
Vicente Madrigal
Consulting Systems Engineer
CCIE Security, CISSP
The Top 4 Sources of Concern Which Security Professionals Found in Defending Against a Cyberattack

Mobile Devices         58%
Data in Public Cloud   57%
Cloud Infrastructure   57%
User Behavior          57%

Percentage of respondents who find the category very and extremely challenging to defend
The Anatomy of a Security Breach
Hacker Sends Spear Phishing Email
The Hacker creates and sends the Spear Phishing Email

The Hacker crafts the Spear Phishing email and spoofs the sender address to be an acquaintance of the employee to increase the employee's trust level. In addition, the Hacker inserts a web link directing the employee to an "interesting article". The article is delivered in PDF format and contains a malware payload designed to run when the PDF document opens.

The spoofed email:
  TO: Jacob.Fuller@videoco.com
  FROM: Susan.Henry@gmail.com
  SUBJECT: Interesting Article
  Hi Jacob,
  Thought you might like this.
  Very Interesting Article
  Cheers,
  Susan

[Diagram: Hacker's PC on the Internet; Firewall; Internal Network with the Email Server, the DNS Server and the Video PLAYOUT Administrator PC; Corp. Video Backend 172.16.11.0/24 on VLAN 100 with the pipeline hosts .1 CAPTURE, .2 ENCODE, .3 ADSPLICE, .4 ENCAP, .5 PLAYOUT and .6 DRM; Subscribers UI. The same topology is reused on every following slide.]

The Admin PC Receives the Spear Phishing Email

The Spear Phishing email is sent and received by the SP's Email Server. The Video Admin receives a new mail notification ("New Mail from Susan!"), then clicks it to retrieve the Spear Phishing email.
The PC Sends DNS Request
After clicking the link, the PC attempts to find the IP of the Web Host

The Video Admin clicks on the link in the Spear Phishing email, triggering a DNS request process to locate the IP address of the link's web server host.

The Corporate DNS server begins a "recursive" lookup process to locate the authoritative DNS server for the web server's domain. Upon conclusion of this process, the respective authoritative DNS server will return the web server's IP address.

The Admin PC Receives DNS Response

[Diagram: DNS Query "Resolve www.letmein.com" from the Admin PC to the corporate DNS Server and on to the Internet; DNS Response "IP=66.66.66.66" returned to the Admin PC.]
The Browser Sends Web Request
Once DNS completes, the Browser attempts to load the page

Upon successful DNS resolution of the web server's host IP address, the Video Admin's browser can contact the web server host to load the document.

The Malware Server Receives the Web Request

[Diagram: "GET Very_Interesting_Article.pdf" sent from the Admin PC through the Firewall to WWW letmein.com on the Internet.]
The Malware Host Sends Infected PDF
The Malware Web Host creates and sends the infected PDF file

The Malware Server prepares a custom Malware File specific to the Admin's PC and Web Browser (using attributes in the Web Request).

The Malware is Received by the Admin PC

[Diagram: the infected PDF travels from the Malware Web Host on the Internet through the Firewall to the Video PLAYOUT Administrator PC.]
The PC is Compromised
The Malware executes and infects the Video Admin PC

The Malware "detonates" and the Admin PC is now fully compromised. The browser auto-launches the PDF reader to load the PDF document; the PDF reader is vulnerable to a "Zero-Day" exploit. The Malware launches a new process running in the background on the Admin PC. The Admin User is completely unaware that the PC is under the control of a Hacker.

The Malware Bot "phones home" using standard browser Web protocols with Encryption. This makes the communications to the Hacker's PC invisible to most firewalls. Cisco's NGFW can inspect encrypted traffic.

The Hacker Receives the Phone Home Notification ("New Bot Acquired: admin@videocorp.com").

The Malware Receives Discovery Instructions from the Hacker: the Hacker instructs the Malware Bot to discover system information, gathering it by scanning hard drives (cache, local disk, secure shell history and other sources), capturing keystrokes and probing the network resources on the Internal Network.

[Diagram: encrypted HTTPS channel from the Admin PC through the Firewall to the Hacker's PC, carrying the "DISK, NET, KEYS" and "PROBE, RING, REPORT, XFER" instructions.]
The Malware Collects Information
The Malware executes the Hacker's instructions to discover details

The Malware first scans all accessible disk storage for information on system administration activity (browser connections, SSH connections, FTP, etc.). The Malware Disk Scan finds Host Names, User Names, IP Addresses and Other Sensitive Information.

Next, the Malware creates a "keyboard logger" process to capture any keystrokes typed in by the Video PLAYOUT Admin (usernames, passwords, etc.). The Malware Key Logger captures Passwords.

[Diagram: disk "SCAN" on the Admin PC; keystrokes "G O O D O N E 2" captured on the Video PLAYOUT Administrator PC.]
The Malware Performs Network Recon
The Malware probes the network for additional IP and Port info

Next, the Malware will initiate a "network reconnaissance" probing process to locate Video Backend server resources and open port information.

The Malware Network Recon Completes

[Diagram: probes from the Admin PC across the Corp. Video Backend 172.16.11.0/24 hosts.]
The Malware Sends Discovery Results
The Malware packages the results and delivers back to the Hacker

The Malware consolidates the results and delivers them to the Hacker:
  Key Strokes: ADMIN, GOODONE2
  Disk Scan Results: BOOKMARKS, CONFIGS
  Host Information: CAPTURE, TRANSCODE, ...

The Hacker Receives Discovery Results

The Hacker Configures the Admin PC as a Pivot. The Hacker establishes a "Pivot" onto the Internal Network through the Admin PC to the target server systems. The Pivot essentially gives the Hacker a direct connection onto the Internal Network by using the compromised PC as a gateway, very similar to the function of a Remote Access VPN.

[Diagram: encrypted HTTPS channel from the Admin PC to the Hacker's PC carrying the results and the "SET PIVOT" instruction.]
The Hacker Creates an SSH Session
The Hacker creates admin SSH session to the Video PLAYOUT server

The Hacker creates an SSH session to the PLAYOUT Server via the Pivot. The Hacker is connected using the stolen admin credentials.

The SSH Session Request with the Stolen Admin User Name is Received
The SSH Password Request is Received ("PASSWORD for ADMIN?:")
The SSH Password Response with the Stolen Admin Password is Received

The Hacker now has an SSH terminal session to the PLAYOUT server with the administrative rights of the compromised Video PLAYOUT Admin.

[Diagram: "SSH ADMIN@PLAYOUT" from the Hacker's PC through the Pivot on the Admin PC to the .5 PLAYOUT host; password "GOODONE2".]
The Hacker Begins to Steal Data
The Hacker downloads files of interest to Hacker's PC

The Hacker, after perusing the file system on the Video PLAYOUT Server, has identified an interesting file to download.

The Hacker Initiates the File Transfer
The Hacker Begins to Receive Segments of the File of Interest

The Hacker has successfully downloaded the file(s) of interest. The Hacker, depending on personal agenda, can sell or post this information to public web sites.

[Diagram: "GET GALAXYWARS.VID" from the Hacker's PC to the PLAYOUT server; "FILE TRANSFER COMPLETE".]
The Hacker Changes the PLAYOUT Content
The Hacker changes the PLAYOUT config to play the new content

This Hacker has an ideological agenda to promote and so decides to upload new content to the PLAYOUT system to substitute for normal broadcast or streaming content.

The Hacker, having administrative access to the Video PLAYOUT Server, can change configuration or content on the system. The Hacker now changes the PLAYOUT content to be the newly uploaded ideological message content.

The Hacker Instructs the PLAYOUT Server to Play the New Content
The Hacker's Content is now on the PLAYOUT Server
Subscribers throughout the SP's coverage area are now viewing the Hacker's content.

[Diagram: "UPLOAD SKULL.MP4" and "PLAY SKULL.MP4" from the Hacker's PC to the PLAYOUT server; SKULL.MP4 delivered to the Subscribers UI.]
The Hacker Continues to Breach
The Hacker continues to expand and compromise more systems

The Hacker, having established a foothold on the Internal Network, will search for and compromise additional systems throughout the enterprise. Likely targets would include C level individuals, Finance individuals and key infrastructure components such as Active Directory.

[Diagram: additional targets CEO, Finance and AD on the Internal Network.]
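As an added example (not part of the presentation and not Cisco code), the following Python script shows how a defender can correlate the stages of this chain across ordinary logs: a DNS answer followed by a PDF fetch from the answered IP (delivery), HTTPS connections at near-constant spacing to that IP (the encrypted "phone home"), fan-out from the Admin PC across the 172.16.11.0/24 backend (network recon), and an administrative SSH login from a workstation into a backend host (the session the Hacker opens through the Pivot). The log schema, the 10.1.5.0/24 workstation subnet, the Admin PC address 10.1.5.23, the thresholds and the sample events are all constructed assumptions; only 66.66.66.66, www.letmein.com, the PDF name and the backend VLAN come from the slides.

```python
"""Defender-side correlation of the breach chain from the deck (added example).

Constructed log events are checked for four stages the slides describe: delivery,
beaconing, recon and lateral SSH. Subnets, addresses, thresholds and the log schema
are assumptions made for this example.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

WORKSTATIONS = ipaddress.ip_network("10.1.5.0/24")  # assumed admin-PC subnet
BACKEND = ipaddress.ip_network("172.16.11.0/24")    # Video Backend VLAN from the deck


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_delivery(events, window=timedelta(seconds=60)):
    """(src, ip) pairs where a PDF was fetched from ip within `window` of a DNS answer of ip."""
    answers = [(e["src"], e["answer"], _ts(e)) for e in events if e["type"] == "dns"]
    hits = set()
    for e in events:
        if e["type"] != "http" or e.get("content_type") != "application/pdf":
            continue
        for src, ip, when in answers:
            if src == e["src"] and ip == e["dst"] and timedelta(0) <= _ts(e) - when <= window:
                hits.add((src, ip))
    return hits


def find_beacons(events, min_count=4, max_jitter=0.2):
    """(src, dst) pairs with >= min_count TLS connections at near-constant spacing."""
    by_pair = defaultdict(list)
    for e in events:
        if e["type"] == "tls":
            by_pair[(e["src"], e["dst"])].append(_ts(e))
    hits = set()
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Jitter is the spread of the inter-arrival gaps relative to their mean.
        if max(gaps) - min(gaps) <= max_jitter * mean(gaps):
            hits.add(pair)
    return hits


def find_recon(events, min_targets=8):
    """Sources that opened connections to >= min_targets distinct (host, port) pairs in BACKEND."""
    seen = defaultdict(set)
    for e in events:
        if e["type"] == "conn" and ipaddress.ip_address(e["dst"]) in BACKEND:
            seen[e["src"]].add((e["dst"], e["dport"]))
    return {src for src, targets in seen.items() if len(targets) >= min_targets}


def find_lateral_ssh(events):
    """(src, dst, user) for successful SSH logins from a workstation into a BACKEND host."""
    return {
        (e["src"], e["dst"], e["user"]) for e in events
        if e["type"] == "ssh_auth" and e["result"] == "success"
        and ipaddress.ip_address(e["src"]) in WORKSTATIONS
        and ipaddress.ip_address(e["dst"]) in BACKEND
    }


def correlate(events):
    """Map each source host to the chain stages observed for it, in chain order."""
    stages = defaultdict(list)
    for name, sources in (
        ("delivery", {s for s, _ in find_delivery(events)}),
        ("beacon", {s for s, _ in find_beacons(events)}),
        ("recon", find_recon(events)),
        ("lateral_ssh", {s for s, _, _ in find_lateral_ssh(events)}),
    ):
        for src in sources:
            stages[src].append(name)
    return dict(stages)


def flag_hosts(events, min_stages=3):
    """Hosts showing at least min_stages stages; a lone PDF download is not a verdict."""
    return {src for src, names in correlate(events).items() if len(names) >= min_stages}


def _e(ts, src, kind, **fields):
    return {"ts": ts, "src": src, "type": kind, **fields}


ADMIN_PC = "10.1.5.23"        # constructed address for the Video PLAYOUT Administrator PC
MALWARE_HOST = "66.66.66.66"  # IP the deck shows for www.letmein.com

# Constructed sample log, one dict per parsed line; not taken from the presentation.
SAMPLE_EVENTS = [
    _e("2024-05-01T09:00:05", ADMIN_PC, "dns", qname="www.letmein.com", answer=MALWARE_HOST),
    _e("2024-05-01T09:00:06", ADMIN_PC, "http", dst=MALWARE_HOST,
       url="/Very_Interesting_Article.pdf", content_type="application/pdf"),
    _e("2024-05-01T09:30:00", ADMIN_PC, "ssh_auth", dst="172.16.11.5", user="admin", result="success"),
    # A benign workstation that fetched one PDF after a normal lookup and did nothing else.
    _e("2024-05-01T10:00:00", "10.1.5.40", "dns", qname="docs.example.org", answer="198.51.100.7"),
    _e("2024-05-01T10:00:01", "10.1.5.40", "http", dst="198.51.100.7", url="/guide.pdf",
       content_type="application/pdf"),
]
# Four HTTPS "phone home" connections five minutes apart, then probes of the backend
# pipeline hosts .1 to .6 on ports 22 and 80 (12 distinct targets).
SAMPLE_EVENTS += [_e(f"2024-05-01T09:{m:02d}:00", ADMIN_PC, "tls", dst=MALWARE_HOST)
                  for m in (1, 6, 11, 16)]
SAMPLE_EVENTS += [_e(f"2024-05-01T09:2{h}:00", ADMIN_PC, "conn", dst=f"172.16.11.{h}", dport=p)
                  for h in range(1, 7) for p in (22, 80)]

if __name__ == "__main__":
    for host, names in correlate(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(names))
    print("flagged:", sorted(flag_hosts(SAMPLE_EVENTS)))
```

A single stage is deliberately not a verdict: the benign workstation also produces a "delivery" hit, and only the host that accumulates three or more stages is flagged. The beacon count, jitter tolerance and fan-out size are placeholders to be tuned against a baseline of the environment, and the encrypted "phone home" is only visible here as connection metadata, which is why the deck points at NGFW inspection of the encrypted traffic itself.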
