Post-Access Cyber Defense

Transcription

1 Post-Access Cyber Defense Dr. Vipin Swarup Chief Scientist, Cyber Security The MITRE Corporation November 2015 Approved for Public Release; Distribution Unlimited

2 2 Cyber Security Technical Center 430+ technical staff solving cyber security challenges using a strong science and engineering foundation Leveraging broad and deep technical knowledge Serving as integrating back plane Bringing a strategic and objective technology perspective Providing thought leadership to cyber security work programs Technical Capability Areas System Security Engineering Cyber Resiliency & Cyber Situation Awareness Critical Enabling Security s Security for Enterprise & Cloud Architectures Cyber Assessments and Testing Mobile & Emerging Technologies Strategy, Policy, Privacy Cyber Partnerships, Sharing, & Automation Threat Based Operations (e.g., SOCs, Threat Intel) Threat-based Ops Systems Analysis & Reverse Engineering Mission Technologies (e.g., Insider Threat, Forensics) NIST RMF bits and bytes to policy and governance

3 Example: Phishing & Waterholing Attacks 3 IT administrators targeted and spear-phished Initial compromise and credential theft IT administrators credentials used to upload malware to patch server Malware distributed and executed via authorized, trusted channels South Korea, March 2013: 32,000+ computers & servers of banks and broadcasters rendered inoperable

4 Cyber Threat Model : ATT&CK Matrix Tactics and Techniques 4 Persistence Privilege Escalation Legitimate s Accessibility Features AddMonitor DLL Search Order Hijack Edit Default File Handlers New Path Interception Scheduled Task File Permission Weakness Shortcut Modification Web shell BIOS Hypervisor Rootkit Logon Scripts Master Boot Record Mod. Exist g Registry Run Keys Serv. Reg. Perm. Weakness Windows Mgmt Instr. Event Subsc. Winlogon Helper DLL Exploitation of Vulnerability Defense Evasion Binary Padding DLL Side- Loading Disabling Security Tools File System Logical Offsets Hollowing Rootkit Bypass UAC DLL Injection Indicator blocking on host Indicator removal from tools Indicator removal from host Masquerad-ing NTFS Extended Attributes Obfuscated Payload Rundll32 Scripting Software Packing Timestomp Access Dumping s in Files Network Sniffing User Interaction manipulation Host Enumeration Account File system Group permission Local network connection Local networking Operating system Owner/User Security software Window Lateral Movement Application deployment software Exploitation of Vulnerability Logon scripts Pass the hash Pass the ticket Peer connections Remote Desktop Protocol Windows management instrumentation Windows remote management Remote s Replication through removable media Shared webroot Taint shared content Windows admin shares Execution C2 Exfiltration Command Line File Access PowerShell Hollowing Registry Rundll32 Scheduled Task Manipulation Third Party Software Commonly used port Comm through removable media Custom application layer protocol Custom cipher Data obfuscation Fallback channels Multiband comm Multilayer Peer connections Standard app layer protocol Standard nonapp layer protocol Standard cipher Uncommonly used port Automated or scripted exfiltration Data compressed Data encrypted Data size limits Data staged Exfil over C2 channel Exfil over alternate channel to C2 network Exfil over other network medium Exfil over physical medium From local system From network resource From removable media Scheduled transfer

5 5 Improving Embedded Security (e.g., BIOS) BIOS (Basic Input/Output System) executes when a computer starts up before the OS loads UEFI (Unified Extensible Firmware Interface) is the de facto (Intel) BIOS standard 100s of vendors A BIOS attack, performed remotely, can result in permanent denial of service or persistent stealth backdoors BIOS vulnerabilities include: BIOS configuration errors: 20 configurations need to be set correctly with complex interdependencies Exploitable firmware vulnerabilities: enable attacker to bypass all configuration locks MITRE disclosed UEFI vulnerabilities to Intel in Nov/Dec 2013 and at BlackHat/Defcon in Aug HP and 39+ Dell models affected and patched Other vendors products also affected UEFI Security Response Team stood up

6 Cyber Games and Behavioral Analytics 6 Living lab (enclave of operational enterprise network) 250 computers, primarily Windows 7 Blue Team: 100% detection of implants; 97% of systems accessed TTP Emulation Workstation Workstation Blue Team Red Team FMX Living Lab FMX Servers Target Server

7 7 Cyber Denial & Deception (D&D) Methodology Cyber-D&D Should be a strategic component of the active defense lifecycle Needs to be coordinated with intelligence and operations Deception Chain A model for planning, preparing, and executing deception operations Applicable at every phase of the intrusion lifecycle Should be used in conjunction with the D&D Methods Matrix for mapping and tracking operational objects and methods Outcomes Exercises/experiments (SLX II, FMX) with Deception Chain and D&D Methods Matrix Cyber-D&D book Ex. tactical D&D goals

8 8 CyGraph Cyber Stack Network Infrastructure Segmentation Topology Sensors Cyber Posture Configurations Vulnerabilities Policy rules Cyber Threats Campaigns Actors Incidents Indicators TTPs Mission Dependencies Objectives Activities Tasks Information Relevant to Cyber Security & Mission Assurance

9 Cyber Physical Resiliency 9 1) GPS Altitude Spoofing 2) Controllers over respond Safety Stability Efficiency 3) UAV loses stability Environment Controller Command Measurement Operator System Actuator Sensor Physical System

10 Notional Post-Access Cyber Defense Gaps 10 Persistence Privilege Escalation Legitimate s Accessibility Features AddMonitor DLL Search Order Hijack Edit Default File Handlers New Path Interception Scheduled Task File Permission Weakness Shortcut Modification Web shell BIOS Hypervisor Rootkit Logon Scripts Master Boot Record Mod. Exist g Registry Run Keys Serv. Reg. Perm. Weakness Windows Mgmt Instr. Event Subsc. Winlogon Helper DLL Exploitation of Vulnerability Defense Evasion Binary Padding DLL Side- Loading Disabling Security Tools File System Logical Offsets Hollowing Rootkit Bypass UAC DLL Injection Indicator blocking on host Indicator removal from tools Indicator removal from host Masquerad-ing NTFS Extended Attributes Obfuscated Payload Rundll32 Scripting Software Packing Timestomp Access Dumping s in Files Network Sniffing User Interaction manipulation Host Enumeration Account File system Group permission Local network connection Local networking Operating system Owner/User Security software Window Lateral Movement Application deployment software Exploitation of Vulnerability Logon scripts Pass the hash Pass the ticket Peer connections Remote Desktop Protocol Remote s Replication through removable media Shared webroot Taint shared content Windows admin shares Detect Partially Detect No Detect Windows management instrumentation Windows remote management Execution C2 Exfiltration Command Line File Access PowerShell Hollowing Registry Rundll32 Scheduled Task Manipulation Third Party Software Commonly used port Comm through removable media Custom application layer protocol Custom cipher Data obfuscation Fallback channels Multiband comm Multilayer Peer connections Standard app layer protocol Standard nonapp layer protocol Standard cipher Uncommonly used port Automated or scripted exfiltration Data compressed Data encrypted Data size limits Data staged Exfil over C2 channel Exfil over alternate channel to C2 network Exfil over other network medium Exfil over physical medium From local system From network resource From removable media Scheduled transfer

11 Questions?