Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

When it comes to malware we usually think of workstations and laptops because they are the systems rubbing shoulders with the unwashed masses on the Internet. They are the systems in the hands of clueless end-users (aka “losers” by some of my less reverent colleagues). They are the systems running applications that download, parse and process file formats targeted by attackers such as Office documents, PDFs and image files.

Conventional wisdom says, on the other hand, that servers are much more isolated from the Internet. Servers are also in the hands of security-conscious IT pros who refrain from dangerous activities like web browsing, file downloads or opening email. And servers don’t have dangerous applications like Office, Adobe Reader, Flash and other workstation applications installed.

But conventional wisdom isn’t accurate. Download this presentation to learn the 4 reasons Randy Franklin Smith from UltimateWindowsSecurity gives for saying so:

  • My own findings in recent IT audit engagements
  • A recent study about DNSChanger
  • An underground service that sells RDP access to Fortune 500 computers
  • The infamous lab system

Bot herders love servers because of their high computing power, connectivity and long-term availability.

Attackers running APT attacks typically target workstations initially but then attempt to move horizontally through the network from one user and/or system to another until they reach their end target: usually a sensitive information cache on a server. This is true in highly publicized attacks like the one a while back on RSA SecurID and, more recently, on Adobe’s code signing server.

Learn how application control is an important defense-in-depth measure that can provide detection and prevention of late-stage APT attacks. Lumension will talk briefly about how their endpoint security suite addresses these risks.

Transcript

  • 1. Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers. © 2012 Monterey Technology Group Inc.
  • 2. Brought to you by www.lumension.com. Speaker: Chris Merritt
  • 3. Preview of Key Points
    • Malware isn’t just a workstation problem
    • The facts
    • Protecting servers with defense-in-depth
  • 4. Malware isn’t just a Workstation Problem
    • My own findings in recent IT audit engagements
    • A recent study about DNSChanger
    • An underground service that sells RDP access to Fortune 500 computers
  • 5. My own findings in recent IT audit engagements
    • Finding servers with “workstation” software: Acrobat, Flash, Adobe Air, Office, Babylon
  • 6. My own findings in recent IT audit engagements
    • Finding servers with “workstation” software
    • Lab systems
    • Development environments
    • Un-firewalled systems on internal network
  • 7. A recent study about DNSChanger
    • Krebs on Security, http://tinyurl.com/d45q9hj: “More than two months after authorities shut down a massive Internet traffic hijacking scheme, the malicious software that powered the criminal network is still running on computers at half of the Fortune 500 companies, and … at nearly 50 percent of all federal government agencies, new research shows.”
    • This included servers
  • 8. An underground service that sells RDP access to Fortune 500 computers
    • “Service Sells Access to Fortune 500 Firms” by Brian Krebs (http://krebsonsecurity.com/2012/10/service-sells-access-to-fortune-500-firms/)
    • “Russians selling access to private company servers in just $4” by Mohit Kumar (http://thehackernews.com/2012/10/russians-selling-access-to-private.html)
  • 9. Fact
    • Malware isn’t just a workstation problem
    • Additional layers of defense are needed beyond just AV
  • 10. Protecting Servers with Defense-in-Depth
  • 11. Written policy
    • Acceptable reasons to logon interactively
    • Prohibited activities:
      • Browsing internet
      • Downloading files
      • Opening files from Internet except software vetted for that server
      • Installing any software except necessary for server’s role
  • 12. Use of jump boxes
    • Reduce # of systems that anyone logs onto interactively
    • Set up “jump boxes”: Terminal Services, all MMC snap-ins
    • Restrict “Logon via remote desktop” user right
    • Firewall
    • Alert on interactive logons: Event ID 4624 with Logon type 10 or 2
  • 13. Monitoring
    • New service: Event ID 4697
    • New process: Event ID 4688
    • Take into account maintenance windows
  • 14. Attack surface
    • Vulnerability scan
    • Any unnecessary features installed/activated?
    • Unnecessary apps
    • Firewall rules
  • 15. Centralized patch management
    • 2 high-profile software vendors’ automatic update infrastructures compromised: Microsoft, Adobe
    • Don’t allow any systems, especially servers, to automatically install software that appears to have come from the vendor
    • Control what goes on your systems
  • 16. Application inventory
    • Find out what is running on your servers
    • Lumension free application scanner
    • Query security log for new process events and normalize (Log Parser; the pipe delimiter must be quoted, and token 5 of the Strings field of a 4688 event is the new process name):
      logparser "SELECT DISTINCT EXTRACT_TOKEN(Strings, 5, '|') INTO progs.txt FROM security WHERE EventID=4688" -i:EVT -o:TSV
    • Important part of attack surface reduction
  • 17. Application control
    • Take centralized control of what runs on your servers
    • Application whitelisting is the single most direct and effective way to keep unwanted software off trusted systems
    • Especially effective against lateral movement: end-user workstation -> admin -> server
    • Even more so on systems where the preceding measures cannot be fully implemented
  • 18. Application control
    • AppLocker only appropriate for large fleets of 100% identical systems
    • Most workstations don’t fit that profile
    • Definitely not servers
    • Intelligent whitelisting much different than traditional whitelisting like AppLocker
  • 19. Brought to you by www.lumension.com. Speaker: Chris Merritt
  • 20. Defense-in-Depth Security Keeps Bot Herders Off Your Servers. Chris Merritt, Director of Solution Marketing, Lumension. Image source: http://commons.wikimedia.org/wiki/File:Botnet.svg
  • 21. Defense-in-Depth Against Server Threats (coverage matrix). Threat columns: Known Malware | Unknown Malware | Unwanted, Unlicensed, Unsupported Applications | Application Vulns | Config. Vulns | Physical Infiltration. The transcript preserves only each row’s marks, not which columns they fall in:
    • AntiVirus: X X
    • Application Control: X X X
    • Patch & Remediation: X X
    • Security Configuration Management: X
    • Device Control: X
  • 22. Lumension® Endpoint Management and Security Suite: Total Endpoint Protection
    • Endpoint Operations: Lumension® Patch and Remediation, Lumension® Content Wizard, Lumension® Configuration Mgmt., Lumension® Power Management
    • Endpoint Security: Lumension® AntiVirus, Lumension® Application Control, Lumension® Device Control, Lumension® Disk Encryption
    • Endpoint Reporting Services
    • Lumension® Endpoint Management Platform: Single Server | Single Console | Scalable Architecture | Single, Modular Agent
  • 23. Lumension® Endpoint Management and Security Suite: Total Endpoint Protection for Servers
    • Server Operations: Lumension® Patch and Remediation, Lumension® Content Wizard, Lumension® Configuration Mgmt.
    • Server Security: Lumension® AntiVirus, Lumension® Application Control, Lumension® Device Control
    • Server Reporting Services
    • Lumension® Endpoint Management Platform: Single Server | Single Console | Scalable Architecture | Single, Modular Agent
  • 24. Lumension® Patch and Remediation: Comprehensive and Secure Patch Management (Endpoint Operations)
    • Provides rapid, accurate and secure patch and configuration management for applications and operating systems:
      • Comprehensive support for multiple OS types (Windows, *nix, Apple), native applications, and 3rd party applications
      • Streamline and centralize management of heterogeneous environments
      • Visibility and control of all online or offline endpoints
      • Elevate security posture and proactively reduce risk
      • Save time and cost through automation
  • 25. Lumension® Content Wizard: Cost-Effectively Streamline Endpoint Management (Endpoint Operations)
    • Simple, wizard-based policy creation and baseline enforcement, without additional tools:
      • Patch Creation
      • Software Installs and Uninstalls
      • Windows Security Policies
      • Power Management Policies
      • NEW! Windows Firewall Policies
  • 26. Lumension® Security Configuration Mgmt.: Prevent Configuration Drift and Ensure Policy Compliance (Endpoint Operations)
    • Ensure that endpoint operating systems and applications are securely configured and in compliance with industry best practices and regulatory standards:
      • Security Configuration Management
      • Out-of-the-box Checklist Templates
      • NIST Validated Solution
      • Continuous Policy Assessment and Enforcement
      • Based on Open Standards for Easy Customization
      • Security Configuration and Posture Reporting
  • 27. Lumension® AntiVirus: Multilayered Protection Against Malware (Endpoint Security)
    • Based on proven technology from an industry leader providing complete protection against known and unknown malware including viruses, worms, Trojans, spyware, adware and more
    • Includes a breadth of analysis techniques from traditional signature matching to behavioral analysis to effectively protect against zero-day and evolving threats:
      • Antivirus (AV) protection (full signature matching)
      • DNA Matching (partial signature matching)
      • SandBox (behavioral analysis in an emulated environment)
      • Exploit Detection (find hidden/embedded malware)
    • VB100 certified by Virus Bulletin
  • 28. Lumension® Application Control: Proactive Protection Against Malware and More (Endpoint Security)
    • Effective Endpoint Security: Block known and unknown malware without signatures, and prevent exploitation of application / configuration vulnerabilities
    • Control the Unwanted: Real-time view of all application inventory, ensuring only approved software is allowed to run, and denying / removing all unwanted applications
    • Control the Unknown: Enforce, log and audit all endpoint application change while controlling end-users with Local Admin rights
    • Flexible and Easy-To-Use: Unified solution workflow via single console with flexible trusted change management policy
  • 29. Lumension® Device Control: Policy-Based Data Protection and Encryption (Endpoint Security)
    • Protect Data from Loss or Theft: Centrally enforce usage policies of all endpoint ports and for all removable devices / media
    • Increase Data Security: Define forced encryption policy for data flows onto removable devices / media. Flexible exception management
    • Improve Compliance: Centrally encrypt removable devices / media to ensure data cannot be accessed if they are lost or stolen
    • Continuous Audit Readiness: Monitor all device usage and data transfers. Track all transferred files and content. Report on all data policy compliance and violations
  • 30. Next Steps
    • Free Tools: http://www.lumension.com/Resources/Premium-Security-Tools.aspx
      • Application Scanner – see what applications are running on your servers
      • Device Scanner – see what removable devices are being used
      • Vulnerability Scanner – see what your OS / application risks are
    • Whitepapers: Endpoint Management and Security Buyers Guide, http://www.lumension.com/Resources/WhitePapers/Endpoint-Management-and-Security-Buyers-Guide.aspx
    • Free Evaluation: http://www.lumension.com/endpoint-management-security-suite/free-trial.aspx
  • 31. Global Headquarters: 8660 East Hartford Drive, Suite 300, Scottsdale, AZ 85255. 1.888.725.7828, info@lumension.com
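The monitoring, inventory and allowlisting steps on slides 12, 13, 16 and 17 of the transcript, worked through in code. This is an added example and is not part of the presentation or of any Lumension product: it does not read the Windows event log itself (that is what the slide's Log Parser query or a Get-WinEvent call would do) but operates on already-exported records. The event IDs and logon types are the ones the slides cite; the sample records, their simplified field names (`LogonType`, `ServiceFileName`, `NewProcessName`), the server name and the 02:00 to 04:00 maintenance window are all constructed assumptions.

```python
"""Added example (not from the slides or from Lumension): server-side
monitoring and inventory over Windows Security log events, following
slides 12, 13, 16 and 17. Event IDs and logon types are the ones the
slides cite (4624 type 2/10, 4697, 4688); the records below are
constructed samples with simplified field names, and the maintenance
window is an assumption."""
from datetime import datetime, time

# Constructed sample events for one server. In a real 4688 event the
# executable is insertion string 5 of the Strings field, which is what the
# slide's logparser query extracts; here it is already split out.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2012-10-05T09:12:00", "Computer": "FILESRV01",
     "LogonType": 10, "TargetUserName": "jdoe"},        # RDP logon
    {"EventID": 4624, "Time": "2012-10-05T09:13:00", "Computer": "FILESRV01",
     "LogonType": 3, "TargetUserName": "svc_backup"},   # network logon, normal for a file server
    {"EventID": 4624, "Time": "2012-10-05T02:10:00", "Computer": "FILESRV01",
     "LogonType": 2, "TargetUserName": "admin"},        # console logon during maintenance
    {"EventID": 4697, "Time": "2012-10-05T09:14:00", "Computer": "FILESRV01",
     "ServiceName": "WinUpdSvc",
     "ServiceFileName": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe"},
    {"EventID": 4697, "Time": "2012-10-05T02:15:00", "Computer": "FILESRV01",
     "ServiceName": "BackupAgent",
     "ServiceFileName": "C:\\Program Files\\Backup\\agent.exe"},
    {"EventID": 4688, "Time": "2012-10-05T09:00:00", "Computer": "FILESRV01",
     "NewProcessName": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 4688, "Time": "2012-10-05T09:01:00", "Computer": "FILESRV01",
     "NewProcessName": "c:\\windows\\system32\\SVCHOST.EXE"},   # same binary, different case
    {"EventID": 4688, "Time": "2012-10-05T02:16:00", "Computer": "FILESRV01",
     "NewProcessName": "C:\\Program Files\\Backup\\agent.exe"},
    {"EventID": 4688, "Time": "2012-10-05T09:15:00", "Computer": "FILESRV01",
     "NewProcessName": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe"},
]

# Logon types slide 12 says to alert on: 2 = console, 10 = RemoteInteractive (RDP).
INTERACTIVE_LOGON_TYPES = {2, 10}

# Assumed nightly maintenance window (local time); change events inside it
# are expected and are not alerted on (slide 13).
MAINTENANCE_WINDOW = (time(2, 0), time(4, 0))


def in_maintenance_window(timestamp: str) -> bool:
    t = datetime.fromisoformat(timestamp).time()
    return MAINTENANCE_WINDOW[0] <= t < MAINTENANCE_WINDOW[1]


def normalize_path(path: str) -> str:
    """Case-fold so the two svchost spellings above count as one program."""
    return path.lower()


def interactive_logon_alerts(events):
    """Slide 12: once jump boxes are in place, every interactive logon on a
    server is worth an alert, inside or outside the maintenance window."""
    return [(e["Computer"], e["TargetUserName"], e["LogonType"])
            for e in events
            if e["EventID"] == 4624 and e["LogonType"] in INTERACTIVE_LOGON_TYPES]


def new_service_alerts(events):
    """Slide 13: new service installs (4697) outside the maintenance window."""
    return [(e["ServiceName"], e["ServiceFileName"])
            for e in events
            if e["EventID"] == 4697 and not in_maintenance_window(e["Time"])]


def process_inventory(events):
    """Slide 16: distinct, normalized list of executables seen in 4688 events,
    the same result the slide's 'SELECT DISTINCT' Log Parser query produces."""
    return sorted({normalize_path(e["NewProcessName"])
                   for e in events if e["EventID"] == 4688})


def unapproved_process_alerts(events, allowlist):
    """Slide 17: treat the vetted inventory as an allowlist and flag any
    process start outside it (and outside the maintenance window)."""
    allowed = {normalize_path(p) for p in allowlist}
    return [(e["Time"], e["NewProcessName"])
            for e in events
            if e["EventID"] == 4688
            and normalize_path(e["NewProcessName"]) not in allowed
            and not in_maintenance_window(e["Time"])]


if __name__ == "__main__":
    print("interactive logons:", interactive_logon_alerts(SAMPLE_EVENTS))
    print("new services:", new_service_alerts(SAMPLE_EVENTS))
    print("inventory:", process_inventory(SAMPLE_EVENTS))
    vetted = ["C:\\Windows\\System32\\svchost.exe",
              "C:\\Program Files\\Backup\\agent.exe"]
    print("unapproved:", unapproved_process_alerts(SAMPLE_EVENTS, vetted))
```

On the sample data the RDP logon and the console logon both surface, the network logon does not; the service registered from a user's Temp directory during business hours is flagged while the backup agent installed in the maintenance window is not; the inventory collapses the two svchost spellings into one entry; and once that vetted inventory is used as the allowlist, the only process start flagged is the Temp-directory binary, which is exactly the workstation-to-admin-to-server path the slides describe.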