
How i'm going to own your organization v2


DerbyCon 2013 How i'm going to own your organization


Page 1: How i'm going to own your organization v2

“How I'm going to own your organization in just a few days”

The Malware obfuscation attack

Introduction to the Cyber Kill Chain™

@RazorEQX

http://404hack.blogspot.com

Page 2: How i'm going to own your organization v2
Page 3: How i'm going to own your organization v2

Safety TIP

Page 4: How i'm going to own your organization v2

@RazorEQX

• Army 1985-89

• Cracker

• Starving Nurse

• Gamer turned Networker

• Network Guy

• Firewall Guy

• Hacker

• Malware Reverse Engineer

Page 5: How i'm going to own your organization v2
Page 6: How i'm going to own your organization v2

USER: This is very bad file

Page 7: How i'm going to own your organization v2

Access to Facebook via the settings bar:

    http://www.facebook.com/abe2869f-9b47-4cd9-a358-c22904dba7f7

Settings

aPLib compressor's trace:

    aPLib v1.01 - the smaller the better :)
    Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.
    More information: http://www.ibsensoftware.com/

Pony gates:

    http://webmail.alsultantravel.com:8080/ponyb/gate.php
    hxxp://alsultantravel.com:8080/ponyb/gate.php
    hxxp://webmail.alsultantravel.info:8080/ponyb/gate.php
    hxxp://198.57.130.35:8080/ponyb/gate.php

Manifest:

    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
      <assemblyIdentity version="5.1.0.0" processorArchitecture="x86" name="Progmn.Program_Code" type="win32"></assemblyIdentity>
      <description>Program Description</description>
      <dependency>
        <dependentAssembly>
          <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
        </dependentAssembly>
      </dependency>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
        <security>
          <requestedPrivileges>
            <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
          </requestedPrivileges>
        </security>
      </trustInfo>
    </assembl

Page 8: How i'm going to own your organization v2

@Malwaremustdie

• Are a group of dedicated Malware Researchers.

• Recognize that Malware is a serious threat.

• Recognize that Malware inhibits Internet technology.

• Agree that Malware is an obfuscation for Advanced Threats.

Page 9: How i'm going to own your organization v2
Page 10: How i'm going to own your organization v2

Kelihos Update

• http://malwaremustdie.blogspot.com/2013/08/the-quick-report-on-48hours-in-battle.html

Page 11: How i'm going to own your organization v2

What Do They Want?

Page 12: How i'm going to own your organization v2

The Silver Bullet Solution

This product will save your life and put your kids

through college

Sounds good. Give

me two!

Page 13: How i'm going to own your organization v2

I feel so safe………

Page 14: How i'm going to own your organization v2

How do they get your Information?

Reconnaissance

Social

Media

Social Engineering

Search Engines

Professional

Networking

Page 15: How i'm going to own your organization v2

Social Engineering Resources

Sept 23, 2013 Rohit Shaw – Social Engineering: A Hacking Story

Page 16: How i'm going to own your organization v2

Paterva: Maltego

Maltego is a program that can be used to determine relationships

and real world links between:

– People

– Groups (Social Networks)

– Companies

– Organizations

– Web Sites

– Domains

Page 17: How i'm going to own your organization v2

Maltego

Page 18: How i'm going to own your organization v2

Maltego

Page 19: How i'm going to own your organization v2

The Target XYZ Corp.

Hi I'm social engineering you.

Oh great! It's in my human nature to help anyone in any way I can.

Page 20: How i'm going to own your organization v2

The Weapon

Page 21: How i'm going to own your organization v2

Some Hints

/usr/local/share/ettercap/etter.dns

    tools.google.com A 10.10.10.10
    #

NSURL *url = [NSURL URLWithString:@"10.10.10.10:xxxx"];

Page 22: How i'm going to own your organization v2

The Delivery

Page 23: How i'm going to own your organization v2

Take the Bait: Installation

Page 24: How i'm going to own your organization v2

The Expected Response

It's all clean now.

Page 25: How i'm going to own your organization v2

Operation “Where is my Target”

Action on Objectives

SSL

Page 26: How i'm going to own your organization v2

Exploitation

Exfiltration

Exhibition

Exposure

Page 27: How i'm going to own your organization v2
Page 28: How i'm going to own your organization v2

Introducing "Cyber Kill Chain™"

• Concept derived from offensive military doctrine:

– Navy: Find, Fix, Track, Target, Engage, and Assess

– OODA Loop: Observe, Orient, Decide, and Act

– Key concept: Cyber Kill Chain™ defines how an adversary moves from target observation to a final objective. As with any chain, if any link breaks, the whole process fails

• Turn it into our advantage:

– "To compromise our infrastructure, the bad guys have to be right every step; we only have to be right once"

Page 29: How i'm going to own your organization v2

Cyber Kill Chain™ Model

• Intrusion

Cyber Kill Chain™ phases against courses of action (Detect, Deny, Disrupt, Degrade, Deceive):

Recon

Weaponize

Delivery

Exploit

Installation

Command & Control

Actions on Objectives

Increasing Risk (the further down the chain, the higher the risk)
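The slide's matrix pairs each kill-chain phase with the five courses of action. As an added example (not code from the talk), here is a small Python model of that matrix for a fictional organization: it reports the phases where no control can Deny or Disrupt the adversary, the phases where nothing Detects them, and, for an intrusion that reached a given phase, the earlier phases where an existing control should have fired. All control names and cell contents in build_sample_matrix() are constructed.

```python
"""Courses-of-action matrix over the Cyber Kill Chain phases.

Added example, not code from the talk. The control names, the cells
filled in build_sample_matrix() and the phase reached by the sample
intrusion are constructed for illustration.
"""

PHASES = ["Recon", "Weaponize", "Deliver", "Exploit", "Install", "C2",
          "Actions on Objectives"]
ACTIONS = ["Detect", "Deny", "Disrupt", "Degrade", "Deceive"]


class CourseOfActionMatrix:
    """Rows are kill-chain phases, columns are the five courses of action.
    Each cell holds the names of the controls providing that action at
    that phase."""

    def __init__(self):
        self._cells = {p: {a: set() for a in ACTIONS} for p in PHASES}

    def add(self, phase, action, control):
        if phase not in PHASES or action not in ACTIONS:
            raise ValueError(f"unknown cell {phase!r}/{action!r}")
        self._cells[phase][action].add(control)

    def controls(self, phase, action):
        return sorted(self._cells[phase][action])

    def unbreakable_links(self):
        """Phases with no Deny or Disrupt control: the chain cannot be
        broken there, so the adversary passes through unopposed."""
        return [p for p in PHASES
                if not (self._cells[p]["Deny"] or self._cells[p]["Disrupt"])]

    def blind_spots(self):
        """Phases with no Detect control: the adversary passes unseen,
        which is a data gap for incident responders."""
        return [p for p in PHASES if not self._cells[p]["Detect"]]

    def missed_opportunities(self, reached_phase):
        """Work backward from the furthest phase an intrusion reached and
        list every earlier phase where a Detect, Deny or Disrupt control
        existed and should have fired: (phase, {action: [controls]})."""
        idx = PHASES.index(reached_phase)
        out = []
        for p in PHASES[:idx]:
            present = {a: self.controls(p, a)
                       for a in ("Detect", "Deny", "Disrupt")
                       if self._cells[p][a]}
            if present:
                out.append((p, present))
        return out


def build_sample_matrix():
    """A small, constructed control inventory for a fictional organization."""
    m = CourseOfActionMatrix()
    m.add("Deliver", "Detect", "mail-gateway-attachment-log")
    m.add("Deliver", "Deny", "block-executable-attachments")
    m.add("Exploit", "Detect", "endpoint-av")
    m.add("Install", "Detect", "endpoint-av")
    m.add("C2", "Detect", "proxy-egress-log")
    m.add("C2", "Deny", "egress-allowlist")
    m.add("Actions on Objectives", "Detect", "dlp-alerts")
    return m


if __name__ == "__main__":
    m = build_sample_matrix()
    print("cannot break the chain at:", m.unbreakable_links())
    print("cannot see the adversary at:", m.blind_spots())
    for phase, present in m.missed_opportunities("Actions on Objectives"):
        print(f"{phase}: {present}")
```

For the sample inventory, Recon and Weaponize are both unbreakable and unseen, which is normal (those phases happen on the adversary's side), but Exploit and Install having only Detect and no Deny or Disrupt is the kind of gap the matrix is meant to surface.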

Page 30: How i'm going to own your organization v2

Internet

Mail Server

User

User

Open this attachment!CLICK!

COMMAND & CONTROL ESTABLISHED!

Data Exfiltration Begins

Page 31: How i'm going to own your organization v2

Cyber Kill Chain™ Model: Recon

• Research, identification, and selection of targets

• Crawling Internet websites looking for email addresses or information on specific technologies

• Research conducted on business relationships and supply chain

• Enumeration of systems and infrastructure

– Active

– Passive

Recon Weaponize Deliver Exploit Install C2 Actions on Objectives

Page 32: How i'm going to own your organization v2

Cyber Kill Chain™ Model: Weaponize

• The tool that puts the remote access trojan with an exploit into a deliverable payload

• Application data files such as Microsoft Office documents or Adobe PDF files serve as the weaponized payloads

• Compromised websites hosting malformed Java or Flash files


Page 33: How i'm going to own your organization v2

Cyber Kill Chain™ Model: Delivery

• Transmission of weapon into targeted environment

• The three most prevalent delivery vectors for weaponized payloads are:

– Emails with attachments or embedded hyperlinks

– Compromised website with malicious code

– USB drives or other removable media

Page 34: How i'm going to own your organization v2

DGA: Domain Generation Algorithm

Page 35: How i'm going to own your organization v2

DNS Queries

Page 36: How i'm going to own your organization v2

Cyber Kill Chain™ Model: Exploit

• After the weapon is delivered to target host, exploitation triggers attackers’ code

• Most often, this exploits an application or operating system vulnerability

• In most cases, exploitation occurs when users are:

– Coerced to open an executable attachment

– Leveraging a feature of the operating system that executes code automatically

Page 37: How i'm going to own your organization v2

Cyber Kill Chain™ Model: Installation

• Typically occurs immediately after the exploit is complete

• The install is often a backdoor or a tool grabber

• Also installation might occur during lateral movements by the attacker

Page 38: How i'm going to own your organization v2

Cyber Kill Chain™ Model: C2

• Typically the compromised host must beacon outbound to its Internet controller server to establish command and control (C2) channel

• APT malware typically requires manual interaction vs. acting autonomously

• Once the C2 channel is established, attackers have "hands-on-the-keyboard" access
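The first bullet is the defender's hook: a compromised host has to beacon outbound on a schedule, and a schedule is visible in the egress logs the "Lessons learned" slide asks you to understand. As an added example (not code from the talk), the Python below reads a constructed proxy log and flags (source, destination) pairs whose inter-request gaps are too regular to be a person browsing. The log format, the sample lines and the thresholds are all assumptions made for this illustration.

```python
"""Beacon detection over a proxy log: flag (source, destination) pairs
whose requests arrive at suspiciously regular intervals.

Added example, not code from the talk. The log format (one line per
request: date, time, source IP, destination host) and the sample lines
are constructed; the thresholds are illustrative starting points."""
import statistics
from collections import defaultdict
from datetime import datetime

LOG_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: 10.0.0.5 contacts one host about once a minute with
# very little jitter; 10.0.0.9 shows ordinary bursty browsing.
SAMPLE_LOG = """\
2013-09-27 10:00:00 10.0.0.5 update.example-cdn.test
2013-09-27 10:01:01 10.0.0.5 update.example-cdn.test
2013-09-27 10:02:00 10.0.0.5 update.example-cdn.test
2013-09-27 10:02:59 10.0.0.5 update.example-cdn.test
2013-09-27 10:04:00 10.0.0.5 update.example-cdn.test
2013-09-27 10:05:01 10.0.0.5 update.example-cdn.test
2013-09-27 10:00:07 10.0.0.9 news.example.test
2013-09-27 10:00:12 10.0.0.9 news.example.test
2013-09-27 10:03:40 10.0.0.9 news.example.test
2013-09-27 10:11:02 10.0.0.9 news.example.test
2013-09-27 10:11:05 10.0.0.9 news.example.test
2013-09-27 10:29:50 10.0.0.9 news.example.test
"""


def parse_log(text):
    """Group request timestamps by (source IP, destination host)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, src, dst = line.split()
        conns[(src, dst)].append(datetime.strptime(f"{date} {clock}", LOG_FMT))
    return conns


def beacon_candidates(conns, min_requests=5, max_cv=0.1):
    """Return pairs whose inter-request gaps have a coefficient of
    variation (population stdev / mean) at or below max_cv. Human
    browsing is bursty (high CV); malware check-ins are clock-driven
    (low CV). min_requests avoids judging a pair on one or two gaps."""
    found = {}
    for pair, stamps in conns.items():
        if len(stamps) < min_requests:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # every request shares one timestamp: a burst, not a beacon
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            found[pair] = {"requests": len(stamps),
                           "mean_gap_s": round(mean, 1),
                           "cv": round(cv, 3)}
    return found


def find_beacons(text, **kwargs):
    """Convenience wrapper: raw log text in, candidate beacons out."""
    return beacon_candidates(parse_log(text), **kwargs)


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info}")
```

The sample flags 10.0.0.5 with a mean gap of about 60 seconds and a CV near 0.016, while the browsing host falls far outside the threshold. Legitimate updaters and monitoring agents also beacon, so treat the output as a candidate list to join against an indicator feed or destination reputation, and expect implants that add large random sleep jitter to need a looser max_cv or a different feature such as request size.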

Page 39: How i'm going to own your organization v2

Cyber Kill Chain™ Model: Actions on Objectives

• Attackers begin collecting, encrypting, and exfiltrating data from compromised systems.

• Attackers may further propagate themselves throughout the internal network in lateral compromises.

• While exfiltration is the most common objective, attackers could also violate the integrity or availability of data as well.

• Consider what would happen if the attacker modified certain critical internal data.

Page 40: How i'm going to own your organization v2

Cyber Kill Chain™ Model: Benefits

• Provides for a more defensible network by providing incident responders with multiple locations that can stop the progress of the adversary

• Provides a framework for working forward and backward in order to gauge effect and identify mitigations

• Articulates prioritization and strategy

• Identifies data gaps and source collection requirements

• Enables adversary attribution and campaign tracking

• Drives investigations to completion

• Intelligence feeds into gaining more intelligence

Page 41: How i'm going to own your organization v2

Lessons learned:

• 1. Crack SSL and understand your egress traffic. Get a SIEM for event correlation.

• 2. Don't take a crimeware kit at face value. You might have missed the advanced threat you've been looking for.

• 3. Stop wasting money on tools that are always one step behind the adversary and always promising ”That feature is in the next release”.

• 4. COLLABORATE with other organizations in your industry. This is priceless information. Compare what activity you are both seeing, and put two and two together.

• 5. OSINT - RSS research feeds are your friend. Pull out indicators you can use for detection tools and correlate events to form campaigns. These groups are already doing the hard part for you: XOR, obfuscation, identifying fake registrars selling domains to crimeware organizations, etc.

• 6. Most important of all: have a damn good incident response plan. Know what and how you're going to recover from this type of breach when it finally hits your organization.
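Lessons 1 and 5 together describe a concrete pipeline: take indicators from research feeds, run them against your egress traffic, and correlate the hits into campaigns. As an added example (not code from the talk), the Python below does that end to end on constructed data: it refangs a feed written in the hxxp:// and [.] style that research posts use (the Pony gate list on the earlier slide is written that way), matches the indicators against a proxy log by exact URL or, more weakly, by destination host, and then orders each host's hits by kill-chain phase. The feed format, the proxy log format and every host name and address are assumptions made for this example.

```python
"""Turn a defanged OSINT indicator feed into detections on an egress
proxy log and correlate hits per host into kill-chain phases.

Added example, not code from the talk. The feed format (comment lines
carrying campaign and phase, then one defanged URL per line), the proxy
log format and every host name and address below are constructed."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed feed. hxxp:// and [.] are the defanging convention research
# posts use so that indicators are not clickable.
SAMPLE_FEED = """\
# campaign=pony-sample-2013 phase=C2
hxxp://webmail.example-gate[.]test:8080/ponyb/gate.php
hxxp://198.51.100[.]35:8080/ponyb/gate.php
# campaign=dropper-2013 phase=Deliver
hxxp://files.example-drop[.]test/invoice.exe
"""

# Constructed proxy log: time, source IP, method, full URL, HTTP status.
SAMPLE_PROXY_LOG = """\
2013-09-27T09:58:40 10.0.0.5 GET http://files.example-drop.test/invoice.exe 200
2013-09-27T10:00:03 10.0.0.5 POST http://webmail.example-gate.test:8080/ponyb/gate.php 200
2013-09-27T10:00:10 10.0.0.7 GET http://www.example.test/ 200
2013-09-27T10:01:03 10.0.0.5 POST http://198.51.100.35:8080/ponyb/gate.php 200
2013-09-27T10:02:00 10.0.0.7 GET http://198.51.100.35:8080/other.php 404
"""


def refang(url):
    """Undo the defanging so the indicator compares equal to a real URL."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def parse_feed(text):
    """Return {"urls": {url: meta}, "hosts": {host:port: meta}}; meta is
    the campaign/phase from the most recent comment line."""
    urls, hosts, meta = {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            meta = dict(kv.split("=", 1) for kv in line[1:].split())
            continue
        url = refang(line)
        urls[url] = dict(meta)
        hosts[urlsplit(url).netloc] = dict(meta)
    return {"urls": urls, "hosts": hosts}


def match_log(text, indicators):
    """Each proxy line that hits an indicator, by exact URL or by the
    destination host:port alone (a weaker match, labelled as such)."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url, status = line.split()
        netloc = urlsplit(url).netloc
        if url in indicators["urls"]:
            hits.append({"time": ts, "src": src, "url": url, "match": "url",
                         **indicators["urls"][url]})
        elif netloc in indicators["hosts"]:
            hits.append({"time": ts, "src": src, "url": url, "match": "host",
                         **indicators["hosts"][netloc]})
    return hits


def correlate(hits):
    """Per source host, the ordered (phase, campaign) steps it traversed.
    A host seen at Deliver and then at C2 is a far stronger signal than
    either hit alone; duplicates of the same step are collapsed."""
    per_host = defaultdict(list)
    for h in sorted(hits, key=lambda h: h["time"]):
        step = (h["phase"], h["campaign"])
        if step not in per_host[h["src"]]:
            per_host[h["src"]].append(step)
    return dict(per_host)


def run(feed=SAMPLE_FEED, log=SAMPLE_PROXY_LOG):
    """Feed text and log text in, per-host kill-chain timeline out."""
    return correlate(match_log(log, parse_feed(feed)))


if __name__ == "__main__":
    for src, steps in run().items():
        print(src, " -> ".join(f"{phase}[{campaign}]" for phase, campaign in steps))
```

On the sample data 10.0.0.5 fetches the dropper and then checks in to two gates, which the correlation renders as Deliver followed by C2 for that host, while 10.0.0.7 only matches on host and gets a single, weaker C2 entry. In a SIEM the same logic is a lookup table joined to the proxy index plus a per-host ordering; the point of doing it with phases attached is that the output tells a responder where in the chain the host is, not just that a blocklist fired.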