The cyber threats facing businesses today are constantly evolving. They are being perpetrated by highly skilled, well-organized and well-funded groups.

In this session we’ll take a look at some of these threats, and how you can mitigate your risks.
2. What is the feeling out there on security?
Source: PwC Global Economic Crime Survey 2016
• 44% of UK respondents experienced cybercrime, up from 24% in 2014
• 71% of respondents felt the risk of cybercrime had increased over the last 2 years
• 51% of respondents felt that they would probably get hacked in the next two years (sinking expectations from people)
6. Information Gathering on Services
• Connectivity
• Data Repositories
• File Sharing
• Internet Facing Devices
7. Active Reconnaissance
• Tools for network scanning
• Query public DNS databases for info on IPs
• Enumerate services and vulnerabilities
8. Passive Reconnaissance
• Specialized search engines provide the advantage of relative anonymity when researching targets
• Public repositories such as GitHub can be searched for users mistakenly publishing passwords and application code. (If there is one guarantee, it is that users make mistakes!)
9. • Many public databases share Google Dorks
• Look for login UIs
• Shared documents in public clouds
• Web server information
• Application errors (SQLi attack vector)
17. • Most of the time, it’s an attack of opportunity
• Automation is possible with advanced payload techniques
• Common targets are PHP and MySQL applications
18. How to perform SQLi
Login form input:
    username: ' OR 1=1;/*
    password: */ --
Resulting query:
    SELECT * FROM `users` WHERE `username` = '' OR 1=1; /* AND `password` = '*/ --'
Everything between /* and */ is treated as a comment, so the password check is never evaluated and unauthorized access is granted to the application.
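To show why the payload above works and how a parameterised query stops it, here is an added example (not from the slides) using Python's sqlite3 against a constructed in-memory users table. The semicolon from the slide's payload is dropped: sqlite3 executes one statement per call and the comment splice does not need it.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the PHP/MySQL app in the slides.
    Passwords are stored in plaintext only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Builds the WHERE clause by string concatenation, the pattern the slide's
    payload abuses. Returns every row the database matched."""
    sql = (
        "SELECT id, username FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(sql).fetchall()


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised query: the driver passes the values separately from the
    SQL text, so quotes and comment markers inside them are data, not syntax."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# The comment-splicing payload from slide 18 (semicolon omitted, see lead-in).
PAYLOAD_USER = "' OR 1=1 /*"
PAYLOAD_PASS = "*/ --"

if __name__ == "__main__":
    db = make_db()
    # Vulnerable version: the spliced comment removes the password check and
    # OR 1=1 matches every user, so all rows come back.
    print("vulnerable:", vulnerable_login(db, PAYLOAD_USER, PAYLOAD_PASS))
    # Hardened version: the same input is compared literally and matches nothing.
    print("safe:      ", safe_login(db, PAYLOAD_USER, PAYLOAD_PASS))
```

A login handler that ever sees more than one row for a single credential pair is a useful thing to alert on, regardless of which query style produced it.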
19. Advanced SQLi Payloads
Target query:
    SELECT * FROM some_table WHERE double_quotes = "[Injection point]"
Payload (one line):
    "IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/"
20. GitRob
• Look for passwords hardcoded in scripts
• Look for private keys mistakenly published
• Look for juicy info inside log files and scripts
25. • Search for devices with weak or no security
• Search for devices within a particular IP block to investigate a target
• Search for a particular type of server
39. Stealthy Exploitation
“These meatbags see me as a trusted process; little do they suspect that I am actually an advanced hacker tool written in PowerShell. I am capable of stealthily staging a breach! These puny humans think their secrets are safe! But I, with my advanced memory manipulation techniques, will recover all your passwords and Kerberos tickets! They will never know what hit them! HA HA HA!!”
44. • Passwords are sometimes hardcoded in Group Policies for configuration or update purposes
• They can be found in scripts used for maintenance of systems
• Many users hold privileged accounts and it’s easier to attack them
• Phishing campaigns are very effective at compromising the users
45. Privileged Access Management
Components in the slide diagram: Policy Engine, Credential Vault, Bastion Server, Firewall, and the protected systems with their privileged accounts (User: admin, User: root).
The policy engine does the following:
1) Evaluates rules
2) If the user is allowed, obtains privileged credentials
3) Starts a privileged session with the protected system
4) Connects the user to the privileged session
48. Monitor and Detect Anomalies
In order to detect an anomaly… …you need to understand what is normal.
51. Could it have been prevented?
• Identity Governance
• Multi-Factor Authentication
• Change Management
• Risk Based Authentication
• SIEM Monitoring and Anomaly Detection
• Privileged Account Management
(Slide graphic: the attacker, labelled “H4ck3R”, surrounded by these controls.)
53. Recommendations
• Identify threat sources and actors and follow up on them (obsessively!!)
• Determine likely targets for these actors
• Manage the vulnerabilities
• Simulate attacks to test how effective the organization is at detecting and remediating
• Learn, improve and repeat.