Benjamin Stephan (EnCE, CISSP, CISA, QSA, PA-QSA, PFI), Director of Incident Management
Agenda
- Discussion of Security Vulnerabilities by Layers
- End to End Scenario
- Dynamic Nature of Attacks
- Capturing Knowledge from Cyber Attacks
- Panel Discussion
Attack Avenues
"Most resistance to 'Aurora' hack attacks futile, says report. As many as 100 companies pwned!"
-- The Register, March 1, 2010
"Cyberespionage Attackers Buying Crimeware-Infected Machines. 'This is the warning: You'd better take all infections seriously.'"
-- Darkreading.com, September 16, 2011
Common SQL injection vulnerability on CMD + reuse of VERY Weak Passwords = Catastrophe for Prominent Computer Security Firm
[Chart: Effectiveness (somewhat+), scale 0% to 100%, of the following controls: Firewalls, Access Control sys, Access Control, Complex PSWD, Encryption, SPAM filter, App FW, Host FW, Ntwk AV, Identity Mgt, IDS/IPS, Policy net con, RBL SPAM filter, Surveillance, Wireless encrypt, Patch Mgt, Host AV, Badging, Change/config, net policy enforce, rights mgt, strong authent, NAC, Role authen, Host policy enfmnt, App config mgt, Host IDS/UPS, Manual Patches, Host SPAM, net monitor, soft dev tools, host anti SPAM, data tracking, host change/con, app monitor, digital signature, one-time pswd, wireless monitor, DLP, app signing, auto integrity con, anomaly detection, biometrics, keystroke monitor]
Reverse Proxy
In this talk, a "reverse proxy" is a type of attack in which the connection between the protected environment and the attacker originates from within the protected environment.
- Common means of intrusion include phishing, XSS, USB devices, etc.
- Once the malware is inside the network, firewalls are often not configured to look hard at outbound traffic.
- Many reverse proxies leverage an SSL tunnel or IPsec tunnel to encapsulate the data.
DNS traffic has become the silent killer for many attack profiles.
DNS ports have been widely accepted as a default-accept rule on firewalls so that DNS hosts can keep their records updated.
Attackers exploit the DNS architecture either by poisoning the DNS host to control the flow of legitimate traffic, or by hiding command-and-control traffic in seemingly legitimate DNS traffic.
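The second technique above, command-and-control riding on DNS that a default-accept port 53 rule lets through, leaves a detectable shape in resolver logs: one client, one registered domain, many unique high-entropy subdomain labels, often with unusual record types. The following is an added example written for this page, not code from the talk or its author; the log format, the thresholds and the sample lines are constructed assumptions.

```python
"""Heuristic spotting of command-and-control hidden in DNS queries.

Added example, not from the original talk. The log format
("<timestamp> <client_ip> <qtype> <qname>") and the thresholds are
assumptions; the sample lines below are constructed.
"""
import math
from collections import Counter, defaultdict

# Constructed resolver log: 10.0.0.5 does ordinary lookups, 10.0.0.9 repeats
# one lookup many times (high volume but low entropy), and 10.0.0.7 sends many
# unique random-looking labels under one domain, the shape of a DNS tunnel or
# DNS-based C2 channel.
SAMPLE_DNS_LOG = """\
2011-09-16T10:00:01Z 10.0.0.5 A www.example.com
2011-09-16T10:00:02Z 10.0.0.5 A mail.example.com
2011-09-16T10:00:03Z 10.0.0.5 AAAA www.example.com
2011-09-16T10:01:00Z 10.0.0.9 A www.example.org
2011-09-16T10:01:01Z 10.0.0.9 A www.example.org
2011-09-16T10:01:02Z 10.0.0.9 A www.example.org
2011-09-16T10:01:03Z 10.0.0.9 A www.example.org
2011-09-16T10:01:04Z 10.0.0.9 A www.example.org
2011-09-16T10:01:05Z 10.0.0.9 A www.example.org
2011-09-16T10:01:06Z 10.0.0.9 A www.example.org
2011-09-16T10:01:07Z 10.0.0.9 A www.example.org
2011-09-16T10:02:00Z 10.0.0.7 TXT 3f9a8c7d2e1b4a6f8c9d0e1f2a3b4c5d.c2.example.net
2011-09-16T10:02:30Z 10.0.0.7 TXT 7b2e4d9c1a0f6e8b3c5d7a9e2f4b6c8d.c2.example.net
2011-09-16T10:03:00Z 10.0.0.7 TXT a1c3e5f7b9d2468c0e1f3a5b7d9c2e4f.c2.example.net
2011-09-16T10:03:30Z 10.0.0.7 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.c2.example.net
2011-09-16T10:04:00Z 10.0.0.7 TXT 2f4e6d8c0b1a3f5e7d9c2b4a6f8e0d1c.c2.example.net
2011-09-16T10:04:30Z 10.0.0.7 TXT 5a7c9e1f3b5d7f9a2c4e6b8d0f1a3c5e.c2.example.net
2011-09-16T10:05:00Z 10.0.0.7 TXT c4b3a2f1e0d9c8b7a6f5e4d3c2b1a0f9.c2.example.net
2011-09-16T10:05:30Z 10.0.0.7 TXT 6e2a9f4c1d8b3e7a5f0c2d9b4e6a1f3c.c2.example.net
"""


def shannon_entropy(text):
    """Bits of entropy per character; random hex/base32 labels score high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registered_domain(qname):
    """Naive registrable domain: the last two labels. Assumption for the
    example; production code would consult the public suffix list."""
    return ".".join(qname.split(".")[-2:])


def subdomain_part(qname):
    """Everything left of the registered domain, or '' if there is nothing."""
    dom = registered_domain(qname)
    return qname[: -len(dom) - 1] if qname != dom else ""


def parse_log(text):
    """Parse the constructed log format into (ts, client, qtype, qname)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        records.append((ts, client, qtype.upper(), qname.lower().rstrip(".")))
    return records


def analyse(records, min_queries=8, min_avg_entropy=3.0, min_unique_ratio=0.8):
    """Aggregate per (client, registered domain) and flag pairs that look like a
    tunnel: enough queries, mostly unique subdomains, high average entropy."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "entropy": 0.0, "txt_like": 0})
    for _ts, client, qtype, qname in records:
        s = stats[(client, registered_domain(qname))]
        sub = subdomain_part(qname)
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["entropy"] += shannon_entropy(sub)
        if qtype in ("TXT", "NULL"):  # record types favoured for carrying payload
            s["txt_like"] += 1
    findings = []
    for (client, domain), s in stats.items():
        if s["queries"] < min_queries:
            continue
        avg_entropy = s["entropy"] / s["queries"]
        unique_ratio = len(s["subdomains"]) / s["queries"]
        if avg_entropy >= min_avg_entropy and unique_ratio >= min_unique_ratio:
            findings.append({"client": client, "domain": domain,
                             "queries": s["queries"],
                             "avg_entropy": round(avg_entropy, 2),
                             "unique_ratio": round(unique_ratio, 2),
                             "txt_like": s["txt_like"]})
    return findings


if __name__ == "__main__":
    for f in analyse(parse_log(SAMPLE_DNS_LOG)):
        print(f)
```

The per-(client, domain) aggregation is the point: the repetitive client 10.0.0.9 has the same query volume as the tunnelling client but a unique-subdomain ratio near zero, so volume alone would be a poor signal. Thresholds are starting points to be tuned against a site's own resolver baseline.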
*http://en.wikipedia.org/wiki/Antivirus
Each file is individually benign in nature, but the combination of all three executing on a single system allows compromise of sensitive data.
AV is unable to aggregate analysis across these malware components and understand their relationship to each other.
Historical Analysis
- IDPS systems cannot remember historical references; analysis of data is limited to what is analyzed at that exact point in time.
- Low / Slow attack vectors are very difficult to see.
- Aggregate and diversified attack vectors are not recognized.
- Largely signature-based technology.
Indispensable tools for forensic analysis, incident response and post-mortem learning:
- Full or partial packet analysis; variants can use honeypots and VM sandboxing techniques.
- Analysis of malware extracted from data in transit.
- Malware profiles and signatures updated regularly.
- Detection of command and control traffic.
In the current industry a network of over 10,000 nodes can be commonplace.
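The limitation named above (a sensor that only sees the current packet cannot recognize a low-and-slow or periodic pattern) is what retained connection history buys you. The block below is an added example written for this page, not code from the talk or its author; the connection-log format, the addresses, the timestamps and the thresholds are constructed assumptions. It flags a jittered hourly beacon and a one-port-every-two-hours probe, and also reports what a memoryless sensor would see in any single ten-minute window.

```python
"""Stateful, over-time detection that a per-packet IDPS cannot perform.

Added example, not from the original talk. The log format
("<epoch_seconds> <src_ip> <dst_ip> <dst_port>"), the hosts and the
thresholds are assumptions; the sample events are constructed.
"""
import statistics
from collections import defaultdict

BASE = 1316160000  # constructed epoch base, mid-September 2011

# Constructed events as (offset_seconds, src, dst, dst_port).
_EVENTS = [
    # 10.0.0.7 calls 203.0.113.10:443 about once an hour with small jitter
    (0, "10.0.0.7", "203.0.113.10", 443),
    (3610, "10.0.0.7", "203.0.113.10", 443),
    (7195, "10.0.0.7", "203.0.113.10", 443),
    (10820, "10.0.0.7", "203.0.113.10", 443),
    (14390, "10.0.0.7", "203.0.113.10", 443),
    (18005, "10.0.0.7", "203.0.113.10", 443),
    (21615, "10.0.0.7", "203.0.113.10", 443),
    (25190, "10.0.0.7", "203.0.113.10", 443),
    # 10.0.0.12 touches one new port on 10.0.1.20 every two hours, ten in a day
    *[(7200 * i, "10.0.0.12", "10.0.1.20", p)
      for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389])],
    # 10.0.0.5 uses 10.0.1.30:80 at irregular, human-looking times
    (100, "10.0.0.5", "10.0.1.30", 80),
    (800, "10.0.0.5", "10.0.1.30", 80),
    (1600, "10.0.0.5", "10.0.1.30", 80),
    (5100, "10.0.0.5", "10.0.1.30", 80),
    (5200, "10.0.0.5", "10.0.1.30", 80),
    (9000, "10.0.0.5", "10.0.1.30", 80),
    (9100, "10.0.0.5", "10.0.1.30", 80),
]
SAMPLE_CONN_LOG = "\n".join(f"{BASE + off} {src} {dst} {port}"
                            for off, src, dst, port in _EVENTS)


def parse_conn_log(text):
    """Parse the constructed log into time-ordered (ts, src, dst, port)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((int(ts), src, dst, int(port)))
    return sorted(records)


def detect_beacons(records, min_events=6, max_cv=0.2):
    """Flag (src, dst, port) flows whose gaps between connections are nearly
    constant: a low coefficient of variation is the signature of a timer."""
    times = defaultdict(list)
    for ts, src, dst, port in records:
        times[(src, dst, port)].append(ts)
    findings = []
    for (src, dst, port), ts_list in times.items():
        if len(ts_list) < min_events:
            continue
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "port": port,
                             "period_s": round(mean), "cv": round(cv, 3)})
    return findings


def slow_scan_sources(records, min_ports=8):
    """Distinct destination ports per (src, dst) over the whole retained log."""
    ports = defaultdict(set)
    for _ts, src, dst, port in records:
        ports[(src, dst)].add(port)
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items()
                  if len(p) >= min_ports)


def max_ports_in_window(records, src, dst, window_s):
    """Most distinct ports visible in any single window_s-second window:
    this is all a sensor without history gets to judge."""
    flow = [(ts, port) for ts, s, d, port in records if s == src and d == dst]
    best = 0
    for t0, _ in flow:
        best = max(best, len({p for t, p in flow if 0 <= t - t0 <= window_s}))
    return best


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    print("beacons:", detect_beacons(recs))
    print("slow scans:", slow_scan_sources(recs))
    print("per-10-minute view of the scanner:",
          max_ports_in_window(recs, "10.0.0.12", "10.0.1.20", 600))
```

Run as a script it reports one beacon (10.0.0.7, period about 3600 s), one slow scan (10.0.0.12 to 10.0.1.20, ten ports) and a per-window count of one, which is why the same probe never trips a stateless threshold. The beacon test deliberately keys on (src, dst, port) so that the scanner, which also moves on a fixed timer, is not mistaken for a beacon.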
Comprehensive Containment
AUTOMATED MALWARE ANALYSIS: Malware was delivered functionally decoupled, possibly in binary form rather than in one-click format. The initial link was judged OK; the attack was multi-stage.
HIDS: The things a HIDS looks for were not present here. The separate functional entities of the malware produced no clear warnings or signature matches for the HIDS.
AV: Signature-based, so it has a difficult time with functionally decoupled malware, and heuristics are difficult to tune appropriately. It did not identify the individual, decoupled malware agents as a threat or understand their relationship to each other.
FILE INTEGRITY CHECKER: What if no system files are modified? E.g., code injected into the memory of a running process, with no file modified on disk. The malware trifecta searched non-system directories for target data, then packaged, encrypted and transmitted it.
In the end we must adapt in real time in order to truly protect against the attack:
- Stronger detection and protection measures
- Regular advanced training for critical personnel
- Understand what products you have and how to use them
[Diagram: attack saturation versus time/cost, with labelled phases and regions: Saturation, Detection, Containment, Uncompromised endpoints, Scope of compromise, Resources, and the post-incident ("AFTER") scope]
Thank You