Innovative Hackers are Bad for Business Brian O’Higgins CTO, Third Brigade Inc. October 14, 2005


Page 1

Innovative Hackers are Bad for Business

Brian O’Higgins

CTO, Third Brigade Inc.

October 14, 2005

Page 2

2 © 2005, Third Brigade Inc.

Outline

Evolving Threat

Hackers and Targeted Attacks

Counter-attack: Host Intrusion Prevention

Conclusions

Page 3

Outline

Evolving Threat

Hackers and Targeted Attacks

Counter-attack: Host Intrusion Prevention

Conclusions

Page 4

Attacks are changing

Major Malware Trends, 1985 to 2005 (timeline): boot sector virus; files and executables; Office macro virus; email attachments; web application attacks

Page 5

Old Internet security statistics

Source: www.cert.org/stats

Vulnerabilities are the root cause for malware

[Chart: vulnerabilities reported per year, 1995 to 2003, scale 0 to 4,500]

[Chart: incidents reported per year, 1995 to 2003, scale 0 to 160,000]

Attackers are getting more efficient at exploiting vulnerabilities

Page 6

Where are attackers successful?

Source of attack: Remote 71%; Local Network 18%; Local System 11%

Type of exploit: Vulnerability 45%; Configuration 31%; Brute Force 12%; Other 12%

Source: Zone-h.org

Page 7

Attacks: Increasingly Sophisticated

[Chart: attacker knowledge required (High to Low) against attack tools, 1980 to 2005; adapted from www.cert.org]

Techniques and tools plotted, in order of appearance: password guessing; self-replicating code; password cracking; exploiting known vulnerabilities; burglaries; hijacking sessions; network management diagnostics; GUI; automated probes/scans; www attacks; DDoS attacks; disabling audits; back doors; sweepers; sniffers; packet spoofing; denial of service; stealth scanning techniques; ASN.1 attacks

Page 8

Automated exploit tools

“…The goal is to provide useful information to people who perform penetration testing, IDS signature development, and exploit research. This site was created to fill the gaps in the information publicly available on various exploitation techniques and to create a useful resource for exploit developers. The tools and information on this site are provided for legal penetration testing and research purposes only”

Page 9

The root cause

• 1 vulnerability for every 1,000-4,000 lines of code

• 100M+ lines of code not unusual

• Many sources of compromise (confidentiality, integrity & availability)

• Not likely to change in the near and medium future

[Diagram: Server (Host): Database, Web/App Server, Web App, OS. Client (Host): Browser, Other Apps, OS]

Page 10

Software vulnerabilities

• Symantec Internet Security Report, 1H 2005
– 1,862 new vulnerabilities, highest ever
– 59% related to web applications

• SANS Top 20 list, Q1 2005 – 600+ new vulnerabilities listed that:

1. Affect large number of users

2. Not patched on substantial number of machines

3. Allow computer to be taken over by remote, non- authorized user

4. Sufficient details published on the internet

5. Discovered or first patched during Q1 2005

Page 11

Business impact

Source: Computer Economics, Impact of Malicious Code Study of 100 I.T. and Security Executives

[Chart: worldwide financial losses, 2002 to 2004, scale $5 B to $20 B]

[Chart: lost revenue per hour of downtime, millions USD, by sector: Trans, Retail, E-Comm, Media, Banking, Brokerage]

Source: Yankee Group

Page 12

Outline

Evolving Threat

Hackers and Targeted Attacks

Counter-attack: Host Intrusion Prevention

Conclusions

Page 13

Hacking is changing

• Mass nuisance → profit motive

• Targeted attacks take advantage of s/w vulnerabilities
– Can exploit a database without having to compromise any servers

Page 14

Bot Nets for hire

• “First hour is free”
– Infect web servers, then unsuspecting PCs
– Change infection after a few thousand downloads to stay under virus signature radar
– Call to the mothership for subsequent updates
– Password stealing program web site count doubled from June 2005 to July 2005 (www.antiphishing.org)

Page 15

Popular Web Application Attacks

Buffer overflow

Command injection

Cross-site scripting

Parameter manipulation

Session hijacking

Improper error handling

Google hacking

Page 16

SB 1386 impact

• California breach notification legislation
– Spreading to other jurisdictions
– Notifications and subsequent press are biggest contributor to online fear
– Since the Feb 15 2005 ChoicePoint breach, 78 notifications have been publicized covering 50M individuals (www.privacyrights.org)

Page 17

Consumer confidence erodes

• U.S. survey on data security breach notification (Sep 25 2005)
– Ponemon Institute (www.ponemon.org) survey of 10,000 victims of data security breach

• 19% of respondents have terminated relationship
• 40% more said they are thinking about terminating
• 5% had hired lawyers
• Businesses using canned communication are 3X more likely to lose the customer vs. personalized

Page 18

Security fears harm e-banking

• Forrester Research study of 11,300 users in the UK
– Concludes that 600,000 from a total of 15M have quit online banking
– 20% of internet users say security fears will stop them from ever banking online
– 50% of UK internet users paranoid about online banking security

Page 19

Breach notification is costly

• Feb 2005 ChoicePoint breach
– 145,000 records
– $11.4 M charges Q1 and Q2 2005
– $79 per account. Gartner estimates this is more likely $90/account all in.
– $750M mkt cap drop immediately after the breach publicized

Page 20

Costs for notification

• Smaller numbers, cost per account higher: 5,000 accounts ~ $1,500 per account

• Very large compromises, >1M accounts, direct costs ~$50 per account.
– But this may be the death sentence for the company (CardSystems 40M accounts)

Source: Gartner, Data Protection is Less Costly Than Data Breaches, 28 Sept 2005

Page 21

Business case to protect data

• Three recommendations from Gartner, and ballpark costs for 100K accounts

1. Encrypt Stored Data: $5/account initial, $1 recurring

2. Deploy HIPS on servers: $6/account initial, $2 recurring

3. More rigorous audits: $4/account recurring

vs. expenditure of $90/customer account exposed in a breach

Source: Gartner, Data Protection is Less Costly Than Data Breaches, 28 Sept 2005

Page 22

Mitigating attacks

They exploit (type of exploit): Vulnerability 45%; Configuration 31%; Brute Force 12%; Other 12%

24% Known Vulnerabilities. Preventative Action:
– Patching
– Shielding (virtual patching)

21% Unknown Vulnerabilities. Preventative Action:
– Shielding (virtual patching)

Page 23

Patching: A race you can’t win

Source: Symantec Internet Security Threat Report, H1, 2005

[Timeline from vulnerability published: exploit available after 6 days; patch available after 54 days]

Page 24

Patching needs to take time

High value systems are difficult to patch:
• Patch may impact the system
• Patches inherently slow and expensive to test
• Most patches not designed to be easily reversible
• Service disruption or machine reboot

[Timeline: start safe; vulnerability published and patch released; notice patch; evaluate patch; test patch; develop & document new image; push new image; last system patched & rebooted]

Page 25

Attacks are occurring faster

Approaching the Zero Day Attack (time from vulnerability published & patch released to attack)

2003 - MSBlast Worm: known vulnerability in Windows; ~8 million computers infected. 28 days

2004 - Sasser Worm: exploited Windows hole: “Local Security Authority Subsystem Service”; ~10 million Windows computers infected in 4 days. 18 days

2005 - Zotob Worm: Windows plug and play flaw; 6 days later, 10 variants, widespread in 1 week. 1 day

Page 26

Outline

Evolving Threat

Hackers and Targeted Attacks

Counter-attack: Host Intrusion Prevention

Conclusions

Page 27

The vulnerability gap

[Diagram: timeline from vulnerability published and patch released to last system patched & rebooted. Bad Guys: ATTACK, with unknown exploits before publication and known exploits after it; Good Guys: Patch. The interval between publication and the last system patched & rebooted is the Vulnerability Gap]

Page 28

Getting ahead of the attackers

[Diagram: the same timeline (Bad Guys: ATTACK with unknown and known exploits; Good Guys: Patch; Vulnerability Gap until last system patched & rebooted), with a third line, Smart Guys: Shield, covering the host against known and unknown exploits before the last system is patched & rebooted]

Page 29

Host Intrusion Prevention

Security Technologies You Will Probably Need

Host-based IPS

802.1x

Quarantine/containment

Personal intrusion prevention and URL blocking

Gateway spam/antivirus scanning

Security audit capabilities

Vulnerability management

Web services security

Identity management

SSL/TLS

Business-continuity plan

PC lockdown cables and anti-tamper alarms

Source: Gartner Security ITxpo, June, 2005

Page 30

Security controls: evolution of the perimeter

[Diagram: Firewall and IDS at the internet edge; DMZ; Corporate Network with ERP, Finance, Email, Web, HR, Workstation, Laptop; Firewall and IPS; Branch Network]

Page 31

Network defenses are necessary but not sufficient

[Diagram: Firewall, DMZ, Corporate Network (ERP, Finance, Email, Web, HR, Workstation, Laptop), Firewall and IPS, Branch Network, with the threats that get past the perimeter:]

Encrypted attacks over the internet

Mobile users leaving the safety of the perimeter

WLAN providing alternate paths into the network

Insider attacks

Page 32

The host is the last line of defense

[Diagram: the same network (Firewall, DMZ, Corporate Network with ERP, Finance, Email, Web, HR, Workstation, Laptop, Firewall and IPS, Branch Network) and the same threats: encrypted attacks over the internet; mobile users leaving the safety of the perimeter; WLAN providing alternate paths into the network; insider attacks. Each host now carries its own Firewall and IPS]

Page 33

Experts agree

“Firewall-based prevention solutions that function with deep packet inspection techniques are key to effective protection from the growing number of cyber threats”

Gartner, Richard Stiennon, Research VP

“By 2006, 50% of enterprise servers and 30% of corporate PCs will incorporate host-based security agents (0.7 probability)”

Gartner, John Pescatore, Research VP

Page 34

Different perspectives of HIP

[Diagram: “What is HIP?” as seen by analysts, IPS vendors, firewall vendors, IDS vendors and anti-virus vendors]

Page 35

Gartner HIP framework

Gartner “Understanding the Nine Protection Styles of Host-Based Intrusion Prevention”

Malicious code trying to enter: 1. Attack-Facing Network Inspection; 2. Personal Firewall; 3. Vulnerability-Facing Network Inspection

Malicious code trying to execute: 4. Antivirus; 5. System Hardening; 6. Application Inspection

Malicious code executing: 7. Resource Shielding; 8. Application Hardening; 9. Behavioral Containment

Page 36

Which approach to use?

Gartner “Understanding the Nine Protection Styles of Host-Based Intrusion Prevention” (styles 1-3 act on malicious code trying to enter, 4-6 on code trying to execute, 7-9 on code executing), grouped by what each style recognizes:

Known Bad: 1. Attack-Facing Network Inspection; 4. Antivirus; 7. Resource Shielding

Known Good: 2. Personal Firewall; 5. System Hardening; 8. Application Hardening

Unknown: 3. Vulnerability-Facing Network Inspection; 6. Application Inspection; 9. Behavioral Containment

Stop malicious code before it enters the host

“Gartner believes that leading HIP solutions will use multiple protection techniques, and recommends solutions that take a network-level approach be considered mandatory for deployment by the end of the year.”

Neil MacDonald, Gartner

Page 37

Analysts recommend HIP

– “The Role of Network Intrusion Prevention in Protecting Medical Devices” (2004)

– “Most Important Security Action: Limiting Access to Corporate and Customer Data” (2005)

– “Host-Intrusion Prevention is here to Stay” (2004)

Page 38

HIP: Security best practice

Found in security guidelines

– “Recommended Security Controls for Federal Information System 800-53” (2005)

– SANS: HIPAA Security Step-by-Step

Page 39

How HIP works

Network-based HIP security mechanisms:

Firewall: Known Good

Deep Packet Inspection with Signatures: Known Bad

Deep Packet Inspection with Rules-based engine: Unknown

Page 40

Protecting the host

[Diagram: HIP Agent. Incoming or outgoing network traffic passes through a stateful firewall, then signature filters, then rules-based filters, and leaves as protected and corrected traffic]

Page 41

Non-intrusive at the network layer

System Execution Control
- Highly dynamic environment
- OS versioning and patching
- Application versioning and patching
- Control mechanism versioning and updating
- High test requirements (run applications)

Network Based
- Implemented at the network layer which is less subject to change
- Transparent to Applications and the OS
- Easy to test (replay data through it)

[Diagram: two host stacks of Applications, OS and TCP/IP. System Execution Control sits between Applications and the OS; Network-Based sits at the TCP/IP layer]
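The three-stage agent of the last three slides (firewall for known good, signature filters for known bad, rules-based filters for the unknown) and the "replay data through it" testing point, as an added Python model that is not Third Brigade's product code; the listening port, the placeholder signature, the HTTP limits and the sample segments are constructed assumptions.

```python
# Added model of a network-based HIP agent (not Third Brigade's product code):
# a stateful firewall, then signature filters, then rules-based filters.
import re
from collections import namedtuple

Segment = namedtuple("Segment", "src port payload inbound", defaults=(True,))

LISTENING_PORTS = {80}                                   # known good: exposed services
SIGNATURES = [re.compile(rb"CONSTRUCTED-BAD-PATTERN")]  # known bad: placeholder pattern
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}             # unknown: protocol conformance
MAX_REQUEST_LINE, MAX_HEADERS, MAX_TRACKED = 256, 32, 4096

class HipAgent:
    def __init__(self):
        self.streams = {}  # (peer, port) -> reassembled inbound bytes (connection state)

    def inspect(self, seg):
        """Return "allow" or "drop:<stage>" for one TCP segment."""
        key = (seg.src, seg.port)
        # Stage 1, stateful firewall: new inbound connections only to listening
        # ports; outbound segments only on connections already being tracked.
        if not seg.inbound:
            return "allow" if key in self.streams else "drop:firewall"
        if seg.port not in LISTENING_PORTS:
            return "drop:firewall"
        # Stage 2, signature filters: matched on the reassembled stream rather
        # than the lone segment, so a pattern split across segments is still seen.
        stream = (self.streams.get(key, b"") + seg.payload)[-MAX_TRACKED:]
        self.streams[key] = stream
        if any(sig.search(stream) for sig in SIGNATURES):
            del self.streams[key]
            return "drop:signature"
        # Stage 3, rules-based filters: HTTP conformance limits that shield the
        # service from overlong or malformed requests without naming an exploit.
        if not http_conforms(stream):
            del self.streams[key]
            return "drop:rules"
        return "allow"

def http_conforms(stream):
    """True while the reassembled request stays within the constructed HTTP limits."""
    line, sep, rest = stream.partition(b"\r\n")
    if len(line) > MAX_REQUEST_LINE:
        return False                    # too long even before the line is complete
    if not sep:
        return True                     # request line still arriving; wait for more
    parts = line.split(b" ")
    if len(parts) != 3 or parts[0] not in ALLOWED_METHODS or not parts[2].startswith(b"HTTP/1."):
        return False
    headers = rest.split(b"\r\n\r\n", 1)[0]
    return headers.count(b"\r\n") + (1 if headers else 0) <= MAX_HEADERS

def replay(segments):
    """Replay traffic through a fresh agent and return one verdict per segment."""
    agent = HipAgent()
    return [agent.inspect(s) for s in segments]

SAMPLE = [  # constructed traffic, not a capture
    Segment("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),  # allow
    Segment("10.0.0.5", 80, b"HTTP/1.1 200 OK\r\n\r\nok", inbound=False),      # allow (tracked)
    Segment("10.0.0.6", 22, b"SSH-2.0-client"),                               # drop:firewall
    Segment("10.0.0.7", 80, b"GET /a/CONSTRUCTED-BAD"),                        # allow (so far)
    Segment("10.0.0.7", 80, b"-PATTERN HTTP/1.1\r\n\r\n"),                     # drop:signature
    Segment("10.0.0.8", 80, b"GET /" + b"A" * 300),                            # drop:rules
    Segment("10.0.0.9", 80, b"DELETE / HTTP/1.1\r\n\r\n"),                     # drop:rules
]
```

The fourth and fifth segments show why the slide on resilient agents asks for stateful inspection: the signature only matches once the two pieces are reassembled.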

Page 42

Software must resist attack

• Software agents must be resilient to attack (‘knocking out the security guard’)
– Use kernel-mode implementations rather than user-mode
– Stateful implementations are resistant to evading deep packet inspection

• Manage agents with a central console, not the end user

Page 43

Accuracy: Perfect is impossible, but make the errors really small

[Chart: probability of error against sensitivity, 0 to 100%. False Positives: stopping the wrong thing. False Negatives: not stopping the attack]

• Trade-off on errors
• Tune more accurately
• Host based allows fine tuning

Page 44

Proof: HIP stops attacks

OWASP Top 10 Vulnerabilities                Unprotected   Protected
1. Unvalidated input                             25           0
2. Broken access control                          0           0
3. Broken authentication and session mgt.        10           0
4. Cross site scripting (XSS) flaws               8           0
5. Buffer overflows                               3           0
6. Injection flaws                               13           0
7. Improper error handling                       23           0
8. Insecure storage                               0           0
9. Denial of service                              2           0
10. Insecure configuration management            17           0

Industry leading web application scanner: several thousand tests on a typical web application

Page 45

Commercial applications

Protected with Network-based HIP

Software (# of known major vulnerabilities)   Rules-based filters   Rules-based + signature filters
FTP – 3com, Netterm, wuftpd (17)                     94%                    100%
HTTP – IIS (105)                                     86%                    100%
HTTP – Apache (20)                                   90%                    100%
SMTP – Exchange, Sendmail (3)                       100%                    100%

Page 46

Outline

Evolving Threat

Hackers and Targeted Attacks

Counter-attack: Host Intrusion Prevention

Conclusions

Page 47

Internet, intrusions and HIP everywhere

[Diagram: VoIP, Telecom, Mobile & PDA, Financial, Enterprise Computing, SCADA, Medical Systems, Military]

Page 48

Evaluate HIP now

• Host Intrusion Prevention technology and products are becoming mainstream by YE 2005.

• Organizations need to start evaluating options and testing solutions now.

Page 49

Deployment strategy

• Incorporate HIP into pilots
– Confirm user acceptance (performance, transparency and manageability)
– Identify the types of threats these systems are seeing
– Demonstrate the effectiveness of HIP in protecting these systems

• Deploy applications with confidence
– Protect against known and unknown vulnerabilities

Page 50

The End

Brian O’[email protected]

www.thirdbrigade.com