Guerrillas in the Wire

7/30/2019 Guerrillas in the Wire

http://slidepdf.com/reader/full/guerrillas-in-the-wire 1/159

COMPLIACE

CHRIS NICKERSONGuerillas in

the Wires



the Wires

hi. =)



Thanks























Anyway...



I’m Chris











-me

• Pain in the arse

•Loudmouth

• Hacker Punk

• Tells lies (professionally)

• Is called all sorts of bad

words.. That I will likelysay throughout this talk

• Cant code well

• Talks $hit

•

Drinks a LOT• Is an overall J3rk















LARES















Electronic• Network Pentesting

• Surveillance/ plants

Social• In Person Social Engineering

• Phone Conversation

• Social Profiling

Physical• Lockpicking

• Direct Attack

EP Convergance

• Attacks on

physical

systems that

are network

enabled

ES Convergance

• Blackmail

•

Phishing• Profiling

• Creating moles

PS Convergance

• Tailgaiting

• Impersonation



Figure Out Whatis Important tothe company

Steal It !







To get you awake



Get you to THINK about

what we are doing





So…























We areclearly

doingsomething

wrong







2012 Infosec Year In review

2,644 incidents were reported (Up117.3% from 2011)

267,000,000 records exposed

Over 150,000,000 in ONE incident

84.7% of the records exposed camefrom business

45% of incidents included publicreleases of passwords







Persians vs Scythians



ROME vs Britons





Mongolians vs Tanguts



Vs.





El Empecinado

Aka

Juan Martín Díez

























Structureexists even

in Guerilla

warfare





h l



The only

patch for

Human

Stupidity isEXPERIENCE







So how does

all of this

apply to us?



Environment

AttackerDefender

Home Field

Advantage



















ENCRYPTION

Own the box/steal the keys



Keylog

GPU Cracking is fun TO the cloud!!

Attack 3rd party crypt

And if all else fails…







Nmap… --data-

length=0

Or –f

Or just go faster –T5

Lame… that this STILL

works in many cases



Roll your own crypto



Use “other” data streams

(mDNS, Airdrop,BITS,DNS, HTTP,SIP)

Go to the phones..

(Translate to 16 octave

audio and exfil over fax)

Hopefully you sawSteffen Wendzel’s talk

if not go find em





AV/Anti-







Custom checksums are

not hard… theres

apps for that =)



Clearthelog.rb



… rm

Run scripty logcleaners in your

tools*MSF,CORE,CANVAS all

have **so do mostexploit kits (yeay

china)



Of the



6Top Firewalls

How many can

effectivelyblock TCP ports?



-Source NSS Labs Firewall Group test

:Section: TCP Split Handshake















WHAT DO

WE DO?

STEP 0



STEP 0

EDUCATION



Implement



Implement

Awareness

and

KnowledgeFormula



Defense = capability (awareness + knowledge) +experience

Capability =(Knowledge + Awareness) Can we defend

against an attack?

Experience – over all ability to

understand/plan/execute/and remain on task during

the event

**ps… this is not math… just conceptual. Most companies out there couldn’t put

actual ACURATE values on controls or any of the areas above if they even tried.

Crawl,walk,run…







Practice

BASIC

INFOSEC!

Patching



Patching



“The more

sophisticated



sophisticated

thetechnology, the

more vulnerable

it is toprimitive

attack. People

often overlook

the obvious” –

Dr WHO



Align With

the business

objectives









What does

your company

DO???



How does it

do it?









Now what?

Grow Revenew Buy firewall



Increase Productreliability

Increase brand

value

Launch xyz new

thing

Increase customerservice/satisfaction

Deploy DLP

Move to Cloud

Install moar AV

WAF









How much do



you spend onDisaster

Recovery.

(Average is

1 8% t t l



Average costof a

downtime

$287,600

Multiply that



by the # ofbugs found in

code that can

stop aservice





TEST TO SEE IF ITWORKS….. DUMMY

VulnerabilityAssessments?







Process



Figure Out Whatthe Company

Thinks is Important

Steal It !



5

+ Customdesigned attack

kitsAt ANY time

Non Interactive,without update

+ CorporatePartner Attacks

4 + 0daydevelopment

At ANY time

Non Interactive,Without update

unlessurgent/issue

based

+ Physical Attacks

3Exploitation of ALL

KNOWNvulnerabilities w/non-interactive

sessions

Extendedengagement time

window

Non interactive w/update

+ Individualattacks

2

Exploitation of Known

vulnerabilities atALL layers w/

interactive sessions

Unlimited Timewindow during

engagement

Interactivew/scheduled update

+ Indirect attacks

1Exploitation of

knownVulnerabilities atall layers underApplication with

interactivesessions

Constrained Timewindows

Interactive w/constant client

updateDirect Attacks



FOLLOW A REPEATABLE

METHODOLOGY

Allow a FULL TEST



Allow a FULL TEST

to get FULL VALUE• ACT as you would NORMALLY

– Systems attack : tests IR plan

– System Error: tracks mean time to

issue identification

– Service Outage: tests/identifies

flaws in BCP – System down: tests/identifies

flaws in DR plan





SET REASONABLE

EXPECTAITONS







What do you

have to lose?



YOU HAVE

ALREADY BEENHACKED



Documents

Guerrillas in the Wire