Documente Academic
Documente Profesional
Documente Cultură
RATED S SECURITY
editing
Andrew Akers
Smash and Grab
Chapter One
evening. unknown location
“everybody has
vulnerabilities.
“let’s look at my
notes on this target.”
Notes
Lacks DNS and
reputation security
Standard DMZ
Skeleton IT staff
Poor patch management
Weak security defenses
Vulnerable to web attacks
Poor event monitoring
hmm
This will be
too easy.
No criminal records
Proficient technologist
Later over a secure irc channel 07:57 Mr Black - Hit the servers
without alarming the staff.
This is my
chance at the
big league.
good thing
they are a hospital
because after
my attack ...
there will be
bodies ...
hacking!
Our servers
are being hit by
something
it looks like
somebody is
trying to exploit
our servers.
good thing
our ips is
tuned for our
environment.
bye
felicia!
I heard we
were attacked.
are we okay?
Yes sir!
no
“We don’t have problem!
the manpower.
I’ll call cisco We Have You
services. Covered
www.xploitz.com
Don’t Do It!
Exploits are everywhere!
An exploit kit is a web server designed to identify and exploit
vulnerabilities in client machines. The goal is to deliver
something malicious such as a backdoor or ransomware.
Exploit kits can be rented online making it easy for non-technical attackers
to deliver technical attacks without understanding the details of how the
attack works.
Ransomware
Never stop the incident response at removing the
infection, or you may experience it AGAIN!!
Identifying ransomware means an attacker was able to breach your network and deliver malicious
software. Best practice is to identify and remediate infected machines, harden the network against the
attack method used, and blacklist any sources linked to the original attack!
Ransomware
Chapter Two
next day. unknown location
this hospital
will pay
anything for
their data.
I just need to
figure out how
to get to the
patient records
Notes
“let’s look at my notes on Various users and devices
this target.
Limited desktop security
Vulnerable to social engineering
Possibly flat network
High dollar data
Skeleton IT staff
Blind to Insider threats
Chaotic environment with revolving
customers and devices
Later over a secure irc channel
11:01 Mr Black - How can I get
money from this target fast?
I have just
the thing.
time to inform
the boss.
we have a
problem!
Cisco AMP is
showing multiple
hosts are
quarantining A
Malicious File.
glad we
stopped this
one from
Installing
doogie got
us infected
again!
Well this
isn’t a
surprise.
Dr. Howser
clicks
anything.
Looks like we
need to update all
endpoint system
Firepower Java ASAP!
updated our
Defenses.
I’ll check if
the malicious
source is
blocked.
Threat Removed.
We are Ready
if iT Happens
Again.
Glad my
hospital staff is
so rock solid.
Abusing a vulnerability to
achieve an outcome.
Result could be planting
a Remote Access Tool (RA
delivering Ransomware, T),
Crashing the system, etc
.
I can buy
my way into
the network.
let’s see
if mr. green is
available.
Once Inside
the HackMDS
network Mr. Brown Can
Identify and
connect to
other systems.
dr. howser’s
account has now
scanned the
hippa
network!
come to
daddy.
he must be
compromised.
dr. howser’s
system is no
longer a threat.
call dr.
howser.
now!
dr. howser,
you have
a call.
I have
not touched
a computer
all day.
don’t
worry.
we quarantined
all compromised
systems and reset
your login.
SILVER BULLET
There isn’t a silver bullet for providing
100% protection against cyber crime.
Sorry… we can’t promise that.
NOBODY CAN!
nse
r Threat Respo
The Cisco Cybe perience
inics give yo u hands-on ex
Cl DER
KER and DEFEN
as both ATTAC both
tt er understand
YOURSELF
so yo u ca n be
ber CAT AND
sides of the cy
MOUSE game.
giving
me inside
access.
Notes
People will click anything without thinking about it
Limited host security software that is
based on signatures
HackMDs not responsible for user’s home network
Compromised hosts can provide internal
access for outsiders
Social engineering is extremely effective
email
sent
let’s see if
dr. howser will
access my fake
website.
proven
football stats?
my team is
getting killed. malicious websites will scan a victim’s
systems for weaknesses such as flash
can’t hurt
and java vulnerabilities.
to see what
they say
dr. howser’s
java is out
of date.
I’ll exploit that
to place my
malware on
his system.
and use a
backdoor in my
planted malicious
software.
interesting
firepower
says one of
our users is
compromised.
hi boss.
dr howser’s
laptop has been
owned and
vpned into our
network.
$#@%!!
how did
this happen?
it auto
somebody quarantined
no need to
get him off the him.
remove him.
network! the network
saw the issue.
step away
from the
network sir.
THREAT RESPONDERS WANTED
Your EXCLUSIVE
training platform
for learning a range
of Cisco Security
products and
integrated solutions
*The Cyber Threat Response
LEAenRviroNnments get
• How
compromised
t discovered
• How breaches ge
ost
• How to respond m
VOUCHER effectively with Cisc
o security
CODE: products and solutio
ns
^^Un1z
EXPseEcuR IENCE
• Cyber rity attack
l lab
situations in a virtua
environment
APPLY TODAY!
CHER
• Play as both ATTA
and DEFENDER
CLIP and MAIL* to your Cisco Account
Manager TODAY to reserve your spot
and get your learn on!
Core Real-World
Hands On 8 Modules ks
Certification Attac
Name:
de Above
Use the Voucher Co
Address: IVE access!
to receive EXCLUS
b oriented,
Enjoy this unique la
City: State: and solution
hands-on learning
ic TODAY!
*or visit www.cisco.com/go/security demonstration clin
Attack The Branch
Chapter Five
later
branch offices
typically connect back
to the headquarters
over a trusted vpn
connection.
I can’t believe
I bet they have I haven’t owned
weak security this hospital yet.
policies at their
remote branches.
Notes
Security ops typically @HQ
Branch security is not as
important as HQ
Limited local IT resources
Scalability challenges
“let’s look at my notes on Branch tunnels back to HQ
this target. bypassing HQ security
Busy environment
Later over a secure irc channel
?!
Seeing some
weird activity at
our dc branch.
I need to grab
the team lead.
looks like
our branch is
being hit.
meraki uses
firepower ips
and amp.
we can enable
similar policies
to our hq in
all we need is to get
a few clicks.
somebody at the dc
branch to plug it in
and it will grab the
configuration
from the cloud.
hi boss.
what’s up?
later
no worries.
we just deployed
new security
from cisco.
now we are
blocking
the threat.
wow!
I just heard
about this attack
8 7 1 0 4 1 0 5 11 6 1 0 1
thirty minutes ago
and we already
CY BE R S TATE
“I’m going to get a
promotion for this!
deployed new sec? L O CKUP
mr black’s
team failed to
the takedown.
steal data
from hackmds.
981
089
CYB 799
107
01 ER
01031 S
L O C TAT
9 7 1 1 KUP E
7 9 11 4 TE
mr. White was
R S TA captured on video
CYBE KUP planting a malicious
LOC backdoor tool at
Mr. Orange’s remote a HackMDs dc
attack generated Branch Office.
logs, which cisco Talos
and HackMDS used
to identify
his location
until
66108
the next
11 7 1 0
adventure
CYBE 1
R S TA
LOCK TE
09 stay UP
1 6 1 1 111 4 1 secure!
831 AT E
R ST
CYBE CKUP
LO
Learn More
Firepower VPN
URL, IPS, and Breach security Encrypted communication
ESA CloudLock
Email security for cloud and Cloud application security
on-prem
ISE Threatgrid
Access control and security Threat analytics, detection
policy management and prevention
Meraki Talos
Cloud managed security, Security research and threat
network and collaboration intelligence
AMP WSA
Advanced breach detection Secure proxy, content control
for endpoint and network and security