Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor. | ©2017 CliftonLarsonAllen LLP
White Hat Hacker: Anatomy of an Attack
Minnesota Medical Group Management Association, March 2018
WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING
The Attacker
• David Anderson
– Farm kid turned hacker
– Offensive Security Certified Professional
– Oversee and participate in:
◊ Penetration Testing
◊ Social Engineering
◊ Vulnerability Assessments
– Yes, I am older than 18
Outline
• Anatomy of an Attack
– Reconnaissance
– Remote Access
– Privileges, Pivoting, and Accessing Data
• Key Takeaways
– Mitigate these risks
Target
• Who am I after?
– Healthcare System
• Who do I target initially?
– Their billing company
• Why?
– Let’s find out
Reconnaissance
Reconnaissance
• Technical
– Port and Service enumeration
– Shodan
– Web Applications
• Non-Technical (OSINT)
– Social Media
– Employees / Customers / Business Partners
– Public Resources (Court Records)
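What "port and service enumeration" actually does, as an added example that is not from the original talk: a TCP connect scan that grabs each service's banner and fingerprints it. To stay offline it scans a local stand-in listener whose banner, host name and port are constructed for the example; nmap -sV does the same against a real perimeter with a far larger signature database.

```python
import socket
import threading

# Constructed banner for the local stand-in service (not a host from the talk).
FAKE_BANNER = b"220 mail.example.test ESMTP Postfix\r\n"

# Signatures matched against the first bytes a service volunteers.
SIGNATURES = [
    ("smtp", lambda b: b.startswith("220") and "SMTP" in b.upper()),
    ("ftp", lambda b: b.startswith("220") and "FTP" in b.upper()),
    ("ssh", lambda b: b.startswith("SSH-")),
    ("http", lambda b: b.startswith("HTTP/")),
]


def fingerprint(banner: str) -> str:
    """Map a banner to a service name; empty banner means the service
    waited for the client to speak first."""
    for name, matches in SIGNATURES:
        if matches(banner):
            return name
    return "unknown" if banner else "no-banner"


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """TCP connect, then read whatever the service sends unprompted."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(256).decode("ascii", errors="replace").strip()
        except socket.timeout:
            return ""


def scan(host: str, ports, timeout: float = 1.0) -> dict:
    """Connect scan; returns {port: (service, banner)} for ports that
    accepted the connection. Refused/unreachable/timed-out ports are skipped."""
    found = {}
    for port in ports:
        try:
            banner = grab_banner(host, port, timeout)
        except OSError:
            continue
        found[port] = (fingerprint(banner), banner)
    return found


def start_fake_service(banner: bytes = FAKE_BANNER) -> socket.socket:
    """Local listener standing in for an Internet-facing mail server."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:        # listener closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def closed_port() -> int:
    """A currently free port, so the scan also has a negative case."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo() -> dict:
    """Scan one closed and one open local port; returns the scan result."""
    srv = start_fake_service()
    open_port = srv.getsockname()[1]
    try:
        return scan("127.0.0.1", [closed_port(), open_port])
    finally:
        srv.close()


if __name__ == "__main__":
    for port, (service, banner) in sorted(demo().items()):
        print(f"{port}/tcp open  {service:8s} {banner}")
```

Services that speak first (SMTP, SSH, FTP) identify themselves without being probed; HTTP waits for the client, so a real scanner follows up with a request. Either way the open port is recorded, which is the "interesting target" list the next slides are built from.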
Service Enumeration
Shodan
Reconnaissance
• Why are we doing this?
– Find interesting/potential targets
– Does the company have a VPN system?
– Does the company have “juicy” websites?
◊ Outlook Web App / Web-based Email
◊ Sites that allow access to medical records
Court Records
Remote Access
Delivery
• Social Engineering
– Phishing / Email spoofing
– Call spoofing
– In Person
Phishing Website
Poor Email Filtering
SMTP Envelope (the MAIL FROM / RCPT TO commands the gateway accepted):
Connected to mail.XXXXXXX.com (38.9.X.X).
MAIL FROM: <[email protected]>
250 OK
RCPT TO: <[email protected]>
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
SMTP Message (the FROM / TO headers the recipient sees):
FROM: <[email protected]>
TO: <[email protected]>
Subject: Free Tesla Car
Both the envelope sender and the FROM header are set by the connecting client. The gateway answered "250 OK" without rejecting the claimed sender, and the FROM header is written separately after DATA, so a filter that checks only the envelope never sees what the recipient is shown.
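The check the gateway above should have made, as an added example that is not from the original talk: parse the transcript into envelope and header identities, evaluate the sender domain's SPF record for the connecting IP, and flag the cases a spoofing-aware filter rejects. The addresses, host names, IPs and SPF records are constructed (the ones on the slide are redacted), and the SPF evaluator covers only the ip4, ip6 and all terms.

```python
import ipaddress
import re

# Constructed client-side SMTP transcript, modelled on the one in the talk.
# Addresses and hosts are made up; the slide's are redacted.
SESSION = """\
Connected to mail.example.com (38.9.0.10).
MAIL FROM: <ceo@example.com>
250 OK
RCPT TO: <payroll@example.com>
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
FROM: <ceo@example.com>
TO: <payroll@example.com>
Subject: Free Tesla Car
"""

ADDR = re.compile(r"<([^>]+)>")
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _addr(text: str) -> str:
    """Address inside <...>, or the text after the first colon as a fallback."""
    m = ADDR.search(text)
    return (m.group(1) if m else text.split(":", 1)[-1].strip()).lower()


def parse_session(text: str) -> dict:
    """Split a transcript into the SMTP envelope (MAIL FROM / RCPT TO, plus
    whether the server answered 250 to MAIL FROM) and the message header
    (From / To), which the client writes independently after DATA."""
    env = {"mail_from": None, "rcpt_to": None, "accepted": False}
    hdr = {"from": None, "to": None}
    in_data, pending = False, None
    for line in text.splitlines():
        upper = line.strip().upper()
        if in_data:
            key, _, rest = line.partition(":")
            if key.strip().lower() in hdr:
                hdr[key.strip().lower()] = _addr(rest)
        elif upper.startswith("MAIL FROM:"):
            env["mail_from"] = _addr(line)
            pending = "mail_from"
        elif upper.startswith("RCPT TO:"):
            env["rcpt_to"] = _addr(line)
        elif upper == "DATA":
            in_data = True
        elif pending and upper.startswith("250"):
            env["accepted"] = True
            pending = None
    return {"envelope": env, "header": hdr}


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def spf_check(client_ip: str, record: str) -> str:
    """Evaluate an SPF record for the connecting IP. Only ip4/ip6 mechanisms
    and the 'all' qualifier are handled; include/a/mx need DNS and are out
    of scope for this example (assumption)."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        q = "+"
        if term[0] in QUALIFIER:
            q, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER[q]
        if name == "all":
            return QUALIFIER[q]
    return "neutral"            # RFC 7208 default when no mechanism matched


def assess(transcript: str, client_ip: str, spf_records: dict) -> list:
    """What the gateway should have concluded: reject mail claiming the
    organisation's own domain from a host its SPF record does not authorise,
    and flag a header From that does not align with the envelope sender."""
    s = parse_session(transcript)
    env, hdr = s["envelope"], s["header"]
    findings = []
    sender_dom, rcpt_dom = domain(env["mail_from"]), domain(env["rcpt_to"])
    if env["accepted"] and sender_dom == rcpt_dom:
        verdict = spf_check(client_ip, spf_records.get(sender_dom, ""))
        if verdict != "pass":
            findings.append(f"accepted MAIL FROM @{sender_dom} from {client_ip} "
                            f"for local domain @{rcpt_dom} with SPF {verdict}")
    if hdr["from"] and domain(hdr["from"]) != sender_dom:
        findings.append(f"header From @{domain(hdr['from'])} does not align "
                        f"with envelope sender @{sender_dom}")
    return findings


if __name__ == "__main__":
    # Constructed: attacker at 203.0.113.5, organisation publishes a strict record.
    records = {"example.com": "v=spf1 ip4:38.9.0.0/24 -all"}
    for f in assess(SESSION, "203.0.113.5", records):
        print("REJECT:", f)
```

A ~all (softfail) record is the usual half-measure: it marks the mail rather than failing it, and most gateways still deliver it. Blocking the session on the slide needs a -all record on the organisation's own domain and a gateway that actually enforces it on inbound mail claiming that domain.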
Delivery
• On the Phone
– It is easy to spoof caller ID
• [AUDIO]
Delivery
• In Person
– RFID clone
– Media drops
– Tailgating
Not this tailgating…
• [VIDEO]
Success!
Remote access to billing company!
Privileges, Pivoting, and Accessing Data
Internal Network Recon
• Where am I?
• Who am I?
• What privileges do I have?
• Do I have local admin rights?
• Who is on the network?
• Who are the administrators?
One Big Happy Family
BloodHound
Internal Network Recon
• Default/easily guessable passwords
– Winter2018
• Misconfiguration
– Open file shares (no restrictions)
• Missing patches
– WannaCry (MS17-010)
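Why Winter2018 is the first password an attacker tries, as an added example that is not from the original talk: the first function generates the season-plus-year list used in a password spray (one guess per account across many accounts, so lockout thresholds are never reached), and the second is the check a password filter or audit script can run to reject such passwords, including the leet-speak and punctuation variants users add to satisfy complexity rules. The word lists and the company name are constructed for the example.

```python
import re
from itertools import product

SEASONS = ["winter", "spring", "summer", "fall", "autumn"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
COMMON = ["password", "welcome", "changeme", "letmein"]

# Substitutions users make to pass complexity rules without adding entropy;
# undone before matching.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def spray_candidates(years, bases=SEASONS, suffixes=("", "!", "1", "!!")):
    """The attacker's spray list: capitalised season, four- or two-digit
    year, common suffix. Order preserved, duplicates removed."""
    out = []
    for base, year, suffix in product(bases, years, suffixes):
        for y in (str(year), str(year)[-2:]):
            out.append(f"{base.capitalize()}{y}{suffix}")
    return list(dict.fromkeys(out))


def guessable_base(password, company_words=()):
    """Return the dictionary word a password is built on, or None.
    Matches <word><up to four digits> after lower-casing, stripping
    punctuation and undoing leet substitutions, so Winter2018, W1nter2018!
    and P@ssw0rd1 are all caught."""
    bases = set(SEASONS + MONTHS + COMMON + [w.lower() for w in company_words])
    core = re.sub(r"[^a-z0-9@$]", "", password.lower())
    for i in range(3, len(core) + 1):
        word, rest = core[:i], core[i:]
        if rest and not (rest.isdigit() and len(rest) <= 4):
            continue
        plain = word.translate(LEET)
        if plain in bases:
            return plain
    return None


if __name__ == "__main__":
    # Constructed company name for the example.
    for pw in ("Winter2018", "W1nter2018!", "P@ssw0rd1", "Acme2018", "correct horse battery staple"):
        print(f"{pw!r:35} -> {guessable_base(pw, company_words=('Acme',))}")
    print(len(spray_candidates([2017, 2018])), "spray candidates")
```

Sprays work because the guess list is tiny and the account list is large. The defence is a filter that rejects dictionary-word-plus-year passwords as they are set, together with the two-factor requirement from the takeaways, not a longer lockout window.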
Capture the Flag
• Gain Admin Creds
• Asset Identification
• Asset Acquisition
Exfiltration
• Collect Data
• Package it up
– Compress
– Encrypt
• Send it out
How to Protect Yourself
Key Takeaways
• Understand what you publish online in public
• Two-Factor Authentication
– VPN, webmail, etc.
– Protect all external authentication that employees/vendors use
• Configure the spam filter to block spoofing
• Understand remote connections to vendors
– Restrict and monitor this access
• Don’t give standard users administrative privileges on workstations/servers
• Restrict egress traffic
– Don’t allow users to use file-sharing services
• Monitor your systems
– Everything supports logging; make sure you configure it
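What "restrict egress traffic" and "monitor your systems" look like against the exfiltration steps earlier in the talk (collect, compress, encrypt, send it out), as an added example that is not from the original talk: three detections over a web-proxy log, for file-sharing destinations, archive uploads and per-host upload volume. The log lines, host names and thresholds are constructed for the example, and the file-sharing list is a short illustrative one.

```python
from collections import defaultdict

MiB = 1024 * 1024

# Constructed web-proxy log (not from the original talk). Columns: time,
# source host, method, destination host, bytes sent by the client, request
# content type. Names are examples only.
PROXY_LOG = """\
2018-03-06T13:02:11 WS-0417 GET  intranet.example.com     512        -
2018-03-06T13:04:52 WS-0417 POST webmail.example.com      2048       application/x-www-form-urlencoded
2018-03-06T13:10:03 WS-0417 PUT  content.dropboxapi.com   734003200  application/octet-stream
2018-03-06T13:11:40 WS-0417 PUT  content.dropboxapi.com   698351616  application/zip
2018-03-06T13:15:09 WS-0211 GET  www.example.org          1024       -
2018-03-06T13:20:30 WS-0211 POST upload.wetransfer.com    52428800   application/octet-stream
"""

# Consumer file-sharing services the takeaway says users should not reach
# from the internal network (suffix match; illustrative, extend as needed).
FILE_SHARING = ("dropboxapi.com", "dropbox.com", "wetransfer.com",
                "mega.nz", "drive.google.com", "box.com")
ARCHIVE_TYPES = {"application/zip", "application/gzip", "application/x-tar",
                 "application/x-7z-compressed", "application/x-rar-compressed"}
UPLOAD_METHODS = {"PUT", "POST"}


def parse_log(text: str) -> list:
    """One dict per log line; byte counts as integers."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, dst, sent, ctype = line.split()
        events.append({"ts": ts, "src": src, "method": method, "dst": dst,
                       "sent": int(sent), "ctype": ctype})
    return events


def is_file_sharing(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in FILE_SHARING)


def find_exfil(events: list, volume_threshold: int = 100 * MiB) -> list:
    """Three detections layered on the same log: destination on the
    file-sharing list, archive (compressed) upload, and total upload volume
    per source host above a threshold."""
    findings = []
    uploaded = defaultdict(int)
    for e in events:
        is_upload = e["method"] in UPLOAD_METHODS
        if is_upload:
            uploaded[e["src"]] += e["sent"]
        if is_file_sharing(e["dst"]):
            findings.append({"rule": "file-sharing-destination", "src": e["src"],
                             "detail": f'{e["method"]} {e["dst"]} {e["sent"]} bytes'})
        if is_upload and e["ctype"] in ARCHIVE_TYPES:
            findings.append({"rule": "archive-upload", "src": e["src"],
                             "detail": f'{e["ctype"]} to {e["dst"]}'})
    for src, total in uploaded.items():
        if total > volume_threshold:
            findings.append({"rule": "upload-volume", "src": src,
                             "detail": f"{total / MiB:.0f} MiB uploaded"})
    return findings


if __name__ == "__main__":
    for f in find_exfil(parse_log(PROXY_LOG)):
        print(f'{f["rule"]:26} {f["src"]:8} {f["detail"]}')
```

An encrypted archive arrives as application/octet-stream, so the content-type rule misses it; the volume rule and the destination list are what catch the encrypted case, which is why the three are layered rather than relied on singly. Blocking the destinations at the egress proxy removes the easy path; the volume rule is what remains when the attacker picks a host that is not on any list.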
CLAconnect.com
Thank you!
David Anderson 612-397-3132
david.anderson@CLAconnect.com