Page 1: Breach analysis slideshare

Breach Analysis - Jonathan Sinclair 1

Breach Analysis - Insights from technical breach to protective measures

By J.Sinclair

Page 2: Breach analysis slideshare

Talk Outcomes

• Demonstrate security from two perspectives

– The goal of a Blackhat

– The goal of a Whitehat

• An introduction to tooling

Page 3: Breach analysis slideshare

Perspectives

White vs. Black

Page 4: Breach analysis slideshare

Blackhat Perspective

• Motivating Factors

– Like the challenge (dedication)

– Self-promotion / Fame

  • Want to improve security by showing it’s failing (grey hat: see the work by Tavis Ormandy)

– Money

• Focus

– Breaching security

  • Penetration Testing

  • Exploit writing

  • Bug hunting

  • Social Engineering

Page 5: Breach analysis slideshare

Where to start

• Follow a methodology / plan

– Intelligence Gathering: Passive/Active

– Vulnerability Analysis: Active

– Exploitation: Active

– Post Exploitation: Active

– Reporting (Bad guys don’t care about this. It leaves evidence)

Page 6: Breach analysis slideshare

Steps of an attacker (Tools of the trade)

• Intelligence Gathering: Maltego, Social harvesting

• Reconnaissance:

– Zenmap/Nmap – Find a service

• Get the service listing:

– Telnet, smtp, https, printer, msrpc, irc, http-proxy, ftp

• Query the services:

– Test logins e.g. ftp, telnet, smtp

• Identify software information:

– WinFTP version 2.3.0

Page 7: Breach analysis slideshare

Steps of an attacker

• Exploit

– Check exploit-db, NIST, metasploit, Nessus etc.

– Set up a lab environment

– Download the app you want to exploit

– Start fuzzing: test the application to simulate a crash

Page 8: Breach analysis slideshare

Steps of an attacker

• Attach to Immunity or your favourite debugger: OllyDbg, WinDbg, IdaPro

Page 9: Breach analysis slideshare

Steps of an attacker

• Control the crash

– Manipulate EIP via ECX and EDX

– Jump to your shell code

• Generate via Metasploit:

– msf payload(shell_bind_tcp) > generate -b '\x00\x44\x67\x66\xfa\x01\xe0\x44\x67\xa1\xa2\xa3\x75\x4b'

– Prep your exploit in Ruby

– Launch at the target system

  • ./msfconsole

  • use auxiliary/dos/windows/ftp/winftp230_remote

  • exploit

Page 10: Breach analysis slideshare

Steps of an attacker

• Got shell – Bad guy wins

– Starting interaction with 2...

– Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp.

– C:\Documents and Settings\victim\Desktop>

Page 11: Breach analysis slideshare

Access Granted

• Network security bypassed

• Access to a single system can lead to additional breaches

• Pivot point (post-exploitation) for future attacks identified

Game Over

Page 12: Breach analysis slideshare

Whitehat Perspective

• Motivating Factors

– Secure your enterprise

– Keep company assets and intellectual property safe

– Engineer a secure solution

– Fame (would be nice but rarely appreciated)

• Focus

– Salary

– Watching the bad guys

– Staying current while maintaining the old

Page 13: Breach analysis slideshare

Why it’s so hard to be good

• Security dilemma:

– “The intruder only needs to exploit one of the victims in order to compromise the enterprise.”

• Security mantra:

– “There is no perfect defence”

• Security solution – the 3 pillars:

– Awareness

– Process

– Tools

Page 14: Breach analysis slideshare

Security Awareness (1)

• Ensure people are educated

– Set up awareness campaigns

– Create training programmes

– Bring security thinking to the people

• Relate to cultural differences (US vs. Switzerland)

Page 15: Breach analysis slideshare

Security Awareness (2)

• Create a mind-set of critical thinking and encourage people to ask the ‘what if..’ type questions

• Security thinking has nothing to do with being a techy. (Techies nearly always forget this)

Page 16: Breach analysis slideshare

Security Process

• What is actually important to you?

– Know what you want

– Know what your risk appetite is

– Integrate security into everything you do

Page 17: Breach analysis slideshare

Tooling

• Firewalls, IPS/IDS’s, DLP, SIEM, Antivirus etc. will only cover your last 20%

• Most incidents come from internal employees

– Symantec figures (1996 – 2002): 59%

– CERT figures (2010): 60%

– Open Security Foundation (2010): 47%

• Tools have vulnerabilities: Wireshark!

Page 18: Breach analysis slideshare

Enterprise security

• The message: “Your organisation will be breached”

• What to consider

– You need to know when this happens

– You need to know how to contain it

– You need to be able to understand your reputation
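The attacker chain on slides 6 to 10 (test logins against FTP, fuzz the service until it crashes) is what the "you need to know when this happens" point on this slide asks a defender to notice. As an added example, not from the original deck, a small Python detector run over a constructed FTP server log flags clients that move through those stages; the log format, event names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed FTP server log (not from the deck); the line format
# "<timestamp> <client-ip> <event> [detail]" is an assumption.
SAMPLE_LOG = """\
2011-04-01T10:00:02 10.0.0.5 LOGIN_FAIL user=admin
2011-04-01T10:00:02 10.0.0.5 LOGIN_FAIL user=ftp
2011-04-01T10:00:03 10.0.0.5 LOGIN_FAIL user=anonymous
2011-04-01T10:00:03 10.0.0.5 LOGIN_FAIL user=test
2011-04-01T10:00:09 10.0.0.5 CMD len=2400
2011-04-01T10:00:09 10.0.0.5 DISCONNECT reason=crash
2011-04-01T10:05:00 10.0.0.7 LOGIN_OK user=alice
2011-04-01T10:05:04 10.0.0.7 CMD len=12
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")

def parse(log):
    # Group (timestamp, event, detail) tuples by client IP.
    events = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, event, detail = m.groups()
            events[ip].append((ts, event, detail or ""))
    return events

def stages_for(evs, max_fail=3, max_len=512):
    # Map one client's events onto the deck's attacker steps.
    stages = []
    if sum(1 for _, e, _ in evs if e == "LOGIN_FAIL") >= max_fail:
        stages.append("login_testing")        # "Test logins e.g. ftp"
    for _, e, d in evs:
        m = re.search(r"len=(\d+)", d)
        if e == "CMD" and m and int(m.group(1)) > max_len:
            stages.append("oversized_command")  # fuzzing input
            break
    if any(e == "DISCONNECT" and "crash" in d for _, e, d in evs):
        stages.append("service_crash")        # the crash they control
    return stages

def find_suspects(log):
    # Return {ip: [stages]} for clients that hit at least one stage.
    out = {}
    for ip, evs in parse(log).items():
        stages = stages_for(evs)
        if stages:
            out[ip] = stages
    return out
```

A client that reaches all three stages in one session is the pattern worth an alert before "Got shell" on slide 10, not after.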

Page 19: Breach analysis slideshare

Enterprise security: Sony

• Case Study:

– Sony breach in 2011

– 25 million personal details stolen from the Sony Online Entertainment network

  • Name, Address, Email, DoB, Phone numbers

• Motive:

– Unknown but potentially to sell on credit card information (the hack didn’t reveal the 3-digit security code)

Page 20: Breach analysis slideshare

Enterprise security: Sony

• Reaction by Sony

– SOE network was suspended

  • SOE was then rebuilt

– Company would grant 30 days additional playing time to registered users

• Reaction by the public

– Legal action brought against Sony

– In the UK Sony was fined £250,000

Page 21: Breach analysis slideshare

Enterprise security: Sony

• Overall cost

– Profits plunged 59% or 15.5bn Yen as a combined result of cyber breach and Japanese tsunami

– Continued losses to the brand into 2012

• Real issues

– Personal data lost

– Credit card fraud became more prevalent

Page 22: Breach analysis slideshare

Enterprise security: Final Thoughts

• Take away message:

– The data a company may lose in a security breach may not be ‘secret’ data e.g. IP, however reputation loss will ALWAYS cost an enterprise

• Security in an enterprise is about protecting reputation!

Page 23: Breach analysis slideshare

Questions and Answers

?