7/30/2019 Guerrillas in the Wire
http://slidepdf.com/reader/full/guerrillas-in-the-wire 1/159
COMPLIANCE
CHRIS NICKERSON
Guerrillas in the Wires
hi. =)
Thanks
Anyway...
I’m Chris
-me
• Pain in the arse
• Loudmouth
• Hacker Punk
• Tells lies (professionally)
• Is called all sorts of bad words.. that I will likely say throughout this talk
• Can't code well
• Talks $hit
• Drinks a LOT
• Is an overall J3rk
LARES
Electronic
• Network Pentesting
• Surveillance / plants
Social
• In Person Social Engineering
• Phone Conversation
• Social Profiling
Physical
• Lockpicking
• Direct Attack
EP Convergence
• Attacks on physical systems that are network enabled
ES Convergence
• Blackmail
• Phishing
• Profiling
• Creating moles
PS Convergence
• Tailgating
• Impersonation
Figure Out What is Important to the company
Steal It!
To get you awake
Get you to THINK about
what we are doing
We are clearly doing something wrong
2012 Infosec Year In Review
2,644 incidents were reported (up 117.3% from 2011)
267,000,000 records exposed
Over 150,000,000 in ONE incident
84.7% of the records exposed came from business
45% of incidents included public releases of passwords
Persians vs Scythians
ROME vs Britons
Mongolians vs Tanguts
El Empecinado
Aka
Juan Martín Díez
Structure exists even in Guerrilla warfare
The only patch for Human Stupidity is EXPERIENCE
So how does all of this apply to us?
Environment
Attacker / Defender
Home Field Advantage
ENCRYPTION
Own the box/steal the keys
Keylog
GPU Cracking is fun TO the cloud!!
Attack 3rd party crypt
And if all else fails…
Nmap… --data-length=0
Or -f
Or just go faster -T5
Lame… that this STILL works in many cases
Roll your own crypto
Use “other” data streams (mDNS, AirDrop, BITS, DNS, HTTP, SIP)
Go to the phones.. (Translate to 16 octave audio and exfil over fax)
Hopefully you saw Steffen Wendzel’s talk; if not, go find em
AV/Anti-
Custom checksums are not hard… there's apps for that =)
Clearthelog.rb
… rm
Run scripty log cleaners in your tools* (MSF, CORE, CANVAS all have them)** (so do most exploit kits; yeay china)
Of the 6 Top Firewalls
How many can effectively block TCP ports?
- Source: NSS Labs Firewall Group Test, Section: TCP Split Handshake
WHAT DO WE DO?
STEP 0
STEP 0
EDUCATION
Implement Awareness and Knowledge Formula
Defense = capability (awareness + knowledge) + experience
Capability = (Knowledge + Awareness): can we defend against an attack?
Experience: overall ability to understand/plan/execute and remain on task during the event
**ps… this is not math… just conceptual. Most companies out there couldn’t put actual ACCURATE values on controls or any of the areas above if they even tried.
Crawl, walk, run…
Practice BASIC INFOSEC!
Patching
“The more sophisticated the technology, the more vulnerable it is to primitive attack. People often overlook the obvious” – Dr WHO
Align With the business objectives
What does your company DO???
How does it do it?
Now what?
Business objectives:
• Grow Revenue
• Increase Product reliability
• Increase brand value
• Launch xyz new thing
• Increase customer service/satisfaction
Security spend:
• Buy firewall
• Deploy DLP
• Move to Cloud
• Install moar AV
• WAF
How much do you spend on Disaster Recovery.
(Average is 1 8% t t l
Average cost of a downtime: $287,600
Multiply that by the # of bugs found in code that can stop a service
TEST TO SEE IF IT WORKS….. DUMMY
Vulnerability Assessments?
Process
Figure Out What the Company Thinks is Important
Steal It!
Level 5
- Scope: + Custom designed attack kits
- Time window: At ANY time
- Interaction: Non Interactive, without update
- Attack types: + Corporate Partner Attacks
Level 4
- Scope: + 0day development
- Time window: At ANY time
- Interaction: Non Interactive, without update unless urgent/issue based
- Attack types: + Physical Attacks
Level 3
- Scope: Exploitation of ALL KNOWN vulnerabilities w/ non-interactive sessions
- Time window: Extended engagement time window
- Interaction: Non interactive w/ update
- Attack types: + Individual attacks
Level 2
- Scope: Exploitation of Known vulnerabilities at ALL layers w/ interactive sessions
- Time window: Unlimited time window during engagement
- Interaction: Interactive w/ scheduled update
- Attack types: + Indirect attacks
Level 1
- Scope: Exploitation of known vulnerabilities at all layers under Application with interactive sessions
- Time window: Constrained time windows
- Interaction: Interactive w/ constant client update
- Attack types: Direct Attacks
FOLLOW A REPEATABLE METHODOLOGY
Allow a FULL TEST to get FULL VALUE
• ACT as you would NORMALLY
– Systems attack: tests IR plan
– System Error: tracks mean time to issue identification
– Service Outage: tests/identifies flaws in BCP
– System down: tests/identifies flaws in DR plan
SET REASONABLE EXPECTATIONS
What do you have to lose?
YOU HAVE ALREADY BEEN HACKED