Iftach Ian Amit | November 2011 www.security-art.com All rights reserved to Security Art ltd. 2002-2011 Advanced Data Exfiltration The way Q would have done it Iftach Ian Amit VP Consulting DC9723 CSA-IL Board member IL-CERT Visionary Wednesday, December 7, 11

Advanced Data Exfiltration - the way Q would have done it

DESCRIPTION

An updated version of my data exfiltration talk. Much more "visual" in nature. Used it at Hashdays, Govcert.NL, SourceBCN, and SecurityZone.

whoami

Agenda

• eMails, web links, phishing...

• Works like a charm!

• And can be mostly automated

• SET to the rescue

And... being nice/nasty/obnoxious/needy always helps!

[Diagram labels: Internet, 3rd party, You!, Target]

What is the target “willing” to tell about itself?

Who’s your daddy? And buddy, and friends, relatives, colleagues...

Select your target wisely

And then craft your payload :-)

• ZeuS: $3000-$5000

• SpyEye: $2500-$4000

• Limbo: $500-$1500

FREE!

Experienced travelers know the importance of packing properly

• File servers

• Databases

• File types

• Gateways (routes)

• Printers

PATIENCE

• Mass infection: 5-6 days before detection; frequent updates

• APT: 5-6 months before detection; no* updates

* Almost

So...

[Slide shows a PGP-armored message block (GnuPG/MacGPG2 v2.0.14, Darwin)]

Still “too detectable”

Much better

• Throws in some additional encodings

• And an XOR for old time’s sake

• And we are good to go...

• 0% detection rate

Resistance is futile

[Slide graphic: port numbers 80, 443, 53]

Kill some trees

Good ol’e DD...

1 0 1 0

1/2 byte = 16 values

DEMO

Killing paper isn’t nice

• Fax it!

• Most corporations have email-to-fax services

• heard of the address [email protected] ?

• Just send any document (text, doc, pdf) to it and off you go with the data...

Conclusions

• Start with the human factor

• Then add technology

• Where people leave data

• Hint - spend time with developers.

• “Hack” the business process

• Test, test again, and then test. Follow with a surprise test!

“be true to yourself, not to what you believe things should look like”

Old Chinese proverb

They are YOUR assets after all

No reason to be shy about it...

And remember to add honey...

TEST SOME MORE

For hints/guides see: www.pentest-standard.org

Questions?

Thank you! Whitepapers: www.security-art.com

Too shy to ask [email protected]

Need your daily chatter? twitter.com/iiamit

Data modulation Exfil POC: http://code.google.com/p/data-sound-poc/
