O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.

Cyber Analysts: who they are, what they do, where they are - Marco Ramilli - Codemotion Milan 2016

462 visualizações

Publicada em

Cyber security is one of the most challenging topic in the current era. Cyber attacks are becoming day by day more sophisticated and difficult to be detected by automated systems. People who understand cyber threats and act to block cyber attacks are defined as cyber analysts. But what do they really do ? What dificulties do they meet and what background should they have before starting the "neverending" "cyber security" learning path ? Why is not enough an automated system ? Marco will talk about real experiences on the cyber analyst field.

Publicada em: Tecnologia
  • Seja o primeiro a comentar

  • Seja a primeira pessoa a gostar disto

Cyber Analysts: who they are, what they do, where they are - Marco Ramilli - Codemotion Milan 2016

  1. 1. Profilo aziendale YOROI November 26 2016 CodeMotion Milan Marco Ramilli
  2. 2. Profilo aziendale YOROI Cyber Analysts: who they are, what they do, where they are !
  3. 3. Profilo aziendale YOROI Agenda: - Cyber Analysts: who they are! - Cyber Analysts: what they do! - Cyber Analysts: where they are!
  4. 4. Profilo aziendale YOROI Today’s Host ● PhD in Bologna Joint UCDavis ○ Cyber Security, Penetration Testing US Voting Machines ○ Books and Publications ● NIST ○ OEVT ○ Penetration Testing methodologies to help US Democracy ● Palantir ○ Product Company ○ Intelligence Company ● Yoroi ○ One of the most extraordinary cyber security company founded in Europe (Hakin9)
  5. 5. Profilo aziendale YOROI Who they are! Nowadays is not a trivial topic: ● Deep Learning Machines ● Cognitive Computing ● Machine Learning Algorithms ● Neural Networks Undermine the Human side of Cyber Security Analysis. But could that technology really take off the human side of this job ?
  6. 6. Profilo aziendale YOROI Who they are! Dark Avenger Mutation Algorithm (1993) It could produce some decryptor cases that appeared only in about 5% or less of all cases. However, the engine had a couple of minor limitations that were enough to detect the virus reliably using an instruction size disassembler and a state machine. In fact, there is only one constant byte in an MtE decryptor, the 0x75 (JNZ), which is followed by a negative offset—and even that is placed at a variable location (at the end of the decryptor, whose length is not constant).
  7. 7. Profilo aziendale YOROI Who they are! Super Simple Malware Evasion Technique. Credits: https://www.exploit-db.com/34591
  8. 8. Profilo aziendale YOROI Who they are! Red Pill Approach credits: A fistful of red-pills: How to automatically generate procedures to detect CPU emulators
  9. 9. Profilo aziendale YOROI Who they are!
  10. 10. Profilo aziendale YOROI What they do! ● Day 1, Morning. A phone call (from IT department) saying a server is performing weird network requests. ● Day 1, Afternoon. A VMWare image is sent to Cyber Analyst email box he’ gotta run !
  11. 11. Profilo aziendale YOROI What they do! Apport -> Intercepts crashes right when they happen the first time, gathers system information and send back to developers stack traces and useful infos to fixt the crash package-data-downloader -> used by software installers such as dpkg and apt.
  12. 12. Profilo aziendale YOROI What they do! SubProcess … Why ? /usr/bin/lls … What ?
  13. 13. Profilo aziendale YOROI What they do! SubProcess … Why ? /usr/bin/lls … What ?
  14. 14. Profilo aziendale YOROI What they do!
  15. 15. Profilo aziendale YOROI What they do!
  16. 16. Profilo aziendale YOROI What they do! Connect to 198.216.87.22 ?
  17. 17. Profilo aziendale YOROI What they do! Ok, let’s intercept what it sends to 198 ! On the client side in the meanwhile ... Oh boy… really ?
  18. 18. Profilo aziendale YOROI What they do!
  19. 19. Profilo aziendale YOROI What they do! Ok, we’ve got password exfiltration every crash dump and every software update and machine control since ssh is available. But how they trigger persistence on a server ? Maybe attackers trigger crashes from outside ?
  20. 20. Profilo aziendale YOROI What they do! Et Voilà ! CVE-2014-3583
  21. 21. Profilo aziendale YOROI What they do! Ok, we know pretty much a lot of things about the intrusion even how they get persistence... But why the user reported a “strange behavior” ? Maybe attackers needed such a server as pivot server ? Oh..Oh !!
  22. 22. Profilo aziendale YOROI What they do! Here we go ! A nice SEH BOverflow on Windows We need to asks for another server Image ….. :D Ok not today...
  23. 23. Profilo aziendale YOROI What they do! It was a quite original way to penetrate a system… is it a new fancy opportunistic way ?
  24. 24. Profilo aziendale YOROI What they do!
  25. 25. Profilo aziendale YOROI What they do! How “lls” landed here ?
  26. 26. Profilo aziendale YOROI What they do! Only 5 iterations ? - Let’s check it out !
  27. 27. Profilo aziendale YOROI What they do! A simple reminds on Linux passwords: ● schema: $id$salt$hashed ○ $1$ -> MD5 ○ $2a$ -> Blowfish ○ $2y$ -> Blowfish (8-bit chars) ○ $5$ -> SHA-256 ○ $6$ -> SHA-512 ● !: account is password locked ● *: account is locked ● !!: no password set (RedHat)
  28. 28. Profilo aziendale YOROI What they do!
  29. 29. Profilo aziendale YOROI What they do!
  30. 30. Profilo aziendale YOROI Where they are! ● Unfortunately there is not a full learning path to become Cyber Security Analyst so far. ● There are a lot of classes on: ○ Reverse Engineer ○ Firmware Analyses ○ Forensic Analyses ○ Penetration Testing ○ Vulnerability Assessments ○ Secure Policy Assessment ○ . . . . . ● But a Cyber Security Analyst should be able to perform each of these actions + human interactions + strategic thinking + organization chart knowledge + problem solving
  31. 31. Profilo aziendale YOROI Where they are ?
  32. 32. Profilo aziendale YOROI We are Hiring ! www.yoroi.company

×