improve it by building multiple lines of defense. We will overview high-level patterns and exact tools from the security engineering world and explain them to the modern web devs ;)
Dragos Adversary Hunter Joe Slowik presents on Behavior-Based Defense in ICS at the 13th annual API conference in Houston, TX. This presentation discusses how identifying adversary behaviors and their common requirements and behaviors can help network defenders prepare for future events--exemplifying how network defense for sensitive environments is strengthened through continuous improvement from prior events.
Visit www.dragos.com to learn more.
Dragos Adversary Hunter Jimmy Wylie presents "TRISIS in Perspective" at the 13th annual API conference in Houston, TX. This presentation analyzes the 2017 TRISIS event at an unspecified gas facility in Saudi Arabia, the first deliberate targeting of SIS that could have resulted in potential loss of life. This presentation also examines post-TRISIS activity, as Dragos has observed that XENOTIME, the adversary group responsible for TRISIS, has expanded its targeting to North America and other safety systems.
Visit www.dragos.com to learn more.
Detecting and Catching the Bad Guys Using Deception
Traditional controls are well known for their shortcomings in the face of modern cyber-attacks. Cyber security technologies make use of signature-based, behavioral, or Next Generation capabilities, or attempt to augment capabilities by leveraging a cloud-based or on-premise cyber analytics warehouse and threat intelligence feeds via indicators of compromise (IOC) or other mechanisms. Although the latter efforts have increased organizational cyber capabilities, they only do so with proper investments in people, process and technology. Additionally, as attackers adapt to defenses, these controls begin to experience decreasing marginal rates of defensive capability.
Deception programs, architectures and technologies endeavor to augment existing cyber security capabilities through the use of honeypots or honey net (decoys) or breadcrumbs or broken glass (deceptions).
Advanced deception technologies are differentiated by the use of distributed deception technology, which features agentless, simple deployment capabilities with lightweight deceptions that leverage operating system objects to deceive attackers into triggering alerts. Normal users would never trigger the deceptions as an attacker would, resulting in high-fidelity alerting with near-zero false positives. Such technology consequently serves not only to augment cyber security capabilities post-breach but provides a new, highly effective post-breach cyber security capability along with precise real-time forensics.
James Muren is a strategist and delivers workshops in cyber security strategy, GRC and security architecture that are used to develop long-term strategies and tactical roadmaps for customers that address security for legacy and cloud architectures. As a strategic management consultant who has built fully capable cyber programs in the past, he helps mentor and lead teams for programs and projects in information technology and cyber security. James is primarily focused on the business benefits of cyber security, and the demonstration of those benefits through metrics that can be quickly communicated to executive leadership. By properly integrating security controls within a regulatory and policy context, security programs such as breach and incident response, data governance, forensics, etc. can properly demonstrate value, receive proper investment and adequately secure organizations.
James is also a researcher. His areas of research include: Continuous GRC, cyber analytics, Trusted Computing Group (TCG), Security Automation, Hardware & Software Security, ICS, SCADA, IOT, Malware Research, Full System Security Design Lifecycle and Leap Ahead technology.
CONFidence2015: Real World Threat Hunting - Martin Nystrom
PROIDEA
Real World Threat Hunting
Security threats have grown from network annoyances to attacks on sensitive infrastructure; penetrating network perimeters, moving laterally within networks, breaching new device types, and cloaking movements. This presentation will share techniques utilized by Cisco to detect and investigate sophisticated, embedded threats.
The speaker, who has conducted monitoring and investigations on customer networks, will review recent real attacks observed on customer networks, from discovery to remediation, and provide lessons learned. These interactive case examples will highlight how to identify these threats using security intelligence, expert staff, and the Cisco OpenSOC platform.
Examples of attacks and illustrations:
* Sophisticated phishing attacks targeted at customer environments.
* Breaches and data exfiltration resulting from the high-profile HeartBleed and Shellshock vulnerabilities.
* Sophisticated malware targeting financial institutions with the goal of data theft.
* Use of full packet capture to identify data exfiltration.
Presented by Oliver Pinson-Roxburgh, (www.alertlogic.com) at AWS User Group meetup, November '17
As organisations continue to shift to cloud computing, new research reveals a significant consolidation of threats in specific layers of the computing model. Effective attackers, always seeking the weakest spots in network defenses, understand the changing attack landscape and have adapted their attack methods to this new paradigm. How do we evolve our security strategies to meet this challenge? In this session Oliver will discuss:
• Insights from the 2017 Cloud Security Report
• What the top 6 web attack types are that account for 75% of verified incidents
• Machine learning’s impact on detecting incidents and understanding attack progression
As well as a Live Cyber Hack Demo showing you the impact of implementing web applications that lack the correct security controls.
The speakers will present a detailed analysis based on research into more than 200 vulnerabilities in SCADA and HMI. You will get a detailed description of the popular vulnerability types in solutions from the largest vendors, such as Schneider Electric, Siemens, General Electric and Advantech. You will learn how to find critical vulnerabilities in base code. The talk will compare the activity of different vendors in releasing fixes, and will compare the SCADA segment with other segments of the software market. Developers and operators will be given recommendations that reduce the likelihood of attacks, along with forecasts about future trends in how attacks will develop.
Microsegmentation from strategy to execution (AlgoSec)
Organizations heavily invest in security solutions to keep their networks safe, but still struggle to close the security gaps. Micro-segmentation helps protect against the lateral movement of malware and minimizes the risk of insider threats. Micro-segmentation has received lots of attention as a possible solution, but many IT security professionals aren’t sure where to begin or what approach to take.
In this practical webinar, Prof. Avishai Wool, AlgoSec’s CTO and co-founder will guide you through each stage of a micro-segmentation project – from developing the correct micro-segmentation strategy to effectively implementing it and continually maintaining your micro-segmented network.
Register now for this live webinar and get a practical blueprint for creating your micro-segmentation policy:
What micro-segmentation is.
Common pitfalls in micro-segmentation projects and how to avoid them.
The stages of a successful micro-segmentation project.
The role of policy change management and automation in micro-segmentation.
How to protect my cloud workload from Ransomware? (Raphael Bottino)
"How to protect my cloud workload from Ransomware?" is a talk given at the Cloud Computing Meetup Rio, a meetup focused on cloud computing. The theme of this particular meetup was security in cloud computing. The presentation focuses on defending against ransomware such as WannaCry and Petya/NotPetya.
In recent years the traditional application monolith has broken down into a hefty collection of micro-services, increasing the attack surface. We will look at how this multiplies the entry points into the complex modern application ecosystem. The modern security tester needs a range of skills to pen-test such apps, including an understanding of containers, to successfully break or defend such applications.
We tie this to the fast-paced DevOps life cycles of applications and explore the challenges of scaling security for such applications across the organization.
This webinar therefore discusses traditional and relatively newer methods of pen-testing web applications, illustrating how changing business requirements and Agile life cycles affect security testing for modern applications.
Key Takeaways:
- What do the traditional pen testing/security testing techniques entail?
- How is the landscape for applications changing, and how does it affect security testing?
- What are the key essentials for testing modern applications?
- What can be done to scale security assessments (testing) for modern and Agile life cycles?
SplunkLive! Stockholm 2015 breakout - Analytics based security (Splunk)
Splunk products provide a flexible and fast security intelligence platform that makes security personnel and processes more efficient by providing quick and flexible access to all of the data and information needed to detect, investigate and remediate threats. This presentation will discuss best practices for building out or enhancing an analytics based security strategy and how Splunk products can make people, process, and technology work better together. Presented at SplunkLive! Stockholm, October 2015. For more information please visit http://live.splunk.com/stockholm
Array Networks - A Layered Approach to Web and Application Security
Encryption creates the need for at least two levels of security. ADCs provide high availability and a secure layer for SSL traffic termination, decryption, inspection and forwarding to advanced security appliances for further inspection.
Ed Keiper is a senior systems engineer with Array Networks. His background includes 10+ years of experience in cloud computing, infrastructure and security.
Streaming Cyber Security into Graph: Accelerating Data into DataStax Graph an... (Keith Kraus)
Traditional security tools like security information and event managers (SIEMs) are struggling to keep up with the terabytes of event data (250M to 2B events) being generated each day from an ever-growing number of devices. Cybersecurity has become a data problem, and enterprises need to respond with scalable solutions to enable effective hunting and combat evolving attacks. Rethinking the cybersecurity problem as a data-centric problem led Accenture Labs’s Cybersecurity team to use emerging big data tools along with new approaches such as graph databases and analysis to exploit the connected nature of the data to its advantage. Joshua Patterson, Michael Wendt, and Keith Kraus explain how Accenture Labs’s Cybersecurity team is using Apache Kafka, Spark, and Flink to stream data into Blazegraph and Datastax Graph to accelerate cyber defense.
Leveraging Datastax Graph and Blazegraph allows Accenture Labs to greatly accelerate query and analysis performance compared to traditional security tools like SIEM. Josh, Michael, and Keith share the challenges of fitting cybersecurity data into each of the graph structures, as well as the ways they exploited the connectedness of events to discover new threats that would have been missed in traditional SIEM tools. In addition, they explain how they use GPUs to accelerate graph analysis by using Blazegraph DASL. Josh, Michael, and Keith end by demonstrating how to efficiently and effectively stream data into these graph databases using best-in-breed technologies such as Apache Kafka, Spark, and Flink and touch on why Kudu is becoming an integral part of Accenture’s technology stack. Utilizing these technologies, clients have supercharged their security analysts’ cyber-hunting abilities and are uncovering threats faster.
Availability: How do you ensure business applications are delivered under attacks?
Performance: How do you ensure consistent user experience when your network is under attack?
Security: What is the cost of data loss or abuse of your resources?
Scalability: How do you ensure future growth while minimizing initial spending?
Cost reduction: How to address all the above while reducing costs?
The Indianapolis Splunk User Group meeting from December 1, 2022 included presentations on Risk Based Alerting from Kinney Group's Michael Simko, Outpost Security's Stuart McIntosh, and Horizon3.ai's Snehal Antani.
Intellectual Property Protection: Cross Roads between Ethics, Information Security, and Internal Audit
Richard (Rick) Brunner has more than 40 years' experience in information security and technology, specializing in secure systems/application design and development, system architectures, information risks and controls, testing, and strategy and program management. Rick's most recent assignment was as Assistant Vice President, Security Strategy and Architecture at GM Financial, and he has worked in healthcare, finance, human resources, the military, and intelligence. Rick has 32 years of military service, both active and reserve, rising to the rank of Colonel (O-6). He holds an Executive Juris Doctor degree with a concentration in Law and Technology from Concord Law School; a Master of Science degree in Computer Science with a concentration in Information Systems Security from James Madison University; and a Bachelor of Science degree in Mathematics and Computer Science from the University of Texas at San Antonio. Rick is an Assistant Faculty member at Collin College, instructing courses in its cyber security program, and is an active member of Collin's Cyber Security Advisory Board. Rick holds the following certifications:
• Certified Information Systems Security Professional (CISSP) (Certification Number: 375658)
• SABSA Chartered Security Architect - Foundation Certificate (SCF) (License SCF14020703)
• ITIL Foundation Certificate in IT Service Management (Certification Number: 37823)
Layered Security / Defense in Depth
One area that I have found that even seasoned security professionals have a problem with articulating is layered security (defense in depth). Most are familiar with their area of expertise (servers, networks, pen testing, etc.), but have never viewed security as a heterogeneous process. In my presentation I use a layered diagram to highlight what controls are in what layers, what controls interact across layers, and what a complete layered security model would look like vs. what a more typical company security model does look like.
Nathan Shepard
CISSP, CISM, CRISC, CISA
33 Years in IT.
21 Years in Information Security.
Information Security consulting at the corporate governance level.
Information Security management for outsourced InfoSec delivery.
Business Geekdom: 1 = 3 = 5
Each year a security team participates in several audits, meetings with the business and strategy meetings. Oftentimes, security is seen as the one imposing requirements that are either too difficult, impossible to manage or flat out ridiculous.
This is similar to a geek. A geek is defined as "an unfashionable or socially inept person." Is this social ineptness actually just the inability to translate the passion of the security professional to the business professional?
In this presentation, I would like to cover how to create, establish and evangelize a framework that has one backend with several frontends. The backend is a common security control framework (not the UCF) and the frontends translate it to the various business units, audits and business strategies a security professional encounters each year.
Grant Gilliam is an Enterprise and Solutions Architect for CHRISTUS Health. Previously, Gilliam has been a security architect, senior security engineer and senior data security analyst. Industries he has worked in include healthcare, insurance, software and news media. Gilliam has also established his own business, focused on outsourcing non-competitive business tasks, giving clients a strategic advantage over competitors by minimizing FTE and contractor headcount.
His educational background includes a Master of Science in Information Systems, focusing on Information Security, and a Bachelor of Business Administration in Management Information Systems, both from Baylor University. The focus of his master's degree research was IT law and intellectual property. Gilliam is also a Certified Information Systems Security Professional, Certified Information Security Manager and Certified Information Systems Auditor.
Day in the Life of a Security Solutions Architect
I'd like to present my "Day in the Life of a Security Solutions Architect" at Hewlett Packard Enterprise. In this presentation, I'll go into detail of what exactly I do as a security architect, and my career progression which got me there. I'll speak about my daily activities, successful client engagements, skills required, etc. I'm happy to answer any questions from the audience, share insights, what I wish I had done earlier in my career, etc.
Marco Fernandes is a Security Solutions Architect at Hewlett Packard Enterprise. Prior to that I worked in IT in the defense industry and in security consulting in the commercial world. I'm also President of the North Texas Cyber Security Association. I was born in Dallas, TX, and I obtained my Bachelor of Science in Business Computer Information Systems from the University of North Texas. In my free time I enjoy card games, reading, fitness, watching WWE wrestling, and helping my community.
Red, Amber, Green Status: The Human Dashboard
This session will outline the importance of presenting actionable metrics for the Security Awareness program. Oftentimes security programs are presented while omitting the most constant threat to Information Systems: the human. From a security awareness perspective, we will review analytics that include key performance indicators that may already be available to you; they just need to be added to the new human dashboard.
Laurianna Callaghan currently serves as a security consultant for Ana Academy, a Dallas-based security training company. Previously, Laurianna worked with Dell, where she created the security analytics for a major healthcare customer that were presented at the 2016 IASAP conference. In addition, Laurianna has more than 21 years' experience in various IT domains. She has served as the Director of Systems Engineering for a telemarketing firm and the UNIX/MVS Manager for a major airline, and has IT experience in the healthcare, communications, transportation, education, retail, and other industry sectors. Laurianna holds both the CCNA Security and CISSP designations.
Hacking Performance Management, the Blue Green Game - With a live demo!
Dr. Branden R. Williams has almost twenty years of experience in technology and information security, both as a consultant and an executive. Branden co-founded a technology services company that provided the foundation to a prominent e-learning company. He has vast experience as a practitioner and consultant which included helping companies create user-centric security controls and models. His specialty is navigating complex landscapes—be it compliance, security, technology, or business—and finding innovative solutions that save companies money while reducing risk and improving performance. Along the way, he was a Consulting Director for VeriSign/AT&T, one of four CTOs at RSA, ISSA Distinguished Fellow, elected to the PCI Board of Advisors, and author of four books.
Assuming people are rational, we all do things to maximize our payoffs. It's why things like Enron and the subprime mortgage crisis happen. This demonstration will show you a key element of designing performance management systems that employees will hack to their advantage.
ER (Entity Relationship) Diagram for online shopping - TAE (Himani415946)
https://bit.ly/3KACoyV
The ER diagram for the project is the foundation for the building of the database of the project. The properties, datatypes, and attributes are defined by the ER diagram.
Multi-cluster Kubernetes Networking: Patterns, Projects and Guidelines (Sanjeev Rampal)
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
1. Wireless Communication System_Wireless communication is a broad term that i... (JeyaPerumal1)
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
1. NTXISSA Cyber Security Conference – November 10-11, 2017
@NTXISSA #NTXISSACSC5
The Attack Lifecycle – Conquering All Stages of an Attack
Erich Mueller
Solutions Engineer
Cybereason
November 10, 2017
2. Hunting for the Adversary
• Innovation (Tough!)
• Custom Development (Challenging)
• Botnet, Hacked Server, Hosting ($20)
• Stolen Credit Card ($5)
• Obfuscator ($0.05)
• Rebuild Code ($0.00)
3. Are you under attack?
Initial Infection | C&C | Privilege Escalation | Recon | Lateral Movement | Damage
4. External Recon
• People/Social Engineering
  • Conferences
  • Call help desk or admin
• Technology
  • External scans
  • Buy information & tools on black market
• Business Intelligence
  • Trusted relationships
  • 3rd party vendors
“Even Rao, a highly experienced cybersecurity researcher, nearly fell for the scam, as he happened to have recently mailed a package via UPS.”
5. Initial Infection
• Phishing & spear phishing
• Vulnerability exploit
• Infected USB drive
6. Initial Infection: Process Injection
Running a procedure as a thread inside another process
• Evasion
• Reading host process memory
• Affecting host process behavior
• Server persistence
7. Initial Infection: Fileless Malware
Malicious code launches and carries out an infection within a tool or process
• Unlike traditional malware
  • Doesn’t use a file
  • Runs in memory of the device
Examples of processes/tools
• Legitimate Windows processes
• Windows Management Instrumentation (WMI)
• Meterpreter
• Executing remote commands
8. Command & Control
Why
• Establish and maintain connection to:
  • Execute malicious code
  • Update malware
  • Send back collected info
  • Provide heartbeat to indicate the attack is still alive
How
• Legitimate HTTP
• Legitimate DNS request
• Fast Flux
• TOR
• IRC
• Facebook / Twitter / YouTube comments
• Domain Generation Algorithm
9. Command & Control: Domain Generation Algorithm
• C&C servers quickly get blacklisted
• DGA generates 1000’s of domains
  • Predictable to attacker, unpredictable to security researcher
  • One will be C&C
• When C&C domain blacklisted, attacker:
  • Selects another generated domain
  • Registers it
  • Continues attack
10. Privilege Escalation
Why
• Gain better persistence
• Cred dump/user impersonation
• Operate under the radar
How
• Exploit vulnerabilities
  • Command line vulnerability
  • Process injection
• Leverage improper configurations
  • Local admin rights for all users
  • User lockout policies
11. Privilege Escalation: Exploit Windows Vulnerabilities
• Windows kernel mode driver vulnerabilities
• Windows task scheduler vulnerabilities
• Vulnerabilities in Windows design
  • Windows user account control (UAC)
  • DLL search order
13. Internal Reconnaissance
Why
• Paint a picture of the IT infrastructure
  • Who are the administrators?
  • What steps get me closer to my target?
  • What type of services are running?
• Identify target and a path to the target
How
• ARP scanning
• NetBIOS enumeration
• Port scanning
• Credential stealing
14. Recon: Port Scanning
• Services use ports to communicate
  • HTTP = 80, DNS = 53, etc…
• Attacker scans the subnet to find exposed and exploitable services
16. Lateral Movement
Why
• Gain access to target machines
  • Domain controllers
  • OWA
• Persistence
How
• Use legitimate tools maliciously
  • Pass The Hash/Ticket
  • Shares
  • PSExec
  • RDP
  • SSH
  • PowerShell
  • SCCM
17. Lateral Movement: PsExec
Legitimate use: IT admin runs PsExec to run a process on a remote machine interactively
Malicious use: Attacker runs PsExec with stolen credential hashes to spread their malware through an entire network
18. Lateral Movement: PowerShell
Legitimate use: IT admin runs PowerShell to monitor firewall
Malicious use: Attacker runs PowerShell with encoded commands to spread malware
21. Persistence
Why
• Establish long term access
• Primary goal is often persistent access
How
• Scheduled tasks
• Autoruns
• Temp files
• Fileless malware
22. Damage
• FTP/SSH
• Email
• DNS
• Dropbox
• Pastebin
o Ransomware
o Corporate financials
o Credit card data
o System corruption
Business Profit Sabotage
23. Are you under attack?
Initial Infection | C&C | Privilege Escalation | Recon | Lateral Movement | Damage
24. Total Enterprise PROTECTION
25. A Layered Approach to Security
26. Thank you
Editor's Notes
This is known as the triangle of pain. At the bottom of the slide are the things which are easy to detect. Hashes are trivial to detect and there are literally billions of them. IP addresses are a little harder due to spoofing etc., and domains a little harder still since they can change quickly. Network artifacts like botnets, compromised servers etc. are harder still, but there are still millions available in online marketplaces. But that’s where most solutions and threat intelligence services concentrate.
But there’s a second way to look at this. There’s the cost to the attacker. It costs nothing to recompile some malware and create a new hash. It costs a few dollars to buy a stolen credit card and buy a bunch of IP addresses or domains. It costs a few dollars to buy a compromised server to launch an attack from.
Attackers don’t have unlimited time and money though, so they re-use tools and TTPs many times over. There aren’t many of these. They’re tough to detect, but then again, they take a lot of investment from the attacker, so they have a much longer shelf life. That’s what Cybereason looks to detect. In this presentation we’ll look at some of these methods.
You’re probably familiar with this slide
Advanced attacks involve many steps after an initial infection
The challenge is to detect attack behaviors at all the steps and then be able to piece together all the components of the attack
No attack follows a perfect pattern/escalation – so having a linear attack lifecycle doesn’t make sense, but most attacks will leverage these steps at one point or another throughout the attack
In this presentation, I will walk through each stage in the attack lifecycle and give examples of what we see attackers doing to advance their attacks
First, before we even get to the attack lifecycle, an attacker will conduct external recon, which is essentially all the homework that an attacker will do before they begin their attack. They want to gather as much information about their target as possible in order to increase their chances of a successful attack. External recon can consist of research on:
People - A massive amount of information can be gathered through social engineering. That includes leveraging social networks like LinkedIn, Facebook, Twitter. One example of this is UserIDs. It’s human nature to use the same ID across multiple platforms. So, if you can figure out what someone’s userID is on one platform, that will likely translate across other platforms where you can gather even more intel.
Conferences – People love to talk. You can learn a lot of information by attending a conference and striking up a conversation with a representative of the target organization.
Help desk – If you get a little information, you can start getting a help desk to answer questions. Let’s say you have that UserID, you can call a help desk and ask a number of questions that can help you get an understanding of how things are set up there.
Technology – To better understand the technological lay of the land at the target, an attacker will do:
External Scans – These are constantly happening and can provide a lot of information about an organization's IT infrastructure. For example, you can see the IP block that an organization uses, what different firewalls they have, what version of operating systems they’re on, essentially everything that is exposed to the internet – and of course that’s highly valuable information to gather in order to plan your attack.
Buy information or tools – The easier way is to just buy the intel or tools – like a botnet to gain access to the intel that you want
Business Intel – Another layer to research is the business operations
Trusted relationships – An attacker will want to understand what suppliers this organization is working with
3rd party vendors – Think “Target breach” – attackers leveraged the HVAC vendor to gain access to POS devices and embed malware that stole credit card information. Knowing what 3rd party vendors an organization is using can provide an easy avenue for breaching into a network.
http://www.darkreading.com/attacks-breaches/why-social-media-sites-are-the-new-cyber-weapons-of-choice/a/d-id/1326802
Now that I (as the attacker) have done my homework and I know what’s out there, I’m ready to make my move!
So, how are attackers making this initial infection?
The most common way is through phishing and spear phishing. As much as you tell people to NOT click on the link, someone will always click on it. It’s human nature. You get an email from your boss that says “Urgent” with a link in it, you click on it…and boom – the attacker is in.
Another common technique is a vulnerability exploit – These are things like zero days, drive-by downloads, and taking advantage of anything not patched.
Infected USB drive – Who doesn’t want a free USB?! This one is classic - Attackers will load these up with malware, drop them out around the parking lot of their target organization, and inevitably someone will pick it up and put it in their machine. Like feeding candy to a baby…
Compromised credentials – There are a number of ways to compromise credentials – maybe an attacker is coming in from another compromised network and has compromised credentials. Remember what we said about how it’s human nature to reuse user IDs – it’s certainly human nature to reuse credentials as well. So an attacker can gain access with those stolen creds.
Once an attacker has made their way in, one of the first things that they often do is process injection. This is when an attacker will take a malicious process and inject it into a legitimate process.
For example: Let’s say that someone from inside the target organization clicks on an attachment in a phishing email. It opens an excel document where the malware is embedded, but the attacker wants to be (look like) he’s in a web browser so he can make an external connection that won’t send up red flags. So, he injects into a web browser through a vulnerability in Flash or IE or Firefox... This enables him to take over and access commands and run as legitimate web browser traffic. At that point, the attacker is in.
One benefit of using this technique is that it’s challenging to detect because the attacker is running within a legitimate process. For example, let’s say the attacker injects into Internet Explorer and starts making web calls...that’s pretty normal behavior. But, if he starts making web calls from Excel, that’s weird and more likely to get detected.
Process injection is a good way to make the initial breach AND gain persistence. In particular, attackers inject into processes on servers that rarely get rebooted – e.g. Domain Controllers. Some of the hacks on Russian banks used this technique.
According to the Cybereason response team, about 60% of successful attacks use “fileless” malware - where the malware exists only in memory, and never gets written to disk as a file. These attacks are undetectable by antivirus solutions, and many can easily avoid “next gen AV” tools. Fileless malware exploits vulnerable applications or uses legitimate administrative tools like PowerShell and WMI to propagate.
Detecting fileless malware requires deep visibility and complex analytics.
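The two detection ideas in these notes, a process that has no business making web calls (the Excel case above) and administrative tools such as PowerShell running with encoded commands (slide 18), worked through as an added example that is not from the talk or from Cybereason. The event format, the sample events and the process baselines are assumptions, built to be Sysmon-shaped; the decoder handles the base64 UTF-16LE form that -EncodedCommand requires and rejects anything that is not.

```python
import base64
import ipaddress
import re

# Constructed plaintext for the encoded-command sample (not a real payload).
TEST_PAYLOAD = "Write-Output 'constructed test payload'"
ENCODED = base64.b64encode(TEST_PAYLOAD.encode("utf-16le")).decode()

# Constructed, Sysmon-shaped endpoint events (not real telemetry):
# "<time>|<kind>|<image>|<parent_image>|<command_line>|<dest_ip:port>"
SAMPLE_EVENTS = rf"""
09:00:01|process|C:\Program Files\Internet Explorer\iexplore.exe|C:\Windows\explorer.exe|iexplore.exe|
09:00:05|network|C:\Program Files\Internet Explorer\iexplore.exe|||203.0.113.20:443
09:00:09|network|C:\Program Files\Microsoft Office\EXCEL.EXE|||203.0.113.77:443
09:00:12|network|C:\Program Files\Microsoft Office\EXCEL.EXE|||10.0.0.5:445
09:00:20|process|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Program Files\Microsoft Office\WINWORD.EXE|powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED}|
09:00:30|process|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\explorer.exe|powershell.exe Get-NetFirewallProfile|
"""

# Baselines are assumptions about one organisation, not universal truths:
# which processes normally talk to the internet, and which ranges are internal.
EXPECTED_NET_PROCESSES = {"iexplore.exe", "chrome.exe", "firefox.exe", "outlook.exe", "svchost.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# powershell.exe also accepts shortened forms of -EncodedCommand (-e, -ec, -enc).
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None when there is none or the
    argument is not valid base64 wrapping UTF-16LE (the only encoding PowerShell accepts)."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        time, kind, image, parent, cmdline, dest = line.split("|")
        events.append({"time": time, "kind": kind, "image": image, "parent": parent,
                       "cmdline": cmdline, "dest": dest})
    return events


def triage(events):
    """Apply three behavioural rules and return findings in event order."""
    findings = []
    for ev in events:
        image = basename(ev["image"])
        short = ev["image"].rsplit("\\", 1)[-1]
        if ev["kind"] == "network" and ev["dest"]:
            ip = ev["dest"].rsplit(":", 1)[0]
            # Rule 1: an outbound connection from a process that never should make one.
            if image not in EXPECTED_NET_PROCESSES and is_external(ip):
                findings.append({"rule": "unexpected_network_origin", "time": ev["time"],
                                 "image": short, "detail": ev["dest"]})
        if ev["kind"] == "process":
            # Rule 2: an Office application launching a script host (phishing-document pattern).
            if basename(ev["parent"]) in OFFICE_APPS and image in SCRIPT_HOSTS:
                findings.append({"rule": "office_spawns_script_host", "time": ev["time"],
                                 "image": short, "detail": ev["parent"]})
            # Rule 3: PowerShell with an encoded command; surface the decoded text for the analyst.
            decoded = decode_encoded_command(ev["cmdline"])
            if image == "powershell.exe" and decoded is not None:
                findings.append({"rule": "encoded_powershell", "time": ev["time"],
                                 "image": short, "detail": decoded})
    return findings


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_EVENTS)):
        print(f"{f['time']} {f['rule']:28} {f['image']:16} {f['detail']}")
```

The admin's firewall check and Excel's SMB connection to an internal server produce no findings, which is the point: the rules key on behaviour that is abnormal for the process, not on the tool itself.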
Now that the attacker is in, he needs to set up command and control.
WHY
Making and maintaining this connection enables the attacker to:
Execute commands on the compromised systems
Update malware if/when it needs to be updated – attackers may tweak their malware in the middle of an attack and need to push out an update to the compromised machines
Send information – As data and info is collected in a compromised machine, it must be sent back to the attacker through this connection
Provide heartbeat –it’s critical for an attacker to ensure that their connection is always up and running
HOW
Establishing this connection can be done through a number of techniques including:
Legitimate HTTP – many companies still allow unfiltered access over known ports
WannaCry: A great example is the first version of WannaCry which included a static domain responsible for keeping WannaCry propagating and spreading. By registering and blocking that domain, organizations had a “kill switch” to block the ransomware.
DNS tunneling – In DNS tunneling, command and control instructions get sent and received disguised as DNS queries via compromised DNS servers out on the Internet
Fast Flux – With Fast Flux, many IP addresses get associated with a single DNS domain, and swapped around at a high frequency, making it difficult to identify and blacklist IP addresses.
TOR – TOR, or “The Onion Router”, is software designed for anonymous communication and built to evade typical network controls. Although designed to protect the anonymity of people like political dissidents in authoritarian regimes, it’s often used by attackers as a way to communicate with compromised hosts
IRC – Internet Relay Chat (IRC) is a client/server networking model. Attackers often use IRC networks because they’re simple and require low bandwidth, making them widely used to host botnets
Social media – interactions with social networking sites can easily be automated and security teams are unlikely to spot offending traffic in the massive quantities of other social media sessions
Domain Generation Algorithm – Let’s dig into that more on the next slide
Before we get into how DGA works, back when malware first came out, attackers would establish C&C by including a connection to a specific IP address. As the malware was ripped apart, security teams would identify the connection and add the IP to a blacklist.
Now, malware authors have changed their approach. Instead of connecting to just one IP address that will inevitably get blocked, they create thousands of connections – and just one of them will be the C&C.
They create a ton of random DNS names. But then security teams caught on and said “Ok, any connection to a DNS without an English name, is bad.”
Attackers then started to concatenate multiple English words together. These guys are smart – so they even took it another step and decided to salt the algorithm a little bit.
One way to do this is to add the trending topic on Twitter. Now, you don’t know what I’m going to ask for tomorrow until tomorrow happens.
Even if/when their domain is blacklisted, the attacker can simply choose another generated domain, register it, and continue their attack.
In that way, DGA is a persistence mechanism to ensure the attacker maintains a connection to the compromised systems.
From the security analyst’s point of view, if they look at this from the:
Network perspective: They’re going to see all the DNS requests, but not know what process made the request. But if they look at it from the…
Endpoint Perspective: They will be able to see what process is making these connections
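The endpoint perspective described above, as an added example that is not part of the original presentation: it groups constructed DNS telemetry by the process that issued each query and flags DGA-like behaviour. Because dictionary-word DGAs defeat the “non-English name” rule from the slide, the check combines the NXDOMAIN count (most generated names are never registered) with label entropy and label length; all process names, domains and thresholds are constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed endpoint DNS telemetry: (process, queried domain, response code).
# Not real data; the names imitate both random-string and word-concatenation DGAs.
DNS_EVENTS = [
    ("chrome.exe", "www.example.com", "NOERROR"),
    ("chrome.exe", "cdn.example.net", "NOERROR"),
    ("svchost.exe", "time.windows.com", "NOERROR"),
    ("update.exe", "xk3q9v2mzp.com", "NXDOMAIN"),
    ("update.exe", "q8zlw0tnb4.net", "NXDOMAIN"),
    ("update.exe", "zzp2kx7r1m.com", "NXDOMAIN"),
    ("update.exe", "blueriverstone.com", "NXDOMAIN"),      # word-based DGA candidate
    ("update.exe", "greenmountainlake.net", "NXDOMAIN"),
    ("update.exe", "silverforestwind.org", "NOERROR"),     # the one the attacker registered
]


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a domain label (0.0 for a repeated single char)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(domain: str) -> str:
    """Return the registrable label ('xk3q9v2mzp' for 'xk3q9v2mzp.com')."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def score_processes(events, nx_threshold=3, entropy_threshold=3.3, length_threshold=12):
    """Group DNS events by originating process and flag DGA-like behaviour.

    A process is flagged when it receives many NXDOMAIN answers AND its labels are
    either high-entropy (random strings) or unusually long (concatenated words).
    The network view sees the same queries but cannot attribute them to a process.
    """
    by_proc = defaultdict(list)
    for proc, domain, rcode in events:
        by_proc[proc].append((domain, rcode))
    findings = {}
    for proc, recs in by_proc.items():
        nx = sum(1 for _, rcode in recs if rcode == "NXDOMAIN")
        labels = [second_level_label(d) for d, _ in recs]
        avg_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        avg_len = sum(len(l) for l in labels) / len(labels)
        suspicious = nx >= nx_threshold and (
            avg_entropy >= entropy_threshold or avg_len >= length_threshold
        )
        findings[proc] = {
            "nxdomain": nx,
            "avg_entropy": round(avg_entropy, 2),
            "avg_label_len": round(avg_len, 1),
            "suspicious": suspicious,
            # the resolved names are the live C&C candidates worth blocking first
            "resolved": [d for d, r in recs if r == "NOERROR"],
        }
    return findings


if __name__ == "__main__":
    for proc, report in score_processes(DNS_EVENTS).items():
        print(proc, report)
```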
Once the communications channel is established, the C&C server will instruct the malware on how to achieve next steps like escalating privileges…
WHY - Privileged accounts enable an attacker to more quickly and easily navigate a network to reach their ultimate target and have the access required to execute their mission (e.g. exfil sensitive data, access to shut down systems, etc)
With privileged access, an attacker has better persistence
Priv access also enables the attacker to access to system processes and run specific tools that must be run as admin/root. This can enable them to dump credentials and impersonate authorized users.
In addition, privileges enable an attacker to more easily operate under the radar of many security tools
HOW -
Exploit vulnerabilities: The most common way that attackers elevate privileges is to identify and exploit a common vulnerability.
Command line vulnerability – If a user has too many rights, an attacker can use the command line to reveal information that they shouldn’t be able to see. An attacker can then gain access to root or run an exploit to retrieve additional credentials in the network.
Process injection – If an attacker knows a vulnerability in an application, he will inject malicious code into the application’s process to leverage the vulnerability and elevate his privileges.
In addition, if the right policies aren’t set, an attacker can elevate their privileges by leveraging improper configurations
An attacker can easily gain admin access in an organization where all users have local admin rights on their machines. And – if a domain admin has ever logged into that machine, the attacker can very easily own the entire network.
If lockout policies are not properly set, an attacker can brute force into a machine and elevate privileges.
Rootkits
Deceive the user
Replace os with malware
Windows has a number of vulnerabilities that attackers take advantage of to elevate privileges.
These include:
Kernel Mode Driver vulnerabilities – One example is when the Windows kernel-mode driver (win32k.sys or other sys files) improperly handles objects in memory
Windows Task Scheduler – One known vulnerability is the way Task Scheduler conducts integrity checks to validate that tasks run with the intended user privileges
An attacker can exploit either of these vulnerabilities by running a specially crafted application on an affected system.
Windows Design – there are a number of inherent vulnerabilities in the way Windows is designed
UAC – There are many methods to bypass UAC. UAC is designed to enable a program to elevate its privileges to perform a task under administrator-level permissions. Attackers abuse this by injecting malicious software into a trusted process to gain elevated privileges. And they often elevate privileges this way without even notifying the user - if the UAC protection level is set to anything but the highest level, certain programs can elevate privileges without prompting the user through the UAC notification box.
DLL search – Attackers take advantage of the Windows DLL search order to modify or replace an existing DLL with a malicious DLL. One example is DLL preloading (also called binary planting attacks) which is when an attacker places a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. If a search order-vulnerable program is configured to run at a higher privilege level (such as any DLL running in kernel), then the malicious DLL that is loaded will also be executed at the higher level granting the attacker elevated privileges.
One exploit is Hot Potato (MS16-075), which takes advantage of a number of known issues with NTLM relay (HTTP->SMB relay) and NBNS spoofing. By exploiting these Windows design “features”, an attacker can elevate his privileges from an unprivileged user to NT AUTHORITY\SYSTEM.
Hot potato: https://github.com/foxglovesec/Potato
https://pentestlab.blog/2017/04/24/windows-kernel-exploits/
WHY - At multiple points along the attack lifecycle, the attacker will conduct reconnaissance to understand where they are in the network and what other systems may be within reach. Recon enables an attacker to answer questions that he may have about the network/IT infrastructure
Admins? I want access to those accounts to advance my attack
Steps? Where do I go next?
Services? Maybe I can exploit one of those to advance my attack
Recon also enables the attacker to identify their target machines (or at least what machines are likely to hold the information/data they are after.) and helps them identify the path to get to those target machines.
HOW - There are a number of ways that attackers can conduct recon including:
Look at different ARP tables - The Address Resolution Protocol (ARP) is a telecommunication protocol used for resolution of network layer addresses into link layer addresses. ARP is used to convert an IP address to a physical address such as an Ethernet address (also known as a MAC address)
NetBIOS enumeration – With NetBIOS enumeration, especially in Windows networks, you can use in-built operating system functions to understand what resources are available on a given network. This can contain very useful information like machine names or open shares.
Port Scanning & Credential Stealing – I’ll explain more on those on the next couple slides…
Port scanning is one method to conduct recon
Services use ports to communicate (HTTP = 80, or DNS = 53, which is useful to an attacker because it’s almost always open)
Once an attacker has established a foothold on a computer, he will scan the subnet to find exposed and exploitable services on other computers and platforms.
The port scanner generates a SYN packet. If the target port is open, it will respond with a SYN-ACK packet. The scanner host responds with an RST packet, closing the connection before the handshake is completed. When an endpoint wishes to stop its half of the connection, it transmits a FIN packet, which the other end acknowledges with an ACK.
In the past this was used indiscriminately to discover potentially vulnerable services, but that is a very noisy way to communicate. These days it’s more about understanding the machines around you so you know which tools you can use to move laterally, e.g. looking for open https servers, DNS servers, PSExec, NetBIOS ports. So you’ll see more targeted port scanning, selectively testing ports associated with legitimate tools.
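The half-open SYN scan and the “targeted” scanning described above, turned into detection logic, as an added example that is not part of the original presentation: it reads constructed connection records (source, destination, port, TCP flag sequence), keeps the flows where the client sent SYN but never completed the handshake with its own ACK, and reports sources that probe many distinct host:port pairs, noting which of the hit ports belong to the lateral-movement tooling mentioned in the slide. The flow format, addresses and threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed connection records: (src, dst, dport, flags seen in order).
# Flag tokens: S = SYN, SA = SYN-ACK, A = bare ACK, R = RST, F = FIN, FA = FIN-ACK.
FLOWS = [
    ("10.0.0.5", "10.0.0.20", 445, "S SA A F FA A"),   # normal SMB session, full handshake
    ("10.0.0.5", "10.0.0.20", 445, "S SA A"),
    ("10.0.0.7", "10.0.0.21", 445, "S SA R"),          # open port, scanner tears down with RST
    ("10.0.0.7", "10.0.0.21", 443, "S SA R"),
    ("10.0.0.7", "10.0.0.21", 53, "S SA R"),
    ("10.0.0.7", "10.0.0.21", 139, "S SA R"),
    ("10.0.0.7", "10.0.0.22", 445, "S SA R"),
    ("10.0.0.7", "10.0.0.22", 3389, "S R"),            # closed port, target answers RST
]

# Ports the slide singles out as lateral-movement infrastructure (constructed mapping).
LATERAL_PORTS = {53: "DNS", 139: "NetBIOS", 443: "HTTPS", 445: "SMB/PsExec", 3389: "RDP"}


def is_half_open(flags: str) -> bool:
    """True when the client sent SYN but never sent the bare ACK that completes the handshake."""
    seq = flags.split()
    return bool(seq) and seq[0] == "S" and "A" not in seq[1:]


def detect_scanners(flows, min_targets=4):
    """Return {src: report} for sources with >= min_targets distinct half-open host:port probes."""
    probes = defaultdict(set)
    for src, dst, dport, flags in flows:
        if is_half_open(flags):
            probes[src].add((dst, dport))
    reports = {}
    for src, targets in probes.items():
        if len(targets) < min_targets:
            continue
        ports = sorted({p for _, p in targets})
        reports[src] = {
            "targets": len(targets),
            "hosts": sorted({h for h, _ in targets}),
            "ports": ports,
            # a short, service-specific port list is the "targeted" pattern from the slide
            "lateral_movement_ports": [LATERAL_PORTS[p] for p in ports if p in LATERAL_PORTS],
        }
    return reports


if __name__ == "__main__":
    for src, report in detect_scanners(FLOWS).items():
        print(src, report)
```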
Credential theft is another way that an attacker will conduct recon and plan for his next steps. Some ways that an attacker will steal credentials include:
Mimikatz – open-source tool that extracts Windows credentials and is used in a number of attack techniques like pass the hash, pass the ticket, and golden ticket
WCE is an older but still functional tool designed for system administrators to make password management a bit easier. But of course attackers and pentesters can use this tool, too.
Lazagne - The LaZagne project is an open source password recovery tool used to retrieve passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases and so on). This tool has been developed for the purpose of finding these passwords for the most commonly-used software
With stolen credentials, an attacker is ready to move laterally and/or escalate privileges to continue his attack
http://www.blackhillsinfosec.com/?p=4667
WHY –
Attackers will conduct lateral movement for a number of reasons. Later in the attack lifecycle, they may be moving to gain access to their target machine. A common target in advanced attacks is a domain controller - As soon as an attacker accesses a DC, they can easily own the entire domain.
Another common purpose for lateral movement is to gain persistence. With access through multiple accounts/machines, if one is shut down, the attacker can easily pivot to another to continue his attack.
HOW
So, once the attacker knows where he wants to go, he’ll make his move – often by using legitimate tools in order to stay under the radar of the security team.
And, because these tools are legitimate, as a security analyst you can’t prevent them from running. But that doesn’t mean you can’t detect lateral movement. What you want to pay attention to is why the tool is run and where it’s run from.
Think of it like a shovel which is a legitimate gardening tool. If Bob is using that shovel to dig a hole and plant a tree, that’s a valid use of the tool. BUT if Bob is standing behind Billy and it looks like he’s going to hit him over the head with that shovel, as a security analyst I can say, “that’s a malicious use of the shovel – and something I’d want to stop”.
PSExec is a good example:
Let’s first look at the legitimate use of PsExec –
Remote tool
It’s really common behavior for IT admins to run PsExec and execute commands on remote systems (e.g. to do installations/updates on servers)
Now let’s look at a malicious use of PsExec -
1) An attacker will glean administrator credentials from an earlier attack stage (e.g. Mimikatz, WCE)
2) The attacker will then use credentials with PsExec for remote execution of code.
Examples:
Open up an interactive command shell for direct interaction with remote system
Create a scheduled task on remote machine for persistence or tool acquisition
Proliferate malware
etc..
PowerShell is another legitimate tool that attackers are leveraging
IT admins legitimately use PowerShell all of the time
IT admins will write scripts, commonly using PowerShell, to automate routine maintenance and monitoring
The malicious use of PowerShell is also occurring at an increasing rate
Attackers use PowerShell because it’s typically difficult to detect what they’re doing within PowerShell – it helps them look legitimate
They may run PowerShell with the intent of downloading and executing malware, moving laterally, or various other post-exploitation activities, but there are a few ways to tell the difference from the legitimate use and the malicious use:
One is where it’s running from: if you see PowerShell running from a parent process of Microsoft Office, that’s not normal.
Another thing to monitor is the network connections originating from PowerShell – you may be able to identify a malicious use of PowerShell if you see it making connections to a suspicious IP.
The other thing to look at is encoded commands – a normal IT admin will not usually use encoded commands. Attackers often will, because it’s a way to avoid AV and other prevention tools.
So if you see a bunch of encoded commands, that’s an indication that there’s something strange happening – so again, looking at the how, why, and where these legitimate tools are being used can enable you to detect an attacker at this stage.
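Two of the PowerShell indicators above (an Office parent process and encoded commands) as triage logic, as an added example that is not part of the original presentation. It walks constructed process-creation events, recognises any unambiguous prefix of -EncodedCommand, and decodes the blob (PowerShell encodes it as base64 over UTF-16LE) so the analyst sees the real command; the events, the parent-process list and the sample encoded command are constructed.

```python
import base64
import re
from typing import List, Optional

# Office parents that should not normally be spawning PowerShell (constructed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Any "-e..." switch followed by a base64-looking token; the caller checks that the
# switch is a prefix of "encodedcommand" so that e.g. -ExecutionPolicy is not matched.
ENC_SWITCH = re.compile(r"-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Constructed, benign sample command encoded the way PowerShell expects (UTF-16LE, base64).
SAMPLE_ENCODED = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16le")).decode()

# Constructed process-creation events (Sysmon-style fields); not real telemetry.
EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\Cleanup-TempFiles.ps1"},
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -enc " + SAMPLE_ENCODED},
]


def decode_encoded_command(blob: str) -> Optional[str]:
    """Return the script text behind an -EncodedCommand blob, or None if it does not decode."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_encoded_command(cmdline: str) -> Optional[str]:
    """Return the base64 blob if the command line uses -EncodedCommand (or a prefix of it)."""
    for m in ENC_SWITCH.finditer(cmdline):
        if "encodedcommand".startswith(m.group(1).lower()):
            return m.group(2)
    return None


def triage(event) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means routine admin use."""
    reasons = []
    if event["parent"].lower() in OFFICE_PARENTS:
        reasons.append(f"spawned by Office process {event['parent']}")
    blob = find_encoded_command(event["cmdline"])
    if blob is not None:
        decoded = decode_encoded_command(blob)
        reasons.append("encoded command" + (f": {decoded}" if decoded else " (undecodable blob)"))
    return reasons


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["parent"], "->", ev["image"], triage(ev) or "looks routine")
```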
Another everyday, legitimate protocol that attackers exploit is Kerberos
Built into the windows infrastructure, Kerberos authentication is happening behind the scenes every single day.
It looks complicated but it’s really simple:
A user authenticates at the beginning of the day by requesting a ticket from the Key Distribution Center (KDC)/Domain Controller (DC).
The KDC confirms that you are who you say you are, and sends you back a Ticket Granting Ticket (TGT)
Then, when the user wants to access other systems, or in this case an application server, he must request a Ticket Granting Service (TGS)
So, the user’s TGT (the user’s proof that he is who he says he is) is sent back to the KDC/DC, and the KDC generates a Ticket Granting Service (TGS) which enables the user to access the application server
That’s the legitimate use, but attackers are exploiting Kerberos with Pass the hash and pass the ticket attacks…
What the attacker is doing is stealing the user’s Ticket Granting Ticket (TGT)
In Kerberos, this isn’t the user’s password, but it essentially acts as the user’s password for as long as it’s valid (typically 8 to 10 hours)
So, with the stolen Ticket, the attacker can request access to the application server by presenting the stolen TGT to the DC. Because that TGT appears to be legitimate, the DC will generate a TGS for the attacker and grant him access to the application server.
In these attacks, the attacker only has the ticket (or hash in PtH) – they don’t even need a credential in order to gain access to any system that the user has access to and fly under the radar.
Detection of this is interesting:
Prevention won’t stop these types of attacks, but with good detection, you can spot them.
What you’re looking for (as the security analyst) is for anyone who has logged into a system without passing a UserID and password. You can see this by looking at API calls and logs that show that information.
WHY
Throughout the attack lifecycle, an attacker will maintain presence on the system to ensure he always has access - no matter what happens (e.g. system restarts, credentials are lost, remote access tool fails/restarts). It’s important for an attacker to open as many doors as possible to ensure that if one is shut, or leads to nothing, they still have a foothold and another avenue to advance their attack.
Persistence is also a common initial goal of an attack. Once that’s established, the secondary goal (damage of some sort) will be determined – but it rarely happens overnight. Advanced attacks occur over many months/years, so establishing persistence is critical to an attack’s success.
Some ways that attackers are maintaining persistence include:
Scheduled tasks – Windows Task Scheduler and other utilities can be used to schedule programs or scripts to be executed at a specified date and time. An adversary will use this to execute programs at the system startup or on a regular basis to maintain persistence. This way, anytime the system reboots, it will also reboot the malware/attackers’ access to the compromised system.
Autoruns – Similarly, it’s very common for attackers/malware authors to configure their malware to run during system bootup or logon to maintain persistence.
Temp files – Temp files are often used in conjunction with “just-in-time” compiling techniques. The payload is in a temp file, and then the system compiles the data in the temp file “on the fly” to create a process that only exists in memory, thus evading any scanners. Plus, whatever it creates has a unique hash since it’s compiled for one time use.
Fileless malware – Fileless malware keeps the malware infection concealed while it triggers the intended actions
Multiple ways to cause damage:
Business
Many advanced attackers will cause their damage by exfiltrating sensitive data like intellectual property (IP), or personally identifiable information (PII), etc
Profit
Instead of stealing information, some attackers go directly for money by quickly getting in, encrypting data, and holding it hostage for a price
Some attackers will steal financial information (earnings reports) before they’re publicly available and conduct insider trading based on the stolen information
Another method for profit is to steal credit card information for reuse or for sale
Sabotage
Other attackers seek to cause damage – sometimes we see this in industrial controls
Attackers have been known to use self-propagating wipers (e.g. Shamoon) to disable any and all machines that they reach
Another method is to replace firmware to corrupt systems
http://www.itworld.com/article/2861675/cyberattack-on-german-steel-factory-causes-massive-damage.html
As you’ve seen in this presentation, there are many steps and moves that attackers make in order to carry out their mission.
One of the best ways to defend is to conduct behavioral analysis to identify what attackers are doing, if and when they’re exploiting vulnerabilities, how and when they’re using legitimate tools, etc.
Your IT environment is so big and complex that the number of events happening in split seconds is endless (you can’t get there with analysts manually asking questions)
Invented our own tech from scratch: graph database + graph processing that is dynamic and real-time. Bigger and stronger than any technology out there.
Central to that question is detection, because you can’t protect against what you can’t detect. You can’t block it, you can’t prevent it, you can’t investigate, you can’t respond. And we detect better than anyone else.
Cybereason pitch / what we do here / how what you just saw relates to how we prevent attacks