AT&T Real-Time Network Security Overview

Transcription

1 AT&T Real-Time Network Security Overview Dan Solero Director of Security Technology, AT&T

2 Know Your Enemy: Security Threats Extend Beyond Viruses & Worms Distributed Denial of Service Spam for Hire Social Engineering Phishing, Sniffing, Keylogging, etc. Data Leakage Lost/Stolen Laptops, Unsecured Servers Insider Threats 2

3 AT&T s Proactive Security Strategy Web-Based Information Collection Broad Network Mapping Service Vulnerability Exploitation DDOS Zombie Code Installation Use of Stolen Accounts for Attack Social Engineering Targeted Scan Password Guessing System File Delete Log File Changes Reconnaissance Scanning System Access Damage Track Coverage Preventive Phase (Defense) Reactive Phase (Defense) AT&T Focuses protection toward these phases of Attack Lifecycle Indications and Warning Threshold (Defense) Other alert tools gather their information in the latter phases of an Attack 3

4 AT&T Real-Time Security Management 24/7 Situational Cyber Security Awareness Threat Management Interface AT&T Global Network Operations Center Management Servers, Consoles, and Database ~40 Cases/Day AT&T Custom Database Technology Daytona System (Data Mining Algorithms) Customized Event Parsers and Consolidators ~170 Alerts/Day ~270 Million Events/Day AT&T Enterprise and Internet Feeds IDS Alarms Firewall Logs DLP Alarms Netflow Proxy Logs Server Alarms Internet Alarms DDOS Detection VPN Logs Honey Pots 4

5 Bot Detection Sampling of identified botnets analyzed Visibility of roughly 10% of total Internet Approximately 16M unique IPs 16 months Hundreds of malware files captured 60+% not detected by Anti-Virus 5

6 Uses of Botnet Data Spam-source Blocking Alerting Improved Detection Vision: Botnet-Aware Network 6

7 AT&T Internet Protect SM Alert A Increased scanning on port 23/tcp (Feb 8, 2006) Description: AT&T Internet Protect has been able to identify a botnet that is actively scanning on port 23/tcp and is targeting Cisco devices such as routers for exploit and access. The activity has taken place in multiple short-term durations; targeting a variety of Internet address segments. Multiple successful exploits have been identified; gaining "enable" and/or "console" passwords for the devices. The exploit is not limited to weak passwords. At this time, it is not clear exactly what exploit is being used to attack the routers nor for what function the routers might be used. However, this capability could be used by malicious users to launch DDoS attacks, sniff private network traffic, change routing on networks, subvert Access Control Lists, and/or use the routers to create logical private networks for the malicious users. Recommendations: Users of Cisco devices should block Internet-facing access to any management services. If it is absolutely necessary to perform management from Internet facing interfaces, use Access Control Lists (ACLs) to restrict access only from IP sources/hosts that are authorized to perform these management actions. * Try to avoid using telnet as a remote access method, and use TACACS+ or RADIUS for authentication. * Make sure IOS patch levels are up to date. * Inspect routers for possible misconfiguration that may have granted telnet access to outside users. * Logs or flow records may be helpful to determine if any unauthorized connections are taking place. * If the router is compromised, there may be no direct evidence since the exploit is capturing passwords. If there is a possibility the router may have been compromised, take actions to prevent further compromise and immediately change passwords. 7

8 Indicators of the StormWorm (W32/Nuwar, Trojan.Peacomm) active on changing udp ports Storm Worm Tracker Storm worm transitions to new port Storm worm continuing to utilize ports 11275/udp and 16275/udp 8

9 Global StormWorm Activity Malware update June 3, 2008 Typical day in

10 AT&T Internet Protect SM Alert A Pop-up spam activity on ports 1026/udp and 1027/udp (May 6, 2008) Description: Internet Protect has observed a significant increase in activity on ports 1026/udp and 1027/udp. Microsoft Net Messenger opens a listener on these ports to receive net messages. This service was initially developed to permit network administrators to send messages to all the clients connected to their network. Today the messenger service is mainly used by pop-up message spammers who send bulk messages to many IP addresses. These messages often contain advertisements and links to web sites. Clicking on these links frequently results in the computer becoming infected. Recommendations: To avoid infection: * Always block any unused ports and services. * If business needs permit, block/filter all traffic to ports 1026/udp and 1027/udp. * Ensure that all the latest Operating Systems and application patches have been applied. * Perform a virus scan with the latest antivirus signatures. * Educate users about the safe internet browsing. * Establish a complex alphanumeric password policy. 10

11 AT&T Internet Protect Alerts Events in downadup/conficker evolution Alert 895 Early indicator RPC scanning Nov 4 Alert 901 Early Indicator SMB scanning Nov 13 Alert 907 Increased traffic from worm variants Nov 21 Alert 913 Increased scanning from Downadup.A and other malware Dec 15 Alert 915 Increased SMB scanning Dec 31 Alert 916 Downadup.B and other malware spreading Jan 5 Alert 934 Downadup.B++ (Conficker.C) worm update Mar 19 10/23 Advisory Microsoft Announces MS Out of Cycle RPC Patch 11

12 Conficker Worm April 01, ,136 visible members, 8 control servers, tracked since 7/

13 AT&T Threat Recon Index (TRI) Downward Trend - SASSER Diminishin g DownAdUp /Conficker Activity Pop-up spam Activity 13

14 Fucuzzy September 01, ,136 visible members, 8 control servers Tracked Since July 2006 Page 14

15 Security Services Expansion Security Enforcement Capabilities DDoS/Botnet protection Firewall rule enforcement Intrusion Detection/Prevention Worm and virus filtering URL filtering Mail filtering Data leakage prevention solution Botnet/threat-aware DNS solution Customer Benefits Minimal initial investment Scalability Professional Support Global Enforcement Nodes Security Operations Center Early Cyber Threat Warnings Metadata collection, Behavior and Anomaly-Based Analysis 24x7 Data Fusion 15

16 AT&T s Security Capabilities How we protect your network infrastructure Employ the network as the first line of defense Utilize AT&T s predictive security capabilities Implement a defense-in-depth strategy Provide a broad portfolio of security services Quick Facts about AT&T Managed Security End to end Security Capabilities- from end point to the cloud Security integrated with AT&T services as appropriate In the Cloud security industry recognition More than 1,400 world-class security experts and support professionals SAS70 Compliant services Customer access to reports and tools via AT&T BusinessDirect Portal 16

17 Thank You! 17

18 Backup slides 18

19 What is a Botnet? Group of compromised computers with common control points that run software autonomously and automatically Used for malicious or unauthorized purposes Common Terms Bot an individual machine that is compromised Botnet a collection of bots that are under common control Botnet controller (a la C&C) server that relays commands and responses Botnet operator the person or people that initiates a bot Pictures from a document by CERT India Page 19

20 Types of Botnet Threats Numerous malicious applications Distributed Denial of Service (DDoS) attack Spam Phishing Sniffing, key-logging and collecting traffic Host rogue network-based applications Fraudulent ad clicking Dead drop points for collection & dissemination of malware Massive and distributed storage capacity for distribution Massive distributed computing power Page 20

21 Illustrative Power of Botnets Just a few bots can disrupt business operations Power Required to Disrupt a Business Power Required to Disrupt Typical ISP or Hosting Provider Page 21

22 Top 10 Bots Potential threats identified, yet still active and waiting NOTES: Actual size could be at least 10-20x larger This report only covers top 10 active IRC-based botnets. Page 22

23 Flow Record Analysis AT&T processes designed to identify suspicious traffic patterns Source_Addr Dest_Addr Port Flags Pkts Bytes Time APRSF :48: S :48: APRSF :48: AP-S :52: APRSF :53: APRS :54: AP-SF :58: AP-SF :16: A--SF :16: APRSF :16: AP-SF :17:05 Analog of Call detail records for Internet traffic Represents one side of conversation Unique flow for each SIP, DIP, protocol, Sport, Dport Page 23

24 Flow Record Analysis AT&T processes designed to identify suspicious traffic patterns Source_Addr Dest_Addr Port Flags Pkts Bytes Time APRSF :48: S :48: APRSF :48: AP-S :52: APRSF :53: APRS :54: AP-SF :58: AP-SF :16: A--SF :16: APRSF :16: AP-SF :17:05 Analog of Call detail records for Internet traffic Represents one side of conversation Unique flow for each SIP, DIP, protocol, Sport, Dport Page 24

25 Example-Internet Anomalies Tracked by AT&T Significant increase in sources scanning port 23/tcp Page 25

26 Scan Activity Targeting Telnet The characteristics that highlight the activity Unique source IP addresses scanning Number of probes Page 26

27 Early Indications of Worm Activity Evolution and status of worm variants Variant B++ Feb 06 Variant C Mar 05 New Variant D Mar 17 New Variant E April 07 Variant A Nov 21 Variant B Dec 29 Variant C/D Activation Variant E Self delete May 03 Page 27

28 Propagation and Communication Widespread, proliferating, and reporting back to hacker Propagation methods Network Exploit 445/tcp scanning for vulnerable systems MS (10/23/08) File shares with null or weak passwords Infected removable devices (e.g., USB drives) Variant C does not make attempts to propagate Variant E scans on tcp/445 again Check-in / Bot Control Methods Bot control hasn t been observed yet Connects via http (80/tcp) to pseudo-randomly generated domains 250 possible domains per day (A to B++ variants) It is believed that these were not used by the botnet security researchers preregistered many of these to track botnet size 50,000 possible domains per day (C variant after 4/1/09) connection attempt every 2 hours (B, B++) or 3 hours (A) Geolocation & External IP address discovery P2P (UDP & TCP) Variant E will self terminate on May 03, 2009 Page 28

29 Worm s Defensive Capabilities Intelligence to turn off security and stay hidden Anti-Mitigation Blocks DNS requests to many security, anti-virus and product update sites (by modifying the kernel driver providing DNS on the machine) Locks certain registry keys so even admin can t change (only system) Terminates anti-virus software Anti-Analysis Gets system time from HTML of public web sites (such as google, facebook, yahoo) so changing system time has no affect Double-packed/encoded executable (not including encryption for updates) Terminates some monitoring tools May detect virtual environments (VMWare) and other anti-debugging features Self-Updating Check-in to pseudo-random domains may facilitate updates Inefficient P2P while scanning on 445/tcp, if finds already infected bot with newer software, it will copy that software Improved P2P (Variant C and later) Finds and connects to peers based on an algorithmic mapping of IP address to pseudorandom port Only properly digitally encrypted (RC4) and signed executables will be installed Page 29

30 AT&T Network-Based Firewall Service Features Transparent, stateful firewall Intrusion Detection / Intrusion Protection Central application of outbound or Inbound/Outbound security policies across many locations Fully managed solution for simplified design, deployment & management Virus screening and spam filtering Service from 1.55Mbps to 135Mbps per gateway (higher bandwidths available) Branch Internet DSL/Dial Customer IP Enabled Frame & ATM Wide Area Network Partner Benefits Main Location/HQ Customer Network DMZ Remote Employees Easily upgrade speeds & sites as traffic grows Web Radius SMTP Leverage WAN investments Reports via customer accessible website Page 30

31 AT&T DDoS Defense Service IP Backbone Scrubbing Legitimate Attacker DIP DIP AT&T OSS Monitor AT&T IP Backbone DIP: Tunnel Scrubber Head-Ends 7606 AT&T 24/7 DDOS Analysis Console DIP Scrubber Scrubber Scrubber Cisco (Riverhead) Guards Server IP: Server IP: Page 31