Out of the Blue: Responding to New Zero-Day Threats

Date post: 29-Jan-2015
Upload: peter-wood
Description:
Out of the Blue: Responding to New Zero-Day Threats, An Ethical Hackers View
Page 1: Out of the Blue: Responding to New Zero-Day Threats

Out of the Blue: Responding to New Zero-Day Threats

Peter Wood

Chief Executive Officer

First Base Technologies LLP

An Ethical Hacker’s View

Slide 2 © First Base Technologies 2012

Who is Peter Wood?

Worked in computers & electronics since 1969

Founded First Base in 1989 (one of the first ethical hacking firms)

CEO First Base Technologies LLP

Social engineer & penetration tester

Conference speaker and security ‘expert’

Member of ISACA Security Advisory Group

Vice Chair of BCS Information Risk Management and Audit Group

Corporate Executive Programme UK Chair

FBCS, CITP, CISSP, MIEEE, M.Inst.ISP

Registered BCS Security Consultant

Member of ACM, ISACA, ISSA, Mensa

Agenda

1. Why zero-day threats are a concern to CIOs

2. Examples of zero-day attacks

3. Minimising your vulnerabilities

4. Responding to the CIO

Beware: this presentation offers no easy solutions!

Why CIOs are concerned

• Criminals targeting intellectual property and corporate credentials

• Attacks are strategic

• Tools are ‘drag and drop’

• Malicious attacks cause 37% of data breaches (2012 Ponemon Cost of a Data Breach survey)

Why CIOs are concerned

http://www.net-security.org/secworld.php?id=11850

Examples of zero-day attacks

The Aurora attack

http://threatpost.com/

The Aurora attack

“If you have done or been around any high-level incident response, you would know that these advanced persistent threats have been going on in various sectors for years. Nor is it a new development that the attackers used an 0day client-side exploit along with targeted social engineering as their initial access vector. What is brand new is the fact that a number of large companies have voluntarily gone public with the fact that they were victims to a targeted attack. And this is the most important lesson: targeted attacks do exist and happen to a number of industries besides the usual ones like credit card processors and e-commerce shops.”

Dino Dai Zovi

http://trailofbits.com/2010/01/24/one-exploit-should-not-ruin-your-day/

The RSA attack

1. Research public information about employees

2. Select low-value targets

3. Spear phishing email “2011 Recruitment Plan” with .xls attachment

4. Spreadsheet contains zero-day exploit that installs backdoor through Flash vulnerability (Backdoor is Poison Ivy variant RAT reverse-connected)

5. Digital shoulder surf & harvest credentials

6. Performed privilege escalation

7. Target and compromise high-value accounts

8. Copy data from target servers

9. Move data to staging servers and aggregate, compress and encrypt it

10. FTP to external staging server at compromised hosting site

11. Finally pull data from hosted server and remove traces
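
Steps 8 to 10 leave a pattern that shows up in network flow data even when the initial exploit was unknown: one internal host collects data from several servers, then opens FTP to an outside address. The sketch below is an added example, not part of the original presentation; the flow record layout, address ranges, thresholds and sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# All thresholds and the address plan below are assumptions for illustration.
INTERNAL = ip_network("10.0.0.0/8")
WINDOW = timedelta(hours=24)     # how far back staging activity is counted
MIN_SOURCES = 3                  # distinct internal servers feeding one host
MIN_BYTES = 500_000_000          # aggregate volume pulled onto that host

# Constructed sample flow records: time, sender, receiver, service port, bytes
SAMPLE_FLOWS = """\
2012-01-10T01:10:00 10.1.1.20 10.2.0.15 445 210000000
2012-01-10T01:40:00 10.1.1.21 10.2.0.15 445 180000000
2012-01-10T02:05:00 10.1.1.22 10.2.0.15 445 150000000
2012-01-10T02:30:00 10.1.1.30 10.3.0.9 445 900000000
2012-01-10T03:00:00 10.2.0.15 203.0.113.50 443 4000
2012-01-10T03:15:00 10.4.0.7 198.51.100.8 21 2000
2012-01-10T04:20:00 10.2.0.15 203.0.113.50 21 3000
"""

def parse(text):
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)

def is_internal(addr):
    return ip_address(addr) in INTERNAL

def find_staging_then_ftp(flows):
    """Flag internal hosts that collected data from several internal
    servers and then opened an FTP control connection to an external host."""
    inbound = defaultdict(list)          # receiver -> [(time, sender, bytes)]
    alerts = []
    for ts, src, dst, port, nbytes in sorted(flows):
        if is_internal(src) and is_internal(dst):
            inbound[dst].append((ts, src, nbytes))
        elif is_internal(src) and port == 21:      # FTP control channel out
            recent = [(s, b) for t, s, b in inbound.get(src, []) if ts - t <= WINDOW]
            sources = sorted({s for s, _ in recent})
            staged = sum(b for _, b in recent)
            if len(sources) >= MIN_SOURCES and staged >= MIN_BYTES:
                alerts.append({"host": src, "ftp_dest": dst, "time": ts.isoformat(),
                               "sources": sources, "bytes_staged": staged})
    return alerts

if __name__ == "__main__":
    for alert in find_staging_then_ftp(parse(SAMPLE_FLOWS)):
        print(alert)
```

In the sample data only 10.2.0.15 is flagged: the single-source bulk copy to 10.3.0.9 and the outbound FTP from 10.4.0.7 with no prior staging each satisfy only half of the pattern.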

http://blogs.rsa.com/rivner/anatomy-of-an-attack/

Organisations remain vulnerable

Some background in the news

http://www.forbes.com/sites/andygreenberg/

Minimising your vulnerabilities

Traditional thinking

• Firewalls & perimeter defences

• Anti-virus

• SSL VPNs

• Desktop lock down (GPOs)

• Intrusion Detection / Prevention

• Password complexity rules

• HID (proximity) cards

• Secure server rooms

• Visitor IDs

Think like an attacker!

Hacking is a way of thinking:

- A hacker is someone who thinks outside the box

- It's someone who discards conventional wisdom, and does something else instead

- It's someone who looks at the edge and wonders what's beyond

- It's someone who sees a set of rules and wonders what happens if you don't follow them

[Bruce Schneier]

Hacking applies to all aspects of life - not just computers

Do you know how vulnerable you are?

Talk to the CIO before an attack!

CIO, we need budget for:

• Security standards and procedures

• On-going staff training

• Secure builds and secure development

• On-going scans and penetration tests

• Fixes to the problems we find

… and we need sign-off for the risk!

Remember: I said “no easy solutions”

OR

Peter Wood

Chief Executive Officer

First Base Technologies LLP

http://firstbase.co.uk

http://white-hats.co.uk

http://peterwood.com

Twitter: peterwoodx

Need more information?

