Assets & Threat Models
Matsuzaki 'maz' Yoshinobu <maz@iij.ad.jp>
Thanks
Most of the content was provided by:
• Steven M. Bellovin: https://www.cs.columbia.edu/~smb
Starting Off
• What are you trying to protect?
• Against whom?
• All security system designs should start by answering those two questions.
Threat Modeling
Threat: An adversary that is motivated and capable of exploiting a vulnerability
• What vulnerabilities do you have?
• Who might attack them?
• Are they capable of exploiting those vulnerabilities?
Assets
• My house has easily-breakable glass windows
• Banks store their money in vaults
• Banks have more money than I do…
(Creative Commons licensed, by Flickr user mbrand)
Your Assets
• $money and $valuables
• credentials and account information
• the services themselves
• CPU power / bandwidth
• software
• secret contents
Who Are Your Enemies?
• Script kiddies: little real ability, but can cause damage if you're careless
• Money makers: hack into machines; turn them into spam engines; etc.
• Government intelligence agencies
The Threat Matrix
Axes: Skill and Degree of Focus

                    Low focus              High focus
  Low skill         Joy hacks              Targeted attacks
  High skill        Opportunistic hacks    Advanced Persistent Threats
Joy Hacks
• Hacks done for fun, with little skill
• Some chance for damage, especially on unpatched computers
• Targets are random; no particular risk to your data (at least if it's backed up)
• Ordinary care will suffice
• Most hackers start this way
Opportunistic Hacks
• Most phishers, virus writers, etc.
• Often quite skilled, but don't care much whom they hit
  – May have some "0-day" attacks
• The effects are random but can be serious
• Consequences: bank account theft, computers turned into bots, etc.
Targeted Attacks
• Attackers want you
  – Sometimes, you have something they want; other times, it's someone with a grudge
• Background research: learn a lot about the target
  – May do physical reconnaissance
• Watch for things like "spear-phishing" or other carefully-targeted attacks
Advanced Persistent Threats (APT)
• Very skillful attackers who are aiming at particular targets
• Sometimes, though not always, working for a nation-state
• Very, very hard to defend against them
• May use non-cyber means, including burglary, bribery, and blackmail
• Note: many lesser attacks are blamed on APTs
Are You Targeted?
• If you're big, someone is probably targeting you, especially if you're unpopular
• If you have something someone wants, including money, you can be targeted
• Or it could be random chance
A Crazy Neighbor
• A family told police about a neighbor's (serious) misbehavior
• The neighbor retaliated: he hacked into their WiFi, stole their passwords, created fake pornographic MySpace pages, sent threatening and harassing letters "from" them, etc.
• Eventually, the FBI was called in because of the threats, and they found who was really doing it
• Conclusion: A family was targeted, for no rational reason
A Paint Company
• A paint manufacturer was targeted, apparently for purposes of industrial espionage
• There were hints, or claims, of foreign government involvement
Defense Strategies
• Defense strategies depend on the class of attacker, and on what you're trying to protect
• Tactics that keep out teenagers won't keep out an intelligence agency
• But stronger defenses are often much more expensive, and cause great inconvenience
Joy Hackers
• By definition, joy hackers use existing tools that target known holes
• Patches exist for most of these holes; the tools are known to A/V companies
  – The best defense is staying up to date with patches
  – Also, keep antivirus software up to date
• Ordinary enterprise-grade firewalls will also repel them
Opportunistic Hackers
• Sophisticated techniques used
  – Possibly even some 0-days
• You need multiple layers of defense
  – Up-to-date patches and anti-virus
  – Multiple firewalls
  – Intrusion detection
  – Lots of attention to log files
• Goal: contain the attack
Targeted Attacks
• Targeted attacks exploit knowledge; try to block or detect the reconnaissance
  – Security procedures matter a lot
  – How do you respond to phone callers?
  – What do people do with unexpected attachments?
• Hardest case: disgruntled employee or ex-employee
Advanced Persistent Threats
• Very, very hard problem!
• Use all of the previous defenses
• There are no sure answers; even air gaps aren't sufficient
• Pay special attention to procedures
• Investigate all oddities
Varying Defenses
• Don't use the same defenses for everything
• Layer them; protect valuable systems more carefully
• Maybe you can't afford to encrypt everything, but you probably can encrypt all communications among and to/from your high-value machines
All Machines Are Valuable
• Even machines with no intrinsic value can be turned into bots
  – Send spam, launch DDoS, host phishing sites, etc.
  – Spy on your local traffic
  – Defense: watch outbound traffic from your site
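The "watch outbound traffic from your site" defense above, as an added example that is not part of the original deck: a small Python pass over flow records (source, destination, destination port, bytes sent) that flags internal hosts behaving like the bots the slide lists, a spam engine talking SMTP directly to many outside mail servers, a DDoS or scanning machine fanning out to many destinations, and a host shipping an unusual volume of data out. The internal network, the sanctioned mail relay, the thresholds, and the flow records are all constructed assumptions for the demonstration; a real deployment would set the thresholds from its own baseline.

```python
"""Watch outbound traffic for signs that an internal machine has become a bot.

Added illustration for the "All Machines Are Valuable" slide; not code from the
original deck. The flow records below are constructed sample data, and the
thresholds are illustrative assumptions, not measured baselines.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the site's internal address space and its one sanctioned mail relay.
INTERNAL_NET = ip_network("10.0.0.0/8")
MAIL_RELAY = ip_address("10.0.0.25")

# Illustrative thresholds per reporting interval (assumed; tune to your baseline).
MAX_SMTP_DESTINATIONS = 5        # distinct external mail servers a desktop should talk to
MAX_DISTINCT_DESTINATIONS = 50   # distinct external hosts (DDoS / scanning fan-out)
MAX_OUTBOUND_BYTES = 50_000_000  # bytes sent out (bulk exfiltration)

# Constructed flow records: (src, dst, dst_port, bytes_out)
SAMPLE_FLOWS = [
    ("10.0.1.10", "198.51.100.7", 443, 12_000),      # normal web browsing
    ("10.0.0.25", "203.0.113.9", 25, 8_000),         # the mail relay doing its job
    *[("10.0.1.77", f"203.0.113.{i}", 25, 4_000) for i in range(1, 40)],   # spam bot
    *[("10.0.1.88", f"198.51.100.{i}", 80, 200) for i in range(1, 120)],  # DDoS fan-out
    ("10.0.1.99", "192.0.2.5", 443, 80_000_000),     # bulk upload to a single host
]


def summarize_outbound(flows):
    """Aggregate outbound flows (internal -> external) per internal source host."""
    stats = defaultdict(lambda: {"bytes": 0, "dests": set(), "smtp_dests": set()})
    for src, dst, dport, nbytes in flows:
        s, d = ip_address(src), ip_address(dst)
        if s not in INTERNAL_NET or d in INTERNAL_NET:
            continue  # only the site-to-Internet direction matters here
        entry = stats[src]
        entry["bytes"] += nbytes
        entry["dests"].add(dst)
        if dport == 25:
            entry["smtp_dests"].add(dst)
    return stats


def find_suspects(flows):
    """Return {host: [reasons]} for hosts whose outbound behaviour looks bot-like."""
    alerts = {}
    for host, entry in summarize_outbound(flows).items():
        reasons = []
        if ip_address(host) != MAIL_RELAY and len(entry["smtp_dests"]) > MAX_SMTP_DESTINATIONS:
            reasons.append(f"direct SMTP to {len(entry['smtp_dests'])} external servers (spam engine?)")
        if len(entry["dests"]) > MAX_DISTINCT_DESTINATIONS:
            reasons.append(f"{len(entry['dests'])} distinct external destinations (DDoS/scan fan-out?)")
        if entry["bytes"] > MAX_OUTBOUND_BYTES:
            reasons.append(f"{entry['bytes']} bytes sent out (exfiltration?)")
        if reasons:
            alerts[host] = reasons
    return alerts


if __name__ == "__main__":
    for host, reasons in sorted(find_suspects(SAMPLE_FLOWS).items()):
        print(host)
        for reason in reasons:
            print("   ", reason)
```

The same per-host aggregation also covers the later Gonzales lesson that nobody was watching for data exfiltration: the byte-count rule is the crude first version of that watch, and the direction filter is what keeps the relay's legitimate mail traffic from drowning the signal.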
Comparison among Targets
• Value: higher is better for attackers
• Defense: weaker is better for attackers
• If the values are the same, an attacker may prefer to target the weaker systems
  – You become weaker when others get safer
• Conclusion: follow BCPs and revise your procedures to keep them up to date
Case Study: Alberto Gonzales
• Penetrated major American corporations, starting with unprotected WiFi reachable from the parking lot
  – Stole passwords from login sessions
  – Used SQL injection attacks
• Stole 180 million credit card numbers
• Total damages claimed to exceed US$400 million
Lessons
• Use proper crypto
• Don't use plaintext passwords when logging in
• Don't make simple programming mistakes
• There generally weren't multiple lines of defense
• No one was watching for data exfiltration
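Two of the lessons above, "don't use plaintext passwords when logging in" and "don't make simple programming mistakes", as an added Python example (not code from the original slides): a login routine that builds its SQL by string formatting and keeps the password in clear text, next to the hardened form with a parameterized query, a salted PBKDF2 hash, and a constant-time comparison. The in-memory SQLite schema, the two users, the crafted username and the PBKDF2 work factor are all constructed for the demonstration.

```python
"""Vulnerable vs. hardened login, illustrating two of the Gonzales lessons.

Added example, not code from the original deck. Schema, users, crafted input
and the PBKDF2 iteration count are all constructed/assumed for the demo.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 200_000  # assumed work factor; raise it in real deployments


def _connect():
    """Create a throwaway in-memory database with one users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT, salt BLOB, pw_hash BLOB)")
    return con


# --- the "simple programming mistake" ------------------------------------------

def add_user_plaintext(con, name, password):
    """Stores the password itself: anyone who reads the table has every credential."""
    con.execute("INSERT INTO users (name, password) VALUES (?, ?)", (name, password))


def login_vulnerable(con, name, password):
    """Builds the query by string formatting, so quotes in the input become SQL."""
    query = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return con.execute(query).fetchone() is not None


# --- the hardened version --------------------------------------------------------

def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the salt makes precomputed tables useless."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def add_user_hashed(con, name, password):
    salt = os.urandom(16)
    con.execute("INSERT INTO users (name, salt, pw_hash) VALUES (?, ?, ?)",
                (name, salt, hash_password(password, salt)))


def login_hardened(con, name, password):
    """Parameterized lookup (input is data, never SQL), then verify the stored hash."""
    row = con.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None or row[0] is None:
        return False  # unknown user, or a legacy row without a hash
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def demo():
    """Return (vulnerable_bypassed, hardened_bypassed, hardened_legit_login)."""
    con = _connect()
    add_user_plaintext(con, "alice", "correct horse")
    add_user_hashed(con, "bob", "battery staple")
    crafted = "alice' --"  # a quote plus an SQL comment marker, not a real username
    return (
        login_vulnerable(con, crafted, "anything"),   # the string-built query is altered
        login_hardened(con, crafted, "anything"),     # treated as a literal (nonexistent) name
        login_hardened(con, "bob", "battery staple"), # the legitimate path still works
    )


if __name__ == "__main__":
    print(demo())
```

The point of the pairing is that neither fix is exotic: the database driver already supports placeholders, and the standard library already ships a password hash. The third lesson on the slide, multiple lines of defense, is what catches the cases where one of these is still missed.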
Case Study: Stuxnet
• Targeted an Iranian nuclear centrifuge plant
• Used four 0-days; targeted SCADA systems as well as Windows
• Started with an infected USB drive, but it is unknown how that drive got into the plant
• Attackers had detailed knowledge of the plant's equipment
• Generally attributed to the US and/or Israel
Lessons
• Someone plugged in an infected flash drive
  – An agent? (Better personnel security)
  – A few infected drives in a parking lot? (Better procedures)
• Don't assume that air gaps and obscure systems will protect you
  – 0-days were used: patches and antivirus won't help
• Detected when someone thoroughly investigated some system crashes
More Cases
• Sony Pictures Entertainment
  – Unreleased films were stolen
  – The cancellation of a comedy film's release was demanded
Summary
• Use proper crypto
• Use multilayer security
  – Up-to-date patches and anti-virus
  – Firewall
  – IDS and anomaly detection
• Revise security procedures
And Again
• What are you trying to protect?
• Against whom?