Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

[Plumbercon/Ninjacon] Invasion!


Fish AKA Barry van Kampen


It is 04:30 AM, you are awakened by a text message, and your friendly IDS is telling you a bunch of disallowed systems are trying to connect to the internet. Within a few seconds you’re awake, adrenaline pumping through your body; the disallowed connections aren’t usual warnings like the truckload of false positives you handled yesterday. Apparently, the alerts were not so ‘false’ after all. It’s going to be a long, long day…

Intrusion is one of the first phases in the so-called network invasion; this story tells you about what could happen after the first intrusion, what you could do, and what you shouldn’t do.

-----

Everywhere you go there are hacks, and everybody gets hacked eventually.

Invasion is a step beyond being hacked.

The information your company holds could be stolen and sold.

WTF is network Invasion?

Who’s invading

  • Hackers & crackers (hackers aren’t the bad guys)
  • Organized crime
  • People who can make money from it

How to get invaded

  • A hack is made
  • A first system is owned
  • Level 2 attack
    • Further exploitation
  • Hack into the inner network
  • Setup communications
    • To transport information out
  • Maintain access
    • Wait for the good info, sell it, use it, …

Ways to get invaded

  • Zero days
  • Targeted attacks
  • Printers
    • Multi-function devices
  • Insecure wireless
  • Wardialing – Modem access
  • Custom/Prepped Hardware
    • Certified pre-owned

Not all attacks have to be bleeding edge or highly technical… old modem attacks, physical access, and social engineering do it just as well.

Maintaining access -> custom or purpose-written malware/trojans. Custom-written code is worth the investment if an attacker can make money from the attack.


  • Patch Management / LCM
  • Faulty code
    • Application vulnerabilities
    • SQL injection, etc.
  • Human Error
    • Configuration issues
  • Response
    • IDS False Positives
    • Real attacks can get lost amongst a flood of false positives
  • It can start at home!
    • Password stealing
    • See recent Facebook attack


  • Strange patterns
    • Many companies have logs and monitoring, but fail to do full analysis
    • Not much trend analysis
  • System Maintenance
    • Log checking -> people don’t check their logs enough
    • SSH brute-force on your external IP is to be expected
    • SSH brute-force on your internal network is bad!
  • IDSs are providing alerts
    • Mixed amongst other false positives
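Added example (not from the talk or the original post): a small log check that applies the point above, counting failed SSH logins per source and ranking an internal source above the expected external noise. The sample sshd log lines, the RFC 1918 definition of "internal", and the threshold of 5 are all constructed assumptions.

```python
import re
import ipaddress
from collections import Counter

# Constructed sshd log sample (not from the talk): an external and an internal source
SAMPLE_LOG = """\
Mar 12 04:21:07 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 12 04:21:09 web1 sshd[2233]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar 12 04:21:11 web1 sshd[2235]: Failed password for root from 203.0.113.45 port 51041 ssh2
Mar 12 04:21:12 web1 sshd[2237]: Failed password for root from 203.0.113.45 port 51050 ssh2
Mar 12 04:21:14 web1 sshd[2239]: Failed password for root from 203.0.113.45 port 51061 ssh2
Mar 12 04:30:02 web1 sshd[2301]: Failed password for backup from 10.0.5.17 port 40012 ssh2
Mar 12 04:30:03 web1 sshd[2303]: Failed password for backup from 10.0.5.17 port 40013 ssh2
Mar 12 04:30:04 web1 sshd[2305]: Failed password for oracle from 10.0.5.17 port 40014 ssh2
Mar 12 04:30:05 web1 sshd[2307]: Failed password for root from 10.0.5.17 port 40015 ssh2
Mar 12 04:30:06 web1 sshd[2309]: Failed password for root from 10.0.5.17 port 40016 ssh2
Mar 12 04:31:40 web1 sshd[2320]: Accepted publickey for deploy from 10.0.5.2 port 40100 ssh2
Mar 12 04:35:00 web1 sshd[2330]: Failed password for chris from 10.0.5.2 port 40101 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
# "Internal" here means RFC 1918 space; a real deployment would use the site's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
THRESHOLD = 5  # failed logins per source before it counts as brute force (assumed tuning value)


def classify_source(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def brute_force_alerts(log_text: str, threshold: int = THRESHOLD) -> list:
    """Count failed SSH logins per source and rank internal sources above external noise."""
    failures, users = Counter(), {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        user, ip = m.groups()
        failures[ip] += 1
        users.setdefault(ip, set()).add(user)
    alerts = []
    for ip, count in failures.items():
        if count < threshold:
            continue
        scope = classify_source(ip)
        alerts.append({"source": ip, "scope": scope, "failures": count,
                       "usernames": sorted(users[ip]),
                       # the talk's point: external brute force is expected, internal is not
                       "severity": "high" if scope == "internal" else "low"})
    return sorted(alerts, key=lambda a: a["severity"] != "high")
```

On the sample above the internal host 10.0.5.17 is reported first as high severity, while the external source is kept as a low-severity record rather than dropped.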

Incident Response

Gathering information from different sources can be a problem. Communication is key, but you don’t know which communication channels are still secure.

If the team is too large, somebody in the loop may also be involved in the attack. Keep things on a need-to-know basis. Give a heads-up to other teams, but don’t provide more information than is required to achieve the task.

What to do?

Response based actions

  • Find the source and method of attack, monitor, block, fix
    • Check network traffic
    • Use Anti-malware software
      • Can’t help against custom attacks
    • Apply software control
      • White-lists
      • Information flows

The Big Search

  • Search for changes on the network
    • Check file systems
    • File integrity
      • Must have hashes of known good files
      • Do comparison using trusted binary
    • Blacklist checks
    • Whitelist checks

Full Reinstall

  • Reinstall it all!
    • Not practical
  • Risk reduction
  • Have to be sure you solved the issue
    • Is the invasion gone
    • Is the flaw fixed

Be pro-active = being prepared

Incident response policy should be in place

  • A team with gurus
  • Mandate to do what is required
  • External contracts / contacts
    • Ability and permission to reach out to trusted 3rd parties
  • IR is the first part of forensics
  • Legal!
    • Be sure of legal issues
    • Speak to legal department if you have one

To be more pro-active

  • Vuln assessments and audits
  • Check and double check patch management
  • Change management
  • Monitoring and followup

Improve architecture to reduce risk

  • Multiple firewalls, from different vendors
  • IDS monitoring
  • WAF
  • Monitoring of load on servers and networks

The goal here is to make it hard to get through to the soft core.


A good source of information on who’s attacking you, but not legal in all countries (can be seen as tempting attackers).

Links :

Report: Cyber Attacks Caused Power Outages in Brazil
