Cyber Analysts: who they are, what they do, where they are - Marco Ramilli - Codemotion Milan 2016

463 views

Published on

Cyber security is one of the most challenging topics of the current era. Cyber attacks are becoming more sophisticated day by day and harder for automated systems to detect. People who understand cyber threats and act to block cyber attacks are called cyber analysts. But what do they really do? What difficulties do they meet, and what background should they have before starting the "never-ending" cyber security learning path? Why is an automated system not enough? Marco will talk about real experiences in the cyber analyst field.

Published in: Technology

  1. YOROI company profile. November 26 2016, CodeMotion Milan. Marco Ramilli
  2. Cyber Analysts: who they are, what they do, where they are!
  3. Agenda: - Cyber Analysts: who they are! - Cyber Analysts: what they do! - Cyber Analysts: where they are!
  4. Today's Host ● PhD in Bologna, joint with UC Davis ○ Cyber Security, Penetration Testing of US Voting Machines ○ Books and Publications ● NIST ○ OEVT ○ Penetration Testing methodologies to help US Democracy ● Palantir ○ Product Company ○ Intelligence Company ● Yoroi ○ One of the most extraordinary cyber security companies founded in Europe (Hakin9)
  5. Who they are! Nowadays this is not a trivial topic: ● Deep Learning Machines ● Cognitive Computing ● Machine Learning Algorithms ● Neural Networks undermine the human side of Cyber Security Analysis. But could that technology really take the human side out of this job?
  6. Who they are! Dark Avenger Mutation Algorithm (1993). It could produce some decryptor cases that appeared only in about 5% or less of all cases. However, the engine had a couple of minor limitations that were enough to detect the virus reliably using an instruction size disassembler and a state machine. In fact, there is only one constant byte in an MtE decryptor, the 0x75 (JNZ), which is followed by a negative offset, and even that is placed at a variable location (at the end of the decryptor, whose length is not constant).
  7. Who they are! Super Simple Malware Evasion Technique. Credits: https://www.exploit-db.com/34591
  8. Who they are! Red Pill Approach. Credits: A fistful of red-pills: How to automatically generate procedures to detect CPU emulators
  9. Who they are!
  10. What they do! ● Day 1, Morning. A phone call (from the IT department) saying a server is performing weird network requests. ● Day 1, Afternoon. A VMware image is sent to the Cyber Analyst's email box: he's gotta run!
  11. What they do! Apport -> intercepts crashes right when they happen the first time, gathers system information and sends stack traces and other useful info back to developers to fix the crash. package-data-downloader -> used by software installers such as dpkg and apt.
  12. What they do! SubProcess … Why? /usr/bin/lls … What?
  13. What they do! SubProcess … Why? /usr/bin/lls … What?
  14. What they do!
  15. What they do!
  16. What they do! Connect to 198.216.87.22?
  17. What they do! Ok, let's intercept what it sends to 198! On the client side in the meanwhile ... Oh boy… really?
  18. What they do!
  19. What they do! Ok, we've got password exfiltration on every crash dump and every software update, and machine control since ssh is available. But how do they trigger persistence on a server? Maybe attackers trigger crashes from outside?
  20. What they do! Et Voilà! CVE-2014-3583
  21. What they do! Ok, we know quite a lot about the intrusion, even how they got persistence... But why did the user report a "strange behavior"? Maybe the attackers needed this server as a pivot server? Oh..Oh!!
  22. What they do! Here we go! A nice SEH buffer overflow on Windows. We need to ask for another server image ….. :D Ok, not today...
  23. What they do! It was quite an original way to penetrate a system… is it a new fancy opportunistic way?
  24. What they do!
  25. What they do! How did "lls" land here?
  26. What they do! Only 5 iterations? - Let's check it out!
  27. What they do! A simple reminder on Linux passwords: ● schema: $id$salt$hashed ○ $1$ -> MD5 ○ $2a$ -> Blowfish ○ $2y$ -> Blowfish (8-bit chars) ○ $5$ -> SHA-256 ○ $6$ -> SHA-512 ● !: account is password locked ● *: account is locked ● !!: no password set (RedHat)
  28. What they do!
  29. What they do!
  30. Where they are! ● Unfortunately there is no full learning path to become a Cyber Security Analyst so far. ● There are a lot of classes on: ○ Reverse Engineering ○ Firmware Analysis ○ Forensic Analysis ○ Penetration Testing ○ Vulnerability Assessments ○ Secure Policy Assessment ○ ... ● But a Cyber Security Analyst should be able to perform each of these actions + human interactions + strategic thinking + organization chart knowledge + problem solving
  31. Where they are?
  32. We are Hiring! www.yoroi.company
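Slide 27's $id$salt$hashed scheme and its lock markers, turned into a small audit script (an added example, not code from the deck): it classifies each /etc/shadow entry by algorithm, salt, rounds and lock state, which is the check an analyst runs when hunting for weak or odd credentials after an intrusion like the one in slides 19 and 25. The bcrypt layout, the glibc rounds= prefix, the WEAK_IDS set and the sample shadow lines are the editor's assumptions and constructions, not from the slides.

```python
from collections import namedtuple

# $id$ -> algorithm table from the slide; WEAK_IDS is the editor's assumption
HASH_IDS = {"1": "MD5", "2a": "Blowfish", "2y": "Blowfish (8-bit chars)",
            "5": "SHA-256", "6": "SHA-512"}
WEAK_IDS = {"1"}

PasswordField = namedtuple("PasswordField", "user status algorithm salt rounds weak",
                           defaults=(None, None, None, False))

def parse_crypt(pw):
    """Split a crypt(3) string into (id, salt, rounds); None if not recognised."""
    parts = pw.split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] not in HASH_IDS:
        return None
    hid, rest, rounds = parts[1], parts[2:], None
    if hid in ("2a", "2y"):  # bcrypt: $2y$cost$<22-char salt><31-char hash>, no separator
        ok = len(parts) == 4 and parts[2].isdigit()
        return (hid, parts[3][:22], 2 ** int(parts[2])) if ok else None
    if rest[0].startswith("rounds="):  # glibc SHA-crypt: $6$rounds=N$salt$hash
        rounds, rest = int(rest[0][7:]), rest[1:]
    return (hid, rest[0], rounds) if len(rest) == 2 else None

def classify_shadow_line(line):
    """Classify one /etc/shadow line's password field with the slide's rules."""
    fields = line.rstrip("\n").split(":")
    user, pw = fields[0], (fields[1] if len(fields) > 1 else "")
    if pw == "!!":
        return PasswordField(user, "no-password")  # RedHat: no password set
    if pw in ("!", "*"):
        return PasswordField(user, "locked")
    if pw == "":
        return PasswordField(user, "empty")  # login without any password
    parsed = parse_crypt(pw.lstrip("!"))  # "!$6$..." keeps the hash, login is locked
    if parsed is None:
        return PasswordField(user, "unknown")
    hid, salt, rounds = parsed
    status = "locked" if pw.startswith("!") else "hashed"
    return PasswordField(user, status, HASH_IDS[hid], salt, rounds, hid in WEAK_IDS)

def audit_shadow(text):
    return [classify_shadow_line(l) for l in text.splitlines() if l.strip()]

# Constructed sample lines; the hash bodies are placeholders, not real credentials
SAMPLE_SHADOW = """root:$6$rounds=5000$Qx9sL2vN$PLACEHOLDERHASH:17131:0:99999:7:::
legacy:$1$saltsalt$PLACEHOLDERMD5:17131:0:99999:7:::
svc:!$6$zzZz1234$PLACEHOLDER:17131:0:99999:7:::
nobody:*:17131:0:99999:7:::
newuser:!!:17131:0:99999:7:::
"""
```

Running `audit_shadow(SAMPLE_SHADOW)` flags the `legacy` account as MD5-crypt (weak), shows `svc` as a locked account that still carries a SHA-512 hash, and reports the `rounds=` value for `root`.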
