Tag Archives: Aamir Lakhani

May 16, 2013

SSL Strip – Breaking Secure Websites

Aamir Lakhani wrote a overview of how to perform a ssl strip attack. The original post can be found HERE

SSLSTRIP LAB

Before beginning the lab, make sure you have Backtrack 5 R3 VM imported into VMWare Player/Workstation/Server/Fusion, or what ever Virtual machine environment you have chosen to utilize.

The following is an excerpt from the VMWare “Getting started with VMWare Player” VMWare Player 4.0 user guide.

Import an Open Virtualization Format Virtual Machine

You can import an Open Virtualization Format (OVF) virtual machine and run it in Player. Player converts the virtual machine from OVF format to VMware runtime (.vmx) format. You can import both .ovf and .ova files.

OVF is a platform-independent, efficient, extensible, and open packaging and distribution format for virtual machines. For example, you can import OVF virtual machines exported from VMware FusionTM into Player. You can import OVF 1.0 and later files only.

You can also use the standalone OVF Tool to convert an OVF virtual machine to VMware runtime format. The standalone version of the OVF Tool is installed in the Player installation directory under OVFTool. See the OVF Tool User Guide on the VMware Web site for information on using the OVF Tool.

Procedure

In Player, select File > Open a Virtual Machine.
Browse to the .ovf or .ova file and click Open.
Type a name for the virtual machine, type or browse to the directory for the virtual machine files, and click Import. Player performs OVF specification conformance and virtual hardware compliance checks. A status bar indicates the progress of the import process.
If the import fails, click Retry to try again, or click Cancel to cancel the import.

If you retry the import, Player relaxes the OVF specification conformance and virtual hardware compliance checks and you might not be able to use the virtual machine in Player.

After Player successfully imports the OVF virtual machine, the virtual machine appears in the virtual machine library.

Your Lab

In this Lab, we are using Virtual Machine based attack hosts. The Hosts are Linux based Backtrack 5 R3 (based on Ubuntu Linux). The reason for using backtrack is that all of the modules, and associated dependencies for this lab are preloaded with the distribution. The module dependencies for SSLStrip are (these are already loaded with Backtrack):

Python >= 2.5 (apt-get install python)
The python “twisted-web” module (apt-get install python-twisted-web)

Additionally to utilize SSLSTRIP you need (Again already in Backtrack):

Arpspoof or Ettercap (this lab we use Arpspoof, Ettercap has issues with wireless)
IPChains / IPtables
Netstat

Additionally when using backtrack or any Ubuntu distribution, it is a good idea to run APT to updates the existing packages. Backtrack has several custom distribution resources pre configured.

#Use this command to update: apt-get update && apt-get upgrade -y && apt-get dist-upgrade –y

Getting Started

Once your Backtrack virtual machine is installed and booted use the following credentials to log in:

Username: root
Password: toor

Start the desktop environment by issuing the startx command from the terminal session:

Note: It is not mandatory that you utilize a GUI desktop. But for the purposes of this lab it is recommended. Those not as familiar working in a Linux command shell will likely find it simpler to switch between the multiple terminal windows needed to perform the upcoming operations.

You should now see an environment similar to the following:

For the purposes of this LAB we will only be using a single interface, your virtual machine might be configured with multiple Ethernet interfaces. We will need to check if there are multiple (virtual) Ethernet interface enabled.

In the upper left hand corner of the desktop click on the Xterm link.

When see a terminal window open on the desktop you are ready to continue.

Use ifconfig to determine what interfaces are on the virtual machine.

Ifconfig | grep “eth”

This command will filter out all the miscellaneous and just show us the Ethernet interfaces, like below.

If we do indeed have more then one interface enabled issue the command ifdown with the interface name to disable it. If there is an interface named eth1 like shown above issue the command:

Ifdown eth1

The output should be like what is shown below.

Continue reading →

Rating: 5.0/5 (1 vote cast)

Situational Awareness For Cyber Threat Defense

Aamir Lakhani did a great post on Situational Awareness. The original post ca be found HERE

Illustration by Kekai Kotaki

Problem

Cisco Systems in their Cyber Security Threat Defense white papers outlines how the network security threat landscape is evolving. They describe how modern attacks are stealthy and evade traditional security perimeter defenses.

Traditional monitoring and reporting tools are no longer sufficient in detecting true threats on the network. Modern security tools and hardware devices such as firewalls, anti-virus, patch management solutions, IPS, and other solutions can only provide a small amount of relief against attacks. Most of these tools seem to be really implemented to fulfill some sort of checkmark for an auditor on a compliance form. Security professional know these tools, although very important, alone don’t provide a full security defense architecture.

Furthermore, as security threats and malware invade systems, security administrators are having trouble understanding the nature of attacks, how they occur, and how to defend against them. Remember you can’t fight what you don’t understand.

“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”

- Sun Tzu, The Art of War (source: http://en.wikiquote.org/wiki/Sun_Tzu)

Image Source: Cisco Identity Services Engine

Cisco Identity Services Engine provides true network identification, profiling, and access controls.

Combined as a center piece for Cisco’s TruseSec Solution, Cisco ISE creates a secure ecosystem treating security as a holistic solution.

Federal Cyber Initiatives

New mandates are making cyber security front and center of the news. President Obama recently challenged the nation and the Federal government in the United States to increase its cyber defense capabilities. As Federal IT budgets are getting slashed back in 2013; however, spending for cyber security appears to be increasing in the eyes of the casual on-looker.

Cisco Systems, in their Cyber Threat Defense White Paper discusses how “with increasingly sophisticated cyber attacks like WikiLeaks on the rise, federal agencies require more innovative solutions for maintaining a strong security posture. Additionally, with the evolution of the CNCI (Comprehensive National Cybersecurity Initiative), federal agencies are being required to take a more holistic and collaborative approach to analyzing threat information across the totality of government networks for improved incident response and forensic investigation.”

Being constantly bombarded with continuous threats, how can security professionals even guadge they are being attacked or a threat is posing a clear and present danger (yes that was a Harrison Ford shout out).

RSA NetWitness Logo

Image Source: RSA

How To Solve The Problem

I recommend creating a conceptional framework for Threat Defense Visibility and Awareness program. The goal of program should be to (1) provide a framework that can be built by using products, technologies, and methodologies that are available today, (2) provide network visibility on network health and status in real-time, (3) provide real-time network posture and attack risk baselines, (4) provide a training facility for attack analysis and defense.

What Is Network Visibility?

According to Lancope (source: http://www.lancope.com/), “network visibility focuses on the most complex and dangerous information security threats – threats that lurk in networks for months or years at a time stealing vital information and disrupting operations. This type of solution provides visibility into these threats and context to decipher their targets and potential damage”. Lancope further states on their website, security analysts gain visibility into advanced cyber threats such as:

Network reconnaissance
Network interior malware proliferation
Command and control traffic
Data ex-filtration

Lancope Stealwatch provides network visibility

Understanding trends, anomalies, and threats of the network

Image Source: Lancope

Network visibility gives security administrators the ability to detect problems because they highlight changes in baseline behavior. Did traffic spike a 100%, did outbound traffic suddenly increase, are more requests being transmitted to new domain on the Internet? All these occurrences can indicate an attack. Network visibility shows network security professionals exactly what is different about today’s traffic patterns than what is normally looks like. Continue reading →

Rating: 0.0/5 (0 votes cast)

PART 2 “The Attack” – THE SOCIAL MEDIA DECEPTION PROJECT : How We Created Emily Williams To Compromise Our Target

Last year Aamir Lakhani and Joseph Muniz developed a fake identity known as Emily Williams with the purpose of compromising a specific target using social media. We created Emily Williams based on research from Robin Sage, which showcased how a fake identity could obtain sensitive information from social media resources. We wondered if a similar approach could be used for targeted attacks and developed Emily Williams for that purpose. More information on developing Emily Williams via Part 1 of this project can be found HERE.

Emily Williams and Robin Sage

This Part 2 post explains WHY the Emily Williams project is important to understand. Yes, it was humorous watching people endorse a fake person’s technical abilities and receive job offers based on a posted IT background (or possibly just because Emily is attractive) however those are not the worst outcomes from social media threats. Part 1 concluded with our lovely Emily Williams having friends with multiple parties from our target such as Human Resources, IT Support, Engineering and Executive Leadership. People were sharing information and considering Emily Williams an employee based on the profile we created. The information alone was very valuable however that was just the beginning.

Stage 3 focused on obtaining access to host systems through social media. There are many options to do this such as the very popular Blackhole exploit kit however we did not want to use any method that could potentially harm our target’s system based on personal ethics. Blackhole is the most prevalent web threat seen today leveraging a malicious payload that we felt wasn’t safe for our target’s systems. We chose to use The Browser Exploitation Framework (BeEF) based on our feeling that compromising browsers was not as evil as using malware.

Blackhole Exploit Kit Screenshot

Browser Exploitation Framework (BeEF) Screenshot

BeEF leverages browser vulnerabilities to assess the security posture of a target. BeEF “hooks” targets as beachheads for launching direct command modules. Different browsers have various vulnerabilities, which means the more vulnerable a browser is, the more unique attack vectors become available to the hacker. We installed Backtrack 5R3 on a server and developed a BeEF hooking server that was public facing. We tested systems by accessing our BeEF server, hooking systems and launched commands such as taking a screen shot capture. More on building a BeEF system can be found HERE.

The next step was luring employees of the target to our BeEF system. There are many methods hackers accomplish this such as offering free media sites (IE download music, movies, etc. … see more on why this is risky behavior HERE), phishing emails and fake URLs designed to look and feel like something else. We decided to post virtual holiday cards on Emily William’s social media pages and direct invites to specific targets. The goal was having a user click the holiday card, wait for the card to pop up and have our system probe the browser for vulnerabilities during the waiting period. Once we hooked the target, we would look for passwords and insider information to gain access to the target agency. We launched three campaigns targeting systems during Thanksgiving, Christmas and New Years. We were able to figure out domain credentials to create an inside email address for Emily Williams, VPN passwords to gain internal access and other methods to compromise our target.

Our research demonstrated a few points. First off, people are trusting and male dominated industries like IT are even more trusting of women. Second, social media can be used as a means to compromise targets if users are not educated on common attacks and proper use of public facing network resources. The risk extends beyond data leakage since many people that use social media also use the same systems for internal use while at work. Finally, we demonstrated how easy it is to carry out what many consider an advanced persistent threat (APT) meaning we chose our target and bypassed standard security technology. We believe our methods were not very sophisticated compared to the real threats that target people using today’s public Internet yet we were very successful with our goal of compromising a specific target. Security is an extremely important investment and needs to include education around proper use of social media (more on this HERE) as well as protection from insider threats.

I hate to drop a plug however I recently took a job at Lancope based on their technologies’ ability to detect insider threats.

Rating: 4.7/5 (3 votes cast)

1 Comment

Filed under Penetration / Hacking, Scams and Social Engineering

Tagged as Aamir Lakhani, Access Control, BeEF, blackhat, blackhole, Cisco, cloudcentrics, Compliance, Data Loss Prevention, digital life, DLP, emily, Emily Williams, facebook, facebook hacking, fake facebook, hacking, hacking people, Home, Joey, Joey Muniz, joseph, joseph muniz, LanCope, linkedin, linkedin endorsing, mobile, mobile device, Muniz, netflow, part 2, part2, pen testing, Penetration Testing, Robin Sage, Security, social engineering, Social Engineering Training, social network secuirty, social pentest, Stealth Watch, The Browser Exploitation Framework, williams

February 11, 2013

THE SOCIAL MEDIA DECEPTION PROJECT : How We Created Emily Williams To Compromise Our Target

Disclaimer: This post has been modified to exclude specific subjects not approved for public viewing

Emily Williams and Robin Sage

Emily Williams and Robin Sage don’t exist in the real world. They are fake social network accounts designed to obtain sensitive information. Robin Sage was created in late 2009 to obtain information from intelligence on US military personnel. Her story was presented at the Black Hat hacker conference upsetting many people by exposing the type of sensitive data provided over social networks. Joey Muniz and Aamir Lakhani decided to go one-step further and ask the hard question: “what else can happen outside of data being leaked over social networks”. We decided to find out using Emily Williams.

NOTE: The research presented is real. Many people reading this are friends with Emily and probably mad at us. We have informed anybody attacked so if you haven’t heard from us, you are just social network friends with Emily.

Emily’s Real Employer

Emily Williams was created in November 2011 for Facebook and LinkedIn. Our goal was to pick a specific target and see how far we could penetrate the target using social networks as the entry point for infiltration. The plan was to build up a social network with key personal and launch attacks from Facebook and LinkedIn that compromised systems using social networks. From there, we could gain entry into the network and more or less capture the flag. The research was made public with the goal of educating employees about security around social networks as well as the current potential threats that could target people like you. We had executive approval before conducting the experiment.

Social Network Findings

The first step was creating the Facebook and LinkedIn accounts. We found a non technical female employee from the restaurant industry (that happened to be a few blocks from our target) to volunteer pictures for Emily’s appearance. We developed a fake social security number, residence and other areas that may be searched to make Emily seem real. We gave Emily an IT background from the University of Texas and updated her profile with a matching employment background.

Social Engineer Using Facebook Profile Info

User Flags Emily

Step two was building up friends prior to networking with our target audience. We decided to pick on Joey Muniz’s friends figuring if they flagged her as fake, they wouldn’t inform anybody from our target audience. Within hours we had over 100 friends using manual adding methods. We found very little resistance to accepting her as a friend however one individual not only denied her friend request but also posted to his friends a warning about Emily without actually calling her out. Another funny story was a friend ask “Do I know you?” and by simply replying with information from his social profile, we had him say he remember her. The lesson learned is think about what you post because it could be used against you!

Job Offer Based On Profile Info

Once we had a decent number of friends, we updated her status as a new employee to our target with a technical engineering title. From there, we start adding potential targets starting with sales and mid level technical staff as well as our partners with the target. We not only grew our friends from the organizations, we also started receiving job offers, meeting requests and congratulations on the new job with our target. As our target audience friend number grew, we started moving up the rank eventually capturing people from Human Resources and Engineering who would be responsible for hiring Emily if she existed. We moved all the way up to executive leadership and happy to say our President denied her friend request based on looking for her name is the corporate directory. We have a lot of respect for his diligence.

Can You Trust LinkedIn Endorsing?

At this point we have networked with our target audience and have enough key members linked to perform attacks. Part 2 of this story will feature how we leveraged the social network to obtain access to the network. Consider part 2 the answer to WHY Robin Sage and Emily Williams are a risk for organizations. Stay tuned for part two and again for those involved, don’t worry we didn’t do anything bad to you unless we told you. Oh and thanks for helping us prove our point about the dangers of social networks!

Article written and research conducted by:

Joey Muniz

Blog: www.thesecurityblogger.com

Aamir Lakhani

Blog: www.cloudcentrics.com

Rating: 5.0/5 (1 vote cast)

1 Comment

Filed under Penetration / Hacking, Scams and Social Engineering

Tagged as Aamir Lakhani, Access Control, advanced persistent threat, APT, backtrack, BeEF, blackhat, Cisco, cloudcentrics, Compliance, Data Loss Prevention, digital life, DLP, emily, Emily Williams, facebook, facebook hacking, fake facebook, hacking, hacking people, hacking wwt, Home, insider threat, Joey, Joey Muniz, joseph, joseph muniz, LanCope, linkedin, linkedin endorsing, mobile, mobile device, Muniz, netflow, part 1, pen testing, Penetration Testing, Robin Sage, Security, social engineering, Social Engineering Training, social media, social network secuirty, social pentest, Stealth Watch, The Browser Exploitation Framework, williams

January 2, 2013

Two Cool Gadgets To Help Be Healthy This Year: Zombies, Run! Jawbone UP

This blog is typically dedicated to security topics however I thought I would share about two cool gadgets I’ve been using to a live healthier lifestyle. Check them out and make 2013 a healthier year for you.

Zombies, Run!

I love playing soccer but HATE running as a form of exercise. The problem I have is my mind concentrates on how uncomfortable I feel. I can run for miles on the soccer field but not around the neighborhood.

Zombies, Run! makes running fun. It’s an iPhone / Android app that puts you in the middle of a Zombie apocalypse. There are too many Zombies to shoot so “runners” like you have to go out and gather supplies without weapons. You start a mission and run like your normally would wearing headphones and listening to music. The app plays music off your mobile device playlist and periodically interrupts with radio transmissions from an operator updating you on your mission status. You also pick up virtual supplies while running to bring back to base. Your actual running route doesn’t matter however the distance and pace determines how you do. You can also use this app on a treadmill.

That’s all cool however the real fun is randomly Zombies will chase you. Zombies, Run! uses your GPS to track your speed and warns you to run faster as zombies approach. You start hearing Zombies moaning over your music as they get close which really makes you push yourself. The app will start beeping when Zombies are nearby and prompt you every mile about your pace.

photo Two Cool Gadgets To Help Be Healthy This Year: Zombies, Run! Jawbone UP

Run Log shows when Zombies attacked, virtual things I picked up and radio transmissions

List of missions I’ve completed and not unlocked Continue reading →

Rating: 0.0/5 (0 votes cast)

1 Comment

Filed under General Security

Tagged as Aamir Lakhani, android, Android health, health, health technology, healthier lifestyle, iPhone, iPhone health, Jawbone, jawbone up, Joey, Joey Muniz, joseph, joseph muniz, Lakhani, LanCope, Muniz, Run!, zombies, Zomebies

December 3, 2012

Hacking the iPhone : Breaking Pins and Passcodes : Booting without approved Apple Firmware

“My buddy Aamir Lakhani is developing a iOS security class and recently posted about hacking iOS devices. This is a very popular subject and want to share this. Also shout out to Tom Bedwell for his assistance with the research. You can find the original posting at www.cloudcentrics.com”

iOS devices can be booted with their own kernel and micro operating systems instead of approved Apple firmware. When iOS devices are loaded with a micro kernel, you can run attacks such as bypassing the passcode, decrypting passwords, copying file systems, viewing emails and much more. The following guide describes how to create a RAM DISK, however it may not function precisely as a step-by-step instruction set, since each system is unique and requires some level of customization.

Note: If you run in to trouble when creating a RAM DISK due to unique OS configurations and code versions, don’t despair.

If you want to take the easy way

Download: http://cloudcentrics.com/wp-content/uploads/2012/11/iphone-dataprotection-modifed.zip

- and then complete step 11 then proceed to step 20.

Now let the real fun begin

IMPORTANT: Watch the word wrap. Many commands are single line and may be wrapped on multiple lines.

Step 1: Uninstall file system readers

If you have a system tool such as MacFuse or Tuxera, uninstall the program before starting and reboot your machine.

Step 2: Install Xcode from the Mac App Store

Step 3: Download and install Xcode Command Line Tools:

1. Download Xcode from the Apple App Store
2. Launch Xcode and go to preferences
3. Install Xcode Command Line tools and Simulators

Step 4: Open the Terminal App.

Make sure you are in your home directory. In my case the home directory is /Users/alakhani
Continue reading →

Rating: 0.0/5 (0 votes cast)

1 Comment

Filed under Bring Your Own Device BYOD, Host And Mobile Device Security, Penetration / Hacking

Tagged as 802.1x, Aamir Lakhani, apple, Apple firmware, apple security, breaking iOS, Breaking Passcodes, Breaking Passwords, Breaking Pins, end point management, Fuse, hacking, hacking apple devices, hacking passwords, hacking phones, hacking tools, Home, http://www.cloudcentrics.com/, iOS, iOS firmware, iOS kernel, iOS SDK, iPhone, iPhone 5, jail breakable iOS, jailbreak, jailbreaking phones, Joey, Joey Muniz, joseph, joseph muniz, Mercurial, micro operating systems, mobile, mobile device, mobile device management, mobile device security, mobile endpoints, Mobile phone security, Muniz, network security, Python, RAM DISK, redsnow, Security, USB Multiplexing, wireless hacking, wireless security, World Wide Technology, world wide technology inc., wwt, Xcode

October 31, 2012

Cool Tool : FOCA – Network Intelligence Reconnaissance using metadata

My buddy Aamir Lakhani posted about a really cool metadata tool called FOCA. The original post can be found HERE. Below is Aamir’s post about FOCA.

I would like to introduce you to one of my favorite network reconnaissance tools. It is called FOCA.

Did you know every time you create a document such as PowerPoint presentation, Microsoft Word document, or PDFs, metadata is left in the document?

What is metadata? metadata is data about data. It is descriptive information about a particular data set, object, or resource, including how it is formatted, and when and by whom it was collected. metadata can be useful to attackers because it contains useful information about the system where the file was created such as:

Name of user logged into the system
Software that created the document
OS of the system that created the document

FOCA is a security audit tool that will examine metadata from domains. It uses search engines to find files on domains, or you can use your own local files.

The first step to use FOCA is to download it.

FOCA can be downloaded at: http://www.informatica64.com/DownloadFOCA (use Google Translate)
You will need to give your email address at the bottom of the screen. You will receive an email with the download link. You will also receive updates on when FOCA is updated.

Using FOCA

FOCA is a Windows only tool. When you install FOCA you may be asked to install .NET Framework or other decencies. Continue reading →

Rating: 4.0/5 (1 vote cast)

802.1X Challenges For Department of Defense

Aamir Lakhani wrote a fantastic post on 802.1x for DOD. You can find the original posting at www.cloudcentrics.com

The Department of Defense added a requirement that all network ports, or on-ramps need to be protected. Applications, server, and data are normally protected; however, most network ports are left open. You get on to a network by plugging into a port and a network address is allocated for the connection. Computers without proper are free to launch attacks from the network. Network port protection lock down restricts anonymous access and prevents these “attacks”.

When network protection is turned on, a machine plugs into the network; no network access is given until the machine is authenticated to the network.

A few years ago, NAC solutions tried to accomplish goals for locking down networks. Most of my customers hated NAC. It added a layer of complexity that made the network behave unnatural and harder to support. It used a variety of ports, protocols, and physical boxes to implement. In short, it was complicated. NAC supported networks broke down often, causing nightmares for those legitimate users trying to get access and the people supporting those networks.

What are people doing to support port lockdown today at the Department of Defense and other large enterprise organizations? Surprisingly, the solution has been around for a long time to help secure wireless networks. It is called 802.1x. Historically, 802.1x has worked great on wireless networks and has always been a little troublesome on the wired ports. But things have changed with enterprise policy servers (Cisco Identity Services) that make the connection more easily configurable on modern day operating systems such as Mac OS X Mountain Lion and Windows 8.

How does 802.1x work? According to Wikipedia, IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC) that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. It is part of the IEEE 802.1 group of networking protocols.

802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN. The term ‘supplicant’ is also used interchangeably to refer to the software running on the clients’ device that provides credentials to the authenticator. The authenticator is a network device, such as an Ethernet switch or wireless access point. And the authentication server is typically a host running software supporting the RADIUS and EAP protocols.

The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant’s identity has been validated and authorized. A similar comparison to this would be providing a valid visa at the airport’s arrival immigration booth before being allowed to enter the country. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator and the authenticator forwards the credentials to the authentication server for verification. If the authentication server determines that the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network. Continue reading →

Rating: 4.0/5 (1 vote cast)

3 Comments

Filed under Network Admission Control

Tagged as 802.1x, aamir, Aamir Lakhani, Access Control, ACS, ACS5.0, ACS5.1, ACS5.2, CAM, CAS, certificate authority, ChapCrack, Cisco, Cisco NAC, Clean Access, cloud centrics technology, Compliance, Department of Defense, DISA, dod, EAP, EAP-TLS, EAP-TTLS, Guest Server, Home, Identity Services Engine, IEEE, ISE, ISE1.0, ISE1.1, ISE1.1.1, ISE1.1MR, Joey, Joey Muniz, joseph, joseph muniz, Lakhani, mandates, military standards for networks, MS-CHAPv2, Muniz, NAC, NAC appliance, network access control, Network port protection, network security, PEAP, PNAC, prime, Profiler, Radius, RADIUS Cisco, Security, supplicant, V-7542, wireless security, World Wide Technology, world wide technology inc., wwt

July 25, 2012

RSA NetWitness: An Anatomy Of An Attack

Here is a post from my friend Aamir Lakhani’s blog about RSA NetWitness. The original can be found at Cloud Centrics (http://www.cloudcentrics.com/). Really good post on NetWitness.

RSA NetWitness

RSA NetWitness is a unique solution that captures, store and analyze network data traffic. This gives you the able to see exactly what comes in and goes out of the network in real time . In simple terms, RSA offers to you a Network CCTV. Not only that, NetWitness also allows you to see the traffic in action as it reconstructs the data that flows through the network into its original format according to its own type or application. This helps you strengthen your security measures by taking appropriate action. On top of that, since all traffic is captured and stored, you will be able to go back to a particular period of time and conduct historical data analysis. Nothing escapes undetected.

RSA NetWitness delivers an innovative fusion of hundreds of log data sources with external threat intelligence to enterprises; enabling extraordinary broad and high-speed visibility into the critical information needed to help detect targeted, dynamic and stealthy attack techniques.

Why is it important?

NetWitness records all network activity. The benefits of this forensic analysis cannot be matched by any other product. NetWitness will truly allow you to investigate what happened on the network.

More importantly, since NetWitness sees and records everything on the network, it is very easy for the product to detect threats as they are occurring. This gives administrators an opportunity to stop attacks before they cause damage on the network.

Recording all network activity with forensic accuracy and analyzing current threats in real time provides situational awareness and insight for threats on existing infrastructure devices. Typically, when systems are discovered to be compromised, the systems are imaged, and software is reinstalled. However, many people don’t actually figure out the root cause of the problem. How did the system originally get compromised and what measures should be used to prevent it from happening again? In addition, if one machine is compromised, chances are high that others will be as well.

Why are these attacks difficult to detect? The answer is that these threats originate from the inside, or trusted areas of the network. The most common network threats involve a failure in internal security. This includes APTs, Botnets, Phishing attacks, social network information leakage, and product patches.

Security fails and systems get breached because many people do not take the threat seriously or make an effort to learn about it. It takes a proactive approach to be secure and protected against threats.

Furthermore, many organizations have processes in place that actually do more harm than good. These procedures that are supposed to help an organization’s security posture degrade it instead. This is partly to do with people and attitude, but also partly to do with outdated ways of thinking about security mixed with inadequate technologies.

Anatomy of an attack

Here is an example: Zeus was a popular attack last year that stole and spread through internal networks. Zeus is a Trojan horse that steals banking information by Man-in-the-browser, keystroke logging and Form Grabbing. Zeus spread mainly through drive-by downloads and phishing schemes.

Zeus was successful because it was a well-crafted phishing attack. Victims received an email that looked interesting to them. They were instructed to download a report from what appeared to be a legitimate website. In reality, the report was a Trojan horse that allowed attackers to control the victim’s system. The hosting website was in China.

A capture (report) from NetWitness showed that the originating server of Zeus went to a command and control server in China. The program that the user downloaded allowed attackers from the Chinese server to have control of the users’ system. From that point on, it was trivial for them to exploit other systems on the users’ network.

Most anti-virus agents did not detect Zeus. Later, Zeus disabled anti-virus agents using a variety of schemes – mostly by redireiting anti-virus updates to a 127.0.0.1 IP address.

Since NetWitness recorded all network traffic, it recorded what systems were compromised, communications with systems in China, and what was being transferring. When internal systems initiate a connection and transfer files, NetWitness captures that traffic.

NetWitness is the only security tool that provides complete visibility on a network. It shows when attacks are occurring in real-time and gives an organization the ability to detect and stop those attacks.

Rating: 5.0/5 (2 votes cast)

3 Comments

Filed under Security Management & Analysis

Tagged as Aamir Lakhani, advanced persistent threat, APT, botnets, CCTV, Cloud Centrics, Compliance, Continuous Controls Monitoring, continuous monitoring, Continuous Monitoring Architecture, Continuous Monitoring Solution, Data Loss Prevention, data traffic, DLP, EMC security, end point management, forensics, Home, http://www.cloudcentrics.com/, information leakage, Informer, Investigator, Joey, Joey Muniz, joseph, joseph muniz, keyloggers, lan security, malware, malware defense, Muniz, NetWitness, NetWitness Investigator, network forensic, network forensics, network security, nextgen, pen testing, Penetration Testing, phishing, phishing attack, phishing defense, RSA, Security, Security Information And Event Management, SEM, SIEM Technology, siemlink, SIM, Spectrum, trojan horse, visualize, World Wide Technology, world wide technology inc., wwt

Tag Archives: Aamir Lakhani

SSL Strip – Breaking Secure Websites

Situational Awareness For Cyber Threat Defense

Two Cool Gadgets To Help Be Healthy This Year: Zombies, Run! Jawbone UP

Hacking the iPhone : Breaking Pins and Passcodes : Booting without approved Apple Firmware

Search

Topics

Cisco ISE Documentation

Subscribe

Blogroll