Cyber Analysts: who they are, what they do, where they are - Marco Ramilli - Codemotion Milan 2016
TRANSCRIPT
Page 1
YOROI company profile
November 26 2016 CodeMotion Milan
Marco Ramilli
Page 2
Cyber Analysts: who they are, what they do, where they are!
Page 3
Agenda:
- Cyber Analysts: who they are!
- Cyber Analysts: what they do!
- Cyber Analysts: where they are!
Page 4
Today's Host
● PhD in Bologna, joint with UC Davis
  ○ Cyber Security, Penetration Testing of US Voting Machines
  ○ Books and Publications
● NIST
  ○ OEVT
  ○ Penetration Testing methodologies to help US Democracy
● Palantir
  ○ Product Company
  ○ Intelligence Company
● Yoroi
  ○ One of the most extraordinary cyber security companies founded in Europe (Hakin9)
Page 5
Who they are!
Nowadays this is not a trivial topic:
● Deep Learning Machines
● Cognitive Computing
● Machine Learning Algorithms
● Neural Networks
undermine the human side of Cyber Security Analysis.
But could that technology really remove the human side of this job?
Page 6
Who they are!
Dark Avenger Mutation Algorithm (1993)
It could produce some decryptor cases that appeared only in about 5% or less of all cases. However, the engine had a couple of minor limitations that were enough to detect the virus reliably using an instruction size disassembler and a state machine. In fact, there is only one constant byte in an MtE decryptor, the 0x75 (JNZ), which is followed by a negative offset, and even that is placed at a variable location (at the end of the decryptor, whose length is not constant).
Page 7
Who they are!
Super Simple Malware Evasion Technique. Credits: https://www.exploit-db.com/34591
Page 8
Who they are!
Red Pill Approach. Credits: A fistful of red-pills: How to automatically generate procedures to detect CPU emulators
Page 9
Who they are!
Page 10
What they do!
● Day 1, Morning. A phone call (from the IT department) saying a server is performing weird network requests.
● Day 1, Afternoon. A VMware image is sent to the Cyber Analyst's mailbox: he's gotta run!
Page 11
What they do!
Apport -> intercepts crashes right when they happen the first time, gathers system information and sends stack traces and other useful info back to the developers to fix the crash.
package-data-downloader -> used by software installers such as dpkg and apt.
Page 12
What they do!
SubProcess … Why?
/usr/bin/lls … What?
Page 13
What they do!
SubProcess … Why?
/usr/bin/lls … What?
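Added example (mine, not code from the talk) of the first check an analyst would run on that image: compare every package-owned file against the checksums dpkg recorded at install time, and list files under the usual binary directories that no package owns, which is how a tampered Apport helper and an unexplained /usr/bin/lls both surface. It runs against a constructed fake tree; the path /usr/share/apport/package-data-downloader and the /var/lib/dpkg/info layout are assumptions about Ubuntu, not taken from the slides.

```python
import hashlib
import tempfile
from pathlib import Path

def load_md5sums(info_dir: Path) -> dict:
    """Parse dpkg's <pkg>.md5sums files: one '<md5>  <path relative to />' per line."""
    owned = {}
    for f in info_dir.glob("*.md5sums"):
        for line in f.read_text().splitlines():
            digest, _, rel = line.partition("  ")
            if digest and rel:
                owned["/" + rel.strip()] = digest
    return owned

def integrity_report(root: Path, info_dir: Path, scan_dirs=("usr/bin", "usr/share/apport")) -> dict:
    """Package-owned files whose content no longer matches, plus files that nobody owns."""
    owned = load_md5sums(info_dir)
    modified = [p for p, d in owned.items()
                if (root / p.lstrip("/")).is_file()
                and hashlib.md5((root / p.lstrip("/")).read_bytes()).hexdigest() != d]
    unowned = ["/" + str(p.relative_to(root)) for d in scan_dirs
               for p in (root / d).rglob("*") if p.is_file()
               and "/" + str(p.relative_to(root)) not in owned]
    return {"modified": sorted(modified), "unowned": sorted(unowned)}

def build_demo_tree() -> tuple:
    """Constructed mini-filesystem: a genuine ls, an apport helper tampered after install, a rogue lls."""
    root = Path(tempfile.mkdtemp())
    info = root / "var/lib/dpkg/info"
    info.mkdir(parents=True)
    genuine = {"usr/bin/ls": (b"#!/bin/sh\necho genuine\n", "coreutils"),
               "usr/share/apport/package-data-downloader": (b"# original helper\n", "apport")}
    for rel, (data, pkg) in genuine.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
        with (info / f"{pkg}.md5sums").open("a") as fh:   # record the checksum as shipped
            fh.write(f"{hashlib.md5(data).hexdigest()}  {rel}\n")
    # Post-install tampering, as in the incident: a backdoored helper and an unowned binary
    (root / "usr/share/apport/package-data-downloader").write_bytes(b"# backdoored\n")
    (root / "usr/bin/lls").write_bytes(b"\x7fELF rogue\n")
    return root, info
```

On a real Ubuntu box the same comparison is what `dpkg --verify` and `debsums` do; the point of the unowned list is that a dropped binary never appears in any manifest and so is invisible to a checksum-only check.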
Page 14
What they do!
Page 15
What they do!
Page 16
What they do!
Connect to 198.216.87.22 ?
Page 17
What they do!
Ok, let's intercept what it sends to 198!
On the client side in the meanwhile ...
Oh boy… really?
Page 18
What they do!
Page 19
What they do!
Ok, we've got password exfiltration on every crash dump and on every software update, plus machine control since ssh is available.
But how do they keep persistence on a server?
Maybe the attackers trigger crashes from outside?
Page 20
What they do!
Et voilà! CVE-2014-3583
Page 21
What they do!
Ok, we now know pretty much everything about the intrusion, even how they get persistence...
But why did the user report a "strange behavior"?
Maybe the attackers needed such a server as a pivot server?
Oh.. Oh!!
Page 22
What they do!
Here we go! A nice SEH buffer overflow on Windows.
We need to ask for another server image ….. :D
Ok, not today...
Page 23
What they do!
It was a quite original way to penetrate a system… is it a new fancy opportunistic way?
Page 24
What they do!
Page 25
What they do!
How did "lls" land here?
Page 26
What they do!
Only 5 iterations? - Let's check it out!
Page 27
What they do!
A simple reminder on Linux passwords:
● schema: $id$salt$hashed
  ○ $1$ -> MD5
  ○ $2a$ -> Blowfish
  ○ $2y$ -> Blowfish (8-bit chars)
  ○ $5$ -> SHA-256
  ○ $6$ -> SHA-512
● !: account is password locked
● *: account is locked
● !!: no password set (RedHat)
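An added example (mine, not from the talk) that turns the reminder above into a small triage script: it classifies /etc/shadow lines by the $id$salt$hashed schema and the lock markers, and, going beyond the slide, also reads the optional rounds=N field of SHA-crypt and bcrypt's cost so that a suspiciously low iteration count, like the one the previous slide asks about, gets flagged. The 5000-round default and the bcrypt salt/hash lengths are assumptions about glibc and bcrypt, not from the slides.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hash-id prefixes from the slide ($id$salt$hashed); 5000 is glibc's default SHA-crypt rounds.
HASH_IDS = {"1": "MD5", "2a": "Blowfish", "2y": "Blowfish (8-bit chars)",
            "5": "SHA-256", "6": "SHA-512"}
SPECIAL = {"": "empty", "!!": "no-password", "!": "locked", "*": "locked"}
DEFAULT_SHA_ROUNDS = 5000
HASH_RE = re.compile(r"\$(\w+)\$(?:rounds=(\d+)\$)?([^$]*)\$(.+)")  # $id$[rounds=N$]salt$hash

@dataclass
class ShadowEntry:
    user: str
    status: str                   # hashed | locked | no-password | empty | unknown
    algorithm: Optional[str] = None
    salt: Optional[str] = None
    rounds: Optional[int] = None  # SHA-crypt rounds=N, or 2**cost for bcrypt

def parse_shadow_line(line: str) -> ShadowEntry:
    """Classify one /etc/shadow line by its second (password) field."""
    user, field = line.rstrip("\n").split(":")[:2]
    if field in SPECIAL:
        return ShadowEntry(user, SPECIAL[field])
    if field.startswith("!"):  # '!' prefixed to a real hash: locked with passwd -l
        return ShadowEntry(user, "locked")
    m = HASH_RE.fullmatch(field)
    if not m or m.group(1) not in HASH_IDS:
        return ShadowEntry(user, "unknown")
    hid, rounds, salt, rest = m.groups()
    if hid.startswith("2"):  # bcrypt: $2y$cost$<22-char salt><31-char hash>, no '$' between them
        return ShadowEntry(user, "hashed", HASH_IDS[hid], rest[:22], 2 ** int(salt))
    if hid in ("5", "6"):    # SHA-crypt honours an optional rounds=N field
        return ShadowEntry(user, "hashed", HASH_IDS[hid], salt, int(rounds or DEFAULT_SHA_ROUNDS))
    return ShadowEntry(user, "hashed", HASH_IDS[hid], salt)  # MD5-crypt: fixed 1000 iterations

def audit_shadow(text: str, min_sha_rounds: int = DEFAULT_SHA_ROUNDS) -> list:
    """Return (user, finding) pairs worth a second look during triage."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        e = parse_shadow_line(line)
        if e.status in ("empty", "unknown"):
            findings.append((e.user, f"{e.status} password field"))
        elif e.algorithm == "MD5":
            findings.append((e.user, "weak MD5-crypt ($1$) hash"))
        elif e.algorithm in ("SHA-256", "SHA-512") and e.rounds < min_sha_rounds:
            findings.append((e.user, f"SHA-crypt with only rounds={e.rounds}"))
    return findings
```

Feed it the shadow file from the forensic image (`audit_shadow(Path("/mnt/image/etc/shadow").read_text())`) and compare the findings against what the organisation's password policy says should be there.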
Page 28
What they do!
Page 29
What they do!
Page 30
Where they are!
● Unfortunately there is no full learning path to become a Cyber Security Analyst so far.
● There are a lot of classes on:
  ○ Reverse Engineering
  ○ Firmware Analysis
  ○ Forensic Analysis
  ○ Penetration Testing
  ○ Vulnerability Assessments
  ○ Secure Policy Assessment
  ○ . . . . .
● But a Cyber Security Analyst should be able to perform each of these activities + human interactions + strategic thinking + organization chart knowledge + problem solving
Page 31
Where they are?
Page 32
We are hiring!
www.yoroi.company