Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor. | ©2017 CliftonLarsonAllen LLP
Anatomy of an Attack
Minnesota Medical Group Management Association March 2018
White Hat Hacker
WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING
The Attacker
• David Anderson
– Farm kid turned hacker
– Offensive Security Certified Professional
– Oversee and participate in:
◊ Penetration Testing
◊ Social Engineering
◊ Vulnerability Assessments
– Yes, I am older than 18
Outline
• Anatomy of an Attack
– Reconnaissance
– Remote Access
– Privileges, Pivoting, and Accessing Data
• Key Takeaways
– Mitigate these risks
Target
• Who am I after?
– Healthcare System
• Who do I target initially?
– Their billing company
• Why?
– Let’s find out
Reconnaissance
Reconnaissance
• Technical
– Port and Service enumeration
– Shodan
– Web Applications
• Non-Technical (OSINT)
– Social Media
– Employees / Customers / Business Partners
– Public Resources (Court Records)
Service Enumeration
Shodan
Reconnaissance
• Why are we doing this?
– Find interesting/potential targets
– Does the company have a VPN system?
– Does the company have “juicy” websites?
◊ Outlook Web App / Web-based Email
◊ Sites that allow access to medical records
Reconnaissance
Reconnaissance
Court Records
Remote Access
Delivery
• Social Engineering
– Phishing / Email spoofing
– Call spoofing
– In Person
Phishing Website
Phishing Website
Phishing Website
Poor Email Filtering
SMTP Envelope:
Connected to mail.XXXXXXX.com (38.9.X.X).
MAIL FROM: <[email protected]>
250 OK
RCPT TO: <[email protected]>
250 Accepted
SMTP Message:
DATA
354 Enter message, ending with "." on a line by itself
FROM: <[email protected]>
TO: <[email protected]>
Subject: Free Tesla Car
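The session above shows why a filter that only looks at the message header is not enough: the envelope sender (MAIL FROM) and the header From: can name different domains, and the one the user sees is the forged one. The following is an added example, not code from the slide deck or from CLA. It parses a transcript shaped like the slide's session and applies the alignment check a mail gateway should make on inbound mail (in production this is what SPF and DMARC alignment encode). All domains and addresses are constructed placeholders.

```python
"""Flag a spoofed internal sender in an SMTP session transcript.

Added example; it is not code from the slide deck or from CLA. It parses a
transcript shaped like the slide's "Poor Email Filtering" session and applies
the alignment check a mail gateway should perform on inbound mail: a message
whose header From: claims the organization's own domain while the envelope
sender (MAIL FROM) is external, or whose envelope and header sender domains
disagree, is a spoofing candidate. All domains and addresses are constructed
placeholders.
"""
import re

# Constructed transcript in the shape of the slide's session.
SAMPLE_SESSION = """\
Connected to mail.example-clinic.com (192.0.2.10).
MAIL FROM: <prizes@attacker.example>
250 OK
RCPT TO: <nurse@example-clinic.com>
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
FROM: <ceo@example-clinic.com>
TO: <nurse@example-clinic.com>
Subject: Free Tesla Car
"""

ANGLE_ADDR = re.compile(r"<([^<>]+)>")


def _address(text):
    """Extract the address from 'MAIL FROM: <a@b>' or a header value; lower-cased."""
    m = ANGLE_ADDR.search(text)
    if m:
        return m.group(1).strip().lower()
    return text.split(":", 1)[-1].strip().lower()


def _domain(addr):
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def parse_session(transcript):
    """Split an SMTP transcript into envelope commands and message headers.

    Envelope = MAIL FROM / RCPT TO before DATA; headers = lines after DATA,
    with server replies (3-digit codes) skipped. Header names are lower-cased.
    """
    envelope, headers = {"rcpt_to": []}, {}
    in_data = False
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line:
            continue
        upper = line.upper()
        if not in_data:
            if upper.startswith("MAIL FROM:"):
                envelope["mail_from"] = _address(line)
            elif upper.startswith("RCPT TO:"):
                envelope["rcpt_to"].append(_address(line))
            elif upper == "DATA":
                in_data = True
        elif not re.match(r"^\d{3} ", line):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return {"envelope": envelope, "headers": headers}


def spoof_findings(session, internal_domains):
    """Return the reasons a parsed session looks spoofed; an empty list means aligned.

    internal_domains: the set of domains the organization itself sends from.
    """
    env_domain = _domain(session["envelope"].get("mail_from", ""))
    hdr_domain = _domain(_address(session["headers"].get("from", "")))
    findings = []
    if hdr_domain in internal_domains and env_domain not in internal_domains:
        findings.append("header From claims an internal domain but the envelope sender is external")
    if env_domain != hdr_domain:
        findings.append("envelope MAIL FROM domain differs from header From domain")
    return findings


if __name__ == "__main__":
    parsed = parse_session(SAMPLE_SESSION)
    for reason in spoof_findings(parsed, {"example-clinic.com"}):
        print("REJECT:", reason)
```

Run as-is it reports both findings for the constructed session; with the envelope sender changed to an internal address the list is empty. The first rule is the important one for a clinic: mail arriving from outside that claims to be from your own domain should be rejected at the gateway, which is the "configure spam filter to block spoofing" takeaway later in the deck.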
Delivery
• On the Phone
– It is easy to spoof caller ID
• [AUDIO]
Delivery
• In Person
– RFID clone
– Media drops
– Tailgating
Not this tailgating…
Delivery
• In Person
– RFID clone
– Media drops
– Tailgating
• [VIDEO]
Success!
Remote access to billing company!
Privileges, Pivoting, and Accessing Data
Internal Network Recon
• Where am I?
• Who am I?
• What privileges do I have?
• Do I have local admin rights?
• Who is on the network?
• Who are the administrators?
One Big Happy Family
BloodHound
Internal Network Recon
• Default/easily guessable passwords – Winter2018
• Misconfiguration – Open file shares (no restrictions)
• Missing patches – WannaCry
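"Winter2018" satisfies most complexity rules (upper case, lower case, digits, length) and is still the first guess on any internal network. The following is an added example, not code from the slide deck or from CLA: a password-change filter that rejects that shape, a season, month, common word or the organization's own name (optionally in leetspeak) followed by a year and trailing symbols. The organization names in ORG_WORDS are constructed placeholders.

```python
"""Catch the "Winter2018" class of guessable passwords at password-change time.

Added example; not code from the slide deck or from CLA. The slide lists
default/easily guessable passwords such as Winter2018 as an internal-network
finding. This filter rejects the shape behind that finding: a season, month,
common word or the organization's own name, optionally in leetspeak, followed
by a two- or four-digit year and trailing symbols, which passes most
complexity rules. The organization names in ORG_WORDS are constructed
placeholders; a real deployment would load the site's own names.
"""
import re

SEASONS = {"winter", "spring", "summer", "fall", "autumn"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "changeme"}
# Constructed placeholder list of the organization's names and abbreviations.
ORG_WORDS = {"exampleclinic", "examplebilling", "clinic"}

# Trailing symbols users append to satisfy complexity rules; they add no
# guessing resistance, so they are stripped before the word is examined.
TRAILING_SYMBOLS = "!@#$%^&*.?_-"
# Common substitutions undone before dictionary comparison.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s", "@": "a"})
# Shortest possible word followed by an optional 4-digit (19xx/20xx) or 2-digit year.
WORD_YEAR = re.compile(r"^(?P<word>.+?)(?P<year>(?:19|20)\d{2}|\d{2})?$")


def classify(password, org_words=ORG_WORDS):
    """Return the reason a password is guessable, or None if it passes this check."""
    core = password.lower().rstrip(TRAILING_SYMBOLS)
    m = WORD_YEAR.match(core)
    if not m:
        return None
    word = m.group("word").translate(LEET)
    year = m.group("year")
    if word in SEASONS or word in MONTHS:
        return "season/month + year" if year else "season/month word"
    if word in org_words:
        return "organization name + year" if year else "organization name"
    if word in COMMON_WORDS:
        return "common password"
    return None


if __name__ == "__main__":
    for candidate in ["Winter2018", "W1nter2018!", "ExampleClinic2018", "P@ssw0rd",
                      "correct-horse-battery-staple"]:
        print(f"{candidate:32} -> {classify(candidate) or 'ok'}")
```

This is a pattern check, not a replacement for a breached-password list or length requirements; it is the cheap filter that removes the guesses an attacker with a foothold tries first.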
Capture the Flag
• Gain Admin Creds
• Asset Identification
• Asset Acquisition
Exfiltration
• Collect Data
• Package it up
– Compress
– Encrypt
• Send it out
How to Protect Yourself
Key Takeaways
• Understand what you publish online in the public
• Two-Factor Authentication
– VPN, webmail, etc.
– Protect all external authentication that employees/vendors use
• Configure spam filter to block spoofing
• Understand remote connections to vendors
– Restrict and monitor this access
Key Takeaways
• Don’t give standard users administrative privileges to workstations/servers
• Restrict egress traffic
– Don’t allow users to use file sharing services
• Monitor your systems
– Everything supports logging, make sure you configure it
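The egress and monitoring takeaways here, together with the Exfiltration slide (collect, compress, encrypt, send it out), describe what a defender should be looking for at the web proxy. The following is an added example, not code from the slide deck or from CLA: a detector that runs over proxy log lines and alerts on uploads to file-sharing hosts the policy says to block and on any client whose outbound byte count in the window is exfiltration-sized. The log format, addresses, hosts and deny-list are constructed.

```python
"""Spot exfiltration-shaped egress in web-proxy logs.

Added example; not code from the slide deck or from CLA. It runs the
detection behind two takeaways on this slide, "restrict egress traffic /
don't allow file sharing services" and "monitor your systems", over proxy log
lines: it alerts on uploads (POST/PUT) to deny-listed file-sharing hosts and
on any client whose bytes sent in the window exceed a threshold, which is how
the compressed, encrypted archive from the Exfiltration slide looks at the
gateway. The log format, hosts, addresses and deny-list are constructed.
"""
from collections import defaultdict

# Constructed log lines: timestamp client method host bytes_sent bytes_received
SAMPLE_LOG = """\
2018-03-01T09:12:01 10.1.5.23 GET www.example-ehr.com 512 88211
2018-03-01T09:15:44 10.1.5.23 POST upload.fileshare.example 157286400 612
2018-03-01T09:16:02 10.1.5.40 GET cdn.example.org 331 45100
not a valid log line
2018-03-01T09:20:13 10.1.5.23 PUT storage.cloudbox.example 94371840 300
2018-03-01T09:21:50 10.1.5.77 POST mail.example-clinic.com 20480 1200
"""

# Constructed deny-list; in practice this is the proxy's file-sharing category.
FILE_SHARING_HOSTS = {"upload.fileshare.example", "storage.cloudbox.example"}
UPLOAD_METHODS = {"POST", "PUT"}
BYTES_SENT_THRESHOLD = 50 * 1024 * 1024  # 50 MiB per client per window


def parse_log(text):
    """Parse the constructed 6-field format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not (parts[4].isdigit() and parts[5].isdigit()):
            continue
        ts, client, method, host, sent, recv = parts
        records.append({"ts": ts, "client": client, "method": method.upper(),
                        "host": host.lower(), "sent": int(sent), "recv": int(recv)})
    return records


def detect(records, deny_hosts=FILE_SHARING_HOSTS, threshold=BYTES_SENT_THRESHOLD):
    """Return alert tuples (rule, client, host, bytes) for the two egress rules."""
    alerts = []
    sent_per_client = defaultdict(int)
    for r in records:
        sent_per_client[r["client"]] += r["sent"]
        # Rule 1: any upload to a file-sharing service the policy says to block.
        if r["host"] in deny_hosts and r["method"] in UPLOAD_METHODS:
            alerts.append(("file_sharing_upload", r["client"], r["host"], r["sent"]))
    # Rule 2: aggregate outbound volume per client, independent of destination,
    # so an encrypted archive sent to an unlisted host is still noticed.
    for client, total in sorted(sent_per_client.items()):
        if total > threshold:
            alerts.append(("egress_volume", client, None, total))
    return alerts


if __name__ == "__main__":
    for rule, client, host, nbytes in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule:20} {client:12} {host or '-':32} {nbytes} bytes")
```

Rule 1 is what the proxy should already be enforcing as a block; running it over the logs confirms the block is in place and catches category gaps. Rule 2 is the monitoring half: once the archive is encrypted the content is opaque, so volume per client per window is the signal that survives.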
CLAconnect.com
Thank you!
David Anderson 612-397-3132
david.anderson@CLAconnect.com