DESCRIPTION
A look at the methodology and techniques of hackers, cyber criminals and state-sponsored attackers. Explores the kill chain, geopolitical instability and the dark web.
BARRY
COATESWORTH
Tier 3: Hacktivist
Tier 2: Cyber crime
Tier 1: Cyber espionage
The Adversary
Motivator and expertise by actor:
• Hacktivist – ideology / political change; vandalism
• Cybercriminal – financial / economic gain; theft
• Nation state – military / political dominance; intellectual property, secrets
The Kill Chain
Hacktivism
SQL Injection
Phishing
Weak Authentication
Account / DNS Hijacking
Hacking and exposure: gaining unauthorized access to large amounts of confidential data and publicly exposing it in plain view on the Internet, with the goal of causing monetary and reputational damage to the targeted entity.
Distributed denial-of-service (DDoS): many systems, usually infected with a Trojan or other form of malware, flood a targeted system, usually one or more web servers of a website.
DDoS attacks are the hacktivists’ cyber attack weapon of choice.
• They do not require actual hacking knowledge or skill.
• Many “off-the-shelf” tools are available right on the Internet.
Doxing: gathering and exposing valuable personal information of public figures such as politicians and celebrities, to the benefit of the hacktivist and to pressure the target into reacting or taking action in a way that favours the hacktivists’ ideology.
Hacktivism
Anonymous Attack Count (IDS signature, hits)
HTTP: SQL Injection (Benchmark) 1
HTTP: SQL Injection (Benchmark) 1
HTTP: SQL Injection (SELECT) 2
HTTP: SQL Injection (SELECT) 1
HTTP: SQL Injection Evasion SQL Comment Terminator 1
HTTP: SQL Injection (UNION) 1
HTTP: SQL Injection Evasion SQL Comment Terminator 1
HTTP: SQL Injection (Boolean Identity) 2
HTTP: SQL Injection Evasion Inline SQL Comment 1
HTTP: SQL Injection (Boolean Identity) 1
HTTP: SQL Injection (Boolean Identity) 1
HTTP: SQL Injection (Boolean Identity) 2
The top five cybercrime specialties, courtesy of the FBI, are:
• Coders who write malware and exploit data theft tools
• Vendors who trade stolen data, malware kits and footholds in compromised networks
• Criminal IT guys who maintain criminal IT infrastructure like servers and bulletproof ISPs
• Hackers who seek and exploit application, system and network vulnerabilities
• Fraudsters who create social engineering ploys like phishing and domain squatting
• Botnets
• Fast flux networks
• Social engineering
• Denial-of-service attacks
• Skimmers
• Spam
Cyber Crime
Cybercriminals developed sophisticated crimeware kits (Zeus, Citadel, Eleonor, Phoenix)
• Easy to use development tools
• Service level agreements – CaaS (Crimeware as a Service)
• Evasion and anti-detection built in
Cyber Crime – going mobile
Trend of the year: mobile banking Trojans
2013 was marked by a rapid rise in the number of Android banking Trojans
Botnet targeting Android smartphone users who bank at financial institutions in the Middle East
Cyber Crime – going mobile
In 2013 cybercriminals made use of some exceptionally sophisticated methods to infect mobile devices.
• Infecting popular websites (watering holes)
• Distribution via botnets that send out text messages
Cyber Crime – going mobile
Pineapples?
The warning comes in the light of a growing number of cyber attacks using personal information stolen through public Wi-Fi hotspots.
Cyber Espionage
1998 – Moonlight Maze
2003 – Titan Rain
2009 – Operation Aurora
2009 – GhostNet
2011 – Night Dragon
2011 – Operation Shady RAT (2006)
2012 – Red October (2007)
2012 – Elderwood project
2012 – Flame
2012 – Gauss (2009)
2012 – Shamoon
2014 – Mask
2014 – Snake
APT
Cyber Warfare
APT - Advanced Persistent Threat
PTA - Persistent Targeted Attacks
Cyber Espionage
Kill Chain - Reconnaissance
• Target is analyzed and scoped to identify potential attack vectors
• Open source intelligence:
• Social media, conferences, company directories, public records
• Public web site mapping
• Server scanning and fingerprinting
Asymmetric Warfare (diagram): direct attacks hit the perimeter controls (firewall, IPS); indirect attacks go after the corporate laptop and the home desktop/server, where only host-based controls (firewall, IPS, antivirus, browser URL block) stand in the way.
Kill Chain - Delivery
Common Attack vectors:
• Common vulnerability (e.g. SQL injection)
• Zero-day exploits
• USB keys
• Insider threat
• Physical access to devices
• Interactive social engineering
• “Spear Phishing”*
Spear Phishing
From: Greg
To: Jussi
Subject: need to ssh into rootkit
im in europe and need to ssh into the server. can you drop open up firewall and allow ssh through port 59022 or something vague? and is our root password still 88j4bb3rw0cky88 or did we change to 88Scr3am3r88 ? thanks
Waterholes
Strategic Web Compromise (SWC)
• Backdoors implemented as a Windows service
• Usually “hide in plain sight”
• Use a simple command set
• Dwell time is the length of time an intruder has on the network
• Takes on average 18 days to respond and remove an intrusion
Kill Chain - Exploitation
Once inside a network, malware “beacons” out to Command and Control (C2) servers
• C2 servers are either compromised or rented
• Traffic is usually HTTP, HTTPS or DNS and mimics common protocols
Kill Chain - Command & Control
Covert channels - DNS tunnelling
DNS TUNNELLING TOOLS
OzymanDNS
Dns2tcp
Iodine
Heyoka
DNSCat
NSTX
DNScapy
MagicTunnel, Element53, VPN-over-DNS (Android)
VPN over DNS
• DNS tunnels are commonly used to carry out covert file transfers, C&C server traffic and web browsing
• Botnets can use DNS tunnelling to act as a covert channel, and these covert channels are very hard to detect
Covert storage channels – steganography, unused parts of packets
Timing covert channels – modulating resources and response time (requires an accurate clock)
Covert channels - Steganography
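The detection side of the bullets above, as an added example that is not from the original slides: a heuristic that profiles a resolver log per registered domain and flags domains whose query labels are long, high-entropy and almost never repeated, which is what a tunnel carrying encoded data looks like. The log format, the domain names and the thresholds are constructed assumptions.

```python
import math
# Constructed sample resolver log (not real data): "<client> <qtype> <qname>" per line.
# Client 10.0.0.9 sends long, random-looking labels under one domain, as a tunnel does.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.5 AAAA cdn.example.com
10.0.0.5 A api.example.com
10.0.0.9 TXT 4a7f3c9e2b1d8e6f0a3c5d7e9f1b2c4d.t.evil-example.net
10.0.0.9 TXT 9d2e4f6a8b0c1d3e5f7a9b1c3d5e7f90.t.evil-example.net
10.0.0.9 TXT 0c1d2e3f4a5b6c7d8e9fa0b1c2d3e4f5.t.evil-example.net
10.0.0.9 TXT b7e1d0c9f8a7b6c5d4e3f2a1b0c9d8e7.t.evil-example.net
"""

def shannon_entropy(s: str) -> float:
    # Bits per character: encoded payloads approach log2(alphabet size), hostnames stay low.
    n = len(s)
    return 0.0 if n == 0 else -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def split_qname(qname: str):
    # Naive split: the last two labels are treated as the registered domain.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def profile_domains(log_text: str) -> dict:
    # Per registered domain, accumulate the signals a tunnel tends to inflate.
    stats = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the whole run
        _client, qtype, qname = parts
        sub, dom = split_qname(qname)
        s = stats.setdefault(dom, {"queries": 0, "subs": set(), "len": 0, "ent": 0.0, "txt": 0})
        s["queries"] += 1
        s["subs"].add(sub)
        s["len"] += len(sub)
        s["ent"] += shannon_entropy(sub.replace(".", ""))
        s["txt"] += qtype.upper() in ("TXT", "NULL")  # record types that carry bulk data
    return stats

def suspicious_domains(log_text: str, min_queries=4, min_len=20.0, min_entropy=3.0) -> list:
    # Flag domains with enough queries whose labels are long, high-entropy and mostly unique.
    flagged = []
    for dom, s in profile_domains(log_text).items():
        q = s["queries"]
        if (q >= min_queries and s["len"] / q >= min_len
                and s["ent"] / q >= min_entropy and len(s["subs"]) / q > 0.8):
            flagged.append(dom)
    return sorted(flagged)
```

Thresholds need tuning per environment: CDNs and some anti-spam services legitimately emit long, unique labels, so the TXT/NULL share and the per-client volume are the usual tie-breakers before anyone acts on a hit.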
• Attacker performs internal reconnaissance
• User enumeration
• Analysis and monitoring of host user activity
• Dump of internal and external websites
• Scan of connected systems
• “Net use” and reverse shell commands
• Password logging
• Pass-the-hash*
Kill Chain - Lateral Movement
Pass the hash
• “Hash” refers to a cached credential
• Usually not the “clear text” credential
• Hash is treated as the actual credential internally by most systems
• Then use hashes to move “laterally” through the network
• Network/domain privileged account - Game over
Kill Chain - Exfiltration
• Identifies targeted assets for exfiltration
• Moves data to staging servers
• Positions itself for persistent presence
• Maintains hold of key high-privilege accounts
• Remains resident on only a selection of systems
Nation states
Juniper firewall implant, Huawei firewall implant, Cisco PIX firewall implant
Nation States
Wireless exploit kit, USB covert channel, PC hardware implant
Snake
Back in 2008 an unknown malicious file was discovered and auto-classified as “Agent.BTZ”, which infected US military networks.
Reverse engineering showed that Snake is a more advanced variant of Agent.BTZ. It is a rootkit using complex techniques for evading host defences, utilising covert channels over
Links to Red October and other cyber espionage campaigns
Geo political events
The Dark Side
Dark net
Deep web
Dark market
Malicious marketplace
In 2001
• The deep Web was 400 to 550 times larger than the commonly defined World Wide Web.
• The deep Web contained 7,500 terabytes of information, compared to 19 terabytes in the surface Web.
• It contained nearly 550 billion individual documents, compared to the one billion of the surface Web.
• More than 200,000 deep Web sites existed.
• The deep Web is not well known to the Internet-searching public.
The Dark Side
To date, three main networks are used to grant anonymity on both the client and server side: TOR, I2P, and Freenet.
Dark market
Tor .onion domains
There are many different techniques in use, but Tor’s onion router network is probably the easiest one to get started with. The .onion domains are not part of the ICANN registry and will not resolve until you are running Tor.
The combined effect leaves this form of Internet far beyond any kind of government control or regulation.
I2P Network and .i2p Domains
I2P works in a very similar way to Tor, although it is more flexible:
• Email
• Anonymous websites
• Blogging and forums
• Website hosting
• File sharing
• Decentralized file storage
Dark Market
Prices of Different Types of Goods
Site name | Address | Type of good | Cost | Normalized cost (US$)
Cloned credit cards | http://mxdcyv6gjs3tvt5u.onion/products.html | EU/US credit cards | €40 | US$54
NSD CC Store | http://4vq45ioqq5cx7u32.onion | EU/US credit cards | US$10 | US$10
Carders Planet | http://wihwaoykcdzabadd.onion/ | EU/US credit cards | US$60–150 | US$60–150
HakPal | http://pcdyurvcdiz66qjo.onion/ | PayPal accounts | 1 BTC for US$1,000 | US$126 for US$1,000
Onion identity | http://abbujjh5vqtq77wg.onion/ | Fake IDs/passports | €1,000–1,150 (ID), €2,500–4,000 (passport) | US$1,352–1,555 (ID), US$3,380–5,400 (passport)
U.S. citizenship | http://ayjkg6ombrsahbx2.onion/silkroad/home | U.S. citizenship | US$10,000 | US$10,000
U.S. fake driver’s licenses | http://en35tuzqmn4lofbk.onion/ | Fake U.S. driver’s license | US$200 | US$200
U.K. passports | http://vfqnd6mieccqyiit.onion/ | U.K. passports | £2,500 | US$4,000
Mapping the hidden services directory: both TOR and I2P use a domain database built upon a distributed system known as a DHT (distributed hash table).
Social site monitoring: sites like Pastebin are often used to exchange contact information and addresses for new hidden services.
Hidden service monitoring: most hidden services to date tend to be highly volatile and go offline very often, perhaps to come back online later under a new domain name.
Conclusion
• Threats will continue to evolve
• Security breaches are inevitable
• You need collaboration from people, process and technology
• Visibility and detection are key differentiators – centralise security
• Threat intelligence: internal (system monitoring) and the external threat landscape
• Survival of the fittest – share threat intelligence with your peers
• Continual awareness and education
Recap
THANK YOU