Slide 1

Attack & Defense Methods

Slide 2

Slide 3

Slide 4

Slide 5

Slide 6

Slide 7

Slide 8

Slide 9

Slide 10

Example of attack: Operation ShadowHammer // Barium APT (trojanised ASUS Live Update Utility)
Defense: Ensure devices are bought through a supply chain that is as secure as possible. The SOC / Blue Team should still monitor devices for unexpected actions.

Slide 11

Slide 12

Attack: Stuxnet (nuclear enrichment sabotage)
Defense: Automated and manual review of devices (hardware too, if applicable).

Slide 13

Source: https://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/

Slide 14

Source: https://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/
“With the forensics we now have it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge.”

Slide 15

Attack:
- Malicious attachments (macros, overflows, etc.)
- Malicious websites (DNS rebinding)
Defense: Educate users on how spear phishing, targeted email campaigns and social engineering work.

Slide 16

Source: https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/

Slide 17

Attack:
- Vulnerable software behind a firewall that accesses the Internet, either manually or automated.
- Example: software update agents. Evilgrade is a framework that can inject fake updates through a MITM position.
- MITM over the Internet can be performed with BGP or DNS hijacking.

Slide 18

Defense:
- Ensure software accessing the Internet is secure
- Pay attention to custom software update agents in particular
- Inspect inbound and outbound traffic
- Air gap sensitive networks completely
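The update-agent point above (slides 17 and 18) comes down to one check: a payload is installed only if it matches what the vendor published, fetched over TLS from the expected host. The following is an added example, not code from the slides or from Evilgrade, showing that check in Python with the standard library. The host name updates.example.invalid, the manifest layout and the payload bytes are all constructed for the example; the manifest is assumed to have been obtained over a pinned TLS channel.

```python
"""Pinned-manifest verification for a custom update agent (added example).

Refuses an update whose payload does not match the digests the vendor
published, or whose download URL is not TLS to an allow-listed host, so an
in-path attacker cannot substitute a fake update. All names, hosts and
payload bytes below are constructed for the example.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample payloads: what the vendor published, and an attacker-modified copy.
GOOD_PAYLOAD = b"agent-update-2.1.0: legitimate binary contents"
TAMPERED_PAYLOAD = GOOD_PAYLOAD + b"\x90"  # one appended byte is enough to change the digest

# Hosts the agent may fetch updates from (assumption: the vendor's update host).
ALLOWED_UPDATE_HOSTS = {"updates.example.invalid"}

# Constructed manifest as the vendor would publish it (digests computed from the real payload).
VENDOR_MANIFEST = {
    "version": "2.1.0",
    "files": {
        "agent.bin": {
            "url": "https://updates.example.invalid/agent-2.1.0.bin",
            "sha256": hashlib.sha256(GOOD_PAYLOAD).hexdigest(),
        }
    },
}

# What an in-path attacker might serve instead: same digests, but a plain-HTTP URL.
MITM_MANIFEST = {
    "version": "2.1.0",
    "files": {
        "agent.bin": {
            "url": "http://updates.example.invalid/agent-2.1.0.bin",
            "sha256": VENDOR_MANIFEST["files"]["agent.bin"]["sha256"],
        }
    },
}


class UpdateRejected(Exception):
    """Raised for any condition under which the update must not be installed."""


def check_url(url: str) -> None:
    """Only TLS to an allow-listed vendor host is acceptable for update downloads."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise UpdateRejected(f"refusing non-TLS update URL: {url}")
    if parsed.hostname not in ALLOWED_UPDATE_HOSTS:
        raise UpdateRejected(f"refusing update from unexpected host: {parsed.hostname}")


def verify_update(manifest: dict, downloaded: dict) -> dict:
    """Check every downloaded file against the manifest; return {name: sha256} on success."""
    verified = {}
    for name, meta in manifest["files"].items():
        check_url(meta["url"])
        blob = downloaded.get(name)
        if blob is None:
            raise UpdateRejected(f"manifest lists {name} but it was not downloaded")
        actual = hashlib.sha256(blob).hexdigest()
        # Constant-time comparison; a mismatch means the payload was altered in transit or at rest.
        if not hmac.compare_digest(actual, meta["sha256"]):
            raise UpdateRejected(f"digest mismatch for {name}")
        verified[name] = actual
    extra = set(downloaded) - set(manifest["files"])
    if extra:
        raise UpdateRejected(f"unexpected files not covered by the manifest: {sorted(extra)}")
    return verified


def is_update_acceptable(manifest: dict, downloaded: dict) -> bool:
    """Boolean wrapper an agent's install step can gate on."""
    try:
        verify_update(manifest, downloaded)
        return True
    except UpdateRejected:
        return False


if __name__ == "__main__":
    print("genuine:", is_update_acceptable(VENDOR_MANIFEST, {"agent.bin": GOOD_PAYLOAD}))
    print("tampered:", is_update_acceptable(VENDOR_MANIFEST, {"agent.bin": TAMPERED_PAYLOAD}))
    print("http URL:", is_update_acceptable(MITM_MANIFEST, {"agent.bin": GOOD_PAYLOAD}))
```

The digest check only helps if the manifest itself cannot be replaced, which is why the example assumes it arrives over a pinned channel; a real agent would additionally verify a vendor signature over the manifest.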

Slide 19

Passive attack: TempestSDR
- Many screens leak data, but so do other types of devices
- Requires somewhat close proximity
Defense:
- Shield rooms in close proximity to the public
- Perform signals intelligence and identify noticeable leaks

Slide 20

Screenshot of TempestSDR
Source: https://www.rtl-sdr.com/tempestsdr-a-sdr-tool-for-eavesdropping-on-computer-screens-via-unintentionally-radiated-rf/

Slide 21

Source: https://twitter.com/cn0xroot/status/936559487753773059

Slide 22

Slide 23

Active attack:
- GPS spoofing
- HbbTV hacks (rogue DVB-T)
Defense:
- Monitor the RF spectrum for unknown transmitters
- Check the direction of a transmitter when applicable (a low-cost KerberosSDR can do this)
- Perform signal analysis when necessary

Slide 24

Device: BladeRF

Slide 25

Device: Raspberry Pi Model 3B

Slide 26

Device: USB-to-VGA Adapter (Osmo-FL2K Software)

Slide 27

Overview:
- Everything is a computer
- Not reviewed as much in depth (cost)
- Most seem to run Linux (U-Boot, BusyBox, vendor framework, custom binaries, etc.)
- The majority can be analyzed through UART, JTAG or by dumping the flash ROM directly from the chip

Slide 28

Device: TP-Link Router // USB Oscilloscope // UART

Slide 29

Device: TP-Link Router // Unsoldered UART Ports

Slide 30

Slide 31

Attacks:
- Hardcoded/default passwords
- Some passwords can’t be changed by the user (i.e. backdoor accounts)
- Often running outdated software
- Custom binaries sometimes have questionable security
- Mirai botnet (Telnet, TCP 23, default passwords; used a list of 61 default passwords)

Slide 32

Defense:
- Monitor the network and all devices for anomalous behavior.
- All Internet-connected equipment is more prone to compromise, will likely be the first entry point, and is also used for pivoting onto other networks. Therefore, monitor these devices closely, especially if they access any type of sensitive information.
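Slides 31 and 32 name the Mirai pattern (Telnet on TCP 23, default passwords) and the defense (monitor the devices). As an added example, not from the slides or from any Mirai analysis, the Python below scans connection records for the two signals a monitoring team would look for: Telnet reaching the IoT segment from outside, and one internal device opening Telnet to many distinct hosts, which is what an infected device does while looking for new victims. The log format, the addresses, and INTERNAL_NET (the IoT VLAN) are constructed for the example.

```python
"""Mirai-style Telnet activity in flow records (added example, constructed data)."""
import ipaddress
import re
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumption: the monitored IoT segment
TELNET_PORT = 23
SCAN_THRESHOLD = 5  # distinct Telnet targets from one source before calling it scanning

FLOW_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)

# Constructed sample flow log, one record per line.
SAMPLE_LOG = """\
2019-03-04T10:00:01Z src=203.0.113.5 dst=192.0.2.10 dport=23 proto=tcp
2019-03-04T10:00:02Z src=203.0.113.5 dst=192.0.2.11 dport=23 proto=tcp
2019-03-04T10:00:05Z src=192.0.2.30 dst=192.0.2.40 dport=443 proto=tcp
2019-03-04T10:00:06Z src=192.0.2.30 dst=192.0.2.41 dport=23 proto=tcp
2019-03-04T10:01:00Z src=192.0.2.20 dst=198.51.100.1 dport=23 proto=tcp
2019-03-04T10:01:01Z src=192.0.2.20 dst=198.51.100.2 dport=23 proto=tcp
2019-03-04T10:01:02Z src=192.0.2.20 dst=198.51.100.3 dport=23 proto=tcp
2019-03-04T10:01:03Z src=192.0.2.20 dst=198.51.100.4 dport=23 proto=tcp
2019-03-04T10:01:04Z src=192.0.2.20 dst=198.51.100.5 dport=23 proto=tcp
2019-03-04T10:01:10Z src=192.0.2.20 dst=198.51.100.9 dport=80 proto=tcp
""".splitlines()


def parse_flows(lines):
    """Yield (src, dst, dport, proto) for each well-formed record; skip anything else."""
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"]), m["proto"].lower()


def analyse_telnet(lines, scan_threshold=SCAN_THRESHOLD):
    """Return inbound Telnet pairs, per-device Telnet fan-out, and devices that look infected."""
    inbound = set()            # (src, dst): Telnet into the segment from an external source
    fanout = defaultdict(set)  # internal src -> distinct Telnet destinations it contacted
    for src, dst, dport, proto in parse_flows(lines):
        if proto != "tcp" or dport != TELNET_PORT:
            continue
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if d in INTERNAL_NET and s not in INTERNAL_NET:
            inbound.add((src, dst))
        elif s in INTERNAL_NET:
            # Internal device as the client side: counts both outward and lateral Telnet.
            fanout[src].add(dst)
    likely_infected = sorted(
        src for src, targets in fanout.items() if len(targets) >= scan_threshold
    )
    return {
        "inbound_telnet": sorted(inbound),
        "telnet_fanout": {src: len(targets) for src, targets in fanout.items()},
        "likely_infected": likely_infected,
    }


if __name__ == "__main__":
    for key, value in analyse_telnet(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A single administrative Telnet session (192.0.2.30 in the sample) stays below the threshold and is only reported in the fan-out table; the device sweeping five hosts on port 23 is the one to isolate and inspect.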

Slide 33

Attack: Fax machines can be compromised through phone calls.
Defense: Fax machines are very likely to be targeted more over the next couple of years, and should not be able to access any sensitive information.

Slide 34

Attack:
- BadUSB (reprogram a USB key to act as a keyboard or mouse)
- Teensy, Digispark USB dev board, etc.
- Modified USB cables
- PwnPlug
- And so forth

Slide 35

Source: https://hackaday.com/2018/09/17/diy-rubber-ducky-is-as-cheap-as-its-namesake/

Slide 36

Defense:
- Clear policies for handling USB keys, e.g. unknown USB keys found inside or outside the facility must not be inserted into computers.

Slide 37

Attack:
- Cloning
- Unencrypted and encrypted cards
- Long-distance readers (5-10 meters)
- Modified readers
Defense:
- PINs on all access cards
- Only strongly encrypted cards

Slide 38

Source: https://krebsonsecurity.com/2014/08/how-secure-is-your-security-badge/

Slide 39

Slide 40

Domain fronting
APT29 (identified by Mandiant)

Slide 41

Source: https://www.kaspersky.com/blog/domain-fronting-rsa2019/26352/

Slide 42

Attack methods:
- Outdated services (e.g. MS08-067 & MS17-010), routers and other IoT equipment
- Excess privileges (especially within Active Directory) - BloodHound
- Custom web applications with little to no security
Defense:
- Patch management
- Principle of least privilege
- Secure development of custom applications
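The "excess privileges within Active Directory" item above is mostly a nesting problem: a group that looks harmless is a member of a group that is a member of Domain Admins. As an added example, not from the slides and not BloodHound's code, the Python below resolves effective membership of a privileged group through nested groups (handling membership cycles) and reports every user who holds that privilege only indirectly, which is what a least-privilege review needs to see. The group names and users in GROUPS are constructed for the example.

```python
"""Resolve nested AD group membership for a least-privilege review (added example)."""
from collections import deque

# Constructed membership data, shaped like what a directory export would give you.
# Keys are groups; values list direct members, which may be users or other groups.
GROUPS = {
    "Domain Admins": ["alice", "Tier0-Ops"],
    "Tier0-Ops": ["dave", "Helpdesk"],          # nesting Helpdesk here is the excess-privilege mistake
    "Helpdesk": ["bob", "carol", "Tier0-Ops"],  # membership cycle: Tier0-Ops <-> Helpdesk
    "Finance": ["erin"],
}


def effective_members(groups: dict, root: str) -> dict:
    """Breadth-first walk from `root`; returns {user: shortest membership chain from root}.

    The `seen` set makes the walk terminate even when groups contain each other.
    """
    chains = {}
    seen = {root}
    queue = deque([(root, [root])])
    while queue:
        node, path = queue.popleft()
        for member in groups.get(node, []):
            if member in seen:
                continue
            seen.add(member)
            chain = path + [member]
            if member in groups:        # nested group: keep walking
                queue.append((member, chain))
            else:                       # leaf: a user account
                chains[member] = chain
    return chains


def indirect_members(groups: dict, root: str) -> list:
    """Users who reach `root` only through at least one nested group."""
    return sorted(user for user, chain in effective_members(groups, root).items() if len(chain) > 2)


def privilege_report(groups: dict, privileged=("Domain Admins",)) -> dict:
    """{user: [chain, ...]} for every user who effectively holds any privileged group."""
    report = {}
    for group in privileged:
        for user, chain in effective_members(groups, group).items():
            report.setdefault(user, []).append(chain)
    return report


if __name__ == "__main__":
    for user, chains in sorted(privilege_report(GROUPS).items()):
        for chain in chains:
            print(f"{user}: {' -> '.join(chain)}")
```

In the constructed data the review shows that every Helpdesk member is effectively a Domain Admin through Tier0-Ops, which a listing of direct members would never reveal.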

Slide 43

Source: https://markgamache.blogspot.com/2017/08/detecting-attackers-in-windows-active.html

Slide 44

Attack methods:
- Intel AMT
- Pass-the-Hash (PtH)
- SMBEXEC by brav0hax
- DCOM lateral movement
- Network scan visualization with Neo4j, Moloch, etc.
Defense:
- Hardening of workstations, servers, etc.
- Previous recommendations (least privilege, etc.)

Slide 45

Methods:
- RF exfiltration
- Hacked/modified printers
- USB devices with long USB cables
- Basically (almost) anything with a wire, the longer the better
- DNS
- ICMP
- Any other protocol that is commonly used
- Other methods

Slide 46

Defense:
RF exfiltration
- Monitor the RF spectrum for unknown transmitters
- Check the direction of a transmitter when applicable
- Perform signal analysis when necessary
DNS, ICMP & other protocols
- Deep packet inspection
- Anomalous contents
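"Anomalous contents" for DNS (slides 45 and 46) usually means two things: query names that carry encoded data (long, high-entropy labels) and one client asking for an unusual number of distinct names under a single zone. The Python below is an added example, not from the slides, implementing both checks over constructed query-log lines. The log format, the client addresses, the zone exfil-example.invalid and the thresholds are assumptions for the example; the "registered domain" is simplified to the last two labels.

```python
"""DNS exfiltration indicators over query logs (added example, constructed data)."""
import math
import re
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 3.0      # bits per character; hex/base32 chunks sit above this
LONG_LABEL = 20              # a label this long and high-entropy is rarely human-chosen
CARDINALITY_THRESHOLD = 20   # distinct names under one zone from one client


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of `s`."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def zone_of(qname: str) -> str:
    """Simplification: treat the last two labels as the registered domain."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def query_flags(qname: str) -> list:
    """Per-query indicators; empty list means nothing stood out."""
    flags = []
    longest = max(qname.rstrip(".").split("."), key=len)
    if len(longest) >= LONG_LABEL and shannon_entropy(longest) >= ENTROPY_THRESHOLD:
        flags.append("high-entropy-label")
    if len(qname) > 100:
        flags.append("long-name")
    return flags


LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+)$")


def analyse(lines) -> dict:
    """Combine per-query flags with per-(client, zone) cardinality."""
    flagged = []                      # (client, qname, flags)
    names = defaultdict(set)          # (client, zone) -> distinct qnames
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, qname = m["client"], m["qname"]
        names[(client, zone_of(qname))].add(qname)
        flags = query_flags(qname)
        if flags:
            flagged.append((client, qname, flags))
    high_cardinality = sorted(
        (client, zone, len(qs)) for (client, zone), qs in names.items()
        if len(qs) >= CARDINALITY_THRESHOLD
    )
    return {"flagged_queries": flagged, "high_cardinality": high_cardinality}


# Constructed sample log: benign lookups from one client, an exfil-like burst from another.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def build_sample_log() -> list:
    lines = [
        "2019-03-04T10:00:00Z 192.0.2.30 www.example.com A",
        "2019-03-04T10:00:01Z 192.0.2.30 mail.example.com A",
        "2019-03-04T10:00:02Z 192.0.2.30 cdn-assets.example.com A",
        "2019-03-04T10:00:03Z 192.0.2.30 login.example.com A",
    ]
    for i in range(25):
        # Stand-in for an encoded data chunk: 32 distinct characters, so the label entropy is 5.0.
        label = (ALPHABET[i:] + ALPHABET[:i])[:32]
        lines.append(f"2019-03-04T10:01:{i:02d}Z 192.0.2.20 {label}.{i}.exfil-example.invalid TXT")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("flagged queries:", len(result["flagged_queries"]))
    print("high cardinality:", result["high_cardinality"])
```

Either signal alone produces false positives (CDNs and anti-spam services legitimately use long hashed labels), so the two are reported separately and are most useful when they coincide for the same client and zone, as they do in the constructed sample.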

Slide 47

And a few extras:
- Perform threat intelligence on the dark web for signs of intrusions into any sensitive systems.
- Encryption of data in transit and at rest must evolve over time.

Slide 48

Slide 49

Slide 50

Video: https://www.youtube.com/watch?v=pL9q2lOZ1Fw

Slide 51

Video: https://www.youtube.com/watch?v=pL9q2lOZ1Fw

Slide 52

Fonts:
http://www.losttype.com/edmondsans/
http://www.losttype.com/font/?name=maven

Slide 53

HbbTV Hack: https://www.youtube.com/watch?v=bOJ_8QHX6OA
Mirai: https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/
Securelist: https://apt.securelist.com/#!/threats/
APT29: https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
Powergrid Physical Pentest: https://www.youtube.com/watch?v=pL9q2lOZ1Fw
TempestSDR: https://www.rtl-sdr.com/tempestsdr-a-sdr-tool-for-eavesdropping-on-computer-screens-via-unintentionally-radiated-rf/
Stuxnet: https://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/
BlackEnergy2 APT: https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/
DIY Rubber Ducky: https://hackaday.com/2018/09/17/diy-rubber-ducky-is-as-cheap-as-its-namesake/
Covert Data Exfiltration: https://www.youtube.com/watch?v=-YXkgN2-JD4
Fax Machine Hack: https://www.youtube.com/watch?v=1VDZTjngNqs

Slide 54
