This webinar will explain how to improve Security by adopting the mindset of your opponent, and 'seeing like a hacker'! Main points covered: • Introducing ways in which you can think like a hacker, and get into your attacker's mindset so that you can better identify and assess threats. • How to use this thinking to improve your security controls - how effective are they? And how can you better test them for readiness? • Visual examples to really lift the lid on what your attackers see, as 'hacker vision' gets you thinking in the mindset of a hacker. • Examples covered will include physical security, Network security, as well as IoT security. Presenter: Our exclusive presenter, Mark Carney is a former pen tester and now a professional security researcher for Security Research Labs in Berlin, specializing in embedded systems and IoT. His background spans compliance testing, Red Teaming, full stack pen testing, and social engineering & physical access engagements. Link to the recorded webinar: https://youtu.be/Fx2Ha8kIqgE

1. 1

2. Summary
2
 Security faults are common across different technologies
 To preempt these common issues, it is most effective to view systems from
an attacker’s point of view
 An attacker’s view point leads to better informed security decisions than a
checklist approach since knowing about common hacking methods prunes
the design space to the most effective security controls
 Developing an attacker’s perspective involves threat modeling and keeping
up-to-date with hacking knowledge
 This presentation provides both a framework for reasoning about effective
security and plenty of hacking examples of everyday technology

3. Agenda and overview
3
1. Introduction
2. ‘Hacker Vision’: Seeing like your potential attacker
3. Examples – visual intuition pumps
− Physical examples
− Network examples
− IoT examples
4. Conclusions

4. The ‘OODA’ Loop
4
 Situational Awareness generated
from sensor data
 Analysis of inputs such as:
– Endpoint detection
– Log analysis
– Previous actions
 What is the best action to execute?
– Do you apply restrictions?
– Maybe you monitor further?
– Perhaps begin deep analysis?
 How is this best done?
 Analyze the input data and apply
filters to go from data to knowledge
 Produce action plans
 Order these by effectiveness
 Decide on success/fail criteria – how
will you measure this?
 Execute the action
 Take note of outcome:
– Success/Fail?
 Output of actions to be input for
next loop
The OODA loop is a model for decision making that originated from within the USAF for training fighter pilots. Its relevance to
security is well known, and we will begin by summarizing it here:

5. Common approaches to security (High Level)
5
 Do not read their pentest reports
Security Assessment
Risk Management
Security Awareness
Things people do right What people get wrong
 ‘Ostrich’ approach to Assessment
Outcomes
– Missing Patches
– Ignoring configuration advice
– Assessments do not translate to
meaningful action
 ‘Fortress Mentality’
– ‘Building higher walls is the best’
– No thought towards ‘detection in depth’
to complement ‘defense in depth’
 Lack of incident support
– Blaming users over seeing an
opportunity to improve procedures
– Not taking the opportunities to
empower users to help and act
 Read their pentest reports
 Regular assessments
– Penetration tests
– Code reviews
– Readiness assessments
 Consider their Threat model
– Risk assessment
– Attack surface identification and threat
management
– The ‘OODA Loop’
 Good security awareness
– Developer awareness
– NoC/SoC readiness
– End-User awareness
– CSIRT/CERT with adequate powers and
procedures
Pentest Reports

6. Agenda
1. Introduction
2. ‘Hacker Vision’
3. Examples
4. Conclusions
6

7. Overview of de Bono’s ‘Six Thinking Hats’ describing six modalities used in critical thinking
7
Red Hat - Emotions
 Intuitive or instinctive ‘gut
reactions’
 Statements of emotional
feeling
White Hat - Information
 What are the facts?
 Considering purely what
information is available
Yellow Hat - Optimism
 Logic applied to identifying
benefits & seeking harmony
 Sees the bright/sunny side of
a situation
Green Hat - Creativity
 Statements of provocation
and investigation
 Following instinct on an idea
 Creative, ‘out of the box’
thinking
Black Hat - Discernment
 Logic applied to identifying
reasons to be cautious and
conservative
 Practical, realistic approach
Blue Hat – Managing
 What is the subject?
 What are we thinking about?
 What is the goal?
 Look at the big picture
Security design should optimally adopt adversarial thinking.
A useful framework for such critical thinking is de Bono’s Thinking Hats method:

8. Introducing ‘Hacker Vision’ – developing the idea of a ‘Security Hat’
8
‘Features’ as tools
 Determine what features are of interest to
an attacker, e.g.
– User functionality e.g. search
– Admin functionality
– Developer functionality
 As questions around this
– E.g. can a ‘password reset’ functionality
be abused arbitrarily?
Repurposing technology
 Can your product’s purpose be changed?
 Can the product be maliciously monetized?
 Ask questions relating to the shift of your
products to some other use, e.g.
– Can a product be used as a Bitcoin
miner? How about a Botnet node?
– Can an API function be used to abuse
integrity, confidentiality or availability?
Control Bypass
 Identify potential opportunities for control
bypass
 Ask questions relating to the readiness of
such controls, e.g.
– How hard is that padlock to lockpick?
– How secure are your users’ passwords?
– Are we doing 2FA correctly?
– How do you define and enforce trust?
Monitoring and Notification
 In addition to assessing the coverage of your
protection, assess how well your notification
works
 Question more about time-to-notice an
attack, e.g.
– If someone disabled a door lock, how
long would it take for you to notice?
– What if someone added a DA acct?
Core Idea – Pursuing the adversarial view involves asking a number of questions:

9. Relevance of Hacker Vision in multiple fields of security within an organization
9
Attack
Surface
Threat
Modelling
Assessments
Maintenance
Greater visibility
of a defender’s
security posture
by adopting a
more pointed
adversarial
assessment view
 Exposes data about weaknesses in an attack surface
 Demonstrates to a defender how effective currently active
controls are
 Shows a defender how to better rank identified threats
 Demonstrates what controls may be more appropriate
 Allows better definition of security assessments
 Allows a defender to relativize assessment results
– Can see what is an immediate vs. longer term concern
 Exposes where improvements can be made
– In SDLC, patch management, incident response and
management, etc.
Benefits

10. Agenda and overview
10
1. Introduction
2. ‘Hacker Vision’: Seeing like your potential attacker
3. Examples – visual intuition pumps
− Physical examples
− Network examples
− IoT Examples
4. Conclusions

11. Trivial Example
11

12. Is there anything wrong with this padlock?
12

13. Padlock Evaluation – How easy is it to pick? In this case, very easy
13
Easily picked
 Making use of a simple, custom tool
 See YouTube video:

14. 14
Would you trust this SmartLock?

15. The Bluetooth SmartLocks are easily reverse engineered and hacked
15
Smarth Locks use a basic BLE
management protocol
 The communications over BLE
between the lock and a
smartphone are easily
intercepted and reverse
engineered
 Admin functionality (e.g.
changing passcodes) was
conducted in the clear
 See Anthony Rose and Ben
Ramsay‘s DEFCON 24 slides:

16. What is the issue with this door?
16

17. Common magnetic lock installation errors
17
Magnetic Lock
 On Keypad side of door meaning an attacker has access to
the locking mechanism
 Can interfere with lock wiring or even removal of the
restrictive parts of lock
 Disassembly on the left shows the potential for abuse
– The central nut can be removed to dislodge the
magnetic plate from the mounting bracket
– The lower cover can be removed to essentially unscrew
the mounting bracket from the door
– The wiring can be accessed meaning power can be cut
from the electromagnet
 Additionally, worn keypads can also be a source of
information about a lock
– See Bruce Schneier‘s blog:

18. Agenda and overview
18
1. Introduction
2. ‘Hacker Vision’: Seeing like your potential attacker
3. Examples – visual intuition pumps
− Physical examples
− Network examples
− IoT examples
4. Conclusions

19. 19

20. Messy wiring and unattended USB ports – would you spot a LANTurtle?
20
Messy wiring
 Would you notice a malicious network
implant?

21. Further examples – Malicious USB devices: DigiSpark and BadUSB
21
DigiSpark – a small, inexpensive Arduino-like
microcontroller capable of emulating USB devices such as
keyboards and mice. Can be used for malicious injection of
scripts by posing as a USB keyboard, but capable of typing
at great speed.
BadUSB - An ingenious attack devised by SRLabs
researchers Karsten Nohl and Jakob Lell. The essence of this
attack is to repurpose a standard, off-the-shelf USB flash
drive to become a malicious network device, hijacking the
victim’s network traffic.

22. Malicious ‘Sub-Domain’ pivot and exploitation methodology via a Pass-the-Hash attack
22
‘Sub-Domain’ for your attacker
 If one client gets compromised, so are all the
others
– Attackers will use a ‘Pass the Hash’ attack
to exploit other clients
Common Local Admin (LA) Password
 Functionally, LA is no different from Domain
Admin or Enterprise Admin
 Can do the same actions on client
machines; the difference is their scope
Attacker
C3
C1 C5
C2 C4
Domain Admin logged in on C3
Attacker then compromises C3
to get DA Auth Token
(for a token impersonation attack)
LA Password 1
LA Password 2

23. Agenda and overview
23
1. Introduction
2. ‘Hacker Vision’: Seeing like your potential attacker
3. Examples – visual intuition pumps
− Physical examples
− Network examples
− IoT examples
4. Conclusions

24. 24
Can you trust your IP Cameras?

25. IP Cameras and IoT devices may pose more of a threat than may first be apparent
25
Small Linux Servers
 Tend to run very out of date software
 Badly maintained by both device and
component (SoC/uC) manufacturers
 Cloud services – exposed and
vulnerable to various attacks
– https://srlabs.de/bites/cloud-
cameras/
 Mirai – botnet spread by weak telnet
credentials
 Nov 2016 TR-069 exploit – permitted
spread of malware to vulnerable D-
Link routers

26. Agenda
1. Introduction
2. ‘Hacker Vision’
3. Examples
4. Conclusions
26

27. Conclusions
27
Better secured productsSeeing through ‘Hacker Vision’
 Improve your awareness of gaps in
your endpoint protection
 Adopt a dynamic adversarial mindset
and apply it to your security
 Keep up to date with hacking trends,
knowledge, and research
 Improve your assessment criteria by
means of this knowledge
 Identify where the ‘low hanging fruit’ is
for your threat model
 Gives better coverage of your endpoint
attack surface
 Reveals things that are lax, or not fit for
purpose
 Shows what fixes will be effective in situ
 Can shine a light on what is working
well
 Better assessment planning and
security awareness in a team
…but it is no substitute for appropriate, professional security assessments and
well thought out security planning!

28. SRLabs Template v12
ISO 27032 Training Courses
 ISO/IEC 27032 Introduction
1 Day Course
 ISO/IEC 27032 Foundation
2 Days Course
 ISO/IEC 27032 Lead Implementer
5 Days Course
 ISO/IEC 27032 Lead Auditor
5 Days Course
Exam and certification fees are included in the training price.
https://www.pecb.com/iso-iec-27032-training-courses| www.pecb.com/events

29. SRLabs Template v12
THANK YOU
?
mark@srlabs.de
https://srlabs.de/
https://www.linkedin.com/in/mark-carney-5849163b/
+44 7906 634725
Questions?