INFOSEK2010 Presentation: Attacking a Corporation

Upload: bozidar-spirovski

Post on 07-Apr-2018


TRANSCRIPT

  • 8/6/2019 INFOSEK2010 Presentation Attacking a Corporation

    Slide 1/25: Attacking a corporation

    Vectors of attack that need to be considered by security officers

    Slide 2/25 (no text content)

    Slide 3/25: Overview

    • Corporate Security Profile
    • Attacker Profile
    • Attack Approaches
      • OSINT
      • Spear phishing
      • Theft
      • Wi-Fi
      • Virtualization and Test
    • Conclusions and Discussion

    Slide 4/25: >/dev/null

    • This presentation shows how to penetrate a corporation
    • This presentation proves that corporations are impenetrable
    • This presentation proves that corporations are insecure
    • This presentation proves that I should become a criminal hacker

    Slide 5/25: Corporate Security Profile

    The good:
    • Systematic approach - a planned approach; all bases need to be covered, and a corporation plans for corporate security
    • Immense capital resources - a corporation has the funds to purchase very powerful protection systems
    • Well trained human resources - just as before, a corporation can train its teams with the best training programs

    But:
    • Investment cycles - capital expenditures are planned for 1- and 3-year periods
    • Strategic orientation - due to strategy, security may be set aside and get delayed in development
    • Vendor and product interoperability delays - anything new must be tested, and the testing cycle is usually a month or more long
    • Human resources usage - security personnel are assigned other tasks, which shifts their focus

    Slide 6/25: Attacking a Corporation - Option 1: Attack with overwhelming force

    • High-profile attack, visible very early in the attack process
    • Requires huge resources on the attacker's side
    • Defenses will be raised immediately
    • Additional resources can be diverted to defenses
    • Law enforcement will be engaged immediately

    Slide 7/25: Attacking a Corporation - Option 2: Low, under the radar

    • Difficult to identify until damage is done
    • Requires very few resources to be successful
    • Only some (if any) automated defense systems will be alerted
    • Law enforcement will be engaged after the fact

    Slide 8/25: The adversaries

    Attackers employ guerrilla-like tactics:
    • Not hampered by the need to follow systematic approaches and plans
    • Have all the time in the world
    • Will research the target for attack feasibility and possible approach
    • Will research and obtain the required tools
    • Will employ social engineering
    • May attempt decoy attacks while the real attack is performed (for example DoS)

    Slide 9/25: The adversaries - an image

    • Gender - even distribution between both genders
    • Expertise level - strong expertise in programming, TCP/IP protocols and operating systems. Regularly updating their knowledge through advisories and exercising on real or demo targets. Some possess good social skills (social engineering).
    • Motive - financial gain through crime or politically motivated disruption. Alternatively, identifying vulnerabilities so they can be remedied. In certain cases, uncovering corporate secrets or making them available to the general public for ethical reasons.
    • Posture towards their skills - secretive of their knowledge, sharing it with a very limited group. They know the risk they take is large, and that should they be discovered their victims will go after them with a vengeance.
    • Tools - any number of off-the-shelf products, always combined with custom written flexible code, viruses or worms.
    • Organization - individual efforts or loose groups similar to guerrilla squadrons, but while the group works for a common interest, it's still every man for himself.
    • Threat level - VERY HIGH - since they have criminal motives as well as broad knowledge and customized attacks, they will use multiple criminal vectors in parallel or to support each other. They will most frequently act as customers to gain access and trust and collect information on weaknesses. To protect against them, full collaboration of physical and IT security is needed. Also, employee education and segregation of duties assist in mitigating these attacks.

    Slide 10/25: Attack Approach (intro)

    • The most covert exploit is one that is used only once
    • Attackers need one-shot, one-kill attacks
    • This requires extremely serious reconnaissance

    Slide 11/25: Attack Approach

    Nothing new or revolutionary: most targets can be attacked by the same approach
    • OSINT
    • Spear Phishing
    • Asset theft
    • Guest WiFi
    • Test and Virtualization Environments

    Slide 12/25: OSINT

    Intelligence collection from publicly available sources, and analyzing it to produce actionable intelligence
    • Who is who - who to target, who to impersonate
    • Maps and satellite imagery
    • Relationships and interests - corporate partnerships, personal communications, news items. After years of being online, there is a lot out there
    • Files saved on web servers - breadcrumbs on the internet

    Slide 13/25: OSINT Demo Presentation

    Slide 14/25: Spear Phishing

    Optimal targets:
    • Management - is not the best choice
    • Marketing and corporate communications - get huge amounts of media and even executable files
    • VIP sales - regular communication with trusted partners

    Combines best with common vulnerable applications like:
    • Adobe
    • Internet Explorer
    • Office

    There are generic tools to create these attacks. The attacker needs to:
    • Be plausible
    • Cover his/her tracks
    • One-shot, one kill (or burn the zombies)

    Slide 15/25: Spear Phishing Demo Presentation

    Slide 16/25: Asset theft

    Laptops? Yes, but laptops tend to be encrypted and people watch over them
    • Mobile phones - contacts, account settings, VPN
    • Wallets - keycards, personal information relevant to social engineering or identity theft
    • Removable drives - is stuff actually deleted?
    • Unattended key chains - office keys, keycards, RSA OTP tokens

    Slide 17/25: Corporate Guest Wi-Fi

    The wired infrastructure is fully controlled by IT

    You find high-profile targets on the Guest WiFi:
    • corporate laptop holders
    • corporate VIP guests
    • external contractors

    A vector for the VERY PATIENT; a vector that is very difficult to detect

    What is the trophy?
    • Account passwords
    • Contacts
    • Attack targets (computers)

    Slide 18/25: Guest Wi-Fi Demo presentation

    Slide 19/25: Test and Virtualized Environments

    Virtualization is not a home use tool
    • Usually used by organizations of 500 employees or more
    • Smaller organizations use it to create multiple environments, even externally facing servers
    • Your activities are probably under the scrutiny of several security sensors

    Targeting a virtualization environment requires good preparation and fast reaction
    • Rarely exposed directly
    • Need to enter and look around

    Virtualized environments can hold a nice set of data for stealing or corrupting
    • Passwords
    • Standby copies of data

    Slide 20/25: Test and Virtualization - Targets of choice

    Research/training platforms ("let's see if we can install this")
    • Notoriously unpatched (even on host level)
    • Installed without following best practices
    • Full of copied or freshly installed test guest computers
    • Have a tendency of urgently becoming production systems

    Test and development platforms
    • Patch level drifting from production systems
    • Need for additional resources creates forgotten copies
    • Guest OS may be at a low patch level
    • Have a lot of production grade data

    Internet exposed non-production platforms (proof of concept, demo systems, etc.)
    • Beta code
    • Installed development tools which may open unnoticed interfaces
    • Vulnerable web applications

    Slide 21/25: Test and Virtualized Environments

    • Demo - Attacking the VM
    • Demo - Attacking VM from compromised VM
    • Demo - Attacking Host from compromised VM

    Slide 22/25: Some interesting stuff

    Creating a local exploit
    • Think what the target is expecting (document, web site)
    • One-shot one kill

    • Wireless sniffer can live undetected for a long time
    • Impersonation of MAC address
    • Who reads POP3 e-mail? Everyone

    Virtualized environment
    • Very easy to forget patching
    • Once inside the perimeter, the exploited targets can live for days
    • No monitor to look at (think VNC)

    Slide 23/25: Conclusions - Again Nothing New

    These same issues exist in most organizations
    • Work on awareness
    • Patch everything
    • Know your enemy
    • Focus on physical security in depth
    • Dedicate personnel to security and don't overload them with other stuff
    • Ensure that virtual machines are fully updated before they are deployed in a production environment
    • Do not expose test applications to the open internet on a VM (if you do, treat the entire host and all guests as hostile/honeypots)
    • Isolate the VM test environments in network isolation layers; expose minimal services to the rest of the organization

    Slide 24/25: To start off the discussion

    Did you attack a real corporation?
    No, that would be a crime

    Where can we get the tools?
    Google is your friend

    Are there really organizations this vulnerable?
    The demo goes to extremes, but go back to your company and check:
    • Who opens what kinds of attachments
    • Who patched Adobe the last time
    • Who saved corporate data on his USB and then securely deleted it

    Slide 25/25: Thank you

    Bozidar [email protected]

    http://www.shortinfosec.net