Red Teaming in the Cloud
Peter Wood, Chief Executive Officer
First Base Technologies LLP
Slide 2 © First Base Technologies 2016
Founder and CEO - First Base Technologies LLP
• Engineer, IT and information security professional since 1969
• Fellow of the BCS, Chartered IT Professional, CISSP
• Senior Member of the Information Systems Security Association
• 15 Year+ Member of ISACA, ISACA Security Advisory Group
• Member of the Institute of Information Security Professionals
• Chair of white-hats.co.uk
• Chair of OTIS (Operational Technology and IoT Security)
• Member of ACM, IEEE, First Forensic Forum, Institute of Directors, Mensa
Slide 3
Slide 4: The enemy
What was advanced is now average
• Well planned, strategic approach
• Automation assisted manual attacks
• Social engineering, especially phishing
• Sophisticated malware
• Clear objectives
• Lots of resources
Slide 5: The defence
To counter these attacks, we need threat-based thinking
• Who is attacking what and how?
• Where do we know we are vulnerable?
• What can we fix right now?
• Conduct a red team exercise
• Fix the problems we found
• Check our fixes work
• Wash, rinse, repeat
Slide 6: The method
http://csrc.nist.gov/cyberframework/rfi_comments/040813_cba_part2.pdf
• Understand each attacker’s capability, motivation and methodologies
• Analyse the likely impact to help prioritise
• Design relevant scenarios
• Execute red team exercises
• Assess protective controls
• Evaluate detective controls
Slide 7: The strategy
Slide 8
Cloud computing metaphor: for a user, the network elements representing the provider-rendered services are invisible, as if obscured by a cloud
https://en.wikipedia.org/wiki/Cloud_computing
Image by Sam Johnston (includes Computer.svg by Sasa Stefanovic)
Slide 9
What assets will threat actors be interested in?
• Money
• Intellectual property
• Identities
• Databases
• Intercepts
• Network access
• Control systems
Slide 10
What is the most attractive approach?
(Needs to be: easiest, cheapest, lowest risk, best success rate …)
• Break into the cloud
• Infiltrate the provider
• Infiltrate the customer
• Intercept traffic
• Trick the user
Slide 11
Slide 12
Why is it the most attractive approach?
• Login from anywhere
• Browser access
• Single factor authentication
• No intruder detection
• No physical security
• Legitimate credentials
• Good chance of privilege escalation
Slide 13: How they think
Example methodologies
• Spear phishing
• Social networking
• Watering hole attacks
• Telephone social engineering
• Theft of device
• USB device
• Charging points
• Public computers
• WiFi intercepts
Slide 14: Reconnaissance
• 4 registered domains
• 5 IP address ranges
• 72 Internet-facing hosts
• Scan revealed OWA in use
• LinkedIn search for relevant email addresses
• 400 email addresses identified
• Staff names and job titles analysed
• Emails sent to obtain responding email style and layout
Slide 15: Planning
• Convincing fake domain name available and purchased
• OWA site cloned onto fake domain for credential theft
• Large number of email addresses harvested as targets
• Design of real emails copied to facilitate spear phishing
• Names and job titles gathered as fake senders
• Genuine OWA will be used to test stolen credentials (and gather further info)
Slide 16: Execution
• Email sent from IT manager, using fake domain address
• OWA cloned on to tester’s laptop, DNS set accordingly
• Email sent to three groups of 100 recipients
• Within a few minutes, 41 recipients entered credentials
• Credentials tested on legitimate OWA site
• Significant information gathered from each account
• Further emails can now be sent from legitimate addresses
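The Planning and Execution slides describe the two signals a defender can act on: a sender domain that closely resembles the organisation's own, and one external sender reaching many mailboxes within minutes. The following is an added example written for this page, not code from the talk or from First Base Technologies. It runs a lookalike-domain check (edit distance against a list of legitimate domains) and a burst check over constructed mail-gateway log lines; the log format, the domain names and the thresholds are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mail-gateway log lines (not from the talk). Assumed format:
#   <ISO timestamp> from=<sender> to=<recipient> subject="<subject>"
# The first four lines model the slide's campaign: one "IT manager" sender on a
# lookalike domain mailing several staff within a few minutes.
SAMPLE_LOG = """\
2016-03-01T09:00:01 from=it.manager@examp1e-corp.com to=alice@example-corp.com subject="OWA password expiry"
2016-03-01T09:00:02 from=it.manager@examp1e-corp.com to=bob@example-corp.com subject="OWA password expiry"
2016-03-01T09:00:03 from=it.manager@examp1e-corp.com to=carol@example-corp.com subject="OWA password expiry"
2016-03-01T09:00:04 from=it.manager@examp1e-corp.com to=dave@example-corp.com subject="OWA password expiry"
2016-03-01T09:05:00 from=newsletter@vendor-news.example to=alice@example-corp.com subject="March update"
2016-03-01T09:30:00 from=helpdesk@example-corp.com to=bob@example-corp.com subject="Ticket closed"
2016-03-01T10:00:00 from=sales@exampleshop.com to=carol@example-corp.com subject="Invoice"
"""

# Assumed list of the organisation's own mail domains.
LEGITIMATE_DOMAINS = {"example-corp.com"}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) subject="(?P<subject>[^"]*)"$'
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit=LEGITIMATE_DOMAINS, max_distance: int = 2) -> bool:
    """True if domain is within max_distance edits of a legitimate domain but is not one."""
    domain = domain.lower()
    if domain in legit:
        return False
    return any(levenshtein(domain, d) <= max_distance for d in legit)


def parse_log(text: str):
    """Yield (timestamp, sender, recipient, subject) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["from"], m["to"], m["subject"]


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def find_lookalike_senders(text: str, legit=LEGITIMATE_DOMAINS) -> dict:
    """Map each lookalike sender domain to the set of internal recipients it mailed."""
    hits = defaultdict(set)
    for _, sender, rcpt, _ in parse_log(text):
        dom = sender_domain(sender)
        if is_lookalike(dom, legit):
            hits[dom].add(rcpt)
    return dict(hits)


def find_bursts(text: str, min_recipients: int = 3,
                window: timedelta = timedelta(minutes=5)) -> dict:
    """External senders that reached >= min_recipients distinct mailboxes inside one window."""
    by_sender = defaultdict(list)
    for ts, sender, rcpt, _ in parse_log(text):
        if sender_domain(sender) not in LEGITIMATE_DOMAINS:
            by_sender[sender].append((ts, rcpt))
    bursts = {}
    for sender, events in by_sender.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            rcpts = {r for t, r in events[i:] if t - t0 <= window}
            if len(rcpts) >= min_recipients:
                bursts[sender] = len(rcpts)
                break
    return bursts


if __name__ == "__main__":
    print("lookalike senders:", find_lookalike_senders(SAMPLE_LOG))
    print("bursts:", find_bursts(SAMPLE_LOG))
```

Either signal alone produces noise (a partner's similarly named domain, a legitimate newsletter); the combination of a lookalike sender domain and a multi-recipient burst is the pattern worth an alert, and it is visible at the gateway before any credential reaches the cloned site.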
Slide 17: Passwords – really?
Single-factor authentication may not be your best choice
• We cracked 48% of 9,569 passwords
• 98% of these passwords were cracked within two hours
• The remaining 2% were cracked over the course of one week
Slide 18: Enable your best defence
Invest in your human firewall
• Train your staff to recognise social engineering attacks
• Explain the why and how of passphrases
• Invest in continual awareness campaigns
• Use every medium available to spread the word
Need more information?
Peter Wood, Chief Executive Officer
First Base Technologies LLP
[email protected]
@FBTechies
+44 (0)1273 454525