Investigating PowerShell Attacks
Ryan Kazanciyan and Matt Hastings
Over the past two years, we've seen targeted attackers increasingly make use of PowerShell to conduct command-and-control in compromised Windows environments. If your organization is running Windows 7 or Server 2008 R2, you've got PowerShell 2.0 installed (and on Server 2012, remoting is enabled by default!). This has created a whole new playground of attack techniques for intruders that have already popped a few admin accounts (or an entire domain). Even if you're not legitimately using PowerShell to administer your systems, you need to be aware of how attackers can enable and abuse its features.
This presentation will focus on common attack patterns performed through PowerShell - such as lateral movement, remote command execution, reconnaissance, file transfer, and establishing persistence - and the sources of evidence they leave behind. We'll demonstrate how to collect and interpret these forensic artifacts, both on individual hosts and at scale across the enterprise. Throughout the presentation, we'll include examples from real-world incidents and recommendations on how to limit exposure to these attacks.
Evolution of Penetration Testers vs Attackers
Penetration testing came about because of real world attacks. The industry quickly realized that we need to behave like the attackers to learn how to defend against them, and thus the penetration testing industry was born. Back then, if an exploit was found it was released in raw format, then possibly (probably) perfected by others and released again. Our methodologies and detections for defense against these attacks were derived from this type of approach. This approach became very paint by numbers! The initial onset of penetration testing was derived from real world attacks, and we evolved the penetration testing concept, but then stopped a few years ago. We quit mimicking real attackers. Why did we do this? It isn’t because as an industry we didn’t want to continue to advance it; it was because it became too difficult. Why so difficult? Because the times have changed, and people don’t just give out things like they used to (attackers especially). True attackers find a vulnerability/exploit and treat it as something special: they understand it, they research all aspects of it, and then they weaponize it. This approach takes time and money. When money got involved, the penetration testing industry went in a different direction than real world attacks. Yes, our tools replicate “bad” things on networks, but they don’t replicate everything.
We will cover the not-so-common tactics, techniques, and procedures (TTP) scenarios from real world attacks and show the differences between true attackers and current penetration testers. This talk will focus on the binary and forensic aspects of these scenarios to show the significant differences between true attacks and penetration tests.
Me Code Pretty One Day: .NET Bug Hunting and Exploitation
Java isn't the only managed language with bugs. This talk will cover the current state of .NET reverse engineering and exploitation, including practical examples of both application-level and framework vulnerabilities. We'll cover the various strengths and weaknesses of .NET security features, including bypassing strong-name signing and the GAC. Finally, I will provide a short demo on how to modify the behavior of the .NET framework through DLL byte patching.
Microsoft Internet Explorer UAF Exploitation: Past, Present and Future
Over the last couple of years we’ve seen a rise in use-after-free zero-day vulnerabilities being exploited in Microsoft Internet Explorer. Internet Explorer has a rich attack surface that allows attackers to maximize their return on investment. This talk focuses on the exploitation techniques that have been used in the past by attackers and sheds light on the future of UAF exploitation in MS IE.
I’ll begin by reviewing common techniques that have been used to exploit IE. Then I’ll discuss the mitigations introduced that made UAF exploitation harder. I’ll also talk about the introduction of Isolated Heap and how it changes UAF exploitation.
Finally, I’ll apply these exploitation techniques to CVE-2014-1776 and demonstrate an exploit.
Anatomy of a VoIP Hack and How to Prevent Them
As the popularity of VoIP continues to increase, individuals and businesses continue to suffer financial losses. Popular VoIP servers provide minimal security features and many compromises go completely undetected until fraud occurs. Using data from custom tools and live PBXs, this session will examine real-world attacks on SIP-based systems including technical details, the motivation of attackers, and what must be done to stop them.
Don’t Spill Your Candy in the Lobby: Managing the Corporate Infosec Risks From Open Source Intelligence (OSINT)
In the reconnaissance phase of an attack, the attackers will use tools to gather information about a target organization. We often worry about what architectural vulnerabilities they can discover with scanning tools. But Open Source Intelligence (OSINT) is just as valuable to attackers, since it can be used to launch successful social engineering attacks. (This is what I call “spilling your candy in the lobby” – lots of goodies for attackers to feast on.) But what can an attacker really learn about your organization from OSINT?
Most of the tools used by attackers are freely (or cheaply) available, and any security manager can use them to easily determine the visibility of corporate information that may be valuable to attackers. This management level session will identify the types of tools and methods used to exploit information made easily available by corporate employees, and will prescribe a process for thwarting attackers by minimizing the exposure of corporate OSINT to attackers.
Satirists, Supporters and the Real Deal: Identifying Extremists in a Sea of Social Media
With the widespread adoption of social media, in particular Twitter, by extremists around the globe, there is increasing interest in how to identify and monitor them. Traditional approaches include keyword monitoring, text analytics, or sentiment analysis, but in many cases these techniques are only useful once the target group has already been identified. This talk will demonstrate a different approach, via automated image analysis, that can be used to rapidly establish a dataset to begin monitoring extremist groups on Twitter. The issues that go along with image vs. text analysis will also be discussed, including the challenges of creating a classifier for the computer vision non-expert.
Other technical topics will include solving six degrees of separation, graph exploration and how to stand up a Twitter intelligence gathering and analysis system in less than 30 minutes and for zero cost. Expect some Python.
Improving Scalable, Automated Baremetal Malware Analysis
Adam Allred and Paul Royal
The detection of virtualized malware analysis environments has become increasingly popular and commoditized. Sophisticated virtualization detection techniques are now available to any novice cyber criminal. As a result, multiple analysis environments have been crafted that attempt to address virtualization-based transparency shortcomings. One such response has involved the creation of baremetal malware analysis systems.
The challenge of baremetal malware analysis lies in the ability to reliably automate the processing of large volumes of malware despite reduced control over the analysis environment as compared to traditional virtualized systems. In this presentation we examine NVMTrace, an open source baremetal malware analysis framework. To improve the state of the art, we describe enhancements that both further increase the system's transparency and augment its reliability.
Two years of Applying ITSG-33: Report from the Trenches
As an IT security analyst, I have spent most of the past two years applying key processes and activities of ITSG-33 to real-life IT projects. From new infrastructure services to mission-critical business applications to changes to existing information systems, I had many opportunities to put ITSG-33 guidance to the test and measure how effective it can be at improving information system security in today’s Government of Canada IT landscape.
In this presentation, I will share with you my experience during the last two years of applying ITSG-33 guidance to support IT projects. Departmental security control profiles, departmental threat assessments, system-specific security controls, system security engineering, threat and risk assessments, security assurance, security assessment and authorization, and capability maturity are on the menu. I will talk about what I did, what worked and what didn’t and why, some lessons learned, and my thoughts on where organizations should go with ITSG-33 moving forward.
Rebuilding the Credibility of a Security Team
Many CISOs/CSOs and Directors of Security Operations are facing the challenge of increased expectations, misplaced assumptions of responsibility, and limited resources to deliver success. This leads to increased frustration within the security teams who are striving to protect their organizations. The rest of the organization often feels that the security team is either not delivering results, or regards IT security as an unwanted, interfering overhead. Paul has been brought in multiple times to rebuild IT security organizations and turn them into respected and valued teams that deliver results and are relied upon.
This presentation will show how Paul has been able to change the delivery model of the IT security teams, improving morale and efficiency, while simultaneously regaining the respect of other teams within the organizations including audit, IT service delivery, and the business leaders. He has delivered success within Fortune 5 companies, within critical infrastructure organizations and for multiple IT security delivery organizations.
SMASH the Status Quo to Increase National Cybersecurity
While security guidelines, frameworks, certifications, evaluations, and other documentation often provide comprehensive direction on safeguards and controls, getting that guidance implemented by organizations at a national scale is difficult. Despite the availability of security guidance since the 80s, even large technology-savvy organizations can find it challenging to implement the safeguards and controls required to address today’s evolving threats. These challenges become even more acute at the small-to-medium enterprise level, where resource constraints can prevent the interpretation and application of even the shortest guidance documents. It’s high time that we shift the focus from developing documentation and move to actions that will have measurable impact on improving the overall assurance of national portions of cyberspace. Join John Weigelt, National Technology Officer for Microsoft Canada, as he explores how a bias for action can help improve national-level cybersecurity in Canada.
The Changing Landscape for Retail Payments in Canada: From Money to E-Money
The retail payment landscape in Canada and elsewhere is changing rapidly as new technology and new business models change the way people pay for their purchases. In particular, people are substituting electronic means of payment, e-money, and even cryptocurrencies for cheques and cash. This presentation will discuss the evolution from money to e-payments and e-money. It will also examine the future of money and e-money; specifically, how important are factors such as speed and convenience, and security and fraud, in affecting people’s choice of payment instruments?
The Privacy Dilemma: Social Responsibility in the Age of Big Data
There has been a lot of conversation in Canada about how to protect privacy rights in an era of big data. Marketing companies, loyalty card providers and individual businesses are collecting personal information about their clients every day, and sometimes selling that information to third parties. Erin Kelly explores the controversy surrounding data collection and personal privacy. In her talk she will discuss:
- What data is being collected today and how can it be used?
- How Canada's privacy laws are hurting Canadian business
- Some controversies that have arisen - how could they have been better mitigated?
- Limiting the collection of personal data is not the answer - there are too many socially positive reasons to allow for the collection of personal data
- Explore ways to achieve both - allow for the collection of important information while protecting individual privacy
Using WEBINT to Identify Critical Infrastructure Risks
WEBINT analysis can identify the targeting trends and methodologies of both cyber state actors and hacktivists. Recent Recorded Future analysis identified multiple instances where hacktivist operations have opened the door for state directed attacks. This presentation will discuss how APTs can leverage exposed credentials and widely available exploits to target critical infrastructure.
Lost in Translation: Effective Communications for Information Security
As Information Security professionals, communications often take a back seat when our priorities range from keeping the lights on to delivering cutting-edge security technologies to protect our businesses. Not only is communicating with the non-technical something that many in Information Security, and IT in general, cringe at the very thought of, but it's also just another responsibility to pile on our plates. Nonetheless, communications with your employees, executive stakeholders, vendors, and customers are invaluable to the continued security of your organization and should be treated as a priority. Enabling your employees to understand what they see in the news every day, to grasp the impact of the new technologies you are rolling out, and to proactively look for threats to your organization will only help strengthen the "weakest link." The ability to translate highly technical security language into layman's terms, and having the patience to field questions from non-technical counterparts, is an art and should be the primary focus of someone in your security organization.
Open-source Security in the Era of Heartbleed
Nelson Ko and Sherif Koussa
Recent zero-days in popular open-source software have led to a lot of controversy, an old debate fueled by the Heartbleed bug. The old question was: Is open-source software really more secure than closed-source? However, with open-source adoption rates on the rise in the enterprise, especially in the Government sector, a new question emerges: How much trust can be put in open-source software, and how does open-source software react to the ever-changing threat landscape? In the era of cyber-espionage and the multitude of security tools, information is available to individuals and blackhats as well as state-sponsored agencies. The old mantra of “Given enough eyeballs, all bugs are shallow” does not hold firm anymore, and the recent zero-days in OpenSSL are fine examples that we need more than this if we are to depend on open-source for business-critical missions. Open-source was created collaboratively, so it only makes sense to secure it collaboratively. This session will go over the most used security models in popular open-source software as well as the current emerging models. Finally, this session introduces Tiki Wiki CMS Groupware, the first open-source software to reach high-assurance security using a crowd-funding approach. We will explore the approach, the process used to assess the security of the software, and the process followed for remediation.
Cyber Threat: Wireless APT
Malicious cyber activities are growing both in number and in complexity.
Many advanced cyber attacks exist, and the current trend is one of attackers exploiting the 'low hanging fruit' cyber vulnerabilities of organizations, since many are struggling to effectively implement comprehensive safeguards for their wired cyber systems. Many classified systems achieve high levels of security by being physically 'closed' to the outside world. Recently we have observed the advanced Threat Actor implanting wireless-based infiltration and exfiltration vectors as a technique for circumventing robust cyber defences, and especially closed or air-gapped systems. In order to facilitate an improved understanding of the implant-based wireless threat vectors in the cyber environment, we propose to describe the Wireless Advanced Persistent Threat (WAPT). This WAPT description is an essential foundation for fostering a common understanding of the implanted wireless attack and exfiltration vector and the threat agent's tradecraft, and for modeling and simulation of this little understood but unique and deadly cyber attack vector.