How to Steal a Billion Dollars (and how to prevent it)

NACUSAC - 2018, Louisville, KY

Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor. | ©2017 CliftonLarsonAllen LLP

Transcript posted Jul 04, 2020


Outline

• Introductions

– Presenter

– Presentation format

– Cyber Kill Chain example

• Anatomy of an Attack

– External Recon

– Weaponization

– Delivery

– Exploitation

– Internal Network Recon

– Command and Control

– Capture the flag

– Exfiltration


The Attacker

• David Anderson – Manager, CliftonLarsonAllen

• OSCP – Offensive Security Certified Professional

• BS – Information Technology – Minnesota State University Mankato

• Oversee and participate in:

– Penetration Testing

– Social Engineering

– Vulnerability Assessments



The Defenders

• Your IS/IT department

• Your employees



Anatomy of an Attack

• How do attackers work?

• What defenses are effective?

• How do I evaluate my own security needs?

• How can I spend my money efficiently?



Cyber Kill Chain

• External Recon

• Weaponization

• Delivery

• Exploitation

• Internal Network Recon

• Command and Control

• Capture the Flag

• Exfiltration




External Recon

• Port and Service enumeration

• Shodan

• OSINT

– Social Media

– Staff

– Customers

– Web apps



Service Enumeration



Shodan



LinkedIn



Website



External Recon

• Documentation

– Network map

◊ Data flow

– IP range

– External access provided to staff



External Recon

• OSINT

– Social Media

◊ Staff

◊ Blogs / News

– Internet accessible documents

• Shodan

• Self Assessments

– Google Alerts



External Recon

• Security Assessments

– Validation

◊ Is it as secure as we think or expect?

– Assurance

◊ Prove to others that it is as good as we say it is.





Weaponization

• Exploit announcements

• Exploit research

• Creation of an exploit or attack vector

• Purchase an exploit

• Payload creation



Weaponization

• Open Source Weaponization Tools

– Metasploit

– Empire

– Koadic

– Veil

– Etc…



Weaponization

• Understand current environment

– Center for Internet Security – Controls 1 and 2

– Sign up for vendor bulletins and review

• IT Security Awareness training

• Mitigate Gaps

• Ongoing training on new technology





Delivery

• Social Engineering

– Phishing

– Email spoofing

– Call spoofing



Phishing Website





Poor Email Filtering

SMTP Envelope:

Connected to mail.cogentco.com (38.9.X.X).
MAIL FROM: <[email protected]>
250 OK
RCPT TO: <[email protected]>
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself

SMTP Message:

FROM: <[email protected]>
TO: <[email protected]>
Subject: Free Tesla Car
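The transcript above shows the defect a mail filter has to catch: the envelope sender (MAIL FROM) and the From header the recipient sees name different parties. The PowerShell below is an added example, not code from the presentation or from CliftonLarsonAllen: it pulls both senders out of a captured SMTP session and applies a DMARC-style alignment check. The addresses, relay host, function names and the strict/relaxed rule are this example's own assumptions; the addresses on the slide are redacted, so constructed ones are used.

```powershell
# Added example (not from the slide deck): check that the SMTP envelope sender
# agrees with the header From. All addresses and hosts below are constructed.

function Get-EmailDomain {
    # Extracts the domain from 'Name <user@domain>' or 'user@domain'; $null if none.
    param([Parameter(Mandatory)][string]$Address)
    $bare = ($Address -replace '^.*<([^>]+)>.*$', '$1').Trim()
    if ($bare -notmatch '@') { return $null }
    return $bare.Split('@')[-1].ToLowerInvariant()
}

function Test-SenderAlignment {
    # DMARC-style alignment: strict requires identical domains; relaxed also
    # accepts one being a subdomain of the other (simplification: a production
    # check derives the organizational domain from the Public Suffix List).
    param(
        [Parameter(Mandatory)][string]$EnvelopeFrom,   # MAIL FROM, later the Return-Path header
        [Parameter(Mandatory)][string]$HeaderFrom,     # RFC 5322 From: shown to the user
        [switch]$Strict
    )
    $envDomain = Get-EmailDomain -Address $EnvelopeFrom
    $hdrDomain = Get-EmailDomain -Address $HeaderFrom
    $aligned = if (-not $envDomain -or -not $hdrDomain) { $false }
               elseif ($Strict) { $envDomain -eq $hdrDomain }
               else { $envDomain -eq $hdrDomain -or $envDomain.EndsWith(".$hdrDomain") -or $hdrDomain.EndsWith(".$envDomain") }
    $verdict = if ($aligned) { 'pass' } else { 'quarantine: header From domain does not match envelope sender' }
    [pscustomobject]@{
        EnvelopeDomain = $envDomain
        HeaderDomain   = $hdrDomain
        Aligned        = $aligned
        Verdict        = $verdict
    }
}

function Get-SmtpSessionSenders {
    # Pulls MAIL FROM (envelope) and the first From: header (message body) out
    # of a captured SMTP session transcript such as the one on the slide.
    param([Parameter(Mandatory)][string[]]$Lines)
    $envelopeFrom = $null; $headerFrom = $null; $inData = $false
    foreach ($line in $Lines) {
        if (-not $inData) {
            if ($line -match '^MAIL FROM:\s*(.+)$') { $envelopeFrom = $Matches[1] }
            elseif ($line -match '^DATA\s*$') { $inData = $true }
        }
        elseif ($line -match '^From:\s*(.+)$') { $headerFrom = $Matches[1]; break }
    }
    [pscustomobject]@{ EnvelopeFrom = $envelopeFrom; HeaderFrom = $headerFrom }
}

# Constructed session modelled on the slide: the envelope names the sender's own
# domain, the displayed From claims to be an executive at the target.
$Session = @(
    'Connected to mail.relay.example (192.0.2.10).',
    'MAIL FROM: <sender@outside-domain.example>',
    '250 OK',
    'RCPT TO: <cfo@creditunion.example>',
    '250 Accepted',
    'DATA',
    '354 Enter message, ending with "." on a line by itself',
    'FROM: <ceo@creditunion.example>',
    'TO: <cfo@creditunion.example>',
    'Subject: Free Tesla Car'
)
$senders = Get-SmtpSessionSenders -Lines $Session
Test-SenderAlignment -EnvelopeFrom $senders.EnvelopeFrom -HeaderFrom $senders.HeaderFrom
```

With the constructed session the check reports the mismatch and a quarantine verdict; a message whose MAIL FROM is also in creditunion.example passes. In production this comparison is what SPF, DKIM and DMARC alignment give you, so publishing a DMARC record and enforcing it at the gateway is the supportable form of the control.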


Delivery

• Phone Calls

• [Audio Sample]



Delivery

• In Person

– RFID clone

– Media drops

– Tailgating



Not this tailgating…



Delivery

• Security Awareness Training

• Mail Security Controls

• Security Assessments of email system

– Cloud

– OWA

– Endpoint

• Spam Filters





Exploitation

• Missing patches

– MS17-010 (WannaCry / ETERNALBLUE)

• End user

– Malicious Office documents (Macros, OLE, etc.)

– HTML Applications (.HTA)

• Windows PowerShell

– Can inject malicious code straight into memory



PowerShell

Malicious Macro



ETERNALBLUE




Exploitation

• Patch management

– Simplify support

– Mitigation

• Security Policy

– Least Privilege

– Layered Defense

– Secure by Design

– Assume Breach



Exploitation

• Security Baseline

– “Golden Image”

– Group Policy

– Benchmarks

◊ CIS

◊ NIST

◊ STIGS

◊ USGCB



Exploitation

• Application whitelisting

– AppLocker

– Windows Device Guard

• Protect Office Applications

– Block Macros

– Windows Defender Exploit Guard

• Prevent script files from auto-executing

– Change the default application for file extensions such as .hta, .js, .bat, etc…

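Two of the bullets above are registry-level settings, so here is an added example (not code from the presentation or from CliftonLarsonAllen) in PowerShell that audits which program Windows hands .hta, .js and similar files to, can repoint them at the plain-text handler as the last bullet suggests, and reads the Office macro policy values behind "Block Macros". The registry locations are Microsoft's documented policy paths; the extension list, the txtfile target, the Office version key (16.0) and the function names are this example's own choices.

```powershell
# Added example (not from the slide deck). Run elevated to change HKCR.
# In a domain the same settings belong in Group Policy; this is the per-machine view.

$ScriptExtensions = '.hta', '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.bat', '.cmd'

function Get-ScriptExtensionHandler {
    # Returns the ProgID each extension resolves to. 'htafile' launches mshta.exe,
    # 'JSFile' launches wscript.exe; 'txtfile' opens the file in Notepad instead.
    param([string[]]$Extension = $ScriptExtensions)
    foreach ($ext in $Extension) {
        $key = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue
        $progId = if ($key) { $key.GetValue('') } else { $null }
        [pscustomobject]@{
            Extension = $ext
            ProgId    = $progId
            Executes  = [bool]($progId -and $progId -ne 'txtfile')
        }
    }
}

function Set-ScriptExtensionToNotepad {
    # Point the extension at the plain-text handler so a double-click shows the
    # script rather than running it. A per-user UserChoice under
    # HKCU\...\Explorer\FileExts\<ext> still overrides HKCR, which is why the
    # fleet-wide version of this is a Group Policy "Open With" setting.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Extension = $ScriptExtensions)
    foreach ($ext in $Extension) {
        $path = "Registry::HKEY_CLASSES_ROOT\$ext"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        if ($PSCmdlet.ShouldProcess($ext, 'Set default handler to txtfile')) {
            Set-ItemProperty -Path $path -Name '(default)' -Value 'txtfile'
        }
    }
}

function Get-OfficeMacroPolicy {
    # Office 2016/2019/365 policy values (version key 16.0, an assumption here):
    # VBAWarnings 4 = disable all macros without notification;
    # BlockContentExecutionFromInternet 1 = block macros in files carrying the Mark-of-the-Web.
    param([string[]]$App = @('Word', 'Excel', 'PowerPoint'))
    foreach ($a in $App) {
        $p = Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$a\Security" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application         = $a
            VBAWarnings         = $p.VBAWarnings
            BlockInternetMacros = $p.BlockContentExecutionFromInternet
            Compliant           = [bool]($p.VBAWarnings -eq 4 -or $p.BlockContentExecutionFromInternet -eq 1)
        }
    }
}

Get-ScriptExtensionHandler | Format-Table -AutoSize
Get-OfficeMacroPolicy | Format-Table -AutoSize
# Set-ScriptExtensionToNotepad -WhatIf    # preview the change; drop -WhatIf to apply
```

The audit functions are safe to run on any workstation; the remediation supports -WhatIf so the change can be previewed before it is pushed out.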


Exploitation

• Tools

– Sysinternals suite

– LAPS

– Sysmon

◊ IR-focused configuration



Exploitation

• Network Monitoring

– User level

– Temporal

– Attempts

– Behavior

• Segmentation

– Block endpoint SMB

– Guest Wi-Fi

– IoT

– Secure transactions

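"Block endpoint SMB" is the one segmentation bullet that can be shown as configuration, so this is an added example (not code from the presentation or from CliftonLarsonAllen): a Windows Defender Firewall setup for a single workstation that stops other endpoints reaching its TCP 445 while keeping the management subnet's access, which is the same control the Internal Network Recon defenses later call blocking workstation-to-workstation communication. The management subnet and the rule names are placeholders chosen here; in a domain the same settings belong in Group Policy.

```powershell
# Added example (not from the slide deck). Requires the NetSecurity module
# (Windows 8 / Server 2012 and later) and an elevated session.

$ManagementSubnets = @('10.10.250.0/24')   # placeholder: where admins and patching run from
$RulePrefix = 'CU-Hardening'

function Get-InboundSmbAllowRules {
    # Enabled inbound rules that currently allow TCP 445 (File and Printer Sharing etc.).
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and $pf.LocalPort -contains '445'
        } |
        Select-Object DisplayName, DisplayGroup, Profile
}

function Set-EndpointSmbRestriction {
    # Block rules beat allow rules in Windows Firewall, so a blanket 445 block
    # would also cut off management. Rely on the profile's default inbound action
    # (Block) instead: disable every rule that allows 445 and add one allow scoped
    # to the management subnet. Everything else, including other workstations,
    # then falls through to the default block.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$AllowFrom = $ManagementSubnets)
    if ($PSCmdlet.ShouldProcess('TCP 445 inbound', 'Restrict to management subnet')) {
        Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block
        Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
            Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' } |
            Disable-NetFirewallRule
        Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        New-NetFirewallRule -DisplayName "$RulePrefix SMB allow from management" -Direction Inbound `
            -Protocol TCP -LocalPort 445 -RemoteAddress $AllowFrom -Action Allow -Profile Domain | Out-Null
    }
}

Get-InboundSmbAllowRules | Format-Table -AutoSize    # what is open today
# Set-EndpointSmbRestriction -WhatIf                  # preview; drop -WhatIf to apply
```

Run the audit first: on a default workstation it lists the built-in File and Printer Sharing rules, which is exactly the lateral path the slide is about. Servers that legitimately serve SMB need their own rule set and are not in scope of this script.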




Internal Network Recon

• Where am I?

– ipconfig /all

• Who am I?

– whoami

• What privileges do I have?

– whoami /groups

• Do I have local admin rights?

– net localgroup administrators



Internal Network Recon

• Who is on the network?

– netstat

– Port scans

– DNS enumeration

– AD enumeration

• Who are the administrators?

– BloodHound



BloodHound



Internal Network Recon

• Default/easily guessable passwords

• Misconfiguration

• Missing patches



Internal Network Recon

• Secure Network

– Network Segmentation

– BLOCK workstation to workstation communication

• Network Monitoring

– NetFlow

– Endpoint logs

– “user” behavior

– Sensor alerts

– Log analysis

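The commands on the Internal Network Recon slides (ipconfig /all, whoami, whoami /groups, net localgroup administrators, netstat) each leave a process-creation record behind, and the endpoint-log and log-analysis bullets above are where that gets caught. This is an added example (not code from the presentation or from CliftonLarsonAllen): PowerShell that flags a host where several distinct discovery commands run under one parent process inside a short window. It accepts flattened Sysmon Event ID 1 records (a converter is included) and runs here against constructed sample events; the threshold, the window and all function names are choices made here, not figures from the deck.

```powershell
# Added example (not from the slide deck): detect a burst of discovery commands
# per (computer, parent process) from process-creation records.

$DiscoveryPatterns = @(
    'ipconfig(\.exe)?\s+/all',
    '\bwhoami(\.exe)?\b',
    'net1?(\.exe)?\s+localgroup\s+administrators',
    '\bnetstat(\.exe)?\b'
)

function ConvertFrom-SysmonProcessCreate {
    # Flatten live Sysmon events into the shape the detector expects, e.g.
    #   Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=1]]' |
    #       ConvertFrom-SysmonProcessCreate | Get-DiscoveryCommandBursts
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Computer    = $xml.Event.System.Computer
            Time        = [datetime]$data['UtcTime']
            ParentImage = $data['ParentImage']
            CommandLine = $data['CommandLine']
        }
    }
}

function Get-DiscoveryCommandBursts {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][object]$Record,   # Computer, Time, ParentImage, CommandLine
        [int]$Threshold = 3,          # distinct discovery commands needed to alert
        [int]$WindowMinutes = 10
    )
    begin { $hits = @() }
    process {
        foreach ($pattern in $DiscoveryPatterns) {
            if ($Record.CommandLine -match $pattern) {
                $hits += [pscustomobject]@{
                    Computer = $Record.Computer; Time = [datetime]$Record.Time
                    Parent = $Record.ParentImage; CommandLine = $Record.CommandLine
                }
                break
            }
        }
    }
    end {
        # One alert per (computer, parent) whose distinct discovery commands within
        # the window, counted from the first hit, reach the threshold.
        foreach ($group in ($hits | Group-Object Computer, Parent)) {
            $sorted   = @($group.Group | Sort-Object Time)
            $first    = $sorted[0].Time
            $inWindow = @($sorted | Where-Object { ($_.Time - $first).TotalMinutes -le $WindowMinutes })
            $distinct = @($inWindow.CommandLine | Sort-Object -Unique).Count
            if ($distinct -ge $Threshold) {
                [pscustomobject]@{
                    Computer = $sorted[0].Computer
                    Parent   = $sorted[0].Parent
                    Start    = $first
                    Commands = ($inWindow.CommandLine -join ' ; ')
                    Reason   = "$distinct distinct discovery commands within $WindowMinutes minutes"
                }
            }
        }
    }
}

# Constructed sample: one workstation running the slide's checklist from
# PowerShell, and an unrelated help-desk one-off that must not alert.
$PS = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$SampleEvents = @(
    [pscustomobject]@{ Computer = 'WS-017'; Time = '2018-03-05T09:14:02'; ParentImage = $PS; CommandLine = 'ipconfig /all' }
    [pscustomobject]@{ Computer = 'WS-017'; Time = '2018-03-05T09:14:09'; ParentImage = $PS; CommandLine = 'whoami' }
    [pscustomobject]@{ Computer = 'WS-017'; Time = '2018-03-05T09:14:15'; ParentImage = $PS; CommandLine = 'whoami /groups' }
    [pscustomobject]@{ Computer = 'WS-017'; Time = '2018-03-05T09:14:31'; ParentImage = $PS; CommandLine = 'net localgroup administrators' }
    [pscustomobject]@{ Computer = 'WS-017'; Time = '2018-03-05T09:15:04'; ParentImage = $PS; CommandLine = 'netstat -ano' }
    [pscustomobject]@{ Computer = 'WS-042'; Time = '2018-03-05T09:20:40'; ParentImage = 'C:\Windows\System32\cmd.exe'; CommandLine = 'ipconfig /all' }
)
$SampleEvents | Get-DiscoveryCommandBursts | Format-List
```

Against the sample, WS-017 produces one alert and the single ipconfig on WS-042 does not. Sysmon only records command lines if its configuration includes Event ID 1, which is what the earlier "IR-focused configuration" bullet is about; without Sysmon, Security event 4688 with command-line auditing enabled carries the same fields.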


Internal Network Recon

• Security Policy

– Least Privilege

– Assume Breach

• Encryption

– At rest

– In Transit



PowerShell Security

• Upgrade to PowerShell v5

• Remove PowerShell v2

• Enable Script Block Logging

• Enable Script Transcription

• OPTIONAL: Configure Constrained Language Mode

– Prevents advanced features, such as .NET execution, Windows API calls, and COM access

– This may cause issues with managing systems with PowerShell
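Each item on this slide maps to a checkable setting, so here is an added example (not code from the presentation or from CliftonLarsonAllen): a PowerShell audit of the engine version, the v2 engine, Script Block Logging, Transcription and the language mode, plus a remediation function that writes the same registry values the corresponding Group Policy settings write. The function names, the finding texts and the transcript-share parameter are this example's own.

```powershell
# Added example (not from the slide deck). Reads the machine-wide policy keys;
# the v2 feature query and the remediation need an elevated session.

function Get-PowerShellSecurityPosture {
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $sbl = Get-ItemProperty -Path "$pol\ScriptBlockLogging" -ErrorAction SilentlyContinue
    $tx  = Get-ItemProperty -Path "$pol\Transcription" -ErrorAction SilentlyContinue
    # The 2.0 engine is a Windows optional feature; it ignores v5 logging, hence "remove v2".
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    $v2State = if ($v2) { $v2.State.ToString() } else { 'Unknown' }
    [pscustomobject]@{
        EngineVersion       = $PSVersionTable.PSVersion.ToString()
        V2EngineState       = $v2State
        ScriptBlockLogging  = ($sbl.EnableScriptBlockLogging -eq 1)
        Transcription       = ($tx.EnableTranscripting -eq 1)
        TranscriptOutputDir = $tx.OutputDirectory
        LanguageMode        = $ExecutionContext.SessionState.LanguageMode.ToString()
    }
}

function Test-PowerShellSecurityPosture {
    # Turns the posture object into the list of slide items still open.
    param([Parameter(Mandatory)]$Posture)
    $findings = @()
    if ([version]$Posture.EngineVersion -lt [version]'5.0') { $findings += 'Upgrade to PowerShell v5 (script block logging needs it)' }
    if ($Posture.V2EngineState -eq 'Enabled') { $findings += 'Remove the PowerShell v2 engine' }
    if (-not $Posture.ScriptBlockLogging) { $findings += 'Enable Script Block Logging (events land in Event ID 4104)' }
    if (-not $Posture.Transcription) { $findings += 'Enable Script Transcription' }
    elseif (-not $Posture.TranscriptOutputDir) { $findings += 'Transcripts go to user profiles; set a central output directory' }
    if ($Posture.LanguageMode -eq 'FullLanguage') { $findings += 'Optional: Constrained Language Mode is not in effect' }
    return $findings
}

function Enable-PowerShellLogging {
    # Writes the values the "Turn on PowerShell Script Block Logging" and
    # "Turn on PowerShell Transcription" policies set. Group Policy remains the
    # supportable way to do this fleet-wide; this is the single-machine form.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$TranscriptOutputDir)   # assumption: a write-only share chosen by your team
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    foreach ($sub in 'ScriptBlockLogging', 'Transcription') {
        if (-not (Test-Path "$pol\$sub")) { New-Item -Path "$pol\$sub" -Force | Out-Null }
    }
    if ($PSCmdlet.ShouldProcess('ScriptBlockLogging', 'Enable')) {
        Set-ItemProperty -Path "$pol\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess('Transcription', 'Enable')) {
        Set-ItemProperty -Path "$pol\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
        Set-ItemProperty -Path "$pol\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
        if ($TranscriptOutputDir) {
            Set-ItemProperty -Path "$pol\Transcription" -Name OutputDirectory -Value $TranscriptOutputDir -Type String
        }
    }
}

$posture = Get-PowerShellSecurityPosture
$posture | Format-List
Test-PowerShellSecurityPosture -Posture $posture
# Enable-PowerShellLogging -TranscriptOutputDir '\\logserver\transcripts$' -WhatIf   # preview; drop -WhatIf to apply
```

The audit is read-only and useful on its own as evidence for the assurance point made earlier in the deck; the remediation is deliberately limited to the two logging settings, since Constrained Language Mode is the slide's optional item and, as the slide says, can break administrative tooling.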




Command and Control

• Remote access tool

– Stabilize connection

– Persistence

• Communication

– Encrypted

– Mimic “real” network traffic (HTTPS / DNS)

• Operational Security



Command and Control

• Network Monitoring

– Bandwidth, traffic patterns, IP geolocation

• Threat Intelligence

– Internal

◊ SIEM, Next-gen Firewalls

– External feeds

◊ Industry – Microsoft, Google, Cisco, HP, etc.

◊ STIX, TAXII, CybOX





Capture the Flag

• Asset Identification

• Asset Acquisition

– Open file shares are a goldmine

– AIRES files



Capture the Flag

• Admin Creds

– SQL creds in web.config files

– Cloud (e.g. Office 365)

• Open File Shares

• Insecure databases



Capture the Flag

• Network Map

– “Treasure map”

• Encryption

– “at rest” encryption

• Logging

– SQL access

– File access





Exfiltration

• Collection point

• Package it up

– Compress

– Encrypt

• Send it out

– FTP, SSH, HTTP(S), ICMP, DNS, etc…

– We use whatever you allow outbound



Exfiltration

• Network Monitoring

– Bandwidth

– Egress traffic

• Firewall Rules

• Threat Intelligence

– Blacklists

– Geo location of IP

– Real-time analysis

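The bandwidth and egress-traffic bullets above, and the traffic-pattern bullet on the Command and Control defenses slide, are both questions you can put to flow records. This is an added example (not code from the presentation or from CliftonLarsonAllen): PowerShell that runs two checks over egress flows of the kind a NetFlow/IPFIX collector or firewall log exports, a per-host volume outlier test for the "send it out" stage and a beaconing test for near-constant connection intervals to one destination. The flow records are constructed and the ratio and jitter thresholds are this example's own.

```powershell
# Added example (not from the slide deck): outlier and beacon checks over
# constructed egress flow records (documentation IP ranges only).

$FlowCsv = @'
Start,SrcIp,DstIp,DstPort,Bytes
2018-03-05T01:00:00,10.10.5.21,203.0.113.7,443,310
2018-03-05T01:01:02,10.10.5.21,203.0.113.7,443,298
2018-03-05T01:01:59,10.10.5.21,203.0.113.7,443,305
2018-03-05T01:03:01,10.10.5.21,203.0.113.7,443,312
2018-03-05T01:04:00,10.10.5.21,203.0.113.7,443,301
2018-03-05T01:05:03,10.10.5.21,203.0.113.7,443,299
2018-03-05T01:05:58,10.10.5.21,203.0.113.7,443,307
2018-03-05T01:07:00,10.10.5.21,203.0.113.7,443,303
2018-03-05T01:00:10,10.10.5.33,198.51.100.20,443,4800
2018-03-05T01:02:40,10.10.5.33,203.0.113.40,443,5200
2018-03-05T01:05:05,10.10.5.33,192.0.2.55,443,6100
2018-03-05T01:09:30,10.10.5.33,198.51.100.9,22,85000000
'@

$Flows = $FlowCsv | ConvertFrom-Csv | ForEach-Object {
    [pscustomobject]@{
        Start = [datetime]$_.Start; SrcIp = $_.SrcIp; DstIp = $_.DstIp
        DstPort = [int]$_.DstPort; Bytes = [long]$_.Bytes
    }
}

function Find-EgressVolumeOutliers {
    # Exfiltration: a destination that receives many times the median volume
    # this source sends to each of its other destinations.
    param([Parameter(Mandatory)][object[]]$Flows, [double]$Ratio = 10)
    foreach ($src in ($Flows | Group-Object SrcIp)) {
        $perDst = @($src.Group | Group-Object DstIp | ForEach-Object {
            [pscustomobject]@{ DstIp = $_.Name; Bytes = ($_.Group | Measure-Object Bytes -Sum).Sum }
        })
        if ($perDst.Count -lt 2) { continue }          # nothing to baseline against
        $sorted = @($perDst | Sort-Object Bytes)
        $median = $sorted[[int][math]::Floor($sorted.Count / 2)].Bytes
        foreach ($d in $perDst) {
            if ($median -gt 0 -and ($d.Bytes / $median) -ge $Ratio) {
                [pscustomobject]@{ Check = 'EgressVolume'; SrcIp = $src.Name; DstIp = $d.DstIp
                                   Bytes = $d.Bytes; BaselineBytes = $median }
            }
        }
    }
}

function Find-Beacons {
    # Command and control: many connections from one host to one destination
    # whose spacing barely varies (standard deviation small relative to the mean).
    param([Parameter(Mandatory)][object[]]$Flows, [int]$MinConnections = 6, [double]$MaxJitterRatio = 0.15)
    foreach ($pair in ($Flows | Group-Object SrcIp, DstIp, DstPort)) {
        $times = @($pair.Group | Sort-Object Start | ForEach-Object { $_.Start })
        if ($times.Count -lt $MinConnections) { continue }
        $gaps = for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds }
        $mean = ($gaps | Measure-Object -Average).Average
        $variance = ($gaps | ForEach-Object { [math]::Pow($_ - $mean, 2) } | Measure-Object -Average).Average
        $jitter = if ($mean -gt 0) { [math]::Sqrt($variance) / $mean } else { 1 }
        if ($jitter -le $MaxJitterRatio) {
            $f = $pair.Group[0]
            [pscustomobject]@{ Check = 'Beacon'; SrcIp = $f.SrcIp; DstIp = $f.DstIp; DstPort = $f.DstPort
                               Connections = $times.Count; IntervalSec = [math]::Round($mean); JitterRatio = [math]::Round($jitter, 3) }
        }
    }
}

Find-EgressVolumeOutliers -Flows $Flows
Find-Beacons -Flows $Flows
```

On the sample, 10.10.5.33's 85 MB over SSH to one host stands out against its few-kilobyte web sessions, and 10.10.5.21's eight HTTPS connections roughly a minute apart are reported as a beacon. Both checks are deliberately simple baselines; the geolocation and blacklist bullets above are what you join the flagged destinations against next.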



Summary


External Recon

Weaponization

Delivery

Exploitation

Internal Network Recon

Command Control

Capture the Flag

Exfiltration


Thank you!

David Anderson, 612-397-3132

david.anderson@CLAconnect.com