An Anatomy of a Targeted Cyberattack

Slides:

Advertisements

Similar presentations

SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.

Advertisements

1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Cyber Attack Scenario Overview Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile.

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

ASSUME BREACH PREVENT BREACH + Research & Preparation First Host Compromised Hours Domain Admin Compromised Data Exfiltration (Attacker.

Website Hardening HUIT IT Security | Sep

Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,

Threats to I.T Internet security By Cameron Mundy.

Advanced Persistent Threats (APT) Sasha Browning.

Module 7 – Gaining Access & Privilege Escalation  Phase II  Controls Assessment  Scheduling ○ Information Gathering ○ Network Mapping ○ Vulnerability.

Information Security In the Corporate World. About Me Graduated from Utica College with a degree in Economic Crime Investigation (ECI) in Spring 2005.

Russell Rice Senior Director, Product Management Skyport Systems

The internet is a place of both useful and bad information. It has both good and bad side- and it’s all too easy for kids to stray into it. And no parents/guardian.

 Terms:  “Security”: is a system’s ability to provide services while maintaining the five IA pillars  “Attack”: an action that violates one of the.

Koustav Sadhukhan, Rao Arvind Mallari and Tarun Yadav DRDO, Ministry of Defense, INDIA Cyber Attack Thread: A Control-flow Based Approach to Deconstruct.

Common System Exploits Tom Chothia Computer Security, Lecture 17.

Defining your requirements for a successful security (and compliance

Proactive Incident Response

Stopping Attacks Before They Stop Business

Abusing 3rd-Party Services For Command And Control

OIT Security Operations

Six Steps to Secure Access for Privileged Insiders and Vendors

Adversary playbook.

Cybersecurity - What’s Next? June 2017

The next frontier in Endpoint security

5/31/2018 3:40 PM BRK3113 How Microsoft IT builds Privileged Access Workstation using Windows 10 and Windows Server 2016 Jian (Jane) Yan Sr. Program Manager.

Microsoft /20/2018 9:26 AM BRK1037 Win the IT security battle: automate password changes, privileged access & Minimize Cyber Losses Christopher.

Intelligence Driven Defense, The Next Generation SOC

be the strong link in your

Rules of Thumb to Mathematical Rule- A Cyber Security Journey

The Value of Defense in Depth

Automate, or Die Building a Continuous Response Architecture

Conquering all phases of the attack lifecycle

Six Steps to Secure Access for Privileged Insiders and Vendors

Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009

Introduction to Networking

Dissecting the Cyber Security Threat Landscape

Jon Peppler, Menlo Security Channels

Cyber Threat Intelligence Sharing Standards-based Repository

Closing the Breach Detection Gap

Unfortunately, any small business could face the risk of a data breach or cyber attack. Regardless of how big or small your business is, if your data,

Information Technology Services Education and Awareness Team

Determined Human Adversaries: Mitigations

Combining the best of Audit and Penetration Testing

Cyber attacks on Democratic processes

Social Engineering No class today! Dr. X.

Secure Browsing Because malware usually doesn’t identify itself.

Strong Security for Your Weak Link:

How to Operationalize Big Data Security Analytics

11/17/2018 9:32 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.

Shifting from “Incident” to “Continuous” Response

Network Security Best Practices

Brandon Traffanstedt Systems Engineer - Southeast

The Assumed Breach Model

Information Security Awareness

Chapter 4: Protecting the Organization

Cybersecurity Am I concerned?

Implementing Client Security on Windows 2000 and Windows XP Level 150

Leveraging Visual Basic for Security

Cyber Security - Protecting Information

BACHELOR’S THESIS DEFENSE

Incident response and intrusion detection

BACHELOR’S THESIS DEFENSE

Determined Human Adversaries: Mitigations

Information Technology Services Education and Awareness Team

ISDC 2018 Malware dynamics: how to develop a successful anti-malware defense reference architecture policy Speaker: Sander Zeijlemaker, PhD Student Authors:

Engineering Secure Software

Presentation transcript:

An Anatomy of a Targeted Cyberattack Kill Chain An Anatomy of a Targeted Cyberattack

Who Gabriel Mathenge Security enthusiast. Red teaming and penetration testing. Twitter: @_theVIVI Website: thevivi.net Email: gabriel<at>thevivi.net Vince Obilo Security enthusiast. Red teaming and penetration testing. Twitter: @truneski Website: truneski.github.io Email: vincetrune<at>gmail.com

Why we’re here The structure of a cyber attack from initial reconnaissance to objective completion. We’ll outline common Tools, Techniques and Procedures (TTPs) used by malicious actors in the wild today. Focus is on methodology, not motive. Methodologies become more advanced as you move up the threat pyramid, but the general theme of the most common attacks remains the same.

Attack Phases

Our Target Iron Bank The Iron Bank is a bank in the Free City of Braavos. It is arguably the most powerful financial institution in the 7 kingdoms.

Iron Bank Defenses The Usual Suspects Firewalls. Monitoring solutions e.g. SIEMs. Site blocking. Antivirus. Okay-ish patch cycle. Strong user account & password policies. Security staff (blue team).

Our Scenario

1. Recon Domains & IP ranges. Websites/web applications. Infrastructure. Locations. People. Emails. Social media.

2. Exploitation - Service Exploitation

2. Exploitation - Emails Bad Guy – badguy@krcc.co.ke Alice – alice@krcc.co.ke

2. Exploitation - Emails Macros HTA OLE No Powershell

2. Exploitation - USB

3. Persistence Solidifying our foothold Passwords. Scheduled tasks, registry, wmi (host-level persistence). Golden tickets (domain-wide persistence).

4. Lateral Movement Touring your internal network User hunting. System hunting. PS Remoting. WMI. Avoiding logs.

5. Data Exfiltration Download all the things File searching. Exfiltration over third party site. Your data

Endgame GAME OVER

Timeline Gathering intel about target (1-4 months) Prepare phishing campaign (2 weeks – 1 month) Launch phishing campaign (1 week) Initial foothold; emails opened (1 week) Host-level persistence (immediately) Privilege escalation (1 week - 2 weeks) Lateral movement (1 week – 1 month) Domain-wide persistence (1 day) Data exfiltration (Now - ∞) SWIFT hack? ¯\_(ツ)_/¯

Mitigations/Recommendations How do we stop it? Phase Mitigations/Recommendations Exploitation Less obsession with perimeter security. Assume compromise. They’ll get in; will you know? what can you do to stop it? Patching, patching, patching. Train users. Endpoint security & real-time monitoring; workstations are their way in. Invest in your security team. Persistence Limit domain admins. Limit where domain admins can login (e.g. only to DCs) Attackers need DC access to create Golden Tickets, don’t let them get it. Do your users have local admin rights? Lateral Movement Flat domain for your entire organisation? Nope. Network isolation. Logon restrictions. Event/process monitoring. Application whitelisting. Data exfiltration Network monitoring. Network filtering. Network segmentation. Network flow baselines and anomalous activity. Can you tell the difference? Process monitoring. Powershell talking to Dropbox? Why? …this is just the tip of a very large iceberg. To put it simply; invest in your security team.