Attack & Defense Methods

Hans-Michael Varbaek

May 01, 2019

Transcript

  1. Example of Attack: Operation ShadowHammer // Barium APT (ASUS Live Update Utility)
     Defense: Ensure devices are bought through a supply chain that is as secure as possible. SOC / Blue Team should still monitor devices for unexpected actions.
  2. Source: https://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/
     “With the forensics we now have it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge,”
  3. Attack:
     - Malicious attachments (Macros, overflows, etc.)
     - Malicious websites (DNS Rebinding)
     Defense: Educate users on how spear phishing, targeted email campaigns and social engineering work.
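User education is the deck's listed defense against DNS rebinding; the complementary technical control is that an internal web service only answers to its own host names, because a rebinding page reaches it with the attacker's name in the Host header. The following is an added example (not the deck's code): a minimal Python HTTP handler that rejects requests whose Host header is not on an allow-list. The allowed names and the listening port are constructed values.

```python
"""Server-side Host header check against DNS rebinding.

Added example, not part of the deck. A rebinding page has the victim's browser
resolve an attacker-controlled name to an internal address, so the internal
service sees HTTP requests whose Host header is the attacker's name. A service
that only answers to its own names blocks this regardless of user training.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Names this service legitimately answers to (constructed values; include
# the IP literals clients may type into the address bar).
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]", "device.internal"}


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Return True only if the Host header names this service itself.

    The optional port suffix is removed; an IPv6 literal keeps its brackets
    so it can be matched as written. A missing or empty header is rejected.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):                  # IPv6 literal such as [::1]:8080
        end = host.find("]")
        if end == -1:
            return False
        host = host[:end + 1]
    elif ":" in host:                         # hostname:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    return host in allowed


class RebindingAwareHandler(BaseHTTPRequestHandler):
    """Refuse any request whose Host header is not one of our own names."""

    def do_GET(self):
        if not host_is_allowed(self.headers.get("Host")):
            # 421 Misdirected Request: the request was not meant for this origin.
            self.send_error(421, "Misdirected Request")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"internal admin page\n")


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), RebindingAwareHandler).serve_forever()
```

The check belongs in the service itself (or its reverse proxy), not only in the resolver: a rebinding attack never needs the internal name to appear in DNS, so filtering resolver answers for private addresses helps but does not replace the Host check.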
  4. Attack:
     - Vulnerable software behind a firewall that accesses the Internet, either manually or automatically.
     - An example is software update agents. Evilgrade is a framework that can inject fake updates through MITM.
     - MITM over the Internet can be performed with BGP or DNS Hijacking.
  5. Defense:
     - Ensure software accessing the Internet is secure
     - Pay attention to custom software update agents in particular
     - Inspect inbound and outbound traffic
     - Air gap sensitive networks completely
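What "secure" means for a custom update agent, in concrete terms, is the set of checks it performs before running anything it downloaded. The block below is an added example (not the deck's code and not any vendor's agent) showing those checks: TLS-only fetching from a fixed host, an authenticated manifest, a payload hash bound to that manifest, and anti-rollback. The manifest is authenticated with HMAC-SHA256 purely to keep the example dependency-free; a real agent verifies an asymmetric signature so the key stored on the device cannot forge manifests. The vendor host name, key and payload bytes are constructed.

```python
"""Checks a hardened update agent performs before applying an update.

Added example, not the deck's own code. Evilgrade-style attacks succeed
against agents that fetch over plain HTTP and run whatever arrives. This
agent refuses cleartext URLs and unexpected hosts, requires the manifest
to authenticate, verifies the payload against the manifest's SHA-256 and
refuses downgrades. The manifest is authenticated with HMAC-SHA256 only to
keep the example dependency-free; a real agent would verify an asymmetric
signature (e.g. Ed25519) so that the key held on the device cannot forge
manifests. Host name, key and payload below are constructed values.
"""
import hashlib
import hmac
import json
from urllib.parse import urlparse

VENDOR_HOST = "updates.vendor.example"        # constructed vendor host


class UpdateRejected(Exception):
    """Raised when any of the update checks fails."""


def url_is_acceptable(url):
    """Only TLS URLs on the vendor's own host are fetched."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname == VENDOR_HOST


def manifest_is_authentic(manifest_bytes, tag_hex, key):
    """Check the manifest's authentication tag in constant time."""
    expected = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag_hex)


def check_update(url, manifest_bytes, tag_hex, payload, installed_version, key):
    """Return the parsed manifest if every check passes, else raise UpdateRejected."""
    if not url_is_acceptable(url):
        raise UpdateRejected("update must be fetched over https from the vendor host")
    if not manifest_is_authentic(manifest_bytes, tag_hex, key):
        raise UpdateRejected("manifest authentication failed")
    manifest = json.loads(manifest_bytes)
    # Anti-rollback: an on-path attacker must not be able to replay an old,
    # vulnerable build that was legitimately published in the past.
    if tuple(manifest["version"]) <= tuple(installed_version):
        raise UpdateRejected("refusing downgrade or re-install of current version")
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        raise UpdateRejected("payload hash does not match authenticated manifest")
    return manifest


def update_is_acceptable(*args, **kwargs):
    """Boolean wrapper around check_update for callers that only need a verdict."""
    try:
        check_update(*args, **kwargs)
        return True
    except (UpdateRejected, KeyError, ValueError):
        return False


# --- constructed demo data -------------------------------------------------
DEMO_KEY = b"demo-shared-key-not-for-production"
DEMO_PAYLOAD = b"\x7fELF constructed firmware image bytes"
DEMO_MANIFEST = json.dumps({
    "version": [2, 1, 0],
    "sha256": hashlib.sha256(DEMO_PAYLOAD).hexdigest(),
}).encode()
DEMO_TAG = hmac.new(DEMO_KEY, DEMO_MANIFEST, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    accepted = check_update("https://updates.vendor.example/fw/2.1.0.bin", DEMO_MANIFEST,
                            DEMO_TAG, DEMO_PAYLOAD, (2, 0, 0), DEMO_KEY)
    print("accepted version", accepted["version"])
```

The order of the checks matters: the manifest is authenticated before it is parsed, and the payload hash is taken from the authenticated manifest rather than from a separate, unauthenticated download, which is the gap a MITM framework exploits.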
  6. Passive Attack: TempestSDR
     - A lot of screens can leak data, and so can other types of devices
     - Requires somewhat close proximity
     Defense:
     - Shield rooms in close proximity to the public
     - Perform signals intelligence and identify noticeable leaks.
  7. Active Attack:
     - GPS Spoofing
     - HbbTV Hacks (Rogue DVB-T)
     Defense:
     - Monitor RF spectrum for unknown TX
     - Check direction of TX when applicable (low-cost KerberosSDR can do this)
     - Perform signal analysis when necessary
  8. Overview:
     - Everything is a computer
     - Not reviewed in as much depth (cost)
     - Most seem to run Linux (U-Boot, BusyBox, vendor framework, custom binaries, etc.)
     - Majority can be analyzed through UART, JTAG or dumping Flash ROM directly from the chip
  9. Attacks:
     - Hardcoded/Default passwords
     - Some passwords can’t be changed by the user (i.e. backdoor accounts)
     - Often running outdated software
     - Custom binaries sometimes have questionable security
     - Mirai Botnet (Telnet TCP 23, default PW) (used a list of 61 default passwords)
  10. Defense:
      - Monitor network and all devices for anomalous behavior.
      - All Internet-connected equipment is more prone to compromise, will likely be the first entry point, and is also used for pivoting onto other networks. Therefore, monitor these devices closely, especially if they access any type of sensitive information.
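"Monitor for anomalous behavior" on an IoT segment can be made concrete for the Mirai case above: the worm found victims by opening Telnet (TCP 23) against many addresses in quick succession, so a single source touching many distinct Telnet targets within a short window is the behaviour to alert on, whether the source is an external scanner or an already-infected device on the inside. The following is an added example (not the deck's code) that runs a sliding-window distinct-target count over firewall-style connection records; the log format and all addresses are constructed.

```python
"""Flag sources that open Telnet to many distinct hosts in a short window.

Added example, not the deck's own code. Mirai-style worms locate victims by
connecting to TCP 23 on many addresses in quick succession; a legitimate
admin session touches one device at a time. The record format below is a
constructed, firewall-like "key=value" line; adapt parse_line to your own.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def parse_line(line):
    """Return a dict for a well-formed connection record, else None."""
    match = LINE_RE.match(line)
    if not match:
        return None
    return {
        "ts": datetime.fromisoformat(match["ts"]),
        "src": match["src"],
        "dst": match["dst"],
        "dport": int(match["dport"]),
        "proto": match["proto"].lower(),
    }


def flag_telnet_scanners(lines, window_seconds=60, min_targets=5):
    """Return {src: peak_distinct_targets} for sources that exceed the threshold.

    For each source, events to TCP/23 are sorted by time and a sliding window
    of window_seconds is moved across them; the peak number of distinct
    destinations inside any window is the score.
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "tcp" and ev["dport"] == 23:
            events[ev["src"]].append((ev["ts"], ev["dst"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        in_window = Counter()        # destination -> hits inside the window
        left = 0
        peak = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Drop events that fell out of the window relative to the newest one.
            while (ts - evs[left][0]).total_seconds() > window_seconds:
                old_dst = evs[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


# --- constructed sample log ------------------------------------------------
SAMPLE_LOG = """\
2019-05-01T10:00:01 src=203.0.113.5 dst=10.0.0.1 dport=23 proto=tcp action=allow
2019-05-01T10:00:02 src=203.0.113.5 dst=10.0.0.2 dport=23 proto=tcp action=allow
2019-05-01T10:00:02 src=10.0.0.50 dst=10.0.0.7 dport=23 proto=tcp action=allow
2019-05-01T10:00:03 src=203.0.113.5 dst=10.0.0.3 dport=23 proto=tcp action=allow
2019-05-01T10:00:04 src=203.0.113.5 dst=10.0.0.4 dport=23 proto=tcp action=allow
2019-05-01T10:00:05 src=203.0.113.5 dst=10.0.0.5 dport=22 proto=tcp action=allow
2019-05-01T10:00:06 src=203.0.113.5 dst=10.0.0.5 dport=23 proto=tcp action=allow
2019-05-01T10:00:07 src=203.0.113.5 dst=10.0.0.6 dport=23 proto=tcp action=allow
2019-05-01T10:05:00 src=10.0.0.50 dst=10.0.0.7 dport=23 proto=tcp action=allow
2019-05-01T10:20:00 src=203.0.113.5 dst=10.0.0.9 dport=23 proto=tcp action=allow
this line is not a firewall record
""".splitlines()

if __name__ == "__main__":
    print(flag_telnet_scanners(SAMPLE_LOG))
```

In the sample, the external source reaches six distinct Telnet targets inside one minute and is flagged, while the administrator host that repeatedly opens Telnet to a single device is not; the same window logic applies unchanged to an internal source, which is how an already-compromised device shows up.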
  11. Attack: Fax machines can be compromised through phone calls
      Defense: Fax machines are very likely to become targeted more over the next couple of years, and should not be able to access any sensitive information.
  12. Attack:
      - BadUSB (Reprogram a USB key to act as a keyboard or mouse.)
      - Teensy, Digispark USB Dev Board, etc.
      - Modified USB Cables
      - PwnPlug
      - And so forth
  13. Defense:
      - Clear policies for handling USB keys, e.g. unknown USB keys found inside or outside the facility must not be inserted into computers.
  14. Attack:
      - Cloning
      - Unencrypted and encrypted cards
      - Long distance readers (5-10 meters)
      - Modified readers
      Defense:
      - PINs on all access cards
      - Only strongly encrypted cards
  15. Attack Methods:
      - Outdated services (e.g. MS08-067 & MS17-010), routers and other IoT equipment
      - Excess privileges (especially within Active Directory)
      - BloodHound
      - Custom web applications with little to no security
      Defense:
      - Patch management
      - Principle of least privilege
      - Secure development of custom applications
  16. Attack Methods:
      - Intel AMT
      - Pass-The-Hash (PTH)
      - SMBEXEC by brav0hax
      - DCOM Lateral Movement
      - Network scan visualization with Neo4j, Moloch, etc.
      Defense:
      - Hardening of workstations, servers, etc.
      - Previous recommendations (least privilege, etc.)
  17. Methods:
      - RF Exfiltration
      - Hacked/Modified printers
      - USB devices with long USB cables
      - Basically (almost) anything with a wire, the longer the better.
      - DNS
      - ICMP
      - Any other protocol that is commonly used
      - Other methods
  18. Defense:
      RF Exfiltration
      - Monitor RF spectrum for unknown TX
      - Check direction of TX when applicable
      - Perform signal analysis when necessary
      DNS, ICMP & Other Protocols
      - Deep Packet Inspection
      - Anomalous Contents
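"Anomalous contents" for DNS has a measurable shape: data smuggled out in query names shows up as many distinct, long, high-entropy subdomains under a single registered domain, frequently as TXT lookups. The block below is an added example (not the deck's code) that scores resolver query logs on exactly those features. The log format, client addresses and domain names are constructed, and the registered domain is approximated as the last two labels, which a production detector would replace with a public-suffix-list lookup.

```python
"""Flagging DNS tunnelling from resolver query logs.

Added example, not the deck's own code. Exfiltration over DNS encodes data
into query names, so the tell-tale signs are many distinct, long,
high-entropy subdomains under one registered domain, often as TXT queries.
Log format and all domain names below are constructed. The registered
domain is approximated as the last two labels; a production detector would
use the public suffix list instead.
"""
import math
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Bits of entropy per character of a string (0 for empty input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (registered_domain, subdomain) or (None, None) if there is no subdomain."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, None
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def dns_tunnel_suspects(lines, min_distinct=5, min_avg_len=30, min_avg_entropy=3.5):
    """Score each registered domain and return those that look like tunnels.

    Each log line is "<timestamp> <client> <qname> <qtype>" (constructed format).
    """
    per_domain = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue                       # skip malformed records
        _ts, _client, qname, qtype = parts
        domain, sub = split_qname(qname)
        if domain is None:
            continue
        per_domain[domain].append((sub, qtype.upper()))

    suspects = {}
    for domain, queries in per_domain.items():
        subs = {sub for sub, _ in queries}
        if len(subs) < min_distinct:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if avg_len >= min_avg_len and avg_entropy >= min_avg_entropy:
            suspects[domain] = {
                "distinct_subdomains": len(subs),
                "avg_subdomain_len": round(avg_len, 1),
                "avg_entropy": round(avg_entropy, 2),
                "txt_queries": sum(1 for _, t in queries if t == "TXT"),
            }
    return suspects


# --- constructed sample log ------------------------------------------------
_HEX = "0123456789abcdef"
# Six 40-character stand-ins for hex-encoded data chunks, each a different
# rotation of the hex alphabet so they are distinct and high-entropy.
_CHUNKS = [(_HEX * 3)[i:i + 40] for i in range(6)]
SAMPLE_QUERIES = [
    "2019-05-01T10:00:01 10.0.0.12 www.corp.example A",
    "2019-05-01T10:00:02 10.0.0.12 mail.corp.example A",
    "2019-05-01T10:00:03 10.0.0.14 api.corp.example A",
    "2019-05-01T10:00:04 10.0.0.14 login.corp.example A",
    "2019-05-01T10:00:05 10.0.0.15 files.corp.example A",
    "2019-05-01T10:00:06 10.0.0.15 cdn.assets.example A",
    "not a query record",
] + [
    f"2019-05-01T10:01:{i:02d} 10.0.0.23 {chunk}.tunnel.example TXT"
    for i, chunk in enumerate(_CHUNKS)
]

if __name__ == "__main__":
    for domain, score in dns_tunnel_suspects(SAMPLE_QUERIES).items():
        print(domain, score)
```

The benign domain in the sample also has five distinct subdomains, so the distinct-count threshold alone would flag it; it is the combination with label length and entropy that separates ordinary hostnames from encoded data. The same three features can be applied to ICMP payloads and other carrier protocols once the DPI layer has extracted the content bytes.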
  19. And a few extras:
      - Perform threat intelligence on the dark web for signs of intrusions into any sensitive systems.
      - Encryption of data in transit and at rest must evolve over time.
  20. HbbTV Hack: https://www.youtube.com/watch?v=bOJ_8QHX6OA
      Mirai: https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/
      Securelist: https://apt.securelist.com/#!/threats/
      APT29: https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
      Powergrid Physical Pentest: https://www.youtube.com/watch?v=pL9q2lOZ1Fw
      TempestSDR: https://www.rtl-sdr.com/tempestsdr-a-sdr-tool-for-eavesdropping-on-computer-screens-via-unintentionally-radiated-rf/
      Stuxnet: https://www.wired.com/2011/07/how-digital-detectives-deciphered-stuxnet/
      BlackEnergy2 APT: https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/
      DIY Rubber Ducky: https://hackaday.com/2018/09/17/diy-rubber-ducky-is-as-cheap-as-its-namesake/
      Covert Data Exfiltration: https://www.youtube.com/watch?v=-YXkgN2-JD4
      Fax Machine Hack: https://www.youtube.com/watch?v=1VDZTjngNqs