
Accessibility of Hacker Tools and the Use of Behavioral Analytics

2013 ECTF presentation describing how the accessibility of criminal toolkits will create challenges traditional static-signature approaches cannot tackle.

  1. © Copyright 2011 EMC Corporation. All rights reserved. Who are you, and why are we talking?
     – Tony Gambacorta – Head of Field Services for Silver Tail Systems (RSA)
     Today’s Goal: An interactive discussion of the trend toward refinement and accessibility of tools for online criminals, and how behavioral analytics can be an effective countermeasure
  2. What is Silver Tail? Web Session Intelligence Software
     • Passively gathers session intelligence
     • Models observed behavior
     • Isolates the bad guys from the good guys
     • Real-time alerting and mitigation of threats
     • Visibility
  3. Web Session Intelligence: Viewed in aggregate, users follow linear patterns. Bad guys deviate from these patterns. Simply put: bad guys act differently than good guys.
  4. Crowd v. User Behavioral Models. Activity grid with columns Alice, Bob, Charlie, Dan: Hour 1 – X; Hour 2 – X; Hour 3 – X X X X; Hour 4 – X.
     1.) Why is Bob not acting like everyone else?
     2.) Why is Bob not acting like Bob?
  5. Why is Bob not acting like everyone else? Comparison of one user’s behavior against that of his peers.
  6. Why is Bob not acting like Bob? Comparison of one user’s current activity against his past activity.
  7. This is weird, even for Bob… Applying both models provides a well-rounded view.
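The two models from slides 5 to 7 side by side, as an added example (not Silver Tail code): the hourly counts, the floor on the standard deviation and the 2.0 threshold are constructed assumptions; the names mirror the slide's grid.

```python
from statistics import mean, pstdev

# Constructed hourly action counts (e.g. password-reset requests) per user;
# index 0..3 stands for Hour 1..4. Names mirror the slide, the numbers are made up.
ACTIVITY = {
    "Alice":   [1, 1, 1, 1],
    "Bob":     [1, 1, 9, 8],
    "Charlie": [0, 0, 0, 3],
    "Dan":     [1, 0, 1, 1],
}

# Floor on the standard deviation so that a perfectly flat baseline (everyone
# did exactly one thing) still yields a finite, meaningful score. Assumed value.
MIN_SD = 1.0


def zscore(value, baseline):
    """How many standard deviations `value` sits above the baseline's mean."""
    sd = max(pstdev(baseline), MIN_SD)
    return (value - mean(baseline)) / sd


def crowd_deviation(activity, user, hour):
    """Crowd model: this user's count in `hour` versus every peer's count in the same hour."""
    peers = [counts[hour] for name, counts in activity.items() if name != user]
    return zscore(activity[user][hour], peers)


def self_deviation(activity, user, hour):
    """User model: this user's count in `hour` versus that user's own earlier hours."""
    history = activity[user][:hour]
    if len(history) < 2:
        return 0.0  # no baseline yet, so the user model stays silent
    return zscore(activity[user][hour], history)


def classify(activity, user, hour, threshold=2.0):
    """Combine both models into one label for (user, hour), as slide 7 suggests."""
    crowd = crowd_deviation(activity, user, hour)
    own = self_deviation(activity, user, hour)
    if crowd > threshold and own > threshold:
        return "weird even for this user"  # both models agree
    if crowd > threshold:
        return "unlike peers"
    if own > threshold:
        return "unlike own history"
    return "normal"


def scan(activity, threshold=2.0):
    """Every (user, hour) that either model flags, for the analyst's queue."""
    flagged = {}
    for user, counts in activity.items():
        for hour in range(len(counts)):
            label = classify(activity, user, hour, threshold)
            if label != "normal":
                flagged[(user, hour)] = label
    return flagged
```

On this data Bob's first spike trips both models; his second spike only trips the crowd model, because by then his own history already contains that behavior, which is why the slides apply both.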
  8. Refinement and Accessibility: Discussion and Case Studies
  9. Refinement
     • Criminal tools are replaced as new defenses render them obsolete.
     • Attempts to thwart malware have led to refinement, rather than replacement, of malware.
     Timeline: Online Passwords → Phishing → Anti-Phishing → Malware → MFA → Social Engineering → Coordinated Malware
  10. Accessibility
     • The Internet is doing what it was designed to do – efficacious and efficient knowledge transfer
     • The bad guys are going with the flow – sharing tools, processes and target intelligence
     • The good guys are going against the flow – holding attack intelligence close to the vest
     • To understand what’s happening, think like a bad guy – how do I get the greatest result for the least amount of effort?
  11. Understanding Accessibility is Critical: The sophistication of the tool is not necessarily representative of the sophistication of the user.
  12. Accessibility in Action: Opt-in DDoS
     • No special skills, and nothing to download
     • Very low “what-am-I-getting-myself-into” factor
  13. HULK DDoS = Refinement + Accessibility
     • Most DDoS protections defend against carpet bombing, not surgical strikes
     • Spring 2012: Barry Shteiman releases HULK, a DDoS tool that exploits this gap
     • HULK made sophisticated DDoS accessible to the masses
     • Barry put a gun on the sidewalk; it was only a matter of time before someone picked it up
  14. Refinement + Accessibility = The Future. As time goes on, the usability and accessibility of sophisticated tools will increase tool adoption, which will lead to more attacks. These attacks will take novel forms, but the inherent difference in behavior between good and bad actors will make them detectable. Let’s look at a few examples…
  15. Case Study: Operation Ababil
  16. Overview
     • September 18th, 2012: The Al Qassam Cyber Fighters (AQCF) threatens banks and posts demands
     • AQCF claims responsibility for HULK-style DDoS attacks launched from individual machines and hosted servers
     • Periodically AQCF issues a target list and demands on Pastebin
     • The attacks successfully disable customer-facing portions of banking web sites during peak periods of use
  17. Operation Ababil: Attack-by-Numbers. For this project you will need:
     1. Coordinated control of servers and PCs
     2. A tool capable of launching the attacks
     3. A target list and means of communicating it
  18. 1.) Coordinated control of servers and PCs…
     • Compromised servers – itsoknoproblembro compromises PHP servers – easily accessible (Google)
     • Opt-in participants – AQCF claims they are in use…
     • Malware-infected PCs – purchase a kit for a few thousand USD and distribute it – botnets can be bought or rented
  19. 2.) A tool capable of launching the attacks… Once we have the Python script, porting it to JavaScript to create an opt-in attack platform is…
  20. 3.) A target list and means of communicating it…
     1. Build a list…
     2. Browse the target sites for SSL-encrypted transactions
     3. Open a free pastebin account and post your messages
  21. Choosing our targets: Just requesting this page will burn resources as the SSL session is established. Target portions of the site that involve database calls.
  22. Most DDoS defenses weren’t built for this. The average DDoS attack throws haymakers; HULK bobs and weaves:
     – User-Agent strings, referrers, and targets are constantly changed
     – Backend requests are valid, making filtering difficult
     – Instead of clogging the pipe, specific functional areas are targeted
  23. Bad actors are inherently different
     • Normal users don’t:
       – Execute sub-second clicks
       – Change their User-Agent string with each click
       – Maniacally focus on specific functional areas
       – Have different referrers than their peers for the same page
     • HULK’s countermeasures make it vulnerable to behavioral analytics
     • Let’s take a look at what Silver Tail saw during a HULK attack at a major U.S.-based Financial Institution…
  24. HULK Flows (flow diagram of the pages hit): Signin, Home, View Account, Make Transfer, Confirm Transfer, Forgot Password, Secret Questions, Change Password, New Password Confirmed
  25. Silver Tail v. HULK: Using Page Details to isolate the targeted page
     What we learned:
     • ≈2.6 million hits were made to the login page in one hour.
     • 213,098 of those hits came from a single IP address.
     • The login page is being hit 52 times more frequently than the subsequent landing page.
     How we used it:
     • Knowing the login page is under attack, we next looked for threat clusters focused on that page.
  26. Silver Tail v. HULK: Using Threat Clustering to isolate the bad actors
     What we learned:
     • 43 IPs were clustered in this hour
     • Subsequent hours clustered as few as 1, and as many as 320 IPs per hour
     How we used it:
     • Threat cluster renamed to “DDoS” to speed future identification
     • Drilling into this cluster gave per-IP click data
  27. Silver Tail v. HULK: The Summary View gives a high-level review of individual bad actors
     What we learned:
     • A single IP made 1.2M clicks in 12 hours
     • Average click delta was < 0.5 seconds
     • Traffic volumes varied between IPs; timing did not.
     How we used it:
     • Now that we know this is clearly not legitimate traffic, we can use the clickstream to see exactly what the bad actors are doing.
  28. Silver Tail v. HULK: The clickstream shows the pattern, and markers tell us where to look.
     What we learned:
     • The clicks are sub-second, and the User-Agent string changes with nearly every click.
     How we used it:
     • We have classified the attack, and can now write mitigation rules to thwart it.
  29. Silver Tail v. HULK: Summary and next steps
     • In less than 5 minutes, Silver Tail gave the what, where, how and when of the attack.
     • Going forward, the customer will have three advantages:
       1. Rules will catch HULK activity in real time
       2. Using the named threat cluster, this pattern of behavior can be quickly recognized and mitigated should it recur
       3. Using EDS and rules, an alert will be sent if any of the bad actor IP addresses show elevated behavior scores
     Page details reveal the target. Threat clustering isolates and groups the bad actors. Threat summary confirms traffic is not legitimate. Clickstream allows for rapid analysis of attack signature.
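The markers slides 23 to 28 describe (sub-second click deltas, User-Agent churn, fixation on the login page, and the login-to-landing hit ratio) written as detection logic over a constructed clickstream. This is an added example, not Silver Tail's product logic; the record layout, thresholds and sample IPs are assumptions. The same velocity and page-focus checks cover the brute-force and horizontal guessing cases in the appendix.

```python
from collections import Counter, defaultdict

# Constructed sample clickstream: (epoch seconds, client IP, path, User-Agent).
CLICKS = [
    # Ordinary user: seconds between clicks, a single UA, walks the sign-in flow.
    (1000.0, "198.51.100.7", "/signin", "UA-A"),
    (1004.2, "198.51.100.7", "/home", "UA-A"),
    (1011.9, "198.51.100.7", "/account", "UA-A"),
    # HULK-like client: sub-second clicks, a new UA almost every click, only /signin.
    (1000.00, "203.0.113.9", "/signin", "UA-1"),
    (1000.31, "203.0.113.9", "/signin", "UA-2"),
    (1000.62, "203.0.113.9", "/signin", "UA-3"),
    (1000.90, "203.0.113.9", "/signin", "UA-3"),
    (1001.20, "203.0.113.9", "/signin", "UA-4"),
]


def page_hit_ratio(clicks, target, landing):
    """Page Details check: hits on the target page per hit on the page that follows it."""
    hits = Counter(path for _, _, path, _ in clicks)
    return hits[target] / max(hits[landing], 1)


def profile_ip(records):
    """Behavioral features for one IP: click timing, UA churn and page fixation."""
    records = sorted(records)  # tuples sort by timestamp first
    deltas = [b[0] - a[0] for a, b in zip(records, records[1:])]
    uas = [ua for _, _, _, ua in records]
    ua_changes = sum(1 for a, b in zip(uas, uas[1:]) if a != b)
    top_path, top_count = Counter(path for _, _, path, _ in records).most_common(1)[0]
    return {
        "clicks": len(records),
        "avg_delta": sum(deltas) / len(deltas) if deltas else None,
        "ua_change_rate": ua_changes / len(deltas) if deltas else 0.0,
        "focus": top_count / len(records),
        "top_path": top_path,
    }


def flag_hulk_like(clicks, min_clicks=5, max_delta=0.5, min_ua_rate=0.5, min_focus=0.9):
    """Return {ip: profile} for IPs that match every marker: enough clicks to judge, average
    click delta under max_delta seconds, UA changing on >= min_ua_rate of clicks, >= min_focus
    of clicks aimed at one page. Thresholds are assumed values, not the product's."""
    by_ip = defaultdict(list)
    for rec in clicks:
        by_ip[rec[1]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        p = profile_ip(recs)
        if (p["clicks"] >= min_clicks and p["avg_delta"] is not None
                and p["avg_delta"] < max_delta
                and p["ua_change_rate"] >= min_ua_rate
                and p["focus"] >= min_focus):
            flagged[ip] = p
    return flagged
```

Run `page_hit_ratio(CLICKS, "/signin", "/home")` first to confirm the login page is the target, then `flag_hulk_like(CLICKS)` to isolate the IPs worth drilling into; the ordinary user never trips the timing or UA checks even with the click minimum lowered.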
  30. Silver Tail v. Operation Ababil Notes
     • The strengths of these attacks become weaknesses when behavioral analytics are in play
     • Real-time recognition and mitigation of the attacks is possible; we aren’t fighting the bogeyman
     • Because their actions are inherently different from valid traffic, future refinements of this attack will also be caught
  31. Case Study: eCommerce Web Logic Abuse
  32. Case Study: eCommerce Logic Abuse. One of our analysts led training for an eCommerce customer that was interrupted by the customer’s head of operations. A graph that should look like this… instead looked like this.
  33. eCommerce: Logic Abuse – Staring at a $64K Loss in an Afternoon; Silver Tail Saves the Day
     The customer knew the “what”…
     • Omniture reported a revenue drop for affiliate orders
     Silver Tail exposed the “how” in minutes…
     1. Users added a sale item to their cart
     2. A flaw allowed discounts to be stacked
     3. Users stacked the next promotion in their cart
     4. Inconsistent price floors were exploited
     5. Sub-floor and negative value orders were accepted.
     Callouts: Promo Code Abuse, Cart Logic Flaw, Broken Price Floors
  34. eCommerce: Information Security – Promo Code Guessing
     “High value customers have been complaining that their one-time use coupon codes don’t work.”
     What happened?
     • Brute force eCoupon code guessing on a regular schedule
     • High value codes stolen
     • Customer was blind to the activity
     How did we catch it?
     • Behavior scores
     • Cyclical spikes
     • Clickstream provided details
  35. eCommerce Logic Abuse. During the investigation of this issue, two distinct groups of actors were recognized:
     • An initial wave of high quantity orders from mass-registered accounts
     • A subsequent wave of “normal” users placing low quantity orders
     HTTP headers showed this second group frequently came directly from the domain of a Chinese-language web forum…
  36. Where’d you learn that trick? Here’s how to double-dip coupon codes… These sites have rebate offers. Now:
     1. Clear all cookies
     2. Click rebate site to shop, add items to cart, and close all browser windows
     3. Click the rebate site again to shop, go directly to cart to check out
  37. Where’d you learn that trick? Here’s how to get around the anti-fraud rules… You’ll need an American Express card. You can get around the requirement for a US-based billing address by… Here’s a freight forwarder who’ll ship to a Hong Kong warehouse.
  38. Where’d you learn that trick? Here’s how I got a sales rep to push my order through… “I’m having trouble with my AMEX card on your site.” “Oh, but I have a lower price in my cart. Please use my saved cart to place the order.” “Not to worry, I can place this order from the backend.”
  39. Wrap Up
     • Refinement and accessibility are lowering the barriers to entry to commit crime on the Internet
     • Modeling good behavior allows us to isolate the bad
     • The bad guys are sharing data; the good guys should too!
  40. Appendix: Additional Use Cases and Findings
  41. Financial: Information Security – Jiggling Doorknobs: Detecting Vulnerability Probing
     What were they doing?
     – General reconnaissance
     – Probing for vulnerabilities
     What looked suspicious to us?
     – High velocity score (sub-second clicks)
     – Modified user-agent strings
     – Alphabetically ordered page requests
     – Multiple password reset attempts
     – Requests for non-existent pages
  42. Financial Services: Fraud – Man-in-the-Middle Attack Detected With Scoring
     What were they doing?
     – Compromising accounts with malware
     – Creating a virtual account number (VAN)
     – Receiving a new line of credit
     – Maxing credit limit with fraudulent purchases
     What looked suspicious to us?
     – High MiM score
     – Fast clicks
     – Multiple IP addresses in one session
     – IPs traced to disparate geographies
     – User-agent variation
     Clickstream shows different IPs, UA strings, and activities intermingled.
  43. Compromised Accounts: Financial Services – Mobile Account Penetration
     What were they doing?
     – Stealing credentials
     – Spoofing mobile user agents
     What looked suspicious to us?
     – Cluster of IPs generated a high behavior score
     – Clickstream showed the same cookie being used by two devices (same cookie, different UA strings)
  44. eCommerce: Fraud – A Different Game: Stolen Credit Cards
     What was happening?
     – 50% of chargebacks were auto-approved by existing solution
     – Customer had visibility into the “what” but not the “how” of order transactions
     – Difficulty: We can only look at 20 additional orders per day
     What looked suspicious to us?
     – High velocity scores
     – High behavior scores
     – Targeted sessions
     – Scripted sessions
     – Dry runs / testing
     Week beginning | Orders cancelled | Number of items | Value of blocked orders
     July 30th      | 30  | 59  | $52,236.06
     August 6th     | 37  | 57  | $56,939.75
     August 13th    | 38  | 53  | $51,857.04
     August 20th    | 22  | 39  | $42,129.89
     August 27th    | 32  | 74  | $52,703.11
     Total          | 158 | 282 | $255,865.85
  45. eCommerce: Information Security – Compromised Accounts: Brute Force Guessing
     What was happening?
     – 15,000 login attempts against 11,300 users
     What looked suspicious to us?
     – Single IP had a high hit count to the login page
     – UserIDs entered alphabetically
     – ≈50% of hits were at sub-second deltas
  46. Financial Services: Information Security – Compromised Accounts: Peeking
     Attacker workflow as diagrammed: Obtain Compromised Account List → Validate a Subset → Sell List and/or Initiate Transactions
     • The net
       – Monitor for password guessing events
       – Alert on successful logins
     • The catch
       – 48,000 accounts successfully peeked
     • Now that we’ve got them…
       – 48,000 accounts loaded via EDS
       – Alert if high risk activity detected
  47. eCommerce: Information Security – Compromised Accounts: Horizontal Guessing
     What was happening?
     – Multiple login attempts with one password
     – Scripted variability
     What looked suspicious to us?
     – Spike in login page hits
     – Elevated behavior scores for sessions driving the spike
  48. eCommerce: Information Security – Normal Users Don’t Email Their Carts 12 Times Per Minute.
     “We’d heard reports of spam, but figured someone was spoofing us.”
     • High behavior scores on email-my-cart page
     • Chinese IPs sent 12 carts per minute
     • Clickstream showed spam messages
  49. eCommerce: Information Security – Spam: How much are we talking?
     • Peaked at 330 page hits per day
     • 3,960 messages per week
     • Reporting raised visibility, opened budget for a fix
     (Chart: Alerts, Page Hits and Messages; y-axis 0 to 1200.)
  50. eCommerce: Information Security – Denial-of-Service: Self-Inflicted
     What happened?
     • Site performance problems
     • Item catalog time outs
     What we found:
     • Misconfigured site performance tool
     • Bursty pattern of 1.6M hits over 7 days
  51. THANK YOU
