
Okay, so this presentation is called Opening Acts: How Attackers Get Their Big Breaks. Essentially it's a talk on the initial vectors of compromise that we see at Mandiant. I am Evan Peña, I'm a consultant at Mandiant. Before Mandiant I used to be on the Marine Corps red team. I've been at Mandiant for about two and a half years now; I do a lot of incident response, pen testing, forensics, things like that. I'm originally from Texas, graduated UTSA, came over here, got my master's from George Mason, and I've been working at Mandiant. Love it. That's pretty much the gist of me. This is Chuck.

Hi, I'm Chuck Willis, also from Mandiant. This is how I was hoping to be dressed today if things had gone better in the Series for Kansas City, but such is life, so I'm here with y'all. Basically, at Mandiant I mostly do penetration testing and application security work. I'm also a leader of the OWASP Broken Web Apps project; if you're not familiar with that, it's a VM with a bunch of web applications with security vulnerabilities, check it out. I'm also on Twitter, with my handle there if you want to follow me, not that I tweet very much.

Next slide. If you're not familiar with Mandiant and you're wondering who we are, well, we're a security company that was started here in the DC area and we've grown now to various places. At the beginning of this year we got acquired by FireEye, so we're now part of the overall FireEye umbrella, but we basically do incident response work and security testing, things like that. A lot of people know us from our APT report and stuff like that, so definitely check us out. And, as I'll say again at the end, we're hiring, so if you're interested, check us out.

So what we want to talk about today, as Evan mentioned, is really the initial vectors of compromise we see when we do incident response work at Mandiant. A lot of times we feel like Mandiant goes out and talks about the persistence mechanisms that we see and the types of backdoors that organizations are having deployed on their network by the attackers, so what we want to do in this presentation is really talk about how they got that initial entry into the environment. If you're thinking of this from the perspective of a defender, these are the things that you'd want to do in order to defend your network from what real bad guys are doing to organizations. If you're more of a penetration tester or somebody like that, then these are the kinds of things you would probably want to work into your penetration testing methodology, because again, this is what real bad guys are doing. One of the things Mandiant always prides itself on is the security testing we do: we try to make sure we're mimicking what the real bad guys are doing as well. We have a slide at the end for questions and answers, but feel free to throw your hand up if you've got questions at any point; we'll be happy to answer those as well. Now I'm going to kick it back over to Evan. Thanks
Chuck. So, phishing. This is one very popular initial vector of compromise. Nothing new here; everyone should know what phishing is by now. What's cool is that we're going to have a unique case study that most people probably haven't seen. We've seen it in the wild, and it's kind of a unique scenario that I want to bring up. So again, like I said, it's the most common attack vector. Sometimes it's very targeted, sometimes it's very broad and they just spam a whole bunch of users. Sometimes they do it to initiate a backdoor on the compromised victim, sometimes they do it to steal credentials; it just depends on what the motive is behind the attacker and who the attacker is.

So in this case study the industries that were targeted were pharmaceutical, biotechnology, and law firms. You may be wondering, that's a pretty broad spectrum of companies or industries, so how are they related? I'll talk about that in a moment. The first thing is that the phishing email was sent to the law firm with two attacks. One was a malicious link that pointed to a spoofed OWA (Outlook Web Access) page and essentially was just there to steal credentials. The other was a malicious macro attached to a Word document that prompted the user to put in credentials as well, and then it would send an HTTP POST request to an attacker-owned server and log them on the server. I'll go through how that works here in a second.

So here's the spoofed OWA page. As you can see, this looks like a normal Outlook Web Access page; a lot of people are familiar with this in the enterprise because people go to them all the time. But behind it is some PHP code that essentially will harvest the credentials from these two text boxes. Whenever they click on Login, the action will just post the data to itself and then redirect them back to the original OWA page, the actual legitimate one, so it looks like they just failed to log in, and then they'll log in legitimately, but those credentials will be stored on the attacker's system. So that's one way.

The second way they were doing it was they mimicked the standard Outlook prompt. This is the standard one that most people are familiar with; this is the spoofed one that they created within a form in a macro within a Word document. So then they would send the Word document to users and they would harvest credentials. This is the code behind it. Essentially it's the same thing as the OWA page, but it's in VBA instead, because again, it's a macro. So you have two variables, user and pass, then we call a function called upload post, it will pass those two variables to the function, and then it will send an HTTP POST request to an attacker-owned server and harvest the credentials. Cool.

So now... sorry, go ahead. Yeah, I was just going to mention that I think what the attacker was trying to do in these cases is that they were taking advantage of the kind of normal, annoying Windows behavior of occasionally logging you out of Outlook or logging you out of OWA. So the idea is that the attacker would click on this link, either an attachment or a link in the email, and think, oh, it's just Outlook acting up again, and re-log in. That's basically what they were
trying to accomplish here, and it worked pretty well, I think, as far as they were able to get some credentials. Yeah, quite a few credentials. Again, this is for the law firm.

So what do attackers do most of the time when they harvest credentials from a particular organization? Normally they're going to try to get into the infrastructure. This is done through SSL VPN, or maybe they try to get in through Citrix or whatever service portal they have externally in order to get into the internal network. That's generally the MO for most attackers. Not this particular attacker. This particular attacker was targeting something else. What this attacker was doing is that they accessed Outlook Web Access and they would look for existing email threads to the pharmaceutical and biotechnology companies. They would say, hey, we're targeting these industries, we know that these clients are clients of that law firm, let me search the existing email threads and see which ones have attachments. They would take those attachments, let's say it's a PDF file or a Word document, they would weaponize the attachments, reply all on the thread and say, hey look, we made some modifications to this attachment, I want you to review it. And it's coming from a legitimate law firm account, it's coming from that legitimate mail server, and it's going to existing clients, so it looks extremely safe, and boom, they just compromised a bunch of biotechnology and pharmaceutical companies that way. So just kind of a unique spin on phishing; it's just not something we normally see. Normally we see them trying to compromise that particular target, but they were trying to pivot from that target to their clients, so it was a pretty big deal.

So here's how it worked. You have the law firm, you compromise a particular email account, you start mass phishing from that particular account, which looks legitimate, with the malicious attachment. The victim will then open the attachment and it will install a backdoor, because it's a malicious attachment, it's weaponized, and then the C2 server will communicate with that particular backdoor and compromise that particular user of that company.

So how did we catch the attack? This is what's really funny, because it looks so legit and it's not. Unless it looks suspicious, which in this case it didn't, you don't find it, so we found it another way. This lady at the law firm was complaining that she wasn't getting a particular email from one of her friends, and the email was an article on some hack that was recent. She's calling it up like, hey, my friend's sent me this like 10 times and I haven't gotten this email, what the heck is going on? What happened was the attacker created an Outlook rule within that particular inbox that essentially said anything with a subject line like "phishing" or "hacked" or anything like that, automatically send it to the trash. So it was kind of funny; if it wasn't for this lady complaining about it, we probably wouldn't have been called. Essentially what he was trying to do here was cover his tracks. He doesn't want them to identify to all their users that there's a phishing campaign going on within that law firm. So it's kind of funny, but it was a silly mistake at the same time, because we caught it.

So now that we find that there's a compromise for that particular law firm, we think, now what do we do? The first thing that we did was look at Exchange logs, but not only on the law firm; we also identified some of the victim organizations. We did an incident response against one of the victim organizations, and in the Exchange log we confirmed that the particular law firm was the initial vector of compromise for that victim organization. As you can see in the email logs, the Exchange logs, you've got it coming from the law firm, it's going to a particular user in that particular victim organization, you have timestamps, which is really important for incident response if you're timelining around a particular activity or event, and then you also have an attachment, so you have a file name that you can also sweep the environment for. At Mandiant we use a lot of these pieces of evidence to perform our incident response, and this is a really nice piece of evidence just based on a particular log.

So now that we had this log, we were able to go to the law firm and look at their Exchange logs to identify every victim organization that got the email, where it came from, and which users got it, so then we could notify those particular victim organizations to determine what they want to do about it. At least we did our due diligence and our duty to let them know about it. So Exchange logs: really, really important. If you don't keep them, I suggest you keep them at least for three months, depending on your infrastructure and how much space you have, but it's definitely really important, especially if you identify activity such as this. Again, with Exchange logs you can identify every single user in your organization that got it and every single user that it was sent out to, so it's really important.

Some funny facts. We have a report that's sent out called M-Trends
every single year. This is just a fun fact from M-Trends 2014: 44% of all phishing emails were IT related, and they were attempting to impersonate a targeted company's IT department, and 93% of all phishing emails were sent on weekdays. As you can see, Wednesday is the most popular day to send a phishing email, so if any of you guys are pentesters, the attackers already did your research: if you want to send a phishing email, do it on a Wednesday.

Another thing is that they're IT related. So, some cool scenarios. There's one that we've seen where you've got an IT guy sending an email to a bunch of users, let's just say 25 users, and they say, hey look, we have this new compliance check, it's a browser compliance check, we have to check all your plugins and add-ons within your browser, so go to this link, it will run the plugin check, but you have to put in your credentials in order to log in. Obviously it's malicious, but the caveat is that they say if you don't do this within five days we're going to disable your account. So automatically people get freaked out and they're like, oh, we have to do this compliance check or my account's going to get disabled. We see a lot of attackers do that. It's very effective, because people don't like to be unproductive. So again, IT-related phishing emails are the most popular that we see, and usually done on Wednesdays.

So how can you protect against this? Obviously filtering technologies are really popular. Generally these are spam filters such as AppRiver, Postini. There's also FireEye, which is really, really cool. It's an appliance that's put in your infrastructure; for every single attachment and/or malicious link embedded in the body of a message, it will take the attachment, put it in a sandbox, and automatically perform triage on it. This is dynamic analysis on the particular binary, so it'll determine what type of activity it does. In the example that I gave earlier, on the Word document there's a malicious macro attached inside the particular Word document that sends an HTTP POST request; that's a known bad thing. Generally a signature is not going to be in place for that particular file, but if you're doing dynamic analysis and basic triage on the file, that sort of activity will be detected. So kind of a unique technology there.

User education and reporting messages: extremely important. That's always number one; user awareness is a big, big strategy for that. The ability to find and delete messages, going back to my Exchange logs, that's really important as well. If you have the ability to identify everything that was compromised and identify file names, you can go remediate those particular users and those systems. That's something that's very important as well.

And the last thing I want to put an emphasis on is reducing the impact. So let's say, for example, a user gets compromised. How long would it take a particular attacker to get domain admin on that particular environment? Sometimes it doesn't take long at all, because they have really crappy infrastructure, and sometimes it could be very difficult, in that the user does not have system-level privileges on their system, so you can't dump credentials; sometimes that particular user does not have any admin rights across any other system. Or sometimes that particular user has system-level access on their system and there are other credentials stored on the system, or they use the same local admin password across like 100 systems, so it's easy to move laterally. But if you reduce all of those, and these are just basic security techniques, you can reduce the impact of someone getting compromised, and that way your whole infrastructure doesn't get compromised if one guy does. So just something to keep in mind. And I'm going to pass it to Chuck to talk about known vulnerabilities.

Okay, thanks Evan. Yeah, I was just going to mention, on
that previous slide, I think a lot of people get really down on user education, as far as they think users are not going to be able to learn anything. I think that's potentially part of the story, but it's not the whole story. I think that you need to have that combination of technology and user education; you can't put all your eggs in either one of those baskets. But also, as Evan mentioned, being able to reduce the impact is also pretty important. So you want to do whatever you can to prevent somebody getting a phishing email, and hopefully they do the right thing when they get it, but then if they do the wrong thing, at least make it not so bad for your environment. So it's really a three-pronged approach, I suppose.

So what we wanted to talk about next is really the other thing that we see as one of the very common, most common initial entries into networks, and that's really just known vulnerabilities. So this is not zero-days; this is not people going out and looking for custom application vulnerabilities; this is just basic stuff. I think 2014 was really a bit of an anomaly from what we've seen in previous years, because we had Heartbleed and Shellshock come out. Prior to that there wasn't a lot of really network-accessible vulnerabilities that we were seeing in 2012 and 2013. There were some web application and web server kinds of things that you would see, but besides that there wasn't usually a lot of network services that had any vulnerabilities on the internet. For the most part, organizations have done a pretty good job of getting all that stuff off of the internet, and if it's still on there it gets compromised at some point and then gets off of there for other reasons, I suppose.

But we are seeing attackers using some of these known vulnerabilities in various ways. Sometimes it's using just publicly available exploits; I mean, even things like Metasploit we'll see. Sometimes it's more like custom exploit kits, and then other times it's actually an exploit that was more customized, as far as something we haven't really seen anywhere else.

The other thing we're seeing a lot of these days is drive-by downloads. This is where, rather than being able to exploit things on the outside, you're exploiting things when they're coming out from the inside. So the web browser is a very common target here, where somebody goes to some website, it'll hit some sort of malware that'll try to exploit the client-side technologies on their web browser or the web browser itself. Generally with those it's difficult to target specific organizations, although we have seen some that appear to be more generally targeted. So for example, maybe it was a year or so ago, WTOP radio here in the DC area was compromised and was serving malware, and that was probably targeted towards people within the government in general, at least because they knew that there was a lot of government and government contractors that would be visiting that website. And then from there sometimes you'll see them pare down to more specific targets once they get the initial vector.

So another case study here: NBC's website was actually hosting some malware that was doing a drive-by download. Ultimately it was hosting the RedKit exploit kit, which would exploit various browser plugins and stuff depending on what was available. When you started looking into this (I think this was not a case that Mandiant worked on; I think this is something that we have read about in the open press, so we can talk a little bit more about specifics), there was basically an iframe. The URL in it was obfuscated just so we didn't accidentally click on this link while we were creating our slides, but other than that I think that the URL is correct. That's the iframe that we were seeing within the actual web page that was being rendered on NBC's website. What we couldn't figure out is where it was coming from, so we dug into some of the advertising network files, and we found that it was actually a JavaScript. So there was JavaScript that was added to the ad network that NBC was using, and the ad was then able to create basically an iframe that was then pulling in other content that was actually the RedKit exploit. So it's a very common thing that we see nowadays. I think you're seeing those attacks moving more towards the client side because the server side is more difficult. We're also seeing this sometimes being used in conjunction with phishing attacks, where you would have a link that's sent, not an attachment or something like that, just a link sent to a user that would take you to a website that maybe would host some malicious content. So it's kind of a combination, I suppose, of these two vectors.

Sure, one thing to add on that. For those of you who don't know, an iframe is essentially just an HTML object that renders another web page, or renders something else, within the web page you're on. And lastly, if you look at the JavaScript on there, it's a document.write; essentially it's just JavaScript writing that particular iframe to the page. In order to do that you have to modify the source code of that particular web page, and the only way you can do that is if you do it on the server itself. So one thing that was unique is they were wondering if the attacker actually compromised the web server itself, which was hosted on the NBC side, which was not actually the case. So they're wondering, well, how exactly did the attacker put this JavaScript on the page itself? What ended up happening was there was a third-party advertiser that hosted advertising content to NBC's website, and the attacker actually purchased advertising space through the third-party advertiser and put malicious code within the advertisement itself. The third-party advertiser didn't actually do their review on the code diligently, and that's how that particular malicious content was stored on the page.

Did you have a question? Yeah, the question, for the recording here, is just if we've seen an uptick in these watering hole exploit attacks. I think it's a little bit too early this year to tell. Like I said, Heartbleed and Shellshock I think diverted attackers towards those things. So we're seeing some of that, but it's more targeted, generally, than just this. I would consider a watering hole more to be where you're just kind of arbitrarily throwing stuff out there. Does that sound right to you, Evan? Okay. Good question, though. Thank
you. So everyone's heard of Heartbleed. This slide just talks about what it is, but the gist is you can use Heartbleed to get some random memory out of an SSL server. So this is another case study that talks about how we saw attackers using this as part of one of the engagements we were working on.

One caveat here is the attackers had been in this environment, and it was kind of bad timing, I suppose, on their part perhaps, in that it was right about the same time that we had done the remediation event. Generally, when we do an incident response, we try to figure out everything that's going on within the environment: where the attacker has different accounts that have been compromised, backdoors placed, things like that. And then we have, generally over a weekend, what we call a remediation weekend, where we'll disconnect the customer from the internet and then try to remediate all those things at once. So change all the passwords, generally do a worldwide password change as well, but especially on service accounts or other things that are known to be compromised, and then also go and try to clean up all the backdoors that are known.

So in this case the remediation weekend happened, and then like a day or so later is when Heartbleed came out. So we had just kicked the attackers out of this environment, and then they figured out, well, okay, we're just going to get back in using Heartbleed. They were going after an SSL VPN concentrator. If you're not familiar, that's basically a VPN that's running over the SSL protocol. It used OpenSSL, so it was vulnerable to Heartbleed, and because you can read arbitrary memory using Heartbleed, they were able to read session identifiers for this VPN. So even though they had two-factor authentication in place, because they were stealing these active sessions, they were basically bypassing the whole authentication phase entirely and accessing the VPN as whatever user happened to be logged in. That's basically what this slide tells us: once they were able to get the active session tokens, again bypassing the multi-factor authentication, they were then able to access the environment.

How we were able to figure this out is what we go through on this next slide, and it's basically just looking at logs. I think at the time the VPN vendor may not even have known that their device was vulnerable to this attack, but the organization had deployed IDS signatures looking for Heartbleed-type attacks, which was good, and they also did have logs from their VPN, just looking at the sessions that were there. What they did see is a whole bunch of IDS alerts for Heartbleed attacks, so that let them know that okay, somebody's at least trying to do something here, and they saw that it was targeting specifically their VPN devices, which I think led them to go, okay, well, let's go look at our VPN logs. That's basically how we were able to figure that out. In the next slide we'll go into a little bit more detail of how that works.

Can anyone think as to why there were over 17,000 alerts on this? That's a lot. That's more than an attacker would normally do for a couple of session hijacks; this is quite a bit. In the back? Memory, that's it: 64 kilobytes of memory is not that much, right? So you have to grab it a lot in order to get
an actual legitimate session token from it. Good answer in the back.

So this is going through what we found in the VPN logs. Again, we had these 17,000 IDS alerts that let us know something weird was going on, and then within the VPN logs we saw that there were multiple users that had this flip-flopping behavior within their VPN sessions. So you were seeing the session coming from the legitimate IP address that the user had logged in with, but then also this malicious IP address, and the timestamps lined up: this was all happening within seconds of each other. Maybe if it was a one-off you might be able to say, well, maybe it was somebody who was on a network that was switching back and forth between Wi-Fi and a mobile network, or between different Wi-Fi networks, or something. But I think the fact that we had this one malicious IP address that was associated with multiple of these weird behaviors, along with also being associated with all these IDS alerts, was a pretty good indicator that okay, something bad's going on. And we also did some rough GeoIP stuff and saw that they were in very different places, so it's not like it was the same person. You could maybe argue that you could perhaps see this type of behavior if it was a branch office that was having weird network issues or something, but that was not the case here, and again the timestamps all matched up, so that really let us know what was going on.

The good thing, I guess, is what comes on the next slide, which is what the impact of this was. Because of this flip-flopping behavior within the VPN, neither the legitimate user nor the attacker was really able to get a good VPN session. The session was valid in the sense that they had a valid session token, but the responses to some of their traffic were getting sent back to the wrong location, because the VPN was shifting back and forth between what's the source IP address that the VPN client is on. So they weren't really able to use it, at least while the legitimate users were using the session. In some cases I think users got fed up because it was acting up and they just walked away without logging out, in which case the attacker was able to use the VPN connection, but in most cases I think they were kind of frustrated with what was going on.

But what we did see then is, the attacker said, okay, well, they were only able to get little bits of connectivity, but they did know the environment pretty well, and there were some accounts that unfortunately were not able to be remediated during the remediation weekend, so they did have some credentials still. So once they were able to get a small window of having a backdoor connection through this VPN, they were able to go onto one of the systems that they did have access to still and try to execute a backdoor on that internal system in order to get a nice stable connection to be able to do all their badness. But fortunately for us, the client had, as part of the remediation weekend, also implemented application whitelisting, especially on those systems that we couldn't change passwords for. So the attacker was basically not able to actually execute their backdoor and do anything on that infected system. So all in all, a win for the good guys.

So when it comes to recommendations for this sort of attack, you really just need to understand your infrastructure and what kind of vulnerabilities might be there. I think this year has definitely been eye-opening for a lot of people who didn't realize how many places they had OpenSSL and Bash deployed, and who knows what the next one will be like that comes up; it'll be something else entirely that we'll have to figure out where they live. But as much as possible, knowing that stuff ahead of time will definitely help you as far as when you've got to push out patches quickly or implement other safeguards. Also, being able to implement IDS signatures does help. I mean, a lot of people get down on IDS systems because they can produce a lot of alerts and it can be a lot of noise, but it can be useful in some cases, especially when you're able to do some data statistics on it to see, like in this case, that we had 17,000 of these alerts. I think that would have stood out from your normal background of IDS alerts, hopefully. And also, again, like we talked about before with other stuff, being able to have logs really helps. In this case we were able to identify exactly what happened because we had VPN logs. So that's definitely one
of the most common frustrations we have when we come in to do incident response work: just the lack of good logging. We find that a lot of organizations either don't log stuff at all, or they don't log for long enough, or they're not logging enough detail for what we would want in order to really figure out what happened. And I'll pass it back over to Evan.

Thanks, Chuck. So now I'm going to talk about custom application vulnerabilities. These are usually known vulnerabilities in internet-facing applications themselves. Sometimes you'll see a lot of custom applications that are built out there and are internet-facing, and it's pretty common, if custom applications are built, that security is not always implemented in the software development life cycle, so it's not uncommon that there are vulnerabilities associated with those internet-facing applications. So I'm definitely going to talk a little bit about that, because this is a very common vector that attackers use to gain access to the backend web server itself, and depending on where that web server is placed, it could lead to an entire enterprise compromise.

In this case the victim was a financial services company. The attacker identified a vulnerability in an ASP.NET application. Just so you know, these are just URL-encoded symbols, so to tell you what they mean: %27 is a tick and %20 is a space, and things like that, so you can follow along. These are IIS logs, very important when doing an investigation; again, going back to the log emphasis, logging is very important when we do incident response investigations. With this particular log we were able to identify SQL injection syntax within this particular page, we were able to identify a timestamp of when that happened, and we were able to identify a source IP address. These are very important things when doing an incident response engagement. So on the first one, you can just tell he did a %27, which is a single tick;
that's usually an initial check to see if a particular parameter in a page is vulnerable. This is very, very novel, like this is basic stuff: when you put a tick in, sometimes you'll get the SQL syntax error displayed back to the page, not a blind SQL injection type of response. So again, very common. And again, going back to custom applications, sometimes they can be terrible; in this particular case, at our client, it was terrible. So he puts the single tick there, and shortly after that (I'm sure he identified it as being vulnerable) he does the whole 1=1 to see if he can get all the data back. He did, and then he moves on to a particular query to get the server name. It works, and then he uses xp_cmdshell, which is a stored procedure built into all Microsoft SQL databases. Everyone familiar with xp_cmdshell? Good, good. Very important; attackers use it all the time, it's gold. So in this particular case he pings google.com. Why would an attacker ping google.com from this particular server? In my opinion, the reason he would do it is because he wants to see if that particular web server has internet connectivity going back out, and the reason he would want to do that is probably because he wants to do a reverse HTTP shell, reverse HTTPS shell, something like that. What he didn't do was pipe it to a file, so this is not going to return anything back to the page. I don't know what the attacker was thinking in this particular case; I left a legit log here just to show that sometimes attackers don't always have logic. If he would have piped it out to a text file, for example, he could have just done a GET request on the text file within the web root and seen the results on that particular page. He didn't do that; whatever, maybe he's an amateur, I don't know. So sometimes we'll also see attackers that will ping their own server, some server that they control, so that way they can just look on the server side to see if the ping comes back. But again, pinging Google isn't going to help you any, unless the attacker owns Google; maybe he does. So next you'll see the attacker writing: he's echoing a particular eval statement to a text file, which is essentially him writing a particular shell to disk on the web root, and this is a very common webshell that we see these days; it's what we call a China Chopper, it's pretty common. So he pipes this out to a file.
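The log review Evan walks through above, as an added example (the editor's, not code from the talk or from Mandiant): a small parser for IIS W3C extended logs that URL-decodes each query string, tags the probing sequence (single tick, 1=1, @@servername, xp_cmdshell, a redirect into the web root, an eval webshell body), and reports timestamp, source IP and page for each hit. The log lines, IP addresses, paths and the regex list are all constructed for the example; the regexes are not a published signature set.

```python
# Added example (editor's, not from the talk): review IIS W3C logs for the
# SQL injection / xp_cmdshell sequence described above. Everything below,
# including the log lines, IPs and paths, is constructed for illustration.
import re
from urllib.parse import unquote_plus

# Constructed sample log in IIS W3C extended format (default field set trimmed).
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2014-10-01 13:02:11 10.0.0.5 GET /account/lookup.aspx id=1042 80 198.51.100.7 Mozilla/5.0 200
2014-10-01 13:02:40 10.0.0.5 GET /account/lookup.aspx id=1042%27 80 198.51.100.7 Mozilla/5.0 500
2014-10-01 13:03:05 10.0.0.5 GET /account/lookup.aspx id=1042%27%20or%201%3d1-- 80 198.51.100.7 Mozilla/5.0 200
2014-10-01 13:03:51 10.0.0.5 GET /account/lookup.aspx id=1042%27;select%20@@servername-- 80 198.51.100.7 Mozilla/5.0 200
2014-10-01 13:04:30 10.0.0.5 GET /account/lookup.aspx id=1042%27;exec%20master..xp_cmdshell%20%27ping%20google.com%27-- 80 198.51.100.7 Mozilla/5.0 200
2014-10-01 13:05:12 10.0.0.5 GET /account/lookup.aspx id=1042%27;exec%20master..xp_cmdshell%20%27echo%20%3c%25eval(request(%22x%22))%25%3e%20%3e%20c:\\inetpub\\wwwroot\\x.aspx%27-- 80 198.51.100.7 Mozilla/5.0 200
2014-10-01 13:06:00 10.0.0.5 GET /x.aspx - 80 198.51.100.7 Mozilla/5.0 200
2014-10-01 13:06:20 10.0.0.5 GET /account/lookup.aspx id=1043 80 203.0.113.9 Mozilla/5.0 200
"""

# Ordered (tag, regex) pairs applied to the decoded query string. Editor's own
# list, meant to mirror the steps in the case study, not a vendor signature set.
PATTERNS = [
    ("quote_probe",   re.compile(r"'")),
    ("tautology",     re.compile(r"\bor\b\s*\d+\s*=\s*\d+", re.I)),
    ("fingerprint",   re.compile(r"@@(servername|version)", re.I)),
    ("xp_cmdshell",   re.compile(r"xp_cmdshell", re.I)),
    ("webroot_write", re.compile(r">\s*\S*(wwwroot|inetpub)", re.I)),
    ("eval_webshell", re.compile(r"\beval\b", re.I)),
]


def decode_query(raw, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are still seen."""
    out = raw
    for _ in range(rounds):
        nxt = unquote_plus(out)
        if nxt == out:
            break
        out = nxt
    return out


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line; in production count these rather than drop silently
        records.append(dict(zip(fields, parts)))
    return records


def find_sqli(records):
    """Return one finding per request whose decoded query matches any pattern."""
    findings = []
    for r in records:
        raw = r.get("cs-uri-query", "-")
        if raw == "-":  # IIS logs "-" when there is no query string
            continue
        decoded = decode_query(raw)
        tags = [tag for tag, rx in PATTERNS if rx.search(decoded)]
        if tags:
            findings.append({
                "timestamp": f"{r['date']} {r['time']}",
                "source_ip": r["c-ip"],
                "page": r["cs-uri-stem"],
                "query": decoded,
                "tags": tags,
            })
    return findings


def count_by_source(findings):
    """Hits per client IP: a single source with many tagged requests stands out."""
    counts = {}
    for f in findings:
        counts[f["source_ip"]] = counts.get(f["source_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_sqli(parse_iis_log(SAMPLE_IIS_LOG)):
        print(hit["timestamp"], hit["source_ip"], hit["page"], hit["tags"])
    print(count_by_source(find_sqli(parse_iis_log(SAMPLE_IIS_LOG))))
```

Run against the constructed log, the five tagged requests all come from one address and escalate from a bare tick to an xp_cmdshell write into the web root, which is exactly the sequence of timestamp, source IP and page the talk says the real IIS logs gave the investigators.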
Now he has a webshell on that particular system, and now he can pretty much access the system: he can run legit command lines, he can upload files, do whatever he wants at that point. He's likely going to upload a reverse shell, then execute it, and then he's going to get full connectivity to the web server itself. That's generally how it goes.

So next I want to just emphasize again putting security in the software development life cycle. What I just showed you is nothing really new, but it's still very valid; we see huge companies all the time that have custom internet-facing applications that are still vulnerable to basic SQL injection attacks. You know, developers have a deadline and they're just going to try to meet that deadline; as long as it works, that's all they care about, they don't really care about security, and it's going to lead to something like that, which is a compromise. I want to go back to reducing the impact: where is that web server stored? Is it stored in a DMZ, is it stored on your enterprise network, is it hosted by a third party? That really does matter. If it's hosted by a third party and it's not tied to your enterprise, it probably won't matter that much; maybe they can put data on it that's part of your customer data, and that would be important, but if there's not really important data, then maybe you can deprioritize the security of that particular application. It just depends. If it's on a DMZ that has direct ties, like very lax ACLs, to your enterprise network, maybe that's going to matter. So just things to consider whenever you're hosting applications and putting data on them. Integrity checking: this is practical and not practical, in some sense. Let's say you have a very static page, or you have a lot of static content that's not likely to change that often on a web server; you can probably implement integrity checking to see if the MD5 of those source files changes.
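The integrity check Evan describes for a static web root, as an added example (the editor's, not code from the talk): hash every file under the web root into a manifest, store the manifest, and later diff a fresh manifest against it so a file echoed into the web root, a changed page or a deleted asset each show up. The web root contents and the tampering in `demo()` are constructed; the talk mentions MD5, and the function accepts that, but the default here is SHA-256 since MD5 is only useful for noticing accidental change, not for resisting an attacker who can craft collisions.

```python
# Added example (editor's, not from the talk): baseline a static web root and
# report files that were added, changed or removed, the check described above.
import hashlib
import json
import os
import tempfile


def hash_file(path, algorithm="sha256"):
    """Hash one file in chunks so large static assets need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root, algorithm="sha256"):
    """Map every regular file under root (relative, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order so two runs produce identical manifests
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = hash_file(path, algorithm)
    return manifest


def compare_manifests(baseline, current):
    """Return added / removed / modified paths between two manifests."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def save_manifest(manifest, path):
    # Keep the baseline somewhere the web server identity cannot write; an
    # attacker who can drop a shell in the web root could otherwise rewrite
    # the baseline along with it.
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed web root, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "wwwroot")
        os.makedirs(root)
        _write(root, "index.html", b"<html>static front page</html>")
        _write(root, "css/site.css", b"body { margin: 0 }")
        _write(root, "account/lookup.aspx", b"<%@ Page Language=\"C#\" %>")
        baseline_path = os.path.join(work, "baseline.json")  # beside, not inside, the root
        save_manifest(hash_tree(root), baseline_path)

        # Simulate the case study: a new file echoed into the web root, plus a
        # changed page and a deleted asset so all three outcomes are visible.
        _write(root, "x.aspx", b"<%-- webshell stand-in --%>")
        _write(root, "account/lookup.aspx", b"<%@ Page Language=\"C#\" %> tampered")
        os.remove(os.path.join(root, "css", "site.css"))
        return compare_manifests(load_manifest(baseline_path), hash_tree(root))


if __name__ == "__main__":
    print(demo())
```

On a site whose content legitimately changes every deploy, the manifest has to be regenerated as part of that deploy, which is the "not practical for a very dynamic website" caveat in the talk: the check only has value where a change outside the deploy process is by definition suspicious.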
If someone changed it, maybe it was legit, maybe it was not legit; if it's not supposed to change that often, it's something that's practical. If you have a very dynamic website, it's not practical at all. And then lastly we have penetration testing of applications. What I just showed you is, again, very novel, very basic stuff; most pentesters will identify stuff like that. And also ensure that your internet-facing applications are maintained. It's not uncommon that these applications are built on frameworks; you'll hear things like Joomla, WordPress, tons of frameworks out there that people use. A lot of times they have plugins, or add-ons, or functionality tied into the framework, that are vulnerable sometimes, and then they'll issue patches for them; make sure those are maintained, because it's public after that, and it's easy to do a quick Google dork, or Google query, for a particular string that most frameworks will have. If it's vulnerable to that, it's easy to identify on the internet. So, very important.

And now I'm going to talk about illegitimate legitimate access; it's kind of funny. So this is essentially an attacker using a business partner or vendor to compromise another network, very similar to the law firm but slightly different in this particular case. So they'll use accounts that they also got from external forums, like Pastebin, password dumps and things like that. I'm sure a lot of you guys heard about the Adobe dump not too long ago; there were like 152 million accounts leaked. The data that was within the Adobe leak was email addresses, a triple DES encrypted password, and a password hint. So for you computer science people out there, it's not that difficult to tie a domain: let's say you're looking for a domain, orange.com, and there are like a thousand orange.com email addresses within that leak. Then you can harvest every single password, say a unique triple DES encrypted password, so I can get all the same passwords throughout the entire leak, and then I can harvest all the password hints for that particular unique triple DES encrypted password. So let's say you get a thousand password hints for one triple DES encrypted password; it's not going to be that difficult to guess the password. So it's one basic way of getting the password for a particular domain. So then attackers use stuff like this to get a bunch of different passwords for email accounts associated with a particular company, and it's not uncommon that they reuse passwords: how many times is that person going to use the same password for his email, for his Adobe account, for his enterprise, like, Active Directory account?
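The harvesting Evan describes here, and the "work password" hints Chuck mentions just below, as one added example (the editor's, not code from the talk): filter a leaked account list to one domain, cluster accounts that share a ciphertext, collect each cluster's hints side by side, flag hints that say the password is the work one, and produce the reset list Evan says he would build. The records are constructed, and the `BLOB_*` strings are placeholders standing in for the base64 ciphertexts that appeared in the leak; the hint keyword list is the editor's assumption.

```python
# Added example (editor's, not from the talk): work a leaked account list the
# way the talk describes. Records are constructed; the ciphertext strings are
# placeholders for the base64 blobs that appeared in the leak.
import re
from collections import defaultdict

# (email, encrypted-password blob as leaked, hint). Because the leaked
# passwords were encrypted rather than salted and hashed, equal blobs mean
# equal passwords, which is what makes the clustering below possible.
SAMPLE_DUMP = [
    ("alice@orange.com",     "BLOB_A==", "work password"),
    ("bob@orange.com",       "BLOB_A==", "same as vpn"),
    ("carol@orange.com",     "BLOB_A==", "company name plus year"),
    ("dave@orange.com",      "BLOB_B==", "dog's name"),
    ("erin@orange.com",      "BLOB_B==", "rex"),
    ("frank@example.net",    "BLOB_A==", "usual"),
    ("grace@orange.com",     "BLOB_C==", ""),
    ("heidi@sub.orange.com", "BLOB_C==", "work"),
]

# Editor's assumption: hint words that tend to mean "this is my office password".
WORK_HINT = re.compile(r"\b(work|office|vpn|domain|corp|company|same as)\b", re.I)


def accounts_for_domain(records, domain):
    """Keep addresses at domain or any of its subdomains (case-insensitive)."""
    domain = domain.lower().lstrip("@")
    out = []
    for rec in records:
        mail_domain = rec[0].rsplit("@", 1)[-1].lower()
        if mail_domain == domain or mail_domain.endswith("." + domain):
            out.append(rec)
    return out


def cluster_by_ciphertext(records):
    """Group accounts sharing one ciphertext, biggest clusters first.

    Reading the hints of one cluster side by side is what makes the shared
    password guessable without touching the cipher at all.
    """
    clusters = defaultdict(lambda: {"emails": [], "hints": []})
    for email, blob, hint in records:
        clusters[blob]["emails"].append(email)
        if hint.strip():
            clusters[blob]["hints"].append(hint.strip())
    return sorted(clusters.items(), key=lambda kv: (-len(kv[1]["emails"]), kv[0]))


def likely_work_reuse(records):
    """Accounts whose own hint says the password is the work one."""
    return [email for email, _, hint in records if WORK_HINT.search(hint)]


def reset_plan(records, domain):
    """Every address at the domain gets a reset; order the list so accounts
    whose hint points at work, then members of the largest shared-password
    clusters, come first."""
    mine = accounts_for_domain(records, domain)
    flagged = set(likely_work_reuse(mine))
    cluster_size = {}
    for _blob, info in cluster_by_ciphertext(mine):
        for email in info["emails"]:
            cluster_size[email] = len(info["emails"])
    return sorted((e for e, _, _ in mine),
                  key=lambda e: (e not in flagged, -cluster_size[e], e))


if __name__ == "__main__":
    for blob, info in cluster_by_ciphertext(accounts_for_domain(SAMPLE_DUMP, "orange.com")):
        print(blob, len(info["emails"]), info["hints"])
    print(reset_plan(SAMPLE_DUMP, "orange.com"))
```

The same clustering works on any dump where one ciphertext always stands for one password; with a properly salted hash the blobs would all differ and this approach gives nothing, which is the reason salting exists.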
It's not uncommon. So this is just one vector attackers use to get into environments as well, and they'll use these credentials on external service portals like I mentioned earlier: SSL VPN, Citrix. If they're single-factor, it's free game.

Yeah, I was going to mention, on the Adobe leak, one of the things: we've got a guy who's spent several months now, it seems like, just poring over that data in various ways, and one of the things he said is that there were, I think, hundreds if not thousands of entries in there where the password hint basically said "work password." So it was pretty clear that if you knew where that person worked, which might have been the same as their email domain, then it was pretty easy to identify that that was something that had been reused. And so I think the Adobe leak really does show that, well, I'm not a big fan of Draconian password change policies, but I think you need to have some sort of password expiration, because it has been a couple of years now, I think, from when that data was originally from, even though it was leaked a little bit more recently. So I think that if you've got stuff that's... most enterprises, hopefully their passwords have expired since then and they would have been forced to change them, but we do still run into some enterprises that have no password expiration, which is a bit unfortunate.

And going back to that again, just emails tied to Active Directory accounts externally, like password reuse. Citrix: if Citrix is single-factor and you have legit credentials to get access to it, it's not actually that hard to break out of Citrix and get access to the backend Citrix server. And for any of you who are pentesters out there, if you guys have ever dumped creds from a Citrix server, it's almost like a gold mine; there are a lot of existing sessions on Citrix servers from a lot of users, and you can get a lot of credentials from the Citrix server itself. So again, this is external-facing, it's generally tied to the internal network, and you can get a lot more credentials if you break out of it. It's a very common attack vector for attackers, all the time. So lastly, consider who you're providing access to: where is it possible to give an outside system, like an outside vendor or partner, access to the internal network? What are your external service portals? That's something to identify: identify all of those and then determine what you can do with them. So let's say Outlook Web Access. Most people would probably think, oh, we don't have to implement two-factor, it's just email, but sometimes that can contain PII, or they can use it again, going back to the law firm, to compromise other customers or other victims within your organization. And another cool thing to mention: sometimes it can be difficult to harvest emails externally, so if you compromise one person and they get access to Outlook Web Access, or their Outlook itself, they have essentially an email address list for the entire global organization, so then you can just go on a phishing campaign after that, and you have everyone's email. So it is actually pretty important to keep Outlook Web Access behind two-factor authentication as well, and the same thing with Citrix, VPN, or any other service portal that you feel is sensitive to your organization. Okay, and then lastly, again, monitor public password dumps, because it's not uncommon that attackers will use those to gain access to an environment using legit credentials. So what I would do personally: whenever the Adobe leak came out, I would scrape that particular data for all email addresses associated with my organization and I would reset those passwords, depending on how many there
are. So just something to note as well, and I'm going to pass it to Chuck to talk about other vectors.

Okay, yeah, just one last section here, I think, and then we'll wrap everything up. So the rest of this stuff is some other things that we see that are definitely less common, but we do see them occasionally. I mean, you will sometimes see malicious insiders or actual physical access being used as an initial vector; generally those are more in big multinational kinds of companies. Phone-based social engineering occasionally happens. But the case study I want to talk about here is about mass malware. So mass malware is stuff that's not targeting a specific organization; it's just generally your common banking Trojans and things like that, which are generally targeted more towards consumers, trying to attack individual users as opposed to enterprises. So this is again one of the examples from the M-Trends report, where we had a retail organization that ended up getting one of their systems compromised by a common banking Trojan. So the Trojan would just try to find people logging into Chase or logging into Bank of America, things like that. That didn't really happen here, but what the bot owner did identify is that, hey, this is actually a pretty important environment because it's a retailer, and therefore, rather than trying to exploit this myself, because I don't really have that expertise, I'm going to hand, give, sell access over to the cyber criminals that actually do understand that stuff. So that's definitely one of the interesting things we find in some of our incident response work when you're dealing with people in Eastern Europe and Russia: they are very good bankers, they understand the banking system, and they understand how to get money out of organizations once you have access to the right people. So by giving access to those people, the cyber criminals are then able to do their normal stuff, to basically move laterally within the environment and then ultimately target the financial systems within that organization. So this is, I think, definitely the most common of the other miscellaneous scenarios that we'll see: this kind of thing where you'll have mass malware, but then people realize that it's more targeted. So to me it always indicates something; you don't want to just say, well, this is mass malware, we can just ignore it entirely, because sometimes it's an indicator of other badness to come, or sometimes it's a situation where attackers are as sophisticated as they need to be, so they may just be using very common backdoors and Trojans and things like that, because that's all they need to use in order to get into the environment or to maintain their
persistence.

Okay, so just a quick summary of what we've talked about today. Basically, as Evan talked about a few times, defense in depth, being able to reduce admin rights on people's environments, really trying to... that's more about reducing the impact of exploitation, which is certainly something you want to do. And you'll also want to look at logging and stuff, so that you can respond appropriately, I guess, to prevent running into the situation where you just can't figure out what happened. But when it comes to actually preventing the kinds of things we've talked about here, I think really the middle three bullets are probably the main ones: having security in the SDLC to ensure that custom applications are dealt with properly; user awareness training, for various reasons, both on the password reuse and the phishing stuff; and then patching. Patching, again, is one of those things that people think is going to solve all your problems, and it won't, but you do need to do it. I mean, it's definitely a common baseline: you need to make sure that you're getting patches out appropriately, and not just patches specifically but also security hardening, done appropriately on stuff, especially what's internet-exposed. And then just our last slide: as I mentioned before, we're hiring, go to that URL, talk to us afterwards. Other than that, we're basically at the end of our time here; we're happy to take a couple of questions now, and we're also happy to talk offline afterwards as well. So, yes,
sir. Yeah, the question was asking about static code analysis as a way to prevent vulnerabilities, or detect vulnerabilities, in custom applications. We definitely see that happening in some cases, but I'm not sure how useful it is. Static code analysis is something that I think provides you a lot of potential flaws in an application, but it's hard to know what the real flaws are; that's been my experience with it. So we occasionally use it in conjunction with the penetration testing we do, and I think it's good as a highly automated solution, but it's unfortunately not going to be the end-all, be-all.

Yeah, yep, it definitely provides some level of protection for things. Yes? "Since you guys have more... what's the time from initial attack..."

Yeah, the question is just how long is it between the initial attack and when it's discovered. I'll let Evan answer that one. In M-Trends 2014, I don't know how I have this memorized, but in M-Trends 2014, the average time on investigations we had at Mandiant between when it was initially compromised and when they detected it was 229 days, so more than six months. And the longest time was over six years or something like that; that was the most extreme case. Yeah, and sometimes we can't actually know when the initial vector happened, because if they don't have logs going back that far, then we can basically say it was before this period of time, but we don't know exactly when. So yeah, it's definitely unfortunate in those situations. Yes?
Yeah, the question was about the Heartbleed case study and whether we had seen that source IP address before. I don't think that we had; I don't know if, Evan, you remember the answer to that one. So on most of them they were not; I think on one the NBI was the same from the initial compromise that we were investigating prior to, so that was one factor. And another thing is that we did attribution on the attacker prior to when we were doing the initial investigation; we identified a country that it was coming from, and even the different IPs that we hadn't seen before were from that same country, so we could attribute it to the same attack group. Any other questions? Yes?

"One mention: I've been in the industry... a lot of access... it's... and prevent that... companies don't want to invest
in..." Yes, yeah, the question was just asking about the problems you run into with older applications that aren't well maintained: sometimes they require old browsers or old versions of Java, things like that, to access them. And yeah, that certainly causes problems on both sides of it. The application itself is probably not well secured if it's out of date, but then you're also potentially opening yourselves up to client-side exploits. We definitely run into that a lot with Java. I think Java is making some improvements now, where it's becoming less common to have it in the browser; most people don't use Java, even those enterprise applications aren't using Java within the browser, they're just using it on the thick-client side. So I think definitely the click-to-run policy that Oracle put into place now is definitely better, but again, that doesn't necessarily take place if you're on an older version of Java; it doesn't happen that way by default, but I think browsers are starting to make that the default. But yeah, unfortunately we don't have a great solution to that one, other than you just got to get on your vendors to get their stuff together. Okay, I think we're good, I think we're out of time, but like I said, we're happy to talk to you guys afterwards as well, so feel free to come up. [Applause]