The New Generation of Vulnerabilities: Case Studies
Ing. Miguel Angel Aranguren Romero
CISA, CISM, CGEIT, CRISC, COBIT Foundations Certificate, CISSP, OSCP, ITIL v3 Foundations Certificate
Introduction
Vendors Reporting the Largest Number of Vulnerability Disclosures in History Vulnerability disclosures up 27%. Web applications continue to be the largest category of disclosure. Significant increase across the board signifies efforts that are going on throughout the software industry to improve software quality and identify and patch vulnerabilities.
Patches Still Unavailable for Many Vulnerabilities 44% of all vulnerabilities disclosed in 2010 had no vendor-supplied patch to remedy the vulnerability. For most vulnerabilities the patch becomes available at the same time the issue is publicly disclosed. However, some vulnerabilities are publicly disclosed for many weeks before a patch is released. (Chart: Patch Release Timing, First 8 Weeks of 2010)
Public Exploit Exposures Up in 2010 Public exploit disclosures up 21% in 2010 versus 2009 Approximately 14.9% of the vulnerabilities disclosed in 2010 had public exploits, which is down slightly from the 15.7% last year However more vulnerabilities were disclosed this year, so the total number of exploits increased. The vast majority of public exploits are released the same day or in conjunction with public disclosure of the vulnerability.
Exploit Effort vs. Potential Reward Economics continue to play heavily into the exploitation probability of a vulnerability. All but one of the 25 vulnerabilities in the top right (high reward, low effort) are vulnerabilities in the browser, the browser environment, or in email clients. The only vulnerability in this category that is not a browser or email client-side issue is the LNK file vulnerability that the Stuxnet worm used to infect computers via malicious USB keys.
Web App Vulnerabilities Continue to Dominate Nearly half (49%) of all vulnerabilities are Web application vulnerabilities. Cross-Site Scripting and SQL injection vulnerabilities continue to dominate.
Definitions
What is APT?
Advanced
* Uses exploits for unreported vulnerabilities (zero-day)
* Advanced, custom malware that isn't detected by antivirus products
* Coordinated attacks using a variety of vectors
Persistent
* Attacks lasting for months or years
* Resistant to remediation attempts
* Attackers are dedicated to the target: they WILL get in
Threat
* Targeted at specific individuals and groups within an organization, aimed at compromising confidential information
* Not random attacks: they're actually out to get you
The Main Events
SQL Injection Attack Tools * Automatic page rank verification * Search engine integration for finding vulnerable sites * Prioritization of results based on probability for successful injection * Reverse domain name resolution * etc.
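The injection those tools hunt for, and the test they run to confirm it, as an added example (not code from the original presentation): a deliberately vulnerable login beside its parameterised form, plus the boolean-based probe an automated scanner uses, which sends a tautology payload and compares the response to a baseline request. The user table and credentials are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for a web app's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Deliberately vulnerable: request fields are spliced into the SQL text,
    # so a quote in the input ends the string literal and becomes syntax.
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchone()


def login_hardened(conn, username, password):
    # Parameterised query: the driver binds the values as data, so the same
    # payload is compared literally against the column and matches nothing.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


TAUTOLOGY = "' OR '1'='1"


def is_injectable(login_fn, conn):
    """Boolean-based probe of the kind an automated SQLi scanner runs: a
    baseline request with bad credentials must fail, while the tautology
    payload must succeed. True means the login is injectable."""
    baseline = login_fn(conn, "nobody", "wrong-password")
    probe = login_fn(conn, TAUTOLOGY, TAUTOLOGY)
    return baseline is None and probe is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login injectable:", is_injectable(login_vulnerable, db))
    print("hardened login injectable:  ", is_injectable(login_hardened, db))
```

With the tautology in both fields the vulnerable query becomes `WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row, so the first user (here the admin) is returned without a password. The parameterised version returns nothing for the same input, which is exactly the difference the probe measures.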
The drive-by download process (figure): a desktop user browses the Internet and lands on a web server with an embedded iframe; the malicious iframe host serves exploit material targeted at the web browser; a downloader is installed; malware is installed and activated.
Bot Network Activity on the Rise in 2010 Trojan bot networks continued to evolve in 2010 through widespread usage and availability. Zeus (also known as Zbot and Kneber) continues to evolve through intrinsic and plugin advances. Various bot networks based on Zeus were responsible for millions of dollars in losses over the last few years. A Microsoft-led operation resulted in the takedown of the majority of the Waledac botnet in late February. Communication between Waledac's command and control centers and its thousands of zombie computers was cut off in a matter of days. Much of the other activity seen is Zeus.
Spear Phishing Example of an e-mail with a malicious PDF attachment
Stuxnet
Sophisticated:
* Included exploits for 4 unpatched (0-day) vulnerabilities
* Included components signed with stolen digital certificates
* Spread through numerous network vectors and crossed air gaps with USB sticks
* Infected developer machines with a rootkit that hid the malware and the code changes it was making
Targeted:
* Used the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract project data
* Modified code on programmable logic controllers (PLCs)
* Code modifications only occurred in limited circumstances: code that controls particular frequency converter drives from specific vendors, and drives that operate in particular frequency ranges
Collateral Damage: worldwide infections
The Three Legged Stool
Virtualization Security Increasingly a Focus 35% of server class vulnerabilities affect the hypervisor Virtualization Vulnerability Disclosures expected to fall in 2010 Number of disclosures peaked in 2008 at 100, fell by 12 percent to 88 in 2009, and appears on track to fall slightly further in 2010 (39 virtualization vulnerabilities were disclosed in the first half of 2010). This trend suggests that virtualization vendors have been paying more attention to security since 2008 and/or security researchers have focused their efforts on easier targets.
Anatomy of RSA Breach: Highlights Need for Continuous Monitoring http://blogs.rsa.com/rivner/anatomy-of-an-attack/
How were the problems handled?
Responding to Targeted Attacks: An Iterative Approach
Harden
Your original security posture may need to be reconsidered.
Email Security
* Don't allow incoming e-mail spoofed from your organization's addresses
* Consider e-mail signing
Identity and Access Management
* How well managed are your access policies? Do people only have access to what they need?
* How hardened is your access control system? Multi-factor authentication can complicate the attacker's task
* Review access policies frequently
Physical Segmentation
* Frequently used by the DoD
* Can you afford separate systems for web browsing and for sensitive work? Some data never needs exposure to the Internet
* "It has become clear that Internet access in itself is a vulnerability that we cannot mitigate. We have tried incremental steps and they have proven insufficient." Mark Foulon, Bureau of Industry and Security, US Dept. of Commerce
* Consider all forms of connectivity: what is your policy on USB sticks?
Keep up with traditional security measures
* IPS, firewalls and even anti-virus can actually help
* Each point solution is part of a complete breakfast
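The first hardening item, rejecting inbound mail that claims one of your own addresses, as an added example (not the presenter's code): a border-MTA policy check that treats a message as spoofed when its From: domain is ours but the connecting host is not one of our relays and our MTA recorded no passing DKIM signature for our domain. The domain, relay range, and both messages are constructed for the example; the check reads the Authentication-Results header a real MTA or milter would add, it does not verify DKIM itself.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed: our own mail domain
# Assumed: the only hosts allowed to submit mail with our From: domain.
TRUSTED_RELAYS = [ipaddress.ip_network("10.1.0.0/24")]

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(msg):
    """IP of the host that connected to our border MTA. MTAs prepend
    Received: headers, so the first one is the hop our own relay wrote."""
    received = msg.get_all("Received") or []
    match = RECEIVED_IP.search(received[0]) if received else None
    return ipaddress.ip_address(match.group(1)) if match else None


def dkim_aligned(msg, domain):
    """True if our MTA recorded a passing DKIM signature for `domain`
    (e.g. signed mail sent on our behalf by an outsourced provider)."""
    results = msg.get("Authentication-Results", "")
    return "dkim=pass" in results and "header.d=%s" % domain in results


def is_spoofed_internal(raw, org_domain=ORG_DOMAIN, relays=TRUSTED_RELAYS):
    """Policy: a From: in our domain must come from our relays or carry an
    aligned DKIM pass; anything else is a spoof and should be rejected."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() != org_domain:
        return False  # does not claim our domain; not this rule's concern
    ip = connecting_ip(msg)
    if ip is not None and any(ip in net for net in relays):
        return False
    if dkim_aligned(msg, org_domain):
        return False
    return True


# Constructed messages. The first claims an internal sender but arrived
# from an outside address with no DKIM pass; the second is genuine.
SPOOFED = """Received: from mail.attacker.example ([203.0.113.9])
\tby mx.example.com with ESMTP; Thu, 01 Sep 2011 09:12:44 +0000
From: "CEO" <ceo@example.com>
To: cfo@example.com
Subject: Urgent: updated payroll report (see attached PDF)

Please review the attached document.
"""

GENUINE = """Received: from outbound.example.com ([10.1.0.25])
\tby mx.example.com with ESMTP; Thu, 01 Sep 2011 09:15:01 +0000
From: "Alice" <alice@example.com>
To: bob@example.com
Subject: lunch

Noon?
"""

if __name__ == "__main__":
    print("spoofed:", is_spoofed_internal(SPOOFED))   # True
    print("genuine:", is_spoofed_internal(GENUINE))   # False
```

The rule only inspects the outermost Received header because that is the one your own MTA wrote; any header deeper in the chain was supplied by the sender and can say whatever the attacker wants.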
Detect
You cannot detect everything, but if you can detect something, you can pull on that thread and unravel complicated attacks.
User
* Educate targeted employees
* Make education personal; this is not a compliance activity
* Again, the goal isn't to stop all spear phishing, some people will still fall prey; the goal is to detect some of it
Network
* 0-day attack heuristics
* Shellcode obfuscation
* Protocol anomalies
* Unexpected encryption
* Known command and control protocols
System
* Out-of-policy configuration changes
* Buffer overflow detection
* Application whitelisting
* Data access monitoring
Analyze and Remediate
Analyze
* Captured attacks should be analyzed
* Execute exploits in a controlled environment and monitor
* Determine command and control protocol and IP addresses
* Determine registry and other system changes
* Honeypot attackers and watch their activity
* Collect as much information as possible!
Remediate
* Determine if other hosts have communicated with C&C systems
* Network evidence logging can help in this respect
* Use system management tools to search for configuration changes associated with the malware
Feedback
* Integrate lessons about malware and attacks into network and end-host defense systems used in the detection phase
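The network detection item (known command and control traffic) and the remediation item (which other hosts talked to the C&C address) share the same raw material, connection logs, so one added example serves both passages. It is not code from the original deck: a beacon heuristic that flags source/destination pairs whose connection intervals are too regular to be a human, and a hunt over the same log for every host that contacted an address once the analysis phase has identified it as C&C. The log format, addresses and timings are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed proxy/firewall log: "<ISO time> <src> <dst> <dport> <method>".
_base = datetime(2011, 9, 1, 10, 0, 0)
SAMPLE_LOG = []
for i, jitter in enumerate([0, 1, -1, 0, 2, 0, -1, 1]):   # implant, ~60 s timer
    t = _base + timedelta(seconds=60 * i + jitter)
    SAMPLE_LOG.append(f"{t.isoformat()} 10.0.0.5 198.51.100.7 443 CONNECT")
for offset in [3, 8, 308, 348, 1248]:                      # human browsing
    t = _base + timedelta(seconds=offset)
    SAMPLE_LOG.append(f"{t.isoformat()} 10.0.0.9 93.184.216.34 80 GET")
SAMPLE_LOG.append(f"{(_base + timedelta(seconds=500)).isoformat()} "
                  "10.0.0.12 198.51.100.7 443 CONNECT")   # one-off contact


def parse_log(lines):
    """Parse lines into (timestamp, src, dst, dport, method), time-ordered."""
    records = []
    for line in lines:
        ts, src, dst, dport, method = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), method))
    return sorted(records)


def detect_beacons(records, min_hits=5, max_cv=0.2):
    """Return the {(src, dst)} pairs whose connection gaps are regular enough
    to look like a malware check-in timer. cv = stdev/mean of the gaps: a
    timer with small jitter gives a low cv, a person clicking a high one."""
    by_pair = defaultdict(list)
    for ts, src, dst, _, _ in records:
        by_pair[(src, dst)].append(ts)
    beacons = set()
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.add(pair)
    return beacons


def hosts_contacting(records, c2_addresses):
    """Remediation step: every internal host that ever talked to a known C&C
    address, including one-off contacts the beacon heuristic cannot see."""
    return {src for _, src, dst, _, _ in records if dst in c2_addresses}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    beacons = detect_beacons(recs)
    print("beaconing pairs:", beacons)
    c2 = {dst for _, dst in beacons}
    print("hosts that contacted C&C:", hosts_contacting(recs, c2))
```

The thresholds are the tuning knobs: `min_hits` keeps noise out, and `max_cv` is traded against implants that randomise their sleep. The second function is deliberately threshold-free; once an address is confirmed C&C from the sandbox run, a single connection is enough to put a host on the remediation list.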
Containment Strategies
Constantly Adapting to New Threats
If the bad guys: Steal privileged credentials for critical systems (SAP, PeopleSoft, Siebel, etc.)
Then we can: Continuously monitor all access to immediately identify suspicious or unauthorized activity in real time ("beyond IAM")
If the bad guys: Co-opt rogue insiders or outsourced DBAs to steal confidential data stored in the cloud (data breaches/leaks)
Then we can: Implement granular policies to restrict access to sensitive tables (plus continuously monitor all access)
If the bad guys: Launch attacks on unpatched database systems
Then we can: Implement virtual patching to block and/or alert on attempted access to vulnerable packages/procedures ("beyond AV")
If the bad guys: Store malware and stolen data in our databases
Then we can: Implement automated data discovery technology to find sensitive data and malware
If the bad guys: Turn off database logging to cover their tracks (anti-forensics)
Then we can: Implement database logging/monitoring outside the database (without relying on native DBMS/SIEM capabilities)
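Three of those responses (table-level access policy, virtual patching of a vulnerable procedure, and catching an attempt to switch auditing off) are the rule set of a database activity monitor that sits outside the DBMS. Added example, not from the presentation: the rules applied to statements captured off the wire or by an agent. The policy, the vulnerable procedure name `sys.legacy_pkg.exec_cmd`, and the captured statements are all placeholders constructed for the example.

```python
import re

# Assumed policy: who may touch sensitive tables, and which stored
# procedures have a known unpatched issue (the name is a placeholder).
SENSITIVE_TABLES = {"hr.salaries", "crm.cards"}
ALLOWED_USERS = {"hr_app", "billing_app"}
VULNERABLE_PROCS = {"sys.legacy_pkg.exec_cmd"}   # hypothetical name

# Statements an attacker or rogue DBA would run to blind the native audit
# trail (Oracle and SQL Server spellings shown; extend for your DBMS).
ANTI_FORENSICS = re.compile(
    r"\b(ALTER\s+SYSTEM\s+SET\s+AUDIT_TRAIL\s*=\s*NONE|NOAUDIT\b|"
    r"sp_configure\s+'c2 audit mode'\s*,\s*0)", re.I)
TABLE_REF = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([\w.]+)", re.I)
PROC_CALL = re.compile(r"\b(?:EXEC|EXECUTE|CALL)\s+([\w.]+)", re.I)


def inspect_statement(user, sql):
    """Apply the policy to one captured statement; return a list of
    (severity, rule, user) alerts, empty when the statement is clean."""
    alerts = []
    tables = {t.lower() for t in TABLE_REF.findall(sql)}
    if tables & SENSITIVE_TABLES and user not in ALLOWED_USERS:
        alerts.append(("high", "sensitive-table-access", user))
    procs = {p.lower() for p in PROC_CALL.findall(sql)}
    if procs & VULNERABLE_PROCS:
        alerts.append(("critical", "virtual-patch-block", user))
    if ANTI_FORENSICS.search(sql):
        alerts.append(("critical", "audit-disabled", user))
    return alerts


def monitor(events):
    """events: iterable of (user, sql) as seen by a tap or agent outside the
    DBMS, so the record survives even if native logging is switched off.
    Returns (all alerts, statements the virtual patch rule says to block)."""
    all_alerts, blocked = [], []
    for user, sql in events:
        alerts = inspect_statement(user, sql)
        all_alerts.extend(alerts)
        if any(rule == "virtual-patch-block" for _, rule, _ in alerts):
            blocked.append(sql)
    return all_alerts, blocked


# Constructed capture: one legitimate read, one outsourced DBA dumping a
# sensitive table, a call into the vulnerable procedure, and an attempt
# to turn off auditing.
CAPTURED = [
    ("hr_app", "SELECT emp_id, amount FROM hr.salaries WHERE emp_id = 42"),
    ("contractor_dba", "SELECT * FROM hr.salaries"),
    ("web_app", "SELECT name FROM crm.customers WHERE id = 7"),
    ("web_app", "EXEC sys.legacy_pkg.exec_cmd 'cmd /c whoami'"),
    ("contractor_dba", "ALTER SYSTEM SET audit_trail = NONE"),
]

if __name__ == "__main__":
    alerts, blocked = monitor(CAPTURED)
    for severity, rule, user in alerts:
        print(f"[{severity}] {rule} by {user}")
    print("blocked:", blocked)
```

Regex matching on SQL text is adequate for a demonstration; a production monitor parses the statement so that comments, aliases and quoted identifiers cannot be used to hide a table reference from the rule.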
Other Major Incidents
Other Major Incidents
* DigiNotar http://www.globalsign.com/company/press/090611-security-response.html http://technet.microsoft.com/en-us/security/bulletin/ms01-017
* [kernel.org users] [KORG] Master back-end break-in http://www.boards.ie/vbulletin/showthread.php?threadid=2056374752
* Make requests through Google servers + DDoS http://www.ihteam.net/advisory/make-requests-through-google-servers-ddos/
* Fraudulent Digital Certificates Could Allow Spoofing http://www.microsoft.com/technet/security/advisory/2607712.mspx
* Biclique cryptanalysis of the full AES https://research.microsoft.com/en-us/projects/cryptanalysis/aes.aspx
* Shady RAT http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf
Near-Future Trends
Near-Future Trends
1. BIOS rootkits
2. Harpooning
3. Mobile malware
4. Malware inside
5. SCADA
6. Botnets and data mining
Conclusions and Final Reflections
Awareness is more important every day. The solution is not in a box: technologies like IPS (NIPS/HIPS), DAM, DM, DLP, AV, next-generation firewalls and VA continue to be the tools to accomplish the needed work. We will continue to see attacks against new technologies and online business mechanisms, and the consolidation of new business models requires new actions. Changes in our response capabilities, and the level of corporate demand for those capabilities, must shape the way we engage in business over the Internet.
THANK YOU!!!
Ing. Miguel Angel Aranguren Romero
CISA, CISM, CGEIT, CRISC, COBIT Foundations Certificate, CISSP, OSCP, ITIL v3 Foundations Certificate
marangur@co.ibm.com
Miguel.aranguren@gmail.com
Miguel.aranguren@isaca.org.co