Saturday, February 1, 2014

Intro to Attacker Methodology

Attacker Methodology

A co-worker and I recently had the opportunity to go work with some of the aspiring infosec gurus at UW this week and so I'm putting all 3 parts of the lecture that we gave here online... so ... let's get started with some basic adversary methodology...

Background / assumptions: 

This is probably useful if you've never defended or broken into a network on your own before. The goal is to provide a primer on understanding malware: understanding what attackers are after, and what they need malware to do for them, should help towards that overall level of understanding.

Attack Phases

Here are the basic phases of an attack, all of which are important in the real world:

  • OSINT
  • Initial Access
  • PrivEsc (Local)
  • Lateral Movement
  • PrivEsc (Network)
  • Persistence
  • Entrenchment

Competition networks

For working in a "game" network you'll only really need to worry about the following attacker phases (but I'd advise reading this whole thing - you can skip the rest of it if you're more TL/DR):

  • Lateral Movement
  • Persistence
  • Entrenchment

I wouldn't really worry beyond that scope in a game because there are almost always rules which allow for the Red Team to pre-compromise the network, or you'll have to deal with a network that's riddled with semi-ridiculous vulns like MS08-067, RPC-DCOM, or stuff that fits into the category of "easily remotely exploited with default Metasploit".

OSINT

Starting access level: No internal access to the network
End Goal: Targeting / Attack strategy and outline of network resources, identities, etc.
Attacker Steps: Use open and public resources to build out a picture of the target
  • Open Source Intelligence (OSINT)
  • Focus on identities (people), technology, and the context and connections between them
  • Connections
    • Connections are what tie the individuals and technologies together
      • Ex: The organization is hiring for a DBA position, so the posting can be analyzed to find out more about the IT support group structure (other individuals) and the technology (the type(s) of databases and web servers that are in the network)
    • Groups, networks, organizations
  • Context
    • Context refers to the roles and responsibilities of the identities/people that are targets
  • Technology
    • OSINT should provide a background of what's in a target network and a start at how it's all connected together.

OSINT - in context - Phishing

  • A commonly used tactic is for attackers to try to get their hands on screenshots or snapshots of internal email or websites to build higher quality phishing or other social engineering content.

For more information on OSINT see:


Initial Access

Starting access level: No internal access
End Goal: Initial access in the network (running arbitrary code in the network)
Attacker Steps: Leverage OSINT information to target and gain access to the network
  • Social Engineering
    • TL/DR: this is where you get people to do things that they probably shouldn't, giving you easy access to the network. This spans everything from getting users to hand over personal information or login credentials to getting them to directly download and execute binaries.
  • Targeted Attacks
    • While the term is completely overused in industry, "targeted" means that the content of the attack is crafted for the target: a phishing, spearphishing, whaling, etc. piece of content meant to appear especially enticing or legitimate to that particular target.
    • Really this covers just about all attacks except for the broadly used Exploit Kits (EKs) run by bot herders.
  • Remote Code Execution
    • Remote Code Execution vulnerabilities come in two main flavors:
      • Server-Side RCE
        • The old-school flavor (MS08-067, RPC-DCOM, etc.) are mostly short-lived software vulnerabilities that crop up in environments that don't have good compliance / patch management, and/or where 3rd parties run remotely accessible services for a company
        • The slightly less old-school flavor are web-based vulnerabilities
        • The newer vulnerabilities are those that result in code execution directly on the server through the service endpoint / exposed API surface. This would 
      • Client-Side RCE
        • These are vulnerabilities accessible either through a document format (usually delivered via email) or through a user agent
        • Attacks right now seem pretty fixated on 3rd party browser plugins, especially Oracle Java

For more information see:

Social Engineering


Web Vulnerabilities (RCE)


Server-Side Code Execution Bugs (new-school)


Client-Side RCE Bugs
