Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Anatomy of a Targeted Cyberattack

Published byDortha Perry Modified over 7 years ago

Similar presentations

Presentation on theme: "An Anatomy of a Targeted Cyberattack"— Presentation transcript:

1 An Anatomy of a Targeted Cyberattack
Kill Chain An Anatomy of a Targeted Cyberattack

2 Who Gabriel Mathenge Security enthusiast.
Red teaming and penetration testing. Website: thevivi.net gabriel<at>thevivi.net Vince Obilo Security enthusiast. Red teaming and penetration testing. Website: truneski.github.io vincetrune<at>gmail.com

3 Why we’re here The structure of a cyber attack from initial reconnaissance to objective completion. We’ll outline common Tools, Techniques and Procedures (TTPs) used by malicious actors in the wild today. Focus is on methodology, not motive. Methodologies become more advanced as you move up the threat pyramid, but the general theme of the most common attacks remains the same.

4 Attack Phases

5 Our Target Iron Bank The Iron Bank is a bank in the Free City of Braavos. It is arguably the most powerful financial institution in the 7 kingdoms.

6 Iron Bank Defenses The Usual Suspects Firewalls.
Monitoring solutions e.g. SIEMs. Site blocking. Antivirus. Okay-ish patch cycle. Strong user account & password policies. Security staff (blue team).

7 Our Scenario

8 1. Recon Domains & IP ranges. Websites/web applications.
Infrastructure. Locations. People. s. Social media.

9 2. Exploitation - Service Exploitation

10 2. Exploitation - s Bad Guy – Alice –

11 2. Exploitation - s Macros HTA OLE No Powershell

12 2. Exploitation - USB

13 3. Persistence Solidifying our foothold Passwords.
Scheduled tasks, registry, wmi (host-level persistence). Golden tickets (domain-wide persistence).

14 4. Lateral Movement Touring your internal network User hunting.
System hunting. PS Remoting. WMI. Avoiding logs.

15 5. Data Exfiltration Download all the things File searching.
Exfiltration over third party site. Your data

16 Endgame GAME OVER

17 Timeline Gathering intel about target (1-4 months)
Prepare phishing campaign (2 weeks – 1 month) Launch phishing campaign (1 week) Initial foothold; s opened (1 week) Host-level persistence (immediately) Privilege escalation (1 week - 2 weeks) Lateral movement (1 week – 1 month) Domain-wide persistence (1 day) Data exfiltration (Now - ∞) SWIFT hack? ¯\_(ツ)_/¯

18 Mitigations/Recommendations
How do we stop it? Phase Mitigations/Recommendations Exploitation Less obsession with perimeter security. Assume compromise. They’ll get in; will you know? what can you do to stop it? Patching, patching, patching. Train users. Endpoint security & real-time monitoring; workstations are their way in. Invest in your security team. Persistence Limit domain admins. Limit where domain admins can login (e.g. only to DCs) Attackers need DC access to create Golden Tickets, don’t let them get it. Do your users have local admin rights? Lateral Movement Flat domain for your entire organisation? Nope. Network isolation. Logon restrictions. Event/process monitoring. Application whitelisting. Data exfiltration Network monitoring. Network filtering. Network segmentation. Network flow baselines and anomalous activity. Can you tell the difference? Process monitoring. Powershell talking to Dropbox? Why? …this is just the tip of a very large iceberg. To put it simply; invest in your security team.

Download ppt "An Anatomy of a Targeted Cyberattack"

Similar presentations

SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.

SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.
1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.

1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
Cyber Attack Scenario Overview Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile.

Cyber Attack Scenario Overview Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago, Chile.
©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
ASSUME BREACH PREVENT BREACH + Research & Preparation First Host Compromised 24-48 Hours Domain Admin Compromised Data Exfiltration (Attacker.

ASSUME BREACH PREVENT BREACH + Research & Preparation First Host Compromised Hours Domain Admin Compromised Data Exfiltration (Attacker.
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,

Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,
Threats to I.T Internet security By Cameron Mundy.

Threats to I.T Internet security By Cameron Mundy.
Advanced Persistent Threats (APT) Sasha Browning.

Advanced Persistent Threats (APT) Sasha Browning.
Module 7 – Gaining Access & Privilege Escalation  Phase II  Controls Assessment  Scheduling ○ Information Gathering ○ Network Mapping ○ Vulnerability.

Module 7 – Gaining Access & Privilege Escalation  Phase II  Controls Assessment  Scheduling ○ Information Gathering ○ Network Mapping ○ Vulnerability.
Information Security In the Corporate World. About Me Graduated from Utica College with a degree in Economic Crime Investigation (ECI) in Spring 2005.

Information Security In the Corporate World. About Me Graduated from Utica College with a degree in Economic Crime Investigation (ECI) in Spring 2005.
Russell Rice Senior Director, Product Management Skyport Systems

Russell Rice Senior Director, Product Management Skyport Systems
The internet is a place of both useful and bad information. It has both good and bad side- and it’s all too easy for kids to stray into it. And no parents/guardian.

The internet is a place of both useful and bad information. It has both good and bad side- and it’s all too easy for kids to stray into it. And no parents/guardian.
 Terms:  “Security”: is a system’s ability to provide services while maintaining the five IA pillars  “Attack”: an action that violates one of the.

 Terms:  “Security”: is a system’s ability to provide services while maintaining the five IA pillars  “Attack”: an action that violates one of the.
Koustav Sadhukhan, Rao Arvind Mallari and Tarun Yadav DRDO, Ministry of Defense, INDIA Cyber Attack Thread: A Control-flow Based Approach to Deconstruct.

Koustav Sadhukhan, Rao Arvind Mallari and Tarun Yadav DRDO, Ministry of Defense, INDIA Cyber Attack Thread: A Control-flow Based Approach to Deconstruct.
Common System Exploits Tom Chothia Computer Security, Lecture 17.

Common System Exploits Tom Chothia Computer Security, Lecture 17.
Defining your requirements for a successful security (and compliance

Defining your requirements for a successful security (and compliance
Proactive Incident Response

Proactive Incident Response
Stopping Attacks Before They Stop Business

Stopping Attacks Before They Stop Business

Similar presentations

Ads by Google