8/21/2019 DaveAitel_TheHackerStrategy2
The Hacker Strategy
Security Research
Dave Aitel
Who am I: CTO, Immunity Inc.
History: NSA -> @stake -> Immunity
Responsible for new product development
Vulnerability Sharing Club
Immunity CANVAS
Immunity Debugger
SILICA

Hackers use People, Processes and Technology to obtain a singular goal: Information dominance

Your strategic security plan: FAIL
Policy: Secure Development Lifecycles
Technology: Automated Source Code Analysis, Non-Execute, ASLR, Stack Protecting Compilers, Heap cookies

Take a sample product X and attack it remotely
Obtain Product
Protocol Analysis
Fuzzing
Manual Network Vulnerability Analysis
Source/Binary Analysis
Exploit Development
Open Source Research
Private Source Research

The unseen step: Picking your targets
Target: Bob

Third party software is often the problem
Target Software
Platform API: Win32/Posix/etc
Etc
libCrystalReports
OpenLDAP
libcurl
SSLeay
This you think you understand
This you may not even know is being used

Obtaining hardware and software is the hardest step

Protocol Analysis is often quite easy

Hackers always create custom client protocol libraries
Custom Client
Fuzzers
Manual Analysis
Exploits

Manual Security Analysis
Other
Authentication
Crypto
Overflows
Backdoors
Recon

Basic Binary Analysis for Fun and Profit
Look at all DLL

Not The Ideal Coding Style

What you can find in 1 hour of binary analysis
Basic data flow from the network
Coding style (the use of bad API, "DEBUG" string in command list, etc)
Potential vulnerabilities

One Week of Binary Analysis should get you at least one good vulnerability
But will probably get you several exploitable bugs, and potentially an exploit as well
Real binary analysis is almost never just static analysis
Which is why automated static analyzers are at a severe disadvantage from a human
This data will feed quite well into your fuzzer

Dynamic analysis provides for better analysis
BinDiff
Type Reconstruction
Data Flow Analysis
Call Graphs (Function Pointers)
Static Disassembly
Dynamic Analysis
Human Analysis

One month of binary analysis will get you a vulnerability no one else will ever find
Defeating the automated systems such as Prefix/Prefast, the SDL and SafeSEH/NX/ASLR may require this amount of effort
A lot of what you will do is build custom binary analysis scripts and protocol libraries
Vulnerabilities no one else will ever have are extremely useful

What binary analysis is and is not
In its most advanced form, you transform the program into another kind of program or equation and "solve" it to find vulnerabilities
Most people scan for code patterns or have code scanning for code patterns
Finding some bug classes is insanely hard this way

Source Code Analysis
Not as hard as you think from a hacker

Hackers do have the source code
Maintaining global information dominance means that source code to almost every product is available to a skilled hacker group
This puts them at an immediate advantage over security teams
They also have a tendency to work at software vendors

Automated source code analyzers don

On Tools
"Tools are very useful, we build a lot of tools, and use them all the time here at Microsoft. Some of those tools have found their way into our SDKs and Visual Studio so our customers can use them too. But I would never claim that these tools make code "free of security defects." - Michael Howard (Microsoft SWI)

The defensive side
Manual analysis burns out programmers quickly
Secure Software Design Programs such as Microsoft

How to build a fuzzer that finds bugs you care about

Your fuzzer and another hacker

What kind of fuzzer to write
I prefer block based
Use Python (everyone does)
Sulley is a good option
SPIKE, Peach
etc

Fuzzing is a many year process
For each vulnerability that comes out, make sure your fuzzer can find it, then abstract it a bit more
There

Myth: Fuzzing only catches low hanging fruit
Fuzzing can catch many vulnerabilities that are hard to see from the naked eye or from static analysis
DTLogin Arbitrary Free is one example
Off by ones
Race conditions

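An added example covering the three fuzzing slides above (what kind of fuzzer to write, abstracting each new bug into the fuzzer, and the off-by-one and length bugs fuzzing catches); it is not code from the talk, from SPIKE or from Sulley. It is a minimal block-based fuzzer in Python: size blocks are computed from the block they describe, so each case mutates one thing at a time, and a strict reference decoder shows which cases a hardened server should refuse. The wire format, the LOGIN/bob message and all function names are constructed for the demo.

```python
"""Minimal block-based fuzzer in the SPIKE/Sulley style (added demo, not Immunity's code).
Size blocks are computed from the block they describe, so payload mutations keep the
framing valid while size mutations deliberately lie (off-by-ones, overflow values).
Constructed wire format:  uint16 BE len(cmd) | cmd | 0x00 | uint32 LE len(arg) | arg"""
import struct

BAD_SIZES = [0, 1, 0x7F, 0x80, 0xFF, 0xFFFF, 0x7FFFFFFF, 0xFFFFFFFF]
BAD_STRINGS = [b"A" * 64, b"A" * 1024, b"A" * 70000, b"%s%n%x" * 8, b"\xff" * 32]

def render(cmd, arg, cmd_len=None, arg_len=None):
    """Serialize one message; an explicit *_len overrides the computed size block."""
    cmd_len = len(cmd) if cmd_len is None else cmd_len
    arg_len = len(arg) if arg_len is None else arg_len
    return (struct.pack(">H", cmd_len & 0xFFFF) + cmd + b"\x00"
            + struct.pack("<I", arg_len & 0xFFFFFFFF) + arg)

def fuzz_cases(cmd=b"LOGIN", arg=b"bob"):
    """Yield (label, message): the baseline first, then one mutation per case."""
    yield "baseline", render(cmd, arg)
    for s in BAD_STRINGS:                 # payload mutations, size blocks stay honest
        yield f"cmd={len(s)}B", render(s, arg)
        yield f"arg={len(s)}B", render(cmd, s)
    for n in BAD_SIZES:                   # size mutations, payload unchanged
        yield f"cmd_len={n:#x}", render(cmd, arg, cmd_len=n)
        yield f"arg_len={n:#x}", render(cmd, arg, arg_len=n)
    for d in (-1, 1):                     # off-by-one claims on the real length
        yield f"arg_len{d:+d}", render(cmd, arg, arg_len=len(arg) + d)

def parse(msg):
    """Strict reference decoder (what a hardened server should do); raises on bad framing."""
    if len(msg) < 2:
        raise ValueError("short header")
    (n,) = struct.unpack(">H", msg[:2])
    if len(msg) < n + 7 or msg[2 + n] != 0:
        raise ValueError("cmd truncated or unterminated")
    (m,) = struct.unpack("<I", msg[3 + n:7 + n])
    if len(msg) - (7 + n) != m:
        raise ValueError("arg length mismatch")
    return msg[2:2 + n], msg[7 + n:]

def framing_rejects(cases):
    """Count generated cases the strict decoder refuses (a quick fuzzer self-check)."""
    bad = 0
    for _, msg in cases:
        try:
            parse(msg)
        except ValueError:
            bad += 1
    return bad
```

Each case is labelled so that a crash can be traced back to the single field that was mutated; adding a new bug class means adding one more generator loop, which is the "abstract it a bit more" step the slide describes.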
Looking at emergent behaviours in the hacker community from small to large

Things you can

Hackers maintain a pipeline of things:
What protocols are most buggy that no one else is looking at
Bug classes that are hard to scan for by automated technologies
Bugs themselves
Exploitation techniques

0days are a hacker obsession
An 0day is a vulnerability that is not publicly known
IDS/IPS cannot find them
Can your forensics team figure them out
Modern 0days often combine multiple attack vectors and vulnerabilities into one exploit
Many of these are used only once on high value targets

Real-world 0day Statistics (as of June 16, 2007):
Average 0day lifetime: 348 days
Shortest life: 99 days
Longest life: 1080 days (3 years)

The Market Always Wins: 0day is for sale. Deal with it.
Tippingpoint
Eeye
Gleg.net
Dsquare
Idefense
DigitalArmaments
WabiSabiLabi
Breakingpoint
etc

Classes of Vulnerabilities
The classic example is the format string bug
printf(usersuppliedstring, args)
Easy to scan for with automatic tools or compiler options
Commonly available in code in 2000
Now an extinct species

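An added example, not from the talk, of why this class is so easy to scan for: a small line-oriented Python checker that flags printf-family calls whose format argument is not a string literal (the same condition gcc's -Wformat-security warns on). The C fragment it runs over, and the function names, are constructed for the demo.

```python
import re

# printf-family functions mapped to the 0-based position of their format argument
FORMAT_ARG = {"printf": 0, "vprintf": 0, "fprintf": 1, "vfprintf": 1,
              "sprintf": 1, "syslog": 1, "snprintf": 2, "vsnprintf": 2}
CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_ARG) + r")\s*\(")

def split_args(text):
    """Split a call's argument text on top-level commas (commas inside parens stay)."""
    args, depth, cur = [], 0, ""
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        args.append(cur.strip())
    return args

def find_format_bugs(source):
    """Return (line_no, function, format_arg) for every printf-family call whose
    format argument is not a string literal, i.e. may be attacker-influenced."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            depth, i = 1, m.end()              # walk to the matching close paren
            while i < len(line) and depth:
                depth += (line[i] == "(") - (line[i] == ")")
                i += 1
            args = split_args(line[m.end():i - 1])
            idx = FORMAT_ARG[m.group(1)]
            if idx < len(args) and not args[idx].startswith('"'):
                hits.append((no, m.group(1), args[idx]))
    return hits

# Constructed C fragment for the demo; gcc -Wformat-security warns on the same three calls.
SAMPLE_C = '''\
char buf[256];
printf("%s\\n", user);                 /* fine: literal format */
printf(user);                         /* bug: user-controlled format */
snprintf(buf, sizeof buf, req->msg);  /* bug */
syslog(LOG_INFO, "%s", msg);          /* fine */
fprintf(stderr, err_text);            /* bug */
'''
```

The checker is single-line and regex based, which is exactly why the slide calls this class easy: a one-literal-or-not test catches it, and the fix is always the same (`printf("%s", s)`).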
Vulnerability Classes you know about
Stack/Heap overflows
Format Strings
Race conditions
Uninitialized variable problems
Integer overflows and indexing problems

Vulnerability classes you don

Now: Defeating Patching, IDS, Anti-Virus, etc.
Be faster to attack than the defender can deploy patches
Attack frameworks, better debuggers
Attack with vulnerabilities that are unknown (0days)
New bug classes, better debuggers, new exploit techniques

The Future
Look for more embedded system attacks
Look for more interesting bug classes
Vista/Windows 7 = not the answer
Hacker Teamwork

Thank you for your time
Contact us at:
Security Research Team