
Agile Pentesting - Cisco RTP Cyber Security Summit

Agile and Pentesting, Goalsetting, and ... are we doing it wrong?

mosesrenegade

April 04, 2014

Transcript

  1. © 2014 Cisco and/or its affiliates. All rights reserved. 64282 Cisco Public Moses Hernandez | @mosesrenegade
     WARNING: This talk may contain comments or opinions that at times may differ from those of Cisco Systems. The views expressed here do not necessarily reflect those of Cisco Systems. Audience discretion is advised.
  2. [d3adlist$] ./whoami
     About Me: Moses Hernandez, Consulting Systems Engineer [at] Cisco. moses[at]cisco.com, @mosesrenegade, about.me/moseshernandez
     I break apps… …and networks…
  3. (image slide, no text)
  4. “The truth lies at the heart of the art of combat” - Hattori Hanzo
  5. AttacksOps: What? DevOps constructs in the security space. Industry says:
     - Penetration Testing (Must)
     - Red Teaming (Why Not?)
     - “Attacker Emulation” (Who does this?)
  6. AttacksOps: What? DevOps constructs in the security space. Reality is:
     - Economics and Tools
     - Strategies and Goals
     - Machines vs Humans
  7. Rules of the road… Buy the ticket, take the ride
     Some goals for the session today:
     - Hopefully: a change in ‘how’ we conduct internal/external testing paradigms
     - Potentially: leave with some neat new tricks.
     - Collectively: connect the dots for everyone on where we will be going.
  8. - You're going to see tools in here; some tools are considered to be somewhat ‘safe’.
     - There will also be code in here that is, well, not so safe.
     You're in for a ride. …Hold on.
  9. Tibet Case Study
  10. gh0stnet
     - Example of a highly ‘effective’ campaign
       - Consider that there were only 300-400 compromised hosts spread across the globe.
       - “Highly effective” targeting.
     - What does this show us?
       ✓ Goal Setting
       ✓ Detection and Avoidance
       ✓ Data Collection and Gathering
  11. Tooling
     - It would seem that they employed a few strategies.
       - Gh0strat: a remote access tool, which was Poison Ivy.
       - Used real documents (PDFs) of interest from the W.H.O. and other organizations like the U.N. in order to deliver the gh0strat payloads.
       - Spear phishing + a well-designed Remote Access Trojan (RAT).
  12. Emulate the Attacker?
  13. Demo Discretion.
  14. AttackOps: Architecture 2009 Style
  15. AttackOps Example Architectures
     - More than likely multiple levels of obfuscation.
     - Looking for the loot? Maybe it's ‘big data-style’. (Fast Data?)
       - Because, you know, once you know what you're after you can do more targeted mining.
     - Purpose built
       - For example, purpose-built ‘RATs’ with a purpose-built ‘plugin architecture’.
       - Servers (Linux) to serve as software routers.
     - Obfuscation, for example a “Darknet within THE Darknet”.
       - Why use White tools when the Black Hat tools are ‘better’?
  16. AttackOps Example Architectures (diagram, build 1: three groups of Victims / Targets)
  17. AttackOps Example Architectures (diagram, build 2: adds Compromised Server, “Watering Hole Attack?”, Software Router, “Raw Sockets or HTTP(S)”)
  18. AttackOps Example Architectures (diagram, build 3: adds two C&C nodes)
  19. AttackOps Example Architectures (diagram, build 4: adds Attacker and Data Collection)
  20. CLANDESTINE INFOTECH
  21. Defining the problem
  22. US
     - We are the problem.
     - …A big big problem…
       - Tools: which tools do attackers use?
       - Techniques: what techniques do they use? What do we know they do?
       - Procedures: what procedures do they employ? Why do they do that?
  23. Attackers and Goal Setting
     - Attacker goals:
       ✓ Military Advantage
       ✓ Power
       ✓ Corporate Espionage
       ✓ Intellectual Property Theft
       ✓ Monies. $$$
     - Pen tester goals:
       ✓ Find all the “Vulnerabilities”
       ✓ “On time and On Budget”
       ✓ “Prove it”
       ✓ Fix all at once.
       ✓ “Bragging Rights”
       ✓ (More on this later)
  24. Tools?
     - Attackers don't use our tools!
       - Obfuscation through DDoS
       - They use RATs
         - Connection optional
         - Highly stealthy
         - ‘User’ friendly
         - “Customer First”
         - Mobile ready
       - Motivations and goals
     - “Pen Testers”
       - Use “developer tools”
       - Lots of command line
       - “Scripts”
       - Connection oriented
         - Lose the connection, lose it all
         - Not designed to be user friendly
         - Mobile (YMMV)
  25. Let's fix it
  26. Tactics: Agile and Waterfall…
     - Many organizations are looking at Agile methods of software construction or assembly.
       - (Notice I didn't say development or creation…)
     - …most software today is ‘assembled’, isn't it?
     - …most exploit frameworks are assembled too, aren't they?
     - We called the original method waterfall…. We call the new ‘better’ way ‘agile’.
       - It's mostly about quick, small feedback loops though, isn't it?
  27. “Penetration Tests today are waterfall…” - Me
  28. (same slide repeated)
  29. Waterfall vs Agile
     - Waterfall:
       - Tendency to be lengthier cycles
       - Project managed
       - Features on features
       - Ready for the big “Release”
         - Think Windows NT, 2000, 2003
     - Agile tends to not have much of a project plan
       - More roadmap focused
       - Smaller feedback loops
       - Smaller features into production at a time.
         - Think Version 1, 1.1, 1.2, 1.3
         - Maybe more ‘weekly’, bi-weekly, or ‘monthly’ outcomes.
  30. Tactics: Scrumy Goal Setting
  31. Tactics: Scrumy (process diagram, build 1): Scrum Starts → Goal Setting; Operations Support
  32. Tactics: Scrumy (build 2): adds Recon/Vuln/Mapping and Data Storage
  33. Tactics: Scrumy (build 3): adds Exploit
  34. Tactics: Scrumy (build 4): adds Post Exploit
  35. Tactics: Scrumy (build 5): adds Goals Met. Full loop: Scrum Starts → Goal Setting → Recon/Vuln/Mapping → Exploit → Post Exploit → Goals Met, with Operations Support and Data Storage alongside.
  36. Goaling: Jeopardy Style
     - Let's take a page out of our war games!
     - Jeopardy-style goaling
       - Change from “Find All” to “Goals”
       - Use Jeopardy-style game boards.
       - Make sure you have finite goals!
         - No ambiguity.
  37. Better Tools?
     - I think we need better tools.
       - But for now, let's do the best with what we have.
     - Demo:
       - Waterhole attack, exploit of a WordPress 3.5 vulnerability released last year.
       - Drop a BeEF hook
       - Roll to a Metasploit listener delivering a Metasploit backdoor.
       - Potentially can be Browser Autopwn.
       - Emulation of exploit-kit delivery + waterhole attack
       - Not as workable as Poison Ivy; best effort.
  38. WARNING: The demo you are about to see is conducted in a controlled environment. It is the author's suggestion that the audience do not attempt to use all of the tools described without proper validation.
  39. Thanks! Moses Hernandez, moses[at]cisco.com, @mosesrenegade