DMA - Stupid Cyber Criminal Tricks

DMA April 2020 Meeting
I
R
I
R
- Matt Scheurer
Dayton Microcomputer Association
April 28, 2020
Stupid Cyber Criminal Tricks
and How to Combat Them
@c3rkah | https://www.linkedin.com/in/mattscheurer/
https://www.slideshare.net/cerkah/

I work for a big well-known
business...
As an Information Security
(InfoSec) Engineer,
Performing Digital Forensics &
Incident Response (DFIR)
On a Computer Security Incident
Response Team (CSIRT)
About Me...About Me...
I serve as Chair for the
I am also an
Ambassador & Security Researcher for
S||||

Disclaimer # 1 / 2Disclaimer # 1 / 2
Yes, I have a day job.
However…
Opinions expressed are
based solely on my own
independent security
research and do not
express or reflect the views
or opinions of my employer.

Disclaimer # 2 / 2Disclaimer # 2 / 2
The informational material presented is for
educational purposes only. The presenter is not
responsible for its use or misuse. No warranties
or guarantees implied or otherwise are in effect.
Use of these tools, techniques and technologies
are at your own risk!

Cyber Criminals?Cyber Criminals?
I work here:
As a Sr.
Systems Security Engineer
●
Are NOT “Hackers”!
– Call them
●
Threat Actors
●
Malicious Threat Actors
●
Cyber Criminals
●
Or simply just “Criminals”

Nothing worth taking?Nothing worth taking?
I work here:
As a Sr.
https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/

Operational Security EssentialsOperational Security Essentials
I work here:
As a Sr.
●
Run up-to-date software and keep it patched
– Only use supported systems / devices & OS’es
●
Harden / Secure your network equipment
– Especially anything Internet facing
●
Change default usernames (where possible)
and passwords

OpSec BasicsOpSec Basics
I work here:
As a Sr.
●
Anti-Virus
– Immunet (https://www.immunet.com/)
●
Enterprise-grade next-generation AV for free
●
Nice compliment to Windows Defender
●
Firewall / HIDS / HIPS
– Search online for a Windows Firewall tutorial
– Or buy something better

Credential SafeguardingCredential Safeguarding
I work here:
As a Sr.
●
Strong Passwords
– Long passphrases
– Avoid re-use
●
Password Safes
– KeePass (On-premises)
– LastPass (Cloud / Mobile)
●
Have I been pwned?
– https://haveibeenpwned.com/
●
Multi-factor authentication
– Dual-factor or MFA
●
VPN for wireless / mobile
– Commercial Solutions
– https://cloudatcost.com/cloud-vpn
– PfSense (at home)
– Home Router
– L2TP/IPSEC if supported

Scams: Be skeptical!Scams: Be skeptical!
I work here:
As a Sr.
●
Go to sites yourself
– Instead of using links
●
Vendors & the IRS
don’t ask for gift cards
●
Callback directly to
verify
●
https://www.bbb.org/scamtracker/
“I roll to disbelieve!”

Motherly adviceMotherly advice
I work here:
As a Sr.

PhishingPhishing
I work here:
As a Sr.
●
Social engineering attacks using email
●
Most common attack method
– Leveraged by the most inexperienced script kiddies
– Used by nation-states
– And every type of threat actor in-between

Compromised EmailCompromised Email
I work here:
As a Sr.
https://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/

What is an email message really?What is an email message really?
I work here:
As a Sr.
●
A single text file in logical parts
– Headers
– Message body (source)
●
Attachments
– Base64 Encoded Text
– May contain hyperlinks
●
In the message body, or in the attachment

Obtaining the message sourceObtaining the message source
I work here:
As a Sr.
●
Will vary from email client and platform
– https://mxtoolbox.com/Public/Content/EmailHeaders/

Checking AttachmentsChecking Attachments
I work here:
As a Sr.
●
VirusTotal
– https://www.virustotal.com/
CAUTION: Do not upload potentially sensitive files to
VirusTotal or any other public web sites!

Checking HyperlinksChecking Hyperlinks
I work here:
As a Sr.
●
urlscan.io
– https://urlscan.io/
●
VirusTotal
– https://www.virustotal.com/

Beware of Gotcha’s...Beware of Gotcha’s...
I work here:
As a Sr.
●
Obfuscation by a URL Shortener
●
Evasion Code / DGA
●
iFrames
●
Redirects and Forwards
●
Encoded content
●
Relying too heavily on your defenses / tools...

Phishing email live demosPhishing email live demos
I work here:
As a Sr.
●
We’ll cover looking at email message source
– Potential malicious content may exist
●
In attachments
●
In hyperlinks potentially going to phishing sites

Script KiddiesScript Kiddies
I work here:
As a Sr.
Script kiddies may be low-skilled, but they are a real threat...
Some offensive security tools have become so user friendly and
simple that the barrier to compromising vulnerable systems has
become trivial. We will use Kali Linux, SPARTA (Legion), OWASP
ZAP, and Armitage to demonstrate just how easy exploiting some
vulnerabilities has become. The takeaways will be on vulnerability
scanning systems in your environment and Proof-of-Concept those
findings to help improve your overall security posture by eliminating
the low hanging fruit of vulnerabilities.

●
All of the tools
demonstrated here
are included in Kali
Linux
●
Free to download and
use
●
https://www.kali.org/
Kali LinuxKali Linux

The OWASP Zed Attack Proxy (ZAP) is one of the
world’s most popular free security tools and is
actively maintained by hundreds of international
volunteers*. It can help you automatically find
security vulnerabilities in your web applications
while you are developing and testing your
applications. Its also a great tool for experienced
pentesters to use for manual security testing.
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
OWASP ZAPOWASP ZAP

OWASP ZAP Demo
●
In this live demo, I will use OWASP ZAP to find
hidden files on the web
●
OWASP ZAP will uncover accidental exposure
●
Sensitive data exposure is #3 on the latest
OWASP Top 10 list
OWASP ZAP DemoOWASP ZAP Demo

SPARTA
SPARTA is a python GUI application which simplifies
network infrastructure penetration testing by aiding the
penetration tester in the scanning and enumeration
phase. It allows the tester to save time by having
point-and-click access to his toolkit and by displaying
all tool output in a convenient way. If little time is spent
setting up commands and tools, more time can be
spent focusing on analyzing results.
https://sparta.secforce.com/
SPARTA (Legion)SPARTA (Legion)

SPARTA Demo
●
In this live demo, I will use SPARTA to scan a network
●
This should reveal hosts and the services running on
them
●
It will also check discovered services for
vulnerabilities
●
Also collecting screen shots of web services
SPARTA (Legion) DemoSPARTA (Legion) Demo

Metasploit & Armitage
●
Metasploit is the world's most used penetration testing
software. Uncover weaknesses in your defenses,
focus on the right risks, and improve security.
●
Armitage - Cyber Attack Management for Metasploit.
Armitage makes penetration testing easy by adding a
GUI to the Metasploit framework
https://www.rapid7.com/products/metasploit/
http://www.fastandeasyhacking.com/
Metasploit & ArmitageMetasploit & Armitage

Metasploit & Armitage Demo
●
In this live demo, I will use Armitage in an
attempt to find and exploit vulnerabilities on
another host
●
Our goal is to establish a remote shell with root
level privledges
Metasploit & Armitage DemoMetasploit & Armitage Demo

●
Check out the Metasploit Unleashed
Free Ethical Hacking Course
– https://www.offensive-security.com/metasploit-unleashed/
Leveling UpLeveling Up

●
Powerful vulnerability exploitation tools are
readily available for free to tech defenders and
malicious threat actors alike
●
The barrier to entry for unskilled attackers is
very low
ConclusionsConclusions

Are you actively scanning your web sites and
cloud storage for sensitive data exposure?
Provocative QuestionsProvocative Questions

Are you checking for credentials susceptible to
simple dictionary and brute force attacks?

Are you checking for credentials susceptible to
simple dictionary and brute force attacks?
Are your systems and network devices vulnerable
to simple exploit kit attacks?

Malicious threat actors are probably already doing
these things against us...
ConsiderationsConsiderations

Malicious threat actors are probably already doing
these things against us...
Who would you rather have discover exposed
data, weak credentials, or easily exploitable
vulnerabilities first?
ConsiderationsConsiderations

●
Next CiNPA Security SIG meeting (Threat Roundup)
– Thursday, May 21, 2020 6:30 PM to 9:00 PM
– https://www.meetup.com/TechLife-Cincinnati/events/njkqnpybchbcc/
●
I am speaking at Circle City Con
– Topic “Lend me your IR’s!”
– June 12 – 14 (Online Virtual Conference)
– https://circlecitycon.com/
Shameless PlugsShameless Plugs

QuestionsQuestions
●
Who ...
●
What ...
●
When ...
●
Where ...
●
Why ...
●
How ...

Thank you for attending!
I
R
I
R
- Matt Scheurer
Dayton Microcomputer Association
April 28, 2020
Stupid Cyber Criminal Tricks
and How to Combat Them
@c3rkah | https://www.linkedin.com/in/mattscheurer/
https://www.slideshare.net/cerkah/

DMA - Stupid Cyber Criminal Tricks

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a DMA - Stupid Cyber Criminal Tricks

Similar a DMA - Stupid Cyber Criminal Tricks (20)

Más de CiNPA Security SIG

Más de CiNPA Security SIG (16)

Último

Último (20)

DMA - Stupid Cyber Criminal Tricks