8/3/2019 Pen Tests Evolved
1/40
Pen Tests Evolved: The Advanced Threat Cycle
Dave Shackleford
Owner, Voodoo Security
CTO, IANS
Agenda
The advanced threat cycle, and what attack techniques and tools are seen most frequently
What most internal pen testing teams are doing today, and why it may not be adequate for today's threat landscape
How internal pen testing teams can switch up their normal testing regimens to better represent advanced threats to organizations
Tips for how to prevent and detect advanced malware as part of your assessment program
What's an APT?
The APT is
A more methodical, professional attack conducted by well-organized and possibly well-funded attackers
The APT is NOT
Just malware. Or any one attack.
We've settled on this term for anything even remotely sophisticated or targeted
Is this a cop out?
Are all of these breaches that sophisticated at all?
The APT: An Attack Cycle
Today's advanced threats are really an attack cycle:
Reconnaissance
Intrusion
Backdoors and persistence
Advancement
Privilege escalation
Data theft
Additional attacks
Maintenance
[Cycle diagram: Recon -> Initial intrusion -> Backdoors & malware -> Advancement -> Maintenance]
What are we seeing? (2009-2010)
The attacks are getting worse
More stealthy, more damaging, for longer term compromises
April 2009:
US Electrical Grid compromised by Chinese & Russian hackers
US Joint Strike Fighter Program compromised through contractor networks; data was encrypted
June 2010:
Stuxnet discovered, affecting Siemens SCADA control systems
What are we seeing in 2011-2012?
RSA Breach in March 2011: Compromised token seed files via initial vector of social engineering (email) + 0-day Flash exploit
Lockheed Martin compromised 2 months later with fake tokens
Possibly other victims too, including Northrop Grumman
Citigroup hacked in June 2011: 210,000 customer records exposed
And there's plenty of hacktivism targeting that's happening with Lulzsec and Anonymous
Advanced Threat Techniques
The methods, techniques, and technology we see now, more than ever:
Social engineering, especially phishing
Use of 0-day exploits
HTTP and HTTPS C&C channels
Memory-resident payloads
Use of common document formats for delivery, such as PDF, DOC, XLS, etc.
Focus on client-side software exploits
Data stealing code components
Yesterday & Today: One Example
Bot C&C Traffic in 2006: IRC
input: 20051116.BOT.CTRL.NET.pcap
####
T BOT.NET.EEE.12:2925 -> BOT.CTRL.215.148:153 [AP]
PONG :sErVeR.BiTcHnEt.org..
##
T BOT.NET.BBB.90:2241 -> BOT.CTRL.215.148:153 [AP]
NICK [pullerindamouth]|92437..USER ezwic 0 0 :[pullerindamouth]|92437..
###
T BOT.CTRL.215.148:153 -> BOT.NET.BBB.90:2275 [AP]
ERROR :Closing Link: [BOT.NET.BBB.90] (Throttled: Reconnecting too fast) -Emailsysop@blabla for more information.)..
##
T BOT.NET.BBB.90:2275 -> BOT.CTRL.215.148:153 [AP]
NICK [pullerindamouth]|41050..USER hutvqa 0 0 :[pullerindamouth]|41050..
#ownz [email protected] .ddos.syn VIC.NET.AAA.143 80 120
--> #ownz :[DDoS]: Flooding: (VIC.NET.AAA.143:80) for 120 seconds.
--> #ownz :[DDoS]: Flooding: (VIC.NET.AAA.143:80) for 120 seconds.
#ownz [email protected] .ddos.syn VIC.NET.AAA.143 80 120
#ownz [7][pullerindamouth]|[email protected] [DDoS]: Flooding: (VIC.NET.AAA.143:80) for 120 seconds.
Bot C&C Traffic Today: Encrypted UDP
Downloading a file
Attack instructions
Confirmation from infected client
Copied from: http://www.paloaltonetworks.com/researchcenter/2009/10/mariposa-tool/
Operation Aurora
A highly sophisticated malware penetration by Chinese hackers against major companies like Google and Adobe
Involved:
0-day browser exploit
Embedded shellcode
Flexible payload
Custom encrypted C&C traffic on port 443
Malware and Attack Examples
The Energizer Trojan
Bundled within a commercial piece of software!
But it LOOKED like a PDF!
Via email, Web browser, etc!
The Energizer Trojan
Bundled with the Energizer USB Rechargeable Battery software
Opens a listening port that accepts commands
Was apparently there for several years before being discovered
No one is yet sure who put the backdoor into the software, or why it was placed there
Numerous Changes to System
File Arucer.dll is added to %Windir%\System32
Added to Registry Run key
Controls a backdoor Trojan application
Network Backdoor
Opens a backdoor listener on TCP port 7777
Accepts CLSID values to the port, XOR'd with 0xE5
{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}: Trojan Health Check
{F6C43E1A-1551-4000-A483-C361969AEC41}: Send a file to attacker
{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}: Directory/file contents
{783EACBF-EF8B-498e-A059-F0B5BD12641E}
{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}: Drive information
{98D958FC-D0A2-4f1c-B841-232AB357E7C8}: Create a file on the system
{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}
{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}: Add a RunOnce Registry entry
{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}: Download a file to execute
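The slide gives a defender everything needed to recognize this backdoor's command traffic: a fixed port, a single-byte XOR key, and the command CLSIDs. The following is an added example, not part of the deck or of any published Energizer analysis, showing how an analyst could decode a captured payload and label the commands. The XOR key, port and CLSID table come from the slide; the two CLSIDs the slide lists without a description are marked as such. The sample payload is constructed here for the demonstration.

```python
import re

# Command CLSIDs as listed on the slide. Two appear there without a
# description and are labelled accordingly (nothing is assumed for them).
ENERGIZER_COMMANDS = {
    "{E2AC5089-3820-43FE-8A4D-A7028FAD8C28}": "Trojan Health Check",
    "{F6C43E1A-1551-4000-A483-C361969AEC41}": "Send a file to attacker",
    "{EA7A2EB7-1E49-4D5F-B4D8-D6645B7440E3}": "Directory/file contents",
    "{783EACBF-EF8B-498E-A059-F0B5BD12641E}": "(no description on the slide)",
    "{0174D2FC-7CB6-4A22-87C7-7BB72A32F19F}": "Drive information",
    "{98D958FC-D0A2-4F1C-B841-232AB357E7C8}": "Create a file on the system",
    "{4F4F0D88-E715-4B1F-B311-61E530C2C8FC}": "(no description on the slide)",
    "{384EBE2C-F9EA-4F6B-94EF-C9D2DA58FD13}": "Add a RunOnce Registry entry",
    "{8AF1C164-EBD6-4B2B-BC1F-64674E98A710}": "Download a file to execute",
}

XOR_KEY = 0xE5        # single-byte key named on the slide
BACKDOOR_PORT = 7777  # listener port named on the slide

# Matches the textual {8-4-4-4-12} CLSID form once the payload is decoded.
CLSID_RE = re.compile(rb"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")


def xor_e5(data: bytes) -> bytes:
    """Single-byte XOR with 0xE5; XOR is its own inverse, so this both
    encodes and decodes."""
    return bytes(b ^ XOR_KEY for b in data)


def find_commands(payload: bytes) -> list[tuple[str, str]]:
    """Decode a captured TCP payload and return every CLSID-shaped token in it
    as (clsid, description). Unknown CLSIDs are still reported so that an
    analyst sees commands the slide does not document."""
    decoded = xor_e5(payload)
    hits = []
    for match in CLSID_RE.finditer(decoded):
        clsid = match.group(0).decode("ascii").upper()
        hits.append((clsid, ENERGIZER_COMMANDS.get(clsid, "unknown CLSID-shaped command")))
    return hits


def inspect_connection(dport: int, payload: bytes) -> list[str]:
    """Alert lines for one inbound connection: the port alone is worth a
    look, and decoded commands make the alert actionable."""
    alerts = []
    if dport == BACKDOOR_PORT:
        alerts.append(f"inbound connection on TCP/{BACKDOOR_PORT} (Energizer backdoor port)")
    for clsid, description in find_commands(payload):
        alerts.append(f"decoded command {clsid}: {description}")
    return alerts


# Constructed sample: a health check followed by a download-and-execute
# request, XOR-encoded the way the slide describes.
SAMPLE_PAYLOAD = xor_e5(
    b"{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}"
    b"{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}"
)

if __name__ == "__main__":
    for line in inspect_connection(7777, SAMPLE_PAYLOAD):
        print(line)
```

Because the key is a single byte, the encoded stream still has the fixed shape of a CLSID (same length, same positions for the `-` and brace bytes), which is also why a signature on the encoded form of `{` and `-` (0x9E and 0xC8) works as a network IDS rule even without decoding.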
But it LOOKED like a PDF
Many malware analysts estimate that ~50% or more of the latest Trojans are being disseminated as PDF files
These can be sent as email attachments, or accessed via browser
Registry changes and files
These things can be NASTY.
A Before and After snapshot of Registry entries and the %windir%\System32 directory were taken with a tool called Regshot
Note this filename
A backdoor IRC channel
Opens a backdoor to an IRC server on TCP port 9899
Waits for commands like most bot or Trojan-style malware
If not a PDF... what is it?
Here it is again
Pen Test Teams Today
Many teams today do the following:
Basic vulnerability scans, no pen testing!
Follow the classic cycle:
Scan
Exploit!
High-five
Repeat
Skip Recon
FAIL TO EMULATE REAL THREATS!
Why Pen Test?
Find holes before attackers do!
Prove that security issues exist to skeptical management
Raise overall security awareness
Verify secure system configurations
Test new technology
Discover gaps in compliance posture and satisfy legal and/or governmental requirements such as HIPAA, SOX or GLBA.
Perform Better Assessments
There are many ways to improve assessments and better represent advanced threats
The following are key considerations that should be planned upfront before an assessment is started:
Scoping and rules of engagement
Following a methodology
Results, formatting, and tool output
Evidence of compromise and attack vectors
Repeatability
Prioritized and risk-focused remediation guidance
Scoping and Rules of Engagement
Establish what networks and apps are in scope
Determine reason(s) for assessment
Compliance
General vulnerability understanding
Rules of engagement include time of tests, how to report vulnerabilities, keeping track of issues, etc.
For pen tests, have a goal:
Get to PII
Establish specific attack vectors
Compromise specific systems or apps
Bypass security / stealth attacks
Follow a Methodology
There are not many standards in use today for assessments and pen tests
Some exist, though:
OSSTMM
NIST guidelines
A newer standard is the Penetration Testing Execution Standard (PTES)
Incredibly detailed (may be overkill), but consider following it
Results, Tools, Output
Ensure the assessment report includes details specific to the risks you face and business you are in
Don't be generic!
Interpret language from scanners and don't just paste Nessus results into the report
Include tools used and output from tools for technical teams to leverage in validation and remediation efforts
Usually best to include this as an Appendix or separate report
Evidence of compromise & attack vectors
Demonstrate true compromise or vulnerabilities
Screen shots, planted flags work best
Ensure false positives are eliminated
Have testers confirm with IT teams before report
A prelim report may be a good idea for this reason
Repeatability
Listing the actual tools used, the process followed, and how things flowed during the assessment is key
This can follow the Recon -> Scanning -> Exploit cycle or some other format
This can also be used to validate logs, IDS events, etc.
Keep track of process with a Wiki or some other tracking tools during assessments
Prioritized and risk-focused remediation guidance
Define what is important to you in terms of risk
Confidentiality for PII and other data?
Availability concerns with systems and apps?
Integrity with MitM and other attacks?
Build on this for the report
Ensure both attacks and successful exploits are framed in the context of priorities to your business
Any VA/PT should be focused on your actual risks, not just a scan or exploit to prove you're vulnerable
A Targeted Attack Example
Competitor wants to gain access to R&D documents
They decide to target the firm's engineers
Step 1: Recon
Step 2: Targeted Attack
Step 3: Gaining Access
Step 4: Command and Control
Step 5: Data Access/Exfiltration
Step 1: Recon
Twitter -> Starbucks -> Starbucks Sniffing
Captured:
Email address ([email protected])
Friend's email ([email protected])
Interests (www.techstuff.com)
Step 2: Targeted Attack
Hey look! An email from Engineer2. With a catalog attached!
Spoofed, of course
[Callout on the screenshot: Most certainly clicking here]
Step 3: Gaining Access
The PDF gets clicked.
Code gets dropped.
The backdoor is opened.
Step 4: Command & Control
The attacker connects back to the listening port
A more likely scenario would be the other way around: an outbound shell ("shoveling shell") or a more robust bot/rootkit
Step 5: Adios to the Data
At this point, the attacker could do any number of things to get more sensitive data
FTP/SFTP
SSH/SCP
Custom encrypted channels (Base64/UDP)
Prevention + Detection = Success
Just attacking stuff is not that useful
One of my most successful techniques as a pen tester is coming in AFTER the test
And marrying the detection side of the house with what I did during the test.
This way, you can actually improve SECURITY PROCESS, not just infrastructure posture
Detection: Behavior
Host level behavior:
Should the lsass process be communicating outbound on port 30204?
Should the notepad process be modifying the Registry?
Although difficult to detect, 0-day and stealthy attacks may be prevented by behavioral analysis and lockdown
Network behavioral monitoring is also highly recommended
Signature-based only goes so far; use Netflow and other tools to detect unusual patterns and traffic
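The two questions on this slide (lsass talking outbound on an odd port, notepad touching the Registry) are really a per-process baseline: which outbound ports and which Registry locations each process is expected to use. The following is an added example, not from the deck, of that baseline logic run over a few constructed telemetry lines. The `process kind detail` line format, the process names, and the allowed ports and key prefixes in `BASELINE` are all assumptions made for the example; a real baseline would be derived from an EDR or Sysmon export of known-good hosts.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str     # "net_out" (outbound connection) or "reg_write" (Registry modification)
    process: str  # image name, lower-cased
    detail: str   # destination port for net_out, Registry key path for reg_write


# Constructed, illustrative baseline: what each process is expected to do.
# Anything not listed is treated as outside the baseline. lsass.exe talking to
# domain controllers on Kerberos/LDAP/SMB ports is normal; port 30204 is not.
BASELINE = {
    "lsass.exe": {
        "net_out": {"88", "389", "445", "636"},
        "reg_write": {"HKLM\\SECURITY", "HKLM\\SAM"},
    },
    "notepad.exe": {"net_out": set(), "reg_write": set()},
    "chrome.exe": {
        "net_out": {"80", "443"},
        "reg_write": {"HKCU\\Software\\Google"},
    },
}


def is_anomalous(event: Event) -> bool:
    """True when the event falls outside the process's baseline. A process
    with no baseline at all is flagged so that it gets reviewed."""
    profile = BASELINE.get(event.process)
    if profile is None:
        return True
    allowed = profile.get(event.kind, set())
    if event.kind == "reg_write":
        # Registry policy is a set of allowed key prefixes, compared case-insensitively.
        return not any(event.detail.upper().startswith(prefix.upper()) for prefix in allowed)
    return event.detail not in allowed


def parse_line(line: str) -> Event:
    """Parse one constructed telemetry line: '<process> <kind> <detail>'."""
    process, kind, detail = line.split(maxsplit=2)
    return Event(kind=kind, process=process.lower(), detail=detail.strip())


def evaluate(lines) -> list[str]:
    """Run every line against the baseline and return alert strings."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        if is_anomalous(event):
            alerts.append(f"ALERT {event.process} {event.kind} {event.detail}: outside baseline")
    return alerts


# Constructed sample telemetry mirroring the slide's two questions, plus
# benign lines and one process that has no baseline yet.
SAMPLE_TELEMETRY = [
    "lsass.exe net_out 30204",
    "notepad.exe reg_write HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "chrome.exe net_out 443",
    "lsass.exe net_out 389",
    "updater.exe net_out 443",
]


def run_sample() -> list[str]:
    return evaluate(SAMPLE_TELEMETRY)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The point of the unknown-process rule is that a baseline is only useful when it is closed: a process nobody has profiled should surface as a review item rather than silently pass, which is the same "default deny" idea the whitelisting slide applies to execution.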
Detection: Whitelisting & Host Security
Whitelisting is host-based software that maintains a local fingerprint of applications that are allowed based on policies
Policies tied to users, groups, systems, etc.
Everything not allowed by policy is denied.
This effectively brings a Default Deny policy to the host
Use anti-virus too, although its effectiveness is waning
Any HIDS/HIPS and memory monitoring is also very useful
May be bundled with A/V and other agents
Detection: Logs and Audit Trails
Log analysis can be a major benefit to any team looking for evidence of APTs
DNS logs
Local user access and domain user access patterns
Outbound firewall logs
VPN & remote access logs
System & application logs
Ensure you have remote logging and log analysis technologies and capabilities in place
Reaction: Incident Response
Ensure you have an adequate plan! Everyone says they do. Have you tested it?
For adequate incident response, you need:
A designated team lead. One.
The ability to segregate a machine on the network quickly
Disk duplication and forensic analysis skills and tools
Memory analysis tools
Create customized pen test scenarios with client-side exploits and obfuscated PDF/DOC-embedded malware
Security Infrastructure Improvement
Yesterday's tools are not wholly adequate any longer for advanced attacks
Attackers are avoiding A/V left and right
Network traffic is outbound using HTTP/HTTPS
So, what can help?
New, next generation firewalls
Whitelisting and more advanced host security
Virtualized platforms for rapid response
Malware sandbox analysis tools (FireEye, Norman, etc.)
Continuous Monitoring
Although this is a FISMA concept in the US government, it could and should apply to all organizations
Key controls to monitor regularly (via scripts) or continually (with an agent):
File integrity for key areas of the OS
Logs for failed access or unusual access patterns
Anti-virus or other host security alerts
Network behaviors and flow data
SIEM console, if available
Port scans and local tools like netstat and Process Explorer can help, too
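"File integrity for key areas of the OS" on this slide, and the Regshot before/after snapshot used earlier to spot the dropped Arucer.dll, are the same technique: hash everything in a directory, keep the snapshot, and diff a later one against it. The following added example (not from the deck, and not Regshot) implements that script-driven check. The directory layout, file contents and the idea of a stand-in `System32` folder under a temporary directory are constructed for the demonstration; only the Arucer.dll filename comes from the slides.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict[str, str]:
    """Map every file under root (path relative to root, '/'-separated) to its
    SHA-256 digest. Reading in chunks keeps memory flat on large directories."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = str(full.relative_to(root)).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            result[rel] = digest.hexdigest()
    return result


def diff(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Compare two snapshots the way a Regshot-style report does:
    files that appeared, files that vanished, files whose hash changed."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Constructed before/after run in a temporary stand-in for
    %windir%\\System32: a backdoor install drops Arucer.dll (the filename
    from the slides) and tampers with an existing file between snapshots."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "System32"
        (sys32 / "drivers").mkdir(parents=True)
        (sys32 / "kernel32.dll").write_bytes(b"baseline content")          # constructed
        (sys32 / "drivers" / "tcpip.sys").write_bytes(b"driver content")   # constructed
        before = snapshot(str(sys32))

        # Changes made between the two snapshots (constructed for the example).
        (sys32 / "Arucer.dll").write_bytes(b"dropped file")
        (sys32 / "kernel32.dll").write_bytes(b"tampered content")

        after = snapshot(str(sys32))
        return diff(before, after)


if __name__ == "__main__":
    for category, paths in demo().items():
        for path in paths:
            print(f"{category}: {path}")
```

Run as a script it prints `added: Arucer.dll` and `modified: kernel32.dll`. For the "regularly via scripts" mode on the slide, the baseline snapshot should be stored somewhere the monitored host cannot rewrite (a central log host or a signed file), otherwise an attacker who can drop Arucer.dll can also update the baseline; the same `diff` applies unchanged to a Registry export (key path to value hash) for the Run-key change the Energizer slides describe.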
Final Discussion & Questions
Thanks for attending!