infosek2010 presentation attacking a corporation
TRANSCRIPT
-
8/6/2019 INFOSEK2010 Presentation Attacking a Corporation
1/25
Attacking a corporation
Vectors of attack that need to be considered by security officers
-
Overview
  Corporate Security Profile
  Attacker Profile
  Attack Approaches
    OSINT
    Spear phishing
    Theft
    Wi-Fi
    Virtualization and Test
  Conclusions and Discussion
-
>/dev/null
  This presentation shows how to penetrate a corporation
  This presentation proves that corporations are impenetrable
  This presentation proves that corporations are insecure
  This presentation proves that I should become a criminal hacker
-
Corporate Security Profile
The good
  Systematic approach - a planned approach in which all bases need to be covered; a corporation plans for corporate security
  Immense capital resources - a corporation has the funds to purchase very powerful protection systems
  Well trained human resources - just as before, a corporation can train its teams with the best training programs
But
  Investment cycles - capital expenditures are planned for 1 and 3 year periods
  Strategic orientation - due to strategy, security may be set aside and its development delayed
  Vendor and product interoperability delays - anything new must be tested; the testing cycle is usually a month or more long
  Human resources usage - security personnel are assigned other tasks, which shifts their focus
-
Attacking a Corporation: Option 1
Attack with overwhelming force
  High profile attack, visible very early in the attack process
  Requires huge resources on the attacker's side
  Defenses will be raised immediately
  Additional resources can be diverted to defenses
  Law enforcement will be engaged immediately
-
Attacking a Corporation: Option 2
Low, under the radar
  Difficult to identify until the damage is done
  Requires very few resources to be successful
  Only some (if any) automated defense systems will be alerted
  Law enforcement will be engaged after the fact
-
The adversaries
Attackers employ guerrilla-like tactics.
  Not hampered by the need to follow systematic approaches and plans
  Have all the time in the world
  Will research the target for attack feasibility and possible approach
  Will research and obtain the required tools
  Will employ social engineering
  May attempt decoy attacks while the real attack is performed (for example DoS)
-
The adversaries: an image
  Gender - even distribution between both genders
  Expertise level - strong expertise in programming, TCP/IP protocols and operating systems. Regularly updating their knowledge through advisories and exercising on real or demo targets. Some possess good social skills (social engineering).
  Motive - financial gain through crime or politically motivated disruption. Alternatively, identifying vulnerabilities so they can be remedied. In certain cases, uncovering corporate secrets or making them available to the general public for ethical reasons.
  Posture towards their skills - secretive of their knowledge, sharing it only with a very limited group. They know the risk they take is large, and that should they be discovered their victims will go after them with a vengeance.
  Tools - any number of off-the-shelf products, always combined with custom written flexible code, viruses or worms.
  Organization - individual efforts or loose groups similar to guerrilla squadrons, but while the group works for a common interest, it is still every man for himself.
  Threat level - VERY HIGH - since they have criminal motives as well as broad knowledge and customized attacks, they will use multiple criminal vectors in parallel or to support each other. They will most frequently act as customers to gain access and trust and to collect information on weaknesses. To protect against them, full collaboration of physical and IT security is needed. Employee education and segregation of duties also assist in mitigating these attacks.
-
Attack Approach (intro)
  The most covert exploit is one that is used only once
  Attackers need one-shot, one-kill attacks
  This requires extremely serious reconnaissance
-
Attack Approach
Nothing new or revolutionary: most targets can be attacked by the same approach
  OSINT
  Spear Phishing
  Asset theft
  Guest WiFi
  Test and Virtualization Environments
-
OSINT
Intelligence collection from publicly available sources, analyzed to produce actionable intelligence
  Who is who - who to target, who to impersonate
  Maps and satellite imagery
  Relationships and interests - corporate partnerships, personal communications, news items. After years of being online, there is a lot out there
  Files saved on web servers - breadcrumbs on the internet
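One of the "breadcrumbs" above is the metadata inside Office documents published on a web server: author, last editor, company and software version all answer "who is who". The audit below is an added example (not code from the presentation); it reads those fields straight out of the OOXML zip container with the standard library, and the sample document, its names and the web-root path are constructed for the demo.

```python
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET

NS = {  # namespaces of the OOXML metadata parts inside a .docx/.xlsx/.pptx zip
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
FIELDS = [  # (zip member, element, report key): what an OSINT collector harvests
    ("docProps/core.xml", "dc:creator", "creator"),
    ("docProps/core.xml", "cp:lastModifiedBy", "last_modified_by"),
    ("docProps/app.xml", "ep:Application", "application"),
    ("docProps/app.xml", "ep:Company", "company"),
]

def ooxml_breadcrumbs(path):
    """Return the identifying metadata fields present in one OOXML document."""
    found = {}
    with zipfile.ZipFile(path) as z:
        for member, tag, key in FIELDS:
            if member in z.namelist():
                node = ET.fromstring(z.read(member)).find(tag, NS)
                if node is not None and node.text and node.text.strip():
                    found[key] = node.text.strip()
    return found

def audit_directory(directory):
    """Map each Office document under a web root to the names/software it leaks."""
    leaks = {}
    for name in sorted(os.listdir(directory)):
        if name.lower().endswith((".docx", ".xlsx", ".pptx")):
            fields = ooxml_breadcrumbs(os.path.join(directory, name))
            if fields:
                leaks[name] = fields
    return leaks

def build_sample_root():
    """Constructed sample: a temp web root holding one minimal docx (hypothetical names)."""
    root = tempfile.mkdtemp()
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:creator>Jane Example'
            '</dc:creator><cp:lastModifiedBy>IT Helpdesk</cp:lastModifiedBy>'
            '</cp:coreProperties>' % (NS["cp"], NS["dc"]))
    app = ('<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
           '<Company>Example Corp</Company></Properties>' % NS["ep"])
    with zipfile.ZipFile(os.path.join(root, "report.docx"), "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return root
```

Run `audit_directory` against a copy of your own public web root; any non-empty result is a name or software version you are handing to the reconnaissance phase for free.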
-
OSINT: Demo Presentation
-
Spear Phishing
Optimal targets
  Management - is not the best choice
  Marketing and corporate communications - receive huge amounts of media and even executable files
  VIP sales - regular communication with trusted partners
Combines best with common vulnerable applications like
  Adobe
  Internet Explorer
  Office
There are generic tools to create these attacks
The attacker needs to
  Be plausible
  Cover his/her tracks
  Work one-shot, one-kill (or burn the zombies)
-
Spear Phishing: Demo Presentation
-
Asset theft
Laptops? Yes, but laptops tend to be encrypted and people watch over them
  Mobile phones - contacts, account settings, VPN
  Wallets - keycards, personal information relevant to social engineering or identity theft
  Removable drives - is stuff actually deleted?
  Unattended key chains - office keys, keycards, RSA OTP tokens
-
Corporate Guest Wi-Fi
The wired infrastructure is fully controlled by IT
You find high-profile targets on the Guest WiFi:
  corporate laptop holders
  corporate VIP guests
  external contractors
A vector for the VERY PATIENT
A vector that is very difficult to detect
What is the trophy?
  Account passwords
  Contacts
  Attack targets (computers)
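The guest SSID is hard to watch, but the one log it always produces is the DHCP lease table, and corporate laptops on it are exactly the "high-profile targets" the slide names. The check below is an added example (not code from the presentation): it parses dnsmasq-style lease lines and flags a lease when its MAC is in the laptop inventory or its hostname follows a corporate naming convention; the inventory, the `CORP-` hostname prefix and the lease lines are all constructed for the demo.

```python
import re

# Constructed asset inventory: MAC -> asset tag of corporate laptops (hypothetical values).
CORP_ASSETS = {
    "00:11:22:33:44:55": "LT-0042",
    "00:11:22:33:44:66": "LT-0107",
}
# Hostnames following the (assumed) corporate naming convention CORP-<name>.
CORP_HOSTNAME = re.compile(r"^CORP-", re.IGNORECASE)
# dnsmasq-style lease line: <expiry> <mac> <ip> <hostname> <client-id>
LEASE_RE = re.compile(
    r"^(?P<expiry>\d+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<ip>\S+)\s+(?P<host>\S+)\s+(?P<cid>\S+)$", re.IGNORECASE)

def parse_leases(text):
    """Parse guest-SSID lease lines; malformed lines are skipped rather than fatal."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["mac"] = d["mac"].lower()  # normalise so inventory lookups match
            leases.append(d)
    return leases

def find_corporate_devices(leases):
    """Flag leases whose MAC is inventoried or whose hostname looks corporate."""
    findings = []
    for lease in leases:
        reasons = []
        if lease["mac"] in CORP_ASSETS:
            reasons.append("inventory:" + CORP_ASSETS[lease["mac"]])
        if CORP_HOSTNAME.match(lease["host"]):
            reasons.append("hostname")
        if reasons:
            findings.append({"mac": lease["mac"], "ip": lease["ip"],
                             "host": lease["host"], "reasons": reasons})
    return findings

# Constructed sample leases: one inventoried laptop, one corporate-named host, two guests.
SAMPLE_LEASES = """\
1280000000 00:11:22:33:44:55 10.99.0.12 CORP-LAPTOP-42 01:00:11:22:33:44:55
1280000100 aa:bb:cc:dd:ee:01 10.99.0.13 iPhone *
1280000200 aa:bb:cc:dd:ee:02 10.99.0.14 corp-sales-vip 01:aa:bb:cc:dd:ee:02
garbage line that does not parse
1280000300 aa:bb:cc:dd:ee:03 10.99.0.15 contractor-pc *
"""

def demo():
    """Audit the constructed lease table; returns the flagged devices."""
    return find_corporate_devices(parse_leases(SAMPLE_LEASES))
```

Because MAC addresses and hostnames are client-supplied (the "Impersonation of Mac Address" point later in the deck), this catches employees who wandered onto the guest network, not an adversary hiding on it; the durable fix is a policy and client configuration that keeps corporate laptops off the guest SSID altogether.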
-
Guest Wi-Fi: Demo Presentation
-
Test and Virtualized Environments
Virtualization is not a home use tool
  Usually used by organizations of 500 employees or more
  Smaller organizations use it to create multiple environments, even externally facing servers
Your activities are probably under the scrutiny of several security sensors
Targeting a virtualization environment requires good preparation and fast reaction
  Rarely exposed directly
  Need to enter and look around
Virtualized environments can hold a nice set of data for stealing or corrupting
  Passwords
  Standby copies of data
-
Test and Virtualization - Targets of choice
Research/training platforms ("let's see if we can install this")
  Notoriously unpatched (even at host level)
  Installed without following best practices
  Full of copied or freshly installed test guest computers
  Have a tendency to urgently become production systems
Test and development platforms
  Patch level drifting from production systems
  Need for additional resources creates forgotten copies
  Guest OS may be at a low patch level
  Have a lot of production grade data
Internet exposed non-production platforms (proof of concept, demo systems, etc.)
  Beta code
  Installed development tools which may open unnoticed interfaces
  Vulnerable web applications
-
Test and Virtualized Environments
  Demo - Attacking the VM
  Demo - Attacking a VM from a compromised VM
  Demo - Attacking the host from a compromised VM
-
Some interesting stuff
Creating a local exploit
  Think what the target is expecting (document, web site)
  One-shot, one kill
Wireless sniffer can live undetected for a long time
  Impersonation of MAC address
  Who reads POP3 e-mail? - everyone
Virtualized environment
  Very easy to forget patching
  Once inside the perimeter, the exploited targets can live for days
  No monitor to look at (think VNC)
-
Conclusions
Again, nothing new: these same issues exist in most organizations
  Work on awareness
  Patch everything
  Know your enemy
  Focus on physical security in depth
  Dedicate personnel to security and don't overload them with other stuff
  Ensure that virtual machines are fully updated before they are deployed in a production environment
  Do not expose test applications to the open internet on a VM (if you do, treat the entire host and all guests as hostile/honeypots)
  Isolate the VM test environments in network isolation layers; expose minimal services to the rest of the organization
-
To start off the discussion
Did you attack a real corporation?
  No, that would be a crime
Where can we get the tools?
  Google is your friend
Are there really organizations this vulnerable?
  The demo goes to extremes, but go back to your company and check:
    Who opens what kinds of attachments
    Who patched Adobe the last time
    Who saved corporate data on his USB and then securely deleted it
-
Thank you
Bozidar [email protected]
http://www.shortinfosec.net