Who am I?
Vincent Yiu, Founder of SYON Security
Offensive Operations including Adversary Simulation and Penetration Testing
Certifications: CREST certified, OSCP, OSCE
Speaker at: SSC Xi’an 2018, HITB Singapore 2017 and 2018, JD Security Conference Beijing 2017, Steelcon UK 2017, Bsides Manchester UK 2017, Snoopcon 2017 and 2018.
@vysecurity
Experiences
• Global banks
• Local banks
• Wealth management
• Global insurance
• Smart grid
• Retail
• Manufacturing / R&D organizations
• Satellite
• HR companies
• Financial technology providers
• ISP / Registrars
• Telecoms
• Energy
• Biomedical
• Health
• More…
Financial Technology?
• Asset Management
• Automated Teller Machine (ATM) Operators
• ATM and self-service terminal manufacturing
• Banks and Credit Unions
• Credit Report Services
• Electronic Payment Systems
• Financial Planners and Investment Advisers
• Financial Transaction Processing
• Institutional Securities Brokerages
• Investment Firms
• Mortgage Brokers
• Property/Casualty Insurance Carriers
• Venture Capital
• CRYPTOCURRENCY EXCHANGE
https://www.fireeye.com/content/dam/fireeye-www/solutions/pdfs/ib-finance.pdf
But it all boils down to…
• The target objective
• The attacker’s motivation
• The crown jewels
Hacking a target is not the end goal, acquisition of the objective is the mission.
Agenda
• Financial industry threats
• What is intelligence?
• Current state of Security Testing across the world
• What is Cyber Attack Simulation Testing?
• Attack lifecycle – Modelling real attacker techniques
Goals: Back to Basics
Confidentiality / Integrity / Availability
Data, Information
• Benefit Records
• Business and Strategic Plans and Goals
• Finance Documents
• Invoices
• Organizational Charts
• Pricing Data
• Recurring Reports
• Customer Data
• Payment Card Data
Manipulation
• Change Customer Account Data
• Change Amount of Money
• Change Software
• Change Website
Access
• Move Money
• Withdraw Cash
• Denial of Service
Intelligence
• Who’s hacking who?
• What are criminals after?
• Is your company affected?
• When are they going to hack you?
• Have they already hacked you but you don’t know?
• Current scam campaigns going on
Diagram: (1) Intelligence Report, (2) Your Company, (3) ???
Intelligence Report: What’s in it?
• Open Source Intelligence information on your company
• Enumerated digital asset IP ranges / domains
• Shodan passive enumeration of digital assets
• Potential vulnerabilities
• Competent intelligence providers will have a 20+ year historical database of data
• Provide insight as to what CRIME groups are targeting YOUR industry
• What CRIME groups are targeting YOUR organization
• What accounts and data are being sold?
• What are the capability levels of these CRIME groups?
• What malware deployments? What tactics, techniques, and procedures do they use?
Open Source Intelligence
• Company Name
• Company Branches
• Legal entities
• Revenue
• Executives
• Organizational Chart
• Office locations
• Email addresses
• Phone numbers
• Passwords appeared in previous breaches
• Digital assets
• Potential vulnerabilities
Adversary Information
• Name of groups and individuals who may be targeting your industry
• Groups who may be targeting your particular organization
• Mentions of your organization on the Dark Net / Underground communities
  • TOR network
  • Exploit.in LEVEL X account
• Public APT and private APT reports
• Malware samples
• Indicators of compromise
• Motivations
• Origin country
• Emails
• Domains
• IP addresses
• Accounts for your service being sold
• Access to your organization being sold (insider threat / previously hacked access)
Improving Cyber Resiliency using Intelligence-led Attack Simulations
What threats are we facing?
• SWIFT – Financial motivation
• ATM Jackpotting – Financial motivation
• Cryptocurrency Exchange Transfers – Financial motivation
Who are the threat actors?
• Many Advanced Persistent Threat Groups
• Carbanak – ATM / Point of Sale Devices
• Lazarus – SWIFT
What are we doing about it?
• Prepare
• Assess
• Understand your company’s defensive capabilities
After breach:
• Investigations
• Security hardening
Case Study
• Bank X
• 2014: Simulated attack, $200K
• 2016: Bangladesh hacked via SWIFT, $81 million
• 2018: On-going simulations, $200K
• Prepared for the FUTURE
Case Study
• Financial Technology company Y
• Global Reach
• Deploys Infrastructure for many banks
• “Can an attacker break into our network, and obtain access to our customer’s networks?”
Current State of Security Assessments
PENETRATION TESTING
• Project 1: Can I get past the door?
• Project 2: Can we break into the safe?
ATTACK SIMULATION – ONE PROJECT
• Surveillance to find time when no one’s home
• Jump down from floor above
• Unlocked balcony door
• Find safe combination in room
• Open the safe
Where are we?
• United Kingdom / USA:
  • Red Teaming / Attack Simulation
  • Penetration Testing
• Asia:
  • Risk Assessment
  • Buy Security Products
  • Penetration Testing
Attack Simulation Regulations
• United Kingdom: CBEST (Financial), TBEST (Telecom), NBEST (Energy), ATTEST (Aviation)
• Europe: TIBER-EU
• Hong Kong: iCAST
• Singapore: Pending Singapore Monetary Authority
Capabilities
Cyber Capability Spectrum (LOW to HIGH)
• Risk Assessment / Compliance
• CREST Basic
• CREST Certified
• CREST Simulated Attack Specialist
• Experienced Consultant Dealing with Critical Infrastructure
Watch a video, then say “He might take a right punch”
Are you ready for the fight with no training?
Brief walkthrough of an attack on ACME corporation
• Financial Technology Provider
• Global presence
• Operations in UK, Germany, Singapore, and Philippines
• Goal: Obtain access to customer data
• Goal: Obtain access to customer environment
• Goal: Obtain credentials for a customer environment
How might you go about this sort of an attack?
Step 1: Reconnaissance
• Map out digital assets
  • Scanning, visualising, understanding the surface
  • Digital footprint / Social media footprint
  • Code leaks, breach dumps
• Map out physical assets
  • Potential last resort if attack over internet proves infeasible
• Map out human resources
  • Scraping, searching the internet
  • LinkedIn, 脉脉 (Maimai)
Step 2: Phishing
• Review target’s email security configuration
• Set up a phishing campaign
• Target gets phished
• Foothold on internal network
Step 3: Actions on Objectives
• Skip Privilege Escalation, phished target is a Philippines operations manager
• Login to internal password management server
• Dump all credentials for all APAC customers
• Surveillance of the target over multiple days
• Target logs into customer Citrix server via a secured virtual machine
• Connect to virtual machine
• Lookup customer credentials
• Login
• Access to customer environment granted
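A defensive counterpart to the credential dump in Step 3, added here as an example and not code from the talk: a sliding-window check over password-management server audit logs that flags one account retrieving secrets for many distinct customers in a short time. The log format, account names and threshold values are assumptions constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log for this example (hypothetical format, not a real product's):
# "<ISO timestamp> user=<account> action=<verb> secret=<customer>/<entry name>"
SAMPLE_LOG = """\
2018-05-02T09:00:12 user=ops.manager action=view secret=bank-a/citrix-admin
2018-05-02T09:00:40 user=ops.manager action=view secret=bank-b/citrix-admin
2018-05-02T09:01:05 user=ops.manager action=view secret=bank-c/db-backup
2018-05-02T09:01:30 user=ops.manager action=view secret=bank-d/vpn
2018-05-02T09:02:02 user=ops.manager action=view secret=bank-e/citrix-admin
2018-05-02T09:02:40 user=ops.manager action=view secret=bank-f/sftp
2018-05-02T10:15:00 user=dba.one action=view secret=bank-a/db-backup
2018-05-02T14:20:00 user=dba.one action=view secret=bank-a/db-backup
2018-05-02T15:05:11 user=support.two action=view secret=bank-b/vpn
"""


def parse_line(line):
    """Split one audit line into (timestamp, user, customer)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    customer = fields["secret"].split("/", 1)[0]
    return datetime.fromisoformat(ts), fields["user"], customer


def find_mass_retrieval(log_text, window=timedelta(minutes=10), max_customers=3):
    """Return {user: (window_start, customers)} for every user who viewed
    secrets belonging to more than max_customers distinct customers within
    any sliding time window. Routine support work touches one customer at a
    time; dumping "all credentials for all customers" does not."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # per-user events inside the current window
    alerts = {}
    for ts, user, customer in events:
        q = recent[user]
        q.append((ts, customer))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = {c for _, c in q}
        if len(distinct) > max_customers and user not in alerts:
            alerts[user] = (q[0][0], sorted(distinct))
    return alerts


if __name__ == "__main__":
    for user, (start, customers) in find_mass_retrieval(SAMPLE_LOG).items():
        print(f"ALERT {user}: {len(customers)} customers from {start}: {customers}")
```

The same check can be widened to flag retrievals outside an account's normal region or working hours once the vault's real audit fields are known.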