Anatomy of an Attack
Cyber Crime intro along with some perspectives on how to look at risk vs vulnerabilities

Published in: Technology
Speaker notes
  • Hello! My name is JM and I am on the research team at Alert Logic. Today we’ll be talking about how organized groups have come to dominate the computer crime scene.
  • First I’m going to cover the differences between the attackers at work today vs. what we saw 5 years ago. Then we’ll talk about how modern organizations are structured and how they operate. Finally we’ll look at what you need to do to minimize your risk as an IT manager and also as a user with your own data to protect.
  • This is a quote from The Art of War. Highly regarded, but with the computer crime landscape, optimistic. The idea is the same: in order to defend against skilled and highly motivated attackers, your security team needs to know what they’re up against, as well as having a realistic understanding of their own capabilities and limitations. Raise your hand if you have ever had your credit card number stolen? OK... who has ever exposed patient or customer information as a result of a network intrusion? Haha, it’s OK, no one ever wants to admit that in public... That sort of thing can seriously damage a company’s reputation, like we’re seeing now with Sony. Segue: everyone is familiar with the stereotypical hacker.
  • You have 3 primary groups of actors to worry about. This is not an exhaustive list but does account for the majority of malicious activity.
  • Young student, bored, maybe problems with authority. Think it’s cool, looking for a challenge, out defacing websites of organizations they disagree with. Unlike Matthew Broderick, none of the guys I knew who were writing dos viruses at 16 ever had a girl in their bedroom. Korgo, Sasser: mostly static payload built and released to run its course. Segue: things have changed a lot since then.
  • The overwhelming majority of attacks are carried out by professional teams who do it for a living. Their only goal is to control as many computers as they can to steal as much data as possible that they can use or sell wholesale. Not making noise, not defacing websites; remain undetected as long as possible. Target vulns in client apps. Segue: it’s working really well.
  • Business is booming: $7B last year, Russia 1/3 and growing 35% per year. With that growth the business models evolve like the legit IT industry. People are taking on specialized roles either to limit personal risk or maximize profit within the context of their personal situation. This is a business, and like any other business the goal is to make as much money as possible while spending the least amount of money.
  • MW Dev – build custom C&C software with dev kits to embed it in 3rd party executables people would want to install. Distributors – equivalent to the corner drug dealer, lower on the food chain, not the most skilled; these are the guys in direct contact with the target systems. When you find malware on a system, it was often put there by a distributor who didn’t actually write it. Hosting providers – liberal AUP, often only up for a short period of time before they are shut down unless hosted in safe-haven countries. Segue: so how much money are these guys making?
  • Credit cards – influenced by supply/demand. Sony PSN: 70M+ cards stolen; if the majority are valid and dumped on the market, it would push prices way down. Exploit packs cover multiple vulns, price based on age. Affiliate programs – in the same way that banner ad and browser toolbar affiliate programs developed in the 90’s with pay-per-view and pay-per-click models, malware install affiliate programs have sprung up. Segue: I’m a young unemployed Ukrainian guy and I want in on the action.
  • Hacking is really about answering 3 questions, and each time you get to a new step you repeat the process. More on this later in our example.
  • This is a screenshot of the old Dogma Millions website. This has since been taken down, but you can see from the graphics the message they send: work for us and you can drive your own Porsche SUV on a blue-water beach with Victoria’s Secret models. Segue: unfortunately the English language sites aren’t as creative...
  • Payperinstall.com is a clearinghouse for pay-per-install groups. You sign up with an affiliate, they provide a custom set of executables embedded with your affiliate ID. For every US machine you get the malware installed on, you get a dollar: 10,000 machines = $10,000.
  • PPI – lower rate, always paid per install, similar to pay-per-click banner advertising. Alternatively, programs where you simply take a cut of the revenue generated from selling the stolen data. The potential payout is higher here, but the risk of your affiliate skimming is high too.
  • Reputation is important – you can’t call the police if your affiliate doesn’t pay out or they are obviously skimming.
  • Once you have your malware packs, you have a number of choices of how to get it installed.
  • So now that you have everything, you have to find the most effective way to spread your malware.
  • This is a high-level network diagram of an actual client, which is a major hospital. The data is from a recent investigation of the compromise that was completed last week. So let’s see how this compares to the previous scenario I mentioned above.
  • OK, so now I’ve given you the spiel on the actors. How do you handle this situation?
  • This is a lifecycle model for a vulnerability taken from a grad student’s thesis. One of the common mistakes users make is to focus their defenses heavily on 0day attacks. But this diagram shows that the most commonly exploited vulnerabilities are actually patched flaws that have been in the wild for quite some time. Publicly known vulnerabilities are your actual risk.
  • The left 2 columns are published vulns from oldest to newest, 2003 to 2010. The columns on the right are examples of exploit packs and which vulns they target. Most of these vulnerabilities are old and have assigned CVEs.
  • Tools are a critical part of your defense, but they are useless without expertise and guidance. Simply having a firewall and an IDS device will not do much in the face of today’s attackers if you don’t have the people in place with the expertise to interpret what the tools are telling you.
  • Education – sounds extremely basic but some people don’t know. Browsing – browsers are complex pieces of software and they all have holes. The majority of owned desktop systems I’ve seen were used by avid IE users. I use Firefox, automatic updates and a number of plugins that improve your security like NoScript and RequestPolicy; these tools can defeat CSRF and some XSS attacks even though the webapps you use are vulnerable. Filtering web proxies.
  • Cell phones are Big Brother’s wet dream. They can track users within a few meters and are running full-blown operating systems. In fact Verizon just changed their TOS so they can sell your location data.

    1. Anatomy of an Attack: Understanding the means and motivation of your enemies. Johnathan Norman, Director of Security Research, Alert Logic
    2. Whoami
       • Director of Security Research @ Alert Logic
         – Manage investigations
         – Responsible for “0day” coverage
         – Vulnerability analysis and discovery
       • Exploit Developer
       • 10+ years monitoring networks
       • Winner of a few CTF’s – Netwars All-Star challenge
    3. Agenda
       – Old & New Enemies
       – Thinking like the attacker
       – Real world example
       – Best Practices
    4. “If you know your enemies and know yourself, you will not be imperiled in a hundred battles…” – Sun Tzu
    5. The Actors
       • Hacktivists – Anonymous, LulzSec etc…
       • Cyber Criminals – Impact 73% of online users [1]
       • Government – Stuxnet anyone?
       [1] Norton Cyber Crime Report 2010
    6. Traditional Attacks
       Hacker Profile
         – Talented individual
         – Young, bored
       Motivation
         – To prove a point
         – Curiosity
         – Credibility
       Attack Methods
         – Worms targeting memory vulns in network services
         – Attack payload not usually customized
    7. Modern Attack Profile
       Hacker Profile
         – Organized Crime
         – Dedicated teams who are paid
         – Teams often work for criminal organizations as a career
       Motivation
         – Targeted attack for financial gain
         – Desire anonymity
       Attack Methods
         – Vulnerable web applications
         – Client side applications
         – Malware used to keep control
    8. Cybercrime Market
       The Numbers
         – Global computer crime market estimated to be $7B in 2010 [2]
         – Russia responsible for $2.5B
         – Growing ~35% per year overall
       Interesting Trends
         – Increase of specialization of participants
         – On-Demand and Pay-Per-Use services
         – Developing C2C market
       [2] Group-IB Report - 2010
    9. Roles (Role – Description)
       – Malware Developers – Develop kits to control owned systems and steal data
       – Rootkit Developers – Develop advanced software to hide presence of malware
       – Traditional Hackers – Search for vulns, write and sell exploits to pack vendors
       – Distributors – Find ways to install malware kits on as many victims as possible
       – Hosting Providers – Hosting with few restrictions
       – Misc Tools Developers – Executable packers and obfuscators
       – Organization Leaders – Assemble teams and influence PPI prices per country
    10. Crime Pays (Stolen Assets/Criminal Activity – Payout)
        – Credit Card Details – $5-10, expected $1-2 post PSN
        – Bank Credentials – $80-$700
        – Bank Transfers – 10% to 40% of amount transferred
        – Social Security Numbers – $30-50
        – 0Day Exploits – $5000 - $100,000
        – Exploits for published vulnerabilities – $5000 – $50,000
        – Exploit Packs – $200 – $5,000
        – Malware Pay-Per-Install – Up to $1.50 for US victims, $0.15-0.60 for other countries
    11. Agenda
        – Old & New Enemies
        – Thinking like the attacker
        – Real world example
        – Best Practices
    12. Hacking 101
        • The 3 Questions
          – What do I have
          – What do I know
          – What is my target?
        • The Process
          – Reconnaissance
          – Discovery
          – Mapping
          – Exploit
    13. The World is Yours
        My Skills
          – P2P networking
          – Defacing websites
        The Plan
          – Get paid distributing malware
    14. How it Works – The Business Model (diagram with boxes for Cybercrime Group, Distributor, Victims and Black Market)
        1. Purchase Malware Pack
        2. Register With Cybercrime Group
        3. Infect Users (P2P seeding, XSS)
        4. Infected Users Send Data to Group
        5. Data Sold Wholesale (Black Market)
        6. Payment Made
    15. What do I get?
        Malware likely based on TDSS
          – First widely used x64 rootkit for Windows Vista and Windows 7
          – Kernel mode rootkit
          – Modified binaries generated on-demand to avoid AV detection
        Choosing an Affiliate
          – Pay-Per-Install model
          – Reputation
          – Claim up to US $7000 per day
          – Phone support provided with personal account manager
    16. The Final Touches (screenshots): Binary Modification Tool; Anti-Virus Bypass
    17. Delivery/Attack Surface (Infection Method – Difficulty – Effectiveness)
        – Websites – Easy – Good
        – P2P Networks – Easy – Medium
        – SPAM – Easy – Medium
        – Paid Ads – Medium – Medium
        – Phishing – Easy – Poor
        – Traditional Network Exploit – Difficult – Poor
        – Blackhat SEO – Medium – Medium
        Cross Site Scripting
          ‐ Most sites are vulnerable
          ‐ Easy to find and users trust the websites
        SQL Injection
          ‐ Easy to find
          ‐ Very common
        Source: Veracode State of Software Security Report, April 2011
    18. Agenda
        – Old & New Enemies
        – Thinking like the attacker
        – Real world example
        – Best Practices
    19. (Network diagram of the hospital compromise; labelled entry points:) Open SMB shares / Weak Passwords, Web App Vulnerability, Netbios Open, RDP, Spear phishing
    20. Agenda
        – Old & New Enemies
        – Thinking like the attacker
        – Real world example
        – Best Practices
    21. Limit Your Exposure
        Lifecycle of a Threat (chart of Risk over Time; stages: Vulnerability Discovered, Exploit is Public, Patch is Released, Automated Exploit, Passé; Risk Threshold line)
        RISK = Vulnerabilities x Assets x Threats
        Risk Reduction Framework – OBJECTIVE -> REDUCE RISK
          Limit Exposure (# of Vulnerable Assets)
            – Policy Review
            – Patch Management
            – Vulnerability Scanning
          Monitor (Be Aware of Known Vulnerabilities)
            – Daily IDS/Log Data Review
            – Know your network!
          Educate Users (Awareness Training)
            – Time Management
            – Focus on Security
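As an added example (not code from the slides or from Alert Logic), the RISK = Vulnerabilities x Assets x Threats model on this slide applied to a constructed asset inventory: each vulnerability gets a threat weight from its lifecycle stage, risk is summed over every vulnerable asset, and the last function picks the single patch that removes the most risk. The stage weights, the inventory and the vulnerability ids are assumed placeholders, not real CVEs or real figures.

```python
from collections import Counter

# Assumed threat weights per lifecycle stage (illustrative, not from the
# slides): a flaw already used by automated exploit packs is hit far more
# often than a 0day known only to its finder.
THREAT_WEIGHT = {
    "discovered": 1,       # 0day, no public exploit
    "exploit_public": 4,   # PoC exploit published
    "patch_released": 4,   # patch exists, many hosts still unpatched
    "automated": 8,        # exploit kit / worm uses it automatically
    "passe": 1,            # old, nearly everything patched
}

# Constructed inventory: asset -> vulnerability ids present on it.
# Ids are placeholders, not real CVEs.
INVENTORY = {
    "desktop-01": {"BROWSER-2008", "PDF-2009"},
    "desktop-02": {"BROWSER-2008", "PDF-2009"},
    "desktop-03": {"BROWSER-2008"},
    "desktop-04": {"BROWSER-2008"},
    "web-01": {"WEBAPP-SQLI"},
    "file-01": {"ZERO-DAY"},
}
STAGE = {"BROWSER-2008": "automated", "PDF-2009": "patch_released",
         "WEBAPP-SQLI": "exploit_public", "ZERO-DAY": "discovered"}
PATCHABLE = {"BROWSER-2008", "PDF-2009", "WEBAPP-SQLI"}  # ZERO-DAY has no patch

def total_risk(inventory, stage):
    """RISK = Vulnerabilities x Assets x Threats, summed per (asset, vuln) pair."""
    return sum(THREAT_WEIGHT[stage[v]] for vulns in inventory.values() for v in vulns)

def exposure(inventory):
    """Number of vulnerable assets per vulnerability (the 'Limit Exposure' metric)."""
    return Counter(v for vulns in inventory.values() for v in vulns)

def best_patch(inventory, stage, patchable):
    """Return (vuln_id, risk_reduction) for the one patch that removes the most risk."""
    before = total_risk(inventory, stage)
    best = (None, 0)
    for v in patchable:
        after = {asset: vulns - {v} for asset, vulns in inventory.items()}
        reduction = before - total_risk(after, stage)
        if reduction > best[1]:
            best = (v, reduction)
    return best

if __name__ == "__main__":
    print("total risk:", total_risk(INVENTORY, STAGE))             # 45
    print("patch first:", best_patch(INVENTORY, STAGE, PATCHABLE))  # ('BROWSER-2008', 32)
```

The unpatchable 0day on one server contributes 1 point; the old, patchable browser flaw used by exploit kits across four desktops contributes 32, which is the slide's point about where the real risk sits.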
    22. Tools or Expert Help?
    23. Remember the Questions…
        • 3 Questions
          – What do I have
          – What do I know
          – What is my target?
        • Penetration testing helps
    24. Defending Users
        AV Isn’t Enough
          – Malware evolves ahead of AV signatures
          – 60% of malware is undetected by AV
        Education
          – At least half of the executables on P2P network infected
          – Don’t install software from untrusted sources
          – Safe browsing
          – Flash drives
    25. Key Takeaways
        – 0day is rarely the average user’s weak point
        – Tools are not always the solution
        – Focus on your attack surface, not the latest news
        – Antivirus will not save you! Educate users
    26. Next Generation
        Mobile Devices
          – Full blown operating systems with IP stacks
          – Security posture like OS’s in the 90’s
          – High-speed 4G Internet connectivity – get owned faster!
          – Malware in Android market (50+ apps)
          – Users connect to the office wifi
    27. Q&A – jnorman@alertlogic.com, @spoofyroot, http://www.alertlogic.com/blog
