KNOW MORE NOISE
© 2022 GreyNoise Intelligence Inc
Introduction
Andrew Morris
Founder, CEO, GreyNoise
Prior: R&D @ Endgame (Elastic), Red Team Operator @ KCG (ManTech) + Intrepidus (NCC Group)
Twitter - @andrew___morris
Email - andrew@greynoise.io
Agenda
- Background
- Problems
- Our Observations at GreyNoise
- Solutions / Conclusion
- Q & A
Background
- An imperfect explanation of network service hacking:
  - Attackers use knowledge of network service vulnerabilities/misconfigurations to gain unauthorized access to computers belonging to their target(s)
  - Defenders defend by a combination of hardening network services against attacks (pre-emptive) and finding and eradicating adversaries once they break in (reactive)
- The internet is growing in surface area and complexity, which means attack surface is growing as well
- Attackers leverage automation just as much as defenders
- “Mass exploitation” is on the rise
Definitions
“Mass exploitation” == compromising lots of computers at scale using known software vulnerabilities before defenders apply software patches/fixes
“Scan-and-exploit” has become a leading cause of initial access for adversaries, and the timelines for defenders have never been tighter than right now
A large programmable distributed honeypot network can serve as an early warning system for internet bystanders (we do this at GreyNoise)
The priority needs to be on warning defenders and making quick block decisions to buy time for defenders, as far upstream as humanly possible
The Internet is Super Noisy
Internet noise is like spam for the internet
• It’s made up of scans and attacks from thousands of unique IP addresses per day…
• …generated by hundreds of thousands of bots, crawlers, and automated attack infrastructure…
• …triggering thousands of alerts that need to be manually analyzed by security teams.
Internet noise is, at best, distracting, and at worst, malicious
This background image shows scanning of the entire internet by source IPv4 address, Jan-21 to Feb-22. Each pixel in this photo is a group of 256 IPs; the “brightness” of each pixel is how many IPs in that group have been observed by GreyNoise.
“Mass Exploit” occurrences are increasing in frequency
Critical vulnerabilities in widely deployed software are being disclosed and exploited at scale more frequently than ever before.
“Mass exploitation” made up 45% of all infection vectors in 2021 (IBM)
Source: https://shellsharks.com/designer-vulnerabilities and GreyNoise analysis; IBM X-Force Threat Intelligence Index 2022
Why is Mass Exploitation getting worse?
Hacking in the 90’s - “Tight, Surgical Access”
Hacking in the 20’s - “Scaled Assembly Line”
Threat model creep
But now:
● $ASSET can increasingly refer to “every host on the entire internet”
● SOMEONE does AN EXPLOIT to THE ENTIRE INTERNET resulting in CHAOS
● In other words it’s everyone’s problem and everybody needs to care
Log4J - CVE-2021-44228
● In December, 2021 the world became aware of a critical vulnerability in Log4J
● Mass-exploitation started within days of disclosure
● For a period of time, the only action that could be taken was finding compromised devices and blocking offending IPs
How we do it at GreyNoise
Use Cases (or, the “why”)
- “Is this weird/malicious IP scanning/attacking everyone or just us?”
- “Who’s exploiting what vulnerabilities on the internet?”
- “Block bad IPs that are attacking me”
Technology (or, the “what”)
- Huge, distributed network of honeypot sensors
- Running in lots of different areas of the internet and in various countries
- Sensor traffic is analyzed by a dedicated research team
- Insights go to customers and product users
Identifying Mass Exploitation
Vulnerabilities we’ve identified mass exploitation of:
- Log4J
- Microsoft Exchange (many)
- Atlassian Confluence
- FortiOS/Fortinet
- VMWare
- F5 Big IP
…and over 800 others
Defending Against Mass Exploitation
- “Whack-a-mole” shows a surprising amount of promise
  1) Run fake versions of lots of software at massive scale
  2) Signature & fingerprint networks that are mass-exploiting the vulnerability
  3) Preemptively alert the world on confirmed exploitation citations
  4) Temporarily block as many offending IPs as possible
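An added example (not GreyNoise's code) of the triage the use cases and the whack-a-mole steps describe, run over constructed sensor sightings: it answers "everyone or just us?" for one IP, finds sources exploiting a signature across several sensors, and builds a block list with a TTL. Sensor names, tags, the RFC 5737 test addresses and the two-sensor threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sightings (placeholder sensors, tags and test addresses): (time, sensor, region, src IP, tag)
SIGHTINGS = [
    ("2022-02-01T10:00", "hp-us-1", "us", "192.0.2.10", "cve-2021-44228-jndi"),
    ("2022-02-01T10:02", "hp-de-1", "eu", "192.0.2.10", "cve-2021-44228-jndi"),
    ("2022-02-01T10:05", "hp-sg-1", "apac", "192.0.2.10", "cve-2021-44228-jndi"),
    ("2022-02-01T11:00", "hp-us-2", "us", "198.51.100.7", "ssh-guessable-creds"),
    ("2022-02-01T11:30", "hp-de-1", "eu", "198.51.100.7", "ssh-guessable-creds"),
    ("2022-02-01T12:00", "hp-us-1", "us", "203.0.113.5", "cve-2021-44228-jndi"),
]
NOW = datetime(2022, 2, 1, 13, 0)          # evaluation time for the constructed data
LOOKBACK = timedelta(days=1)               # how far back a sighting still counts

def _recent(now):
    """Sightings inside the lookback window, with the timestamp parsed to a datetime."""
    for ts, sensor, region, ip, tag in SIGHTINGS:
        seen_at = datetime.strptime(ts, "%Y-%m-%dT%H:%M")
        if timedelta(0) <= now - seen_at <= LOOKBACK:
            yield seen_at, sensor, region, ip, tag

def everyone_or_just_us(ip, now=NOW, min_sensors=2):
    """Use case 1: is this IP hitting everyone or just us?  An IP seen by several
    independent sensors is opportunistic internet noise; an IP the sensor network
    has never seen deserves a closer, targeted-attack investigation."""
    sensors = {s[1] for s in _recent(now) if s[3] == ip}
    if len(sensors) >= min_sensors:
        return "everyone"
    return "only one sensor" if sensors else "not seen"

def mass_exploiters(tag, now=NOW, min_sensors=2):
    """Use case 2 / step 2: which IPs fire `tag` against at least `min_sensors`
    distinct sensors?  A single sensor hit could be coincidence or a false positive."""
    by_ip = defaultdict(set)
    for _, sensor, _, ip, sig in _recent(now):
        if sig == tag:
            by_ip[ip].add(sensor)
    return {ip for ip, sensors in by_ip.items() if len(sensors) >= min_sensors}

def temporary_blocklist(tags, now=NOW, ttl=timedelta(hours=24)):
    """Step 4: block confirmed mass-exploitation sources, each with an expiry so
    shared or dynamically assigned addresses are not blocked forever."""
    return {ip: now + ttl for tag in tags for ip in mass_exploiters(tag, now)}

def still_blocked(blocklist, hours_after=0, now=NOW):
    """Entries whose TTL has not yet elapsed `hours_after` hours past `now`."""
    at = now + timedelta(hours=hours_after)
    return {ip for ip, expiry in blocklist.items() if at < expiry}
```

The thresholds and TTL are illustrative; in practice they would be tuned against the sensor count and the churn of the address space being blocked.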
“Whack a mole” results (hosts with guessable credentials)

                          Unblocked Host    Blocked Host
Mean Time to Compromise   19 Minutes        4 Days 6 Hours
Compromises/day           32                4
Compromise attempts/hour  206               35
Conclusions
- Mass exploitation will continue to get worse
- A large, well-designed, distributed programmable sensor network can consistently provide situational awareness and more time to respond, without access to classified information or special access to internet telemetry
- Speed is of the essence: same-day weaponization of vulnerabilities warrants same-day response
- Complete prevention is infeasible. Prioritize alerting, triage, and pre-emptive blocking of offending IPs (as far upstream as possible) to minimize damage
Q & A
Create a free account at https://greynoise.io

GreyNoise - Mass Exploitation