Samuele Battistoni (IBM Security Services) Andrea Zapparoli Manzoni (Direttivo Clusit)

Transcription

1 Samuele Battistoni (IBM Security Services) vs Andrea Zapparoli Manzoni (Direttivo Clusit)

2 Cyber Attack vs Security Intelligence vs Security Summit

3 La situazione in una slide 2013 vs 2011: + 267% di cyber attacchi gravi nel mondo 2013 vs 2012: + 26% di danni a parità di numero di attacchi Moltiplicazione degli attori e delle capacità offensive Tutti sono bersagli (privati, aziende, istituzioni) Tutte le piattaforme sono bersagli Le difese tradizionali non funzionano più Violazione di target prima impensabili Il ROI per gli attaccanti è elevatissimo Worst case! Il rischio per gli attaccanti è bassissimo Crescente rischio di Black Swans (HILP) Carenza di leggi e strumenti ad hoc Necessità di gestire rischi ed incidenti (in real time) Necessità di fare prevenzione! Security Summit

4 WHY? Perchè? Utilizziamo sistemi intrinsecamente insicuri come se non lo fossero A destra, la mia automobile nel All epoca ero molto fiero e non mi preoccupavo di nulla. Molti non vogliono sentirselo dire, ma l ICT di oggi, by design, ha il livello di sicurezza della mia 128 Sport del 1971 troppo basso rispetto alle minacce ed ai rischi. Questo è un problema. Le conseguenze sono inevitabili e nel 2012 sono costate al mondo quanto il PIL della Danimarca (400 miliardi di dollari). In Italia, circa lo 0,5% del PIL. Nel 2013, la stima del Ponemon Institute è che sia stata superata la soglia dei 500 miliardi di dollari di danni (diretti ed indiretti). Security Summit

5 Un sito web su 4 è bucabile o già bucato Common vulnerabilities found occurring in web application tested by IBM Application Security Service compared to OWASP Top 10 for 2013 Source: IBM X-Force Research and Development 5

6 Vulnerabilità lato client come se piovesse 6 Source: IBM X-Force Research and Development

7 Risultato 7

8 Perché dobbiamo fare Security Intelligence Perché genera awareness ed elimina le false certezze Perché i cattivi la usano contro i loro bersagli, 24/7 x 365 Perché è fondamentale per prevenire i rischi ( -> ROSI) Perché è importante per contenere le minacce in tempo utile mentre la finestra di compromissione in media oggi è di 230 giorni (!) Perché senza di essa oggi siamo ciechi, sordi e impotenti, ed è su questo che fanno leva gli attaccanti Security Summit

9 One more report? Technology is everywhere and also threats Security Summit

10 #1: Slow network and system errors attack Security Summit

11 #1: Slow network and system errors attack Large manufacture in 13 countries Good perimeter defense Firewall IPS Security Gateway (Web and Security) Antivirus on all internal and DMZ machines (server and PC) Thursday May 22 rd, :00 pm May 22 nd 23 rd, 2014 Friday May 23 rd, :00 am Facts: Network slowdown Account changes SAN errors Customer actions: Active Directory Snapshot diff with backups Findings: 2 machines (PrintServer22) 1 account (SVC472994) TeamViewer installed on PrintServer22 Customer remediation: Remove and Uninstall TeamViewer from PrintServer22 Security Summit

12 #1: Slow network and system errors attack Friday May 23 rd, :00 pm May 23 nd 24 th, 2014 During the night Facts: All SAN volumes disconnected from servers CIO, CTO, Facility Managers account s locked out Call IBM ERS Hotline Have an emergency? Call IBM ERS 24x7x365 (US) (WW) IBM findings: Automatic script that lock targeted accounts using SVC More than 15 DCs worldwide Local logs on the machines 50MB log rotation (~2h retention) Suggestion: disable the script and the SVC account Further investigation needed The bad things: No Access Management Does other business process use SVC account? No Change Control More than one day to answer the question and disable the account No Central log management No log from TeamViewer (removed and uninstalled by the customer) Security Summit

13 #1: Slow network and system errors attack Saturday May 24 rd, 2014 During the day One week before IBM findings: No firewall logs related to TeamViewer traffic RADIUS server, using the configured 50MB, has ~15 days logs On Wed May 21 st there was: Interactive logon (local administrator) Account creation (SVC472994) Before that: IT Head of Security login on RADIUS server and create local administrator (probably using stolen or shared password) Then SVC user, from PrintServer22, performed Questions: Who? How? Why? Domain account change Install Java to control SAN volumes Customer fired the network and VMware administrator on Wednesday 21 st, 2014 Remember: No log from TeamViewer (removed and uninstalled by the customer) Monday 26 th May, 2014 During the day IBM further analysis: Create a VM similar to the PrintServer22 (from old backup) Install TeamViewer, perform login, analyze logs and compare with the original logs: Interactive logon found msg Punch Receive from IP xxx.xxx.xxx.xxx in vsphere Client logs Logs are more or less the same [~90%] IBM sent the IP address to the customer Security Summit

14 Incident Response Needs Have a plan (Incident Response Plan) Predefine your Incident Response Team Chose your approach Watch and Learn (with your forensics partner) Circumvent, block, recover Predefine a backup communication plan (no !) Define stakeholders communication plan: provider, developer, legal, Take care of forensic data Create user awareness (out of the security team) Follow crime/law engagement procedures HAVE EXPERIENCE (previous, dry runs, simulated incidents, tests ) Security Summit

15 #2: The SSH Scanner attack Security Summit

16 #2: The SSH Scanner attack Telco company Late April 2014 End Customer s services DC outsourced Good perimeter defense and monitoring Firewall, IPS, Security Gateway, Antivirus SIEM for Log management and correlation VA and PenTest for compliance Other servers in Customer s DC Used for partner, suppliers and backoffice services Managed directly by the customer team Facts: IBM SOC alert SSH Scanner and Dictionary Attack on entire network A-class (including IBM public network) source: Customer s FTP Server Late April 2014 Context information: The local FTP Server is: used for supplier and partner s documentation and invoice accessed with certificate IBM findings: Late April 2014 Remote root login from Romanian IP root login is disabled how did they logged into this machine? Deeper analysis needed Security Summit

17 #2: The SSH Scanner attack December 2013 January 2014 November 2013 April 2014 November 2013 Context information: Late December st attempt to virtualize the machine Failed due to some technical errors Late January 2014 The machine is virtualized correctly Some log are not registered Found a rootkit that was promptly removed The machine start logging correctly IBM findings: December 9 th, st not planned reboot (obfuscated by a lot of migration in these days) January 11 th, 2014 Another not planner reboot Logs disappear A modified kernel was installed on the machine Disable logging Set a fake root login disabled System setting shows root login disabled, but the remote login is enabled and works From November 2013 Other root logins from Chinese IP More than 6 months on this machine, remain underground, without trigger any alerts. Why? The customer was negotiating a merge with another company: Supplier s invoice and financial information was very valuable Once the job was completed, hackers sold the machine in the dark market (double gain, expense covered) The bad things: Cloning the machine as-is backdoor, misconfiguration, error are replicated on the new machine SSH Scanner solved it was not the only attack Deeper and complete investigation Scope is THE ENTIRE COMPANY Not only the web VA and Pen Test are not enough Security Summit

18 CaaS: Cybercrime as a Service Hacker Service Details Price Visa and Master Card (US) with CVV code $4 American Express (US) with CVV code $7 Visa and Master Card (EU) with CVV code $15 American Express Card (EU) with CVV code $18 Verified by Visa (US) $10 Verified by Visa(EU) $17-$25 Bank Acct. with $70,000-$150,000 Bank account number and online credentials (username/password). $300 Infected Computers 1 $20 5 $90 10 $160 Remote Access Trojan(RAT) $50-$250 Add-On Services to RATs Includes set up of C2 Server, adding FUD to RAT $20-$50 Hacking Website; stealing data Price depends on reputation of hacker $100-$300 DDoS Attacks Per day $90-$100 Per week $400-$600 Source: SecureWorks Source: Forbes Security Summit

19 Ma che se ne fanno di un device bucato? Security Summit

20 Active Threat Assessment (ATA) Data Collection & Reconnaissance Targeted External Testing Internal Scanning & Analysis Reviews & Interviews Reporting & Briefing Uncover indicators of compromise and hidden threats Coordinated Attack Simulation Targeted penetration testing helps identify vulnerable systems and applications from an attacker s perspective, conducted with broad coverage or using a customized and simulated events. An on-site coordinator assists with validating that detection mechanisms are successfully detecting malicious activity. Tool based APT Forensic Scanning Checks for the presence of behavioral Indicators of Compromise (IOCs) frequently seen with intrusions indicating a currently active but previously unknown compromise. Memory (RAM) Analysis For systems identified with suspicious activity, a remote memory (RAM, volatile data) analysis may be done looking for common malware traits. System Log Analysis Logs from firewalls, IDS/IPS devices, Network AV servers, DNS and other systems can help reveal IOCs of an intruder or the presence of malware. Critical Controls Review Assessment of the level of implementation of SANS Top 20 Critical Security Controls helps to develop an overall security strategy. Security Summit

21 Security Intelligence Building Blocks Security Governance How Who & What Why Security Analysis Team Threat Intelligence Gathering Vulnerability analysis and Advisor Risk Assessment Impact Analysis Incident Management Plan Enforcement Optimization Investigation and Forensics Analysis Hunter Team Threat Assessment Infrastructure Application Social Phishing Awareness Attack modeling Ad-hoc projects Security Operations Center Monitoring Incident Escalation and Response Contain, Block, Correlate Security Application Management Security Configuration Management Security Policy Management Security Intelligence Platform Aggregate Security event log and flow Correlation, rules and feeds Security Summit

22 Funziona la Security Intelligence? Si, funziona! Security Summit

23 Grazie! Andrea Zapparoli Manzoni Samuele Battistoni Security Summit

24 Security Summit