Pen Tests Evolved


8/3/2019 Pen Tests Evolved

Pen Tests Evolved: The Advanced Threat Cycle

Dave Shackleford
Owner, Voodoo Security
CTO, IANS


Agenda

The advanced threat cycle, and what attack techniques and tools are seen most frequently

What most internal pen testing teams are doing today, and why it may not be adequate for today's threat landscape

How internal pen testing teams can switch up their normal testing regimens to better represent advanced threats to organizations

Tips for how to prevent and detect advanced malware as part of your assessment program


What's an APT?

The APT is:

A more methodical, professional attack conducted by well-organized and possibly well-funded attackers

The APT is NOT:

Just malware. Or any one attack.

We've settled on this term for anything even remotely sophisticated or targeted.

Is this a cop-out?

Are all of these breaches that sophisticated at all?


The APT: An Attack Cycle

Today's advanced threats are really an attack cycle:

Reconnaissance
Intrusion
Backdoors and persistence
Advancement
Privilege escalation
Data theft
Additional attacks
Maintenance

(Cycle diagram labels: Recon, Initial intrusion, Backdoors & malware, Advancement, Maintenance)


What are we seeing? (2009-2010)

The attacks are getting worse

More stealthy, more damaging, for longer-term compromises

April 2009: US electrical grid compromised by Chinese & Russian hackers

US Joint Strike Fighter Program compromised through contractor networks; data was encrypted

June 2010: Stuxnet discovered, affecting Siemens SCADA control systems


What are we seeing in 2011-2012?

RSA breach in March 2011: compromised token seed files via an initial vector of social engineering (email) + 0-day Flash exploit

Lockheed Martin compromised 2 months later with fake tokens

Possibly other victims too, including Northrop Grumman

Citigroup hacked in June 2011: 210,000 customer records exposed

And there's plenty of hacktivism targeting that's happening with LulzSec and Anonymous


Advanced Threat Techniques

The methods, techniques, and technology we see now, more than ever:

Social engineering, especially phishing
Use of 0-day exploits
HTTP and HTTPS C&C channels
Memory-resident payloads
Use of common document formats for delivery, such as PDF, DOC, XLS, etc.
Focus on client-side software exploits
Data-stealing code components


Yesterday & Today: One Example

Bot C&C Traffic in 2006: IRC

    input: 20051116.BOT.CTRL.NET.pcap
    ####T BOT.NET.EEE.12:2925 -> BOT.CTRL.215.148:153 [AP]
    PONG :sErVeR.BiTcHnEt.org..
    ##T BOT.NET.BBB.90:2241 -> BOT.CTRL.215.148:153 [AP]
    NICK [pullerindamouth]|92437..USER ezwic 0 0 :[pullerindamouth]|92437..
    ###T BOT.CTRL.215.148:153 -> BOT.NET.BBB.90:2275 [AP]
    ERROR :Closing Link: [BOT.NET.BBB.90] (Throttled: Reconnecting too fast) -Emailsysop@blabla for more information.)..
    ##T BOT.NET.BBB.90:2275 -> BOT.CTRL.215.148:153 [AP]
    NICK [pullerindamouth]|41050..USER hutvqa 0 0 :[pullerindamouth]|41050..
    #ownz [email protected] .ddos.syn VIC.NET.AAA.143 80 120
    --> #ownz :[DDoS]: Flooding: (VIC.NET.AAA.143:80) for 120 seconds.
    #ownz [7][pullerindamouth]|[email protected][DDoS]: Flooding: (VIC.NET.AAA.143:80) for 120 seconds.

Bot C&C Traffic Today: Encrypted UDP

(Screenshot labels: Downloading a file; Attack instructions; Confirmation from infected client)

Copied from: http://www.paloaltonetworks.com/researchcenter/2009/10/mariposa-tool/


Operation Aurora

A highly sophisticated malware penetration by Chinese hackers against major companies like Google and Adobe

Involved:

0-day browser exploit
Embedded shellcode
Flexible payload
Custom encrypted C&C traffic on port 443


Malware and Attack Examples

The Energizer Trojan

Bundled within a commercial piece of software!

But it LOOKED like a PDF!

Via email, Web browser, etc.!


The Energizer Trojan

Bundled with the Energizer USB Rechargeable Battery software

Opens a listening port that accepts commands

Was apparently there for several years before being discovered

No one is yet sure who put the backdoor into the software, or why it was placed there


Numerous Changes to System

File Arucer.dll is added to %Windir%\System32

Added to Registry Run key

Controls a backdoor Trojan application


Network Backdoor

Opens a backdoor listener on TCP port 7777

Accepts CLSID values to the port, XOR'd with 0xE5:

{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}: Trojan health check
{F6C43E1A-1551-4000-A483-C361969AEC41}: Send a file to attacker
{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}: Directory/file contents
{783EACBF-EF8B-498e-A059-F0B5BD12641E}
{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}: Drive information
{98D958FC-D0A2-4f1c-B841-232AB357E7C8}: Create a file on the system
{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}
{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}: Add a RunOnce Registry entry
{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}: Download a file to execute
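As an added example (not from the slides or from any published analysis of this Trojan), the following triage helper turns the slide's two facts, a single-byte XOR with 0xE5 and the CLSID command table, into a classifier for bytes captured on TCP port 7777, so an IDS or forensic analyst can label what a captured session asked the backdoor to do. The `wire_form` helper and the sample payload are constructed for the demo; the two CLSIDs the slide lists without a description are labelled as such.

```python
import re

XOR_KEY = 0xE5  # single-byte key stated on the slide

# Command CLSIDs as listed on the slide (uppercased for matching).
COMMANDS = {
    "{E2AC5089-3820-43FE-8A4D-A7028FAD8C28}": "Trojan health check",
    "{F6C43E1A-1551-4000-A483-C361969AEC41}": "Send a file to attacker",
    "{EA7A2EB7-1E49-4D5F-B4D8-D6645B7440E3}": "Directory/file contents",
    "{783EACBF-EF8B-498E-A059-F0B5BD12641E}": "(no description on the slide)",
    "{0174D2FC-7CB6-4A22-87C7-7BB72A32F19F}": "Drive information",
    "{98D958FC-D0A2-4F1C-B841-232AB357E7C8}": "Create a file on the system",
    "{4F4F0D88-E715-4B1F-B311-61E530C2C8FC}": "(no description on the slide)",
    "{384EBE2C-F9EA-4F6B-94EF-C9D2DA58FD13}": "Add a RunOnce Registry entry",
    "{8AF1C164-EBD6-4B2B-BC1F-64674E98A710}": "Download a file to execute",
}

CLSID_RE = re.compile(r"\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}")


def xor_decode(payload: bytes, key: int = XOR_KEY) -> bytes:
    """Undo the single-byte XOR; XOR with the same key is its own inverse."""
    return bytes(b ^ key for b in payload)


def wire_form(clsid: str) -> bytes:
    """Constructed test helper: the XOR'd form a capture on port 7777 would contain."""
    return xor_decode(clsid.encode("ascii"))


def classify(payload: bytes) -> list:
    """Return (clsid, description) for every CLSID-shaped value in a captured payload.

    Non-ASCII bytes after decoding are replaced rather than raising, so junk
    or partially captured data simply yields no matches.
    """
    decoded = xor_decode(payload).decode("ascii", errors="replace").upper()
    return [(m, COMMANDS.get(m, "unknown CLSID")) for m in CLSID_RE.findall(decoded)]


if __name__ == "__main__":
    # Constructed sample: one known command followed by padding bytes.
    sample = wire_form("{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}") + b"\x00" * 4
    for clsid, desc in classify(sample):
        print(clsid, "->", desc)
```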


But it LOOKED like a PDF

Many malware analysts estimate that ~50% or more of the latest Trojans are being disseminated as PDF files

These can be sent as email attachments, or accessed via browser


Registry changes and files

These things can be NASTY.

Before-and-after snapshots of Registry entries and the %windir%\System32 directory were taken with a tool called Regshot

Note this filename (screenshot)


A backdoor IRC channel

Opens a backdoor to an IRC server on TCP port 9899

Waits for commands, like most bot or Trojan-style malware


If not a PDF, what is it?

Here it is again (screenshot)


Pen Test Teams Today

Many teams today do the following:

Basic vulnerability scans, no pen testing!

Follow the classic cycle:

Scan
Exploit!
High-five
Repeat

Skip recon

FAIL TO EMULATE REAL THREATS!


Why Pen Test?

Find holes before attackers do!

Prove that security issues exist to skeptical management

Raise overall security awareness

Verify secure system configurations

Test new technology

Discover gaps in compliance posture and satisfy legal and/or governmental requirements such as HIPAA, SOX or GLBA


Perform Better Assessments

There are many ways to improve assessments and better represent advanced threats

The following are key considerations that should be planned upfront, before an assessment is started:

Scoping and rules of engagement
Following a methodology
Results, formatting, and tool output
Evidence of compromise and attack vectors
Repeatability
Prioritized and risk-focused remediation guidance


Scoping and Rules of Engagement

Establish what networks and apps are in scope

Determine reason(s) for assessment:

Compliance
General vulnerability understanding

Rules of engagement include time of tests, how to report vulnerabilities, keeping track of issues, etc.

For pen tests, have a goal:

Get to PII
Establish specific attack vectors
Compromise specific systems or apps
Bypass security / stealth attacks


Follow a Methodology

There are not many standards in use today for assessments and pen tests

Some exist, though:

OSSTMM
NIST guidelines

A newer standard is the Penetration Testing Execution Standard (PTES)

Incredibly detailed; may be overkill, but consider following it


Results, Tools, Output

Ensure the assessment report includes details specific to the risks you face and the business you are in

Don't be generic!

Interpret language from scanners, and don't just paste Nessus results into the report

Include tools used and output from tools, for technical teams to leverage in validation and remediation efforts

Usually best to include this as an appendix or separate report


Evidence of compromise & attack vectors

Demonstrate true compromise or vulnerabilities

Screenshots and planted flags work best

Ensure false positives are eliminated

Have testers confirm with IT teams before the report

A preliminary report may be a good idea for this reason


Repeatability

Listing the actual tools used, the process followed, and how things flowed during the assessment is key

This can follow the Recon, Scanning, Exploit cycle or some other format

This can also be used to validate logs, IDS events, etc.

Keep track of the process with a wiki or some other tracking tools during assessments


Prioritized and risk-focused remediation guidance

Define what is important to you in terms of risk:

Confidentiality for PII and other data?
Availability concerns with systems and apps?
Integrity with MitM and other attacks?

Build on this for the report

Ensure both attacks and successful exploits are framed in the context of priorities to your business

Any VA/PT should be focused on your actual risks, not just a scan or exploit to prove you're vulnerable


A Targeted Attack Example

Competitor wants to gain access to R&D documents

They decide to target the firm's engineers

Step 1: Recon
Step 2: Targeted Attack
Step 3: Gaining Access
Step 4: Command and Control
Step 5: Data Access/Exfiltration


Step 1: Recon

(Diagram labels: Twitter; Starbucks; Starbucks sniffing)

Captured:
Email address ([email protected])
Friend's email ([email protected])
Interests (www.techstuff.com)


Step 2: Targeted Attack

Hey look! An email from Engineer2. With a catalog attached!

Spoofed, of course

(Screenshot callout: "Most certainly clicking here")


Step 3: Gaining Access

The PDF gets clicked.

Code gets dropped.

The backdoor is opened.


Step 4: Command & Control

The attacker connects back to the listening port

A more likely scenario would be the other way around: an outbound shell ("shoveling shell") or a more robust bot/rootkit


Step 5: Adios to the Data

At this point, the attacker could do any number of things to get more sensitive data:

FTP/SFTP
SSH/SCP
Custom encrypted channels (Base64/UDP)


Prevention + Detection = Success

Just attacking stuff is not that useful

One of my most successful techniques as a pen tester is coming in AFTER the test and marrying the detection side of the house with what I did during the test.

This way, you can actually improve SECURITY PROCESS, not just infrastructure posture


Detection: Behavior

Host-level behavior:

Should the lsass process be communicating outbound on port 30204?

Should the notepad process be modifying the Registry?

Although difficult to detect, 0-day and stealthy attacks may be prevented by behavioral analysis and lockdown

Network behavioral monitoring is also highly recommended

Signature-based detection only goes so far; use NetFlow and other tools to detect unusual patterns and traffic
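An added example (not from the slides) of the host-level behavioral check the two questions above describe: a per-process baseline of expected outbound ports and expected autorun-key writers, applied to a stream of process events. The event format (`ts|host|kind|image|detail`), the baseline and the sample events are constructed for the demo; the lsass-to-30204 and notepad-to-Registry cases are the slide's own, and a svchost connection to port 7777 (the Energizer listener port from earlier slides) is included to show the port-mismatch path.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:
    ts: str
    host: str
    kind: str    # NET_CONNECT or REG_SET
    image: str   # process image name, lowercased
    detail: str  # "ip:port" for NET_CONNECT, registry path for REG_SET


# Constructed baseline: which processes may connect out (and on which ports),
# and which processes are expected to write Run/RunOnce keys.
NET_ALLOWED = {"chrome.exe": {80, 443}, "outlook.exe": {443, 993}, "svchost.exe": {80, 443}}
AUTORUN_WRITERS = {"msiexec.exe", "explorer.exe"}
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def parse(line: str) -> Event:
    ts, host, kind, image, detail = line.split("|", 4)
    return Event(ts, host, kind, image.lower(), detail)


def check(ev: Event) -> Optional[str]:
    """Return an alert for behaviour outside the baseline, or None if it fits."""
    if ev.kind == "NET_CONNECT":
        port = int(ev.detail.rsplit(":", 1)[1])
        allowed = NET_ALLOWED.get(ev.image)
        if allowed is None:
            return f"{ev.host}: {ev.image} is not expected to connect outbound ({ev.detail})"
        if port not in allowed:
            return f"{ev.host}: {ev.image} connected to unexpected port {port}"
    elif ev.kind == "REG_SET":
        if ev.image not in AUTORUN_WRITERS and any(k in ev.detail.lower() for k in AUTORUN_KEYS):
            return f"{ev.host}: {ev.image} wrote an autorun key ({ev.detail})"
    return None


def scan(lines: List[str]) -> List[str]:
    return [a for a in (check(parse(l)) for l in lines if l.strip()) if a]


SAMPLE = [  # constructed events
    "2011-06-01T10:00:01|ws17|NET_CONNECT|chrome.exe|198.51.100.7:443",
    "2011-06-01T10:00:02|ws17|NET_CONNECT|lsass.exe|203.0.113.9:30204",
    "2011-06-01T10:00:03|ws17|REG_SET|notepad.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
    "2011-06-01T10:00:04|ws17|REG_SET|msiexec.exe|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Acrobat",
    "2011-06-01T10:00:05|ws17|NET_CONNECT|svchost.exe|203.0.113.9:7777",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```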


Detection: Whitelisting & Host Security

Whitelisting is host-based software that maintains a local fingerprint of applications that are allowed based on policies

Policies tied to users, groups, systems, etc.

Everything not allowed by policy is denied.

This effectively brings a Default Deny policy to the host

Use anti-virus too, although its effectiveness is waning

Any HIDS/HIPS and memory monitoring is also very useful

May be bundled with A/V and other agents


Detection: Logs and Audit Trails

Log analysis can be a major benefit to any team looking for evidence of APTs:

DNS logs
Local user access and domain user access patterns
Outbound firewall logs
VPN & remote access logs
System & application logs

Ensure you have remote logging and log analysis technologies and capabilities in place


Reaction: Incident Response

Ensure you have an adequate plan! Everyone says they do. Have you tested it?

For adequate incident response, you need:

A designated team lead. One.
The ability to segregate a machine on the network quickly
Disk duplication and forensic analysis skills and tools
Memory analysis tools

Create customized pen test scenarios with client-side exploits and obfuscated PDF/DOC-embedded malware


Security Infrastructure Improvement

Yesterday's tools are not wholly adequate any longer for advanced attacks

Attackers are avoiding A/V left and right

Network traffic is outbound using HTTP/HTTPS

So, what can help?

New, next-generation firewalls
Whitelisting and more advanced host security
Virtualized platforms for rapid response
Malware sandbox analysis tools (FireEye, Norman, etc.)


Continuous Monitoring

Although this is a FISMA concept in the US government, it could and should apply to all organizations

Key controls to monitor regularly (via scripts) or continually (with an agent):

File integrity for key areas of the OS
Logs for failed access or unusual access patterns
Anti-virus or other host security alerts
Network behaviors and flow data
SIEM console, if available

Port scans and local tools like netstat and Process Explorer can help, too


Final Discussion & Questions

Thanks for attending!