Dissecting the Hacking Team's Operation Methods:
What Security Professionals Need to Know
By: Ian Muller, Senior Security Writer
Amit Serper, Senior Security Researcher
Alex Frazer, Security Researcher
The Cybereason philosophy is that the attack methodology matters much more than the
exploits and tools that the hackers leverage, which is why we focus so much on
malicious operations, or Malops. Exploits will be patched and tools will evolve and
change, but attack methods and hacker behavior are more likely to remain the same
over time. By analyzing this angle of a cyber attack, we are able to better recognize
malicious behavior and react faster to a threat.
The main idea behind this approach is that being able to identify malicious activity
sooner will give you a leg up on an attacker. A zero day exploit by itself is a threat, but
it’s only a method for the attackers to gain access to your system. Once they’re inside,
the exploit becomes unimportant. By assessing the behavior and activity, rather than
the file signatures and hashes, we can recognize the malicious operation before the
attackers have enough time to start exfiltrating data.
One example of this is one of the zero day exploits released in the recent Hacking Team
data leak. Because of our focus on behavior, we were able to instantly identify the
privilege escalation activity within our lab when testing it against our platform, without
changing anything in our own system.
“The exploits themselves, while dangerous, aren't the most interesting thing here,” says
Amit Serper, Senior Security Researcher. “Any antivirus can detect using signatures, but the
signatures always come after the damage has happened. It’s a game of cat and mouse
out there. New exploit - patch; new exploit - patch; repeat. We at Cybereason actually
made a paradigm shift long ago. That is why the company was founded and that is why
we are able to catch zero days so quickly.”
Penetration is inevitable, and it doesn’t matter which drivers or applications are
vulnerable to an exploit. If you are able to detect abnormal activity in your environment
and react to it as it occurs, you’ll be able to take a proactive stance against cyber attacks
and stop hackers in their tracks.
In order to fully understand the Malop philosophy, we delve deeply into the Hacking
Team data leak.
With the public release of the Hacking Team’s secrets, our researchers took advantage of
the ability to dig deeply into the minds behind their operational theater. For security
researchers this information is a veritable gold mine, providing us with even more clues
into the latest techniques and tactics hackers are using, and how easily they are able to
maintain their attacks over time. Two of our security researchers recently sat down to
examine the available data, and found some amazing details about Hacking Team's
activities, victims... and even the hackers that in turn brought them down.
This data dump is akin to the fall of the Soviet Union in a way. When the U.S.S.R. fell,
global black markets were overflowing with Soviet weapons and, more importantly,
knowledge of WMDs. This put more sophisticated weaponry and nuclear capabilities in
the hands of the highest bidder, much like the Hacking Team leak has done. Except in this
case the information is free, and none of the vendors whose products are exploitable, e.g.
Adobe and Microsoft, were notified, amplifying the danger of the leak.
The widespread availability of this data is going to empower hacking teams across the
globe, providing them with much more sophisticated techniques to launch their own
attacks. These newer operations will have a completely different signature than Hacking
Team’s efforts, but because of how detailed the information on their delivery server is, with
perfectly readable code and extremely detailed comments, we can assess the behavior
these attacks will follow and more accurately and quickly identify these operations in the
future.
What we want to look more closely at is how Hacking Team targeted their attacks, and the
techniques they used to maintain such large-scale operations over extended periods of
time.
Hacking Team used a particularly ingenious strategy for gaining access to victim machines.
Firstly, the team’s operations mirrored that of the Flame malware discovered in 2012.
Flame’s C&C server interface mimicked a news and adwords service, offering its
“customers” - the term they used to refer to targets - a link to an “ad hosting” server, which
then installed the malware. Many of its commands and protocols used news-related
jargon to continue to fool detection tools and security analysts, and Hacking Team’s
tactics followed the same strategy.
Note the buzzwords, “news, adwords,” used in the code.
In fact, on Hacking Team’s delivery server, we found a base64 binary file titled “news,”
which we discovered was their payload. When we de-scrambled the base64 file, we
found a big data blob - an AES encoded binary - containing a multi-staged payload that
runs a zero day exploit for privilege escalation. The payload then executes Hacking
Team’s Remote Control System (RCS) agent, which is padded with random binary data, a
common anti-virus avoidance tactic.
Through a variety of standard and new techniques, such as phishing and watering hole
attacks, potential targets would receive a link. Once the recipient clicked on the link, the
infection server would immediately assess whether or not the machine was, in fact, a
targeted recipient. If not, the script would automatically redirect them to a 404 error page
or another homepage - something news or ad related (customer configurable) so as to
not arouse suspicion. However, if the clicker was the intended target, the server would
then profile their machine to determine their OS and browser. The server would then be
able to determine if the target is using IE, Firefox, or Chrome, and what operating system
they’re running, and then leverage the appropriate Adobe Flash exploit to take over the
user’s machine. From there, the RCS agent was inside and able to move to the next stage
of the malicious operation.
An example of a Vietnamese-targeted campaign redirecting a non-targeted individual using IE to an advertisement.
We were able to track this process by reverse engineering the files on the delivery server
and JSON logs of “customer” communication. Digging deeper into the data, we were able
to see when Hacking Team infiltrated a target (down to the last second), where they were
located, what ISP they used, what operating system, and even which build of their
browser was used to access the delivery server. For one target based in Egypt, we were
able to see that they were using Chrome build 43.0.2357.130, which was released on
June 22. Hacking Team infiltrated their system using the Flash exploit just six days later
on June 28. This is both important, and amusing, considering Chrome is marketed as the
most secure browser for the average user, but they were able to exploit it in a matter of
days after the most recent update at the time.
Screenshot of the browser-detection script from an Egyptian campaign.
What is also interesting about the attack is what we were able to glean about the delivery
server itself, which was hosted at mynewsfeeds.info. (You may want to check your
firewall and corporate proxies for this URL, in case your organization was targeted by
Hacking Team!) We tracked the URL and WhoIs information to see where the team had
registered it to. In fact, the registration information for their domain pointed to a rundown
apartment complex in a bad neighborhood in Tel Aviv! However, the location and name
associated with the WhoIs - David Cohen, the Israeli equivalent of “John Smith” - were an
obvious misdirection. Not only did the team clone the techniques of Flame, which is
attributed to Israel, but they also falsified their domain registration as if it were based in
Israel.
One file we found related to the mynewsfeeds.info domain on VirusTotal.com was
tmp_privesc, a binary which contains a privilege escalation exploit using an Adobe driver
that is present on both Windows and Mac OS X operating systems. This could be the
“smoking gun,” which allowed the usage of this exploit in the wild, and would allow us to
identify it much more quickly on endpoints, which we will touch on more in a future write
up. By leveraging VirusTotal as one of our threat intelligence sources, we can apply
machine learning and big data to cross examine the information from the data dump and
better identify these tactics and tools when they are used again in the future.
We also found it important to note that the mynewsfeeds.info domain only had a few
hashes associated with it before the Hacking Team leak. However, since then more than
a dozen have cropped up, and while these weren’t found to be harmful, they all include
the hash of the newsfeeds domain embedded in them - likely a result of numerous
groups now downloading, compiling and running the code themselves.
The Cybereason platform was able to identify Hacking Team’s privilege escalation exploit in elevator.exe out of the box.
Taking a closer look at the Hacking Team attack operation allows us to gain a better
understanding of how the existing threat landscape is going to evolve.
In part one, we discussed why the Hacking Team leak is a game-changing event for
cyber security, providing a brief overview of the tools the team used and distributed to
their clients and the rather sophisticated tactics they deployed in order to sustain long-
term operations. Now, we’ll be focusing on their actual attack process, from the infection
workflow to their RCS agent operation, and the different infection processes that they
utilized.
The first thing to examine within Hacking Team’s attack process is how the infection
server operates. View our flowchart on the next page for a visual of the process.
The server first runs the visitor to the infected domain through a mod_rewrite regular
expression rule on the Apache httpd server to match the six-character campaign ID to
the appropriate exploit kit and payload in the predesignated ID directory
/var/www/files/<campaignID>. If the campaign ID doesn’t match, the server
automatically redirects the visitor to a 404 error. If it does, the script moves to step two.
Sample of the six character campaign IDs for a Windows-targeted attack.
In step two, the script checks the hit counter for that campaign to ensure it equals zero -
meaning that no one has been infected by the campaign yet. It also reviews the expiration
date of that particular campaign. From what we have seen, all of Hacking Team’s
campaigns were standardized with a one week expiration date from the time of campaign
creation.
This helpdesk ticket highlights the one week expiration on the infection server.
Sample of the infection server validation script from a Vietnamese attack campaign.
If both the hit counter and expiration validate, the script then checks the user agent of the
victim’s browser against the Browscap PHP library on the server to ensure it meets the
campaign requirements, e.g. Windows 7, Chrome build 43.0.2357.130.
One interesting function of the infection server was Hacking Team’s xp_filter.py Python
script, which would check the victim’s system to determine whether or not it was running
Windows XP, and either run a non-XP exploit or just serve a fake SWF file, empty.swf.
The XP filter Python script. The comments were written by Hacking Team.
The script then “echoes” the content of the news payload into STDOUT, which is a hacky
way that the script uses to send the payload through the webserver and from there to the
victim. This is the base64 encoded and AES encrypted payload we referenced in our
previous article, which contains the RCS agent and the team’s privilege escalation exploit.
The shellcode executes the privilege escalation exploit first to gain NT
AUTHORITY\SYSTEM privileges in the SYSTEM shell, then executes the agent.exe for the
RCS client. Trend Micro has an excellent write-up on the privilege escalation exploit.
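The infection flow above (campaign ID in the path, a hit counter that lets exactly one visitor through, everyone else sent to a 404 or a redirect) and the earlier advice to check firewalls and corporate proxies for mynewsfeeds.info both translate into a log hunt. The script below is an added, constructed example, not Cybereason's or Hacking Team's code; the proxy log layout, the IPs and the campaign ID `Ab3xYz` are made up, while the domain and the six-character ID pattern come from the write-up.

```python
"""Hunt web-proxy logs for the delivery-server behaviour described above.

Constructed example, not Cybereason's or Hacking Team's code. Only the
domain mynewsfeeds.info, the six-character campaign ID path and the
one-hit-then-404/redirect behaviour come from the write-up. The log line
layout is an assumption:
    <timestamp> <client-ip> <method> <url> <status> "<user-agent>"
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Domain named in the write-up as the delivery server.
KNOWN_DELIVERY_DOMAINS = {"mynewsfeeds.info"}

# The campaign ID is a single six-character path segment
# (/var/www/files/<campaignID> on the server side).
CAMPAIGN_PATH = re.compile(r"^/([A-Za-z0-9]{6})/?$")

LOG_LINE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+'
    r'(?P<status>\d{3})\s+"(?P<ua>[^"]*)"\s*$'
)

# Constructed sample log: IPs, timestamps and the campaign ID are made up.
SAMPLE_LOG = [
    '2015-06-28T10:12:03Z 10.0.0.7 GET http://mynewsfeeds.info/Ab3xYz 200 '
    '"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/43.0.2357.130 Safari/537.36"',
    '2015-06-28T10:15:44Z 10.0.0.9 GET http://mynewsfeeds.info/Ab3xYz 404 '
    '"Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"',
    '2015-06-28T10:16:01Z 10.0.0.12 GET http://mynewsfeeds.info/Ab3xYz 302 '
    '"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"',
    # Benign six-character path served to several clients: must not be flagged.
    '2015-06-28T10:20:00Z 10.0.0.5 GET http://cdn.example.net/assets 200 "Mozilla/5.0"',
    '2015-06-28T10:21:10Z 10.0.0.6 GET http://cdn.example.net/assets 200 "Mozilla/5.0"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def chrome_version(user_agent):
    """Extract the Chrome build from a User-Agent string, if present."""
    m = re.search(r"Chrome/(\d+(?:\.\d+)*)", user_agent)
    return m.group(1) if m else None


def hunt(lines):
    """Return (kind, client, detail) findings for the two behaviours described.

    "known_delivery_domain": any contact with a known delivery host.
    "single_hit_campaign":   exactly one client received a 200 on a
    six-character campaign path while others got a 404 or a redirect,
    matching the hit-counter gate the infection server applied.
    """
    findings = []
    per_campaign = defaultdict(list)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable lines are skipped, not fatal
        url = urlparse(rec["url"])
        host = (url.hostname or "").lower()
        if host in KNOWN_DELIVERY_DOMAINS:
            findings.append(("known_delivery_domain", rec["client"], rec["url"]))
        m = CAMPAIGN_PATH.match(url.path)
        if m:
            per_campaign[(host, m.group(1))].append(rec)

    for (host, campaign_id), recs in per_campaign.items():
        served = [r for r in recs if r["status"] == 200]
        turned_away = [r for r in recs
                       if r["status"] == 404 or 300 <= r["status"] < 400]
        if len(served) == 1 and turned_away:
            victim = served[0]
            detail = f"{host}/{campaign_id} chrome={chrome_version(victim['ua'])}"
            findings.append(("single_hit_campaign", victim["client"], detail))
    return findings


if __name__ == "__main__":
    for kind, client, detail in hunt(SAMPLE_LOG):
        print(f"{kind:22} {client:10} {detail}")
```

The single-hit heuristic is deliberately narrow: it only fires when one client got the payload and at least one other was turned away on the same six-character path, so ordinary short asset paths served to many clients do not trigger it.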
In addition to the Windows-based infection server, Hacking Team was also running an
Android-based strategy, which utilized similar tactics but didn’t use the Flash exploit.
The final privilege escalation and payload delivery script.
The payload delivery process is actually impressively sophisticated, and while some may
argue that the tools and exploits they were utilizing were not, their actual workflow was
particularly creative. In addition, the sheer variety of delivery methods provides customers
with a significantly amplified ability to gain access to their intended target(s).
Once the target(s) is infected, this is when the RCS agent goes to work. There was a vast
array of modules the agent would load, depending on what Hacking Team’s customer
requested, from recording webcam images, Skype calls or keystrokes to tracking financial
transactions (including bitcoin and other cryptocurrencies) or pinpointing the target’s
geographic position. There were also mobile capabilities, such as sending invisible
SMS messages that leveraged exploits in the phone’s SMS stack to execute Hacking
Team’s agent on the phone, which allowed the attackers to turn the microphone on and
obtain a live audio stream from the target’s phone. We will cover this more in a future
write-up. The actual activities of the client and the information they sought are far less
interesting than the varied attack strategy that Hacking Team used.
The above is, of course, only a single attack process. Hacking Team provided a variety of
solutions depending on what their customer needed, including variations better suited for
nation-state level attacks. One example of this was the use of a network injector, a
particularly nasty tool that would be plugged into an upstream or ISP backbone. Once
active, the network injector would be able to identify the target(s) based on a customer
defined rule set and wait for the victim to visit a specific URL, such as YouTube.com.
Then, it would automatically redirect the victim to the team’s infection server instead. This
resulted in the “the page you requested is being loaded” redirect screen.
This is the screen that targets would see while the exploit was being installed.
However, Hacking Team used a wide variety of techniques to ensure infection.
Another strategy, which could be used in conjunction with the network injector, was a tool
called Melter. This allowed the customer to silently “melt” the RCS agent into the binary of
other, benign software. While not new, when combined with the network injector, this
allowed campaigns to target software downloads and ensure that the target(s) installed
the client’s RCS agent alongside the piece of software they were intending to get.
Of course, all of these strategies, on their own, are vulnerable to discovery, which is why
Hacking Team also built an Anonymizer tool, which would randomize the attacker IP for
each campaign in order to mask both the source and target(s) of the attack. The
Anonymizer was Hacking Team’s own “private anonymization cloud” solution. This
offered the ability for each customer to deploy their own virtual private servers (VPSs) that
could be chained together into an anonymous proxy chain in order to eliminate tracing of the
public-facing collectors run by each customer.
This is accomplished by passing the victim’s collected data through several anonymizing
machines to the collector node which then passed the data back to the master node (C&C
server).
Below are a few examples of documentation on the Anonymizer tool, pulled directly from
Hacking Team’s RCS 9.6 System Administrator Manual:
Of course, we want to stress once again that all of this source code is accessible by
anyone now, so these capabilities have entered the wild, freely usable by any hackers,
whether they are experts or novices. These exploitation abilities, combined with the
various reports on BGP hijacking attacks by Hacking Team (1, 2), have theoretically
allowed Hacking Team to make everyone on the internet pass through their systems and
infect them.
So, what does this mean for you?
We’ve been discussing the potential damage that the Hacking Team data dump has
unleashed on the cybersecurity industry, but on an individual level it can be difficult to
identify exactly what the risk factor is, and why, honestly, you should really care about it.
Rather than bore you with more details of what Hacking Team was capable of doing and
the tools and exploits the leak of their data released on the world, let’s delve directly into
what this event means for businesses and organizations that need to protect themselves
from future attacks.
In our analysis of the Hacking Team data leakage we reviewed the tools and
methodologies that they were using and selling.
The example we showed earlier was the attack that mimicked Flame, the hacking
operation that targeted the Iranian nuclear weapons program in 2012. This capability to
imitate a nation-state attack, as well as other strategies deployed by Hacking Team, were
well documented in their data dump, accompanied by full explanations of the tactics and
the exploits they used. This information is now readily available to anyone who downloads
the leaked data - a game changing event that breaks the fragile cyber security status quo
between hackers and defenders.
The business implications here are that the overall threat landscape is already erupting
with more advanced challenges and new threats to protect yourself from, with the
guarantee of increased sophistication in future evolutions of cyber crime. This paints a
rather bleak picture for cyber security, but all hope is not lost.
Our ability to break down the methodologies used by the Hacking Team allows us to
better anticipate a Hacking Team-based threat. The way the Hacking Team attack was
built will assuredly be taken, changed and redistributed in the future, but by understanding
the underlying principles of their malicious operation philosophy, we can be better
prepared to identify these threats as well.
This leak has provided us with the necessary information to enhance our security tools
and detection platforms so that we can continue to proactively hunt for malicious activity
inside any environment. While the Hacking Team leak introduces more advanced threats,
it also brings a ray of hope for continuing to improve our tactics for mitigating these risks.
About Cybereason
Cybereason was founded in 2012 by a team of ex-military cybersecurity experts to revolutionize
detection and response to cyber attacks. The Cybereason Malop Hunting Engine identifies signature
and non-signature based attacks using big data, behavioral analytics, and machine learning. The
Incident Response console provides security teams with an at-your-fingertip view of the complete
attack story, including the attack’s timeline, root cause, adversarial activity and tools, inbound and
outbound communication used by the hackers, as well as affected endpoints and users. This
eliminates the need for manual investigation and radically reduces response time for security teams.
The platform is available as an on premise solution or a cloud-based service. Cybereason is privately
held and headquartered in Boston, MA with offices in Tel Aviv, Israel.
© All Rights Reserved. Cybereason 2015
222 Berkeley St., 13th Floor
Boston, MA 02116 USA
www.cybereason.com
Ict Hacking
Hafizra Mas
 
Ict H A C K I N G
Ict    H A C K I N GIct    H A C K I N G
Ict H A C K I N G
Hafizra Mas
 
Cyber Kill Chain.pdf
Cyber Kill Chain.pdfCyber Kill Chain.pdf
Cyber Kill Chain.pdf
AbeerPareek1
 

Similar to Networking 2016-05-24 - Topic 1- Cybereason Lab Analysis by Brad Green (20)

Analysis of RSA Lockheed Martin Attack
Analysis of RSA Lockheed Martin AttackAnalysis of RSA Lockheed Martin Attack
Analysis of RSA Lockheed Martin Attack
 
IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015
 
Ethical hacking1
Ethical hacking1Ethical hacking1
Ethical hacking1
 
The Rise of Ransomware
The Rise of RansomwareThe Rise of Ransomware
The Rise of Ransomware
 
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
 
6 Ways to Deceive Cyber Attackers
6 Ways to Deceive Cyber Attackers6 Ways to Deceive Cyber Attackers
6 Ways to Deceive Cyber Attackers
 
Discovery of Compromised Machines
Discovery of Compromised MachinesDiscovery of Compromised Machines
Discovery of Compromised Machines
 
Case Study of RSA Data Breach
Case Study of RSA Data BreachCase Study of RSA Data Breach
Case Study of RSA Data Breach
 
On-Analyzing-a-Layered-Defense-System
On-Analyzing-a-Layered-Defense-SystemOn-Analyzing-a-Layered-Defense-System
On-Analyzing-a-Layered-Defense-System
 
targeted-data-breach-bulletin-sept
targeted-data-breach-bulletin-septtargeted-data-breach-bulletin-sept
targeted-data-breach-bulletin-sept
 
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise
Insight Brief: Security Analytics to Identify the 12 Indicators of CompromiseInsight Brief: Security Analytics to Identify the 12 Indicators of Compromise
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise
 
Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...
 
4774.projectb.securitysquad
4774.projectb.securitysquad4774.projectb.securitysquad
4774.projectb.securitysquad
 
Ananth3
Ananth3Ananth3
Ananth3
 
Deep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection systemDeep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection system
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Secureview 2q 2011
Secureview 2q 2011Secureview 2q 2011
Secureview 2q 2011
 
Ict Hacking
Ict   HackingIct   Hacking
Ict Hacking
 
Ict H A C K I N G
Ict    H A C K I N GIct    H A C K I N G
Ict H A C K I N G
 
Cyber Kill Chain.pdf
Cyber Kill Chain.pdfCyber Kill Chain.pdf
Cyber Kill Chain.pdf
 

More from North Texas Chapter of the ISSA

Purple seven-ntxissacsc5 walcutt
Purple seven-ntxissacsc5 walcuttPurple seven-ntxissacsc5 walcutt
Purple seven-ntxissacsc5 walcutt
North Texas Chapter of the ISSA
 
Ntxissacsc5 yellow 7 protecting the cloud with cep
Ntxissacsc5 yellow 7 protecting the cloud with cepNtxissacsc5 yellow 7 protecting the cloud with cep
Ntxissacsc5 yellow 7 protecting the cloud with cep
North Texas Chapter of the ISSA
 
Ntxissacsc5 gold 4 beyond detection and prevension remediation
Ntxissacsc5 gold 4 beyond detection and prevension   remediationNtxissacsc5 gold 4 beyond detection and prevension   remediation
Ntxissacsc5 gold 4 beyond detection and prevension remediation
North Texas Chapter of the ISSA
 
Ntxissacsc5 gold 1 mimecast e mail resiliency
Ntxissacsc5  gold 1 mimecast e mail resiliencyNtxissacsc5  gold 1 mimecast e mail resiliency
Ntxissacsc5 gold 1 mimecast e mail resiliency
North Texas Chapter of the ISSA
 
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
North Texas Chapter of the ISSA
 
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
North Texas Chapter of the ISSA
 
Ntxissacsc5 yellow 1-beginnerslinux bill-petersen
Ntxissacsc5 yellow 1-beginnerslinux bill-petersenNtxissacsc5 yellow 1-beginnerslinux bill-petersen
Ntxissacsc5 yellow 1-beginnerslinux bill-petersen
North Texas Chapter of the ISSA
 
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykes
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykesNtxissacsc5 red 6-diy-pentest-lab dustin-dykes
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykes
North Texas Chapter of the ISSA
 
Ntxissacsc5 red 1 &amp; 2 basic hacking tools ncc group
Ntxissacsc5 red 1 &amp; 2   basic hacking tools ncc groupNtxissacsc5 red 1 &amp; 2   basic hacking tools ncc group
Ntxissacsc5 red 1 &amp; 2 basic hacking tools ncc group
North Texas Chapter of the ISSA
 
Ntxissacsc5 purple 5-insider threat-_andy_thompson
Ntxissacsc5 purple 5-insider threat-_andy_thompsonNtxissacsc5 purple 5-insider threat-_andy_thompson
Ntxissacsc5 purple 5-insider threat-_andy_thompson
North Texas Chapter of the ISSA
 
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczul
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczulNtxissacsc5 purple 4-threat detection using machine learning-markszewczul
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczul
North Texas Chapter of the ISSA
 
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptxNtxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
North Texas Chapter of the ISSA
 
Ntxissacsc5 purple 1-eu-gdpr_patrick_florer
Ntxissacsc5 purple 1-eu-gdpr_patrick_florerNtxissacsc5 purple 1-eu-gdpr_patrick_florer
Ntxissacsc5 purple 1-eu-gdpr_patrick_florer
North Texas Chapter of the ISSA
 
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowiczNtxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
North Texas Chapter of the ISSA
 
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higginsNtxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
North Texas Chapter of the ISSA
 
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghan
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghanNtxissacsc5 blue 6-securityawareness-laurianna_callaghan
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghan
North Texas Chapter of the ISSA
 
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeqNtxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
North Texas Chapter of the ISSA
 
Ntxissacsc5 blue 3-shifting from incident to continuous response bill white
Ntxissacsc5 blue 3-shifting from  incident to continuous response bill whiteNtxissacsc5 blue 3-shifting from  incident to continuous response bill white
Ntxissacsc5 blue 3-shifting from incident to continuous response bill white
North Texas Chapter of the ISSA
 
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_muellerNtxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
North Texas Chapter of the ISSA
 
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomeyNtxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
North Texas Chapter of the ISSA
 

More from North Texas Chapter of the ISSA (20)

Purple seven-ntxissacsc5 walcutt
Purple seven-ntxissacsc5 walcuttPurple seven-ntxissacsc5 walcutt
Purple seven-ntxissacsc5 walcutt
 
Ntxissacsc5 yellow 7 protecting the cloud with cep
Ntxissacsc5 yellow 7 protecting the cloud with cepNtxissacsc5 yellow 7 protecting the cloud with cep
Ntxissacsc5 yellow 7 protecting the cloud with cep
 
Ntxissacsc5 gold 4 beyond detection and prevension remediation
Ntxissacsc5 gold 4 beyond detection and prevension   remediationNtxissacsc5 gold 4 beyond detection and prevension   remediation
Ntxissacsc5 gold 4 beyond detection and prevension remediation
 
Ntxissacsc5 gold 1 mimecast e mail resiliency
Ntxissacsc5  gold 1 mimecast e mail resiliencyNtxissacsc5  gold 1 mimecast e mail resiliency
Ntxissacsc5 gold 1 mimecast e mail resiliency
 
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
Ntxissacsc5 yellow 6-abusing protocols for dynamic addressing in space-jacenr...
 
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
 
Ntxissacsc5 yellow 1-beginnerslinux bill-petersen
Ntxissacsc5 yellow 1-beginnerslinux bill-petersenNtxissacsc5 yellow 1-beginnerslinux bill-petersen
Ntxissacsc5 yellow 1-beginnerslinux bill-petersen
 
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykes
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykesNtxissacsc5 red 6-diy-pentest-lab dustin-dykes
Ntxissacsc5 red 6-diy-pentest-lab dustin-dykes
 
Ntxissacsc5 red 1 &amp; 2 basic hacking tools ncc group
Ntxissacsc5 red 1 &amp; 2   basic hacking tools ncc groupNtxissacsc5 red 1 &amp; 2   basic hacking tools ncc group
Ntxissacsc5 red 1 &amp; 2 basic hacking tools ncc group
 
Ntxissacsc5 purple 5-insider threat-_andy_thompson
Ntxissacsc5 purple 5-insider threat-_andy_thompsonNtxissacsc5 purple 5-insider threat-_andy_thompson
Ntxissacsc5 purple 5-insider threat-_andy_thompson
 
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczul
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczulNtxissacsc5 purple 4-threat detection using machine learning-markszewczul
Ntxissacsc5 purple 4-threat detection using machine learning-markszewczul
 
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptxNtxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
Ntxissacsc5 purple 3-cyber insurance essentials-shawn_tuma.pptx
 
Ntxissacsc5 purple 1-eu-gdpr_patrick_florer
Ntxissacsc5 purple 1-eu-gdpr_patrick_florerNtxissacsc5 purple 1-eu-gdpr_patrick_florer
Ntxissacsc5 purple 1-eu-gdpr_patrick_florer
 
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowiczNtxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
Ntxissacsc5 gold 1--mimecast email resiliency- erez-haimowicz
 
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higginsNtxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
Ntxissacsc5 blue 7-zerotrust more effective approach to security-ed higgins
 
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghan
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghanNtxissacsc5 blue 6-securityawareness-laurianna_callaghan
Ntxissacsc5 blue 6-securityawareness-laurianna_callaghan
 
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeqNtxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
Ntxissacsc5 blue 5-holistic approach to cybersecurity-abu_sadeq
 
Ntxissacsc5 blue 3-shifting from incident to continuous response bill white
Ntxissacsc5 blue 3-shifting from  incident to continuous response bill whiteNtxissacsc5 blue 3-shifting from  incident to continuous response bill white
Ntxissacsc5 blue 3-shifting from incident to continuous response bill white
 
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_muellerNtxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
Ntxissacsc5 blue 4-the-attack_life_cycle_erich_mueller
 
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomeyNtxissacsc5 blue 2-herding cats and security tools-harold_toomey
Ntxissacsc5 blue 2-herding cats and security tools-harold_toomey
 

Recently uploaded

Supplier Sourcing Presentation - Gay De La Cruz.pdf
Supplier Sourcing Presentation - Gay De La Cruz.pdfSupplier Sourcing Presentation - Gay De La Cruz.pdf
Supplier Sourcing Presentation - Gay De La Cruz.pdf
gaydlc2513
 
Radically Outperforming DynamoDB @ Digital Turbine with SADA and Google Cloud
Radically Outperforming DynamoDB @ Digital Turbine with SADA and Google CloudRadically Outperforming DynamoDB @ Digital Turbine with SADA and Google Cloud
Radically Outperforming DynamoDB @ Digital Turbine with SADA and Google Cloud
ScyllaDB
 
Automation Student Developers Session 3: Introduction to UI Automation
Automation Student Developers Session 3: Introduction to UI AutomationAutomation Student Developers Session 3: Introduction to UI Automation
Automation Student Developers Session 3: Introduction to UI Automation
UiPathCommunity
 
How to Optimize Call Monitoring: Automate QA and Elevate Customer Experience
How to Optimize Call Monitoring: Automate QA and Elevate Customer ExperienceHow to Optimize Call Monitoring: Automate QA and Elevate Customer Experience
How to Optimize Call Monitoring: Automate QA and Elevate Customer Experience
Aggregage
 
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
AlexanderRichford
 
Chapter 1 - Fundamentals of Testing V4.0
Chapter 1 - Fundamentals of Testing V4.0Chapter 1 - Fundamentals of Testing V4.0
Chapter 1 - Fundamentals of Testing V4.0
Neeraj Kumar Singh
 
From NCSA to the National Research Platform
From NCSA to the National Research PlatformFrom NCSA to the National Research Platform
From NCSA to the National Research Platform
Larry Smarr
 
Leveraging AI for Software Developer Productivity.pptx
Leveraging AI for Software Developer Productivity.pptxLeveraging AI for Software Developer Productivity.pptx
Leveraging AI for Software Developer Productivity.pptx
petabridge
 
Chapter 6 - Test Tools Considerations V4.0
Chapter 6 - Test Tools Considerations V4.0Chapter 6 - Test Tools Considerations V4.0
Chapter 6 - Test Tools Considerations V4.0
Neeraj Kumar Singh
 
Product Listing Optimization Presentation - Gay De La Cruz.pdf
Product Listing Optimization Presentation - Gay De La Cruz.pdfProduct Listing Optimization Presentation - Gay De La Cruz.pdf
Product Listing Optimization Presentation - Gay De La Cruz.pdf
gaydlc2513
 
Communications Mining Series - Zero to Hero - Session 2
Communications Mining Series - Zero to Hero - Session 2Communications Mining Series - Zero to Hero - Session 2
Communications Mining Series - Zero to Hero - Session 2
DianaGray10
 
Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!
Ortus Solutions, Corp
 
ThousandEyes New Product Features and Release Highlights: June 2024
ThousandEyes New Product Features and Release Highlights: June 2024ThousandEyes New Product Features and Release Highlights: June 2024
ThousandEyes New Product Features and Release Highlights: June 2024
ThousandEyes
 
Call Girls Kochi 💯Call Us 🔝 7426014248 🔝 Independent Kochi Escorts Service Av...
Call Girls Kochi 💯Call Us 🔝 7426014248 🔝 Independent Kochi Escorts Service Av...Call Girls Kochi 💯Call Us 🔝 7426014248 🔝 Independent Kochi Escorts Service Av...
Call Girls Kochi 💯Call Us 🔝 7426014248 🔝 Independent Kochi Escorts Service Av...
dipikamodels1
 
New ThousandEyes Product Features and Release Highlights: June 2024
New ThousandEyes Product Features and Release Highlights: June 2024New ThousandEyes Product Features and Release Highlights: June 2024
New ThousandEyes Product Features and Release Highlights: June 2024
ThousandEyes
 
Database Management Myths for Developers
Database Management Myths for DevelopersDatabase Management Myths for Developers
Database Management Myths for Developers
John Sterrett
 
Fuxnet [EN] .pdf
Fuxnet [EN]                                   .pdfFuxnet [EN]                                   .pdf
Fuxnet [EN] .pdf
Overkill Security
 
Introduction to ThousandEyes AMER Webinar
Introduction  to ThousandEyes AMER WebinarIntroduction  to ThousandEyes AMER Webinar
Introduction to ThousandEyes AMER Webinar
ThousandEyes
 
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - MydbopsMySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
Mydbops
 
Brightwell ILC Futures workshop David Sinclair presentation
Brightwell ILC Futures workshop David Sinclair presentationBrightwell ILC Futures workshop David Sinclair presentation
Brightwell ILC Futures workshop David Sinclair presentation
ILC- UK
 

Recently uploaded (20)

Supplier Sourcing Presentation - Gay De La Cruz.pdf
Supplier Sourcing Presentation - Gay De La Cruz.pdfSupplier Sourcing Presentation - Gay De La Cruz.pdf
Supplier Sourcing Presentation - Gay De La Cruz.pdf
 
Radically Outperforming DynamoDB @ Digital Turbine with SADA and Google Cloud
Radically Outperforming DynamoDB @ Digital Turbine with SADA and Google CloudRadically Outperforming DynamoDB @ Digital Turbine with SADA and Google Cloud
Radically Outperforming DynamoDB @ Digital Turbine with SADA and Google Cloud
 
Automation Student Developers Session 3: Introduction to UI Automation
Automation Student Developers Session 3: Introduction to UI AutomationAutomation Student Developers Session 3: Introduction to UI Automation
Automation Student Developers Session 3: Introduction to UI Automation
 
How to Optimize Call Monitoring: Automate QA and Elevate Customer Experience
How to Optimize Call Monitoring: Automate QA and Elevate Customer ExperienceHow to Optimize Call Monitoring: Automate QA and Elevate Customer Experience
How to Optimize Call Monitoring: Automate QA and Elevate Customer Experience
 
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
 
Chapter 1 - Fundamentals of Testing V4.0
Chapter 1 - Fundamentals of Testing V4.0Chapter 1 - Fundamentals of Testing V4.0
Chapter 1 - Fundamentals of Testing V4.0
 
From NCSA to the National Research Platform
From NCSA to the National Research PlatformFrom NCSA to the National Research Platform
From NCSA to the National Research Platform
 
Leveraging AI for Software Developer Productivity.pptx
Leveraging AI for Software Developer Productivity.pptxLeveraging AI for Software Developer Productivity.pptx
Leveraging AI for Software Developer Productivity.pptx
 
Chapter 6 - Test Tools Considerations V4.0
Chapter 6 - Test Tools Considerations V4.0Chapter 6 - Test Tools Considerations V4.0
Chapter 6 - Test Tools Considerations V4.0
 
Product Listing Optimization Presentation - Gay De La Cruz.pdf
Product Listing Optimization Presentation - Gay De La Cruz.pdfProduct Listing Optimization Presentation - Gay De La Cruz.pdf
Product Listing Optimization Presentation - Gay De La Cruz.pdf
 
Communications Mining Series - Zero to Hero - Session 2
Communications Mining Series - Zero to Hero - Session 2Communications Mining Series - Zero to Hero - Session 2
Communications Mining Series - Zero to Hero - Session 2
 
Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!
 
ThousandEyes New Product Features and Release Highlights: June 2024
ThousandEyes New Product Features and Release Highlights: June 2024ThousandEyes New Product Features and Release Highlights: June 2024
ThousandEyes New Product Features and Release Highlights: June 2024
 
Call Girls Kochi 💯Call Us 🔝 7426014248 🔝 Independent Kochi Escorts Service Av...
Call Girls Kochi 💯Call Us 🔝 7426014248 🔝 Independent Kochi Escorts Service Av...Call Girls Kochi 💯Call Us 🔝 7426014248 🔝 Independent Kochi Escorts Service Av...
Call Girls Kochi 💯Call Us 🔝 7426014248 🔝 Independent Kochi Escorts Service Av...
 
New ThousandEyes Product Features and Release Highlights: June 2024
New ThousandEyes Product Features and Release Highlights: June 2024New ThousandEyes Product Features and Release Highlights: June 2024
New ThousandEyes Product Features and Release Highlights: June 2024
 
Database Management Myths for Developers
Database Management Myths for DevelopersDatabase Management Myths for Developers
Database Management Myths for Developers
 
Fuxnet [EN] .pdf
Fuxnet [EN]                                   .pdfFuxnet [EN]                                   .pdf
Fuxnet [EN] .pdf
 
Introduction to ThousandEyes AMER Webinar
Introduction  to ThousandEyes AMER WebinarIntroduction  to ThousandEyes AMER Webinar
Introduction to ThousandEyes AMER Webinar
 
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - MydbopsMySQL InnoDB Storage Engine: Deep Dive - Mydbops
MySQL InnoDB Storage Engine: Deep Dive - Mydbops
 
Brightwell ILC Futures workshop David Sinclair presentation
Brightwell ILC Futures workshop David Sinclair presentationBrightwell ILC Futures workshop David Sinclair presentation
Brightwell ILC Futures workshop David Sinclair presentation
 

Networking 2016-05-24 - Topic 1- Cybereason Lab Analysis by Brad Green

  • 3. Penetration is inevitable, and it doesn’t matter which drivers or applications are vulnerable to an exploit. If you are able to detect abnormal activity in your environment and react to it as it occurs, you’ll be able to take a proactive stance against cyber attacks and stop hackers in their tracks.
  • 4. In order to fully understand the Malop philosophy, we delve deeply into the Hacking Team data leak. With the public release of the Hacking Team’s secrets, our researchers took advantage of the ability to dig deeply into the minds behind their operational theater. For security researchers this information is a veritable gold mine, providing us with even more clues into the latest techniques and tactics hackers are using, and how easily they are able to maintain their attacks over time. Two of our security researchers recently sat down to examine the available data, and found some amazing details about Hacking Team's activities, victims... and even the hackers that in turn brought them down.

    This data dump is akin to the fall of the Soviet Union in a way. When the U.S.S.R. fell, global black markets were overflowing with Soviet weapons and, more importantly, knowledge of WMDs. This put more sophisticated weaponry and nuclear capabilities in the hands of the highest bidder, much like the Hacking Team leak has done. Except in this case the information is free, and none of the vendors whose products are exploitable, e.g. Adobe and Microsoft, were notified, amplifying the danger of the leak.

    The widespread availability of this data is going to empower hacking teams across the globe, providing them with much more sophisticated techniques to launch their own attacks. These newer operations will have a completely different signature than Hacking Team’s efforts, but because of how detailed the information on their delivery server is, with perfectly readable code and extremely detailed comments, we can assess the behavior these attacks will follow and more accurately and quickly identify these operations in the future.
  • 5. What we want to look more closely at is how Hacking Team targeted their attacks, and the techniques they used to maintain such large-scale operations over extended periods of time.

    Hacking Team used a particularly ingenious strategy for gaining access to victim machines. To begin with, the team’s operations mirrored those of the Flame malware discovered in 2012. Flame’s C&C server interface mimicked a news and adwords service, offering its “customers” - the term they used to refer to targets - a link to an “ad hosting” server, which then installed the malware. Many of its commands and protocols used news-related jargon to continue to fool detection tools and security analysts, and Hacking Team’s tactics followed the same strategy. Note the buzzwords “news” and “adwords” used in the code.
  • 6. In fact, on Hacking Team’s delivery server, we found a base64-encoded file named “news,” which we discovered was their payload. When we decoded the base64 file, we found a big data blob - an AES-encrypted binary - containing a multi-staged payload that runs a zero day exploit for privilege escalation. The payload then executes Hacking Team’s Remote Control System (RCS) agent, which is padded with random binary data, a common anti-virus avoidance tactic.

    Potential targets would receive a link through a variety of standard and newer techniques, such as phishing and watering hole attacks. Once the recipient clicked on the link, the infection server would immediately assess whether or not the machine was, in fact, a targeted recipient. If not, the script would automatically redirect them to a 404 error page or another homepage - something news or ad related (customer configurable) - so as to not arouse suspicion. However, if the clicker was the intended target, the server would profile their machine to determine whether they were using IE, Firefox, or Chrome and which operating system they were running, and then leverage the appropriate Adobe Flash exploit to take over the user’s machine. From there, the RCS agent was inside and able to move to the next stage of the malicious operation.
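A defender triaging a file like the “news” blob above wants to know quickly whether the decoded bytes are the harmless text the name suggests or an encrypted, randomly padded payload. The script below is an added example (not Cybereason’s or Hacking Team’s code): it base64-decodes a blob and classifies the result by executable magic, byte entropy and printable ratio; every sample input is constructed here and the 7.0-bit and 50 % thresholds are assumptions to tune.

```python
"""Triage of a base64-encoded payload such as the "news" file from the
delivery server. Added example, not code from the page or from Cybereason.
Sample inputs are constructed stand-ins, not the real file."""
import base64
import binascii
import hashlib
import math
from collections import Counter

# Known executable container magics. A decoded blob that starts with one of
# these is a plain program rather than an encrypted outer layer.
EXECUTABLE_MAGIC = {
    b"MZ": "PE (Windows)",
    b"\x7fELF": "ELF",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, at most 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def triage_blob(b64_text: str, entropy_floor: float = 7.0,
                printable_ceiling: float = 0.5) -> dict:
    """Decode a base64 string and classify the decoded bytes.

    Verdicts: "undecodable", "executable", "high-entropy" (encrypted, packed
    or randomly padded data) or "text-like". Thresholds are assumptions.
    """
    compact = "".join(b64_text.split())  # tolerate line-wrapped base64
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return {"verdict": "undecodable", "size": 0, "entropy": 0.0}

    result = {"size": len(raw),
              "entropy": round(shannon_entropy(raw), 3),
              "printable": round(printable_ratio(raw), 3)}
    for magic, name in EXECUTABLE_MAGIC.items():
        if raw.startswith(magic):
            result.update(verdict="executable", container=name)
            return result
    if (result["entropy"] >= entropy_floor
            and result["printable"] < printable_ceiling):
        result["verdict"] = "high-entropy"
    else:
        result["verdict"] = "text-like"
    return result


# --- Constructed samples ---------------------------------------------------
# A harmless news item, as the file name on the delivery server suggests.
SAMPLE_TEXT_B64 = base64.b64encode(
    b"Breaking news: local council approves new park. Read more at our site.\n"
    * 40
).decode()
# Deterministic pseudo-random bytes standing in for an AES-encrypted, randomly
# padded payload: 4096 bytes built from SHA-256 digests of single-byte inputs.
_pseudo_random = b"".join(hashlib.sha256(bytes([i])).digest()
                          for i in range(128))
SAMPLE_BLOB_B64 = base64.b64encode(_pseudo_random).decode()
# A decoded blob that is directly a (truncated, constructed) Windows PE header.
SAMPLE_PE_B64 = base64.b64encode(b"MZ" + b"\x00" * 62 + b"PE\x00\x00").decode()

if __name__ == "__main__":
    for label, sample in [("news-text", SAMPLE_TEXT_B64),
                          ("news-blob", SAMPLE_BLOB_B64),
                          ("raw-pe", SAMPLE_PE_B64),
                          ("garbage", "not base64!!")]:
        print(label, triage_blob(sample))
```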
  • 7. An example of a Vietnamese-targeted campaign redirecting a non-targeted individual using IE to an advertisement.

    We were able to track this process by reverse engineering the files on the delivery server and JSON logs of “customer” communication. Digging deeper into the data, we were able to see when Hacking Team infiltrated a target (down to the last second), where they were located, what ISP they used, what operating system, and even which build of their browser was used to access the delivery server. For one target based in Egypt, we were able to see that they were using Chrome build 43.0.2357.130, which was released on June 22. Hacking Team infiltrated their system using the Flash exploit just six days later on June 28. This is both important and amusing, considering Chrome is marketed as the most secure browser for the average user, but they were able to exploit it in a matter of days after the most recent update at the time.
  • 8. 8 Screenshot of the browser-detection script from an Egyptian campaign. What is also interesting about the attack is what we were able to glean about the delivery server itself, which was hosted at mynewsfeeds.info. (You may want to check your firewall and corporate proxies for this URL, in case your organization was targeted by Hacking Team!) We tracked the URL and WhoIs information to see where the team had registered it to. In fact, the registration information for their domain pointed to a rundown apartment complex in a bad neighborhood in Tel Aviv! However, the location and name associated with the WhoIs - David Cohen, the Israeli equivalent of “John Smith” - were an obvious misdirection. Not only did the team clone the techniques of Flame, which is attributed to Israel, but they also falsified their domain registration as if it were based in Israel.
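The proxy-log check suggested above, as an added example (not Cybereason’s tooling): sweep log lines for the delivery domain, including subdomains and CONNECT tunnels, and annotate each hit with whether the client’s user agent was the Chrome build the write-up saw exploited. The log format, the `LOG_RE` pattern and every log line below are constructed for the example; adapt the pattern to your own proxy’s format.

```python
"""Sweep proxy logs for the delivery domain named in the write-up.

Added example, not Cybereason's tooling. The log format and the lines in
CONSTRUCTED_LOG are made up for the example.
"""
import re
from urllib.parse import urlparse

# Indicators taken from the write-up.
DELIVERY_DOMAIN = "mynewsfeeds.info"
EXPLOITED_CHROME_BUILD = "Chrome/43.0.2357.130"

# Constructed format: timestamp client method url status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+'
    r'(?P<status>\d{3})\s+"(?P<ua>[^"]*)"\s*$'
)

CONSTRUCTED_LOG = """\
2015-07-01T10:12:03Z 10.0.0.15 GET http://intranet.example.test/news 200 "Mozilla/5.0 (Windows NT 6.1) Chrome/43.0.2357.130"
2015-07-01T10:13:44Z 10.0.0.22 GET http://mynewsfeeds.info/Ab12Cd 200 "Mozilla/5.0 (Windows NT 6.1) Chrome/43.0.2357.130"
2015-07-01T10:13:45Z 10.0.0.22 GET http://cdn.mynewsfeeds.info/news 200 "Mozilla/5.0 (Windows NT 6.1) Chrome/43.0.2357.130"
2015-07-01T10:15:00Z 10.0.0.31 GET http://notmynewsfeeds.info/ 200 "Mozilla/5.0 (Windows NT 6.1) Chrome/44.0.2403.89"
2015-07-01T10:16:09Z 10.0.0.40 CONNECT mynewsfeeds.info:443 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/38.0"
this line is deliberately malformed and must be skipped
"""


def extract_host(url: str) -> str:
    """Host from an absolute URL, or from a CONNECT host:port target."""
    if "://" in url:
        return (urlparse(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].lower()


def host_matches(host: str, domain: str) -> bool:
    """Exact domain or any subdomain; a prefix like 'notmynewsfeeds.info' does not match."""
    return host == domain or host.endswith("." + domain)


def sweep(log_text: str, domain: str = DELIVERY_DOMAIN) -> list:
    """Return one record per log line whose host is the delivery domain."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not silently treated as matches
        rec = m.groupdict()
        host = extract_host(rec["url"])
        if host_matches(host, domain):
            hits.append({
                "line": lineno,
                "ts": rec["ts"],
                "client": rec["client"],
                "host": host,
                "status": int(rec["status"]),
                # Context, not an indicator on its own: was this the build seen exploited?
                "exploited_build": EXPLOITED_CHROME_BUILD in rec["ua"],
            })
    return hits


def affected_clients(hits: list) -> list:
    """Distinct client addresses that reached the delivery domain, for follow-up triage."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    found = sweep(CONSTRUCTED_LOG)
    for h in found:
        print(h)
    print("clients to triage:", affected_clients(found))
```

The domain match is the indicator; the browser-build flag only tells the responder which of the matching clients were running the version that was exploited in the wild, so those endpoints get looked at first.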
9
One file we found related to the mynewsfeeds.info domain on VirusTotal.com was tmp_privesc, a binary which contains a privilege escalation exploit using an Adobe driver that is present on both Windows and Mac OS X. This could be the “smoking gun” that allowed the usage of this exploit in the wild, and it would allow us to identify it much more quickly on endpoints, which we will touch on in a future write-up. By leveraging VirusTotal as one of our threat intelligence sources, we can apply machine learning and big data to cross-examine the information from the data dump and better identify these tactics and tools when they are used again in the future.

It is also worth noting that the mynewsfeeds.info domain only had a few hashes associated with it before the Hacking Team leak. Since then more than a dozen have cropped up, and while these weren’t found to be harmful, they all include the hash of the newsfeeds domain embedded in them, likely a result of numerous groups now downloading, compiling and running the code themselves.

The Cybereason platform was able to identify Hacking Team’s privilege escalation exploit in elevator.exe out of the box.

10
Taking a closer look at the Hacking Team attack operation allows us to gain a better understanding of how the existing threat landscape is going to evolve. In part one, we discussed why the Hacking Team leak is a game-changing event for cyber security, providing a brief overview of the tools the team used and distributed to their clients and the rather sophisticated tactics they deployed in order to sustain long-term operations. Now we’ll focus on their actual attack process, from the infection workflow to their RCS agent operation, and the different infection processes they utilized.

The first thing to examine within Hacking Team’s attack process is how the infection server operates. View our flowchart on the next page for a visual of the process. The server first runs the visitor to the infected domain through a mod_rewrite regular-expression rule on the Apache httpd server to match the six-character campaign ID to the appropriate exploit kit and payload in the predesignated ID directory, /var/www/files/<campaignID>. If the campaign ID doesn’t match, the server automatically redirects the visitor to a 404 error. If it does, the script moves to step two.

11
Flowchart of the infection server process (image only on the original slide).
12
Sample of the six-character campaign IDs for a Windows-targeted attack.

In step two, the script checks the hit counter for that campaign to ensure it equals zero, meaning that no one has been infected by the campaign yet. It also checks the expiration date of that particular campaign. From what we have seen, all of Hacking Team’s campaigns were standardized with a one-week expiration from the time of campaign creation. This helpdesk ticket highlights the one-week expiration on the infection server.

13
Sample of the infection server validation script from a Vietnamese attack campaign.

If both the hit counter and expiration validate, the script then checks the user agent of the victim’s browser against the Browscap PHP library on the server to ensure it meets the campaign requirements, e.g. Windows 7 and Chrome build 43.0.2357.130. One interesting function of the infection server was Hacking Team’s xp_filter.py Python script, which would check whether the victim’s system was running Windows XP and either run a non-XP exploit or just serve a fake SWF file, empty.swf.

14
The XP filter Python script. The comments were written by Hacking Team.

The script then “echoes” the content of the news payload to STDOUT, a hacky way of sending the payload through the web server and from there to the victim. This is the base64-encoded and AES-encrypted payload we referenced in our previous article, which contains the RCS agent and the team’s privilege escalation exploit. The shellcode executes the privilege escalation exploit first to gain NT AUTHORITY\SYSTEM privileges in the SYSTEM shell, then executes agent.exe, the RCS client. Trend Micro has an excellent write-up on the privilege escalation exploit.

In addition to the Windows-based infection server, Hacking Team was also running an Android-based strategy, which utilized similar tactics but didn’t use the Flash exploit.
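The gating steps described from slide 10 to slide 14 (campaign-ID match, hit counter, one-week expiry, user-agent check, XP filter) as an executable model, added here as an example and not Hacking Team’s or Cybereason’s code. Its point for a responder is the replay problem: a link recovered from a victim’s browser history returns the 404 page when revisited, because the single hit was consumed by the first visit and the campaign expires after a week, so the absence of a payload on replay is not evidence that the link was harmless. Assumptions not stated in the write-up: the campaign-ID character set, a substring match standing in for the Browscap lookup, “Windows NT 5.1” as the XP test, and that the XP branch also consumes the hit counter.

```python
"""Model of the infection server's campaign gating as the write-up describes it.

Added example, not Hacking Team's or Cybereason's code. Assumed details are
marked in comments; the payload is a marker string, nothing is served.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import re

CAMPAIGN_RE = re.compile(r"^/(?P<cid>[A-Za-z0-9]{6})$")  # six chars per the write-up; charset assumed
CAMPAIGN_LIFETIME = timedelta(days=7)                      # one-week expiry from campaign creation


@dataclass
class Campaign:
    created: datetime
    required_ua_tokens: tuple   # assumption: substring tokens stand in for the Browscap check
    hits: int = 0

    def expired(self, now: datetime) -> bool:
        return now >= self.created + CAMPAIGN_LIFETIME


@dataclass
class CampaignGate:
    campaigns: dict = field(default_factory=dict)

    def decide(self, path: str, user_agent: str, now: datetime) -> str:
        """Return the action taken for one visitor, following the write-up's steps."""
        m = CAMPAIGN_RE.match(path)
        if not m or m["cid"] not in self.campaigns:
            return "redirect-404"                 # step 1: campaign ID does not match
        camp = self.campaigns[m["cid"]]
        if camp.hits != 0 or camp.expired(now):
            return "redirect-404"                 # step 2: already used once, or past one week
        if not all(tok in user_agent for tok in camp.required_ua_tokens):
            return "redirect-404"                 # step 3: wrong OS/browser for this campaign
        camp.hits += 1                            # assumption: the XP branch also consumes the hit
        if "Windows NT 5.1" in user_agent:        # xp_filter.py: XP visitors get the fake SWF
            return "serve-empty-swf"
        return "serve-payload"                    # the 'news' blob is echoed to the victim


def replay_scenario() -> dict:
    """Three visits a responder might reason about: the target, a replay, a late replay."""
    created = datetime(2015, 6, 28, tzinfo=timezone.utc)
    tokens = ("Windows NT 6.1", "Chrome/43.0.2357.130")
    ua = "Mozilla/5.0 (Windows NT 6.1) Chrome/43.0.2357.130"
    gate = CampaignGate({"Ab12Cd": Campaign(created, tokens)})
    outcomes = {
        "target_first_visit": gate.decide("/Ab12Cd", ua, created + timedelta(hours=1)),
        "analyst_replay_same_day": gate.decide("/Ab12Cd", ua, created + timedelta(hours=2)),
    }
    # A fresh campaign object that was never hit, replayed eight days after creation.
    fresh = CampaignGate({"Ab12Cd": Campaign(created, tokens)})
    outcomes["replay_after_expiry"] = fresh.decide("/Ab12Cd", ua, created + timedelta(days=8))
    return outcomes


if __name__ == "__main__":
    for name, action in replay_scenario().items():
        print(f"{name}: {action}")
```

When a replay returns the decoy page, the evidence has to come from the endpoint (the dropped files and the privilege escalation behaviour) rather than from re-fetching the link.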
15
The final privilege escalation and payload delivery script.

The payload delivery process is actually impressively sophisticated, and while some may argue that the tools and exploits they were utilizing were not, their actual workflow was particularly creative. In addition, the sheer variety of delivery methods provided customers with a significantly amplified ability to gain access to their intended target(s).

16
Once the target(s) are infected, the RCS agent goes to work. There was a vast array of modules the agent could load, depending on what Hacking Team’s customer requested: recording webcam images, Skype calls or keystrokes, tracking financial transactions (including bitcoin and other cryptocurrencies), or pinpointing the target’s geographic position. That is without mentioning the mobile capabilities, such as sending invisible SMS messages that leveraged exploits in the phone’s SMS stack to execute Hacking Team’s agent on the phone, which allowed the attackers to turn on the microphone and get a live audio stream from the target’s phone. We will cover this more in a future write-up. The actual activities of the client and the information they sought are far less interesting than the varied attack strategy that Hacking Team used.

The above is, of course, only a single attack process. Hacking Team provided a variety of solutions depending on what their customer needed, including variations better suited to nation-state level attacks. One example of this was the use of a network injector, a particularly nasty tool that would be plugged into an upstream or ISP backbone. Once active, the network injector would identify the target(s) based on a customer-defined rule set and wait for the victim to visit a specific URL, such as YouTube.com. It would then automatically redirect the victim to the team’s infection server instead, producing the “the page you requested is being loaded” redirect screen.

17
This is the screen that targets would see while the exploit was being installed.

However, Hacking Team used a wide variety of techniques to ensure infection. Another strategy, which could be used in conjunction with the network injector, was a tool called Melter. This allowed the customer to silently “melt” the RCS agent into the binary of other, benign software. While not new, when combined with the network injector this allowed campaigns to target software downloads and ensure that the target(s) installed the client’s RCS agent alongside the software they intended to get.

Of course, all of these strategies are, on their own, vulnerable to discovery, which is why Hacking Team also built an Anonymizer tool, which would randomize the attacker IP for each campaign in order to mask both the source and target(s) of the attack. The Anonymizer was Hacking Team’s own “private anonymization cloud” solution. It offered each customer the ability to deploy their own virtual private servers (VPSs), which could be chained together into an anonymous proxy chain to prevent tracing of the public-facing collectors run by each customer.

18
This is accomplished by passing the victim’s collected data through several anonymizing machines to the collector node, which then passes the data back to the master node (the C&C server). Below are a few examples of documentation on the Anonymizer tool, pulled directly from Hacking Team’s RCS 9.6 System Administrator Manual:
19
Of course, we want to stress once again that all of this source code is now accessible to anyone, so these capabilities have entered the wild, freely usable by any hackers, whether experts or novices. These exploitation abilities, combined with the various reports on BGP hijacking attacks by Hacking Team (1, 2), have theoretically allowed Hacking Team to make everyone on the internet pass through their systems and infect them.

So, what does this mean for you? We’ve been discussing the potential damage that the Hacking Team data dump has unleashed on the cybersecurity industry, but on an individual level it can be difficult to identify exactly what the risk factor is and why, honestly, you should really care about it. Rather than bore you with more details of what Hacking Team was capable of doing and the tools and exploits the leak of their data released on the world, let’s delve directly into what this event means for businesses and organizations that need to protect themselves from future attacks. In our analysis of the Hacking Team data leak we reviewed the tools and methodologies they were using and selling.

20
The example we showed earlier was the attack that mimicked Flame, the hacking operation that targeted the Iranian nuclear weapons program in 2012. This capability to imitate a nation-state attack, as well as other strategies deployed by Hacking Team, was well documented in their data dump, accompanied by full explanations of the tactics and the exploits they used. This information is now readily available to anyone who downloads the leaked data, a game-changing event that breaks the fragile cyber security status quo between hackers and defenders.

The business implication is that the overall threat landscape is already erupting with more advanced challenges and new threats to protect yourself from, with the guarantee of increased sophistication in future evolutions of cyber crime. This paints a rather bleak picture for cyber security, but all hope is not lost. Our ability to break down the methodologies used by Hacking Team allows us to better anticipate a Hacking Team-based threat. The way the Hacking Team attack was built will assuredly be taken, changed and redistributed in the future, but by understanding the underlying principles of their malicious operation philosophy, we can be better prepared to identify these threats as well. This leak has provided us with the necessary information to enhance our security tools and detection platforms so that we can continue to proactively hunt for malicious activity inside any environment. While the Hacking Team leak introduces more advanced threats, it also brings a ray of hope for continuing to improve our tactics for mitigating these risks.

21
About Cybereason

Cybereason was founded in 2012 by a team of ex-military cybersecurity experts to revolutionize detection and response to cyber attacks. The Cybereason Malop Hunting Engine identifies signature and non-signature based attacks using big data, behavioral analytics, and machine learning. The Incident Response console provides security teams with an at-your-fingertips view of the complete attack story, including the attack’s timeline, root cause, adversarial activity and tools, inbound and outbound communication used by the hackers, as well as affected endpoints and users. This eliminates the need for manual investigation and radically reduces response time for security teams. The platform is available as an on-premise solution or a cloud-based service. Cybereason is privately held and headquartered in Boston, MA with offices in Tel Aviv, Israel.

© All Rights Reserved. Cybereason 2015
222 Berkeley St., 13th Floor, Boston, MA 02116 USA
www.cybereason.com