![Page 1: The Other Side Of The Fence. Dealing With Hackers And Malware](https://reader033.vdocuments.net/reader033/viewer/2022051608/54432f75b1af9f2d0a8b482b/html5/thumbnails/1.jpg)
The Other Side of the Fence. Dealing with Malware & Hackers
Prasanna V
http://vprasanna.com
We generally hear about hackers & malware, the damage they create, the money & data they steal.
How's it to be on The Other Side?
Episode 1: The Conficker Strikes
Somewhere during November 2008, an enterprise having thousands of systems spread across the world
Holiday season, most of the team were on leave
Complaints of network congestion, Domain controller was slow
We saw unprecedented network traffic, within LAN & Outbound to unusual IP addresses!
Rapid replication of suspicious system behavior across the globe
Antivirus on the systems was generally up-to-date with definitions
Our Network IDS was detecting traffic destined to random global IP addresses on destination port 445
Turns out that the infected machines were missing patches, most importantly MS08-067
Apparently, these systems were also missing OS hardening that was put in place
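The IDS observation on this slide, an internal host opening SMB (port 445) connections to many unrelated public addresses in a short time, is exactly the pattern that distinguishes a worm-infected machine from ordinary file-sharing traffic. The script below is an added illustration written for this page, not code from the talk or from any IDS product: it parses constructed flow records (timestamp, source, destination, destination port), treats RFC 1918 space as "inside" (an assumption; a real deployment would use the enterprise's own address plan), and flags any source that reaches a threshold of distinct external port 445 targets, reporting its internal SMB fan-out alongside so the LAN-side spread the slide mentions is visible too.

```python
import ipaddress
from collections import defaultdict

# Constructed sample connection records (not from the talk): timestamp, source, destination, dst port.
# 10.1.4.22 behaves like a worm-infected host: SMB to many distinct public addresses within seconds.
SAMPLE_FLOWS = """\
2008-11-20T09:00:01 10.1.4.22 10.1.4.5 445
2008-11-20T09:00:02 10.1.4.22 203.0.113.17 445
2008-11-20T09:00:02 10.1.4.22 198.51.100.8 445
2008-11-20T09:00:03 10.1.4.22 192.0.2.44 445
2008-11-20T09:00:03 10.1.4.22 203.0.113.99 445
2008-11-20T09:00:04 10.1.4.22 198.51.100.201 445
2008-11-20T09:00:05 10.1.4.31 10.1.4.5 445
2008-11-20T09:00:05 10.1.4.31 10.1.4.6 445
2008-11-20T09:00:06 10.1.4.31 203.0.113.17 80
2008-11-20T09:00:07 10.1.9.7 192.0.2.9 445
2008-11-20T09:00:07 10.1.9.7 192.0.2.10 445
2008-11-20T09:00:08 10.1.9.7 192.0.2.11 445
"""

SMB_PORT = 445

# Assumed address plan: RFC 1918 space is "inside"; anything else counts as outbound.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Distinct external SMB targets from one host before it is reported; tune per environment.
DEFAULT_THRESHOLD = 4


def is_internal(addr):
    """True when the address falls inside the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse whitespace-separated flow lines into (timestamp, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        records.append((ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)))
    return records


def find_smb_scanners(records, threshold=DEFAULT_THRESHOLD):
    """Return {src: {"external": n, "internal": m}} for sources whose distinct
    external port-445 targets reach the threshold; m is their distinct internal targets."""
    external = defaultdict(set)
    internal = defaultdict(set)
    for _, src, dst, port in records:
        if port != SMB_PORT:
            continue
        (internal if is_internal(dst) else external)[src].add(dst)
    flagged = {}
    for src, targets in external.items():
        if len(targets) >= threshold:
            flagged[str(src)] = {"external": len(targets), "internal": len(internal[src])}
    return flagged


if __name__ == "__main__":
    for host, counts in find_smb_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: {counts['external']} external and {counts['internal']} internal SMB targets")
```

Hosts that trip the threshold are the ones to isolate or patch first, which is the triage the next slides describe; workstations almost never have a legitimate reason to speak SMB to arbitrary public addresses, so even a low threshold produces few false positives once known file servers are excluded.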
We had Failed!
Effective logging and monitoring are like torchlight
Layered defense mechanism and the role of Security Information & Event Management (SIEM)
Security information from hosts & network logs helped identify the infected machines
Patch the systems or disable network access
Pivot! Being good with spreadsheets helps the admins
Anti-Virus and Firewall are not the ultimate solutions to today's sophisticated threats.
Foolproof security ?
There is Reasonable Security
... and it is achieved in layers
Episode 2: DHCP Server Goes Rogue
An admin's worst nightmare
Catastrophe Strikes!
1. Logged in to gateway / router. Internet is fine.
2. Logged into UTM, sessions have doubled.
3. No malware reported in the AV manager!
Wireshark is an Admin’s best friend!
“Documentation is your life savior”
Was able to identify the offending machine based on a list I had generated earlier
Turns out that a user had set up a server and
did not know to disable DHCP functionality!
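The two preceding slides describe the method: capture DHCP traffic with Wireshark, notice that more than one server is answering clients, and use a previously prepared inventory to turn the offending server's MAC address into a machine and a location. The script below is an added example for this page, not the speaker's tooling: it works over constructed DHCP OFFER summary lines (time, server MAC, server identifier, offered address, client MAC), compares the server identifier against an assumed list of authorised DHCP servers, and looks up every unauthorised server in an assumed MAC-to-host inventory, which is the "list generated earlier" doing its job.

```python
# Constructed DHCP OFFER summary lines (not from the talk), in the shape one could export from a
# Wireshark capture filtered on DHCP offers: time, server MAC, server identifier (option 54),
# offered address, client MAC. Two different servers are answering the same clients.
SAMPLE_OFFERS = """\
10:01:03 00:1a:2b:3c:4d:01 10.2.0.1 10.2.0.57 08:00:27:aa:bb:01
10:01:03 f0:de:f1:12:34:56 192.168.56.1 192.168.56.101 08:00:27:aa:bb:01
10:01:09 00:1a:2b:3c:4d:01 10.2.0.1 10.2.0.58 08:00:27:aa:bb:02
10:01:09 f0:de:f1:12:34:56 192.168.56.1 192.168.56.102 08:00:27:aa:bb:02
10:01:15 00:1a:2b:3c:4d:01 10.2.0.1 10.2.0.59 08:00:27:aa:bb:03
"""

# Assumed network documentation: the only DHCP server that should exist on this segment.
AUTHORIZED_DHCP_SERVERS = {"10.2.0.1"}

# Assumed MAC-to-host inventory, the kind of list the talk credits with finding the offending machine.
MAC_INVENTORY = {
    "00:1a:2b:3c:4d:01": ("dhcp01", "server room"),
    "f0:de:f1:12:34:56": ("ws-lab-07", "3rd floor lab"),
}


def parse_offers(text):
    """Parse one OFFER per line into dicts; MACs are normalised to lower case for lookups."""
    offers = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, server_mac, server_id, offered_ip, client_mac = line.split()
        offers.append({
            "time": ts,
            "server_mac": server_mac.lower(),
            "server_id": server_id,
            "offered_ip": offered_ip,
            "client_mac": client_mac.lower(),
        })
    return offers


def find_rogue_dhcp(offers, authorized=AUTHORIZED_DHCP_SERVERS, inventory=MAC_INVENTORY):
    """Group offers from servers not in the authorised set by server MAC and resolve each
    MAC through the inventory; unknown MACs are reported as such rather than dropped."""
    rogues = {}
    for o in offers:
        if o["server_id"] in authorized:
            continue
        entry = rogues.setdefault(o["server_mac"], {
            "server_id": o["server_id"],
            "offers": 0,
            "clients": set(),
            "host": inventory.get(o["server_mac"], ("unknown", "not in inventory")),
        })
        entry["offers"] += 1
        entry["clients"].add(o["client_mac"])
    for entry in rogues.values():
        entry["clients"] = sorted(entry["clients"])  # deterministic output
    return rogues


if __name__ == "__main__":
    for mac, info in find_rogue_dhcp(parse_offers(SAMPLE_OFFERS)).items():
        name, location = info["host"]
        print(f"rogue DHCP server {info['server_id']} at MAC {mac}: {name} ({location}), "
              f"{info['offers']} offers to {len(info['clients'])} clients")
```

In Wireshark the equivalent starting point is a display filter on DHCP Offer messages (`dhcp.option.dhcp == 2` in current releases), which shows every server answering on the segment; a server that is neither in the authorised list nor in the inventory is the one to go and find, and the inventory is only as useful as it is current, which is the point of the "documentation is your life savior" slide.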
People are the weakest link
Learnings:
• Internal users can cause as much trouble as hackers and malware
Information Security is about People, Process & Technology
Disclaimer
All opinions mentioned here are my personal and not necessarily
of my employer, current or previous.
Thank You
Prasanna V
Cofounder @PacketVerify
http://vprasanna.com
@terminalfix