corporate espionage n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
CORPORATE ESPIONAGE PowerPoint Presentation
Download Presentation
CORPORATE ESPIONAGE

Loading in 2 Seconds...

play fullscreen
1 / 65

CORPORATE ESPIONAGE - PowerPoint PPT Presentation


  • 334 Views
  • Uploaded on

CORPORATE ESPIONAGE. James McFadyen and Jacolon Walker ( jtm ) (disable). Outline. Part I: Intro Corporate Espionage, Corporate Attitude Part II: Enterprise Security Technology The different technology Part II: Evasion techniques Can’t sto p me!. Part I. Introduction.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

CORPORATE ESPIONAGE


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
    Presentation Transcript
    1. CORPORATE ESPIONAGE James McFadyen and Jacolon Walker (jtm) (disable)

    2. Outline • Part I: Intro • Corporate Espionage, Corporate Attitude • Part II: Enterprise Security Technology • The different technology • Part II: Evasion techniques • Can’t stop me!

    3. Part I Introduction

    4. “Corporate Espionage” • Not really, but… • Focuses on technology found in real business environments. • Considers the human element - the security analyst. • Discusses techniques used by attackers to evade detection and compromise protected networks. • This is NOT comprehensive – the purpose is to introduce the concepts.

    5. Corporate Attitude • Motivating factor for security is not security itself! • Business Continuity - $$$ • Compliance – PCI / HIPAA etc… • Management and executives do care about security, but things are often ignored if it does not directly affect their revenue stream or cause some compliance violation. • This fact is useful for attackers – comprehensive security is VERY difficult.

    6. S.O.C • Security Operations Center • Comprised of analysts who monitor for attacks in real time for scans, attacks, compromises, policy violations and infections. • 24/7 • Research and create signatures and policies for client networks • MSSP (Managed Security Service Provider) • Have many clients who outsource their security needs to the S.O.C

    7. Part ii Enterprise Security Technology

    8. Firewall • Software or hardware based • Controls incoming / outgoing network traffic • Firewalls today can handle routing / NAT • Hardware firewalls generally sit at network perimeter • Statefulpacket inspection: • Maintain information and context in a session • Stateless packet inspection: • Simpler filtering, does not keep track of active session • Rules define which traffic gets accepted and rejected. • Usually the first line of defense.

    9. Firewall • Hardware examples: • Cisco ASA • SonicWALL • Watchguard • Software examples: • pf • iptables • Windows Firewall

    10. Firewall

    11. IDS / HIDS • IDS: Intrusion Detection System • HIDS: Host based Intrusion Detection System • Appliance (software or hardware) that detectsmalicious traffic, or any traffic violating the defined policies. • Use keyword matching or content matching • Searching for something specific within a packet or session • Can also use regular expression matching in payload • Ex: content:”sEleCt”; pcre:”/^INSERT INTO” • Analyst would see the alerts based on priority • False positives

    12. IDS / HIDS • IDS • Snort • Suricata • HIDS • OSSEC

    13. IDS / HIDS

    14. IPS • Intrusion Prevention System • Similar to IDS, but also attempts to prevent the traffic from passing through the device. • Rule / Signature based • Like a firewall, the packets will be dropped. • Rules and signatures are more complex than that of a firewall.

    15. IPS • Sourcefire • TippingPoint • McAfee IPS • Fortinet • Secureworks

    16. Web Application Firewall • Software or hardware • Plugins or filters • Applies to HTTP sessions • Some vendors can handle HTTPS • Checks for web attacks such as XSS and SQL Injection • Content matching, regular expressions

    17. Web Application Firewall • Blue Coat • Barracuda • Trustwave • Imperva

    18. Log Analysis • Dynamic or static • Great forensics tools, but can be difficult to find security events in real time. • Regular expression searches • Keyword searches • Solution such as Splunk can allow analyst to search for events easily. • Pulls from logs, not network traffic • Splunk

    19. S.I.E.M • Security Information & Events Management • Normalizes and correlates network traffic to identify security events and reduce false positive • Pulls in log data from multiple types of devices • Identifies common attributes and associates different events where applicable • Alerts on actionable security events • Helpful in compliance reporting • Set complex rules to define expected behavior of a network.

    20. S.I.E.M • HAWK eyeCon • Nitro Security • ArcSight • RSA enVision • Q1 Labs

    21. Part III Evasion Techniques

    22. Tools • Useful tools: • hping3, firewalk, nmap, custom tools (scapy is great!), netcat, tcpdump, wireshark, fragroute • … so you discovered a firewall, now what?

    23. Evasion: Basics • Firewalls will drop packets that do not adhere to protocol specification • Ex: Sending a SYN ACK without first sending SYN is not how TCP works! • Tools like “xprobe” can be used to detect operating systems behind a firewall by using the TCP / UDP / ICMP protocols. This is ‘fingerprinting’. • Firewalls behave differently! • Firewalking: • Send TCP / UDP / ICMP packets and examine response • Window size, sequence numbers, type encode, etc…

    24. TCP Header structtcpheader { unsigned short intth_sport; unsigned short intth_dport; unsigned intth_seq; unsigned intth_ack; unsigned char th_x2:4, th_off:4; unsigned char th_flags; unsigned short intth_win; unsigned short intth_sum; unsigned short intth_urp; }; /* total tcp header length: 20 bytes (=160 bits) */

    25. UDP Header structudpheader { unsigned short intuh_sport; unsigned short intuh_dport; unsigned short intuh_len; unsigned short intuh_check; }; /* total udp header length: 8 bytes (=64 bits) */

    26. ICMP Header structicmpheader { unsigned char icmp_type; unsigned char icmp_code; unsigned short inticmp_cksum; /* The following data structures are ICMP type specific */ unsigned short inticmp_id; unsigned short inticmp_seq; }; /* total icmp header length: 8 bytes (=64 bits) */

    27. Evasion: Scan Techniques • Different Types of scans will produce different results • XMAS scan: FIN PSH URG flags set on TCP segment. • NULL scan: TCP flags are set to all 0 • FIN scan: FIN flag set on TCP segment • ACK scan: ACK flag set on TCP segment • SYN scan: SYN flag set • SYN ACK: SYN ACK flag set • FTP Bounce: uses another host to act as proxy • Zombie Scan: Use idle host on a network to hide real source address

    28. Evasion: Scan Techniques • Specify different source port • Some poorly configured systems may block packets from a certain source port • Default UNIX based firewalls can be bypassed with an XMAS or a NULL scan. • Inverted Technique – crafting malformed TCP packets • Closed ports will respond with RA (Reset Acknowledge) – RFC793

    29. Evasion: Fragmentation • Can be used to bypass Firewalls, IDS • Can also cause Denial of Service by exhausting resources • IP packet has a MTU (maximum transmission unit) that is smaller than the MTU of the current network it is traversing. • Can occur on ANY router the packet travels through • Destination host will reassemble the packet

    30. Evasion: Fragmentation • Fragments of packets must include: • Fragment ID # (IP ID) • Offset (multiple of 8 bytes) • Length of the data • MF flag – more fragments

    31. Evasion: Fragmentation • Fragment Offset • Fragment offset field maximum = 8191 (13 bits) • Max IP packet = 65535 bytes • Fragment offset * 8 = real offset

    32. Evasion: Fragmentation

    33. Evasion: Fragmentation • Sample tcpdump output ping.com > myhost.com: icmp: echo request (frag 21223:1480@0+) ping.com > myhost.com: (frag 21223:1480@1480+) ping.com > myhost.com: (frag 21223:1480@2960)

    34. Evasion: Fragmentation • Protocol header found in first fragment • Stateful packet filtering sees all fragments as one packet • Stateless sees each individually • Packet can have DF (don’t fragment) flag set, which tells routers that it cannot be fragmented. • Routers will respond with “unreachable – need to frag” message if DF flag is set and it needs to be fragmented. • ICMP error message returns MTU of the network which is useful in Path MTU discovery. • Can leverage this to discover MTU of a network • router.ru > mail.mysite.ru: icmp: host.ru unreachable – need to frag (mtu 308) (DF)

    35. Evasion: Fragmentation • Fragment packets with nmap: • nmap -f host • Specify MTU with nmap • nmap --mtu host

    36. Evasion: Source Routing • Loose Source Routing: • Use any intermediate gateway • This will cause different source IP which could potentially be whitelisted (trusted device). • Strict Source Routing: • Defining your own route for a network • Need to be on directly connected network

    37. Evading Snort Rules • Simple case: • A rule exists to pick up certain user agent • Simply change user agent.

    38. Snort Example Signatures • # jwalker • alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WORM AirOSadmin.cgi/css Exploit Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/admin.cgi/"; http_uri; fast_pattern:only; content:".css HTTP/1."; http_raw_header; content:"Content-Type|3A| multipart/form-data"; http_header; reference:url,seclists.org/fulldisclosure/2011/Dec/419; classtype:trojan-activity; sid:2014041; rev:2;) • # jwalker • alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DNS Query to msnsolution.nicaze.net"; content:"msnsolution|06|nicaze|03|net"; offset:12; fast_pattern; reference:md5,89332c92d0360095e2dda8385d400258; sid:10000500; rev:1;) • # jwalker • alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET LOIC JavascriptDDoS Inbound"; flow:established,to_server; content:"GET /?id="; nocase; pcre:"/[0-9]{13}/"; content:"&msg="; nocase; detection_filter:trackby_src, count 100, seconds 60; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; reference:url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet; classtype:attempted-dos; sid:10000101; rev:1;) • # jwalker • alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET LOIC JavascriptDDoS Outbound"; flow:established,from_client; content:"GET /?id="; nocase; pcre:"/[0-9]{13}/"; content:"&msg="; nocase; detection_filter:trackby_src, count 100, seconds 60; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; reference:url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet; classtype:attempted-dos; sid:10000102; rev:1;) • # jwalker • alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"Combat Arms UDP DDoS"; detection_filter:trackby_src, count 10, seconds 30; dsize:1024<>2048; sid:10000103; rev:1;) • # jwalker • alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN FHScan core User-Agent Detect"; flow:to_server,established; content:"FHScan Core 1."; http_header; reference:url,www.tarasco.org/security/FHScan_Fast_HTTP_Vulnerability_Scanner/index.html; classtype:attempted-recon; sid:2014541; rev:4;) • # jwalker • alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Session_Id length greater than Client_Hello Length)"; flow:to_server,established; content:"|16 03 00|"; depth:3; content:"|01 00 00 33 03 00|"; distance:2; within:6; byte_test:1,>,51,32,relative; reference:md5,a01d75158cf4618677f494f9626b1c4c; classtype:trojan-activity; sid:2014634; rev:3;)

    39. Snort Rule Example • Sample w3af signature: (envelope) – (alert, log, passive) (protocol) (usually defined as any) (anything coming inbound) (to our servers that are defined) (ports) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS(msg:"ET SCAN w3af User Agent"; flow: established,to_server; content:"User-Agent|3a| w3af.sourceforge.net"; http_header; fast_pattern:only; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2007757; classtype:attempted-recon; sid:2007757; rev:12;) (message tag) defines what the signature name is (alert that pops up) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN w3af User Agent"; flow: established,to_server; content:"User-Agent|3a| w3af.sourceforge.net"; http_header; fast_pattern:only; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2007757; classtype:attempted-recon; sid:2007757; rev:12;) (rule) what to look for alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN w3af User Agent"; flow: established,to_server; content:"User-Agent|3a| w3af.sourceforge.net"; http_header; fast_pattern:only; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2007757; classtype:attempted-recon; sid:2007757; rev:12;)

    40. Snort Rule Example • Other tags – flow, content, reference, classtype, sid, rev • Classtype – different classes lump together alerts of similar priorities • sid: (signature ID) – can track signature through their life cycle on Emerging Threats or through Sourcefire. “rev” is the revision number for the signature ID. • Need to understand the HTTP headers!!

    41. Snort Rule Example • Attacker settings: • Snort Alerts:

    42. Snort Rules Example • User agent can be changed.. • Since it looks for that User Agent, this won’t be detected by that specific rule.

    43. MS08-067 • Extremely popular. • First attempt uses a meterpreter reverse TCP payload… • Success!