Upload File

hack.lu 2019 / 2019-10-23 public / tlp:white disturbance

  • Home
  • Documents
  • HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE
25
PUBLIC / TLP:WHITE DISTURBANCE THE SORRY STATE OF CYBERSECURITY AND WHAT WE CAN DO ABOUT IT SAÂD KADHI, HEAD OF CERT-EU. v1 HACK.LU 2019 / 2019-10-23

Upload: others

Post on 19-Mar-2022

6 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE

PUBLIC / TLP:WHITE

DISTURBANCE THE SORRY STATE OF CYBERSECURITY AND WHAT WE CAN DO ABOUT IT

SAÂD KADHI, HEAD OF CERT-EU.

v1

HACK.LU 2019 / 2019-10-23

Page 2: HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE

IN THE BEGINNING

Page 3: HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE

IN THE BEGINNING, A CYBERSECURITY PRODUCT WAS BORN

THE ANTIVIRUS

Page 4: HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE

IN THE BEGINNING, IT PROTECTED US (TO SOME EXTENT )

THE ANTIVIRUS

AIDS (1989)

BRAIN (1986)

RANSOMWARE

WORMS

ILOVEYOU (2000)

CODE RED (2001)

NIMDA (2001)

CONFICKER (2008)

REVETON (2012)

CRYPTOLOCKER (2013)

WANNACRY (2017)

PETYA (2016)TROJANS & RATS

DARKCOMET (2012)

FINFISHER (2011?)

EGABTR (1989?)

NETBUS (1998)

FILELESS MALWARE

SLAMMER (2003)

POWELIKS (2015)

POTENTIALLY UNWANTED APPLICATIONS

MIMIKATZ (2011)

Page 5: HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE

IN THE BEGINNING, IT PROTECTED US (TO SOME EXTENT )

THE ANTIVIRUS

AIDS (1989)

BRAIN (1986)

RANSOMWARE

WORMS

ILOVEYOU (2000)

CODE RED (2001)

NIMDA (2001)

CONFICKER (2008)

REVETON (2012)

CRYPTOLOCKER (2013)

WANNACRY (2017)

PETYA (2016)TROJANS & RATS

DARKCOMET (2012)

FINFISHER (2011?)

EGABTR (1989?)

NETBUS (1998)

FILELESS MALWARE

SLAMMER (2003)

POWELIKS (2015)

POTENTIALLY UNWANTED APPLICATIONS

MIMIKATZ (2011)

THIS SLIDE (NOR MY LIFE) WILL

SUFFICE TO LIST THEM ALL

Page 6: HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE

HOW WE ENDED UP HERE?

THESE EXAMPLES ARE ALL TELLTALE SIGNS OF THE

DOMINATING MONOCULTURE

CYBERINSECURITY: THE COST OF MONOPOLY

HOW THE DOMINANCE OF MICROSOFT’S PRODUCTS POSES A RISK TO SECURITY

DAN GEER, SEP 24, 2003

Source: Wired

BUT… A MONOCULTURE HAS ADVANTAGES

(AND THE SECURITY OF MS PRODUCTS HAS SIGNIFICANTLY AND STEADILY IMPROVED)

HOWEVER, CLASS BREAKS ARE TOO COSTLY TO IGNORE

https://www.wired.com/2004/02/warning-microsoft-monoculture/
Page 7: HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE

MONOCULTURE & STANDARDISATION

CLASS BREAKS 101

TARGETS A CERTAIN PIECE OF SOFTWARE

COMPROMISES A CERTAIN DEVICE

TARGETS A WIDELY DEPLOYED PIECE OF

SOFTWARE

COMPROMISES HUNDREDS IF NOT THOUSANDS OF DEVICES

DEVICE

DEVICE

DEVICE

DEVICE

DEVICE

DEVICE

DEVICE

DEVICE

Page 8: HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE

CLASS BREAKS: EXAMPLES

Source: Google's Project Zero

2012-2018: GOOGLE’S PROJECT ZERO FOUND SEVERAL HIGHLY CRITICAL

VULNERABILITIES IN MANY OTHER AV PRODUCTS

(KASPERSKY, ESET, COMODO, TRENDMICRO, SOPHOS…)

SYMANTEC ENDPOINT

PROTECTION (2016)

Source: The Register

https://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-endpoint.html
https://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-endpoint.html
https://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-endpoint.html
https://www.theregister.co.uk/2012/11/06/sophos_multiple_vulns/
Page 9: HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE

Source: imgflip.com

https://imgflip.com
Page 10: HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE

FROM SUPPLY-CHAIN ATTACKS TO CLASS BREAKS

TARGETS COMPANY X (SECONDARY TARGET)

COMPROMISES COMPANY A

(PRIMARY TARGET)

TARGETS COMPANY X (SECONDARY TARGET)

COMPROMISES TENS IF NOT HUNDREDS OF COMPANIES

COMPANY A

COMPANY C

COMPANY E

COMPANY B

COMPANY F

COMPANY G

COMPANY D

COMPANY H

COMPANY X IS A SUPPLIER OF COMPANY A

COMPANY X IS A SUPPLIER OF MANY

ORGS

Source: Reuters

https://www.reuters.com/article/us-target-breach/target-cyber-breach-hits-40-million-payment-cards-at-holiday-peak-idUSBRE9BH1GX20131219
Page 11: HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE

THIS IS NOT THEORETICAL

Source: Twitter

Source: Arstechnica

2019

2016

?

https://twitter.com/cglyer/status/1182413194360508419
https://arstechnica.com/information-technology/2016/06/teamviewer-users-are-being-hacked-in-bulk-and-we-still-dont-know-how/
Page 12: HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE

MARCHING TOWARD FAILURE

Page 13: HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE

IN THE BEGINNING…

THE ANTIVIRUS

FAILLIBLE (FAULTY SIGNATURES, BSOD)

INSECURE (TOO MANY PARSERS, BAD

CODING)

INSUFFICIENT (COVER ONLY A CERTAIN CLASS

OF THREATS)

EXCELLENT VECTOR

(FOR A NICE CLASS BREAK ATTACK)

Page 14: HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE

WITH GROWING DIGITALISATION COMES PRODUCT PROLIFERATION

THE ANTIVIRUS

NETWORK FIREWALL

(WITH DPI)

UTM

WAF

PROXY

UBA

2FA

NIDS

NIPS

SIEMSOAR

EDR

EPP

SANDBOX

THREAT FEEDS

TIP

ANTI-MALWARE

ANTI-SPAM

DLPPERSONAL FIREWALL

(WITH DPI)

VULNERABILITY SCANNERS

VPN

UEBA

Page 15: HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE

Source: RSA Conference

https://www.rsaconference.com/usa/expo-and-sponsors
Page 16: HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE

LIKE THE ANTIVIRUS, THESE ‘SOLUTIONS’ ARE ALL PART OF THE ATTACK SURFACE

7 Oct 2019, Source: thebestvpn

10 Oct 2019, Source: ZDNet

2019Source: TechCrunch

2011, Source: CSOOnline

https://thebestvpn.com/cyberoam-preauth-rce/?=cve-2019-17059-flaw
https://www.zdnet.com/article/imperva-blames-data-breach-on-stolen-aws-api-key/
https://techcrunch.com/2019/07/27/comodo-password-access-data/
https://www.csoonline.com/article/2623707/the-real-security-issue-behind-the-comodo-hack.html
Page 17: HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE

… RUNNING ON TOP OF VULNERABLE PROCESSORS

Source: https://meltdownattack.com

Source: https://foreshadowattack.eu

Source: https://zombieloadattack.com

https://meltdownattack.com
https://foreshadowattack.eu
https://zombieloadattack.com
Page 18: HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE

AND THEY NEED HUMANS & €€€ TO INSTALL, USE AND MAINTAIN

SIEM

BUY SOFTWARE

BUY HARDWARERECRUIT

SYSADMINS

TRAIN PEOPLE(TO USE SOME OBSCURE QUERY

LANGUAGE)

MAKE CLUSTERS & BACK-UPS

BUY PRO SERVICES (BECAUSE THERE ARE ALWAYS ‘EDGE

CASES’)

BUY PRO SERVICES

(BECAUSE YOU NEED NEW PARSERS AND YOUR EXISTING PARSERS WILL

BREAK)

BUY SUPPORT

BUY THREAT FEEDS

BUY AN ADD-ON FOR YOUR

COMPLIANCE NEEDS

MONITOR THE HEALTH OF THE SYSTEM

(ARE YOU SURE YOU ARE NOT MISSING LOGS?)

CONFIGURE LOGGING PROPERLY(NO, IT’S NOT A FIRE & FORGET TASK)

BUY A TIP

BUY AN INCIDENT RESPONSE PLATFORM

HIRE DATA SCIENTISTS

BUILD AND MAINTAIN

USE CASES

CONFIGURE ALERTS (AND HOPE YOUR ANALYSTS WON’T DIE OUT OF

FALSE POSITIVE FATIGUE)

Page 19: HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE

TRENDING!

HOUSTON, WE HAVE A SERIOUS LAYER 8 PROBLEM

THE HUMAN BRAIN IS NOT A

COMPUTER

FEAR OF MISSING OUT

CONTINUOUS DISTRACTIONS & INTERRUPTIONS

TOO MANY THINGS

TO LEARN

TOO MANY THINGS

TO DEFEND

FRUSTRATION

CONTINUOUSLY CHANGING TECH

CONTINUOUSLY CHANGING THREAT

LANDSCAPE

TOO LITTLE TIME TO INVESTIGATE

INFOBESITYTHE PERFECT RECIPE FOR

DOOM (& BURNOUTS)

Page 20: HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE

HANG ON APOLLO! HELP IS ON ITS WAY!

NOPE, ARTIFICIAL INTELLIGENCE IS NOWHERE READY TO HELP US

Source: Nature

BREAKING DEEP NEURAL NETWORKS (DNNs) IS VERY EASY

Further reading: Adversarial Reprogramming of Neural Networks, Cornell University

ALGORITHMS ARE CREATED BY ‘FLAWED' HUMANS & TRAINED ON DATA OF VARYING QUALITY WHILE RUNNING ON VULNERABLE

PROCESSORS

https://www.nature.com/articles/d41586-019-03013-5
https://arxiv.org/abs/1806.11146
Page 21: HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE

BREAKING THE FAILURE CYCLE

Page 22: HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE

THERE IS NO SILVER BULLET

(SECURITY) BUGS ARE A DIRECT BYPRODUCT OF MODERN SOFTWARE

DEVELOPMENT

TIME TO MARKET

LIMITED OR NON-EXISTENT REGULATION

BAD CODING PRACTICES

NO LIABILITY (USE AS-IS BUT DON’T FORGET TO PAY)

FLAWED VC MODEL

GROWING COMPLEXITY

MARKETING IS KINGLACK OF

TRANSPARENCY

Page 23: HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE

AND THINGS ARE GETTING WORSE

The over-complexification of provisioning and deployment pipelines is a dangerous trend. I don't trust the layers upon

layers of scripts and tools to not break randomly, and I worry the maintenance cost is getting out of hands. Yes, I'm

looking at you, k8s.

Source: Julien Vehent, Firefox Operations Security at @Mozilla, Author of Security DevOps http://securing-devops.com; coder & speaker.

https://twitter.com/jvehent/status/1182771152256720903
Page 24: HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE

WE KNOW THE SOLUTIONS AND THEY REQUIRE COURAGE & HARD WORK

PUSHBACK!

ASK FOR MORE TRANSPARENCY FROM VENDORS & SUPPLIERS

LOBBY FOR SOUND REGULATION & LIABILITY

INVEST IN PEOPLE & SKILLS

IMPLEMENT PROPER CYBER HYGIENE (IT REALLY HELPS A LOT!)

LEVERAGE THE POWER OF THE CROWD EMPOWER & HELP LAW

ENFORCEMENT (THOSE CRIMINALS MUST BE

ARRESTED)

LEARN TO USE WHAT YOU ALREADY HAVE

(AND STOP USING WHAT YOU DON’T NEED)

PARTICIPATE IN VARIOUS COMMUNITIES & FOSTER

TRUE SHARING

IDENTIFY THE CROWN JEWELS IN YOUR

NETWORK (YOU CAN LOSE A LEG BUT NOT A

HEART)

DEMAND INTEROPERABILITY

DEMAND EASY-TO-USE SOLUTIONS

USE & CONTRIBUTE TO FREE, OPEN SOURCE

SOLUTIONS (WHEN APPLICABLE)

HELP EACH OTHER OUT (SHOW ME HOW TO DO THIS & I’LL

SHOW YOU HOW TO DO THAT)

Page 25: HACK.LU 2019 / 2019-10-23 PUBLIC / TLP:WHITE DISTURBANCE

THINK CONSTITUENT

CREATE VALUE


Cracking Into Embedded Devices - HACK.LU 2K8

FIRST CONFERENCE 29 / 2017-06-15 TLP:WHITE A SCALABLE ... · first conference 29 / 2017-06-15 tlp:white saâd kadhi cert-bdf / thehive project a scalable, open source and free incident

[Attacks Part] BetterCrypto Workshop @ Hack.lu 2014

TLP:White FIRST/TF-CSIRT Technical Colloquium January 25th

Emotional disturbance

OREO - Hack.lu CTF 2014

TLP:WHITE - WaterISAC · 2020. 9. 17. · TLP:WHITE TLP:WHITE 16 Sept 2020 Alert Number AC-000133-TT WE NEED YOUR HELP! If you identify any suspicious activity within your enterprise

Breaking and Securing Web Applications - Hack.lu

2006: Hack.lu Luxembourg 2006: Anonymous Communication

2008 Hack.lu Aumaitre

Emotional Disturbance Decision Tree Emotional Disturbance Decision Tree … · 2017-03-23 · Emotional Disturbance Decision Tree Emotional Disturbance Decision Tree TM The EDDT is

2016.hack.lu file2016.hack.lu

BINARY INSTRUMENTATION FOR HACKERS GAL DISKIN / INTEL (@GAL_DISKIN) HACK.LU 2011@GAL_DISKIN

Hack.lu 2016 October, 19th2016.hack.lu/archive/2016/Wavestone - Hack.lu 2016 - Hadoop safari... · Hack.lu 2016 – October, 19th Mahdi BRAIK ... / Guitar, riding, volley-ball / Git

Radare2 - Radare2 - a framework for reverse engineering2015.hack.lu/archive/2015/radare2-workshop-slides.pdf · October 22, 2015 Hack.lu 10-2015. maxime morin 22 y/o french expat

Unpacking for Dummies - Hack.lu

2009 Hack.lu Slides WM6 Rootkit

Project 2007-11 – Disturbance Monitoring 200711 Disturbance...2020/07/11  · Project 2007-11 – Disturbance Monitoring PRC-002-2 – Disturbance Monitoring and Reporting Requirements

Malware Initial Findings Report (MIFR) - 10127623 2017-10-13...TLP:WHITE 3 of 25 Details TLP:WHITE Name goo-AA021-1468346915-00-50-56-A5-34-B3.js Size 3904 Type ASCII text, with very

TLP:WHITE : Kernellix Co., Ltd....TLP:WHITE : Kernellix Co., Ltd. Network Storage Server 172.80.80.110 Active Directory Server 172.80.80.120 Accounts Database Server 172.80.80.130

INTERNET SCANNING - 2017.hack.lu€¦ · Related work hack.lu 2014, Internet Scanning, Mark Schloesser @ Rapid7 Labs 4 Internet-wide studies since 1998, research-focused mostly •

Extreme Cold & Winter Weather | Update #2 · 2021. 2. 17. · SITUATION UPDATE TLP:WHITE February 17, 2021 Page 4 of 12 TLP:WHITE ELECTRICITY OVERVIEW • ERCOT: As of 9:30 AM EST

TLP:WHITE : Kernellix Co., Ltd

Malware Initial Findings Report (MIFR) - 10124171 2017-05-14 · TLP:WHITE TLP:WHITE Malware Initial Findings Report (MIFR) - 10124171 2017-05-14 Notification This report is provided

Forging the USB armory Andrea Barisani - Hack.lu

Draw me a Local Kernel Debugger - Hack.lu

TLP:WHITE HELP! TLP:WHITE Ransomware

All your Bluetooth is belong to us - Hack.lu 2006

Hack.lu edition 2012 A forensic analysis of Android Malware · Hack.lu edition 2012 A forensic analysis of Android Malware Wednesday, 24th October 2012 KEVIN ALLIX, [email protected]

Community Change: disturbance and succession · Community Change: disturbance and succession Reading: Chap. 20 I. Disturbance A. Disturbance: Frequency Intensity Scale B. Stability:

Charlotte Civil Disturbance - uc.appstate.eduuc.appstate.edu/_documents/Charlotte-Civil Disturbance-PIO-Summit… · Charlotte Civil Disturbance CHARLOTTE-MECKLENBURG WebEOC LIFECYCLE

JOINT CYBERSECURITY ADVISORYdhhs.ne.gov/Documents/AA20-302A Joint Cybersecurity...TLP:WHITE WHITE TLP:WHITE JOINT CYBERSECURITY ADVISORY Ransomware Activity Targeting the Healthcare

TLP:WHITE MI... · 2020-07-28 · TLP:WHITE TLP:WHITE Two of the most common vulnerabilities exploited by actors using Netwalker are Pulse Secure VPN (CVE-2019-11510) and Telerik

Evasion of HighEnd IPS Devices - Hack.lu

Forging the USB armory Andrea Barisani - Hack.lu 20152015.hack.lu/archive/2015/forging_the_usb_armory.pdf · Copyright 2015 Inverse Path S.r.l. Forging the USB armory USB armory -