Modern threat modeling is a defensive response to understanding a threat so as to prepare yourself, your network, and your assets. This talk shows how threat modeling can be used as an offensive weapon. While traditional threat modeling looks at the attacker, the asset and the system – offensive threat modeling looks back at the defender to understand his tactics and expose weaknesses.
This talk focuses heavily (but not exclusively) on the human side of the defensive equation to get inside the mind of the defender. Combining expertise in intelligence gathering through social reconnaissance and various other methods of social engineering with expertise in traditional threat modeling and penetration testing – this talk yields a powerful new weapon in the attacker's toolbox.
The speakers will highlight the attack vectors used by nation states and organized groups in "APT" attacks, which encompass a holistic approach to fingerprinting and profiling targets (Posture and Position) to yield devastating results. In many cases, data culled from social media, supply chain, satellite imagery, property management, conference attendance, personal browsing predispositions, sales literature, even political campaign donations can be aggregated and prioritized to increase the likelihood of success. In one example, we show how "grey area" websites that allow users to sign up as "providers", once past their trivial validation, can obtain useful information about potential clients registered with the website. Information gleaned over many of these sites in cities where a target has a presence can be used to identify persons or organizations at risk of attack/blackmail.
Tactics taught will include social media monitoring of employee actions and locations (Position and Predisposition) to create near real-time actionable pretexting for social engineering attacks. Additional back channel attacks focus on employee home networks, allowing for successful network penetration of a company while never targeting the company directly (Predisposition, Posture, and Position). This is accomplished via psychological profiling and sentiment analysis of users, to deploy specific honeytraps for employees and their families (Predisposition) and reverse honeypots for target company InfoSec groups (Position) as adjunct attack vectors. Counterintelligence, misdirection, weaknesses of other attackers (if they exist and can be identified/created), and false flag attribution are utilized to increase effectiveness of the attack, tie up defenders, and minimize detection (Posture and Position). We will also show how to utilize social media poisoning, where we attempt to change both public and employee perception of the target, incentivizing attacks both externally and from within (Predisposition).
Much like a spy movie plot, this talk will provide the attacker with the necessary tools to know their target, control the situation more effectively, and have a greater chance at successfully reaching their goal. This talk is meant to be used to understand how the other side (the attackers) sees you (the defenders) in any scenario and what the defenders should expect … to formulate a solid defensive posture.
Žádné komentáře:
Okomentovat