Notes TASK May 25 2011

From Federal Burro of Information
Revision as of 22:15, 15 October 2011 by David (talk | contribs) (Created page with "== Exfiltration == * attackers don't user the front door. * Wholesale v retail ** we have seen wholesale attacks that affect common components. ** in the retail world we attack ...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

Exfiltration

  • attackers don't user the front door.
  • Wholesale v retail
    • we have seen wholesale attacks that affect common components.
    • in the retail world we attack those things that are specific to the target.
    • "one shot one kill"
  • the long game
  • need email address.
  • predictable email addresses.
  • PTO news later , getting
    • multigo - intel gathering
    • linked in google hacks
  • inference attack,
    • troop movements are an exmaple
  • http://samy.pl/peepmail/
  • profile the company and build a scenario
    • 10k filings
    • mergers and aquisitions
    • defence contractors
    • corp fileing, news, layoff
  • Fedex and UPS doesn't validate sedner address
  • register tuns of variations of your domain to protect against others registering variations
  • The speaker explained a scenario where he send training cds to staff that took over their computer. As part of the atttack he registered a variation of the targets company's name to gain validity in the eyes of the users.
    • DT to what end? are you just scaring peple ? is it possible to protect ?
    • DT are you tring to create twitching balls of anxiety?
    • DT how can a company possibly protect against this?
  • payload contruction
    • microsoft signed applet.
    • site loader , valid cert , valid domain, user clicks ok.
  • annoucing the hiring of a new exec
  • homographic attacks
  • utf8 domains
  • idn register with duplicate S in cyrillic.
  • multifactor foils this a bit, slows this down,
  • not all sigs get distributed in the GA data releaase.
  • pescrambler can be used to create exes that are hard to "understand", this works in the spear phishing scenario as there is no widespread knowledge of the behaviors.

C&C

  • listening on 443
  • some IPS can detect suspected traffic
  • you can use ie to handle the out bound connection for you.
  • exfiltration:
    • DNS DNS2tcp nstx , iodine
    • simple to detect , difficult to deter.
    • the best defence is dns whileisting.
  • cyber pompeii
    • no scanning
    • no escalating
    • password reuse.,
    • serivce accounts
    • general pilfering
  • gather data.
    • antivirus service account are great targets.
    • targets are patent pipeline, sourc econtrol
  • now what?
    • perimeters in perimeters
    • strong open processes
    • so more than any security product.
  • internal red teams, DIY,
    • jericho initiative ??
  • phish your own users and clients
  • how do you protect against invading the wrong people's privacy
    • policy: "wont' targets machines you don't own"
  • data destruction policy