This webinar will explain how to improve security by adopting the mindset of your opponent, and 'seeing like a hacker'!
Main points covered:
• Introducing ways in which you can think like a hacker, and get into your attacker's mindset so that you can better identify and assess threats.
• How to use this thinking to improve your security controls - how effective are they? And how can you better test them for readiness?
• Visual examples to really lift the lid on what your attackers see, as 'hacker vision' gets you thinking in the mindset of a hacker.
• Examples covered will include physical security, network security and IoT security.
Presenter:
Our exclusive presenter, Mark Carney, is a former pen tester and now a professional security researcher at Security Research Labs in Berlin, specializing in embedded systems and IoT. His background spans compliance testing, red teaming, full-stack pen testing, and social engineering and physical access engagements.
Link to the recorded webinar: https://youtu.be/Fx2Ha8kIqgE
2. Summary
• Security faults are common across different technologies.
• To preempt these common issues, it is most effective to view systems from an attacker's point of view.
• An attacker's viewpoint leads to better-informed security decisions than a checklist approach, since knowing about common hacking methods prunes the design space to the most effective security controls.
• Developing an attacker's perspective involves threat modeling and keeping up to date with hacking knowledge.
• This presentation provides both a framework for reasoning about effective security and plenty of hacking examples of everyday technology.
4. The 'OODA' Loop
The OODA loop (Observe, Orient, Decide, Act) is a model for decision making that originated within the USAF for training fighter pilots. Its relevance to security is well known, and we will begin by summarizing it here:
• Situational awareness is generated from sensor data, through analysis of inputs such as:
  – Endpoint detection
  – Log analysis
  – Previous actions
• What is the best action to execute?
  – Do you apply restrictions?
  – Maybe you monitor further?
  – Perhaps begin deep analysis?
• How is this best done? Analyze the input data and apply filters to go from data to knowledge.
• Produce action plans:
  – Order these by effectiveness
  – Decide on success/fail criteria: how will you measure this?
• Execute the action and take note of the outcome:
  – Success/fail?
  – The output of the actions becomes the input for the next loop
5. Common approaches to security (High Level)
Things people do right:
• Pentest reports – Read their pentest reports
• Security assessment – Regular assessments
  – Penetration tests
  – Code reviews
  – Readiness assessments
• Risk management – Consider their threat model
  – Risk assessment
  – Attack surface identification and threat management
  – The 'OODA Loop'
• Security awareness – Good security awareness
  – Developer awareness
  – NOC/SOC readiness
  – End-user awareness
  – CSIRT/CERT with adequate powers and procedures
What people get wrong:
• Pentest reports – Do not read their pentest reports
• Security assessment – 'Ostrich' approach to assessment outcomes
  – Missing patches
  – Ignoring configuration advice
  – Assessments do not translate to meaningful action
• Risk management – 'Fortress mentality'
  – 'Building higher walls is the best'
  – No thought towards 'detection in depth' to complement 'defense in depth'
• Security awareness – Lack of incident support
  – Blaming users over seeing an opportunity to improve procedures
  – Not taking the opportunities to empower users to help and act
7. Overview of de Bono's 'Six Thinking Hats' describing six modalities used in critical thinking
Security design should optimally adopt adversarial thinking. A useful framework for such critical thinking is de Bono's Thinking Hats method:
• Red Hat - Emotions: intuitive or instinctive 'gut reactions'; statements of emotional feeling
• White Hat - Information: what are the facts? Considering purely what information is available
• Yellow Hat - Optimism: logic applied to identifying benefits and seeking harmony; sees the bright/sunny side of a situation
• Green Hat - Creativity: statements of provocation and investigation; following instinct on an idea; creative, 'out of the box' thinking
• Black Hat - Discernment: logic applied to identifying reasons to be cautious and conservative; a practical, realistic approach
• Blue Hat - Managing: what is the subject? What are we thinking about? What is the goal? Look at the big picture
8. Introducing 'Hacker Vision' – developing the idea of a 'Security Hat'
Core idea – Pursuing the adversarial view involves asking a number of questions:
• 'Features' as tools: determine what features are of interest to an attacker, e.g.
  – User functionality, e.g. search
  – Admin functionality
  – Developer functionality
  Ask questions around this, e.g. can a 'password reset' functionality be abused arbitrarily?
• Repurposing technology: can your product's purpose be changed? Can the product be maliciously monetized? Ask questions relating to the shift of your product to some other use, e.g.
  – Can a product be used as a Bitcoin miner? How about a botnet node?
  – Can an API function be used to abuse integrity, confidentiality or availability?
• Control bypass: identify potential opportunities for control bypass, and ask questions relating to the readiness of such controls, e.g.
  – How hard is that padlock to lockpick?
  – How secure are your users' passwords?
  – Are we doing 2FA correctly?
  – How do you define and enforce trust?
• Monitoring and notification: in addition to assessing the coverage of your protection, assess how well your notification works. Ask about the time-to-notice an attack, e.g.
  – If someone disabled a door lock, how long would it take for you to notice?
  – What if someone added a Domain Admin (DA) account?
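As an added example that is not from the webinar, the following Python script replays constructed Windows Security event records (4728 and 4732 are the real event IDs for additions to global and local groups; every value below is made up) and measures the 'time-to-notice' for a Domain Admins membership change, turning the 'what if someone added a DA account?' question into a number. The event field names, the acknowledgement table and the `now` timestamp are assumptions for the illustration.

```python
"""Time-to-notice check for the 'what if someone added a DA account?' question.

Added example (not from the webinar): replays constructed Windows Security
event records and measures how long a Domain Admins membership change went
unnoticed before an analyst acknowledged the alert.
"""
from datetime import datetime

# Constructed sample events. 4728 = member added to a security-enabled global
# group, 4732 = member added to a local group. Field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2017-03-01T09:14:02", "id": 4624, "group": "", "member": "", "subject": "alice"},
    {"ts": "2017-03-01T09:20:11", "id": 4728, "group": "Domain Admins", "member": "svc-backup2", "subject": "bob"},
    {"ts": "2017-03-01T09:21:40", "id": 4732, "group": "Remote Desktop Users", "member": "carol", "subject": "alice"},
    {"ts": "2017-03-03T14:05:00", "id": 4728, "group": "Domain Admins", "member": "tmp-helpdesk", "subject": "eve"},
]

# Constructed analyst acknowledgements: member -> when someone actually looked.
ACKNOWLEDGED = {"svc-backup2": "2017-03-01T09:35:00"}

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}


def privileged_additions(events):
    """Return the 4728 events that touch a privileged group."""
    return [e for e in events if e["id"] == 4728 and e["group"] in PRIVILEGED_GROUPS]


def time_to_notice(events, acks, now):
    """Map each privileged addition to the seconds it went unnoticed.

    Unacknowledged additions are measured against `now`, so a forgotten alert
    keeps growing instead of silently dropping out of the report.
    """
    now_dt = datetime.fromisoformat(now)
    report = {}
    for e in privileged_additions(events):
        added = datetime.fromisoformat(e["ts"])
        ack = acks.get(e["member"])
        end = datetime.fromisoformat(ack) if ack else now_dt
        report[e["member"]] = {"seconds": int((end - added).total_seconds()),
                               "acknowledged": ack is not None}
    return report


if __name__ == "__main__":
    for member, r in time_to_notice(SAMPLE_EVENTS, ACKNOWLEDGED, "2017-03-06T08:00:00").items():
        state = "acknowledged" if r["acknowledged"] else "STILL UNNOTICED"
        print(f"{member}: {r['seconds'] / 3600:.1f} h to notice ({state})")
```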
9. Relevance of Hacker Vision in multiple fields of security within an organization
Greater visibility of a defender's security posture comes from adopting a more pointed adversarial assessment view across four areas: attack surface, threat modelling, assessments and maintenance.
Benefits:
• Exposes data about weaknesses in an attack surface
• Demonstrates to a defender how effective currently active controls are
• Shows a defender how to better rank identified threats
• Demonstrates what controls may be more appropriate
• Allows better definition of security assessments
• Allows a defender to relativize assessment results
  – Can see what is an immediate vs. longer-term concern
• Exposes where improvements can be made
  – In SDLC, patch management, incident response and management, etc.
15. The Bluetooth SmartLocks are easily reverse engineered and hacked
• Smart locks use a basic BLE management protocol
• The communications over BLE between the lock and a smartphone are easily intercepted and reverse engineered
• Admin functionality (e.g. changing passcodes) was conducted in the clear
• See Anthony Rose and Ben Ramsey's DEFCON 24 slides
17. Common magnetic lock installation errors
• The magnetic lock is mounted on the keypad side of the door, meaning an attacker has access to the locking mechanism
• They can interfere with the lock wiring or even remove the restrictive parts of the lock
• The disassembly shown on the left of the slide shows the potential for abuse:
  – The central nut can be removed to dislodge the magnetic plate from the mounting bracket
  – The lower cover can be removed to essentially unscrew the mounting bracket from the door
  – The wiring can be accessed, meaning power can be cut from the electromagnet
• Additionally, worn keypads can also be a source of information about a lock
  – See Bruce Schneier's blog
20. Messy wiring and unattended USB ports – would you spot a LANTurtle?
• Messy wiring: would you notice a malicious network implant?
21. Further examples – Malicious USB devices: DigiSpark and BadUSB
• DigiSpark – a small, inexpensive Arduino-like microcontroller capable of emulating USB devices such as keyboards and mice. It can be used for malicious injection of scripts by posing as a USB keyboard, and is capable of typing at great speed.
• BadUSB – an ingenious attack devised by SRLabs researchers Karsten Nohl and Jakob Lell. The essence of this attack is to repurpose a standard, off-the-shelf USB flash drive to become a malicious network device, hijacking the victim's network traffic.
22. Malicious 'Sub-Domain' pivot and exploitation methodology via a Pass-the-Hash attack
• 'Sub-Domain' for your attacker: if one client gets compromised, so are all the others
  – Attackers will use a 'Pass the Hash' attack to exploit other clients
• Common Local Admin (LA) password: functionally, LA is no different from Domain Admin or Enterprise Admin
  – It can do the same actions on client machines; the difference is their scope
Diagram: clients C1–C5 grouped by shared local admin password (LA Password 1, LA Password 2); a Domain Admin is logged in on C3, and the attacker then compromises C3 to get the DA auth token (for a token impersonation attack)
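To make the 'sub-domain' picture above measurable, here is an added Python example (not the presenter's code) that groups an inventory of hosts by the local admin credential they share, computes the blast radius from any one compromised host, and flags groups that contain a Domain Admin session. The host inventory, the session list and the opaque credential labels are constructed for the illustration.

```python
"""Blast-radius check for shared local admin (LA) passwords.

Added example (not from the webinar): models the slide's 'sub-domain'.
Hosts that share an LA password are mutually reachable for whoever holds
any one of them, and a host with a Domain Admin session turns that group
into a domain-wide compromise.
"""
from collections import defaultdict

# Constructed inventory: host -> opaque label of the LA credential it uses.
# In practice this comes from a LAPS or password-audit export; only a label
# per credential is needed, never the password itself.
LA_CREDENTIAL = {"C1": "LA Password 1", "C2": "LA Password 1", "C3": "LA Password 1",
                 "C4": "LA Password 2", "C5": "LA Password 2"}

# Constructed: hosts where a Domain Admin currently has an interactive session.
DA_SESSIONS = {"C3"}


def credential_groups(inventory):
    """Group hosts by shared LA credential: each group is one 'sub-domain'."""
    groups = defaultdict(set)
    for host, cred in inventory.items():
        groups[cred].add(host)
    return dict(groups)


def blast_radius(start_host, inventory, da_sessions):
    """Hosts reachable from `start_host` with its LA password, and whether a
    Domain Admin session sits inside that reach."""
    reach = credential_groups(inventory)[inventory[start_host]]
    return {"hosts": sorted(reach), "da_exposed": bool(reach & da_sessions)}


def worst_groups(inventory, da_sessions):
    """Rank credential groups: DA-exposing groups first, then by size."""
    ranked = [(cred, len(hosts), bool(hosts & da_sessions))
              for cred, hosts in credential_groups(inventory).items()]
    return sorted(ranked, key=lambda r: (-r[2], -r[1]))


if __name__ == "__main__":
    print(blast_radius("C1", LA_CREDENTIAL, DA_SESSIONS))
    for cred, n, da in worst_groups(LA_CREDENTIAL, DA_SESSIONS):
        print(f"{cred}: {n} hosts, DA session exposed: {da}")
```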
25. IP Cameras and IoT devices may pose more of a threat than may first be apparent
• Small Linux servers
  – Tend to run very out-of-date software
  – Badly maintained by both device and component (SoC/uC) manufacturers
• Cloud services – exposed and vulnerable to various attacks
  – https://srlabs.de/bites/cloud-cameras/
• Mirai – botnet spread by weak telnet credentials
• Nov 2016 TR-069 exploit – permitted spread of malware to vulnerable D-Link routers
27. Conclusions
Seeing through 'Hacker Vision':
• Improve your awareness of gaps in your endpoint protection
• Adopt a dynamic adversarial mindset and apply it to your security
• Keep up to date with hacking trends, knowledge, and research
• Improve your assessment criteria by means of this knowledge
• Identify where the 'low hanging fruit' is for your threat model
Better secured products:
• Gives better coverage of your endpoint attack surface
• Reveals things that are lax, or not fit for purpose
• Shows what fixes will be effective in situ
• Can shine a light on what is working well
• Better assessment planning and security awareness in a team
…but it is no substitute for appropriate, professional security assessments and well thought out security planning!
ISO 27032 Training Courses
• ISO/IEC 27032 Introduction – 1-day course
• ISO/IEC 27032 Foundation – 2-day course
• ISO/IEC 27032 Lead Implementer – 5-day course
• ISO/IEC 27032 Lead Auditor – 5-day course
Exam and certification fees are included in the training price.
https://www.pecb.com/iso-iec-27032-training-courses | www.pecb.com/events