Hit by a Cyberattack: lesson learned. When you get hacked, how did it happen and what do you do? Rough side notes of a presentation for IFE, 8 december 2015.

1. Hit by a Cyberattack: lesson
learned
How are we hacked and what to do when it happens
IFE – 8 december 2015
Jan Guldentops ( j@ba.be )
BA N.V. ( http://www.ba.be )

2. Wie ben ik ?

Jan Guldentops (°1973)
• This year I'll be designing, building and securing server
and network infrastructure for 20 years.
• Founder of ULYSSIS (°1994), Better Access (°1996) en
BA (°2003)
• Open Source Fundamentalist (after hours )
• Strong practical, background in ICT security.
➢
Security consultant by accident
➢
1996 beroepskrediet

Pass a lot of my time in the lab ( R&D)

4. In Short:
COMMON SENSE
AS A SERVICE
(CAAS)

5. The question is not if you're
going to be hacked but
when...

6. So what goes wrong ?
How do you get hacked ?

7. The human factor
● Stupidity, laziness and ignorance

9. Amateurisme
● The successful hack implies that the current network setup and / or procedures at
DigiNotar are not sufficiently secure to prevent this kind of attack.
● The most critical servers contain malicious software that can normally be
detected by anti-virus software. The separation of critical components was not
functioning or was not in place. We have strong indications that the CA-servers,
although physically very securely placed in a tempest proof environment, were
accessible over the network from the management LAN.
● The network has been severely breached. All CA servers were members of one
Windows domain, which made it possible to access them all using one obtained
user/password combination. The password was not very strong and could
easily be brute-forced.
● The software installed on the public web servers was outdated and not patched.
● No antivirus protection was present on the investigated servers.
● An intrusion prevention system is operational. It is not clear at the moment why it
didn't block some of the outside web server attacks. No secure central network
logging is in place.

10. Social engineering
● If you want to know something,
just ask !
● People talk to much
● Your organization is leaking info :
– Google is your friend
– Stupid leaks : leaking confidential info
in references, etc.
● Key employees who are
passionate about their work often
tell you everything

11. Phishing
● You are thinking about :
● Blond, Ukrainian ladies who can tell from your e-
mail address you are the man of their live.
● Badly written or translated
● So obvious
● But what if a phishing expedion was custom
made to push your buttons ?

12. Spear Phishing
● Sinterklaas
● A custom built phishing
expedition :
– Surprise from Sinterklaas ;
– Well written e-mail
– Perfect house style
– Official url with a registered
certificate
● Send to 200+ it people
– 35% tried to fill in their
userid/password.
– Before the security-team blocked
the URL

13. I am not who I am
● We still use userid/password for authentication
● Bad passwords
● Badly managed password
● Unrealistic password policies
● One password for everything ;
● Clear text storage of passwords
● No one centralised user and role management

14. Tunnels
● Dozens of ways to set up
a return tunnel from the
inside of an organisation
● Openvpn, ssh, iodine ( ip-
over-dns), httptunnel, etc.
● Teamviewer, N-Able,
Logmein, etc.
● Hard to detect
● Usually accidents waiting
to happen

15. Others
● Bad software ;
● No structured updates ;
● Security bolton instead of by design ;
● Stuck in perimeter-security ;
● Bad system management
● Mobilization ;
● Bring your own device ;

16. The stakes have changed
● Globalization
● Cyberpunks versus mob
● Speed, damage
● Target :
● 70.000.000 personal data
● Exit security officer, CIO,
CEO
● Ashley Madison

17. So how do you know you are
hacked ?
● Obvious hacker :
● Defaces your website ;
● Send all your contacts stupid spam ;
● Uses all your cpu to mine bitcoins ;
● Attacks the whole world directly from your systems ;
● The discrete hacker ;
● Compromises your system and collects information
● Eg Belgacom hack
– Compromised since at least 2007 !

18. So how do you find these ?
● Integrity checks
● Host-based IDS
● Honeypot
● Network-based IDS
● Analyze your logs
● SIEM
● Monitor your infrastructure

19. What to do when you find
something strange ?

20. Don't panic!
● You're not the first to be hacked and certainly
not the last.
● Focus on analyzing the problems and securing
your environment.
● At least you know you are compromised...
● That's a good sign !

21. Handle the situation
● Collect a team to handle the security situation.
● These days there are cyber insurances
● AIG, Cyber contract, ADD, etc.
● This can be made up of internal staff and or
external consultants
● Draft a plan
● Execute it

22. Isolate or offline
● Get the compromised applications, machines,
account, data isolated and preferably offline.
● Take care no other parts of your environment
are infected.
● Literally or virtually pulling the etherne tcable or
power plug.
● Preserve as much data as you can
● Secure backups !

23. Collect data
● Collect as much data as you can :
● Log files ;
● Network traffic ;
● Forensic copies of compromised systems ;
– e.g Kali Linux
● You'll need this to analyze what happened,
what they took and who did it.
● Also legally important.

24. Find out what happened
● Analyze the attack, find out what happened
● Check what data and systems are
compromised
● Presume everything is compromised until you know
● Try to understand what happened
● Find out what the consequences are...

25. Disclose and communicate
● Disclose what
happened in a
structured, complete
way:
● To law enforcement ;
● To partners ;
● To employees ;
● To customers ;

26. Learn and adapt
● Learn from your mistakes :
● Change your security policy and procedures
● Learn from the hack and how your organization
responded to it
● Adapt
● It will happen again, so get more ready for it

27. Thank You
Contact us
016/29.80.45
016/29.80.46
www.ba.be / Twitter: batweets
Remy Toren
Vaartdijk 3/501
B-3018 Wijgmaal
j@ba.be
Twitter: JanGuldentops
http://be.linkedin.com/in/janguldentops/