Agenda
The advanced threat cycle, and what attack techniques and tools are seen most frequently
What most internal pen testing teams are doing today, and why it may not be adequate for today's threat landscape
How internal pen testing teams can switch up their normal testing regimens to better represent advanced threats to organizations
Tips for how to prevent and detect advanced malware as part of your assessment program
What's an APT?
The APT is
A more methodical, professional attack conducted by well-organized and possibly well-funded attackers
We've settled on this term for anything even remotely sophisticated or targeted
Is this a cop out?
Are all of these breaches that sophisticated at all?
Advanced threat cycle (diagram): Initial intrusion -> Backdoors and persistence -> Advancement -> Maintenance
April 2009:
US Electrical Grid compromised by Chinese & Russian hackers
US Joint Strike Fighter Program compromised through contractor networks; data was encrypted
June 2010:
Stuxnet discovered, affecting Siemens SCADA control systems
And there's plenty of hacktivism targeting that's happening with Lulzsec and Anonymous
Use of common document formats for delivery, such as PDF, DOC, XLS, etc.
Focus on client-side software exploits
Data stealing code components
Attack instructions
Operation Aurora
A highly sophisticated malware penetration by Chinese hackers against major companies like Google and Adobe
Involved:
0-day browser exploit
Embedded shellcode
Flexible payload
Custom encrypted C&C traffic on port 443
Network Backdoor
Opens a backdoor listener on TCP port 7777
Accepts CLSID values sent to the port, XOR'd with 0xE5
{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}: Trojan Health Check
{F6C43E1A-1551-4000-A483-C361969AEC41}: Send a file to attacker
{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}: Directory/file contents
{783EACBF-EF8B-498e-A059-F0B5BD12641E}
{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}: Drive information
{98D958FC-D0A2-4f1c-B841-232AB357E7C8}: Create a file on the system
{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}
{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}: Add a RunOnce Registry entry
{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}: Download a file to execute
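Because the commands are XOR'd before they hit the wire, a plain string match on the CLSIDs will not find this traffic. The following is an added example for incident responders, not code from the original presentation: it decodes a captured client-to-backdoor byte stream with the 0xE5 key described above, labels each record with the command meaning the slides give, and offers a shape-based heuristic for traffic to the backdoor port. The sample "capture" is constructed in the block itself; the two CLSIDs the slides list without a description are kept without one.

```python
# Added example (not from the original slides): decode captured Aurora-style
# backdoor commands. The slides state the backdoor listens on TCP 7777 and
# accepts CLSID values XOR'd with 0xE5; the meanings below are the ones the
# slides list. All sample data here is constructed for illustration.

XOR_KEY = 0xE5
CLSID_LEN = 38  # "{" + 36 characters of hex and dashes + "}"

# CLSID -> meaning as given in the presentation. Two entries were listed
# without a description and are kept that way (None).
AURORA_COMMANDS = {
    "{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}": "Trojan Health Check",
    "{F6C43E1A-1551-4000-A483-C361969AEC41}": "Send a file to attacker",
    "{EA7A2EB7-1E49-4d5f-B4D8-D6645B7440E3}": "Directory/file contents",
    "{783EACBF-EF8B-498e-A059-F0B5BD12641E}": None,
    "{0174D2FC-7CB6-4a22-87C7-7BB72A32F19F}": "Drive information",
    "{98D958FC-D0A2-4f1c-B841-232AB357E7C8}": "Create a file on the system",
    "{4F4F0D88-E715-4b1f-B311-61E530C2C8FC}": None,
    "{384EBE2C-F9EA-4f6b-94EF-C9D2DA58FD13}": "Add a RunOnce Registry entry",
    "{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}": "Download a file to execute",
}

# Case-insensitive lookup: the published CLSIDs mix upper- and lower-case hex.
_LOOKUP = {k.upper(): (k, v) for k, v in AURORA_COMMANDS.items()}


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; the same operation encodes and decodes."""
    return bytes(b ^ key for b in data)


def looks_like_aurora(captured: bytes) -> bool:
    """Heuristic for traffic to the backdoor port: after XOR with 0xE5 the
    first record has CLSID shape (braces, dashes at fixed offsets, hex elsewhere)."""
    plain = xor_bytes(captured[:CLSID_LEN])
    if len(plain) != CLSID_LEN or plain[:1] != b"{" or plain[-1:] != b"}":
        return False
    body = plain[1:-1].decode("ascii", errors="replace")
    for i, ch in enumerate(body):
        if i in (8, 13, 18, 23):
            if ch != "-":
                return False
        elif ch not in "0123456789abcdefABCDEF":
            return False
    return True


def decode_stream(captured: bytes) -> list:
    """Decode a captured client->backdoor stream into labelled commands.

    The stream is cut into 38-byte records after decoding; a trailing partial
    record is ignored. Records that are not a known CLSID are reported as
    'unknown' rather than silently dropped.
    """
    plain = xor_bytes(captured)
    usable = len(plain) - len(plain) % CLSID_LEN
    results = []
    for i in range(0, usable, CLSID_LEN):
        record = plain[i:i + CLSID_LEN].decode("ascii", errors="replace")
        hit = _LOOKUP.get(record.upper())
        if hit is None:
            results.append({"clsid": record, "meaning": "unknown"})
        else:
            results.append({"clsid": hit[0],
                            "meaning": hit[1] or "undocumented in slides"})
    return results


def build_sample_capture(clsids) -> bytes:
    """Constructed test data only: the wire form of a sequence of commands,
    used here to exercise the decoder."""
    return xor_bytes("".join(clsids).encode("ascii"))


if __name__ == "__main__":
    sample = build_sample_capture([
        "{E2AC5089-3820-43fe-8A4D-A7028FAD8C28}",
        "{8AF1C164-EBD6-4b2b-BC1F-64674E98A710}",
    ])
    print("CLSID-shaped after XOR 0xE5:", looks_like_aurora(sample))
    for cmd in decode_stream(sample):
        print(f"{cmd['clsid']}  ->  {cmd['meaning']}")
```

In practice the input would be the reassembled TCP payload of a session to port 7777 pulled from a packet capture; the heuristic is a cheap first pass to decide which sessions are worth decoding in full.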
Here it is again
Follow a Methodology
There are not many standards in use today for assessments and pen tests
Some exist, though:
OSSTMM
NIST guidelines
Interpret language from scanners and don't just paste Nessus results into the report
Include tools used and output from tools for technical teams to leverage in validation and remediation efforts
Usually best to include this as an Appendix or separate report
Repeatability
Listing the actual tools used, the process followed, and how things flowed during the assessment is key
This can follow the Recon / Scanning / Exploit cycle or some other format
Keep track of process with a Wiki or some other tracking tools during assessments
Build on this for the report
Ensure both attacks and successful exploits are framed in the context of priorities to your business
Any VA/PT should be focused on your actual risks, not just a scan or exploit to prove you're vulnerable
Step 1: Recon
Step 2: Targeted Attack
Step 3: Gaining Access
Step 4: Command and Control
Step 1: Recon
Recon sources shown: Twitter, Starbucks, Sniffing
And marrying the detection side of the house with what I did during the test.
This way, you can actually improve SECURITY PROCESS, not just infrastructure posture
Detection: Behavior
Host level behavior:
Should the lsass process be communicating outbound on port 30204? Should the notepad process be modifying the Registry?
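The two questions above are baseline questions: does this process normally do this at all? The block below is an added example, not code from the presentation, showing how such a check looks when written down. The events are simplified, constructed records of what an endpoint agent or Sysmon-style log might report, and the allow-lists are illustrative assumptions rather than a vendor baseline.

```python
# Added example (not from the original slides): host-behavior checks in the
# spirit of "should lsass talk outbound on 30204?" and "should notepad write
# the Registry?". Events and allow-lists are constructed for illustration.

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HostEvent:
    process: str                    # image name, e.g. "lsass.exe"
    kind: str                       # "network" or "registry"
    dest_port: Optional[int] = None
    dest_ip: Optional[str] = None
    reg_key: Optional[str] = None


# Constructed baseline (assumption, not a real vendor list): which processes
# are expected to connect outbound, and on which ports.
EXPECTED_OUTBOUND = {
    "svchost.exe": {53, 80, 123, 443},
    "chrome.exe": {80, 443},
    "outlook.exe": {443, 587, 993},
}

# Constructed baseline: processes expected to write the Registry.
EXPECTED_REGISTRY_WRITERS = {"svchost.exe", "msiexec.exe", "explorer.exe"}

# Processes that should never originate outbound traffic themselves.
NO_NETWORK_PROCESSES = {"lsass.exe", "notepad.exe", "calc.exe", "csrss.exe"}


def evaluate(event: HostEvent) -> Optional[str]:
    """Return an alert string if the event departs from the baseline, else None."""
    proc = event.process.lower()
    if event.kind == "network":
        if proc in NO_NETWORK_PROCESSES:
            return (f"ALERT: {proc} made an outbound connection to port "
                    f"{event.dest_port} ({event.dest_ip})")
        allowed = EXPECTED_OUTBOUND.get(proc)
        if allowed is None:
            return (f"ALERT: unbaselined process {proc} connected outbound "
                    f"to port {event.dest_port}")
        if event.dest_port not in allowed:
            return f"ALERT: {proc} used unexpected port {event.dest_port}"
        return None
    if event.kind == "registry":
        if proc not in EXPECTED_REGISTRY_WRITERS:
            return f"ALERT: {proc} modified Registry key {event.reg_key}"
        return None
    return f"ALERT: unknown event kind {event.kind!r} from {proc}"


def run_detection(events: List[HostEvent]) -> List[str]:
    """Apply evaluate() to a batch of events and return only the alerts."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample events: the two cases from the slide plus normal noise.
SAMPLE_EVENTS = [
    HostEvent("svchost.exe", "network", dest_port=443, dest_ip="203.0.113.10"),
    HostEvent("lsass.exe", "network", dest_port=30204, dest_ip="198.51.100.7"),
    HostEvent("notepad.exe", "registry",
              reg_key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    HostEvent("explorer.exe", "registry", reg_key=r"HKCU\Software\Classes"),
    HostEvent("chrome.exe", "network", dest_port=8443, dest_ip="192.0.2.5"),
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

The value of a check like this is entirely in the baseline: it has to be built from what your own hosts actually do, and kept current, or the rules become either noise or blind spots.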
Although difficult to detect, 0-day and stealthy attacks may be prevented by behavioral analysis and lockdown
Use anti-virus too, although its effectiveness is waning
Any HIDS/HIPS and memory monitoring is also very useful
May be bundled with A/V and other agents
Ensure you have remote logging and log analysis technologies and capabilities in place
Create customized pen test scenarios with client-side exploits and obfuscated PDF/DOC-embedded malware
Continuous Monitoring
Although this is a FISMA concept in the US government, it could and should apply to all organizations
Key controls to monitor regularly (via scripts) or continually (with an agent):
File integrity for key areas of the OS
Logs for failed access or unusual access patterns
Anti-virus or other host security alerts
Network behaviors and flow data
SIEM console, if available
Port scans and local tools like netstat and Process Explorer can help, too