Presented by Oliver Pinson-Roxburgh, (www.alertlogic.com) at AWS User Group meetup, November '17
"As organisations continue to shift to cloud computing, new research reveals a significant consolidation of threats in specific layers of the computing model. Effective attackers, always seeking the weakest spots in network defenses, understand the changing attack landscape and have adapted their attack methods to this new paradigm. How do we evolve our security strategies to meet this challenge? In this session Oliver will discuss:
• Insights from the 2017 Cloud Security Report
• What the top 6 web attack types are that account for 75% of verified incidents
• Machine learning’s impact on detecting incidents and understanding attack progression
As well as a Live Cyber Hack Demo showing you the impact of implementing web applications that lack the correct security controls.
8. 8
Alert Logic Cloud Security Report 2017
550 DAYS
AUG 1, 2015 –JAN 31 2017
2,207,795
TOTAL TRUE POSITIVE SECURITY
INCIDENTS ANALYZED
32.5 MILLION
EVENTS DRIVING ESCALATED
INCIDENTS
147 PETABYTES
OF DATA ANALYZED
3807 CUSTOMERS
ANALYZED
452
INDUSTRIES ACROSS 3 CONTINENTS
9. 9
Web App Attacks – King of the Hill
WEB APP
ATTACK
Recon
5%
Server-side
Malware
2%
DoS / DDoS
1% Other
1%
75%
DOS/DDOS
1% OTHER
1%
SERVER-SIDE
MALWARE
2%
RECON
5%
BRUTE
FORCE
5%
SQL INJECTION
55%
SECURITY INCIDENT TYPES ESCALATED
10. 10
Web App Attacks – King of the Hill
WEB APP
ATTACK
ute Force
16%
Recon
5%
Server-side
Malware
2%
DoS / DDoS
1% Other
1%
75%
DOS/DDOS
1% OTHER
1%
SERVER-SIDE
MALWARE
2%
RECON
5%
BRUTE
FORCE
5%
SQL INJECTION
55% REMOTE
CODE
EXECUTION
22%
XXE
3%
APACHE
STRUTS
RCE
6%
WEB APP
ATTACK
RECON
5%
FILE
UPLOAD
6%
OTHER
4%
SECURITY INCIDENT TYPES ESCALATED
11. 11
Workload Environments Impact Incident Volumes
2.5x
more security incidents
observed in Hybrid vs
Public Cloud
51%
higher rate of
security incidents in
on premises vs Cloud
AVERAGE PER CUSTOMER SECURITY INCIDENT COUNTS
12. 12
Covering all layers of your stack is complex
Vulnerabilities
in
YOUR CODE
Vulnerabilities
in
YOUR
CONFIGS
Vulnerabilitie
s
YOU INHERIT
13. Today’s Attacks are Becoming More Complex
THE CYBER KILL CHAIN¹ THE IMPACT
Financial loss
Harm brand and reputation
Scrutiny from regulators
IDENTIFY
& RECON
INITIAL
ATTACK
COMMAND &
CONTROL
DISCOVER
& SPREAD
EXTRACT &
EXFILTRATE
• Attacks are multi-stage using multiple threat vectors
• Takes organizations months to identify they have been compromised
• 205 days on average before detection of compromise1
• Over two-thirds of organizations find out from a 3rd party they have been
compromised2
1 – IDC Worldwide Security and Vulnerability Management 2014–2018 Forecast
2 – M-Trends 2015: A View from the Front Lines
14. 14
Enter Machine Learning
Over nine months :
8-10% of the customers we
monitored were targeted by
actors with better-than-
average levels of skill and
determination
Each attack
had a High
degree of
complexity
Identified,
approx. 231
attacks
15. 15
Behind the Data
Web apps can be the final destination…or initial entry point
Perimeter AND Network
AND System /log-based
Detection defend your
hosts
see N / S / E / W in all of
your protected
environments
WAF blocking/virtual
patching, IDS, and log
monitoring as air cover as
you burn down your web
app vulnerabilities
• Redistribute malware directly / indirectly (exploit
kits / watering hole)
• Monetization through fraud (SEO, Coin Mining,
Spam)
• Entry point into Infrastructure
• Lateral movement, privilege escalation
• Steal data (exfiltration of information from
databases)
16. 16
Multi-stage Attacks
Time: Day 1
Event: Early stage recon event
Criticality: Medium
Time: Day 3
Event: SQL Injection recon
Criticality: Medium
Time: Day 4
Event: SQL table enumeration
Criticality: High
Time: Day 4
Event: Injection
Criticality: Critical
Situation: Multiple address spaces and disparate unrelated events over days
17. 17
Surgical Exfiltration
1 IP Address
Duration: 7 minutes
Surgical Exfiltration
1 IP Address
Duration: 2 minutes
Precision Recon
1 IP Address
Duration: 12 minutes
Precision Recon
1 IP Address
Duration: 8 minutes
Precision Recon
1 IP Address
Duration: 1 minute
Precision Recon
1 IP Address
Duration: 11 minutes
Sustained, Multi-stage Attack for Intellectual Property Theft
September2016 2017AprilOctober November December January February March
Jan 16th
Jan 3rd
Nov 2nd
Feb 6th
Continuous SQLi Reconnaissance to Better Understand the Environment (49 Unique IPs)
Continuous General SQLi Testing (172 Unique IPs)
20. 20
Zoomed View of a Single SQLi Exfiltration Attempt
1) Tables belonging to specific owner
exist?
2) Enumerate table names for owner
3) Count the number of columns for a specific table of interest
4) Enumerate column names for
specific table
5) Count the rows of
data within the table
of interest
6) Enumerate column values from
specific table (exfiltration event)
Time
Attackspecificity
It took about 75 years for the telephone to connect 50 million people. Today a simple iPhone app Cn reach that milestone in a matter of days. In the past 10 years the rate of adoption of new technologies has accelerated at dizzying speed. Can we keep up with it all?
Ports, old school, quite easy to understand, tiered approach, firewalls between each
As we’ve transitioned from this model into a new one of APIs and interconnected services much of IT have been prepared for the new world order, security sometimes prefers to operate within these same patterns
In my previous role and since joining Alert Logic I’ve come to understand that often the from the security perspective the cloud kind of looked like this
Which I can empathise with, in my experience security and network teams alike are used to dealing in ports and directions. I know I have at times – though as a developer and architect we often deal more with the logical.
hence the need to express our security measures in other ways that relate to todays threats
Goal
Demonstrate why full-stack security is needed by showing how different vectors in each layer are attacked
show huge scope of growing attack surface – too much to cover in-house
Key Talking Pts
Why are web apps the #1 source of breaches? Because attackers can use any layer of the application and infrastructure stack to today gain access, build footholds, and laterally move within your system.
From the top of the stack
Web application attacks like SQL injection and cross-site scripting are hard to prevent and detect because they are look innocent to the host and network and use the application’s own functionality and flaws to trick the application into giving up control.
Ideally all applications would be carefully built according to all secure coding best practices. Of course most developers will say their apps are secure. Maybe so, but it’s also human nature to think we are better than we actually are. In one study, 94% of professors rated themselves above average relative to their peers.
If you look at the facts, the failure rate of applications to pass audits just fpr the OWASP Top 10 is 61%
Developers are in for a tough battle getting those numbers up since development cycles are only getting faster and web applications are getting more complex.
At the bottom of the stack
Will AWS hardening at the bottom of the stack get us off the hook?
Well from what we see at least exploits like Wannacry and NotPetya seem to be non-issues in the cloud.
But what we see in cloud infrastructure layers are cloud services being mis-configured by users, such as open S3 buckets leaving data up for grabs at Verizon, Republican National Committee and the World Wrestling Federation.
These are very easy mistakes to prevent, so why worry about them? There number of cloud services being configured on a given day is going up, and they are going faster, so less time to double check your work.
Not to mention the fact that new AWS services are being launched all the time, so there is a lot to learn.
All across the entire stack
We see applications being made of more and more components and APIs, each of which can have their own plug-ins and servlets, especially content management systems like Joomla, Magento, Wordpress & Drupal.
Quarterly scanning for compliance isn’t enough. Attackers can come out in droves as soon as they hear a patch has been released, racing to breach your system before you can find and fix it yourself. For example, after Joomla announced two patches for its systems in 2016 the number of exploits in the wild raced from a few hundred on the first day to over 27,000 in just 2 more days.
So, you need to protect all layers of the application stack from a variety of vectors, otherwise you are leaving a door open for attackers.
Trying to pull this all together yourself would mean not only tracking the growing number of vulnerabilities in your environment but also continuously developing your own signatures and rules and analytics for detection and blocking.
Discovery
What can you share about breaches you may have had? What might a shorter dwell time have meant to you?
Tips
Treat as a build slide: pace as if it were one slide with multiple builds
Kill Chain
Discuss what it is and how it relates to the anatomy of an attack
Discuss how we will show each stage of this being enacted as we run through the live hack
RevSlider Exploit
Discuss that we’re going to demonstrate an exploit in a popular Plugin as an example of what we’ve been discussing earlier in the presentation.
Show the Plugin in Action and what it is/does on the WP Site - https://vuldb.com/?id.76139