Shut the Front Door and the Back Door Too!

Transcription

Shut the Front Door and the Back Door Too!
Shut the Front Door and the
Back Door Too!
(How and Why Hackers Attack and What
to Do About It)
Jim Nitterauer
Senior Systems Administrator
A Little About Me
• Senior Systems Administrator at AppRiver, LLC since 2006
• Is Responsible for global network deployment & security in 10 datacenters
• Manages SecureTide global infrastructure
• Filtering for more than 850,000 mailboxes
• 600 plus servers
• Manages SecureSurf global DNS infrastructure
• Anycast DNS Security
• 100 Plus servers
• Founded Creative Data Concepts Limited, Inc. in 1994
• Founded GridSouth Networks, LLC in 2006
• President of Gulf Breeze Area Chamber of Commerce 2003 & 2004
• B.S Biology 1985 Ursinus College
• M.S. Microbiology 1989 University of Alabama
• Regular Black Hat and DEFCON attendee
• Completed Sans 560 – Network Penetration Testing and Ethical Hacking
Talk Overview
• Review key security (data) breaches and
network attacks that have occurred over the past
12 months (What Do Hackers Do?)
• Discuss the major motivations driving these
attacks (Why Do Malicious Hackers Hack?)
• Outline the most common attack vectors in use
(How Do Malicious Hackers Hack?)
• What is FUD?
• Learn how to uncover, mitigate and prevent
common attacks (What Do I Do When Hackers
Hack?)
Recent Data Breach Summary
• Timeline September 2013 – August 2014
– Total Reported Breaches – 259
– Total Identities Exposed – 598 million
• Top Causes of Data Breaches
–
–
–
–
Malicious Hackers – 53%
Accidentally Made Public – 21%
Theft or Loss of Computer or Drive – 20%
Inside Theft – 6%
Symantec Intelligence Report – August, 2014
Recent Data Breach Summary
Symantec Intelligence Report – August, 2014
Recent Data Breach Timeline
• Timeline September 2013 – August 2014
Symantec Intelligence Report – August, 2014
Recent Data Breach Top Ten
Symantec Intelligence Report – August, 2014
Recent Data Breaches in the News
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Recent Data Breaches in the News
• EBay
– Hackers obtain a small number of employee login credentials
– Use that info to access database containing user records in late
February and early March
– Data copied and posted for sale
• Home Depot
– Malware installed on POS systems across 2,200 stores
– Syphoned credit card details of up to 56 million customers
– May be same Russian group that hit Target, Sally Beauty, P.F.
Chang’s, Neiman Marcus and Michael’s
Recent Data Breached in the News
• Adventura Hospital (Florida)
– 82,000 patients impacted by third data breach in two years
– Latest began just one day after previous breach had ended and
lasted two years
• JPMorgan Chase & Company
– Break-in acknowledged 9/20/2014
– Details not provided
– No fraudulent use of compromised data detected
• Apple iCloud
– Celebrity accounts hacked due to a flaw in iCloud Web API
– Compromising photos copied and made available publically
Recent Network Attacks
• Destiny and Call of Duty Servers
– Used by PlayStation and Xbox
– Hit with DDoS attack by Lizard Squad
• Silk Road 2.0
– Hit by sophisticated DDoS Attack
– 9/20/2014
– Last February lost $2.6 million in bitcoin due to attack
• Codespaces
– June 2014 - Amazon cloud account hacked
– All virtual servers and backups deleted
– Business closed on the day of the attack
• Spamhaus
– Hit with 300 Gbps DNS amplification attack
The Face of Cybercrime Today
“The Web has become the new threat vector of choice by hackers and cyber criminals
to distribute malware and perpetrate identity theft, financial fraud and corporate
espionage.” -- IDC
Malware
• What is Malware?
– Software or code that is executed on a computer
without the knowledge or consent of the operator
– Designed to
• Assess and exploit security vulnerabilities in systems
• Provide remote command and control access to
unauthorized parties (botnet participation)
• Distribute confidential or personal information to
unauthorized parties
– Distributed by multiple vectors
– May permanently damage data
• Ex. Ransomware
Malware Top Ten - Windows
Symantec Intelligence Report – August, 2014
Malware Top Ten - Mac
Symantec Intelligence Report – August, 2014
Malware – Ransomware Trends
Symantec Intelligence Report – August, 2014
Malware – Activity by Source (Bots)
Symantec Intelligence Report – August, 2014
Vulnerabilities
• What are Vulnerabilities?
– Any design or coding flaw that exposes data or systems to
potential exploitation or results in unexpected behavior or
performance
– Also called an attack surface
– Requires three elements for exploitation
• A susceptible system
• Attacker access to the flaw
• Attacker capable of exploiting the flaw
– Not all vulnerabilities pose same level of risk
– A “Zero Day” vulnerability usually refers to a software flaw that is
exposed and exploited before the vendor is aware of the issue
and can release a fix
Vulnerabilities – Zero Day
• Most Recent Zero Day Exploits
– Bash shell environment variable manipulation
(Shellshock)
– Open SSL Heartbleed private SSL certificate
disclosure (Memory scraping)
– Microsoft Internet Explorer Use-after Free flash
exploit
• Excellent Resource
– http://blog.beyondtrust.com/zd_threat
Vulnerability Disclosure Timeline
Symantec Intelligence Report – August, 2014
Vulnerabilities – Zero Day
Symantec Intelligence Report – August, 2014
Vulnerabilities - Browser
Symantec Intelligence Report – August, 2014
Vulnerabilities – Plug-in
Symantec Intelligence Report – August, 2014
Mobile Threats
• Mobile Threats
– Place personal mobile devices at risk by
•
•
•
•
•
•
•
Tracking user activity
Stealing personal information
Creating backdoors
Reconfiguring device
Displaying annoyances
Redirecting content
Spamming
– Many mobile devices are connected to corporate
resources including email services
Mobile Threat Classifications
Symantec Intelligence Report – August, 2014
Social Media
• Social Media (Twitter, Facebook, etc.)
–
–
–
–
–
–
Fake offerings
Manual Sharing
Life jacking
Comment Jacking
Fake Apps
Misleading news stories or links
• Ultimately leads to attempted malware infection
or attempt to steal credentials
Social Media
Symantec Intelligence Report – August, 2014
Email – Phishing, SPAM and Viruses
• Email trends
– Phishing rate down in August from 1 in 1290 to 1 in
1587 email messages
– Global SPAM rate for August was 62.6 percent
meaning 62 out of 100 messages were SPAM
• AppRiver’s SecureTide customers see SPAM rates closer to
87.7%
• More U.S. based customers – more valuable targets
– One out of every 270 contained a virus
– 3.2% of all email contained a malicious URL
• AppRiver’s customer base sees a higher percentage of
emails with malicious URLs
• More U.S. based customers – more valuable targets
Email – Phishing Rates
Symantec Intelligence Report – August, 2014
Email – Global SPAM Rates
Symantec Intelligence Report – August, 2014
Email – Viruses Per Message
Symantec Intelligence Report – August, 2014
Email – Viruses Per Message
• What does antivirus software protect against?
– On average, less than 1% of all threats are due to
virus infiltration
Email – Messages w/ Malware URL
Symantec Intelligence Report – August, 2014
Malicious Hackers
• What they are NOT . . .
– Some teenager hacking a Web site for bragging rights
– A Script Kiddie
– White Hat vs. Black Hat
Malicious Hackers
• What they ARE . . .
– Well-trained experts with a plethora of tools at their
disposal
– Sell themselves to the highest bidder
– Work for or are part of sophisticated criminal
enterprises
– Members of global activist networks
•
•
•
•
Anonymous
Syrian Electronic Army
LulzSec
Others
Malicious Hacker Motivations
• Making social statements
– Hacktivism
– Bring down specific targets based upon political views
• Theft
– Stealing data that can be resold for profit
• Personal info
– Credit Cards
– SSNs
– Medical Records
• Corporate info
– Financial info
– Trade Secrets
– Espionage
Malicious Hackers Target
• Three Basic Targets
– Revenue
•
•
•
•
What can they steal that can be sold?
Steal items that have cash value (Bank transfers, Bitcoin)
Access bank accounts
Steal intellectual property
– Reputation
• Defile your Web site and other public resources
• Smear you reputation
• Degrade service
– Upset customers
– Break SLAs
– Result in revenue loss
Malicious Hackers Target
– Resources
• Own your network, servers and workstations
– Continuous data gathering
– Access higher level computing resources and data
• Use these resources to attack others
– Botnet participation
– Anonymous proxy
Malicious Hackers
• Use a combination of attack vectors
– Often the most visible attack is NOT the real attack
• DDoS to create panic
• Physical compromise occurs during chaos
– Vectors include
• Physical attacks
• Social engineering
• Network attacks (local and hosted resources)
– Wired
– Wireless
Common Attack Mechanisms
• Overall Process
– Seven stages
•
•
•
•
•
•
•
Recon
Lure
Redirect
Exploit
Place malicious code
Call home
Data Theft
Common Attack Mechanisms
– Process much like a structured penetration test
except that hackers
•
•
•
•
Are not limited by budget
Are not limited by “Rules of Engagement”
Are not motivated to play by the rules
Are not easily caught and prosecuted
Web Sense - The Seven Stages of Advanced Threats and Data Theft - 2012
Common Attack Mechanisms
• Information gathering
– Publically available info
•
•
•
•
•
•
•
•
•
Web sites (Maltego)
Google, Bing, etc. (Search Diggity Suite)
Facebook, Twitter, Instagram, LinkedIn
Dumpster diving
Web file (document) metadata (ExifTool, FOCA, others)
Internet Registries (ARIN, Network Solutions, GoDaddy, etc.)
DNS Tools (DNSstuff.com, dnstools.com, dig)
Job Postings
Links (BiLE – BiLateral Link Extractor)
Common Attack Mechanisms
• Information gathering (continued)
– Social Engineering
•
•
•
•
Phishing
Phone scams
Social media profile impersonation
Physical entry (break-in or tailgating)
– Wireless network exploitation
•
•
•
•
Man in the middle attack
Open or WEP Protected Wi-Fi connected to corporate LAN
Wireless Redirection attack
Bluetooth or RFID scanning
Common Attack Mechanisms
• Information gathering (continued)
– Public network analysis
•
•
•
•
•
•
•
Network scanning (nmap, Zenmap, masscan)
Packet sniffing (Wireshark, TCPdump)
Vulnerability scans (Nessus, Qualis)
Web site exploitation (BeEF, metasploit)
DNS poisoning
DNS zone transfers
Google Dorks (http://www.exploit-db.com/google-dorks/)
– Rouge device placement
• Compromised USB keys (ex. USB Rubber Ducky)
• Rogue Wi-Fi sniffer (ex. Wi-Fi Pineapple)
• Raspberry Pi device
Common Attack Mechanisms
• Exploitation Attacks
– DDoS (Distributed Denial of Service)
•
•
•
•
•
SYN floods
NTP Amplification
DNS Amplification
UDP floods
Pings floods
– SQL Injection
• Attacks Web site to reveal back-end database info
– Structure
– Actual data
• Can lead to Web site defacement or data poisoning
Common Attack Mechanisms
• Exploitation Attacks (continued)
– Brute Force password cracking
• Somewhat limited but can still be done
– Remote key logging
– Cross Site Scripting
• Hijack user browser sessions
• Gather credentials or hack accounts
– BGP Hijacking
• ISP starts announcing BGP routes for IP blocks they do NOT
own
• Upstream ISP allows advertisement through filter
• Causes traffic redirection to rouge end points
Common Attack Mechanisms
• Exploitation Attacks (continued)
– Client Side Exploitation
•
•
•
•
•
Breaching network
Pivoting to workstation
Gather more info to access additional resources
Steal confidential data
Tools
– Metasploit, Armitage
– Cain, John the Ripper, THC Hydra, Ophcrack, RainbowCrack
– Netcat, Scapy
Common Attack Mechanisms
• Exploitation Attacks (continued)
– Wireless Exploitation
•
•
•
•
•
Man in the Middle attack
Fake access points (Impersonation)
Router hacking based on known exploits
DoS w/ radio interference
WEP or WPA password cracking
– Packet sniffing
• Read unencrypted credentials
• Ex. Wall of Sheep at DEFCON
– Internet of Things (IoT) Hacks
• Household devices (thermostats, TVs, DVD players, etc.)
Common Attack Mechanisms
• Exploitation Attacks (continued)
– Ex: DNS Amplification
• Recursive DNS resolvers respond to spoofed IP with large
amounts of data
• ~500 byte request in with up to 4096 byte response out
• 4096/500 = 8.192 x amplification
• Hundreds or thousands of open DNS resolvers hit and
respond to victim IP all at once
• Some attacks can have an amplification factor of over 60
• 5 Mbps cable modem could generate an attack of 3 Gbps
• Consider a botnet network with thousands of members acting
all at once
Common Attack Mechanisms
• Exploitation Attacks (continued)
– DNS Amplification Attack Diagram
Common Attack Mechanisms – Tools
• Tools
– Pre-built Linux distributions
•
•
•
•
•
•
•
Kali Linux
Backtrack Linux (Deprecated)
Pentoo
Node Zero
BlackBox
Blackbuntu
Others
– All are open source and basically free
http://www.blackmoreops.com/2014/02/03/notable-penetration-test-linuxdistributions-of-2014/
Common Attack Mechanisms - Tools
• Information gathering tools (continued)
– These distros already have most of the tools used
regularly for penetration testing
– They are maintained by various organizations
• Ex: Kali maintained by Offensive Security
– Easily updatable using normal Linux update
processes
• apt-get
• yum
– Have a wealth of public instruction available
Proliferation of FUD
• What is FUD?
– Fear, Uncertainty and Doubt
– Marketing technique first used by IBM in 1970s
– Examples
• Microsoft – Windows vs. OS/2 & other flavors of DOS
• SCO vs. IBM – Accused IBM of giving away SCO code
• Apple – iPhone jail breaking could allow hackers to crash cell
towers
• Recent FUD in the news
•
•
•
•
NBC story regarding device hacking at Sochi
Death of Windows XP
Y2K Doomsday predictions
LinkedIn and Yahoo security breaches
Proliferation of FUD
• So What is Wrong with FUD?
–
–
–
–
Distracts us from acting upon facts
Harms our reputation as IT professionals
Overuse by the media desensitizes people
Causes mistrust and skepticism
• Can FUD be beneficial?
– Can, for the short term, motivate people to take action
– As facts become clear, FUD should be dramatically
reduced
Detecting, Mitigating & Preventing Attacks
• Detecting Attacks
– First, know what is normal!
– Log everything and analyze
•
•
•
•
•
Local syslog
Windows event logs
AD DNS Logging
Kiwi, BRO, PRTG
Elastic Search (ELK)
– Monitor critical devices, services, files, interfaces,
etc..
• PRTG or Nagios
• Netflow
• Monitor port on Internet port to router for sniffing, IDS
Detecting, Mitigating & Preventing Attacks
• Detecting Attacks (continued)
– Configure alerting
• For abnormal behavior (slower or faster than normal
responses, file sizes, etc..)
• For abnormal system and resource usage
• Track over time
• Analyze trends
– Deploy Honeypots
• Kfsensor, Honeyd, Honeybot, HoneyDrive
• Use that data to understand how your network is…
– being exploited or owned
– being attacked in hopes of being owned
Detecting, Mitigating & Preventing Attacks
• Detecting Attacks (continued)
– Employ deep packet inspection
• Security Onion
–
–
–
–
–
–
Linux distro
Snort
Snorby
BRO
ELSA
TCP Replay
• Network Security Toolkit
– Remote monitoring
• Network paths
• DNS
Detecting, Mitigating & Preventing Attacks
• Mitigating Attacks
– Understand the attack
• What does the data reveal?
–
–
–
–
–
Malware
DDoS
Data breach
Physical compromise
Web site compromise
• How critical is the incident?
– Determine the source and scope
• Packet captures (Wireshark or TCP Dump)
• DNS logging on AD controller
• Use TCP Replay to analyze the data (Security Onion)
Detecting, Mitigating & Preventing Attacks
• Mitigating Attacks (continued)
– Take steps to block the current attack
•
•
•
•
•
Port block
Rate limit traffic
IP block
Web fix
Isolate infected PC or server
– Once blocked, do post mortem
• Plug holes
• Change policies
• Patch, etc.
Detecting, Mitigating & Preventing Attacks
• Preventing Attacks
– Know that there is no one “Silver Bullet”
• If a vendor says they have a device that will solve all your
problems, quickly show them the door
• Security is a multi-layered approach
• Design security from the outside in and inside out
– Web site
•
•
•
•
•
Tight coding
Limit information disclosure
Secure customer PII
DO NOT host site internally
Test with Web application vulnerability testers
Detecting, Mitigating & Preventing Attacks
• Preventing Attacks (continued)
– Email Services
• Deploy robust SPAM and Virus filtering
– Ex. SecureTide
– Be sure it is an OFF SITE (cloud) service
• DO NOT Host email internally
• Configure archiving if compliance requires
• Use an email encryption service when sending sensitive data
– Ex. CypherPost Pro
• Be sure all connections use SSL or TLS
– No transferring credentials in clear text
– POP3 and IMAP have both encrypted and non-encrypted ports
– Know the difference and use encryption
Detecting, Mitigating & Preventing Attacks
• Preventing Attacks (continued)
– Internet Connection
•
•
•
•
•
•
•
Deploy a next generation firewall and lock it down
Get an SLA from your provider
Deploy honeypots
Monitor as discussed earlier
Deploy IDS / IPS in line
Vulnerability Assessments
Use BGP Blackholes (Bogons, Spamhaus DROP)
– VPN (Remote User Access)
• Use PPTP or IPSEC VPN for all remote client access
• Use 2 factor authentication
– RSA Key (rotating code + PIN)
– AD Authentication
Detecting, Mitigating & Preventing Attacks
• Preventing Attacks (continued)
– VPN (continued)
• Log all connections
– Look for connection patterns
– Same user, multiple locations
– Connection Frequency
• Require VPN connections always
– No connection to corporate network from home or open Wi-Fi
– No connection to corporate network from shared computers
– Wireless
•
•
•
•
Separate guest access from corporate Wi-Fi
No connection to corporate LAN on guest Wi-Fi
Use WPA2 / AES as minimum encryption (NO WEP)
Scan for rogue access points
Detecting, Mitigating & Preventing Attacks
• Preventing Attacks (continued)
– Physical Access
• Know your vendors and repair techs
– Have access policies
– Require pre-arranged appointments
– Accompany visitors when possible
• Limit physical access
– Doors
– Elevators (easily hacked even w/ access control)
– Set up trap areas between elevators and office entrances
• Deploy cameras
• Do weekly walk-throughs
– Data rooms, closets, etc.
– Investigate suspect devices
Detecting, Mitigating & Preventing Attacks
• Preventing Attacks (continued)
– Physical Access (continued)
•
•
•
•
•
•
Validate door locking schedule
Deploy swipe locks
Require ID badges
Review surveillance videos regularly
Question all unfamiliar visitors
Enforce a visitor policy
– LAN Protection
• Firewall
• VLAN
– Separate by need to access
– Enforce with access lists on firewall
Detecting, Mitigating & Preventing Attacks
• Preventing Attacks (continued)
– LAN Protection (continued)
• Implement NAP (Network Access Protection)
– Limit device connections
– By MAC and compliance profile
– Enforce policies
• Test and implement hard drive encryption
• Enforce USB device policy
• Implement DNS Malware Filtering
– SecureSurf
– No “whitelisting” for known infected content
• Implement Content Filtering
– Adjust restrictions based upon user activity
– Adjust per department
Detecting, Mitigating & Preventing Attacks
• Preventing Attacks (continued)
– LAN Protection (continued)
• Enforce a clear Acceptable Use Policy
• Monitor DNS logs
• Set robust password policies
– Required length, characters
– Refresh regularly – expiration policy
• Follow OS best security practices
• Be proactive and glaringly anal about updates and patches
• Set strict BYOD policies
– Phones
– Tablets
– Laptops
Detecting, Mitigating & Preventing Attacks
• Preventing Attacks (continued)
– Hardware Retirement
• Implement a device wiping policy
• Contract with a shredding company to destroy all defunct
hardware
– Educate Users
•
•
•
•
Users are your weakest link!
Computer users should have a minimum competency level
Must ALWAYS be aware of the potential dangers
Discuss and enforce Social Networking practices
– Etiquette
– Acceptable Use
Detecting, Mitigating & Preventing Attacks
• Preventing Attacks (continued)
– Educate Your IT Staff
•
•
•
•
•
Subscribe to reputable data feeds
Podcasts
Take online courses
Make use of open source security tools
Collaborate with peers
– SANS – Securing the Human
– Bottom line – KNOW YOUR ENEMY
Wrap Up
• Q &A
• Contact Info Jim Nitterauer
jnitterauer@appriver.com
@jnitterauer
http://www.linkedin.com/in/gridsouth
850-932-5338 x6468