7/30/2019 Guerrillas in the Wire
http://slidepdf.com/reader/full/guerrillas-in-the-wire 1/159
COMPLIANCE
CHRIS NICKERSON
Guerrillas in the Wires
hi. =)
Thanks
Anyway...
I’m Chris
- me
• Pain in the arse
• Loudmouth
• Hacker Punk
• Tells lies (professionally)
• Is called all sorts of bad words.. that I will likely say throughout this talk
• Can't code well
• Talks $hit
• Drinks a LOT
• Is an overall J3rk
LARES
Electronic
• Network Pentesting
• Surveillance / plants
Social
• In Person Social Engineering
• Phone Conversation
• Social Profiling
Physical
• Lockpicking
• Direct Attack
EP Convergence
• Attacks on physical systems that are network enabled
ES Convergence
• Blackmail
• Phishing
• Profiling
• Creating moles
PS Convergence
• Tailgating
• Impersonation
Figure Out What is Important to the company
Steal It!
To get you awake
Get you to THINK about
what we are doing
So…
We are clearly doing something wrong
2012 Infosec Year In Review
2,644 incidents were reported (up 117.3% from 2011)
267,000,000 records exposed
Over 150,000,000 in ONE incident
84.7% of the records exposed came from business
45% of incidents included public releases of passwords
Persians vs Scythians
ROME vs Britons
Mongolians vs Tanguts
Vs.
El Empecinado
Aka
Juan Martín Díez
Structure exists even in Guerrilla warfare
The only patch for Human Stupidity is EXPERIENCE
So how does
all of this
apply to us?
Environment
Attacker / Defender
Home Field Advantage
ENCRYPTION
Own the box/steal the keys
Keylog
GPU cracking is fun. TO the cloud!!
Attack 3rd-party crypto
And if all else fails…
Nmap… --data-length=0
Or -f
Or just go faster: -T5
Lame… that this STILL works in many cases
Roll your own crypto
Use "other" data streams (mDNS, AirDrop, BITS, DNS, HTTP, SIP)
Go to the phones.. (translate to 16 octave audio and exfil over fax)
Hopefully you saw Steffen Wendzel's talk; if not go find em
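As an added example (my own code, not from the talk and not any tool the speaker used), here is what exfiltration over the DNS stream named above looks like in practice, next to the heuristic a defender would run over resolver logs to spot it. The attacker zone, the secret and the query log are all constructed for the demo; the "zone = last two labels" rule is a deliberate simplification.

```python
import base64
import math
from collections import Counter, defaultdict

# Hypothetical attacker-controlled zone; the sender encodes data into query names under it.
ATTACKER_ZONE = "cdn-updates.example"
MAX_LABEL = 63  # RFC 1035: a single DNS label is at most 63 octets

# Constructed secret to smuggle out (not real credentials)
SECRET = (b"user=svc_backup;pass=Winter2012!;host=db01.corp.internal;"
          b"note=rotate-after-audit-2012-q3")


def encode_exfil(data, zone=ATTACKER_ZONE):
    """Sender: base32 the bytes (DNS is case-insensitive, so base64 would be
    mangled), cut into 63-char labels, and prefix a sequence number so the
    receiver can reorder and so every name is unique (a name already cached by
    the recursive resolver never reaches the attacker's authoritative server)."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    chunks = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    return ["%d.%s.%s" % (i, c, zone) for i, c in enumerate(chunks)]


def decode_exfil(names, zone=ATTACKER_ZONE):
    """Receiver (authoritative server for the zone): strip the zone, order by
    sequence number, restore base32 padding and decode."""
    parts = {}
    for name in names:
        seq, chunk = name[:-len(zone) - 1].split(".", 1)
        parts[int(seq)] = chunk
    b32 = "".join(parts[i] for i in sorted(parts)).upper()
    b32 += "=" * (-len(b32) % 8)
    return base64.b32decode(b32)


def shannon_entropy(s):
    """Bits per character; encoded payload labels sit far above hostname-like labels."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def flag_covert_dns(log_lines, min_label=30, min_entropy=3.0, min_hits=2):
    """Defender: each log line is '<client> <qname>'. A query is suspicious when
    its longest label is both long and high-entropy; a (client, zone) pair is
    reported once it has min_hits such queries. Zone = last two labels, a crude
    approximation (real tooling uses the public suffix list)."""
    hits = defaultdict(int)
    for line in log_lines:
        client, qname = line.split()
        labels = qname.rstrip(".").split(".")
        zone = ".".join(labels[-2:])
        longest = max(labels, key=len)
        if len(longest) >= min_label and shannon_entropy(longest) >= min_entropy:
            hits[(client, zone)] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}


# Constructed resolver log: ordinary lookups plus the exfil queries from one host
SAMPLE_LOG = [
    "10.0.0.5 www.example.com",
    "10.0.0.5 mail.corp.internal",
    "10.0.0.7 api.github.com",
    "10.0.0.7 www.example.com",
] + ["10.0.0.5 " + q for q in encode_exfil(SECRET)]

if __name__ == "__main__":
    assert decode_exfil(encode_exfil(SECRET)) == SECRET
    print(flag_covert_dns(SAMPLE_LOG))
```

The detector keys on exactly the properties the channel cannot hide: the payload has to be long, and encoding makes it look nothing like a hostname. Real tools in this family (and the inbound direction, where the attacker's server pushes data back in TXT or NULL records) have the same shape, so the same per-client, per-zone counting applies; the thresholds here are tuned for the constructed log and need calibrating against your own resolver traffic before alerting on them.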
AV/Anti-
Custom checksums are not hard… there's apps for that =)
Clearthelog.rb
… rm
Run scripty log cleaners in your tools*
* MSF, CORE, CANVAS all have them
** So do most exploit kits (yeay china)
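The defender's answer to log cleaners is to make deletion visible. Below is an added example of my own (nothing the slides or the tools named above ship): a forward-secure, hash-chained log in the spirit of the Schneier and Kelsey secure-logging scheme. The logging host keeps only the current MAC key and hashes it forward after every entry, so an intruder who gets root later cannot re-MAC, reorder or silently drop earlier lines; only tail truncation survives, and only until an external anchor is checked. The key, the messages and the tampering scenarios are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev-MAC placeholder for the first entry


def _mac(key, seq, prev, msg):
    body = json.dumps([seq, prev, msg], separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class ForwardSecureLog:
    """Logging host. Holds only the *current* key; after each entry the key is
    replaced by its hash and the old one is gone, so a later intruder cannot
    forge or re-chain anything written before the compromise."""

    def __init__(self, k0):
        self._key = k0
        self.entries = []

    def append(self, msg):
        seq = len(self.entries)
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        mac = _mac(self._key, seq, prev, msg)
        self.entries.append({"seq": seq, "prev": prev, "msg": msg, "mac": mac})
        self._key = hashlib.sha256(self._key).digest()  # evolve and forget
        return mac

    def current_key(self):
        """What an intruder on the box gets: only the key for entries not yet written."""
        return self._key


def verify(entries, k0, expected_count=None):
    """Auditor, holding the initial key k0 off-box. Recomputes the key sequence
    and the chain; returns 'ok' or a description of the first problem.
    expected_count comes from an external anchor (e.g. the last seq shipped to a
    remote collector); without it, chopping entries off the END is undetectable."""
    key, prev = k0, GENESIS
    for i, e in enumerate(entries):
        expect = _mac(key, e["seq"], e["prev"], e["msg"])
        if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(expect, e["mac"]):
            return "tampered at entry %d" % i
        prev, key = e["mac"], hashlib.sha256(key).digest()
    if expected_count is not None and len(entries) < expected_count:
        return "truncated: %d of %d entries present" % (len(entries), expected_count)
    return "ok"


# --- constructed scenario -----------------------------------------------------
K0 = hashlib.sha256(b"constructed initial key, held by the auditor only").digest()
MESSAGES = [
    "sshd: Accepted password for svc_backup from 10.0.0.5",
    "sudo: svc_backup : COMMAND=/bin/bash",
    "useradd: new user: name=support2",
    "sshd: Accepted publickey for support2 from 203.0.113.9",
    "cron: (root) CMD (/usr/local/bin/backup.sh)",
]


def build_log(msgs=MESSAGES, k0=K0):
    log = ForwardSecureLog(k0)
    for m in msgs:
        log.append(m)
    return log


def intruder_rewrites(log, index, new_msg):
    """Intruder with root after the log was written: re-MACs one entry with the
    only key still on disk (the current one) and re-chains what follows."""
    entries = [dict(e) for e in log.entries]
    key = log.current_key()
    entries[index]["msg"] = new_msg
    prev = entries[index]["prev"]
    for e in entries[index:]:
        e["prev"] = prev
        e["mac"] = _mac(key, e["seq"], e["prev"], e["msg"])
        prev = e["mac"]
    return entries


def intruder_deletes(log, index):
    """Intruder simply removes a line (what the 'rm' / log-cleaner approach does)."""
    return [e for i, e in enumerate(log.entries) if i != index]
```

Two things follow for the defender. First, the scheme only helps if k0 never sits on the logging host after the first entry, and if the evolved key is really overwritten rather than left in a swap file or a core dump. Second, the chain cannot see a missing tail; the "anchor" has to be something the attacker cannot rewrite, in practice the sequence number of the last entry that already reached a remote collector, which is the same reason the slides' log cleaners are so effective against hosts that log only to themselves.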
Of the 6 Top Firewalls, how many can effectively block TCP ports?
- Source: NSS Labs Firewall Group Test, section: TCP Split Handshake
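What the NSS Labs test was probing, as an added example of my own (a toy model, not NSS's methodology and not any vendor's connection-tracking engine): a normal three-way handshake beside the split handshake, each run through a simplified stateful tracker in a strict and a lax mode. The addresses are constructed. In the split variant the server answers the client's SYN with a bare SYN instead of SYN/ACK; a client stack that treats this as a simultaneous open (RFC 793) replies SYN/ACK and the server finishes with ACK. A tracker that accepts that bare SYN as a fresh handshake ends up believing the server opened the connection, and every rule or inspection keyed on direction now looks at the wrong side.

```python
from dataclasses import dataclass

CLIENT = "10.0.0.5:51234"    # constructed inside host
SERVER = "203.0.113.9:80"    # constructed outside host

SYN = frozenset({"SYN"})
SYNACK = frozenset({"SYN", "ACK"})
ACK = frozenset({"ACK"})


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    flags: frozenset


# Normal three-way handshake
THREE_WAY = [
    Pkt(CLIENT, SERVER, SYN),
    Pkt(SERVER, CLIENT, SYNACK),
    Pkt(CLIENT, SERVER, ACK),
]

# Split handshake: the server replies with a bare SYN, the client treats it as a
# simultaneous open and answers SYN/ACK, the server completes with ACK.
SPLIT = [
    Pkt(CLIENT, SERVER, SYN),
    Pkt(SERVER, CLIENT, SYN),
    Pkt(CLIENT, SERVER, SYNACK),
    Pkt(SERVER, CLIENT, ACK),
]


def track(packets, strict):
    """Toy stateful tracker (my simplification, not a real firewall engine).
    Returns (final_state, who_the_tracker_thinks_initiated).
    strict=True : in SYN_SENT only a SYN/ACK from the responder is acceptable.
    strict=False: a bare SYN from the responder is taken as a new handshake the
                  other way round, i.e. the roles are silently swapped."""
    state, initiator, responder = "CLOSED", None, None
    for p in packets:
        if state == "CLOSED" and p.flags == SYN:
            state, initiator, responder = "SYN_SENT", p.src, p.dst
        elif state == "SYN_SENT" and p.src == responder and p.flags == SYNACK:
            state = "SYN_RCVD"
        elif state == "SYN_SENT" and p.src == responder and p.flags == SYN:
            if strict:
                return "DROPPED", initiator      # not a valid reply to our SYN
            initiator, responder = p.src, p.dst  # lax: accept it as a reverse handshake
        elif state == "SYN_RCVD" and p.src == initiator and p.flags == ACK:
            state = "ESTABLISHED"
        else:
            return "DROPPED", initiator
    return state, initiator


def outbound_only_policy(packets, strict, inside_prefix="10.0.0."):
    """Policy 'only connections opened from inside are allowed'. Returns
    (connection_established, tracker_believes_inside_host_initiated). With the
    lax tracker the split handshake is established, yet the tracker has the
    outside server as initiator: direction-based rules are now wrong."""
    state, initiator = track(packets, strict)
    return state == "ESTABLISHED", (initiator or "").startswith(inside_prefix)


if __name__ == "__main__":
    for name, flow in (("three-way", THREE_WAY), ("split", SPLIT)):
        for strict in (True, False):
            print(name, "strict" if strict else "lax", track(flow, strict))
```

Whether the split ever completes depends on the client's TCP stack, which is why the real test runs it against products in line rather than against a model. The check this buys you on your own gear is cheap: replay the SPLIT sequence across the firewall with a packet crafter and confirm the bare server-side SYN is dropped or reset, not absorbed into the existing state entry.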
WHAT DO
WE DO?
STEP 0
STEP 0
EDUCATION
Implement Awareness and Knowledge Formula
Defense = capability (awareness + knowledge) + experience
Capability = (Knowledge + Awareness): can we defend against an attack?
Experience: overall ability to understand/plan/execute and remain on task during the event
**ps… this is not math, just conceptual. Most companies out there couldn't put actual ACCURATE values on controls or any of the areas above if they even tried.
Crawl, walk, run…
Practice
BASIC
INFOSEC!
Patching
“The more sophisticated the technology, the more vulnerable it is to primitive attack. People often overlook the obvious” – Dr Who
Align With
the business
objectives
What does
your company
DO???
How does it
do it?
Now what?
Business:
• Grow revenue
• Increase product reliability
• Increase brand value
• Launch xyz new thing
• Increase customer service/satisfaction
Security:
• Buy firewall
• Deploy DLP
• Move to Cloud
• Install moar AV
• WAF
How much do you spend on Disaster Recovery? (Average is 1 8% t t l
Average cost of a downtime: $287,600
Multiply that by the # of bugs found in code that can stop a service
TEST TO SEE IF IT WORKS….. DUMMY
Vulnerability Assessments?
Process
Figure Out What the Company Thinks is Important
Steal It!
Level 1: Exploitation of known vulnerabilities at all layers under Application, with interactive sessions. Constrained time windows. Interactive w/ constant client update. Direct attacks.
Level 2: Exploitation of known vulnerabilities at ALL layers, with interactive sessions. Unlimited time window during engagement. Interactive w/ scheduled update. + Indirect attacks.
Level 3: Exploitation of ALL KNOWN vulnerabilities, with non-interactive sessions. Extended engagement time window. Non-interactive w/ update. + Individual attacks.
Level 4: + 0day development. At ANY time. Non-interactive, without update unless urgent/issue based. + Physical attacks.
Level 5: + Custom designed attack kits. At ANY time. Non-interactive, without update. + Corporate partner attacks.
FOLLOW A REPEATABLE METHODOLOGY
Allow a FULL TEST to get FULL VALUE
• ACT as you would NORMALLY
  – Systems attack: tests IR plan
  – System error: tracks mean time to issue identification
  – Service outage: tests/identifies flaws in BCP
  – System down: tests/identifies flaws in DR plan
SET REASONABLE EXPECTATIONS
What do you
have to lose?
YOU HAVE ALREADY BEEN HACKED