Here are my quick notes from the BruCON 2016 conference. All the slides can be found here.

NO EASY BREACH:Challenges and Lessons Learned from an Epic Investigation

The attack started with a phishing email; the attack compromised more that 2 000 systems, 50 000 emails.

How the attack took place:

1. fast-paced attacher

• 10-25 systems infected every day.
• the attacker steal information every day.

response

• develop indicators to aid triage.
• focus on : lateral movements, pivoting, recon, new tools or back-doors.
• streamlined documentation.

lessons learned

• be fast and flexible.

2. stealthy attacks

• used anti-forensics techniques to hide endpoint and network activity.
• altered communication scheme + strong crypto.
• mass activity to obscure the real target.
• data theft using only legitimate us-based services – gmail, google drives, one drive.

response

• maximize the utility of trace forensics artifacts.
• some attacker behavior recovered from sdelete.
• took time and patience to filter out the network noise.
• deployed additional open-source tech

lessons learned

• improve visibility and don’t stop looking.
• map attacker activity ti potential data sources.
• network times provides reliable chronology.

3. rapidly evolving tactics

• seven unique persistence mechanism.
• seven distinct back-door families.
• minimal re-use of meta-data commonly tracked and shared as indicator.

response

•  fought to keep network visibility on all malware families.
• spent time analyzing system with unknown activity.
• create indicators for every stage of attack life-cycle.
• develop flexible & resilient indicators

lessons learned

• enhance and test your best indicators even when they’re working.

4. advanced attack techniques

• attacker leveraged PowerShell.
• used Windows Management Instrumentation.
• attacker used Kerberos tickets attacks which made tracking lateral movement difficult.

response

• searched for WMI persistence.
• identified evidence of attacker code in WMI repository.
• parsed out embedded scripts and malware.
• updated the environment to power shell 3.0 and enabled logging.
• turned attacker power shell usage from a threat to a benefit by logging and iocs to made findings attacker activity much easier.
• worked around Kerberos attacks: looked for remote Kerberos logons around the time of attacker activity.

Hacking KPN: Lessons from the trenches

The presentation was about 3 different vulnerabilities discovered by the kpn read team.

1. vulnerability linked to the Java de-serialisation vulnerability.
   1. the kpn team did a java deserialization burp plug-in fork
2. Citrix Netscaler
   1. Netscaler login vulnerabiilty
3. reverse-engineering cryptography from binary

New Adventures in Active Defense, Offensive Countermeasures and Hacking Back

The idea was that the security industry are doing the same things over and over again, very often as a defender we build very static walls. So the presenter propose to an “active defense”:

Active defense is not about :

• hacking back
• about one technical solution
• revenge

Active defense is about:

• have a range of solutions.

All the proposed solutions and demos are part of the advanced defense harbinger distribution which is a Linux distribution based on Ubuntu LTS that it comes with many tools aimed at active defense pre-installed and configured. Some demos of the following components:

• weblabyrinth
• honey ports
• honey badger
• jarcombiner