How to Think Like a Hacker: Lessons Learned & Best Practices Jointly hosted by:
PRESENTERS BRIAN KIRK ANNIE BRINK DIRECTOR BUSINESS DEVELOPMENT Digital Operations Digital Operations And Cybersecurity And Cybersecurity Direct: 864.242.2685 Direct: 864.242.2606 Annie.Brink@elliottdavis.com Brian.Kirk@elliottdavis.com ANONYMOUS INTERNATIONAL Hacktivist / Activist Internet Vigilante
(IN) FAMOUS HACKING GROUPS i
WHO ARE WE DEFENDING AGAINST AGAIN? i State Sponsored Organized • Cyber war, state Crime secrets, industrial espionage Hacktivist • Economic gain • Highly sophisticated • Significant technical • Statement • Nearly unlimited resources and Criminal • Relentless, resources capabilities emotionally • Advanced persistent • Vandalism • Established committed threats Recreational • Limited technical syndicates • Vast networks capabilities • Adware, crimeware, • Targeted attacks • Fame and notoriety IP theft • Limited technical resources • Known exploits INCREASING RESOURCES AND SOPHISTICATION The expansion of attacker types, their resources, and their sophistication
IN THE NEWS i
ANYTHING DIFFERENT THIS YEAR? i
TRENDING THREATS i A type of malware that prevents or limits users from accessing their Ransomware system, either by locking the system's screen or by locking the users' files unless a ransom is paid Business Email Attack through corporate email systems on individuals who have access Compromise and means to conduct fraudulent financial transactions Incident where information is stolen or taken from an Office 365 O365 Data Breach email system without the knowledge or authorization of the system’s owner
A LOOK INTO THE CURRENT STATE OF THE INDUSTRY i • A 238% increase in cyber attacks against banks is linked to COVID-19 - ZDNET.COM • As of May 2 nd , the FBI is showing an increase of 800% reported cyber crimes to their divisions – entrepreneur.com • Coronavirus may be the largest-ever global security threat. - thenextweb.com • Anyone know of any schools recently impacted by cybersecurity problems?
WHY ARE ATTACKS SO SUCCESSFUL? i • Lack of understanding of risk : Organizations do not think they are a target for cybercrime • Lack of funding : Budget for information technology is limited, and security is an overall fraction because… • UPTIME is considered the most important metric (and rightfully so) • Lack of knowledge about real world threats and methods to prevent them
ALL ORGANIZATIONS ARE TARGETS i • Nearly half of all cyberattacks are committed against small businesses. • 60 percent of small companies that suffer a cyberattack are out of business within six months, according to the U.S. National Cyber Security Alliance. • Cisco security experts explain that small/midmarket businesses are more inclined to pay ransoms to adversaries so that they can quickly resume normal operations after a ransomware attack. They simply can’t afford the downtime and lack of access to critical data — including customer data.
HOW SOME TARGETS ARE ACQUIRED BY CRIMINALS i Attacks are initially driven through automated ‘bots’ which either automate spam messages or scan the internet for vulnerabilities and carry out large portions of cyber attacks without any human interaction. Live Security Test Performed in Late 2018 Fake finance server placed online +15 seconds + 2 days with known software Automated bot exploits known Hacker returns to vulnerabilities vulnerabilities remove system data +2 hours + 5 mins Automated bot discovers and Automated bot traverses system, scans system catalogs data, and goes quiet
HOW RANSOMWARE WORKS i
HOW RANSOMWARE WORKS i 76% of attacks typically happen during the night or on weekends
HOW RANSOMWARE WORKS – A NEW WRINKLE i Starting in late 2019, a hybrid variety of cyber attack has emerged, in which traditional ransomware tactics are combined with data exfiltration. Attackers notify their victims that if they fail to pay the ransom demand, not only will data on the infected systems remain encrypted, but the attackers will expose highly sensitive data to the public as well.
HOW RANSOMWARE WORKS – A NEW WRINKLE i The only way to know that exfiltrated data is safe from misuse is to know that it was protected by strong, persistent encryption before it was exfiltrated. Encryption isn't a complete answer — firewalls, antimalware, and then some, will continue to be necessary — but by locking down its highest- value data in advance, an organization can protect itself against the worst consequences of this emerging threat.
HOW ATTACKS HAPPEN (BEC) i Bogus Invoice Scheme From Third Party Internal Email Account Compromise High Ranking Executive Scheme
Cybersecurity: Where to Start
WHAT SHOULD BUSINESSES BE DOING? i Define what risks are acceptable to your organization: A risk assessment is a non- technical consideration that most organizations overlook when considering cybersecurity. It is important for every organization to determine their greatest area of risk to profitability. Develop an Incident Response Plan (and test it): One area often overlooked by many organizations is the ability to recover from a serious incident (physical, weather related, cyber, etc.). The risks associated with many cybersecurity threats can be mitigated by having a mature Incident Response Plan that meets a recovery time pre-approved by executive management.
WHAT SHOULD BUSINESSES BE DOING? i Secure your backups: Do you think Garmin had a backup? Of course they did. Make sure you have an OFFLINE backup…tape or cloud….something attackers can’t reach if they gain administrative access to your network. Develop a ‘Defense in Depth’ strategy: If you spend much time with cybersecurity professionals, you will often hear the term “defense in depth”. This terminology is used to define a process where organizations do not trust one technology, control, or even IT provider to secure their organization. Test your team: Trust but verify is a well known mantra in the security industry. You should trust your information technology team but verify they are protecting your organization from known risks.
WAYS TO MEASURE CYBER PROGRAM EFFECTIVENESS i PROGRAM ASSESSMENT
WAYS TO MEASURE CYBER PROGRAM EFFECTIVENESS i PROGRAM ASSESSMENT
PENETRATION TESTING i Key Capabilities Example Tools • • Apply custom OSINT inventory to domains, systems, and employees Recon-NG Reconnaissance • • Evaluate internet / social media footprint of key employees Shodan/dnsdumpster • • Perform passive reconnaissance and external footprinting Custom Scripts • • Identify live hosts, their services and service versions NMAP Masscan • • Active Scanning Discover web applications running on each system Nikto/Wpscan • • Create a target list and approach Directory Scanner/Custom Scripts • • Determine risk and likelihood of attack success Custom Code Exploitation • • Develop and manually execute custom exploits Metasploit • • If in-scope, perform user based attacks using social engineering toolkit Social Engineer Toolkit (SET) • • Use local tools and expertise to move laterally and escalate privileges Local tools such as PowerShell or Bash Post Exploitation • • Assess if accounts can be enumerated or password hashes extracted Custom scripts in Python or JS • • Attempt to script exploit to evaluate data exfiltration capabilities Metasploit/Core Impact • • Final Report containing all the above steps Overview of each issue with a risk score Reporting • Screen Shots and POC code • Remediation steps
OPEN SOURCE INTELLIGENCE (OSINT) REVIEW i OSINT reports are useful as they give your company insight into the types and amounts of information that has been gathered and stored on the Internet about your organization. The review is performed without directly engaging the Customer network or systems, utilizing a range of effective open source gathering tools to collect information. The goal of this report is to assist your team in improving its cybersecurity posture. • This assessment utilizes gathering techniques based on the Penetration Testing Execution Standard (PTES) methodology. This approach is designed to mimic the intelligence gathering actions of computer attackers looking to identify security vulnerabilities against an organization. • We analyze impact of publicly exposed user credentials from recent high profile security breaches against the user base since credential reuse can result in data breaches, system compromises, and loss of data. • This assessment will use open source information to discover lists of known exploitable weaknesses in your network and hosts, along with unauthorized routes into the target network.
Disclaimer This material was used by Elliott Davis during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis.
Thank you! Brian Kirk Brian.Kirk@elliottdavis.com 864.242.2606
Recommend
More recommend
