red teaming in the cloud

Slide 1 © First Base Technologies 2016 Peter Wood Chief Executive Officer First Base Technologies LLP Red Teaming in the Cloud

Upload: peter-wood

Post on 03-Mar-2017


Page 1: Red Teaming in the Cloud

Peter Wood, Chief Executive Officer
First Base Technologies LLP

Page 2

• Founder and CEO, First Base Technologies LLP
• Engineer, IT and information security professional since 1969
• Fellow of the BCS, Chartered IT Professional, CISSP
• Senior Member of the Information Systems Security Association
• 15+ year member of ISACA, ISACA Security Advisory Group
• Member of the Institute of Information Security Professionals
• Chair of white-hats.co.uk
• Chair of OTIS (Operational Technology and IoT Security)
• Member of ACM, IEEE, First Forensic Forum, Institute of Directors, Mensa

Page 3

Page 4: The enemy

What was advanced is now average
• Well planned, strategic approach
• Automation-assisted manual attacks
• Social engineering, especially phishing
• Sophisticated malware
• Clear objectives
• Lots of resources

Page 5: The defence

To counter these attacks, we need threat-based thinking
• Who is attacking what and how?
• Where do we know we are vulnerable?
• What can we fix right now?
• Conduct a red team exercise
• Fix the problems we found
• Check our fixes work
• Wash, rinse, repeat

Page 6: The method

http://csrc.nist.gov/cyberframework/rfi_comments/040813_cba_part2.pdf

• Understand each attacker’s capability, motivation and methodologies
• Analyse the likely impact to help prioritise
• Design relevant scenarios
• Execute red team exercises
• Assess protective controls
• Evaluate detective controls

Page 7: The strategy

Page 8

Cloud computing metaphor: for a user, the network elements representing the provider-rendered services are invisible, as if obscured by a cloud.

https://en.wikipedia.org/wiki/Cloud_computing

Image by Sam Johnston (includes Computer.svg by Sasa Stefanovic)

Page 9

What assets will threat actors be interested in?
• Money
• Intellectual property
• Identities
• Databases
• Intercepts
• Network access
• Control systems

Page 10

What is the most attractive approach? (Needs to be: easiest, cheapest, lowest risk, best success rate …)
• Break into the cloud
• Infiltrate the provider
• Infiltrate the customer
• Intercept traffic
• Trick the user


Page 12

Why is it the most attractive approach?
• Login from anywhere
• Browser access
• Single-factor authentication
• No intruder detection
• No physical security
• Legitimate credentials
• Good chance of privilege escalation

Page 13: How they think

Example methodologies
• Spear phishing
• Social networking
• Watering hole attacks
• Telephone social engineering
• Theft of device
• USB device
• Charging points
• Public computers
• WiFi intercepts

Page 14: Reconnaissance

• 4 registered domains
• 5 IP address ranges
• 72 Internet-facing hosts
• Scan revealed OWA in use
• LinkedIn search for relevant email addresses
• 400 email addresses identified
• Staff names and job titles analysed
• Emails sent to obtain responding email style and layout

Page 15: Planning

• Convincing fake domain name available and purchased
• OWA site cloned onto fake domain for credential theft
• Large number of email addresses harvested as targets
• Design of real emails copied to facilitate spear phishing
• Names and job titles gathered as fake senders
• Genuine OWA will be used to test stolen credentials (and gather further info)
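The first item in the planning slide, a convincing lookalike domain, is something the customer's mail gateway can be taught to recognise before a phishing wave reaches staff. The check below is an added example written for this page; it is not code from the talk or from First Base Technologies. The legitimate domain examplecorp.com, the confusable-character table and every sample address are constructed placeholders, and the single-label TLD assumption is noted in the code.

```python
"""Flag sender domains that look like the organisation's own domain.

Added example for the 'Planning' slide: a lookalike registered for
spear phishing can be caught on inbound mail before it reaches staff.
The legitimate domain and all sample senders below are constructed
placeholders, not values from the talk.
"""

# Constructed placeholder for the customer's real mail domain.
LEGIT_DOMAIN = "examplecorp.com"

# Character substitutions commonly used to register lookalikes,
# mapped back to the character they imitate.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(label: str) -> str:
    """Lower-case a DNS label and undo common homoglyph substitutions."""
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Reduce a host name to its last two labels.

    Assumption: the legitimate domain sits directly under a single-label
    TLD such as .com; multi-part suffixes like .co.uk would need a
    public-suffix list instead.
    """
    parts = domain.lower().strip().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify(sender_domain: str, legit: str = LEGIT_DOMAIN) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a sender domain."""
    full = sender_domain.lower().strip().rstrip(".")
    cand = registrable(full)
    if cand == legit:
        return "legitimate"          # the real domain or one of its subdomains
    if legit in full:
        return "lookalike"           # brand used as a subdomain of someone else's domain
    legit_label = legit.split(".", 1)[0]
    cand_label = cand.split(".", 1)[0]
    nl, nc = normalise(legit_label), normalise(cand_label)
    if nc == nl:
        return "lookalike"           # homoglyphs, or the same name under another TLD
    if nl in nc:
        return "lookalike"           # brand plus extra words, e.g. examplecorp-it.com
    if levenshtein(nc, nl) <= 2:
        return "lookalike"           # typo-squat or transposition
    return "unrelated"


def sender_domain(address: str) -> str:
    """Extract the domain part of an RFC 5322 style address."""
    return address.rsplit("@", 1)[-1].strip(">")


def triage(addresses):
    """Map each From: address to its classification."""
    return {addr: classify(sender_domain(addr)) for addr in addresses}


if __name__ == "__main__":
    # Constructed sample From: addresses for one mail-gateway run.
    for addr, verdict in triage([
        "it.manager@examplecorp.com",
        "IT Manager <it.manager@examp1ecorp.com>",
        "helpdesk@examplecorp-it.com",
        "news@exampelcorp.com",
        "alerts@examplecorp.com.evil.net",
        "friend@unrelated.org",
    ]).items():
        print(f"{verdict:11} {addr}")
```

The edit-distance threshold of 2 is deliberately low: with a short brand name a larger threshold starts flagging unrelated domains, so in practice the lookalike verdict should feed a quarantine or banner rather than an outright block.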

Page 16: Execution

• Email sent from IT manager, using fake domain address
• OWA cloned onto tester’s laptop, DNS set accordingly
• Email sent to three groups of 100 recipients
• Within a few minutes, 41 recipients entered credentials
• Credentials tested on legitimate OWA site
• Significant information gathered from each account
• Further emails can now be sent from legitimate addresses

Page 17: Passwords – really?

Single-factor authentication may not be your best choice
• We cracked 48% of 9,569 passwords
• 98% of these passwords were cracked within two hours
• The remaining 2% were cracked over the course of one week
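The slide argues that a password alone is not enough; the natural complement is a second factor that a cracked or phished password does not reveal. As an added example that goes a step beyond the slide, here is the time-based one-time code scheme most authenticator apps use (HOTP from RFC 4226 under TOTP from RFC 6238), checked against the test vectors published in those RFCs. This is not code from the talk; the secret is the RFC test secret, not a real key, and the clock-skew tolerance of one period is an assumption.

```python
"""A second authentication factor: RFC 4226 HOTP and RFC 6238 TOTP.

Added example for the 'Passwords - really?' slide. The talk makes the
case against single-factor logins; this shows the time-based one-time
code that a second factor adds, verified against the published RFC test
vectors. The shared secret below is the RFC test secret, not a real key.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time code for a counter value, with dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based code: HOTP over the number of `step`-second periods since the epoch."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None, step: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """Check a submitted code, tolerating `skew` periods of clock drift either side.

    Uses a constant-time comparison so the check does not leak how many
    leading digits matched.
    """
    if at is None:
        at = int(time.time())
    for delta in range(-skew, skew + 1):
        expected = totp(secret, at + delta * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the secret, as authenticator apps expect it in a QR code."""
    return base64.b32encode(secret).decode().rstrip("=")


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    print("current code:", code, "valid:", verify_totp(RFC_SECRET, code, now))
```

The point for the red-team findings above is simple: the 41 harvested OWA passwords would still have been typed into the fake site, but none of them would have opened the real one without the current six-digit code, and the verifier should also record each accepted code so it cannot be replayed within its window.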

Page 18: Enable your best defence

Invest in your human firewall
• Train your staff to recognise social engineering attacks
• Explain the why and how of passphrases
• Invest in continual awareness campaigns
• Use every medium available to spread the word

Page 19: Need more information?

Peter Wood, Chief Executive Officer
First Base Technologies LLP

[email protected]
@FBTechies
+44 (0)1273 454525