5/24/2018 Inside a Hacker's Playbook
1/22
INSIDE A HACKER'S PLAYBOOK
TEN TARGETED TECHNIQUES THAT WILL BREAK YOUR SECURITY
Targeted attacks are successful because they are stealthy, specific and disarmingly personal. If they do it right, advanced attackers can quietly infiltrate a network and steal data or information at will for months or even years.
Learn how to stop them by taking a page from their playbook, literally. Trustwave presents a never-before-seen copy of an advanced attacker's technique manual. Use it well to design security that counters their plays perfectly.
A Playbook On Profiting From Targeted Attacks
Before we tackle the finer techniques of building a money-making cyber scam, let's talk a little about the basics of this gig, shall we?
First of all, here's what we are not trying to do. We're not trying to blanket the internet with malicious V1agro spam or mass SQL inject a zillion websites.
We're narrowing our work down to a specific company or industry based on vulnerability opportunities that we scare up. The broadest we'll get is hitting a range of companies vulnerable to one precise vulnerability, either never discovered by security researchers or just recently patched by a vendor.
Do it right and you'll get your hands on huge caches of valuable customer data, and maybe even hit the jackpot with the target's most important intellectual property. With that, you can blackmail people or sell to competitors or even to nation states.
You won't just be buying a new Ferrari. You'll be buying a fleet of 'em.
Know Your Adversary
With a little bit of research, some crafty writing and the right technology, crooks make a good living running targeted attacks to steal corporate and government data. The more we can learn about their techniques, the better we can counter them.
As we sneak a look at each of the plays inside this bad guy instruction manual, let's look for ways to turn this inside knowledge on its head. We'll also offer advice on how to block each attack technique.
Play 1: Staging Your Attack
Let's get to easy money! Most times, there are five stages to a really gnarly targeted attack:
RESEARCH: Start by doing recon on the anticipated target. Dig for publicly available information and socially engineer your way to exploitable info about their IT systems.
INTRUDE: Use that information to find the right employee to spearphish and the right vulnerability to target with your malicious payload. Once the bait's taken, you'll have your initial toehold in the target's network.
PROPAGATE: When you pwn one machine, use its network connections to spread malware onto other machines, so even if you're detected in one place you've got control of other machines.
INFECT: Once you get the lay of the land through your different connections, install more tools to really start to steal and aggregate data.
EXFILTRATE: Finally, you've got to get all that data out of there. Among other options, public web traffic works well.
76% of breached organizations needed someone else to tell them they'd been compromised: 48% were told by regulatory bodies, 25% by law enforcement, 1% by the public and 2% by a third party.
Play 2: Specialize and Outsource
It's not what you know, it's who you know. Put together your own little mafia with specialists who work together to keep your multi-step campaign running. Just like cavemen split labor into hunting and gathering, you just have to break it up into hacking and scamming.
Build the team however you like. Hire people, outsource to malware kit vendors, even work in an equal partnership. Just remember what they say about honor among thieves. Just think: no n00bs allowed. If they can't spell or find the caps lock, or code better than your average script kiddie can, it's hasta la vista, baby.
The FBI's List of Cyber Crime Specialties
Targeted attackers are building a business around stealing from your business. Just as you'd dedicate a lot of specialized employees and vendors to solving your business problem, they're sourcing skills necessary to crack your defenses. Here are the top five out of 10 common specialties named by the FBI:
CODERS: write malware, exploits and data theft tools
VENDORS: trade and sell stolen data, malware kits, footprints into compromised networks
CRIMINAL IT GUYS: maintain criminal IT infrastructure like servers and bullet-proof ISPs
HACKERS: seek and exploit application, system and network vulnerabilities
FRAUDSTERS: create and execute social engineering ploys like phishing and domain squatting
Play 3: Scale Your Attacks
Once you get together that A-team, you're going to milk every vulnerability dry.
Developed or bought an exploit for a new vulnerability in some sorry old company's retail point of sale (POS) system? Maybe it's for some small-time grocery store in San Francisco, but then maybe that same exact vulnerability and system configuration is going to work in POS machines at other franchises of the same brand.
Then, son, your meal-ticket is punched. You'll steal ten times the data but only really do the work to break into one location.
More than a third (>1/3) of data breach investigations occur within franchise businesses.
48% of large companies have experienced 25 or more social engineering attacks in the past two years [1]. 70% of young workers regularly ignore IT policies [2].
Play 4: Play The Player, Not The Game
There's a good chance your target's employees will be oh-so-helpful without even knowing it. They'll give you information, help you upload malware on their machine and even hold the door open for you if you need to sneak into a building. These peeps should be your best friends during the first two stages of attack: research and intrusion. So work this to your advantage. Here are some tips:
If you want information about the org chart, location of a data center, technology they use or whatever, call someone who would know, pretend to be from another department and just ask. Nine times out of ten they'll freely tell you out of the kindness of their hearts.
Official-sounding emergencies work every time. Act like you need help to get a mission-critical project done or else heads will roll. Works best if you know the name of their boss's boss.
If your target employee is high up the food chain and too paranoid to take your bait, try working someone in their entourage. A lot of admins, even temps, are sitting at workstations that can access the same systems the boss's computers are hooked into.
Congrats, you just got a job in HR. Pretend to be a recruiter. In this market, people's judgment tends to get clouded if they think there's a new job on the horizon.
Depending on how much you've got riding on this attack, you may even invest in a little in-person social engineering. Put on a delivery uniform, bring some flowers and see if someone will let you in the building.
30% of large companies said social engineering cost them an average of $100,000 per incident [3].
"Elite cybercriminals are tapping into search engines and social networks to help them target specific employees for social-engineering trickery at a wide range of companies, professional firms and government agencies."
Byron Acohido, USA Today
Play 5: Get Social For Better Recon
Sometimes you don't even need to ask employees for information; they'll offer it up right on their Twitter feed. Use social media to find out all sorts of sweet intel. Here's what you can find out by making a dummy Facebook account and tricking someone into friending it:
Where they went to high school or college
Their mother's maiden name
Their birthday
Their dog's name
Facts about their job: title, promotions, boss name, big projects coming up etc.
All of these are valuable hints at passwords, system challenge question answers and information that's gonna grease the skids of your targeted campaign. Even if you don't friend the person directly, you can potentially dig up info by friending one of THEIR friends. Evil genius, no?
Social media also rules when it comes to building a psych profile on an employee who might turn out to be the kind of tool to help you roll out that first intrusion into a target company. If you know what his or her hobbies are, what teams they root for or any other personal information, you can craft the perfect bait that will get them to visit a site you've infected or trick them into opening a malicious document.
32.8% of passwords contain a name in the top 100 girl and boy name lists. 16.7% of passwords contain a name on the top 100 dog names list. (This is the kind of info people readily give away on their social media feeds.)
42% of organizations have IT staff sharing passwords or access to systems or applications [4]. 48% don't change their privileged passwords within 90 days [5]. 40% or more enterprises have informal or no patch management processes in place [7].
Play 6: Probe for Every Weakness
Why break a window when you've got the key for the front door? Look for user credentials at every step of the way. Goal number two is to find clues about the architecture of the target company's IT infrastructure to choose the right malware kit or custom build something that can help you pick the proverbial locks if the keys aren't lying around. This can be anything from unencrypted password files to lists of company IP addresses to system version information of deployed assets. There are vulnerabilities in just about every corporate network between here and the moon. If your target company doesn't have them, chances are a third party vendor or partner company with ties into the network probably does.
Should you exploit zero-day vulnerabilities never before discovered by the security industry or vulnerabilities that already have a patch? Uh, yeah. Yeah, you should. If you're smart, they'll both play a part in your plans.
30% of Apache Tomcat installations with an accessible administrative interface have the default credentials.
Zero-day vulnerabilities rock. But they're expensive to find and exploit, and known vulnerabilities can be pretty wide open. Most IT departments are too busy to plug their holes with patches.
In situations where you're seeking very specific information, say manufacturing schematics you're stealing for a competing company or nation state, and detection isn't an option, then shelling out for zero-day discovery and exploitation makes sense.
But if it is all about propagating malware in a company you already know (or have a hunch about) has unpatched systems, it makes more sense to take advantage of old vulnerabilities.
50% of targeted attacks initially occur through web use. 48% of targeted attacks initially occur through e-mail use. 2% enter through local devices.
Play 7: Reinvent Old Web & Email Attacks
Once your crew has done its homework on a target, it's time to cast your line and wait for a bite. Some of the most effective initial intrusion plays are fundamentally pretty old-school in nature: you're just phishing people with fake emails, IMs or social media messages to trick them into visiting an infected site or downloading a malicious executable. Now use the information you gathered to custom fit that interaction! Craft a lure that's believable and build a hook that seems so painless that no one even notices they've been landed.
Do it like this:
Example 1: Your hackers just found a killer vulnerability in a software platform commonly used by entertainment companies. But you need control of a machine with access to exploit it. Fortunately for you, there are more than a few gossip fanatics in the entertainment community. Since most of the companies you're targeting are based in Hollywood, you use SQL injection to strategically compromise the homepage of a few local gossip sites with malicious code that downloads on visitors' machines. To keep pesky reputation-based filters from finding your website infection, you set it up so that it will only interact with machines working within a block of IP addresses originating from Los Angeles.
Intel About the Enemy
"Advanced attackers are increasingly using strategic web compromises to infect their targets via drive-by-download: The goal is not large-scale malware distribution through mass compromises. Instead the attackers place their exploit code on websites that cater towards a particular set of visitors that they might be interested in."
--Shadowserver
Example 2: You've found some middle manager in accounting who's got access to systems that hold tons of saleable financial and customer data. You chum it up with him on Facebook, convincing him you met him at an accounting professional group conference. Through your friend status you find out his real passion isn't ledger books but photography. So, you task your hackers and coders to build a basic photography buff website with some hidden drive-by-download payloads. While he looks at tips on digital SLRs, your malicious payload silently loads in the background.
Example 3: You've gotten your hands on the organizational chart of a target company and read in a company blog about a strategic new hire of John Smith in the marketing department. You create a Gmail account under the name of the HR manager and use it to write an email that looks like HR blew it and gave everyone info on Smith's salary and benefits. They open the attachment, JohnSmithcompensation.xls, and bang, curiosity killed the network.
INTEL ABOUT THE ENEMY
88% of targeted malware remains undetected by traditional anti-virus.
In 76% of incident response investigations, a third party responsible for system support, development and/or maintenance of business environments introduced the security deficiencies.
Play 8: Think Sideways
One backdoor into a corporate network might be good, but more is always better. If you want to stay on a network for a long time, you've got to use that initial client-side pwnage to move sideways through the network. That way, if your first intrusion is detected and your malware package is eliminated from that machine, you'll still keep your hands on the steering wheel elsewhere.
The secret? You've got to propagate with diversity. You need to use completely different types of payloads on different systems because once one type is found out, odds are they're gonna scan the network looking for everything that looks like that sample. But if you control a bunch of endpoints with different types of malware, they'll probably never even know they're still compromised.
Play 9: Hide in Plain Sight
Stealth is the name of the game in these targeted attacks. Sometimes you just want to do the old smash-and-grab, where you want to get in and out of the network with as much loot as possible or with a very specific piece of information. But generally the most profitable way is to drain the database a little at a time for a LONG time.
Put some technical noise dampeners on your intrusions. You don't want to knock over any expensive vases while you digitally cat burgle the place, do you? Every movement should be planned to avoid setting off any alarms. As you drop tools on systems to aggregate data and control backdoors, here are some tips:
Avoid self-replicating malware
Hide malware in system folders and get them to look like common processes
Make use of webmail accounts to route SSL-encrypted command-and-control traffic to your backdoors
Use packer utilities to hide malicious binaries
If you can, store some malware components in the cloud
Intel About the Enemy
Because the endgame for any targeted attack is to steal data, it only makes sense to depend on data-centric security tools to frustrate adversaries. This can be accomplished by understanding the context of the data and detecting malicious network application traffic that is dragging the data out through application-aware, next generation firewalls. The use of encryption to hide attacks and theft of data is on the rise. Over 25 percent of all data exfiltrated by attackers is encrypted by cybercriminals. Also critical are encryption techniques that render data useless even if it is exfiltrated.
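The second tip in Play 9, hiding malware in system folders under a common process name, is exactly what a defender's process-inventory check can catch: for each well-known system binary, compare the image path and parent process against where that binary should live and what should have started it, and flag near-miss names (svch0st for svchost). The Python below is an added example for this page, not Trustwave's or any product's code; the listing format, the allowlist of expected directories and parents, and the sample inventory are all constructed for the example.

```python
# Expected on-disk directory and parent process for a few common Windows system binaries.
# Constructed minimal allowlist for this example; a real one is built from a known-good build.
EXPECTED_IMAGE_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "lsass.exe": {"wininit.exe"},
    "services.exe": {"wininit.exe"},
}

# Constructed process inventory, one process per line: pid,name,image_path,parent_name
SAMPLE_LISTING = r"""
612,services.exe,C:\Windows\System32\services.exe,wininit.exe
800,svchost.exe,C:\Windows\System32\svchost.exe,services.exe
2312,svchost.exe,C:\Users\Public\svchost.exe,explorer.exe
2410,lsass.exe,C:\Windows\System32\lsass.exe,wininit.exe
3120,svch0st.exe,C:\Windows\Temp\svch0st.exe,explorer.exe
"""


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike names such as svch0st.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_listing(text):
    """Turn the comma-separated inventory into dicts with lower-cased names and paths."""
    records = []
    for line in text.strip().splitlines():
        pid, name, path, parent = (field.strip() for field in line.split(","))
        records.append({"pid": int(pid), "name": name.lower(), "path": path.lower(), "parent": parent.lower()})
    return records


def find_masquerades(records):
    """Return (pid, name, reason) tuples for processes that do not look like what they claim to be."""
    findings = []
    for rec in records:
        name = rec["name"]
        if name in EXPECTED_IMAGE_DIRS:
            # A known name running from the wrong directory or under the wrong parent.
            image_dir = rec["path"].rsplit("\\", 1)[0]
            if image_dir not in EXPECTED_IMAGE_DIRS[name]:
                findings.append((rec["pid"], name, f"unexpected image path {rec['path']}"))
            if name in EXPECTED_PARENTS and rec["parent"] not in EXPECTED_PARENTS[name]:
                findings.append((rec["pid"], name, f"unexpected parent {rec['parent']}"))
        else:
            # An unknown name one edit away from a system binary is a classic disguise.
            for known in EXPECTED_IMAGE_DIRS:
                if edit_distance(name, known) == 1:
                    findings.append((rec["pid"], name, f"look-alike of {known}"))
    return findings


if __name__ == "__main__":
    for finding in find_masquerades(parse_listing(SAMPLE_LISTING)):
        print(finding)
```

On the constructed inventory the check reports the svchost.exe copy running from a user-writable folder under explorer.exe (two reasons) and the svch0st.exe look-alike in the Temp directory; the legitimate system processes produce no findings. The same three tests (image directory, parent, near-miss name) are what an EDR rule or a scheduled inventory job would apply fleet-wide.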
Play 10: Take Data Quietly
So maybe you're a l33t spearphisher, you're wicked good taking over a network and you've got a nose like a bloodhound for juicy data. It all amounts to nada if you can't get the data out of the network. Be patient! Quiet and slow exfiltration makes it easier to steal larger stores of information without setting off alarms that will shut you down midstream.
Lucky for you, most companies today don't set up their firewalls to block outbound traffic, so you have a lot of options. Public web traffic can prove to be one of the most efficient ways of slowly leaking data off the network. HTTPS traffic can have the added benefit of steering clear of data leak prevention tools by hiding data under a cloak of SSL.
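Against the slow-and-quiet HTTPS exfiltration described in Play 10, the egress log is the defender's view: even when the payload is encrypted, a proxy or firewall still records bytes out, bytes in, destination and time. The Python below is an added example for this page rather than code from the booklet. It aggregates a constructed day of proxy log lines per client/destination pair and flags pairs that keep sending across many hours with far more bytes leaving than arriving, the opposite of normal browsing. The log format, the host names (RFC 2606 example domains) and the thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy/egress log format (one request per line):
#   <ISO timestamp> <client ip> <destination host:port> <method> <bytes out> <bytes in>


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, client, dest, method, out_bytes, in_bytes = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "client": client, "dest": dest, "method": method,
        "out": int(out_bytes), "in": int(in_bytes),
    }


def find_slow_exfil(lines, min_hours=8, min_bytes_out=10_000_000, min_ratio=3.0):
    """Flag client/destination pairs whose traffic looks like a drip-feed upload:
    active in many distinct hours, a large cumulative upload, and far more bytes sent than received.
    Thresholds are assumed starting points to be tuned against a site's own baseline."""
    stats = defaultdict(lambda: {"out": 0, "in": 0, "hours": set()})
    for rec in map(parse_line, lines):
        s = stats[(rec["client"], rec["dest"])]
        s["out"] += rec["out"]
        s["in"] += rec["in"]
        s["hours"].add(rec["ts"].replace(minute=0, second=0))
    flagged = []
    for (client, dest), s in stats.items():
        ratio = s["out"] / max(s["in"], 1)
        if len(s["hours"]) >= min_hours and s["out"] >= min_bytes_out and ratio >= min_ratio:
            flagged.append({"client": client, "dest": dest, "bytes_out": s["out"],
                            "active_hours": len(s["hours"]), "out_in_ratio": round(ratio, 1)})
    return flagged


def build_sample_log():
    """Constructed day of traffic: ordinary browsing every hour plus 20 hourly 1.5 MB POSTs to one host."""
    start = datetime(2018, 5, 24)
    lines = []
    for hour in range(24):
        stamp = (start + timedelta(hours=hour, minutes=7)).strftime("%Y-%m-%dT%H:%M:%S")
        # Normal browsing: tiny request, large response.
        lines.append(f"{stamp} 10.1.2.33 news.example.com:443 GET 900 250000")
        if 1 <= hour <= 20:
            # Drip-feed upload: large request body, tiny acknowledgement, every hour.
            lines.append(f"{stamp} 10.1.2.33 sync.example.net:443 POST 1500000 400")
    return lines


if __name__ == "__main__":
    for hit in find_slow_exfil(build_sample_log()):
        print(hit)
```

The browsing pair never trips the rule (small uploads, low ratio), while the hourly POST stream is flagged on all three counts. The same per-destination aggregate is the input a team needs to move from "allow all outbound" to an egress allowlist, which is the control the play says most companies lack.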
SECURITY IS A PROCESS, NOT A PRODUCT
That's why, through an integrated, automated and agile approach, Trustwave delivers stronger security, continuous compliance and fewer headaches. Our broad portfolio of integrated technologies, compliance and risk services, and elite SpiderLabs research, testing and threat intelligence can help you to secure your business, centralize compliance, and gain the meaningful, actionable intelligence you need to make faster and proactive decisions. And our unique approach helps you to seamlessly achieve business continuity and compliance by swiftly implementing, monitoring, auditing and enforcing protection and control over your sensitive assets and data. Interested in how Trustwave can help? Visit www.trustwave.com.