
Mining attackers mind

Think like an attacker and take proactive approach to security

Page 1: Mining attackers mind

© Copyright 2014 Cyberoam Technologies Pvt. Ltd. All Rights Reserved. www.cyberoam.com

www.cyberoam.com

Our Products

Network Security Appliances - UTM, NGFW (Hardware & Virtual)

Modem Router Integrated Security appliance

Presenter: Cyberoam

Mining Attackers Mind

Page 2: Mining attackers mind

Agenda

• Innovative technologies impacting complexity in security
• Challenges to IT security administrators and gaps in security infrastructure
• Changing motivation of cyber criminals and evolving threat engineering
• Hacking into the mind of today's cyber criminal

Page 3: Mining attackers mind

Innovative technology changes everything

Social business

1 billion mobile workers

1 trillion Connected objects

Bring your own IT

Cloud and virtualization

Page 4: Mining attackers mind

Innovative technology changes everything … that requires a new approach

People: Employees, Hackers, Outsourcers, Suppliers, Consultants, Terrorists, Customers

Applications: Systems Applications, Web Applications, Web 2.0, Mobile Applications

Infrastructure: Datacenters, PCs, Laptops, Mobile, Cloud, Non-traditional

Data: Structured, Unstructured, At rest, In motion

Page 5: Mining attackers mind

Administrators approach

Most spend 50% of their security budgets on reactive tools and resources

No actionable information or outcome analysis on how an attack can happen

Security infrastructure has gaps:

Endpoint Suites

Network UTM

Application Security

Vulnerability Management

Page 6: Mining attackers mind

Engineering for Attacks

Page 7: Mining attackers mind

2,641,350 security attacks the average company faces per week

Page 8: Mining attackers mind

If you think you are safe, think again

Source: IBM X-Force® Research and Development

Page 9: Mining attackers mind

If you think you are safe, think again

Source: IBM X-Force® Research and Development

Page 10: Mining attackers mind

Skill level: Script-Kiddy, Undergraduate, Expert, Specialist

Motivation: National Interest, Personal Gain, Personal Fame, Curiosity

Attacker type: Vandal, Thief, Spy, Trespasser, Author

Page 11: Mining attackers mind

Motivations and sophistication are rapidly evolving

Monetary Gain: Organized crime (Zeus)

Espionage, Activism: Competitors and Hacktivists (Aurora)

National Security: Nation-state actors (Stuxnet)

Revenge, Curiosity: Insiders and Script-kiddies (Code Red)

Page 12: Mining attackers mind

Thinking like an attacker

Plan

Practice

Covering Tracks

Attack on defense

Organized community

Page 13: Mining attackers mind

5 Phases a Hacker follows

Reconnaissance: Preparatory phase, Competitive intelligence, Time consuming, Most important

Scanning: Network Mapping, Check for open ports, Banner Grabbing, Identify open services, Scanning for vulnerabilities, Prepare proxies

Gaining Access: Potential damage, Logic or time bomb, Session hijacking, Buffer overflows, Targeted attack, Brute force/Dictionary attack

Maintaining access: Backdoor, Trojans, Rootkit, Data transfer

Covering Tracks: Erasing contaminated logs, Cover for additional attack

Page 14: Mining attackers mind

Reconnaissance

Preparatory phase, competitive intelligence, time consuming

Hacker's list / Result

Search Fine Web: Employee contact information, Phone numbers, Business Partners, Recent Mergers

Search Engines: Search employee groups for sensitive or job-related information

Whois Database: Internet address, Domain names, Contact information, ARIN

Domain lookup: IP address, Mail Server information

Ping, Traceroute, SMTP VRFY: Live IP, Round trip time, Possible Firewall, Valid Email addresses

Page 15: Mining attackers mind

Defending Reconnaissance

No way to prevent attackers from obtaining registration data

Avoid DNS leaking unnecessary information

Restrict zone transfers

Use split DNS and limit the amount of DNS information exposed

Disable ping from the WAN side on the firewall

Remember that employee contact information can be used in social engineering

Page 16: Mining attackers mind

Scanning

Hacker's list / Result

Network Mapping: Network security assessment

Port Scanning: Search for open well-known ports

Banner Grabbing/OS fingerprinting: Identify the operating system on the end PC

Vulnerability Scanning: Identify vulnerabilities of computing systems

Proxies: Masking the traceback

Page 17: Mining attackers mind

Defending Scanning

Check the systems before the hacker does

Scan, find and patch: make it a regular process

Change the content of the 404 page

Edit server info properties if you want to engage the hacker and study behavior

Evade them using IPS at the network level

Do not forget about open UDP ports

Check for traffic with well-known source ports: it can be a disguise
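Two of the checks above (open UDP ports and traffic arriving from well-known source ports) are easy to automate over firewall logs. The following is an added example, not code from the Cyberoam deck: it assumes a constructed log line format and constructed sample lines, counts distinct destination ports per source within a time window separately for TCP and UDP, and flags inbound connections whose source port is a service port such as 53 or 80, which legitimate clients using ephemeral ports would not produce.

```python
"""Port-sweep and disguised-source-port detection over firewall log lines.

Added example, not from the Cyberoam deck. The log format, the sample lines and
the threshold values are constructed assumptions.
"""
import re
from collections import defaultdict

# Assumed log format (constructed for this example):
# "<epoch_seconds> <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <ALLOW|DROP>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>ALLOW|DROP)$"
)

# Service ports an attacker may use as the *source* port to look like DNS/HTTP
# replies and slip past stateless ACLs (set chosen for this example).
WELL_KNOWN_SOURCE_PORTS = {20, 53, 80, 443}

# Constructed sample log: one TCP sweep sent from source port 53, one UDP sweep,
# and one legitimate HTTPS connection from an internal host.
SAMPLE_LOG = """\
1000 TCP 203.0.113.5:53 -> 192.0.2.10:21 DROP
1001 TCP 203.0.113.5:53 -> 192.0.2.10:22 DROP
1002 TCP 203.0.113.5:53 -> 192.0.2.10:23 DROP
1003 TCP 203.0.113.5:53 -> 192.0.2.10:25 DROP
1004 TCP 203.0.113.5:53 -> 192.0.2.10:80 ALLOW
1005 TCP 203.0.113.5:53 -> 192.0.2.10:443 ALLOW
1100 UDP 198.51.100.7:40000 -> 192.0.2.10:53 ALLOW
1101 UDP 198.51.100.7:40000 -> 192.0.2.10:123 DROP
1102 UDP 198.51.100.7:40000 -> 192.0.2.10:161 DROP
1103 UDP 198.51.100.7:40000 -> 192.0.2.10:500 DROP
1104 UDP 198.51.100.7:40000 -> 192.0.2.10:1900 DROP
1200 TCP 192.0.2.50:54321 -> 192.0.2.10:443 ALLOW
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("ts", "sport", "dport"):
            d[key] = int(d[key])
        records.append(d)
    return records


def detect_port_sweeps(records, min_ports=5, window=60):
    """Return {(src, dst, proto): distinct_ports} for sources that touched at least
    `min_ports` distinct destination ports on one host within `window` seconds.
    UDP is tracked on its own, so a UDP-only sweep is not hidden behind TCP counts."""
    events = defaultdict(list)
    for r in records:
        events[(r["src"], r["dst"], r["proto"])].append((r["ts"], r["dport"]))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            ports = {p for ts, p in evs[i:] if ts - start <= window}
            if len(ports) >= min_ports:
                alerts[key] = max(alerts.get(key, 0), len(ports))
    return alerts


def detect_disguised_source_ports(records, local_prefix="192.0.2."):
    """Return (src_ip, src_port) pairs for inbound connections whose source port is a
    well-known service port. Real clients use ephemeral source ports, so this pattern
    usually means a probe dressed up as DNS or web traffic."""
    found = set()
    for r in records:
        inbound = r["dst"].startswith(local_prefix) and not r["src"].startswith(local_prefix)
        if inbound and r["sport"] in WELL_KNOWN_SOURCE_PORTS:
            found.add((r["src"], r["sport"]))
    return sorted(found)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (src, dst, proto), n in detect_port_sweeps(recs).items():
        print("sweep: %s -> %s (%s), %d distinct ports" % (src, dst, proto, n))
    for src, sport in detect_disguised_source_ports(recs):
        print("disguised source port: %s using source port %d" % (src, sport))
```

On the sample log this reports a six-port TCP sweep and a five-port UDP sweep against 192.0.2.10, and flags 203.0.113.5 for sending from source port 53. The window and port thresholds are tuning knobs; lower them and ordinary service discovery on a busy network will start to alert.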

Page 18: Mining attackers mind

Gaining Access

Hacker's list / Result

Session Hijacking: Sniffing, capturing passwords

Brute Force: Effective against weak passwords

DNS poisoning: Redirect traffic to another, imitating website

Exploit Vulnerability: Access to restricted content, privilege elevation

Page 19: Mining attackers mind

Defending Gaining Access

Complex passwords

Find vulnerabilities before the hacker does

Scan, patch, test

DHCP snooping on L2 switches

Create a separate management VLAN

All protocols must be encrypted

Use SSH, SSL, HTTPS

Use LDAPS instead of simple LDAP bind requests

Protect web servers against the OWASP top vulnerabilities with a WAF

Page 20: Mining attackers mind

Maintaining access

Hacker's list / Result

Backdoor: Preinstalled or backdoor software is used by hackers to gain access to systems so that they can send malicious software to that particular system.

Trojan horses: A Trojan horse is used as a dropper; it allows other hackers and worms to attack the network easily.

Rootkits: Very hard to detect

Page 21: Mining attackers mind

Defending Maintaining access

Regular scanning

Regular monitoring of the data passing through the network

Updated antivirus with advanced rootkit removal capabilities

IPS should be capable of stopping bots from connecting to the command center

LAN to WAN should not be open for all traffic

An outbound spam filter should be included in the priority list
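A bot that has kept access typically calls its command center on a fixed schedule, which is what "regular monitoring of the data passing through the network" can catch even when the traffic itself is encrypted. The following is an added example, not code from the Cyberoam deck: it assumes constructed outbound flow records (timestamp, source, destination, destination port) and flags source/destination pairs that connect many times at near-constant intervals, using the coefficient of variation of the gaps so that small jitter does not hide the pattern.

```python
"""Beacon (command-and-control call-home) detection over outbound flow records.

Added example, not from the Cyberoam deck. The flow format, sample records and
thresholds are constructed assumptions.
"""
import statistics
from collections import defaultdict

# Constructed outbound flow records: (epoch_seconds, src_ip, dst_ip, dst_port).
# 192.0.2.23 contacts 203.0.113.77:443 roughly every 300 s with slight jitter (a
# bot checking in); 192.0.2.24 browses 198.51.100.9:443 at irregular intervals.
SAMPLE_FLOWS = [
    (0, "192.0.2.23", "203.0.113.77", 443),
    (305, "192.0.2.23", "203.0.113.77", 443),
    (598, "192.0.2.23", "203.0.113.77", 443),
    (902, "192.0.2.23", "203.0.113.77", 443),
    (1195, "192.0.2.23", "203.0.113.77", 443),
    (1503, "192.0.2.23", "203.0.113.77", 443),
    (1799, "192.0.2.23", "203.0.113.77", 443),
    (0, "192.0.2.24", "198.51.100.9", 443),
    (12, "192.0.2.24", "198.51.100.9", 443),
    (15, "192.0.2.24", "198.51.100.9", 443),
    (140, "192.0.2.24", "198.51.100.9", 443),
    (141, "192.0.2.24", "198.51.100.9", 443),
    (700, "192.0.2.24", "198.51.100.9", 443),
    (710, "192.0.2.24", "198.51.100.9", 443),
]


def interval_regularity(timestamps):
    """Return (mean_gap, coefficient_of_variation) of the gaps between connections.
    A low coefficient of variation means the connections are evenly spaced."""
    ts = sorted(timestamps)
    if len(ts) < 2:
        return 0.0, float("inf")
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.fmean(gaps)
    if mean == 0:
        return 0.0, float("inf")
    return mean, statistics.pstdev(gaps) / mean


def detect_beacons(flows, min_connections=6, max_cv=0.2):
    """Return {(src, dst, dport): mean_gap_seconds} for pairs that connected at least
    `min_connections` times with near-constant spacing (cv <= max_cv)."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(ts)
    beacons = {}
    for key, times in by_pair.items():
        if len(times) < min_connections:
            continue
        mean, cv = interval_regularity(times)
        if cv <= max_cv:
            beacons[key] = round(mean, 1)
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), gap in detect_beacons(SAMPLE_FLOWS).items():
        print("possible beacon: %s -> %s:%d every %.1f s" % (src, dst, dport, gap))
```

On the sample data only the 192.0.2.23 pair is reported (mean gap about 300 s, coefficient of variation about 0.02); the browsing session has gaps ranging from 1 s to 559 s and is ignored. In practice the same grouping would be run per destination domain as well, since a bot may rotate IP addresses behind one name.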

Page 22: Mining attackers mind

Covering Tracks

Hacker's list / Result

Hide the entry points: Difficult to detect with passive monitoring

Hide the logs: Too many logs confuse the customers

Hide the data transfer logs: Data transfer is done using encrypted tunnels

Difficult to predict: Professional work

Page 23: Mining attackers mind

Defending Covering Tracks

Logs should be stored on multiple servers

Regular backup of the logs should be done to

Hackers usually clean up and shut down the service. SNMP will help.

Close monitoring of the logs may help

SIEM tools are better in those scenarios
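Storing logs on multiple servers only helps if you can tell which copy has been altered. One way to make that check mechanical, as an added example that is not code from the Cyberoam deck, is to have the collector hash-chain each record to the previous one: an attacker who deletes or edits an entry on the compromised host breaks the chain from that point on, and a copy that has merely been truncated still verifies locally but stops short of the copy held by the second server. The record format and sample events below are constructed.

```python
"""Tamper-evident log storage: hash chain plus comparison of two server copies.

Added example, not from the Cyberoam deck. The record format and sample events
are constructed assumptions.
"""
import hashlib
import json

GENESIS = "0" * 64  # the "previous hash" before the first record


def chain_hash(prev_hash, record):
    """Hash of this record bound to the hash of the record before it."""
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_chain(records):
    """Turn plain records into chained entries as the log collector would store them."""
    entries, prev = [], GENESIS
    for record in records:
        prev = chain_hash(prev, record)
        entries.append({"record": record, "hash": prev})
    return entries


def verify_chain(entries):
    """Return -1 if the chain is intact, else the index of the first entry whose hash
    does not follow from its predecessor (an edited, deleted or reordered record)."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        expected = chain_hash(prev, entry["record"])
        if entry["hash"] != expected:
            return i
        prev = expected
    return -1


def first_divergence(local, remote):
    """Compare the copy on the host with the copy on a second log server. Return the
    index where they stop matching, or -1 if identical; a chain that verifies locally
    but is shorter than the remote copy has simply been truncated."""
    for i, (a, b) in enumerate(zip(local, remote)):
        if a["hash"] != b["hash"]:
            return i
    return -1 if len(local) == len(remote) else min(len(local), len(remote))


# Constructed sample: a short SSH password-guessing run followed by a successful login.
SAMPLE_RECORDS = [
    {"ts": 1000, "host": "web1", "event": "sshd: Failed password for admin from 203.0.113.9"},
    {"ts": 1001, "host": "web1", "event": "sshd: Failed password for admin from 203.0.113.9"},
    {"ts": 1002, "host": "web1", "event": "sshd: Accepted password for admin from 203.0.113.9"},
    {"ts": 1300, "host": "web1", "event": "sudo: admin : COMMAND=/bin/bash"},
]


def tampered_copies():
    """Return (original, deleted, edited): the intact chain and two doctored local
    copies, one with the successful-login record removed and one with the first
    record's text rewritten while its stored hash is left unchanged."""
    original = build_chain(SAMPLE_RECORDS)
    deleted = original[:2] + original[3:]
    edited = [dict(e) for e in original]
    edited[0] = {"record": {**original[0]["record"], "event": "sshd: session opened"},
                 "hash": original[0]["hash"]}
    return original, deleted, edited


if __name__ == "__main__":
    original, deleted, edited = tampered_copies()
    print("intact chain verifies at index", verify_chain(original))
    print("deleted record detected at index", verify_chain(deleted))
    print("edited record detected at index", verify_chain(edited))
    print("truncated copy diverges from remote at", first_divergence(original[:3], original))
```

The chain alone catches deletion and editing in the middle of the log; only the comparison against the second server catches a clean truncation at the end, which is exactly the case an intruder stopping the logging service produces.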

Page 24: Mining attackers mind

Analyze to Learn

To protect a system, you have to learn how it can be attacked

Systems are resistant to change once deployed

Thinking like an attacker is not always easy and may sound counterproductive

But hackers do that every day

Page 25: Mining attackers mind

Security Evaluation

Threat modeling is one of the most powerful security engineering activities

Focus on actual threats, not just vulnerabilities

Informs plans and reviews by offering deep insight into the methods attackers could use to manipulate services or servers

Weigh security decisions against other design goals

Understand attack vectors and the conditions for a successful attack

Page 26: Mining attackers mind

Threat Priority

Resource: What are you trying to protect?

Threat: What are you afraid of happening?

Vulnerability: How could the threat occur?

Mitigation: What is currently reducing the risk?

Impact: What is the impact to the business?

Likelihood: How likely is the threat given the controls?

Page 27: Mining attackers mind

10 Assumptions to get hacked easily

Allow everything from LAN to WAN

DMZ to LAN allowed by default

Use very easy passwords

Allow applications to use administrative passwords

No update of antivirus

Running unhardened application servers

Assume your security is fully secure

Assume the firewall can save you from all types of attacks

Do not patch servers, end machines or workstations

Allow users to use BYOD without a corporate policy

Virtual networks are secure by design

Page 28: Mining attackers mind

Thank you