AT&T Real-Time Network Security Overview

AT&T Real-Time Network Security Overview
Dan Solero, Director of Security Technology, AT&T

Know Your Enemy: Security Threats Extend Beyond Viruses & Worms

* Distributed denial of service
* Spam for hire
* Social engineering: phishing, sniffing, keylogging, etc.
* Data leakage: lost/stolen laptops, unsecured servers
* Insider threats

AT&T's Proactive Security Strategy

Attack lifecycle phases (the columns of the slide): Reconnaissance, Scanning, System Access, Damage, Track Coverage.

Example attacker activities placed along that lifecycle: web-based information collection, broad network mapping, targeted scans, password guessing, service vulnerability exploitation, use of stolen accounts for attack, social engineering, DDoS zombie code installation, system file deletion, log file changes.

AT&T focuses protection toward the early phases of the attack lifecycle: a preventive (defense) phase covering reconnaissance and scanning, an indications-and-warning threshold, and then the reactive (defense) phase. Other alert tools gather their information in the latter phases of an attack.

AT&T Real-Time Security Management: 24/7 Situational Cyber Security Awareness

Data flow, from feeds to cases:
* AT&T enterprise and Internet feeds (~270 million events/day): IDS alarms, firewall logs, DLP alarms, NetFlow, proxy logs, server alarms, Internet alarms, DDoS detection, VPN logs, honeypots
* AT&T custom database technology: the Daytona system (data-mining algorithms) with customized event parsers and consolidators, reducing the feeds to ~170 alerts/day
* Management servers, consoles and database feeding the Threat Management Interface at the AT&T Global Network Operations Center: ~40 cases/day

Bot Detection

* Sampling of identified botnets analyzed
* Visibility of roughly 10% of the total Internet
* Approximately 16 million unique IPs over 16 months
* Hundreds of malware files captured; 60+% not detected by anti-virus

Uses of Botnet Data

* Spam-source blocking
* Alerting
* Improved detection
* Vision: a botnet-aware network

AT&T Internet Protect(SM) Alert A000586: Increased scanning on port 23/tcp (Feb 8, 2006)

Description: AT&T Internet Protect has identified a botnet that is actively scanning on port 23/tcp and targeting Cisco devices such as routers for exploitation and access. The activity has occurred in multiple short bursts against a variety of Internet address segments. Multiple successful compromises have been identified, yielding "enable" and/or "console" passwords for the devices; the exploit is not limited to weak passwords. At this time it is not clear exactly what exploit is being used against the routers, nor for what purpose the routers might be used. However, this capability could be used to launch DDoS attacks, sniff private network traffic, change routing, subvert access control lists, and/or use the routers to build logical private networks for the attackers.

Recommendations:
* Users of Cisco devices should block Internet-facing access to any management services. If management from Internet-facing interfaces is absolutely necessary, use access control lists (ACLs) to restrict access to only the IP sources/hosts authorized to perform those management actions.
* Avoid telnet as a remote access method, and use TACACS+ or RADIUS for authentication.
* Make sure IOS patch levels are up to date.
* Inspect routers for misconfigurations that may have granted telnet access to outside users.
* Logs or flow records may help determine whether any unauthorized connections are taking place.
* If a router is compromised there may be no direct evidence, since the exploit is capturing passwords. If there is any possibility that a router has been compromised, take action to prevent further compromise and change passwords immediately.

Indicators of the Storm Worm (W32/Nuwar, Trojan.Peacomm) active on changing UDP ports

[Chart: Storm Worm Tracker, showing the worm's transition to a new port while continuing to use 11275/udp and 16275/udp]

Global Storm Worm Activity

[Map: a typical day in 2008, and the malware update of June 3, 2008]

AT&T Internet Protect(SM) Alert A000834: Pop-up spam activity on ports 1026/udp and 1027/udp (May 6, 2008)

Description: Internet Protect has observed a significant increase in activity on ports 1026/udp and 1027/udp. The Windows Messenger service (the service behind "net send", not the instant-messaging client) opens a listener on these ports to receive net messages. The service was originally built to let network administrators send messages to all clients connected to their network. Today it is used mainly by pop-up spammers who send bulk messages to many IP addresses. These messages often carry advertisements and links to web sites, and clicking the links frequently results in the computer becoming infected.

Recommendations, to avoid infection:
* Always block unused ports and services.
* If business needs permit, block/filter all traffic to ports 1026/udp and 1027/udp.
* Ensure that the latest operating system and application patches have been applied.
* Perform a virus scan with the latest anti-virus signatures.
* Educate users about safe Internet browsing.
* Establish a complex alphanumeric password policy.

AT&T Internet Protect Alerts: Events in the Downadup/Conficker Evolution

* Oct 23, 2008: Microsoft announces MS08-067, an out-of-cycle RPC patch (advisory)
* Nov 4, 2008: Alert 895, early indicator: RPC scanning
* Nov 13, 2008: Alert 901, early indicator: SMB scanning
* Nov 21, 2008: Alert 907, increased traffic from worm variants
* Dec 15, 2008: Alert 913, increased scanning from Downadup.A and other malware
* Dec 31, 2008: Alert 915, increased SMB scanning
* Jan 5, 2009: Alert 916, Downadup.B and other malware spreading
* Mar 19, 2009: Alert 934, Downadup.B++ (Conficker.C) worm update

Conficker Worm, April 01, 2009

[Map caption: 15,136 visible members, 8 control servers, tracked since 7/2006]

AT&T Threat Recon Index (TRI)

[Chart annotations: downward trend for Sasser; diminishing Downadup/Conficker activity; pop-up spam activity]

Fucuzzy, September 01, 2008

[Map caption: 15,136 visible members, 8 control servers, tracked since July 2006]

Security Services Expansion

Security enforcement capabilities:
* DDoS/botnet protection
* Firewall rule enforcement
* Intrusion detection/prevention
* Worm and virus filtering
* URL filtering
* Mail filtering
* Data leakage prevention solution
* Botnet/threat-aware DNS solution
* Global enforcement nodes

Customer benefits: minimal initial investment, scalability, professional support.

Security Operations Center: early cyber threat warnings; metadata collection with behavior- and anomaly-based analysis; 24x7 data fusion.

AT&T's Security Capabilities: How We Protect Your Network Infrastructure

* Employ the network as the first line of defense
* Utilize AT&T's predictive security capabilities
* Implement a defense-in-depth strategy
* Provide a broad portfolio of security services

Quick facts about AT&T Managed Security:
* End-to-end security capabilities, from the endpoint to the cloud
* Security integrated with AT&T services as appropriate
* Industry recognition for in-the-cloud security
* More than 1,400 security experts and support professionals
* SAS 70 compliant services
* Customer access to reports and tools via the AT&T BusinessDirect portal

Thank You!

Backup slides

What is a Botnet?

A group of compromised computers with common control points that run software autonomously and automatically, used for malicious or unauthorized purposes.

Common terms:
* Bot: an individual machine that is compromised
* Botnet: a collection of bots under common control
* Botnet controller (C&C): the server that relays commands and responses
* Botnet operator: the person or people who set up and run the botnet

Pictures from a document by CERT India.

Types of Botnet Threats

Numerous malicious applications:
* Distributed denial of service (DDoS) attacks
* Spam
* Phishing
* Sniffing, key-logging and collecting traffic
* Hosting rogue network-based applications
* Fraudulent ad clicking
* Dead-drop points for collection and dissemination of malware
* Massive, distributed storage capacity for distribution
* Massive distributed computing power

Illustrative Power of Botnets

Just a few bots can disrupt business operations.

[Chart: power required to disrupt a business compared with the power required to disrupt a typical ISP or hosting provider]

Top 10 Bots

Potential threats identified, yet still active and waiting.

[Table: top 10 active IRC-based botnets]

Notes: actual size could be at least 10-20x larger; this report covers only the top 10 active IRC-based botnets.

Flow Record Analysis

AT&T processes are designed to identify suspicious traffic patterns.

Source_Addr      Dest_Addr        Port  Flags   Pkts  Bytes  Time
200.121.13.98    192.31.106.4     25    -APRSF     6    315  2005-10-01 01:48:02
200.121.13.98    63.240.122.252   25    ----S-     1     64  2005-10-01 01:48:08
200.121.13.98    192.35.35.3      25    -APRSF     6    315  2005-10-01 01:48:24
200.121.13.98    12.38.96.8       25    -AP-S-     9   1860  2005-10-01 01:52:14
200.121.13.98    69.46.203.3      25    -APRSF     6    368  2005-10-01 01:53:48
200.121.13.98    129.246.101.42   25    -APRS-     8    422  2005-10-01 01:54:17
80.140.212.26    66.246.215.72    25    -AP-SF     4   1719  2005-10-03 13:58:27
80.140.222.170   66.235.221.51    25    -AP-SF     8    417  2005-10-04 12:16:00
80.140.222.170   166.102.165.21   25    -A--SF     5    208  2005-10-04 12:16:36
80.140.222.170   69.67.254.10     25    -APRSF     7    380  2005-10-04 12:16:51
80.140.222.170   64.202.166.12    25    -AP-SF    16    804  2005-10-04 12:17:05

* The analog of call detail records for Internet traffic
* Each record represents one side of a conversation
* A unique flow for each (source IP, destination IP, protocol, source port, destination port)

Example: Internet Anomalies Tracked by AT&T

[Chart: significant increase in sources scanning port 23/tcp]

Scan Activity Targeting Telnet

The characteristics that highlight the activity:
* Unique source IP addresses scanning
* Number of probes
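The two analyses the last slides describe, run over flow records of the kind printed above, as an added example (this is not AT&T's code and not the Daytona pipeline the deck describes): SMTP fan-out from a single source within a short window, which is how a spam-sending bot looks in flow data, and the two telnet-scan indicators the slide names, unique scanning sources and probe count. The eleven port-25 records are copied from the slide; the port-23 records, the documentation-range addresses in them, the flag-column order (URG ACK PSH RST SYN FIN, inferred from the slide's flag strings) and the thresholds are assumptions made here and would be tuned per network.

```python
"""Flow-record triage: one line per (src, dst, proto, sport, dport), the
Internet analogue of a call detail record.  Added example, not AT&T code."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, FrozenSet, List, NamedTuple

# Port-25 records copied from the slide (one side of each conversation).
FLOWS_FROM_SLIDE = """\
200.121.13.98 192.31.106.4 25 -APRSF 6 315 2005-10-01 01:48:02
200.121.13.98 63.240.122.252 25 ----S- 1 64 2005-10-01 01:48:08
200.121.13.98 192.35.35.3 25 -APRSF 6 315 2005-10-01 01:48:24
200.121.13.98 12.38.96.8 25 -AP-S- 9 1860 2005-10-01 01:52:14
200.121.13.98 69.46.203.3 25 -APRSF 6 368 2005-10-01 01:53:48
200.121.13.98 129.246.101.42 25 -APRS- 8 422 2005-10-01 01:54:17
80.140.212.26 66.246.215.72 25 -AP-SF 4 1719 2005-10-03 13:58:27
80.140.222.170 66.235.221.51 25 -AP-SF 8 417 2005-10-04 12:16:00
80.140.222.170 166.102.165.21 25 -A--SF 5 208 2005-10-04 12:16:36
80.140.222.170 69.67.254.10 25 -APRSF 7 380 2005-10-04 12:16:51
80.140.222.170 64.202.166.12 25 -AP-SF 16 804 2005-10-04 12:17:05
"""

# Constructed port-23 records (documentation-range addresses), NOT from the
# slide: four unanswered SYNs and one completed session from a single source.
CONSTRUCTED_TELNET_PROBES = """\
203.0.113.9 198.51.100.1 23 ----S- 1 48 2005-10-03 02:00:01
203.0.113.9 198.51.100.2 23 ----S- 1 48 2005-10-03 02:00:01
203.0.113.9 198.51.100.3 23 ----S- 1 48 2005-10-03 02:00:02
203.0.113.9 198.51.100.4 23 ----S- 1 48 2005-10-03 02:00:02
203.0.113.9 198.51.100.5 23 -A--SF 4 200 2005-10-03 02:00:03
"""

# Column order of the slide's Flags field, inferred from its values:
# URG ACK PSH RST SYN FIN ('-' means the flag was never seen in the flow).
FLAG_COLUMNS = "UAPRSF"


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    flags: FrozenSet[str]
    pkts: int
    nbytes: int
    ts: datetime


def decode_flags(field: str) -> FrozenSet[str]:
    """'-APRSF' -> {A,P,R,S,F}; '----S-' -> {S}."""
    if len(field) != len(FLAG_COLUMNS):
        raise ValueError(f"bad flags field {field!r}")
    return frozenset(name for name, ch in zip(FLAG_COLUMNS, field) if ch != "-")


def parse_flows(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, port, flags, pkts, nbytes, day, clock = line.split()
        flows.append(Flow(src, dst, int(port), decode_flags(flags), int(pkts), int(nbytes),
                          datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")))
    return flows


def is_unanswered_probe(flow: Flow) -> bool:
    """SYN sent but no ACK ever seen on this side: the target never completed the handshake."""
    return "S" in flow.flags and "A" not in flow.flags


def fan_out(flows: List[Flow], dport: int, window_s: int, min_dsts: int) -> Dict[str, int]:
    """Sources that reach >= min_dsts distinct hosts on dport inside some window_s-second
    window.  Legitimate MTAs fan out too, so in practice this is gated on the source not
    being a known mail relay; here the threshold alone does the work."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dport == dport:
            by_src[f.src].append(f)
    hits: Dict[str, int] = {}
    for src, fl in by_src.items():
        best = 0
        for i, first in enumerate(fl):
            dsts = {f.dst for f in fl[i:] if (f.ts - first.ts).total_seconds() <= window_s}
            best = max(best, len(dsts))
        if best >= min_dsts:
            hits[src] = best
    return hits


def scan_sources(flows: List[Flow], dport: int, min_probes: int) -> Dict[str, int]:
    """Per-source count of unanswered probes to dport, keeping sources at or above min_probes."""
    probes: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.dport == dport and is_unanswered_probe(f):
            probes[f.src] += 1
    return {src: n for src, n in probes.items() if n >= min_probes}


def scan_indicators(flows: List[Flow], dport: int, min_probes: int) -> Dict[str, int]:
    """The slide's two telnet-scan indicators: unique scanning sources and total probes."""
    hits = scan_sources(flows, dport, min_probes)
    return {"unique_sources": len(hits), "probes": sum(hits.values())}


if __name__ == "__main__":
    flows = parse_flows(FLOWS_FROM_SLIDE + CONSTRUCTED_TELNET_PROBES)
    print("SMTP fan-out (10 min, >=5 hosts):", fan_out(flows, 25, 600, 5))
    print("telnet scan sources (>=3 probes): ", scan_sources(flows, 23, 3))
    print("telnet indicators:                ", scan_indicators(flows, 23, 3))
```

With a 10-minute window, 200.121.13.98 (six mail servers in just over six minutes) is flagged at a five-host threshold while 80.140.222.170 (four hosts in about a minute) is not; lowering the threshold to four catches both, which is the usual trade-off between a tight threshold and an allow-list of known relays. The single `----S-` record from 200.121.13.98 shows why one-sided flow records need the flag field: a lone SYN with no ACK is a connection that never completed, and a burst of them from one source on port 23 is exactly the telnet-scan pattern the slide charts.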

Early Indications of Worm Activity: Evolution and Status of Conficker Variants

* Variant A: Nov 21, 2008
* Variant B: Dec 29, 2008
* Variant B++: Feb 06, 2009
* Variant C: Mar 05, 2009
* New variant D: Mar 17, 2009
* Variant C/D activation: Apr 01, 2009
* New variant E: Apr 07, 2009
* Variant E self-delete: May 03, 2009

Propagation and Communication

Widespread, proliferating, and reporting back to the attacker.

Propagation methods:
* Network exploit: scanning 445/tcp for systems vulnerable to MS08-067 (patched 10/23/08)
* File shares with null or weak passwords
* Infected removable devices (e.g., USB drives)
* Variant C makes no attempt to propagate; variant E scans tcp/445 again

Check-in / bot control methods (bot control has not been observed yet):
* Connects via HTTP (80/tcp) to pseudo-randomly generated domains: 250 possible domains per day (A to B++ variants), 50,000 possible domains per day (C variant after 4/1/09); connection attempts every 2 hours (B, B++) or 3 hours (A). It is believed these domains were not used by the botnet; security researchers preregistered many of them to track botnet size.
* Geolocation and external IP address discovery
* P2P (UDP and TCP)
* Variant E will self-terminate on May 03, 2009
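The check-in behaviour described above (a bot walking hundreds of pseudo-random domains a day, most of them never registered) is visible in recursive resolver logs before any HTTP connection happens, which is the hook for the "botnet/threat-aware DNS solution" in the services slide. The following is an added example, not AT&T code and not Conficker's domain algorithm: it scores each client per day on how many distinct registrable domains it asked for and what fraction of its queries came back NXDOMAIN, then lists the unresolved names, which is the raw material for the preregistration and sinkholing the slide mentions. The log format, client addresses and domain names are all constructed, and the thresholds are assumptions.

```python
"""Per-client DNS heuristic for domain-walking check-ins.  Added example; the
log format, hosts and domain names below are constructed, not Conficker's."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed resolver log: "<date> <time> <client> <qname> <rcode>".
# 10.1.1.5 browses normally; 10.1.1.7 asks for a fresh gibberish name about
# every two hours (the B/B++ check-in cadence on the slide), and only two of
# its twelve names resolve (think: names a researcher preregistered).
SAMPLE_DNS_LOG = """\
2009-03-20 00:00:05 10.1.1.5 www.example.com NOERROR
2009-03-20 00:00:06 10.1.1.5 mail.example.org NOERROR
2009-03-20 00:00:09 10.1.1.7 qmxvbt.biz NXDOMAIN
2009-03-20 02:00:11 10.1.1.7 rhkwyzp.info NXDOMAIN
2009-03-20 02:00:12 10.1.1.7 zlpaqsd.com NOERROR
2009-03-20 04:00:08 10.1.1.7 vbtgqe.net NXDOMAIN
2009-03-20 06:00:10 10.1.1.7 mcdjvuy.org NXDOMAIN
2009-03-20 08:00:14 10.1.1.7 xspmkqa.biz NXDOMAIN
2009-03-20 09:30:00 10.1.1.5 cdn.example.net NOERROR
2009-03-20 10:00:09 10.1.1.7 ptrwlzn.com NXDOMAIN
2009-03-20 12:00:07 10.1.1.7 kqvjsme.info NXDOMAIN
2009-03-20 14:00:13 10.1.1.7 bzyrtqo.net NOERROR
2009-03-20 16:00:05 10.1.1.7 gdnlwva.org NXDOMAIN
2009-03-20 17:45:21 10.1.1.5 www.example.com NOERROR
2009-03-20 18:00:10 10.1.1.7 ujhxcpe.com NXDOMAIN
2009-03-20 20:00:12 10.1.1.7 owzmvtq.biz NXDOMAIN
2009-03-20 21:12:40 10.1.1.5 www.exampel.com NXDOMAIN
"""

Record = Tuple[str, str, str, str]  # (date, client, registrable_domain, rcode)


def registrable_domain(qname: str) -> str:
    """Collapse a host name to the name someone would have to register.
    Assumption: the last two labels.  A production version would consult the
    Public Suffix List so that e.g. 'host.example.co.uk' is not reduced to 'co.uk'."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_dns_log(text: str) -> List[Record]:
    recs: List[Record] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        day, _clock, client, qname, rcode = line.split()
        recs.append((day, client, registrable_domain(qname), rcode))
    return recs


def flag_domain_walkers(recs: List[Record], min_unique: int = 8,
                        min_nx_ratio: float = 0.7) -> Dict[str, dict]:
    """Clients that, within one day, asked for >= min_unique distinct domains and had
    >= min_nx_ratio of their queries answered NXDOMAIN.  Both thresholds are
    assumptions to tune; a busy browsing host has many domains but few NXDOMAINs,
    a mistyped URL has NXDOMAINs but few domains, and only the combination is odd.
    Returns one entry per flagged client with the names that did not resolve."""
    stats = defaultdict(lambda: {"domains": set(), "unresolved": set(), "nx": 0, "total": 0})
    for day, client, dom, rcode in recs:
        s = stats[(client, day)]
        s["domains"].add(dom)
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            s["unresolved"].add(dom)
    flagged: Dict[str, dict] = {}
    for (client, day), s in stats.items():
        ratio = s["nx"] / s["total"]
        if len(s["domains"]) >= min_unique and ratio >= min_nx_ratio:
            flagged[client] = {"date": day, "unique": len(s["domains"]),
                               "nx_ratio": ratio, "unresolved": sorted(s["unresolved"])}
    return flagged


if __name__ == "__main__":
    for client, info in flag_domain_walkers(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{client} on {info['date']}: {info['unique']} domains, "
              f"{info['nx_ratio']:.0%} NXDOMAIN")
        print("  candidate names to register/sinkhole:", ", ".join(info["unresolved"]))
```

Only 10.1.1.7 is flagged: twelve distinct domains in a day with 83% NXDOMAIN. The browsing host's single typo (www.exampel.com) never reaches the threshold because its domain count and failure ratio are both low. The `unresolved` list is what a defender would hand to the registration or sinkhole side of the operation, and the two names that did resolve are where the bot actually got an answer, so they deserve the next look.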

Worm's Defensive Capabilities

Intelligence to turn off security and stay hidden.

Anti-mitigation:
* Blocks DNS requests to many security, anti-virus and product-update sites (by hooking the machine's DNS resolution in memory)
* Locks certain registry keys so that even an administrator cannot change them (only SYSTEM can)
* Terminates anti-virus software

Anti-analysis:
* Gets the current time from the responses of public web sites (such as Google, Facebook, Yahoo), so changing the system clock has no effect
* Double-packed/encoded executable (not counting the encryption used for updates)
* Terminates some monitoring tools
* May detect virtual environments (VMware), and has other anti-debugging features

Self-updating:
* Check-in to pseudo-random domains may facilitate updates
* Inefficient P2P: while scanning 445/tcp, if it finds an already-infected bot with newer software, it copies that software
* Improved P2P (variant C and later): finds and connects to peers based on an algorithmic mapping of IP address to a pseudo-random port
* Only executables that are properly encrypted (RC4) and digitally signed will be installed

AT&T Network-Based Firewall Service

Features:
* Transparent, stateful firewall
* Intrusion detection / intrusion protection
* Central application of outbound or inbound/outbound security policies across many locations
* Fully managed solution for simplified design, deployment and management
* Virus screening and spam filtering
* Service from 1.55 Mbps to 135 Mbps per gateway (higher bandwidths available)

Benefits:
* Easily upgrade speeds and sites as traffic grows
* Leverage WAN investments
* Reports via customer-accessible website

[Diagram: branch offices over Internet DSL/dial and a customer IP-enabled Frame Relay/ATM wide area network pass through the network-based firewall to the main location/HQ customer network, a DMZ (web, RADIUS and SMTP servers), remote employees and a partner]

AT&T DDoS Defense Service: IP Backbone Scrubbing

[Diagram: legitimate and attacker traffic for DIP 1.2.3.4 enters the AT&T IP backbone; an AT&T OSS monitor feeds the AT&T 24/7 DDoS analysis console; traffic for 1.2.3.4 is diverted to scrubber head-ends (Cisco 7606 with Cisco (Riverhead) Guards) and the clean traffic is returned over a tunnel to the server at 1.2.3.4; a second server at 2.3.4.5 is also shown]