Presented by:!!dave Kennedy (RELIK)"!!!!!Ryan Macfarlane "

Transcription

1 Presented by:!!dave Kennedy (RELIK)"!!!!!Ryan Macfarlane "

2

3

4 Head Tail

5 Hit Driven economy and retail market The limits of inventory The emergence of "everything" Key factors: Declining cost of inventory Digital vs physical Global Market Targeting of global niches The power to find what you need Recommendations Crumbling of barriers to production

6 Amazon Physical and Digital Customer are warehouse Search Recommendations Reviews Google Traditional Barriers of Ad Niche driven Unlimited inventory itunes Digital Almost no cost of Customer content Netflix inventory Digital and Physical Recommendations drive demand Service vs per item

7 itunes Customers : Us Inventory Cost = ~$0.00 Digital Medium Global Market Customers Drive Niches Culmination of Niches have high impact Search is important Production is distributed Hackers Customers: Us Unwillingly! Inventory Cost = $0.00 Digital Medium Global Targets Hackers Drive Niches Niches have high impact Individual Niches have high impact Search is important Production is distributed

8

9 Zeus v1 Fake AV Zlob Phoenix Exploit Kit Zeus v2 Lucky Sploit Bredolab YES Exploit Kit

10 $3,000 to $4,000 for the latest version depending on source Backconnect Module: $1,500 allows connection from the internet back into the infected host through firewalls Firefox Form Grabber: $2,000 Jabber Module: $500 instant messaging architecture for wire transfer data VNC module: $10,000 privately developed, full access to the victim machine Windows 7 & Vista Support: $2,000 Source: Homeland Security Presentation: Al Capone and the Olympians

11 [Version 1.4.*] Full incompatibility with all the previous versions. Ability to work with "Roaming User Accounts". [*] The core of the bot has been completely changed. Everything - from the installation to the callback process. As it installs itself, it re- encrypt itself so every computer has a unique copy of the exe file [+] When running as LocalSystem, it tries to infect all windows users Source: Homeland Security Presentation: Al Capone and the Olympians

12 An attacker has performed reconnaissance on your organization. A subset of addresses have been harvested for a spear-phishing attack utilizing and a malicious website. The attacker utilizes known browser exploits to attempt to compromise the unsuspecting victims.

13 Niches can be equated to targeted (or semi-targeted) attacks Advanced Persistent Threat Aurora IP collection ATM Card Skimming Physical Attack Mobile attacks... Add this app. Financial Financial Niches Credit Union example Physical Attacks VOIP Run your own telecom for free nice margins Create your own 866 number, have PBX call it every every other Thursdays for the rest of your life.

14 Source: Homeland Security Presentation: Al Capone and the Olympians

15

16 An attacker has performed reconnaissance on your organization. A subset of addresses have been harvested for a spear-phishing attack utilizing and a malicious website. The attacker utilizes not widely blocked and hard to prevent browser attacks to attempt to compromise the unsuspecting victims.

17 An attacker solders a malicious microprocessor into the keyboard. Keyboard is shipped to individuals in the company as part of a hardware replacement program. Keyboard is designed to compromise the computer systems.

18 Bypasses all autorun capabilities to execute arbitrary code on the system. Can drop malicious binaries, trigger overflows, utilize downloaders, or backdoor your stuff! Easily hidden in peripheral devices like docking stations, mouse, keyboards, computers, USB thumb drives, and much more.

19

20 Spam Credit Card Fraud Phishing Spear Phishing Bankers ACH Fraud

21

22 Software Integrity Denial of Service

23 Commercial Security Products are designed to handle the head. Great security people defend against the tail. (via detection*)

24 Decent Commercial Coverage Little Commercial Coverage

25 You must understand the tail to defend the against the tail Developing a comprehensive security program that can detect and prevent these targeted attacks. Establish a team of experts that are focused on preventing these types of attacks from occurring. Detailed understanding of our assets and what our true threats are out in the wild. Strong focus on application security, monitoring and prevention, incident response, penetration testing, database security, vulnerability management, user awareness, and security architecture.

26 Validation of the Tail Pentests by hour

27 The game has changed, penetration testing isn t the vulnerability scans and exploiting the vulnerabilities. Hopefully we re past that stage as corporations, our true risk is towards the tail where our attack vectors require skill and effort. Penetration testing companies will suffer as companies must find their expertise moving towards the tail in order to produce real world attacks. A hacker doesn t stop after getting domain administrator rights, or rooting your Linux box.

28 Compliance will not secure you, the focus for Compliance is something that has already occurred (the head). Compliance is a check mark, a good starting point but is reactive in nature. If your basing your security program on PCI, good luck J

29 `