Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?



Similar documents

Penetration Testing Report Client: Business Solutions June 15 th 2015

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Penetration Testing with Kali Linux

The Trivial Cisco IP Phones Compromise

Protecting Your Organisation from Targeted Cyber Intrusion

Vulnerability Assessment and Penetration Testing

2012 North Dakota Information Technology Security Audit Vulnerability Assessment and Penetration Testing Summary Report

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

1. LAB SNIFFING LAB ID: 10

Targeted attacks: Tools and techniques

CYBERTRON NETWORK SOLUTIONS

CS5008: Internet Computing

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Cyber Essentials. Test Specification

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

McAfee Certified Assessment Specialist Network

Client logo placeholder XXX REPORT. Page 1 of 37

Setting Up Scan to SMB on TaskALFA series MFP s.

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

IBM Protocol Analysis Module

April 11, (Revision 2)

Advanced Persistent Threats

The Nexpose Expert System

CYBER ATTACKS EXPLAINED: THE MAN IN THE MIDDLE

Malicious Network Traffic Analysis

External Network Penetration Test Report

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest

4. Getting started: Performing an audit

Penetration Test Report

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

Locking down a Hitachi ID Suite server

Presented By: Holes in the Fence. Agenda. IPCCTV Attack. DDos Attack. Why Network Security is Important

Pwning Intranets with HTML5

Reverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006

Web App Security Audit Services

Learn Ethical Hacking, Become a Pentester

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

How We're Getting Creamed

End-to-end Processing with TIBCO Managed File Transfer (MFT) Improving Performance and Security during Internet File Transfer

WHY ATTACKER TOOLSETS DO WHAT THEY DO

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

Network and Host-based Vulnerability Assessment

Spear Phishing Attacks Why They are Successful and How to Stop Them

Detailed Description about course module wise:

Next-Generation Penetration Testing. Benjamin Mossé, MD, Mossé Security

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal

Penetration Testing. NTS330 Unit 1 Penetration V1.0. February 20, Juan Ortega. Juan Ortega, juaorteg@uat.edu. 1 Juan Ortega, juaorteg@uat.

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

CRYPTUS DIPLOMA IN IT SECURITY

Covert Operations: Kill Chain Actions using Security Analytics

Quarterly Report: Symantec Intelligence Quarterly

TIBCO Cyber Security Platform. Atif Chaughtai

VMware vcenter Support Assistant 5.1.1

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)

Deploying F5 to Replace Microsoft TMG or ISA Server

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

PTSv2 in pills: The Best First for Beginners who want to become Penetration Testers. Self-paced, online, flexible access

Why The Security You Bought Yesterday, Won t Save You Today

Windows Remote Access

6WRUP:DWFK. Policies for Dedicated SQL Servers Group

RSA Security Anatomy of an Attack Lessons learned

Course Content: Session 1. Ethics & Hacking

VULNERABILITY ASSESSMENT WHITEPAPER INTRODUCTION, IMPLEMENTATION AND TECHNOLOGY DISCUSSION

Common Cyber Threats. Common cyber threats include:

!!!!!!!!!!!!!!!!!!!!!!

How Do Threat Actors Move Deeper Into Your Network?

Ethical Hacking Course Layout

IBM Security re-defines enterprise endpoint protection against advanced malware

Penetration Testing 2014

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

Hacking: Information Gathering and Countermeasures

Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15

Firewalls, Tunnels, and Network Intrusion Detection

Security: Attack and Defense

iscsi Security (Insecure SCSI) Presenter: Himanshu Dwivedi

24/7 Visibility into Advanced Malware on Networks and Endpoints

V ISA SECURITY ALERT 13 November 2015

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

whitepaper Ten Essential Steps for Achieving Continuous Compliance: A Complete Strategy for Compliance

Marble & MobileIron Mobile App Risk Mitigation

Certified Ethical Hacker Exam Version Comparison. Version Comparison

Five Steps to Improve Internal Network Security. Chattanooga ISSA

Where every interaction matters.

Reference Architecture: Enterprise Security For The Cloud

SCP - Strategic Infrastructure Security

Information Security Services

Global Partner Management Notice

Top 20 Critical Security Controls

2X HTML5 Gateway v10.6

DiamondStream Data Security Policy Summary

Transcription:

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis? This paper presents a scenario in which an attacker attempts to hack into the internal network of the fictitious Sec 1 Police Force to gain access to the HR database. The attack is an all-too-common and pernicious advanced persistent threat (APT). WHAT IS AN APT AND HOW DOES IT WORK? An APT is an attack on a network in which an unauthorized person gains access and remains undetected for a long period of time. The intention is to steal data rather than cause damage. APT attacks target organizations in sectors with highvalue information, such as national defense, manufacturing, and finance. To remain undetected, an attacker has to find a legitimate way into the network. Attackers frequently use spear phishing attacks to gain credentials for web login ports, remote access servers, and VPNs. After the attacker gains initial access, they try to install a back door for unimpeded access.

WHITEPAPER 2 FINDING A LEGITIMATE WAY IN EXTERNAL ENUMERATION First, the attacker looks for web pages, login ports, email addresses, and usernames related to the target. To build this list, tools can be used such as Whois, reverse DNS, and DNS brute forcers. This is how it could be done. Step 1: Take all the known hostnames and resolve them to IP addresses. Step 2: Perform a Whois lookup against each. Step 3: Perform a reverse DNS lookup of each IP in the discovered ranges. Step 4: Identify all domain names and use some logic to work out what is valid/invalid. Step 5: Perform DNS brute force on the domains. Step 6: Repeat on new hostnames discovered. This process should identify all subdomains and help identify all login portals relating to the target. To gather email address, an attacker would use tools such as Theharvester, Burp, and Foca. For example, Theharvester works by searching Google, Google profiles, Bing, PGP servers, LinkedIn, and Exalead for emails and subdomains/ hostnames relating to the target. Once a list of email addresses has been identified, a spear phishing attack can begin. The attacker may use LinkedIn to pick his targets according to their job role and likelihood of having higher access rights than other users. The attacker could also perform a password attack against these enumerated accounts; however, a number of failed login attempts could be logged and the originating IP blocked by an IPS or firewall. SPEAR PHISHING Spear phishing entails sending messages that appear to come from a trusted source. These client-side attacks target both network users and their installed software. Common applications compromised include, Microsoft Office, web browsers, and the Adobe suite of tools including Acrobat Reader, Flash, and others. The attacks against these applications usually rely on some interaction from the end user, such as visiting a malicious or compromised web site or opening attachments or files stored on network shares. The attacker might create a domain name that s very similar to the target s: sec1police rather than sec-1police, for example. A user receiving an email from bobj@sec1police.gov.uk could be easily tricked into believing the email is legitimate. The email includes an attachment or link that, when run or opened, creates a backdoor into the user s computer, enabling control over it Dear TargetUser, I am contacting you regarding recent changes we have made to the online login system. A number of users have been unable to login. Please confirm that you can access your account by clicking the link below. https://www.login.sec-1police.com Kind Regards, James Pickard IT Consultant

WHITEPAPER 3 This vulnerability can affect any operating system running Java: Mac OSX, Linux, Windows. If the exploit is successful and the client clicks the link, depending on what version browser, Flash and Java are running, the attacker can be provided with a remote command shell on the client s machine. The attacker now has a valid way into the internal network. Another way into the network would be: Exploiting a zero day threat SQL injection Password attacks Misconfiguration Running vulnerable versions of software Authentication bypass Remote command execution INTERNAL ENUMERATION Once the attacker has compromised a machine and is on the internal network, he would want to escalate his privileges. He would do this by collecting as much information from the current computer and others on the network. This would include: Network addresses Password hash Services running Running operating systems Usernames Open server message block (SMB) shares User information could be enumerated using net user for local machine accounts and net user/domain for domain user accounts. If successful, a list of domain usernames and their associated user groups would result. This information could be used to perform password attacks against SMB services or a Citrix portal. The attacker could then try and open other services such as a remote desktop protocol (RDP). If he had Internet access (this scenario assumes that he does), he could then download tools onto the compromised machine from his own PC or from an online cloud storage system like Dropbox. The information that could be gathered depends on the compromised machine s operating system. Tools may be used to try and extract the local administrator hashes. If successful, the attacker would try offline techniques to crack the hash. The hash would be used to check whether the same local administrator password could be reused on other hosts on the network. Generally a lot of networks reuse local administrator passwords, which are sometimes domain administrator passwords. An attacker would try to identify the server range because it would have the most sensitive information. An attacker could do this by looking in the network interface settings and identifying gateway IP addresses or DNS servers. There are several ways machines can be identified as live, such as through ICMP ping sweeps or port scans using tools such as: Nmap Nbtscan Ping Netcat

WHITEPAPER 4 Example: Nmap sn 172.16..0.1/24 sn ping scan Once the live hosts have been identified, an attacker would inspect them in detail to identify interesting targets, such as domain controllers and database servers. Depending on how stealthy the attacker wanted to be, there are several methods that could be used: Standard scanning methods Vanilla connect( ) scanning Half-open SYN flag scanning Stealth TCP scanning methods Inverse TCP flag scanning ACK flag probe scanning TCP fragmentation scanning Third-party and spoofed TCP scanning methods FTP bounce scanning Proxy bounce scanning Sniffer-based spoofed scanning IP ID header scanning An example: Nmap -il LiveIPs.txt -p 1433, 3307 --open Syntax explanation: -il Input file of IP address -p Ports that will be scanned --open Only show open ports The accuracy of the results depends on which scanning method is used. It is possible to identify the database versions on the server, which would allow the attacker to search for exploits associated with them. That provides a way of compromising other machines using yet other tools. INFORMATION THEFT AND EXFILTRATION Now that the database servers have been identified, a number of methods could be used to gain access to them: Compromised domain account that has access to the databases Weak database credentials, default or predictable credentials Unpatched or unsupported version of database SQL injection Compromising the machine that the database is running on and connecting using stored credentials. Once the database has been compromised, the attacker would try and extract data, modify fields, or delete information. The database could be extracted through the compromised machine and copied onto the attacker s PC.

WHITEPAPER 5 SUMMARY APTS ARE A REAL THREAT Advanced persistent threats (APTs) are multi-pronged, long-running attacks often used to extract large amounts of information over an extended period of time. There are many real-world examples of APTs in the wild, including several recent credit card breaches at US retailers. HOW DO YOU IDENTIFY AND STOP AN APT? By their nature, APTs leave multiple footprints in the sand, which give security teams an opportunity to identify and interdict before damage is done. There is no single answer to the problem of identifying and stopping APTs. Many security tools from virus scanners to email security to security analytics have a role to play. The question is, what logs would you need to identify an APT and perform forensic analysis? Are the following items sufficient? Queries to database Downloading a large amount of information from a database Port scans Failed logon to local accounts, database accounts, and domain accounts. Abnormal amounts of network traffic from a host Connected IP from a different geographical location Adding users Geotagging of destination for data extraction Global Headquarters 3307 Hillview Avenue Palo Alto, CA 94304 +1 650-846-1000 TEL +1 800-420-8450 +1 650-846-1005 FAX www.tibco.com TIBCO Software Inc. is a global leader in infrastructure and business intelligence software. Whether it s optimizing inventory, cross-selling products, or averting crisis before it happens, TIBCO uniquely delivers the Two-Second Advantage the ability to capture the right information at the right time and act on it preemptively for a competitive advantage. With a broad mix of innovative products and services, customers around the world trust TIBCO as their strategic technology partner. Learn more about TIBCO at www.tibco.com. 2015, TIBCO Software Inc. All rights reserved. TIBCO, the TIBCO logo, and TIBCO Software are trademarks or registered trademarks of TIBCO Software Inc. or its subsidiaries in the United States and/or other countries. All other product and company names and marks in this document are the property of their respective owners and mentioned for identification purposes only. 03/13/15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information