Anatomy of a Breach
Mark Lachniet, mark.lachniet@cdw.com (847-968-0155)

About The Speaker
• Several terms on the board of the Michigan chapter of the High Technology Crime Investigation Association (MIHTCIA)
• Member of the Michigan Council of Private Investigators (MCPI)
• Licensed Private Investigator in the State of Michigan #3701-205679
• Currently: Information Security Solutions Manager at CDW
• Previous jobs:
  • Holt Public Schools (IT Director)
  • Sequoia / Analysts Intl. (Consultant)
  • Walsh College (instructor)
  • CDW (Security engineer that did actual work)
• 15+ years in security consulting
• Many tech certifications – CISA, CISSP, etc.
| Security solutions
Information Security – We Are At War
• “War is the continuation of politics by other means.” –Admiral Carl von Clausewitz, famous Prussian general and military theorist
• Hacking is modern warfare, as well as modern crime
• “Following the teachings of Sun Tzu, all warfare is asymmetric because one exploits an enemy’s strengths while attacking his weaknesses” –David L. Buffaloe, Association Of The United States Army
• Hacking favors the agile and creative (but budget is good too)
• “When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country. We reserve the right to use all necessary means — diplomatic, informational, military, and economic” –International Strategy for Cyberspace, The White House, 2011
• The US Military recognizes this and retains the right to respond with bombs
It’s not a matter of if but of when
• “Companies have done a lot of things right, but it is not a matter of if but when they will come under attack. Attacks are becoming larger and more scalable, and because of the success of ransomware attacks that trend is likely to continue” –Alliance Manchester Business School
• We are all at risk, and the risk will be with us forever
• “It is the doctrine of war not to assume the enemy will not come, but rather to rely on one’s readiness to meet him; not to presume that he will not attack, but rather to make one’s self invincible” –Sun Tzu, The Art of War
• All organizations have something that attackers want!
  • Personal information – to steal your money or to blackmail you (see: OPM breach)
  • Company information – to take your research and techniques and defeat you in the marketplace
  • Political information – to embarrass you or for political advocacy
  • Resources – to assist in attacking other targets, to create digital currency, digital contraband
THIS ISN’T OUR BIGGEST EXTERNAL THREAT…

OR THIS…

IT’S THIS!
• “Hackers are breaking the systems for profit. Before, it was about intellectual curiosity and pursuit of knowledge and thrill, and now hacking is big business.” –Kevin Mitnick

AND THIS!
THE PROBLEM IS ALSO OURSELVES – OUR EDUCATIONAL SYSTEM
• “Educators are ‘failing computer science students by deprioritizing cybersecurity training’ and ‘are inadvertently contributing to the lack of cybersecurity readiness in the U.S.’” –CloudPassage, National Cybersecurity Institute
• “Teaching cybersecurity is difficult in and of itself. The technology, threats, and attack methods rapidly shift. It seems every eight to twelve months, the industry swings to an entirely new focus. A fellow security professional stated ‘if they are learning from a book, it is already outdated’.” –McAfee
AND OUR COMPLEXITY
• “When [the enemy] prepares everywhere he will be weak everywhere” –Sun Tzu, The Art of War
(image label: Artificial Intelligence)
Anatomy of a Breach – Target Selection
• The following is my personal take, your mileage may vary
• Target selection:
  • Opportunistic (they don’t care who you are, they just want your money/data/computing resources)
    • Ransomware
    • Credentials to other systems (banking, gmail, etc.)
    • Hoping to hit an interesting target
  • Targeted
    • Politically motivated / nation-state attacks
    • Access to research and development, financial plans
    • As a means to get at other organizations (3rd party)
    • Insider access (leaks, revenge, inappropriate use)
• Opportunistic attacks can lead to targeted attacks
Anatomy of a Breach – The Attack
• Opportunistic attacks:
  • Broad e-mail phishing attacks
  • Infected web sites (usually but not always shifty sites)
  • Internet scanning for insecure devices like IoT (shodan.io)
  • Attacks that target USB devices
  • Phone phishing (vishing?) campaigns
• Targeted attacks:
  • Spear-phishing attacks
  • Focused Internet vulnerability scanning
  • Public document metadata scanning / OSINT
  • Password guessing (usually via webmail)
  • Water-cooler / third party attacks
  • Tricky attacks on specific applications (expensive and time consuming but usually not detected, such as SQL injection over SSL)
Anatomy of a Breach – Establishing Access
• Once in a system the next steps will vary depending on the purpose
• On local system:
  • Encrypt documents for ransomware
  • Establish persistence
  • Install keyloggers / trojans to collect credentials
  • Patch the original vulnerability
  • Install interactive remote access (outgoing SSH etc.)
  • Purge logs / remove evidence
  • Disable volume shadow copy
  • Copy password hashes for cracking and “pass the hash”
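Two of the steps above, purging logs and disabling volume shadow copies, leave their own traces. As an added defender-side example (not from the talk), the following Python scans Windows event records for those traces and ranks hosts where several of them appear together. The event IDs (1102, 104, 4688) are real Windows IDs; the records, host names and the "two distinct behaviours" threshold are constructed.

```python
"""Spot the anti-forensics steps from the slide (purging logs, disabling volume
shadow copies) in Windows event records. Added example for this talk; the
records below are constructed, the event IDs (1102, 104, 4688) are real."""
from collections import defaultdict

# Constructed records: (timestamp, host, event_id, message). A real feed would
# come from a SIEM or from exported .evtx files.
SAMPLE_EVENTS = [
    ("2016-03-01T02:11:05", "WS-17", 4688,
     "New Process: C:\\Windows\\System32\\vssadmin.exe  CommandLine: vssadmin delete shadows /all /quiet"),
    ("2016-03-01T02:11:09", "WS-17", 4688,
     "New Process: C:\\Windows\\System32\\wevtutil.exe  CommandLine: wevtutil cl Security"),
    ("2016-03-01T02:11:10", "WS-17", 1102, "The audit log was cleared."),
    ("2016-03-01T02:11:12", "WS-17", 104, "The System log file was cleared."),
    ("2016-03-01T09:30:00", "WS-04", 4688,
     "New Process: C:\\Windows\\System32\\notepad.exe  CommandLine: notepad.exe report.txt"),
    ("2016-03-01T09:31:00", "WS-04", 4688,
     "New Process: C:\\Windows\\System32\\vssadmin.exe  CommandLine: vssadmin list shadows"),
]


def log_cleared(eid, msg):
    # 1102 = Security log cleared, 104 = System/Application log cleared.
    return eid in (1102, 104)


def shadow_copies_deleted(eid, msg):
    # Process creation where a shadow-copy tool is asked to delete copies.
    # A plain "list" run, as on WS-04 above, stays quiet.
    m = msg.lower()
    return eid == 4688 and ("vssadmin" in m or "wmic" in m) \
        and "delete" in m and "shadow" in m


def eventlog_cleared_by_tool(eid, msg):
    # The process-creation record often survives even when the log it
    # targets is gone, because it lands in a different log or in the SIEM.
    m = msg.lower()
    return eid == 4688 and "wevtutil" in m and " cl " in m


RULES = [
    ("log_cleared", log_cleared),
    ("shadow_copies_deleted", shadow_copies_deleted),
    ("eventlog_cleared_by_tool", eventlog_cleared_by_tool),
]


def scan(events):
    """Return {host: [(rule_name, timestamp), ...]} in time order."""
    hits = defaultdict(list)
    for ts, host, eid, msg in sorted(events):
        for name, pred in RULES:
            if pred(eid, msg):
                hits[host].append((name, ts))
    return dict(hits)


def prioritize(hits, min_distinct=2):
    """Hosts showing several distinct cleanup behaviours deserve a look first;
    a lone 104 can be a benign administrator action."""
    return sorted(h for h, lst in hits.items()
                  if len({name for name, _ in lst}) >= min_distinct)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for host in prioritize(found):
        print(host, [name for name, _ in found[host]])
```

The rules only work if process-creation auditing (4688 with command line) is enabled and the records are forwarded off the host before they can be purged, which is the point of the logging slide at the end of this talk.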
Anatomy of a Breach – Pivot and Exfiltrate
• On other internal systems:
  • Attempt to “pivot” access to other internal systems, usually using the user’s credential or that of the local admin user
  • Infect other internal systems and repeat
  • Discover interesting internal information that can be used to:
    • Bootstrap your nation-state’s R&D/manufacturing
    • Embarrass you
  • Install software on more systems, including partners
• Exfiltrate data:
  • Move the data off the network so it can be used
  • Often over encrypted tunnels / non-standard protocols; hard to detect in large networks
My own experience
• First indication of something odd was that for about the span of a day our telephones didn’t work
• After they started working again we got some kind of automated AT&T message, didn’t think much of it
• A few days later, I am asked by my wife “did you just transfer all the money out of our savings account?”
• Contacted the credit union to inquire and was asked by a young clerk if I hadn’t recently authorized it, to which I said no, and was put on hold; the clerk came back saying they would look into it
• Obtained a copy of the wire transfer; it is for an amount just below the account balance, wiring the money to what looks like a construction company in Illinois
• The wire transfer had a copy of my signature from some source, but it was an old signature that I no longer use, at least 10 years old
My own experience
• It turns out that the scammers had gotten AT&T to disconnect my phone line and connect it to them somehow
• They then used a fax machine from my stolen “home phone” line to fax in the wire transfer (this number is what showed up on the fax machine’s caller ID)
• The CU, as per procedure, called to verify the large amount
• Unfortunately they verified it with the criminal that answered on my behalf on my phone number
• Entered my info at http://www.ic3.gov/default.aspx (it didn’t help me but maybe it will help make a case some day)
• My losses were too small for federal investigators, the MSP refused to take a report, so I ended up working with my township (a nice guy but very pessimistic about even getting results from telcos, and too late by that point)
My own experience
• Put extra security and passwords on CU systems
• Changed all my important passwords
• Ended up being reimbursed through the CU’s insurance, but did not vigorously pursue law enforcement help due to the trail going cold and no firepower
• Consider the amount of funding, planning and research that had to go into that attack, not to mention the amount of employee time
• The attack wouldn’t have been possible without telephone tomfoolery!
• Quite likely the scammers were from another country entirely and just using the Chicago company as a shell
• All made possible with the Power Of Telco!
Financial Fraud
• One case I’ve worked on deals with a fairly large financial fraud at a Michigan-based company
• One of their computer workstations had been hacked, and the user of that workstation used it to log into a web banking system to process their regular payroll
• The user was somehow directed away from the official banking web site to a phishing web site
• The web site looked “different” to the user so they contacted the web banking company’s technical support. Their tech support was unable to determine the problem (which in this case was the wrong URL) and told them “it must be an I.T. problem on your end”
• The user then entered their user ID, password, and code from a two-factor authentication token into the site and did payroll
• The next day they were contacted regarding what appeared to be fraud – their payroll (approximately $700,000) had been hijacked
Financial Fraud
• This is especially troubling given the fact that two-factor authentication was used – these devices use a code that changes every few minutes, giving a very small window of opportunity to exploit
• This implies to me that the criminals either had some very sophisticated software that could “automagically” log into the web banking system, or they had a fully staffed 24/7 NOC with people waiting for events
• The criminals then changed the account numbers that the payroll was going to, and routed sums of approximately $9,000 to a number of different bank accounts ($10,000 is the cut off for OFAC reporting)
• This also implies that the criminals were very well versed in the banking system, because they were smart enough to change all of the ACH numbers very quickly
Financial Fraud
• According to at least one report, individuals who were looking for a job online were offered jobs as “ACH processors” by some shady Internet company
• Their job was to open a bank account, wait for money to be deposited, and then withdraw the money as cash
• They would then use a wire transfer service such as Western Union to wire transfer $4,000 each to a couple different people or accounts overseas, and keep $1,000 for their trouble
• Thus, the people who were doing the conversion of virtual to physical cash and were assisting in the crime were most likely unknowing dupes
• They, themselves, might find the info they provided to their “employer” (SSN, bank number) sold at a later date
Financial Fraud
• I was then called in to help with incident response
• We began by taking a forensic image of the user’s workstation using a firewire “write blocker” to preserve the integrity of the data
• While that was happening, we worked on analyzing available log sources (there weren’t any, so we had to configure firewall logging)
• We put a stop to all non-essential Internet access while we were investigating
• We also began installing WebRoot Anti-Spyware software on a number of workstations – this turned up more infected machines
• Using a firewall log analysis tool known as Sawmill, we were able to find other network activity that seemed suspicious (traffic to eastern Europe and Asia) and analyze those workstations for additional malware
• The FBI later came in and took an image of the workstation as well
Financial Fraud
• We started drafting a list of recommendations to help them improve their overall security posture, and presented them to senior management, including:
  • Install Anti-Virus everywhere
  • Purchase an intrusion prevention module for the firewall
  • Implement Websense Internet content filtering
  • Etc.
• Around this time I began performing a forensic investigation of the image copy of the computer workstation I had taken
• These investigations can be very time consuming, even if all the time is not billable, due to the amount of time required to do keyword searches, etc. This one took weeks.
• Knowing the approximate date that machine was last “known good” (e.g. was last rebuilt) I was able to start looking at the computer workstation’s filesystem history
Financial Fraud
• On the workstation I found six different pieces of malware that WebRoot had identified and removed
• These were put into a quarantine directory, and then “wrapped” with some header information about the identification WebRoot had made
• Aside from these pieces of malware, I manually found another 6 or so pieces of malicious software that their anti-virus or anti-spyware program was unable to find
• I submitted these samples to an online service known as virustotal.com, which ran them through about 30 different AV programs
• While only a portion of the AV programs identified each piece, it helped me identify what they were, and possibly what they did
Financial Fraud
• I was able to see at least one source of infection – there was a malicious Adobe Acrobat PDF file
• This file exploited the PDF reader program and executed JavaScript to download a number of different pieces of malware from a server in Russia (you could see the files being created in rapid succession)
• One of those appeared to be a keylogger, as I found a number of data files that looked like partially encrypted keylog entries
• The PDF file may have come in through e-mail, as there was a remnant of an Outlook Express file at that time, or may have come through browsing
• Unfortunately, by the time I was making real progress with the case, the client wanted to control costs and asked me to stop investigating
Casino Security
• I received a report that a casino surveillance department was accused of accessing files that they were not supposed to have access to
• In casinos, there is a strong separation of duty between surveillance and the rest of the company
  • No fraternizing
  • Separate building entrance
  • Supposed to eat lunch separately
  • Etc., etc. to minimize the risk of collusion
• In this case it was reported someone had “heard” that confidential HR files were unprotected, and had done some poking around in the HR files without approval
Casino Security
• What had happened was that the organization had experienced a failure of the system that hosts their user and group file shares, and they were forced to rebuild the shares
• After they restored the files, they then went about setting the access permissions on the files so that they should be appropriate
• However, they forgot about one system – the Google Cache appliance – which had an AD login and was configured to index their file shares to facilitate searching
• Normally the access rights for the cache were configured in accordance with the file shares, but as these were broken the appliance indexed all of the shares and provided access to the information
Casino Security
• In this configuration, a user could search for a phrase like “contract” and find an excerpt from an employee contract, and then either click on the “cached” link, or directly access the file
• I imaged the computer using a write blocker, and started looking around on the computer, with a mandate of analyzing any office documents or scanned documents (images/pdf) that might be on the computer and appear to be inappropriate
• The computer contained many casino incident reports, and I thought this would be a very interesting job – SURELY there was all kinds of exciting information in all those incident reports, right? Surely there were people being naughty, with pictures!
• Alas, it turns out that the incident reports which I had to read were uniformly boring and mainly had to do with down-on-their-luck people trying to bilk the casino or its customers
Casino Security
• Performed an analysis of the computer using the “Net Analysis” browser history software (commercial) and RegRipper
• Both tools turned up several UNC references to documents on the HR file share, and there was a copy of an employee contract sitting in the temporary Internet folder
• Lessons learned:
  • Some of the jobs that you would think are incredibly interesting are in fact really boring if you have to do them day after day
  • Beware caching appliances! They often cache things you wish they didn’t
  • Caching appliances often have credentials configured into them, often a domain ID for Active Directory or whatever is being used, and they need to be hardened
The Naughty Fireman
• Was brought in to work on a civil action by a law firm representing a county government
• The county’s fire department had an incident where a night-shift fire fighter was suspected of viewing pornography
• This was complicated by the fact that the pornography was gay, and was discovered by a very religious supervisor
• Wanted to fire the employee, but needed a solid case against him in case of a grievance process
• I was provided with three computer workstations that were from the firehouse, and asked to analyze them
• Imaged using a write blocker, and used Net Analysis HSTEXT to low-level scan the hard drive for Internet history
The Naughty Fireman
• Discovered a lot of recreational browsing, starting with normal types of browsing about 3-6 months ago, and ending with very extensive use of gay.com
• Could see browsing of gay.com singles ads, followed by URLs that indicated account creation and setting up of a profile
• Profile was cached on the local workstation, including a profile picture of the firefighter that appeared to show the fire house in the background (a recognizable poster)
• Scanned the hard drive for naughty pictures like the one the supervisor thought he saw
• The workstation had some personal pictures, but no pornography on it. However, the user directory seemed a little bit TOO clean, as if it was sanitized before being handed over
The Naughty Fireman
• Decided to grab all the thumbs.db files on the system that were bigger than the default size and analyze them
• Sure enough, thumbs.db had created thumbnails for about 15-20 pornographic pictures that were previously in the user’s document directory but had since been deleted and wiped (defragged?)
• Was able to document these thumbnails for the lawyers, who presumably had a solid case to work with
• Lessons learned:
  • It’s really funny when your job includes getting paid to talk to expensive lawyers who repeatedly ask you if you found “a cock shot”
  • Thumbs.db doesn’t delete its old thumbnails, but hardly any non-technical people know this – great way to bust people
  • Sometimes our job involves hanging people out to dry that you actually have some sympathy for – for example in this case I discovered through workstation analysis that the guy had just come out of the closet, was getting divorced from his wife, was in the process of filing for bankruptcy and was getting fired from his job all in about one month
Higher Education
• Received a call from a college in Michigan that they had an issue with malware on their workstations and wanted help investigating it
• Had identified a possible suspect based on log entries and wanted verification
• Student was using a laptop and flash drive that were university property
• At the time I was engaged, the student still had his laptop and was attending class
• I verified the log entries and agreed on their identification of the individual
• Advised them on seizing potential evidence and some forensic best practices
• At that time they went to the student while he was in class and took his laptop and flash drive from him
• Made a copy of his data to a new flash drive so he could retain his work
Higher Education
• Student was visibly nervous, and tried to “move” his data rather than “copy” his data from the laptop and flash drive
• Began a forensic analysis on the flash drive and several machines
• College interviewed the student another time and he admitted to the hacking but stated that there were no “key loggers” to get passwords
• I sat in an interview and asked technical questions about how it was done
• Student admitted to writing his own malware, and used Metasploit to attack other machines that were college issued
• This was possible because the administrator password on all college laptops was the same
• Used a “pass the hash” attack to distribute the malware
• Went undetected for months until he made a mistake with a document showing up on a desktop
Higher Education
• Also used a home computer to receive the results of the malware
• Law enforcement was involved – knock and talk
• Student agreed to bring in his home computer for analysis (this turned out to be a mistake on his part – never waive a right!)
• Performed additional forensic analysis and found hacking evidence not only of the college but also of his K12 school (he had graduated 2 years previously) and other wireless networks
• Involved the K12 school
• Also discovered what I believed to be child pornography
• The pornography was found in the “swap” virtual memory file, indicating that it had recently been accessed
• Created a report of findings, which was provided to the K12, College and law enforcement
• At this point went into the void of law enforcement for about 2 years
• In late 2013 got a request from law enforcement to resend the report
Prevention Suggestions – A Too-Short List
• Scan your network regularly with a vulnerability assessment tool like Tenable’s Nessus and fix high-priority issues
• Identify unmanaged systems that might not be getting patched
• Use network segmentation to stop devices from talking
• Use permission segmentation to limit additional access
  • Users are NOT local admin, have minimal access to shares
  • Local admin / service account passwords are unique on each box
• Use modern workstation security software on everything
• Have outsiders perform penetration tests regularly
• Analyze organizational practices and procedures
• Assess the security of applications (especially anything with a SQL back-end that is public-facing)
• Test phishing readiness and user education levels
Prevention Suggestions – Logging
• Configure good logging systems – you may not have the person-power to detect an active attack, but at least you have a chance of figuring it out retroactively
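The retroactive figuring-out is what the Sawmill firewall-log analysis in the Financial Fraud case did: it picked out workstations talking to regions the business had no reason to talk to. As an added Python example that is not from the talk, the script below triages constructed firewall export lines for the exfiltration shapes described in the Pivot and Exfiltrate slide (upload-heavy sessions, non-standard ports, watched destination regions). The log format, lines, country lookup, port allowlist and thresholds are all constructed.

```python
"""Retroactive triage of outbound firewall logs, the kind of analysis the
Financial Fraud case did with Sawmill. Added example for this talk; the log
format, lines, country lookup and thresholds are constructed."""
import re
from collections import defaultdict

# Constructed export lines (one flow per line, key=value fields).
LOG = """\
2016-03-01T02:15:01 action=allow src=10.0.1.17 dst=203.0.113.10 dport=443 proto=tcp sent=2097152 recv=20480
2016-03-01T02:20:44 action=allow src=10.0.1.17 dst=203.0.113.10 dport=443 proto=tcp sent=73400320 recv=8192
2016-03-01T02:31:09 action=allow src=10.0.1.17 dst=198.51.100.77 dport=8443 proto=tcp sent=5242880 recv=4096
2016-03-01T09:02:13 action=allow src=10.0.1.4 dst=192.0.2.25 dport=443 proto=tcp sent=40960 recv=2097152
2016-03-01T09:05:51 action=allow src=10.0.1.4 dst=192.0.2.30 dport=80 proto=tcp sent=12288 recv=819200
2016-03-01T09:07:00 action=deny src=10.0.1.9 dst=198.51.100.5 dport=6667 proto=tcp sent=0 recv=0
"""

# Constructed stand-in for the GeoIP lookup a tool like Sawmill provides.
COUNTRY = {"203.0.113.": "RU", "198.51.100.": "CN", "192.0.2.": "US"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) sent=(?P<sent>\d+) recv=(?P<recv>\d+)$")

STANDARD_PORTS = {80, 443, 53, 25}   # what this (constructed) office expects outbound
WATCH_COUNTRIES = {"RU", "CN"}       # regions this business has no reason to talk to
EXFIL_BYTES = 50 * 1024 * 1024       # per-host upload volume that merits a look
MIB = 1024 * 1024


def parse(text):
    """Parse export lines into dicts; malformed lines are skipped (count them in
    practice, a broken logger hides problems too)."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("dport", "sent", "recv"):
                d[k] = int(d[k])
            recs.append(d)
    return recs


def country_of(ip):
    return next((c for pfx, c in COUNTRY.items() if ip.startswith(pfx)), "??")


def triage(recs):
    """Return {src: {"sent": bytes, "reasons": [...]}} for internal hosts whose
    traffic shows any of the exfiltration shapes described in the talk."""
    sent = defaultdict(int)
    reasons = defaultdict(set)
    for r in recs:
        src, dst, dport = r["src"], r["dst"], r["dport"]
        if r["action"] != "allow":
            reasons[src].add(f"denied -> {dst}:{dport}")
            continue
        sent[src] += r["sent"]
        if dport not in STANDARD_PORTS:
            reasons[src].add(f"non-standard port {dport} -> {dst}")
        if country_of(dst) in WATCH_COUNTRIES:
            reasons[src].add(f"talks to {country_of(dst)} ({dst})")
        # Far more sent than received over an "https" session is the exfil shape.
        if r["sent"] > MIB and r["sent"] > 4 * r["recv"]:
            reasons[src].add(f"upload-heavy session to {dst}")
    for host, total in sent.items():
        if total >= EXFIL_BYTES:
            reasons[host].add(f"{total // MIB} MiB uploaded")
    return {h: {"sent": sent[h], "reasons": sorted(rs)} for h, rs in reasons.items()}


if __name__ == "__main__":
    for host, info in triage(parse(LOG)).items():
        print(host, info["sent"], info["reasons"])
```

The hosts this returns are the ones to pull for the workstation analysis described in the case; none of it is possible if the firewall was not logging before the incident.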
Contact Information
• Q&A
• E-Mail: marklac@cdw.com
• Phone numbers below: