dissection of a Cyber- Espionage attack

More documents

Recommendations

Info

The target: the moat without water How to develop a good network segmentation and be breached The environment is a Microsoft AD Forest with a pyramidal structure. #RSAC • The root AD trusts several subdomains each with its proper set of AD servers. • The forest is regulated with different level of trust. • The «Secret» and «NATO» networks are physically separated entities were people can access only through dedicated machines. • Under no circumstances a user from standard AD structure can access Secret networks.
The target: the moat without water How to develop a good network segmentation and be breached Patching policies are 15 days behind Microsoft releases. #RSAC All other applications are patched and upgraded based on internal CERT approval. The reason for the delay is due to the need to verify the consistency and the impact of upgrade/patch against production environment. During the investigation we have discovered that, in the Data Center, two AD servers related to trusted subdomains, were not properly patched since November 2014 due to the swap from a maintenance contractor to another. The lack of the patch MS14-068 is a key to understand how deep and how hard they have been breached.
Page 1 and 2: SESSION ID: CTT-W08 Evolving Threat
Page 3 and 4: Agenda What we discuss today Today
Page 5: The target: the moat without water
Page 9 and 10: The attack strategy How they break-
Page 11 and 12: Attack Overview: End of First Wave
Page 13 and 14: Attack Overview: End of Second Wave
Page 15 and 16: The attack strategy The infection p
Page 17 and 18: Pwning the core: CVE-2015-1701 AKA
Page 19 and 20: Patient Zero How the victim discove
Page 21 and 22: Patient Zero consequences How the a
Page 23 and 24: What we can bring to the table? #RS
Page 25 and 26: Actionable IoCs What our methodolog
Page 27 and 28: Investigation: first step The Custo
Page 29 and 30: Our investigation Our approach tail
Page 31 and 32: APT 28 Tools APT 28 Tools seen in t
Page 33 and 34: APT 28 Tools CORESHELL ATTRIBUTION
Page 35 and 36: APT 28 Tools EVILTOSS ATTRIBUTION B
Page 37 and 38: APT 28 Tools CHOPSTICK CHOPSTICK i
Page 39 and 40: The attack strategy IOC: C2 list T
Page 41 and 42: Conclusion What I can suggest It i
Page 43 and 44: #RSAC

dissection of a Cyber- Espionage attack

Create successful ePaper yourself

Delete template?

Save as template?