
How to Think Like a Hacker: Lessons Learned & Best Practices

Jointly hosted by:

PRESENTERS

Brian Kirk
Director, Digital Operations and Cybersecurity
Direct: 864.242.2606
[email protected]

Annie Brink
Business Development, Digital Operations and Cybersecurity
Direct: 864.242.2685
[email protected]

(IN)FAMOUS HACKING GROUPS

ANONYMOUS: International Hacktivist / Activist Vigilante

WHO ARE WE DEFENDING AGAINST AGAIN?

Attacker types, listed in order of INCREASING RESOURCES AND SOPHISTICATION (the expansion of attacker types, their resources, and their sophistication):

Recreational
• Fame and notoriety
• Limited technical resources
• Known exploits

Criminal
• Limited technical capabilities
• Adware, , IP theft

Hacktivist
• Statement
• Relentless, emotionally committed
• Vandalism

Organized Crime
• Economic gain
• Significant technical resources
• Established syndicates
• Vast networks

State Sponsored
• Cyber war, state secrets, industrial espionage
• Highly sophisticated
• Nearly unlimited resources and capabilities
• Advanced persistent threats
• Targeted attacks

IN THE NEWS

ANYTHING DIFFERENT THIS YEAR?

TRENDING THREATS

Ransomware: A type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files unless a ransom is paid

Business Email Compromise: Attack through corporate email systems on individuals who have access and means to conduct fraudulent financial transactions

Office 365 (O365): Incident where information is stolen or taken from an O365 email system without the knowledge or authorization of the system's owner

A LOOK INTO THE CURRENT STATE OF THE INDUSTRY

• A 238% increase in cyber attacks against banks is linked to COVID-19 - ZDNET.COM

• As of May 2nd, the FBI is showing an increase of 800% reported cyber crimes to their divisions – entrepreneur.com

• Coronavirus may be the largest-ever global security threat. - thenextweb.com

• Anyone know of any schools recently impacted by cybersecurity problems?

WHY ARE ATTACKS SO SUCCESSFUL?

• Lack of understanding of risk: Organizations do not think they are a target for hackers
• Lack of funding: Budget for information technology is limited, and security is an overall fraction because…
  • UPTIME is considered the most important metric (and rightfully so)
• Lack of knowledge about real world threats and methods to prevent them

ALL ORGANIZATIONS ARE TARGETS

• Nearly half of all cyberattacks are committed against small businesses.
• 60 percent of small companies that suffer a cyberattack are out of business within six months, according to the U.S. National Cyber Security Alliance.
• Cisco security experts explain that small/midmarket businesses are more inclined to pay ransoms to adversaries so that they can quickly resume normal operations after a ransomware attack. They simply can’t afford the downtime and lack of access to critical data — including customer data.

HOW SOME TARGETS ARE ACQUIRED BY CRIMINALS

Attacks are initially driven through automated ‘bots’ which either automate spam messages or scan the internet for vulnerabilities and carry out large portions of cyber attacks without any human interaction.

Live Security Test Performed in Late 2018

Fake finance server placed online with known software vulnerabilities
• +15 seconds: Automated bot exploits known vulnerabilities
• +5 mins: Automated bot discovers and scans system
• +2 hours: Automated bot traverses system, catalogs data, and goes quiet
• +2 days: Hacker returns to remove system data

HOW RANSOMWARE WORKS

76% of attacks typically happen during the night or on weekends
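If most attacks land at night or on weekends, the cheapest detection a small team can run is to raise the priority of administrative events that happen outside the business day. The Python below is an added example, not code from the Elliott Davis deck: it reads constructed log lines, picks out privileged actions (admin logins, backup and shadow-copy deletion, mass renames) that fall outside an assumed business window, and groups them per account so a burst by one user stands out. The log format, the 07:00 to 19:00 weekday window, the event names and the sample lines are all assumptions made for this example.

```python
"""Flag privileged activity in the windows attackers favour.

Added example, not from the Elliott Davis deck. Log format, business window,
event names and the sample lines below are all assumptions.
"""
from datetime import datetime, time

# Assumed business window: Monday to Friday, 07:00 to 19:00 local time.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)

# Assumed event names that precede or accompany a ransomware deployment.
PRIVILEGED_EVENTS = {
    "admin_login",
    "backup_deleted",
    "shadow_copy_deleted",
    "mass_file_rename",
}

# Constructed sample log: "<ISO-8601 timestamp> <user> <event> <host>".
SAMPLE_LOG = [
    "2020-08-12T10:15:02 jsmith admin_login fileserver01",         # Wed, business hours
    "2020-08-12T23:41:17 svc_backup backup_deleted fileserver01",  # Wed, late night
    "2020-08-13T14:22:09 abrown user_login ws-044",                # Thu, not privileged
    "2020-08-15T03:05:44 jsmith admin_login dc01",                 # Sat, 03:05
    "2020-08-15T03:06:10 jsmith shadow_copy_deleted dc01",         # Sat, 03:06
]


def parse_line(line):
    """Split one log line into a dict; raises ValueError on malformed input."""
    ts, user, event, host = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event, "host": host}


def is_off_hours(ts):
    """True on Saturday/Sunday or outside the assumed business window."""
    weekend = ts.weekday() >= 5  # Monday == 0, Saturday == 5
    outside = not (BUSINESS_START <= ts.time() < BUSINESS_END)
    return weekend or outside


def find_off_hours_privileged(lines):
    """Return the privileged events that occurred off-hours, in log order."""
    return [ev for ev in map(parse_line, lines)
            if ev["event"] in PRIVILEGED_EVENTS and is_off_hours(ev["ts"])]


def summarize(hits):
    """Group hits per user so a burst of actions by one account stands out."""
    per_user = {}
    for ev in hits:
        per_user.setdefault(ev["user"], []).append(ev["event"])
    return per_user


if __name__ == "__main__":
    hits = find_off_hours_privileged(SAMPLE_LOG)
    for ev in hits:
        print(f"{ev['ts'].isoformat()} {ev['user']:<12} {ev['event']:<22} {ev['host']}")
    print(summarize(hits))
```

On the constructed sample the weekday daytime admin login is ignored, while the late-night backup deletion and the Saturday 03:05 login followed a minute later by shadow-copy deletion are reported; that second pair is the shape of activity worth paging someone for, regardless of which account performed it.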

HOW RANSOMWARE WORKS – A NEW WRINKLE

Starting in late 2019, a hybrid variety of cyber attack has emerged, in which traditional ransomware tactics are combined with data exfiltration. Attackers notify their victims that if they fail to pay the ransom demand, not only will data on the infected systems remain encrypted, but the attackers will expose highly sensitive data to the public as well.

The only way to know that exfiltrated data is safe from misuse is to know that it was protected by strong, persistent encryption before it was exfiltrated. Encryption isn't a complete answer—firewalls, antimalware, and then some, will continue to be necessary—but by locking down its highest-value data in advance, an organization can protect itself against the worst consequences of this emerging threat.

HOW ATTACKS HAPPEN (BEC)

• Bogus Invoice Scheme From Third Party
• Internal Email Account Compromise
• High Ranking Executive Scheme

Cybersecurity: Where to Start

WHAT SHOULD BUSINESSES BE DOING?

Define what risks are acceptable to your organization: A risk assessment is a non- technical consideration that most organizations overlook when considering cybersecurity. It is important for every organization to determine their greatest area of risk to profitability.

Develop an Incident Response Plan (and test it): One area often overlooked by many organizations is the ability to recover from a serious incident (physical, weather related, cyber, etc.). The risks associated with many cybersecurity threats can be mitigated by having a mature Incident Response Plan that meets a recovery time pre-approved by executive management.

Secure your backups: Do you think Garmin had a backup? Of course they did. Make sure you have an OFFLINE backup… tape or cloud… something attackers can’t reach if they gain administrative access to your network.
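An offline copy only helps if you can show it is intact when you need it, and the check itself should not depend on the systems the attacker now administers. The Python below is an added example, not the presenters' code: it records a SHA-256 manifest of a backup set, then later checks the set against that manifest and reports modified, missing and unexpected files, which is exactly what a backup looks like after an attacker with admin access has encrypted it in place, deleted parts of it and dropped a ransom note. The directory layout, the file names and the simulated tampering are constructed for this example; in practice the manifest travels with the offline medium.

```python
"""Verify a backup set against a SHA-256 manifest.

Added example, not the presenters' code. The layout (manifest kept beside the
backup on the offline medium) and the simulated tampering are assumptions.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file below root (relative path, '/' separated) to its digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root, manifest):
    """Compare the current tree with the manifest taken when the backup was made.

    Returns sorted lists: ok, modified, missing and unexpected. Modified files are
    what encryption-in-place looks like, unexpected files are typically dropped
    ransom notes, and missing files were deleted.
    """
    current = build_manifest(root)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = [rel for rel in current if rel not in manifest]
    return {k: sorted(v) for k, v in result.items()}


def write_file(path, data):
    """Create parent directories and write text or bytes."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb" if isinstance(data, bytes) else "w") as f:
        f.write(data)


def demo():
    """Constructed scenario: manifest a small backup, then tamper with it the way ransomware does."""
    with tempfile.TemporaryDirectory() as backup:
        write_file(os.path.join(backup, "finance", "ledger.csv"), "account,balance\n1001,250.00\n")
        write_file(os.path.join(backup, "hr", "policy.txt"), "leave policy v3\n")
        write_file(os.path.join(backup, "readme.txt"), "quarterly backup\n")

        # The manifest is serialized as JSON; it belongs with the offline copy.
        manifest_json = json.dumps(build_manifest(backup), sort_keys=True)

        # Simulated attacker with admin access to the online copy:
        write_file(os.path.join(backup, "finance", "ledger.csv"), os.urandom(64))   # encrypted in place
        write_file(os.path.join(backup, "README_DECRYPT.txt"), "pay to recover\n")  # ransom note
        os.remove(os.path.join(backup, "readme.txt"))                               # deleted

        return verify_backup(backup, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is only trustworthy if it was written before the incident and stored where the attacker could not rewrite it alongside the data, which is the same reason the slide insists the backup itself be offline; a restore test against this kind of check is what turns "we have backups" into a recovery time you can promise management.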

Develop a ‘Defense in Depth’ strategy: If you spend much time with cybersecurity professionals, you will often hear the term “defense in depth”. This terminology is used to define a process where organizations do not trust one technology, control, or even IT provider to secure their organization.

Test your team: Trust but verify is a well known mantra in the security industry. You should trust your information technology team but verify they are protecting your organization from known risks.

WAYS TO MEASURE CYBER PROGRAM EFFECTIVENESS

PROGRAM ASSESSMENT

PENETRATION TESTING

Each phase lists its Key Capabilities followed by Example Tools.

Reconnaissance
• Apply custom OSINT inventory to domains, systems, and employees
• Evaluate internet / social media footprint of key employees
• Perform passive reconnaissance and external footprinting
Example tools: Recon-NG; Shodan/dnsdumpster; Custom Scripts

Active Scanning
• Identify live hosts, their services and service versions
• Discover web applications running on each system
• Create a target list and approach
Example tools: NMAP, Masscan; Nikto/Wpscan; Directory Scanner/Custom Scripts

Exploitation
• Determine risk and likelihood of attack success
• Develop and manually execute custom exploits
• If in-scope, perform user based attacks using social engineering toolkit
Example tools: Custom Code; Metasploit; Social Engineer Toolkit (SET)

Post Exploitation
• Use local tools and expertise to move laterally and escalate privileges
• Assess if accounts can be enumerated or hashes extracted
• Attempt to script exploit to evaluate data exfiltration capabilities
Example tools: Local tools such as PowerShell or Bash; Custom scripts in Python or JS; Metasploit/Core Impact

Reporting
• Final Report containing all the above steps
• Overview of each issue with a risk score
• Screen Shots and POC code
• Remediation steps

OPEN SOURCE INTELLIGENCE (OSINT) REVIEW

OSINT reports are useful as they give your company insight into the types and amounts of information that has been gathered and stored on the Internet about your organization. The review is performed without directly engaging the Customer network or systems, utilizing a range of effective open source gathering tools to collect information. The goal of this report is to assist your team in improving its cybersecurity posture.

• This assessment utilizes gathering techniques based on the Penetration Testing Execution Standard (PTES) methodology. This approach is designed to mimic the intelligence gathering actions of attackers looking to identify security vulnerabilities against an organization.
• We analyze the impact of publicly exposed user credentials from recent high profile security breaches against the user base, since credential reuse can result in data breaches, system compromises, and loss of data.
• This assessment will use open source information to discover lists of known exploitable weaknesses in your network and hosts, along with unauthorized routes into the target network.

Disclaimer

This material was used by Elliott Davis during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis.

Thank you!

Brian Kirk [email protected] 864.242.2606