The cyber threats facing businesses today are constantly evolving. They are being perpetrated by highly skilled, well-organized and well-funded groups. In this session we’ll take a look at some of these threats, and how you can mitigate your risks.

1. Jean-Paul Garcia-Moran
Security Architect
March 2017
Protect and survive—safeguarding
your information assets
#MFSummit2017

2. What is the feeling out there on security?
44% 71% 51%
PwC Global Economic Crime survey 2016
Of UK respondents
who experienced
cybercrime, up
from 24% in 2014
Of respondents felt
the risk of
cybercrime had
increased over the
last 2 years
Sinking
expectations from
people, this is
number of
respondents that
felt that they would
probably get
hacked in the next
two years.

4. 1
2
3
4
5
6
7
Cyber Kill Chain
Reconnaissance
Delivery
Installation
Actionson
Objectives
Weaponisation
Exploitation
Command&
Control(C2)

5. Information Gathering on Places
Public Infrastructure
Corporations
People’s Homes

6. Information Gathering on Services
Connectivity
Data Repositories
File Sharing
Internet Facing Devices

7. • Tools for network scanning
• Query public DNS databases for info on IP’s
• Enumerate services and vulnerabilities
Active Reconnaissance

8. • Specialized Search Engines provide an advantage of
relative anonymity when researching targets
• Public repositories such as GitHub can be searched for
users mistakingly publishing passwords and application
code. (If there is one guarantee is that users make
mistakes!)
Passive Reconnaissance

9. • Many public databases to share Google Dorks
• Look for login UI’s
• Shared documents in public clouds
• Web server information
• Application Errors (SQLi attack vector)

10. intitle:"Login - OpenStack Dashboard" inurl:"dashboard“

11. site:onedrive.live.com shared by

12. inurl:/dbg-wizard.php filetype:php

13. site:cloudshark.org/captures# password

14. site:pastebin.com intext:@gmail.com | @yahoo.com |
@hotmail.com daterange:2457780-2457811

15. site:pastebin.com intext:@gmail.com | @yahoo.com |
@hotmail.com daterange:2457780-2457811

16. intext:"expects parameter 1 to be resource, boolean
given" filetype:php

17. • Most of the time, it’s an attack of opportunity
• Automation is possible with advanced payload techniques
• Common targets are PHP and MySQL applications

18. How to perform SQLi
Login
‘ OR 1=1;/*
/* --
SELECT * FROM ‘users’ WHERE
‘username’ = ‘’ OR 1=1; /* AND
‘password’ = ‘*/ --’
Unauthorized access is granted to
the application

19. SELECT * FROM some_table WHERE double_quotes =
"[Injection point]“
Advanced SQLi Payloads
"IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,
SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@
@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC
71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)
<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEE
P(1)))OR"*/"

20. • Look for passwords hardcoded in scripts
• Look for private keys mistakenly published
• Look for juicy info inside log files and scripts
GitRob

21. User mistakes

22. Looking for juicy info

23. Looking for juicy info

24. Hackers abuse application errors to steal
credentials with SQLi

25. • Search for devices with weak or no security
• Search for devices within a particular IP bloc to
investigate a target
• Search for particular type of $erver

26. openvpn

27. port:554 has_screenshot:true

28. motorola confidential country:"ES"

29. motorola confidential country:"ES"

30. motorola confidential country:"ES"

31. Looking for juicier targets

32. What’s in your home?

33. User works in protected environment

34. But carries device to untrusted zones like own home

35. IoT introduces a large surface area of attack

36. IoT introduces a large surface area of attack

37. User credentials used for lateral movement

38. Exploitation

39. Stealthy Exploitation
These meatbags see me as a
trusted process, little do
they suspect that I
am actually an advanced
hacker tool written in
powershell. I am capable of
stealthily staging a breach!
These puny humans think their
secrets are safe! But I
with my advanced
memory manipulation techniques
will recover all your passwords and
kerberos tickets! They will never
know what hit them! HA HA HA!!

40. Powershell staging techniques

41. Passwords stored in clear text while in memory

43. Ransomware disrupts the business

44. • Passwords are sometimes hardcoded in Group Policies
for configuration or update purposes
• They can be found in scripts used for maintenance of
systems
• Many users hold privileged accounts and it’s easier to
attack them
• Phishing campaigns are very effective at compromising
the users

45. Privileged Access Management
Policy engine does the
following:
1) Evaluates rules
2) If user is allowed,
obtains privileged
credentials
3) Starts a privileged
session with protected
system
4) Connects users to
privileged session
Policy Engine
Credential Vault
Bastion Server Firewall
User: admin
User: root

46. Access
Policy
Manageme
nt
Super User
Privilege
Mgmt
(SUPM)
Shared
Account
Password
Manaement
(SAPM)
Real-time
Activity
Monitoring
Privileged Access Management
Enterprise
Credential Vault
Identity Vault
Managed Applications
Identity Vault
Driver Sync
• Sysadmins
• External consultants
• DBA’s
• Developers
• Helpdesk
Leverage good governance
Databases Operating Systems Network Devices
Sharepoint RACF SAP LDAP
Privileged
Access
Request
Privileged
Identity
Governance
Time Based
Provisioning
Authorization
Workflows
Identity Governance and Administration

48. Monitor and Detect Anomalies
In order to detect an anomaly…
…you need to understand what is normal.

51. Could it have been prevented?
Identity
Governance
Multi-Factor
Authentication
Change
Management
Risk Based
Authentication
SIEM Monitoring
and
Anomaly Detection
Privileged Account
Management
H4ck3R

52. • http://wiki.ipfire.org/en/configuration/firewall/blockshodan
• Move to lowest privilege model
• Manage those passwords
• Enable the users to improve their own security
Recommendations

53. • Identify threat sources and actors and follow-up on them
(obsessively!!)
• Determine likely targets for these actors
• Manage the vulnerabilities
• Simulate attacks to test how effective the organization is
at detecting and remediating
• Learn, improve and repeat.
Recommendations

55. www.microfocus.com