Page 1
OFFENSIVE OPS: THE ATTACKER’S VIEW OF YOUR NETWORK
Source: securesouthwest.com/presentations/SSW7/IanTrump.pdf
Page 2
INTRODUCTION
Global Security Lead for SolarWinds MSP
Malware connoisseur and aficionado.
First Home in Edinburgh, Scotland.
Second Home in Terminal 5, Heathrow.
Third Home in Winnipeg, Manitoba.
Ian Trump (@phat_hobbit)
Page 3
EXTERNAL THREATS
Page 4
Page 5
By Victim Top 4
1. Non-Payment/Non-Delivery
2. 419/Overpayment
3. Identity Theft
4. Auction
Page 6
By Loss Top 4
1. Business Email Compromise
2. Confidence Fraud/Romance
3. Non-Payment/Non-Delivery
4. Investment
Page 7
FUD BOMB
Cybersecurity Ventures predicts cybercrime will cost the world in excess of $6 trillion annually by 2021. - Herjavec Group, Hackerpocalypse 2016
2012 report from Boston Consulting Group on the G-20 online economy: “By 2016, there will be 3 billion Internet users globally—almost half the world’s population.”
“The Internet economy will reach $4.2 trillion in the G-20 economies (by 2016).”
Using this number and extrapolating the suggested (and conservative) 8% CAGR of the online economy, we land at a figure (among the G-20 nations) of an online economy worth approximately $13.754 trillion by 2020.
What this data says: unless technological disruption occurs, just under half of the entire G-20 online economy will be lost to cyber criminals!?
Page 8
PASSWORD BALL DROP
Password management is critical to security
10-character unique passwords minimum
<fav pwd>-<service>-<fav pwd>
2FA for cloud services
Do not save passwords in your browser
Do not use the same passwords across all devices…
Page 9
Exploits & Payloads
Of 800 sites dedicated to distributing stolen movies and television shows, 33% of content theft sites contained malware.
Consumers are 28 times more likely to get malware from a content theft site than on similarly visited mainstream websites or licensed content providers.
45 percent of the malware was delivered through so-called “drive-by downloads” that invisibly download to the user’s computer without requiring them to click on a link.
Page 10
Email Threats
789% increase in phishing email campaigns in the first three months of 2016 compared with the last quarter of 2015, due primarily to a ransomware upsurge.
2016: an unprecedented rise in encryption ransomware attacks, and no signs of this trend abating.
Individuals, small- and medium-sized businesses, hospitals, and global enterprises are all faced with the reality that this is now one of the most favored cyber criminal enterprises.
In Q1 2016, 93% of phishing emails contained a ransomware payload.
Page 11
Payload
Bypassed Mail Protection
Bypassed Office 365 Mail Security
Bypassed Bit Defender MAV
Web Protection Not Effective
Fully Patched and Updated Machine
Admin Rights removal would prevent (maybe – priv escalation)
Bypassed Sophos Firewall
Page 12
Malware is not Magic
Malware needs to:
1. Exploit a system vulnerability or user vulnerability for access
2. Install some code in system memory
3. Modify the registry or WMI for persistence
4. Generate network traffic to a C&C node
5. Possibly drop file(s) onto the system
6. Run an encryption process against your files
If it is not doing the above, it is not malware.
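Added example (not from the slides, and not any product's detection logic): a small Python classifier that maps a constructed, Sysmon-like event stream onto the six steps above, so a defender can see which step each piece of telemetry evidences. The event dicts, their field names, the ransom extension list and the burst threshold are assumptions for illustration; the Sysmon event IDs used (1 process create, 3 network connect, 8 CreateRemoteThread, 11 file create, 13 registry value set, 19-21 WMI event) are the real ones.

```python
"""Map host telemetry onto the six things malware needs to do.

Added example: the event stream below is constructed in a simplified
Sysmon-like shape (plain dicts, not Sysmon's XML); field names such as
"target", "image" and "parent_image" are assumptions for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
RUN_KEYS = (r"\currentversion\run", r"\currentversion\runonce")
WMI_SUBSCRIPTION_EVENTS = {19, 20, 21}      # Sysmon WmiEvent filter/consumer/binding
RANSOM_EXTENSIONS = (".crypt", ".locky", ".cerber")  # constructed sample list
ENCRYPT_BURST_THRESHOLD = 5                  # files by one process before alerting


def is_external(ip: str) -> bool:
    """True when the destination is outside RFC 1918 / loopback / link-local."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(events):
    """Return {stage: [finding, ...]} using the slide's numbering:
    1 access, 2 code in memory, 3 persistence, 4 C&C traffic, 5 file drop,
    6 encryption. Stages with no evidence are absent from the result."""
    findings = defaultdict(list)
    ransom_writes = defaultdict(int)
    for ev in events:
        eid, image = ev["event_id"], ev.get("image", "?")
        if eid == 1 and basename(ev.get("parent_image", "")) in OFFICE_PARENTS:
            findings[1].append(f"{basename(ev['parent_image'])} spawned {image}")
        elif eid == 8:                                   # CreateRemoteThread
            findings[2].append(f"{image} injected a thread into {ev['target_image']}")
        elif eid == 13 and any(k in ev["target"].lower() for k in RUN_KEYS):
            findings[3].append(f"{image} set autorun value {ev['target']}")
        elif eid in WMI_SUBSCRIPTION_EVENTS:
            findings[3].append(f"{image} created WMI subscription object {ev['name']}")
        elif eid == 3 and is_external(ev["dst_ip"]):
            findings[4].append(f"{image} -> {ev['dst_ip']}:{ev['dst_port']}")
        elif eid == 11:                                  # FileCreate
            target = ev["target"]
            low = target.lower()
            if low.endswith(RANSOM_EXTENSIONS):
                ransom_writes[image] += 1
                if ransom_writes[image] == ENCRYPT_BURST_THRESHOLD:
                    findings[6].append(
                        f"{image} wrote {ENCRYPT_BURST_THRESHOLD}+ files with a ransom extension")
            elif low.endswith((".exe", ".dll")) and "\\appdata\\" in low:
                findings[5].append(f"{image} dropped {target}")
    return dict(findings)


def stages_hit(events):
    """Sorted list of the stage numbers the stream gives evidence for."""
    return sorted(classify(events))


# Constructed sample stream: a macro document leading to a ransomware run.
UPD = r"C:\Users\bob\AppData\Roaming\upd.exe"
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"event_id": 11, "image": r"C:\Windows\System32\cmd.exe", "target": UPD},
    {"event_id": 1, "image": UPD, "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"event_id": 8, "image": UPD, "target_image": r"C:\Windows\explorer.exe"},
    {"event_id": 13, "image": UPD,
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
    {"event_id": 3, "image": UPD, "dst_ip": "203.0.113.9", "dst_port": 80},   # TEST-NET, constructed
    {"event_id": 3, "image": r"C:\Windows\explorer.exe", "dst_ip": "192.168.1.10", "dst_port": 445},
] + [
    {"event_id": 11, "image": UPD, "target": rf"C:\Users\bob\Documents\report{i}.docx.crypt"}
    for i in range(6)
]

if __name__ == "__main__":
    for stage, items in sorted(classify(SAMPLE_EVENTS).items()):
        print(stage, items)
```

The internal SMB connection and the cmd-spawned child deliberately produce no finding: the point is that each stage needs a specific observable, and a stream that hits none of the six is, as the slide says, not malware.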
Page 13
Kill Chain Analysis
Page 14
EXPLOITS
Page 15
Build Zero Day
Page 16
Page 17
Reverse a Patch
Patch comes out, see what it fixes.
Reverse engineer patch to break what it fixes (exploit).
Build and test remote code exploit package.
Sell to cybercrime botnet herders in the underground.
Botnet spear-phishes, spam/phishes or conducts automated attacks.
Profit.
Page 18
Exploit Kit 4 Sale Cheap
In June, the Neutrino exploit kit is pushing an exploit for CVE-2016-0189, a vulnerability that was reportedly used in targeted attacks on South Korean organizations earlier this year.
Microsoft fixed the vulnerability, which affects Internet Explorer’s scripting engines, in May.
Malvertising and ransomware campaigns have pivoted towards kits like RIG and Neutrino. Angler and Nuclear are dead.
Neutrino dropping CryptXXX accounted for 75 percent of its observed exploit kit traffic, while another 10 percent combined of Neutrino and Magnitude was dropping Cerber.
Page 19
Exploit Mitigation
Reduce Attack Surface
Remove Administrative Rights
GPOs, Free Software & User Awareness Training
http://www.thirdtier.net/ransomware-prevention-kit/
The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited.
Bitdefender anti-malware researchers have released a new vaccine tool which can protect against known and possible future versions of the CTB-Locker, Locky and TeslaCrypt crypto ransomware families:
http://download.bitdefender.com/am/cw/BDAntiRansomwareSetup.exe
Page 20
Mitigation Matrix
(Table; only the column headings were captured: WAN to LAN, End Point, End Point, LAN to WAN, End Point. Cell contents not captured.)
Page 21
PAYLOADS
Page 22
Example Payload
CryptXXX 3.100 can still cause significant downtime by encrypting files on network shares.
Infected machines scan the /24 subnet of their local area network (LAN) in search of MS Windows shared drives.
CryptXXX downloads a DLL which acts as a credential stealing module.
StillerX appears to be fully-featured and targets the credentials of a wide range of applications, from poker software to Cisco VPN credentials.
The following is a partial list of targeted data:
Browser data (history, cookies, stored credentials)
Dialer credentials
Download manager credentials
Email credentials
FTP credentials
IM credentials
Poker software credentials
Proxy credentials
Remote administration software credentials
VPN credentials
WNetEnum cached passwords
Microsoft Credential Manager data
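Added example (not from the slides): the /24 share-scanning behaviour described above is visible in flow data as one source fanning out to many same-subnet peers on TCP 445 in a short time. The Python below runs a sliding-window fan-out detector over constructed flow records; the record fields (ts, src, dst, dport), the window and the threshold are assumptions, not any product's schema or defaults.

```python
"""Flag a host sweeping its own /24 for SMB shares.

Added example for the CryptXXX behaviour described on the slide (scanning the
local /24 for Windows shares). Flow records are constructed in a simplified
NetFlow-like shape; the field names ts/src/dst/dport are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SMB_PORT = 445
WINDOW_SECONDS = 60
FANOUT_THRESHOLD = 20   # distinct same-subnet peers on 445 before alerting


def detect_smb_sweeps(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: peak_distinct_peers} for sources that reached `threshold`
    distinct hosts in their own /24 on TCP 445 inside any `window`-second span.
    A file server receiving many *inbound* 445 connections is not flagged,
    because fan-out is measured per source."""
    per_src = defaultdict(list)                          # src -> [(ts, dst)]
    for f in sorted(flows, key=lambda rec: rec["ts"]):
        if f["dport"] != SMB_PORT:
            continue
        src = ip_address(f["src"])
        if ip_address(f["dst"]) not in ip_network(f"{src}/24", strict=False):
            continue                                      # cross-subnet: not this detector
        per_src[f["src"]].append((f["ts"], f["dst"]))
    alerts = {}
    for src, hits in per_src.items():
        lo = 0
        for hi in range(len(hits)):                       # sliding time window
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            peers = len({dst for _, dst in hits[lo:hi + 1]})
            if peers >= threshold:
                alerts[src] = max(alerts.get(src, 0), peers)
    return alerts


def build_sample_flows():
    """Constructed traffic: one infected workstation probing .1-.30 on 445,
    five workstations using the file server normally, one cross-subnet
    connection and some web traffic."""
    infected = "192.168.1.56"
    flows = [{"ts": 100.0 + 0.5 * i, "src": infected, "dst": f"192.168.1.{i}", "dport": 445}
             for i in range(1, 31)]
    flows += [{"ts": 90.0 + i, "src": f"192.168.1.{20 + i}", "dst": "192.168.1.10", "dport": 445}
              for i in range(5)]
    flows.append({"ts": 120.0, "src": infected, "dst": "192.168.2.10", "dport": 445})
    flows.append({"ts": 101.0, "src": "192.168.1.21", "dst": "203.0.113.80", "dport": 443})
    return flows


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    print(detect_smb_sweeps(SAMPLE_FLOWS))   # {'192.168.1.56': 30}
```

Measuring distinct peers per source (rather than connection count) keeps a busy file server or a backup job from tripping the rule, and restricting the count to the source's own /24 matches the behaviour the slide describes; a cross-subnet sweep would need the segmentation rules on page 40 to be visible at all.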
Page 23
SMB & MSP Global Threat
Page 24
Case Study: MSP Ransomware Payload
igfxpers.exe: 7 / 54 detections, 2016-01-24 15:28:26 UTC
Confidential
Page 25
Case Study: MSP Ransomware Payload
igfxpers.exe: 37 / 56 detections, 2016-05-31 15:28:26 UTC
Page 26
Case Study: MSP Ransomware Payload
notigfxpers.exe: 22 / 53 detections, 2016-07-26 09:54:45 UTC
Page 27
Case Study: MSP Ransomware Payload
Page 28
Case Study: Ransomware Payload Analysis
3X.4X.1XX.8X – used as attack proxy <- hosting provider in a European country
Malware analysis revealed a Trojan which dates to 2012 and is not cryptolocker. The Trojan is programmed to deliver a cryptolocker in the form of an executable payload from a purpose-built web server.
3X.4X.9X.1XX – used as the delivery server for the cryptolocker payload
^ Hosting provider in a different European country.
Encryption key appears to be a “one time” key generated at time of infection.
Page 29
Case Study: Ransomware Payload Analysis
Captured HTTP request (frame 8, t=20.538692, 192.168.1.56 -> 3X.4X.9X.1XX, HTTP, 291 bytes):
GET /googde.php?ccc=R16M01D0_a7bac6_Koc8dhzAUpSN8BygjzdpL51CzOhpXOUdYAj1O8BT8BErzI8hZ3tGHXfHbJZ9i7BDcivYJOJs5zAhVxVIsgKyexrRpyRx4R7HJOMiA8uk3debBD3aLxB6LGzO5xIu3vYOD0lOm9J6r6cdEC7oUzUE8OPOn0E_1186__
Logs from infrastructure and service providers revealed the following:
IP addresses used in the attack are from Germany, Netherlands, Hong Kong (VPN provider?), Singapore (VPN provider?), UK, Spain & Russia.
The Russian IP address was the origin of a great deal of spam from a ransomware campaign.
Investigation and evidence gathering continues. Some countries are cooperative, others not so much.
Page 30
PAYLOAD ANALYSIS
Page 31
Platform:
Virtual machine (VMware Player, Oracle VirtualBox)
Windows XP SP3 or Windows 7 (requires some config work)
Apps: Adobe Flash, Java, Silverlight, Adobe Reader (6 to 9 months out of date)
– unpatched MS Office viewers, with file converters (docx, pptx, xlsx, etc.)
No AV installed (occasionally even Windows Defender may prevent shit)
Wireshark and Regshot installed
VirusTotal access
Page 32
Payload Analysis
https://virustotal.com/en/ip-address/69.89.31.222/information/
Page 33
Demo (Video)
Page 34
Advanced Malware Analysis Platform
Cuckoo Sandbox - throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what the file did when executed inside an isolated environment.
Thug - a handy tool for studying exploit kits, as it emulates a real browser complete with a set of plugins like Adobe Reader, Flash and Java.
Bro - a powerful network analysis framework that is much different from the typical IDS you may know.
Volatility - a tool for memory forensics. It's free and written in Python, so it runs well on both Windows and Linux.
IDA Pro - a Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger.
Page 35
Methodology
Pre Phase
A. Upload suspect file to VirusTotal
Phase 1
A. VM snapshot
B. Regshot 1
C. Wireshark on
Phase 2
A. Infection
Phase 3
A. Regshot 2 & compare
B. Observe Wireshark traffic
C. Trace IP to host country
Post Phase
Restore VM from snapshot
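Added example (not from the slides, and not Regshot's or Wireshark's own file formats): Phase 3 of the methodology in code. It compares two constructed registry snapshots the way "Regshot 2 & compare" does, keeps only the changes that land in autostart locations, then triages a captured HTTP request line. The request reuses the page 29 columns and the GET shown there; the redacted destination 3X.4X.9X.1XX is replaced with a TEST-NET placeholder, and the igfxpers.exe drop path, the persistence patterns and the length/entropy thresholds are assumptions.

```python
"""Phase 3 of the slide's methodology as code: Regshot-style compare of two
registry snapshots, then triage of captured HTTP requests.

Added example. Snapshots are plain dicts {key\\value: data}, not Regshot's
file format; the HTTP line reuses the columns shown on the slide, with the
redacted destination replaced by a constructed TEST-NET address.
"""
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Autostart locations worth a second look (assumed list, not exhaustive).
PERSISTENCE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\\CurrentVersion\\Run(Once)?\\",
    r"\\Services\\[^\\]+\\ImagePath$",
    r"\\Winlogon\\(Shell|Userinit)$",
)]
LONG_PARAM = 64          # query value length before we call it an upload
ENTROPY_FLOOR = 3.5      # bits/char; base64-ish blobs sit well above this


def diff_snapshots(before, after):
    """Regshot-like compare: (added, removed, changed); changed maps
    name -> (old, new)."""
    added = {k: v for k, v in after.items() if k not in before}
    removed = {k: v for k, v in before.items() if k not in after}
    changed = {k: (before[k], after[k]) for k in before.keys() & after.keys()
               if before[k] != after[k]}
    return added, removed, changed


def persistence_changes(before, after):
    """Only the added or changed values that live in known autostart locations."""
    added, _, changed = diff_snapshots(before, after)
    candidates = {**added, **{k: new for k, (_, new) in changed.items()}}
    return {k: v for k, v in candidates.items()
            if any(p.search(k) for p in PERSISTENCE_PATTERNS)}


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def triage_request(line, internal_prefixes=("192.168.", "10.")):
    """Parse a 'No. Time Src Dst Proto Len Info' line and flag an external
    destination carrying a long, high-entropy query value (a typical shape for
    an infection ID or key being reported to a payload server)."""
    _, _, src, dst, _proto, _length, info = line.split(None, 6)
    _method, path = info.split(None, 1)
    worst = None
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        if len(value) >= LONG_PARAM and shannon_entropy(value) >= ENTROPY_FLOOR:
            if worst is None or len(value) > worst[1]:
                worst = (name, len(value), round(shannon_entropy(value), 2))
    external = not dst.startswith(internal_prefixes)
    return {"src": src, "dst": dst, "external_dst": external,
            "long_param": worst[0] if worst else None,
            "entropy": worst[2] if worst else 0.0,
            "suspicious": external and worst is not None}


# Constructed snapshots: the 'after' adds a Run value for the case-study
# sample name (path is an assumption) and tweaks an unrelated Explorer setting.
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
HIDDEN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"
SNAP_BEFORE = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth":
        r"%windir%\system32\SecurityHealthSystray.exe",
    HIDDEN: "1",
}
SNAP_AFTER = dict(SNAP_BEFORE)
SNAP_AFTER[RUN + r"\igfxpers"] = r"C:\Users\bob\AppData\Roaming\igfxpers.exe"
SNAP_AFTER[HIDDEN] = "2"

# Page 29 request with the redacted destination replaced by TEST-NET-3.
SAMPLE_HTTP_LINE = (
    "8 20.538692 192.168.1.56 203.0.113.77 HTTP 291 GET /googde.php?ccc="
    "R16M01D0_a7bac6_Koc8dhzAUpSN8BygjzdpL51CzOhpXOUdYAj1O8BT8BErzI8hZ3tGH"
    "XfHbJZ9i7BDcivYJOJs5zAhVxVIsgKyexrRpyRx4R7HJOMiA8uk3debBD3aLxB6LGzO5xIu3vYOD0lOm9J6r6cdEC"
    "7oUzUE8OPOn0E_1186__")

if __name__ == "__main__":
    print(persistence_changes(SNAP_BEFORE, SNAP_AFTER))
    print(triage_request(SAMPLE_HTTP_LINE))
```

The raw Regshot diff is noisy (every sandbox run changes MRU lists and Explorer state), so filtering the diff by autostart location is what turns "Compare" into an answer to step 3 of the malware checklist; the request triage answers step 4 and gives the IP to trace in step C.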
Page 36
Page 37
CONCLUSIONS
Page 38
IT SECURITY FUD
When reporting and discussing the scale and impact of malware and cyber crime in general:
Move away from sensationalism.
Move away from the consequence of breach.
Who is not as important as how.
Compromise indicators are more important than financial costs.
Data derived from large enterprise is not relevant to SMB/SME.
We need a standards-based scorecard free from disclosure litigation.
Page 39
Move to an Anti-Cyber Crime Architecture
Servers (192.168.2.X): SAN/NAS file sharing over HTTPS; event logging; HIDS/HIPS
Admins (192.168.3.X): no admin email; event logging; HIDS/HIPS
Users (192.168.4.X): GPO: No Coms 192.168.4.X; local admin for MAX & Mgt
Printers (192.168.5.X)
Firewall (192.168.1.X): communication rules, detective rules; WAP in DMZ
Page 40
Egress Firewall Rules to Stop Cyber Crime
Deny rules for workstation subnet: no external DNS, IRC, NTP, FTP, ICMP, SMTP, SNMP, RDP
Deny rules for admins (open as required): no external DNS, IRC, NTP, FTP, ICMP, SMTP, SNMP, RDP
Deny rules for printer subnet: everything. No printers on the Internet!
Servers: deny everything. Only DNS, NTP to specific IPs, HTTPS.
Network segmentation and event logs are key to prevent and detect hostile movement in the network and C&C activity.
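Added example (not from the slides and not the author's configuration): the egress rules above written as data, with a function that evaluates a packet against them and a renderer that emits the equivalent iptables FORWARD rules as strings. The subnets follow the page 39 architecture; the "specific IPs" that servers may reach for DNS and NTP are TEST-NET placeholders, and the service-to-port mapping is an assumption, since the slide names services rather than ports.

```python
"""The slide's egress rules as data, with an evaluator and an iptables
rendering.

Added example, not the author's firewall configuration. Subnets follow the
architecture slide (192.168.2.0/24 servers, .3 admins, .4 users,
.5 printers); the 'specific IPs' servers may reach for DNS/NTP are
TEST-NET placeholders. Nothing here touches a real firewall.
"""
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.0.0/16")
SERVICES = {"dns": ("udp", 53), "ntp": ("udp", 123), "irc": ("tcp", 6667),
            "ftp": ("tcp", 21), "smtp": ("tcp", 25), "snmp": ("udp", 161),
            "rdp": ("tcp", 3389), "https": ("tcp", 443), "icmp": ("icmp", None)}
PORT_TO_SERVICE = {v: k for k, v in SERVICES.items()}
BLOCKED_FROM_CLIENTS = {"dns", "irc", "ntp", "ftp", "icmp", "smtp", "snmp", "rdp"}
SERVER_DNS_NTP = {"203.0.113.53", "203.0.113.123"}     # placeholder resolver / time source

# Per-subnet egress policy: a default for traffic leaving the LAN, plus
# explicit denies (default-allow subnets) or allows (default-deny subnets).
POLICY = {
    ip_network("192.168.4.0/24"): {"default": "allow", "deny": BLOCKED_FROM_CLIENTS},
    ip_network("192.168.3.0/24"): {"default": "allow", "deny": BLOCKED_FROM_CLIENTS},  # open as required
    ip_network("192.168.5.0/24"): {"default": "deny"},            # no printers on the Internet
    ip_network("192.168.2.0/24"): {"default": "deny", "allow": {"https"},
                                   "allow_to": {(svc, ip) for svc in ("dns", "ntp")
                                                for ip in SERVER_DNS_NTP}},
}


def service_of(proto, port):
    return "icmp" if proto == "icmp" else PORT_TO_SERVICE.get((proto, port))


def egress_verdict(src, dst, proto, port=None):
    """'allow' or 'deny' for a packet leaving the LAN. LAN-to-LAN traffic is
    returned as 'allow' because these are egress rules only."""
    if ip_address(dst) in INTERNAL:
        return "allow"
    rule = next((r for net, r in POLICY.items() if ip_address(src) in net), None)
    if rule is None:
        return "deny"                                     # unknown source subnet
    svc = service_of(proto, port)
    if rule["default"] == "allow":
        return "deny" if svc in rule["deny"] else "allow"
    if svc in rule.get("allow", ()) or (svc, dst) in rule.get("allow_to", ()):
        return "allow"
    return "deny"


def _rule(chain, net, dst_match, svc, target):
    proto, port = SERVICES[svc] if svc else (None, None)
    parts = [f"iptables -A {chain} -s {net} {dst_match}"]
    if proto:
        parts.append(f"-p {proto}" + (f" --dport {port}" if port else ""))
    parts.append(f"-j {target}")
    return " ".join(parts)


def render_iptables(chain="FORWARD"):
    """Render POLICY as iptables rules, one string per rule, in the order
    they must be loaded (specific accepts before the subnet's catch-all drop)."""
    ext = f"! -d {INTERNAL}"
    out = []
    for net, rule in POLICY.items():
        if rule["default"] == "allow":
            out += [_rule(chain, net, ext, svc, "DROP") for svc in sorted(rule["deny"])]
        else:
            out += [_rule(chain, net, ext, svc, "ACCEPT") for svc in sorted(rule.get("allow", ()))]
            out += [_rule(chain, net, f"-d {ip}", svc, "ACCEPT")
                    for svc, ip in sorted(rule.get("allow_to", ()))]
            out.append(_rule(chain, net, ext, None, "DROP"))
    return out


if __name__ == "__main__":
    print("\n".join(render_iptables()))
    print(egress_verdict("192.168.4.25", "198.51.100.1", "udp", 53))   # deny
```

Keeping the policy as data makes the asymmetry on the slide explicit: client subnets are default-allow with a deny list (so a new protocol slips through until someone adds it), while printers and servers are default-deny with a short allow list, which is the posture that actually stops an unexpected C&C channel.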
Page 41
Layered Security Offering
Hosted Cloud Based Backup (BaaS)
User Awareness Training Program
Vulnerability Scanning
Patch & Update Systems & IoT Devices (PMaaS)
Harden Systems - Remove Admin/Restrict User Activities
Harden Systems - Reduce Attack Surface (Remove Flash)
Deploy Anti-Virus & Web Protection (Keep it up to date)
Deploy Mail Protection (MPaaS)
Be Prepared!
Page 42
https://www.logicnow.com/ctg-ian
Page 43
THANK YOU
The grim reality is cyber-crime only works if money can be made and the money can be moved out of the electronic system and into physical currency, or in the parlance of investigators suitably “laundered”. There is evidence and a bold argument that suggests we don’t actually have a cyber-crime problem, what we have is a money laundering problem. – Ian Trump, 2015