breach analysis slideshare
Breach Analysis - Jonathan Sinclair 1
Breach Analysis - Insights from technical breach to protective measures
By J. Sinclair
Page 2
Talk Outcomes
• Demonstrate security from two perspectives
– The goal of a Blackhat
– The goal of a Whitehat
• An introduction to tooling
Page 3
Perspectives
White vs. Black
Page 4
Blackhat Perspective
• Motivating Factors
– Like the challenge (dedication)
– Self-promotion / Fame
• Want to improve security by showing it’s failing (grey hat: see the work by Tavis Ormandy)
– Money
• Focus
– Breaching security
• Penetration Testing
• Exploit writing
• Bug hunting
• Social Engineering
Page 5
Where to start
• Follow a methodology / plan
– Intelligence Gathering: Passive/Active
– Vulnerability Analysis: Active
– Exploitation: Active
– Post Exploitation: Active
– Reporting (Bad guys don’t care about this. It leaves evidence)
Page 6
Steps of an attacker (Tools of the trade)
• Intelligence Gathering: Maltego, Social harvesting
• Reconnaissance:
– Zenmap/Nmap – Find a service
• Get the service listing:
– Telnet, smtp, https, printer, msrpc, irc, http-proxy, ftp
• Query the services:
– Test logins, e.g. ftp, telnet, smtp
• Identify software information:
– WinFTP version 2.3.0
Page 7
Steps of an attacker
• Exploit
– Check exploit-db, NIST, metasploit, Nessus etc.
– Set up a lab environment
– Download the app you want to exploit
– Start fuzzing: test the application to simulate a crash
Page 8
Steps of an attacker
• Attach to Immunity or your favourite debugger: OllyDbg, WinDbg, IdaPro
Page 9
Steps of an attacker
• Control the crash
– Manipulate EIP via ECX and EDX
– Jump to your shell code
• Generate via Metasploit:
– msf payload(shell_bind_tcp) > generate -b '\x00\x44\x67\x66\xfa\x01\xe0\x44\x67\xa1\xa2\xa3\x75\x4b'
– Prep your exploit in Ruby
– Launch at the target system
• ./msfconsole
• use auxiliary/dos/windows/ftp/winftp230_remote
• exploit
Page 10
Steps of an attacker
• Got shell – Bad guy wins
– Starting interaction with 2...
– Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp.
– C:\Documents and Settings\victim\Desktop>
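A defender's counterpart to the attacker steps above (service enumeration with Nmap, login testing against ftp/telnet/smtp, fuzzing the FTP service until it crashes): an added example that is not part of the talk, flagging those three stages in a constructed, simplified connection/FTP log. The log format, the thresholds and the addresses are assumptions made for the example.

```python
"""Flag the recon-to-exploit stages from the slides in a simplified, constructed log format:
<ISO timestamp> <src ip> <dst port> <event> [detail]; events CONNECT, LOGIN_FAIL <user>, CMD <verb> <arg>"""
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORTS = 5        # distinct ports touched by one source inside WINDOW (assumed threshold)
FAIL_LOGINS = 3       # failed logins from one source inside WINDOW (assumed threshold)
MAX_ARG_LEN = 256     # longer command arguments look like fuzzing/overflow attempts (assumed)
WINDOW = timedelta(seconds=60)

def parse(line):
    ts, src, port, event, *rest = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), src, int(port), event, (rest[0] if rest else "")

def in_window(times, n):  # True if some n of the timestamps fall inside one WINDOW
    t = sorted(times)
    return any(t[i + n - 1] - t[i] <= WINDOW for i in range(len(t) - n + 1))

def detect(lines):
    """Return (src, rule, detail) alerts for scanning, login testing and oversized commands."""
    first_contact, failures, alerts = defaultdict(dict), defaultdict(list), []  # per-source state
    for line in lines:
        ts, src, port, event, detail = parse(line)
        if event == "CONNECT":
            first_contact[src].setdefault(port, ts)          # first time each port was touched
        elif event == "LOGIN_FAIL":
            failures[src].append(ts)
        elif event == "CMD" and len(detail) > MAX_ARG_LEN:   # fuzzing / overflow attempt
            alerts.append((src, "oversized-command", f"{len(detail)} bytes to port {port}"))
    for src, ports in first_contact.items():                 # service enumeration
        if len(ports) >= SCAN_PORTS and in_window(ports.values(), SCAN_PORTS):
            alerts.append((src, "port-scan", f"{len(ports)} ports"))
    for src, times in failures.items():                      # login testing
        if len(times) >= FAIL_LOGINS and in_window(times, FAIL_LOGINS):
            alerts.append((src, "login-testing", f"{len(times)} failures"))
    return alerts

SAMPLE_LOG = [  # constructed sample, not real traffic
    "2011-04-20T10:00:01 10.0.0.5 21 CONNECT",
    "2011-04-20T10:00:01 10.0.0.5 23 CONNECT",
    "2011-04-20T10:00:02 10.0.0.5 25 CONNECT",
    "2011-04-20T10:00:02 10.0.0.5 80 CONNECT",
    "2011-04-20T10:00:03 10.0.0.5 443 CONNECT",
    "2011-04-20T10:00:09 10.0.0.5 21 LOGIN_FAIL anonymous",
    "2011-04-20T10:00:10 10.0.0.5 21 LOGIN_FAIL admin",
    "2011-04-20T10:00:11 10.0.0.5 21 LOGIN_FAIL ftp",
    "2011-04-20T10:00:40 10.0.0.5 21 CMD LIST " + "A" * 600,
    "2011-04-20T10:05:00 10.0.0.7 21 CONNECT",          # ordinary user: no alert
    "2011-04-20T10:05:01 10.0.0.7 21 LOGIN_FAIL bob",
]
```

Running `detect(SAMPLE_LOG)` yields one alert per stage for 10.0.0.5 and nothing for the single failed login from 10.0.0.7.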
Page 11
Access Granted
• Network security bypassed
• Access of a single system can lead to additional breaches
• Pivot point (post-exploitation) for future attacks identified
Game Over
Page 12
Whitehat Perspective
• Motivating Factors
– Secure your enterprise
– Keep company assets and intellectual property safe
– Engineer a secure solution
– Fame (would be nice but rarely appreciated)
• Focus
– Salary
– Watching the bad guys
– Staying current while maintaining the old
Page 13
Why it’s so hard to be good
• Security dilemma:
– “The intruder only needs to exploit one of the victims in order to compromise the enterprise.”
• Security mantra:
– “There is no perfect defence”
• Security solution – the 3 pillars:
– Awareness
– Process
– Tools
Page 14
Security Awareness (1)
• Ensure people are educated
– Set up awareness campaigns
– Create training programmes
– Bring security thinking to the people
• Relate to cultural differences (US vs. Switzerland)
Page 15
Security Awareness (2)
• Create a mind-set of critical thinking and encourage people to ask the ‘what if..’ type questions
• Security thinking has nothing to do with being a techy. (Techies nearly always forget this)
Page 16
Security Process
• What is actually important to you?
– Know what you want
– Know what your risk appetite is
– Integrate security into everything you do
Page 17
Tooling
• Firewalls, IPS/IDSs, DLP, SIEM, Antivirus etc. will only cover your last 20%
• Most incidents come from internal employees
– Symantec figures (1996 – 2002): 59%
– CERT figures (2010): 60%
– Open Security Foundation (2010): 47%
• Tools have vulnerabilities: Wireshark!
Page 18
Enterprise security
• The message: “Your organisation will be breached”
• What to consider
– You need to know when this happens
– You need to know how to contain it
– You need to be able to understand your reputation
Page 19
Enterprise security: Sony
• Case Study:
– Sony breach in 2011
– 25 million personal details stolen from the Sony Online Entertainment network
• Name, Address, Email, DoB, Phone numbers
• Motive:
– Unknown but potentially to sell on credit card information (the hack didn’t reveal the 3-digit security code)
Page 20
Enterprise security: Sony
• Reaction by Sony
– SOE network was suspended
• SOE was then rebuilt
– Company would grant 30 days additional playing time to registered users
• Reaction by the public
– Legal action brought against Sony
– In the UK Sony was fined £250,000
Page 21
Enterprise security: Sony
• Overall cost
– Profits plunged 59% or 15.5bn Yen as a combined result of cyber breach and Japanese tsunami
– Continued losses to the brand into 2012
• Real issues
– Personal data lost
– Credit card fraud became more prevalent
Page 22
Enterprise security: Final Thoughts
• Take away message:
– The data a company may lose in a security breach may not be ‘secret’ data, e.g. IP; however, reputation loss will ALWAYS cost an enterprise
• Security in an enterprise is about protecting reputation!
Page 23
Questions and Answers
?