Dan Guido SOURCE Boston 2011
1. The Exploit Intelligence Project
Dan Guido
SOURCE Boston, 04/20/2011
https://www.isecpartners.com
2. Intro and Agenda
- I work for iSEC Partners
  - NYC, Seattle, SF; specialize in Application Security
- I don't have a product to sell you
- Today, I'm going to be sharing data and my analysis of attacker capabilities and methods
- An informed defense is more effective and less costly
- EIP shows that intelligence-driven, threat-focused approaches to security are practical and effective
3. WARNING!
The commentary is really important for this talk.
If you're a reporter, please contact me and I'll be happy to provide that commentary for any section you're interested in: dguido@isecpartners.com
4. We Have An Analysis Problem
Or, you're counting the wrong beans!
5. Let's Talk About Vulnerabilities
Source: IBM X-Force 2010 Trend and Risk Report
10. Wheel of Vulnerability Fortune
Source: Secunia, The Security Exposure of Software Portfolios
11. Where or how were massively exploited vulnerabilities first discovered in 2010?
[Bar chart; y-axis: number of vulnerabilities (0 to 6); categories: Targeted Attacks, ZDI, Prominent Researcher, Personal Website, Known Behavior, Discovered by Malware]
12. Google Chrome is Insecure!
Source: Bit9 Research Report, Top Vulnerable Apps 2010
14. Are we doing something wrong?
Yes, you're doing it backwards!
15. We Have to Start at Attacks
1. Where do bad guys get their info from?
2. How do bad guys view the new vulns that come out?
3. How effective are my defenses against this attacker?
16. Maslow's Internet Threat Hierarchy
[Pyramid diagram; left axis: # of Attacks, right axis: Data Lost]
- APT: IP
- Targeted: $$$
- Mass Malware: Banking Credentials
18. Kill Chain Model
- Systematic model for evaluating intrusions
- Helps us objectively evaluate attacker capabilities
- Align defense to specific processes an attacker takes
- Typically used as a model to defend against APT
  - Evolves beyond response at point of compromise
  - Assumes unfixable vulnerabilities
- First described by Mike Cloppert
27. Process Overview
[Kill chain stages with the scale observed in mass malware operations]
- Recon: Millions of infected sites
- Weaponize: Thousands of vulnerabilities
- Delivery: Thousands of IPs
- Exploit: <100 exploits
- Install: Millions of malware samples
- C2: Thousands of IPs
- Actions: N/A
Callouts: "Existing defenses attack the most robust aspects of mass malware operations" and, next to the Exploit stage, "The last point that you have control of your data".
40. Java, Round Two
- 11-09: ZDI publishes 2nd batch of Java vulns
  - CVE-2009-3867
- 01-10: Three kits integrate 1st and 2nd vulns
  - CVE-2008-5353 and CVE-2009-3867
- 04-10: 3rd batch of researcher disclosures
  - CVE-2010-0886, CVE-2010-0840, CVE-2010-0842
- Back and forth between researchers/malware keeps interest in Java running high
41. From April 2010 onwards, new Java exploits are added to almost all popular exploit kits
42. Java Today
- Popularity
  - 11 out of 15 kits include at least one Java exploit (73%)
  - 7 out of 15 kits include more than one (46%)
- Where did this trend come from?
  - Who followed who? The malware or research community?
  - Why can we even compare these two groups together?
- What is next?
  - Java and Flash will continue to be a pain point
  - Quickest path to install malware in IE and Firefox
43. The New Trend: more exploits are being rapidly repurposed from targeted attack campaigns in 2010-2011
[Bar chart; y-axis: number of vulnerabilities (0 to 6); categories: Targeted Attacks, ZDI, Prominent Researcher, Personal Website, Known Behavior, Silent Patch]
45. Optimized Defense
- Jan 1, 2009: what can we put in place to mitigate all exploits for the next two years?
  - Restrictions: no patching allowed
- 2009 recap
  - Internet Explorer 7, Firefox 3.0
  - Adobe Reader 9
  - Java, Quicktime, Flash, Office 2007
  - Windows XP SP3
- Dataset represents 27 exploits
46. Slice and Dice
[Diagram: Memory Corruption (19) vs. Logic (8)]
Partition exploits based on mitigation options
47. 19 Memory Corruption Exploits
- 5 unique targets
  - IE, Flash, Reader, Java, Firefox, Opera
- Do I have my sysadmins adhere to patch schedules or have them test and enable DEP in four applications?
  - Patch schedules: Monthly, Quarterly, Ad-hoc
  - Two years: 60+ patches in these apps
- I choose Data Execution Prevention (DEP)
  - Good choice! It mitigates 14 exploits.
48. 8 Logic Flaws
- 4 unique targets
  - Java, Reader, IE, Firefox, FoxIt
- Do we have a business case to justify getting repeatedly compromised by mass malware?
  - No? Remove Java from the Internet Zone in IE
- Configure Reader to prompt on JS execution
  - "Disallow opening of non-PDF file attachments"
- This leaves two exploits, one in IE and one in FF
49. Most Severe Exploits 2009-2010
- IE Help Center XSS
- Firefox SessionStore
- Reader libTIFF
- Reader CoolType SING
- Flash (IE) newfunction
- Quicktime (IE) _Marshaled_pUnk
- Java getSoundBank
50. Enhanced Mitigation Experience Toolkit
- Microsoft utility that adds obstacles to exploitation
  - On XP: DEP, SEHOP, Null Page, Heap Spray, EAT filter
- Distributed as an MSI, controlled via CLI or Registry
- Apply it to one application at a time
  - Harden legacy applications
  - Temporary protections against known zero-day
  - Permanent protections against highly targeted apps
- http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Components-PostAttachments/00-03-35-03-78/Users-Guide.pdf
51. Most Severe Exploits 2009-2010
- IE Help Center XSS
- Firefox SessionStore
Callout: The Firefox exploit is only in one kit. We can make an informed decision about the amount of risk we are assuming.
52. Intelligence-Driven Mitigations
- Easy mitigations (22 out of 27 exploits)
  - DEP on IE, Firefox, and Reader
  - No Java in the Internet Zone
  - Disallow opening of non-PDF file attachments
- Hard mitigations (all the rest)
  - EMET on IE and Reader, the two most attacked apps
  - Upgrade to IE8 for that pesky Help Center XSS
  - Disallow Firefox, patch it, or accept the risk
- Extremely limited susceptibility going forward
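The partition-and-cover exercise of slides 46 through 52 (split the exploit inventory by mitigation class, then count what each control removes), as an added worked example that is not part of the talk. The inventory below is a constructed, hypothetical sample, not the talk's 27-exploit dataset, and the bypass/feature attributes are invented for illustration.

```python
"""Score candidate mitigations against an exploit inventory (constructed data)."""
from collections import Counter
from dataclasses import dataclass

# Controls that stop memory corruption exploits unless the exploit bypasses them
MEMORY_CONTROLS = {"DEP", "EMET"}


@dataclass(frozen=True)
class Exploit:
    name: str
    target: str                        # application the exploit attacks
    kind: str                          # "memory_corruption" or "logic"
    bypasses: frozenset = frozenset()  # memory controls this exploit defeats
    requires: frozenset = frozenset()  # feature a logic flaw depends on


# Constructed sample inventory; names are hypothetical, attributes invented
EXPLOITS = [
    Exploit("ie_heap_bug", "IE", "memory_corruption"),
    Exploit("flash_newfunction", "Flash", "memory_corruption", bypasses=frozenset({"DEP"})),
    Exploit("reader_libtiff", "Reader", "memory_corruption"),
    Exploit("java_getsoundbank", "Java", "memory_corruption"),
    Exploit("java_applet_logic", "Java", "logic", requires=frozenset({"java_internet_zone"})),
    Exploit("reader_launch_action", "Reader", "logic", requires=frozenset({"pdf_attachments"})),
    Exploit("ie_help_center_xss", "IE", "logic"),
]


def partition(exploits):
    """Slide 46: group the inventory by the class of mitigation that applies."""
    groups = {}
    for e in exploits:
        groups.setdefault(e.kind, []).append(e)
    return groups


def mitigated_by(exploit, control):
    """A memory-protection control covers memory corruption unless the exploit is
    known to bypass it; removing a feature covers logic flaws that need it."""
    if exploit.kind == "memory_corruption":
        return control in MEMORY_CONTROLS and control not in exploit.bypasses
    return control in exploit.requires


def rank_controls(exploits, candidates):
    """Rank candidate controls by how many of the given exploits each removes."""
    return Counter({c: sum(mitigated_by(e, c) for e in exploits)
                    for c in candidates}).most_common()


def coverage_summary(exploits, controls):
    """Return (mitigated, total, names still live) after deploying `controls`."""
    live = [e for e in exploits if not any(mitigated_by(e, c) for c in controls)]
    return len(exploits) - len(live), len(exploits), sorted(e.name for e in live)
```

Adding EMET to the easy set in `coverage_summary` shows the "hard mitigation" step: the DEP-bypassing Flash exploit drops out and only the logic flaw with no feature to remove remains.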
53. Taking It Further
- Mass malware exploits are:
  1. Result of users browsing internet sites
  2. Shortest path to install malware w/ a single exploit
[Diagram of paths from Malicious HTML to Install SpyEye: via Google Chrome requires a DEP Bypass and a Sandbox Escape; via IE8 requires a DEP Bypass; via IE7, plugins (Java, Flash, etc.) goes straight to install]
Source: DDZ, Memory Corruption, Exploitation and You
55. Google Chrome Frame
- Internet sites standardized around HTML/JS
  - This is why you don't need IE6 or IE7 at home
- For internet sites, add HTTP header w/ Bluecoat
  - Browser is sandboxed
  - Uses auto-updated Google version of Flash
  - No other plugins are loaded
- Maintain whitelist of internet sites that need IE
  - Typically, established vendor relationships
- All intranet websites will load with IE as usual
- Seamless to the user, mitigates all exploits in use
56. Maslow's Internet Threat Hierarchy
[Pyramid diagram; left axis: # of Attacks, right axis: Data Lost]
- APT: IP
- Targeted: $$$
- Mass Malware: Banking Credentials
Callout: Now you're ready to defend against more advanced attackers
57. Intelligence-Driven Conclusions
- Don't wait to act with Flash and Java
- Pay attention to targeted attack disclosures in 2011
- Force malware authors to use multiple exploits
  - Seriously consider Google Chrome Frame
- Are your consultants/MSSPs/scanners evaluating vulnerabilities the same way that attackers are?
- Intelligence-Driven Response
  - Informed defense is more effective and less costly
  - Threat-focused security is practical
  - Attack data is necessary to adequately model your risk
58. Thanks
- Rcecoder, Mila Parkour, Francois Paget, Adam Meyers
  - Exploit Pack Table on Contagio Dump & Exploit Kit Source
- Mike Cloppert and Dino Dai Zovi
  - Inspiration, ideas, and encouragement
- Chris Clark
  - Getting started with the research process at iSEC
- John Matherly
  - Creating SHODAN and fixing my bugs
- Dean De Beer
  - ThreatGRID data, screenshots, and background material
59. References and Q&A
- Updates with more data at SummerCon, 6/10
- Related Presentations (online)
  - Memory Corruption, Exploitation, and You (DDZ)
  - Intelligence-Driven Response to APT (M. Cloppert)
  - Any Mandiant Presentation
- Related Presentations (at SOURCE)
  - 2011 Verizon Data Breach Report, Hutton
  - Fuel for Pwnage, Diaz and Mieres
  - Dino Dai Zovi Keynote
- dguido@isecpartners.com
61. Frequently Asked Question #1
- Q: What do you think about network detections?
- A: Apply the same analysis process (kill chain) to the adversary you care about and determine major source of overlaps in intrusions. You may find better indicators than simply IP addresses.
  - i.e., "Hey, all the malicious domains attacking me are registered with the same whois data."
  - or, "All the domains that compromise me have low TTL values in common."
  - See some of Mike Cloppert's writings
  - See ThreatGRID when it comes out
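The overlap hunt described in this answer (shared whois data, low TTLs across the domains seen in intrusions), as an added example that is not part of the talk. The records are constructed sample data using reserved .test names, not real indicators; the field names and thresholds are assumptions.

```python
"""Find cross-intrusion overlaps that beat bare IP indicators (constructed data)."""
from collections import defaultdict

# Constructed: one record per malicious domain observed, with whois and DNS data
INTRUSIONS = [
    {"domain": "kit-a1.test", "registrant": "reg-a@mail.test", "registrar": "Registrar A", "ttl": 120},
    {"domain": "kit-a2.test", "registrant": "reg-a@mail.test", "registrar": "Registrar A", "ttl": 60},
    {"domain": "kit-a3.test", "registrant": "reg-a@mail.test", "registrar": "Registrar B", "ttl": 300},
    {"domain": "unrelated.test", "registrant": "reg-z@mail.test", "registrar": "Registrar C", "ttl": 86400},
]


def shared_values(records, fields, min_domains=2):
    """For each whois field, the values seen on at least `min_domains` distinct
    domains, mapped to the sorted list of domains that share them."""
    index = {f: defaultdict(set) for f in fields}
    for r in records:
        for f in fields:
            index[f][r[f]].add(r["domain"])
    return {f: {v: sorted(d) for v, d in vals.items() if len(d) >= min_domains}
            for f, vals in index.items()}


def low_ttl_domains(records, max_ttl=300):
    """Domains whose record TTL is at or below `max_ttl` seconds (assumed
    threshold); rapidly rotated infrastructure tends to cluster here."""
    return sorted(r["domain"] for r in records if r["ttl"] <= max_ttl)


def candidate_indicators(records):
    """Turn the overlaps into plain-language detection rules for review."""
    rules = []
    for field, vals in shared_values(records, ["registrant", "registrar"]).items():
        for value, domains in vals.items():
            rules.append(f"alert on new domains with {field}={value!r} "
                         f"({len(domains)} prior: {', '.join(domains)})")
    lows = low_ttl_domains(records)
    if lows:
        rules.append(f"alert on resolutions with TTL<=300s ({len(lows)} prior domains)")
    return rules
```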
62. Frequently Asked Question #2
- Q: How can we keep up with this data? You did a point in time assessment, but I want this going forward.
- A: This analysis process and data should be picked up by the security industry and used effectively. AV companies have been doing you a disservice by not doing this in the past. They should start now.
63. Frequently Asked Question #3
- Q: Aren't you cheating by saying we should use EMET to mitigate past exploits?
- A:
  - If we were smart enough to enable mitigations like DEP, we would have had a solid 1.5 years where we weren't affected by mass malware mem corruption exploits at all, buying us a huge amount of time to investigate other mitigation techniques.
  - The exploits that EMET was needed for came after the tool was released in Oct 2009. If you had someone performing this analysis, you could have observed the exploits that bypassed DEP and responded the same way I did. Intelligence gathering is not a static process; we have to continue collecting and responding to new information.
  - There are more ways to use this intelligence. For instance, since we know that Flash and targeted attacks are so rapidly incorporated into mass exploitation campaigns, we would have known on April 11th that CVE-2011-0611 would be a significant issue. The patch came out on April 15th, but I doubt many orgs patched over the weekend or enabled other mitigating options before it was massively exploited on April 18th. With this data in hand, they would have realized the seriousness of the original event on the 11th.
64. Frequently Asked Question #4
- Q: Future analysis?
- A:
  - How [exactly] do researcher disclosures correlate with massive exploitation?
  - Are the number of bugs exploited as zero-day increasing? Why?
  - Do researchers follow zero-day disclosure trends or vice-versa?
  - Exactly how much exploit code is modified from public PoCs before being integrated into a kit?
  - Expect new results some time in June