Innovative Hackers are Bad for Business
Brian O’Higgins
CTO, Third Brigade Inc.
October 14, 2005
2 © 2005, Third Brigade Inc.
Outline
Evolving Threat
Hackers and Targeted Attacks
Counter-attack: Host Intrusion Prevention
Conclusions
Evolving Threat
Attacks are changing
Figure: major malware trends, 1985 to 2005, in order of appearance: boot sector virus, files and executables, Office macro virus, email attachments, web application attacks
Old Internet security statistics
Source: www.cert.org/stats
Vulnerabilities are the root cause for malware
Figure: vulnerabilities reported per year, 1995 to 2003 (scale 0 to 4,500)
Attackers are getting more efficient at exploiting vulnerabilities
Figure: incidents reported per year, 1995 to 2003 (scale 0 to 160,000)
Where are attackers successful?
Source of attack: Remote 71%, Local Network 18%, Local System 11%
Type of exploit: Vulnerability 45%, Configuration 31%, Brute Force 12%, Other 12%
Source: Zone-h.org
Attacks: Increasingly Sophisticated
Figure: attacker knowledge required (high to low) over 1980 to 2005 as attack tools grow more sophisticated; adapted from www.cert.org. Tools and techniques plotted: password guessing, self replicating code, password cracking, exploiting known vulnerabilities, burglaries, hijacking sessions, network management diagnostics, GUI, automated probes/scans, www attacks, DDOS attacks, disabling audits, back doors, sweepers, sniffers, packet spoofing, denial of service, stealth scanning techniques, ASN.1 attacks
Automated exploit tools
“…The goal is to provide useful information to people who perform penetration testing, IDS signature development, and exploit research. This site was created to fill the gaps in the information publicly available on various exploitation techniques and to create a useful resource for exploit developers. The tools and information on this site are provided for legal penetration testing and research purposes only”
The root cause
• 1 vulnerability for every 1,000-4,000 lines of code
• 100M+ lines of code not unusual
• Many sources of compromise (confidentiality, integrity & availability)
• Not likely to change in the near and medium future
Figure: software stack on the server host (web app, web/app server, database, OS) and on the client host (client browser, other apps, OS); each layer is a source of vulnerabilities
Software vulnerabilities
• Symantec Internet Security Report, 1H 2005
  – 1,862 new vulnerabilities, highest ever
  – 59% related to web applications
• SANS Top 20 list, Q1 2005 – 600+ new vulnerabilities listed that:
  1. Affect a large number of users
  2. Are not patched on a substantial number of machines
  3. Allow the computer to be taken over by a remote, non-authorized user
  4. Have sufficient details published on the internet
  5. Were discovered or first patched during Q1 2005
Business impact
Figure: worldwide financial losses from malicious code, 2002 to 2004, on a $5 B to $20 B scale. Source: Computer Economics, Impact of Malicious Code study of 100 IT and security executives
Figure: lost revenue in millions USD per hour of downtime by sector: Trans, Retail, E-Comm, Media, Banking, Brokerage. Source: Yankee Group
Hackers and Targeted Attacks
Hacking is changing
• From mass nuisance to profit motive
• Targeted attacks take advantage of s/w vulnerabilities
  – Can exploit a database without having to compromise any servers
Bot Nets for hire
• “First hour is free”
  – Infect web servers, then unsuspecting PCs
  – Change infection after a few thousand downloads to stay under virus signature radar
  – Call to the mothership for subsequent updates
  – Password stealing program web site count doubled from June 2005 to July 2005 (www.antiphishing.org)
Popular Web Application Attacks
• Buffer overflow
• Command injection
• Cross-site scripting
• Parameter manipulation
• Session hijacking
• Improper error handling
• Google hacking
SB 1386 impact
• California breach notification legislation
  – Spreading to other jurisdictions
  – Notifications and subsequent press are the biggest contributor to online fear
  – Since the Feb 15 2005 ChoicePoint breach, 78 notifications have been publicized covering 50M individuals (www.privacyrights.org)
Consumer confidence erodes
• U.S. survey on data security breach notification (Sep 25 2005)
  – Ponemon Institute (www.ponemon.org) survey of 10,000 victims of data security breach
• 19% of respondents have terminated the relationship
• 40% more said they are thinking about terminating
• 5% had hired lawyers
• Businesses using canned communication are 3X more likely to lose the customer vs. personalized
Security fears harm e-banking
• Forrester Research study of 11,300 users in the UK
  – Concludes that 600,000 from a total of 15M have quit online banking
  – 20% of internet users say security fears will stop them from ever banking online
  – 50% of UK internet users paranoid about online banking security
Breach notification is costly
• Feb 2005 ChoicePoint breach
  – 145,000 records
  – $11.4 M charges Q1 and Q2 2005
  – $79 per account. Gartner estimates this is more likely $90/account all in.
  – $750M market cap drop immediately after the breach was publicized
Costs for notification
• Smaller numbers, cost per account higher: 5,000 accounts ~ $1,500 per account
• Very large compromises, >1M accounts, direct costs ~$50 per account.
  – But this may be the death sentence for the company (CardSystems 40M accounts)
Source: Gartner, Data Protection is Less Costly Than Data Breaches, 28 Sept 2005
Business case to protect data
• Three recommendations from Gartner, and ballpark costs for 100K accounts
  1. Encrypt stored data: $5/account initial, $1 recurring
  2. Deploy HIPS on servers: $6/account initial, $2 recurring
  3. More rigorous audits: $4/account recurring
  vs. expenditure of $90/customer account exposed in a breach
Source: Gartner, Data Protection is Less Costly Than Data Breaches, 28 Sept 2005
Mitigating attacks
Figure: the Zone-h.org breakdown of what attackers exploit (Vulnerability 45%, Configuration 31%, Brute Force 12%, Other 12%), with the vulnerability share split into:
• 24% known vulnerabilities. Preventative action:
  – Patching
  – Shielding (virtual patching)
• 21% unknown vulnerabilities. Preventative action:
  – Shielding (virtual patching)
Patching: A race you can’t win
Source: Symantec Internet Security Threat Report, H1 2005
Figure: timeline from vulnerability published: exploit available after 6 days, patch available after 54 days
Patching needs to take time
High value systems are difficult to patch:
• Patch may impact the system
• Patches inherently slow and expensive to test
• Most patches not designed to be easily reversible
• Service disruption or machine reboot
Figure: patch timeline from “Vulnerability published and patch released” to “Last system patched and rebooted” (safe): notice patch, evaluate patch, test patch, develop and document new image, push new image
Attacks are occurring faster
Figure: days from vulnerability published and patch released to worm outbreak, approaching the zero day attack:
• 2003 - MSBlast worm: known vulnerability in Windows, ~8 million computers infected; 28 days
• 2004 - Sasser worm: exploited Windows hole in the “Local Security Authority Subsystem Service”, ~10 million Windows computers infected in 4 days; 18 days
• 2005 - Zotob worm: Windows plug and play flaw; 6 days later 10 variants, widespread in 1 week; 1 day
Counter-attack: Host Intrusion Prevention
The vulnerability gap
Figure: along the time axis the good guys patch while the bad guys attack; the vulnerability gap runs from “Vulnerability published and patch released” (unknown exploits before that point, known exploits after it) to “Last system patched and rebooted”
Getting ahead of the attackers
Figure: the same timeline with a third track, smart guys shield, that closes the vulnerability gap ahead of “Last system patched and rebooted”, across both unknown and known exploits
Host Intrusion Prevention
Security Technologies You Will Probably Need
Host-based IPS
802.1x
Quarantine/containment
Personal intrusion prevention and URL blocking
Gateway spam/antivirus scanning
Security audit capabilities
Vulnerability management
Web services security
Identity management
SSL/TLS
Business-continuity plan
PC lockdown cables and anti-tamper alarms
Source: Gartner Security ITxpo, June, 2005
Security controls: evolution of the perimeter
Figure: corporate network hosts (ERP, Finance, Email, Web, Laptop, HR Workstation) behind a firewall and DMZ, with a network IDS, a network IPS, and a branch network behind its own firewall
Network defenses are necessary but not sufficient
Figure: the same network; the perimeter is bypassed by encrypted attacks over the internet, mobile users leaving the safety of the perimeter, WLAN providing alternate paths into the network, and insider attacks
The host is the last line of defense
Figure: the same network and bypass paths, now with a firewall and IPS placed on each host
Experts agree
“Firewall-based prevention solutions that function with deep packet inspection techniques are key to effective protection from the growing number of cyber threats”
Gartner, Richard Stiennon, Research VP
“By 2006, 50% of enterprise servers and 30% of corporate PCs will incorporate host-based security agents (0.7 probability)”
Gartner, John Pescatore, Research VP
Different perspectives of HIP
What is HIP? Analysts, IPS vendors, firewall vendors, IDS vendors and anti-virus vendors each give a different answer
Gartner HIP framework
Gartner “Understanding the Nine Protection Styles of Host-Based Intrusion Prevention”
Malicious code stage    Protection styles
Trying to enter         1 Attack-facing network inspection   2 Personal firewall        3 Vulnerability-facing network inspection
Trying to execute       4 Antivirus                          5 System hardening         6 Application inspection
Executing               7 Resource shielding                 8 Application hardening    9 Behavioral containment
Which approach to use?
Gartner “Understanding the Nine Protection Styles of Host-Based Intrusion Prevention”
The same nine styles grouped by what each one relies on:
Known Bad: 1 Attack-facing network inspection, 4 Antivirus, 7 Resource shielding
Known Good: 2 Personal firewall, 5 System hardening, 8 Application hardening
Unknown: 3 Vulnerability-facing network inspection, 6 Application inspection, 9 Behavioral containment
Stop malicious code before it enters the host
“Gartner believes that leading HIP solutions will use multiple protection techniques, and recommends solutions that take a network-level approach be considered mandatory for deployment by the end of the year.”
Neil MacDonald, Gartner
Analysts recommend HIP
– “The Role of Network Intrusion Prevention in Protecting Medical Devices” (2004)
– “Most Important Security Action: Limiting Access to Corporate and Customer Data” (2005)
– “Host-Intrusion Prevention is here to Stay” (2004)
HIP: Security best practice
Found in security guidelines
– “Recommended Security Controls for Federal Information Systems 800-53” (2005)
– SANS: HIPAA Security Step-by-Step
How HIP works
Network-based HIP security mechanisms:
Firewall: known good
Deep packet inspection with signatures: known bad
Rules-based engine: unknown
Protecting the host
Figure: the HIP agent passes incoming or outgoing network traffic through a stateful firewall, then signature filters, then rules-based filters, and forwards protected and corrected traffic
Non-intrusive at the network layer
System execution control:
- Highly dynamic environment
- OS versioning and patching
- Application versioning and patching
- Control mechanism versioning and updating
- High test requirements (run applications)
Network based:
- Implemented at the network layer, which is less subject to change
- Transparent to applications and the OS
- Easy to test (replay data through it)
Figure: where each control sits in the Applications / TCP/IP / OS stack
Software must resist attack
• Software agents must be resilient to attack (‘knocking out the security guard’)
  – Use kernel-mode implementations rather than user-mode
  – Stateful implementations resist evasion of deep packet inspection
• Manage agents with a central console, not the end user
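The three stages drawn on the “How HIP works” and “Protecting the host” slides, together with the point above that a stateful implementation resists deep-packet-inspection evasion, as an added Python example that is not Third Brigade’s code: a toy network-based HIP agent that reassembles TCP segments per flow before running signature (known bad) and rules-based (virtual patching) filters over an HTTP request. The flow ids, the two signature patterns, the 256-byte URI limit and all sample requests are constructed for the illustration; a stateless per-segment matcher is included only to show the miss the stateful stage prevents.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment of a flow (constructed; the flow id stands in for the 4-tuple)."""
    flow: str
    seq: int      # byte offset of this segment's payload within the stream
    data: bytes


@dataclass(frozen=True)
class Verdict:
    action: str   # "allow", "block" or "hold" (waiting for more segments)
    stage: str    # stage that decided: "stateful", "signature" or "rules"
    reason: str


# Stage 2 input: known-bad patterns (constructed toy signatures, not a real IDS rule set)
SIGNATURES = {
    "script-tag": re.compile(rb"<script", re.IGNORECASE),
    "directory-traversal": re.compile(rb"\.\./"),
}
# Stage 3 input: protocol limits that shield a server from malformed input (assumed values)
MAX_URI_LEN = 256
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}


class StatefulFilter:
    """Stage 1: track each flow and hand a request downstream only once it is complete,
    so a pattern split across segments (or arriving out of order) is still seen whole."""

    def __init__(self):
        self._flows = {}   # flow id -> {seq offset: payload}

    def feed(self, seg):
        chunks = self._flows.setdefault(seg.flow, {})
        chunks[seg.seq] = seg.data
        stream = b""
        for offset in sorted(chunks):
            if offset != len(stream):
                return None             # gap in the stream: wait for the missing segment
            stream += chunks[offset]
        if b"\r\n\r\n" not in stream:
            return None                 # HTTP header block not finished yet
        del self._flows[seg.flow]
        return stream


def signature_filter(request):
    """Stage 2: block anything matching a known-bad pattern."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(request):
            return Verdict("block", "signature", name)
    return None


def rules_filter(request):
    """Stage 3: enforce protocol sanity whether or not a specific exploit is known."""
    parts = request.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or parts[0] not in ALLOWED_METHODS:
        return Verdict("block", "rules", "malformed-request-line")
    if len(parts[1]) > MAX_URI_LEN:
        return Verdict("block", "rules", "uri-too-long")
    if not parts[2].startswith(b"HTTP/1."):
        return Verdict("block", "rules", "unsupported-version")
    return None


class HipAgent:
    """The three stages in the order the deck draws them."""

    def __init__(self):
        self.stateful = StatefulFilter()

    def inspect(self, seg):
        request = self.stateful.feed(seg)
        if request is None:
            return Verdict("hold", "stateful", "incomplete")
        return signature_filter(request) or rules_filter(request) or Verdict("allow", "rules", "clean")


def stateless_signature_check(seg):
    """For comparison only: a per-segment matcher with no reassembly."""
    return signature_filter(seg.data)


def run_demo():
    """Push constructed traffic through the agent and return the verdicts by case name."""
    agent = HipAgent()
    results = {}
    tail = b" HTTP/1.1\r\nHost: example.test\r\n\r\n"

    results["clean"] = agent.inspect(Segment("flow-a", 0, b"GET /index.html" + tail))

    # Known-bad token split over two segments: the stateless check sees neither half
    first, second = b"GET /search?q=<scr", b"ipt>" + tail
    s1, s2 = Segment("flow-b", 0, first), Segment("flow-b", len(first), second)
    results["stateless_on_split"] = stateless_signature_check(s1) or stateless_signature_check(s2)
    agent.inspect(s1)
    results["stateful_on_split"] = agent.inspect(s2)

    # Same request with the segments arriving out of order
    r1, r2 = Segment("flow-c", 0, first), Segment("flow-c", len(first), second)
    results["reordered_hold"] = agent.inspect(r2)
    results["reordered"] = agent.inspect(r1)

    # Oversized URI: no signature matches, the rules stage shields the server anyway
    results["long_uri"] = agent.inspect(Segment("flow-d", 0, b"GET /" + b"A" * 300 + tail))
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:20s} {verdict}")
```

Run it with python3; the rules stage blocks the oversized URI even though no signature names it, which is what the deck means by shielding a vulnerability before the patch lands, and the split-token case is the evasion a per-packet inspector misses.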
Accuracy: Perfect is impossible, but make the errors really small
Figure: probability of error (0 to 100%) plotted against sensitivity for the two error types, false positives (stopping the wrong thing) and false negatives (not stopping the attack)
• Trade-off on errors
• Tune more accurately
• Host based allows fine tuning
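The error trade-off and the host-based tuning point above, as an added Python example that is not part of the deck: a sensitivity threshold is swept over a constructed set of labelled anomaly scores, the false-positive and false-negative rates are computed at each setting, and a per-host exemption list shows how tuning removes false positives without raising the miss rate. The event names, scores and cost weights are all constructed; none of it is real telemetry.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ErrorRates:
    threshold: float
    false_positive_rate: float   # benign events stopped ("stopping the wrong thing")
    false_negative_rate: float   # attacks let through ("not stopping the attack")


# Constructed, labelled events: (name, anomaly score in 0..1, is_attack). Not real data.
EVENTS = [
    ("static-page-fetch", 0.05, False), ("login-ok", 0.10, False),
    ("api-call", 0.15, False), ("file-upload", 0.20, False),
    ("search-query", 0.25, False), ("report-export", 0.30, False),
    ("bulk-download", 0.40, False), ("admin-login-offhours", 0.55, False),
    ("monitoring-probe", 0.65, False), ("backup-job", 0.80, False),
    ("slow-scan", 0.35, True), ("param-tamper", 0.50, True),
    ("session-replay", 0.60, True), ("sqli-attempt", 0.70, True),
    ("xss-attempt", 0.75, True), ("overflow-attempt", 0.85, True),
    ("cmd-injection", 0.90, True), ("known-worm", 0.95, True),
]


def error_rates(threshold, events=EVENTS, exempt=frozenset()):
    """An event is stopped when its score reaches the threshold, unless its name is on the
    host-specific exemption list. A lower threshold means higher sensitivity."""
    benign = [e for e in events if not e[2]]
    attacks = [e for e in events if e[2]]
    fp = sum(1 for name, score, _ in benign if score >= threshold and name not in exempt)
    fn = sum(1 for _, score, _ in attacks if score < threshold)
    return ErrorRates(threshold, fp / len(benign), fn / len(attacks))


def sweep(thresholds, **kwargs):
    """Error rates across the sensitivity range; the two curves move in opposite directions."""
    return [error_rates(t, **kwargs) for t in thresholds]


def best_threshold(thresholds, fp_cost=1.0, fn_cost=1.0, **kwargs):
    """Pick the threshold minimising weighted error. The weights say which mistake costs
    the business more, so the right setting differs from host to host."""
    return min(sweep(thresholds, **kwargs),
               key=lambda r: fp_cost * r.false_positive_rate + fn_cost * r.false_negative_rate)


if __name__ == "__main__":
    grid = [0.1, 0.3, 0.5, 0.7, 0.9]
    for rates in sweep(grid):
        print(rates)
    print("balanced costs:", best_threshold(grid))
    print("missed attack costs 3x:", best_threshold(grid, fn_cost=3.0))
    # Host-based tuning: exempt two known-benign jobs that score high on this host
    print("tuned at 0.5:", error_rates(0.5, exempt=frozenset({"backup-job", "monitoring-probe"})))
```

The sweep shows the deck’s curve in numbers: every step up in threshold lowers the false-positive rate and raises the false-negative rate, and the exemption list is the host-level knob that shifts one curve without touching the other.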
Proof: HIP stops attacks
OWASP Top 10 Vulnerabilities                   Unprotected  Protected
 1. Unvalidated input                              25          0
 2. Broken access control                           0          0
 3. Broken authentication and session mgt.         10          0
 4. Cross site scripting (XSS) flaws                8          0
 5. Buffer overflows                                3          0
 6. Injection flaws                                13          0
 7. Improper error handling                        23          0
 8. Insecure storage                                0          0
 9. Denial of service                               2          0
10. Insecure configuration management              17          0
Industry leading web application scanner: several thousand tests on a typical web application
Commercial applications
Protected with network-based HIP
Software (# of known major vulnerabilities)    Rules-based filters   Rules-based + signature filters
FTP – 3com, Netterm, wuftpd (17)               94%                   100%
HTTP – IIS (105)                               86%                   100%
HTTP – Apache (20)                             90%                   100%
SMTP – Exchange, Sendmail (3)                  100%                  100%
Conclusions
Internet, intrusions and HIP everywhere
Figure: HIP applied across VoIP, telecom, mobile & PDA, financial, enterprise computing, SCADA, medical systems and military
Evaluate HIP now
• Host Intrusion Prevention technology and products are becoming mainstream by YE 2005.
• Organizations need to start evaluating options and testing solutions now.
Deployment strategy
• Incorporate HIP into pilots
  – Confirm user acceptance (performance, transparency and manageability)
  – Identify the types of threats these systems are seeing
  – Demonstrate the effectiveness of HIP in protecting these systems
• Deploy applications with confidence
  – Protect against known and unknown vulnerabilities