feedbacks on 10y of pentesting and dfir how to increase
play

Feedbacks on 10y of pentesting and DFIR How to increase your - PowerPoint PPT Presentation

Nov 14, 2022 •263 likes •677 views

Feedbacks on 10y of pentesting and DFIR How to increase your detection capabilities Julien Bachmann @milkmix_ 24 April 2017 OWASP, Geneva INTRO 1 24/04/2017 OWASP, Geneva ABOUT ME 3 Julien Bachmann Current CTO @ Hacknowledge Swiss

  1. Feedbacks on 10y of pentesting and DFIR How to increase your detection capabilities Julien Bachmann @milkmix_ 24 April 2017 OWASP, Geneva

  2. INTRO 1 24/04/2017 OWASP, Geneva

  3. ABOUT ME 3 Julien Bachmann Current CTO @ Hacknowledge Swiss security monitoring solution Guest lecturer @ Swiss schools on software exploitation and dfir Past 10 years Security Researcher • • Security Architect Pentester and incident responder • 24/04/2017 OWASP, Geneva

  4. THIS TALK 4 No magic spell • Unfortunately what I present will not make you hackproof Still looking for the magic solution if anyone care to share ;) • Yet, techniques learned from the other side Before being fully on the incident detection side, we were mostly “creating them” • • Help to detect incidents faster Practical tips • 24/04/2017 OWASP, Geneva

  5. TODAY’S STATUS 5 Companies still got owned • No-one found this silver bullet, yet Mean time to discovery is still high • Could be up to 6 months, or even more Problem is that attackers can grab their loots or destroy your infrastructure in less • than a week… Discovery is often not due to the company own detection capabilities • Ransom request or public leak Third party that detected something suspicious • 24/04/2017 OWASP, Geneva

  6. TODAY’S STATUS 6 “Yeah but it’s those damn 0day! What could I do!” • Unfortunately it’s not, stop blaming them Yet this could be a major PITA if the attack is targeted or event large scale 0day • shopping • Struts2 CVE-2017-5638 at the beginning of this month CVE-2017-7269 • But true that they can hit you Worm using 0day to propagate • • Sometimes the patch is not existing yet CVE-2017-0016 • • Still, most of the time it uses a N-day that hasn’t been patched yet 24/04/2017 OWASP, Geneva

  7. FIRST STEP 2 DON’T FORGET PEOPLE 24/04/2017 OWASP, Geneva

  8. LEVERAGE PEOPLE 8 Before speaking about technical aspects • This part is often neglected and creates silos within the company Dev vs Ops vs Net, all against Sec ;) • • How to detect suspicious behavior in your business application if security never spoke with business people? 24/04/2017 OWASP, Geneva

  9. LEVERAGE PEOPLE 9 Methods that help • Recruit security champions within teams as liaison-agents Join the DevOps/Agile movements and integrate security within all processes • • Easier said than done • Also, use techniques advertised by DevOps movement CD/CI • API and integrate your tools • 24/04/2017 OWASP, Geneva

  10. THE 3 EXFILTRATION CASE 24/04/2017 OWASP, Geneva

  11. THE EXFILTRATION CASE 11 Attacker compromised company’s infrastructure • Gain access from vulnerable server in the DMZ Pivoted a few times • Gain access to internal infrastructure • Their goal • Data extraction Created massive tarball with files to extract • 24/04/2017 OWASP, Geneva

  12. THE EXFILTRATION CASE 12 How attackers got detected? • Windows administrator created alerts for hard disks nearly full, which triggered Inspected the machine and found the large file • Listed processes and schedule tasks • >> Called the ghostbusters ;) Morality Use monitoring tools as a first easy line • 24/04/2017 OWASP, Geneva

  13. THE EXFILTRATION CASE 13 Next step : gain persistence • Multiple ways to do so like registry keys, services, or… In this case they used Scheduled Tasks • Tasks ran RAT dropped and stored locally • Services • Another way to gain persistence is through services 24/04/2017 OWASP, Geneva

  14. THE EXFILTRATION CASE 14 From the blue team side of things this leaves plenty of traces! Execution Execution of at.exe • • Creation of tasks pointing to suspicious folders Logs Creation of a scheduled task : eventID 106 • Creation of a new service : eventID 7045 • • RunAs generated by scheduled tasks 4648 Traces of execution of the at command: eventID 4688 • • Since 7 / 2008r2, but you don’t have any XP/2003 left yeah? In the GPO : Process Tracking > Process Creation • Don’t forget to enable command line traces • 24/04/2017 OWASP, Geneva

  15. THE EXFILTRATION CASE 15 Ok they got access and persistence now what? • Multiply, just like Gremlins! Meaning: look for other targets to pivot to on your infrastructure • Techniques that can be used Basic network scan for 135/tcp and 445/tcp • • RDP or SSH scanner and bruteforce Larger range of ports to scan (ex: nmap in powershell) • “Advanced” attacker List connections using netstat command ;) • 24/04/2017 OWASP, Geneva

  16. THE EXFILTRATION CASE 16 Again, back on the blue team side Network probing implies Connections to hosts that shouldn’t be contacted • Bruteforce implies • Plenty of failed authentication attempts If you enabled those… • Good reason to use old friends that are quite hype lately Honeypots • • Blackholes that accept everything and throw alerts 24/04/2017 OWASP, Geneva

  17. THE EXFILTRATION CASE 17 Last step, they want access to files • Will issue searched for interesting files Based on name, metadata and content • Probably not only on file shares but also on email accounts Trying to gather more privileges and access administrative interfaces • 24/04/2017 OWASP, Geneva

  18. THE EXFILTRATION CASE 18 But the Blue team is still here watching! Access to files can be detected Monitor specific files and folders using Windows Audit (eventID 4663) • • Create fake accounts and or login interfaces One reason why communication w/ business applications team is important • Deploy files that callback once opened Idea popularized by the OpenCanary project • 24/04/2017 OWASP, Geneva

  19. THE 4 MALWARE CASE 24/04/2017 OWASP, Geneva

  20. THE MALWARE CASE 2 0 Several ways to infect a machine • What is considered “advanced” : exploit kits What is considered “low-tech” : social engineering • Everyone thought that macros problem was solved… Reality is we (security industry) spend too much time thinking about “advanced” • vectors Way more fun than macros! • Not really taking the problem to its core • Analysis tools focused on binaries • Attackers switched to script languages Javascript and Powershell are all the rage lately • 24/04/2017 OWASP, Geneva

  21. THE MALWARE CASE 21 Detection on the network side is limited • IDS are like AV : based on signatures that can be bypassed But still really useful when properly tuned • Recent cases have made it even more so Let’s Encrypt and certificates for everyone • • Dridex campaign hosted on Azure Sharepoint Cerber campaign hosted on Dropbox • 24/04/2017 OWASP, Geneva

  22. THE MALWARE CASE 2 2 A common schema lately • Credit: govcert.admin.ch 24/04/2017 OWASP, Geneva

  23. THE MALWARE CASE 2 3 When attackers want to bypass UAC • Should be less of a problem in enterprises You don’t have users w/ administrative rights right?!? • Social engineering still seems to be the most successful path • Leveraging logic flaws in Windows signed binaries • Some executables from Microsoft allow to elevate privileges w/o UAC prompting Usually patched by Microsoft • 24/04/2017 OWASP, Geneva

  24. THE MALWARE CASE 2 4 From a Blue team perspective several scenarios “We block all macros and Powershell scripts using it ’ s execution policy” Or for the more startup-ish: “we use only cloud-based editing suites ;)” • • Also possible to block activation of macros downloaded from the Internet through GPO Problem is that it is rarely deployed Operation charge is too costly in most cases • • Business workflows requiring macros for example As for Powershell, it is possible to bypass execution policies • • Up to v5 24/04/2017 OWASP, Geneva

  25. THE MALWARE CASE 2 5 Taking a logs and detection approach “Standard ops w/ wscript.exe and powershell.exe processes ran from Word.exe?” Need to study the attacker (cyber-kill-)chain • • Start with easy rules based on parent process Add processes command line • “ok, I will buy that EDR. <SecConfXYZ> had a floor full of them” Not so fast, actually Microsoft got you covered in this area • • Out-of-the-box since 2008r2 and getting better since last year! 24/04/2017 OWASP, Geneva

  26. THE MALWARE CASE 2 6 Audit processes creation from the GPO • EventID 4688 Don ’ t forget to enable command line from Server 2012r2 • SysInternals Sysmon In short: Microsoft free EDR • • Well almost… only the reporting no analysis or correlation is made out-of-the-box Except if using Defender Advanced Threat Protection • Sadly, it is cloud-only… • • Simple to configure Public large deployments documented to reassure you • 24/04/2017 OWASP, Geneva

  27. THE MALWARE CASE 2 7 The rest is up to you: create detection rules by knowing attacker’s techniques • Suspicious parents for set of applications Suspicious children for set of applications • Suspicious execution paths for applications • • %APPDATA% for example … • Powershell examples Detect “-Version 2” in command line • • Argument that looks like base64 encoding Detect “-EncodedCommand“ argument • • … http://www.gsdays.fr/wp-content/uploads/2011/09/RUFF-Se-proteger-contre-les-intrusions-gratuitement-0.2.pdf 24/04/2017 OWASP, Geneva

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lecture 2: Climate Feedbacks and the Carbonate-Silicate Cycle Climate feedbacks/ The carbon

Lecture 2: Climate Feedbacks and the Carbonate-Silicate Cycle Climate feedbacks/ The carbon

41st Saas-Fee Course From Planets to Life 3-9 April 2011 Lecture 2: Climate Feedbacks and the Carbonate-Silicate Cycle Climate feedbacks/ The carbon cycle/ Importance of plate tectonics J. F. Kasting From last time I dont

494 views • 31 slides
Assessing the strength of self-aggregation feedbacks from in situ data Caroline Muller

Assessing the strength of self-aggregation feedbacks from in situ data Caroline Muller

Assessing the strength of self-aggregation feedbacks from in situ data Caroline Muller Laboratoire de Mtorologie Dynamique Dave Turner NOAA Allison Wing Florida State University Assessing the strength of self-aggregation feedbacks from

461 views • 29 slides
DFIR FILE SYSTEM FORENSICS DEV DUA (@dev0x01) &gt;&gt; whois Dev.Dua # Star Wars fan, clearly.

DFIR FILE SYSTEM FORENSICS DEV DUA (@dev0x01) &gt;&gt; whois Dev.Dua # Star Wars fan, clearly.

DFIR FILE SYSTEM FORENSICS DEV DUA (@dev0x01) &gt;&gt; whois Dev.Dua # Star Wars fan, clearly. # M.Eng. Cybersecurity # JOATMON Full Stack Developer, Security Engineer, Scripting/Automation, Researcher # Twitter: dev0x01 # Web:

1.03k views • 43 slides
15-Minute Linux DFIR Triage Dr. Phil Polstra Bloomsburg University of Pennsylvania What is this

15-Minute Linux DFIR Triage Dr. Phil Polstra Bloomsburg University of Pennsylvania What is this

15-Minute Linux DFIR Triage Dr. Phil Polstra Bloomsburg University of Pennsylvania What is this talk about? Determining with some certainty if you have been hacked In a matter of minutes With minimal disturbance to the subject system

518 views • 39 slides
Why Antivirus Software whoami IT-Security Consultant Doing pentesting since two years

Why Antivirus Software whoami IT-Security Consultant Doing pentesting since two years

Why Antivirus Software whoami IT-Security Consultant Doing pentesting since two years This talk is based on private research Before that experience as windows/linux/network admin, a little as web developer and so on...

1.06k views • 49 slides
Team Cymru Cymru Team Penetration Testing Ryan Connolly, ryan@cymru.com

Team Cymru Cymru Team Penetration Testing Ryan Connolly, ryan@cymru.com

Team Cymru Cymru Team Penetration Testing Ryan Connolly, ryan@cymru.com &lt;http://www.cymru.com&gt; Penetration Testing Agenda Pentesting Basics Pentesting Defined Vulnerability Scanning vs. Penetration testing Pentesting

879 views • 83 slides
Digital Intelligence Gathering Using The Powers Of OSINT For Both Blue And Red Teams BSidesSF

Digital Intelligence Gathering Using The Powers Of OSINT For Both Blue And Red Teams BSidesSF

Digital Intelligence Gathering Using The Powers Of OSINT For Both Blue And Red Teams BSidesSF February 2016 1 / 71 Ethan Dodge DFIR @ Nuna Health. DFIR professional and perpetual learner. @__eth0 dodgesec.com 2 / 71 Nuna Health

861 views • 71 slides
Pentesting Virtualization Claudio Criscione @paradoxengine c.criscione@securenetwork.it /me

Pentesting Virtualization Claudio Criscione @paradoxengine c.criscione@securenetwork.it /me

Virtually Pwned Pentesting Virtualization Claudio Criscione @paradoxengine c.criscione@securenetwork.it /me Claudio Criscione The need for security Breaking virtualization means hacking the underlying layer accessing systems

781 views • 46 slides
DATA SCIENCE THE DFIR OUT OF THIS! John Lukach blog.4n6ir.com @jblukach AGENDA DATA SOURCE

DATA SCIENCE THE DFIR OUT OF THIS! John Lukach blog.4n6ir.com @jblukach AGENDA DATA SOURCE

IM GONNA HAVE TO DATA SCIENCE THE DFIR OUT OF THIS! John Lukach blog.4n6ir.com @jblukach AGENDA DATA SOURCE CLEAN DATA ADD CONTEXT VISUALIZATION SYSMON System Monitor is a Windows system service and device driver that,

769 views • 45 slides
Feedbacks: Feedbacks: Oceans and El Nio Oceans and El Nio EES 3310/5310 EES 3310/5310

Feedbacks: Feedbacks: Oceans and El Nio Oceans and El Nio EES 3310/5310 EES 3310/5310

Feedbacks: Feedbacks: Oceans and El Nio Oceans and El Nio EES 3310/5310 EES 3310/5310 Global Climate Change Global Climate Change Jonathan Gilligan Jonathan Gilligan Class #9: Class #9: Monday, January 27 Monday, January 27 2020

812 views • 29 slides
Web Application Pentesting mit OpenSource-Werkzeugen Christian Schneider | @cschneider4711

Web Application Pentesting mit OpenSource-Werkzeugen Christian Schneider | @cschneider4711

Frankfurter Entwicklertag 2017 Web Application Pentesting mit OpenSource-Werkzeugen Christian Schneider | @cschneider4711 CHRISTIAN SCHNEIDER Christian Schneider @cschneider4711 Developer, Whitehat Hacker &amp; Trainer Focus on Java

1.17k views • 94 slides
PART II. Deformation of plates 1. Overview : Questions ! 2. Feedbacks and localization : 1)

PART II. Deformation of plates 1. Overview : Questions ! 2. Feedbacks and localization : 1)

PART II. Deformation of plates 1. Overview : Questions ! 2. Feedbacks and localization : 1) grainsize, 2) temperature, 3) segregation of melt/ fluids / weak phases. (This week !) 3. Strength Envelopes: Background, successes, failures...

887 views • 49 slides
Pentesting iPhone &amp; iPad Apps Hack In Paris 2011 June 17 Who are we? Flora Bottaccio

Pentesting iPhone &amp; iPad Apps Hack In Paris 2011 June 17 Who are we? Flora Bottaccio

Pentesting iPhone &amp; iPad Apps Hack In Paris 2011 June 17 Who are we? Flora Bottaccio Security Analyst at ADVTOOLS Sebastien Andrivet Director, co-founder of ADVTOOLS ADVTOOLS Swiss company founded in 2002 in Geneva

727 views • 39 slides
TACKYDROID Pentesting Android Applications in Style THIS TALK IS ABOUT AN APP WE ARE MAKING

TACKYDROID Pentesting Android Applications in Style THIS TALK IS ABOUT AN APP WE ARE MAKING

TACKYDROID Pentesting Android Applications in Style THIS TALK IS ABOUT AN APP WE ARE MAKING This talk IS NOT about Android platform itself This talk IS about how we want to contribute auditing apps that run on Android systems With

975 views • 74 slides
Radiative feedbacks from stochastic variability in temperature and radiative imbalance in a

Radiative feedbacks from stochastic variability in temperature and radiative imbalance in a

Radiative feedbacks from stochastic variability in temperature and radiative imbalance in a hierarchy of CESM simulations Cristian Proistosescu JISAO, University of Washington NCAR May 10, 2018 Collaborators: Kyle Armour - University of

643 views • 47 slides
Mixed Factorization for Collaborative Recommendation with Heterogeneous Explicit Feedbacks Weike

Mixed Factorization for Collaborative Recommendation with Heterogeneous Explicit Feedbacks Weike

Mixed Factorization for Collaborative Recommendation with Heterogeneous Explicit Feedbacks Weike Pan , Shanchuan Xia, Zhuode Liu, Xiaogang Peng and Zhong Ming panweike@szu.edu.cn, shaun.xia@outlook.com, zero.lzd@gmail.com,

808 views • 38 slides
Performance Tuning and Debugging Don Porter CSE/ISE 311:

Performance Tuning and Debugging Don Porter CSE/ISE 311:

CSE/ISE 311: Systems Administra5on Performance Tuning and Debugging Don Porter CSE/ISE 311: Systems Administra5on Why is my applica3on slow? No silver

606 views • 24 slides
A Highly Selective, Deeply Biased, and Mildly Heretical View of Software Engineering Jim

A Highly Selective, Deeply Biased, and Mildly Heretical View of Software Engineering Jim

A Highly Selective, Deeply Biased, and Mildly Heretical View of Software Engineering Jim Herbsleb School of Computer Science Carnegie Mellon University 1 Outline Software engineering isnt Our conception of software engineering is

420 views • 24 slides
Post Exploitation Operations with Cloud Synchronization Services Jake Williams

Post Exploitation Operations with Cloud Synchronization Services Jake Williams

Post Exploitation Operations with Cloud Synchronization Services Jake Williams jwilliams@csr-group.com @MalwareJake Agenda The problem (cloud backup/synchronization) The solution (DropSmack) Next steps Insecure Authentication

1.1k views • 55 slides
parameterized regular expressions in JavaMOP CS 119 which file?

parameterized regular expressions in JavaMOP CS 119 which file?

parameterized regular expressions in JavaMOP CS 119 which file? http://fsl.cs.uiuc.edu/index.php/Monitoring-Oriented_Programming 2 What is MOP? (their own words) Framework for reliable software development Monitoring is basic

937 views • 72 slides
Highlights from Physics 2017 Dec 08 General notes Productive Physics Week last month .

Highlights from Physics 2017 Dec 08 General notes Productive Physics Week last month .

Highlights from Physics 2017 Dec 08 General notes Productive Physics Week last month . 71 attendees. Workshop / Hack days style meeting WGs continue to be guided by TDR timeline , with some notable milestones of - Jan 2018:

347 views • 6 slides
Introduction Applied Bioinformatics Michael Schroeder Biotechnology Center TU Dresden DNA

Introduction Applied Bioinformatics Michael Schroeder Biotechnology Center TU Dresden DNA

Introduction Applied Bioinformatics Michael Schroeder Biotechnology Center TU Dresden DNA the molecule of life http://www.ornl.gov/hgmis 2 High-throughput Technology 1950s: 2000s: 2010s: Watson and Crick Sanger Center BGI,

500 views • 30 slides
EXTREME BEHAVIOR IN Consists of many entities that interact in involved ways Entities adapt

EXTREME BEHAVIOR IN Consists of many entities that interact in involved ways Entities adapt

OVERVIEW Extreme behavior in information and communications technology ( ICT ) systems Limits of predictive risk analysis Complexity is the enemy From fragile to antifragile systems Design and operational principles ANTIFRAGILE

499 views • 25 slides
Trading perfection for robustness in extraordinary software Benoit Baudry (EPI DiverSE) Journes

Trading perfection for robustness in extraordinary software Benoit Baudry (EPI DiverSE) Journes

Trading perfection for robustness in extraordinary software Benoit Baudry (EPI DiverSE) Journes scientifiques 2015 June, 19 2015. 1 Extraordinary software 2 Unstable environment Users Customization, extensions, add-ons Malicious

532 views • 25 slides

More recommend