Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.
Attacker Techniques
Using Open Source Intelligence and Data
Abhisek Datta
Head, Security Products @ Appsecco
Attackers Attack What They See
Let's start with how attackers work
An attacker wants to hack a target and for this, will
perform a bunch of activities
1....
Asset Discovery
From Attacker’s Perspective
Your-Company.com
What Attacker Sees
• Your-Company.com
• Who is the registrar
• Where is it hosted
• Self-hosted or managed
e-mail service
• External help des...
What Attackers See – Subdomain Enumeration
• Your-Company.com
• Host-1
• Host-2
• Host-3
• Etc.
amass enum –passive –d
you...
What Attackers See – Email Enumeration
• Your-Company.com
• u1@your-company.com
• u2@your-company.com
• u3@your-company.co...
What Attackers See – Breached Credentials
• haveibeenpwned.com
• hacked-email.com
• etc.
What Attackers See – Breached Credentials
What Attackers See – Application Discovery
• Your-Company.com
• http://app1.your-company.com
• http://app2.your-company.co...
What Attackers See – Technology Discovery
• Your-Company.com
• App1 – Java/JavaEE
• App2 – NodeJS, AngularJS
• App3 – PHP
...
Domain
External
Services
Help Desk
Mailers
Email
Breached
Credentials
Hosts
Apps
Technologies
What Attackers See – Putting...
Real-life Breaches
Leveraging Internet Exposure Discovery Techniques
Invoice Fraud
Publicly Accessible Cloud
Storage Buckets
Sub-domain Take Over
Static site hosted on S3 and then forgot about it :)
Framework / Software
Vulnerabilities
Cloud Account Take Over
Automation at Scale
Using Docker, Kubernetes and Cloud Native Technologies
An Example AppSec Workflow
Domain
Hosts
Subdomain
Enumeration
CIDRASN Search
DNS
SPF, MX etc.
Port and
Service
Scanning
UR...
Data
Collection
Analysis
Inference
Further
Actions
How does it look like from Automation Perspective?
Security
Tools
Human...
Security
Tool
Workflow
Rules
Security
Automation
Automating AppSec Workflow
Driving the System – Events FTW!
API Service
HTTP POST
NATS
Write to NATS Message Queue
Scanners
(Client)
Minio Object
Sto...
• 3rd Party Tools are not in our control
• We need to be able to
• Receive input from NATS
• Run tool with tool specific c...
1. Package 3rd party tools as Docker containers
2. Add Tool Adapter binary and set as entrypoint
3. Write Kubernetes deplo...
Security Tool Dockerfile
Security Tool Kubernetes Spec (YAML)
Match Transform
Take
Action
Feedback Processor (Driving the System)
Feedback Processor - Example
• State management is difficult due to asynchronous
nature of the system
• NATS connection issue with preemptible nodes on...
How to
Contribute
1. Clone the repository from Github
2. Try out and report bugs
3. Add new security tools
4. Add feedback...
Questions?
abhisek@appsecco.com
That’s all for now..
https://appsecco.com
@abh1sek
github.com/abhisek
github.com/appsecco/...
(SACON) Nilanjan, Jitendra chauhan & Abhisek Datta - How does an attacker know everything about your organization? - Know ...
Nächste SlideShare
Wird geladen in …5
×

(SACON) Nilanjan, Jitendra chauhan & Abhisek Datta - How does an attacker know everything about your organization? - Know the Unknowns

655 Aufrufe

Veröffentlicht am

It is possible to create a comprehensive attack surface of any organizations just with open data available on the public internet It is possible to search vulnerable targets and compromise the targets. The organizations can be compromised without any RCE vulnerability. It is possible to create inhouse team to continuously monitor your attack surface and fix flaws before attackers find them.

Veröffentlicht in: Technologie
  • Als Erste(r) kommentieren

  • Gehören Sie zu den Ersten, denen das gefällt!

(SACON) Nilanjan, Jitendra chauhan & Abhisek Datta - How does an attacker know everything about your organization? - Know the Unknowns

  1. 1. Attacker Techniques Using Open Source Intelligence and Data Abhisek Datta Head, Security Products @ Appsecco
  2. 2. Attackers Attack What They See
  3. 3. Let's start with how attackers work An attacker wants to hack a target and for this, will perform a bunch of activities 1. Online Attack Surfaces 2. Breached Credentials 3. Known Vulnerable Software 4. (Easy to?) exploit security vulnerabilities
  4. 4. Asset Discovery From Attacker’s Perspective
  5. 5. Your-Company.com What Attacker Sees
  6. 6. • Your-Company.com • Who is the registrar • Where is it hosted • Self-hosted or managed e-mail service • External help desk services • 3rd party services What Attackers See – Domain Enumeration whois whois your-company.com whois <IP> dig dig your-company.com NS dig @NS1 your-company.com MX dig @NS1 your-company.com TXT
  7. 7. What Attackers See – Subdomain Enumeration • Your-Company.com • Host-1 • Host-2 • Host-3 • Etc. amass enum –passive –d your-company.com amass intel –whois –d your-company.com
  8. 8. What Attackers See – Email Enumeration • Your-Company.com • u1@your-company.com • u2@your-company.com • u3@your-company.com • u4@your-company.com • Etc. Hunter.io theHarvester Many more …
  9. 9. What Attackers See – Breached Credentials
  10. 10. • haveibeenpwned.com • hacked-email.com • etc. What Attackers See – Breached Credentials
  11. 11. What Attackers See – Application Discovery • Your-Company.com • http://app1.your-company.com • http://app2.your-company.com • Etc. nmap –p 80,443,8080 -sV -A –iL hosts.txt
  12. 12. What Attackers See – Technology Discovery • Your-Company.com • App1 – Java/JavaEE • App2 – NodeJS, AngularJS • App3 – PHP • Etc. Wappalyzer npm i -g wappalyzer wappalyzer https://app1.your- company.com
  13. 13. Domain External Services Help Desk Mailers Email Breached Credentials Hosts Apps Technologies What Attackers See – Putting it all Together Unpatched Services App VulnerabilitiesCredential Spraying Ticket Trick Credential Spraying
  14. 14. Real-life Breaches Leveraging Internet Exposure Discovery Techniques
  15. 15. Invoice Fraud
  16. 16. Publicly Accessible Cloud Storage Buckets
  17. 17. Sub-domain Take Over Static site hosted on S3 and then forgot about it :)
  18. 18. Framework / Software Vulnerabilities
  19. 19. Cloud Account Take Over
  20. 20. Automation at Scale Using Docker, Kubernetes and Cloud Native Technologies
  21. 21. An Example AppSec Workflow Domain Hosts Subdomain Enumeration CIDRASN Search DNS SPF, MX etc. Port and Service Scanning URLs Technologies Cloud Infrastructure Emails Public Breach DB Query Password Spraying Application Security Scan
  22. 22. Data Collection Analysis Inference Further Actions How does it look like from Automation Perspective? Security Tools Human + Learning Systems Human + Learning Systems Feedback Loop
  23. 23. Security Tool Workflow Rules Security Automation Automating AppSec Workflow
  24. 24. Driving the System – Events FTW! API Service HTTP POST NATS Write to NATS Message Queue Scanners (Client) Minio Object Storage Persist Output Output Analysis and Feedback Alerting and Notification Tool Output Event
  25. 25. • 3rd Party Tools are not in our control • We need to be able to • Receive input from NATS • Run tool with tool specific command line • Receive output or check for error • Persist output to Minio The Tool Adapter (Pattern)
  26. 26. 1. Package 3rd party tools as Docker containers 2. Add Tool Adapter binary and set as entrypoint 3. Write Kubernetes deployment spec (YAML) 4. Deploy to Kubernetes 5. Write YAML rules for Feedback Processing Adding a Security Tool (3rd Party)
  27. 27. Security Tool Dockerfile
  28. 28. Security Tool Kubernetes Spec (YAML)
  29. 29. Match Transform Take Action Feedback Processor (Driving the System)
  30. 30. Feedback Processor - Example
  31. 31. • State management is difficult due to asynchronous nature of the system • NATS connection issue with preemptible nodes on GKE • Capacity planning and analysis • Cost analysis Challenges, Constraints and Things to do
  32. 32. How to Contribute 1. Clone the repository from Github 2. Try out and report bugs 3. Add new security tools 4. Add feedback processor rules 5. Submit PR github.com/appsecco/kubeseco
  33. 33. Questions? abhisek@appsecco.com That’s all for now.. https://appsecco.com @abh1sek github.com/abhisek github.com/appsecco/kubeseco

×