
Good afternoon. Can you hear me up the back? No? Maybe. G'day guys, my name's Edward Fowle, I also go by the name of "the fuzz", and my talk is on using breach data from an offensive standpoint, but also how we can employ it from a defensive standpoint. Just out of curiosity, how many people here are pen testers or bug bounty hunters or what have you? Cool. Defenders, blue teams? Excellent, so there's a good mix, actually probably more blue than red out here.

So just to give you a bit of background about myself: I've been working in the security space now for eight years, mostly on the offensive side. I often find myself diving between both offense and defense, but mostly from the B side of, you know, thinking through how would you as a threat actor, or a threat, do some sort of harm to an organization. So I now run my own team in Sydney; I have two staff, a couple of support folk, and I am looking at hiring sometime in the next 12 months, so if you're interested, come up and say g'day. Most of the work we do is in the pen testing space, but as I've found over the last two and a half, three years, we've found ourselves stepping back a lot further, in terms of, as opposed to just doing a simple test or a simple VA, understanding a lot of what the actual threat means to the company, or even coming back and rethinking through end to end and going through what's actually going to make this someone's worst day. So off the back of that we've been doing a number of interesting pieces of research around the space, especially around things like reconnaissance and understanding our customers, but also things around events that have been taking place such as breaches. On top of that I also lecture at UNSW Canberra as well, mostly in the wireless security space and Internet of Things, which, if you're actually looking at going to university next year, we will have Faraday cages there, so happy days.

So what are data breaches? This is the definition; I'm pretty sure I pulled it from Wikipedia or Captain James and chopped and changed it, but a data breach is an incident where sensitive, protected or confidential data has been viewed or stolen unauthorised. It can be things like personal health information, anything personally identifiable, trade secrets or intellectual property. Now for the context of this talk, the thing we are looking at is really heavily going to be around things such as users and passwords, but there's other pieces of data there as well that are fairly interesting.

So just to go through it, there's been some form of disclosure, or occasional instances of disclosure, since about 2005. Doing a bit of research on this, the first instance of this I believe was a while back, about '05, or it was actually, yep, this event took place, we've lost a heap of data. We then started seeing, especially with the rise of, around 2010, more significant occurrences of this taking place. They also started to become quite public and are now almost commonplace, so we've already had this week the whole piece on Uber losing 57 million records. If you have a look at the screenshot on, yes, that's on your left, sorry, my left, I just flew in last night, so if you have a look at the screenshot on your right, we'll see, this is from Information is Beautiful, that since about 2010 we've seen not only the volume of these breaches increase but we've also seen the size of the content that's been disclosed increasing as well.

Now what's also been another piece that's been quite peculiar about these breaches is that knowledge of the event will become public long after the actual breach has taken place. So LinkedIn for example, and I'll reference LinkedIn here a lot just because from a pen tester and offensive security standpoint it's been an awesome breach to use, that occurred in 2012 but we didn't know anything about it until the beginning of 2016.

So what's some of the content we see in breaches such as this? So emails, phone numbers and other contact information is what's there, and that's going to be the personally identifiable piece, associating an individual with that set of data. We'll also start seeing things such as home address and contact details in there a lot. But what's been really curious, whoops, now we see a reduction in the number of credit cards that have been publicly disclosed. Now if you go back to say the Stratfor breach in 2010, credit cards were in there a lot, but a lot of people have now actually sort of declined, of "hey, I probably shouldn't hold that sort of information anymore", or it's actually cheaper to make it someone else's problem and outsource it. Things such as correspondence, email addresses, SMSes or internal messaging systems within an application may also be present, and that in itself may contain data, but that usually takes a bit of time to analyze. And every now and then we'll see things such as scanned IDs, IP addresses from points of origin, or some sort of other context-specific material.

So where's my interest and what have been some of my early observations for this? So I originally started diving into this just because I really started having a bit of interest in some of the
data that was out there, and probably the first instance of this was the breach against the ABC in Australia back in 2013. Going through it you could actually start to not only identify some of the passwords that were there being associated with well-known individuals, but peculiarly I started coming across that, hey, the two or three admin hashes that were in the system were in fact being put forward for cracking on a Russian forum, and it was evident that the site had actually been breached long before. So off the back of just this little bit of data, it's like, hey, we've actually seen that someone probably beat Anonymous, or whoever made claims to the hack, by about a year or two prior to it.

Some other ones I've been doing as well have been around the Ashley Madison breach trove from about two years ago. So things I've actually enjoyed looking at have been along the lines of correlating the addresses within Sydney and socioeconomic status; so for example there were more fake accounts set up on the lower North Shore of Sydney than there were in, say, Western Sydney. It's also been interesting correlating that data with your own personal email addresses and email addresses of people that you know; that's curious, to see who actually used their real address. But the best one for me so far has actually probably been around the LinkedIn breach, also because that's what most people in business have been using, and it's also been fairly accessible, in that for us there's always actually been an account that we'd be able to find. But just as a general observation, probably the most significant disclosure I believe that was out there was probably around Stratfor, and that was more to do with the people, Stratfor and their clients, and the nature of that breach and the outcome. Probably the largest one of significance is obviously around Yahoo, but I'll always come back to LinkedIn; it has for a very long time been very useful for identifying passwords and identifying password behaviours, and I'll show that in a sec. But probably the most embarrassing one has in fact been the adult websites. So yeah, just Ashley Madison has a really rich bit of data that really points to some interesting behaviours by a number of individuals.

So what actually really spurred my interest was in fact my own password being in the LinkedIn breach and being quite easy to crack. So this was my password; before anyone wants to go and try and use it, I actually went through every service I'd used in the five or ten years prior to this event to verify that I was no longer using it. I think I found about two or three instances where I still was, and this is kind of what sparked my interest: well, if I'm doing this, then surely someone's probably still doing this elsewhere, say within their organization or within other services that they use as a part of their business.

So what's some of the stuff that can be relevant to us when we're doing, say, a business-related pentest? So IP addresses and correlation with corporate proxies. So Ashley Madison, I'll come back to Ashley Madison as the example there, it's actually quite easy to start pulling out. So in one case we found, the one we actually used for correlating corporate proxies was in fact the proxy for the Australian Parliament House, where you could actually start going through and identifying not only IP addresses, accounts that had been signing in from that IP address, but we were then also able to line up date of birth with people that we know are in that facility, and off the back of that start extrapolating other data about them. If you're able to start stitching together a number of data sources you could actually start identifying password sequences or behaviours; so one target we had a look at had managed to incorporate the word "bounty" in their password consistently, and you could simply just increment or decrement that number as required. You can also start extrapolating a little bit of data on human and behavioural analysis, such as login times if it's there, but a lot of that's going to be dependent on the sort of information you have. The other one as well is around people who are maintaining the same password across multiple sites, which is something that we consistently see, and those will typically be our first targets. But also the other one as well is use of this data in things such as blackmail or corporate espionage or financial gain, and I'll talk about an incident we dealt with a little earlier this year on that. But things like adult websites are incredibly powerful when you need to actually say that, yes, this person has been using this website; we can then also correlate their reuse of their LinkedIn password with their Ashley Madison password, and there's no way they can deny that they've been on these systems.

So what are some of the issues with maintaining this sort of data? So for our purposes we're saying, well, I'm not a lawyer; at the end of the day you're gaining and making use of information that has been thieved at some point in time, and it's been disclosed by someone and it's somewhere out in the open. But I always come back to, well, how does this differ from EternalBlue, or what WannaCry eventually evolved into, in that someone was effectively able to use the code that was provided to create the EternalBlue exploit and publicly use it? Do we also make use of that exact same exposure from a defensive standpoint, and understand how this works, how we're going to patch it, and then off the back of that use it in a defensive mechanism? So it's been one of these peculiarities of, yep, I have data that has been stolen and has been disclosed, but for me I always come back to this whole, well, we're using it from a defensive standpoint of we're trying to help organizations not reuse, we're trying to help individuals within an organization not reuse their
password, and this kind of leads to my next point. We've already seen indicators that suggest this is already in use. So if anyone has any visibility on any points that have been used for logins, has anyone seen any credential stuffing attacks in the last 12 months coming through? Anyone? Yep, yep, so down the back there. And this also came up as a discussion point with a colleague of mine who runs an Australian firm called Kasada, where they were using some of the data that we had in fact gathered on email addresses relating to one of their customers, off the back of which they're saying, well, we're able to correlate this with the LinkedIn breach; someone appears to be consistently using that breach data in order to gain access to email accounts. And interestingly enough, Sam and I were talking about this last week and he was saying, well, we're already starting to see it again, and it's typically occurring off several specific sites.

Funnily enough, in August 2017 my team and I got called in to an incident response. This was by a couple of lawyers based in Brisbane who were trying to understand how exactly this attack had occurred on one of their customers. So these guys were an Australian supplier, resold goods in Australia, and they had this interesting piece of correspondence from one of their US suppliers. The US supplier used Office 365, they did have two-factor auth enabled, and they were trying to establish how one of their account managers' accounts had in fact been compromised. Now there was no evidence of a social engineering attack, there was no indication that there were any targeted attacks on that individual's local machine, but I guess for us this was a case of, well, the simplest explanation is often the correct one, and we said, hey, look, we've got all this breach data, what's this individual's email address? Off the back of which we were able to say, well, is this your password? Turns out it was.

But what was peculiar about that whole interaction wasn't so much the technical sophistication that had taken place; it was, I would say, fairly operationally sophisticated, in that the correspondence that was maintained was very specific, the language that was used was consistent with the victim's actual method of talking via email, and it turned into a "hey, we need you to update your payment details to send us a quarter of a million dollars to a new corporate bank account in Hong Kong". So with very little sophistication this threat actor was able to impersonate someone, getting access to their account, and walk away with about a quarter of a million dollars Australian.

So in terms of how we get the data that we use for this breach collection, in terms of how we get this breach data and organize it, we try and opt for, so my team and I try and look for, publicly available data. There are several sources, and if you'd like I'm happy to provide the links to some publicly available sources for the starter. But the reason why we go for that public data is, one, it means that we're not actually trading in information, or we're not helping people profit from it, but it's also that this is the information that is out there and it's probably the information that's going to get used. And in terms of verifying authenticity, now this is kind of a curious one. I think for the most part, and I was asking this question myself about two or three days ago, of how authentic is some of the datasets we have? In one sense it's kind of relevant because we want to actually store information that's going to be relevant for us, but in another sense it's kind of one of those things that we've just got to say, well, we're not too fussed at this stage, but it would be curious to sort of over time increase the verification that what we have is true and accurate and is actually a relevant risk.

Now when it comes to managing some of the large data sets that we do have, when we were doing this as a proof of concept we were just taking the raw data and just grepping it, which took a lot of time. So over time we've built out a database that we have, we've got a simple API that plugs into a couple of other services that we're getting up and running, but that takes a little bit of time to evolve, and right now in its current form we're just using a very simple database structure with usernames, passwords and other interesting data that we have against individuals.

So when it comes to our attack sequence, a lot of this is, you know, pretty common for the pentesting stuff, in that we try and understand who the organization is first, and we try and enumerate everything associated with them: so things such as web applications, how they're authenticating, what's the network infrastructure they have in place. Cloud-based assets is another interesting one that I think is something that we overlook from both an attack and defense standpoint. Off the back of this we then have to start mapping out social interactions and individual personalities. We also tend to identify some key players that interest us based on the target we're researching, so whether it's C-level executives or people who are responsible for maintaining the accounts, go to a greater level of detail in understanding who they are, what their personal email addresses are, and try and establish as much as we can off the back of the sort of breach data that we particularly maintain against those individuals. And this kind of leads a bit more from that technical domain into that sort of personal domain of getting an understanding of both the staff but also evaluating third parties. So if you had a look previously at the talk that I was delivering, the incident response that my team and I had dealt with was around that third-party interaction, off the back of which, while compromising one individual within a supplier, the individuals that were looking to get a quarter of a million dollars out of an Australian company were able to map out and understand those interactions
and exploit them. Username structures are also another interesting one to understand, and they're quite important when it comes to undertaking an attack; same-same with email addresses. You also heard me before talking about how breach data will actually be quite dated, so you think about your average Australian, they typically move companies every two to three years, so doing a simple domain search on your target organization may not in fact be enough. And so if you started to map out LinkedIn profiles that are associated with your target company, you then need to step back a little bit and start mapping out those individuals as well.

So off the back of that you'll usually come out with an attack surface that looks a lot like this. So you'll usually have an external corporate environment that you'll probably want to be looking at, things like Citrix applications, a VPN; random applications are always awesome on a company's network, usually because someone's created them separate from the company, but also because they're usually not well maintained and they have their own place for authentication. As-a-service platforms, as I said before, are also really peculiar targets, and this is, going from, get this right, going from left to right, we start to fall into these grey areas of, well, what can we target and what is legitimate for us to exploit? Even though when we get to the right-hand side and we're looking at individual and personal accounts, targeting these will most certainly be out of scope, because when you are engaged in a penetration test or any sort of red team for a business, exploiting those personal accounts is definitely beyond your scope. But then there's this grey area of, well, are these as-a-service platforms owned by the business or are they owned by the platform provider? But given that a lot of companies nowadays don't maintain their own infrastructure, they mainly maintain these platforms, and, you know, this is where the business is actually going to be getting done.

So when we start conducting attacks against platforms such as this, things we start looking at: do we have to change the username? Do we then also have to validate if the username is correct or not? Can we log in via just a simple password? And then off the back of this we'll have things like some direct password guessing against the known password or a historical password that user had. And I mean typically we will have, say, the last company we tested, I think we had about a hundred and twenty odd possible accounts; we were just testing simply username and password combinations based on the users that we were able to map out and identify across about three or four different applications. We then have small targeted password guessing, so we started looking at C-level executives who had multiple accounts from existing breaches, and different variations of their passwords, such as incrementing numbers, changing seasons, so on and so forth. And then layering in a bit of automation with this is actually, to be honest, this is still something that we're working through, mostly because a lot of it requires that human interaction and that human analysis of understanding how an individual behaves and what their thoughts are on what their password is, or how they're going to have a password structure.

So just out of curiosity, how successful do you think my team and I have been on those sorts of attacks? Who reckons more than fifty percent? Yeah, yep. So who reckons probably only every now and then? Yeah, yep. So to be honest, we'll probably only get, say, out of a target list of a hundred and twenty, and this is based off our last engagement, of a target list of 120 individual accounts we had enumerated, we only had access to two or three accounts, which, look, is actually fairly low, but how often do we need to be successful? Yeah, just once.

So off the back of gaining access to one of these accounts, the post-exploitation scenarios are going to be dependent on what you've compromised and what that means. So for the most part, and for most of our activities, the thing that our customers are concerned about is the unauthorized access or modification of information, so being able to gain access is probably the more significant piece. We have there in our attacks that whole piece on espionage, so being able to go through, acquire data, pillage it, modify it, change it, update data and update things is usually the more significant attack. But once again this will always come back to what are you trying to demonstrate and what are you trying to get out of it. There will be some customers where we actually have to hold on any post-exploitation scenarios, for either financial means or because the executives are quite sensitive about the activities you're taking, especially if you're in their email inbox. We then have these assumed levels of trust, which leads into a suite of social engineering attacks. So if you have access to someone's email inbox and there's no expectation that someone can perform that, there's all of a sudden this assumption that if you are within the environment you're good, secure, and from a social standpoint it becomes quite easy to social engineer the targets you're looking at. Finally there's this whole piece on persistence. You heard me talk about the incident response we had before; we were looking at several weeks of someone maintaining access to that one email account, developing their understanding before they actually conducted any sort of attacks, and this wasn't, as I said before, this wasn't a technically sophisticated attack; it was, we're in the inbox, we're learning their patterns of life, we're understanding how and who they interact with, and how that can be used on our end for an attack.

So that's kind of where we look at things from an offensive standpoint, but what about the existing security controls we have in
there? So we're now talking about all these mandatory disclosure laws in Australia, which will come into effect in February in their current incarnation, and some of the activities I've already seen in this space. My observations have been that a lot of it is fairly ineffective in terms of being able to support any follow-on defensive actions. So when we look at two-factor authentication, yeah, that's going to stop an attack like that [inaudible]. I mean, you'll probably still be able to validate, so on Google for example, that the password is in fact valid, but off the back of that, all of a sudden that user may now have, say, an SMS: give us the, here's your second factor of authentication.

Password management applications are also fairly effective as long as they're employed correctly. The whole speed and time of a password reset activity in a non-technical domain is also fairly slow, and so if all I need is that one little attack that I can exploit within fifteen minutes, that's going to dislocate the defense and your ability to reset and prepare for any follow-on events; or say if I've already got access and you've just reset the password, well, I'm just going to maintain that session. These are things that you probably want to conceptualize from a defensive standpoint. Finally, Have I Been Pwned is an awesome source for identifying, yes, if your password was in a breach, but I think for me the thing that really rang home, that really sort of came home for me, was when I started to identify what data was in these breaches and what the risk of that data meant for me as an individual. And this is kind of why I talk about how we want to reorient the defense: let's actually show people what's in some of these data sets that other people have out there on them. This is going to be far more effective from a defensive standpoint than saying "Have I Been Pwned" or doing a user awareness session. Actually saying, hey, is this your password? Are you still using this password anywhere else? Do you want to change your password? will actually be a far more effective way of capturing other users than "here is a social engineering awareness campaign, sit down and watch this video for the next 20 minutes". And with that in mind, incorporating that sort of data in the process of a user getting enrolled into an organization, of "hey, what were your previous email addresses? OK, cool, don't use any of these data sets, and probably don't use Ashley Madison using your corporate account", starts to sort of communicate the whole acceptable use policy in a little bit more detail than a 50-page PDF. Relying on things like YubiKeys or two-factor authentication, so, you know, that's going to be part and parcel of business. I think one of the things that's always been a disconnect is understanding the why, and activities such as the ones where you are attempting to break in with some of these passwords, with existing breach data, is an important part of that process. Also relying on a single point of authentication as well, whether it's OAuth, Active Directory, will also help out, because if people are having to maintain twenty or thirty different passwords, as I had about a year or two ago, someone's going to have a different password that's, sorry, someone's still going to maintain the exact same password they've been using for the last ten years. As an organization, being able to understand where all your applications are, what the logins are, how they're authenticating and what those represent from a risk standpoint and an attack surface will also kind of help with, all right, if there is another big breach, what will this mean for us? It will also kind of help prepare the whole defensive piece. Other defensive practices as well within breach data: things like ensuring users aren't using their corporate accounts signing into the wrong apps, showing that you actually have proper filtering policies out there so they're not accessing the wrong locations, and then that being an embarrassment to the organization because your proxy IP addresses are in a site of ill repute; and even how you maintain information as well, and understanding what that means, will also assist greatly in this process.

So that's, I guess, a very quick overview of some of the stuff that my team and I have been playing with from an offensive standpoint, and also how we've taken a lot of that data and not just gone "how we've owned you", it's employing this information so that defenders can [understand] what the risks represent to them. Does anyone have any questions on any of the things I've just talked about? Oh, that's why, I've got the lights right on me. Yep. Awesome, guys, look, thanks for attending and thanks for coming to base off. [Applause]
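As an added example (not the speaker's tooling, and not code from the talk), here is a defender-side audit in Python of the kind the closing section argues for: it takes constructed breach records for a corporate domain, flags password "families" reused across breaches using the variation patterns the talk describes (incrementing numbers, season words), and checks a password against a Have I Been Pwned style range response with the k-anonymity scheme, so only the first five hex characters of the SHA-1 would ever leave the host. Both the record set and the range response body are constructed sample data.

```python
"""Breach-exposure audit for one corporate domain (added example).

Runs fully offline: the breach records and the HIBP-style range body
below are constructed sample data, not real breach or API content.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample breach records: (source, email, plaintext password).
SAMPLE_BREACH_RECORDS = [
    ("linkedin-2012", "alice@example.com", "Bounty41"),
    ("adult-site-2015", "alice@example.com", "Bounty42"),   # incremented
    ("forum-2013", "bob@example.com", "Winter2013"),
    ("linkedin-2012", "bob@example.com", "Summer2012"),     # season swap
    ("linkedin-2012", "carol@example.com", "correct horse"),
    ("linkedin-2012", "dave@other.org", "hunter2"),         # not our domain
]

SEASON_RE = re.compile(r"spring|summer|autumn|winter")


def password_family(password):
    """Collapse the variation patterns the talk describes (trailing digits,
    season words) so 'Bounty41'/'Bounty42' and 'Winter2013'/'Summer2012'
    each map to one family and show up as reuse."""
    base = password.strip().lower()
    base = re.sub(r"\d+$", "", base)          # bounty42 -> bounty
    return SEASON_RE.sub("<season>", base)    # winter -> <season>


def sha1_range_parts(password):
    """k-anonymity split: 5-char hash prefix to send, 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count_from_range(range_body, suffix):
    """Parse 'SUFFIX:COUNT' lines (the HIBP range format) and return the count
    for our suffix, or 0 when it is absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        found, count = line.split(":", 1)
        if found.upper() == suffix:
            return int(count)
    return 0


def build_sample_range_body(password, count):
    """Construct an offline stand-in for a range response: our suffix among
    filler entries. Sample data only, not a captured API response."""
    prefix, suffix = sha1_range_parts(password)
    lines = ["0" * 34 + "A:3", f"{suffix}:{count}", "F" * 34 + "B:12"]
    return prefix, "\r\n".join(lines) + "\r\n"


_prefix, _body = build_sample_range_body("correct horse", 7)
SAMPLE_RANGE_BODIES = {_prefix: _body}   # prefix -> range body we "fetched"


def audit_domain(records, domain, range_bodies=None):
    """Per corporate user: breach sources seen, password families present in
    more than one source (reuse or predictable variation), and HIBP-style
    hit counts for any password whose prefix we have a range body for."""
    range_bodies = range_bodies or {}
    by_user = defaultdict(list)
    for source, email, password in records:
        if email.lower().endswith("@" + domain.lower()):
            by_user[email.lower()].append((source, password))

    report = {}
    for email, entries in by_user.items():
        families = defaultdict(set)
        for source, password in entries:
            families[password_family(password)].add(source)
        reused = sorted(f for f, srcs in families.items() if len(srcs) > 1)
        pwned = {}
        for _, password in entries:
            prefix, suffix = sha1_range_parts(password)
            if prefix in range_bodies:
                pwned[password] = breach_count_from_range(range_bodies[prefix], suffix)
        report[email] = {
            "sources": sorted({s for s, _ in entries}),
            "reused_families": reused,
            "pwned_counts": pwned,
        }
    return report
```

A real deployment would fetch the range body for each prefix from the pwnedpasswords range endpoint and feed the plaintext only from a controlled source such as a password-change hook, never by storing staff passwords.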