via authoritative servers ◦ Public code to do this! ▪ https://github.com/iagox86/dnscat2 ◦ Add a PAM module that calls edentremont.P@SSW0RD.badguy.net • Tor ◦ Anonymity network prevents IP Reputation • Legal Dept ◦ Attacks that aren’t publicly disclosed may not in signature lists (for liability reasons)
▪ Latency ◦ Signature based detection ◦ IDS is reactive have to know about it first ◦ Brittle, signature based, if modified wont be found ▪ Loader around it and xor the binary. ▪ NOOP, obfuscation, etc.
against a NGFW. Concern for internal personnel / contractors • Walk into NSA with a Taylor Swift CD-RW with a single song on it. ◦ Walk out with the Snowden Archives • Dialing out over phone network ◦ 1 (800) BAD-GUYS ext 146 398 832 • Mail a RPi to a non-existent employee ◦ Physical access via their mailroom
for malware ◦ https://letsencrypt.org/2015/10/29/phishing-and-m alware.html ◦ “Not our job to be content watchdogs and a DV cert is not that” - Let’s Encrypt • Key pinning (HPKP) ◦ makes MITM implausible ◦ Facebook, Google, Dropbox, tor2web do it.
Computationally expensive ◦ Introduces latency ◦ SNI collateral • SSL termination is usually impractical ◦ Not everyone can do it; ▪ University can, corp can. BYOD difficult, ▪ ISP can’t ◦ 11% of internet is SSL terminated. ◦ Not generally done at a national scale. ▪ Technically North Korea could • #redstarOS
detection asymptotically more difficult ◦ HPKP means you can’t SSL terminate. ◦ Even if you could... • Hiding within legitimate traffic ◦ Infeasible in realtime ◦ Traditional; Hiding in images ◦ Hiding in videos - Youtube numbers station ◦ Hiding in syntax - HASK talk
Savoie • Only store what you need to • Airgapped storage ◦ Robot tape loaders ◦ Encrypted offline storage / at rest ◦ Cryptolocker • Host level security ◦ Encryption provides end to end security ◦ The bad guy controls one end; ◦ You control the other.