Jarno Niemelä's presentation "Targeted attacks – what have we learned?" at the Valtion IT-palvelukeskus Information Security Spring Seminar on 20 March 2013.

  1. Protecting Against Computerized Corporate Espionage
     How to harden your corporate practices
     Jarno Niemelä, jarno.niemela@f-secure.com, twitter: @jarnomn
     Protecting the irreplaceable | f-secure.com
  2. Typical Computerized Espionage Case
     Victim gets an email or a message over some social network
     • The content looks like a regular business mail or a link
     • However it contains exploit code with a trojan payload
     Victim reads a document or clicks the link and the payload is executed
     • Payload connects back to the attacker's C&C network
     Spy will mine the computer for anything interesting
  3. What's The Catch? This Sounds Like Any Other Malware
     Nowadays users are careful, they don't open just anything
     Thus the catch is in getting the user's trust
     To do this the spies study the victim
     Thus Facebook, LinkedIn, Twitter, etc. are spies' favorite tools
  4. Attack Vectors
     Attack over email attachment
     Attack externally visible server and continue to internal network
     Attack from supplier web page
     Using stolen user credentials
     Attacks over business related files
  5. Attacks Over Email
     Employee at Digital Bond received a credible looking mail from his boss*
     Digital Bond is a SCADA security vendor, and thus has very interesting clients from a spy's point of view
     The attachment actually was a ZIP file which contained an EXE
     The EXE was a backdoor which was not detected by any AV vendor
     * https://www.digitalbond.com/2012/06/07/spear-phishing-attempt/
  6. Watering Hole: Attacks Over Business Contacts
     Many interesting targets are well protected
     Thus attackers may focus on sites visited by a target
     CFR is a political think tank with very interesting members*
     The site was injected with a 0-day exploit for Internet Explorer
     CFR is just one example
     • Aerospace parts suppliers
     • Industrial process optimization
     • Chinese language news sites that are hosted in the US
     • Tibetan activist sites
     * http://freebeacon.com/chinese-hackers-suspected-in-cyber-attack-on-council-on-foreign-relations/
  7. C&C
     After a successful attack the attacker needs to be able to talk to the payload
     Which means that he needs some way to communicate
     • HTTP(s) C&C (simple domain, fast flux, compromised site)
     • Skype, IRC, Messenger, ICQ, etc. chat connections
     • Twitter, Facebook, social networks
     • FTP, Dropbox, file-leave, file sharing sites
     • SMTP
     • Anything else that looks like regular user activity
     • For example embedding commands in JPEG or PNG is popular
  8. Lateral Movement
     In order to find interesting stuff attackers need to move
     This means they need to be able to take over other hosts
     Typical way for this is to crack a user or admin password hash
     After the attacker has the password he can use psexec or the "at" command to execute files on remote systems
     Also remote login products commonly used by IT are frequently used
     [Diagram: point of entry → admin password hash → psexec → backdoor executed on another workstation]
  9. Data Exfiltration
     After the attacker has C&C he needs some way to get data out
     Most common approach is to use the C&C channel and HTTP
     But sometimes attackers get creative*
     • Print "error pages" that contain encoded information and dumpster dive
     • Leak information in DNS queries, payload 240 bytes per query
     • Leak info in ping ICMP packages
     • Open a VOIP connection and emulate an analog modem
     • Embed data in PNG or other image files and upload
     * http://www.iamit.org/blog/2012/01/advanced-data-exfiltration/
       http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHat-DC-2010-Percoco-Global-Security-Report-2010-slides.pdf
       http://www.kentonborn.com/sites/default/files/data_exfil.pdf
  10. Protection: Get Your Basics Right
      Attackers are using malware, so basic defense takes you a long way*
      Harden workstations and servers
      Harden your network, especially outgoing data
      Make sure external servers contain only what is needed
      Make sure systems are up to date and well configured
      Use security software
      Use gateway filtering
      Don't have a common admin account across systems
      * http://www.us-cert.gov/control_systems/pdf/ICS-TIP-12-146-01A.pdf
  11. Hardening Network
      Prevent lateral movement within your network
      • Isolate everything in the network, no inbound to clients, no outbound from servers
      • Block remote execution and RDP from other than the admin network segment
      • Allow a user to log in only to his own workstations
      Isolate email to approved business use only
      • Allow email only over the company mail server
      • Don't allow mail sending without user authentication
      Control web traffic
      • Don't allow any other outbound traffic except HTTP(s)
      • Allow HTTP(s) only over the company proxy
      • If local law allows, alert on an unusually high amount of uploads from a workstation
  12. Hardening Network
      Prevent easy ways of contacting C&C
      • Don't allow external DNS servers, don't allow ping to external hosts
      • Set up DNS whitelisting and a landing page for unknown domains
      Do these configurations also to laptop software firewalls
      • Common trick is to leak info when not in the corporate network
  13. DNS Is Botnets' Achilles Heel
      Bot is useless if it cannot connect to C&C
      • Provided that you are not facing an exotic attack such as Flame
      Basically all bots do use domain names for C&C
      Thus restricting DNS resolution will take you a long way
      I am collecting a list of domains used by document exploits
      8953 domains out of 9035 do not belong in the Alexa top 1M list of domains
      Which means that restricting DNS resolution is very effective
  14. Filter Content With Known Exploits
      There is no point in letting exploit content reach its target
      Thus use web content scanning to kill known exploits
      • Flash, PDF, Java, Office documents
      F-Secure CS and IS products also have very good exploit detection
  15. Make Sure Your AV Client Is Configured Right
      You probably have read blogs about "AV being useless"
      Partly it is due to nothing being perfect, 99% is not enough
      But in corporates it's mainly due to using AV wrong
      • Real time protection network is switched off
      • Behavioral heuristics are switched off
      • Which means about 80% of protection is disabled
      AV product needs to have a network connection
  16. Harden Web Browsers And Other Client Software
      Even better than filtering exploits is to disable unneeded content
      Disable types of content that users don't need
      • Disable Java and ActiveX unless you need them for something
      Block Flash, Javascript and videos from all unknown sites
      • Install NoScript, use click-to-play or similar blocking
      Harden office applications
      • Install Office File Validation [2]
      • Block ActiveX and Flash components in office documents [3]
      [2] http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=2807
      [3] http://blogs.technet.com/b/srd/archive/2011/03/16/blocking-exploit-attempts-of-the-recent-flash-0-day.aspx
  17. Harden Client Application Memory Handling
      Enhanced Mitigation Experience Toolkit (EMET)
      Harden memory handling of any application that processes external data
      • Acrord32 and other PDF readers
      • Winzip, 7Zip, etc.
      • Excel, Powerpoint, Word, Outlook, Winword.exe
      • Explorer.exe, iexplore.exe, Firefox, Chrome
      • Skype.exe
      • Wmplayer.exe, VLC, and any other video player
      It is possible to write exploits so that they bypass EMET
      • But then the attacker has to knowingly try to circumvent EMET
  18. Prevent Execution From Where There Are No Exes
      Use AppLocker to prevent execution from
      • %HOT%, %REMOVABLE% (USB and other removable media)
      • c:\Users\USER\Documents
      • c:\$Recycle.Bin
      • C:\recovery
      • C:\ProgramData
      • C:\system volume information
      • %APPDATA%, make exceptions for Google, Eclipse, etc.
      Alternative approach is to allow only the Program Files and Windows dirs
      • Or even allow only signed files and make exceptions for others
      • But this can be rather high maintenance, as not all programs are signed and/or they run exes from stupid locations (I am looking at you, Google)
      http://technet.microsoft.com/en-us/library/dd723678(v=ws.10).aspx
  19. OK So Basics Are Done, The Fun Part Begins
      You have to assume that the attacker gets past your defenses
      Prevent access to sensitive information and systems
      • Buy time for detection systems to react
      • Minimize damage even if the attack is not detected
      Detect the breach
      • According to Trustwave there is an average of 156 days between initial breach and discovery
      • This is way too long, we need to lay traps for attackers
      http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHat-DC-2010-Percoco-Global-Security-Report-2010-slides.pdf
  20. Know What You Are Protecting
      Intra web
      • Customer Relations Info
      • Any services that you have webified
      Active directory
      • User accounts
      Web servers
      Email files
      • Mergers, financial information before release, etc. insider info
      Document files
      • Business plans, price offers, pricing, patent applications, HR records
      Source code
      • Files on developer desktops, source code repositories
      • Especially if you are a subcontractor, your customer might be the real target
  21. Protect Documents, Use Rights Management
      Rights Management Services provides transparent document protection
      With RMS all protected documents are stored in encrypted form
      • To open a document Word/Excel/etc. must request a key from the RMS server
      • If the user has rights the server returns a key
      Thus if a document is stolen it cannot be read
      • Also documents can be restricted to a person or a group
      • Third party vendors like GigaTrust can expand rights management to non-Microsoft documents and iPhone/iPad devices
      http://en.wikipedia.org/wiki/Rights_Management_Services
      http://www.gigatrust.com/desktop_client.shtml
  22. Protect Your Internal Web Applications
      Make the attacker's life a bit more difficult. Lock access down to one browser
      • Use Kerberos authentication for all internal web pages
      • Set the client firewall to allow only the correct browser to use HTTP/S to the intranet
      • Configure the intra server to accept only the company's custom user agent
      Thus the attacker needs to take over the browser or fake it 100%
      Have log alerts for partially successful authentications
      • It's very unlikely that the attacker would get everything right
  23. Protect External Web From Inside Attacks
      Being the attack vector at your customer will be bad for business
      Thus you have to protect your external servers
      Isolate external facing servers from the internal network
      Don't do direct changes, use content management
      • Do all changes through a CMS that has auditing and change logging
      Do automated consistency checks between the CMS and the server
  24. Protect Your Email
      Most recorded email thefts happen by stealing the mail files
      Issue email certificates for all users, and lock the certs with a password
      • Thus almost all critical email will have transparent encryption
      • And to read them the spy has to be able to steal the certificate
      Block or set warnings on programmatic access to the mail client
      Also remember to control access to .PST, etc. files
  25. Detect Breaches And Information Leaks
      Even if you fail at prevention, the game is not lost
      The spy still has to send the goods out of your network
      Most companies focus on preventing intrusion
      While what you should really focus on is preventing data from escaping
  26. Set Data Exfiltration Honeypots
      Create fake routes out of the company that give an alarm if someone uses them
      Fake smtp.company.com mail server that accepts mail but does not forward
      Capture all HTTP traffic that does not go through the correct proxy
      Capture all DNS traffic that does not go to your DNS server
      Capture all ping ICMP traffic
  27. How To Build Honeypots
      All you need is Linux IPTables or a good router, Python and a spare server
      Route all unwanted traffic to the honeypot server
      Create fake services with Python that answer OK, log and send an alarm email
      • HTTP example: http://fragments.turtlemeat.com/pythonwebserver.php
      • SMTP: http://muffinresearch.co.uk/archives/2010/10/15/fake-smtp-server-with-python/
      • DNS: http://code.activestate.com/recipes/491264-mini-fake-dns-server/
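The fake smtp.company.com relay from slides 26 and 27, written out as an added example (not from the presentation or the recipes it links): a Python SMTP state machine that answers 250 to every command, never delivers anything, and records an alarm with the client address and envelope once a message body has been completed. The hostname, port 2525 and the ALARMS list are assumptions standing in for the alarm email the slide mentions.

```python
import socketserver
ALARMS = []  # alarm records; a real deployment would send the alarm email from here

class FakeSmtpSession:
    """SMTP state machine that says OK to everything, forwards nothing and records the attempt."""
    def __init__(self, peer):
        self.peer, self.in_data, self.sender, self.recipients, self.body = peer, False, None, [], []
    def greeting(self):
        return "220 smtp.company.com ESMTP ready\r\n"
    def handle_line(self, line):
        # Returns the reply for one client line, or None while the message body is swallowed
        if self.in_data:
            if line != ".":
                self.body.append(line)
                return None
            self.in_data = False  # end of DATA: pretend to queue the mail, then raise the alarm
            ALARMS.append({"peer": self.peer, "sender": self.sender,
                           "recipients": list(self.recipients), "lines": len(self.body)})
            print(f"ALARM: {self.peer} tried to send mail from {self.sender} to {self.recipients}")
            return "250 OK queued\r\n"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 smtp.company.com\r\n"
        if verb == "MAIL":  # MAIL FROM:<addr>
            self.sender = arg.partition(":")[2].strip()
            return "250 OK\r\n"
        if verb == "RCPT":  # RCPT TO:<addr>
            self.recipients.append(arg.partition(":")[2].strip())
            return "250 OK\r\n"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>\r\n"
        if verb == "QUIT":
            return "221 Bye\r\n"
        return "250 OK\r\n"  # accept unknown verbs too, so the fake looks like a working relay

class Handler(socketserver.StreamRequestHandler):
    # One TCP connection that iptables redirected to this host, as the slide describes
    def handle(self):
        session = FakeSmtpSession(self.client_address[0])
        self.wfile.write(session.greeting().encode())
        for raw in self.rfile:
            reply = session.handle_line(raw.decode("latin-1").rstrip("\r\n"))
            if reply:
                self.wfile.write(reply.encode())
                if reply.startswith("221"):
                    break

if __name__ == "__main__":
    socketserver.ThreadingTCPServer(("0.0.0.0", 2525), Handler).serve_forever()
```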
  28. Monitor Traffic That Is Allowed To Go Through
      Due to privacy reasons I don't advise reading content, but just traffic inspection will reveal if there is a need to start an investigation
      Monitor DNS queries for unusual patterns
      • 10s of queries to different subdomains in the same domain
      • Queries to domains not in .fi or in the Alexa top 1M space
      Monitor ping requests (even if you are blocking them)
      • Normal users do not try to send frequent ping traffic to odd destinations
      HTTP requests that do not have the company standard HTTP user agent
      • Whitelist known self update destinations (apple, dell, google, etc.)
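The two DNS patterns from slide 28 as detection logic, an added example that is not part of the presentation: it scans resolver log lines, flags queries to domains outside .fi that are also outside a whitelist standing in for the Alexa top 1M, and flags a client that resolves ten or more distinct subdomains of one domain. The log format, the whitelist contents and the sample hosts and domains are all constructed.

```python
import re
from collections import defaultdict

# Constructed stand-ins for the Alexa top-1M list and the trusted home TLD from the slide
KNOWN_DOMAINS = {"google.com", "microsoft.com", "f-secure.com", "apple.com", "dell.com"}
TRUSTED_TLDS = {"fi"}
SUBDOMAIN_THRESHOLD = 10  # "10s of queries to different subdomains in the same domain"
# Constructed resolver log format: "<timestamp> <client_ip> <queried_name>"
LOG_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+)$")

def registered_domain(qname):
    """Crude owner-domain approximation: the last two labels (fine for .com/.net/.fi)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def analyse(lines):
    """Return (client_ip, domain, reason) alerts for a batch of resolver log lines."""
    alerts = []
    subdomains = defaultdict(set)  # (client, domain) -> distinct names that client resolved
    def flag(client, domain, reason):  # one alert per client/domain/reason
        if (client, domain, reason) not in alerts:
            alerts.append((client, domain, reason))
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a query line; a real log also has replies, comments, etc.
        _ts, client, qname = m.groups()
        qname = qname.rstrip(".").lower()
        domain = registered_domain(qname)
        if domain.rsplit(".", 1)[-1] not in TRUSTED_TLDS and domain not in KNOWN_DOMAINS:
            flag(client, domain, "unknown-domain")
        subdomains[(client, domain)].add(qname)
    for (client, domain), names in subdomains.items():
        if len(names) >= SUBDOMAIN_THRESHOLD:
            flag(client, domain, "many-subdomains")
    return alerts

# Constructed sample: one normal workstation, and one host resolving a stream of unique
# subdomains under a domain nobody in the company has heard of (the slide-9 DNS channel)
SAMPLE_LOG = [
    "2013-03-20T09:00:01 10.1.2.3 www.f-secure.com.",
    "2013-03-20T09:00:02 10.1.2.3 update.microsoft.com.",
    "2013-03-20T09:00:03 10.1.2.3 intra.yritys.fi.",
] + [f"2013-03-20T09:01:{i:02d} 10.1.2.7 {'a' * 20}{i:02d}.unknown-placeholder.net."
     for i in range(12)]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```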
  29. Conclusion
      You cannot trust that you can always prevent infections
      Thus corporate security and defense in depth is a must
      • Whenever possible make data difficult for malware to steal
      • When that fails make data readable only in your environment
      Invest in monitoring
      • When you know the patterns of your valid users
      • A spy breaking the patterns will be detected