Arbor Networks is a member of an elite group of institutions that might be referred to as "super remediators." This is a reflection of having both visibility and remediation capabilities at nearly every tier one operator and the vast majority of service provider networks globally. The Arbor Security Engineering and Response Team (ASERT) shares operationally viable intelligence with hundreds of international Computer Emergency Response Teams (CERTs) in an out-of-band manner, apart from the Arbor Networks product line. We also provide this same data to thousands of network operators via in-band security content feeds. ASERT also operates the world's largest distributed honeynet, capturing traffic destined for pull-up routes at major providers across the globe. As of Q3 2014, ASERT monitors roughly 90 terabits per second (Tbps) of global Internet traffic, which we estimate to be a third of the average global Internet bandwidth. This mission and the associated resources that Arbor Networks brings to bear on the problem of global Internet security are a massive impetus for innovation and research. This presentation was originally given at AUSCert 2014 and outlines various datasets that ASERT maintains and offers some brief statistics and findings on global DDoS and advanced threat intelligence.
Internet-Scale Security
Marc Eisenbarth
About the Speaker
About the Speaker’s Employer
Who is Arbor Networks? A Trusted & Proven Vendor Securing the World’s Largest and Most Demanding Networks
90% Percentage of world’s Tier 1 service providers who are Arbor customers
105 Number of countries with Arbor products deployed
69 Tbps Amount of peak global IPv4 traffic monitored by the ATLAS security intelligence initiative right now
#1 Arbor market position in Carrier, Enterprise and Mobile DDoS equipment market segments [Infonetics Research]
12 Number of years Arbor has been delivering innovative security and network visibility technologies & products
$18B 2012 GAAP revenues [USD] of Danaher – Arbor’s parent company providing deep financial backing
Who is Arbor Networks: Analytics
Google Ideas + ASERT
http://www.digitalattackmap.com
The Arbor ecosystem spanning service providers and enterprise DCs offers unique insight into emerging and active threats
Enterprise data center services are now fully available!
Enterprise Data Centers Service Providers
Who is Arbor Networks: Mitigation
Cloud mitigation with Peakflow
On site mitigation with Pravail
~67Gbps Attack Traffic, ~14Gbps Residual Traffic
“MC is taking it like a champ. we need more bandwidth”
--- Unknown Bad Guy in #operationpayback
About the Speaker’s Team
Who is ASERT: The Team
§ Arbor Security Engineering & Response Team
  – 7 researchers, 4 developers and 4 threat analysts
  – Broad, interdisciplinary background
  – https://github.com/arbor
  – http://www.arbornetworks.com/asert/
§ Tools
  – IDA Pro – IDAPython – Hex-Rays decompiler – bindiff – OllyDbg – Windbg
  – IDAScope – P32Dasm – Pydbg – CFF Explorer – Process Hacker – PEiD
  – Majority is home-grown
§ Goals of Data Collection
  – Broad coverage required to focus on specific use-cases, such as DDoS
  – Multiple infection vectors, CnC mechanisms, backscatter analysis, etc.
  – Generate unique indicators: honeypots, CnCs themselves, harvesting, etc.
§ Goals of Reverse Engineering
  – Reverse engineering of botnet CnC protocol
  – Emulation of full CnC protocol for direct CnC and peer (zombie) analysis
  – Unique approach to static and dynamic analysis techniques
§ Goals of Large-Scale Analysis
  – Understand both latent capabilities and attacker resources
  – Internet-scale correlation, i.e. relate a .eml to originating executable
  – End-to-end threat lifecycle, i.e. observe actor via CnC then verify the attack via flow
Who is ASERT: Reverse Engineering
This bot was seen to attack industrial food processor equipment vendors
// Darkshell bot-to-CnC comms (260 bytes on the wire)
struct {
    // Header:
    DWORD dwMagic;              // always 0x00000010 for Darkshell
    // Obfuscated section (bytes 0x04..0xA8):
    char  szComputerName[64];   // Name of infected host, NULL-terminated/extended
    char  szMemory[32];         // Amount of memory in infected host; format "%dMB"; NULL-terminated
    char  szWindowsVersion[32]; // Version of Windows; one of: Windows98, Windows95, WindowsNT,
                                // Windows2000, WindowsXP, Windows2003, or Win Vista; NULL-terminated/extended
    char  szBotVersion[32];     // Version of bot; NULL-terminated/extended
    DWORD szUnknown1[4];        // ??? - Always NULL-terminated 'n'. Note: the 260-byte message size and the
                                // 0x04..0xA8 obfuscated range only add up if this field is 4 bytes wide, not 16
    // Binary section:
    char  szPadding1[32];       // Filled with 0x00 bytes
    WORD  wUnknown2;            // ??? - We have seen 0x00A0, 0x00B0, and 0x00C0
    WORD  wUnknown3;            // ??? - Always 0xFD7F
    char  szPadding2[20];       // Filled with 0x00 bytes
    WORD  wUnknown4;            // ??? - Always 0xB0FC
    BYTE  cUnknown5;            // ??? - We have seen 0xD6, 0xD7, 0xE6, 0xE7, and 0xF1
    BYTE  cZero;                // Always 0x00
    DWORD dwSignature[8];       // Always 0x00000000, 0xFFFFFFFF, 0x18EE907C, 0x008E917C,
                                // 0xFFFFFFFF, 0xFA8D91&C, 0x25D6907C, 0xCFEA907C
};
def decrypt_darkshell(cipherbytes, start_idx=0x04, stop_idx=0xA8):
    """
    De-obfuscates Darkshell comms encoded using the following method:
        cipherbyte = 0xDE - [plainbyte - (plainbyte & 0x10) << 1]
    The obfuscation is reversed as follows:
        intermediate = 0xDE - cipherbyte
        plainbyte    = intermediate + (intermediate & 0x10) << 1
    Only bytes in [start_idx, stop_idx) are obfuscated; the 4-byte header and
    the trailing binary section pass through unchanged. All arithmetic is
    8-bit, so every intermediate is masked to a byte (otherwise plaintext
    bytes 0x10..0x1F and 0xF0..0xFF would not round-trip).
    """
    if len(cipherbytes) != 260:
        raise RuntimeError("Darkshell bot-to-CnC comms are always 260 bytes")
    plainbytes = bytearray()
    for cipherbyte in cipherbytes[start_idx:stop_idx]:
        intermediate = (0xDE - cipherbyte) & 0xFF
        plainbytes.append((intermediate + ((intermediate & 0x10) << 1)) & 0xFF)
    return cipherbytes[:start_idx] + bytes(plainbytes) + cipherbytes[stop_idx:]
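The check-in format and the de-obfuscation above, carried through as a runnable round trip. This is an added example, not ASERT's code: it assembles a 260-byte check-in from constructed field values, applies the forward transform the docstring describes, then validates the magic, reverses the transform over bytes 0x04..0xA8 and unpacks every field with `struct`. The 4-byte width assumed for szUnknown1 is inferred from the 260-byte length and the obfuscated range; the "observed" constants in the binary section are the ones the struct comments list, and the signature DWORDs are left zero in the sample.

```python
"""Darkshell bot-to-CnC check-in: build, obfuscate, de-obfuscate and parse a 260-byte message.

Added example (not ASERT's code). Layout follows the struct on the slide; the 4-byte
size of szUnknown1 is inferred from the 260-byte total and the 0x04..0xA8 obfuscated
range. All sample field values below are constructed."""
import struct

MSG_LEN = 260
MAGIC = 0x00000010
OBF_START, OBF_STOP = 0x04, 0xA8      # only this slice is obfuscated
OBF_FMT = "<64s32s32s32s4s"           # szComputerName .. szUnknown1 (164 bytes)
BIN_FMT = "<32sHH20sHBB8I"            # szPadding1 .. dwSignature (92 bytes)


def obfuscate_byte(p):
    """cipherbyte = 0xDE - [plainbyte - (plainbyte & 0x10) << 1], as 8-bit arithmetic."""
    return (0xDE - (p - ((p & 0x10) << 1))) & 0xFF


def deobfuscate_byte(c):
    """Inverse transform. Subtracting 0x20 (mod 256) never touches bit 4,
    so the bit the encoder keyed on can be read back from the intermediate."""
    i = (0xDE - c) & 0xFF
    return (i + ((i & 0x10) << 1)) & 0xFF


def _map_section(msg, fn):
    body = bytes(fn(b) for b in msg[OBF_START:OBF_STOP])
    return msg[:OBF_START] + body + msg[OBF_STOP:]


def obfuscate(msg):
    return _map_section(msg, obfuscate_byte)


def deobfuscate(msg):
    return _map_section(msg, deobfuscate_byte)


def build_checkin(computer_name, memory_mb, windows_version, bot_version):
    """Assemble a check-in as the bot would put it on the wire (obfuscated)."""
    if len(computer_name) > 63:
        raise ValueError("szComputerName must stay NULL-terminated within 64 bytes")
    clear = struct.pack(OBF_FMT, computer_name.encode(), ("%dMB" % memory_mb).encode(),
                        windows_version.encode(), bot_version.encode(), b"\0" * 4)
    # Binary section: constants the slide reports as observed; signature left zero here.
    binary = struct.pack(BIN_FMT, b"\0" * 32, 0x00A0, 0xFD7F, b"\0" * 20,
                         0xB0FC, 0xD6, 0x00, *([0] * 8))
    msg = struct.pack("<I", MAGIC) + clear + binary
    assert len(msg) == MSG_LEN
    return obfuscate(msg)


def _cstr(b):
    return b.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_checkin(msg):
    """Validate, de-obfuscate and decode a captured check-in; ValueError on malformed input."""
    if len(msg) != MSG_LEN:
        raise ValueError("Darkshell bot-to-CnC comms are always %d bytes" % MSG_LEN)
    (magic,) = struct.unpack_from("<I", msg, 0)
    if magic != MAGIC:
        raise ValueError("bad magic 0x%08X" % magic)
    plain = deobfuscate(msg)
    name, mem, winver, botver, _unk1 = struct.unpack_from(OBF_FMT, plain, OBF_START)
    pad1, unk2, unk3, pad2, unk4, unk5, zero, *sig = struct.unpack_from(BIN_FMT, plain, OBF_STOP)
    if zero != 0 or pad1.strip(b"\0") or pad2.strip(b"\0"):
        raise ValueError("binary section does not match the known layout")
    return {
        "computer_name": _cstr(name), "memory": _cstr(mem),
        "windows_version": _cstr(winver), "bot_version": _cstr(botver),
        "unknown2": unk2, "unknown3": unk3, "unknown4": unk4, "unknown5": unk5,
        "signature": tuple(sig),
    }


if __name__ == "__main__":
    wire = build_checkin("WORKSTATION-01", 2048, "WindowsXP", "1.0")
    assert b"WORKSTATION-01" not in wire      # hostname is not visible on the wire
    print(parse_checkin(wire))
```

A practical use of `parse_checkin` is as a sinkhole-side decoder: anything that is 260 bytes, starts with the magic and decodes to a zeroed padding section is almost certainly a Darkshell check-in, and the decoded hostname and Windows version are the indicators worth logging.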
Who is ASERT: Threat Intelligence
http://www.arbornetworks.com/asert/
Who is ASERT: Blog
ASERT Datasets
ASERT Datasets Active Threat Level Analysis System (ATLAS)
1. ATLAS sensors are deployed in global Internet darknet space to discover and classify attack activity.
2. This information is sent to an ATLAS central repository where it is combined with Arbor Peakflow, third-party, and vulnerability data.
3. ASERT analyzes the combined data and converts it into actionable intelligence which is posted on the ATLAS public portal.
ASERT Datasets: ATLAS Sensors
§ Sensor network
  – Functionally: IDS + Honeypot
  – 1.76 million (dark) IPv4 addresses covered
  – Global (4 continents) coverage
§ Sensors perform initial triage
  – Host/port scanning activity
  – Known versus unknown attacks
  – Correlation to security events and vulnerability disclosure
  – Misconfiguration detection
  – Backscatter analysis
§ Honeypots and sinkholes used for further analysis
  – Unknown attacks handed off to high-interaction honeypot / sinkholes
  – Attempt to automatically develop threat fingerprint
  – Honeypots discover what attackers are attempting
  – Classify attacks and characterize scan traffic
  – Can capture full payloads
ASERT Datasets ATLAS Statistics
ASERT Datasets: ATLAS Statistics
§ 275+ ISPs sharing real-time data -> ATLAS Internet Trends
§ Automated hourly export via XML / JSON to Arbor’s ASERT team
§ Customers realize tangible benefit of participation
§ Data derived from Flow / BGP / SNMP correlation
§ Arbor Peakflow product line (Tier 1 ISPs, transit providers, etc.)
§ Correlates Sampled Flow / BGP in real-time
§ Distributed in nature
§ Network / Router / Interface etc. Traffic Reporting
§ Threat Detection (DDoS / malware infections / C&C utilization)
§ Flow statistics feedback, based on ASERT security content feeds
ATLAS currently monitoring a peak of 69.7Tbps of IPv4 traffic across all participants
ASERT Data Enrichment
ASERT Data Enrichment ATLAS Subscriber Reputation Feed (SRF)
ASERT Data Enrichment: SRF
§ Arbor has an extensive sharing network
  – Over a hundred national CERT teams (~50% coverage)
  – Large cross-section of the security industry - various sharing groups
  – ATLAS portal has 711 unique users, representing 6,006 ASNs
§ ATLAS Factoids
  – Malware Corral has seen 9.1M unique IPv4 addresses over 90 days
  – ASERT has data for 44,570 ASNs of 45,369 ASNs total (~98%)
  – ASERT has seen 2.63B unique IPv4 addresses (~71% of the theoretical (2^32 – 588,514,304) public addresses)
  – ASERT monitors 1.76M “dark” IPv4 addresses
  – The 6,006 ASNs provided ASERT intelligence map to 1.25B IPv4 hosts (48%)
ASERT provides various “sample digests” in trade with qualified organizations
ASERT Data Enrichment: SRF

AN IODEF VERSION CAN BE DOWNLOADED FROM
http://atlas-public.ec2.arbor.net/XXX/2013-10-18/atlas_mail_reports/c97d1e95e9878052571d9a2a39deXXXX/XX-2013-10-18.xml

ATLAS DETAILED REPORT: <REDACTED>
Generated: Sat Oct 19 00:59:16 2013 UTC
Covers 24 hour time period through now.
Questions: Marc Eisenbarth - [email protected]

DENIAL OF SERVICE

OBSERVED INBOUND ATTACKS
Based on actual alerts gathered in our Internet statistics project.
Start, End, Dest CIDR, Dest ASN, Dest CC, Max BPS, Max PPS
2013-09-06:08:04:49, 2013-10-18:15:04:48, "xx.xx.92.250/32", "", , 884237504, 552505
2013-09-06:08:07:49, 2013-10-18:15:04:48, "xx.xx.92.12/32", "", , 628562560, 393004
2013-09-06:08:04:49, 2013-10-18:12:03:48, "xx.xx.92.250/32", "", , 884237504, 552505
2013-09-06:08:07:49, 2013-10-18:12:03:48, "xx.xx.92.12/32", "", , 628562560, 393004

OBSERVED OUTBOUND ATTACKS
Based on actual alerts gathered in our Internet statistics project.
Start, End, Source CIDR, Source ASN, Source CC, Max BPS, Max PPS
<REDACTED>

OBSERVED ATTACK COMMANDS
Based on botnet tracking
Timestamp, C&C CC, C&C ASN, C&C IP, Target CC, Target ASN, Target IP
<REDACTED>

MALICIOUS CLIENTS

Attacks
Based on ATLAS honeypot sensors.
IP, Cumulative Bytes
XXX.138.76.59, 15656.0
XXX.138.122.202, 2657.0
XXX.247.33.203, 983.0
XXX.138.133.247, 838.0

Scans
Based on ATLAS honeypot sensors.
IP, Cumulative Bytes
XXX.144.74.248, 6316296.0
XXX.167.57.37, 3984822.0
XXX.168.144.59, 3903120.0
XXX.216.131.254, 1522704.0
XXX.216.129.162, 1423104.0
XXX.249.89.82, 1420826.0
XXX.140.122.90, 747584.0
XXX.140.103.249, 480048.0
XXX.140.96.237, 468928.0
XXX.242.187.78, 162192.0
XXX.251.28.182, 154080.0
XXX.158.69.208, 123876.0
XXX.149.69.204, 121860.0
XXX.247.33.203, 117832.0
XXX.210.104.174, 79716.0

MALICIOUS SERVERS

Botnet C&C Servers
Based on malicious software analysis and botnet tracking.
CC, ASN, IP, port, malware MD5
<REDACTED>

Phishing Servers
Based on internal link analysis and third-party reports.
CC, ASN, IP, port, URL
XX, 28526, XXX.215.18.103, 80, http://XXXXXXXXX/media/system/css/net.htm

Malicious Links
URLs contacted by malware during automated analysis.
Timestamp, CC, ASN, IP, URL
<REDACTED>
<snip>
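The digest above is plain text: upper-case section headings, a one-line description, a comma-separated column header, then CSV rows, with `<REDACTED>` standing in for withheld rows. One thing a recipient has to handle is that a long-running attack is re-reported on every run, so the same /32 appears once per report window with a different End. This added example (not part of ASERT's tooling) parses the digest into per-section row lists and collapses the inbound rows per target, keeping the earliest Start, latest End and peak rates; SAMPLE_DIGEST is an excerpt of the (already redacted) report above. The bytes-per-packet figure it derives is only a rough flood-type indicator, because Max BPS and Max PPS need not have occurred at the same instant.

```python
"""Parse an ATLAS sample-digest report into tables and collapse re-reported attacks.

Added example, not ASERT's code. SAMPLE_DIGEST is an excerpt of the redacted
digest shown on the slide; the parsing rules are inferred from that text."""
import csv
from datetime import datetime

TIME_FMT = "%Y-%m-%d:%H:%M:%S"      # digest timestamps look like 2013-09-06:08:04:49

SAMPLE_DIGEST = '''\
DENIAL OF SERVICE

OBSERVED INBOUND ATTACKS
Based on actual alerts gathered in our Internet statistics project.
Start, End, Dest CIDR, Dest ASN, Dest CC, Max BPS, Max PPS
2013-09-06:08:04:49, 2013-10-18:15:04:48, "xx.xx.92.250/32", "", , 884237504, 552505
2013-09-06:08:07:49, 2013-10-18:15:04:48, "xx.xx.92.12/32", "", , 628562560, 393004
2013-09-06:08:04:49, 2013-10-18:12:03:48, "xx.xx.92.250/32", "", , 884237504, 552505
2013-09-06:08:07:49, 2013-10-18:12:03:48, "xx.xx.92.12/32", "", , 628562560, 393004

OBSERVED OUTBOUND ATTACKS
Based on actual alerts gathered in our Internet statistics project.
Start, End, Source CIDR, Source ASN, Source CC, Max BPS, Max PPS
<REDACTED>

OBSERVED ATTACK COMMANDS
Based on botnet tracking
Timestamp, C&C CC, C&C ASN, C&C IP, Target CC, Target ASN, Target IP
<REDACTED>

MALICIOUS CLIENTS

Attacks
Based on ATLAS honeypot sensors.
IP, Cumulative Bytes
XXX.138.76.59, 15656.0
XXX.138.122.202, 2657.0

Scans
Based on ATLAS honeypot sensors.
IP, Cumulative Bytes
XXX.144.74.248, 6316296.0
XXX.167.57.37, 3984822.0
<snip>
'''


def _is_header(line):
    """Column headers are comma-separated names with no digits; data rows always carry digits."""
    return "," in line and not any(ch.isdigit() for ch in line)


def _is_description(line):
    """The one-line blurb under each heading, e.g. "Based on ATLAS honeypot sensors."."""
    return line.endswith(".") or line.lower().startswith(("based on", "urls contacted"))


def parse_digest(text):
    """Return {"SECTION" or "SECTION: Subsection": [row dicts]} for every table in the digest."""
    tables, section, subsection, columns, key = {}, None, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                       # a blank line ends the current table
            columns = None
            continue
        if line.startswith("<"):           # <REDACTED> / <snip> placeholders carry no data
            continue
        if _is_header(line):
            columns = [c.strip() for c in line.split(",")]
            key = section if subsection is None else f"{section}: {subsection}"
            tables.setdefault(key, [])
        elif columns is not None:          # a data row under the current header
            fields = next(csv.reader([line], skipinitialspace=True))
            tables[key].append(dict(zip(columns, fields)))
        elif _is_description(line):
            continue
        elif line.isupper():               # top-level heading, e.g. MALICIOUS CLIENTS
            section, subsection = line, None
        else:                              # sub-heading, e.g. Attacks / Scans
            subsection = line
    return tables


def collapse_inbound(rows):
    """Merge re-reported alerts per target CIDR: earliest Start, latest End, peak rates."""
    by_target = {}
    for r in rows:
        start, end = datetime.strptime(r["Start"], TIME_FMT), datetime.strptime(r["End"], TIME_FMT)
        bps, pps = int(r["Max BPS"]), int(r["Max PPS"])
        cur = by_target.setdefault(r["Dest CIDR"], {"start": start, "end": end, "max_bps": bps, "max_pps": pps})
        cur["start"], cur["end"] = min(cur["start"], start), max(cur["end"], end)
        cur["max_bps"], cur["max_pps"] = max(cur["max_bps"], bps), max(cur["max_pps"], pps)
    return by_target


def mean_packet_size(max_bps, max_pps):
    """Approximate bytes per packet at peak; rough only, since the two peaks need not coincide."""
    return max_bps / 8 / max_pps


if __name__ == "__main__":
    tables = parse_digest(SAMPLE_DIGEST)
    for cidr, a in collapse_inbound(tables["OBSERVED INBOUND ATTACKS"]).items():
        print(cidr, a["start"], "->", a["end"], "%.2f Gbps" % (a["max_bps"] / 1e9),
              "%.0f B/pkt" % mean_packet_size(a["max_bps"], a["max_pps"]))
```

Run against the excerpt, the four inbound rows collapse to two targets, both seen from 2013-09-06 through 2013-10-18 at roughly 0.88 and 0.63 Gbps with about 200 bytes per packet. The section keys ("MALICIOUS CLIENTS: Scans" and so on) are what a consumer would route to different enrichment or blocklist pipelines.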
ASERT Data Enrichment Event Analytics
ASERT Data Enrichment: Events
• Largest DDoS attack seen to date
• Traffic levels verified by service provider community.
• DNS Reflection/Amplification Attack
• Not a new attack vector
• Responsible for other large (100Gb/sec) attacks in the past
• Emphasizes the need to restrict open DNS resolvers and implement BCP 38/84 at network edges.
• Key concern is that other groups will start generating larger attacks, given the media focus on the Spamhaus attacks.
ASERT Data Enrichment ATLAS Portal
ASERT Data Enrichment: Portal
http://atlas.arbor.net
ASERT Data Enrichment Malware Corral
• What is the malware designed to do?
• Not necessarily where it’s been, but where is it going?
• Don’t look at just active behavior, but potential behavior
• Prevailing model: unique sample for specific target
Case-Studies Malware Corral Example
Case-Studies: Malware Corral
High fidelity indicators, based on in-depth analysis of sample
Thank You {meisenbarth,asert}@arbor.net