Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detection Scenarios ReconWeaponizationDeliverExploitationInstallationC2 Act on Objectives File File - Name URI – Domain Name URI – URL HTTP - GET HTTP.

Published byStone Quiett Modified over 9 years ago

Similar presentations

Presentation on theme: "Detection Scenarios ReconWeaponizationDeliverExploitationInstallationC2 Act on Objectives File File - Name URI – Domain Name URI – URL HTTP - GET HTTP."— Presentation transcript:

1 Detection Scenarios ReconWeaponizationDeliverExploitationInstallationC2 Act on Objectives File File - Name URI – Domain Name URI – URL HTTP - GET HTTP – UA String Address – e-mail Address – ipv4- addr File File - Path URI - URL Behavior File File - Path File - Name URI- Domain Name URI - URL HTTP - POST Email Header - Subject Email Header – X- Mailer Hash – MD5 Hash – SHA1 Address – e-mail Address – ipv4- addr Behavior Win Registry Key File File - Name URI – Domain Name URI – URL Hash – MD5 Hash – SHA1 Address – cidr Address – ipv4- addr Code – Binary Code Win Process Win Registry Key File File - Path File - Name URI – Domain Name URI - URL HTTP - GET HTTP – UA String Hash – MD5 Hash – SHA1 Address – e-mail Address – ipv4- addr Behavior Win Process Win Registry Key File URI – Domain Name URI - URL HTTP - GET HTTP - POST HTTP – UA String Hash – MD5 Hash – SHA1 Address – e-mail Address – ipv4- addr Behavior Win Registry Key Win Service File File - Path File - Name URI – Domain Name URI – URL Hash – MD5 Hash – SHA1 Address – ipv4- addr

2 Platform Strengths (example IDS Solution) ReconWeaponizationDeliverExploitationInstallationC2 Act on Objectives File File - Name URI – Domain Name URI – URL HTTP - GET HTTP – UA String Address – e-mail Address – ipv4- addr File File - Path URI - URL Behavior File File - Path File - Name URI- Domain Name URI - URL HTTP - POST Email Header - Subject Email Header – X- Mailer Hash – MD5 Hash – SHA1 Address – e-mail Address – ipv4- addr Behavior Win Registry Key File File - Name URI – Domain Name URI – URL Hash – MD5 Hash – SHA1 Address – cidr Address – ipv4- addr Code – Binary Code Win Process Win Registry Key File File - Path File - Name URI – Domain Name URI - URL HTTP - GET HTTP – UA String Hash – MD5 Hash – SHA1 Address – e-mail Address – ipv4- addr Behavior Win Process Win Registry Key File URI – Domain Name URI - URL HTTP - GET HTTP - POST HTTP – UA String Hash – MD5 Hash – SHA1 Address – e-mail Address – ipv4- addr Behavior Win Registry Key Win Service File File - Path File - Name URI – Domain Name URI – URL Hash – MD5 Hash – SHA1 Address – ipv4- addr Notes: Security solutions are able to investigate, analyze and monitor this indicator type Security solutions are unable to track this indicator type. These areas represent gaps

3 All Detection Platforms (aggregated view) ReconWeaponizationDeliverExploitationInstallationC2 Act on Objectives File File - Name URI – Domain Name URI – URL HTTP - GET HTTP – UA String Address – e-mail Address – ipv4- addr File File - Path URI - URL Behavior File File - Path File - Name URI- Domain Name URI - URL HTTP - POST Email Header - Subject Email Header – X- Mailer Hash – MD5 Hash – SHA1 Address – e-mail Address – ipv4- addr Behavior Win Registry Key File File - Name URI – Domain Name URI – URL Hash – MD5 Hash – SHA1 Address – cidr Address – ipv4- addr Code – Binary Code Win Process Win Registry Key File File - Path File - Name URI – Domain Name URI - URL HTTP - GET HTTP – UA String Hash – MD5 Hash – SHA1 Address – e-mail Address – ipv4- addr Behavior Win Process Win Registry Key File URI – Domain Name URI - URL HTTP - GET HTTP - POST HTTP – UA String Hash – MD5 Hash – SHA1 Address – e-mail Address – ipv4- addr Behavior Win Registry Key Win Service File File - Path File - Name URI – Domain Name URI – URL Hash – MD5 Hash – SHA1 Address – ipv4- addr Notes: Security solutions are able to investigate, analyze and monitor this indicator type Security solutions are unable to track this indicator type. These areas represent gaps

4 Visibility Gaps by Threat Actor Recon Weaponization Deliver ExploitationInstallationC2 Act on Objectives HTTP – UA String File File - Path URI - URL Email Header - Subject Email Header – X-Mailer Hash – MD5 Hash – SHA1

5 Post-Incident Review (What did the actor do?) ( Why did it work?)(What should we do?) Kill ChainActor ActionActor ActionFailure ModeMitigation Action Reconnaissance Used commercial web scannerPotential gaps in threat tool & scanning capability Establish detection capability Weaponization SQL injection on vulnerable ASP page to gain admin user access Could not detect SSL traffic; vulnerable to SQL injection Explore Secure Development and Application Security Assessments Delivery Exploitation Installation IIS web service used to upload web shell Failure to restrict file upload types or configure web server to not execute uploaded files Explore Secure Development and Application Security Assessments Comm & Control Used web shell on initially compromised host Could not detect SSL traffic Actions on intent Accessed “id.txt” which held account information with admin access Management scripts failed to delete “id.txt” after running Scripts retired and environment scanned.

Download ppt "Detection Scenarios ReconWeaponizationDeliverExploitationInstallationC2 Act on Objectives File File - Name URI – Domain Name URI – URL HTTP - GET HTTP."

Similar presentations

SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.

SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.
Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –

Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –
©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Chris Berninger, Sr. Solutions.

©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Chris Berninger, Sr. Solutions.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
1 SANS Technology Institute - Candidate for Master of Science Degree 1 SIEM Based Intrusion Detection Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH,

1 SANS Technology Institute - Candidate for Master of Science Degree 1 SIEM Based Intrusion Detection Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH,
RSA Attack Analysis Karl F. Lutzen, CISSP S&T Information Security Officer.

RSA Attack Analysis Karl F. Lutzen, CISSP S&T Information Security Officer.
Using Nagios for Intrusion detection Miguel Cárdenas Montes Elio Pérez Calle Francisco Javier Rodríguez Calonge.

Using Nagios for Intrusion detection Miguel Cárdenas Montes Elio Pérez Calle Francisco Javier Rodríguez Calonge.
ASP.NET Web Application Security Hannes Preishuber ppedv AG

ASP.NET Web Application Security Hannes Preishuber ppedv AG
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
A Customisable Question and Answer Database Kate Lindsay.

A Customisable Question and Answer Database Kate Lindsay.
Presented by Paul Gilzow Web Communications University of Missouri #hew08xss.

Presented by Paul Gilzow Web Communications University of Missouri #hew08xss.
Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.

Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.
Simple Web SQLite Manager/Form/Report

Simple Web SQLite Manager/Form/Report
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Incident Response Updated 03/20/2015

Incident Response Updated 03/20/2015
Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:

Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

Similar presentations

Ads by Google