Improving Cyber Resiliency using Intelligence-led Attack Simulations - PowerPoint PPT Presentation

  1. Improving Cyber Resiliency using Intelligence-led Attack Simulations Vincent Yiu

  2. Who am I?
     @vysecurity
     Vincent Yiu
     vincent.yiu@syonsecurity.com
     Founder of SYON Security
     Offensive Operations including Adversary Simulation and Penetration Testing
     Certifications: CREST certified, OSCP, OSCE
     Speaker at: SSC Xi’an 2018, HITB Singapore 2017 and 2018, JD Security Conference Beijing 2017, Steelcon UK 2017, Bsides Manchester UK 2017, Snoopcon 2017 and 2018.

  3. Experiences
     • Global banks
     • Local banks
     • Wealth management
     • Global insurance
     • Smart grid
     • Retail
     • Manufacturing / R&D organizations
     • Satellite
     • HR companies
     • Financial technology providers
     • ISP / Registrars
     • Telecoms
     • Energy
     • Biomedical
     • Health
     • More…

  4. Financial Technology?
     • Asset Management
     • Automated Teller Machine (ATM) Operators
     • ATM and self-service terminal manufacturing
     • Banks and Credit Unions
     • Credit Report Services
     • Electronic Payment Systems
     • Financial Planners and Investment Advisers
     • Financial Transaction Processing
     • Institutional Securities Brokerages
     • Investment Firms
     • Mortgage Brokers
     • Property/Casualty Insurance Carriers
     • Venture Capital
     • CRYPTOCURRENCY EXCHANGE
     Source: https://www.fireeye.com/content/dam/fireeye-www/solutions/pdfs/ib-finance.pdf

  5. But it all boils down to…
     • The target objective
     • The attacker’s motivation
     • The crown jewels
     Hacking a target is not the end goal; acquisition of the objective is the mission.

  6. Agenda
     • Financial industry threats
     • What is intelligence?
     • Current state of Security Testing across the world
     • What is Cyber Attack Simulation Testing?
     • Attack lifecycle: Modelling real attacker techniques

  7. Goals: Back to Basics
     Confidentiality (Data, Information):
     • Benefit Records
     • Business and Strategic Plans and Goals
     • Finance Documents
     • Invoices
     • Organizational Charts
     • Pricing Data
     • Recurring Reports
     • Customer Data
     • Payment Card Data
     Integrity (Manipulation):
     • Change Customer Account Data
     • Change Amount of Money
     • Change Software
     • Change Website
     Availability (Access):
     • Move Money
     • Withdraw Cash
     • Denial of Service

  8. Intelligence
     • Who’s hacking who?
     • What are criminals after?
     • Is your company affected?
     • When are they going to hack you?
     • Have they already hacked you but you don’t know?
     • Current scam campaigns going on
     (Diagram: ???, Your Company, Intelligence Report)

  9. Intelligence Report: What’s in it?
     • Open Source Intelligence information on your company
     • Enumerated digital asset IP ranges / domains
     • Shodan passive enumeration of digital assets
     • Potential vulnerabilities
     • Competent intelligence providers will have a 20+ year historical database of data
     • Provide insight as to what CRIME groups are targeting YOUR industry
     • What CRIME groups are targeting YOUR organization
     • What accounts and data are being sold?
     • What are the capability levels of these CRIME groups?
     • What malware deployments? What tactics, techniques, and procedures do they use?

  10. Open Source Intelligence
     • Company Name
     • Company Branches
     • Legal entities
     • Revenue
     • Executives
     • Organizational Chart
     • Office locations
     • Email addresses
     • Phone numbers
     • Passwords that appeared in previous breaches
     • Digital assets
     • Potential vulnerabilities

  11. Adversary Information
     • Names of groups and individuals who may be targeting your industry
     • Groups who may be targeting your particular organization
     • Mentions of your organization on the Dark Net / Underground communities
     • TOR network
     • Exploit.in LEVEL X account
     • Public APT and private APT reports
     • Malware samples
     • Indicators of compromise
     • Motivations
     • Origin country
     • Emails
     • Domains
     • IP addresses
     • Accounts for your service being sold
     • Access to your organization being sold (insider threat / previously hacked access)

  12. Improving Cyber Resiliency using Intelligence-led Attack Simulations
     What threats are we facing?
     • SWIFT: Financial motivation
     • ATM Jackpotting: Financial motivation
     • Cryptocurrency Exchange Transfers: Financial motivation

  13. Improving Cyber Resiliency using Intelligence-led Attack Simulations
     Who are the threat actors?
     • Many Advanced Persistent Threat Groups
     • Carbanak: ATM / Point of Sale Devices
     • Lazarus: SWIFT

  14. Improving Cyber Resiliency using Intelligence-led Attack Simulations
     What are we doing about it?
     • Prepare
     • Assess
     • Understand your company’s defensive capabilities
     After breach:
     • Investigations
     • Security hardening

  15. Case Study: Bank X
     • 2014: Hacked, $200K via SWIFT
     • 2016: Bangladesh, $81 Million
     • 2018: Prepared for the FUTURE, on-going simulated attack simulations

  16. Case Study: Financial Technology company Y
     • Global Reach
     • Deploys Infrastructure for many banks
     • “Can an attacker break into our network, and obtain access to our customers’ networks?”

  17. Current State of Security Assessments
     COMPLIANCE: Is there a Safe? Is the Door Locked?

  18. Current State of Security Assessments
     PENETRATION TESTING
     • Project 1: Can we break into the safe?
     • Project 2: Can I get past the door?

  19. Current State of Security Assessments
     ATTACK SIMULATION (one project)
     • Surveillance to find a time when no one’s home
     • Jump down from the floor above
     • Unlocked balcony door
     • Find the safe combination in the room
     • Open the safe

  20. Where are we?
     • United Kingdom / USA:
        • Red Teaming / Attack Simulation
        • Penetration Testing
     • Asia:
        • Risk Assessment
        • Buy Security Products
        • Penetration Testing

  21. Attack Simulation Regulations
     • United Kingdom: CBEST (Financial), TBEST (Telecom), NBEST (Energy), ATTEST (Aviation)
     • Europe: TIBER-EU
     • Hong Kong: iCAST
     • Singapore: Pending, Monetary Authority of Singapore

  22. Capabilities
     Cyber Capability Spectrum (LOW → HIGH):
     CREST Basic → CREST Certified → CREST Simulated Attack Specialist → Experienced Consultant Dealing with Critical Infrastructure

  23. You’ve got an upcoming match against Mike Tyson

  24. Risk Assessment / Compliance
     Watch a video, then say “He might take a right punch.”
     Are you ready for the fight with no training?

  25. Penetration Testing
     Practicing against a punching bag

  26. Attack Simulation
     Train against someone who can mimic Mike Tyson

  27. Cyber Attack Lifecycle: Microsoft’s Version

  28. Brief walkthrough of an attack on ACME corporation
     • Financial Technology Provider
     • Global presence
     • Operations in UK, Germany, Singapore, and Philippines
     • Goal: Obtain access to customer data
     • Goal: Obtain access to customer environment
     • Goal: Obtain credentials for a customer environment
     • How might you go about this sort of an attack?

  29. Step 1: Reconnaissance
     • Map out digital assets
        • Scanning, visualising, understanding the surface
        • Digital footprint / Social media footprint
        • Code leaks, breach dumps
     • Map out physical assets
        • Potential last resort if attack over the internet proves infeasible
     • Map out human resources
        • Scraping, searching the internet
        • LinkedIn, 脉脉

  30. Step 2: Phishing
     • Review target’s email security configuration
     • Set up a phishing campaign
     • Target gets phished
     • Foothold on internal network

  31. Step 3: Actions on Objectives
     • Skip Privilege Escalation: the phished target is a Philippines operations manager
     • Login to internal password management server
     • Dump all credentials for all APAC customers
     • Surveillance of the target over multiple days
     • Target logs into customer Citrix server via a secured virtual machine

  32. Step 3: Actions on Objectives
     • Connect to virtual machine
     • Look up customer credentials
     • Login
     • Access to customer environment granted
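The walkthrough's phishing step opens with a review of the target's email security configuration. The defender's counterpart is to run that review on your own domains before an attacker does. The script below is an added example, not material from the talk: it parses SPF and DMARC TXT records and flags the settings that let a spoofed sender through (a soft-fail or permissive `all`, a monitor-only `p=none`, partial `pct`, no reporting address, too many SPF lookups). The domain names and records are constructed samples; in practice you would feed `assess()` a `lookup` callable backed by your DNS resolver.

```python
"""Defender-side check of a domain's SPF and DMARC posture.

Added example (not from the talk): scores the TXT records a receiving mail
server consults, looking for settings that make sender spoofing easier.
The records below are constructed samples; swap in a real resolver for the
domains you administer.
"""
import re
from dataclasses import dataclass, field

# Constructed sample records keyed by the DNS name they would be published at.
SAMPLE_RECORDS = {
    "example-weak.test": "v=spf1 include:_spf.mailhost.test ~all",
    "_dmarc.example-weak.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-weak.test",
    "example-strong.test": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.test -all",
    "_dmarc.example-strong.test": (
        "v=DMARC1; p=reject; sp=reject; pct=100; "
        "rua=mailto:dmarc@example-strong.test"
    ),
    "example-none.test": "",  # domain that publishes neither record
}

# SPF terms that each cost a DNS lookup; RFC 7208 caps a record at 10 of them.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
SEVERITY_ORDER = ("ok", "low", "medium", "high", "critical")


@dataclass
class Assessment:
    domain: str
    risk: str
    findings: list = field(default_factory=list)  # (severity, message) pairs


def parse_spf(record: str) -> dict:
    """Extract the 'all' qualifier and lookup-costing terms from an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"present": False}
    all_qualifier, lookups, uses_ptr = None, 0, False
    for term in terms[1:]:
        qualifier, body = "+", term  # an unqualified mechanism means "+"
        if body and body[0] in "+-~?":
            qualifier, body = body[0], body[1:]
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
            uses_ptr = uses_ptr or name == "ptr"
    return {"present": True, "all": all_qualifier, "lookups": lookups, "uses_ptr": uses_ptr}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"present": False}
    tags["present"] = True
    return tags


def assess(domain: str, lookup=None) -> Assessment:
    """Score a domain. lookup(name) returns the TXT record string or None."""
    lookup = lookup or SAMPLE_RECORDS.get
    findings = []

    spf = parse_spf(lookup(domain) or "")
    if not spf["present"]:
        findings.append(("high", "no SPF record: any host can present itself as this domain"))
    else:
        qualifier = spf["all"]
        if qualifier == "+":
            findings.append(("critical", "SPF '+all' authorises every host on the internet"))
        elif qualifier == "?":
            findings.append(("high", "SPF '?all' gives unlisted hosts a neutral result"))
        elif qualifier == "~":
            findings.append(("medium", "SPF '~all' softfail: receivers often still deliver spoofed mail"))
        elif qualifier is None:
            findings.append(("medium", "SPF has no 'all' term: unlisted hosts default to neutral"))
        if spf["lookups"] > 10:
            findings.append(("high", f"SPF needs {spf['lookups']} DNS lookups; over 10 yields permerror"))
        if spf["uses_ptr"]:
            findings.append(("low", "SPF uses the deprecated 'ptr' mechanism"))

    dmarc = parse_dmarc(lookup("_dmarc." + domain) or "")
    if not dmarc["present"]:
        findings.append(("high", "no DMARC record: SPF/DKIM results are never enforced"))
    else:
        policy = dmarc.get("p", "").lower()
        if policy == "none":
            findings.append(("high", "DMARC p=none only monitors; spoofed mail is still delivered"))
        elif policy == "quarantine":
            findings.append(("medium", "DMARC p=quarantine: spoofed mail lands in spam, not rejected"))
        elif policy != "reject":
            findings.append(("high", f"DMARC policy '{policy}' is missing or unrecognised"))
        pct = dmarc.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(("medium", f"DMARC pct={pct}: policy applied to only part of the mail"))
        if "rua" not in dmarc:
            findings.append(("low", "no rua= address: no aggregate reports, no visibility of spoofing"))

    risk = max((sev for sev, _ in findings), key=SEVERITY_ORDER.index, default="ok")
    return Assessment(domain, risk, findings)


if __name__ == "__main__":
    for name in ("example-weak.test", "example-strong.test", "example-none.test"):
        result = assess(name)
        print(f"{result.domain}: {result.risk}")
        for severity, message in result.findings:
            print(f"  [{severity}] {message}")
```

With the constructed records, `example-weak.test` scores high (soft-fail SPF plus a monitor-only DMARC policy), `example-strong.test` scores ok, and `example-none.test` scores high because it publishes nothing. The check deliberately ignores DKIM, which needs the selector names used by each sending system; add those once you know them.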

  33. THANKS! Any questions?
     @vysecurity
     vincent.yiu@syonsecurity.com
     www.vincentyiu.co.uk
