Post on 22-May-2020

7 views

Category:

Documents


0 download

TRANSCRIPT

Improving Cyber Resiliency using Intelligence-led Attack Simulations

Vincent Yiu

Who am I?

Vincent Yiu, Founder of SYON Security

Offensive Operations including Adversary Simulation and Penetration Testing

Certifications: CREST certified, OSCP, OSCE

Speaker at: SSC Xi’an 2018, HITB Singapore 2017 and 2018, JD Security Conference Beijing 2017, Steelcon UK 2017, Bsides Manchester UK 2017, Snoopcon 2017 and 2018.

@vysecurity

[email protected]

Experiences

• Global banks

• Local banks

• Wealth management

• Global insurance

• Smart grid

• Retail

• Manufacturing / R&D organizations

• Satellite

• HR companies

• Financial technology providers

• ISP / Registrars

• Telecoms

• Energy

• Biomedical

• Health

• More…

Financial Technology?

• Asset Management

• Automated Teller Machine (ATM) Operators

• ATM and self-service terminal manufacturing

• Banks and Credit Unions

• Credit Report Services

• Electronic Payment Systems

• Financial Planners and Investment Advisers

• Financial Transaction Processing

• Institutional Securities Brokerages

• Investment Firms

• Mortgage Brokers

• Property/Casualty Insurance Carriers

• Venture Capital

• CRYPTOCURRENCY EXCHANGE

https://www.fireeye.com/content/dam/fireeye-www/solutions/pdfs/ib-finance.pdf

But it all boils down to…

• The target objective

• The attacker’s motivation

• The crown jewels

Hacking a target is not the end goal, acquisition of the objective is the mission.

Agenda

• Financial industry threats

• What is intelligence?

• Current state of Security Testing across the world

• What is Cyber Attack Simulation Testing?

• Attack lifecycle – Modelling real attacker techniques

Goals: Back to Basics

• Confidentiality

• Integrity

• Availability

Data, Information

• Benefit Records

• Business and Strategic Plans and Goals

• Finance Documents

• Invoices

• Organizational Charts

• Pricing Data

• Recurring Reports

• Customer Data

• Payment Card Data

Manipulation

• Change Customer Account Data

• Change Amount of Money

• Change Software

• Change Website

Access

• Move Money

• Withdraw Cash

• Denial of Service

Intelligence

• Who’s hacking who?

• What are criminals after?

• Is your company affected?

• When are they going to hack you?

• Have they already hacked you but you don’t know?

• Current scam campaigns going on

[Diagram: (1) Intelligence Report, (2) Your Company, (3) ???]

Intelligence Report: What’s in it?

• Open Source Intelligence information on your company

• Enumerated digital asset IP ranges / domains

• Shodan passive enumeration of digital assets

• Potential vulnerabilities

• Competent intelligence providers will have a 20+ year historical database of data

• Provide insight as to what CRIME groups are targeting YOUR industry

• What CRIME groups are targeting YOUR organization

• What accounts and data are being sold?

• What are the capability levels of these CRIME groups?

• What malware deployments? What tactics, techniques, and procedures do they use?

Open Source Intelligence

• Company Name

• Company Branches

• Legal entities

• Revenue

• Executives

• Organizational Chart

• Office locations

• Email addresses

• Phone numbers

• Passwords appeared in previous breaches

• Digital assets

• Potential vulnerabilities

Adversary Information

• Name of groups and individuals who may be targeting your industry

• Groups who may be targeting your particular organization

• Mentions of your organization on the Dark Net / Underground communities

  • TOR network

  • Exploit.in LEVEL X account

• Public APT and private APT reports

• Malware samples

• Indicators of compromise

• Motivations

• Origin country

• Emails

• Domains

• IP addresses

• Accounts for your service being sold

• Access to your organization being sold (insider threat / previously hacked access)


What threats are we facing?

• SWIFT – Financial motivation

• ATM Jackpotting – Financial motivation

• Cryptocurrency Exchange Transfers – Financial motivation


Who are the threat actors?

• Many Advanced Persistent Threat Groups

• Carbanak – ATM / Point of Sale Devices

• Lazarus – SWIFT


What are we doing about it?

• Prepare

• Assess

• Understand your company’s defensive capabilities

After breach:

• Investigations

• Security hardening

Case Study

• Bank X

[Timeline]

• 2014: Simulated attack, $200K

• 2016: Bangladesh hacked via SWIFT, $81 Million

• 2018: On-going simulations, $200K

• Prepared for the FUTURE

Case Study

• Financial Technology company Y

• Global Reach

• Deploys Infrastructure for many banks

• “Can an attacker break into our network, and obtain access to our customer’s networks?”

Current State of Security Assessments

COMPLIANCE

• Is the door locked?

• Is there a safe?

Current State of Security Assessments

PENETRATION TESTING

• Project 1: Can I get past the door?

• Project 2: Can we break into the safe?

Current State of Security Assessments

ATTACK SIMULATION (ONE PROJECT)

• Surveillance to find a time when no one’s home

• Jump down from the floor above

• Unlocked balcony door

• Find the safe combination in the room

• Open the safe

Where are we?

• United Kingdom / USA:

  • Red Teaming / Attack Simulation

  • Penetration Testing

• Asia:

  • Risk Assessment

  • Buy Security Products

  • Penetration Testing

Attack Simulation Regulations

• United Kingdom: CBEST (Financial), TBEST (Telecom), NBEST (Energy), ATTEST (Aviation)

• Europe: TIBER-EU

• Hong Kong: iCAST

• Singapore: Pending Singapore Monetary Authority

Capabilities

Cyber Capability Spectrum (LOW to HIGH)

• CREST Basic

• CREST Certified

• CREST Simulated Attack Specialist

• Experienced Consultant Dealing with Critical Infrastructure

You’ve got an upcoming match against Mike Tyson

Risk Assessment / Compliance

Watch a video, then say “He might take a right punch”. Are you ready for the fight with no training?

Penetration Testing

Practicing against a punching bag

Attack Simulation

Train against someone who can mimic Mike Tyson

Cyber Attack Lifecycle: Microsoft’s Version

Brief walkthrough of an attack on ACME corporation

• Financial Technology Provider

• Global presence

• Operations in UK, Germany, Singapore, and Philippines

• Goal: Obtain access to customer data

• Goal: Obtain access to customer environment

• Goal: Obtain credentials for a customer environment

How might you go about this sort of an attack?

Step 1: Reconnaissance

• Map out digital assets

  • Scanning, visualising, understanding the surface

  • Digital footprint / Social media footprint

  • Code leaks, breach dumps

• Map out physical assets

  • Potential last resort if attack over internet proves infeasible

• Map out human resources

  • Scraping, searching the internet

  • LinkedIn, 脉脉

Step 2: Phishing

• Review target’s email security configuration

• Set up a phishing campaign

• Target gets phished

• Foothold on internal network
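A defender-side check for the "email security configuration" that the phishing step reviews, added here as an example and not part of the talk: it parses SPF and DMARC TXT records (constructed samples, not real domains) and reports settings that would let a spoofed message through.

```python
# Constructed sample TXT records for three hypothetical domains. In practice a
# defender fetches these with a DNS lookup of <domain> and _dmarc.<domain>.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "hardened.example": {
        "spf": "v=spf1 include:_spf.mailhost.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example; pct=100",
    },
    "missing.example": {"spf": None, "dmarc": None},
}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; ...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf, dmarc):
    """Return the findings that weaken protection against sender spoofing."""
    findings = []
    if spf is None:
        findings.append("no SPF record: any host may send as this domain")
    else:
        # The 'all' mechanism decides what happens to unlisted senders.
        all_term = next((t for t in spf.split() if t.lstrip("+-~?") == "all"), None)
        if all_term is None or all_term in ("all", "+all"):
            findings.append("SPF passes unlisted senders: add -all")
        elif all_term in ("~all", "?all"):
            findings.append(f"SPF {all_term}: spoofed mail is tagged, not rejected")
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM failures are not enforced")
    else:
        tags = parse_dmarc(dmarc)
        policy = tags.get("p", "none")
        if policy != "reject":
            findings.append(f"DMARC p={policy}: spoofed mail is still delivered or only quarantined")
        pct = int(tags.get("pct", "100"))
        if pct < 100:
            findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of mail")
    return findings


if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        print(domain, assess(recs["spf"], recs["dmarc"]) or ["ok"])
```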

Step 3: Actions on Objectives

• Skip Privilege Escalation, phished target is a Philippines operations manager

• Login to internal password management server

• Dump all credentials for all APAC customers

• Surveillance of the target over multiple days

• Target logs into customer Citrix server via a secured virtual machine

Step 3: Actions on Objectives (continued)

• Connect to virtual machine

• Lookup customer credentials

• Login

• Access to customer environment granted

THANKS! Any questions?

@vysecurity

[email protected]

www.vincentyiu.co.uk