Adversary playbook.
Welcome: Real World Attack Demos
Adrian Diaz, Principal Solutions Architect
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.

EXISTING APPROACHES ARE FAILING
Adversaries are getting more sophisticated.
Malware attacks: 40%, low threat sophistication.
Non-malware attacks: 60%, high threat sophistication; harder to prevent and detect.
Actors: terrorists, hacktivists, cyber-criminals and organized criminal gangs, nation-states.
Speaker notes, questions for the audience:
• How many in the audience have been tackling the advanced threat landscape?
• Are most still in the malware-attacks mentality?
• How many have in-house advanced capabilities (people, process, tools)?
• How many have dealt with a targeted attack?
• Who understands the crowded endpoint space: EDR, next-gen AV, SIEMs, threat intel?
Next-gen AV (Falcon Prevent): machine learning; block known bad; exploit mitigation; IOA (indicator of attack) behavioral blocking.
EDR (Falcon Insight): real-time and historical search; record everything; threat hunting; response and containment.

Ransomware
47% of organizations have experienced a ransomware attack in the last 12 months. Source: Osterman Research.
Traditional antivirus and defenses are failing. We need to find a better approach.

THERE IS NO SUCH THING AS 100% PREVENTION…

$1.6M: the average impact of a successful spear-phishing attack.
84% of organizations said a spear-phishing attack successfully penetrated their organization in 2015.
Source: Vanson Bourne, “The Impact of Spear Phishing,” 2016.

200 Days: the average number of days attackers spend inside a network before being detected. Real-time visibility.
Source: INFOSEC Institute, “The Seven Steps of a Successful Cyber Attack.”

Scenario
Victim machine: Windows 7 workstation
Attacker machine: Kali Linux with Metasploit

Glossary
Metasploit Project: a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. The Metasploit Framework is, put simply, a collection of exploits and payloads; each exploit can be paired with various payloads, such as reverse or bind shells or the Meterpreter shell.
Meterpreter: an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.
Exploit: the use of software, data, or commands to take advantage of a weakness in a computer system or program to carry out some form of malicious intent, such as a denial-of-service attack or the delivery of Trojan horses, worms or viruses. The weakness can be a bug, a glitch or simply a design flaw.
Payload: the piece of code executed through an exploit.
mimikatz: a tool well known for extracting plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. mimikatz can also perform pass-the-hash and pass-the-ticket, and build Golden Tickets.
Social-Engineer Toolkit (SET): specifically designed to perform advanced attacks against the human element. The attacks built into the toolkit are targeted, focused attacks against a person or organization, used during a penetration test.

(un)Known Malware / Ransomware
• Run Cryptowall.exe with ML (machine learning prevention) enabled
• Hex-modify Cryptowall.exe so the file hash no longer matches any known-bad signature
• Disable ML and enable behavior-based IOA blocking
• File is quarantined
Start Demo
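The hex-mod step above is the classic way past a hash or signature match. As an added example, not code from the CrowdStrike deck, the Python below shows why a behavior-based IOA survives it: a one-byte change in padding defeats an exact SHA-256 blocklist, while a rule over process and file telemetry (shadow-copy deletion through vssadmin, mass renames to a new extension) still fires on the same execution. The sample binary bytes, the event shape, the telemetry and the 50-rename threshold are all constructed for the demonstration, not a real sensor format.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed stand-in for a known ransomware sample (not a real binary).
ORIGINAL = b"MZ\x90\x00" + b"\x00" * 60 + b"constructed-ransomware-body" + b"\x00" * 32

# "Block known bad": the exact-hash blocklist a signature engine keeps.
BLOCKLIST = {hashlib.sha256(ORIGINAL).hexdigest()}


def hash_blocked(data: bytes, blocklist=BLOCKLIST) -> bool:
    """Static check: exact SHA-256 match against the blocklist."""
    return hashlib.sha256(data).hexdigest() in blocklist


def hex_mod(data: bytes, offset: int) -> bytes:
    """The demo's 'HEX mod': flip one byte of padding so the file hash
    changes while the code that actually runs does not."""
    patched = bytearray(data)
    patched[offset] ^= 0xFF
    return bytes(patched)


def ransomware_ioa(events, rename_threshold: int = 50):
    """Behavioral IOA over process/file telemetry (assumed event shape).

    Flags a process that deletes volume shadow copies through a child
    vssadmin.exe, or renames at least `rename_threshold` files to a new
    extension. Returns {pid: [reasons]}; an empty dict means no hit.
    """
    hits = defaultdict(list)
    renamed = Counter()
    for ev in events:
        if ev["type"] == "process_start":
            image = ev["image"].lower()
            cmd = ev.get("cmdline", "").lower()
            if image == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
                hits[ev["ppid"]].append("shadow copy deletion via vssadmin")
        elif ev["type"] == "file_rename":
            src_ext = ev["src"].rsplit(".", 1)[-1].lower()
            dst_ext = ev["dst"].rsplit(".", 1)[-1].lower()
            if src_ext != dst_ext:
                renamed[ev["pid"]] += 1
    for pid, count in renamed.items():
        if count >= rename_threshold:
            hits[pid].append(f"{count} files renamed to a new extension")
    return dict(hits)


# Constructed EDR-style telemetry for pid 4242 executing the sample.
TELEMETRY = [
    {"type": "process_start", "pid": 4242, "ppid": 1000,
     "image": "cryptowall.exe", "cmdline": "cryptowall.exe"},
    {"type": "process_start", "pid": 4300, "ppid": 4242,
     "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
] + [
    {"type": "file_rename", "pid": 4242,
     "src": f"C:\\Users\\bob\\Documents\\report{i}.docx",
     "dst": f"C:\\Users\\bob\\Documents\\report{i}.docx.encrypted"}
    for i in range(60)
]

if __name__ == "__main__":
    patched = hex_mod(ORIGINAL, 10)
    print("original blocked by hash:", hash_blocked(ORIGINAL))  # True
    print("patched blocked by hash: ", hash_blocked(patched))   # False
    print("behavioral IOA hits:     ", ransomware_ioa(TELEMETRY))
```

The two rules are deliberately independent: shadow-copy deletion fires on a single event and catches the sample before the first file is touched, while the rename counter trades a few encrypted files for far fewer false positives on backup or archiving tools. Neither looks at the file's bytes, which is the point of the demo.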

Beyond Malware: Spear Phishing and Browser Exploit
• Launch Metasploit on the attacker machine
• Compile an IE browser exploit
• Launch Outlook on the victim machine
• Click on the spear-phishing email link
• Show active sessions
• Run shell
• Show reconnaissance and exfiltration
Start Demo

Beyond Malware: Dumping Credentials
• Use Meterpreter's built-in hashdump
• Escalate privileges from local admin to LOCAL SYSTEM
• Run a shell with SYSTEM privileges
• Run hashdump
• Use mimikatz in memory: attack with a PowerShell script to dump credentials
Start Demo

Beyond Malware: Maintain Persistence and Lateral Movement
• Use the on-screen keyboard bypass / sticky keys trick
• Create a registry entry on the target system (an Image File Execution Options Debugger value for osk.exe) so that a SYSTEM-level shell is invoked any time the osk.exe (on-screen keyboard) process is called
• Open a new terminal on the attacker machine
• Remote desktop to the victim machine
• Use the accessibility on-screen keyboard at the logon screen to get a command prompt (no logon event is generated, because no logon takes place)
• Add a new local admin
Start Demo
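The credential-dumping and persistence demos above succeed without a logon event, but they are not silent: the in-memory mimikatz step has to open LSASS with read access, the sticky keys trick writes an IFEO Debugger value, the resulting shell has winlogon.exe or utilman.exe as its parent, and adding the local admin runs net.exe. As an added example serving both slides (not part of the CrowdStrike deck), here is a small Python detector run over constructed Sysmon-style events. The pipe-delimited line format, the LSASS allowlist and the sample lines are assumptions made for the demo; the event IDs (1 process create, 10 process access, 13 registry value set) and the 0x10 PROCESS_VM_READ right are real.

```python
import ntpath

# Windows accessibility binaries commonly hijacked via an IFEO Debugger value.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}
# Assumed allowlist of processes expected to open LSASS with read access;
# tune it per estate (AV engines, backup agents) before alerting on it.
LSASS_READ_ALLOWLIST = {"csrss.exe", "wininit.exe", "lsm.exe", "msmpeng.exe"}
PROCESS_VM_READ = 0x0010  # access right needed to read LSASS memory

# Constructed, pipe-delimited Sysmon-style events (EventID 1 = process
# create, 10 = process access, 13 = registry value set). Not real logs.
LOGS = r"""EventID=1|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\System32\winlogon.exe|CommandLine=cmd.exe
EventID=13|Image=C:\Windows\regedit.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger|Details=C:\Windows\System32\cmd.exe
EventID=10|SourceImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1010
EventID=10|SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF
EventID=1|Image=C:\Windows\System32\net.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=net localgroup administrators helpdesk2 /add
EventID=1|Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe
"""


def parse(line: str) -> dict:
    """Split one 'k=v|k=v' event line into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def classify(ev: dict):
    """Return the name of the rule an event trips, or None."""
    eid = ev.get("EventID")
    if eid == "10" and basename(ev["TargetImage"]) == "lsass.exe":
        reads_memory = int(ev["GrantedAccess"], 16) & PROCESS_VM_READ
        if reads_memory and basename(ev["SourceImage"]) not in LSASS_READ_ALLOWLIST:
            return "lsass_memory_read"            # mimikatz, incl. the in-memory PowerShell variant
    elif eid == "13":
        parts = ev["TargetObject"].split("\\")
        if (len(parts) >= 3 and parts[-1].lower() == "debugger"
                and parts[-3].lower() == "image file execution options"
                and parts[-2].lower() in ACCESSIBILITY_BINARIES):
            return "ifeo_accessibility_debugger"  # the sticky keys / osk.exe trick
    elif eid == "1":
        image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        cmd = ev.get("CommandLine", "").lower()
        if parent in {"winlogon.exe", "utilman.exe"} and image in {"cmd.exe", "powershell.exe"}:
            return "shell_from_logon_screen"      # no logon event, but a telling parent
        if (image in {"net.exe", "net1.exe"} and "localgroup" in cmd
                and "administrators" in cmd and "/add" in cmd):
            return "local_admin_added"
    return None


def detect(log_text: str):
    """Run every rule over the log; returns [(line_number, rule_name), ...]."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            rule = classify(parse(line))
            if rule:
                hits.append((number, rule))
    return hits


if __name__ == "__main__":
    for number, rule in detect(LOGS):
        print(f"line {number}: {rule}")
```

Two caveats a defender should know: Sysmon only records the registry write (EventID 13) if its configuration includes the Image File Execution Options path, and the native Windows equivalent (4657) needs a SACL on that key; and Remote Desktop with Network Level Authentication enabled requires credentials before the logon screen is drawn, so the on-screen keyboard shell over RDP depends on NLA being off or on the attacker already holding valid credentials.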

Beyond Malware: PDF Exploit (CoolType)
Adobe Reader CoolType SING Table “uniqueName” Stack Buffer Overflow (CVE-2010-2883; the slide targets Adobe 8.3)
• Generate a malicious PDF via msfconsole
• Prepare the attacking system (handler)
• Deliver the PDF payload to the victim machine
• Open Resume.pdf (phishing)
• DIR, exfiltration, Meterpreter shell
Start Demo

Beyond Malware: SEToolkit
• Run setoolkit
• Create a browser exploit attack
• Select the Windows Reverse_TCP Meterpreter payload
• Metasploit exploit payloads execute
• Navigate to the browser link on the victim machine
• Gain session access
Start Demo

PEOPLE, PROCESS & TECHNOLOGY
Threat hunting:
• Skilled people: continuous learning; revisit investigations and adversary techniques.
• Process: build repeatable process workflows into your tools, through enriched content and API integration.
• Technology: shorten time to value (TTV) and reduce mean time to detection and response; detect earlier in the attack chain. Requires visibility (prevention and detection).
• Intelligence: combines threat intelligence, analytics, and automated security tools with human smarts.

THANK YOU!