PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017


Transcript of PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017

Jean-Paul Garcia-Moran

Security Architect

March 2017

Protect and survive—safeguarding your information assets

#MFSummit2017

What is the feeling out there on security?

PwC Global Economic Crime Survey 2016:

• 44%: of UK respondents who experienced cybercrime, up from 24% in 2014
• 71%: of respondents felt the risk of cybercrime had increased over the last 2 years
• 51%: sinking expectations from people; this is the number of respondents that felt that they would probably get hacked in the next two years.

Cyber Kill Chain

1) Reconnaissance
2) Weaponisation
3) Delivery
4) Exploitation
5) Installation
6) Command & Control (C2)
7) Actions on Objectives

Information gathering on places: Public Infrastructure, Corporations, People's Homes

Information gathering on services: Connectivity, Data Repositories, File Sharing, Internet Facing Devices

Active Reconnaissance

• Tools for network scanning
• Query public DNS databases for info on IPs
• Enumerate services and vulnerabilities

Passive Reconnaissance

• Specialized search engines provide an advantage of relative anonymity when researching targets
• Public repositories such as GitHub can be searched for users mistakenly publishing passwords and application code. (If there is one guarantee, it is that users make mistakes!)

• Many public databases to share Google Dorks
• Look for login UIs
• Shared documents in public clouds
• Web server information
• Application errors (SQLi attack vector)

Dorks shown on the slide:

intitle:"Login - OpenStack Dashboard" inurl:"dashboard"
site:onedrive.live.com shared by
inurl:/dbg-wizard.php filetype:php
site:cloudshark.org/captures# password
site:pastebin.com intext:@gmail.com | @yahoo.com | @hotmail.com daterange:2457780-2457811
intext:"expects parameter 1 to be resource, boolean given" filetype:php

How to perform SQLi

• Most of the time, it's an attack of opportunity
• Automation is possible with advanced payload techniques
• Common targets are PHP and MySQL applications

Login form inputs:

Username: ' OR 1=1;/*
Password: /* --

Resulting query:

SELECT * FROM 'users' WHERE 'username' = '' OR 1=1; /* AND 'password' = '*/ --'

Unauthorized access is granted to the application.

Injection into a double-quoted string context:

SELECT * FROM some_table WHERE double_quotes = "[Injection point]"
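The login bypass from the slide, reproduced as an added example (not code from the talk) against an in-memory SQLite table, beside the parameterised query that defeats it. The table, the account and the assumption that the password field is `*/ --` (as in the resulting query shown above, so that the comment closes) are constructed for this example.

```python
"""Added example, not from the talk: string-built login query vs. parameterised query."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one account whose password the attacker does not know.
    # Plaintext storage is only to keep the demo short; real systems store hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # String concatenation: the inputs become part of the SQL grammar, exactly as on the slide.
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders: the driver binds the inputs as data, so quotes and comments are inert.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# The slide's inputs: the username ends the WHERE clause with `OR 1=1;` and opens a
# comment; the password (assumed `*/ --`) closes it and comments out the trailing quote.
INJECTED_USER = "' OR 1=1;/*"
INJECTED_PASS = "*/ --"


def demo() -> dict:
    """Run both login paths with the injected inputs and a legitimate login."""
    conn = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, INJECTED_USER, INJECTED_PASS),
        "safe_bypassed": login_safe(conn, INJECTED_USER, INJECTED_PASS),
        "safe_legit": login_safe(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable path returns a row for the injected inputs without knowing any password; the parameterised path returns nothing for them and still accepts the real credentials.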

Advanced SQLi Payloads


User mistakes: looking for juicy info (GitRob)

• Look for passwords hardcoded in scripts
• Look for private keys mistakenly published
• Look for juicy info inside log files and scripts
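A defender-side counterpart to this slide, added here and not from the talk or from GitRob: a small pre-publish scanner for the three kinds of leak listed above, run over constructed sample files. The file names, contents and regex rules are assumptions made for the example.

```python
"""Added example, not from the talk: scan repository text for the slide's three leak types."""
import re

# Rules for the three categories on the slide. Constructed for this example; real
# scanners carry much larger rule sets and entropy checks.
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]?[^\s'\"]{4,}"),
    # user:secret@host URLs are a common way credentials end up in logs and scripts.
    "credential_in_url": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@"),
}


def scan_text(name: str, text: str) -> list:
    """Return (file, line_no, category) for every line matching a rule."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for category, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((name, line_no, category))
    return hits


# Constructed sample repository contents; none of these values are real credentials.
SAMPLE_FILES = {
    "deploy.sh": '#!/bin/sh\nDB_PASSWORD=Sup3rS3cret!\nmysql -u app -p"$DB_PASSWORD" app_db\n',
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...(truncated)\n-----END RSA PRIVATE KEY-----\n",
    "app.log": "2017-03-01 connecting to ftp://backup:hunter2@files.example.internal/\n",
    "README.md": "Set the password via the PASSWORD environment variable.\n",
}


def scan_repo(files: dict) -> list:
    """Scan every file; a non-empty result should block the push or fail CI."""
    hits = []
    for name, text in files.items():
        hits.extend(scan_text(name, text))
    return hits


if __name__ == "__main__":
    for hit in scan_repo(SAMPLE_FILES):
        print("%s:%d: %s" % hit)
```

Three lines are flagged (the script variable, the key header and the URL in the log) while the README, which only mentions the word "password", is not.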

Hackers abuse application errors to steal credentials with SQLi

Looking for juicier targets

• Search for devices with weak or no security
• Search for devices within a particular IP block to investigate a target
• Search for a particular type of $erver

Search queries shown on the slide (Shodan syntax):

openvpn
port:554 has_screenshot:true
motorola confidential country:"ES"

What's in your home?

• User works in a protected environment
• But carries the device to untrusted zones like their own home
• IoT introduces a large attack surface
• User credentials used for lateral movement

Exploitation

Stealthy Exploitation

Cartoon speech bubbles on the slide:

"These meatbags see me as a trusted process; little do they suspect that I am actually an advanced hacker tool written in PowerShell. I am capable of stealthily staging a breach!"

"These puny humans think their secrets are safe! But I, with my advanced memory manipulation techniques, will recover all your passwords and Kerberos tickets! They will never know what hit them! HA HA HA!!"

Slide captions: PowerShell staging techniques; passwords stored in clear text while in memory; ransomware disrupts the business.

• Passwords are sometimes hardcoded in Group Policies for configuration or update purposes
• They can be found in scripts used for maintenance of systems
• Many users hold privileged accounts and it's easier to attack them
• Phishing campaigns are very effective at compromising the users

Privileged Access Management

Policy engine does the following:

1) Evaluates rules
2) If user is allowed, obtains privileged credentials
3) Starts a privileged session with protected system
4) Connects users to privileged session

Figure: Policy Engine, Credential Vault, Bastion Server and Firewall in front of protected systems with accounts "User: admin" and "User: root". PAM functions shown: Access Policy Management, Super User Privilege Management (SUPM), Shared Account Password Management (SAPM), Real-time Activity Monitoring.

Privileged Access Management

Figure: Enterprise Credential Vault and Identity Vault, with Driver Sync to Managed Applications.

Privileged users:

• Sysadmins
• External consultants
• DBAs
• Developers
• Helpdesk

Leverage good governance

Managed targets: Databases, Operating Systems, Network Devices, SharePoint, RACF, SAP, LDAP

• Privileged Access Request
• Privileged Identity Governance
• Time Based Provisioning
• Authorization Workflows

Identity Governance and Administration

Monitor and Detect Anomalies

In order to detect an anomaly… you need to understand what is normal.

Could it have been prevented?

• Identity Governance
• Multi-Factor Authentication
• Change Management
• Risk Based Authentication
• SIEM Monitoring and Anomaly Detection
• Privileged Account Management

(Figure label: H4ck3R)

Recommendations

• http://wiki.ipfire.org/en/configuration/firewall/blockshodan
• Move to lowest privilege model
• Manage those passwords
• Enable the users to improve their own security

• Identify threat sources and actors and follow up on them (obsessively!!)
• Determine likely targets for these actors
• Manage the vulnerabilities
• Simulate attacks to test how effective the organization is at detecting and remediating
• Learn, improve and repeat.

www.microfocus.com