SlideShare una empresa de Scribd logo

Advanced Threat Protection: Lessons from a Red Team Exercise

Descargar como PPTX, PDF
Peter Wood
Peter Wood

Peter Wood is the CEO of First Base Technologies, an ethical hacking firm. He has decades of experience in cybersecurity. The document describes a red team exercise conducted by First Base against a client. It involved remote reconnaissance, spear phishing to steal credentials, and physical attacks on branch and head offices. The attacks were successful due to issues like unsecured computers and lack of visitor verification. The lessons highlighted weaknesses in the client's security controls that could be improved.

Tecnología
1 de 24
Peter Wood Chief Executive Officer First Base Technologies LLP Advanced Threat Protection Lessons from a Red Team Exercise
Slide 2 © First Base Technologies 2014 Who is Peter Wood? Worked in computers & electronics for 45 years Founded First Base in 1989 (the first ethical hackers in UK) Ethical hacker, security evangelist and public speaker • Fellow of the BCS, the Chartered Institute for IT • Chartered IT Professional • CISSP • Senior Member of the Information Systems Security Association (ISSA) • 15 Year+ Member of ISACA, Member of the ISACA Security Advisory Group • Member of the Institute of Information Security Professionals • Member of the BCS Register of Security Specialists • Deputy Chair of the BCS Information Risk Management and Audit Group • UK Programme Chair for the Corporate Executive Programme • Member of ACM, IEEE, First Forensic Forum (F3), Institute of Directors • Member of Mensa
Slide 3 © First Base Technologies 2014 Who are First Base Technologies? • Web Application Testing • Infrastructure Testing • Network Security Testing • Server Security Audits • SCADA Security Testing • PCI Penetration Testing • Endpoint Testing • Social Engineering • Red Teaming • Risk Assurance • Transformation Consultancy • Cloud Security • Architectural Reviews • Awareness Consultancy • Keynote Seminars • Security Evangelism • Multimedia Training • White-hats.co.uk User Group Penetration Testing & Ethical Hacking Security Consultancy & Awareness
Slide 4 © First Base Technologies 2014 RSA Advanced Attack (2011) https://blogs.rsa.com/anatomy-of-an-attack/
Slide 5 © First Base Technologies 2014 How an Advanced Attack Works
Slide 6 © First Base Technologies 2014 Red Team Testing • Use your threat analysis to pick a realistic attack scenario • Use your asset register to identify realistic targets • Engage a red team exercise to simulate a real attack • Check your preventative and detective controls! • Learn, improve, repeat!
Slide 7 © First Base Technologies 2014 Threat analysis for testing http://csrc.nist.gov/cyberframework/rfi_comments/040813_cba_part2.pdf
Slide 8 © First Base Technologies 2014 Lessons from a red team exercise We combined real examples to tell a story Stories are always more compelling than bald facts! “The story you are about to hear is true; only the names have been changed to protect the innocent vulnerable.”
Slide 9 © First Base Technologies 2014 Our attack timeline
Slide 10 © First Base Technologies 2014 Remote information gathering • 15 premises in UK, reviewed on Google maps and street view • 4 registered domains • 5 IP address ranges • 72 Internet-facing hosts • Metadata retrieved for Adobe, Office and QuarkExpress • Scan revealed OWA in use • Internet search for relevant email addresses • LinkedIn searches to construct email addresses for employees • 400 email addresses identified • ‘Interesting’ staff names and job titles from LinkedIn • Emails sent to obtain responding email style and layout
Slide 11 © First Base Technologies 2014 On-site reconnaissance • Head office: - Perimeter guards and external CCTV - Main reception manned and controlled - Goods entrance well controlled - No other access - Staff ID card design noted - Results used to plan on-site attack 2 • Branch office: - High street premises, no guarding - Small reception, one receptionist - Door intercom - Multi-tenanted building - Results used to plan on-site attack 1
Slide 12 © First Base Technologies 2014 Results of info gathering 1. Spear phishing is viable and can be used for theft of credentials 2. Head office will require legitimate appointment to gain physical access 3. Branch office may be vulnerable to ad hoc visitor with remote backup 4. Significant number of other premises available as fallback 5. Windows and Office in use, so typical network vulnerabilities will apply
Slide 13 © First Base Technologies 2014 Spear phishing plan 1. Convincing fake domain name available and purchased 2. OWA site cloned onto fake domain for credential theft 3. Large number of email addresses harvested as targets 4. Design of real emails copied to facilitate spear phishing 5. Names and job titles gathered as fake senders 6. Genuine OWA will be used to test stolen credentials (and gather further info) 7. Credentials will be deployed in first on-site attack
Slide 14 © First Base Technologies 2014 Spear phishing exercise 1. Email sent from IT manager, using fake domain address 2. OWA cloned on to tester’s laptop, DNS set accordingly 3. Email sent to three groups of 100 recipients 4. Within a few minutes, 41 recipients entered credentials 5. Credentials tested on legitimate OWA site 6. Significant information gathered from each account 7. Further emails can now be sent from legitimate addresses
Slide 15 © First Base Technologies 2014 Branch office attack plan 1. Team member “Harry” to pose as a contractor working for a telecomms firm 2. Clothing and ID badge prepared 3. Works order fabricated 4. Engineering toolkit prepared, including laptop 5. Credentials obtained from spear phishing stored on laptop 6. Other team members on landline phones for remote verification
Slide 16 © First Base Technologies 2014 Branch office attack exercise (1) 1. “Harry” arrives and tells receptionist he needs to fix a network fault 2. Receptionist asks for a contact name for verification 3. Harry claims not to know and gives receptionist his works order number and a phone number to get details 4. Receptionist calls and speaks to “George” who gives the name of an IT employee (who we know is ‘out of office’) 5. Receptionist cannot make contact with absent IT employee, so tells Harry to call their IT Manager to resolve the problem 6. Harry calls “Charlie” and asks him to impersonate the IT Manager 7. Charlie (impersonating the IT Manager) calls receptionist and tells them to give Harry access
Slide 17 © First Base Technologies 2014 Branch office attack exercise (2) 9. Harry is escorted into the office and given a desk and a network point 10.He is left unsupervised and plugs his laptop in to the network 11.He explores the network and identifies several Windows servers 12.He authenticates to a domain controller using credentials obtained during the phishing exercise 13.He explores various servers and identifies many interesting files 14.He plants several files to demonstrate full read-write access 15.He explains that he has run diagnostics and that the network connection seems ok. He is escorted to reception and signs out
Slide 18 © First Base Technologies 2014 Head office attack plan (1) A number of scenarios were considered: • Apply for a job vacancy with a suitable fake CV • Courier delivery of a parcel • Research and interview for newspaper or publication • Discussion about a school tour of premises • Tour of premises as a prospective customer Two alternatives were selected and developed: • Tour of premises as a prospective customer for a specific product • Interview for a charity magazine about corporate fund raising
Slide 19 © First Base Technologies 2014 Head office attack plan (2) Relevant domain names were obtained, email addresses and web pages created for both fake organisations. 1. Tour of premises as a prospective customer for a specific product: - “Anne” sent an email via the company’s online form - An exchange of emails occurred over the next few days and she obtained permission, as a new customer, to book a tour of the premises 2. Interview for a charity magazine about corporate fund raising: - “Anne” called the company and spoke to head of fund raising team - Press office called Anne and asked for more details - Background research proved convincing and pretext was accepted - Interview booked at head office Option 2 entailed less risk of exposure, so was attempted first.
Slide 20 © First Base Technologies 2014 Head office attack exercise 1. “Anne” and “Harry” arrive for the press interview, are given visitor passes and escorted to a meeting room 2. Harry asks to use the bathroom and is given directions 3. A senior employee joins the meeting and asks further questions to validate their story, which are answered satisfactorily 4. Harry returns from the bathroom, but quickly exits the meeting again leaving a pack of diarrhoea medicine on the table 5. During his ‘bathroom visit’ Harry is able to access unattended computers, simulate installing keyloggers and remote control software and copying files on to a USB drive 6. When the interview concludes, Anne and Harry are escorted from the building
Slide 21 © First Base Technologies 2014
Slide 22 © First Base Technologies 2014 Lessons 1. No checks on social networking using work email addresses 2. No sanitisation of metadata in published documents 3. Insufficient staff training on spear phishing 4. Inadequate visitor validation at branch office 5. Unsupervised visitor at branch office 6. Unsupervised visitor at head office (bathroom break) 7. Unlocked computers 8. No challenging of unescorted visitors 9. Sensitive information protected only by Windows credentials
Slide 23 © First Base Technologies 2014 Red Team Testing • Use your threat analysis to pick a realistic attack scenario • Use your asset register to identify realistic targets • Engage a red team exercise to simulate a real attack • Check your preventative and detective controls! • Learn, improve, repeat!
Peter Wood Chief Executive Officer First Base Technologies LLP peter@firstbase.co.uk http://firstbase.co.uk http://white-hats.co.uk http://peterwood.com Twitter: @peterwoodx Need more information?

Recomendados

How to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksHow to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksAlan Percy
 
Red Team
Red TeamRed Team
Red Teamcgann
 
All your files now belong to us
All your files now belong to usAll your files now belong to us
All your files now belong to usPeter Wood
 
Fixing the broken Red Team
Fixing the broken Red TeamFixing the broken Red Team
Fixing the broken Red TeamDavid Warley
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?Peter Wood
 
Red teaming in the cloud
Red teaming in the cloudRed teaming in the cloud
Red teaming in the cloudPeter Wood
 
Welcome to Strategic Red Team Consulting
Welcome to Strategic Red Team ConsultingWelcome to Strategic Red Team Consulting
Welcome to Strategic Red Team ConsultingFred Aubin, CD MCGI
 
Red Teaming and the Supply Chain
Red Teaming and the Supply ChainRed Teaming and the Supply Chain
Red Teaming and the Supply ChainOllie Whitehouse
 

Recomendados

How to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksHow to Protect Against TDOS Attacks
How to Protect Against TDOS AttacksAlan Percy
 
Red Team
Red TeamRed Team
Red Teamcgann
 
All your files now belong to us
All your files now belong to usAll your files now belong to us
All your files now belong to usPeter Wood
 
Fixing the broken Red Team
Fixing the broken Red TeamFixing the broken Red Team
Fixing the broken Red TeamDavid Warley
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?Peter Wood
 
Red teaming in the cloud
Red teaming in the cloudRed teaming in the cloud
Red teaming in the cloudPeter Wood
 
Welcome to Strategic Red Team Consulting
Welcome to Strategic Red Team ConsultingWelcome to Strategic Red Team Consulting
Welcome to Strategic Red Team ConsultingFred Aubin, CD MCGI
 
Red Teaming and the Supply Chain
Red Teaming and the Supply ChainRed Teaming and the Supply Chain
Red Teaming and the Supply ChainOllie Whitehouse
 
Strategic Red Team Consulting - Company Intro - Jan 2014
Strategic Red Team Consulting - Company Intro - Jan 2014Strategic Red Team Consulting - Company Intro - Jan 2014
Strategic Red Team Consulting - Company Intro - Jan 2014Fred Aubin, CD MCGI
 
Lessons from a Red Team Exercise
Lessons from a Red Team ExerciseLessons from a Red Team Exercise
Lessons from a Red Team ExercisePeter Wood
 
Pentesting
PentestingPentesting
PentestingHenrik Jacobsen
 
Final Report Presentation Team Red O
Final Report Presentation Team Red OFinal Report Presentation Team Red O
Final Report Presentation Team Red OXu Bim
 
mimikatz @ asfws
mimikatz @ asfwsmimikatz @ asfws
mimikatz @ asfwsBenjamin Delpy
 
Pentesting with Metasploit
Pentesting with MetasploitPentesting with Metasploit
Pentesting with MetasploitPrakashchand Suthar
 
Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Hykeos
 
Strategic Red Team Consulting - Introduction to Business Wargaming
Strategic Red Team Consulting - Introduction to Business WargamingStrategic Red Team Consulting - Introduction to Business Wargaming
Strategic Red Team Consulting - Introduction to Business WargamingFred Aubin, CD MCGI
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassRob Fuller
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at youRob Fuller
 
DetectingSpearPhishingAttacks
DetectingSpearPhishingAttacksDetectingSpearPhishingAttacks
DetectingSpearPhishingAttacksMike Saunders
 
Pragmatic Network Security - Avoiding Real-World Vulnerabilities
Pragmatic Network Security - Avoiding Real-World VulnerabilitiesPragmatic Network Security - Avoiding Real-World Vulnerabilities
Pragmatic Network Security - Avoiding Real-World VulnerabilitiesPeter Wood
 
The future of cloud security
The future of cloud securityThe future of cloud security
The future of cloud securityPeter Wood
 
FreeSBC - Getting Started
FreeSBC - Getting StartedFreeSBC - Getting Started
FreeSBC - Getting StartedAlan Percy
 
FreeSBC - Getting Started
FreeSBC - Getting StartedFreeSBC - Getting Started
FreeSBC - Getting StartedTelcoBridges Inc.
 
Network Security and Spoofing Attacks
Network Security and Spoofing AttacksNetwork Security and Spoofing Attacks
Network Security and Spoofing AttacksPECB
 
Cyber Security for Financial Planners
Cyber Security for Financial PlannersCyber Security for Financial Planners
Cyber Security for Financial PlannersMichael O'Phelan
 
Securing Your Intellectual Property: Preventing Business IP Leaks
Securing Your Intellectual Property: Preventing Business IP LeaksSecuring Your Intellectual Property: Preventing Business IP Leaks
Securing Your Intellectual Property: Preventing Business IP LeaksHokme
 
6 Most Surprising SharePoint Security Risks
6 Most Surprising SharePoint Security Risks6 Most Surprising SharePoint Security Risks
6 Most Surprising SharePoint Security RisksImperva
 
Cyber Security Seminar
Cyber Security SeminarCyber Security Seminar
Cyber Security SeminarJeremy Quadri
 
Lessonplan-1 (1).docx
Lessonplan-1 (1).docxLessonplan-1 (1).docx
Lessonplan-1 (1).docxALVAREZAPRILROSE
 
Lessonplan-1.docx
Lessonplan-1.docxLessonplan-1.docx
Lessonplan-1.docxALVAREZAPRILROSE
 

Más contenido relacionado

Destacado

Strategic Red Team Consulting - Company Intro - Jan 2014
Strategic Red Team Consulting - Company Intro - Jan 2014Strategic Red Team Consulting - Company Intro - Jan 2014
Strategic Red Team Consulting - Company Intro - Jan 2014Fred Aubin, CD MCGI
 
Lessons from a Red Team Exercise
Lessons from a Red Team ExerciseLessons from a Red Team Exercise
Lessons from a Red Team ExercisePeter Wood
 
Final Report Presentation Team Red O
Final Report Presentation Team Red OFinal Report Presentation Team Red O
Final Report Presentation Team Red OXu Bim
 
Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Hykeos
 
Strategic Red Team Consulting - Introduction to Business Wargaming
Strategic Red Team Consulting - Introduction to Business WargamingStrategic Red Team Consulting - Introduction to Business Wargaming
Strategic Red Team Consulting - Introduction to Business WargamingFred Aubin, CD MCGI
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassRob Fuller
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at youRob Fuller
 
DetectingSpearPhishingAttacks
DetectingSpearPhishingAttacksDetectingSpearPhishingAttacks
DetectingSpearPhishingAttacksMike Saunders
 

Destacado (11)

Strategic Red Team Consulting - Company Intro - Jan 2014
Strategic Red Team Consulting - Company Intro - Jan 2014Strategic Red Team Consulting - Company Intro - Jan 2014
Strategic Red Team Consulting - Company Intro - Jan 2014
 
Lessons from a Red Team Exercise
Lessons from a Red Team ExerciseLessons from a Red Team Exercise
Lessons from a Red Team Exercise
 
Pentesting
PentestingPentesting
Pentesting
 
Final Report Presentation Team Red O
Final Report Presentation Team Red OFinal Report Presentation Team Red O
Final Report Presentation Team Red O
 
mimikatz @ asfws
mimikatz @ asfwsmimikatz @ asfws
mimikatz @ asfws
 
Pentesting with Metasploit
Pentesting with MetasploitPentesting with Metasploit
Pentesting with Metasploit
 
Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015Physical Penetration Testing - RootedCON 2015
Physical Penetration Testing - RootedCON 2015
 
Strategic Red Team Consulting - Introduction to Business Wargaming
Strategic Red Team Consulting - Introduction to Business WargamingStrategic Red Team Consulting - Introduction to Business Wargaming
Strategic Red Team Consulting - Introduction to Business Wargaming
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Writing malware while the blue team is staring at you
Writing malware while the blue team is staring at youWriting malware while the blue team is staring at you
Writing malware while the blue team is staring at you
 
DetectingSpearPhishingAttacks
DetectingSpearPhishingAttacksDetectingSpearPhishingAttacks
DetectingSpearPhishingAttacks
 

Similar a Advanced Threat Protection: Lessons from a Red Team Exercise

Pragmatic Network Security - Avoiding Real-World Vulnerabilities
Pragmatic Network Security - Avoiding Real-World VulnerabilitiesPragmatic Network Security - Avoiding Real-World Vulnerabilities
Pragmatic Network Security - Avoiding Real-World VulnerabilitiesPeter Wood
 
The future of cloud security
The future of cloud securityThe future of cloud security
The future of cloud securityPeter Wood
 
FreeSBC - Getting Started
FreeSBC - Getting StartedFreeSBC - Getting Started
FreeSBC - Getting StartedAlan Percy
 
Network Security and Spoofing Attacks
Network Security and Spoofing AttacksNetwork Security and Spoofing Attacks
Network Security and Spoofing AttacksPECB
 
Cyber Security for Financial Planners
Cyber Security for Financial PlannersCyber Security for Financial Planners
Cyber Security for Financial PlannersMichael O'Phelan
 
Securing Your Intellectual Property: Preventing Business IP Leaks
Securing Your Intellectual Property: Preventing Business IP LeaksSecuring Your Intellectual Property: Preventing Business IP Leaks
Securing Your Intellectual Property: Preventing Business IP LeaksHokme
 
6 Most Surprising SharePoint Security Risks
6 Most Surprising SharePoint Security Risks6 Most Surprising SharePoint Security Risks
6 Most Surprising SharePoint Security RisksImperva
 
Cyber Security Seminar
Cyber Security SeminarCyber Security Seminar
Cyber Security SeminarJeremy Quadri
 
Sheet1WeaknessViolates a policy or procedureThreatWhat is th.docx
Sheet1WeaknessViolates a policy or procedureThreatWhat is th.docxSheet1WeaknessViolates a policy or procedureThreatWhat is th.docx
Sheet1WeaknessViolates a policy or procedureThreatWhat is th.docxbjohn46
 
Codec Networks Providing Courses in Cyber forensic,Network Forensics.
Codec Networks Providing Courses in Cyber forensic,Network Forensics.Codec Networks Providing Courses in Cyber forensic,Network Forensics.
Codec Networks Providing Courses in Cyber forensic,Network Forensics.cnetworks
 
Codec Networks Offering Courses in Cyber forensic in Delhi,India.
Codec Networks Offering Courses in Cyber forensic in Delhi,India.Codec Networks Offering Courses in Cyber forensic in Delhi,India.
Codec Networks Offering Courses in Cyber forensic in Delhi,India.cnetworks
 
Meeting the Cybersecurity Challenge
Meeting the Cybersecurity ChallengeMeeting the Cybersecurity Challenge
Meeting the Cybersecurity ChallengeNet at Work
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3Meg Weber
 
Information Security and Corporate Risk
Information Security and Corporate RiskInformation Security and Corporate Risk
Information Security and Corporate RiskAgilOne
 
How Does a Data Breach Happen?
How Does a Data Breach Happen? How Does a Data Breach Happen?
How Does a Data Breach Happen? Claranet UK
 

Similar a Advanced Threat Protection: Lessons from a Red Team Exercise (20)

Pragmatic Network Security - Avoiding Real-World Vulnerabilities
Pragmatic Network Security - Avoiding Real-World VulnerabilitiesPragmatic Network Security - Avoiding Real-World Vulnerabilities
Pragmatic Network Security - Avoiding Real-World Vulnerabilities
 
The future of cloud security
The future of cloud securityThe future of cloud security
The future of cloud security
 
FreeSBC - Getting Started
FreeSBC - Getting StartedFreeSBC - Getting Started
FreeSBC - Getting Started
 
FreeSBC - Getting Started
FreeSBC - Getting StartedFreeSBC - Getting Started
FreeSBC - Getting Started
 
Network Security and Spoofing Attacks
Network Security and Spoofing AttacksNetwork Security and Spoofing Attacks
Network Security and Spoofing Attacks
 
Cyber Security for Financial Planners
Cyber Security for Financial PlannersCyber Security for Financial Planners
Cyber Security for Financial Planners
 
Securing Your Intellectual Property: Preventing Business IP Leaks
Securing Your Intellectual Property: Preventing Business IP LeaksSecuring Your Intellectual Property: Preventing Business IP Leaks
Securing Your Intellectual Property: Preventing Business IP Leaks
 
6 Most Surprising SharePoint Security Risks
6 Most Surprising SharePoint Security Risks6 Most Surprising SharePoint Security Risks
6 Most Surprising SharePoint Security Risks
 
Cyber Security Seminar
Cyber Security SeminarCyber Security Seminar
Cyber Security Seminar
 
Lessonplan-1 (1).docx
Lessonplan-1 (1).docxLessonplan-1 (1).docx
Lessonplan-1 (1).docx
 
Lessonplan-1.docx
Lessonplan-1.docxLessonplan-1.docx
Lessonplan-1.docx
 
Sheet1WeaknessViolates a policy or procedureThreatWhat is th.docx
Sheet1WeaknessViolates a policy or procedureThreatWhat is th.docxSheet1WeaknessViolates a policy or procedureThreatWhat is th.docx
Sheet1WeaknessViolates a policy or procedureThreatWhat is th.docx
 
Codec Networks Providing Courses in Cyber forensic,Network Forensics.
Codec Networks Providing Courses in Cyber forensic,Network Forensics.Codec Networks Providing Courses in Cyber forensic,Network Forensics.
Codec Networks Providing Courses in Cyber forensic,Network Forensics.
 
Codec Networks Offering Courses in Cyber forensic in Delhi,India.
Codec Networks Offering Courses in Cyber forensic in Delhi,India.Codec Networks Offering Courses in Cyber forensic in Delhi,India.
Codec Networks Offering Courses in Cyber forensic in Delhi,India.
 
Meeting the Cybersecurity Challenge
Meeting the Cybersecurity ChallengeMeeting the Cybersecurity Challenge
Meeting the Cybersecurity Challenge
 
New Horizons SCYBER Presentation
New Horizons SCYBER PresentationNew Horizons SCYBER Presentation
New Horizons SCYBER Presentation
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3
 
Information Security and Corporate Risk
Information Security and Corporate RiskInformation Security and Corporate Risk
Information Security and Corporate Risk
 
How Does a Data Breach Happen?
How Does a Data Breach Happen? How Does a Data Breach Happen?
How Does a Data Breach Happen?
 
internet
internetinternet
internet
 

Más de Peter Wood

Hacking is easy: understanding your vulnerabilities
Hacking is easy: understanding your vulnerabilitiesHacking is easy: understanding your vulnerabilities
Hacking is easy: understanding your vulnerabilitiesPeter Wood
 
The 2018 Threatscape
The 2018 ThreatscapeThe 2018 Threatscape
The 2018 ThreatscapePeter Wood
 
Introduction to Cyber Resilience
Introduction to Cyber ResilienceIntroduction to Cyber Resilience
Introduction to Cyber ResiliencePeter Wood
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present DangersPeter Wood
 
Big Data and Security - Where are we now? (2015)
Big Data and Security - Where are we now? (2015)Big Data and Security - Where are we now? (2015)
Big Data and Security - Where are we now? (2015)Peter Wood
 
Attacking the cloud with social engineering
Attacking the cloud with social engineeringAttacking the cloud with social engineering
Attacking the cloud with social engineeringPeter Wood
 
Advanced threat protection and big data
Advanced threat protection and big dataAdvanced threat protection and big data
Advanced threat protection and big dataPeter Wood
 
Cloud, social networking and BYOD collide!
Cloud, social networking and BYOD collide!Cloud, social networking and BYOD collide!
Cloud, social networking and BYOD collide!Peter Wood
 
Unpatched Systems: An Ethical Hacker's View
Unpatched Systems: An Ethical Hacker's ViewUnpatched Systems: An Ethical Hacker's View
Unpatched Systems: An Ethical Hacker's ViewPeter Wood
 
Prime Targets in Network Infrastructure
Prime Targets in Network InfrastructurePrime Targets in Network Infrastructure
Prime Targets in Network InfrastructurePeter Wood
 
Security Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsSecurity Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsPeter Wood
 
Emerging Threats and Attack Surfaces
Emerging Threats and Attack SurfacesEmerging Threats and Attack Surfaces
Emerging Threats and Attack SurfacesPeter Wood
 
Out of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day ThreatsOut of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day ThreatsPeter Wood
 
Social Networking - An Ethical Hacker's View
Social Networking - An Ethical Hacker's ViewSocial Networking - An Ethical Hacker's View
Social Networking - An Ethical Hacker's ViewPeter Wood
 
Top Five Internal Security Vulnerabilities
Top Five Internal Security VulnerabilitiesTop Five Internal Security Vulnerabilities
Top Five Internal Security VulnerabilitiesPeter Wood
 
The Consumerisation of Corporate IT
The Consumerisation of Corporate ITThe Consumerisation of Corporate IT
The Consumerisation of Corporate ITPeter Wood
 
Security in a Virtualised Environment
Security in a Virtualised EnvironmentSecurity in a Virtualised Environment
Security in a Virtualised EnvironmentPeter Wood
 
The Corporate Web Security Landscape
The Corporate Web Security LandscapeThe Corporate Web Security Landscape
The Corporate Web Security LandscapePeter Wood
 
The Ultimate Defence - Think Like a Hacker
The Ultimate Defence - Think Like a HackerThe Ultimate Defence - Think Like a Hacker
The Ultimate Defence - Think Like a HackerPeter Wood
 
Security Testing in an Age of Austerity
Security Testing in an Age of AusteritySecurity Testing in an Age of Austerity
Security Testing in an Age of AusterityPeter Wood
 

Más de Peter Wood (20)

Hacking is easy: understanding your vulnerabilities
Hacking is easy: understanding your vulnerabilitiesHacking is easy: understanding your vulnerabilities
Hacking is easy: understanding your vulnerabilities
 
The 2018 Threatscape
The 2018 ThreatscapeThe 2018 Threatscape
The 2018 Threatscape
 
Introduction to Cyber Resilience
Introduction to Cyber ResilienceIntroduction to Cyber Resilience
Introduction to Cyber Resilience
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present Dangers
 
Big Data and Security - Where are we now? (2015)
Big Data and Security - Where are we now? (2015)Big Data and Security - Where are we now? (2015)
Big Data and Security - Where are we now? (2015)
 
Attacking the cloud with social engineering
Attacking the cloud with social engineeringAttacking the cloud with social engineering
Attacking the cloud with social engineering
 
Advanced threat protection and big data
Advanced threat protection and big dataAdvanced threat protection and big data
Advanced threat protection and big data
 
Cloud, social networking and BYOD collide!
Cloud, social networking and BYOD collide!Cloud, social networking and BYOD collide!
Cloud, social networking and BYOD collide!
 
Unpatched Systems: An Ethical Hacker's View
Unpatched Systems: An Ethical Hacker's ViewUnpatched Systems: An Ethical Hacker's View
Unpatched Systems: An Ethical Hacker's View
 
Prime Targets in Network Infrastructure
Prime Targets in Network InfrastructurePrime Targets in Network Infrastructure
Prime Targets in Network Infrastructure
 
Security Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsSecurity Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent Threats
 
Emerging Threats and Attack Surfaces
Emerging Threats and Attack SurfacesEmerging Threats and Attack Surfaces
Emerging Threats and Attack Surfaces
 
Out of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day ThreatsOut of the Blue: Responding to New Zero-Day Threats
Out of the Blue: Responding to New Zero-Day Threats
 
Social Networking - An Ethical Hacker's View
Social Networking - An Ethical Hacker's ViewSocial Networking - An Ethical Hacker's View
Social Networking - An Ethical Hacker's View
 
Top Five Internal Security Vulnerabilities
Top Five Internal Security VulnerabilitiesTop Five Internal Security Vulnerabilities
Top Five Internal Security Vulnerabilities
 
The Consumerisation of Corporate IT
The Consumerisation of Corporate ITThe Consumerisation of Corporate IT
The Consumerisation of Corporate IT
 
Security in a Virtualised Environment
Security in a Virtualised EnvironmentSecurity in a Virtualised Environment
Security in a Virtualised Environment
 
The Corporate Web Security Landscape
The Corporate Web Security LandscapeThe Corporate Web Security Landscape
The Corporate Web Security Landscape
 
The Ultimate Defence - Think Like a Hacker
The Ultimate Defence - Think Like a HackerThe Ultimate Defence - Think Like a Hacker
The Ultimate Defence - Think Like a Hacker
 
Security Testing in an Age of Austerity
Security Testing in an Age of AusteritySecurity Testing in an Age of Austerity
Security Testing in an Age of Austerity
 

Último

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 

Último (20)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 

Advanced Threat Protection: Lessons from a Red Team Exercise

  • 1. Peter Wood Chief Executive Officer First Base Technologies LLP Advanced Threat Protection Lessons from a Red Team Exercise
  • 2. Slide 2 © First Base Technologies 2014 Who is Peter Wood? Worked in computers & electronics for 45 years Founded First Base in 1989 (the first ethical hackers in UK) Ethical hacker, security evangelist and public speaker • Fellow of the BCS, the Chartered Institute for IT • Chartered IT Professional • CISSP • Senior Member of the Information Systems Security Association (ISSA) • 15 Year+ Member of ISACA, Member of the ISACA Security Advisory Group • Member of the Institute of Information Security Professionals • Member of the BCS Register of Security Specialists • Deputy Chair of the BCS Information Risk Management and Audit Group • UK Programme Chair for the Corporate Executive Programme • Member of ACM, IEEE, First Forensic Forum (F3), Institute of Directors • Member of Mensa
  • 3. Slide 3 © First Base Technologies 2014 Who are First Base Technologies? • Web Application Testing • Infrastructure Testing • Network Security Testing • Server Security Audits • SCADA Security Testing • PCI Penetration Testing • Endpoint Testing • Social Engineering • Red Teaming • Risk Assurance • Transformation Consultancy • Cloud Security • Architectural Reviews • Awareness Consultancy • Keynote Seminars • Security Evangelism • Multimedia Training • White-hats.co.uk User Group Penetration Testing & Ethical Hacking Security Consultancy & Awareness
  • 4. Slide 4 © First Base Technologies 2014 RSA Advanced Attack (2011) https://blogs.rsa.com/anatomy-of-an-attack/
  • 5. Slide 5 © First Base Technologies 2014 How an Advanced Attack Works
  • 6. Slide 6 © First Base Technologies 2014 Red Team Testing • Use your threat analysis to pick a realistic attack scenario • Use your asset register to identify realistic targets • Engage a red team exercise to simulate a real attack • Check your preventative and detective controls! • Learn, improve, repeat!
  • 7. Slide 7 © First Base Technologies 2014 Threat analysis for testing http://csrc.nist.gov/cyberframework/rfi_comments/040813_cba_part2.pdf
  • 8. Slide 8 © First Base Technologies 2014 Lessons from a red team exercise We combined real examples to tell a story Stories are always more compelling than bald facts! “The story you are about to hear is true; only the names have been changed to protect the innocent vulnerable.”
  • 9. Slide 9 © First Base Technologies 2014 Our attack timeline
  • 10. Slide 10 © First Base Technologies 2014 Remote information gathering • 15 premises in UK, reviewed on Google maps and street view • 4 registered domains • 5 IP address ranges • 72 Internet-facing hosts • Metadata retrieved for Adobe, Office and QuarkExpress • Scan revealed OWA in use • Internet search for relevant email addresses • LinkedIn searches to construct email addresses for employees • 400 email addresses identified • ‘Interesting’ staff names and job titles from LinkedIn • Emails sent to obtain responding email style and layout
  • 11. Slide 11 © First Base Technologies 2014 On-site reconnaissance • Head office: - Perimeter guards and external CCTV - Main reception manned and controlled - Goods entrance well controlled - No other access - Staff ID card design noted - Results used to plan on-site attack 2 • Branch office: - High street premises, no guarding - Small reception, one receptionist - Door intercom - Multi-tenanted building - Results used to plan on-site attack 1
  • 12. Slide 12 © First Base Technologies 2014 Results of info gathering 1. Spear phishing is viable and can be used for theft of credentials 2. Head office will require legitimate appointment to gain physical access 3. Branch office may be vulnerable to ad hoc visitor with remote backup 4. Significant number of other premises available as fallback 5. Windows and Office in use, so typical network vulnerabilities will apply
  • 13. Slide 13 © First Base Technologies 2014 Spear phishing plan 1. Convincing fake domain name available and purchased 2. OWA site cloned onto fake domain for credential theft 3. Large number of email addresses harvested as targets 4. Design of real emails copied to facilitate spear phishing 5. Names and job titles gathered as fake senders 6. Genuine OWA will be used to test stolen credentials (and gather further info) 7. Credentials will be deployed in first on-site attack
  • 14. Slide 14 © First Base Technologies 2014 Spear phishing exercise 1. Email sent from IT manager, using fake domain address 2. OWA cloned on to tester’s laptop, DNS set accordingly 3. Email sent to three groups of 100 recipients 4. Within a few minutes, 41 recipients entered credentials 5. Credentials tested on legitimate OWA site 6. Significant information gathered from each account 7. Further emails can now be sent from legitimate addresses
  • 15. Slide 15 © First Base Technologies 2014 Branch office attack plan 1. Team member “Harry” to pose as a contractor working for a telecomms firm 2. Clothing and ID badge prepared 3. Works order fabricated 4. Engineering toolkit prepared, including laptop 5. Credentials obtained from spear phishing stored on laptop 6. Other team members on landline phones for remote verification
  • 16. Slide 16 © First Base Technologies 2014 Branch office attack exercise (1) 1. “Harry” arrives and tells receptionist he needs to fix a network fault 2. Receptionist asks for a contact name for verification 3. Harry claims not to know and gives receptionist his works order number and a phone number to get details 4. Receptionist calls and speaks to “George” who gives the name of an IT employee (who we know is ‘out of office’) 5. Receptionist cannot make contact with absent IT employee, so tells Harry to call their IT Manager to resolve the problem 6. Harry calls “Charlie” and asks him to impersonate the IT Manager 7. Charlie (impersonating the IT Manager) calls receptionist and tells them to give Harry access
  • 17. Slide 17 © First Base Technologies 2014 Branch office attack exercise (2) 9. Harry is escorted into the office and given a desk and a network point 10.He is left unsupervised and plugs his laptop in to the network 11.He explores the network and identifies several Windows servers 12.He authenticates to a domain controller using credentials obtained during the phishing exercise 13.He explores various servers and identifies many interesting files 14.He plants several files to demonstrate full read-write access 15.He explains that he has run diagnostics and that the network connection seems ok. He is escorted to reception and signs out
  • 18. Slide 18 © First Base Technologies 2014 Head office attack plan (1) A number of scenarios were considered: • Apply for a job vacancy with a suitable fake CV • Courier delivery of a parcel • Research and interview for newspaper or publication • Discussion about a school tour of premises • Tour of premises as a prospective customer Two alternatives were selected and developed: • Tour of premises as a prospective customer for a specific product • Interview for a charity magazine about corporate fund raising
  • 19. Slide 19 © First Base Technologies 2014 Head office attack plan (2) Relevant domain names were obtained, email addresses and web pages created for both fake organisations. 1. Tour of premises as a prospective customer for a specific product: - “Anne” sent an email via the company’s online form - An exchange of emails occurred over the next few days and she obtained permission, as a new customer, to book a tour of the premises 2. Interview for a charity magazine about corporate fund raising: - “Anne” called the company and spoke to head of fund raising team - Press office called Anne and asked for more details - Background research proved convincing and pretext was accepted - Interview booked at head office Option 2 entailed less risk of exposure, so was attempted first.
  • 20. Slide 20 © First Base Technologies 2014 Head office attack exercise 1. “Anne” and “Harry” arrive for the press interview, are given visitor passes and escorted to a meeting room 2. Harry asks to use the bathroom and is given directions 3. A senior employee joins the meeting and asks further questions to validate their story, which are answered satisfactorily 4. Harry returns from the bathroom, but quickly exits the meeting again leaving a pack of diarrhoea medicine on the table 5. During his ‘bathroom visit’ Harry is able to access unattended computers, simulate installing keyloggers and remote control software and copying files on to a USB drive 6. When the interview concludes, Anne and Harry are escorted from the building
  • 21. Slide 21 © First Base Technologies 2014
  • 22. Slide 22 © First Base Technologies 2014 Lessons 1. No checks on social networking using work email addresses 2. No sanitisation of metadata in published documents 3. Insufficient staff training on spear phishing 4. Inadequate visitor validation at branch office 5. Unsupervised visitor at branch office 6. Unsupervised visitor at head office (bathroom break) 7. Unlocked computers 8. No challenging of unescorted visitors 9. Sensitive information protected only by Windows credentials
  • 23. Slide 23 © First Base Technologies 2014 Red Team Testing • Use your threat analysis to pick a realistic attack scenario • Use your asset register to identify realistic targets • Engage a red team exercise to simulate a real attack • Check your preventative and detective controls! • Learn, improve, repeat!
  • 24. Peter Wood Chief Executive Officer First Base Technologies LLP peter@firstbase.co.uk http://firstbase.co.uk http://white-hats.co.uk http://peterwood.com Twitter: @peterwoodx Need more information?