Technology Security Through Absurdity: Lessons Learned

Security Through Absurdity:

Lessons Learned

December 13th, 2013

Security Through Absurdity:

Lessons Learned

December 13th, 2013

Chris Brenton

Director of Security

@chris_brenton

[email protected]

Why Security Through Absurdity?

Pg. 2 Security Through Absurdity: Lessons Learned @chris_brenton


Because we need to enjoy life’shumorous moments

Two paths lie before you…


Enjoy the Journey

•Find the humor “nuggets”•Leverage the life lessons•Grow and move forward


•Find the humor “nuggets”•Leverage the life lessons•Grow and move forward

Let It Thin Your Soul


“Like butter scraped overtoo much bread”

Rock The Gandalf Look

By increasing the gray hair density



Rock The Gandalf Look


I already have a 14 yr old daughter

dedicated to that last task



I already have a 14 yr old daughter

dedicated to that last task

Our Journey Begins

Contracted as a security consultant

Owner wants locked down VPN

access to business


Contracted as a security consultant

Owner wants locked down VPN

access to business

Security Requirements

Normally disabled state

Must call first to get access

Must know IP address


Normally disabled state

Must call first to get access

Must know IP address

More Security Requirements

2 Factor authentication

Time limit on access

Log and alert on everything!



Time limit on access

Log and alert on everything!

First Day Onsite

I show up early


First Day Onsite

I show up early

UPS arrives


I show up early

UPS arrives

First Day Onsite

I show up early

UPS arrives

Retrieves key from under rock


I show up early

UPS arrives


First Day Onsite

I show up early

UPS arrives


Lets themselves into building


I show up early

UPS arrives


Lets themselves into building

Is This A Problem?


Is This A Problem?

Key has been under rock for 5 years


Is This A Problem?


Everyone knows its there



Everyone knows its there

Is This A Problem?


Everyone knows its there– “X” employees (including disgruntle ones)– All delivery couriers



Everyone knows its there– “X” employees (including disgruntle ones)– All delivery couriers

Is This A Problem?


Everyone knows its there– “X” employees (including disgruntle ones)– All delivery couriers– Even the local pizza parlor staff



Everyone knows its there– “X” employees (including disgruntle ones)– All delivery couriers– Even the local pizza parlor staff

Did I Forget to Mention…

Business model was computer sales




In excess of $15K in inventory







Nothing high risk saved on the

corporate network




Nothing high risk saved on the

corporate network

Security Task List

Mitigate risks that could put you out

of business next week




Security Task List



Then move on to the week after that





Security Task List




Lather, rinse repeat





Lather, rinse repeat

What Did Life Teach Me?

Never assume a business risk analysis

has been performed


Never assume a business risk analysis

has been performed

What I Now Do Differently

Don’t assume your contact

understands their risks

Perform a mini risk assessmentPg. 28 Security Through Absurdity: Lessons Learned @chris_brenton

Don’t assume your contact

understands their risks

Perform a mini risk assessment


We implemented a great security solution…But don’t have resources to maintaining it

Case Study #2

Phishing test


Phishing test

Phishing Test Exercise

Contracted to help IT test

social engineering

Test all employees via email


Contracted to help IT test

social engineering

Test all employees via email

The Setup


The Results

13 of 450 employees hit reply


The Results


Sent their logon credentials




The Results



Via plaintext email




Via plaintext email

The Results



Via plaintext email

To an unknown outside address




Via plaintext email

To an unknown outside address

The Response

Email sent from real IT account


The Response


Phishing test revealed




The Response



Detailed explanation





The Response




Phishing email included as reference





Phishing email included as reference

What Happened Next?

19 people hit “reply”


What Happened Next?


and sent their credentials




What Happened Next?



In response to an email telling

them never to do this




In response to an email telling

them never to do this

Math Sanity Check…

13 < 19


Root Cause Analysis

“I just skipped to the executive

summary”


“I just skipped to the executive

summary”


Email is the wrong medium for

in-depth concepts

How you convey info matters


Email is the wrong medium for

in-depth concepts

How you convey info matters


Consider the proper medium to

convey required information


Consider the proper medium to

convey required information


We rely on host-based security… To warn uswhen the host has been compromised

Case Study #3

Phishing Rev 2


Phishing Rev 2

Phishing Attack

Spoofed email from CEO


Phishing Attack


Claims to point to a BBC article




Phishing Attack



Link prompts for email logon

name and password




Link prompts for email logon

name and password

The Results

6 people are duped


The Results

6 people are duped

Give away their logon name

and password


6 people are duped


and password

The Results

6 people are duped


and password

In order to read a news story


6 people are duped


and password

In order to read a news story

The Response

Containment


The Response

Containment



Containment


The Response

Containment


Followed by a huge education

and awareness effort


Containment


Followed by a huge education

and awareness effort

What Was Included

Email to all employees


What Was Included


Internal blog entries




What Was Included



Updates to awareness training





What Was Included




Leverage the grape vine





Leverage the grape vine

Segway to 30 days later


Pentester Hired

Measure results of education effort


Pentester Hired


Mass email phishing test sent



Mass email phishing test sent

The Results

Good news!


The Results

Good news!

An order of magnitude improvement

in people reporting the attack


Good news!

An order of magnitude improvement

in people reporting the attack

The Results

Bad News!


The Results

Bad News!

6 people failed the test


Bad News!


The Results

Bad News!


It’s a different 6 people


Bad News!


It’s a different 6 people

6 = 6


You Can Never Save Everyone

Strive for 100% but have realistic

(cost effective) expectations


You Can Never Save Everyone

Strive for 100% but have realistic

(cost effective) expectations


Awareness training is good

A reward system motivates people to

leverage what they learned


Awareness training is good

A reward system motivates people to

leverage what they learned


We have an Internet policy…But not a Bring Your Own Device policy.

Case Study #4

Product security evaluation


Product security evaluation

The Setup

Contracted by a bank


The Setup


Evaluate a new system they are

considering for purchase





The Setup




Hired to evaluate security





Hired to evaluate security

The Evaluation


The Evaluation

Worst system ever!!!


The Evaluation


Hybrid that combines Windows

and a mini computer




and a mini computer

The Evaluation



and a mini computer

Got root 3 times in 20 minutes




and a mini computer

Got root 3 times in 20 minutes

0wn3d During Preso


My Write Up

Most pointed review I’ve written to date


My Write Up


Documented why the architecture was

horribly flawed




horribly flawed

My Write Up



horribly flawed

Can’t be patched!




horribly flawed

Can’t be patched!

Quick Factoid!

The word “horrible” has over 50

synonyms


Quick Factoid!


synonyms

It is actually possible to use them all

in a single professional documents



synonyms

It is actually possible to use them all

in a single professional documents

How The Bank Responded



They purchased the system




And opted for the premium support







Contract had already been signed




Contract had already been signed

Convo With The Bank

Me: Which part of “horribly insecure”

did you not understand?


Me: Which part of “horribly insecure”

did you not understand?

Convo With The Bank

Bank: But we can migrate the data

without any conversion costs!


Bank: But we can migrate the data

without any conversion costs!

Convo With The Bank

Me: Sounds like you made up your

mind ahead of time. Why did you

have me evaluate the system?


Me: Sounds like you made up your

mind ahead of time. Why did you

have me evaluate the system?

Convo With The Bank

Bank: We hoped you would like it.



Not everyone understands

“Security Speak”


Not everyone understands

“Security Speak”


Tailor to your audience: Convert

“security speak” to “risk” and

“financial” lingo


Tailor to your audience: Convert

“security speak” to “risk” and

“financial” lingo


We collect system logs…but no one actually looks at them

Case Study #5

The Epic battle of good and evil…


The Setup

DNS SaaS company


The Setup

DNS SaaS company

Offers a “dynamic DNS” product


DNS SaaS company


The Setup

DNS SaaS company


Great solution for cloud users


DNS SaaS company



The Setup

DNS SaaS company



Unfortunately can be used for evil


DNS SaaS company



Unfortunately can be used for evil

How The Bad Guys Operate

Build an infrastructure of “Command

and Control” servers





These manage infections and propagate

malware





malware





malware

The “brains” of the setup





malware

The “brains” of the setup

C&C Infrastructure

Designed to be fault tolerant


C&C Infrastructure


Kill one server, the rest take up the slack


C&C Infrastructure



Dynamic DNS provides redundancy if

server is blocked or taken down






C&C Infrastructure





Can recover when a few servers are lost






Can recover when a few servers are lost

Old IR Methodology

Block the account


Old IR Methodology

Block the account

Black hole the host names


Block the account


Old IR Methodology

Block the account


Problem: If you don’t get the

whole C&C network it can recover


Block the account


Problem: If you don’t get the

whole C&C network it can recover

New IR Methodology

Research the account


New IR Methodology


Help innocent clients recover their

system from infection





New IR Methodology




When evil, play cat and mouse





When evil, play cat and mouse

New IR in Practice

Account created from Russia



New IR in Practice


Ticked boxes as a suspect account




New IR in Practice



12+ scripted host names created





New IR in Practice




Fingerprint of Neutrino actors





Fingerprint of Neutrino actors

Time For Some Fun

Let them create their servers



Time For Some Fun


Gave them time to deploy iframes




Time For Some Fun



Let servers get integrated into C&C





Time For Some Fun




Pointed their hosts at honeypots





Pointed their hosts at honeypots

Impact of Redirection

Broke some C&C functionality




ID 30+ other C&C servers







Block 140,000 infections









Collect new data on functionality





Collect new data on functionality

What We Did Next

Warn C&C owners of infection


What We Did Next


Analyze previously unknown data




What We Did Next



Share data with the community





What We Did Next




Update our detection





Update our detection

What The Bad Guys Did Next

What they always do


What they always do

What The Bad Guys Did Next

What they always do

Try to set their network back up


What they always do

Try to set their network back up

Segway to 6 hours later

Bad guys come back



Bad guys come back

Using different account credentials


Bad guys come back



Bad guys come back


Same fingerprint


Bad guys come back


Same fingerprint


Bad guys come back


Same fingerprint

Start spinning up new C&C servers


Bad guys come back


Same fingerprint

Start spinning up new C&C servers

Lather, Rinse, Repeat

We let them setup their C&C

network



network



network

Then take it all away



network




network


This repeats a third time



network


This repeats a third time

Don’t Go Away Mad…

Bad guys relocate to Central

America service provider

We warn the provider

C&C network has yet to recover


Bad guys relocate to Central

America service provider

We warn the provider

C&C network has yet to recover


Remember as you watch this film




When things appear their darkest







Evil may win some of the battles









Good always wins the epic war





Good always wins the epic war

Thanks For Attending!

[email protected]

@Chris_Brenton


[email protected]

@Chris_Brenton