
Page 1: Moderne Honigtöpfe im Zeitalter scheiternder Prävention · 2015-11-10

Version: 1.0

Date: 2015-11-03

Author: Avi Kravitz

Responsible: Avi Kravitz

Confidentiality Class: Public

Moderne Honigtöpfe im Zeitalter scheiternder Prävention (Modern Honeypots in the Age of Failing Prevention)

Page 2

© 2015 SEC Consult Unternehmensberatung GmbH

All rights reserved

Title: CybeDefence | Responsible: Avi Kravitz

Version / Date: V1.0 / 2015-10-08 | Confidentiality Class: public

whoami

Bernhard Schildendorfer | [email protected]
Security Consultant | SEC Consult

… IT / Information Security in St. Pölten
… at SEC Consult since 02/2010
… Penetration Tester, Project Leader, …
… Responsible for Operations @ CyberTrap
… and some other interests

Page 3

SEC Consult – Who we are (1)

Offices: Vienna (HQ) | AT, Wiener Neustadt | AT, Berlin | DE, Frankfurt | DE, Zurich | CH, Vilnius | LT, Moscow | RU, Montreal | CA, Singapore | SG

Founded 2002
50+ Security Experts
350+ Security Audits per year
Globally operating SEC Consult Vulnerability Lab

Page 4

SEC Consult – Who we are (2)

Advisor for information security
Expert for the implementation of security processes and policies (ISO 27001, BS 25999, GSHB)
Leading company for technical security audits
Specialist for web application security according to ONR 17700
Independent of product manufacturers
Our customers are public authorities, financial institutions and well-known leading companies all over the world
Sectoral orientation (defence, public, finance, industry, SW development)

Page 5

Case #1: a fraud.

Page 6

(Chat between CEO and CFO)

CEO: Hey Phil! Did u already take care of the invoice? It's important!
CFO: Frank, which invoice are you talking about?

Page 7

CEO: Ohhh damn!! It's attached to this mail. Please take care of it.
CFO: OK!

Page 8

3 hours later…

CFO: Frank, I initiated the transfer!
CEO: What are you talking about?

Page 9

[Figure: CEO | Fraudster – the "Frank" in the chat was not the CEO but a fraudster impersonating him]

Page 10

WHAT IF you could identify the fraudster?

Page 11

Later the same day…

[Photo; caption: sample image, the actual appearance of the response team may differ]

Page 12

CFO: Frank, find attached the confirmation!

Page 13

20 minutes later…

Intercepted Data

10/09/2015 05:28:33 PM - [SMB] NTLMv2-SSP Client : 5.31.128.11
10/09/2015 05:28:33 PM - [SMB] NTLMv2-SSP Username : TROUBLEMARS\arad
10/09/2015 05:28:33 PM - [SMB] NTLMv2-SSP Hash : ARAD::TROUBLEMARS:1122334455667788:BF291E57152648994XXXX5FFC34EA6F3:0101000000000000CB222026A702XXXXX80245F1155C1780000000002000A0073006D00620031003200010014005300450052005600450052003200300030003800040016007300 6D006200310032002E006C006F00630061006C0003002CXXXXX4500520056004500520032003000300038002E0073006D006200310032002E006C006F<snip>

Cracked password: moneymaker1982

Page 14

30 minutes later…

Intercepted Data

10/09/2015 05:55:56 PM - [SMB] NTLMv2-SSP Client : 41.58.80.176
10/09/2015 05:55:56 PM - [SMB] NTLMv2-SSP Username : MicrosoftAccount\[email protected]
10/09/2015 05:55:56 PM - [SMB] NTLMv2-SSP Hash : my-cool-[email protected]::MicrosoftAccount:1122334455667788:D2CEXX0DABBBC3FD08A6XXXXX89B00B:0101000000000000649CEDE9AXXXXX10108C9D7355FB6CA3D0000000002000A0073006D006200310032000100140053004500520056004500520032003000300038000400160073006D006200310032002E<snip>

Cracked password: homersimpson7
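How the two intercepted captures above become cracked passwords, as an added example that is not part of the deck and not CyberTrap's code. The deck does not name the capture tool, but the three log lines are in the format Responder's SMB module prints, and the "Hash" field is already the hashcat mode 5600 layout user::domain:server_challenge:NTProofStr:blob, with the fixed server challenge 1122334455667788. The script below implements the NTLMv2 computation from MS-NLMP (NTOWFv2, then NTProofStr as HMAC-MD5 over the server challenge and the client blob), builds a constructed capture with the same challenge, decodes the AV pairs inside the blob, and recovers the password from a small constructed wordlist. One point worth knowing when reading such captures: the AV pairs in the blob are the names the honeypot itself advertised in its CHALLENGE message (the deck's first blob decodes to smb12, SERVER2008, smb12.local and SERVER2008.smb12.local), not anything about the attacker; what identifies the attacker is the client IP, the account name and, if it cracks, the password. The password, wordlist, timestamp and client nonce are constructed; the pure-Python MD4 is a fallback because hashlib on OpenSSL 3 builds often lacks md4.

```python
"""NTLMv2-SSP capture to cracked password (added example; MS-NLMP NTLMv2 and hashcat 5600 format)."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
# AV_PAIR ids (MS-NLMP 2.2.2.1) that carry names; they are copied from the server's CHALLENGE.
AV_IDS = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName"}


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320; hashlib is tried first, pure Python is used where OpenSSL has no md4."""
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:
        pass
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[j] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(MD4(UTF-16LE(password)), UTF-16LE(UPPER(user) + domain))."""
    nt_hash = md4(password.encode("utf-16le"))
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), "md5").digest()


def encode_av_pairs(pairs) -> bytes:
    """AV_PAIR list: AvId(2) AvLen(2) value(UTF-16LE) ..., terminated by MsvAvEOL (id 0, len 0)."""
    body = b"".join(struct.pack("<HH", av_id, 2 * len(v)) + v.encode("utf-16le") for av_id, v in pairs)
    return body + struct.pack("<HH", 0, 0)


def build_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE: 0x0101, 6 reserved bytes, FILETIME, 8-byte client nonce, 4 reserved, AV pairs."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)


def nt_proof(password, user, domain, server_challenge, blob) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob): the 16-byte field after the challenge."""
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, "md5").digest()


def hashcat_5600_line(user, domain, server_challenge, proof, blob) -> str:
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def parse_5600_line(line: str):
    user, _, domain, chal, proof, blob = line.strip().split(":")
    return user, domain, bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)


def decode_av_pairs(blob: bytes) -> dict:
    """Walk the AV pairs at blob offset 28 (2+2+4+8+8+4) and return the names the server advertised."""
    names, off = {}, 28
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == 0:
            return names
        if av_id in AV_IDS:
            names[AV_IDS[av_id]] = blob[off:off + av_len].decode("utf-16le")
        off += av_len


def crack(line: str, wordlist):
    """Offline dictionary attack: recompute NTProofStr per candidate and compare with the captured one."""
    user, domain, chal, proof, blob = parse_5600_line(line)
    for candidate in wordlist:
        if hmac.compare_digest(nt_proof(candidate, user, domain, chal, blob), proof):
            return candidate
    return None


def demo():
    """Constructed capture: the deck's fixed challenge, the names its blob decodes to, a made-up password."""
    server_challenge = bytes.fromhex("1122334455667788")  # fixed honeypot challenge, as in the deck's lines
    target_info = encode_av_pairs([(2, "smb12"), (1, "SERVER2008"), (4, "smb12.local"), (3, "SERVER2008.smb12.local")])
    blob = build_blob(0x01D1023B5E4F6A80, bytes.fromhex("0011223344556677"), target_info)  # constructed time/nonce
    proof = nt_proof("moneymaker1982", "arad", "TROUBLEMARS", server_challenge, blob)
    line = hashcat_5600_line("arad", "TROUBLEMARS", server_challenge, proof, blob)
    return line, decode_av_pairs(blob), crack(line, ["Password1", "Summer2015", "moneymaker1982"])


if __name__ == "__main__":
    captured, server_names, password = demo()
    print(captured)
    print(server_names)
    print("cracked:", password)
```

The deck's own hash lines cannot be fed to crack() because parts of them are masked with X; on a complete capture the same line goes straight into hashcat -m 5600 and the result is the same computation at GPU speed. Cracking only succeeds for weak passwords like the two shown, so treat the cracked password as a bonus: the client IP, the account name and the time of the connection are the attribution data, and they are available whether or not the hash ever cracks.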

Page 15

some days later…

Page 16

Case #2: an APT.

Page 17

“The account of a user that was on vacation was locked due to failed logins”

- a SEC Consult client

Page 18

Anatomy of a Targeted Attack

Initial Recon → Initial Compromise → Establish Foothold → Escalate Privileges → Internal Recon → Move Laterally → Maintain Presence → Complete Mission

Page 19

Anatomy of a Targeted Attack (1)

Objective: "let's steal the crown jewels"

Initial Recon: information gathering
Initial Compromise: "let's find a way into the company"
• Critical vulnerabilities in web applications
• Spear phishing
• Drive-by downloads
• etc.
Establish Foothold: "let's plant some remote controllable malware"

Page 20

Anatomy of a Targeted Attack (2)

Escalate Privileges:
• Weak passwords
• Misconfigurations
• Bad patch management
• etc.
Internal Recon: "look for the diamonds!"
Move Laterally: "let's move from system to system until we find what we're looking for"
Maintain Presence: "let's plant new backdoors"
Complete Mission: "we got the crown jewels, let's deliver them to our client"

Page 21

[Photo slide; credit: Fotolia 62727991, Westend61]

Page 22

They will come back

Page 23

Conclusion

! Information security can no longer prevent advanced targeted attacks
! Too much spending is focused on prevention
! Too little is spent on security monitoring and response
! Tailored security breaches are inevitable

Page 24

What to do?

Security is all about knowing & preparation!

Page 25

WHAT IF you are able to…

get their motivation?
get their TTPs?
identify the attacker(s)?

Page 26

Knowing – Global Threat Intelligence?

Indicators of compromise (IOCs) / signature feeds:
Malicious IPs
Malicious domains
Malware hashes
Phishing e-mails
Misc. fingerprints

Page 27

The Art of Deception

We know your enemies

Page 28

Look in the Mirror…

Page 29

CyberTrap

CyberTrap is a weak link in the exposed infrastructure

[Bar chart, 0–100 scale: Application 1 to Application 9, with the CyberTrap system in the sixth position labelled "Entry Point"; bars broken down by SQL Injection, Fileshare, Default Passwords, File Uploads, 0 Day Vulnerability, Outdated Software]

Page 30

Be close to your enemies with CyberTrap!

Find out where they come into your system
Find out what tools they are using
Find out what they are after
Find out what their motivation is

CyberTrap gives you unique LOCAL THREAT INTELLIGENCE

Know Your Enemy

Page 31

CyberTrap Notification System, 13.04.2015:

Hello! CyberTrap detected 4103 IOCs on the following units:
websrv01.wbdmz.local: 3122
dbsrv01.wbdmz.local: 981
Click here to access the CyberTrap Dashboard.

Page 32

[Screenshot, no text]

Page 33

Connection Atlas

Page 34

Activity Graph

Page 35

Live Alerts

Page 36

Anatomy of a Targeted Attack (lifecycle diagram as on page 18)

Observed: stealth vulnerability scan

Page 37

Anatomy of a Targeted Attack (lifecycle diagram as on page 18)

Observed:
• SQL injection
• Broken file upload

Page 38

Anatomy of a Targeted Attack (lifecycle diagram as on page 18)

Observed:
• RAT malware
• Valid mcsync.exe
• DLL hijacking
• Misc. tools

Page 39

Anatomy of a Targeted Attack (lifecycle diagram as on page 18)

Observed: dump cached passwords

Page 40

Anatomy of a Targeted Attack (lifecycle diagram as on page 18)

Observed: network scan

Page 41

Anatomy of a Targeted Attack (continued)

Observed:

• Windows commands

• Remote cronjob
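The four "Anatomy of a Targeted Attack" slides list what the attacker did once inside (a valid binary abused through DLL hijacking, cached-password dumping, an internal network scan, Windows commands and a remote "cronjob"), and the conclusion mentions turning such observations into signatures. The following is an added example of how those observations become detection rules; it is not code from the original deck, from SEC Consult or from CyberTrap. The telemetry is constructed (Sysmon-style process-creation and image-load records plus flow records), and the field names, paths, the hijacked DLL name and the scan thresholds are assumptions made for the illustration.

```python
"""Detection rules for the tradecraft on the "Anatomy of a Targeted Attack"
slides: DLL hijacking via a valid signed binary, dumping cached passwords,
an internal network scan and remote scheduled tasks.
Added example; not code from the deck, SEC Consult or CyberTrap. Telemetry,
field names, paths, DLL name and thresholds below are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Directories an unprivileged user can write to. A signed binary loading a
# DLL from here is the DLL search-order hijack pattern from the slide.
WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Command lines that dump cached or in-memory credentials.
CRED_DUMP = re.compile(
    r"sekurlsa::|logonpasswords|lsadump::|"
    r"procdump\S*\s.*lsass|"
    r"reg(\.exe)?\s+save\s+hklm\\(sam|security|system)",
    re.IGNORECASE,
)
# Remote scheduled-task creation (the slide's "remote cronjob"): schtasks
# with both a remote system (/s host) and /create, or at.exe against \\host.
REMOTE_TASK = re.compile(
    r"\bschtasks(\.exe)?\s+(?=.*/s\s+\S+)(?=.*/create)|\bat(\.exe)?\s+\\\\\S+",
    re.IGNORECASE,
)

def dll_hijack(ev):
    """Signed image loads a DLL from a user-writable directory."""
    if ev.get("type") != "image_load" or not ev.get("signed"):
        return None
    if ev["loaded"].lower().startswith(WRITABLE_PREFIXES):
        return f"signed {ev['image']} loaded {ev['loaded']}"
    return None

def credential_dump(ev):
    """Process command line matches a credential-dumping pattern."""
    if ev.get("type") == "process" and CRED_DUMP.search(ev.get("cmdline", "")):
        return ev["cmdline"]
    return None

def remote_task(ev):
    """Process command line creates a scheduled task on another host."""
    if ev.get("type") == "process" and REMOTE_TASK.search(ev.get("cmdline", "")):
        return ev["cmdline"]
    return None

def internal_scans(flows, window=timedelta(minutes=5), min_hosts=20):
    """One source reaching at least `min_hosts` distinct hosts inside `window`."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append((datetime.fromisoformat(f["ts"]), f["dst"]))
    hits = []
    for src, items in by_src.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            seen = {dst for t, dst in items[i:] if t - t0 <= window}
            if len(seen) >= min_hosts:
                hits.append((src, len(seen), t0.isoformat()))
                break
    return hits

# Constructed sample telemetry (hypothetical hosts, users, paths, DLL name).
TMP = r"C:\Users\jdoe\AppData\Local\Temp"
EVENTS = [
    {"type": "image_load", "host": "WS01", "signed": True,
     "image": TMP + r"\mcsync.exe", "loaded": TMP + r"\helper.dll"},
    {"type": "image_load", "host": "WS01", "signed": True,
     "image": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"type": "process", "host": "WS01",
     "cmdline": TMP + r'\m.exe "privilege::debug" "sekurlsa::logonpasswords"'},
    {"type": "process", "host": "WS01", "cmdline": "ipconfig /all"},
    {"type": "process", "host": "WS01",
     "cmdline": r"schtasks /create /s SRV02 /u corp\svc /tn Update "
                r"/tr C:\Windows\Temp\u.exe /sc daily /st 03:00"},
    {"type": "process", "host": "WS01", "cmdline": "schtasks /query"},
]
# 30 SMB connections from one workstation to 30 hosts within 30 seconds.
FLOWS = [{"ts": (datetime(2015, 10, 1, 3, 20) + timedelta(seconds=i)).isoformat(),
          "src": "10.0.1.23", "dst": f"10.0.1.{100 + i}"} for i in range(30)]
FLOWS.append({"ts": "2015-10-01T09:00:00", "src": "10.0.1.50", "dst": "10.0.1.5"})

def run(events=EVENTS, flows=FLOWS):
    """Apply all rules; returns a list of (rule, host_or_src, detail)."""
    alerts = []
    rules = (("dll_hijack", dll_hijack), ("credential_dump", credential_dump),
             ("remote_task", remote_task))
    for ev in events:
        for name, rule in rules:
            detail = rule(ev)
            if detail:
                alerts.append((name, ev["host"], detail))
    for src, n, when in internal_scans(flows):
        alerts.append(("internal_scan", src, f"{n} hosts from {when}"))
    return alerts

if __name__ == "__main__":
    for alert in run():
        print(" | ".join(alert))
```

Plain administrative commands such as `ipconfig /all` or `schtasks /query` produce no alert on their own; they only become interesting in sequence with the other rules, which is why the conclusion pairs signature generation with knowing the attacker's working hours and infrastructure.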

Page 42

Conclusion

Attacker working hours: ~3 am to ~2 pm (CET)

Identified motivation

Attributed infrastructure

Generation of signatures

Page 43

Takeaways

• Prevention fails

• Preparation is key

• Improve monitoring & detection capabilities

• Know your enemies

• Increase time to defend

• Home-field advantage

• Do the homework

Page 44

Takeaways

"If you know your enemies and know yourself, you will not be imperiled in a hundred battles"

- Sun Tzu, The Art of War

Page 45

Contact

GERMANY

SEC Consult Unternehmensberatung Deutschland GmbH

Ullsteinstraße 118

D-12109 Berlin

Email [email protected]

LITHUANIA

UAB Critical Security, a SEC Consult company

Sauletekio al. 15-311

10224 Vilnius

Tel +370 5 2195535

Email [email protected]

RUSSIA

CJCS Security Monitor

5th Donskoy proyezd, 15, Bldg. 6

119334, Moscow

Tel +7 495 662 1414

Email [email protected]

SINGAPORE

SEC Consult Singapore PTE. LTD

4 Battery Road

#25-01 Bank of China Building

Singapore (049908)

Email [email protected]

CANADA

i-SEC Consult Inc.

100 René-Lévesque West, Suite 2500

Montréal (Quebec) H3B 5C9

Email [email protected]

AUSTRIA

SEC Consult Unternehmensberatung GmbH

Komarigasse 14/1

2700 Wiener Neustadt

Tel +43 1 890 30 43 0

Email [email protected]

THAILAND

SEC Consult (Thailand) Co.,Ltd.

29/1 Piyaplace Langsuan Building 16th Floor, 16B

Soi Langsuan, Ploen Chit Road

Lumpini, Patumwan | Bangkok 10330

Email [email protected]

www.sec-consult.com

SWITZERLAND

SEC Consult (Schweiz) AG

Turbinenstrasse 28

8005 Zürich

Tel +41 44 271 777 0 | Fax +43 1 890 30 43 15

Email [email protected]

AUSTRIA

SEC Consult Unternehmensberatung GmbH

Mooslackengasse 17

1190 Vienna

Tel +43 1 890 30 43 0 | Fax +43 1 890 30 43 15

Email [email protected]