The Cyber Attack Lifecycle and Real-World Attack Vectors

CRITICAL SECURITY CONTROLS: LESSONS FROM PENETRATION TESTERS

2019 RSM US LLP. All Rights Reserved.

Today's Presenter

Loras Even
Principal, Security and Privacy Risk Consulting
- National FI leader for security, privacy and risk consulting
- Also National Leader, Technical Security Services
- Located in Cedar Rapids, Iowa
- Created the attack and penetration testing practice in RSM in the late 90s, plus about six other practices
- Helps clients build or enhance cybersecurity programs domestically and globally
- More years of experience than I openly admit to
- Other interests are reprogramming vehicles, disabling OnStar, GPS tracking, etc.

Today's Presenter

Dave Cossa
Manager, Security and Privacy Risk Consulting
- 7 years with RSM
- Sits on RSM's national security testing leadership group
- Specializes in penetration testing, social engineering, and tool development
- Located in Des Moines, Iowa
- Hobbies outside of work include basically doing the things I do at work

Overview
- Review of cyber insurance claims over the past year
- Take a brief look at the state of threat actor activities in 2019
- Discuss the state of RSM's offensive operations in the past year (external compromise / internal impact)
- Examine critical controls that were not in place or not appropriately enforced at each link in the attack chain

CYBER INSURANCE CLAIM STATISTICS

2018 NetDiligence Claims Study
Source: https://rsmus.com/content/dam/mcgladrey/pdf_download/wp_0119-netdiligence-cyber-claims-study.pdf

[Chart: 2017 Claims by Sector (N=298). Legend: 01-Nano (<$50M), 02-Micro ($50M-$300M), 03-Small ($300M-$2B), 04-Mid ($2B-$10B), 05-Large ($10B-$100B), 06-Unknown]

[Chart: 2017 Claims by Sector (N=298). Legend: Professional Services, Healthcare, Financial Services, Retail, Education, Manufacturing, Public Entity, Technology, Non-Profit, All Other]

[Chart: 2017 Claims by Cause of Loss (N=298). Legend: Ransomware, Hacker, Malware/Virus, Business Email Compromise, Phishing, Rogue Employee, Legal Action, Staff Mistake, Lost/Stolen Device, Programming Error, All Other]

[Chart: 2013-2017 Claims by Cause of Loss (N=1201). Legend: Hacker, Ransomware, Malware/Virus, Lost/Stolen Device, Phishing, Legal Action, Staff Mistake, Rogue Employee, Business Email Compromise, Third Party, Paper Records, Programming Error, All Other]

[Chart: 2013-2017 Cost by Revenue Size (thousands). Cost categories: Total, Legal Guidance, Credit ID/Monitoring, Notification, Forensics, Other. Series: 01-Nano (<$50M), 02-Micro ($50M-$300M), 03-Small ($300M-$2B), 04-Mid ($2B-$10B), 05-Large ($10B-$100B), 06-Unknown. Axis: $0 to $14,000]

[Chart: Criminal Involvement (2013-2017). Series: Criminal, Non-Criminal. Axis: 0% to 100% by year]

STATE OF THREAT ACTOR ACTIVITIES

Threat Actor Activities
- Attacks coming from a mixture of internal & external sources
- Phishing is still the primary method of gaining network access
- Phishing attacks focusing on stealing credentials to be used to log into email
(Tables from 2019 Verizon Data Breach Report)

Threat Actor Activities
- When payloads are being used, Office documents containing macros, OLE (Object Linking & Embedding), or DDE functionality are the favored vector
- Other payload types that allow for immediate execution on-click (.js, .hta, etc.) have seen increased usage due to proliferation of offensive toolkits
(Tables from 2019 Verizon Data Breach Report)

Threat Actor Activities
- For the first time since 2013, there has been a decrease in overall ransomware activity over the past year
- However, ransomware is trending more towards enterprise infections (vs. consumers), with business-related ransomware outbreaks up 12%
- PowerShell scripts continue to increase in popularity amongst commodity attackers, but have become easier to detect
  - Over 1000% increase in malicious script blocks in the past year
(Statistics obtained from 2019 Symantec Internet Security Threat Report)

Weaponization & Delivery
- Hopefully by now you all have your hacker ski masks in the appropriate down position
- Next, we'll take a look at how we gained access to networks & escalated that access to gain access to sensitive data over the past year

TAKEAWAYS FROM RSM'S OPERATIONS IN 2018-2019
External Compromise Vectors

External Access Methods
- The number one way we've gained access to organizations is through a lack of Multifactor Authentication (MFA) on VPN / Email / Citrix etc.
- Passwords can be easily phished, guessed, or obtained from breach dumps

External Access Methods
- Lack of MFA plays a large role in another common way we've been able to gain access: via insecure externally facing services such as SMB, RDP, RPC, etc.
- These are services which can give a user the ability to remotely execute code, potentially with administrative rights, and oftentimes cannot be configured to use MFA
- Moreover, these services are often vulnerable to remote code execution attacks (BlueKeep, EternalBlue, etc.) that can allow an attacker anywhere in the world the ability to point and shoot and in turn gain admin rights on your network

External Access Methods Key Controls
So what can we do to protect ourselves?
- Review your web-facing footprint, identify all web login portals and ensure high-risk services are only accessible via VPN and are not exposed to the world
- Ensure all web login portals (including cloud-based portals such as Office 365) are configured to use some sort of MFA
- If a portal can't be secured, consider retiring it or developing an alternative

External Access Methods Key Controls
What makes a good password? We historically have seen the following configurations recommended:
- Change password every 90 days
- 8 char minimum length
- Complexity enabled
- 24 passwords remembered

What does this lead to? Predictable, repeated user passwords:
- Change password every 90 days: ok, something that's easy to remember that changes every 90 days. 3 months. Season? summer
- 8 char minimum length: Summer by itself isn't long enough, let's toss the year on to the end, that way we also hit the 24 passwords remembered requirement: summer2019
- Complexity enabled: Well, we need 3 of the 4 (lowercase, uppercase, number, symbol), oh I know, let's just capitalize the first letter!
- End result: Summer2019 -- this password is completely fine if using the accepted standards

External Access Methods Key Controls
How do we fix this?
- Longer minimum password length (passphrase vs. password)
- Increased duration between forced changes in order to discourage simple pattern guessing (Password1, Password2, Password3, etc.)
- Employee training & education
- Stress password uniqueness
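The password slides above, as an added example that is not part of the original presentation: the legacy rule set (8 characters, 3 of 4 character classes) implemented next to a pattern check that a password filter or audit could apply at change time. The word lists, the `LOCAL_WORDS` entries and the sample candidates are constructed assumptions.

```python
import re

SEASONS = ("spring", "summer", "fall", "autumn", "winter")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
# Assumption: words an organization would add for itself (name, city, team).
LOCAL_WORDS = ("password", "welcome", "yourorg")


def meets_legacy_policy(pw: str) -> bool:
    """The policy on the slide: 8+ characters and 3 of the 4 character classes."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return len(pw) >= 8 and sum(classes) >= 3


def predictable_reason(pw: str, extra_words=LOCAL_WORDS):
    """Return why a password follows a rotation-friendly pattern, or None."""
    # Drop trailing symbols users append to satisfy complexity ("Winter19!").
    core = pw.lower().rstrip("!@#$%^&*?.")
    m = re.fullmatch(r"([a-z]+)(\d+)", core)
    if not m:
        return None
    word, digits = m.groups()
    if word in SEASONS or word in MONTHS:
        # Four-digit year (19xx/20xx) or two-digit year.
        if re.fullmatch(r"(19|20)\d\d|\d\d", digits):
            return "season/month + year"
    if word in extra_words:
        return "common word + counter"
    return None


def audit(candidates):
    """Passwords the legacy policy accepts but a pattern check should reject."""
    findings = []
    for pw in candidates:
        reason = predictable_reason(pw)
        if meets_legacy_policy(pw) and reason:
            findings.append((pw, reason))
    return findings


# Constructed sample candidates, not real credentials.
SAMPLE = ["Summer2019", "Winter19!", "Password3", "summer", "Tr0ub4dor&3x"]

if __name__ == "__main__":
    for pw, reason in audit(SAMPLE):
        print(f"{pw!r}: passes legacy policy, rejected as {reason}")
```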

Phishing Domains
- We often perform targeted phishing from expired domains or similar domains using official-looking TLDs.

Phishing Domains Key Controls
- Monitor domain records; use expireddomains.net (or a similar tool) to check what domains are available that are similar to yours.
- Block traffic from YourOrg.* TLDs not owned by your organization
- Block or quarantine messages from senders without valid SPF records in order to increase difficulty in spoofing email messages
- Apply a "sent from external sender" tag to messages coming from outside the organization
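One way to combine the three mail controls above into a single gateway decision, as an added example that is not from the presentation. It assumes the gateway has already evaluated SPF and passes in the RFC 7208 result string; `OWNED`, `ORG_LABEL` and the action names are hypothetical.

```python
OWNED = {"yourorg.com"}   # Assumption: domains the organization has registered
ORG_LABEL = "yourorg"     # Placeholder taken from the slide's "YourOrg.*"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_owned(domain: str) -> bool:
    """True for an owned domain or any subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in OWNED)


def is_lookalike(domain: str) -> bool:
    """True when a label matches or nearly matches ours on a domain we do not own.

    Checking every label also covers multi-part TLDs (yourorg.co.uk) and
    the org name used as a subdomain of an unrelated domain.
    """
    if is_owned(domain):
        return False
    return any(edit_distance(label, ORG_LABEL) <= 1 for label in domain.split("."))


def triage(sender_domain: str, spf_result: str) -> list:
    """Return the gateway actions for one message."""
    domain = sender_domain.lower().rstrip(".")
    if is_lookalike(domain):
        return ["block"]
    actions = []
    if spf_result.lower() != "pass":
        actions.append("quarantine")      # no valid SPF, including spoofs of our own domain
    if not is_owned(domain):
        actions.append("tag-external")    # "sent from external sender" banner
    return actions or ["deliver"]


# Constructed sample messages: (envelope sender domain, SPF result).
SAMPLE = [("yourorg.net", "pass"), ("y0urorg.com", "pass"),
          ("mail.yourorg.com", "pass"), ("yourorg.com", "fail"),
          ("partner.example", "none"), ("partner.example", "pass")]

if __name__ == "__main__":
    for dom, spf in SAMPLE:
        print(dom, spf, triage(dom, spf))
```

A one-character edit distance suits an organization label of this length; very short labels would need an exact-match rule to avoid false positives.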

Payload Delivery
- We frequently use links to dropper sites containing malicious code vs. a direct email attachment in order to evade spam filters / sandboxes
- Have moved away from macros in our offensive operations due to high detection rate of process creation chain / injection using static WinAPI calls
- More employees will click links vs. open attachments typically
- AV remains trivial to bypass in most cases

Payload Delivery Key Controls
- Employee awareness training focused on risks of clicking links, how to identify phishing links, etc.
- Block macros on documents from external senders, block suspicious filetypes (.hta, .vbs, etc.) at perimeter from non-trusted domains

Post-Exploitation Offensive Tooling
- As noted, malicious PowerShell detection is up over 1000% over prior year
- This doesn't necessarily mean attackers are using PowerShell more often, but that defenders are getting much better at identifying malicious usage
- Under most circumstances, offensive PS usage is dead for advanced attackers
- Attackers have been moving to .NET/CLR languages (C#, booLang, IronPython) for post-exploitation tooling, but really any language goes

Post-Exploitation Offensive Tooling Key Controls
- Ensure PowerShell is updated to v5.0
  - A big reason for the increased malicious PowerShell detections is the introduction of AMSI (Anti-Malware Scan Interface) hooks into this version
- Update .NET v4 to the latest version in order to get AMSI hooks into the popular execute-assembly functionality leveraged by attackers to execute tools
- Monitor / disallow binaries on the Microsoft Recommended Block Rules list, as these cover the majority of stage 0 execution vectors in a compromise
  https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

Endpoint Detection & Response / Antivirus
- Next-gen EDR solutions are a big improvement over their more traditional signature-based AV competitors, but bypasses are still possible
- There is no silver bullet in security
- Defense in depth, robust monitoring & alerting at multiple points in the network are key
- Microsoft ATA, DarkTrace, etc. can make an attacker's job of getting anything useful out of a network much more difficult

TAKEAWAYS FROM RSM'S OPERATIONS IN 2018-2019
Internal Network Lateral Movement & Privilege Escalation

Internal Network Operations
- What happens if an attacker is able to gain code execution on one of your systems?
  - This is the focus of an internal penetration test
- The goal of an attacker is not necessarily to gain administrative access to the network, but rather to gain access to sensitive data
- Typically when an attacker gets onto a network they have user level permissions (the permissions of the user that opened the attachment, gave away their credentials, etc.)

Multicast Traffic Poisoning
- Link Local Multicast Name Resolution (LLMNR)
  - Say that three times fast
- Enabled by default, no security/authentication component
- NetBIOS Naming Service (NBNS) and IPv6 have similar weaknesses
- Allows us to intercept traffic and impersonate users on the network
(Image from pentest.blog)

Multicast Traffic Poisoning Key Controls
- Disable LLMNR, NBNS, and IPv6 when possible
  - These protocols are not typically used in most corporate networks
  - Typically can be disabled on large numbers of systems via GPO

Re-used Account Passwords
- Built-in account password re-use
  - An attacker with admin rights can dump the local SAM database and obtain NTLM hashes for all local accounts
  - Oftentimes these accounts are shared between systems, letting attackers password spray and gain remote administrative access via pass-the-hash
  - Lets us turn a compromise of one system into a compromise of many systems
- Service account password re-use
  - Similar concept, lower-privileged accounts using a password shared with other, higher-privileged accounts

Re-used Account Passwords Key Controls
- Utilize Microsoft's LAPS (Local Administrator Password Solution) or another identity management tool to set unique passwords for all local accounts on systems
  - LAPS is free
- Audit last password change time on administrative and service accounts, and discuss password management procedures with IT to ensure unique passwords are in use for service accounts

Excessive Rights for Systems and Users
- Excessive administrative rights on systems (allowing all users / large groups of users admin rights) make it much easier to move around the network
  - Typically a legacy setting due to old software which required all users to have admin rights
- Kerberos unconstrained delegation on systems allows an attacker to impersonate any user or system they can convince to authenticate to it
  - Typically seen as another legacy setting

Excessive Rights for Systems and Users Key Controls
- Restrict local admin rights as much as possible
- Bloodhound is a great tool for use by defenders that maps relationships in Active Directory
  - Can easily show administrative rights in an intuitive graphical manner
- Query AD for systems configured with Kerberos Unconstrained Delegation (or via Bloodhound)
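The last control above, as an added example that is not from the presentation: an audit of an exported account list for the `TRUSTED_FOR_DELEGATION` bit of `userAccountControl`. The export format, the host names and the account names are constructed; domain controllers are skipped because they carry the flag by default.

```python
import csv
import io

# userAccountControl bit values as documented by Microsoft.
ACCOUNTDISABLE = 0x0002
SERVER_TRUST_ACCOUNT = 0x2000       # set on domain controllers
TRUSTED_FOR_DELEGATION = 0x80000    # Kerberos unconstrained delegation

# Equivalent LDAP filter (bitwise-AND matching rule) for querying AD directly.
LDAP_FILTER = "(userAccountControl:1.2.840.113556.1.4.803:=524288)"

# Constructed export with hypothetical accounts: sAMAccountName,userAccountControl
SAMPLE_EXPORT = """sAMAccountName,userAccountControl
DC01$,532480
WEB01$,528384
WKSTN042$,4096
svc-legacy,524800
OLDAPP$,528386
"""


def unconstrained_delegation(export_text: str) -> list:
    """Return non-DC accounts that are trusted for unconstrained delegation."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        uac = int(row["userAccountControl"])
        if not uac & TRUSTED_FOR_DELEGATION:
            continue
        if uac & SERVER_TRUST_ACCOUNT:
            continue  # domain controller: expected, review separately
        findings.append({
            "account": row["sAMAccountName"],
            # Disabled accounts are lower priority but should still be cleaned up.
            "enabled": not uac & ACCOUNTDISABLE,
        })
    return findings


if __name__ == "__main__":
    for f in unconstrained_delegation(SAMPLE_EXPORT):
        state = "enabled" if f["enabled"] else "disabled"
        print(f"{f['account']}: unconstrained delegation ({state})")
```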

Patching & Remote Code Execution
- Missing patches is the oldest trick in the book.
- I still see MS17-010 (EternalBlue / WannaCry) on 50%+ of engagements I'm involved with (this vuln is 2.5 years old)
- BlueKeep on 100% of engagements
- The bad guys will be able to find the old system sitting in the corner that hasn't been patched in three years
- There will always be the next Big One

Patching & Remote Code Execution Key Controls
- Prioritize high-profile and high-risk bugs
- Scan the internal network to ensure high-risk vulnerabilities are patched
- Don't make exclusions unless absolutely necessary; the bad guys won't.
- Consider patching schedules for things such as Exchange Server which aren't covered by traditional patch management tools
  - PrivExchange is still seen on ~1/3 of engagements

Default Credentials
- Default credentials on network devices (printers, iLO interfaces, etc.) can allow attackers to control the device
- There are big lists of default passwords out there
- Printers, especially multi-function devices, can be a great starting point. If we locate a printer with an LDAP connection set up on it we can point it to our system and grab the credentials the printer is configured with in plaintext.
- Ensure proper hardening and configuration standards are in place, which include changing default credentials on devices on the network.

Summary
- Don't Panic.
- Plan to fail, but plan to fail gracefully.
  - Ability to know when a control has failed
  - Ability to recover quickly and with minimal damage
- We've pointed out methods to bypass individual types of controls on a case-by-case basis. Consolidated, robust controls, defense-in-depth style, are the most effective.

Summary
- Just because the attacker got into the network doesn't mean they have won.
- Do not become a hacker snack.
  - Hard and crunchy on the outside, soft and gooey in the middle
- Every hoop you force the attacker to jump through is a chance for you to detect them if you are watching.
- With appropriate controls, it is now the attacker that has to be perfect; a single slip could alert defenders and result in them losing all access

Questions?
