
Cyber Security 101: Back to the Basics

Shah H. Sheikh – Founder / Sr. Cyber Security Consultant / Advisor
MEng CISSP CISA CISM CRISC CCSK CPSA (CREST UK)

E: [email protected]
://www.linkedin.com/in/shahsheikh/

AGENDA

• Introduction to Cyber Security 101
• The Cyber Incidents and Breaches that made the headlines
• Types of Cyber Threats and Threat Actors in the Region
• Facts and Figures – Cyber Security
• Industries impacted by cyber threats and its implications
• Overview on Local Regulation and Industry Standards
• The Cyber Security MYTHS and how we need to go back to the BASICS – 101
• Q&A

CYBER SECURITY 101

“By 2020, 100% of large enterprises will be asked to report to their board of directors on cybersecurity” Source: Gartner

“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.”

Stephane Nappo

CYBER SECURITY 101

What is Cyber Security?

• Protection of mission- and business-critical assets through logical security controls (this is not physical security), to ensure no adverse impact of any kind to the business.

Why is it important?

• Globalized Digital Data – Every organization holds digital information, many enterprises trade and carry out business transactions online, and each and every enterprise is connected to the internet in one form or another – cyber security threats can materialize from external and internal boundaries. Critical Infrastructure needs to be protected….

Today’s Security Situation

• Cybersecurity is getting worse, not better
• Damages expected to double to $6 trillion by 2021 [1]
• New threats easily evade outdated security models
• Investment continues in redundant, ineffective solutions
• Business & consumer confidence is declining
• 66% of businesses have experienced a data breach [2]
• Average annual costs = $9.5M, up 21% [3]
• 64% of US consumers experienced data theft [4]

“Despite more and more money spent on security each year, our collective problems continue to worsen” - 451 Research

[1] Cybersecurity Ventures Report; [2] Thales Security; [3] 451 Research; [4] Pew Research

Timeline of notable incidents, 2010 to 2017 (slide graphic; lanes: Attacks, Massive Scale, Leaks & Tools)

• Massive increase in quantity and damage caused
• Fileless techniques bypass conventional security
• Advanced attacks have become mainstream
• High-value, critical infrastructure increasingly at risk

Attacks:
• Targeted Iranian nuclear program
• Syrian Electronic Army – spear phishing against Middle East nations
• Heartbleed – exploited SSL vulnerability
• Shell Shock – exploited Linux BASH shell vulnerability
• OPM – breached by Chinese
• North Korean banking theft from Bangladesh (SWIFT)
• Industroyer – Industrial Control System attack
• Linux DNS Server / System-D memory attack
• Linux Stack Clash – Stack Guard flaw
• Apache Struts vulnerability – Equifax
• Sophisticated Fileless Attacks

Massive Scale:
• Adylkuzz – precursor to WannaCry
• WannaCry – massive scale SMB exploit
• Petya & NotPetya – EternalBlue exploit of SMBv1 flaw
• Bad Rabbit ransomware variant

Leaks & Tools:
• Snowden – leaks of NSA toolkits
• Shadow Brokers – ongoing leaks of NSA toolkits
• EternalBlue, DoublePulsar, EternalRomance, DewDrop, Orangutan, Reticulum, EternalRock

Cyber Incident Dwell Time

• 106 days in Middle East in Y2016
• 175 days in Middle East in Y2017

Cyber Threat Actors

Y2018-2021 Predictions

1. Artificial Intelligence (AI) will be weaponized to create mass scale attacks.

2. Large Scale Massive Data Breaches will continue.

3. Crypto-jacking and IoT … created to perform cryptocurrency mining will significantly rise.

4. File-less Attacks that target the memory of endpoints / devices will continue to rise and increase in severity.

Y2018-2021 Predictions (continued)

5. Cyber-Physical Attacks on National Critical Infrastructure will prevail and bring down city wide infrastructure.

6. Key government elections will be hacked causing civil unrest.

7. Laws and Regulations will be stricter, leaving organizations no choice but to take cybersecurity seriously. Board members or C-level executives will be on legal trial for negligence due to a data …

Industry Verticals

National Mandate for Cyber Security

• NESA / SIA
• DESC
• ADSSSA

Story Time …

We were involved in an internal cyber security penetration test exercise for a large enterprise IT environment – RED TEAMING. Our goal was to demonstrate to the executive management team that we can physically ‘hack’ into the customer IT environment and “PWN” the infrastructure – thereby simulating what a real threat actor would do.

We were given 5 days to accomplish this task.

Phase 1: RECON & DISCOVERY

• Phase one was performing a recon and discovery activity of the target facility (Tower Block) and, if time permits, to ethically intrude;

• Reception (Sign-In with Emirates ID)
• Receptionist calls the client to confirm meeting
• Access Card to enter Security Controlled Turnstile
• Access the relevant floor to meet your client
• Next to the receptionist was a directory of all floors and tenants in the building
• Our target was any one of the following departments:
  • Supply Chain / Procurement
  • Finance
  • HR

Phase 2: STAGE & LAUNCH

• After being given the necessary information post-recon phase, it was time to stage and launch the attack. Our RED TEAM went in to deliver a fake RFP response to the procurement team;

• The delivery man had a ‘stammer’ (our expert pen-tester) and left his wallet in the car
• After much deliberation the receptionist’s “human empathy” allowed the delivery man to bypass all checks (exception: filling in the visitor log book) and he was given the go-ahead, with the security guard opening the turnstiles.
• The pen-tester accessed the floor where the procurement department was located

Phase 2: STAGE & LAUNCH

1. Identify Network Access Port (obtain network access)
• Data VLAN (not possible – NAC was deployed and enforced)
• VoIP VLAN (possible – access to the VoIP network but restricted to the VoIP network only)
• Disconnected an MFP – got access by SPOOFING the MAC Address (sticker on the back panel)
• Printer Network on the same User Data Network

2. With DHCP we got the IP address and DNS servers
• Scanning and Recon Activities on the endpoints and servers
• Identified multiple MFPs across the same network
• MFP had a default web interface:
  • Status Page
  • Admin Panel (protected)
  • Bruteforced in 2 minutes
• MFP was integrated with a 3rd party Print Management Suite
• We obtained the IP address of the 3rd party Print Management Suite and exploited a vulnerable input registration form leading to SQLi to obtain admin credentials
• Once logged into the PMS as admin, we discovered it was integrated with corporate Active Directory
• The web application was poorly developed – the AD LDAP string was encoded in the HTML source
• We obtained the SERVICE ACCOUNT used by this 3rd party PMS

Phase 3: EXPLOIT & INSTALL

3. We were now able to make LDAP queries to the AD
• Enumerated all Domain Users and Domain Computers
• Identified all privileges given to the SERVICE ACCOUNT for the 3rd party PMS
• One of them was remote access (RDP) to a server

4. We continued with RDP to that server using the compromised SERVICE account (still NO DOMAIN ADMIN yet)
• Once logged in, with POWERSHELL we executed MIMIKATZ to DUMP in memory (sysadmin)
• Created a domain admin privileged user
• We obtained the SAM and SYSTEM files to obtain the local admin password HASH
• We performed a PASS-THE-HASH attack on all servers including the Domain Controller
• We performed the same attack vector on endpoints / devices and obtained all the local password HASHes
  • With Anti-Virus / Anti-Malware protection
  • No Administrative Privileges
  • No Removable Media
• We installed a ‘dummy’ fake process on one machine to make an encrypted call-back to our cloud (“HOOK”)

Phase 4: PERSIST

5. Once the call-back was successful, the compromised machine was now “hooked” and in our control, and we could then send remote instructions and continue with the penetration test offsite. Persistence and lateral movement now prevail. All of this took one day….

RECON → STAGE → LAUNCH → EXPLOIT → INSTALL → CALLBACK → PERSIST
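As an added, defender-side illustration of the pass-the-hash step in the story above (this is not code from the original presentation): a small Python detector that flags one account performing NTLM network logons to many distinct hosts within a short window, run over constructed Windows 4624-style events. The event fields, account names and host names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample 4624-style logon events (not from the presentation):
# (timestamp, account, target host, logon type, authentication package)
SAMPLE_EVENTS = [
    ("2018-03-01T09:00:05", "svc_print", "FS01", 3, "NTLM"),
    ("2018-03-01T09:00:41", "svc_print", "FS02", 3, "NTLM"),
    ("2018-03-01T09:01:10", "svc_print", "APP01", 3, "NTLM"),
    ("2018-03-01T09:02:30", "svc_print", "SQL01", 3, "NTLM"),
    ("2018-03-01T09:03:55", "svc_print", "DC01", 3, "NTLM"),
    ("2018-03-01T09:00:12", "jdoe", "FS01", 3, "Kerberos"),
    ("2018-03-01T09:05:00", "jdoe", "FS02", 3, "Kerberos"),
    ("2018-03-01T09:06:00", "jdoe", "APP01", 3, "Kerberos"),
    ("2018-03-01T09:07:00", "jdoe", "SQL01", 3, "Kerberos"),
    ("2018-03-01T09:08:00", "jdoe", "DC01", 3, "Kerberos"),
    ("2018-03-01T09:10:00", "backup_svc", "FS01", 3, "NTLM"),
    ("2018-03-01T09:11:00", "backup_svc", "FS02", 3, "NTLM"),
    ("2018-03-01T09:12:00", "svc_print", "WS042", 10, "NTLM"),  # RDP, not a network logon
]


def detect_lateral_ntlm(events, window_s=600, min_hosts=5):
    """Flag accounts that used NTLM network logons (logon type 3) to at least
    min_hosts distinct hosts within any window_s-second window.

    A replayed hash shows up as NTLM rather than Kerberos, because the
    attacker holds the hash, not a ticket. Returns
    {account: sorted hosts in the first window that tripped the threshold}.
    """
    by_account = defaultdict(list)
    for ts, account, host, logon_type, auth_pkg in events:
        if logon_type == 3 and auth_pkg.upper() == "NTLM":
            by_account[account].append((datetime.fromisoformat(ts), host))

    alerts = {}
    for account, logons in by_account.items():
        logons.sort()  # chronological order; ties fall back to host name
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if (t - start).total_seconds() <= window_s}
            if len(hosts) >= min_hosts:
                alerts[account] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for account, hosts in detect_lateral_ntlm(SAMPLE_EVENTS).items():
        print(f"ALERT: {account} reached {len(hosts)} hosts via NTLM: {', '.join(hosts)}")
```

Tune window_s and min_hosts to the environment and allow-list known scanners or backup agents, which legitimately touch many hosts in a short time.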

“Give me six hours to chop down a tree and I will spend the first four sharpening the axe.”

Abraham Lincoln

Security is a Process not an Appliance …

Cyber Security Myths….

• If I have an Anti-Virus solution I am protected…
• Small and Medium Enterprises / Businesses are not real targets…
• Only certain industries are prone to cyber-attacks
• I have never been breached before …
• A strong password is sufficient to protect me …
• Cyber threats originate from the outside
• Cyber security is the responsibility of IT …
• You will know right away if your endpoint device is infected….
• Complete cyber security can be achieved …