1 / 23

Northumbria Uni

Northumbria Uni. Ethical Hacking 2014-01-16. $ whoami. Andrew Waite andrew.waite@onyx.net / @ infosanity Ex-System/Network admin for Newcastle DataCentre Degree placement from Northumbria Security Consultant – Day Job (not just a suit) Security Researcher – Spare time MASSIVE geek.

lynda
Download Presentation

Northumbria Uni

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Northumbria Uni Ethical Hacking 2014-01-16

  2. $whoami • Andrew Waite • andrew.waite@onyx.net/ @infosanity • Ex-System/Network admin for Newcastle DataCentre • Degree placement from Northumbria • Security Consultant – Day Job • (not just a suit) • Security Researcher – Spare time • MASSIVE geek

  3. Agenda – Defence (sorry) • Real World incidents & Issues • DDoS • Crypto-Locker • Organic growth • Foundations – Network Design • Uncommon (and cheap & easy) ways of detecting attack. • Or how to screw with the bad guys™ • Demo/Lab( $deity willing….)

  4. DDoS • Co-Location environment – What we do. • Case Studies (four) • First signs of trouble • Investigation • Solution Alternatives?

  5. Ransomeware • Typical (corporate) response to an infection? • Scenario 1 – Police Warning • Scenario 2 – Crypto-Locker (1st incident) • Scenario 3 – Zeus/Crypter(2nd incident) • Attempted Financial transactions

  6. Ransomeware – Police Warning http://nakedsecurity.sophos.com/2012/02/13/metropolitan-police-malware-warning/

  7. Ransomeware – Cryptolocker http://nakedsecurity.sophos.com/2013/10/12/destructive-malware-cryptolocker-on-the-loose/

  8. Ransomeware – Defences? • Backup (specific to current threat) • Anti-virus • Yes, really • User Education • Logging, detection, intelligence gathering • Strong password infrastructure – 2FA

  9. Organic Growth Networks • If your network diagram looks like this:

  10. Network Design • Already discussed how to do it badly • DMZ / Perimeter • Separation • Geo-graphical • Function • User Base • BYOD/Guest • Resilience/Redundancy

  11. Network Design • Better, not perfect….

  12. Uncommon Defence – Honeypots • Take attackers attention from production systems • Easy identification of malicious activity • Intelligence lead defence • High vs Low interaction ‘pots • Research capabilities http://www.honeynet.org/about

  13. Honeypots – Honeyd • Old, but sill useful • Emulate network / hosts / services • Logging http://www.honeyd.org/

  14. Honeypots – LaBrea • Tarpit • Slow attackers to allow blue team time to work • Race condition on ARP requests • Careful! http://labrea.sourceforge.net/labrea-info.html

  15. Honeypots – Nepenthes / Dionaea • (primarily) emulates vulnerable Windows Services • Malware collection and attack flow analysis • Becoming less useful as attack patterns change http://dionaea.carnivore.it/

  16. Honeypots – Kippo • Unsecure SSH • (restricted) shell environment • Full Logging • And replay….. • http://iwatchedyourhack.org/ https://code.google.com/p/kippo/

  17. Honeypots – Glastopf(?) • Web Application Attack Vectors • Google hits • Provides vulnerable platforms based on attack requests http://glastopf.org/

  18. Honeypots – Thug • Client-side Attack vectors • Spam-traps etc. http://buffer.github.io/thug/

  19. Honeypots – Manual Honeytraps • Dummy DNS Entries • robots.txt • http://blog.spiderlabs.com/2013/08/setting-honeytraps-with-modsecurity-adding-fake-robotstxt-disallow-entries.html • Fake HTML comments • http://blog.spiderlabs.com/2014/01/setting-honeytraps-with-modsecurity-adding-fake-html-comments.html • Can get offensive – (IANAL……)

  20. Sandbox – Cuckoo • File / URL analysis • Great for research and/or incident response • Relies on virtualisation images • Install requirements..… http://www.cuckoosandbox.org/

  21. Honeypot identification • PenTest reports….. • Both tester and testee • Various tools • Dionaea - Nmap scripts • http://blog.prowling.nu/2012/04/detecting-dionaea-honeypot-using-nmap.html • Kippo – Metasploit SSH aux module • auxiliary/scanner/ssh/ssh_version

  22. Legal issues - Strike Back • IANAL!!!! • Personal thoughts only….. • Aggressive Network Self-Defense

  23. Demo / Lab • Keep your fingers crossed…..

More Related