Red teaming in the cloud

Slide 2 © First Base Technologies 2016
Founder and CEO - First Base Technologies LLP
• Engineer, IT and information security professional since 1969
• Fellow of the BCS, Chartered IT Professional, CISSP
• Senior Member of the Information Systems Security Association
• 15 Year+ Member of ISACA, ISACA Security Advisory Group
• Member of the Institute of Information Security Professionals
• Chair of white-hats.co.uk
• Chair of OTIS (Operational Technology and IoT Security)
• Member of ACM, IEEE, First Forensic Forum, Institute of Directors, Mensa
Slide 4: The enemy
What was advanced is now average
• Well planned, strategic approach
• Automation assisted manual attacks
• Social engineering, especially phishing
• Sophisticated malware
• Clear objectives
• Lots of resources
Slide 5: The defence
To counter these attacks, we need threat-based thinking
• Who is attacking what and how?
• Where do we know we are vulnerable?
• What can we fix right now?
• Conduct a red team exercise
• Fix the problems we found
• Check our fixes work
• Wash, rinse, repeat
Slide 6: The method
http://csrc.nist.gov/cyberframework/rfi_comments/040813_cba_part2.pdf
• Understand each attacker’s capability, motivation and methodologies
• Analyse the likely impact to help prioritise
• Design relevant scenarios
• Execute red team exercises
• Assess protective controls
• Evaluate detective controls
Slide 7: The strategy
Slide 8
Cloud computing metaphor: for a user, the network elements representing the provider-rendered services are invisible, as if obscured by a cloud
https://en.wikipedia.org/wiki/Cloud_computing
Image by Sam Johnston (includes Computer.svg by Sasa Stefanovic)
Slide 9
What assets will threat actors be interested in?
• Money
• Intellectual property
• Identities
• Databases
• Intercepts
• Network access
• Control systems
Slide 10
What is the most attractive approach? (Needs to be: easiest, cheapest, lowest risk, best success rate …)
• Break into the cloud
• Infiltrate the provider
• Infiltrate the customer
• Intercept traffic
• Trick the user
Slide 12
Why is it the most attractive approach?
• Login from anywhere
• Browser access
• Single factor authentication
• No intruder detection
• No physical security
• Legitimate credentials
• Good chance of privilege escalation
Slide 13: How they think
Example methodologies
• Spear phishing
• Social networking
• Watering hole attacks
• Telephone social engineering
• Theft of device
• USB device
• Charging points
• Public computers
• WiFi intercepts
Slide 14: Reconnaissance
• 4 registered domains
• 5 IP address ranges
• 72 Internet-facing hosts
• Scan revealed OWA in use
• LinkedIn search for relevant email addresses
• 400 email addresses identified
• Staff names and job titles analysed
• Emails sent to obtain responding email style and layout
Slide 15: Planning
• Convincing fake domain name available and purchased
• OWA site cloned onto fake domain for credential theft
• Large number of email addresses harvested as targets
• Design of real emails copied to facilitate spear phishing
• Names and job titles gathered as fake senders
• Genuine OWA will be used to test stolen credentials (and gather further info)
Slide 16: Execution
• Email sent from IT manager, using fake domain address
• OWA cloned onto tester’s laptop, DNS set accordingly
• Email sent to three groups of 100 recipients
• Within a few minutes, 41 recipients entered credentials
• Credentials tested on legitimate OWA site
• Significant information gathered from each account
• Further emails can now be sent from legitimate addresses
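The "no intruder detection" point from slide 12 and the credential-testing step on this slide suggest one check a defender can run: a single source completing successful OWA logins as many different accounts within minutes is the footprint left when harvested credentials are replayed against the genuine site. The following is an added example, not code from the original deck; the log format and sample lines are constructed (a real IIS or Exchange log would need its own parser), and treating a 302 on the auth POST as a successful login is an assumption of that constructed format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of access-log lines from an OWA front end, one login
# attempt per line: source IP, account, timestamp, method, path, status.
# 10.20.0.5 authenticates as five different accounts within minutes, the
# footprint of harvested credentials being tried against the genuine OWA;
# the other lines are ordinary single-user activity.
SAMPLE_LOG = """\
10.20.0.5 alice 2016-03-01T09:01:10 POST /owa/auth.owa 302
10.20.0.5 bob 2016-03-01T09:01:42 POST /owa/auth.owa 302
192.0.2.44 carol 2016-03-01T09:02:05 POST /owa/auth.owa 302
10.20.0.5 carol 2016-03-01T09:02:30 POST /owa/auth.owa 302
10.20.0.5 dave 2016-03-01T09:03:15 POST /owa/auth.owa 302
10.20.0.5 mallory 2016-03-01T09:03:15 POST /owa/auth.owa 401
10.20.0.5 erin 2016-03-01T09:04:01 POST /owa/auth.owa 302
198.51.100.7 frank 2016-03-01T09:05:00 POST /owa/auth.owa 302
198.51.100.7 frank 2016-03-01T11:30:00 POST /owa/auth.owa 302
"""

def parse_line(line):
    ip, user, ts, _method, path, status = line.split()
    return ip, user, datetime.fromisoformat(ts), path, int(status)

def credential_replay_sources(log_text, window=timedelta(minutes=10), min_users=3):
    """Return {source_ip: sorted accounts} for every source that completed
    successful OWA logins (302 on POST to auth.owa, an assumption of this
    constructed format) as at least `min_users` distinct accounts inside
    some sliding window of length `window`."""
    successes = defaultdict(list)  # ip -> [(timestamp, account)]
    for line in log_text.splitlines():
        ip, user, ts, path, status = parse_line(line)
        if path.endswith("/auth.owa") and status == 302:
            successes[ip].append((ts, user))
    flagged = {}
    for ip, events in successes.items():
        events.sort()
        best = set()
        start = 0
        for end, (ts, _user) in enumerate(events):
            # Advance the window start until the span is at most `window`
            while ts - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            flagged[ip] = sorted(best)
    return flagged
```

Thresholds need tuning per environment: shared NAT egress addresses and service accounts will legitimately show several users per source, so the alert is a lead for triage rather than a verdict.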
Slide 17: Passwords – really?
Single-factor authentication may not be your best choice
• We cracked 48% of 9,569 passwords
• 98% of these passwords were cracked within two hours
• The remaining 2% were cracked over the course of one week
Slide 18: Enable your best defence
Invest in your human firewall
• Train your staff to recognise social engineering attacks
• Explain the why and how of passphrases
• Invest in continual awareness campaigns
• Use every medium available to spread the word
Slide 19: Need more information?
Peter Wood
Chief Executive Officer
First Base Technologies LLP
peter@firstbase.co.uk
www.firstbase.co.uk
twitter: @FBTechies
+44 (0)1273 454525