IMA - Anatomy of an Attack - Presentation- 28Aug15

The Anatomy of an Attack: Think Like a Criminal

Transcript of IMA - Anatomy of an Attack - Presentation- 28Aug15

Page 1: IMA - Anatomy of an Attack - Presentation- 28Aug15

The Anatomy of an Attack:Think Like a Criminal

Page 2: IMA - Anatomy of an Attack - Presentation- 28Aug15

About Your Presenters

Ken Smith

• Employment

• Senior Consultant, SecureState, LLC.

• Professor of Network Security, University of Mount Union

• Cyber Security, Curriculum Development, Notre Dame College

• Formerly of 5th Special Forces Group (Airborne)

• Education

• BS, Computer Info Systems, University of Dayton

• AA, Arabic Language and Culture, Defense Language Institute

• MA, Security Policy Studies, Notre Dame College

• Areas of Specialization

• Physical Security, Wireless Encryption, and Mobile Devices

Benjamin Brooks, CISSP

• Employment

• Consultant, SecureState, LLC.

• Equipment Architecture and Configuration Validator, US Special Operations Command

• Leading Chief Petty Officer, US Navy Special Warfare, Tactical Information Operations, SEAL Team-5

• Education

• BA, Political Science, University of Illinois

• Areas of Specialization

• Policy, IT Partnering, Wireless Technologies and Mobile Devices

Page 3: IMA - Anatomy of an Attack - Presentation- 28Aug15

Agenda

• Basics Booster

• State of Affairs

• Oh, the Places They’ve Breached!

• Threat Actors

• The Attacker’s Mind

• A Paradigm Shift

• Operation OatmealGhost

• Q&A

Page 4: IMA - Anatomy of an Attack - Presentation- 28Aug15

Basics Booster

Confidential Information

Information Security triad: Confidentiality, Integrity, Accessibility (the slide’s term for what the CIA triad usually calls Availability)

Page 5: IMA - Anatomy of an Attack - Presentation- 28Aug15

State of Affairs

• Breaches continue in spite of budget increases

• Industry and size agnostic

• Attacks are increasing in frequency

• Variety of threat actors

• Not much in common at first glance

• Deeper analysis reveals shared mindsets

• Need for fundamental change in our approach to security

Page 6: IMA - Anatomy of an Attack - Presentation- 28Aug15

Regulations and Frameworks

Page 7: IMA - Anatomy of an Attack - Presentation- 28Aug15

Breached 2014

Page 8: IMA - Anatomy of an Attack - Presentation- 28Aug15

Breached 2014

Chart: Technology Investments After The 2014 Breaches (share of organizations investing, axis 0% to 60%), covering:

• Security Incident & Event Management (SIEM)

• Endpoint Security

• Intrusion Detection & Prevention

• Encryption, Tokenization

• Web Application Firewalls

• Mobile Device Management

• Identity & Access Management

• Security Governance

• Forensic Tools

• Firewalls

• Data Discovery

• Virtual Private Network

• Data Loss Prevention (DLP)

• Anti-Virus/Anti-Malware

• Sensitive Data Management

• Data Classification

• Other

Page 9: IMA - Anatomy of an Attack - Presentation- 28Aug15

Breached 2015

Page 10: IMA - Anatomy of an Attack - Presentation- 28Aug15

Threat Actors

Page 11: IMA - Anatomy of an Attack - Presentation- 28Aug15

The Attacker’s Mind : Always Assume a Breach

Page 12: IMA - Anatomy of an Attack - Presentation- 28Aug15

The Attacker’s Mind

• Attack methods are unpredictable

• Tools and exploits released continuously

• New indicators of compromise

• Attack methodology is not!

• Independent of background

• Recognizable behavior

Page 13: IMA - Anatomy of an Attack - Presentation- 28Aug15

The Attacker’s Mind

Discovery

• OSINT

• DNS

• Whois

• Network

• Metadata

• Social Media

Enumeration

• Users

• Services

• Port Scans

• Operating Systems

• Vulnerabilities

Exploitation

• SQL Injection

• Leverage Vulnerabilities

• Establish Foothold

• Evasion Techniques

• Human Element

Privilege Escalation

• Configuration Files

• User Pivoting

• Backups

• Scripts

• GPO Preferences

• Mimikatz

Post Exploitation

• System Pivoting

• Network Pivoting

• Persistence

• Pillaging

• Destruction

• Exfiltration
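The GPO Preferences item in the privilege-escalation phase refers to passwords that Group Policy Preferences store in SYSVOL XML as a base64 "cpassword" attribute; Microsoft published the AES key that protects them, so any domain user who can read SYSVOL can recover the plaintext. The following is an added example, not code from the presenters or SecureState, that audits a SYSVOL tree for such entries. The XML files, directory layout and account names are constructed for the demo, and the cpassword value in them is arbitrary base64, not a real credential.

```python
"""Audit Group Policy Preference XML for stored credentials (cpassword).

Added example for this transcript, not the presenters' code. The six file
names below are the preference types that can carry a cpassword; the sample
XML is constructed for the demo and its cpassword is arbitrary base64.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files that can carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}


def scan_xml_text(xml_text: str, path: str = "<string>") -> list[dict]:
    """Return one finding per element carrying a non-empty cpassword."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [{"path": path, "error": f"unparseable XML: {exc}"}]
    findings = []
    for elem in root.iter():
        cpw = elem.get("cpassword")
        if not cpw:
            continue
        # The account name lives under different attributes per preference type.
        account = (elem.get("userName") or elem.get("accountName")
                   or elem.get("runAs") or elem.get("username") or "?")
        findings.append({"path": path, "element": elem.tag,
                         "account": account, "cpassword": cpw})
    return findings


def scan_sysvol(root_dir: str) -> list[dict]:
    """Walk a SYSVOL copy (or the live share) and scan every GPP file in it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8-sig") as fh:
                    findings.extend(scan_xml_text(fh.read(), full))
    return findings


# Constructed samples: a Groups.xml that sets a local account password,
# and a Drives.xml that maps a share without stored credentials.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="helpdesk-local"
        changed="2015-03-02 10:22:11" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description="constructed sample"
                cpassword="QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="helpdesk-local"/>
  </User>
</Groups>
"""
SAMPLE_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}">
  <Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="S:"
         changed="2015-03-02 10:30:00" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" path="\\\\fileserver\\share" label="Shared"
                persistent="1" useLetter="1" letter="S"/>
  </Drive>
</Drives>
"""


def demo() -> list[dict]:
    """Build a throwaway SYSVOL-like tree from the samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        pref = os.path.join(tmp, "Policies", "{GUID}", "Machine", "Preferences")
        os.makedirs(os.path.join(pref, "Groups"))
        os.makedirs(os.path.join(pref, "Drives"))
        with open(os.path.join(pref, "Groups", "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        with open(os.path.join(pref, "Drives", "Drives.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_DRIVES_XML)
        return scan_sysvol(tmp)


if __name__ == "__main__":
    for f in demo():
        if "error" in f:
            print(f"{f['path']}: {f['error']}")
        else:
            print(f"{f['path']}: <{f['element']}> account={f['account']} "
                  f"cpassword={f['cpassword']}")
```

Run scan_sysvol() against a copy of the domain's SYSVOL share. Every hit should be treated as an already-exposed credential: delete the preference item, rotate the password, and manage local accounts another way (LAPS or equivalent). The script stops at reporting on purpose; because the key is public, tools such as gpp-decrypt turn any reported value into plaintext in one step.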

Page 14: IMA - Anatomy of an Attack - Presentation- 28Aug15

The Hacker’s Mind

• Curiosity

• Problem Solvers

• Defiant

• Detail-Oriented

• Determined

• Sense of Community

Page 15: IMA - Anatomy of an Attack - Presentation- 28Aug15

A Paradigm Shift

Page 16: IMA - Anatomy of an Attack - Presentation- 28Aug15

A Paradigm Shift

• Compliance-driven security testing

• No social engineering

• Notify IT/Security teams of testing

• Small time windows

• Single-lane assessments

• We’re on the same side

• Attackers don’t limit themselves

• Why should you?

Page 17: IMA - Anatomy of an Attack - Presentation- 28Aug15

A Paradigm Shift – One Phish, Two Phish

• Spam is not phishing

• Gone are the days of the Nigerian Prince

• Modern attacks

• Targeted

• Well-developed and researched

• Timely

• Can be a touchy subject

• People feel tricked and distrustful

• This is something to embrace (to an extent)

Page 18: IMA - Anatomy of an Attack - Presentation- 28Aug15

A Paradigm Shift – Red Phish, Blue Phish

• Verizon’s 2015 Data Breach Investigations Report (DBIR)

• 23% of recipients open phishing messages

• 11% open malicious attachments

• Median time to first click

• 1 minute 22 seconds

• All it takes is one
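The per-recipient rates above make the campaign-level risk easy to quantify. As an added example, not from the presentation, the Python below computes the chance that at least one of n recipients opens the message or the attachment, and the campaign size an attacker needs to reach a chosen confidence. It treats recipients as independent and uses the DBIR rates purely as inputs; the independence assumption and the campaign sizes in the table are mine.

```python
"""Quantify "all it takes is one" for a phishing campaign.

Added example for this transcript, not the presenters' code. Recipients are
modelled as independent Bernoulli trials with the per-recipient rate quoted
on the slide; real campaigns are correlated, so treat results as a floor.
"""
import math


def p_at_least_one(p_single: float, recipients: int) -> float:
    """P(at least one success) over `recipients` independent trials: 1 - (1-p)^n."""
    if not 0.0 <= p_single <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    if recipients < 0:
        raise ValueError("recipients must be non-negative")
    return 1.0 - (1.0 - p_single) ** recipients


def recipients_for_confidence(p_single: float, confidence: float) -> int:
    """Smallest n with P(at least one) >= confidence.

    Solves 1 - (1-p)^n >= c, i.e. n >= ln(1-c) / ln(1-p), then re-checks the
    rounded value so floating-point error can never leave us one short.
    """
    if not 0.0 < p_single < 1.0:
        raise ValueError("need 0 < p < 1")
    if not 0.0 <= confidence < 1.0:
        raise ValueError("need 0 <= confidence < 1")
    if confidence == 0.0:
        return 0
    n = math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p_single))
    while p_at_least_one(p_single, n) < confidence:
        n += 1
    return n


def campaign_table(p_single: float, sizes=(1, 5, 10, 20, 50, 100)):
    """Rows of (recipients, P(at least one)) for a range of campaign sizes."""
    return [(n, p_at_least_one(p_single, n)) for n in sizes]


if __name__ == "__main__":
    OPEN_RATE, ATTACH_RATE = 0.23, 0.11   # DBIR 2015 figures quoted on the slide
    for label, rate in (("opens message", OPEN_RATE), ("opens attachment", ATTACH_RATE)):
        print(f"{label} (p = {rate}):")
        for n, p in campaign_table(rate):
            print(f"  {n:4d} recipients -> {p:6.1%}")
        print(f"  90% confidence needs {recipients_for_confidence(rate, 0.9)} recipients")
```

At the 11% attachment rate, a list of 20 people already gives the attacker better than a 90% chance of one execution, which is why awareness training that only lowers the per-recipient rate must be paired with controls that assume the click happens.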

Page 19: IMA - Anatomy of an Attack - Presentation- 28Aug15

A Paradigm Shift – Time and Scope

• Verizon report

• 37% of breaches contained within hours

• 30% contained within several days

• Numbers are post-discovery

• FireEye 2012 report

• Average cyberespionage attack continued unchecked for 458 days before discovery

• Detection deficit

• 8-16 hour penetration tests aren’t good enough

Page 20: IMA - Anatomy of an Attack - Presentation- 28Aug15

Operation OatmealGhost

Page 21: IMA - Anatomy of an Attack - Presentation- 28Aug15

Scenario

• Target Profile

• Multinational

• Decentralized

• Trophies

• Intellectual Property

• Merger/Acquisition Info

Page 22: IMA - Anatomy of an Attack - Presentation- 28Aug15

Send in the Team!

Page 23: IMA - Anatomy of an Attack - Presentation- 28Aug15

Attack Vectors

Page 24: IMA - Anatomy of an Attack - Presentation- 28Aug15

Attack Vectors

Page 25: IMA - Anatomy of an Attack - Presentation- 28Aug15

Attack Vectors

Page 26: IMA - Anatomy of an Attack - Presentation- 28Aug15

Timeline of Events


N - 14

• Recon Begins

• Targets Identified

• Hardware Ordered

• Sites Collected

• Metadata Collection

N

• Brute Force Lotus Notes

N + 2

• Shipped Payloads

N + 4

• Lotus Notes Recon TROPHY

• USB Payload Connects Back To C2

N + 4 (+5 hr)

• Multiple Domain Administrators TROPHY

• *** Unrestricted *** Pivoting
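The brute force against the Lotus Notes login on day N is the first noisy step in the timeline and the earliest point at which the defenders could have caught the operation. The following is an added example, not the presenters' tooling, of detection logic run over constructed authentication log lines in a generic "date time source user result" layout (not the real Domino log format; adapt parse_line() to whatever your server writes). It flags three things per source address: a burst of failures against one account, low-and-slow spraying across many accounts, and a success that follows either. The thresholds and the sample addresses and usernames are mine.

```python
"""Flag brute force and password spraying in authentication logs.

Added example for this transcript, not the presenters' code. Log lines are
constructed in a generic layout:  YYYY-MM-DD HH:MM:SS <source> <user> OK|FAIL
Thresholds are illustrative and should be tuned to the environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
FAIL_THRESHOLD = 6      # failures on one account from one source inside WINDOW
SPRAY_ACCOUNTS = 4      # distinct accounts failed from one source inside WINDOW
LOG_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_line(line: str):
    """'2015-08-14 09:00:01 10.0.0.5 jsmith FAIL' -> (ts, src, user, ok) or None."""
    parts = line.split()
    if len(parts) != 5 or parts[4] not in ("OK", "FAIL"):
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], LOG_FORMAT)
    except ValueError:
        return None
    return ts, parts[2], parts[3], parts[4] == "OK"


def detect(lines):
    """Return alerts in the order they trigger; each alert fires once per key."""
    per_user = defaultdict(deque)   # (src, user) -> failure timestamps in WINDOW
    per_src = defaultdict(deque)    # src -> (timestamp, user) failures in WINDOW
    fired, alerts = set(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue               # malformed line: skip, never crash the detector
        ts, src, user, ok = rec
        if ok:
            # A success after a burst of failures is the one that matters most.
            if (src, "brute", user) in fired or (src, "spray") in fired:
                key = (src, "success-after-failures", user)
                if key not in fired:
                    fired.add(key)
                    alerts.append({"kind": "success-after-failures",
                                   "src": src, "user": user, "at": ts})
            continue
        # Vertical brute force: many failures on one account from one source.
        q = per_user[(src, user)]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if len(q) >= FAIL_THRESHOLD and (src, "brute", user) not in fired:
            fired.add((src, "brute", user))
            alerts.append({"kind": "brute-force", "src": src, "user": user,
                           "at": ts, "count": len(q)})
        # Horizontal spray: few failures each across many accounts from one source.
        s = per_src[src]
        s.append((ts, user))
        while s and ts - s[0][0] > WINDOW:
            s.popleft()
        distinct = {u for _, u in s}
        if len(distinct) >= SPRAY_ACCOUNTS and (src, "spray") not in fired:
            fired.add((src, "spray"))
            alerts.append({"kind": "password-spray", "src": src, "at": ts,
                           "accounts": sorted(distinct)})
    return alerts


def build_sample_log():
    """Constructed sample: a legitimate typo, a brute force, and a slow spray."""
    base = datetime(2015, 8, 14, 9, 0, 0)
    stamp = lambda **kw: (base + timedelta(**kw)).strftime(LOG_FORMAT)
    lines = [f"{stamp()} 10.0.1.20 abrown FAIL",
             f"{stamp(seconds=15)} 10.0.1.20 abrown OK"]
    # Eight guesses against one mailbox, 7 s apart, then the attacker gets in.
    lines += [f"{stamp(seconds=30 + 7 * i)} 203.0.113.9 ceo FAIL" for i in range(8)]
    lines.append(f"{stamp(seconds=100)} 203.0.113.9 ceo OK")
    # One guess each against five accounts, 40 s apart: below any per-account limit.
    for i, u in enumerate(["jdoe", "msmith", "rlee", "kchan", "tnguyen"]):
        lines.append(f"{stamp(minutes=10, seconds=40 * i)} 198.51.100.7 {u} FAIL")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

The per-account lockout most directories ship with would stop the vertical attack but never see the spray, which is why the detector keys on the source as well as the account. In the engagement described here the team regained access after being blocked, so the "success-after-failures" alert is the one to route to a human rather than to an automatic block.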

Page 27: IMA - Anatomy of an Attack - Presentation- 28Aug15

Highlight Reel

Access To Lotus Notes Permitted Monitoring & Countermeasures

Global Penetration

Regained Access After Blocking

Gained Access To Chat Server – Began Chatting As Admins

Listened to & Recorded Conference Calls

Page 28: IMA - Anatomy of an Attack - Presentation- 28Aug15

After Action Review (AAR)

• What went right?

• Extended time period

• Inclusion of social engineering as a vector

• Reactions were legitimate

• What went wrong?

• Defenses had been focused on traditional barriers

• Reacting to events over email

• Admin staff act hastily without understanding the situation

Page 29: IMA - Anatomy of an Attack - Presentation- 28Aug15

After Action Review (AAR)

What Should Have Been Done Differently?

• Think Like an Attacker Before/During/After

• Where are our weaknesses?

• What is an attacker likely to do next?

• Social Media – Don’t be specific!

• War gaming

• Attack Your Own Organization

• Seek Out Weakness Throughout The Organization

• Remove Limitations on assessments

• A penetration test can be more

• Think beyond compliance

• Include Social Engineering

Become Proactive NOT Reactive!

Page 30: IMA - Anatomy of an Attack - Presentation- 28Aug15

After Action Review (AAR)

Top Three Things You Can Do

• Educate

• Educate

• Educate!

Page 31: IMA - Anatomy of an Attack - Presentation- 28Aug15

War Room Technical Blog


https://warroom.securestate.com

@SS_WarRoom

Page 32: IMA - Anatomy of an Attack - Presentation- 28Aug15


Q&A

@p4tchw0rk

@technlogian

Page 33: IMA - Anatomy of an Attack - Presentation- 28Aug15

A Paradigm Shift - Phishing

https://github.com/securestate/king-phisher