Top 10 Compromise Patterns Observed - How to Use Non-Traditional Internet Datasets

via YouTube

Overview

Explore the top 10 compromise patterns observed in 2015-2016 and learn how to leverage non-traditional Internet datasets for effective detection. Dive into a comprehensive analysis of various security threats, including pre-owned acquisitions, third-party hosted marketing campaigns, cloud-based development environments, IT automation risks, and EU anti-US business regulatory attacks. Discover the dangers of malvertising, third-party web components, and the challenges of tracking internet assets for EU subsidiaries. Gain valuable insights into common security pitfalls, such as weak passwords, default configurations, and the exploitation of cloud-based systems. Understand the complexities of the advertising ecosystem and its large attack surface, as well as the increasing trend of targeted brand impersonation attacks. Learn how to identify and mitigate these risks to enhance your organization's cybersecurity posture.

Syllabus

Intro
Pre-owned acquisitions
8. 3rd party hosted marketing campaigns
9. Dev: new app or test system in the cloud
10. IT Automation: cloud backup or replication
11. EU anti-US business regulatory attacks

3rd Party hosted marketing campaigns
Marketing budgets do not align with IT budgets. So when marketing is in a hurry...
• Their creative partners always offer hosting somewhere
• Almost guaranteed to be expensive, on WordPress, and insecure
• Set your stopwatch until it gets popped
• #Infosec doesn't usually know where these systems are when marketing comes in a panic

Dev: new app/test system in cloud
Everyone has new apps & test systems going into the cloud, GitHub, etc.
• Not in existing ASNs or IP space
• Can be hard to find until tied to public DNS records
• Often insecure or expose config files, hardcoded passwords
• Become back doors into internal databases

IT Automation: cloud backup & replication
IT decides to use Glacier or auto-replicate systems to the cloud for disaster recovery...
• IT doesn't tell security
• IT doesn't do security
• Default or weak passwords on accounts
• Default configs & passwords on app servers, CMSes, etc.
• Within 48 hours an IP-trawling bot comes along and pops it, now you have a back door into Enterprise prod data.

EU anti-US privacy regulations
Organization being hit with multiple six-figure fines for violating EU privacy regulations:
• Org does not have a centralized way to track new/changing Internet assets for EU subsidiaries
• Impossible to track assets manually if franchise model
• Existing assets can change
• New assets crop up regularly

Malvertising: big bucket of badness
Malvertising comprises a wide variety of attack types & targets - we have entire presentations on this, but highlights:
• Most are shotgun/fake software attacks
• Increasingly targeted/brand impersonation
• Advanced actors can target employees
• The advertising ecosystem is large & complex == large attack surface
• Hard to assign accountability, which makes this easy for the adversary to pull off

3rd Party Web Components
Attackers like SEA increasingly target 3rd Party infrastructure like CDNs and marketing widgets hosted off-domain.
• Usually targeting 3rd parties embedded in the DOM, as JS or CDN cache
• We usually don't know how they get in since we don't do vuln/pen - we are passively observing as a user
• We just know when they show up inside the DOM & start doing bad things
