
Extrusion Testing …testing your controls “inside-out” against the threats that actually...

Date post: 17-Dec-2015
Upload: joshua-barrie-whitehead
Transcript

Extrusion Testing
…testing your controls “inside-out” against the threats that actually matter!

Panos Dimitriou, MSc InfoSec, CISSP, CISM
Director, Managed Security Services

2007

What is “Extrusion”

If you look it up on Wikipedia:

“Extrusion is a manufacturing process used to create long objects of a fixed cross-sectional profile. A material, often in the form of a billet, is pushed and/or drawn through a die of the desired profile shape. Hollow sections are usually extruded by placing a pin or piercing mandrel inside of the die, and in some cases positive pressure is applied to the internal cavities through the pin. Extrusion may be continuous (producing indefinitely long material) or semi-continuous (producing many short pieces). Some materials are hot drawn whilst others may be cold drawn.”

However, in Information Security:

“Extrusion is the leakage/theft of internal sensitive data.”

“Extrusion Attack”

Attacking “inside-out”

If you cannot get directly to the data

Let the Users come to you

…and the data will follow

“Extrusion Testing” Defined

Testing the Threats that matter!

Targeted, Internet-initiated “Extrusion Attacks”

The Objective:

– Demonstrate external access to internal system(s)/network(s)
– Demonstrate external access to specific data/services

Puts the organization's security controls & capabilities to the test against the professional attacker:

– Web access/content security
– Endpoint security
– Information leak prevention
– Network Monitoring
– …

Extrusion Testing Methodology

– e-footprinting & e-Social Engineering
  » Profile users in the organization
  » Trick users into accessing a specific web-site…
– Web-borne Attack
  » Use mobile code exploits to get access to an internal user system (endpoint)
– Full-blown Extrusion Testing
  » Escalate the attack to compromise internal business system(s) and/or network
  » Demonstrate ability to obtain specific critical data

e-footprinting…the power of Google™

“e-social engineering”…the power of e-mail

“Web-borne” Attack – drive-by infection

– Invisible frame
– Mobile code (JavaScript, VBScript)
– Exploiting browser vulnerability

drive-by infection by what?

[Diagram: Attacker on the Internet; Victim PC behind a Personal Firewall, an Authenticating HTTP Proxy, a Firewall and an IDS. The Trojan's traffic passes every control: Personal Firewall: “IE goes to the Internet... Ok!”; Authenticating HTTP Proxy: “NTLM Authentication Successful”; Firewall: “HTTP or HTTPS Traffic from Proxy... Ok!”; IDS: “No Suspicious Activity... only outbound Web Access”.]

The Mechanics…

– Spawns an IE process, not visible
– Controls IE via OLE
– Establishes a connection with the attacker
– Receives commands as “HTML pages” from the attacker’s “Web Site”…
– Sends output of commands as HTTP Requests (POST)
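The point of the mechanics above is that the command channel looks like ordinary browser traffic to the personal firewall, proxy, firewall and IDS. As an added example that is not part of the original deck, the script below shows one check a defender can still run over proxy logs: flagging client/host pairs whose requests arrive at near-constant intervals and are dominated by POSTs, the shape left by a client that polls for commands and posts their output back. The log format, the host names and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (assumed format: timestamp client method url status).
# cmd.example.net is a made-up host standing in for the attacker's "web site".
SAMPLE_LOG = """\
2007-03-01T09:00:03 10.0.0.5 POST http://cmd.example.net/page.html 200
2007-03-01T09:00:10 10.0.0.5 GET http://news.example.org/ 200
2007-03-01T09:01:03 10.0.0.5 POST http://cmd.example.net/page.html 200
2007-03-01T09:02:02 10.0.0.5 POST http://cmd.example.net/page.html 200
2007-03-01T09:03:04 10.0.0.5 POST http://cmd.example.net/page.html 200
2007-03-01T09:04:03 10.0.0.5 POST http://cmd.example.net/page.html 200
2007-03-01T09:07:41 10.0.0.5 GET http://news.example.org/story/1 200
2007-03-01T09:31:05 10.0.0.5 POST http://news.example.org/comment 200
2007-03-01T09:45:50 10.0.0.5 GET http://news.example.org/story/7 200
2007-03-01T09:50:00 10.0.0.5 GET http://news.example.org/story/9 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|CONNECT) (\S+) (\d{3})$")

def parse_log(text):
    """Yield (timestamp, client, method, host) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, url, _status = m.groups()
            host = re.sub(r"^https?://", "", url).split("/")[0]
            yield datetime.fromisoformat(ts), client, method, host

def find_beacons(text, min_requests=5, max_jitter=0.25, min_post_ratio=0.8):
    """Return {(client, host): (mean_gap_s, jitter, post_ratio)} for pairs whose
    requests come at regular intervals and are mostly POSTs. jitter is the
    coefficient of variation of the gaps between consecutive requests."""
    series = defaultdict(list)
    for ts, client, method, host in parse_log(text):
        series[(client, host)].append((ts, method))
    flagged = {}
    for key, events in series.items():
        if len(events) < min_requests:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        post_ratio = sum(m == "POST" for _, m in events) / len(events)
        if jitter <= max_jitter and post_ratio >= min_post_ratio:
            flagged[key] = (round(avg, 1), round(jitter, 3), round(post_ratio, 2))
    return flagged
```

Real browsing to news.example.org has irregular gaps and few POSTs, so only the polling channel is flagged; tune the thresholds against the organisation's own baseline before alerting on them.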

We are in!...now is Extrusion

Actions:

– Download files
– Upload tools
– Execute commands under the privileges of the logged-on user
– Access internal network
– Escalate attack
– Get access on internal critical systems
– Get critical data out of the systems

“Extrusion Testing” Facts

Usually it takes:

– a couple of days to e-footprint an organisation and launch an e-social engineering attack
– 1 hour to a few days to take control of an internal endpoint… only a matter of determination
– …and then a few days, or even hours, to “stealthily” take control of critical internal business systems and data, if not of the entire network,

and thus be able to conduct fraud, industrial espionage, sabotage, you name it.

www.encodegroup.com
