cyber analysts: who they are, what they do, where they are - marco ramilli - codemotion milan 2016
TRANSCRIPT
Profilo aziendale YOROI
November 26 2016 CodeMotion Milan
Marco Ramilli
Profilo aziendale YOROI
Cyber Analysts: who they are, what they do,where they are !
Profilo aziendale YOROI
Agenda:
- Cyber Analysts: who they are!
- Cyber Analysts: what they do!
- Cyber Analysts: where they are!
Profilo aziendale YOROI
Today’s Host● PhD in Bologna Joint UCDavis
○ Cyber Security, Penetration Testing US Voting Machines○ Books and Publications
● NIST○ OEVT○ Penetration Testing methodologies to help US Democracy
● Palantir○ Product Company○ Intelligence Company
● Yoroi○ One of the most extraordinary cyber security company founded
in Europe (Hakin9)
Profilo aziendale YOROI
Who they are!Nowadays is not a trivial topic:
● Deep Learning Machines● Cognitive Computing● Machine Learning Algorithms ● Neural Networks
Undermine the Human side of Cyber Security Analysis.
But could that technology really take off the human side of this job ?
Profilo aziendale YOROI
Who they are!Dark Avenger Mutation Algorithm (1993)
It could produce some decryptor cases that appeared only in about 5% or less of all cases. However, the engine had a couple of minor limitations that were enough to detect the virus reliably using an instruction size disassembler and a state machine. In fact, there is only one constant byte in an MtE decryptor, the 0x75 (JNZ), which is followed by a negative offset—and even that is placed at a variable location (at the end of the decryptor, whose length is not constant).
Profilo aziendale YOROI
Who they are!
Super Simple Malware Evasion Technique. Credits: https://www.exploit-db.com/34591
Profilo aziendale YOROI
Who they are!Red Pill Approach credits: A fistful of red-pills: How to automatically generate procedures to detect CPU emulators
Profilo aziendale YOROI
Who they are!
Profilo aziendale YOROI
What they do!
● Day 1, Morning. A phone call (from IT department) saying a server is performing weird network requests.
● Day 1, Afternoon. A VMWare image is sent to Cyber Analyst email box
he’ gotta run !
Profilo aziendale YOROI
What they do!
Apport -> Intercepts crashes right when they happen the first time, gathers system information and send back to developers stack traces and useful infos to fixt the crash
package-data-downloader -> used by software installers such as dpkg and apt.
Profilo aziendale YOROI
What they do!
SubProcess … Why ?/usr/bin/lls … What ?
Profilo aziendale YOROI
What they do!
SubProcess … Why ?/usr/bin/lls … What ?
Profilo aziendale YOROI
What they do!
Profilo aziendale YOROI
What they do!
Profilo aziendale YOROI
What they do!
Connect to 198.216.87.22 ?
Profilo aziendale YOROI
What they do!Ok, let’s intercept what it sends to 198 !
On the client side in the meanwhile ...
Oh boy… really ?
Profilo aziendale YOROI
What they do!
Profilo aziendale YOROI
What they do!Ok, we’ve got password exfiltration every crash dump and every software update and machine control since ssh is available.
But how they trigger persistence on a server ?
Maybe attackers trigger crashes from outside ?
Profilo aziendale YOROI
What they do!
Et Voilà ! CVE-2014-3583
Profilo aziendale YOROI
What they do!Ok, we know pretty much a lot of things about the intrusion even how they get persistence...
But why the user reported a “strange behavior” ?
Maybe attackers needed such a server as pivot server ?
Oh..Oh !!
Profilo aziendale YOROI
What they do!Here we go !A nice SEH BOverflow on Windows
We need to asks for another server Image ….. :D
Ok not today...
Profilo aziendale YOROI
What they do!
It was a quite original way to penetrate a system… is it a new fancy opportunistic way ?
Profilo aziendale YOROI
What they do!
Profilo aziendale YOROI
What they do!
How “lls” landed here ?
Profilo aziendale YOROI
What they do!
Only 5 iterations ? - Let’s check it out !
Profilo aziendale YOROI
What they do!A simple reminds on Linux passwords:● schema: $id$salt$hashed
○ $1$ -> MD5○ $2a$ -> Blowfish○ $2y$ -> Blowfish (8-bit chars)○ $5$ -> SHA-256○ $6$ -> SHA-512
● !: account is password locked● *: account is locked● !!: no password set (RedHat)
Profilo aziendale YOROI
What they do!
Profilo aziendale YOROI
What they do!
Profilo aziendale YOROI
Where they are!● Unfortunately there is not a full learning path to become Cyber
Security Analyst so far.● There are a lot of classes on:
○ Reverse Engineer○ Firmware Analyses○ Forensic Analyses○ Penetration Testing○ Vulnerability Assessments○ Secure Policy Assessment○ . . . . .
● But a Cyber Security Analyst should be able to perform each of these actions + human interactions + strategic thinking + organization chart knowledge + problem solving
Profilo aziendale YOROI
Where they are ?
Profilo aziendale YOROI
We are Hiring !
www.yoroi.company