Cyber espionage - Tinker, taylor, soldier, spy

Date post: 30-Nov-2014
Upload: b-coatesworth
Description: A look at the methodology and techniques of hackers, cyber criminals and state sponsored attackers. Explores the kill chain, geopolitical instability and the dark web.

BARRY COATESWORTH
Page 1: Cyber espionage - Tinker, taylor, soldier, spy

BARRY COATESWORTH

Page 2: Cyber espionage - Tinker, taylor, soldier, spy

The Adversary

Tier 3: Hacktivist
Tier 2: Cyber crime
Tier 1: Cyber espionage

Page 3: Cyber espionage - Tinker, taylor, soldier, spy

The Adversary

(Diagram: adversary types plotted by motivator and expertise)

• Hacktivist: ideology / political change; vandalism
• Cybercriminal: financial / economic gain; theft
• Nation State: intellectual property secrets; military / political dominance

Page 4: Cyber espionage - Tinker, taylor, soldier, spy

The Kill Chain

Page 5: Cyber espionage - Tinker, taylor, soldier, spy

Hacktivism

SQL Injection

Phishing

Weak Authentication

Account / DNS Hijacking

Page 6: Cyber espionage - Tinker, taylor, soldier, spy

Hacking and exposure: gaining unauthorized access to large amounts of confidential data and publicly exposing it in plain view on the Internet, with the goal of causing monetary and reputational damage to the targeted entity.

Distributed denial-of-service (DDoS): multiple compromised systems, usually infected with a Trojan or other form of malware, are used to flood a targeted system, usually one or more web servers of a website.

DDoS attacks are the hacktivists' cyber attack weapon of choice:
• They do not require actual hacking knowledge or skill.
• Many “off-the-shelf” tools are available right on the Internet.

Doxing: gathering and exposing valuable personal information of public figures such as politicians and celebrities, to the benefit of the hacktivist and to provoke a reaction or action that favours the hacktivist's ideology.

Hacktivism

Page 7: Cyber espionage - Tinker, taylor, soldier, spy

Hacktivism

Anonymous Attack Count (attack signature and number of hits)

  HTTP: SQL Injection (Benchmark)                          1
  HTTP: SQL Injection (Benchmark)                          1
  HTTP: SQL Injection (SELECT)                             2
  HTTP: SQL Injection (SELECT)                             1
  HTTP: SQL Injection Evasion SQL Comment Terminator       1
  HTTP: SQL Injection (UNION)                              1
  HTTP: SQL Injection Evasion SQL Comment Terminator       1
  HTTP: SQL Injection (Boolean Identity)                   2
  HTTP: SQL Injection Evasion Inline SQL Comment           1
  HTTP: SQL Injection (Boolean Identity)                   1
  HTTP: SQL Injection (Boolean Identity)                   1
  HTTP: SQL Injection (Boolean Identity)                   2

Page 8: Cyber espionage - Tinker, taylor, soldier, spy

The top five cybercrime specialties, courtesy of the FBI, are:

• Coders who write malware, exploits and data-theft tools
• Vendors who trade stolen data, malware kits and footprints into compromised networks
• Criminal IT guys who maintain criminal IT infrastructure like servers and bulletproof ISPs
• Hackers who seek and exploit application, system and network vulnerabilities
• Fraudsters who create social engineering ploys like phishing and domain squatting

• Botnet
• Fast Flux Networks
• Social Engineering
• Denial-of-Service attacks
• Skimmers
• SPAM

Cyber Crime

Page 9: Cyber espionage - Tinker, taylor, soldier, spy

Cyber Crime

Cybercriminals developed sophisticated crimeware kits (Zeus, Citadel, Eleonor, Phoenix):
• Easy to use development tools
• Service level agreements – CaaS (Crimeware as a Service)
• Evasion and anti-detection built in

Page 10: Cyber espionage - Tinker, taylor, soldier, spy

Cyber Crime – going mobile

Trend of the year: mobile banking Trojans

2013 was marked by a rapid rise in the number of Android banking Trojans

Botnet targeting Android smartphone users who bank at financial institutions in the Middle East

Page 11: Cyber espionage - Tinker, taylor, soldier, spy

Cyber Crime – going mobile

In 2013 cybercriminals made use of some exceptionally sophisticated methods to infect mobile devices:

• Infecting popular websites - water holes.

• Distribution via botnets by sending out text messages

Page 12: Cyber espionage - Tinker, taylor, soldier, spy

Cyber Crime – going mobile

Page 13: Cyber espionage - Tinker, taylor, soldier, spy

Pineapples?

The warning comes in the light of a growing number of cyber attacks using personal information stolen through public Wi-Fi hotspots.

Page 14: Cyber espionage - Tinker, taylor, soldier, spy

Pineapples?

Page 15: Cyber espionage - Tinker, taylor, soldier, spy

Cyber Espionage

1998 – Moonlight Maze
2003 – Titan Rain
2009 – Operation Aurora
2009 – GhostNet
2011 – Night Dragon
2011 – Operation Shady RAT (2006)
2012 – Red October (2007)
2012 – Elderwood Project
2012 – Flame
2012 – Gauss (2009)
2012 – Shamoon
2014 – Mask
2014 – Snake

APT

Cyber Warfare

APT - Advanced Persistent Threat
PTA - Persistent Targeted Attacks

Page 16: Cyber espionage - Tinker, taylor, soldier, spy

Cyber Espionage

Page 17: Cyber espionage - Tinker, taylor, soldier, spy

Kill Chain - Reconnaissance

• Target is analyzed and scoped to identify potential attack vectors

• Open source intelligence:
  • Social media, conferences, company directories, public records
• Public web site mapping
• Server scanning and fingerprinting

Page 18: Cyber espionage - Tinker, taylor, soldier, spy

Asymmetric Warfare

(Diagram: a corporate server sits behind perimeter defences, firewall and IPS, and host-based defences, antivirus and browser URL block. A direct attack is aimed at the perimeter; indirect attacks arrive through a corporate laptop and a home desktop, each relying on its own firewall, IPS, antivirus and browser URL block.)

Page 19: Cyber espionage - Tinker, taylor, soldier, spy

Kill Chain - Delivery

Common Attack vectors:

• Common vulnerability (e.g. SQL injection)

• Zero-day exploits

• USB keys

• Insider threat

• Physical access to devices

• Interactive social engineering

• “Spear Phishing”*

Page 20: Cyber espionage - Tinker, taylor, soldier, spy

Spear Phishing

From: Greg

To: Jussi

Subject: need to ssh into rootkit

im in europe and need to ssh into the server. can you drop open up firewall and allow ssh through port 59022 or something vague? and is our root password still 88j4bb3rw0cky88 or did we change to 88Scr3am3r88 ? thanks

Page 21: Cyber espionage - Tinker, taylor, soldier, spy

Waterholes

Strategic Web Compromise (SWC)

Page 22: Cyber espionage - Tinker, taylor, soldier, spy

Kill Chain - Exploitation

• Backdoors implemented as Windows service
• Usually “hide in plain sight”
• Use a simple command set
• Dwell time is a measure of the time an intruder has on the network
• It takes on average 18 days to respond to and remove an intrusion

Page 23: Cyber espionage - Tinker, taylor, soldier, spy

Kill Chain - Command & Control

• Once inside a network, malware “beacons” out to Command and Control (C2) servers
• C2 servers are either compromised or rented
• Traffic is usually HTTP, HTTPS or DNS and mimics common protocols

Page 24: Cyber espionage - Tinker, taylor, soldier, spy

Covert channels - DNS tunnelling

DNS TUNNELLING TOOLS

• OzymanDNS
• Dns2tcp
• Iodine
• Heyoka
• DNSCat
• NSTX
• DNScapy
• MagicTunnel, Element53, VPN-over-DNS (Android)
• VPN over DNS

• DNS tunnels are commonly used to carry out covert file transfers, C&C server traffic and web browsing
• Botnets can use DNS tunnelling as a covert channel, and these covert channels are very hard to detect

Covert storage channels – steganography, unused parts of packets
Timing covert channels – modulating resources and response time (requires an accurate clock)
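The slide notes that DNS covert channels are very hard to detect. As an added defensive example (not from the original presentation), the following Python scores DNS query logs for the traits tunnelling traffic tends to show: many unique, long, high-entropy subdomains under one domain, plus payload-bearing record types. The sample log, the record-type list and the thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS log as (client_ip, qtype, qname); not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "A", "www.example.com"),
    ("10.0.0.5", "A", "mail.example.com"),
    ("10.0.0.5", "AAAA", "cdn.example.com"),
    ("10.0.0.7", "TXT", "dGhpcyBpcyBhIGNvdmVydCBjaGFubmVs0.t1.example.net"),
    ("10.0.0.7", "TXT", "ZmlsZSB0cmFuc2ZlciBibG9jayAyMjA1MQ1.t1.example.net"),
    ("10.0.0.7", "TXT", "c2VnbWVudCAwMDAzIGRhdGEgaGVyZSBwbGVhc2U2.t1.example.net"),
    ("10.0.0.7", "TXT", "Y29tbWFuZCBwb2xsIGZyb20gaW1wbGFudCBpZDM3.t1.example.net"),
    ("10.0.0.7", "TXT", "YW5vdGhlciBjaHVuayBvZiBlbmNvZGVkIHBheWxvYWQ4.t1.example.net"),
]
# Record types with room for payload, favoured by tunnelling tools (assumed list).
PAYLOAD_TYPES = {"TXT", "NULL", "CNAME"}

def shannon_entropy(text):
    """Bits per character; encoded data scores far higher than readable hostnames."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def split_name(qname):
    """(subdomain, registered domain); naive last-two-label split, use a public suffix list in production."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def analyse(queries, min_unique=5, min_len=30.0, min_entropy=3.5):
    """Flag a (client, domain) pair when two or more tunnelling indicators coincide (thresholds assumed)."""
    stats = defaultdict(lambda: {"subs": set(), "len": 0, "ent": 0.0, "n": 0, "payload": 0})
    for client, qtype, qname in queries:
        sub, domain = split_name(qname)
        s = stats[(client, domain)]
        s["n"] += 1
        s["subs"].add(sub)
        s["len"] += len(sub)
        s["ent"] += shannon_entropy(sub.replace(".", ""))
        s["payload"] += qtype.upper() in PAYLOAD_TYPES
    findings = []
    for (client, domain), s in stats.items():
        reasons = []
        if len(s["subs"]) >= min_unique and s["len"] / s["n"] >= min_len:
            reasons.append("many long, unique subdomains")
        if s["ent"] / s["n"] >= min_entropy:
            reasons.append("high-entropy labels")
        if s["payload"] / s["n"] >= 0.5:
            reasons.append("payload-bearing record types")
        if len(reasons) >= 2:
            findings.append({"client": client, "domain": domain, "reasons": reasons})
    return findings
```

On the constructed sample, the browsing client produces no finding and the tunnelling client trips all three indicators; in practice the per-domain baseline of your own resolver logs sets the thresholds.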

Page 25: Cyber espionage - Tinker, taylor, soldier, spy

Covert channels - Steganography

Page 26: Cyber espionage - Tinker, taylor, soldier, spy

Kill Chain - Lateral Movement

• Attacker performs internal reconnaissance
• User enumeration
• Analysis and monitoring of host user activity
• Dump of internal and external websites
• Scan of connected systems
• “Net use” and reverse shell commands
• Password logging
• Pass-the-hash*

Page 27: Cyber espionage - Tinker, taylor, soldier, spy

Pass the hash

• “Hash” refers to a cached credential
• Usually not the “clear text” credential
• The hash is treated as the actual credential internally by most systems
• Stolen hashes are then used to move “laterally” through the network
• Network/domain privileged account - game over
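As an added defensive example (not part of the presentation), the following Python applies the detection angle this slide implies: because a replayed hash authenticates with NTLM, one source completing NTLM network logons to many hosts within a short window stands out in Windows Security Event ID 4624 data. The event records, the tuple field mapping and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Event ID 4624 (successful logon) records, not real logs. Tuple fields map to
# (TimeCreated, TargetUserName, IpAddress, Computer, AuthenticationPackageName, LogonType).
SAMPLE_EVENTS = [
    ("2014-11-01T09:00:05", "alice", "10.1.5.10", "FS01", "Kerberos", 3),
    ("2014-11-01T09:02:11", "alice", "10.1.5.10", "FS01", "Kerberos", 3),
    ("2014-11-01T09:05:40", "alice", "10.1.5.10", "PRINT01", "Kerberos", 3),
    ("2014-11-01T10:15:02", "admin_ops", "10.1.7.33", "WS-0412", "NTLM", 3),
    ("2014-11-01T10:15:09", "admin_ops", "10.1.7.33", "WS-0418", "NTLM", 3),
    ("2014-11-01T10:15:14", "admin_ops", "10.1.7.33", "FS01", "NTLM", 3),
    ("2014-11-01T10:15:21", "admin_ops", "10.1.7.33", "DC01", "NTLM", 3),
    ("2014-11-01T10:15:30", "admin_ops", "10.1.7.33", "SQL02", "NTLM", 3),
]

def detect_hash_replay(events, window=timedelta(minutes=5), min_targets=4):
    """Flag (source IP, account) pairs with NTLM network logons (LogonType 3) to at least
    min_targets distinct hosts inside one sliding window. Kerberos logons are ignored so
    normal ticket-based access does not inflate the count; thresholds are assumptions."""
    per_pair = defaultdict(list)
    for ts, user, src, host, package, logon_type in events:
        if logon_type == 3 and package.upper() == "NTLM":
            per_pair[(src, user)].append((datetime.fromisoformat(ts), host))
    alerts = []
    for (src, user), hits in per_pair.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Every NTLM logon from this pair that falls within `window` of this start point.
            hosts = {host for t, host in hits[i:] if t - start <= window}
            if len(hosts) >= min_targets:
                alerts.append({"source": src, "account": user, "hosts": sorted(hosts),
                               "first_seen": start.isoformat()})
                break
    return alerts
```

Privileged accounts fanning out like this within seconds rarely have a benign explanation, which is why the slide calls a compromised domain-privileged account "game over".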

Page 28: Cyber espionage - Tinker, taylor, soldier, spy

Kill Chain - Exfiltration

• Identifies targeted assets for exfiltration
• Moves data to staging servers
• Positions itself for persistent presence
• Maintains hold of key high-privilege accounts
• Remains resident on only a selection of systems

Page 29: Cyber espionage - Tinker, taylor, soldier, spy

Nation states

• Juniper firewall implant
• Huawei firewall implant
• Cisco PIX firewall implant

Page 30: Cyber espionage - Tinker, taylor, soldier, spy

Nation States

• Wireless exploit kit
• USB covert channel
• PC hardware implant

Page 31: Cyber espionage - Tinker, taylor, soldier, spy

Snake

Back in 2008 an unknown malicious file was discovered and auto-classified as “Agent.BTZ”; it infected US military networks.

• Reverse engineering showed that Snake is a more advanced variant of Agent.BTZ.
• It is a rootkit using complex techniques for evading host defences, utilising covert channels over
• Links to Red October and other cyber espionage campaigns

Page 32: Cyber espionage - Tinker, taylor, soldier, spy

Geo political events

Page 33: Cyber espionage - Tinker, taylor, soldier, spy

The Dark Side

Dark net

Deep web

Dark market

Malicious marketplace

In 2001:

• The Deep Web was 400 to 550 times larger than the commonly defined World Wide Web.
• The Deep Web held 7,500 terabytes of information compared to 19 terabytes in the surface Web.
• It contained nearly 550 billion individual documents compared to the one billion of the surface Web.
• More than 200,000 Deep Web sites existed.
• Deep Web sites are not well known to the Internet-searching public.

Page 34: Cyber espionage - Tinker, taylor, soldier, spy

The Dark Side

Page 35: Cyber espionage - Tinker, taylor, soldier, spy

The Dark Side

To date, three main networks are used to grant anonymity on both the client and server side: TOR, I2P, and Freenet.

Page 36: Cyber espionage - Tinker, taylor, soldier, spy

Dark market

Tor .onion domains

There are many different techniques in use, but Tor’s onion router network is probably the easiest one to get started with. The .onion domains are not part of the ICANN registry and will not resolve until you are running Tor.

The combined effect leaves this form of Internet far beyond any kind of government control or regulation.

I2P network and .i2p domains

I2P works in a very similar way to Tor, although it is more flexible:
• Email
• Anonymous websites
• Blogging and forums
• Website hosting
• File sharing
• Decentralized file storage

Page 37: Cyber espionage - Tinker, taylor, soldier, spy

Dark Market

Prices of Different Types of Goods

Site name | Address | Type of good | Cost | Normalized cost (US$)
Cloned credit cards | http://mxdcyv6gjs3tvt5u.onion/products.html | EU/US credit cards | €40 | US$54
NSD CC Store | http://4vq45ioqq5cx7u32.onion | EU/US credit cards | US$10 | US$10
Carders Planet | http://wihwaoykcdzabadd.onion/ | EU/US credit cards | US$60–150 | US$60–150
HakPal | http://pcdyurvcdiz66qjo.onion/ | PayPal accounts | 1 BTC for US$1,000 | US$126 for US$1,000
Onion identity | http://abbujjh5vqtq77wg.onion/ | Fake IDs/passports | €1,000–1,150 (ID), €2,500–4,000 (passport) | US$1,352–1,555 (ID), US$3,380–5,400 (passport)
U.S. citizenship | http://ayjkg6ombrsahbx2.onion/silkroad/home | U.S. citizenship | US$10,000 | US$10,000
U.S. fake driver’s licenses | http://en35tuzqmn4lofbk.onion/ | Fake U.S. driver’s license | US$200 | US$200
U.K. passports | http://vfqnd6mieccqyiit.onion/ | U.K. passports | £2,500 | US$4,000

Page 38: Cyber espionage - Tinker, taylor, soldier, spy

Mapping the hidden services directory: both TOR and I2P use a domain database built upon a distributed system known as a “DHT” (distributed hash table).

Social site monitoring: sites like Pastebin are often used to exchange contact information and addresses for new hidden services.

Hidden service monitoring: most hidden services to date tend to be highly volatile and go offline very often, maybe to come back online later under a new domain name.

Conclusion

• Threats will continue to evolve
• Security breaches are inevitable
• You need collaboration from people, process & technology
• Visibility and detection are key differentiators – centralise security
• Threat intelligence: internal (system monitoring) and the external threat landscape
• Survival of the fittest - share threat intelligence with your peers
• Continual awareness and education

Page 39: Cyber espionage - Tinker, taylor, soldier, spy

Recap

THANK YOU
