Anatomy of an Exploit by Benjamin Stephan

Published on January 2017 | Categories: Documents

Anatomy of an Exploit
Benjamin Stephan EnCE CISSP CISA QSA PA-QSA PFI Director of Incident Management

Introducing… Our Presenter
Benjamin Stephan, Director Incident Management
Benjamin Stephan comes to FishNet Security with several years of experience in various technical roles. His experience as a security audit professional, senior forensic examiner, and administrator bolsters his security expertise as Director of Incident Management. Most recently, Benjamin has maintained a focus on issues regarding digital forensics and breach analysis. He is capable of masterfully assessing both internal and external exposures, identifying critical evidence, and profiling an event based on digital forensics. Benjamin is also an expert at analyzing incident exposures to identify true cause or high-risk vulnerabilities, and at remediating threats in an environment to minimize the risk of continued exposure. In his current role as Director of Incident Management, Benjamin is active in multiple PCI PFI projects for Visa, MasterCard, American Express, and Discover. Benjamin also plays an active role in directing FishNet Security’s e-Discovery offerings. His background and experience with the e-Discovery Reference Model (EDRM), the Federal Rules of Civil Procedure (FRCP), and advanced expertise in Electronically Stored Information (ESI) handling provide the backbone of the delivery and methodology.

Agenda
 Discussion of Security Vulnerabilities by Layers
 End to End Scenario
 Dynamic Nature of Attacks
 Capturing Knowledge from Cyber Attacks
 Panel Discussion

Layered Security Approach

Attack Avenues

Most resistance to 'Aurora' hack attacks futile, says report As many as 100 companies pwned!
-- The Register, March 1, 2010

Really? We didn’t see him downloading the file server to disk?
(low-tech exfiltration du jour)

Cyberespionage Attackers Buying Crimeware-Infected Machines "This is the warning: You'd better take all infections seriously,"
-- Darkreading.com September 16, 2011

Common SQL injection vulnerability on CMD + reuse of VERY Weak Passwords = Catastrophe for Prominent Computer Security Firm

A Very Dynamic Problem, No Easy Answers
• Lots of new/improved security technologies, yet lots of successful malware!
• Security product marketplace is packed with impressive tools. Too confusing?
• Attack tools and methodologies continuously morphing. Who’s keeping up?
• Social Media, Mobile Devices – Pandora’s Box Reopened
• Old Dogs Still Bite – Security basics more important than ever

The Layered Defense
For many years IT and Security professionals have known that “Security in layers” is the best approach to mitigating risk…
Solid approach, yet most agencies have implemented layered security and successful compromises are still on the rise.

Why? Is something broken?
What will work?

Effectiveness of Security Layers
[Bar chart: “Effectiveness (somewhat+)” of each security layer, 0% to 100%, covering technologies from firewalls, access control, complex passwords and encryption through patch management, IDS/IPS, NAC, host AV and host IDS down to DLP, app signing, anomaly detection, biometrics and keystroke monitoring]
Firewalls rated most effective, at 86%; DLP near the bottom, rated 38% effective.
Multiple technologies must be layered for effective security.

A Few Security Layers Examined
The following are highly common security layers adopted and leveraged by practically all Agencies:

• Host A/V
• Firewall
• IDS/IPS
• DPI / Malware Analytics
Typically very effective, but…

Common Firewall Functions
• Primary and most important job is to enable the flow of specific traffic as directed by policy, blocking everything else
• Keeps state on sessions
• Application aware – can block some protocols and executable content
• Can identify and block anomalous use of protocols
• Can help mitigate DDoS attacks through throttling
• Blocks security threats through a whitelisting approach rather than a blacklisting one
*http://en.wikipedia.org/wiki/Firewall_(computing)

Examples of Firewall Limitations

Out of Band Attack Vectors
Phishing
• The nature of a phishing attack is to send fake or subversive emails to the end user.
• Firewalls are commonly configured to allow email traffic. However, they do not look at the contents of the traffic, so phishing emails are allowed to pass without any resistance.

Infected USB Device
• A firewall sits on the network at the perimeter of the environment. The device only looks at data in transit on that network segment.
• Infected USB devices are attached to a host within the environment. The infected data physically bypasses the protection.

Examples of Firewall Limitations

Reverse Proxy
A reverse proxy, in this context, is a type of attack where the connection between the protected environment and the attacker originates from within the protected environment.
• Common means of intrusion include phishing, XSS, USB devices, etc.
• Once the malware is inside the network, firewalls are often not configured to look hard at outbound traffic
• Many reverse proxies leverage an SSL tunnel or IPSec tunnel to encapsulate the data

Examples of Firewall Limitations

DNS traffic has become the “silent killer” for many attack profiles
DNS ports have been widely accepted as a default “accept” rule for firewalls so that DNS hosts can maintain updated records

Attackers are exploiting the DNS architecture by either “poisoning” the DNS host to control the flow of legitimate traffic or hiding “command and control” traffic in seemingly legitimate DNS traffic
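The two DNS abuses this slide names, command-and-control hidden in DNS queries and (as the end-to-end example later calls it) DNS fast flux to slip past web filtering, both leave traces in ordinary resolver logs. The following is an added defender-side example, not from the presentation: it scores a constructed log excerpt for a name resolving to many short-TTL addresses (flux) and for a stream of unique, high-entropy subdomains (encoded data riding on DNS). The log format, domain names, addresses and thresholds are all assumptions for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines (not from the page): "<client> <qname> <answer_ip> <ttl>"
SAMPLE_LOG = """\
10.0.0.5 www.example-corp.test 203.0.113.10 3600
10.0.0.7 cdn.flux-site.test 198.51.100.1 60
10.0.0.7 cdn.flux-site.test 198.51.100.2 60
10.0.0.7 cdn.flux-site.test 198.51.100.3 60
10.0.0.7 cdn.flux-site.test 198.51.100.4 60
10.0.0.9 mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.beacon-c2.test 192.0.2.1 300
10.0.0.9 nbswy3dpfqqho33snrscc3lffyzgc3dmebqxe4tf.beacon-c2.test 192.0.2.1 300
10.0.0.9 onxw2zjan5xgk3dtmvzs4zlomfxxa33epbzxk2ia.beacon-c2.test 192.0.2.1 300
"""

def shannon_entropy(s):
    """Bits per character: encoded payloads score high, dictionary words score low."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def base_domain(qname):
    # Crude: keep the last two labels (a real deployment would consult the public suffix list)
    return ".".join(qname.split(".")[-2:])

def score_domains(log_text, flux_ips=3, flux_ttl=300, min_labels=3, min_entropy=3.5):
    """Return {base_domain: [flags]} for names showing fast-flux or tunnelling traits."""
    ips, ttls, labels = defaultdict(set), defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        _client, qname, ip, ttl = line.split()
        qname = qname.lower().rstrip(".")
        dom = base_domain(qname)
        ips[dom].add(ip)
        ttls[dom].append(int(ttl))
        sub = qname[: -len(dom)].rstrip(".")
        if sub:
            labels[dom].add(sub)
    findings = {}
    for dom in ips:
        flags = []
        # Fast flux: one name resolving to many addresses, each with a short TTL
        if len(ips[dom]) >= flux_ips and max(ttls[dom]) <= flux_ttl:
            flags.append("fast-flux")
        # Tunnelling / C2: a stream of unique, high-entropy subdomains carrying encoded data
        subs = labels[dom]
        if len(subs) >= min_labels and sum(map(shannon_entropy, subs)) / len(subs) >= min_entropy:
            flags.append("dns-tunnel")
        if flags:
            findings[dom] = flags
    return findings
```

The thresholds are starting points; a busy CDN also rotates addresses, so in practice the fast-flux flag is tuned against a baseline of known-good domains rather than applied cold.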

Clear Host Antivirus (AV) Benefits
• Prevent, detect, remove malware (worms, Trojans, etc.)
• Mitigate damage from known viruses
• Maintain an ongoing analysis of the “state” of the machine to help minimize the potential of an infection
• Protect against malicious files attached to emails
• Regular updates with new viruses and attack signatures

*http://en.wikipedia.org/wiki/Antivirus

Some Host Antivirus Limitations
Generally adheres to a reactive approach to security

“Typically only as smart as what happened yesterday.”
• Effectiveness is dependent on updated signatures and libraries. If the virus is new or a new variant, AV may not detect it.
• Updates take time to design, test, implement, and disseminate

Example: Trifecta Attack

(functionally decoupled malware)

An attack profile leveraging 3 separate files

Files are individually benign in nature, but the combination of all 3 executing on a single system allows for compromise of sensitive data

AV is unable to aggregate analysis across these malware components and understand their relationship to each other
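The gap the slide points at is correlation, not detection of any one file: each component looks benign until all three have run on the same host. The following added example (not from the presentation) shows the kind of host-telemetry rule that supplies that missing aggregation, a sliding window over constructed process events that fires only when the search, package-and-encrypt, and transmit stages all appear on one host within a short span, regardless of which process carried each stage. Event format, host names, process images and the 30-minute window are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The three stages of the "trifecta" described above; each is harmless on its own.
STAGES = ("data-search", "package-encrypt", "transmit")

# Constructed host telemetry (not from the page): "<time> <host> <pid> <image> <stage>"
SAMPLE_EVENTS = """\
2011-09-16T09:00:00 ws-dba-04 4120 helper.exe data-search
2011-09-16T09:04:00 ws-dba-04 4188 util.exe package-encrypt
2011-09-16T09:09:00 ws-dba-04 4201 sync.exe transmit
2011-09-16T10:00:00 ws-hr-11 2210 backup.exe data-search
2011-09-16T10:02:00 ws-hr-11 2210 backup.exe package-encrypt
2011-09-16T08:00:00 ws-fin-02 3001 find.exe data-search
2011-09-16T11:30:00 ws-fin-02 3050 zip.exe package-encrypt
2011-09-16T13:00:00 ws-fin-02 3099 curl.exe transmit
"""

def parse_events(text):
    """Return (time, host, pid, image, stage) tuples in chronological order."""
    events = []
    for line in text.splitlines():
        ts, host, pid, image, stage = line.split()
        events.append((datetime.fromisoformat(ts), host, int(pid), image, stage))
    return sorted(events)

def correlate(events, window=timedelta(minutes=30)):
    """Flag a host on which every stage occurred within `window`, whatever processes
    carried them. Returns {host: [(image, stage), ...]} in stage order."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[1]].append(ev)
    alerts = {}
    for host, evs in by_host.items():
        for i, (t_end, _, _, _, stage) in enumerate(evs):
            if stage != STAGES[-1]:
                continue  # anchor the window on the final stage, the transmission
            recent = [e for e in evs[: i + 1] if t_end - e[0] <= window]
            seen = {e[4]: e[3] for e in recent}  # stage -> image that performed it
            if all(s in seen for s in STAGES):
                alerts[host] = [(seen[s], s) for s in STAGES]
    return alerts
```

Here ws-hr-11 never transmits and ws-fin-02 spreads its stages over five hours, so only ws-dba-04 produces an alert; the "low and slow" case discussed later in the deck is exactly what a fixed window misses, which is why the window and stage set have to be tuned per environment.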

Intrusion Detection Systems
Obvious Benefits
• IDPS monitor network and/or system activities for malicious activity and policy violations
• Analysis of data within the network and not just on the perimeter
• Logging, reporting, SIEM integration
• Passive and active modes for threat mitigation
• Wide community of professionals contribute to signature pool

Some IDPS Limitations
Segmented Network Intrusion
A workstation (DBA) in a lower security state is compromised by malware. The malware obtains the credentials of the user and authenticates to a database in a sensitive network. The IDPS identifies the source, authentication, and traffic as legitimate.

Native Difficulties with Encryption
• Encrypted traffic
• Encrypted payloads

Historical Analysis
• IDPS systems cannot “remember” historical references. The analysis of data is limited to what is analyzed at that exact point in time
• Low / Slow attack vectors very difficult to see
• Aggregate and diversified attack vectors are not recognized
• Largely signature-based technology

Clear Benefits of DPI Systems
The evolution of attack mitigation requires the use of devices that are dedicated to capture and in-depth analysis of data in transit, commonly referred to as ‘Deep Packet Inspection’.

Indispensable tools for forensic analysis, Incident Response, post-mortem learning!
• Full or partial packet analysis
• Variants can use Honeypots, VM Sandboxing techniques
• Analysis of malware extracted from data in transit
• Malware profiles and signatures updated regularly
• Detection of “command and control” traffic

Some DPI Limitations
Volume of Data
• Analyzing traffic on current networks can lead to extraordinary amounts of generated data
• Multi-Gig bandwidth + Retention Policy can mean terabytes or petabytes of data to manage
• Large volumes of data can be difficult to query quickly
• Typically blind to encryption (though workarounds exist)
• Elusive quarry + vast data stores changes “needle in a haystack” to “find the insidious hay in the mountain of hay”

DPI Limitations Continued
• Unable to see attack origin if at host level
• Encryption often reduces analytical capability to L3 or L4 (similar to Netflow analysis)
• FPC solutions may offer little native correlative capability
• Most effective if you know exactly what you’re looking for within a relatively narrow timeframe

Complex Data Architecture
Evolution of network complexity
5-10 years ago networks consisted of fewer than a dozen devices

In the current industry a network of over 10,000 nodes can be commonplace

Comprehensive Containment


The Cumulative Effect:
An End to End Example

Malware Insertion & Data Exfiltration Via Malicious Website:
WEB FILTERING LAYER: Bypasses web filtering through DNS Fast Flux.
FIREWALL: Little egress filtering for HTTP/HTTPS traffic. Attack form was a legitimate-looking HTTP GET, possibly a malicious link from a Social Media site or Phishing campaign. Firewall blocks executables, but not binary content served through ActiveX, Flash, etc. No anomalous use of protocol to detect: a legitimate HTTP connection.
IDPS: Mostly signature-based. Multi-stage threat provides no clear signature match. Did not provide analysis of SSL/IPSec encrypted session. Efficacy limited with streaming protocols.
NBAD: No indications of malware propagation from L4 analysis. Single, benign-looking Client/Server session. No prominent bandwidth spike to indicate exfiltration.

AUTOMATED MALWARE ANALYSIS: Malware was delivered functionally decoupled, possibly in binary form vs. in ‘one click’ format. Initial link judged as OK; attack was multi-stage.
HIDS: Things HIDS look for were not present here. Separate functional entities of malware produced no clear warnings or signature matches for the HIDS.
AV: Signature-based, difficult time with functionally decoupled malware, heuristics difficult to tune appropriately. Did not identify individual, decoupled malware agents as a threat or understand their relationship to each other.
FILE INTEGRITY CHECKER: What if no system files are modified? E.g., code injected into memory of a running process, file not modified on disk. Malware Trifecta searched non-system directories for target data, then packaged, encrypted, and transmitted it.

RESULT: SOLID SECURITY INFRASTRUCTURE, SUCCESSFUL COMPROMISE OF DATA

Dynamic Nature of Attacks

How Effective is each Layer?
Sophisticated attacks:
• Phone home
• Indicate success areas via DNS or HTTP
• Provide inside knowledge of security infrastructure
• Resilient, adaptable, learning

Attack Profile Pivoting
Protection against a Cyber Attack is like a physical lock. Each layer of security is a tumbler.
Often we see attackers as “cutting keys” and trying them to see which one works, when in reality we have to see that they are “picking the lock”: exploring multiple avenues to successful compromise.

In the end we must adapt in real time in order to truly protect against the attack

The way we see security must change
“Doveryai, no proveryai” – Change of Paradigm
• “IT Defense” instead of “IT Security”
• Layers of defense
• Strategic defenses
  • “Honey-pots”
  • Internal threat agents

Trust but verify

• Stronger detection and protection measures
• Regular advanced training for critical personnel
• Understand what products you have and how to use them

Capturing Knowledge from Cyber Attacks

Learning From What Happened
 Identify the common elements
 Understand common malware, approaches

 Deconstruct attack vectors
 Log and alert review, forensic packet analysis, flow characteristics

 Research, Research, Research
 Continuing education first line of defense
 No AI… yet. Highly skilled people still the best defense!

 Train Security Systems AND Security Analysts
 Established IR and forensic processes must translate to operational awareness
 Capture Analyst knowledge in machine policy

 Establish, promote programs for INFORMATION SHARING

The Indispensable Human
Weakest Link, Greatest Asset
 Increasingly complex attacks, technology
 Scores of alert sources reporting in volumes
 Alerts require expert validation
 Skilled analysts must understand network/application layer protocols in depth
 Intimate knowledge of your network is critical!
 If you don’t know what’s normal, then how can you…
 Expert knowledge of chosen security tools is key
 Must be Evangelists of Security Awareness & Education

ROI of Cyber Defense Preparation
[Two charts plotting scope of compromise against time/cost]

BEFORE: 1st instance of threat, saturation, detection, containment. Scope of compromise grows until containment, leaving fewer uncompromised endpoints and consuming more resources.

AFTER: 1st instance of threat, detection, and containment fall close together.
• Early exposure of known unknown
• Rapid response
• Fewer required resources
• Rapid remediation

Thank You
