Shut the Front Door and the Back Door Too!
Transcription
Shut the Front Door and the Back Door Too!
Shut the Front Door and the Back Door Too! (How and Why Hackers Attack and What to Do About It) Jim Nitterauer Senior Systems Administrator A Little About Me • Senior Systems Administrator at AppRiver, LLC since 2006 • Is Responsible for global network deployment & security in 10 datacenters • Manages SecureTide global infrastructure • Filtering for more than 850,000 mailboxes • 600 plus servers • Manages SecureSurf global DNS infrastructure • Anycast DNS Security • 100 Plus servers • Founded Creative Data Concepts Limited, Inc. in 1994 • Founded GridSouth Networks, LLC in 2006 • President of Gulf Breeze Area Chamber of Commerce 2003 & 2004 • B.S Biology 1985 Ursinus College • M.S. Microbiology 1989 University of Alabama • Regular Black Hat and DEFCON attendee • Completed Sans 560 – Network Penetration Testing and Ethical Hacking Talk Overview • Review key security (data) breaches and network attacks that have occurred over the past 12 months (What Do Hackers Do?) • Discuss the major motivations driving these attacks (Why Do Malicious Hackers Hack?) • Outline the most common attack vectors in use (How Do Malicious Hackers Hack?) • What is FUD? • Learn how to uncover, mitigate and prevent common attacks (What Do I Do When Hackers Hack?) Recent Data Breach Summary • Timeline September 2013 – August 2014 – Total Reported Breaches – 259 – Total Identities Exposed – 598 million • Top Causes of Data Breaches – – – – Malicious Hackers – 53% Accidentally Made Public – 21% Theft or Loss of Computer or Drive – 20% Inside Theft – 6% Symantec Intelligence Report – August, 2014 Recent Data Breach Summary Symantec Intelligence Report – August, 2014 Recent Data Breach Timeline • Timeline September 2013 – August 2014 Symantec Intelligence Report – August, 2014 Recent Data Breach Top Ten Symantec Intelligence Report – August, 2014 Recent Data Breaches in the News http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ Recent Data Breaches in the News • EBay – Hackers obtain a small number of employee login credentials – Use that info to access database containing user records in late February and early March – Data copied and posted for sale • Home Depot – Malware installed on POS systems across 2,200 stores – Syphoned credit card details of up to 56 million customers – May be same Russian group that hit Target, Sally Beauty, P.F. Chang’s, Neiman Marcus and Michael’s Recent Data Breached in the News • Adventura Hospital (Florida) – 82,000 patients impacted by third data breach in two years – Latest began just one day after previous breach had ended and lasted two years • JPMorgan Chase & Company – Break-in acknowledged 9/20/2014 – Details not provided – No fraudulent use of compromised data detected • Apple iCloud – Celebrity accounts hacked due to a flaw in iCloud Web API – Compromising photos copied and made available publically Recent Network Attacks • Destiny and Call of Duty Servers – Used by PlayStation and Xbox – Hit with DDoS attack by Lizard Squad • Silk Road 2.0 – Hit by sophisticated DDoS Attack – 9/20/2014 – Last February lost $2.6 million in bitcoin due to attack • Codespaces – June 2014 - Amazon cloud account hacked – All virtual servers and backups deleted – Business closed on the day of the attack • Spamhaus – Hit with 300 Gbps DNS amplification attack The Face of Cybercrime Today “The Web has become the new threat vector of choice by hackers and cyber criminals to distribute malware and perpetrate identity theft, financial fraud and corporate espionage.” -- IDC Malware • What is Malware? – Software or code that is executed on a computer without the knowledge or consent of the operator – Designed to • Assess and exploit security vulnerabilities in systems • Provide remote command and control access to unauthorized parties (botnet participation) • Distribute confidential or personal information to unauthorized parties – Distributed by multiple vectors – May permanently damage data • Ex. Ransomware Malware Top Ten - Windows Symantec Intelligence Report – August, 2014 Malware Top Ten - Mac Symantec Intelligence Report – August, 2014 Malware – Ransomware Trends Symantec Intelligence Report – August, 2014 Malware – Activity by Source (Bots) Symantec Intelligence Report – August, 2014 Vulnerabilities • What are Vulnerabilities? – Any design or coding flaw that exposes data or systems to potential exploitation or results in unexpected behavior or performance – Also called an attack surface – Requires three elements for exploitation • A susceptible system • Attacker access to the flaw • Attacker capable of exploiting the flaw – Not all vulnerabilities pose same level of risk – A “Zero Day” vulnerability usually refers to a software flaw that is exposed and exploited before the vendor is aware of the issue and can release a fix Vulnerabilities – Zero Day • Most Recent Zero Day Exploits – Bash shell environment variable manipulation (Shellshock) – Open SSL Heartbleed private SSL certificate disclosure (Memory scraping) – Microsoft Internet Explorer Use-after Free flash exploit • Excellent Resource – http://blog.beyondtrust.com/zd_threat Vulnerability Disclosure Timeline Symantec Intelligence Report – August, 2014 Vulnerabilities – Zero Day Symantec Intelligence Report – August, 2014 Vulnerabilities - Browser Symantec Intelligence Report – August, 2014 Vulnerabilities – Plug-in Symantec Intelligence Report – August, 2014 Mobile Threats • Mobile Threats – Place personal mobile devices at risk by • • • • • • • Tracking user activity Stealing personal information Creating backdoors Reconfiguring device Displaying annoyances Redirecting content Spamming – Many mobile devices are connected to corporate resources including email services Mobile Threat Classifications Symantec Intelligence Report – August, 2014 Social Media • Social Media (Twitter, Facebook, etc.) – – – – – – Fake offerings Manual Sharing Life jacking Comment Jacking Fake Apps Misleading news stories or links • Ultimately leads to attempted malware infection or attempt to steal credentials Social Media Symantec Intelligence Report – August, 2014 Email – Phishing, SPAM and Viruses • Email trends – Phishing rate down in August from 1 in 1290 to 1 in 1587 email messages – Global SPAM rate for August was 62.6 percent meaning 62 out of 100 messages were SPAM • AppRiver’s SecureTide customers see SPAM rates closer to 87.7% • More U.S. based customers – more valuable targets – One out of every 270 contained a virus – 3.2% of all email contained a malicious URL • AppRiver’s customer base sees a higher percentage of emails with malicious URLs • More U.S. based customers – more valuable targets Email – Phishing Rates Symantec Intelligence Report – August, 2014 Email – Global SPAM Rates Symantec Intelligence Report – August, 2014 Email – Viruses Per Message Symantec Intelligence Report – August, 2014 Email – Viruses Per Message • What does antivirus software protect against? – On average, less than 1% of all threats are due to virus infiltration Email – Messages w/ Malware URL Symantec Intelligence Report – August, 2014 Malicious Hackers • What they are NOT . . . – Some teenager hacking a Web site for bragging rights – A Script Kiddie – White Hat vs. Black Hat Malicious Hackers • What they ARE . . . – Well-trained experts with a plethora of tools at their disposal – Sell themselves to the highest bidder – Work for or are part of sophisticated criminal enterprises – Members of global activist networks • • • • Anonymous Syrian Electronic Army LulzSec Others Malicious Hacker Motivations • Making social statements – Hacktivism – Bring down specific targets based upon political views • Theft – Stealing data that can be resold for profit • Personal info – Credit Cards – SSNs – Medical Records • Corporate info – Financial info – Trade Secrets – Espionage Malicious Hackers Target • Three Basic Targets – Revenue • • • • What can they steal that can be sold? Steal items that have cash value (Bank transfers, Bitcoin) Access bank accounts Steal intellectual property – Reputation • Defile your Web site and other public resources • Smear you reputation • Degrade service – Upset customers – Break SLAs – Result in revenue loss Malicious Hackers Target – Resources • Own your network, servers and workstations – Continuous data gathering – Access higher level computing resources and data • Use these resources to attack others – Botnet participation – Anonymous proxy Malicious Hackers • Use a combination of attack vectors – Often the most visible attack is NOT the real attack • DDoS to create panic • Physical compromise occurs during chaos – Vectors include • Physical attacks • Social engineering • Network attacks (local and hosted resources) – Wired – Wireless Common Attack Mechanisms • Overall Process – Seven stages • • • • • • • Recon Lure Redirect Exploit Place malicious code Call home Data Theft Common Attack Mechanisms – Process much like a structured penetration test except that hackers • • • • Are not limited by budget Are not limited by “Rules of Engagement” Are not motivated to play by the rules Are not easily caught and prosecuted Web Sense - The Seven Stages of Advanced Threats and Data Theft - 2012 Common Attack Mechanisms • Information gathering – Publically available info • • • • • • • • • Web sites (Maltego) Google, Bing, etc. (Search Diggity Suite) Facebook, Twitter, Instagram, LinkedIn Dumpster diving Web file (document) metadata (ExifTool, FOCA, others) Internet Registries (ARIN, Network Solutions, GoDaddy, etc.) DNS Tools (DNSstuff.com, dnstools.com, dig) Job Postings Links (BiLE – BiLateral Link Extractor) Common Attack Mechanisms • Information gathering (continued) – Social Engineering • • • • Phishing Phone scams Social media profile impersonation Physical entry (break-in or tailgating) – Wireless network exploitation • • • • Man in the middle attack Open or WEP Protected Wi-Fi connected to corporate LAN Wireless Redirection attack Bluetooth or RFID scanning Common Attack Mechanisms • Information gathering (continued) – Public network analysis • • • • • • • Network scanning (nmap, Zenmap, masscan) Packet sniffing (Wireshark, TCPdump) Vulnerability scans (Nessus, Qualis) Web site exploitation (BeEF, metasploit) DNS poisoning DNS zone transfers Google Dorks (http://www.exploit-db.com/google-dorks/) – Rouge device placement • Compromised USB keys (ex. USB Rubber Ducky) • Rogue Wi-Fi sniffer (ex. Wi-Fi Pineapple) • Raspberry Pi device Common Attack Mechanisms • Exploitation Attacks – DDoS (Distributed Denial of Service) • • • • • SYN floods NTP Amplification DNS Amplification UDP floods Pings floods – SQL Injection • Attacks Web site to reveal back-end database info – Structure – Actual data • Can lead to Web site defacement or data poisoning Common Attack Mechanisms • Exploitation Attacks (continued) – Brute Force password cracking • Somewhat limited but can still be done – Remote key logging – Cross Site Scripting • Hijack user browser sessions • Gather credentials or hack accounts – BGP Hijacking • ISP starts announcing BGP routes for IP blocks they do NOT own • Upstream ISP allows advertisement through filter • Causes traffic redirection to rouge end points Common Attack Mechanisms • Exploitation Attacks (continued) – Client Side Exploitation • • • • • Breaching network Pivoting to workstation Gather more info to access additional resources Steal confidential data Tools – Metasploit, Armitage – Cain, John the Ripper, THC Hydra, Ophcrack, RainbowCrack – Netcat, Scapy Common Attack Mechanisms • Exploitation Attacks (continued) – Wireless Exploitation • • • • • Man in the Middle attack Fake access points (Impersonation) Router hacking based on known exploits DoS w/ radio interference WEP or WPA password cracking – Packet sniffing • Read unencrypted credentials • Ex. Wall of Sheep at DEFCON – Internet of Things (IoT) Hacks • Household devices (thermostats, TVs, DVD players, etc.) Common Attack Mechanisms • Exploitation Attacks (continued) – Ex: DNS Amplification • Recursive DNS resolvers respond to spoofed IP with large amounts of data • ~500 byte request in with up to 4096 byte response out • 4096/500 = 8.192 x amplification • Hundreds or thousands of open DNS resolvers hit and respond to victim IP all at once • Some attacks can have an amplification factor of over 60 • 5 Mbps cable modem could generate an attack of 3 Gbps • Consider a botnet network with thousands of members acting all at once Common Attack Mechanisms • Exploitation Attacks (continued) – DNS Amplification Attack Diagram Common Attack Mechanisms – Tools • Tools – Pre-built Linux distributions • • • • • • • Kali Linux Backtrack Linux (Deprecated) Pentoo Node Zero BlackBox Blackbuntu Others – All are open source and basically free http://www.blackmoreops.com/2014/02/03/notable-penetration-test-linuxdistributions-of-2014/ Common Attack Mechanisms - Tools • Information gathering tools (continued) – These distros already have most of the tools used regularly for penetration testing – They are maintained by various organizations • Ex: Kali maintained by Offensive Security – Easily updatable using normal Linux update processes • apt-get • yum – Have a wealth of public instruction available Proliferation of FUD • What is FUD? – Fear, Uncertainty and Doubt – Marketing technique first used by IBM in 1970s – Examples • Microsoft – Windows vs. OS/2 & other flavors of DOS • SCO vs. IBM – Accused IBM of giving away SCO code • Apple – iPhone jail breaking could allow hackers to crash cell towers • Recent FUD in the news • • • • NBC story regarding device hacking at Sochi Death of Windows XP Y2K Doomsday predictions LinkedIn and Yahoo security breaches Proliferation of FUD • So What is Wrong with FUD? – – – – Distracts us from acting upon facts Harms our reputation as IT professionals Overuse by the media desensitizes people Causes mistrust and skepticism • Can FUD be beneficial? – Can, for the short term, motivate people to take action – As facts become clear, FUD should be dramatically reduced Detecting, Mitigating & Preventing Attacks • Detecting Attacks – First, know what is normal! – Log everything and analyze • • • • • Local syslog Windows event logs AD DNS Logging Kiwi, BRO, PRTG Elastic Search (ELK) – Monitor critical devices, services, files, interfaces, etc.. • PRTG or Nagios • Netflow • Monitor port on Internet port to router for sniffing, IDS Detecting, Mitigating & Preventing Attacks • Detecting Attacks (continued) – Configure alerting • For abnormal behavior (slower or faster than normal responses, file sizes, etc..) • For abnormal system and resource usage • Track over time • Analyze trends – Deploy Honeypots • Kfsensor, Honeyd, Honeybot, HoneyDrive • Use that data to understand how your network is… – being exploited or owned – being attacked in hopes of being owned Detecting, Mitigating & Preventing Attacks • Detecting Attacks (continued) – Employ deep packet inspection • Security Onion – – – – – – Linux distro Snort Snorby BRO ELSA TCP Replay • Network Security Toolkit – Remote monitoring • Network paths • DNS Detecting, Mitigating & Preventing Attacks • Mitigating Attacks – Understand the attack • What does the data reveal? – – – – – Malware DDoS Data breach Physical compromise Web site compromise • How critical is the incident? – Determine the source and scope • Packet captures (Wireshark or TCP Dump) • DNS logging on AD controller • Use TCP Replay to analyze the data (Security Onion) Detecting, Mitigating & Preventing Attacks • Mitigating Attacks (continued) – Take steps to block the current attack • • • • • Port block Rate limit traffic IP block Web fix Isolate infected PC or server – Once blocked, do post mortem • Plug holes • Change policies • Patch, etc. Detecting, Mitigating & Preventing Attacks • Preventing Attacks – Know that there is no one “Silver Bullet” • If a vendor says they have a device that will solve all your problems, quickly show them the door • Security is a multi-layered approach • Design security from the outside in and inside out – Web site • • • • • Tight coding Limit information disclosure Secure customer PII DO NOT host site internally Test with Web application vulnerability testers Detecting, Mitigating & Preventing Attacks • Preventing Attacks (continued) – Email Services • Deploy robust SPAM and Virus filtering – Ex. SecureTide – Be sure it is an OFF SITE (cloud) service • DO NOT Host email internally • Configure archiving if compliance requires • Use an email encryption service when sending sensitive data – Ex. CypherPost Pro • Be sure all connections use SSL or TLS – No transferring credentials in clear text – POP3 and IMAP have both encrypted and non-encrypted ports – Know the difference and use encryption Detecting, Mitigating & Preventing Attacks • Preventing Attacks (continued) – Internet Connection • • • • • • • Deploy a next generation firewall and lock it down Get an SLA from your provider Deploy honeypots Monitor as discussed earlier Deploy IDS / IPS in line Vulnerability Assessments Use BGP Blackholes (Bogons, Spamhaus DROP) – VPN (Remote User Access) • Use PPTP or IPSEC VPN for all remote client access • Use 2 factor authentication – RSA Key (rotating code + PIN) – AD Authentication Detecting, Mitigating & Preventing Attacks • Preventing Attacks (continued) – VPN (continued) • Log all connections – Look for connection patterns – Same user, multiple locations – Connection Frequency • Require VPN connections always – No connection to corporate network from home or open Wi-Fi – No connection to corporate network from shared computers – Wireless • • • • Separate guest access from corporate Wi-Fi No connection to corporate LAN on guest Wi-Fi Use WPA2 / AES as minimum encryption (NO WEP) Scan for rogue access points Detecting, Mitigating & Preventing Attacks • Preventing Attacks (continued) – Physical Access • Know your vendors and repair techs – Have access policies – Require pre-arranged appointments – Accompany visitors when possible • Limit physical access – Doors – Elevators (easily hacked even w/ access control) – Set up trap areas between elevators and office entrances • Deploy cameras • Do weekly walk-throughs – Data rooms, closets, etc. – Investigate suspect devices Detecting, Mitigating & Preventing Attacks • Preventing Attacks (continued) – Physical Access (continued) • • • • • • Validate door locking schedule Deploy swipe locks Require ID badges Review surveillance videos regularly Question all unfamiliar visitors Enforce a visitor policy – LAN Protection • Firewall • VLAN – Separate by need to access – Enforce with access lists on firewall Detecting, Mitigating & Preventing Attacks • Preventing Attacks (continued) – LAN Protection (continued) • Implement NAP (Network Access Protection) – Limit device connections – By MAC and compliance profile – Enforce policies • Test and implement hard drive encryption • Enforce USB device policy • Implement DNS Malware Filtering – SecureSurf – No “whitelisting” for known infected content • Implement Content Filtering – Adjust restrictions based upon user activity – Adjust per department Detecting, Mitigating & Preventing Attacks • Preventing Attacks (continued) – LAN Protection (continued) • Enforce a clear Acceptable Use Policy • Monitor DNS logs • Set robust password policies – Required length, characters – Refresh regularly – expiration policy • Follow OS best security practices • Be proactive and glaringly anal about updates and patches • Set strict BYOD policies – Phones – Tablets – Laptops Detecting, Mitigating & Preventing Attacks • Preventing Attacks (continued) – Hardware Retirement • Implement a device wiping policy • Contract with a shredding company to destroy all defunct hardware – Educate Users • • • • Users are your weakest link! Computer users should have a minimum competency level Must ALWAYS be aware of the potential dangers Discuss and enforce Social Networking practices – Etiquette – Acceptable Use Detecting, Mitigating & Preventing Attacks • Preventing Attacks (continued) – Educate Your IT Staff • • • • • Subscribe to reputable data feeds Podcasts Take online courses Make use of open source security tools Collaborate with peers – SANS – Securing the Human – Bottom line – KNOW YOUR ENEMY Wrap Up • Q &A • Contact Info Jim Nitterauer jnitterauer@appriver.com @jnitterauer http://www.linkedin.com/in/gridsouth 850-932-5338 x6468