
Anatomy of an Exploit

Benjamin Stephan, EnCE, CISSP, CISA, QSA, PA-QSA, PFI, Director of Incident Management

Introducing Our Presenter


Benjamin Stephan, Director Incident Management
Benjamin Stephan comes to FishNet Security with several years of experience in various technical roles. His experience as a security audit professional, senior forensic examiner, and administrator bolsters his security expertise as Director of Incident Management. Most recently, Benjamin has maintained a focus on issues regarding digital forensics and breach analysis. He is capable of masterfully assessing both internal and external exposures, identifying critical evidence, and profiling an event based on digital forensics. Benjamin is also an expert at analyzing incident exposures to identify the true cause or high-risk vulnerabilities, and at remediating threats in an environment to minimize the risk of continued exposure. In his current role as Director of Incident Management, Benjamin is active in multiple PCI PFI projects for Visa, MasterCard, American Express, and Discover. Benjamin also plays an active role in directing FishNet Security's e-Discovery offerings. His background and experience with the e-Discovery Reference Model (EDRM), the Federal Rules of Civil Procedure (FRCP), and advanced expertise in Electronically Stored Information (ESI) handling provide the backbone of the delivery and methodology.

Agenda
Discussion of Security Vulnerabilities by Layers
End to End Scenario
Dynamic Nature of Attacks
Capturing Knowledge from Cyber Attacks
Panel Discussion

Layered Security Approach

Attack Avenues

Most resistance to 'Aurora' hack attacks futile, says report
As many as 100 companies pwned!
-- The Register, March 1, 2010

Really? We didn't see him downloading the file server to disk?


(low-tech exfiltration du jour)

Cyberespionage Attackers Buying Crimeware-Infected Machines
"This is the warning: You'd better take all infections seriously,"
-- Darkreading.com September 16, 2011

Common SQL injection vulnerability on CMD + reuse of VERY Weak Passwords = Catastrophe for Prominent Computer Security Firm

A Very Dynamic Problem, No Easy Answers


Lots of new and improved security technologies, yet lots of successful malware!
The security product marketplace is packed with impressive tools. Too confusing?
Attack tools and methodologies are continuously morphing. Who's keeping up?
Social media and mobile devices: Pandora's box reopened
Old dogs still bite: security basics are more important than ever

The Layered Defense


For many years IT and security professionals have known that security in layers is the best approach to mitigating risk.
It is a solid approach, yet most agencies have implemented layered security and successful compromises are still on the rise.

Why? Is something broken?


What will work?

Figure: Effectiveness of Security Layers (bar chart; the vertical axis rates each layer's effectiveness as "somewhat+" from 0% to 100%).

Firewalls rated most effective at 86%; DLP near the bottom, rated 38% effective.

Multiple technologies must be layered for effective security.

Technologies shown on the chart: Firewalls, Access Control sys, Access Control, Complex PSWD, Encryption, SPAM filter, App FW, Host FW, Ntwk AV, Identity Mgt, IDS/IPS, Policy net con, RBL SPAM filter, Surveillance, Wireless encrypt, Patch Mgt, Host AV, Badging, Change/config, net policy enforce, rights mgt, strong authent, NAC, Role authen, Host policy enfmnt, App config mgt, Host IDS/UPS, Manual Patches, Host SPAM, net monitor, soft dev tools, host anti SPAM, data tracking, host change/con, app monitor, digital signature, one-time pswd, wireless monitor, DLP, app signing, auto integrity con, anomaly detection, biometrics, keystroke monitor.

A Few Security Layers Examined


The following are highly common security layers adopted and leveraged by practically all Agencies:

Host A/V
Firewall
IDS/IPS
DPI / Malware Analytics

Typically very effective, but...

Common Firewall Functions


Primary and most important job is to enable the flow of specific traffic as directed by policy, blocking everything else
Keeps state on sessions
Application aware: can block some protocols and executable content
Can identify and block anomalous use of protocols
Can help mitigate DDoS attacks through throttling
Blocks security threats through a whitelisting approach rather than a blacklisting one
*http://en.wikipedia.org/wiki/Firewall_(computing)

Examples of Firewall Limitations

Out of Band Attack Vectors


Phishing
The nature of a phishing attack is to send fake or subversive emails to the end user. Firewalls are commonly configured to allow email traffic. However, they do not look at the contents of the traffic. So phishing emails are allowed to bypass without any resistance.

Infected USB Device


A firewall sits on the network at the perimeter of the environment. The device only looks at data in transit on that network segment. Infected USB devices are attached to a host within the environment, so the infected data physically bypasses the protection.

Examples of Firewall Limitations

Reverse Proxy
A reverse proxy is a type of attack where the connection between the protected environment and the attacker originates from within the protected environment.
Common means of intrusion include phishing, XSS, USB devices, etc.
Once the malware is inside the network, firewalls are often not configured to look hard at outbound traffic
Many reverse proxies leverage an SSL tunnel or IPsec tunnel to encapsulate the data

Examples of Firewall Limitations

DNS traffic has become the silent killer for many attack profiles
DNS ports have been widely accepted as a default accept rule for firewalls so that DNS hosts can maintain updated records

Attackers are exploiting the DNS architecture by either poisoning the DNS host to control the flow of legitimate traffic or hiding command and control traffic in seemingly legitimate DNS traffic
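As an added illustration of the second technique above (not part of the original deck), the following Python flags the query pattern of an encoded command-and-control channel hidden in DNS: many distinct, long, high-entropy leftmost labels sent to one registered domain. The resolver log format, domain names and thresholds are constructed for this example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (time, client, query type, name); not real traffic.
SAMPLE_LOG = """\
10:00:01 10.1.4.22 A www.example.com
10:00:02 10.1.4.22 A cdn.example.com
10:00:03 10.1.4.22 TXT 3d8f1a9c0b7e4f2a1c.updates.example.net
10:00:04 10.1.4.22 TXT 9b2e7c4d1f0a6e3b5d.updates.example.net
10:00:05 10.1.4.22 TXT a1f4c7e2b9d0836f5e.updates.example.net
10:00:06 10.1.4.22 TXT 6c0d2f8a4e1b7c3d9a.updates.example.net
10:00:07 10.1.4.22 TXT 4e9a1b3c7d2f6e0a8b.updates.example.net
10:00:08 10.1.4.31 A mail.example.com
"""

def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores far higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(name):
    # Assumption: the last two labels identify the owner; production code would
    # consult a public-suffix list instead.
    return ".".join(name.rstrip(".").split(".")[-2:])

def find_suspicious_domains(log, min_queries=4, min_label_len=12, min_entropy=3.0):
    """Return registered domains whose queries look like an encoded channel:
    at least `min_queries` queries, every one carrying a distinct long,
    high-entropy leftmost label (so the resolver cache never answers them)."""
    stats = defaultdict(lambda: {"hits": 0, "labels": set()})
    for line in log.splitlines():
        _ts, _client, _qtype, name = line.split()
        label = name.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            entry = stats[registered_domain(name)]
            entry["hits"] += 1
            entry["labels"].add(label)
    return sorted(d for d, e in stats.items()
                  if e["hits"] >= min_queries and len(e["labels"]) == e["hits"])

if __name__ == "__main__":
    print(find_suspicious_domains(SAMPLE_LOG))  # ['example.net']
```

Thresholds need tuning per environment; content delivery networks and some anti-spam lookups legitimately produce long labels, so the output is a lead for an analyst rather than a verdict.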

Clear Host Antivirus (AV) Benefits


Prevent, detect, and remove malware (worms, Trojans, etc.)
Mitigate damage from known viruses
Maintain an ongoing analysis of the state of the machine to help minimize the potential of an infection
Protect against malicious files attached to emails
Regular updates with new viruses and attack signatures

*http://en.wikipedia.org/wiki/Antivirus

Some Host Antivirus Limitations


Generally adheres to a reactive approach to security

Typically only as smart as what happened yesterday.


Effectiveness is dependent on updated signatures and libraries.
If the virus is new or a new variant, then AV may not detect it.
Updates take time to design, test, implement, and disseminate.

Example: Trifecta Attack

(functionally decoupled malware)

An attack profile leveraging 3 separate files

Files are individually benign in nature, but the combination of all 3 executing on a single system allows for compromise of sensitive data

AV is unable to aggregate analysis across these malware components and understand their relationship to each other

Intrusion Detection Systems


Obvious Benefits
IDPS monitor network and/or system activities for malicious activity and policy violations
Analysis of data within the network and not just on the perimeter
Logging, reporting, SIEM integration
Passive and active modes for threat mitigation
Wide community of professionals contribute to the signature pool

Some IDPS Limitations


Segmented Network Intrusion
A workstation (DBA) in a lower security state is compromised by malware. The malware obtains the credentials of the user and authenticates to a database in a sensitive network. The IDPS identifies the source, authentication, and traffic as legitimate.

Native Difficulties with Encryption


Encrypted traffic
Encrypted payloads

Historical Analysis
IDPS systems cannot remember historical references. The analysis of data is limited to what is analyzed at that exact point in time.
Low and slow attack vectors are very difficult to see
Aggregate and diversified attack vectors are not recognized
Largely signature-based technology

Clear Benefits of DPI Systems


The evolution of attack mitigation requires the use of devices dedicated to the capture and in-depth analysis of data in transit, commonly referred to as Deep Packet Inspection.

Indispensable tools for forensic analysis, incident response, and post-mortem learning!
Full or partial packet analysis
Variants can use honeypots and VM sandboxing techniques
Analysis of malware extracted from data in transit
Malware profiles and signatures updated regularly
Detection of command and control traffic

Some DPI Limitations


Volume of Data
Analyzing traffic on current networks can lead to extraordinary amounts of generated data
Multi-gigabit bandwidth plus a retention policy can mean terabytes or petabytes of data to manage
Can be difficult to query large volumes of data quickly
Typically blind to encryption (though workarounds exist)
Elusive quarry plus vast data stores turns "needle in a haystack" into finding the one insidious piece of hay in a mountain of hay

DPI Limitations Continued


Unable to see the attack origin if it is at the host level
Encryption often reduces analytical capability to L3 or L4 (similar to NetFlow analysis)
FPC solutions may offer little native correlative capability
Most effective if you know exactly what you're looking for within a relatively narrow timeframe

Complex Data Architecture


Evolution of network complexity
5-10 years ago networks consisted of fewer than a dozen devices

In the current industry a network of over 10,000 nodes can be commonplace

Comprehensive Containment


The Cumulative Effect:


An End to End Example

Malware Insertion & Data Exfiltration Via Malicious Website:


WEB FILTERING LAYER: Bypassed web filtering through DNS fast flux.
FIREWALL: Little egress filtering for HTTP/HTTPS traffic. The attack took the form of a legitimate-looking HTTP GET, possibly a malicious link from a social media site or phishing campaign. The firewall blocks executables, but not binary content served through ActiveX, Flash, etc. No anomalous use of protocol to detect: a legitimate HTTP connection.
IDPS: Mostly signature-based. The multi-stage threat provides no clear signature match. Did not provide analysis of the SSL/IPsec encrypted session. Efficacy limited with streaming protocols.
NBAD: No indications of malware propagation from L4 analysis. A single, benign-looking client/server session. No prominent bandwidth spike to indicate exfiltration.

AUTOMATED MALWARE ANALYSIS: Malware was delivered functionally decoupled, possibly in binary form rather than in a one-click format. The initial link was judged as OK; the attack was multi-stage.
HIDS: The things HIDS look for were not present here. The separate functional entities of malware produced no clear warnings or signature matches for the HIDS.
AV: Signature-based; has a difficult time with functionally decoupled malware, and heuristics are difficult to tune appropriately. Did not identify the individual, decoupled malware agents as a threat or understand their relationship to each other.
FILE INTEGRITY CHECKER: What if no system files are modified? E.g., code injected into the memory of a running process, with no file modified on disk. The malware trifecta searched non-system directories for target data, then packaged, encrypted, and transmitted it.

RESULT: SOLID SECURITY INFRASTRUCTURE, SUCCESSFUL COMPROMISE OF DATA
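As an added example (not from the original deck) of the aggregate view that the AV and HIDS layers above lack, and that the earlier trifecta slide says AV cannot provide, the following Python correlates the three stages of the malware trifecta (search non-system directories, package, transmit) across different processes on one host. The telemetry records, process names, paths and the five-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed host telemetry: (time, host, process image, event type, detail). Not real data.
EVENTS = [
    ("2011-09-16T10:01:10", "ws-17", "svc_a.exe", "dir_enum", "C:\\Users\\dba\\Documents"),
    ("2011-09-16T10:01:45", "ws-17", "svc_b.exe", "archive_write", "C:\\ProgramData\\tmp\\out.bin"),
    ("2011-09-16T10:02:30", "ws-17", "svc_c.exe", "net_connect", "203.0.113.10:443"),
    ("2011-09-16T10:05:00", "ws-22", "backup.exe", "dir_enum", "C:\\Windows\\System32"),
    ("2011-09-16T10:05:10", "ws-22", "7z.exe", "archive_write", "C:\\Users\\jo\\backup.7z"),
    ("2011-09-16T11:30:00", "ws-22", "chrome.exe", "net_connect", "198.51.100.5:443"),
]

STAGES = ("dir_enum", "archive_write", "net_connect")   # search, package, transmit
SYSTEM_PREFIXES = ("C:\\Windows",)

def stage_of(event_type, detail):
    """Map an event to a trifecta stage. Enumeration of system paths is ignored,
    since the deck's malware searched non-system directories for target data."""
    if event_type == "dir_enum" and detail.startswith(SYSTEM_PREFIXES):
        return None
    return event_type if event_type in STAGES else None

def correlate(events, window=timedelta(minutes=5)):
    """Return (host, (image per stage)) for hosts where all three stages occur
    within `window`, whichever process performed each one. Each stage alone is
    benign; the combination is the signal that per-file AV cannot see."""
    by_host = {}
    for ts, host, image, etype, detail in events:
        stage = stage_of(etype, detail)
        if stage:
            by_host.setdefault(host, []).append((datetime.fromisoformat(ts), image, stage))
    alerts = []
    for host, seq in by_host.items():
        seq.sort()
        for i, (t0, _, _) in enumerate(seq):
            seen = {}
            for t, image, stage in seq[i:]:
                if t - t0 > window:
                    break
                seen.setdefault(stage, image)   # first process observed per stage
            if all(s in seen for s in STAGES):
                alerts.append((host, tuple(seen[s] for s in STAGES)))
                break
    return alerts

if __name__ == "__main__":
    print(correlate(EVENTS))  # [('ws-17', ('svc_a.exe', 'svc_b.exe', 'svc_c.exe'))]
```

The same rule written as a SIEM correlation search is how the later slide's advice to "capture analyst knowledge in machine policy" turns a post-incident lesson into a standing detection.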

Dynamic Nature of Attacks

How Effective is each Layer?


Sophisticated attacks phone home
Indicate success areas via DNS or HTTP
Provide inside knowledge of the security infrastructure
Resilient, adaptable, learning

Attack Profile Pivoting


Protection against a cyber attack is like a physical lock. Each layer of security is a tumbler.
Often we see attackers as cutting keys and trying them one by one to see which works, when in reality we have to see that they are picking the lock: exploring multiple avenues to a successful compromise.

In the end we must adapt in real time in order to truly protect against the attack

The way we see security must change


Doveryai, no proveryai: a change of paradigm
IT Defense instead of IT Security
Layers of defense
Strategic defenses
Honey-pots
Internal threat agents

Trust but verify

Stronger detection and protection measures
Regular advanced training for critical personnel
Understand what products you have and how to use them

Capturing Knowledge from Cyber Attacks

Learning From What Happened


Identify the common elements
Understand common malware, approaches

Deconstruct attack vectors


Log and alert review, forensic packet analysis, flow characteristics

Research, Research, Research


Continuing education is the first line of defense
No AI yet. Highly skilled people are still the best defense!

Train Security Systems AND Security Analysts


Established IR and forensic processes must translate to operational awareness
Capture analyst knowledge in machine policy

Establish, promote programs for INFORMATION SHARING

The Indispensable Human


Weakest link, greatest asset
Increasingly complex attacks and technology
Scores of alert sources reporting in volumes
Alerts require expert validation
Skilled analysts must understand network and application layer protocols in depth
Intimate knowledge of your network is critical! If you don't know what's normal, then how can you
Expert knowledge of chosen security tools is key
Must be evangelists of security awareness and education

ROI of Cyber Defense Preparation


Figure: ROI of Cyber Defense Preparation. Two timelines, BEFORE and AFTER, plot scope of compromise against time/cost.

BEFORE: 1st instance of threat, then saturation, then detection, then containment. Few uncompromised endpoints remain; large scope of compromise; heavy resources.

AFTER: Early exposure of the known unknown and rapid response. Detection and containment follow closely on the 1st instance of threat. Fewer required resources; rapid remediation.

Thank You
