Essential Steps in Attackers Incident Response Process

Attackers
Incident Response
Quick Intro
This is not comprehensive as an offensive guide
Pieces are missing to better fit the needs of this course
Some topics are still discussed that may not be directly relevant to IR
But you should know what you’re up against
Information Gathering
Threat Modeling/Vulnerability Analysis
Exploitation
Post-Exploitation
Incident Response
2
Information Gathering
Adversary is gathering information about your network
Often the longest phase of a security assessment
Passive Recon
Never touching the customer
Customer should have no idea you’re gathering info on them
Active Recon
Touching the customer/equipment
Customer could (should) know you’re gathering info on them.
Enumeration
Scans!
Passive Recon (OSINT)
So what are we looking for?
Anything that produces actionable intel
Electronic, Physical, Human
Targets
Organizational information
Employee information
Trust relationships
Everyone fails to realize:
What information they are releasing
What that information means
Networking Example.
OSINT Products
Electronic
Network Info
Remote access
Technologies
Defense
Source code
Archived data
Etc
Physical
Location
Floorplans
Badges
Cameras
Human
Personnel
Org Structure
Phone numbers
Job listings
Social networks
Corporate Relationships
Passive OSINT
Nslookup, dig, and DNS
Whois
Netcraft
Email harvesting
TheHarvester
MxToolbox
Google
Social networks
Shodan/Censys.io
Recon-ng
DNS
Maps names to addresses
How the Internet as we know it works
DNS Record types
A – address record. Name to IP address
CNAME – Canonical Name. Aliases
NS – Name server record
MX – Mail Exchange
TXT – Text record. Additional info
Forward vs Reverse
Zone Transfers
Not passive
Google Dorks
Usage
Directive:Term
site:dsu.edu
allintitle:index of
inurl:admin
inurl:cgi-bin/status
filetype:pdf
Logon
Signin
Signon
Forgotpassword
Forgot
Reset
Active Recon
Less stealthy
Normal traffic
Think browsing websites normally
Only published domains
Port scanning
Vulnerability scanning
Attempted misuse of external application
Password recovery
Tunnels/Proxies
Any traffic that touches the network should be tunneled
Using cloud services (AWS, Azure, GCP, etc)
Web browsing should go through a local proxy first
Burp, OWASP ZAP
Command line tools
Run from cloud instance
Run using proxychains
External Active Recon
Port scanning
Banner grabbing
SNMP Sweeps
Email enumeration
OWA? Zimbra?
DNS
Zone Transfers
Loud
Manual website review
Web app enumeration
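Scans and sweeps like the ones above are loud, and a defender can pull them out of perimeter logs. Added example (not from the slides), in Python: it reads constructed firewall lines in a hypothetical `timestamp src dst dport action` format and flags both a vertical scan (many ports on one host) and a sweep (one port, here SNMP 161, across many hosts) inside a single time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (hypothetical "timestamp src dst dport action" format).
# 203.0.113.5 probes ten ports on one host, 203.0.113.9 sweeps SNMP (161) across five
# hosts, and 198.51.100.7 is ordinary HTTPS traffic that must not be flagged.
SAMPLE_LOG = """\
2024-10-11T09:00:01 203.0.113.5 192.0.2.10 22 DROP
2024-10-11T09:00:01 203.0.113.5 192.0.2.10 23 DROP
2024-10-11T09:00:02 203.0.113.5 192.0.2.10 25 DROP
2024-10-11T09:00:02 203.0.113.5 192.0.2.10 80 ACCEPT
2024-10-11T09:00:03 203.0.113.5 192.0.2.10 110 DROP
2024-10-11T09:00:03 203.0.113.5 192.0.2.10 143 DROP
2024-10-11T09:00:04 203.0.113.5 192.0.2.10 443 ACCEPT
2024-10-11T09:00:04 203.0.113.5 192.0.2.10 445 DROP
2024-10-11T09:00:05 203.0.113.5 192.0.2.10 3389 DROP
2024-10-11T09:00:05 203.0.113.5 192.0.2.10 8080 DROP
2024-10-11T09:00:10 198.51.100.7 192.0.2.10 443 ACCEPT
2024-10-11T09:00:12 198.51.100.7 192.0.2.10 443 ACCEPT
2024-10-11T09:01:00 203.0.113.9 192.0.2.11 161 DROP
2024-10-11T09:01:00 203.0.113.9 192.0.2.12 161 DROP
2024-10-11T09:01:01 203.0.113.9 192.0.2.13 161 DROP
2024-10-11T09:01:01 203.0.113.9 192.0.2.14 161 DROP
2024-10-11T09:01:02 203.0.113.9 192.0.2.15 161 DROP
"""

def parse(lines):
    """Yield (time, src, dst, dport) tuples, skipping blank or malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, _action = parts
        yield datetime.fromisoformat(ts), src, dst, int(dport)

def detect_scans(lines, window=timedelta(seconds=60), port_min=10, host_min=5):
    """Alerts for vertical scans (>= port_min ports on one host) and sweeps
    (one port on >= host_min hosts); each group must fit inside one window."""
    by_pair = defaultdict(lambda: {"keys": set(), "times": []})  # (src, dst) -> ports seen
    by_port = defaultdict(lambda: {"keys": set(), "times": []})  # (src, dport) -> hosts seen
    for t, src, dst, dport in parse(lines):
        by_pair[(src, dst)]["keys"].add(dport)
        by_pair[(src, dst)]["times"].append(t)
        by_port[(src, dport)]["keys"].add(dst)
        by_port[(src, dport)]["times"].append(t)
    alerts = []
    for (src, dst), v in by_pair.items():
        if len(v["keys"]) >= port_min and max(v["times"]) - min(v["times"]) <= window:
            alerts.append({"kind": "vertical", "src": src, "target": dst, "count": len(v["keys"])})
    for (src, dport), v in by_port.items():
        if len(v["keys"]) >= host_min and max(v["times"]) - min(v["times"]) <= window:
            alerts.append({"kind": "sweep", "src": src, "target": dport, "count": len(v["keys"])})
    return alerts
```

The thresholds and the window are tuning knobs; a slow scan spread over hours will slip under a 60-second window, which is exactly why the slides call the fast version loud.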
External Recon Outputs
Network addresses
Targets
Topology
Ports
OSes
Version info
Potential vulnerabilities
Possible defensive measures
Tools
Port scanning
Nmap
Masscan
Zmap
SNMP Enumeration
Onesixtyone
Snmpwalk
Snmpget/snmpset
Web
Burp
ZAP
Nikto
Dirbuster
Websites
Things to look for
Login pages
Forms
Hidden forms
Stats pages
Contacts
Presentations
Technical papers
Error messages
Threat Modeling/Vulnerability Analysis
Adversary is mapping vulnerabilities to exploits
This is really done on their side
Nothing that you’re going to see in your systems
…Except maybe determining vulnerable systems
Exploitation
Exploits traversing the network or hitting the border
Sometimes easy to see them
IDSes may catch them
Signatures
Anomalies
Newer exploits or custom exploits may not get caught
No signatures for them
Some exploits just take advantage of poor configuration
Probably looks like mostly normal or legit traffic
Metasploit
Most common framework used
There are many others
Open source
Lots of moving pieces
Scanning through post-exploitation
Components
Console
Exploits
Auxiliary modules
Payloads
In simple terms…
Do recon.
Do some scanning.
Port scans
Vuln scans
Select a vuln -> Match it to an exploit
Select a payload
pwn
MSF DEMO
Lab
Post-Exploitation
Three P’s
Privilege Escalation
Pivoting
Persistence
Command and Control (C2)
Things can become difficult here
Covert Channels
Encryption
Who’s connecting to whom?
Is it anomalous?
There’s so much of this data on modern networks…
Internal Recon
Local host
Situational awareness
Host info
Continued monitoring
Network
Active directory info
Network connected devices
Other machines that may not be publicly accessible
Internal servers
Not all servers live in the DMZ
But some might be accessible from where you land
Situational Awareness
What user context did we land in?
What other users use this machine?
Who else is logged in right now?
Is this machine on any other networks?
What processes are running?
What network connections is this box making?
Privilege Escalation
You don’t always land in a privileged context
Secure environments will ensure this
Exploits
Privilege escalation exploits
Credentials
Finding creds in files
Services
Pivoting
Moving laterally across the network
Once you land on the network, the local host will get boring fast…
Start moving around the network to achieve our objective as an attacker
Domain controller
Sensitive data
Places to hide
Hopping to other networks
Persistence
Keeping hooks in the network
How do we get back in later?
What if the vulnerability is patched?
Ways to persist
AppInit DLLs
Services
Trojanized Binaries
DLL hijacking
Run key persistence
Linux SSH Keys
Startup Files and Login Scripts
Valid accounts
Web Shell
WMI Event Subscription
DLL Search Order Hijacking
Etc.
Command and Control (C2)
Once the attacker is this far, your network is compromised
Likely at a privileged level
A LOT of recent developments here
We could build an entire workshop on this alone
Varying
Attacker needs to be able to control their persistence
Easy
Connecting directly out over a strange port
Especially if this is a server
Netstat output from a Windows machine
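The "easy" case above is a server holding a connection straight out to the internet on a port it has no business using, which is visible in plain `netstat -ano` output. Added example (not from the slides), in Python: it parses a constructed Windows `netstat -ano` listing and reports established connections that leave the internal address space on a port outside an assumed short list of expected outbound ports.

```python
import ipaddress

# Constructed `netstat -ano` output from a hypothetical Windows server (not real data).
# PID 6120 talks directly out to a public host on 4444; the rest is a listener,
# inbound SMB from the LAN and ordinary outbound HTTPS.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.0.0.5:445           10.0.0.23:51022        ESTABLISHED     4
  TCP    10.0.0.5:49801         203.0.113.77:4444      ESTABLISHED     6120
  TCP    10.0.0.5:49811         198.51.100.20:443      ESTABLISHED     2288
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:123            *:*                                    1100
"""
# Assumptions for this example: the only ports a server should reach out on, and the
# ranges that count as "inside" (the documentation ranges above are treated as external).
EXPECTED_OUTBOUND = {80, 443}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def split_endpoint(endpoint):
    """'203.0.113.77:4444' -> ('203.0.113.77', 4444); '[::]:0' -> ('::', 0); '*:*' -> (None, None)."""
    host, _, port = endpoint.rpartition(":")
    if not port.isdigit():
        return None, None
    return host.strip("[]"), int(port)

def is_internal(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in INTERNAL_NETS if net.version == addr.version)

def parse_netstat(text):
    """Yield (remote_host, remote_port, state, pid) for TCP rows; skip headers and UDP."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        rhost, rport = split_endpoint(parts[2])
        yield rhost, rport, parts[3], int(parts[4])

def suspicious_outbound(text, expected=EXPECTED_OUTBOUND):
    """Established connections to an external address on a port the server should not use."""
    hits = []
    for rhost, rport, state, pid in parse_netstat(text):
        if state != "ESTABLISHED" or rhost is None or is_internal(rhost):
            continue
        if rport not in expected:
            hits.append((rhost, rport, pid))
    return hits
```

The PID in each hit is the pivot into process, parent and binary path on the host, which is where the investigation goes next.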
Hard, Harder
Gets a little harder if we’re using ports that are normally used
HTTP? DNS? HTTPS???
With HTTPS now our traffic is encrypted
It likely already was, with whatever tool was being used
Let’s send all traffic from servers through a workstation
SMB
Let’s buy a domain and a certificate
Domain categorization
Domain reputation?
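Once C2 rides on HTTPS to a freshly bought domain with a valid certificate, port and payload inspection stop helping and the destination may have no reputation yet. What is still left to the defender is timing: implants check in on a schedule, people do not. Added example (not from the slides), in Python: it reads a constructed web-proxy log in a hypothetical `timestamp src host port` format and scores each client/host pair by how regular the gaps between requests are.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed web-proxy log (hypothetical "timestamp src host port" format, not real data).
# 10.0.0.21 calls cdn-updates.example over 443 about once a minute with slight jitter,
# which is what a beacon looks like; its traffic to www.example.com is irregular browsing.
SAMPLE_PROXY = """\
2024-10-11T10:00:00 10.0.0.21 cdn-updates.example 443
2024-10-11T10:00:05 10.0.0.21 www.example.com 443
2024-10-11T10:00:07 10.0.0.21 www.example.com 443
2024-10-11T10:00:40 10.0.0.21 www.example.com 443
2024-10-11T10:01:01 10.0.0.21 cdn-updates.example 443
2024-10-11T10:02:00 10.0.0.21 cdn-updates.example 443
2024-10-11T10:02:15 10.0.0.21 www.example.com 443
2024-10-11T10:02:16 10.0.0.21 www.example.com 443
2024-10-11T10:03:02 10.0.0.21 cdn-updates.example 443
2024-10-11T10:04:01 10.0.0.21 cdn-updates.example 443
2024-10-11T10:05:00 10.0.0.21 cdn-updates.example 443
2024-10-11T10:05:50 10.0.0.21 www.example.com 443
2024-10-11T10:06:01 10.0.0.21 cdn-updates.example 443
"""

def beacon_scores(lines, min_events=6):
    """Per (src, host) pair: (event count, mean gap in seconds, coefficient of variation).
    A low CV means the gaps are nearly constant, i.e. machine-timed rather than human."""
    times = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        times[(parts[1], parts[2])].append(datetime.fromisoformat(parts[0]))
    scores = {}
    for pair, ts in times.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0:  # a burst of identical timestamps is not a beacon
            scores[pair] = (len(ts), avg, pstdev(gaps) / avg)
    return scores

def find_beacons(lines, max_cv=0.1, min_events=6):
    """Return the (src, host) pairs whose timing regularity is below max_cv."""
    return sorted(pair for pair, (_n, _avg, cv) in beacon_scores(lines, min_events).items()
                  if cv <= max_cv)
```

Real implants add jitter and sleep, so the CV threshold is a starting point to tune against your own proxy data, not a fixed rule.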
Hardest
Domain Fronting
Traffic is going to Google?
Red teams & pen testers always have scope; real actors don’t
Every time you talk about scope you are creating artificial limits
Attackers could compromise a third party site
Could be valid, commonly used, and even whitelisted
Uploaded on Oct 11, 2024