cyber analysts: who they are, what they do, where they are - marco ramilli - codemotion rome 2017
TRANSCRIPT
YOROI company profile
Agenda:
- Cyber Analysts: who they are!
- Cyber Analysts: what they do!
- Cyber Analysts: where they are!
Today's Host
● PhD in Bologna, joint with UC Davis
  ○ Cyber Security, Penetration Testing of US Voting Machines
  ○ Books and Publications
● NIST
  ○ OEVT
  ○ Penetration Testing methodologies to help US Democracy
● Palantir
  ○ Product Company
  ○ Intelligence Company
● Yoroi
  ○ One of the most extraordinary cyber security companies founded in Europe (Hakin9)
Who they are!
Nowadays this is not a trivial topic:
● Deep Learning Machines
● Cognitive Computing
● Machine Learning Algorithms
● Neural Networks
undermine the human side of Cyber Security Analysis.
But could that technology really take away the human side of this job?
Who they are!
Dark Avenger Mutation Algorithm (1993)
"It could produce some decryptor cases that appeared only in about 5% or less of all cases. However, the engine had a couple of minor limitations that were enough to detect the virus reliably using an instruction size disassembler and a state machine. In fact, there is only one constant byte in an MtE decryptor, the 0x75 (JNZ), which is followed by a negative offset, and even that is placed at a variable location (at the end of the decryptor, whose length is not constant)."
Who they are!
Super Simple Malware Evasion Technique. Credits: https://www.exploit-db.com/34591
Who they are!
Red Pill Approach. Credits: "A fistful of red-pills: How to automatically generate procedures to detect CPU emulators"
What they do!
● Day 1, Morning. A new event from the Yoroi Defence Center says a server is performing weird network requests.
● Day 1, Afternoon. A VMware image is sent to the Cyber Analyst's mailbox. He's gotta run!
What they do!
Apport -> intercepts crashes right when they happen the first time, gathers system information and sends stack traces and other useful info back to developers so they can fix the crash.
package-data-downloader -> used by software installers such as dpkg and apt.
What they do!
Ok, let's intercept what it sends to 198!
On the client side, in the meanwhile...
Oh boy... really?
What they do!
Ok, we've got password exfiltration at every crash dump and every software update, plus full machine control since ssh is available.
But how do they get persistence on a server?
Maybe the attackers trigger crashes from outside?
What they do!
Et voilà! CVE-2014-3583
What they do!
Ok, we now know quite a lot about the intrusion, even how they get persistence...
But why did the user report a "strange behavior"?
Maybe the attackers needed this server as a pivot server?
Oh... oh!!
What they do!
Here we go! A nice SEH buffer overflow on Windows.
We need to ask for another server image..... :D
Ok, not today...
What they do!
It was quite an original way to penetrate a system... Is it a new fancy opportunistic way in?
What they do!
A simple reminder on Linux passwords:
● schema: $id$salt$hashed
  ○ $1$ -> MD5
  ○ $2a$ -> Blowfish
  ○ $2y$ -> Blowfish (8-bit chars)
  ○ $5$ -> SHA-256
  ○ $6$ -> SHA-512
● !: account is password locked
● *: account is locked
● !!: no password set (RedHat)
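As an added example (not code from the talk), a small Python parser for the password field of /etc/shadow that classifies each entry by the $id$ scheme and lock markers listed above, and an audit pass that flags what an analyst would check first; the sample lines are constructed, not taken from any real host.

```python
from dataclasses import dataclass
from typing import List, Optional

# crypt(3) identifiers as listed on the slide.
CRYPT_SCHEMES = {"1": "MD5", "2a": "Blowfish", "2y": "Blowfish (8-bit chars)",
                 "5": "SHA-256", "6": "SHA-512"}

@dataclass
class ShadowEntry:
    user: str
    scheme: Optional[str]  # hash scheme name, None when the field holds no $id$ hash
    rounds: Optional[int]  # SHA rounds= parameter or bcrypt cost, if present
    salt: Optional[str]
    locked: bool           # "!" or "*" prefix: password login disabled
    no_password: bool      # "!!": never had a password set (RedHat)
    empty: bool            # empty field: login with no password at all
def parse_shadow_line(line: str) -> ShadowEntry:
    user, pw = line.rstrip("\n").split(":")[:2]
    locked = pw.startswith(("!", "*"))
    # `passwd -l` keeps the old hash behind a "!" prefix, so strip it before parsing.
    parts = pw.lstrip("!").split("$")
    if len(parts) < 3 or parts[0] != "":
        return ShadowEntry(user, None, None, None, locked, pw == "!!", pw == "")
    ident, rest = parts[1], parts[2:]
    rounds = salt = None
    if ident in ("2a", "2y"):
        # bcrypt: $2y$<cost>$<22-char salt><31-char hash>, no "$" between salt and hash
        rounds = int(rest[0]) if rest[0].isdigit() else None
        salt = rest[1][:22] if len(rest) > 1 else None
    else:
        if rest[0].startswith("rounds="):
            rounds, rest = int(rest[0][len("rounds="):]), rest[1:]
        salt = rest[0] if rest else None
    return ShadowEntry(user, CRYPT_SCHEMES.get(ident, f"unknown ({ident})"),
                       rounds, salt, locked, pw == "!!", pw == "")
def audit_shadow(lines: List[str]) -> List[str]:
    # One finding per account an analyst would look at twice.
    findings = []
    for e in map(parse_shadow_line, lines):
        if e.empty:
            findings.append(f"{e.user}: empty password field, logs in with no password")
        elif e.scheme == "MD5":
            findings.append(f"{e.user}: weak $1$ MD5 hash, migrate to SHA-512")
    return findings

# Constructed sample lines, not taken from any real system.
SAMPLE_SHADOW = [
    "root:$6$rounds=5000$Zx9Qa1Lc$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGH:17000:0:99999:7:::",
    "legacy:$1$salt1234$c0ffee1234567890abcdef:17000:0:99999:7:::",
    "svc:!$5$NaClNaCl$deadbeefdeadbeefdeadbeef:17000:0:99999:7:::",
    "app:$2y$10$abcdefghijklmnopqrstuv0123456789012345678901234567890:17000:0:99999:7:::",
    "oops::17000:0:99999:7:::",
]
```

Running `audit_shadow(SAMPLE_SHADOW)` reports the MD5 account and the empty-password account; locked accounts keep their parsed scheme so you can still see what hash they carried.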
Where they are!
● Unfortunately there is no complete learning path to become a Cyber Security Analyst so far.
● There are a lot of classes on:
  ○ Reverse Engineering
  ○ Firmware Analysis
  ○ Forensic Analysis
  ○ Penetration Testing
  ○ Vulnerability Assessments
  ○ Secure Policy Assessment
  ○ . . . . .
● But a Cyber Security Analyst should be able to perform each of these activities, plus human interaction, strategic thinking, knowledge of the organization chart and problem solving.