It’s not just you. The frequency of severe vulnerabilities in internet-facing enterprise software being massively exploited at scale has increased drastically. The amount of time between disclosure and exploitation of these vulnerabilities has been reduced to near-zero, leaving defenders with less time to react and respond. While combating internet-wide opportunistic exploitation is a sprawling and complex problem, there is both an art and a science to staying ahead of large exploitation events such as Log4J.
In this talk we will share insights and challenges from operating a huge, shifting, adaptive, distributed sensor network listening to internet background noise and opportunistic exploitation traffic over the past four years. We will give a blunt state of the universe on mass exploitation. We will share patterns and unexplainable phenomena we’ve experienced across billions of internet scans. And we will make recommendations to defenders for preparing for the next time the cyber hits the fan.
The Information Security Community on LinkedIn, with the support of Cybereason, conducted a comprehensive online research project to gain more insight into the state of threat hunting in security operation centers (SOCs). When the 330 cybersecurity and IT professionals were asked what keeps them up at night, many comments revolved around a central theme of undetected threats slipping through an organization’s defenses. Many responses included “unknown” and “advanced” when describing threats, indicating the respondents understand the challenges and fear those emerging threats.
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK (MITRE ATT&CK)
From ATT&CKcon 3.0
By Haylee Mills, Splunk
Having ATT&CK to identify threats, prioritize data sources, and improve security posture has been a huge step forward for our industry, but how do we actualize those insights for better detection and alerting? By shifting to observations of behavior over one-to-one direct alerts, noisy datasets become valuable treasure troves with ATT&CK metadata. Additionally, we can begin to look at detection and threat hunting on behavior instead of users or systems. In this presentation, Haylee will discuss the shift in mindset and the nuts and bolts of detections that leverage this metadata in Splunk, but the concept can be applied with custom tools to any valuable security dataset.
Architecting your WebRTC application for scalability, Arin Sime (Alan Quayle)
TADSummit 2022, 8/9 Nov, Aveiro, Portugal
Arin Sime, CEO/Founder at WebRTC.ventures and AgilityFeat, & Alberto González Trastoy, CTO at WebRTC.ventures | Software/Telecom Engineer.
There are many ways to architect your live video application with WebRTC. Open Source and CPaaS media servers are one consideration, but far from the only decision you’ll need to make.
In this session we will give an update on the most popular media servers to consider, and go deeper into scalability with topics such as deployment using Kubernetes/Docker, persistence when using multiple SFU/MCU servers, and optimizations available in WebRTC for better performance.
Threat hunting - Every day is hunting season (Ben Boyd)
Breakout Presentation by Ben Boyd during the 2018 Nebraska Cybersecurity Conference.
Introduction to Threat Hunting and helpful steps for building a Threat Hunting Program of any size, from small to massive.
Enterprise Digital Forensics and Security with Open Source tools: Automate Audits, Cyber Forensics and Incident Response with Velociraptor and Ansible AWX
"Cyberhunting" actively looks for signs of compromise within an organization and seeks to control and minimize the overall damage. This rare but essential breed of enterprise cyber defenders gives proactive security a whole new meaning.
Check out the accompanying webinar: http://www.hosting.com/resources/webinars/?commid=228353
Threat Hunting with Elastic at SpecterOps: Welcome to HELK (Elasticsearch)
HELK offers another approach for advanced cyber-hunting analytics, focusing on the importance of data documentation, quality, and modeling when developing analytics and making sense of disparate data sources inside the contested environment.
Zero Trust Best Practices for Kubernetes (NGINX, Inc.)
on-demand: https://www.nginx.com/resources/webinars/zero-trust-best-practices-for-kubernetes/
With the adoption of containers, clouds, and distributed deployments, traditional perimeter-based security models no longer work. The sophistication and number of cybersecurity attacks are growing exponentially, and Kubernetes carries significant risk of threat exposure if not properly secured.
In this webinar, we explore the benefits of adopting a Zero Trust model to secure your Kubernetes infrastructure. Our presenters will share seven best practices to help you achieve your security goals, solving the most common Kubernetes security challenges in the most efficient way.
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe... (MITRE - ATT&CKcon)
With the development of the MITRE ATT&CK framework and its categorization of adversary activity during the attack cycle, understanding what to hunt for has become easier and more efficient than ever. However, organizations are still struggling to understand how they can prioritize the development of hunt hypotheses, assess their current security posture, and develop the right analytics with the help of ATT&CK. Even though there are several ways to utilize ATT&CK to accomplish those goals, only a few focus primarily on the data that is currently being collected to drive the success of a hunt program.
This presentation shows how organizations can benefit from mapping their current visibility from a data perspective to the ATT&CK framework. It focuses on how to identify, document, standardize and model current available data to enhance a hunt program. It presents an updated ThreatHunter-Playbook, a Kibana ATT&CK dashboard, a new project named Open Source Security Events Metadata known as OSSEM and expands on the “data sources” section already provided by ATT&CK on most of the documented adversarial techniques.
Threat Hunting Procedures and Measurement Matrice (Vishal Kumar)
This document provides the basics of Cyber Threat Hunting and answers some questions such as: What is threat hunting? Why is threat hunting important? How can it be started?
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac... (MITRE ATT&CK)
From ATT&CKcon 3.0
By Jason Wood and Justin Swisher, CrowdStrike
When it comes to understanding and tracking intrusion tradecraft, security teams must have the tools and processes that allow the mapping of hands-on adversary tradecraft. Doing this enables your team to both understand the adversaries and attacks you currently see and observe how these adversaries and attacks evolve over time. This session will explore how a threat hunting team uses MITRE ATT&CK to understand and categorize adversary activity. The team will demonstrate how threat hunters map ATT&CK TTPs by showcasing a recent interactive intrusion against a Linux endpoint and how the framework allowed for granular tracking of tradecraft and enhanced security operations. They will also take a look into the changes in the Linux activity they have observed over time, using the ATT&CK navigator to compare and contrast technique usage. This session will provide insights into how we use MITRE ATT&CK as a powerful resource to track intrusion tradecraft, identify adversary trends, and prepare for attacks of the future.
Knowledge for the masses: Storytelling with ATT&CK (MITRE ATT&CK)
From ATT&CKcon 3.0
By Ismael Valenzuela and Jose Luis Sanchez Martinez, Trellix
The Trellix team believes that creating and sharing compelling stories about cyber threats with ATT&CK is a powerful way of raising awareness and enabling action against cyber threats.
In this talk the team will share their experiences leveraging ATT&CK to disseminate threat knowledge to different audiences (software development teams, managers, threat detection engineers, threat hunters, cyber threat analysts, support engineers, upper management, etc.).
They will show concrete examples and representations created with ATT&CK to describe the threats at different levels, including: 1) an Attack Path graph that shows the overall flow of the attack; 2) Tactic-specific TTP summary tables and graphs; 3) very detailed, step-by-step description of the attacker's behaviors.
Nominum Data Science Security Report, Fall 2016 (Brian Metzger)
Nominum’s “Data Revelations” analyzes some of the biggest cyberthreats impacting organizations and individuals today, including ransomware, DDoS, mobile malware and IoT-based attacks. Since DNS is the launch point for over 90% of cyberattacks, it offers a superior vantage point from which to examine, understand, thwart and proactively prevent threats. By applying machine learning, artificial intelligence, natural language processing and neural networks, Nominum Data Science is able to predict and prevent some of the most sophisticated and dangerous cyberthreats to ever hit the internet.
This session will discuss the main cyber threats for 2019 with public- and private-sector security experts. After an overview of the top cybersecurity industry predictions for the coming year, the panel will discuss the effective solutions and roadmaps needed as we head into the 2020s.
Main points covered:
• What are the top cyber threats facing enterprises in 2019?
• What do the major cybersecurity vendors believe will happen in the next few years?
• What is being done to prepare for daily cyber-attacks facing enterprises?
• What projects are leading Chief Information Security Officers (CISOs) and Chief Risk Officers (CROs) implementing now?
Presenters:
Our first presenter for this session is Maria S. Thompson, State Chief Risk and Security Officer for the State of North Carolina. Maria brings to the State over 20 years of experience in Information Technology and cybersecurity. Maria’s personal honors include receiving the 2007 National Security Agency’s prestigious Rowlett Award for individual achievement in Information Assurance. Additionally, she received the 2008 Office of the Secretary of Defense Certificate of Excellence for the implementation of an IA strategy for the Information Assurance Workforce. Most recently, Maria was selected as a winner of one of the 2018 Triangle Business Journal Women in Business awards and State Scoop’s 50th Award State Cybersecurity Leader.
The second presenter, Dan Lohrmann, is an internationally recognized cybersecurity leader, technologist and author. Starting his career at NSA, Lohrmann has served global organizations in the public and private sectors in many leadership capacities. As a top Michigan Government technology executive for seventeen years, Dan was national CSO of the Year, Public Official of the Year and a Computerworld Premier 100 IT Leader. He is currently CSO & Chief Strategist at Security Mentor, where he advises global and local corporations and governments on cybersecurity and technology infrastructure strategies and security culture change. He has been a keynote speaker at security conferences from South Africa to Europe and Washington D.C. to Moscow.
Recorded Webinar: https://youtu.be/IHAAXQ30zBk
Cybercrime is nothing new. What is different now is the intimacy, reach and size of those attacks. There are hundreds of billions in losses each year. This unsettling state of affairs has created a binary world with really only two kinds of companies: those that have been hacked and admit it, and those that have been hacked and don't admit it or don’t know it yet. Worse yet, for the vast majority of individuals, very few of us have been untouched whether we know it or not.
In NTT i³’s book “CyberCrime: Radically Rethinking the Global Threat,” Rich Boyer, Chief Architect for Security and Dr. Kenji Takahashi, VP Product Management for Security examine the current arms race between cybercriminals and their diverse and agile toolkits and the radically new approaches to cybersecurity that the enterprise must adopt to compete and win.
AI: The New Player in Cybersecurity (Nov. 08, 2023) (Takeshi Takahashi)
These slides outline how AI is influencing cybersecurity.
Note that they were used in the keynote speech at the event "Defense and Security 2023" held in Thailand on November 8, 2023.
Cyber crime is activity carried out using computers and the internet: unlawful acts in which the computer is a tool, a target, or both.
The internet is growing rapidly. It has given rise to new opportunities in every field we can think of, be it entertainment, business, sports or education.
But there are two sides to every coin. The internet also has its own downside: cyber crime, illegal activity committed on the internet.
Info Session on Cybersecurity & Cybersecurity Study Jams (GDSCCVR)
In an era where digital threats are ever-evolving, understanding the fundamentals of cybersecurity is crucial.
Highlights of the Event:
💡 Google Cybersecurity Certification Scholarship.
🎭 Cloning and Phishing Demystified
🚨 Unravelling the Depths of Database Breaches
🛡️ Digital safety 101
🧼 Self-Check for Cyber Hygiene
⏺️ Event Details:
Date: 18th December 2023
Time: 6:00 PM to 7:00 PM
Venue: Online
Time is now changing faster: it started with the Green Revolution and the White Revolution, and now it is time for the Data Revolution. That means cyber war; in today’s world AI is replacing human beings. One study says that more than 80% of work depends on AI, and cyber crimes and threats have increased as a result.
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams (Andrew Morris)
Cloud hosting providers, such as Amazon AWS, Google Cloud, DigitalOcean, Microsoft Azure, and many others, have to respond to a regular barrage of abuse complaint reports from all around the world when their customers’ virtual private servers are used for malicious activity. This activity can happen knowingly by the "renter" of the system or on behalf of an attacker if the server becomes infected. Although by no means the end-all, one way of measuring the trust posture of a cloud hosting provider is by analyzing the amount of time between shared hosts beginning to attack other hosts on the Internet and the activity ceasing, generally by way of forced decommissioning, quarantining, or remediation of the root cause, such as a malware infection. In this talk, we discuss using the data collected by GreyNoise, a large network of passive collector nodes, to measure the time-to-remediation of infected or malicious machines. We will discuss methodology, results, and actionable takeaways for conference attendees who use shared cloud hosting in their businesses.
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security... (Andrew Morris)
In this presentation, we will discuss using GreyNoise, a geographically and logically distributed system of passive Internet scan traffic collector nodes, to identify statistical anomalies in global opportunistic Internet scan traffic and correlate these anomalies with publicly disclosed vulnerabilities, large-scale DDoS attacks, and other newsworthy events. We will discuss establishing (and identifying any deviations away from) a “standard” baseline of Internet scan traffic. We will discuss successes and failures of different methods employed over the past six months. We will explore open questions and future work on automated anomaly detection of Internet scan traffic. Finally, we will provide raw data and a challenge as an exercise to the attendees.
The last five to ten years have seen massive advancements in open source Internet-wide mass-scan tooling, on-demand cloud computing, and high speed Internet connectivity. This has led to a massive influx of different groups mass-scanning all four billion IP addresses in the IPv4 space on a constant basis. Information security researchers, cyber security companies, search engines, and criminals scan the Internet for various benign and nefarious reasons (such as the WannaCry ransomware and multiple MongoDB, ElasticSearch, and Memcached ransomware variants). It is increasingly difficult to differentiate between scan/attack traffic targeting your organization specifically and opportunistic mass-scan background radiation packets.
GreyNoise is a system that records and analyzes all the collective omnidirectional background noise of the Internet, performs enrichments and analytics, and makes the data available to researchers for free. Traffic is collected by a large network of geographically and logically diverse “listener” servers distributed around different data centers belonging to different cloud providers and ISPs around the world.
In this talk I will candidly discuss motivations for developing the system, a technical deep dive on the architecture, data pipeline, and analytics, observations and analysis of the traffic collected by the system, business impacts for network operators, pitfalls and lessons learned, and the vision for the system moving forward.
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ... (Andrew Morris)
In this talk, I'll be discussing my experience developing intelligence-gathering capabilities to track several different independent groups of threat actors on a very limited budget (read: virtually no budget whatsoever). I'll discuss discovering the groups using open source intelligence gathering and honeypots, monitoring attacks, collecting and analyzing malware artifacts to figure out what their capabilities are, and reverse engineering their malware to develop the capability to track their targets in real time. Finally, I'll chat about defensive strategies and provide recommendations for enterprise security analysts and other security researchers.
Multi-cluster Kubernetes Networking - Patterns, Projects and Guidelines (Sanjeev Rampal)
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
3. Andrew Morris, Founder and CEO, GreyNoise Intelligence
@Andrew___Morris
andrew@greynoise.io
Andrew Morris | Staying Ahead Of Internet Background Exploitation
BLUEHAT IL 2022
4.
● Intro & Background
● Part I - What Is The Problem?
● Part II - Our Solution To The Problem
● Part III - Things We’ve Observed
● Summary & Recap
6. IN PLAIN TERMS…
Every other month, a really bad vulnerability is identified, disclosed, weaponized, and exploited at scale around the internet, in some piece of common perimeter-facing software, and nobody has any idea what to do about it.
“Scan-and-exploit” was the top infection vector in 2020: 35% of initial infections, according to IBM. Scanning and exploiting vulnerabilities jumped up to the top infection vector in 2020 with a 35% share, surpassing phishing, which was the top vector in 2019.
Source: https://www.ibm.com/security/data-breach/threat-intelligence
8. HERE’S WHY WE’RE HERE
● Vulnerability research has evolved
  ○ Tooling and development has improved
  ○ Attack surface has increased
● Mass scanning has evolved
  ○ Tooling is better (Masscan, Zmap, etc)
  ○ Recyclable IPs are a thing (cloud)
  ○ The Internet is literally faster
Mass scanning + vulnerability research = mass exploitation dying to happen
9. HACKING IN THE 90’s
We used to think about bad guys hacking systems on the internet following this pattern:
Identify Target → Scan Target, Enumerate, Profile → Find Vulnerabilities → Exploit Vulnerabilities → Operate → Profit
10. HACKING IN THE 20’s
Today more closely resembles an assembly line:
Identify a viable Vulnerability → Scan Target (the Internet) → Exploit → Compromise Lots of Hosts → Deconflict Accesses → Trade Accesses or Operate → Profit
11. THREAT MODEL CREEP
To quote Bruce Potter at some point a few years ago:
  ○ $ACTOR does $ACTION to $ASSET resulting in $OUTCOME because $MOTIVATION
But now:
  ○ $ASSET can increasingly refer to 0.0.0.0/0
  ○ SOMEONE does AN EXPLOIT to THE ENTIRE INTERNET resulting in SHELLS AND CHAOS
12. WHAT IS INTERNET BACKGROUND NOISE?
On a daily basis, every individual routable IP on the Internet sees ~3,000 unsolicited pings from ~1,000 distinct IP addresses. Each /24 receives about 46mb of unsolicited network data from ~200,000 IP addresses from SYNs alone.
Why so much scanning?
● BAD: Credential stuffing, proxy checking, brute forces, exploit vulnerabilities, etc
● GOOD: Web search, asset discovery, third party risk, security research
The internet is just really noisy, man.
Source: GreyNoise Intelligence
[Figure: Scanning of the internet by source IPv4 address, Jan-21 to Feb-22. Each pixel in this image is a group of 256 IPs; the “brightness” of each pixel is how many IPs in that group have been observed by GreyNoise.]
13. SOME SOURCES OF “BENIGN” INTERNET BACKGROUND NOISE
● Alpha Strike Labs
● GoogleBot
● BinaryEdge.io
● Project Sonar
● Bitsight
● Censys
● ShadowServer.org
● cyber.casa
● ONYPHE
● InterneTTL
● BingBot
● Yandex Search Engine
● Cortex Xpanse
● ipip.net
● Shodan.io
● IPinfo.io
● Cloud System Networks
● Net Systems Research
● OpenIntel.nl
● Facebook Crawler
● AdScore
● Ahrefs
● Intrinsec
● DomainTools
● CriminalIP
● BLEXBot
● Arbor Observatory
● Technical University of Munich
● Mail.RU
● Palo Alto Crawler
● Petalbot
● Caida
● LeakIX
● Quadmetrics.com
● Archive.org
● Moz DotBot
● RWTH AACHEN University
● VeriSign
● Bit Discovery
● Project25499
● Applebot
● CyberGreen
● ESET
● FH Muenster University
● Knoq
● Mojeek
● SecurityTrails
● University of Colorado
14. “[A] telescope monitoring a single IP address (a /32) the average time to observe a host at 10 addresses per second is over 13 years and the time to observe with 95% likelihood is over 40 years.”
http://www.cs.unc.edu/~jeffay/courses/nidsS05/measurement/moore-telescopes04.pdf (2004)
15. “[Masscan] can scan the entire Internet in under 5 minutes, transmitting 10 million packets per second, from a single machine.”
Source (2013): https://github.com/robertdavidgraham/masscan
The two quotes bracket the shift the rest of the talk assumes: in 2004 a single monitored address could wait years before a given scanner touched it; by 2013 one machine could reach every IPv4 address in minutes, so any routable IP is now reached by an internet-wide scan within minutes of it starting.
17. WILL CVE-BLAH-BLAH BE “MASS EXPLOITED”?
Each question has to be answered YES to reach the conclusion; a NO at any step makes opportunistic mass exploitation unlikely:
Remotely exploitable? → YES
Simple to exploit or public POC? → YES
Running on the internet? → YES
Widely deployed? → YES
→ The CVE is likely to be mass exploited
18. WHO EXPERIENCES THE PAIN?
Defenders
○ “Are you kidding me? Another one? Again?”
Software Vendors
○ “This makes people afraid to run our software”
Cyber Security Vendors
○ “This is either an opportunity to make money, OR this makes us look like idiots”
Hosting Providers
○ “Please stop popping boxes from our network, we can’t handle any more FBI calls or abuse complaints”
19. WHY IS THIS PROBLEM HARD?
Trust
○ Lots of data is bad
○ Lack of filtering and quality assurance means nobody is willing to make automated decisions based on someone else’s data
Money
○ Accidentally blocking revenue-generating users
Speed
○ There is a “time-to-get-something-useful-to-say”
○ There is a “time-to-say-it”
○ If both do not happen prior to an attack hitting the perimeter, you lose the race
Scale issues
20. NEXT TIME THE SH*T HITS THE FAN?
● “Whack-a-mole”-style short-term blocking has surprisingly good results.
○ Reduces successful attacks by 70%, but needs to be fast
○ Hunting is more straightforward, but obviously this means the compromise has already occurred
● More collective defense, more info sharing from vendors and groups who have good data
● Fewer well-intentioned security researchers and vendors spraying exploits around
● Assume every service on your perimeter can suddenly become vulnerable on very little notice
21. TL;DR
Super bad vulnerabilities are coming out every other month, bad guys exploit them at scale, and it’s a differently flavored dumpster fire every time.
Stopping the vulns from existing seems unlikely, so let’s try to detect and block before it hits a network we care about.
24. CVES EXPLOITED IN THE WILD
Source       CVEs   Tracking since
GreyNoise    201    March 2020 - Present
AttackerKB   639    June 2020 - Present
US CISA*     377    Nov. 2021 - Present
*United States Cybersecurity and Infrastructure Security Agency
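The decision chain from slide 17 and the exploited-in-the-wild catalogs from slide 24, as an added example that is not code from the talk, GreyNoise, AttackerKB or CISA: a small Python triage that first checks a CVE against a catalog in the shape of CISA's KEV JSON feed and only runs the four slide-17 gates for CVEs the catalog does not already confirm. The KEV entry, the placeholder IDs (CVE-0000-…) and the record fields (`remote`, `simple`, `public_poc`, `internet_facing`, `widely_deployed`) are constructed for the example; the feed URL in the comment is CISA's published location, but nothing is fetched.

```python
"""Added example: slide-17 mass-exploitation gates plus a KEV lookup.
Not code from the talk; CVE IDs and catalog entries are constructed."""
import json

# Constructed sample in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Field names follow the feed; the entry itself is an invented placeholder.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2022.03.01",
    "count": 1,
    "vulnerabilities": [
        {"cveID": "CVE-0000-1111", "vendorProject": "ExampleVendor",
         "product": "ExampleGateway", "dateAdded": "2022-02-14",
         "dueDate": "2022-02-28"},
    ],
})

# Ordered as on the slide: the first gate that fails ends the chain.
GATES = (
    ("remotely exploitable", lambda c: c["remote"]),
    ("simple to exploit or public PoC", lambda c: c["simple"] or c["public_poc"]),
    ("running on the internet", lambda c: c["internet_facing"]),
    ("widely deployed", lambda c: c["widely_deployed"]),
)


def load_kev(text):
    """Index a KEV-shaped JSON document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def triage(cve, kev):
    """Return (verdict, reason) for one CVE record.

    KEV membership short-circuits everything: the question "will it be mass
    exploited?" is already answered, so the gates are only consulted for
    CVEs nobody has yet confirmed in the wild.
    """
    entry = kev.get(cve["id"])
    if entry:
        return "exploited-in-the-wild", "in KEV since " + entry["dateAdded"]
    for name, passes in GATES:
        if not passes(cve):
            return "unlikely-mass-exploited", "fails gate: " + name
    return "likely-mass-exploited", "passes all four gates"


def prioritize(cves, kev):
    """Rank records so confirmed and likely mass-exploited CVEs come first."""
    rank = {"exploited-in-the-wild": 0, "likely-mass-exploited": 1,
            "unlikely-mass-exploited": 2}
    rows = [(c["id"],) + triage(c, kev) for c in cves]
    return sorted(rows, key=lambda r: (rank[r[1]], r[0]))


# Constructed CVE records; every field value here is an assumption.
CVES = [
    {"id": "CVE-0000-4444", "remote": False, "simple": True, "public_poc": True,
     "internet_facing": True, "widely_deployed": True},     # local-only bug
    {"id": "CVE-0000-2222", "remote": True, "simple": False, "public_poc": True,
     "internet_facing": True, "widely_deployed": True},     # PoC is public
    {"id": "CVE-0000-3333", "remote": True, "simple": False, "public_poc": False,
     "internet_facing": True, "widely_deployed": True},     # hard, no PoC yet
    {"id": "CVE-0000-1111", "remote": True, "simple": True, "public_poc": True,
     "internet_facing": True, "widely_deployed": False},    # niche, but in KEV
]

if __name__ == "__main__":
    for row in prioritize(CVES, load_kev(KEV_SAMPLE)):
        print("%-14s %-26s %s" % row)
```

Two caveats a practitioner will want: "unlikely-mass-exploited" only means the CVE does not fit the opportunistic pattern, not that it is safe, since targeted attackers ignore these gates entirely; and the gate inputs (is it really internet-facing, is it really widely deployed) are judgement calls, so the output is a triage order for patching, not a reason to skip it.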
25. ONE WAY TO SOLVE THE PROBLEM
● Deploy a huge network of sensors across the internet
● “Listen” to internet background noise (scans/probes) and internet background exploitation
● Make the sensors look like lots of different software
● Fingerprint every exploit request we find
● Temporarily block offenders BEFORE an attack lands on the perimeter
26. GREYNOISE ORIGIN STORY
Years ago, someone with a lot of money and a lot of weird problems wanted to know if the computers they were running on the internet were seeing a “normal” amount of scans, or an undue amount of attention. I became obsessed and here we are years later: GreyNoise.
27. GREYNOISE TL;DR
● Thousands of sensors - we operate thousands of sensors (kinda like honeypots) across the globe
○ Centrally managed
○ Distributed and geographically diverse
○ What they masquerade as is programmable
○ Every host is ephemeral
● Billions of events - as of March 2022 we’re processing and storing several billion events per day
● Tagging - we add and maintain signatures on exploit, actor, and other patterns using an internally developed tagging engine and DSL
● Use cases - GreyNoise is useful for several use-cases; one of the increasingly popular use-cases is protecting orgs from opportunistic compromise
● Free data - we give away an insane amount of free data. Seriously.
28. CHALLENGES
● Speed
● Provider OpSec
● Cost
● Automation
● Geography
● Data / Scale
● Masqueraders / Fakers
29. SPEED CHALLENGES
● Staying “in front of” the exploit is hard
● We only have a few minutes maximum to go from:
○ Malicious traffic hitting the first few sensors…
○ …classifying the traffic as XYZ exploit…
○ …and finally pushing a “block decision”
● It isn’t enough to classify traffic correctly; you have to classify correctly in time.
30. SELECTING PROVIDERS
● Major cloud providers are easy
○ AWS, Google, Azure, DigitalOcean…
● Language barriers
● Automation maturity
● Infrastructure reliability
● Cost
● GeoIP is fakeish
● No colos
31. EVALUATING CLOUD PROVIDERS
● AWS is the standard for maturity
● API/deployment automation
● Minimum viable features
● Cost
○ Smallest instance
○ Many IPs to one instance
● Reliability
32. COST CHALLENGES
● Lacking financial automation
○ Pre-payment model
○ Remember to top up…
● IPs per host
○ One IP per host is expensive
○ Many IPs to one host is “expensive”
■ Indirect automation and complexity costs
33. AUTOMATION CHALLENGES
● Find the lowest common denominators for deployment and automation
○ Templating/code generation
○ Custom Terraform providers
○ “metacloud”
● Testing is *really* hard
● No common standard
34. RELIABILITY CHALLENGES
● Unreliable APIs
● Unreliable infrastructure
● Latency
● Debugging across multiple providers
35. GEOGRAPHICAL CHALLENGES
● Do you have sensors in X country?
○ GeoIP is fake… sometimes
○ Ambiguous regions
● No colos
● Dependent on automation maturity, cost, reliability
● Do you know how hard it is to find cloud hosting providers in most areas of the world???
● Once you hit a critical mass you can do cool stuff like… identify all IPs that are specifically scanning Israel’s IP space…
36. HERE ARE ALL THE IPS SPECIFICALLY SCANNING/CRAWLING/ATTACKING ISRAEL’S IP SPACE, & NOBODY ELSE’S
https://api.greynoise.io/datashots/bluehat/israel.csv
37. OTHER CHALLENGES
● Account freezes
○ Russia, Ukraine, China
○ Photo verification (sorry Greg)
○ Vetting process
○ Flagged for churning sensors
● Typical big data/scaling challenges
● Shout out to the masqueraders
43. TIMELINE
September 29, 2021: Patch submitted
October 03, 2021: GreyNoise observes first internet-wide vuln scan
October 04, 2021: Apache version update, patch is GA
October 05, 2021: Apache discloses vulnerability to CVE
Note the order: internet-wide scanning was observed a day before the fixed release shipped and two days before the CVE was public.
54. LOG4J
● Interestingly, the first huge wave came exclusively from Tor nodes
● Most attempts at the start were just stuffing the Log4Shell string in random places.
● Shortly after, custom product-specific payloads
59. On any given day, 73% of IPs responsible for opportunistic scan/exploit noise were seen the day before. Only 27% are “new”.
60. WEIRD STUFF
● Spoofed noise storms
● Bad guys acting like security companies that scan the internet
● Upstream blocks
● Just like bad guys, security companies think they’re super sneaky 🤫
● Printjacking
64. “WHACK A MOLE” EXPERIMENT
Hypothesis:
● Blocking extremely fresh internet background exploitation IPs will meaningfully increase the amount of time it takes for a vulnerable host on the internet to be compromised
Method:
● Stand up two identical vulnerable hosts, open to the internet, running poorly credentialed services
○ SSH and telnet
○ admin/aSdmin
○ root/admin
● Measure time to first compromise; total number of compromises
65. “WHACK A MOLE” RESULTS
                 Mean time to compromise   Compromises/day   Compromise attempts/hour
Unblocked host   19 minutes                32                206
Blocked host     4 days 6 hours            4                 35
66. Tiny fast IP blocklists (whack-a-mole) are gross but they work better than you’d expect
67. STAYING AHEAD OF THE NEXT LOG4J
There is relatively little we can do to prevent the next Log4J, but we can make it suck less by centralizing information and providing ready-to-use real-time block lists.
72. GREYNOISE COMMUNITY TRENDS
This is live right now: https://greynoise.io/
73. CONCLUSION
● Internet mass exploitation is quantifiably getting worse. I expect this to continue.
● A huge, distributed sensor system such as GreyNoise is effective at reducing opportunistic compromises
● Running this huge sensor network has challenges, but they’re all addressable
● Instead of hoping another Big Bad Vuln doesn’t happen, let’s prepare for when it does