Dousing the Flame: How This Tom Clancy-Esque Attack Worked and What Should You Really Do to Protect Against It


News of the Flame attack has spread faster than wildfire. While the attack affected only a small number of endpoints, Flame signifies a new level of cyber threat that all IT security professionals need to understand in depth.

View these presentation slides by IT security expert Randy Franklin Smith as he walks you through the fascinating nuts and bolts of Flame, explains the technical details of how it worked, and draws out the lessons to be learned.

• Learn the technical details of how Flame worked
• Why Flame was more than just a sophisticated cryptographic (MD5 hash-collision) attack
• Take away lessons on how to defend against APTs

Take an in-depth look at the entire attack, which featured more than just the hash-collision trick. Randy explores social engineering, removable devices and more.



  1. © 2011 Monterey Technology Group Inc.
  2. Brought to you by. Speaker: Chris Merritt - Director of Solution Marketing
  3. Preview of Key Points
     • How it worked
     • Lessons learned
  4. How Flame Worked (diagram: 24 Command & Control Servers, 84 Domain Names, Internal Network)
  5. How Flame Worked (diagram: Internal Network)
  6. How Flame Worked: Flame's 20MB of Capabilities
     • Bluetooth
     • Audio
     • USB
     • Backdoor accounts
     • Proxy server
     • Windows Update
     • Extendable modular architecture
     • File system search
     • Text summaries of interesting files
     • Logging
     • Trickle uploader
     • Anti-malware aware
     • Compression
     • SSL with fallback to SSH
  7. How Flame Worked (diagram: Internal Network)
  8. How Flame Spread via WU
     1. Flame activates on the first computer (X)
     2. Another computer (Y) wants to check for Windows Updates
     3. Y's proxy settings default to automatic detection, so it broadcasts an NBNS (NetBIOS Name Service) name query for WPAD (Web Proxy Auto-Discovery). Resolution only falls back to this broadcast when no WPAD entry is served by DHCP or DNS, and any host on the same segment can answer it
     4. X answers and spoofs itself as the proxy server
     5. Y attempts to connect through X to Microsoft's Windows Update site and retrieve updates
     6. X pretends to be Windows Update and sends back a bogus patch that contains Flame
     7. But why does Y's Windows Update validation logic trust the bogus patch?
  9. How Flame Spread via WU (continued)
     8. Flame signs the patch with a certificate that appears to be from Microsoft
     9. The certificate was derived from a certificate issued by Microsoft's Terminal Services Licensing service (the service that issues Client Access Licenses, CALs), which chains up to a Microsoft root
     10. That certificate was then used to sign the patch
     11. Why was it possible to do this?
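The first half of the procedure above (steps 1 to 4) is a plain NetBIOS name-service spoof, and it is the part a network defender can see. The following is an added example, not code from the slides or from any Flame analysis: it builds the two NBNS datagrams of the exchange (a broadcast name query for WPAD and a positive name-query response claiming the name), parses them, and runs a detector that flags any WPAD answer that does not come from, or point at, an approved proxy. The hosts 10.0.0.25 (Y), 10.0.0.7 (X) and 10.0.0.2 (the legitimate proxy), the transaction ID and the packets themselves are constructed sample data; the wire format (first-level name encoding, the NB resource record with NB_FLAGS plus IPv4 address) follows RFC 1002.

```python
"""Detect rogue NBNS (NetBIOS Name Service, UDP/137) answers for the WPAD name."""
import struct
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple

NB_RR_TYPE = 0x0020      # NetBIOS general name service resource record ("NB")
IN_CLASS = 0x0001
FLAG_RESPONSE = 0x8000   # R bit in the NBNS header flags


def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encode a NetBIOS name: pad to 15 bytes, append the 1-byte
    service suffix, then map each nibble to 'A'..'P'.  Returns the wire form
    (length byte 0x20, 32 encoded bytes, zero terminator)."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append((b >> 4) + 0x41)
        encoded.append((b & 0x0F) + 0x41)
    return b"\x20" + bytes(encoded) + b"\x00"


def decode_nb_name(buf: bytes, off: int) -> Tuple[str, int, int]:
    """Inverse of encode_nb_name. Returns (name, suffix, offset after the name)."""
    length = buf[off]
    off += 1
    enc = buf[off:off + length]
    off += length
    if length != 32 or buf[off] != 0:
        raise ValueError("malformed NetBIOS name")
    off += 1
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii", "replace"), raw[15], off


def build_query(tid: int, name: str) -> bytes:
    """Broadcast name query, as sent by a client probing for a WPAD host."""
    header = struct.pack("!HHHHHH", tid, 0x0110, 1, 0, 0, 0)   # flags: RD=1, B=1
    return header + encode_nb_name(name) + struct.pack("!HH", NB_RR_TYPE, IN_CLASS)


def build_positive_response(tid: int, name: str, ip: str) -> bytes:
    """Positive name query response claiming that `name` lives at `ip`."""
    header = struct.pack("!HHHHHH", tid, 0x8500, 0, 1, 0, 0)   # flags: R=1, AA=1, RD=1
    rdata = struct.pack("!H4B", 0x0000, *(int(o) for o in ip.split(".")))  # NB_FLAGS + IPv4
    rr = struct.pack("!HHIH", NB_RR_TYPE, IN_CLASS, 300000, len(rdata))  # type, class, TTL, RDLENGTH
    return header + encode_nb_name(name) + rr + rdata


@dataclass
class NbnsMessage:
    tid: int
    is_response: bool
    name: str
    addresses: List[str] = field(default_factory=list)


def parse_nbns(buf: bytes) -> NbnsMessage:
    """Parse the header, the single question/answer name, and any NB
    addresses carried in a positive response."""
    tid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    name, _suffix, off = decode_nb_name(buf, 12)
    msg = NbnsMessage(tid, bool(flags & FLAG_RESPONSE), name)
    if msg.is_response and an:
        _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        rdata = buf[off + 10:off + 10 + rdlen]
        for i in range(0, rdlen, 6):        # each entry is NB_FLAGS(2) + IPv4(4)
            msg.addresses.append(".".join(str(b) for b in rdata[i + 2:i + 6]))
    return msg


def detect_rogue_wpad(datagrams: Iterable[Tuple[str, bytes]], allowed_proxies: Set[str]) -> List[str]:
    """Flag NBNS answers for WPAD that do not come from, or point at, an
    approved proxy.  If WPAD is disabled by policy, pass an empty set and
    every answer is flagged."""
    alerts = []
    for src_ip, payload in datagrams:
        try:
            msg = parse_nbns(payload)
        except (ValueError, struct.error, IndexError):
            continue                        # not a well-formed NBNS datagram
        if not msg.is_response or msg.name != "WPAD":
            continue
        for addr in msg.addresses:
            if src_ip not in allowed_proxies or addr not in allowed_proxies:
                alerts.append(f"rogue WPAD answer from {src_ip}: WPAD -> {addr} (tid {msg.tid:#06x})")
    return alerts


# Constructed replay of the exchange in the slides: Y (10.0.0.25) asks for WPAD,
# X (10.0.0.7) answers with its own address.  The approved proxy is 10.0.0.2.
SAMPLE_DATAGRAMS = [
    ("10.0.0.25", build_query(0xBEEF, "WPAD")),
    ("10.0.0.7", build_positive_response(0xBEEF, "WPAD", "10.0.0.7")),
]

if __name__ == "__main__":
    for alert in detect_rogue_wpad(SAMPLE_DATAGRAMS, allowed_proxies={"10.0.0.2"}):
        print(alert)
```

In production the datagrams would come from a sniffer on UDP/137 rather than the constructed list; the same detector, fed an empty allowed-proxy set, is also a cheap way to confirm that the slides' "turn off WPAD" advice has actually been applied, since no host should then be answering for the name at all.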
  10. The Incredible Part
      All possible because the bad guys pulled off a highly advanced cryptography trick: a chosen-prefix collision attack on the MD5 hash that the certificate signature covers. (Diagram: a real TS Licensing certificate and a fake Windows Update certificate, both carrying the same signature from the MS Certificate Authority.) A chosen-prefix collision produces two different certificate bodies with the same MD5 digest; because the CA signs only the digest, its signature over the real TS Licensing certificate verifies equally well on the fake Windows Update certificate.
  11. What Microsoft Did Wrong
      • TS Licensing certs included code signing among their intended uses (Extended Key Usage)
      • TS Licensing certs were ultimately signed by Microsoft's Root CA
      • Windows Update only checked that the signing cert chained to a Microsoft root, not which CA issued it or for what purpose
      • TS Licensing certs were signed using MD5
      • Together, these allowed the attackers to create a bogus certificate and forge signatures on bogus patches
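Slide 11 is really a list of four validation gaps that had to coincide, and slide 12 asks the question that closes them: who do you trust, and for what purpose? The following is an added example, not from the slides or from any Microsoft code: a small model of a certificate chain (subject, issuer, signature hash, EKU list, CA flag; not parsed X.509) with the permissive check the slides describe beside a stricter one that rejects collision-broken signature hashes, requires the code-signing EKU on the leaf, and pins the issuing CA instead of accepting anything under a Microsoft root. The chain contents and all CA names ("Microsoft Root CA (model)", "Terminal Services Licensing CA (model)", "Windows Update Signing CA (model)") are constructed placeholders; the MD5 collision itself is not reproduced, only the policy that would have refused its product.

```python
"""Model of why 'chains to a Microsoft root' was not a sufficient check."""
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence, Set

CODE_SIGNING = "codeSigning"                    # stands in for id-kp-codeSigning (1.3.6.1.5.5.7.3.3)
LICENSE_VERIFICATION = "licenseServerVerification"  # placeholder for the TS Licensing purpose
BROKEN_HASHES = {"md2", "md4", "md5", "sha1"}   # collision-broken; never accept in a signature


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_hash: str             # hash inside the signature algorithm, e.g. "md5", "sha256"
    eku: FrozenSet[str]
    is_ca: bool = False


def chain_links(chain: Sequence[Cert]) -> bool:
    """Leaf first; every certificate's issuer must be the next certificate's subject."""
    return len(chain) >= 2 and all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))


def trusted_by_root_only(chain: Sequence[Cert], trusted_roots: Set[str]) -> bool:
    """The pre-Flame logic as the slides describe it: any linked chain that
    ends in a Microsoft root is acceptable, whatever its purpose or hash."""
    return chain_links(chain) and chain[-1].subject in trusted_roots


def validate_update_signer(chain: Sequence[Cert], trusted_roots: Set[str],
                           pinned_issuer: str) -> List[str]:
    """Return every reason the chain must NOT be accepted as an update signer
    (empty list means accept).  Each check maps to one bullet on slide 11."""
    problems: List[str] = []
    if not chain_links(chain):
        return ["chain does not link"]
    if chain[-1].subject not in trusted_roots:
        problems.append(f"root {chain[-1].subject} is not trusted")
    leaf = chain[0]
    if CODE_SIGNING not in leaf.eku:                      # purpose of the leaf
        problems.append("leaf lacks the codeSigning EKU")
    for c in chain[1:-1]:                                 # intermediates must be CAs
        if not c.is_ca:
            problems.append(f"{c.subject} is not a CA certificate")
    for c in chain[:-1]:                                  # root self-signature is not checked
        if c.sig_hash in BROKEN_HASHES:
            problems.append(f"{c.subject} is signed with {c.sig_hash}")
    if leaf.issuer != pinned_issuer:                      # who is allowed to issue update signers
        problems.append(f"leaf issued by {leaf.issuer}, expected {pinned_issuer}")
    return problems


# Constructed chains mirroring the slides.  Names are placeholders, not real CA names.
MS_ROOT = "Microsoft Root CA (model)"
TS_CA = "Terminal Services Licensing CA (model)"
WU_CA = "Windows Update Signing CA (model)"

FORGED_CHAIN = [
    Cert("Windows Update signer (forged)", TS_CA, "md5", frozenset({CODE_SIGNING})),
    Cert(TS_CA, MS_ROOT, "md5", frozenset({CODE_SIGNING, LICENSE_VERIFICATION}), is_ca=True),
    Cert(MS_ROOT, MS_ROOT, "sha256", frozenset(), is_ca=True),
]
GENUINE_CHAIN = [
    Cert("Windows Update signer (model)", WU_CA, "sha256", frozenset({CODE_SIGNING})),
    Cert(WU_CA, MS_ROOT, "sha256", frozenset({CODE_SIGNING}), is_ca=True),
    Cert(MS_ROOT, MS_ROOT, "sha256", frozenset(), is_ca=True),
]

if __name__ == "__main__":
    print("root-only check accepts forged chain:", trusted_by_root_only(FORGED_CHAIN, {MS_ROOT}))
    for p in validate_update_signer(FORGED_CHAIN, {MS_ROOT}, WU_CA):
        print("strict check rejects forged chain:", p)
    print("strict check on genuine chain:", validate_update_signer(GENUINE_CHAIN, {MS_ROOT}, WU_CA) or "accepted")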
  12. 12. Lessons learned MD5 was broken a long, long time ago Stop using technologies theoretically broken (intersection w/o stoplight syndrome) PKI is tricky Who do you trust and for what purposes? Good security still rules© 2012 Monterey Technology Group Inc.
  13. 13. Lessons learned  Good security still rules  Website categorization  Egress traffic analysis  Anti-malware  Whitelisting  Reduce attack surface • Turn off unneeded features like WPAD • Turn off bluetooth  Device control  Internally controlled patch management  Security log monitoring • New account reconciliation • New authentication packages© 2012 Monterey Technology Group Inc.
  14. 14. Bottom Line Endpoint security technologies really work Whitelisting Antimalware Device control Removable media Configuration management Internally controlled patch management© 2012 Monterey Technology Group Inc.
  15. 15. Brought to you bySpeaker  Chris Merritt - Director of Solution Marketing
  16. 16. Defense-in-DepthTools You Need toDisrupt SophisticatedAttacks like FlameChris MerrittDirector of Solution MarketingLumension
  17. 17. Integrated Defense-in-Depth Unify workflows and technologies to deliver enhanced endpoint operations and security management capabilitiesEndpoint Operations Intelligent Whitelisting Endpoint Security Patch Application Control Device Control Management Asset Configuration Trusted Anti-Virus / Change Disk Encryption Management Management Spyware Software Power Windows Firewall Management Management Management Reporting » Delivers Comprehensive Security Solution » Provides Proactive Target Hardening » Reduces Overall IT Cost and Burden17 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
  18. 18. Lumension® Patch and Remediation Comprehensive and Secure Patch ManagementEndpoint Operations » Provides rapid, accurate and secure patch and configuration management for applications andEndpoint Operations Lumension® Patch and Remediation operating systems: Lumension® Content Wizard • Comprehensive support for multiple OS types Lumension® Configuration Mgmt. (Windows, *nix, Apple), native applications, and 3rd party applications Lumension® Power Management • Streamline and centralize management of heterogeneous environments • Visibility and control of all online or offline endpoints • Elevate security posture and proactively reduce risk • Save time and cost through automation18 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
  19. 19. Lumension® Content Wizard Cost-Effectively Streamline Endpoint ManagementEndpoint Operations » Simple, wizard-based policy creation and baseline enforcement – without add’l tools:Endpoint Operations Lumension® Patch and Remediation • Patch Creation Lumension® Content Wizard • Software Installs and Uninstalls Lumension® Configuration Mgmt. • Windows Security Policies • Power Management Policies Lumension® Power Management • NEW! Windows Firewall Policies19 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
  20. 20. Lumension® Security Configuration Mgmt.Prevent Configuration Drift and Ensure Policy ComplianceEndpoint Operations » Ensure that endpoint operating systems and applications are securely configured and inEndpoint Operations Lumension® Patch and Remediation compliance with industry best practices and Lumension® Content Wizard regulatory standards: Lumension® Configuration Mgmt. • Security Configuration Management • Out-of-the-box Checklist Templates Lumension® Power Management • NIST Validated Solution • Continuous Policy Assessment and Enforcement • Based on Open Standards for Easy Customization • Security Configuration and Posture Reporting20 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
  21. 21. Lumension® Power Management Optimize Power Savings while Maintaining SecurityEndpoint Operations » Enhanced Wake-on-LAN relay architecture ensures systems are available for maintenanceEndpoint Operations Lumension® Patch and Remediation despite being powered down Lumension® Content Wizard » Monetizes Power Management Policies: Lumension® Configuration Mgmt. • Integrated Power Savings Reports Lumension® Power Management • Power Monitoring and Savings Calculator • Uptime Reports • Dashboard – Uptime or Savings Trends21 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
  22. 22. Lumension® AntiVirus Multilayered Protection Against Malware» Based on proven technology from industry Endpoint Security leader providing complete protection against Lumension® AntiVirus known and unknown malware including viruses, Endpoint Security worms, Trojans, spyware, adware and more Lumension® Application Control» Includes a breadth of analysis techniques from Lumension® Device Control traditional signature matching to behavioral Lumension® Disk Encryption analysis to effectively protect against zero-day and evolving threats: • Antivirus (AV) protection (full signature matching) • DNA Matching (partial signature matching) • SandBox (behavioral analysis in an emulated environment) • Exploit Detection (find hidden/embedded malware)» VB100 certified by VirusBulletin22 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
  23. 23. Lumension® Application Control Proactive Protection Against Malware and More» Effective Endpoint Security: Block known and Endpoint Security unknown malware without signatures, and Lumension® AntiVirus prevent exploitation of application / configuration Endpoint Security vulnerabilities Lumension® Application Control» Control the Unwanted: Real-time view of all Lumension® Device Control application inventory, ensuring only approved Lumension® Disk Encryption software is allowed to run, and denying / removing all unwanted applications» Control the Unknown: Enforce, log and audit all endpoint application change while controlling end-users with Local Admin rights» Flexible and Easy-To-Use: Unified solution workflow via single console with flexible trusted change management policy23 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
  24. 24. Lumension® Device Control Policy-Based Data Protection and Encryption» Protect Data from Loss or Theft: Centrally Endpoint Security enforce usage policies of all endpoint ports and Lumension® AntiVirus for all removable devices / media. Endpoint Security Lumension® Application Control» Increase Data Security: Define forced encryption policy for data flows onto removable Lumension® Device Control devices / media. Flexible exception Lumension® Disk Encryption management.» Improve Compliance: Centrally encrypt removable devices / media to ensure data cannot be accessed if they are lost or stolen.» Continuous Audit Readiness: Monitor all device usage and data transfers. Track all transferred files and content. Report on all data policy compliance and violations.24 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
  25. 25. Lumension® Disk Encryption (powered by Sophos) Transparent Full Disk Encryption for PCs» Secures all data on endpoint harddrives Endpoint Security» Provides single sign-on to Windows Lumension® AntiVirus Endpoint Security» Enforces secure, user-friendly pre-boot Lumension® Application Control authentication (multi-factor, multi-user options) Lumension® Device Control» Quickly recovers forgotten passwords and data (local self-help, challenge / response, etc.) Lumension® Disk Encryption» Automated deployment, management and auditing via L.E.M.S.S. (integrated version)25 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
  26. 26. Lumension® Endpoint Management and Security Suite Total Endpoint Protection Endpoint Operations Endpoint Reporting Services Lumension® Patch and Remediation Lumension® AntiVirus Endpoint Security Lumension® Content Wizard Lumension® Application Control Lumension® Configuration Mgmt. Lumension® Device Control Lumension® Power Management Lumension® Disk Encryption Lumension® Endpoint Management Platform» Comprehensive suite that unifies IT operational and security functions» Delivers a more effective defense-in-depth endpoint security solution» Simplifies endpoint system and agent management thru single console» Centralizes policy management and reporting» Expands operational and security visibility» Reduces technology complexity and integration costs» Flexible and modularly licensed best-of-breed application modules» Scalable and agile single-agent, single-server platform architecture26 PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION
  27. 27. Next Steps• Free Tools » » Application Scanner – see what applications are running on your network » Device Scanner – see what removable devices are being used » Vulnerability Scanner – see what your OS / application risks are• Whitepapers » Endpoint Management and Security Buyers Guide • Endpoint-Management-and-Security-Buyers-Guide.aspx• Free Evaluation » endpoint-management-security-suite/free-trial.aspx27
  28. 28. Global Headquarters8660 East Hartford DriveSuite 300Scottsdale, AZ