Trends in Network Security - Feinstein - Informatica64

  • Notes
  • Harvey Mudd College, Claremont, California USA. Co-op with Aerospace Corporation, El Segundo, California USA (2000), a Federally Funded Research & Development Corporation (FFRDC) that supports national security, civil and commercial space programs. Graduate of FBI Citizens’ Academy.
  • ARPA renamed to DARPA in March 1972; renamed ARPA again in February 1993; renamed DARPA again in March 1996.
  • Hawala – today, “probably used mostly for migrant workers’ remittances to their countries of origin”. Chart source: International Monetary Fund. Pony Express – 1860-1861; 2,000 miles from Missouri to Sacramento, California; 190 stations spaced at roughly 10 mile intervals (about the maximum distance a horse could run at full gallop). Riders carried along a mochila and changed horses at each station. Replaced by the telegraph.
  • Avprofit says it will pay affiliates roughly $1,000 for every 1,000 times they distribute this installer program, or about $1 per install.
  • Krebs on Security blog, written by Brian Krebs, formerly of the Washington Post, where he wrote the Security Fix blog. “Computer Crooks Steal $100,000 from Ill. Town”, 2010-04-06; “Online Thieves Take $205,000 Bite Out of Missouri Dental Practice”, 2010-03-30; “Organized Crooks Hit NJ Town, Ark. Utility”, 2010-03-22
  • Avalanche is a fast-flux hosting network similar to Asprox
  • Reported in the October 2009 CTU Threat Intelligence webinar
  • Reported in the October 2009 CTU Threat Intelligence webinar
  • Transcript

    • 1. Trends in Network Security Ben Feinstein, CISSP GCFA Director of Research SecureWorks Counter Threat Unit℠
      • Friday, April 23rd, 2010, Informática64, Móstoles, Spain
    • 2. Introduction
    • 3. Who Am I?
      • Native of Atlanta, Georgia USA
      • 12 years old, dial-up UNIX shell, telnetting around the world
      • Professional software developer as a teenager
      • Bachelor of Science in Computer Science (c. Economics), 2001
        • Harvey Mudd College, Claremont, California USA
      • Author of RFC 4765 and RFC 4767
      • Software Engineer at a series of security start-ups, 2001 – 2006
      • Joined SecureWorks in 2006
      • Certified Information Systems Security Professional (CISSP)
      • SANS Global Information Assurance Certified Forensics Analyst (GCFA)
    • 4. Who is SecureWorks?
      • Market leading provider of information security services
        • Managed Security Services Provider (MSSP)
        • Security and Risk Consulting (SRC)
      • Over 2,700 clients worldwide, including more than 10% of Fortune 500
      • Suite of managed information and network security services
        • Security Information Management (SIM) On Demand
        • Log Monitoring
        • Intrusion Prevention Systems (IPS) / Intrusion Detection Systems (IDS)
        • Threat Intelligence
        • Firewall
        • Host IPS
        • Vulnerability Scanning
        • Web Application Scanning
        • Log Retention
        • Encrypted Email
    • 5. Agenda
    • 6. Agenda
      • Computer Networks
      • Vulnerability Trends of 2009
      • Malware Trends of 2009
      • Information Disclosure
      • Aurora
      • Other Trends
      • The New .CN
      • Mariposa / ButterflyBot
      • Conclusion
      • Q & A
    • 7. From Mainframes to Today’s Internet
    • 8. The Development of Computer Networks
      • Advanced Research Projects Agency (ARPA)
        • Established in 1958 after Soviet launch of Sputnik satellite in 1957
        • Later renamed the Defense Advanced Research Projects Agency (DARPA)
        • Directly manages a $3.2B budget
      • ARPANET developed by ARPA for US Department of Defense (DoD)
        • Development work began in 1969
    • 9. Decentralization of Computing Power
      • Mainframes gave way to Personal Computers (PCs)
      • Development of Local Area Networks (LANs)
      • Dial-up Internet
      • Broadband Internet
    • 10. ARPANET, circa March 1977
    • 11. Map of Internet Routers (2005), Opte Project
    • 12. Map of Online Communities, xkcd #256, Spring 2007
    • 13. Some (Much) Older Networks to Remember
      • Hawala
      • Pony Express
      • Source: International Monetary Fund
    • 14. Network Security
    • 15. The Network as an Attack Surface
      • Concept of Threat Modeling
      • Concept of an Attack Surface
      • Local Attacks vs. Remote Attacks
      • Common Vulnerability Scoring System (CVSS) version 2
        • Exploitability metrics
        • Access Vector: Local, Adjacent Network, Network
      • Widespread adoption of Firewalls
      • Widespread adoption of the Web
      • Web 2.0
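The slide names CVSS v2 and its Access Vector metric as the way to express the local-versus-remote distinction. The following is an added example, not code from the deck or from SecureWorks: it implements the published CVSS v2.0 base-score equations and scores one set of impact metrics under each Access Vector value, so the effect of "Local" versus "Network" on the final number can be seen directly. The vector strings and the weights are those of the CVSS v2.0 specification; nothing else is assumed.

```python
# Added example for the CVSS v2 "Access Vector" point above; not from the slides.
# Implements the CVSS v2.0 base-score equations so that the same vulnerability can be
# scored as Local, Adjacent Network and Network and the results compared.
import re

# Metric weights from the CVSS v2.0 specification
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}       # Local / Adjacent Network / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}    # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}      # Multiple / Single / None
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}        # None / Partial / Complete

VECTOR_RE = re.compile(
    r"^AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])$")


def parse_vector(vector):
    """Split a CVSS v2 base vector string into its six metric values."""
    m = VECTOR_RE.match(vector)
    if not m:
        raise ValueError("not a CVSS v2 base vector: %r" % (vector,))
    return m.groups()


def round_to_1_decimal(x):
    """CVSS rounds half away from zero; Python's round() uses banker's rounding."""
    return int(x * 10 + 0.5) / 10.0


def exploitability(vector):
    """Exploitability subscore: 20 * AccessVector * AccessComplexity * Authentication."""
    av, ac, au, _, _, _ = parse_vector(vector)
    return 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]


def impact(vector):
    """Impact subscore: 10.41 * (1 - (1-C) * (1-I) * (1-A))."""
    _, _, _, c, i, a = parse_vector(vector)
    return 10.41 * (1 - (1 - IMPACT_WEIGHT[c]) * (1 - IMPACT_WEIGHT[i]) * (1 - IMPACT_WEIGHT[a]))


def base_score(vector):
    """Base score = ((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact)."""
    imp = impact(vector)
    f_impact = 0.0 if imp == 0 else 1.176
    return round_to_1_decimal(((0.6 * imp) + (0.4 * exploitability(vector)) - 1.5) * f_impact)


def by_access_vector(rest_of_vector):
    """Score the same AC/Au/C/I/A metrics under each Access Vector value.

    rest_of_vector is everything after the AV component, e.g. "AC:L/Au:N/C:C/I:C/A:C".
    """
    return {av: base_score("AV:%s/%s" % (av, rest_of_vector)) for av in ("L", "A", "N")}


if __name__ == "__main__":
    for av, score in by_access_vector("AC:L/Au:N/C:C/I:C/A:C").items():
        print("AV:%s -> base score %.1f" % (av, score))
```

For a full-compromise vulnerability (C:C/I:C/A:C, low complexity, no authentication) the Access Vector alone moves the base score from 7.2 (Local) through 8.3 (Adjacent Network) to 10.0 (Network), which is the numerical form of the slide's point that the network is the attack surface that matters most.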
    • 16. Vulnerability Trends of 2009
    • 17. 2009 Vulnerability Trends
      • Vulnerabilities disclosed for document readers and editors soared.
        • Office documents including spreadsheets and presentations
        • Portable Document Format (PDF) documents – the dubious champ
        • Favorite vector of “Spear Phishers”, including “Operation Aurora”
      • The appearance of new malicious Web links has skyrocketed globally in the past year.
        • Phishing, Malvertisements, Fake-AV, etc.
        • A large number of sophisticated web-attack toolkits are available for sale.
        • CSS and SQLi attacks primarily used to redirect web-surfers to an attack-toolkit!
      • Phishing attacks via email increased dramatically in the second half of 2009, with activity coming from countries that had not previously been in the game.
        • Attackers are shifting their geographical profiles due to various pressures
        • Lots and lots of money to be made
    • 18. Vulnerability Metrics for 2H 2009
    • 19. Malware Trends of 2009
    • 20. 2009 Malware Trends
      • Malware authors and operators innovated
        • Koobface, Mariposa (Butterfly Bot), Zbot (ZeuS), and Mebroot increased compatibility with Vista and Windows 7
        • Complex and user friendly Banking Trojans (ZeuS, SpyEye, BlackEnergy2) are available as configurable kits
        • Sophisticated RATs (e.g. Aurora’s “Hydraq”) are also in use
      • Better prepared for takedowns and other countermeasures
        • Lessons learned from the days of The RBN
      • Taking advantage of “cloud” services – virtualized hosting environments, geographically distributed content delivery networks, and dynamic DNS services
        • DNS double and triple-flux technologies
    • 21. 2009 Malware Trends
      • Man in the browser/endpoint
      • Trojan Horse is used to intercept and manipulate calls between the main application’s executable (the browser) and its security mechanisms or libraries
      • Common objective of this attack is to cause financial fraud by manipulating transactions of Internet banking systems, even when other authentication factors are in use
        • High-dollar Commercial OLB creds - compromised
        • Challenge secret questions – compromised
        • IP Geo-location - compromised
        • Email out-of-band - compromised
        • Hardware token - compromised
        • Device fingerprinting - compromised
        • Dual approver - compromised
        • SMS out-of-band - compromised
    • 22. 2009 Malware Trends
      • Compromised web pages are frequently the vehicle of choice for mass malware distribution
        • Hence, most servers are compromised in order to compromise clients
        • Those clients may then be used to compromise servers inside the enterprise! (Aurora!)
      • Drive-by downloads – malware code using everything from simple UU-encoding techniques to elaborate self-decoding JavaScripts
      • Sophisticated software development
        • Authors of malware kits (Trojan toolkits, web-attack toolkits, droppers, rootkits, etc.) are becoming very responsive to their client-base and are producing highly usable, modular and upgradeable software at a tremendous rate.
        • For instance, the BlackEnergy2 Trojan-builder kit has a fully modular plug-in architecture which allows for the separate sale of plug-ins for different purposes and designed to target specific PKI schemes, etc.
    • 23. 2009 Malware Trends
      • Greater efficiency and targeting
      • Dasient: 5.5 million web pages on 560,000 websites infected with malware Q4 2009.
      • Two years ago, infected web pages would infect users' computers with an average of at least a dozen pieces of malware; the most recent figures have that number falling to just 2.8
        • Smaller number of malicious programs means that users are less likely to notice an attack.
      • Operators learning valuable business lessons
        • Operate 24/7 network of login-interceptors for high-value accounts
        • Operators are singling out SMBs that tend to have cash on hand and no real IT
        • Extremely sophisticated and profitable money-mule/laundering infrastructure now exists
    • 25. Contemporary ACH / Wire Fraud
      • Automated Clearing House (ACH)
      • 1 - 4 victims / day
      • Average take $100,000 / victim
      • $500K - $1M/week
      • $100M attempted in 2009
      • $40M+ unrecovered
      • More than all US bank robberies combined
      • Losses borne by victims due to ACH rules
      • ALL done by ONE Eastern European crew
    • 26. Recent ACH Fraud Cases
      • XXXX County - $415,000
      • XXXX Corp - $447,000
      • XXXX Energy - $200,000
      • XXXX Construction - $588,000
      • XXXX Industrial - $1,200,000
      • XXXX School District - $117,000
      • XXXX XXXX School - $150,000
      • XXXX University - $189,000
    • 27. Source: myNetWatchman
    • 28. Source: myNetWatchman
    • 29. Source: myNetWatchman
    • 30. Information Disclosure: Lessons from Airplanes and ATMs
    • 31. Information Disclosure
      • Failing to redact documents correctly
      • Not removing document metadata
      • Not sanitizing hard drives and other media
      • Unencrypted data
    • 32. Information Disclosure
      • TSA published a SOP manual with sensitive information redacted
    • 33. Information Disclosure
      • The TSA added black bars on top of text and images to prevent it from being seen
    • 34. Information Disclosure
      • The NSA specifically states that this will not work in their manual on redacting safely
      • Google: “Redact Confidence”
    • 35. Information Disclosure
      • [Source: Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF]
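Slides 33 to 35 make the point that painting a black bar over text leaves the text in the file. The following added example (not from the deck, and not from the NSA guide it cites) makes that concrete without any PDF library: it hand-builds two tiny uncompressed one-page PDFs from a constructed sample page, one "redacted" by drawing a black rectangle over the sensitive line and one with that line actually removed from the content stream, then searches both the way a text extractor or copy-and-paste would. The sample text, coordinates and box size are invented for the demonstration.

```python
# Added example for the redaction point above; not from the slides or the NSA guide.
# Builds two tiny uncompressed one-page PDFs by hand: one "redacted" by painting a
# black rectangle over the sensitive line, one with that line actually removed from the
# content stream. Then both are searched the way a text extractor or copy/paste would.
import re

# Constructed sample page content (x, y, text); nothing here is a real document.
SAMPLE_LINES = [
    (10, 70, "Screening procedure summary: public"),
    (10, 40, "Sensitive: internal threshold value 42"),
]
BLACK_BOX = (8, 36, 250, 16)     # x, y, width, height of the painted rectangle


def pdf_escape(text):
    """Escape the three characters that need it inside a PDF literal string."""
    return text.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)").encode("latin-1")


def page_content(lines):
    """Content stream that shows each line with the Tj text operator."""
    ops = [b"BT /F1 12 Tf %d %d Td (%s) Tj ET" % (x, y, pdf_escape(t)) for x, y, t in lines]
    return b"\n".join(ops)


def black_box(box):
    return b"0 g %d %d %d %d re f" % box      # fill a rectangle with black


def overlay_redaction(lines, box):
    """The flawed approach: the secret stays in the stream, a box is painted on top."""
    return page_content(lines) + b"\n" + black_box(box)


def true_redaction(lines, box, is_sensitive):
    """The correct approach: drop the sensitive text, then paint a marker box."""
    kept = [ln for ln in lines if not is_sensitive(ln[2])]
    return page_content(kept) + b"\n" + black_box(box)


def build_pdf(content_stream):
    """Wrap a content stream in a minimal, valid PDF 1.4 file (uncompressed)."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 300 100] "
        b"/Resources << /Font << /F1 4 0 R >> >> /Contents 5 0 R >>",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
        b"<< /Length %d >>\nstream\n%s\nendstream" % (len(content_stream), content_stream),
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_pos)
    return bytes(out)


# Literal string followed by the Tj operator (the only text operator this page uses)
TJ_STRING = re.compile(rb"\(((?:[^()\\]|\\.)*)\)\s*Tj")


def extract_strings(pdf_bytes):
    """What a text extractor recovers: every Tj string, whatever is painted over it."""
    return [m.group(1).decode("latin-1") for m in TJ_STRING.finditer(pdf_bytes)]


if __name__ == "__main__":
    bad = build_pdf(overlay_redaction(SAMPLE_LINES, BLACK_BOX))
    good = build_pdf(true_redaction(SAMPLE_LINES, BLACK_BOX, lambda t: t.startswith("Sensitive")))
    print("overlay only :", extract_strings(bad))
    print("text removed :", extract_strings(good))
```

Both files render with a black bar in the same place; only the second one has nothing underneath it. Real documents add two more places to check before publishing: compressed content streams (decompress, then apply the same logic) and the metadata and embedded-file dictionaries the next slide warns about.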
    • 36. Information Disclosure
      • 40% of hard drives purchased from eBay contain personal information
        • 36% Financial data
        • 21% Emails
        • 11% Corporate Documents
        • [source: Kessler International]
      • Wipe drives before they leave your control
      • There are several bootable programs that will wipe all media attached to a computer
      • DBAN – Darik’s Boot and Nuke
    • 37. Information Disclosure
      • A security researcher purchased an ATM via Craigslist
      • He found 1,000 debit card numbers stored in the machine
      • Who has access to your data?
      • What are their controls on it?
    • 38. Information Disclosure
      • Imperva notified of a SQL injection flaw on Dec 4th
      • Fixed the problem over the weekend
      • The database stored passwords in plaintext
      • A hacker disclosed that he had copied the entire database before the flaw was fixed
    • 39. Information Disclosure
      • The database contains the usernames and passwords for over 32 million accounts
      • Included in the database were also passwords for partner websites
      • This is a classic example of where defense in depth would have offered superior protection
    • 40. Aurora
    • 41. Background: Titan Rain intrusion set
      • An intrusion set is a collection of evidence, data, artifacts, logs, malware samples or other items that are all related in some way
      • Titan Rain was one such intrusion set
        • Coordinated intrusions of US Gov’t & Defense Industrial Base, circa 2003
        • Labeled as Chinese in origin
        • Nature of and identities of adversaries unknown
    • 42. Background: Advanced Persistent Threat (APT)
      • Advanced: Adversary has capability to use anything from simple, public exploits to performing their own vulnerability discovery work and developing 0-day attacks.
      • Persistent: Adversary has well defined goals and objectives and is persistent at pursuing them. Adversary will try various avenues of attack, looking for one that will yield the desired outcome.
      • Does not typically refer to things like ZeuS
    • 43. Aurora
      • Publicly disclosed hacking incident inside Google and other major companies
      • Belief within infosec community that PRC has been waging a long term, persistent campaign of “espionage-by-malware”
      • Titan Rain, GhostNet
      • Grown bolder over time
    • 44. Aurora
      • In May of 2009 a number of actors in Mainland China began a targeted attack on Google and several other major US-Based corporations with the intent of exfiltrating sensitive data for political and financial gain.
      • The Aurora team used a privately-held IE-7 0-day exploit as well as an Adobe PDF vulnerability to infect workstations at Google and others with sophisticated RATs
        • Social-engineering using methods similar to Fake-AV campaigns was also used
      • Once the Aurora team had access to internal systems, they quickly compromised source-code repositories, email databases, and other extremely sensitive financial and operational data from the inside
    • 45. Aurora
      • “Aurora” is taken directly from strings within some custom software components of the attack
        • Debug symbol file path in custom code
    • 46. Aurora
      • Known samples of the main backdoor trojan used in the attacks are no older than 2009
      • Attack may have been in works for some time
        • Custom modules in Aurora codebase with timestamps as old as May 2006
        • Timeframe just after Titan Rain had blown up and the PRC’s limited arsenal of mostly “COTS” trojans was being increasingly detected by commercial AV
    • 47. Aurora
      • With a completely original code base and its use restricted to highly targeted attacks, Hydraq seems to have escaped detection until now
      • Compiler leaves many clues in a binary
        • PE resource section may reveal language code
        • Aurora author was careful to either compile on English-language system, or to modify the language code in the binary after the fact
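The slide says the PE resource section can reveal a language code and that the Aurora author took care to avoid that. The following is an added triage example, not code from the deck, from SecureWorks, or taken from any Hydraq sample: it serializes a constructed three-level resource directory tree (type, name, language) into bytes the way the Windows loader expects it, then walks it back and reports the LANGID attached to each resource. It assumes the `.rsrc` section has already been located and that its RVA is the constant given; locating the section through the PE headers is left out, and the resource data itself is placeholder bytes.

```python
# Added example for the "PE resource section may reveal language code" point above;
# not from the slides or from the Aurora/Hydraq samples. It builds a constructed
# resource directory tree in memory (no real binary) and walks it the way a triage
# script would, collecting the Windows language identifier attached to every resource.
import struct

RESOURCE_RVA = 0x3000            # assumption: RVA of the .rsrc section in our fake image
SUBDIRECTORY_FLAG = 0x80000000   # high bit of OffsetToData marks a nested directory

# A few well-known LANGID values (primary language in the low 10 bits, sublanguage above)
LANGID_NAMES = {0x0000: "neutral", 0x0409: "en-US", 0x0804: "zh-CN", 0x0404: "zh-TW"}

# Constructed tree: {resource type: {name/id: {language id: data}}}
SAMPLE_TREE = {
    16: {1: {0x0804: b"VS_VERSION_INFO placeholder"}},   # RT_VERSION, Chinese (PRC)
    5: {100: {0x0409: b"dialog template placeholder"}},  # RT_DIALOG, English (US)
}


def build_resource_section(tree, rva=RESOURCE_RVA):
    """Serialize the tree into IMAGE_RESOURCE_DIRECTORY tables, data entries and data."""
    cursor = [0]

    def alloc(size):
        off = cursor[0]
        cursor[0] += size
        return off

    root = alloc(16 + 8 * len(tree))
    lvl2 = {t: alloc(16 + 8 * len(names)) for t, names in tree.items()}
    lvl3 = {(t, n): alloc(16 + 8 * len(langs))
            for t, names in tree.items() for n, langs in names.items()}
    entry = {(t, n, l): alloc(16)
             for t, names in tree.items() for n, langs in names.items() for l in langs}
    blob = {(t, n, l): alloc(len(d))
            for t, names in tree.items() for n, langs in names.items() for l, d in langs.items()}
    buf = bytearray(cursor[0])

    def write_dir(off, entries):
        # Characteristics, TimeDateStamp, Major, Minor, NumberOfNamedEntries, NumberOfIdEntries
        struct.pack_into("<IIHHHH", buf, off, 0, 0, 0, 0, 0, len(entries))
        for i, (ident, target, is_dir) in enumerate(entries):
            flag = SUBDIRECTORY_FLAG if is_dir else 0
            struct.pack_into("<II", buf, off + 16 + 8 * i, ident, target | flag)

    write_dir(root, [(t, lvl2[t], True) for t in tree])
    for t, names in tree.items():
        write_dir(lvl2[t], [(n, lvl3[(t, n)], True) for n in names])
        for n, langs in names.items():
            write_dir(lvl3[(t, n)], [(l, entry[(t, n, l)], False) for l in langs])
            for l, data in langs.items():
                # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData (an RVA), Size, CodePage, Reserved
                struct.pack_into("<IIII", buf, entry[(t, n, l)],
                                 rva + blob[(t, n, l)], len(data), 0, 0)
                buf[blob[(t, n, l)]:blob[(t, n, l)] + len(data)] = data
    return bytes(buf)


def walk_resource_tree(section, rva=RESOURCE_RVA):
    """Return (type, name, language id, data) for every leaf of a resource section."""

    def entries(off):
        _, _, _, _, n_named, n_id = struct.unpack_from("<IIHHHH", section, off)
        for i in range(n_named + n_id):
            ident, target = struct.unpack_from("<II", section, off + 16 + 8 * i)
            yield ident, target & 0x7FFFFFFF, bool(target & SUBDIRECTORY_FLAG)

    leaves = []
    for type_id, l2, _ in entries(0):
        for name_id, l3, _ in entries(l2):
            for lang_id, data_entry, _ in entries(l3):
                data_rva, size, _, _ = struct.unpack_from("<IIII", section, data_entry)
                start = data_rva - rva
                leaves.append((type_id, name_id, lang_id, section[start:start + size]))
    return leaves


def language_summary(section, rva=RESOURCE_RVA):
    """Distinct language identifiers found, as 'name (0xNNNN)' strings for a triage report."""
    found = {lang for _, _, lang, _ in walk_resource_tree(section, rva)}
    return sorted("%s (0x%04X)" % (LANGID_NAMES.get(lang, "unknown"), lang) for lang in found)


if __name__ == "__main__":
    section = build_resource_section(SAMPLE_TREE)
    for type_id, name_id, lang_id, data in walk_resource_tree(section):
        print("type %d name %d lang 0x%04X (%d bytes)" % (type_id, name_id, lang_id, len(data)))
    print(language_summary(section))
```

As the slide notes, this is only a clue: a LANGID is set by whoever compiled the resources and can be edited afterwards, so a report should list it alongside other compiler artifacts rather than treat it as proof of origin.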
    • 48. Aurora
      • Peculiarities and origins of the CRC algorithm used suggest the author is familiar with simplified Chinese
    • 49. Aurora
      • Partial JavaScript code used to exploit Google
        • If only they were using Chrome…
    • 50. New Details Emerge
      • April 19 – New York Times reported that Aurora stole source code to Google’s single sign-on (SSO) system “Gaia”
        • “Cyberattack on Google Said to Hit Password System”, John Markoff
      • Aurora had access to “Moma”, Google’s internal employee database
      • May have used information from Moma to target the individual developers working on Gaia
      • Source code exfiltrated to Rackspace servers, and then onto ???
    • 51. Other Trends
    • 52. Other Trends
      • Social engineering
        • Phishing / Spearphishing
          • E.g., Rogue AV
          • Hybrid attacks
          • Targeted verticals and enterprises
          • Advanced Trojans
      • Social Networks (Facebook, Twitter)
        • Trusted relationships
        • Superb ROI platform for URL-based attacks
      • Botnet sophistication and innovation
        • Spread of infection by reputable or legit websites
        • continuously evolving attacks and malware methods
      • Threats come more from organized crime
        • However, involvement of state actors has finally come to the forefront
    • 53. Other Trends
      • 0-day black market
        • Premium paid for 0-days
        • TippingPoint has heard of governments offering $1 million for a good one
        • Good guys can’t compete at those prices
        • ‘Aurora’ used an IE 0-day that it had developed
      • Weak economy in US fosters fraudsters’ recruitment of unwitting, desperate money mules
      • Weak economy abroad has led to a large number of highly skilled IT experts in desperate situations
      • Global cooperation in these cases is still in its infancy
    • 54. Other Trends
      • Clients vs. Servers
        • For the moment, the pendulum has swung away from servers
        • Servers are now more likely to be compromised as a means to compromise a large number of clients
        • While the very large financial database breaches do occur, they are now more likely to come from a compromised workstation with privileged access on the inside
        • The weakest-link rule is true now more than ever
    • 55. The new .CN
    • 56. The new .CN
      • In December 2009, published a bulletin regarding new restrictions on purchasing .CN ccTLD domain names
      • The new restrictions consisted of:
        • Webmasters to submit paper application and show ID when registering a domain name
        • Business license if applicable
        • Have to submit the information within 5 days or risk losing the domain
      • Continued to monitor domains hosting malicious executables and have noticed an interesting trend
      • Domains registered with a ccTLD of .CN have slightly declined, while domains registered with a ccTLD of .IN have started to increase, beginning right around the time of the CNNIC announcement
    • 57. The new .CN
    • 58. The new .CN
      • .RU domains have also seen an increase since the .CN registration requirements were announced.
      • RU-CENTER has stated they will implement rules similar to CNNIC starting April 1st
    • 59. The new .CN
    • 60. Mariposa / ButterflyBot
    • 61. Mariposa / ButterflyBot
      • Publicly sold botnet kit called “BFBOT”
        • Distributed as binary “builder” kit, full source code is not available
        • Author has since “retired”, but perhaps not
      • Very typical of generic botnet kits, e.g. Rbot, Agobot, Phatbot
      • Uses console-based master control program
        • Not likely to catch on with script kiddies due to complexity of setup/use and lack of new development
    • 62. Mariposa / ButterflyBot
      • Named after a domain that it was contacting
        • butterfly [dot] sinip [dot] es
      • Initially discovered early 2009
      • Sold on
        • “Security tool designed to stealthy run on winnt based systems (win2k to winvista) and to stealthy and efficiently spread with 3 spreaders, which were specially designed and improved compared to already known public methods. (sic)”
        • The three spreaders are MSN, USB, and P2P. Listed P2P networks were “ares, bearshare, imesh, shareaza, kazaa, dcplusplus, emule, emuleplus, limewire. (sic)”
    • 63. Commercial Market for ButterflyBot Source: Panda Security
    • 64. ButterflyBot Capabilities
      • Information Theft
        • Steal data from Internet Explorer (protected storage and Autocomplete (IE 7+) password stealing)
        • Mozilla Firefox (stored passwords stealing)
      • Downloader
        • Download files via HTTP and execute them on the infected computer
      • DDoS
        • TCP SYN or UDP packet flooding
      • Propagation
        • MSN Instant Messenger
        • USB autorun
        • Copying itself to well-known P2P application download directories
      • VNC Server Scan
        • Scan for VNC (Virtual Network Computing) servers that may allow AUTHBYPASS or NOAUTH access.
    • 65. ButterflyBot Console Source: Symantec
    • 66. ButterflyBot Master Client Source: Panda Security
    • 67. ButterflyBot Configuration Tool Source: Panda Security
    • 68. Mariposa Takedown
      • Botnet size fluctuated between 500K and 1 million infected hosts spanning more than 190 countries
      • Botmasters made money by allowing other cybercrooks to utilize parts of the botnet
        • This led to a variety of malware being installed
          • Advanced keyloggers
          • Various Banking trojans
          • RATs (Remote access Trojans)
          • Fake AV
    • 69. Mariposa Takedown
      • Due to a coordinated effort between law enforcement and the security community, three individuals were identified and arrested
        • “netkairo” of Balmaseda, age 31
        • “jonyloleante” of Molina de Segura, age 30
        • “ostiator” of Santiago de Compostela, age 25
      • Action taken on domains December 23, 2009 at 1700 Spanish time
        • US FBI and Spanish Civil Guard
        • Believed that suspects would be less able to react due to Christmas holiday and time with family
      • Suspects remained unknown because they were using VPNs from Swedish provider Relakks
      • During the counter attack, “netkairo” made a fatal mistake
        • Did not use the VPN, revealed IP address in Spain
        • IP provided to Civil Guard
    • 70. Mariposa Takedown
      • “netkairo” apprehended by agents of the Civil Guard on February 12, 2010 at his home in Balmaseda, Spain
      • Digital forensics of seized computers led to 2 further arrests in Spain
      • Cases in front of Judge Garzón of the National Court
    • 71. Conclusion
    • 72. Conclusion
      • Defenders remain at a significant disadvantage
      • Must attack both sides of the risk vs. reward equation
      • Closer cooperation is needed between security community and law enforcement
      • Human weakness is arguably more important than technological vulnerabilities in today’s cyber crime ecosystem
        • Attractive ROI of Social Engineering
    • 73. Q & A
    • 74. Special Thanks
      • Chema Alonso & Informática64
      • Maite Villalba and the Universidad Europea de Madrid
      • You, my audience!