Trends in network security feinstein - informatica64

Speaker notes
  • Harvey Mudd College, Claremont, California USA. Co-op with Aerospace Corporation, El Segundo, California USA (2000), a Federally Funded Research and Development Center (FFRDC) that supports national security, civil and commercial space programs. Graduate of FBI Citizens’ Academy.
  • ARPA renamed to DARPA in March 1972; renamed ARPA again in February 1993; renamed DARPA again in March 1996.
  • Hawala – today, “probably used mostly for migrant workers’ remittances to their countries of origin”. Chart source: International Monetary Fund, http://www.imf.org/external/pubs/ft/fandd/2002/12/elqorchi.htm. Pony Express – 1860-1861; 2,000 miles from Missouri to Sacramento, California; 190 stations spaced at roughly 10-mile intervals (about the maximum distance a horse could run at full gallop). Riders carried a mochila and changed horses at each station. Replaced by the telegraph.
  • Avprofit says it will pay affiliates roughly $1,000 for every 1,000 times they distribute this installer program, or about $1 per install.
  • Krebs on Security blog, written by Brian Krebs, formerly of the Washington Post: http://www.krebsonsecurity.com/category/smallbizvictims/
    Formerly wrote the Security Fix blog for the Washington Post: http://voices.washingtonpost.com/securityfix/small_business_victims/
    “Computer Crooks Steal $100,000 from Ill. Town”, 2010-04-06, http://krebsonsecurity.com/2010/04/computer-crooks-steal-100000-from-ill-town/
    “Online Thieves Take $205,000 Bite Out of Missouri Dental Practice”, 2010-03-30, http://krebsonsecurity.com/2010/03/online-thieves-take-205000-bite-out-of-missouri-dental-practice/
    “Organized Crooks Hit NJ Town, Ark. Utility”, 2010-03-22, http://krebsonsecurity.com/2010/03/organized-crooks-hit-nj-town-arizona-utility/
  • Avalanche is a fast-flux hosting network similar to Asprox
  • http://www.nytimes.com/2010/04/20/technology/20google.html
  • Reported in the October 2009 CTU Threat Intelligence webinar
  • Reported in the October 2009 CTU Threat Intelligence webinar
  • http://www.pandasecurity.com/homeusers/security-info/217587/information/ButterflyBot.A
  • http://www.symantec.com/connect/blogs/mariposa-butterfly-bot-kit
  • http://www.pandasecurity.com/homeusers/security-info/217587/information/ButterflyBot.A
  • http://www.pandasecurity.com/homeusers/security-info/217587/information/ButterflyBot.A
  • Transcript

    • 1. Trends in Network Security Ben Feinstein, CISSP GCFA Director of Research SecureWorks Counter Threat Unit℠
      • Friday, April 23rd, 2010, Informática64, Móstoles, Spain
    • 2. Introduction
    • 3. Who Am I?
      • Native of Atlanta, Georgia USA
      • 12 years old, dial-up UNIX shell, telnetting around the world
      • Professional software developer as a teenager
      • Bachelor of Science in Computer Science (c. Economics), 2001
        • Harvey Mudd College, Claremont, California USA
      • Author of RFC 4765 and RFC 4767
      • Software Engineer at a series of security start-ups, 2001 – 2006
      • Joined SecureWorks in 2006
      • Certified Information Systems Security Professional (CISSP)
      • SANS Global Information Assurance Certified Forensics Analyst (GCFA)
    • 4. Who is SecureWorks?
      • Market leading provider of information security services
        • Managed Security Services Provider (MSSP)
        • Security and Risk Consulting (SRC)
      • Over 2,700 clients worldwide, including more than 10% of Fortune 500
      • Suite of managed information and network security services
        • Security Information Management (SIM) On Demand
        • Log Monitoring
        • Intrusion Prevention Systems (IPS) / Intrusion Detection Systems (IDS)
        • Threat Intelligence
        • Firewall
        • Host IPS
        • Vulnerability Scanning
        • Web Application Scanning
        • Log Retention
        • Encrypted Email
    • 5. Agenda
    • 6. Agenda
      • Computer Networks
      • Vulnerability Trends of 2009
      • Malware Trends of 2009
      • Information Disclosure
      • Aurora
      • Other Trends
      • The New .CN
      • Mariposa / ButterflyBot
      • Conclusion
      • Q & A
    • 7. From Mainframes to Today’s Internet
    • 8. The Development of Computer Networks
      • Advanced Research Projects Agency (ARPA)
        • Established in 1958 after Soviet launch of Sputnik satellite in 1957
        • Later renamed the Defense Advanced Research Projects Agency (DARPA)
        • Directly manages a $3.2B budget
      • ARPANET developed by ARPA for US Department of Defense (DoD)
        • Development work began in 1969
    • 9. Decentralization of Computing Power
      • Mainframes gave way to Personal Computers (PCs)
      • Development of Local Area Networks (LANs)
      • Dial-up Internet
      • Broadband Internet
    • 10. ARPANET, circa March 1977
    • 11. Map of Internet Routers (2005), Opte Project
      • http://www.opte.org/
    • 12. Map of Online Communities, xkcd #256
      • http://xkcd.com/256/ , Spring 2007
    • 13. Some (Much) Older Networks to Remember
      • Hawala
      • Pony Express
      Source: International Monetary Fund
    • 14. Network Security
    • 15. The Network as an Attack Surface
      • Concept of Threat Modeling
      • Concept of an Attack Surface
      • Local Attacks vs. Remote Attacks
      • Common Vulnerability Scoring System (CVSS) version 2
        • Exploitability metrics
        • Access Vector: Local, Adjacent Network, Network
      • Widespread adoption of Firewalls
      • Widespread adoption of the Web
      • Web 2.0
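The Access Vector metric is the one that makes "local vs. remote" concrete in CVSS v2: the same vulnerability scores differently depending on whether it is reachable from the network, from the adjacent network segment, or only locally. The following calculator is an added example (not part of the slides); the weights and equations are those published in the CVSS v2.0 specification, and the vectors in the `__main__` block are chosen only to show how Access Vector alone moves the score.

```python
"""CVSS v2 base score from a vector string.

Added example, not from the slides: the weights and equations are the ones
published in the CVSS v2.0 specification; the vectors at the bottom are chosen
to show how Access Vector alone moves the score."""
import re

WEIGHTS = {
    # Exploitability sub-metrics: Access Vector, Access Complexity, Authentication
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},      # Local, Adjacent Network, Network
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},       # High, Medium, Low
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},      # Multiple, Single, None
    # Impact sub-metrics: Confidentiality, Integrity, Availability
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:C/I:C/A:C'; reject unknown, duplicate or missing metrics."""
    metrics = {}
    for part in vector.split("/"):
        m = re.fullmatch(r"(AV|AC|Au|C|I|A):([A-Z])", part)
        if not m or m.group(1) in metrics or m.group(2) not in WEIGHTS[m.group(1)]:
            raise ValueError("malformed CVSS v2 base vector: %r" % vector)
        metrics[m.group(1)] = m.group(2)
    if set(metrics) != set(WEIGHTS):
        raise ValueError("missing base metrics in %r" % vector)
    return metrics


def base_score(vector):
    """Return (base, impact, exploitability), each rounded to one decimal as the spec does."""
    m = parse_vector(vector)
    w = {k: WEIGHTS[k][v] for k, v in m.items()}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176      # no impact at all means a base score of 0
    base = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return round(base, 1), round(impact, 1), round(exploitability, 1)


if __name__ == "__main__":
    # Same complete C/I/A impact, same low complexity, no authentication; only AV changes.
    for av in "LAN":
        vec = "AV:%s/AC:L/Au:N/C:C/I:C/A:C" % av
        print(vec, base_score(vec))
```

With complete impact and the easiest exploitability, the three access vectors give 7.2 (Local), 8.3 (Adjacent Network) and 10.0 (Network); a network-reachable bug at medium complexity, the usual profile for a client-side browser or document-reader vulnerability, lands at 9.3.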
    • 16. Vulnerability Trends of 2009
    • 17. 2009 Vulnerability Trends
      • Vulnerabilities disclosed for document readers and editors soared.
        • Office documents including spreadsheets and presentations
        • Portable Document Format (PDF) documents – the dubious champ
        • Favorite vector of “Spear Phishers”, including “Operation Aurora”
      • The appearance of new malicious Web links has skyrocketed globally in the past year.
        • Phishing, Malvertisements, Fake-AV, etc.
        • A large number of sophisticated web-attack toolkits are available for sale.
        • Cross-site scripting (XSS) and SQL injection (SQLi) attacks are primarily used to redirect web surfers to an attack toolkit
      • Phishing attacks via email increased dramatically in the second half of 2009, with activity coming from countries that had not previously been in the game
        • Attackers are shifting their geographical profiles due to various pressures
        • Lots and lots of money to be made
    • 18. Vulnerability Metrics for 2H 2009
    • 19. Malware Trends of 2009
    • 20. 2009 Malware Trends
      • Malware authors and operators innovated
        • Koobface, Mariposa (Butterfly Bot), Zbot (ZeuS), and Mebroot increased compatibility with Vista and Windows 7
        • Complex and user friendly Banking Trojans (ZeuS, SpyEye, BlackEnergy2) are available as configurable kits
        • Sophisticated RATs (e.g. Aurora’s “Hydraq”) are also in use
      • Better prepared for takedowns and other countermeasures
        • Lessons learned from the days of the Russian Business Network (RBN)
      • Taking advantage of “cloud” services – virtualized hosting environments, geographically distributed content delivery networks, and dynamic DNS services
        • DNS double and triple-flux technologies
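The double- and triple-flux point is a detection problem as much as a hosting trick: the observable is a name whose A records (and, for double-flux, the A records of its own name servers) rotate quickly across unrelated networks. The classifier below is an added example, not SecureWorks code; the observations are constructed records in the documentation address ranges, the thresholds are assumptions, and /16 diversity stands in for the ASN diversity a production system would use.

```python
"""Flag fast-flux (and double-flux) names from DNS observations.

Added example, not from the slides: the observations below are constructed; a real
run would feed it passive-DNS or resolver log records. Thresholds are assumptions."""
from collections import defaultdict
import ipaddress


def _a(name, ttl, ips):
    return [(name, "A", ttl, ip) for ip in ips]


# Constructed observations as (qname, rrtype, ttl, rdata); addresses are documentation/test ranges.
OBSERVATIONS = (
    # Flux zone: apex answers rotate through unrelated networks with a short TTL ...
    _a("example-flux.net", 180, ["192.0.2.10", "198.51.100.20", "203.0.113.30",
                                 "100.64.1.40", "100.65.2.50", "192.0.2.11"])
    # ... and so do the zone's own name servers (double-flux).
    + [("example-flux.net", "NS", 180, "ns1.example-flux.net"),
       ("example-flux.net", "NS", 180, "ns2.example-flux.net")]
    + _a("ns1.example-flux.net", 180, ["192.0.2.60", "198.51.100.61", "203.0.113.62", "100.64.5.63", "100.65.6.64"])
    + _a("ns2.example-flux.net", 180, ["192.0.2.70", "198.51.100.71", "203.0.113.72", "100.64.7.73", "100.65.8.74"])
    # CDN-like: many addresses and a short TTL, but all from one network.
    + _a("cdn.example.org", 60, ["198.51.100.%d" % i for i in range(1, 7)])
    # Ordinary corporate host: one address, long TTL.
    + _a("www.example.com", 86400, ["203.0.113.5"])
)


def classify(observations, min_ips=5, max_ttl=300, min_prefixes=3):
    """Per name: address count, /16 diversity, lowest TTL, and flux/double-flux verdicts."""
    a_records, ttls, ns_names = defaultdict(set), defaultdict(list), defaultdict(set)
    for qname, rrtype, ttl, rdata in observations:
        if rrtype == "A":
            a_records[qname].add(rdata)
            ttls[qname].append(ttl)
        elif rrtype == "NS":
            ns_names[qname].add(rdata)

    def profile(name):
        ips = a_records.get(name, set())
        # /16 is a crude stand-in for ASN diversity, which is what separates flux from a CDN
        prefixes = {str(ipaddress.ip_network(ip + "/16", strict=False)) for ip in ips}
        min_ttl = min(ttls[name]) if ttls.get(name) else None
        flux = (len(ips) >= min_ips and len(prefixes) >= min_prefixes
                and min_ttl is not None and min_ttl <= max_ttl)
        return {"ips": len(ips), "prefixes": len(prefixes), "min_ttl": min_ttl, "flux": flux}

    verdicts = {}
    for name in set(a_records) | set(ns_names):
        v = profile(name)
        # double-flux: the zone's name servers are themselves served from a rotating pool
        ns_flux = [profile(ns)["flux"] for ns in ns_names.get(name, ())]
        v["double_flux"] = v["flux"] and bool(ns_flux) and all(ns_flux)
        verdicts[name] = v
    return verdicts


if __name__ == "__main__":
    for name, v in sorted(classify(OBSERVATIONS).items()):
        print("%-24s ips=%d /16s=%d ttl=%s flux=%s double=%s"
              % (name, v["ips"], v["prefixes"], v["min_ttl"], v["flux"], v["double_flux"]))
```

The CDN entry is the false positive every TTL-and-count heuristic trips over; requiring network diversity as well is what keeps it out of the flux bucket.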
    • 21. 2009 Malware Trends
      • Man in the browser/endpoint
      • A Trojan horse intercepts and manipulates calls between the main application executable (the browser) and its security mechanisms or libraries
      • Common objective of this attack is to cause financial fraud by manipulating transactions of Internet banking systems, even when other authentication factors are in use
        • High-dollar Commercial OLB creds - compromised
        • Challenge secret questions – compromised
        • IP Geo-location - compromised
        • Email out-of-band - compromised
        • Hardware token - compromised
        • Device fingerprinting - compromised
        • Dual approver - compromised
        • SMS out-of-band - compromised
    • 22. 2009 Malware Trends
      • Compromised web pages frequently vehicle of choice for mass malware distribution
        • Hence, most servers are compromised in order to compromise clients
        • Those clients may then be used to compromise servers inside the enterprise (Aurora!)
      • Drive-by downloads – malware code using everything from simple UU-encoding techniques to elaborate self-decoding JavaScripts
      • Sophisticated software development
        • Authors of malware kits (Trojan toolkits, web-attack toolkits, droppers, rootkits, etc.) are becoming very responsive to their client-base and are producing highly usable, modular and upgradeable software at a tremendous rate.
        • For instance, the BlackEnergy2 Trojan-builder kit has a fully modular plug-in architecture which allows for the separate sale of plug-ins for different purposes and designed to target specific PKI schemes, etc.
    • 23. 2009 Malware Trends
      • Greater efficiency and targeting
      • Dasient: 5.5 million web pages on 560,000 websites infected with malware Q4 2009.
      • Two years ago, infected web pages would infect users' computers with an average of at least a dozen pieces of malware; the most recent figures have that number falling to just 2.8
        • Smaller number of malicious programs means that users are less likely to notice an attack.
      • Operators learning valuable business lessons
        • Operate 24/7 network of login-interceptors for high-value accounts
        • Operators are singling out SMBs that tend to have cash on hand and no real IT
        • Extremely sophisticated and profitable money-mule/laundering infrastructure now exists
    • 25. Contemporary ACH / Wire Fraud
      • Automated Clearing House (ACH)
      • 1 - 4 victims / day
      • Average take $100,000 / victim
      • $500K - $1M/week
      • $100M attempted in 2009
      • $40M+ unrecovered
      • More than all US bank robberies combined
      • Losses borne by victims due to ACH rules
      • ALL done by ONE Eastern European crew
    • 26. Recent ACH Fraud Cases
      • XXXX County - $415,000
      • XXXX Corp - $447,000
      • XXXX Energy - $200,000
      • XXXX Construction - $588,000
      • XXXX Industrial - $1,200,000
      • XXXX School District - $117,000
      • XXXX XXXX School - $150,000
      • XXXX University - $189,000
    • 27. Source: myNetWatchman
    • 28. Source: myNetWatchman
    • 29. Source: myNetWatchman
    • 30. Information Disclosure: Lessons from Airplanes and ATMs
    • 31. Information Disclosure
      • Failing to redact documents correctly
      • Not removing document metadata
      • Not sanitizing hard drives and other media
      • Unencrypted data
    • 32. Information Disclosure
      • TSA published a SOP manual with sensitive information redacted
    • 33. Information Disclosure
      • The TSA added black bars on top of text and images to prevent it from being seen
    • 34. Information Disclosure
      • The NSA specifically states that this will not work in its manual on redacting safely. Google: “Redacting with Confidence”
    • 35. Information Disclosure
      • Source: Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF
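The TSA failure is mechanical: drawing a black box over text adds a painting operation after the text-showing operation, it does not remove the text, and the document-info dictionary survives untouched. The checker below is an added example, not from the slides or the NSA guide. `build_pdf()` constructs a one-page PDF the way a naive redaction tool would (text drawn, then a filled black rectangle on top, content stream Flate-compressed as real writers do); `shown_text()` and `info_metadata()` are the check to run on a file before it leaves your hands. Simplifications, stated in the code: only the Flate filter is inflated and string escapes are not handled.

```python
"""Check whether a "redacted" PDF still carries the text under its black bars,
and what its document-info dictionary leaks.

Added example, not from the slides or the NSA guide. build_pdf() constructs a
minimal one-page PDF the way a naive redaction tool would: the text is drawn,
then a filled black rectangle is drawn on top. The checkers work on that file."""
import re
import zlib


def build_pdf(secret, author):
    """Constructed PDF: text shown with Tj, then a black box painted over it (0 g ... re f)."""
    content = (b"BT /F1 12 Tf 72 700 Td (" + secret + b") Tj ET\n"
               b"0 g 70 696 300 16 re f\n")
    stream = zlib.compress(content)          # content streams are normally Flate-compressed
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
        b"/Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream) + stream + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
        b"<< /Author (" + author + b") /Producer (constructed example) >>",
    ]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += (b"trailer\n<< /Size %d /Root 1 0 R /Info 6 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref))
    return bytes(out)


def content_streams(pdf):
    """Yield every stream body, inflated when it is zlib/Flate data (other filters are left raw)."""
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        data = m.group(1)
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass
        yield data


def shown_text(pdf):
    """Every literal string handed to a Tj/TJ text-showing operator. Whatever is painted
    over it later in the stream does not remove it. Simplification: no escaped parentheses."""
    found = []
    for data in content_streams(pdf):
        found += [s.decode("latin-1") for s in re.findall(rb"\((.*?)\)\s*Tj", data)]
        for arr in re.findall(rb"\[(.*?)\]\s*TJ", data, re.S):
            found.append(b"".join(re.findall(rb"\((.*?)\)", arr)).decode("latin-1"))
    return found


def info_metadata(pdf):
    """Fields of the trailer's /Info dictionary (Author, Producer, ...), or {} if absent."""
    ref = re.search(rb"/Info\s+(\d+)\s+0\s+R", pdf)
    if not ref:
        return {}
    obj = re.search(rb"(?m)^" + ref.group(1) + rb" 0 obj\s*<<(.*?)>>", pdf, re.S)
    if not obj:
        return {}
    return {k.decode(): v.decode("latin-1")
            for k, v in re.findall(rb"/(\w+)\s*\((.*?)\)", obj.group(1))}


if __name__ == "__main__":
    doc = build_pdf(b"Account 4111-1111-1111-1111 belongs to J. Doe", b"Jane Analyst")
    print("text still present:", shown_text(doc))
    print("metadata:", info_metadata(doc))
```

Because the stream is compressed, a plain grep of the file can miss the string; the check has to inflate the streams first, which is also why "I searched the file and it wasn't there" is not a redaction test. A proper redaction removes the text operators (or rasterises the page) and clears the /Info dictionary, and this checker should then return an empty list.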
    • 36. Information Disclosure
      • 40% of hard drives purchased from eBay contain personal information
        • 36% Financial data
        • 21% Emails
        • 11% Corporate Documents
        • [source: Kessler International]
      • Wipe drives before they leave your control
      • There are several bootable programs that will wipe all media attached to a computer
      • DBAN – Darik’s Boot and Nuke
    • 37. Information Disclosure
      • A security researcher purchased an ATM via Craigslist
      • He found 1,000 debit card numbers stored in the machine
      • Who has access to your data?
      • What are their controls on it?
    • 38. Information Disclosure
      • Imperva notified rockyou.com of a SQL injection flaw on December 4th
      • Rockyou.com fixed the problem over the weekend
      • The database stored passwords in plaintext
      • A hacker disclosed that he had copied the entire database before the flaw was fixed
    • 39. Information Disclosure
      • The database contains the usernames and passwords for over 32 million accounts
      • Included in the database were also passwords for partner websites
      • This is a classic example of where defense in depth would have offered superior protection
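The defense-in-depth the slide refers to is the one that makes a stolen table worth much less: a SQL injection dump of salted, slow-hashed passwords costs the attacker a brute-force campaign per account instead of nothing. The code below is an added example, not RockYou's or SecureWorks' code, using only the Python standard library; the iteration count and record format are assumptions.

```python
"""Store passwords so a dumped table does not hand the attacker the passwords.

Added example, not from the slides: the RockYou table held plaintext; this is the
salted, slow-hash alternative, using only the Python standard library."""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000   # assumed policy; raise it as hardware gets faster, the attacker pays it per guess


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'. A fresh 16-byte random salt
    means two users with the same password get different records, so a dump cannot be
    attacked with one precomputed table."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the record's own salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations, salt, expected = int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:          # wrong field count, non-numeric rounds or bad hex: never a match
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True when a record predates the current policy; rehash it at the user's next login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record), verify_password("wrong", record))
```

Hashing does not fix the second RockYou problem, the partner-site passwords: a hash protects the secret at rest, it does nothing for a user who reused it elsewhere.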
    • 40. Aurora
    • 41. Background: Titan Rain intrusion set
      • An intrusion set is a collection of evidence, data, artifacts, logs, malware samples or other items that is all related in some way
      • Titan Rain was one such intrusion set
        • Coordinated intrusions of US Gov’t & Defense Industrial Base, circa 2003
        • Labeled as Chinese in origin
        • Nature of and identities of adversaries unknown
    • 42. Background: Advanced Persistent Threat (APT)
      • Advanced: Adversary has capability to use anything from simple, public exploits to performing their own vulnerability discovery work and developing 0-day attacks.
      • Persistent: Adversary has well defined goals and objectives and is persistent at pursuing them. Adversary will try various avenues of attack, looking for one that will yield the desired outcome.
      • Does not typically refer to things like ZeuS
    • 43. Aurora
      • Publicly disclosed hacking incident inside Google and other major companies
      • Belief within infosec community that PRC has been waging a long term, persistent campaign of “espionage-by-malware”
      • Titan Rain, GhostNet
      • Grown bolder over time
    • 44. Aurora
      • In May of 2009 a number of actors in Mainland China began a targeted attack on Google and several other major US-Based corporations with the intent of exfiltrating sensitive data for political and financial gain.
      • The Aurora team used a privately-held IE-7 0-day exploit as well as an Adobe PDF vulnerability to infect workstations at Google and others with sophisticated RATs
        • Social-engineering using methods similar to Fake-AV campaigns was also used
      • Once the Aurora team had access to internal systems, they quickly compromised source-code repositories, email databases, and other extremely sensitive financial and operational data from the inside
    • 45. Aurora
      • “ Aurora” is taken directly from strings within some custom software components of the attack
        • Debug symbol file path in custom code
    • 46. Aurora
      • Known samples of the main backdoor Trojan used in the attacks are no older than 2009
      • The attack may have been in the works for some time
        • Custom modules in Aurora codebase with timestamps as old as May 2006
        • Timeframe just after Titan Rain had blown up and PRC’s limited arsenal of mostly “COTS” trojans were being increasingly detected by commercial AV
    • 47. Aurora
      • With a completely original code base and its use restricted to highly targeted attacks, Hydraq seems to have escaped detection until now
      • Compiler leaves many clues in a binary
        • PE resource section may reveal language code
        • Aurora author was careful to either compile on English-language system, or to modify the language code in the binary after the fact
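The two compiler clues the slides name, the resource-directory language IDs and the debug-symbol path, are both cheap to read from a sample without running it. The walker below is an added example, not SecureWorks or any vendor's tooling. Because no real sample can be shipped with a slide deck, `build_pe()` constructs a minimal, non-executable PE image (assumed layout: one `.rsrc` section, a three-level resource tree, a CodeView `RSDS` record appended at the end) purely so the two readers can be exercised offline; a real sample would be passed straight to `resource_languages()` and `pdb_path()`. The caveat from the slide applies: the language ID is set by whoever built the file, so an English-only tree is a signal that can be deliberately planted.

```python
"""Read the resource-directory language IDs and the CodeView PDB path from a PE file.

Added example, not from the slides. build_pe() constructs a minimal, non-executable
image purely so the two readers can be exercised offline."""
import struct

LANGIDS = {0x0000: "neutral", 0x0409: "en-US", 0x0419: "ru-RU", 0x0404: "zh-TW", 0x0804: "zh-CN"}


def resource_languages(pe):
    """Language IDs of every leaf in the resource tree (type -> name -> language)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)                # data directories: PE32 vs PE32+
    rsrc_rva, _ = struct.unpack_from("<II", pe, dd + 2 * 8)    # entry 2 = resource table
    if rsrc_rva == 0:
        return []
    sections = []
    for i in range(nsect):
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_offset(rva):
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rawptr + (rva - va)
        raise ValueError("RVA %#x is not inside any section" % rva)

    base = rva_to_offset(rsrc_rva)
    langs = []

    def walk(dir_off, depth):
        if depth > 2:
            raise ValueError("resource tree deeper than three levels")
        named, ids = struct.unpack_from("<HH", pe, base + dir_off + 12)
        for i in range(named + ids):
            name, data = struct.unpack_from("<II", pe, base + dir_off + 16 + 8 * i)
            if data & 0x80000000:                 # high bit set: offset to a subdirectory
                walk(data & 0x7FFFFFFF, depth + 1)
            else:                                 # leaf: entry is keyed by LANGID
                langs.append(name & 0xFFFF)

    walk(0, 0)
    return langs


def language_names(pe):
    return [LANGIDS.get(l, "0x%04x" % l) for l in resource_languages(pe)]


def pdb_path(pe):
    """PDB path from a CodeView 'RSDS' record: signature(4) GUID(16) age(4) then a NUL-terminated
    path. Quick triage by byte scan; a full parser would reach it via the debug directory."""
    i = pe.find(b"RSDS")
    if i < 0:
        return None
    return pe[i + 24:pe.index(b"\0", i + 24)].decode("latin-1")


def _dir(n):                 # IMAGE_RESOURCE_DIRECTORY with n ID entries
    return struct.pack("<IIHHHH", 0, 0, 0, 0, 0, n)


def _entry(id_, off, subdir):
    return struct.pack("<II", id_, off | (0x80000000 if subdir else 0))


def build_pe(langids, pdb=b"C:\\build\\demo\\Release\\demo.pdb"):
    """Constructed PE32: one .rsrc section holding one RT_VERSION resource per language."""
    rsrc_rva, rsrc_raw, n = 0x2000, 0x400, len(langids)
    off_l2, off_l3 = 24, 48
    off_data = off_l3 + 16 + 8 * n
    off_blob = off_data + 16 * n
    rsrc = _dir(1) + _entry(16, off_l2, True)           # level 1: resource type 16 = RT_VERSION
    rsrc += _dir(1) + _entry(1, off_l3, True)           # level 2: resource ID 1
    rsrc += _dir(n)                                     # level 3: one leaf per language
    rsrc += b"".join(_entry(lang, off_data + 16 * i, False) for i, lang in enumerate(langids))
    rsrc += b"".join(struct.pack("<IIII", rsrc_rva + off_blob + 4 * i, 4, 0, 0) for i in range(n))
    rsrc += b"\0" * (4 * n)
    rsds = b"RSDS" + b"\0" * 16 + struct.pack("<I", 1) + pdb + b"\0"
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    hdr += struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)    # PE32, 16 directories
    dirs = [(0, 0)] * 16
    dirs[2] = (rsrc_rva, len(rsrc))
    hdr += b"".join(struct.pack("<II", *d) for d in dirs)
    hdr += struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), rsrc_rva, len(rsrc), rsrc_raw,
                       0, 0, 0, 0, 0x40000040)
    return hdr.ljust(rsrc_raw, b"\0") + rsrc + rsds


if __name__ == "__main__":
    sample = build_pe([0x0409, 0x0804])
    print(language_names(sample), pdb_path(sample))
```

On a real sample the interesting output is a mismatch: an English-only resource tree next to a PDB path, string table or code page that says otherwise.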
    • 48. Aurora
      • Peculiarities and origins of CRC algorithm used suggest author familiar w/ simplified Chinese
    • 49. Aurora
      • Partial JavaScript code used to exploit Google
        • If only they were using Chrome…
    • 50. New Details Emerge
      • April 19 – New York Times reported that Aurora stole source code to Google’s single sign-on (SSO) system “Gaia”
        • “ Cyberattack on Google Said to Hit Password System”, John Markoff
      • Aurora had access to “Moma”, Google’s internal employee database
      • May have used information from Moma to target the individual developers working on Gaia
      • Source code exfiltrated to Rackspace servers, and then onto ???
    • 51. Other Trends
    • 52. Other Trends
      • Social engineering
        • Phishing / Spearphishing
          • E.g., Rogue AV
          • Hybrid attacks
          • Targeted verticals and enterprises
          • Advanced Trojans
      • Social Networks (Facebook, Twitter)
        • Trusted relationships
        • Superb ROI platform for URL-based attacks
      • Botnet sophistication and innovation
        • Spread of infection by reputable or legit websites
        • Continuously evolving attack and malware methods
      • Threats come more from organized crime
        • However, involvement of state actors has finally come to the forefront
    • 53. Other Trends
      • 0-day black market
        • Premium paid for 0-days
        • TippingPoint has heard of governments offering $1 million for a good one
        • Good guys can’t compete at those prices
        • ‘ Aurora’ used an IE 0-day that it had developed
      • Weak economy in US fosters fraudsters’ recruitment of unwitting, desperate money mules
      • Weak economy abroad has led to a large number of highly skilled IT experts in desperate situations
      • Global cooperation in these cases is still in its infancy
    • 54. Other Trends
      • Clients vs. Servers
        • For the moment, the pendulum has swung away from servers
        • Servers are now more likely to be compromised as a means to compromise a large number of clients
        • While the very large financial database breaches do occur, they are now more likely to come from a compromised workstation with privileged access on the inside
        • The weakest-link rule is true now more than ever
    • 55. The new .CN
    • 56. The new .CN
      • In December 2009, CNNIC published a bulletin regarding new restrictions on purchasing .CN ccTLD domain names
      • The new restrictions consisted of:
        • Webmasters must submit a paper application and show ID when registering a domain name
        • Business license, if applicable
        • The information must be submitted within 5 days or the domain is at risk of being lost
      • We continued to monitor domains hosting malicious executables and noticed an interesting trend
      • Domains registered under the .CN ccTLD have slightly declined, while domains registered under the .IN ccTLD started to increase right around the timeframe of the CNNIC announcement
    • 57. The new .CN
    • 58. The new .CN
      • .RU domains have also seen an increase since the .CN registration requirements were announced.
      • RU-CENTER has stated they will implement rules similar to CNNIC starting April 1st
    • 59. The new .CN
    • 60. Mariposa / ButterflyBot
    • 61. Mariposa / ButterflyBot
      • Publicly sold botnet kit called “BFBOT”
        • Distributed as binary “builder” kit, full source code is not available
        • Author has since “retired”, but perhaps not
      • Very typical of generic botnet kits, e.g. Rbot, Agobot, Phatbot
      • Uses console-based master control program
        • Not likely to catch on with script kiddies due to complexity of setup/use and lack of new development
    • 62. Mariposa / ButterflyBot
      • Named after a domain that it was contacting
        • butterfly [dot] sinip [dot] es
      • Initially discovered early 2009
      • Sold on bfsecurity.net
        • “ Security tool designed to stealthy run on winnt based systems (win2k to winvista) and to stealthy and efficiently spread with 3 spreaders, which were specially designed and improved compared to already known public methods. (sic)”
        • The three spreaders are MSN, USB, and P2P. Listed P2P networks were “ares, bearshare, imesh, shareaza, kazaa, dcplusplus, emule, emuleplus, limewire. (sic)”
    • 63. Commercial Market for ButterflyBot Source: Panda Security
    • 64. ButterflyBot Capabilities
      • Information Theft
        • Steal data from Internet Explorer (Protected Storage and AutoComplete (IE 7+) password stealing)
        • Mozilla Firefox (stored password stealing)
      • Downloader
        • Download files via HTTP and execute them on the infected computer
      • DDoS
        • TCP SYN or UDP packet flooding
      • Propagation
        • MSN Instant Messenger
        • USB autorun
        • Copying itself to well-known P2P application download directories
      • VNC Server Scan
        • Scan for VNC (Virtual Network Computing) servers that may allow AUTHBYPASS or NOAUTH access.
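The VNC scan in the capability list works off the first two messages of the RFB protocol: the server's version banner, then its list of security types, where type 1 ("None") means anyone who can reach the port gets the desktop. The parser below is an added example, not bot code and not from the slides; the byte strings are constructed server replies, and the socket connect is deliberately left out so it runs offline (feed it the first bytes read from a real server to audit your own hosts for the NOAUTH case). It handles the RFB 3.3 form (one big-endian u32 type chosen by the server) and the 3.7/3.8 form (u8 count plus one u8 per offered type), including the failure message in each.

```python
"""Parse the opening of the RFB (VNC) handshake and report whether the server
accepts connections with no authentication.

Added example, not from the slides: the byte strings are constructed server replies."""
import struct

SECURITY_TYPES = {0: "invalid", 1: "None", 2: "VNC Authentication", 16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def parse_server_handshake(data):
    """data = the server's ProtocolVersion banner followed by its security message."""
    if len(data) < 12 or data[:4] != b"RFB " or data[7:8] != b"." or data[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = int(data[4:7]), int(data[8:11])
    body = data[12:]
    if (major, minor) == (3, 3):
        # 3.3: the server picks one type and sends it as a big-endian u32; 0 means failure
        if len(body) < 4:
            raise ValueError("truncated 3.3 security message")
        (stype,) = struct.unpack(">I", body[:4])
        types, offset = ([stype] if stype else []), 4
    else:
        # 3.7 and 3.8: u8 count followed by one u8 per offered type; count 0 means failure
        if len(body) < 1:
            raise ValueError("truncated security-types message")
        count = body[0]
        types, offset = list(body[1:1 + count]), 1 + count
    reason = None
    if not types:                                  # failure: u32 length + reason string follows
        (rlen,) = struct.unpack(">I", body[offset:offset + 4])
        reason = body[offset + 4:offset + 4 + rlen].decode("latin-1")
    return {
        "version": "%d.%d" % (major, minor),
        "types": [SECURITY_TYPES.get(t, "unknown(%d)" % t) for t in types],
        "no_auth": 1 in types,      # type 1 = None: no credential of any kind is required
        "reason": reason,
    }


def audit(captures):
    """captures: {host: first bytes received from the server}. Returns hosts offering 'None'."""
    exposed = []
    for host, data in captures.items():
        try:
            if parse_server_handshake(data)["no_auth"]:
                exposed.append(host)
        except ValueError:
            pass                                   # not a VNC server, or a truncated capture
    return sorted(exposed)


if __name__ == "__main__":
    # Constructed captures: an open 3.8 server, a password-protected 3.8 server, an open 3.3 server.
    captures = {
        "192.0.2.10:5900": b"RFB 003.008\n\x02\x01\x02",
        "192.0.2.11:5900": b"RFB 003.008\n\x01\x02",
        "192.0.2.12:5900": b"RFB 003.003\n\x00\x00\x00\x01",
    }
    for host, data in captures.items():
        print(host, parse_server_handshake(data))
    print("exposed:", audit(captures))
```

Offering "None" is the NOAUTH case the bot looks for; the AUTHBYPASS case the slide also mentions is a server defect rather than a configuration, and checking for it means actively proposing a type the server did not offer, which this passive parser does not do.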
    • 65. ButterflyBot Console Source: Symantec
    • 66. ButterflyBot Master Client Source: Panda Security
    • 67. ButterflyBot Configuration Tool Source: Panda Security
    • 68. Mariposa Takedown
      • Botnet size fluctuated between 500K and 1 million infected hosts spanning more than 190 countries
      • Botmasters made money by allowing other cybercrooks to utilize parts of the botnet
        • This led to a variety of malware being installed
          • Advanced keyloggers
          • Various Banking trojans
          • RATs (Remote access Trojans)
          • Fake AV
    • 69. Mariposa Takedown
      • Due to a coordinated effort between law enforcement and the security community, three individuals were identified and arrested
        • “ netkairo” of Balmaseda age 31
        • “ jonyloleante” of Molina de Segura age 30
        • “ ostiator“ of Santiago de Compostela age 25
      • Action taken on domains December 23, 2009 at 1700 Spanish time
        • US FBI and Spanish Civil Guard
        • Believed that suspects would be less able to react due to Christmas holiday and time with family
      • Suspects initially unknown: they used VPNs from the Swedish provider Relakks
      • During the counter-attack, “netkairo” made a fatal mistake
        • Did not use the VPN, revealed an IP address in Spain
        • IP provided to Civil Guard
    • 70. Mariposa Takedown
      • “ netkairo” apprehended by agents of the Civil Guard on February 12, 2010 at his home in Balmaseda, Spain
      • Digital forensics of the seized computers led to two further arrests in Spain
      • Cases in front of Judge Garzón of the National Court
    • 71. Conclusion
    • 72. Conclusion
      • Defenders remain at a significant disadvantage
      • Must attack both sides of the risk vs. reward equation
      • Closer cooperation is needed between security community and law enforcement
      • Human weakness is arguably more important than technological vulnerabilities in today’s cyber crime ecosystem
        • Attractive ROI of Social Engineering
    • 73. Q & A
    • 74. Special Thanks
      • Chema Alonso & Informática64
      • Maite Villalba and the Universidad Europea de Madrid
      • You, my audience!
