Cyber Warfare: Identifying Attackers Hiding Amongst the Flock

Transcription

1 Cyber Warfare: Identifying Attackers Hiding Amongst the Flock Anthony Lauro Sr. Enterprise Security Architect Akamai Technologies, Inc October 3 rd, 2015

2 Who am I? (unphilosophically speaking) About me: Anthony Lauro CISSP, GWAPT Sr. Enterprise Security Architect Akamai Technologies, Inc 16 years Information Security Experience Advise Akamai clients on Cybersecurity Resilience Lead Application Security training for Enterprise Security Architecture Attended CCCC a long, long time ago

3 There are no rules of architecture for castles in the clouds. -Gilbert K. Chesterton

4 There are no rules of architecture for castles in the clouds. -Gilbert K. Chesterton

5 THREAT LANDSCAPE

6 Q1 13 Q2 13 Evolving Attack Campaigns Q3 13 Q4 13 Q 190 Gbps attack against US financial institution Account Checker (ecommerce) (Financial Services) Operation Ababil 17 D (R Largest DNS reflection attack, 167 Gbps Record number of DDoS attacks in Q EME

7 Top 10 Target Countries for Web Application Attacks Q1 2015

8 Top 10 Source Countries for Web Application Attacks Q1 2015

9 Attacks Grow Because Methods Improve Traditional DDoS attacks used compromised home computers Cloud based DDoS attacks harness the scale of global botnets Amplification attacks target protocol vulns to amplify size SNMP (6.3x) DNS (28x-54x) CharGEN (358.8x) NTP (556.9x) e Gbps Mpps

10 You Don t Have to Be Elite Anymore: You can do it, we can help!

11 Infrastructure Attacks: Smoke Screen? 27% 24% 30% 8% 4% 5%

12 WHAT MOTIVATES THE THREAT ACTOR? Hacked Web Server

13 Are You Prepared?

14 There Are No Immunities Between Verticals Source:

15 2014 Attack Trends Top three attack vectors are application layer attacks Defacement leads as the top attack, followed by SQLi and Account Hijacking as the most prevalent attacks seen in 2014 Source: Stateoftheinternet.com

16 Login Abuse: Account Checker Attacks The fuel for any account checker is a list of credentials. Fortunately for attackers, there are a huge number of credentials that are public. 38,000,000 Adobe accounts 318,000 Facebook accounts 70,000 Google accounts 60,000 Yahoo accounts 22,000 Twitter accounts 8,000 ADP accounts 8,000 LinkedIn accounts

17 DEFENSEIVE Techniques

18 A Castle Built in 1385 Defense against French: 100yr War

19 Acts as a gateway Defensive resources become limited Entry and Exits cannot coexist

20 WEB SECURITY Common Approaches

21 Common Approaches to Web Security Deny the problem Build It Buy Boxes

22 DO NOTHING

23 Approaches for Web Security On-Premise Hardware Internet Service Providers Application Protection Cloud Service Bandwidth Router Firewall ISPs Cloud Platform Load balancer

24 On-Premise Hardware On-Premises Web Security Approach Bandwidth Router Firewall Load balancer Bandwidth Constraint Connection & Processing Limitations Application Vulnerability Exploitation Have to ingest ALL traffic before a Yes/No decision can be made Performance Degradation Throughput of devices cannot meet volume / requests per second of good and bad traffic spikes. Reliability WAF configurations are complex often not tuned properly or not in blocking mode. Accuracy

25 How did this breach occur, we have a WAF!! I put the WAF on a SPAN port. I was afraid of blocking legitimate traffic!

26 Internet Service Provider Approach Internet Service Providers DDoS Only Protection ISPs False Positives/ Upstream Blacklisting Single-Homed Protection Carrier Dependent Architecture Capacity Issues At Scale

27 Those are birds Right? I forgot my shield!

28 Application Protection Cloud Service Approach Application Protection Cloud Service Not Always Enterprise Class Protection Direct-to-Origin DDoS Protection Gap Shared Infrastructure (Capacity Constraints) Acceptable Use Monitoring Challenge Cloud Platform Retaining Real-time Visibility

29 In other words, careful where you aim that gun, #OpISIS, because it might point back at you as well. -Mike Masnick TechDirt

30 MULTI PERIMETER DEFENSE

31 MULTI PERIMETER DEFENSE

32 MULTI PERIMETER DEFENSE

33 For Internet-facing Applications Web Retrieval and integrity of content and data Datacenter Origin Supporting infrastructure and other applications Internet DNS Finding the application User

34 Volumetric Protection Massive resiliency Thousands of points of presence Distributed geographically Rate controls for noisy requestors Multiple Perimeters For Internet-facing Applications Attacks Against CNAMEs Network and application layer filtering capable Protocol validation/filtering SSL decrypt re-encrypt Geo Sensing and Filtering Capable Capacity: Throughput & P/ps Attacks Against Datacenter IP s Direct to origin protection using BGP redirection Multiple globally distributed scrubbing centers Attack capacity to withstand multiple attacks at once Good traffic bypass as not to degrade performance

35 Multiple Perimeters For Internet-facing Applications Application Layer Attacks SSL decryption at scale Risk scoring rule sets Tune accuracy over time Attacks Against DNS Event Visibility Rate Controls - Connection Throttling White Listing Application Inspection DNSSEC Client/Server Locks Anycast Responses Threat intel gathered and validated against global dataset Real-Time event correlation between security policies Ability to identify hosts based on previous malicious behavior Import log feed from cloud into internal SIEM for correlation

36 HOW TO YOU IDENTIFY & CLASSIFY

37 THERE S A DIFFERENCE BETWEEN VISIBILITY & INSIGHT

38 CLIENT REPUTATION SCORING Use behavioral data to protect your castle Collect and correlate attack traffic into a large dataset from across the web Identify bad clients based on past behavior Define a risk score for malicious clients Filter malicious client based on risk score

39 InfoSec teams are swimming in data More raw information is not the solution Information Raw, unfiltered feed Aggregated from virtually every source May be true, false, misleading, incomplete, relevant or irrelevant Not actionable Intelligence Processes, sorted information Aggregated from reliable sources and cross correlated for accuracy Accurate, timely, complete, assessed for relevancy Actionable

40 Threats Change/Advance Over Time 124,625 Shellshock disclosed 69, ,008 16,135 21,359 15,071 30,427 9/24 9/25 9/26 9/27 9/28 9/29 9/30 10/1 Unique Shellshock payloads

41 CASE STUDIES APPLICATION / DDoS ATTACKS

42 Case Study: 320 Gbps DDoS Attack: Gaming Vertical, APAC Region Largest attack ever mitigated by Akamai against single customer Targeted primary website, supporting network infrastructure, and DNS Multiple attack vectors: SYN/UDP floods - entire subnet Volumetric attack against DNS Attack characteristics: 320 Gbps and 71.5 Mpps peak traffic 2.1 million requests/s against DNS

43 One Attack in a Broader DDoS Attack Campaign Day campaign against single customer 39 distinct attacks targeting applications and DNS infrastructure Eight attacks >100 Gbps including record 320 Gbps attack Start Infrastructure (Gbps) Web (Gbps) authdns (Mpps) DNS Reflection (Mpps) End

44 Opening Ceremony Grow revenue opportunities with fast, personalized Olympics web experiences and manage complexity from peak demand, mobile devices and data collection. 1 st day of sports 132 BILLION requests processed by our WAFs 10x more than 2010 Winter WAF rules triggered 127x more than 2010 Winter Olympics Custom Rules Triggered: 166,000,000 Rate Controls (Adaptive Rules) Triggered: 5,600,000 Requests Denied: 182,200,000

45 Opening ceremony Attack traffic Spain to Netherlands 4500 Chile to 3500 Australia Grow -500revenue opportunities with fast, personalized web experiences and manage complexity from peak demand, mobile devices and data collection Ivory Coast to Japan

46 Web Application Attacks by Industry Q Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks.

47 The Attack du jour? Reflection attack Mostly SNMP v2c devices (~3+ years old) with default public community string Routers, printers, cable modems, NAS New tool automates sending getbulkrequest to open SNMP servers. Flood of SNMP GetResponse data sent from reflectors to victim on port 80 SNMP query begins at highest (OID) tree level to obtain largest possible response

48

49 Case Study: NTP Attacks on Origin Attack Vector Request with spoofed source IP of target server sent to a vulnerable NTP server that allows the monlist function. NTP server replies back to the target IP, direct to origin, at massive scale. Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. 500X RETURN RATE IN TRAFFIC >100GBPS ATTACK TRAFFIC AGAINST ORIGIN 1,000+ INCREASE IN HITS PER SECOND AGAINST ORIGIN

50 Use nmap NSE Script: identify vulnerable hosts Example: nmap -su -pu:123 -Pn -n --script=ntp-monlist <target> The monitor list in response to the monlist command is limited to 600 associations. The monitor capability may not be enabled on the target in which case you may receive an error number 4 (No Data Available). There may be a restriction on who can perform Mode 7 commands (e.g. "restrict noquery" in ntp.conf) in which case you may not receive a reply. This script does not handle authenticating and targets expecting auth info may respond with error number 3 (Format Error).

51 SSDP aka upnp (Universal Plug and Pray) SSDP 200-OK Response

52 DNS Attack Targeting Akamai Customer DNS requests peaked at 168k per second. 19B hits in 5 days. Normally serve ~30M hits per week.

53 DNS Hijacks Attacks: Common Tactic for Middle Eastern Attackers Best Practice DNS Locks Client DNS Locks clientupdateprohibited clienttransferprohibited clientdeleteprohibited US DoD s DNS Hijacked Registrar locks serverupdateprohibited servertransferprohibited serverdeleteprohibited

54 Remote File Inclusion RFI Attempt to pull click.php file from remote location Using RFI vuln in TimThumb Plugin

55 Here s what click.php is really about! HTTP(s) Redirections can fluctuate between different pay4click companies and advertiser s and that means precious bitcoin revenue for the attacker and his friends.

56 When good things go bad: Rogue Reseller to Competitor At first they were just scraping our site and we saw it to be mutually beneficial After years of this relationship we recently found that they now have a copycat site and are selling our products that they are now manufacturing on their own. Enterprise Manufacturing Customer

57 Blind SQL Injection: Time Based Attack Client Request This type of blind SQL injection relies on the database pausing for a specified amount of time and examining the results. Using this method, an attacker enumerates each letter of the desired piece of data.

58 SQL Injection Analysis 2000 customers over one week Protocol Breakdown SQL Injection Attacks % HTTP 8,137, HTTPS 287, Total 8,425, Breakdown by Intent Source: Akamai CSI

59 CMD INJECTION

60 Remote File Inclusion Attack Request Client Info

61 Credentials Cookie Value Exposure

62 ACCOUNT CHECKERS: CARDERS Several techniques are used to avoid detection and mitigation, including: Randomization of UserAgent header Targeting of alternative (mobile/api/legacy) login pages, which may have weaker mitigation controls and are often overlooked by the customer. Attacks originate from highly distributed set of IP addresses, with different source countries. Use of low request rates to evade rate controls. Change in order of headers. Changes in tactics when 403 responses are received.

63 Fraud Vietnamese Carders Carder TTP Build Tools Server Cultivate List of Open Proxies Acquire Compromised Logins Check/Alter Compromised Accounts Make Fraudulent Purchases Cash out/resell gift cards

64 Login Abuse: THE STRUGGLE IS REAL You know who you are!

65 Login Abuses: TTPs and Defenses Rate controls to block fast moving scripts Attack relies on being able to check thousands of accounts quickly Blocking aggressive scripts prevents login exploitation Internal monitoring for changes to customer accounts address Shipping address Same on multiple accounts Geo blocklists for areas where there is no business Cuts down on the places attackers can launch from Do cloud server providers need to access your webpage? Custom rules to block User-Agent strings (or lack thereof) Attack scripts are often simple and will contain only curl or wget Sometimes none at all

66

67

68 Industries affected Payment Processing Banking & Credit Unions Gambling Oil & Gas E-Commerce High Tech Consulting/Services DD4BC: (DDoS for Bitcoin) Attack Types Boot Stressor sites most likely culprit Reflection Attacks

69 Looking Forward into 2015 Industry Verticals Gaming, Fiserv, Internet & Telecom, Software & Tech, and Media verticals expected to be targeted heavily in 2015 Security vulnerabilities continue to increase due to bespoke/custom applications Good history of successful attacks DDoS Attacks Expect more mega attacks > 100Gbps Commoditization of DDOS attacks IPv6 uptake to increase DDoS vector Never pay ransoms, but do have a plan APPLICATION ATTACK TRENDS APPSEC IS FAILING NEED HELP! IF YOU DON T HAVE AN APPSEC PROGRAM START ONE! INJECTION & XSS RIDE OWASP TOP 10 SESSIONS MGMT YOURE DOING IT WRONG DEVELOPERS YOU RE BEHIND!

70 Cyber Security Requirements: 5 Points To Take Away 1. You Need Validated Data To derive intelligence on current & evolving threats. 2. Scale, Availability & Resilience To be high performing, take the punches, & stay online. 3. A Plan To understand how to respond to bad day scenarios. 4. Control & Flexibility To adapt your defenses dynamically. 5. People & Experience To execute every time you come under attack.

71 RESOURCES OWASP: OPEN WEB APPLICATION SECURITY PROJECT BSIMM5: BUILDING SECURITY IN MATURITY MODEL v5 SANS SWAT: SECURING WEB APPLICATION TECHNOLOGIES v1.1 CERT: SECURE CODING STANDARDS AKAMAI TECHNOLOGIES (HEY, WHY NOT)

72 Tony Lauro CISSP, GWAPT Senior Enterprise Security

73 The Collin College Engineering Department Collin College Student Chapter of the North Texas ISSA North Texas ISSA (Information Systems Security Association) Thank you NTX ISSA Cyber Security Conference October 2-3,