Network Exploitation
CCTC - Networking
Outcomes
SKILL CCNE015: Communicate cyberspace operations methodologies
SKILL CCNE016: Define common frameworks for conducting cyberspace operations
SKILL CCNE017: Discuss methods to gain access
SKILL CCNE018: Describe network attacks
Cyber Threat Actors
Reference: SANS.org
- Cyber Criminals
- State Sponsored (Nation State)
- Hacktivist
- Insider Threats
Reference: JP3-12R
- Transnational Actor
- Individual Actors or Small Group
Threat Actions
- Malware
- Hacking
- Social Tactics
- Misuse
- Physical
- Error
- Environmental
The Cyber Kill Chain (Lockheed Martin)
Cyber Methodology
- Target Discovery 100+ hosts
- Footprinting, Scanning, Enumeration, Net Mapping
- Fingerprinting/Enumeration 5-10 hosts
- OS and Service Identification
- Port Scanning 1-2 hosts
- Identify all ports available
- Gaining Access 1 host
- Determine the vulnerability to use, test your tools in a controlled environment
- Privilege Escalation
- Post Exploitation
- Target Survey & Remote Forensics Analysis, Data Collection, Establish Persistence, Cover Tracks (cleanup)
Compromised Asset Characteristics
- Information Technology Assets
- Critical Information Assets
Information Technology Assets
- Physical Assets
- Network and System Specifications
Critical Information Assets
Critical Asset - Credentials
- Common means for stealing credentials:
- Social Engineering, reusing stolen passwords/shared credentials, brute force, security question reuse
- Credentials can provide adversary with:
- Remote Access - gain remote entry into networks using Virtual Private Networks (VPNs) or remote access protocols, like RDP and VNC
Preventing Credential Compromise
- Admin/Domain Admin Credentials
- Should not have the ability to alter or audit files
- Require secondary approval
- Access Controls
- Multi-factor authentication
Network Attack Strategies
- Social Engineering
- Phishing, Whaling, Watering Hole, Baiting, Pretexting
- DoS/DDoS
- Ping Flood, Ping of Death, SYN Flood, Smurf Attack
- Injection
- Web-based (SQL, XSS, FI), Code (SQL, XSS, OS, DE), Process (DLL, PE, etc.)
- Network Infrastructure Based
- Man in the Middle, Session Hijacking, Spoofing, Buffer Overflow, Bluetooth
- Malware
- Adware, Viruses, Worms, Polymorphic
Internal and External Exploitation
- Internal
- Less common, more options
- External
- Most common, easily detected
Exploit Components
- Exploitation Technique
- The goal is to divert the execution of the vulnerable program
- Payload
Privilege Escalation
- Types:
- Methods:
- Weak permissions on processes
- Sensitive Information in Shared Folders
Using Stolen Credentials
Movement within a network: Stolen credentials (especially domain admin credentials) can allow an attacker to move laterally within a network, or potentially deeper into higher security areas
Cloud Access: Cloud services that can be accessed via domain credentials allow an attacker to easily access valuable data, especially as organizations move information into the cloud
Persistence
- Allows for continued and future access to the exploited target by bypassing normal requirements
Exfiltration
- Exfiltration via outbound connections is very common, and hard to counter at the perimeter, since the perimeter was built to focus on incoming threats
- Common protocols are used to mask data exfiltration:
- HTTP/HTTPS, FTP, and DNS blend into normal outbound network traffic, thus obfuscating the attacker's actions
- In-band
- Out-of-band
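Because DNS is allowed outbound almost everywhere, exfiltration tunnelled through it is usually found on the resolver logs rather than at the firewall. The following detection heuristic is an added example written for this section and is not part of the course material: it parses a constructed, BIND-style query log (the log format, the client addresses and the thresholds are all assumptions made for the example), groups queries per client and registered domain, and flags groups where the leftmost labels are long, nearly all unique, and high-entropy, which is what encoded data chunks look like when compared with ordinary hostnames.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (BIND-style "client#port: query: NAME IN TYPE" lines).
# Not captured from any real network; addresses and names are placeholders.
SAMPLE_LOG = """\
10.0.0.5#51234: query: www.example.com IN A
10.0.0.5#51235: query: mail.example.com IN A
10.0.0.7#40001: query: 4a6f686e20446f65.t1.files.example.net IN TXT
10.0.0.7#40002: query: 3078646561646265.t2.files.example.net IN TXT
10.0.0.7#40003: query: 5061737377307264.t3.files.example.net IN TXT
10.0.0.7#40004: query: 2f6574632f706173.t4.files.example.net IN TXT
10.0.0.7#40005: query: 7377640a726f6f74.t5.files.example.net IN TXT
10.0.0.7#40006: query: 6e6f626f64793a2a.t6.files.example.net IN TXT
10.0.0.5#51236: query: cdn.example.com IN A
10.0.0.9#33001: query: api.example.org IN A
10.0.0.9#33002: query: api.example.org IN A
10.0.0.9#33003: query: api.example.org IN A
10.0.0.9#33004: query: api.example.org IN A
10.0.0.9#33005: query: api.example.org IN A
"""

LINE_RE = re.compile(r"^(?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)$")


def parse_log(text):
    """Return (client, queried name, query type) tuples; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group("client"), m.group("name").lower(), m.group("qtype")))
    return records


def registered_domain(name):
    # Assumption: the last two labels are the registered domain (no public-suffix list here).
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits of entropy per character; encoded payload labels score higher than hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_clients(records, min_queries=5, min_unique_ratio=0.9, min_label_len=12, min_entropy=2.5):
    """Flag (client, domain) groups whose leftmost labels look like chunks of encoded data.

    Thresholds are illustrative; tune them against a baseline of the environment's own traffic.
    """
    groups = defaultdict(list)
    for client, name, qtype in records:
        groups[(client, registered_domain(name))].append((name, qtype))

    findings = []
    for (client, domain), items in groups.items():
        if len(items) < min_queries:          # too little volume to judge
            continue
        leftmost = [name.split(".")[0] for name, _ in items]
        unique_ratio = len({name for name, _ in items}) / len(items)
        avg_len = sum(len(l) for l in leftmost) / len(leftmost)
        avg_ent = sum(shannon_entropy(l) for l in leftmost) / len(leftmost)
        txt_share = sum(1 for _, q in items if q == "TXT") / len(items)
        # A busy but benign client repeats the same few names (low unique ratio);
        # a tunnel must vary the label every query to carry new data.
        if unique_ratio >= min_unique_ratio and avg_len >= min_label_len and avg_ent >= min_entropy:
            findings.append({
                "client": client,
                "domain": domain,
                "queries": len(items),
                "unique_ratio": unique_ratio,
                "avg_label_len": avg_len,
                "avg_entropy": avg_ent,
                "txt_share": txt_share,
            })
    return findings


if __name__ == "__main__":
    for f in score_clients(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['domain']}: {f['queries']} queries, "
              f"avg label {f['avg_label_len']:.0f} chars, entropy {f['avg_entropy']:.2f}, "
              f"TXT share {f['txt_share']:.0%}")
```

Run against the constructed log, only the 10.0.0.7 traffic to example.net is reported; 10.0.0.5 has too few queries to judge and 10.0.0.9, despite its volume, keeps repeating one name. The TXT share is reported rather than used as a threshold because tunnels also ride on A and NULL records; it is context for the analyst, not a rule.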
Collateral Effects
- Accidental:
- Effects when the attacker makes a mistake
- Attributed Actions, which may lead to criminal charges
- Purposeful:
- Effects wanted by the attacker
Collateral Effects
Ashley Madison:
- Responsibility claimed by the "Impact Team"
- Approx. 9.7 Gb of information posted on TOR
- Site source code posted MANY git repositories
- Little hard evidence released; not clear whether this was an insider or external hacking
What are some of the collateral effects?
Collateral Effects
Yahoo Hacking:
- Yahoo's breach has been measured as the largest data breach in history
- 2014 hack: 500 million accounts, 2014 hack: up to 1 billion accounts
- Not disclosed until 2016
- Two Russian FSB officials indicted
- US has no extradition treaty with Russia
What are some of the collateral effects?
Collateral Effects
OPM Hack:
- Breached December 2014
- 21 Million current/former Fed. Employees' PII leaked
- China is suspected of the breach
- SF-86's...foreign contacts?
What are some of the collateral effects?