C. Universal Threat Management (UTM) C.1. Threats

Transcription

1 UTM I&C School Prof. P. Janson September 2014 C. Universal Threat Management (UTM) C.1. Threats 1 of 21

2 In spite of all the foregoing techniques the IT world is still insecure Why isn t there total security? Brittle software + people failures On June 4, 1996 an unmanned Ariane 5 rocket launched by the European Space Agency exploded just forty seconds after its lift-off from Kourou, French Guiana. After a decade of development costing $7 billion, the destroyed rocket and its cargo were valued at $500 million. The cause of the failure was a software error in the inertial reference system. Specifically a 64-bit floating point number relating to the horizontal velocity of the rocket with respect to the platform was converted to a 16-bit signed integer. The number was larger than 32,767, the largest integer storable in a 16-bit signed integer, and thus the conversion failed. 2 of 21

3 In this first chapter on Unified Threat Management we will first see how and why IT is threatened 3 of 21

4 First we need to introduce some facts and taxonomies Then we review some important threats and their features Some history Some figures Threat objectives and consequences Threat types Hackers Malware vectors Malware taxonomy Brittle software terminology Software (in)security 4 of 21

5 Hackers & hacking Hacker & hacking Formerly => flattering skills Never => flattering behavior Today => criminal behavior Honored skills => ethical / white-hat hackers = security engineers Black-hat hacker objectives Illegally penetrating systems to steal, modify, or destroy information (attacking C-I-A) By first defeating authentication, authorization, and / or assurance To perpetrate or inject malware that will then perpetrate the C-I-A attack While hiding their own tracks (defeating accountability) 5 of 21

6 Main hacking threats By increasing complexity Trying easy / default credentials Brute forcing dictionary attack Stealing credentials Abusing or circumventing poor authentication or authorization Injecting code as data Including code as (remote) data file (see attack chapter) (see attack chapter) Exploiting prior backdoor (see next lesson) 2/3 of attacks involve authentication abuses of 21

7 Malware vectors Social engineering via Explicit or drive-by downloads from untrusted web sites (e.g. file sharing) Verizon 2013 DBIR Hacks Against authentication or authorization (see earlier chart) File inclusion / injection hacks (see attack chapter) Unsigned or drive-by downloads from reputable but corrupted web sites Other malware installed earlier times more likely than from shady sites (Source Cisco 2013 Annual Security Report) By increasing complexity 7 of 21

8 Malware taxonomy The essence of all malware Mobile code Malware propagation taxonomy Viruses, worms, Trojan horses, and Easter eggs Malware hiding taxonomy Outboard, stealth, and polymorphic malware Malware functional taxonomy Defeating CIA 4 NB: taxonomy boundaries are often fuzzy so malware may fall in multiple categories NB: Hard malware can also be inserted into chips at Specification, design, or fabrication stage System, logic, gate, transistor, or physical level most perversely By development environment tools By companies in foreign countries with shady agendas Can however hardly propagate after fabrication!... 8 of 21

9 The essence of all malware mobile code A genuine hardware system delivered with clean original software programs cannot do any harm A genuine software program delivered over a trusted supply channel cannot do any harm Malware can be injected only from corrupted systems OR over untrusted channels Trouble is: Clean systems & trusted channels contain vulnerabilities (see later) that hackers can leverage to inject malware 9 of 21

10 Malware propagation taxonomy Trojan horse malware typically hidden inside genuine software Typically does not propagate by itself & means to remain invisible An Easter egg is a funny but otherwise harmless Trojan Horse Virus malware existing only inside some regular executable file Propagates by grafting itself onto other files / storage devices and traveling with them wherever they go Worm malware existing by itself as separate software file(s) Typically self-propagates over the network by exploiting security holes or through removable media Inside host code Stand-alone No propagation Trojan horse (Trojan horse) Self-propagation Virus Worm 10 of 21

11 Distribution of malware propagation categories * (* Backdoors are a form of Trojan horses) Source: IBM X-Force 2009 Mid-Year Trend and Risk Report Reprinted by courtesy of International Business Machines Corporation, ( ) International Business Machines Corporation 11 of 21

12 Malware hiding taxonomy Malware is easier to search and identify if located in regular storage areas Outboard malware tries to hide in unlikely places Data files, hidden files, boot sector, other non-file areas Malware is easier to search and identify if it leaves visible footprints (= signatures) Stealth / obfuscated malware covers its own tracks by lying about its presence Faking absence, size, hash, etc. e.g. using rootkits Malware is easier to search and identify if it leaves recognizable signatures Oligomorphic malware encrypts itself with different keys for every instance Polymorphic malware decrypts itself with different routines for every instance Metamorphic malware organizes itself into different flowcharts for every instance => Recognizing such malware becomes harder as characteristic signatures gets smaller //// ///// \\\\\ ### xxxx %% 12 of 21

13 Malware functional taxonomy Frequency Passive malware (data) (for social engineering) Devious spam, fraudware Active malware (code) (by attack chronology) 6 Authorization, authentication Exploits Backdoors Redirection malware 3 Accountability, administration and assurance Rootkits System & network utilities Integrity Defense disabling malware Malware infection malware Confidentiality Spyware / scumware Exfiltration malware Verizon 2013 DBIR Availability Botnets 5 13 of 21

14 Passive (social engineering data) malware Adware Adware leverages the greed factor to trick victims into spending money for something they want Some adware is of course legitimate and advertises genuine products / services But much fraudulent adware advertises fake products / services Scareware Scareware leverages the FUD factor to trick victims into spending money to avoid something they fear Some scareware is of course legitimate adware for genuine offerings But much fraudulent scareware advertises fake products / services Ransomware Ransomware is a particular form of scareware threatening to harm recipients unless they pay for protection Merely e-xtortion, e-racketeering, e-blackmailing Clickware / likeware Hides rogue link behind legitimate looking button to lure user into triggering an action deviating clicks to revenue-making site or propagating attack to SNW friends 14 of 21

15 Authorization, authentication, accountability, administration, assurance deception malware Exploits (defeat authorization & authentication) Break into systems through known vulnerabilities Backdoors (defeat authentication) Allow hackers to re-enter infected systems through convenient hidden pathway Redirection malware (defeat authentication / accountability) Redirects browser clicks to unintended web sites (to abuse user or server authority, or redirect to rogue or corrupted web sites) Remote Administration Tools (RATs), e.g. Poison Ivy (defeat authentication) Allow remote management of infected system Proxies (defeat accountability) Allow hiding true origin or destination of network connections Rootkits (defeat administration & assurance) Hide presence of other (stealth) malware 15 of 21

16 Integrity defeating malware Defense disabling malware Prevent detection of attacks & infections Malware infection malware Downloaders pull other malware from a remote site to a target system Injectors / droppers push other malware components onto a target system 16 of 21

17 Confidentiality defeating malware Typically stealth to hide information theft (except when activists look for embarrassing visibility) Spyware / scumware: key-loggers, form-grabbers, screen / RAM scrapers, etc. Infostealers / exfiltration malware: leaks victims valuable information Customer, supplier, or employee PI Financial information Security information Intellectual property Trade secrets Etc. Used in Industrial espionage for gaining some commercial advantage National or international espionage for gaining political / military advantage Identity theft and impersonation Targeted personal attacks (spear phishing / whaling / APAs) 17 of 21

18 Availability defeating malware Botnets = worst of all threats Trojan Horses that propagate like worms and viruses Rely on textbook examples of stealth and morphing malware Include exploit, infection, disabling, and RAT malware To mass-deliver DDoS, spam, spyware throughout zombie networks Typically detected by abnormal HTTP activity type and volume Increasingly sophisticated Server-based zombies for higher power and connectivity Self-repairing C&C center and zombie replication and migration DNS fast-fluxing or C&C center domain-fluxing for evasion through Domain Generation Algorithm (DGA) Botnet C&C center Zombie Fixed name DNS variable IP addresses Botnet C&C center Variable name fixed IP address Botnet C&C center 18 of 21

19 Trojan malware category distribution Source: IBM X-Force 2009 Mid-Year Trend and Risk Report Reprinted by courtesy of International Business Machines Corporation, ( ) International Business Machines Corporation 19 of 21

20 Remember basics: the weakest link = the human element Malware is just like poison Poison is harmless unless ingested Intelligent people do not willingly ingest unidentified substances The same should but often does not apply to IT users even educated ones This is how social engineering, spam, phishing, SNW, and hacking have become the poison delivery mechanisms, so once again the same lesson: Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. A. Einstein there is no technical fix for human stupidity, which is the weakest link! 20 of 21

21 Terminology (Software) faults, errors, and failures (Hardware) V V V (Security) vulnerabilities, attacks, and intrusions 21 of 21