To see things others can't - APTs, Incident Response, DDoS

Some inconvenient questions about Advanced Threats and Incident Response; some data about DDoS attacks.

Published in: Technology, News & Politics
1. To see things others can’t
   Athens, April 10th, 2014
   Marco Gioanola, Consulting Engineer
2. To see things others can’t
3. Under the microscope: a well known example
   Tim Gjelten of NPR reports that he simply downloaded [the documents] off the company’s internal Top Secret net:
   According to the officials, the documents Snowden leaked — the memoranda, PowerPoint slides, agency reports, court orders and opinions — had all been stored in a file-sharing location on the NSA’s intranet site. The documents were put there so NSA analysts and officials could read them online and discuss them.
   Snowden, because he had TS clearance, had access to this net. Not only that, but his job description provided him cover to be the one moving documents around on that net.
   “It’s kind of brilliant, if you’re him,” an official said to Gjelten. “His job was to do what he did. He wasn’t a ghost. He wasn’t that clever. He did his job. He was observed [moving documents], but it was his job.”
   Strangely these comments are in direct contrast with the previous NSA narrative, which painted Snowden as a brilliant cyber tactician who masked his movements on the net — leaving officials clueless as to what he took.
   “If they can’t tell what Snowden took so many months later, they don’t have very good auditability at all,” writes Mike Masnick. “Furthermore, this raises serious questions about the NSA’s data management capabilities.”
4. (no transcribed text)
5. Some inconvenient questions
   • How do you detect if one of your employees copies all the documents from your file server to his PC at home?
     – He transfers them directly from your network via FTP
     – He copies them from the file server to a USB disk connected to his PC
   • How do you detect privileged users abusing encrypted channels (SSH, VPNs) for malicious activities?
   • Does your firewall / IPS / IDS / Anti-Malware know what time it is?
6. Inconvenient answers
   • How do you detect you have been compromised?
   • Sometimes, you just don’t.
   • Traditional security solutions are still necessary, but do not scale
     – Antivirus
     – End-point agents
     – Network Access Control
   • Behaviour Anomaly detection is key.
7. More inconvenient questions
   • As I said, sometimes, you just don’t realize you have been compromised until it’s too late.
   • What is your incident response strategy?
   • How do you trace back the cause of the compromise?
   • How do you understand when and how the attack initially happened?
   • APT:
     – Advanced = smart
     – Persistent = long-lasting
8. More inconvenient answers
9. So you want to have a 200TB .pcap...
   • You need packet capture infrastructure
   • You need storage
   • You need to be able to apply today’s knowledge to last year’s traffic
   • You need power and intelligence
10. A view from 30000 meters high
11. A view from 30000 meters high
   • We all know what a DDoS attack is, right?
   • digitalattackmap.com from Google Ideas
12. A real world case
   • Online gaming community
     – 3 million registered users, 30.000 simultaneous players online
     – Free platform with premium paying subscriptions
     – Repeatedly attacked at peak time (Saturday evening), causing player disconnections, lost points, complaints, troubleshooting time, etc.
13. The damage and the first reactions
   • Attacks continued for weeks
   • Dropped from 3 to 2 million subscribers
   • Increased ISP bandwidth from 20Mbps to 100Mbps
   • Tried deploying firewalls, IPS
   • No success
   • Customers were moving to the competition, website risked being shut down for good.
14. Enter Arbor
   • The customer contacted us
   • Our reseller got in touch with the customer’s ISP
   • Installed trial
   • Visibility and basic protection achieved.
15. Analysis
16. Analysis
17. Volumetric attacks
   • Fine tuning of customer premise equipment blocked all attacks;
   • Attackers escalated in size: 100Mbps bandwidth congested in minutes.
   • Need for upstream protection.
18. Cloud signaling
   Diagram labels: The Internet, Upstream Provider, Local Provider, Customer Premises mitigation, ISP-based mitigation, Attackers
19. Cloud signaling
   Diagram labels: The Internet, Upstream Provider, Local Provider, Customer Premises mitigation, ISP-based mitigation, Attackers, Cloud Signaling Request
20. The latest trend
   • NTP-based amplification reflection attacks
   • NTP traffic, global, 2013-2014
21.-24. Chart: NTP traffic, global, 2013-2014 (y-axis "Dimension in Mbps"); successive slides rescale the axis and label the values 1,297; 2,640; 100,000; 191,000 and 300,000 Mbps.
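Added example, not from the slides, tying slides 17 to 20 together from the defender's side: over constructed flow records it flags an NTP reflection flood (many distinct UDP sources on port 123 sending oversized replies to one destination), estimates its rate against the access link, and chooses local mitigation while there is headroom or an upstream request (the cloud signaling idea) once the link would saturate. Addresses, packet sizes, the 100 Mbps link and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed flow records over one 10-second window:
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
WINDOW_SECONDS = 10
FLOWS = [("10.0.0.%d" % i, 123, "203.0.113.5", 40000 + i, "udp", 8000, 8000 * 468)
         for i in range(1, 41)]                      # 40 reflectors, oversized replies
FLOWS += [("10.0.1.%d" % i, 123, "203.0.113.6", 42000 + i, "udp", 1000, 1000 * 468)
          for i in range(1, 26)]                     # 25 reflectors, smaller flood
FLOWS += [("198.51.100.7", 443, "203.0.113.5", 51000, "tcp", 300, 120_000),  # web traffic
          ("10.0.0.1", 123, "203.0.113.9", 123, "udp", 4, 4 * 76)]          # normal NTP

def ntp_reflection_candidates(flows, min_sources=20, min_avg_bytes=200):
    """Group inbound UDP flows sourced from port 123 by destination and flag
    destinations hit by many distinct sources whose packets are far larger than
    the roughly 76 bytes on the wire of a normal NTP request or reply."""
    by_dst = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for src, sport, dst, _dport, proto, pkts, nbytes in flows:
        if proto == "udp" and sport == 123:
            entry = by_dst[dst]
            entry["sources"].add(src)
            entry["packets"] += pkts
            entry["bytes"] += nbytes
    findings = {}
    for dst, entry in by_dst.items():
        avg_bytes = entry["bytes"] / entry["packets"]
        if len(entry["sources"]) >= min_sources and avg_bytes >= min_avg_bytes:
            findings[dst] = {"sources": len(entry["sources"]),
                             "mbps": entry["bytes"] * 8 / WINDOW_SECONDS / 1e6}
    return findings

def mitigation_plan(findings, link_mbps=100.0, headroom=0.8):
    """Filter locally while the flood leaves headroom on the access link; once it
    would fill the link, only the upstream provider can drop it in time."""
    return {dst: ("upstream" if f["mbps"] >= link_mbps * headroom else "local")
            for dst, f in findings.items()}

if __name__ == "__main__":
    found = ntp_reflection_candidates(FLOWS)
    for dst, action in mitigation_plan(found).items():
        print(dst, "%.1f Mbps from %d sources -> mitigate %s"
              % (found[dst]["mbps"], found[dst]["sources"], action))
```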
25. Stop attacks at the right place: build your arsenal
   • A microscope, to see the tiny details
   • A moviola, to replay what happened
   • Behavior analysis to detect anomalies
   • Inspection at different levels, to get the complete picture.
26. ...and most of all...
   Build a team of experts with the right mix of skills.
27. Thank you
   Marco Gioanola, Consulting Engineer, Arbor Networks
