360 likes | 734 Views
Threat landscape and hacking HP Tippingpoint. Miroslav Knapovsky CISSP, CEH 21.5. 201 4. Today’s agenda I promise almost no product slides in this presentation. Threat landscape Hacking techniques How HP ESP can help. Threat Landscape. Typical breachers. Capture. Infiltration.
E N D
Threat landscape and hacking HP Tippingpoint Miroslav Knapovsky CISSP, CEH 21.5.2014
Today’s agenda I promise almost no product slides in this presentation Threat landscape Hacking techniques How HP ESP can help
Typical breachers Capture Infiltration Exfiltration Discovery Research • External threats • White hat (limited threat) • Black hat • Grey hat • Script kiddie • Neophyte/n00b • Hacktivist • Nation state • Organized criminal gangs • Bots • Internal threats • Intentional • Unintentional Their ecosystem Our enterprise
Discovery part examples • Passive discovery tools • Google search hacking -http://www.exploit-db.com/google-dorks/ • The Harvester • FOCA • Maltego • SEAT – Search Engine Assessment Tool • Active discovery • NMAP/ZENMAP • Vulnerability scanning • Nessus • Nikto • OWASP ZAP • HP WebInspect
Passive discovery – The Harvester [+] Emails found: ………. Removed [+] Domains found:…….. Removed
Vulnerability scanning with HP WebInspect Benefits Support and Docs Zero day Vulnerabilities HTLM5 support Mobile site support AcuMonitor Service DOM-based XSS Maturity level Reporting Publish to TP/WAF
GeoLocation Filtering • What is it? • The ability to filter network traffic by source / destination country geography • Customer Value • Quickly put in place filters to restrict traffic to/from countries that may violate network policy • How it works • IP based, built on our Reputation engine • Geo database included on SMS, updated on TMC monthly, supports import of commercial databases from MaxMind • Flexible filter definitions, exceptions, filter prioritization
Physical access tools + LTE/3G modem Cheap Raspberry Middle Odroid Expensive PWN Plug
Think of a potential target and lock on it • Vulnerability scanning and “Proxy” vulnerability scanning • Combine with harvesting and social engineering • Keep in mind that people at fast on simple things… • Courier and forwarders are trusted, no one know why… • Gain physical access is mostly simple • The last hope
Create payload which Antivirus will not meet My favorite: Social-Engineer Toolkit Veil
Once You are inside (any previous technique) Hide Kill AV/FW Stay persistent
Patch the frequently called function Uroburos Example
Response: TippingPoint ATA Integration ATA Dev off SPAN port at perimeter, TP NGFW at Perimeter, IPS at Core, LAN internet Perimeter ATA Device NGFW Core LAN IPS IPS SMS
ATA Integration: Deployment Example 1: Malware detonated by ATA Device but infects “patient-zero” internet 1 Perimeter ATA Device NGFW Core LAN 1 IPS IPS SMS
ATA Integration: Deployment Example 2: ATA Device emits event to TippingPoint SMS internet 1 Perimeter ATA Device NGFW Core LAN 1 2 IPS IPS SMS
ATA Integration: Deployment Example 3: SMS updates policy to quarantine the infected host, block the malware source, CnC internet 1 Perimeter ATA Device NGFW Core LAN 1 3 2 3 IPS IPS 3 SMS
But Rainbow table always works… just need some processing power & SSD’s
Few secs physical access & FGDUMP.exe Administrator:500:NO PASSWORD*********************:NO PASSWORD*********************::: Guest:501:NO PASSWORD*********************:NO PASSWORD*********************::: mknapovsky:1000:NO PASSWORD*********************:9A05D45A7858DA1278D94A9GG8571285::: ___VMware_Conv_SA___:1845:NO PASSWORD*********************:NO PASSWORD*********************:::
Local network activities Scan networks & obtain network topology Find interesting hosts Try ARP Spoof and play Man in the Middle Sniffer and get the Hashes Move to another subnet or obtain credentials to higher layer Obtain data Clear even logs
Security Performance Suite HP Enterprise Security How HP ESP can help? HP Security Performance Suite Pillars Application Security SecurityIntelligence Network Security
Yes, HP ESP can helpInterested in Proof of concept test?email: knapovsky@hp.com