How I'm going to own your organization v2
Post on 19-Oct-2014
Description: DerbyCon 2013, How I'm going to own your organization
“How I'm going to own your organization in just a few days”
The Malware obfuscation attack
Introduction to the Cyber Kill Chain™
@RazorEQX
http://404hack.blogspot.com
Safety TIP
@RazorEQX
• Army 1985-89
• Cracker
• Starving Nurse
• Gamer turned Networker
• Network Guy
• Firewall Guy
• Hacker
• Malware Reverse Engineer
USER: This is very bad file
Access to Facebook via the settings bar..
http://www.facebook.com/abe2869f-9b47-4cd9-a358-c22904dba7f7
Settings
aPLib compressor's trace:
aPLib v1.01 - the smaller the better :)
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.
More information: http://www.ibsensoftware.com/
Pony gates:
hxxp://webmail.alsultantravel.com:8080/ponyb/gate.php
hxxp://alsultantravel.com:8080/ponyb/gate.php
hxxp://webmail.alsultantravel.info:8080/ponyb/gate.php
hxxp://198.57.130.35:8080/ponyb/gate.php
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="5.1.0.0" processorArchitecture="x86" name="Progmn.Program_Code" type="win32"></assemblyIdentity>
  <description>Program Description</description>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
    </dependentAssembly>
  </dependency>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
@Malwaremustdie
• Are a group of dedicated Malware Researchers.
• Recognize that Malware is a serious threat.
• Recognize that Malware inhibits Internet technology.
• Agree that Malware is an obfuscation for Advanced Threats.
Kelihos Update
• http://malwaremustdie.blogspot.com/2013/08/the-quick-report-on-48hours-in-battle.html
What Do They Want?
The Silver Bullet Solution
This product will save your life and put your kids through college
Sounds good. Give me two!
I feel so safe………
How do they get your Information?
Reconnaissance
• Social Media
• Social Engineering
• Search Engines
• Professional Networking
Social Engineering Resources
Sept 23, 2013 Rohit Shaw – Social Engineering: A Hacking Story
Paterva: Maltego
Maltego is a program that can be used to determine relationships
and real world links between:
– People
– Groups (Social Networks)
– Companies
– Organizations
– Web Sites
– Domains
Maltego
The Target XYZ Corp.
Hi I'm social engineering you.
Oh great! It's in my human nature to help anyone in any way I can.
The Weapon
Some Hints
/usr/local/share/ettercap/etter.dns
tools.google.com A 10.10.10.10
#
// Objective-C: the app builds its URL from a hardcoded host (port elided in the talk)
NSURL *url = [NSURL URLWithString:@"10.10.10.10:xxxx"];
The Delivery
Take the Bait: Installation
The Expected Response
It's all clean now.
Operation “Where is my Target”
Action on Objectives
SSL
Exploitation
Exfiltration
Exhibition
Exposure
Introducing "Cyber Kill Chain™"
• Concept derived from offensive military doctrine:
– Navy: Find, Fix, Track, Target, Engage, and Assess
– OODA Loop: Observe, Orient, Decide, and Act
– Key concept: Cyber Kill Chain™ defines how an adversary moves from target observation to a final objective. As with any chain, if any link breaks, the whole process fails
• Turn it into our advantage:
– "To compromise our infrastructure, the bad guys have to be right every step; we only have to be right once"
Cyber Kill Chain™ Model
• Intrusion
Cyber Kill Chain™ (diagram): Detect, Deny, Disrupt, Degrade, Deceive across the phases Recon, Weaponize, Delivery, Exploit, Installation, Command & Control, Actions on Objectives; risk increases along the chain
Diagram: Internet -> Mail Server -> User -> User
"Open this attachment!" CLICK!
COMMAND & CONTROL ESTABLISHED!
Data Exfiltration Begins
Cyber Kill Chain™ Model Recon
• Research, identification, and selection of targets
• Crawling Internet websites looking for email addresses or information on specific technologies
• Research conducted on business relationships and supply chain
• Enumeration of systems and infrastructure
– Active
– Passive
Recon Weaponize Deliver Exploit Install C2 Actions on Objectives
Cyber Kill Chain™ Model Weaponize
• The tool that puts the remote access trojan with an exploit into a deliverable payload
• Application data files such as Microsoft Office documents or Adobe PDF files serve as the weaponized payloads
• Compromised websites hosting malformed Java or Flash files
Cyber Kill Chain™ Model Delivery
• Transmission of weapon into targeted environment
• The three most prevalent delivery vectors for weaponized payloads are
– Emails with attachments or embedded hyperlinks
– Compromised website with malicious code
– USB drives or other removable media
DGA: Domain Generation Algorithm
DNS Queries
Cyber Kill Chain™ Model Exploit
• After the weapon is delivered to target host, exploitation triggers attackers’ code
• Most often, this exploits an application or operating system vulnerability
• In most cases, exploitation occurs when users are
– Coerced to open an executable attachment
– Or when the weapon leverages a feature of the operating system that executes code automatically
Cyber Kill Chain™ Model Installation
• Typically occurs immediately after the exploit is complete
• The install is often a backdoor or a tool grabber
• Installation might also occur during lateral movement by the attacker
Cyber Kill Chain™ Model C2
• Typically the compromised host must beacon outbound to its Internet controller server to establish command and control (C2) channel
• APT malware typically requires manual interaction vs. acting autonomously
• Once the C2 channel is established, attackers have "hands-on-the-keyboard" access
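A defender-side check tying the DGA slide to the C2 beaconing bullet above, added here as an example (not from the talk): it scores the second-level label of each name in constructed BIND-style query-log lines for a machine-generated look (length, character entropy, vowel ratio) and reports clients that repeat such lookups. The log format, the thresholds and the sample hosts are assumptions.

```python
"""DGA-style lookup detection over DNS query-log lines (added example, not from the talk)."""
import math
import re
from collections import defaultdict

# BIND-style query log lines; constructed sample, not real traffic.
QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\w+)")
SAMPLE_LOG = """\
client 10.10.10.23#51234: query: www.google.com IN A
client 10.10.10.23#51235: query: mail.example.org IN A
client 10.10.10.23#51236: query: xk3j9qzv4ylp7qwtrbn.com IN A
client 10.10.10.23#51237: query: pq8zrwx2kvj5mtdlqhs.net IN A
client 10.10.10.23#51238: query: zvq9tkx3rlpmnwjdfhb.info IN A
client 10.10.10.45#40001: query: malwaremustdie.blogspot.com IN A
"""

def shannon_entropy(s):
    """Bits per character; machine-generated labels score near log2(len(s))."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def second_level_label(name):
    """Label left of the TLD (naive: ignores multi-part suffixes like co.uk)."""
    parts = name.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def is_dga_like(label, min_len=12, min_entropy=3.5, max_vowel_ratio=0.25):
    """Hypothetical heuristic: long, high-entropy, vowel-poor labels look generated."""
    if len(label) < min_len:
        return False
    vowels = sum(label.count(v) for v in "aeiou")
    return (shannon_entropy(label) >= min_entropy
            and vowels / len(label) <= max_vowel_ratio)

def scan_log(text, min_hits=3):
    """Map client IP -> DGA-like names, keeping only clients that beacon repeatedly."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_dga_like(second_level_label(m.group("name"))):
            hits[m.group("ip")].append(m.group("name"))
    return {ip: names for ip, names in hits.items() if len(names) >= min_hits}

if __name__ == "__main__":
    for ip, names in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} DGA-like lookups, e.g. {names[0]}")
```

Tune the thresholds against your own resolver logs before alerting on them; short or dictionary-word DGAs will slip past this heuristic and need a domain-age or NXDOMAIN-rate check alongside it.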
Cyber Kill Chain™ Model Actions on Objectives
• Attackers begin collecting, encrypting, and exfiltrating data from compromised systems.
• Attackers may further propagate themselves throughout the internal network in lateral compromises.
• While exfiltration is the most common objective, attackers could also violate the integrity or availability of data as well.
• Consider what would happen if the attacker modified certain critical internal data.
Cyber Kill Chain™ Model Benefits
• Provides for a more defensible network by providing incident responders with multiple locations that can stop the progress of the adversary
• Provides a framework for working forward and backward in order to gauge effect and identify mitigations
• Articulates prioritization and strategy
• Identifies data gaps and source collection requirements
• Enables adversary attribution and campaign tracking
• Drives investigations to completion
• Intelligence feeds into gaining more intelligence
Lessons learned:
1. Crack SSL and understand your egress traffic. Get a SIEM for event correlation.
2. Don't take a crimeware kit at face value. You might have missed the advanced threat you've been looking for.
3. Stop wasting money on tools that are always one step behind the adversary and always promising "That feature is in the next release".
4. COLLABORATE with other organizations in your industry. This is priceless information. Compare what activity you are both seeing, and put two and two together.
5. OSINT - RSS research feeds are your friend. Pull out indicators you can use for detection tools and track events to correlations to form campaigns. These groups are already doing the hard part for you: XOR, obfuscation, identifying fake registrars selling domains to crimeware organizations, etc.
6. Most important of all: have a damn good incident response plan. Know what and how you're going to recover from this type of breach when it finally hits your organization.