Is there an arms race in cyber space? - IDA > Home · 2016-06-20

Page 1

Is there an arms race in cyber space?

June 10th, 2016 by Ivan Bütler

Page 2

About Me – Ivan Bütler

… from Switzerland

… like hacking, cracking, securing, security

… Lecturing at the University of Applied Science in Rapperswil, Lucerne and Zurich

… like building CTF games and infrastructures

… speaker @ Blackhat US, AppSec US, EU, CN

http://e1.compass-security.com/

Page 3

Who are you going to ask if she is rich?

Page 4

What I have learned from being a Pentester

Page 5

Direct Attacks

BLOCKED

PASSED

BLOCKED

Page 6

Business Case for Cyber Criminals

Page 7

Search & Hack // Shodan Internet of Things

Page 8

Default Passwords: https://github.com/scadastrangelove/SCADAPASS

Page 9

Indirect Attack

Page 10

Fake Job Application using a USB stick

Internet

Company Network

Delivery with USB-Stick/CD-ROM

Start via Auto-Start

Attacker controls the computer of the victim

Page 11

Ukraine 6 hour Blackout // Dec 23rd, 2015

Page 12

MS Word Virus Example

Mail

Page 13

Attacking Offline Networks

Page 14

PlugBot Concept (Inside-Out)

GPRS/UMTS

Covert Channel

Page 15

You may ask yourself: is this an ‘arms race in cyber space’?

Page 16

Swiss Government and Military Department became victim of a cyber espionage attack

https://www.melani.admin.ch/melani/en/home/dokumentation/reports/technical-reports/technical-report_apt_case_ruag.html

http://www.swissinfo.ch/eng/industrial-espionage_hackers-target-swiss-defence-ministry/42131890

Page 17

Initial Infection – harmless ‚game‘

Timeline: 2010, 2012, 2014, 2016

C&C

Initial Infection

Page 18

The Power of the Statistics

[3] ETHZ Stefan Frei 2009 (Dissertation): We found that exploit availability consistently exceeds patch availability since 2000

[Figure: timeline with the labels Disclosure, Security Problem / Vulnerability, Exploit and Patch, and the intervals 54 days and 6 days]

Page 19

Very very slow polling of C&C

POLL

Command for infected Device

Next POLL in 90 Days

Next POLL in 90 Days

Execute commands

Page 20

Elevate Privileges to Local Admin and gaining AD Domain Admin Privileges

Timeline: 2010, 2012, 2014, 2016

C&C

Initial Infection

Page 21

Multi-stage polymorphic cyber warfare framework

C&C Relay Server

Agent and C&C within company network

Agent and C&C within company network

Infected Clients

Infected Clients

Agent

C&C Relay Server

Hidden C&C Server

Page 22

Crucial decision; how to respond? What immediate actions?

Page 23

Defense Strategy using Fake C&C

Zombie Host

Zombie Host

Zombie Host

Agent

Agent

Agent

Zombie Host

C&C Server

Fake C&C: Send the clients “sleep”

Redirect Update Service

Problems!!! Updates are Encrypted / Signed; Reverse Engineering required

Page 24

Threat Pyramid

„Just a Few“

Advanced Persistent Threat

Professional actors, Cyber criminals

Traditional Hacking threats, Development of tools

User of Hacking tools

Page 25

What does it mean from a management perspective?

Page 26

Having the right people, having trust and confidence; this is a key factor!

- Reverse engineering -> malware

- Reverse engineering -> C&C protocol

- Creation of a fake C&C service

- Interception and pattern based redirections

- Really, really, really good people

Page 27

European Cyber Security Challenge 2015

http://www.europeancybersecuritychallenge.eu

Page 28

One last question; Do we need offensive capabilities?

Page 29

Thank You! – Questions?

Ivan Bütler

http://e1.compass-security.com/

Page 30

References

- National Cyber Defense Strategy in Switzerland: https://www.enisa.europa.eu/topics/national-cyber-security-strategies/ncss-map/Switzerlands_Cyber_Security_strategy.pdf

- GovCert Report about this cyber espionage: https://www.melani.admin.ch/melani/en/home/dokumentation/reports/technical-reports/technical-report_apt_case_ruag.html

- http://www.swissinfo.ch/eng/industrial-espionage_hackers-target-swiss-defence-ministry/42131890

Page 31

Swiss GovCert report

https://www.melani.admin.ch/melani/en/home/dokumentation/reports/technical-reports/technical-report_apt_case_ruag.html

http://www.swissinfo.ch/eng/industrial-espionage_hackers-target-swiss-defence-ministry/42131890