Improving Cyber Resiliency using Intelligence-led Attack Simulations - - PowerPoint PPT Presentation



SLIDE 1

Improving Cyber Resiliency using Intelligence-led Attack Simulations

Vincent Yiu

SLIDE 2

Who am I?

Vincent Yiu
Founder of SYON Security
Offensive Operations including Adversary Simulation and Penetration Testing
Certifications: CREST certified, OSCP, OSCE
Speaker at: SSC Xi’an 2018, HITB Singapore 2017 and 2018, JD Security Conference Beijing 2017, Steelcon UK 2017, Bsides Manchester UK 2017, Snoopcon 2017 and 2018.
@vysecurity vincent.yiu@syonsecurity.com

SLIDE 3

Experiences

  • Global banks
  • Local banks
  • Wealth management
  • Global insurance
  • Smart grid
  • Retail
  • Manufacturing / R&D organizations
  • Satellite
  • HR companies
  • Financial technology providers
  • ISP / Registrars
  • Telecoms
  • Energy
  • Biomedical
  • Health
  • More…

SLIDE 4

Financial Technology?

  • Asset Management
  • Automated Teller Machine (ATM) Operators
  • ATM and self-service terminal manufacturing
  • Banks and Credit Unions
  • Credit Report Services
  • Electronic Payment Systems
  • Financial Planners and Investment Advisers
  • Financial Transaction Processing
  • Institutional Securities Brokerages
  • Investment Firms
  • Mortgage Brokers
  • Property/Casualty Insurance Carriers
  • Venture Capital
  • CRYPTOCURRENCY EXCHANGE

https://www.fireeye.com/content/dam/fireeye-www/solutions/pdfs/ib-finance.pdf

SLIDE 5

But it all boils down to…

  • The target objective
  • The attacker’s motivation
  • The crown jewels

Hacking a target is not the end goal; acquisition of the objective is the mission.

SLIDE 6

Agenda

  • Financial industry threats
  • What is intelligence?
  • Current state of Security Testing across the world
  • What is Cyber Attack Simulation Testing?
  • Attack lifecycle – Modelling real attacker techniques

SLIDE 7

Goals: Back to Basics

Confidentiality / Integrity / Availability

Data, Information

  • Benefit Records
  • Business and Strategic Plans and Goals
  • Finance Documents
  • Invoices
  • Organizational Charts
  • Pricing Data
  • Recurring Reports
  • Customer Data
  • Payment Card Data

Manipulation

  • Change Customer Account Data
  • Change Amount of Money
  • Change Software
  • Change Website

Access

  • Move Money
  • Withdraw Cash
  • Denial of Service

SLIDE 8

Intelligence

  • Who’s hacking who?
  • What are criminals after?
  • Is your company affected?
  • When are they going to hack you?
  • Have they already hacked you but you don’t know?
  • Current scam campaigns going on

[Diagram: Intelligence Report → Your Company (steps 1, 2, ???, 3)]

SLIDE 9

Intelligence Report: What’s in it?

  • Open Source Intelligence information on your company
  • Enumerated digital asset IP ranges / domains
  • Shodan passive enumeration of digital assets
  • Potential vulnerabilities
  • Competent intelligence providers will have a 20+ year historical database
  • Provide insight as to what CRIME groups are targeting YOUR industry
  • What CRIME groups are targeting YOUR organization
  • What accounts and data are being sold?
  • What are the capability levels of these CRIME groups?
  • What malware deployments? What tactics, techniques, and procedures do they use?

SLIDE 10

Open Source Intelligence

  • Company Name
  • Company Branches
  • Legal entities
  • Revenue
  • Executives
  • Organizational Chart
  • Office locations
  • Email addresses
  • Phone numbers
  • Passwords appeared in previous breaches
  • Digital assets
  • Potential vulnerabilities

SLIDE 11

Adversary Information

  • Name of groups and individuals who may be targeting your industry
  • Groups who may be targeting your particular organization
  • Mentions of your organization on the Dark Net / Underground communities
  • TOR network
  • Exploit.in LEVEL X account
  • Public APT and private APT reports
  • Malware samples
  • Indicators of compromise
  • Motivations
  • Origin country
  • Emails
  • Domains
  • IP addresses
  • Accounts for your service being sold
  • Access to your organization being sold (insider threat / previously hacked access)

SLIDE 12

Improving Cyber Resiliency using Intelligence-led Attack Simulations

What threats are we facing?

  • SWIFT – Financial motivation
  • ATM Jackpotting – Financial motivation
  • Cryptocurrency Exchange Transfers – Financial motivation

SLIDE 13

Improving Cyber Resiliency using Intelligence-led Attack Simulations

Who are the threat actors?

  • Many Advanced Persistent Threat Groups
  • Carbanak – ATM / Point of Sale Devices
  • Lazarus – SWIFT

SLIDE 14

Improving Cyber Resiliency using Intelligence-led Attack Simulations

What are we doing about it?

  • Prepare
  • Assess
  • Understand your company’s defensive capabilities

After breach:

  • Investigations
  • Security hardening

SLIDE 15

Case Study

  • Bank X

2014: Simulated attack, $200K

2016: Bangladesh hacked via SWIFT, $81 Million

2018: On-going simulations, $200K. Prepared for the FUTURE

SLIDE 16

Case Study

  • Financial Technology company Y
  • Global Reach
  • Deploys Infrastructure for many banks
  • “Can an attacker break into our network, and obtain access to our customers’ networks?”

SLIDE 17

Current State of Security Assessments

Is the Door Locked? Is there a Safe?

COMPLIANCE

SLIDE 18

Current State of Security Assessments

Can I get past the door? Can we break into the safe?

PENETRATION TESTING

[Diagram: Project 1 / Project 2]

SLIDE 19

Current State of Security Assessments

ATTACK SIMULATION

[Diagram, one project: surveillance to find a time when no one’s home; jump down from the floor above; unlocked balcony door; find the safe combination in the room; open the safe]

SLIDE 20

Where are we?

  • United Kingdom / USA:
    • Red Teaming / Attack Simulation
    • Penetration Testing
  • Asia:
    • Risk Assessment
    • Buy Security Products
    • Penetration Testing

SLIDE 21

Attack Simulation Regulations

  • United Kingdom: CBEST (Financial), TBEST (Telecom), NBEST (Energy), ATTEST (Aviation)
  • Europe: TIBER-EU
  • Hong Kong: iCAST
  • Singapore: Pending Singapore Monetary Authority

SLIDE 22

Capabilities

[Diagram: Cyber Capability Spectrum from LOW to HIGH, with the labels CREST Certified, CREST Basic, CREST Simulated Attack Specialist, and Experienced Consultant Dealing with Critical Infrastructure]

SLIDE 23

You’ve got an upcoming match against Mike Tyson

SLIDE 24

Risk Assessment / Compliance: watch a video, then say “He might take a right punch”. Are you ready for the fight with no training?

SLIDE 25

Penetration Testing: practicing against a punching bag

SLIDE 26

Attack Simulation: train against someone who can mimic Mike Tyson

SLIDE 27

Cyber Attack Lifecycle: Microsoft’s Version

SLIDE 28

Brief walkthrough of an attack on ACME corporation

  • Financial Technology Provider
  • Global presence
  • Operations in UK, Germany, Singapore, and Philippines
  • Goal: Obtain access to customer data
  • Goal: Obtain access to customer environment
  • Goal: Obtain credentials for a customer environment

How might you go about this sort of an attack?

SLIDE 29

Step 1: Reconnaissance

  • Map out digital assets
    • Scanning, visualising, understanding the surface
    • Digital footprint / Social media footprint
    • Code leaks, breach dumps
  • Map out physical assets
    • Potential last resort if attack over internet proves infeasible
  • Map out human resources
    • Scraping, searching the internet
    • LinkedIn, 脉脉

SLIDE 30

Step 2: Phishing

  • Review target’s email security configuration
  • Set up a phishing campaign
  • Target gets phished
  • Foothold on internal network
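
The first item above, reviewing the target's email security configuration, is the same check a defender should run on their own domain before a phishing campaign (simulated or real) does it for them. The following is an added example, not code from the talk or from SYON Security: it parses SPF and DMARC TXT records and flags the settings that leave a domain easy to spoof. The record strings are constructed samples for a hypothetical domain `acme-example.test`; in practice you would fetch the live records with a DNS library such as dnspython (`dns.resolver.resolve(name, "TXT")`).

```python
"""Audit a domain's published SPF and DMARC records for weak settings.

Added example (not from the talk). The TXT records below are constructed
samples; in practice fetch them from DNS for the domain being audited.
"""
import re

# Constructed sample TXT records for the hypothetical domain acme-example.test.
SAMPLE_SPF_WEAK = "v=spf1 include:_spf.mailprovider.example ip4:203.0.113.0/24 ~all"
SAMPLE_SPF_STRONG = "v=spf1 include:_spf.mailprovider.example ip4:203.0.113.0/24 -all"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@acme-example.test"
SAMPLE_DMARC_STRONG = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@acme-example.test"

# SPF terms that cost a DNS lookup (RFC 7208 caps a record at 10 of them).
_LOOKUP_TERM = re.compile(r"(?:a|mx)(?::|/|$)|include:|exists:|redirect=", re.IGNORECASE)


def parse_spf(txt):
    """Return (mechanisms, all_qualifier); the qualifier is '+', '-', '~', '?' or None."""
    if not txt.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            all_qualifier = m.group(1) or "+"  # bare 'all' means '+all'
        else:
            mechanisms.append(term)
    return mechanisms, all_qualifier


def parse_dmarc(txt):
    """Return the DMARC tag/value pairs as a dict with lower-cased keys."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def count_dns_lookups(mechanisms):
    """Approximate how many SPF terms trigger a DNS lookup."""
    return sum(1 for m in mechanisms if _LOOKUP_TERM.match(m.lstrip("+-~?")))


def assess_email_auth(spf_txt, dmarc_txt):
    """Return a list of findings describing weak or missing email authentication."""
    findings = []
    if spf_txt is None:
        findings.append("SPF: no record published")
    else:
        mechanisms, all_q = parse_spf(spf_txt)
        if all_q is None or all_q == "+":
            findings.append("SPF: missing or +all terminator, record does not restrict senders")
        elif all_q in ("~", "?"):
            findings.append(f"SPF: '{all_q}all' is advisory only; use '-all' once all senders are listed")
        if count_dns_lookups(mechanisms) > 10:
            findings.append("SPF: more than 10 DNS lookups, receivers will treat the record as permerror")
    if dmarc_txt is None:
        findings.append("DMARC: no record published")
    else:
        tags = parse_dmarc(dmarc_txt)
        policy = tags.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC: p=quarantine; move to p=reject once aggregate reports look clean")
        if tags.get("sp", "").lower() == "none":
            findings.append("DMARC: sp=none leaves subdomains spoofable")
        if int(tags.get("pct", "100")) < 100:
            findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
        if "rua" not in tags:
            findings.append("DMARC: no rua address, so no aggregate reports will arrive")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", SAMPLE_SPF_WEAK, SAMPLE_DMARC_WEAK),
                              ("strong", SAMPLE_SPF_STRONG, SAMPLE_DMARC_STRONG)):
        print(label, assess_email_auth(spf, dmarc) or ["no findings"])
```

The weak pair produces two findings (`~all` and `p=none`), which is exactly the configuration that lets a campaign deliver mail with a forged sender from the audited domain; the strong pair produces none. DKIM is not covered here because its selector names are not discoverable from a fixed record name.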

SLIDE 31

Step 3: Actions on Objectives

  • Skip privilege escalation: the phished target is a Philippines operations manager
  • Login to internal password management server
  • Dump all credentials for all APAC customers
  • Surveillance of the target over multiple days
  • Target logs into customer Citrix server via a secured virtual machine

SLIDE 32

Step 3: Actions on Objectives

  • Connect to virtual machine
  • Lookup customer credentials
  • Login
  • Access to customer environment granted

SLIDE 33

THANKS!

Any questions?

@vysecurity vincent.yiu@syonsecurity.com www.vincentyiu.co.uk