White Hat Hacker Anatomy of an Attack€¦ · White Hat Hacker . P WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING The Attacker •David Anderson –Farm kid turned hacker

Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor. | ©2017 CliftonLarsonAllen LLP

Anatomy of an Attack

Minnesota Medical Group Management Association March 2018

White Hat Hacker

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP

WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING

The Attacker

• David Anderson

– Farm kid turned hacker

– Offensive Security Certified Professional

– Oversee and participate in: ◊ Penetration Testing

◊ Social Engineering

◊ Vulnerability Assessments

– Yes, I am older than 18

2

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


Outline

• Anatomy of an Attack

– Reconnaissance

– Remote Access

– Privileges, Pivoting, and Accessing Data

• Key Takeaways

– Mitigate these risks

3

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


Target

• Who am I after?

– Healthcare System

• Who to I target initially?

– Their billing company

• Why?

– Let’s find out

4

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP

5

Reconnaissance

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


Reconnaissance

• Technical

– Port and Service enumeration

– Shodan

– Web Applications

• Non-Technical (OSINT)

– Social Media

– Employees / Customers / Business Partners

– Public Resources (Court Records)

6

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


Service Enumeration

7

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


Shodan

8

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


Reconnaissance

9

• Why are we doing this?

– Find interesting/potential targets

– Does the company have a VPN system?

– Does the company have “juicy” websites? ◊ Outlook Web App / Web-based Email

◊ Sites that allow access to medical records

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


Reconnaissance

10

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


Reconnaissance

11

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


LinkedIn

12

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


LinkedIn

13

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


Court Records

14

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP

15

Remote Access

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


Delivery

• Social Engineering

– Phishing / Email spoofing

– Call spoofing

– In Person

16

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


Phishing Website

17

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


Phishing Website

18

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


Phishing Website

19

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


Poor Email Filtering

Connected to mail.XXXXXXX.com (38.9.X.X).

MAIL FROM: <[email protected]>

250 OK

RCPT TO: <[email protected]>

250 Accepted

DATA

354 Enter message, ending with "." on a line by itself

FROM: <[email protected]>

TO: <[email protected]>

Subject: Free Tesla Car

SMTP Envelope

SMTP Message

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


Delivery

• On the Phone

– It is easy to spoof caller ID

• [AUDIO]

21

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


Delivery

• In Person

– RFID clone

– Media drops

– Tailgating

22

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


Not this tailgating…

23

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


Delivery

• In Person

– RFID clone

– Media drops

– Tailgating

• [VIDEO]

24

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


Success!

25

Remote access to billing company!

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP

26

Privileges, Pivoting, and Accessing Data

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


Internal Network Recon

• Where am I?

• Who am I?

• What privileges do I have?

• Do I have local admin rights?

• Who is on the network?

• Who are the administrators?

27

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


One Big Happy Family

28

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


BloodHound

29

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


Internal Network Recon

• Default/easily guessable passwords – Winter2018

• Misconfiguration – Open file shares (no restrictions)

• Missing patches – WANNACRY

30

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


Capture the Flag

• Gain Admin Creds

• Asset Identification

• Asset Acquisition

31

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


Exfiltration

• Collect Data

• Package it up – Compress

– Encrypt

• Send it out

32

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP

33

How to Protect Yourself

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


Key Takeaways

• Understand what you publish online in the public

• Two-Factor Authentication – VPN, webmail, etc.

– Protect all external authentication that employees/vendors use

• Configure spam filter to block spoofing

• Understand remote connections to vendors – Restrict and monitor this access

34

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP


Key Takeaways

• Don’t give standard users administrative privileges to workstations/servers

• Restrict egress traffic – Don’t allow users to use file sharing services

• Monitor your systems – Everything supports logging, make sure you configure it

35

©2

01

7 C

lifto

nLa

rso

nA

llen

LLP

CLAconnect.com

Thank you!

David Anderson 612-397-3132

david.anderson @CLAconnect.com

Documents

White Hat Hacker Anatomy of an Attack€¦ · White Hat Hacker . P WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING The Attacker •David Anderson –Farm kid turned hacker