To see things others can't - APTs, Incident Response, DDoS
•
0 likes•369 views
Some inconvinient questions about Advanced Threats and Incident Response; some data about DDoS attacks.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to To see things others can't - APTs, Incident Response, DDoS
Similar to To see things others can't - APTs, Incident Response, DDoS (20)
Recently uploaded
Recently uploaded (20)
To see things others can't - APTs, Incident Response, DDoS
- 1. To see things others can’t Athens, April 10th, 2014 Marco Gioanola, Consulting Engineer
- 2. To see things others can’t
- 3. 3 Under the microscope: a well known example Tim Gjelten of NPR reports that he simply downloaded [the documents] off the company’s internal Top Secret net: According to the officials, the documents Snowden leaked — the memoranda, PowerPoint slides, agency reports, court orders and opinions — had all been stored in a file-‐sharing locaJon on the NSA’s intranet site. The documents were put there so NSA analysts and officials could read them online and discuss them. Snowden, because he had TS clearance, had access to this net. Not only that, but his job descripJon provided him cover to be the one moving documents around on that net. “It’s kind of brilliant, if you’re him,” an official said to Gjelten. “His job was to do what he did. He wasn’t a ghost. He wasn’t that clever. He did his job. He was observed [moving documents], but it was his job.” Strangely these comments are in direct contrast with the previous NSA narraJve, which painted Snowden as a brilliant cyber tacJcian who masked his movements on the net — leaving officials clueless as to what he took. “If they can’t tell what Snowden took so many months later, they don’t have very good auditability at all,” writes Mike Masnick. “Furthermore, this raises serious quesJons about the NSA’s data management capabiliJes.”
- 4. 4
- 5. 5 Some inconvenient questions • How do you detect if one of your employees copies all the documents from your file server to his PC at home? – He transfers them directly from your network via FTP – He copies them from the file server to a USB disk connected to his PC • How do you detect privileged users abusing encrypted channels (SSH, VPNs) for malicious activities? • Does your firewall / IPS / IDS / Anti-Malware know what time it is?
- 6. 6 Inconvenient answers • How do you detect you have been compromised? • Sometimes, you just don’t. • Traditional security solutions are still necessary, but do not scale – Antivirus – End-point agents – Network Access Control • Behaviour Anomaly detection is key.
- 7. 7 More inconvenient questions • As I said, sometimes, you just don’t realize you have been compromised until it’s too late. • What is your incident response strategy? • How do you trace back the cause of the compromise? • How do you understand when and how the attack initially happened? • APT: – Advanced = smart – Persistent = long-lasting
- 8. 8 More inconvenient answers
- 9. 9 So you want to have a 200TB .pcap... • You need packet capture infrastructure • You need storage • You need to be able to apply today’s knowledge to last year’s traffic • You need power and intelligence
- 10. 10 A view from 30000 meters high
- 11. 11 A view from 30000 meters high • We all know what a DDoS attack is, right? • digitalattackmap.com from Google Ideas
- 12. A real world case • Online gaming community – 3 million registered users, 30.000 simultaneous players online – Free platform with premium paying subscriptions – Repeatedly attacked at peak time (Saturday evening), causing players disconnections, lost points, complains, troubleshooting time, etc.
- 13. The damage and the first reactions • Attacks continued for weeks • Dropped from 3 to 2 million subscribers • Increased ISP bandwidth from 20Mbps to 100Mbps • Tried deploying firewalls, IPS • No success • Customers were moving to the competition, website risked being shut down for good.
- 14. Enter Arbor • The customer contacted us • Our reseller got in touch with the customer’s ISP • Installed trial • Visibility and basic protection achieved.
- 15. Analysis 15
- 16. Analysis 16
- 17. Volumetric attacks • Fine tuning of customer premise equipment blocked all attacks; • Attackers escalated in size: 100Mbps bandwidth congested in minutes. • Need for upstream protection.
- 18. Cloud signaling The Internet Upstream Provider Local Provider Customer Premises miJgaJon ISP-‐based miJgaJon A_ackers
- 19. Cloud signaling The Internet Upstream Provider Local Provider Customer Premises miJgaJon ISP-‐based miJgaJon A_ackers Cloud Signaling Request
- 20. 20 The latest trend • NTP-based amplification reflection attacks • NTP traffic, global, 2013-2014
- 21. 0 25 50 75 100 125 150 175 Dimension in Mbps
- 22. 1,297 0 250 500 750 1,000 1,250 1,500 Dimension in Mbps
- 23. 1,297 2,640 0 2,500 5,000 7,500 10,000 12,500 Dimension in Mbps
- 24. 1,297 2,640 100,000 191,000 300,000 0 50,000 100,000 150,000 200,000 250,000 300,000 Dimension in Mbps
- 25. Stop attacks at the right place: build your arsenal A microscope, to see the Jny details A moviola, to replay what happened Behavior analysis to detect anomalies levels, to get the complete picture. Inspec.on... at different
- 26. ...and most of all... Build a team of experts with the right mix of skills.
- 27. Thank you Marco Gioanola, Consulting Engineer, Arbor Networks