12.05.2016 TeleTrusT-Informationstag "IT-Forensik" 1
TeleTrusT-Informationstag "IT-Forensik"
Berlin, 12.05.2016
Modern Honeypots in the Age of
Failing Prevention
Bernhard Schildendorfer
SEC Consult Unternehmensberatung GmbH
whoami
Bernhard
Schildendorfer | [email protected]
Security Consultant | SEC Consult
… IT / Information Security in St. Pölten
… SEC-Consult since 02/2010
… Penetration Tester, Project Leader, …
… and some other interests
- A classical APT -
"The account of a user that was on vacation was locked due to
failed logins" - a SEC Consult client
… they succeeded … and they will come back
Conclusion
Traditional Security fails
against targeted attacks
Too little is spent on
monitoring & response
Tailored security breaches are
inevitable
What to do?
Security is all about
knowing & preparation!
WHAT IF you are able to…
get their motivation?
get their TTPs?
identify the attacker(s)?
Knowing - Global Threat Intelligence?
Indicators of compromise (IOCs) / Signature feeds
Malicious IPs
Malicious domains
Malware hashes
Phishing e-mails
Misc. fingerprints
The Dilemma
Patient 0
Attacker only needs to breach once
Defender needs to be constantly aware
Defender can only react after breach
Why not change this?
Look in the Mirror…
=*
*Almost
How to Redirect the attacker?
Place a weak link in the
exposed infrastructure
[Chart: exposure per application (Application 1 to 9, one of them marked "Entry Point"), scale 0 to 100; vulnerability categories shown: SQL Injection, Fileshare, Default Passwords, File Uploads, 0 Day Vulnerability, Outdated Software]
Looking at the Dilemma again
Patient 0
Attacker only needs to breach once
Defender needs to be constantly aware
Defender can only react after breach
Situation changed!
Be close to your enemies!
Find out where they come into your system
Find out what tools they are using
Find out what they are after
Find out what their motivation is
Build your own
LOCAL THREAT INTELLIGENCE
Know Your Enemy
13.04.2015
Hello!
4103 IOCs were detected on the following units:
websrv01.wbdmz.local: 3122
dbsrv01.wbdmz.local: 981
Click here to access the Dashboard.
Connection Atlas
Activity Graph
Live Alerts
Anatomy of a Targeted Attack
Initial Recon → Initial Compromise → Establish Foothold → Escalate Privileges → Internal Recon → Move Laterally → Maintain Presence → Complete Mission
Stealth Vulnerability Scan
Anatomy of a Targeted Attack
• SQL Injection
• Broken File Upload
Anatomy of a Targeted Attack
• RAT Malware
• Valid mcsync.exe
• DLL Hijacking
• Misc. Tools
Anatomy of a Targeted Attack
Dump cached passwords
Anatomy of a Targeted Attack
Network Scan
Anatomy of a Targeted Attack
• Windows commands
• Remote cronjob
Conclusion
Working time:
~ 3am - ~ 2pm (CET)
Identified motivation
Attributed infrastructure
Generation of signatures
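The "local threat intelligence" the talk builds from the honeypot boils down to two things the deck shows: the per-host IOC counts in the summary mail and the attacker's working window in CET. The following is an added example, not code from the talk or from SEC Consult; the alert log format, the host names and the IOC names are constructed for the demo, and CET is assumed to be a fixed UTC+1 offset.

```python
# Added example: derive the summary-mail counts and the attacker activity
# window from honeypot alerts. Format, hosts and IOC names are constructed.
from collections import Counter
from datetime import datetime, timedelta, timezone

CET = timezone(timedelta(hours=1))  # assumption: fixed UTC+1, no DST handling

# Constructed honeypot alert lines: "<ISO-8601 UTC> <honeypot host> <IOC name>".
SAMPLE_ALERTS = """\
2015-04-13T02:05:11Z websrv01.wbdmz.local sqli_probe
2015-04-13T02:07:42Z websrv01.wbdmz.local file_upload_webshell
2015-04-13T06:30:00Z dbsrv01.wbdmz.local default_password_login
2015-04-13T09:12:09Z websrv01.wbdmz.local sqli_probe
2015-04-13T12:58:30Z dbsrv01.wbdmz.local cached_password_dump
garbage line that should be skipped
"""

def parse_alerts(text):
    """Parse alert lines into (timestamp, host, ioc) tuples; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        alerts.append((ts, parts[1], parts[2]))
    return alerts

def iocs_per_host(alerts):
    """IOC hits per honeypot host, i.e. the numbers listed in the daily summary mail."""
    return Counter(host for _, host, _ in alerts)

def activity_window(alerts, tz=CET):
    """Earliest and latest hour of attacker activity in the given zone (their working time)."""
    hours = sorted(ts.astimezone(tz).hour for ts, _, _ in alerts)
    return (hours[0], hours[-1]) if hours else None

def summary_mail(alerts, tz=CET):
    """Render a summary in the style of the deck's alert mail, plus the activity window."""
    counts = iocs_per_host(alerts)
    lines = [f"{sum(counts.values())} IOCs were detected on the following units:"]
    lines += [f"{host}: {n}" for host, n in counts.most_common()]
    window = activity_window(alerts, tz)
    if window:
        lines.append(f"Attacker activity window: ~{window[0]:02d}:00 - ~{window[1]:02d}:00 (CET)")
    return "\n".join(lines)
```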
Takeaways
Prevention fails
Preparation is key
Improve monitoring & detection capabilities
Know your enemies
Increase time to defend
Homefield advantage
Do the homework
Takeaways
"If you know your enemies and
know yourself, you will not be
imperiled in a hundred battles"
- Sun Tzu, The Art of War
Contact
GERMANY
SEC Consult Unternehmensberatung Deutschland GmbH
Ullsteinstraße 118
D-12109 Berlin
Email [email protected]
LITHUANIA
UAB Critical Security, a SEC Consult company
Sauletekio al. 15-311
10224 Vilnius
Tel +370 5 2195535
Email [email protected]
RUSSIA
CJCS Security Monitor
5th Donskoy proyezd, 15, Bldg. 6
119334, Moscow
Tel +7 495 662 1414
Email [email protected]
SINGAPORE
SEC Consult Singapore PTE. LTD
4 Battery Road
#25-01 Bank of China Building
Singapore (049908)
Email [email protected]
CANADA
i-SEC Consult Inc.
100 René-Lévesque West, Suite 2500
Montréal (Quebec) H3B 5C9
Email [email protected]
AUSTRIA
SEC Consult Unternehmensberatung GmbH
Komarigasse 14/1
2700 Wiener Neustadt
Tel +43 1 890 30 43 0
Email [email protected]
THAILAND
SEC Consult (Thailand) Co.,Ltd.
29/1 Piyaplace Langsuan Building 16th Floor, 16B
Soi Langsuan, Ploen Chit Road
Lumpini, Patumwan | Bangkok 10330
Email [email protected]
www.sec-consult.com
SWITZERLAND
SEC Consult (Schweiz) AG
Turbinenstrasse 28
8005 Zürich
Tel +41 44 271 777 0 | Fax +43 1 890 30 43 15
Email [email protected]
AUSTRIA
SEC Consult Unternehmensberatung GmbH
Mooslackengasse 17
1190 Vienna
Tel +43 1 890 30 43 0 | Fax +43 1 890 30 43 15
Email [email protected]