How Im going to own your organization in just a few days. - RazorEQX`

Derbycon 2013

Description: “How Im going to own your organization in just a few days.

So many organizations are wasting money on outdated APT tools and massive budgets on heavily defended perimeters driven by the domain practices of old school security practitioners and greedy vendors just makes me laugh.

Im going to be vague in my example for obvious reasons.

1. First I spend a few hours on google and LinkedIn and find targets of opportunity at xyz company that I think could get me a human that will fall into a trap with an old trick called a phishing attack. Everyone likes to join groups with similar interests as others in their field. One group on LinkedIn called “”People with Top Secret Clearances”", or Security Professional, executive administrative assistants… etc.. you get the point.

2. I find a few names at the xyz company im looking to score on and make a few phone calls.

“”Hi im such and such vendor and I would like to speak to Mr. Ed about a new product we are offering”". Of course hes not going to take my call but if I ask nicely im sure i’ll get an email address or even better his assistant if I already didn’t have that from LinkedIn not to mention his whole staff.. LinkedIn is so helpful. I also now have the naming convention for your organization just in case I want to email a few other targets…. First initial . lastname @xyz.com

3. I find a nice root kit like Zbot or ZeroAccess. But im going to add just a little extra payload which has a couple extra features to accomplish one goal, jump to the first host I can find which will allow me to make a harmless ssl connection to an innocent ISP dhcp address to pull in more small programs i’ll need. Your probably not cracking ssl at your organization so you have no idea why this newly owned computer is talking to x.x.x.x address.

The nice thing is this program is already coded so I dont even need to write it. Google is your friend for code.

4. So i send my well crafted phishing attack and Betty Sue, Mr Ed’s executive assistant, sure enough she clicks on the link and gets the ZeroAccess infection. She also gets my dll injected payload which immediately looks for netstat connections and uses some unpatached java exploit or flash update service or even an open share to immediately hop to the first host it finds in the cache of connections.

5. At this point i dont have any egress connections from the original host except for the ZeroAccess cnc calls for droppers… but i now own another machine.

6. Meanwhile in the background IT has detected the ZeroAccess infection on Betty’s computer and ordered it to be reimaged or worse scanned with some malware tool and cleaned and returned to service because she just cant afford to lose the data on the client.

7. Over the next few days me and my little program (which i can update at will) can use various techniques to find cache from this or any other host on your network as I work my way around till I find the right client or server with the data im looking for and using that same ssl connection send my payload home.

8. Few days later your company financials or accounts and passwords, network IP addresses of critical systems show up on pastebin or in the media or sold off to the highest bidder.

Lessons learned:

1. Crack SSL and understand your egress traffic. Get a SEIM for event correlation.

2. Dont take a crimeware kit for face value. You might have missed the APT you’ve been looking for.

3. Stop wasting money on tools that are always one step behind the adversary and always promising “”that feature is in the next release”" bulllshit.

4. COLLABORATE with other organizations in your industry. This is priceless information. What activity are you both seeing, and put two and two together.

5. RSS research feeds are your friend. Pull out indicators you can use for detection tools. These groups are already doing the hard part for you. XOR, Obfuscation, identifying fake registra’s selling domains to crimeware organizations.. etc.

6. Most important of all. Have a damn good disaster recovery plan. Know what and how your going to recover from this type of breech when it finally hits your organization.”

B

io: “Over 20 years of professional experience in most aspects of Information Technology, in a wide range of industries and disciplines; specializing in IT Security and Audit for the last 10 years

Specialties: Malware Reverse Engineering, Penetration Testing, Offensive Security, Network forensics, Advanced Persistent Threat Tools and detection. Defensive Networking Realist.

Experience:

JP Morgan Chase

SBC

AT&T

Nationwide Insurance

US Army Ranger 85″

Back to Derbycon 2013 video list