Sunday, June 19, 2011

How does your network stand up to a determined attacker?

Attacks on large organizations (RSA [1][2], Google and others [3], DuPont [4], Lockheed Martin [5]) have given us a glimpse into the underbelly of targeted attacks.

To be clear, not every mom-and-pop shop needs to live in fear of targeted attacks or industrial espionage, but a lot of companies do face this threat. If you make something that would be cheaper to steal than to reverse engineer, or if beating your competitor to market decides whether you turn a profit this year, you're in the zone where some entity may decide to come after you and take it.

Recently at BlackHat DC and ShmooCon, Sean Coyne and Ryan Kazanciyan from Mandiant gave a great talk titled "The Getaway" [6][7] covering some of the methodologies and tools that Mandiant felt were common enough to discuss in public. McAfee also released their "Night Dragon" paper [8], which discusses "APT"-style attacks and techniques.

(Figure: the attack sequence, steps 1-5, not reproduced here.) Image (modified) from: McAfee's Global Energy Cyberattacks: "Night Dragon"

Step 1, getting in, varies: typically some sort of client-side attack is involved, but remote and web attacks are definitely a possibility (why burn your client-side 0day when Metasploit will get the job done?).

Steps 2-5 matter because traditional penetration testing rarely goes deep enough to adequately test detection and response once an attacker has gained entry and is moving laterally through the network. Instead, most companies force their consultants into a guided test where the company controls the outcome via scope restrictions or "goals" that don't represent what attackers typically go after.

Companies with something to lose need to sit down and ask themselves the hard questions:

How educated are your users against social engineering and phishing attacks? (Does your awareness program actually work?)

How far can an attacker go with a user-level shell gained via phishing or social engineering? (Do the fancy boxes and the IDS analysts actually work?)

Do you know what data on your network is most important? (What makes you money?) If yes, can you identify the controls in place to protect it? When did you last test those controls for real, and not just on paper?

Is that data properly protected? (Are you doing anything to protect it? Hint: Windows permissions don't count.) Have you tried various exfiltration methods to see whether they work?

When was the last time you allowed someone to try to get it? (Did you throw vulnerability scanner X at it and call it good, or do you just laugh and say "yep, if they got access we would be f**ked"?)



1. http://www.pcworld.com/businesscenter/article/222555/rsa_securid_hack_shows_danger_of_apts.html
2. http://blogs.rsa.com/rivner/anatomy-of-an-attack/
3. http://en.wikipedia.org/wiki/Operation_Aurora
4. http://www.bloomberg.com/news/2011-03-08/hacking-of-dupont-j-j-ge-were-google-type-attacks-that-weren-t-disclosed.html
5. http://www.informationweek.com/news/government/security/229700151
6. https://media.blackhat.com/bh-dc-11/Coyne/BlackHat_DC_2011_Coyne_Gateway-Slides.pdf
7. https://media.blackhat.com/bh-dc-11/Coyne/BlackHat_DC_2011_Coyne_Gateway-wp.pdf
8. http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf
