Thinking Like an Attacker:
What does it take to attack a system
Eric Thayer
Senior Engineer
Assured Information Security (AIS)
153 Brooks Road
Rome, NY 13441
153 Brooks Road, Rome, NY | 315.336.3306 | http://ainfosec.com
Who are we?
▪ AIS is a security research company primarily serving the DoD
▪ Our mission is to analyze, understand, characterize and exploit cyber systems using adversarial techniques
▪ Started as a group of hackers and have maintained the mentality since 2001
Am I qualified to talk about this?
▪ Performing “Offensive Cyber” since 2002
◦ First AIS employee hired to perform red team assessments
◦ Offensive research could not be acknowledged at the time
◦ The term Cyber did not have the same meaning then
▪ System Administrator and Unix Security Admin for the DoD for five years prior to that
◦ Developed security monitoring tools
◦ Participated in multiple incident response exercises
◦ Supported the Air Force Research Laboratory in Rome, NY
• Network Operations Center
• Defensive Information Warfare Laboratory
What is an attacker?
What drives an attacker?
▪ Curiosity
◦ How did they make that work
◦ What are they doing with this data
◦ Why do I have to do this this way
▪ The desire to make something do what it was not intended to do
◦ Circumvention of others’ protections
◦ “Outwitting” the designer or developer
▪ The challenge associated with successfully breaking a system
◦ The notoriety, satisfaction, and challenge of compromising a system
◦ Who doesn’t like to see things blow up?
▪ Money…
What is the role of an attacker?
▪ Attackers are responsible for the identification and disclosure of vulnerabilities within a system through various means
◦ Funded research
◦ Interesting personal project
◦ The search for more money
▪ Provide insight into system design and security that is not always evident to designers, developers, and users
◦ Security professionals view every target as a challenge
◦ The question of “how could I break that?” is always in the back of their mind
▪ Serve as the “dark side” to help maintain the delicate balance between good and evil
How do you become an attacker?
▪ First you must be able to ask the question “Why?”, or “How?”, or even “What if?”
◦ Curiosity is the catalyst of all good findings
◦ Following up on those questions is how most of us got our start
▪ More importantly, you need a technical background with in-depth understanding of the basics of computing
◦ What’s going on inside the box
◦ How is software designed and built
◦ How does the system’s design impact the operation
◦ How are things talking to each other
◦ What is the software development/maintenance process
What else do you need?
▪ An understanding of the foundations of security
◦ What are the basic types of vulnerabilities
◦ How are systems exploited
◦ What techniques are usually applied to analysis of a particular class of target
◦ What is actually required to get code execution
◦ What measures are in place to prevent certain types of exploitation
▪ Respect your elders; you may not be the first one to show interest in a particular target
◦ Learn from the work of others and use their experience to feed your curiosity
◦ Build on their foundation and use the tools and/or techniques they used to help in your assessment
How does this apply to the IoT?
▪ Embedded platforms are becoming increasingly advanced
◦ Full operating systems
◦ Support for complex networking and communications protocols
◦ Real time feedback/diagnostic interfaces
◦ Feature rich user interfaces
▪ Lack of protection mechanisms in “closed” systems and networks makes for a rich target environment
◦ Trusted relationships and communications between nodes
◦ Open, unauthenticated protocols
◦ Decreased security to allow for integration of components
▪ “Why does a _____ need to be secure, nobody would ever want to attack that?”
Great, let’s attack something!
How?
▪ Develop an understanding of the target
◦ Analyze available documentation
◦ Review the design
◦ Interact with the system and observe normal behavior
▪ Identify goals for the assessment
◦ Define what you are attempting to achieve
▪ Perform targeted system analysis
◦ Manual and scripted interaction with components, services, or interfaces
◦ Hardware/Software analysis
• Identify hardware functionality
• Extract software and determine behavior
• Identify the basic functionalities and features that may allow for exploitation
◦ Investigate design, development, and implementation weaknesses
▪ Develop “exploitation” techniques
Understand your target
▪ To effectively exploit a target you must understand its behaviors and limitations
▪ Define what the system is capable of
◦ How does it operate?
◦ How do components communicate with each other?
◦ What forms of access exist?
▪ Determine what functional features exist and identify how they can be exercised
◦ Use the target system as a user would
◦ Monitor behavior and interaction of components
◦ Identify a behavior of interest and develop more comprehensive tests
▪ Build an understanding based on observation
◦ Documentation
◦ Interaction
◦ Monitoring of behavior
Define your goal
▪ What do we want to impact
◦ The system as a whole
◦ Physical controllers connected to smart embedded systems
◦ Servos and actuators
◦ Blinky lights
◦ The manufacturer’s reputation
▪ What is our driving force
◦ Intelligence
◦ Theft
◦ Profit
◦ Personal harm
◦ Just because I can
▪ What may have been done in this area before
Achieving your goal
▪ Determine what it is that you want to do and the impact you want to have
◦ Think about how you are going to achieve that goal and what information you may need
◦ Interact with and monitor the system to collect the required data
▪ Identify the components of the system that may be useful in helping you achieve your goal
◦ What dependencies may exist that could help exploitation
◦ Are certain components of the system weaker than others
◦ Do remote access/communications vectors exist
▪ Observe the system and refine your approach
◦ Trial and error is common practice
◦ Observe behavior and adjust accordingly
Before performing the analysis
Things to remember before getting into the weeds
▪ Although the technique for every assessment is similar, the process is driven by the understanding of the target
◦ The more you know about the system under the hood, the easier the assessment will be
◦ In-depth knowledge and clearly defined goals will help focus the assessment and manage scope
▪ Every target system will be different
◦ Remote access techniques will vary
◦ OS may be Linux based, it may not
◦ Exposed services could exist
▪ The purpose and design criteria for the system will set the bar for protections
◦ Purposefully designed systems often present a hardened attack surface
◦ Integration of legacy systems often introduces security holes
◦ Multiple systems from various suppliers integrated into a single solution…
Targeted system analysis
▪ Identify the basic features that may allow for exploitation
◦ Network communications
◦ Input processing
◦ Exposed services
◦ Software updates
▪ Interface with the target through the exposed interfaces and observe the resultant output for anomalies
◦ Develop test cases to stress system operation
◦ Generate network data or program input to test functionality
◦ Manipulate data, timing, and sequencing
▪ Extract software and data and perform more in-depth reverse engineering
◦ Perform static and dynamic analysis
◦ Identify functional system blocks and interfaces
◦ Trace data flow
Develop an exploit
▪ Exploitation is an art, not a science; initial attempts at generating an effect don’t always work
◦ These are complex systems; there are often logic and preconditions that must be met
◦ Understanding of the target’s operation in certain scenarios may require further investigation
◦ Educated trial, error, and observation are key to successful exploitation
▪ Exploitation is not limited to code execution; unintended use of features can also be an exploit
Now what?
▪ Define your goals based on what you know
◦ Learning is an iterative process
◦ As your knowledge of the target evolves, you will need to refine your goals
▪ Understand what has been done already
◦ Build upon what others have accomplished
◦ Learn from their mistakes
▪ Understand the potential issues associated with attacking any system
◦ There are some things that just may not work
◦ Time, budget, and resources are most commonly your limiting factors
▪ Remember, an exploit does not have to provide a means to execute code, but a severe vulnerability will have a much more meaningful impact
Can you hack it trivia