How to Steal a Billion Dollars - NACUSAC - Home 2018

Posted on 04-Jul-2020

TRANSCRIPT

Page 1

How to Steal a Billion Dollars
(and how to prevent it)
NACUSAC - 2018, Louisville, KY

Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor. | ©2017 CliftonLarsonAllen LLP

Page 2

WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING

Outline

• Introductions
 – Presenter
 – Presentation format
 – Cyber Kill Chain example
• Anatomy of an Attack
 – External Recon
 – Weaponization
 – Delivery
 – Exploitation
 – Internal Network Recon
 – Command and Control
 – Capture the flag
 – Exfiltration

Page 3

The Attacker

• David Anderson, Manager, CliftonLarsonAllen
• OSCP – Offensive Security Certified Professional
• BS – Information Technology – Minnesota State University Mankato
• Oversee and participate in:
 – Penetration Testing
 – Social Engineering
 – Vulnerability Assessments

Page 4

The Defenders

• Your IS/IT department
• Your employees

Page 5

Anatomy of an Attack

• How do attackers work?
• What defenses are effective?
• How do I evaluate my own security needs?
• How can I spend my money efficiently?

Page 6

Cyber Kill Chain

[Figure: the eight stages of the kill chain, in the order used throughout the deck]
External Recon → Weaponization → Delivery → Exploitation → Internal Network Recon → Command and Control → Capture the Flag → Exfiltration

Page 7

CLAconnect.com

External Recon

Page 8

Cyber Kill Chain (figure repeated from Page 6)

Page 9

External Recon

• Port and Service enumeration
• Shodan
• OSINT
 – Social Media
 – Staff
 – Customers
 – Web apps

Page 10

Service Enumeration

Page 11

Shodan

Page 12

LinkedIn

Page 13

Website

Page 14

External Recon

• Documentation
 – Network map
  ◊ Data flow
 – IP range
 – External access provided to staff

Page 15

External Recon

• OSINT
 – Social Media
  ◊ Staff
  ◊ Blogs / News
 – Internet accessible documents
• Shodan
• Self Assessments
 – Google Alerts

Page 16

External Recon

• Security Assessments
 – Validation
  ◊ Is it as secure as we think or expect?
 – Assurance
  ◊ Prove to others that it is as good as we say it is.

Page 17

Weaponization

Page 18

Cyber Kill Chain (figure repeated from Page 6)

Page 19

Weaponization

• Exploit announcements
• Exploit research
• Creation of an exploit or attack vector
• Purchase an exploit
• Payload creation

Page 20

Weaponization

• Open Source Weaponization Tools
 – Metasploit
 – Empire
 – Koadic
 – Veil
 – Etc.

Page 21

Weaponization

• Understand current environment
 – Center for Internet Security – Controls 1 and 2
 – Sign up for vendor bulletins and review them
• IT Security Awareness training
• Mitigate Gaps
• Ongoing training on new technology
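CIS Controls 1 and 2 are the hardware and software inventories; you cannot read a vendor bulletin against an environment you have not enumerated. The following is an added example, not from the presentation: a PowerShell inventory of installed software taken from the registry Uninstall keys and diffed against an approved-software list. The approved list is constructed for the demonstration; a real one comes from the organisation's own standard-build documentation.

```powershell
# Added example, not from the presentation. CIS Control 2 (software inventory):
# enumerate installed software from the registry Uninstall keys and diff it
# against an approved list so unexpected packages surface before a vendor
# bulletin or exploit announcement concerns them. The approved list is constructed.

function Get-InstalledSoftware {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                Publisher = $_.Publisher
            }
        } | Sort-Object Name -Unique
}

function Compare-SoftwareBaseline {
    param(
        [Parameter(Mandatory)][object[]]$Installed,
        [Parameter(Mandatory)][string[]]$ApprovedNames
    )
    foreach ($app in $Installed) {
        # Approved entries may be exact names or prefixes ("Microsoft Office").
        $approved = $ApprovedNames | Where-Object { $app.Name -like "$_*" }
        if (-not $approved) {
            [pscustomobject]@{
                Name = $app.Name; Version = $app.Version
                Publisher = $app.Publisher; Status = 'NOT IN BASELINE'
            }
        }
    }
}

# Constructed baseline for the demonstration.
$approved  = @('Microsoft Office', 'Microsoft Visual C++', 'Google Chrome', 'Adobe Acrobat Reader')
$inventory = Get-InstalledSoftware
# Keep a dated snapshot; diffing two snapshots shows what changed between reviews.
$inventory | Export-Csv -Path "$env:TEMP\software-inventory-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
Compare-SoftwareBaseline -Installed $inventory -ApprovedNames $approved | Format-Table -AutoSize
```

Run it from a scheduled task on each endpoint and collect the CSVs centrally; the diff against the baseline is what tells you which machines need a vendor bulletin acted on, and which have software nobody approved.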

Page 22

Delivery

Page 23

Cyber Kill Chain (figure repeated from Page 6)

Page 24

Delivery

• Social Engineering
 – Phishing
 – Email spoofing
 – Call spoofing

Page 25

Phishing Website

Page 26

Phishing Website

Page 27

Phishing Website

Page 28

Poor Email Filtering

SMTP Envelope:
Connected to mail.cogentco.com (38.9.X.X).
MAIL FROM: <[email protected]>
250 OK
RCPT TO: <[email protected]>
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself

SMTP Message:
FROM: <[email protected]>
TO: <[email protected]>
Subject: Free Tesla Car
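The session above is the whole point of the slide: the receiving server accepted an envelope sender (MAIL FROM) and then a message header (FROM:) that name whoever the attacker likes, and a gateway that never compares the two will deliver the spoof. As an added example, not from the presentation, the PowerShell functions below parse a transcript of that shape and report whether the envelope and header sender domains are aligned, which is the identifier-alignment check a DMARC-enforcing gateway performs. The addresses in the sample transcript are constructed placeholders, since the slide's addresses were redacted in the transcript.

```powershell
# Added example, not from the presentation. Parses an SMTP transcript like the
# one on the slide and checks whether the envelope sender (MAIL FROM, RFC 5321)
# and the header sender (From:, RFC 5322) share a domain. A mismatch is the
# spoofing pattern a mail gateway should stop (DMARC "identifier alignment").

function Get-MailDomain {
    param([Parameter(Mandatory)][string]$Address)
    # Accept "<user@host>", "Display Name <user@host>" or a bare address.
    if ($Address -match '<([^>]+)>') { $Address = $Matches[1] }
    if ($Address.Trim() -notmatch '^[^@\s]+@([^@\s]+)$') { return $null }
    return $Matches[1].ToLowerInvariant()
}

function Test-SenderAlignment {
    param(
        [Parameter(Mandatory)][string]$EnvelopeFrom,  # SMTP MAIL FROM
        [Parameter(Mandatory)][string]$HeaderFrom     # message From: header
    )
    $envDomain = Get-MailDomain $EnvelopeFrom
    $hdrDomain = Get-MailDomain $HeaderFrom
    [pscustomobject]@{
        EnvelopeDomain = $envDomain
        HeaderDomain   = $hdrDomain
        # Strict alignment: the two domains must be identical.
        Aligned        = ($null -ne $envDomain -and $envDomain -eq $hdrDomain)
    }
}

function Get-SessionAlignment {
    # Walks a raw SMTP transcript: envelope commands come before DATA, the
    # message headers come after it.
    param([Parameter(Mandatory)][string]$Transcript)
    $mailFrom = $null; $headerFrom = $null; $inData = $false
    foreach ($line in ($Transcript -split "`r?`n")) {
        if (-not $inData) {
            if ($line -match '^MAIL FROM:\s*(.+)$') { $mailFrom = $Matches[1] }
            elseif ($line -match '^DATA\s*$') { $inData = $true }
        }
        elseif (-not $headerFrom -and $line -match '^From:\s*(.+)$') {
            $headerFrom = $Matches[1]
        }
    }
    if (-not $mailFrom -or -not $headerFrom) {
        throw 'Transcript has no MAIL FROM command or no From: header'
    }
    Test-SenderAlignment -EnvelopeFrom $mailFrom -HeaderFrom $headerFrom
}

# Constructed transcript modelled on the slide; the domains are placeholders.
$session = @'
MAIL FROM: <prize@attacker-controlled.example>
250 OK
RCPT TO: <member@creditunion.example>
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
FROM: <ceo@creditunion.example>
TO: <member@creditunion.example>
Subject: Free Tesla Car
'@

Get-SessionAlignment -Transcript $session | Format-List
```

For the constructed session the envelope domain and the header domain differ, so Aligned is False: that is the message a filter should quarantine or reject. Publishing SPF and DKIM records for your own domain and a DMARC policy of quarantine or reject gives receiving gateways the information to make this decision for mail that claims to be from you.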

Page 29

Delivery

• Phone Calls
• [Audio Sample]

Page 30

Delivery

• In Person
 – RFID clone
 – Media drops
 – Tailgating

Page 31

Not this tailgating…

Page 32

Delivery

• Security Awareness Training
• Mail Security Controls
• Security Assessments of email system
 – Cloud
 – OWA
 – Endpoint
• Spam Filters

Page 33

Exploitation

Page 34

Cyber Kill Chain (figure repeated from Page 6)

Page 35

Exploitation

• Missing patches
 – MS17-010 (WannaCry / ETERNALBLUE)
• End user
 – Malicious Office documents (Macros, OLE, etc.)
 – HTML Applications (.HTA)
• Windows PowerShell
 – Can inject malicious code straight into memory

Page 36

Malicious Macro (PowerShell)

Page 37

ETERNALBLUE

Page 38

ETERNALBLUE

Page 39

Exploitation

• Patch management
 – Simplify support
 – Mitigation
• Security Policy
 – Least Privilege
 – Layered Defense
 – Secure by Design
 – Assume Breach

Page 40

Exploitation

• Security Baseline
 – “Golden Image”
 – Group Policy
 – Benchmarks
  ◊ CIS
  ◊ NIST
  ◊ STIGs
  ◊ USGCB

Page 41

Exploitation

• Application whitelisting
 – AppLocker
 – Windows Device Guard
• Protect Office Applications
 – Block Macros
 – Windows Defender Exploit Guard
• Prevent script files from auto-executing
 – Change the default application for file extensions such as .hta, .js, .bat, etc.
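The three endpoint controls on this slide all come down to registry and Defender settings, so here they are as one PowerShell script. This is an added example, not from the presentation: it blocks Office macros through the Office policy keys, enables the Exploit Guard attack surface reduction rule that stops Office from spawning child processes, and re-points the script-file ProgIds (htafile, JSFile, JSEFile, VBSFile, VBEFile, WSFFile, batfile) at Notepad so a double-clicked attachment opens as text instead of running. It assumes Office 2016 or later (policy version 16.0) and must run elevated.

```powershell
# Added example, not from the presentation. Applies three of the slide's
# controls on one workstation: block Office macros, enable the Exploit Guard
# ASR rule that stops Office from spawning child processes, and point the
# script-file types phishing payloads use at Notepad so a double-click opens
# them instead of running them. Run elevated; push by Group Policy in production.

function Set-OfficeMacroPolicy {
    param([string]$OfficeVersion = '16.0')   # 16.0 = Office 2016 / 2019 / 365
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # VBAWarnings 4 = "Disable all macros without notification"
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
        # Block macros in files that carry the Mark-of-the-Web (downloaded or mailed)
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

function Enable-OfficeChildProcessBlock {
    # Windows Defender Exploit Guard, Attack Surface Reduction rule
    # "Block all Office applications from creating child processes".
    $ruleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions Enabled
}

$ScriptProgIds = @('htafile', 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'batfile')

function Get-ScriptExtensionHandlers {
    # Audit view: which command currently opens each script type.
    param([string[]]$ProgIds = $ScriptProgIds)
    foreach ($progId in $ProgIds) {
        $key = "HKLM:\SOFTWARE\Classes\$progId\shell\open\command"
        [pscustomobject]@{
            ProgId  = $progId
            Handler = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        }
    }
}

function Set-ScriptExtensionsToNotepad {
    # The interpreters (wscript.exe, mshta.exe, cmd.exe) stay installed, so this
    # only closes the double-click path; AppLocker / Device Guard from the same
    # slide is the layer that covers direct invocation.
    param([string[]]$ProgIds = $ScriptProgIds)
    $handler = "`"$env:SystemRoot\system32\notepad.exe`" `"%1`""
    foreach ($progId in $ProgIds) {
        $key = "HKLM:\SOFTWARE\Classes\$progId\shell\open\command"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name '(Default)' -Value $handler
    }
}

Get-ScriptExtensionHandlers | Format-Table -AutoSize   # before
Set-OfficeMacroPolicy
Enable-OfficeChildProcessBlock
Set-ScriptExtensionsToNotepad
Get-ScriptExtensionHandlers | Format-Table -AutoSize   # after
```

Two caveats for production use. A per-user UserChoice association (set when someone picks "Open with") overrides the machine-wide handler on Windows 10, so in a domain the reliable way to ship the file associations is the "Set a default associations configuration file" policy with an XML exported by DISM. And the macro keys here are the policy keys for the current user; the same values under the Group Policy Office ADMX templates ("VBA Macro Notification Settings" and "Block macros from running in Office files from the Internet") apply them to everyone.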

Page 42

Exploitation

• Tools
 – Sysinternals suite
 – LAPS
 – Sysmon
  ◊ IR focused configuration

Page 43

Exploitation

• Network Monitoring
 – User level
 – Temporal
 – Attempts
 – Behavior
• Segmentation
 – Block endpoint SMB
 – Guest Wi-Fi
 – IoT
 – Secure transactions

Page 44

Internal Network Recon

Page 45

Cyber Kill Chain (figure repeated from Page 6)

Page 46

Internal Network Recon

• Where am I? – ipconfig /all
• Who am I? – whoami
• What privileges do I have? – whoami /groups
• Do I have local admin rights? – net localgroup administrators

Page 47

Internal Network Recon

• Who is on the network?
 – netstat
 – Port scans
 – DNS enumeration
 – AD enumeration
• Who are the administrators?
 – BloodHound

Page 48

BloodHound

Page 49

Internal Network Recon

• Default/easily guessable passwords
• Misconfiguration
• Missing patches

Page 50

Internal Network Recon

• Secure Network
 – Network Segmentation
 – BLOCK workstation to workstation communication
• Network Monitoring
 – Netflow
 – Endpoint logs
 – “user” behavior
 – Sensor alerts
 – Log analysis
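"Block workstation to workstation communication" here, and "Block endpoint SMB" on the Exploitation segmentation slide, are the same control, and on Windows it does not need network hardware: the host firewall can refuse inbound SMB from peers while still admitting the patching and scanning hosts that legitimately need it. The script below is an added example, not from the presentation. It disables the built-in File and Printer Sharing allow rules, confirms the default inbound action is Block, and re-allows TCP 445/139 only from named management sources; the management addresses are constructed, and the script must run elevated.

```powershell
# Added example, not from the presentation. Host-based segmentation for the
# "block workstation to workstation" and "block endpoint SMB" bullets: a
# workstation has no business reason to accept SMB from another workstation,
# so the predefined File and Printer Sharing allow rules are disabled and
# inbound SMB is allowed only from management hosts. Addresses are constructed.

function Get-InboundSmbAllowRules {
    # Every enabled inbound allow rule whose local port covers SMB.
    # (Port ranges such as "400-500" are not expanded here; list them separately.)
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
            ($ports -contains '445') -or ($ports -contains '139') -or ($ports -contains 'Any')
        } | Select-Object DisplayName, Profile, DisplayGroup
}

function Set-WorkstationSmbPolicy {
    param(
        # Hosts that legitimately need SMB into workstations: patching, vulnerability
        # scanners, admin jump hosts. Constructed values.
        [string[]]$ManagementSources = @('10.20.1.10', '10.20.1.11')
    )
    # 1. Default inbound action must be Block on every profile, otherwise
    #    removing allow rules changes nothing.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

    # 2. Drop the built-in allow rules that open SMB to everyone on the network.
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule

    # 3. Re-allow SMB only from the management sources. Scoping the allow rule is
    #    the right direction: block rules always beat allow rules in the Windows
    #    firewall, so a broad block plus a narrow allow would shut out management too.
    $name = 'SMB-In from management hosts only'
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort 445, 139 `
        -RemoteAddress $ManagementSources -Action Allow -Profile Domain | Out-Null
}

Get-InboundSmbAllowRules | Format-Table -AutoSize   # what is exposed today
Set-WorkstationSmbPolicy
Get-InboundSmbAllowRules | Format-Table -AutoSize   # afterwards only the management rule should remain
```

The File and Printer Sharing group also contains the ICMP echo rules, so ping to workstations stops working unless you re-enable those two rules; decide that deliberately. File servers need the opposite policy (SMB allowed from the workstation subnets), which is why this is a workstation GPO, not a domain-wide one, and the Netflow and endpoint-log monitoring on the same slide is what tells you whether anything is still trying.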

Page 51

Internal Network Recon

• Security Policy
 – Least Privilege
 – Assume Breach
• Encryption
 – At rest
 – In transit

Page 52

PowerShell Security

• Upgrade to PowerShell v5
• Remove PowerShell v2
• Enable Script Block Logging
• Enable Script Transcription
• OPTIONAL: Configure Constrained Language Mode
 – Prevents advanced features, such as .NET execution, Windows API calls, and COM access
 – This may cause issues with managing systems with PowerShell
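The five bullets above are one procedure, so here it is as a single script, added as an example and not part of the presentation. It checks the engine version, removes the v2 engine (which predates all of this logging and is the classic downgrade target), sets the Script Block Logging and Transcription policy values, reports the resulting state, and leaves Constrained Language Mode as an opt-in function, matching the slide's OPTIONAL. The transcript directory is a placeholder UNC path; the script must run elevated.

```powershell
# Added example, not from the presentation. Applies the PowerShell Security
# slide in order: engine version check, remove the v2 engine, enable script
# block logging and transcription, optionally Constrained Language Mode.
# Run elevated. The transcript share below is a placeholder.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-RegistryValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type $Type
}

function Remove-PowerShellV2 {
    # On Windows 10 / Server 2016 and later the v2 engine is an optional feature.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
    if ($feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    }
}

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = '\\logserver.example\pstranscripts$')   # placeholder share
    # Script block logging: Event ID 4104 in Microsoft-Windows-PowerShell/Operational,
    # including the de-obfuscated content of blocks that unpack themselves at run time.
    Set-RegistryValue -Key "$PolicyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1
    # Transcription: the full text of every session, written to a central share.
    Set-RegistryValue -Key "$PolicyRoot\Transcription" -Name EnableTranscripting -Value 1
    Set-RegistryValue -Key "$PolicyRoot\Transcription" -Name EnableInvocationHeader -Value 1
    Set-RegistryValue -Key "$PolicyRoot\Transcription" -Name OutputDirectory -Value $TranscriptDir -Type String
}

function Enable-ConstrainedLanguageMode {
    # OPTIONAL per the slide. The machine-wide __PSLockdownPolicy variable set to 4
    # puts new sessions into ConstrainedLanguage; the supported route is an
    # AppLocker or Device Guard / WDAC policy, which PowerShell honours on its own.
    # Test the management scripts the slide warns about before enabling this.
    [Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')
}

function Get-PowerShellSecurityState {
    $v2  = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
    $sbl = Get-ItemProperty "$PolicyRoot\ScriptBlockLogging" -ErrorAction SilentlyContinue
    $tr  = Get-ItemProperty "$PolicyRoot\Transcription" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EngineVersion       = $PSVersionTable.PSVersion.ToString()
        V2EngineState       = $v2.State
        ScriptBlockLogging  = $sbl.EnableScriptBlockLogging
        Transcription       = $tr.EnableTranscripting
        TranscriptDirectory = $tr.OutputDirectory
        LanguageMode        = $ExecutionContext.SessionState.LanguageMode
    }
}

if ($PSVersionTable.PSVersion.Major -lt 5) {
    throw 'Install Windows Management Framework 5.1 first; the logging below needs the v5 engine.'
}
Remove-PowerShellV2
Enable-PowerShellLogging
# Enable-ConstrainedLanguageMode   # uncomment once admin tooling has been tested under it
Get-PowerShellSecurityState | Format-List
```

Give the transcript share write-only permissions for workstations (no read, no delete), or an intruder with a foothold can simply edit the record of what they did. Forward the 4104 events to the SIEM with the rest of the endpoint logs; the in-memory injection mentioned on the Exploitation slide is exactly what script block logging captures that file-based antivirus does not.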

Page 53

Command and Control

Page 54

Cyber Kill Chain (figure repeated from Page 6)

Page 55

Command and Control

• Remote access tool
 – Stabilize connection
 – Persistence
• Communication
 – Encrypted
 – Mimic “real” network traffic (HTTPS / DNS)
• Operational Security

Page 56

Command and Control

• Network Monitoring
 – Bandwidth, traffic patterns, IP geolocation
• Threat Intelligence
 – Internal
  ◊ SIEM, next-gen firewalls
 – External feeds
  ◊ Industry – Microsoft, Google, Cisco, HP, etc.
  ◊ STIX, TAXII, CybOX

Page 57

Capture the Flag

Page 58

Cyber Kill Chain (figure repeated from Page 6)

Page 59

Capture the Flag

• Asset Identification
• Asset Acquisition
 – Open file shares are a goldmine
 – AIRES files

Page 60

Capture the Flag

• Admin Creds
 – SQL creds in web.config files
 – Cloud (e.g. Office 365)
• Open File Shares
• Insecure databases

Page 61

Capture the Flag

• Network Map
 – “Treasure map”
• Encryption
 – “At rest” encryption
• Logging
 – SQL access
 – File access
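The previous slide lists "SQL creds in web.config files" as a flag worth capturing, and this one lists the controls. Finding those credentials before an intruder does is a scan you can run yourself: the PowerShell function below is an added example, not from the presentation. It walks a directory tree for web.config files, parses the connectionStrings section, and reports each string as clear-text password, integrated authentication, or already encrypted with the ASP.NET protected-configuration provider. The sample web.config it scans is constructed and written to a temp folder so the demonstration runs anywhere.

```powershell
# Added example, not from the presentation. Audits web.config files for the
# "SQL creds in web.config" finding: a connection string that still carries a
# clear-text password in a section that has not been encrypted with the ASP.NET
# protected-configuration provider. The sample web.config below is constructed.

function Test-WebConfigSecrets {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Filter 'web.config' -Recurse -File | ForEach-Object {
        $file = $_.FullName
        try { [xml]$cfg = Get-Content -Path $file -Raw } catch { return }   # skip unparsable files
        $section = $cfg.configuration.connectionStrings
        if (-not $section) { return }
        # An encrypted section carries configProtectionProvider and no readable <add> children.
        if ($section.configProtectionProvider) {
            [pscustomobject]@{ File = $file; Name = '(section)'; Status = 'encrypted'
                               Provider = $section.configProtectionProvider }
            return
        }
        foreach ($cs in $section.add) {
            $status = if ($cs.connectionString -match '(password|pwd)\s*=') { 'CLEAR-TEXT PASSWORD' }
                      elseif ($cs.connectionString -match 'integrated security\s*=\s*(true|sspi)') { 'integrated auth' }
                      else { 'no password' }
            [pscustomobject]@{ File = $file; Name = $cs.name; Status = $status; Provider = '' }
        }
    }
}

# Constructed sample: one clear-text credential, one integrated-auth connection.
$demoRoot = Join-Path $env:TEMP 'webconfig-audit-demo'
New-Item -Path $demoRoot -ItemType Directory -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <connectionStrings>
    <add name="MembersDb" connectionString="Server=sql01;Database=Members;User Id=webapp;Password=Summer2018!" providerName="System.Data.SqlClient" />
    <add name="ReportsDb" connectionString="Server=sql01;Database=Reports;Integrated Security=SSPI" providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>
'@ | Set-Content -Path (Join-Path $demoRoot 'web.config') -Encoding UTF8

Test-WebConfigSecrets -Path $demoRoot | Format-Table -AutoSize
```

For every CLEAR-TEXT PASSWORD result, the fix on the web server is `aspnet_regiis.exe -pe "connectionStrings" -app "/YourApp"`, which rewrites the section with the DPAPI or RSA provider; the function then reports it as encrypted. The credential itself should also be rotated, since it has been sitting on disk for anyone with share access to read, and the SQL access logging on this slide is how you find out whether anyone did.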

Page 62

Exfiltration

Page 63

Cyber Kill Chain (figure repeated from Page 6)

Page 64

Exfiltration

• Collection point
• Package it up
 – Compress
 – Encrypt
• Send it out
 – FTP, SSH, HTTP(S), ICMP, DNS, etc.
 – We use whatever you allow outbound

Page 65

Exfiltration

• Network Monitoring
 – Bandwidth
 – Egress traffic
• Firewall Rules
• Threat Intelligence
 – Blacklists
 – Geolocation of IP
 – Real-time analysis
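The Command and Control slides and the two Exfiltration slides describe the same data source from two angles: the Netflow records the monitoring bullet asks for. The script below is an added example, not from the presentation, and serves both. Over a constructed set of flow records it runs two detections: a beaconing check for the "mimic real traffic" C2 pattern (many connections to one destination at a nearly constant interval) and an egress check for the Exfiltration bullets (per-host volume, bulk transfers off-hours, oversized DNS or ICMP, and destination ports the firewall should not permit outbound). Thresholds are parameters with placeholder defaults, not measured values.

```powershell
# Added example, not from the presentation. Two detections over NetFlow-style
# records: beaconing (Command and Control slide) and egress anomalies
# (Exfiltration slide). All flow records and thresholds are constructed.

$SampleFlows = @'
start,src,dst,dport,proto,bytes_out
2018-05-01T09:00:00,10.20.5.60,203.0.113.200,443,tcp,1200
2018-05-01T09:01:00,10.20.5.60,203.0.113.200,443,tcp,1180
2018-05-01T09:02:01,10.20.5.60,203.0.113.200,443,tcp,1210
2018-05-01T09:03:00,10.20.5.60,203.0.113.200,443,tcp,1190
2018-05-01T09:04:00,10.20.5.60,203.0.113.200,443,tcp,1205
2018-05-01T09:00:10,10.20.5.41,198.51.100.20,443,tcp,5242880
2018-05-01T09:48:00,10.20.5.41,198.51.100.21,80,tcp,1048576
2018-05-01T14:12:00,10.20.5.41,198.51.100.20,443,tcp,734003
2018-05-01T02:13:00,10.20.5.17,203.0.113.9,443,tcp,734003200
2018-05-01T02:41:00,10.20.5.17,203.0.113.9,443,tcp,698351616
2018-05-01T11:40:00,10.20.5.88,192.0.2.53,53,udp,41943040
2018-05-01T03:30:00,10.20.5.23,203.0.113.77,21,tcp,157286400
'@

function ConvertFrom-FlowCsv {
    param([Parameter(Mandatory)][string]$Csv)
    $Csv | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Start = [datetime]$_.start; Src = $_.src; Dst = $_.dst
            DPort = [int]$_.dport; Proto = $_.proto.ToLower(); Bytes = [long]$_.bytes_out
        }
    }
}

function Find-BeaconCandidates {
    # Flags (src, dst, port) tuples with at least MinFlows connections whose
    # inter-arrival times vary by less than MaxJitter (coefficient of variation).
    param([Parameter(Mandatory)][object[]]$Flows, [int]$MinFlows = 5, [double]$MaxJitter = 0.1)
    foreach ($g in ($Flows | Group-Object Src, Dst, DPort)) {
        if ($g.Count -lt $MinFlows) { continue }
        $times = $g.Group | Sort-Object Start | ForEach-Object { $_.Start }
        $gaps  = for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds }
        $mean  = ($gaps | Measure-Object -Average).Average
        if ($mean -le 0) { continue }
        $variance = ($gaps | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Average).Average
        $cv = [math]::Sqrt($variance) / $mean
        if ($cv -le $MaxJitter) {
            [pscustomobject]@{ Src = $g.Group[0].Src; Dst = $g.Group[0].Dst; DPort = $g.Group[0].DPort
                               Flows = $g.Count; MeanIntervalSec = [math]::Round($mean, 1); Jitter = [math]::Round($cv, 3) }
        }
    }
}

function Find-EgressAnomalies {
    param(
        [Parameter(Mandatory)][object[]]$Flows,
        [long]$DailyBytesPerHost = 500MB,     # tune to the site's measured baseline
        [long]$DnsIcmpBytes = 1MB,            # DNS and ICMP should carry almost nothing
        [int[]]$AllowedPorts = @(80, 443),    # what the egress firewall permits
        [long]$OffHoursBytes = 100MB, [int]$OffHoursFrom = 0, [int]$OffHoursTo = 5
    )
    foreach ($g in ($Flows | Group-Object Src)) {
        $total = ($g.Group | Measure-Object Bytes -Sum).Sum
        if ($total -gt $DailyBytesPerHost) {
            [pscustomobject]@{ Src = $g.Name; Reason = 'egress volume'; Detail = "$([math]::Round($total / 1MB)) MB out" }
        }
    }
    foreach ($f in $Flows) {
        $mb = [math]::Round($f.Bytes / 1MB)
        if ((($f.Proto -eq 'udp' -and $f.DPort -eq 53) -or $f.Proto -eq 'icmp') -and $f.Bytes -gt $DnsIcmpBytes) {
            [pscustomobject]@{ Src = $f.Src; Reason = 'oversized DNS/ICMP (tunnelling?)'; Detail = "$($f.Proto)/$($f.DPort) to $($f.Dst), $mb MB" }
        }
        if ($f.Proto -ne 'icmp' -and $f.DPort -notin $AllowedPorts) {
            [pscustomobject]@{ Src = $f.Src; Reason = 'port not allowed outbound'; Detail = "$($f.Proto)/$($f.DPort) to $($f.Dst)" }
        }
        if ($f.Start.Hour -ge $OffHoursFrom -and $f.Start.Hour -lt $OffHoursTo -and $f.Bytes -gt $OffHoursBytes) {
            [pscustomobject]@{ Src = $f.Src; Reason = 'bulk transfer off-hours'; Detail = "$($f.Start.ToString('HH:mm')) to $($f.Dst), $mb MB" }
        }
    }
}

$flows = ConvertFrom-FlowCsv -Csv $SampleFlows
Find-BeaconCandidates -Flows $flows | Format-Table -AutoSize
Find-EgressAnomalies  -Flows $flows | Format-Table -AutoSize
```

In the constructed data the 10.20.5.60 host talks to one address every 60 seconds with almost no variation, which is what the beacon check surfaces; the host pushing 1.4 GB out at two in the morning, the 40 MB "DNS" session, and the FTP connection each trip a different egress rule. Replace the thresholds with what a week of your own Netflow shows, and feed the destination addresses to the blacklist and geolocation lookups on the slide: a steady beacon to a reputable CDN is noise, the same beacon to an address on a threat feed is an incident.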

Page 66

Summary

Page 67

Summary

External Recon → Weaponization → Delivery → Exploitation → Internal Network Recon → Command and Control → Capture the Flag → Exfiltration

Page 68

Thank you!

David Anderson
612-397-3132
david.anderson@CLAconnect.com