Anatomy of an Attack
Understanding the means and motivation of your enemies

Johnathan Norman
Director of Security Research
Alert Logic
Whoami
• Director of Security Research @ Alert Logic
  – Manage investigations
  – Responsible for “0day” coverage
  – Vulnerability analysis and discovery
• Exploit Developer
• 10+ years monitoring networks
• Winner of a few CTFs
  – Netwars All-Star challenge
Agenda

Old & New Enemies
Thinking like the attacker
Real world example
Best Practices
If you know your enemies and know yourself, you will not be imperiled in a hundred battles…
  - Sun Tzu
The Actors
• Hacktivists
  – Anonymous, LulzSec etc…
• Cyber Criminals
  – Impact 73% of online users [1]
• Government
  – Stuxnet anyone?

[1] Norton Cyber Crime Report 2010
Traditional Attacks
Hacker Profile
   – Talented individual
   – Young, bored
Motivation
   – To prove a point
   – Curiosity
   – Credibility
Attack Methods
   – Worms targeting memory vulns in network services
   – Attack payload not usually customized
Modern Attack Profile
Hacker Profile
   – Organized Crime
   – Dedicated teams who are paid
   – Teams often work for criminal organizations as a career
Motivation
   – Targeted attack for financial gain
   – Desire anonymity
Attack Methods
   – Vulnerable web applications
   – Client side applications
   – Malware used to keep control
Cybercrime Market
The Numbers
   – Global computer crime market estimated to be $7B in 2010 [2]
   – Russia responsible for $2.5B
   – Growing ~35% per year overall

Interesting Trends
   – Increase of specialization of participants
   – On-Demand and Pay-Per-Use services
   – Developing C2C market

[2] Group-IB Report - 2010
Roles
Role                    Description
Malware Developers      Develop kits to control owned systems and steal data
Rootkit Developers      Develop advanced software to hide presence of malware
Traditional Hackers     Search for vulns, write and sell exploits to pack vendors
Distributors            Find ways to install malware kits on as many victims as possible
Hosting Providers       Hosting with few restrictions
Misc Tools Developers   Executable packers and obfuscators
Organization Leaders    Assemble teams and influence PPI prices per country
Crime Pays
Stolen Assets/Criminal Activity          Payout
Credit Card Details                      $5-10, expected $1-2 post PSN
Bank Credentials                         $80-$700
Bank Transfers                           10% to 40% of amount transferred
Social Security Numbers                  $30-50
0Day Exploits                            $5000 - $100,000
Exploits for published vulnerabilities   $5000 - $50,000
Exploit Packs                            $200 - $5,000
Malware Pay-Per-Install                  Up to $1.50 for US victims, $0.15-0.60 for other countries
Hacking 101
• The 3 Questions
  – What do I have?
  – What do I know?
  – What is my target?
• The Process
  – Reconnaissance
  – Discovery
  – Mapping
  – Exploit
The World is Yours
My Skills
   – P2P networking
   – Defacing websites

The Plan
   – Get paid distributing malware
How it Works – The Business Model
(Diagram; actors: Distributor, Cybercrime Group, Victims, Black Market. Numbered flow:)
1. Distributor purchases a malware pack
2. Distributor registers with the cybercrime group
3. Distributor infects users (P2P seeding, XSS)
4. Infected users send data to the group
5. Data is sold wholesale on the black market
6. Payment is made to the distributor
What do I get?
Malware likely based on TDSS
   – First widely used x64 rootkit for Windows Vista and Windows 7
   – Kernel mode rootkit
   – Modified binaries generated on-demand to avoid AV detection

Choosing an Affiliate
   – Pay-Per-Install model
   – Reputation
   – Claim up to US $7000 per day
   – Phone support provided with personal account manager
The Final Touches
Binary Modification Tool: Anti-Virus Bypass
Delivery/Attack Surface
Infection Method               Difficulty   Effectiveness
Websites                       Easy         Good
P2P Networks                   Easy         Medium
SPAM                           Easy         Medium
Paid Ads                       Medium       Medium
Phishing                       Easy         Poor
Traditional Network Exploit    Difficult    Poor
Blackhat SEO                   Medium       Medium

Cross Site Scripting
   – Most sites are vulnerable
   – Easy to find and users trust the websites
SQL Injection
   – Easy to find
   – Very common

Source: Veracode State of Software Security Report, April 2011
Real World Example
(Diagram; entry points observed in the example:)
   – Open SMB shares / Weak Passwords
   – Web App Vulnerability
   – Netbios Open
   – RDP
   – Spear phishing
Limit Your Exposure
Lifecycle of a Threat (chart: Risk / # of Vulnerable Assets against Time, with a Risk Threshold line; milestones left to right:)
   – Vulnerability Discovered
   – Exploit is Public
   – Patch is Released
   – Automated Exploit
   – Passé

RISK = Vulnerabilities x Assets x Threats
OBJECTIVE -> REDUCE RISK

Risk Reduction Framework
Limit Exposure
   – Policy Review
   – Patch Management
   – Vulnerability Scanning
Monitor
   – Be Aware of Known Vulnerabilities
   – Daily IDS/Log Data Review
   – Know your network!
Educate Users
   – Awareness Training
   – Management Focus on Security
Tools or Expert Help?
Remember the Questions…
• 3 Questions
  – What do I have?
  – What do I know?
  – What is my target?
• Penetration testing helps
Defending Users
AV Isn’t Enough
   – Malware evolves ahead of AV signatures
   – 60% of malware is undetected by AV
Education
   – At least half of the executables on P2P networks are infected
   – Don’t install software from untrusted sources
   – Safe browsing
   – Flash drives
Key Takeaways
0day is rarely the average user’s weak point
Tools are not always the solution
Focus on your attack surface, not the latest news
Antivirus will not save you! Educate users
Next Generation
Mobile Devices
   – Full blown operating systems with IP stacks
   – Security posture like OSs in the 90’s
   – High-speed 4G Internet connectivity – get owned faster!
   – Malware in Android market (50+ apps)
   – Users connect to the office wifi
Q&A


      jnorman@alertlogic.com
      @spoofyroot
      http://www.alertlogic.com/blog

Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 

Anatomy of an Attack

  • 1. Anatomy of an Attack – Understanding the means and motivation of your enemies. Johnathan Norman, Director of Security Research, Alert Logic
  • 2. Whoami
    – Director of Security Research @ Alert Logic: manage investigations; responsible for “0day” coverage; vulnerability analysis and discovery
    – Exploit Developer
    – 10+ years monitoring networks
    – Winner of a few CTF’s (Netwars All-Star challenge)
  • 3. Agenda: Old & New Enemies; Thinking like the attacker; Real world example; Best Practices
  • 4. “If you know your enemies and know yourself, you will not be imperiled in a hundred battles…” – Sun Tzu
  • 5. The Actors
    – Hacktivists: Anonymous, LulzSec etc…
    – Cyber Criminals: impact 73% of online users (1)
    – Government: Stuxnet anyone?
    (1) Norton Cyber Crime Report 2010
  • 6. Traditional Attacks
    – Hacker Profile: talented individual; young, bored
    – Motivation: to prove a point; curiosity; credibility
    – Attack Methods: worms targeting memory vulns in network services; attack payload not usually customized
  • 7. Modern Attack Profile
    – Hacker Profile: organized crime; dedicated teams who are paid; teams often work for criminal organizations as a career
    – Motivation: targeted attack for financial gain; desire anonymity
    – Attack Methods: vulnerable web applications; client side applications; malware used to keep control
  • 8. Cybercrime Market
    – The Numbers: global computer crime market estimated to be $7B in 2010 (2); Russia responsible for $2.5B; growing ~35% per year overall
    – Interesting Trends: increase of specialization of participants; On-Demand and Pay-Per-Use services; developing C2C market
    (2) Group-IB Report, 2010
  • 9. Roles (Role – Description)
    – Malware Developers – Develop kits to control owned systems and steal data
    – Rootkit Developers – Develop advanced software to hide presence of malware
    – Traditional Hackers – Search for vulns, write and sell exploits to pack vendors
    – Distributors – Find ways to install malware kits on as many victims as possible
    – Hosting Providers – Hosting with few restrictions
    – Misc Tools Developers – Executable packers and obfuscators
    – Organization Leaders – Assemble teams and influence PPI prices per country
  • 10. Crime Pays (Stolen Assets/Criminal Activity – Payout)
    – Credit Card Details – $5-10, expected $1-2 post PSN
    – Bank Credentials – $80-$700
    – Bank Transfers – 10% to 40% of amount transferred
    – Social Security Numbers – $30-50
    – 0Day Exploits – $5000 - $100,000
    – Exploits for published vulnerabilities – $5000 – $50,000
    – Exploit Packs – $200 – $5,000
    – Malware Pay-Per-Install – Up to $1.50 for US victims, $0.15-0.60 for other countries
  • 11. Agenda: Old & New Enemies; Thinking like the attacker; Real world example; Best Practices
  • 12. Hacking 101
    – The 3 Questions: What do I have? What do I know? What is my target?
    – The Process: Reconnaissance; Discovery; Mapping; Exploit
  • 13. The World is Yours
    – My Skills: P2P networking; defacing websites
    – The Plan: get paid distributing malware
  • 14.–17. (image-only slides)
  • 18. How it Works – The Business Model (diagram; actors: Distributor, Cybercrime Group, Victims, Black Market)
    – 1. Register with cybercrime group
    – 2. Purchase malware pack
    – 3. Infect users (P2P seeding, XSS)
    – 4. Infected users send data to group
    – 5. Data sold wholesale (black market)
    – 6. Payment made
  • 19. What do I get?
    – Malware likely based on TDSS: first widely used x64 rootkit for Windows Vista and Windows 7; kernel mode rootkit; modified binaries generated on-demand to avoid AV detection
    – Choosing an Affiliate: Pay-Per-Install model; reputation; claim up to US $7000 per day; phone support provided with personal account manager
  • 20. The Final Touches: Binary Modification Tool; Anti-Virus Bypass
  • 21. Delivery/Attack Surface (Infection Method – Difficulty – Effectiveness)
    – Websites – Easy – Good
    – P2P Networks – Easy – Medium
    – SPAM – Easy – Medium
    – Paid Ads – Medium – Medium
    – Phishing – Easy – Poor
    – Traditional Network Exploit – Difficult – Poor
    – Blackhat SEO – Medium – Medium
    Cross Site Scripting: most sites are vulnerable; easy to find, and users trust the websites. SQL Injection: easy to find; very common. Source: Veracode State of Software Security Report, April 2011
  • 22. Agenda: Old & New Enemies; Thinking like the attacker; Real world example; Best Practices
  • 23. (network diagram of the real world example, labelled with the vectors found) Open SMB shares / Weak Passwords; Web App Vulnerability; Netbios; Open RDP; Spear phishing
  • 24. Agenda: Old & New Enemies; Thinking like the attacker; Real world example; Best Practices
  • 25. Limit Your Exposure
    – Lifecycle of a Threat (diagram, Risk vs. Time, with a Risk Threshold line): Vulnerability Discovered, Exploit is Public, Patch is Released, Automated Exploit, Passé
    – RISK = Vulnerabilities x Assets x Threats
    – Risk Reduction Framework, OBJECTIVE -> REDUCE RISK:
      – Limit Exposure: # of Vulnerable Assets; Policy Review; Patch Management; Vulnerability Scanning
      – Monitor: Be Aware of Known Vulnerabilities; Daily IDS/Log Data Review; Know your network!
      – Educate Users: Awareness Training; Management Focus on Security
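The risk formula and threat lifecycle on slide 25, worked as an added example that is not from the talk: a small Python prioritiser over a constructed asset inventory, assuming placeholder vulnerability ids, stage weights and severities, which ranks an old but patchable flaw carried by an exploit pack above an unpatched 0day and shows how much risk routine patching removes.

```python
"""Risk prioritisation across the vulnerability lifecycle.

Added illustration, not code from the talk: applies the slide's formula
RISK = Vulnerabilities x Assets x Threats to a constructed inventory, with the
Threats term weighted by lifecycle stage. Ids, weights and severities are placeholders.
"""
from dataclasses import dataclass

# Threat weight per lifecycle stage (constructed; the talk gives no numbers).
STAGE_WEIGHT = {"discovered": 1, "exploit_public": 3, "patch_released": 3,
                "automated_exploit": 5, "passe": 1}

@dataclass
class Vuln:
    stage: str
    severity: int          # 1..10, constructed
    patch_available: bool

@dataclass
class Asset:
    name: str
    value: int             # business criticality 1..10, constructed
    exposed: bool          # reachable from the Internet
    vulns: list            # vuln ids present on this asset

def asset_risk(asset, catalogue):
    """severity * asset value * stage weight, summed over the asset's vulns.
    Internet exposure doubles the threat term (constructed assumption)."""
    exposure = 2 if asset.exposed else 1
    return sum(catalogue[v].severity * asset.value * STAGE_WEIGHT[catalogue[v].stage]
               * exposure for v in asset.vulns)

def prioritise(assets, catalogue):
    """[(name, risk, ids with a patch available)] sorted by risk, highest first."""
    rows = [(a.name, asset_risk(a, catalogue),
             [v for v in a.vulns if catalogue[v].patch_available]) for a in assets]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def risk_after_patching(assets, catalogue):
    """Total risk left if every vuln that already has a patch were fixed."""
    return sum(asset_risk(Asset(a.name, a.value, a.exposed,
                                [v for v in a.vulns if not catalogue[v].patch_available]),
                          catalogue) for a in assets)

# Constructed sample inventory; ids are placeholders, not real CVEs.
CATALOGUE = {"VULN-OLD": Vuln("automated_exploit", 7, True),   # years old, in a pack
             "VULN-0DAY": Vuln("discovered", 10, False),
             "VULN-PASSE": Vuln("passe", 5, True)}
ASSETS = [Asset("web-server", 8, True, ["VULN-OLD", "VULN-PASSE"]),
          Asset("file-server", 9, False, ["VULN-0DAY"]),
          Asset("workstation", 3, False, ["VULN-OLD"])]

if __name__ == "__main__":
    for name, risk, patchable in prioritise(ASSETS, CATALOGUE):
        print(f"{name:12} risk={risk:4}  patch now: {patchable}")
    total = sum(asset_risk(a, CATALOGUE) for a in ASSETS)
    print("total risk:", total, "-> after patching:", risk_after_patching(ASSETS, CATALOGUE))
```

The file server holding the 0day ends up last in the queue, while applying the patches that already exist removes most of the total risk, which is the slide's point.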
  • 26. (image-only slide)
  • 28. Remember the Questions…
    – 3 Questions: What do I have? What do I know? What is my target?
    – Penetration testing helps
  • 29. Defending Users
    – AV Isn’t Enough: malware evolves ahead of AV signatures; 60% of malware is undetected by AV
    – Education: at least half of the executables on P2P networks are infected; don’t install software from untrusted sources; safe browsing; flash drives
  • 30. Key Takeaways
    – 0day is rarely the average user’s weak point
    – Tools are not always the solution
    – Focus on your attack surface, not the latest news
    – Antivirus will not save you! Educate users
  • 31. Next Generation
    – Mobile Devices: full blown operating systems with IP stacks; security posture like OS’s in the 90’s; high-speed 4G Internet connectivity – get owned faster!; malware in Android market (50+ apps); users connect to the office wifi
  • 32. Q&A – jnorman@alertlogic.com, @spoofyroot, http://www.alertlogic.com/blog

Editor's Notes

  1. Hello! My name is JM and I am on the research team at Alert Logic. Today we’ll be talking about how organized groups have come to dominate the computer crime scene.
  2. First I’m going to cover the differences between the attackers at work today vs. what we saw 5 years ago. Then we’ll talk about how modern organizations are structured and how they operate. Finally we’ll look at what you need to do to minimize your risk as an IT manager and also as a user with your own data to protect.
  3. This is a quote from The Art of War. Highly regarded, but w/ the computer crime landscape, optimistic. The idea is the same... in order to defend against skilled & highly motivated attackers, your security team needs to know what they’re up against, as well as having a realistic understanding of their own capabilities and limitations. Raise your hand if you have ever had your credit card number stolen? OK... who has ever exposed patient or customer information as a result of a network intrusion? Haha, it’s OK, no one ever wants to admit that in public... hahaha. That sort of thing can seriously damage a company’s reputation, like we’re seeing now with Sony. S: everyone is familiar w/ the stereotypical hacker.
  4. You have 3 primary groups of actors to worry about. This is not an exhaustive list but does account for the majority of malicious activity.
  5. Young student, bored, maybe problems with authority. Think it’s cool, looking for a challenge, out defacing websites of organizations they disagree with. Unlike Matthew Broderick, none of the guys I knew who were writing DOS viruses at 16 ever had a girl in their bedrooms. Korgo, Sasser: mostly static payload built & released to run its course. S: things have changed a lot since then.
  6. Overwhelming majority of attacks are carried out by professional teams who do it for a living. Only goal is to control as many computers as they can to steal as much data as possible, which they can use or sell wholesale. Not making noise, not defacing websites; remain undetected as long as possible. Target vulns in client apps. S: it’s working really well.
  7. Business is booming: $7B last year, Russia 1/3 and growing 35% per year. W/ that growth the business models evolve like the legit IT industry. Ppl are taking on specialized roles either to limit personal risk or maximize profit within the context of their personal situation. This is a business, and like any other business the goal is to make as much money as possible while spending the least amount of money.
  8. MW Dev – build custom C&C software w/ dev kits to embed it in 3rd party executables ppl would want to install. Distributors – equiv to the corner drug dealer, lower on the food chain, not the most skilled; these are the guys in direct contact with the target systems. When you find malware on a system, it was often put there by a distributor who didn’t actually write it. Hosting providers – liberal AUP, often only up for a short period of time before they are shut down unless hosted in safe haven countries. S: so how much money are these guys making?
  9. Credit cards – influenced by supply/demand. Sony PSN +70M cards stolen; if the majority are valid & dumped on the market, it would push prices way down. Exploit packs cover multiple vulns, price based on age. Affiliate programs – in the same way banner ad and browser toolbar affiliate programs developed in the 90’s with pay-per-view and pay-per-click models, malware install affiliate programs have sprung up. Segue: I’m a young unemployed Ukrainian guy & I want in on the action.
  10. First I’m going to cover the differences between the attackers at work today vs. what we saw 5 years ago. Then we’ll talk about how modern organizations are structured and how they operate. Finally we’ll look at what you need to do to minimize your risk as an IT manager and also as a user with your own data to protect.
  11. Hacking is really about answering 3 questions, and each time you get to a new step you repeat the process. More on this later in our example.
  12. This is a screenshot of the old Dogma Millions website. This has since been taken down, but you can see from the graphics the msg they send. Work for us & you can drive your own Porsche SUV on a blue water beach with Victoria’s Secret models. Segue: unfortunately the English language sites aren’t as creative...
  13. Payperinstall.com is a clearinghouse for pay per install groups. You sign up with an affiliate, they provide a custom set of executables embedded with your affiliate ID. For every US machine you get the malware installed on, you get a dollar. 10,000 machines = $10,000.
  14. PPI – lower rate, always paid per install, similar to pay-per-click banner advertising. Alternatively, programs where you simply take a cut of the revenue generated from selling the stolen data. The potential payout is higher here, but the risk of your affiliate skimming is high too.
  15. reputation is important – you can’t call the police if your affiliate doesn’t pay out or they are obviously skimming
  16. Once you have your malware packs, you have a # of choices of how to get it installed.
  17. So now that you have everything you have to find the most effective way to spread your malware.
  18. This is a high level network diagram of an actual client, which is a major hospital. The data is from a recent investigation of the compromise that was completed last week. So let’s see how this compares to the previous scenario I mentioned above.
  19. OK, so now I gave you the spiel on the actors. How do you handle this situation?
  20. This is a lifecycle model for a vulnerability taken from a grad student’s thesis. One of the common mistakes users make is to focus their defenses heavily on 0day attacks. But this diagram shows that the most commonly exploited vulnerabilities are actually patched flaws that have been in the wild for quite some time. Publicly known vulnerabilities are your actual risk.
  21. Left 2 columns are published vulns from oldest to newest, 2003 to 2010. Columns on the right are examples of exploit packs and which vulns they target. Most of these vulnerabilities are old and have assigned CVE’s.
  22. Tools are a critical part of your defense, but they are useless without expertise and guidance. Simply having a firewall and an IDS device will not do much in the face of today’s attackers if you don’t have the people in place with the expertise to interpret what the tools are telling you.
  23. Tools are a critical part of your defense, but they are useless without expertise and guidance. Simply having a firewall and an IDS device will not do much in the face of today’s attackers if you don’t have the people in place with the expertise to interpret what the tools are telling you.
  24. Education – sounds extremely basic, but some people don’t know. Browsing – browsers are complex pieces of software & they all have holes. The majority of owned desktop systems I’ve seen were used by avid IE users. I use Firefox, automatic updates and a number of plugins that improve your security like NoScript and RequestPolicy; these tools can defeat CSRF and some XSS attacks even though the webapps you use are vulnerable. Filtering web proxies.
  25. Cell phones are Big Brother’s wet dream. Can track users within a few meters and running full blown operating systems. In fact Verizon just changed their TOS so they can sell your location data.