The Peak of Chaos Shane D. Shook, PhD 10/31/2012

Transcription

1 w h a c k e r n a v k n d n h m y a w h o? n r h p e n c n o s a n w s o v y i d u n n n r n m s r k d e a i k o w i r c d i o m u t w e t w s u t s i v i t c a Shane D. Shook, PhD 10/31/2012

2 Cyber Crime Warfare Terrorism Security Who Did It? When Do We Fight Back? Why Did They Do It? How Do We Prevent It (Again)? What is the actual threat?

3 East, West, Everywhere Anonymous Group / LulzSec / AntiSec / Arab Youth Group / Cutting Sword of Justice / Izz ad-din Al Qassam Martyr s Cyber Fighters / Gaza Hackers / Palestinian Cyber Army Anonymous crowdsourcing

4 Anonymous Hacktivists or Actors? Highly capable and as sophisticated as needed First effective demonstrations of new cyber-age: - Distributed Denial of Service - Anonymized Network of Communications - The risk is overlooked, but the Threat is Real - Function over form

5 Anonymous Hacktivism Campaigns Tools: Droppers, Botnets, RATs, PasteBin Tactics: (metasploits) - Phishing, Hacking, Social Engineering Procedures: - Compromise, Recon, Collect, Expose sabotage?

6 Nation/State Social Anarchists? Commercial Competitors Disaffected Minorities

7 OpSony HBGary Federal Operation Greenrights Operation Ababil Oil Companies Governments Banks Actions of a few people against (or in support of) the many

8 Shamoon aka DistTrack Simple, effective, scary but limited - Used off-the-shelf software to bypass UAC - Wiped MBR and FileSystem - Component architecture Intended to Destroy (Sabotage)

9 What is a Risk? - A vulnerability that could be exploited What is a Threat? - A vulnerability that should not exist - Something that will impact your business What is an APT? - Is activity (behavior) that threatens your business - Is not simply malware or exploited vulnerabilities - Is not a risk, is a threat

10 What do these have in common? Vulnerabilities Phish SQL Injection Botnets People They are Risks to your business

11 What do these have in common? Gh0st/PoisonIvy utilized Phishing and SQL Injection Anonymous utilized BotNets and Social Engineering Shamoon exploited Windows Vulnerabilities They are Threats to your business can be done by an individual or a group!

12 Gh0st/PoisonIvy Aurora / Night Dragon / Shady RAT / etc. - SQL Injection of improperly secured websites - Web Server access to Command Shell or - Phish to custom downloader site - Crafted Dropper to exploit software vulnerability and - Windows Privilege Escalation - Credential dumping/cracking - Proxy installation & Private Remote Access - Reconnaissance and Data Harvesting

13 The Peak of Chaos Gh0st/PoisonIvy (RATs) behavioral artifacts Binary Resources Configuration Files Prefetch/Command References Link Files Security & Application Event History Communications History Services History MetaData exists in Windows AND *NIX

14 Everyone focuses on the threat of Zero day exploits The least important threat is Zero - Previously unknown, no patch available The next important is Half - Known, no patch available yet The real threat (most important) is Single - Known, patches available not installed The new threat (critical) is Forever - Impossible to patch

15 Stuxnet / Flame / Wiper - PLC Complex, bulky, effective targeted - Used compromised Certificates (Jmicron / RealTek) - Exploited Single-Day and Forever-Day Vulnerabilities -- MS (AT Task Scheduler) -- Drivers (Keyboard, Print Spooler, Volume) -- Path Vulnerabilities (LNK, RPC, NetShares) -- Hard-coded Passwords (CVE ) - Targeted at ICS control software - Component architecture Intended to Destroy (Sabotage)

16 Project Basecamp - PLC SCADA / ICS risk unknown whether compromised yet - Allows unauthenticated access & control - Exploits Forever-Day Vulnerability -- Just Pass string query/response -- Flash Programming means replace Equipment - Targeted at ICS control software - No software / malware needed -- Metasploit & Nessus Modules available -- Shodan / Every Routable IP reveal sites Can Remotely Control (Including Shutdown) At-Will

17 RuggedCom - PLC SCADA / ICS risk unknown whether compromised yet - Single-Day or Forever-Day Vulnerability -- Default password in Firmware updates -- Single Certificate shared on all devices -- Flash Programming means replace Equipment - No software / malware needed to exploit - Just one of MANY SCADA vulnerabilities emerging Can Remotely Control (Including Shutdown) At-Will

18 70% of Enterprise Computers in Global Companies are running Windows XP (20%~ Service Pack 2) 60% of Enterprise Computers are running IE v8 20% of Enterprise Computers are running IE v7 90% of Enterprise Computers are running unpatched Java 80% of Enterprise Computers are running unpatched Flash 80% of Enterprise Computers are running unpatched Reader

19 The Peak of Chaos 68%+ of consumer PC s run Windows 30% of those consumer PC s run older versions of Windows

20 Remote code execution Internal Java Flash Reader Remote code execution External

21 Today s security tools do not address the problem - Risks are mistaken as threats - Focus upon AntiVirus rather than DLP - No value given to network intelligence - Not enough correlation/reporting tools - Attention to anomalous files, not behavior Know your customer - Who should be doing what, when? - Which systems should they use? - How should they access/communicate? - What are anomalies?

22 When is a risk a threat? Risk Unpatched Software. day Exploit Malware Uncontrolled Access Undocumented Systems Tools vs. Experience Outsourcing Threat Vulnerable to exploits Used in place of malware Used to reconnoiter or sabotage systems Persistent access to non-public information Lack of awareness Lack of perspective Lack of control

23 Biggest Risks: People Outsourcing (experience can t be replaced) Process Incomplete/Inaccurate AMDB & CMDB Technology Reliance on Tools Biggest Threats: People Insiders (not hackers) Process Reliance on (restricted) audit results Technology Pattern vs. Behavior-based detection

24 What can you do to detect/protect/defend? DDOS / BotNets / APT Channels - Upstream Vendor/Public Intelligence - Upstream & Downstream Filtering - Expand The Attack Surface Malware - Heuristic Filtering (Test Before Installing) - Know Your Build (Services, Apps, RAS) RATs - Know Your Admin (& User) Behaviors - Watch for Lateral Movement Indicators Contingency Plans for Recovery & Restoration

25 What does it all mean? 1) Understand Risks versus Threats 2) Everything is vulnerable - If a computer can t do it a person can 3) There are no limits (technical or ethical) 4) Watch out for anomalies 5) Behavior is more important than pattern

26 Contact: