The 7 Habits of Highly Effective Hackers

Transcript

1. The 7 Habits of Highly- Effective Hackers
 (and what we

   can learn from them) Ryan Kazanciyan Chief Security Architect, Tanium

2. Contributing 
 Author (2014) whoami 2004 - 2009 2009 -

   2015 2015 - Present Alexandria, VA

3. Technical Consultant (S2 & S3)

4. The 7 5 Habits of Highly- Effective Hackers
 (and what

   we can learn from them) Ryan Kazanciyan Chief Security Architect, Tanium

5. Knowing your
 environment

6. Initial Infection Reconnaissance

7. Users Systems Data

8. unmanaged endpoints typically identified by Tanium 
 in production networks

   ~20% Source: https://blog.tanium.com/broken-cyber-hygiene-case-study/

9. Source: Matt Swann @ https://github.com/swannman/ircapabilities

10. None

11. • Hostname • Hardware • Geolocation • Custodian • User

    role / function • Current logged-in users • Recent logged-in users • Common logon sources • Common logon destinations • Installed applications • Application usage metrics • Missing patches • Compliance status • Processes and libraries • Autostart programs • Network traffic profile • New binaries • Script activity • …

12. Assessing risk and maximizing opportunity

13. Build your lists Network
 team Database servers Remote access
 servers

    Domain
 controllers Engineering
 team Legal team Helpdesk
 team Web servers Finance team SOC analysts PoS terminals Security 
 servers E-mail servers Employee
 desktops Executive 
 team Endpoint
 admins ?
14. None

15. Source: Microsoft Security Intelligence Report v21 of malicious files detected

    by Microsoft Office365 in 
 2016 were Word documents 38.5%

16. Source: @JohnLaTWC

17. said the greatest rise in potential IT security risk came

    from mobile devices, such as smartphones 86% Source: Ponemon Institute, 2016 State of the Endpoint Report, April 2016

18. 0.03% percentage of mobile devices infected with “truly malicious” (non-adware)

    malware Source: Verizon DBIR 2015

19. Source: https://www.darkreading.com/attacks-breaches/massive-android-ddos-botnet-derailed/d/d-id/1329747?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

20. None

21. said that zero day attacks do the most harm 71%

    Source: Ponemon Institute, 2016 State of the Endpoint Report, April 2016

22. https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf

23. But…what about Shadow Brokers and EternalBlue and and WannaCry and

    NotPetya and…

24. April 2015

25. September 2016

26. January 2017

27. March 2017

28. None

29. “We found 12 weeks was where most organizations had completed

    their patch process” ‘on time’ may be seven days for [critical] findings, where a quarterly patch cycle may be the “norm” for the rest.” -Verizon DBIR 2017
30. None

31. https://www.us-cert.gov/ncas/alerts/TA17-181A

32. https://www.us-cert.gov/ncas/alerts/TA17-181A

33. None

34. Building on platforms

35. COZYCAR REGIN GH0ST ZEROACCESS NECURS BLACKENERGY FLAME SEADUKE DRIDEX DUQU

    KAZUAR Source: Palo Alto X-AGENT

36. •Extensibility & flexibility •Operator consistency •Development efficiencies •Endpoint footprint

37. Source: Ponemon Institute, 2016 State of the Endpoint Report, April

    2016 34% - 6-10 Average # of endpoint agents 15% - 10+
38. None
39. None
40. None
41. None

42. Managing your software supply chain

43. What software do organized attack groups trust?

44. https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf APT10

45. https://www.scmagazine.com/fin10-extorting-companies-in-cyber-schemes-fireeye/article/669244/ https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf APT10 FIN10

46. https://www.scmagazineuk.com/fireeye-report-hacking-group-apt28-and-their-tradecraft/article/631133/ https://www.scmagazine.com/fin10-extorting-companies-in-cyber-schemes-fireeye/article/669244/ https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf APT10 APT28 FIN10

47. Hacking tools are not immune to exploitable bugs!

48. What do the best attackers worry about? 
 (as learned

    from certain leaks) • Identifiers and exposure from re-used code • Standardized vs. homegrown protocols and crypto • Development rigor → stability and reliability • Forensic footprint • Code security

49. What end-user applications do you “trust” in your environment?

50. None
51. None

52. EvLog Classic Shell Linux Mint Ask.com 
 Toolbar Transmission August

    
 2016 January 
 2016 November 
 2016 April 
 2015

53. UltraEdit Web Developer 
 for Chrome HandBrake MeDoc March 


    2017 May 
 2017 June 
 2017 Aug. 
 2017 Sept. 
 2017 CCleaner

54. Managing what you trust • Review completeness and accuracy of

    application inventory • Assess where controls implicitly trust end-user software • Table-top supply-chain attack scenarios • Baseline trusted application behaviors • Manage and restrict software sources

55. Engineering for resilience https://www.flickr.com/photos/cambridgeuniversity-engineering/14272521260

56. 99 days median dwell time from compromise to detection in

    2016 Source: Mandiant M-Trends 2017

57. •Software failure •Operator error •Automated detection •Human detection •Hardware replacement

58. None
59. None
60. None

61. Source: http://www.shipmates.in/mmd-exams/ship-construction/bulkhead-construction-and-drawings/

62. Thank you! @ryankaz42