@NTXISSA #NTXISSACSC3
Cyber Warfare: Identifying Attackers Hiding Amongst the Flock
Anthony Lauro
Sr. Enterprise Security Architect
Akamai Technologies, Inc
October 3rd, 2015
Who am I? (unphilosophically speaking)
About me:
• Anthony Lauro | CISSP, GWAPT
• Sr. Enterprise Security Architect, Akamai Technologies, Inc
• 16 years Information Security Experience
• Advise Akamai clients on Cybersecurity Resilience
• Lead Application Security training for Enterprise Security Architecture team @Akamai
• Attended CCCC a long, long time ago…
There are no rules of
architecture for castles in the
clouds.
-Gilbert K. Chesterton
Evolving Attack Campaigns
[Timeline chart, Q1 2013 to Q1 2014; labels recovered from the slide:]
• 190 Gbps attack against US financial institution
• Account Checker (eCommerce)
• Largest DNS reflection attack, 167 Gbps (Financial Services)
• Operation Ababil
• DDoS (Retail)
• 209 Gbps, EMEA media company
• Record number of DDoS attacks in Q3 13
• 17%
Attacks Grow Because Methods Improve
• Traditional DDoS attacks used compromised home computers
• ‘Cloud’ based DDoS attacks harness the scale of global botnets
• Amplification attacks target protocol vulns to amplify size
• SNMP (6.3x)
• DNS (28x-54x)
• CharGEN (358.8x)
• NTP (556.9x)
[Bar chart: peak attack size per year, 2005 through 2014 (estimated), in Gbps and Mpps; individual values not recoverable from the extraction]
There Are No Immunities Between Verticals
Source: www.informationisbeautiful.net/
2014 Attack Trends
• Top three attack vectors are application layer attacks
• Defacement leads as the top attack, followed by SQLi and Account Hijacking as the most prevalent attacks seen in 2014
Source: Stateoftheinternet.com
Login Abuse: Account Checker Attacks
The fuel for any account checker is a list of credentials.
Fortunately for attackers, there are a huge number of credentials
that are public.
• 38,000,000 Adobe accounts
• 318,000 Facebook accounts
• 70,000 Google accounts
• 60,000 Yahoo accounts
• 22,000 Twitter accounts
• 8,000 ADP accounts
• 8,000 LinkedIn accounts
• Acts as a gateway
• Defensive resources become limited
• Entry and Exits cannot coexist
Approaches for Web Security
• On-Premise Hardware: Router, Firewall, Load balancer, Bandwidth
• Application Protection Cloud Service: Cloud Platform
• ISPs: Internet Service Providers
On-Premises Web Security Approach
On-Premise Hardware: Router, Firewall, Load balancer, Bandwidth
• Bandwidth Constraint
• Connection & Processing Limitations
• Application Vulnerability Exploitation
“Have to ingest ALL traffic before a Yes/No decision can be made”
• Performance Degradation
Throughput of devices cannot meet volume / requests per second of good and bad traffic spikes.
• Reliability
WAF configurations are complex, often not tuned properly or not in blocking mode.
• Accuracy
“I put the WAF on a SPAN port. I was afraid of blocking legitimate traffic!”
“How did this breach occur, we have a WAF!!”
Internet Service Provider Approach
ISPs: Internet Service Providers
• DDoS Only Protection
• False Positives / Upstream Blacklisting
• Single-Homed Protection
• Carrier Dependent Architecture
• Capacity Issues At Scale
Application Protection Cloud Service Approach
Application Protection Cloud Service: Cloud Platform
• Direct-to-Origin DDoS Protection Gap
• Shared Infrastructure (Capacity Constraints)
• Acceptable Use Monitoring Challenge
• Retaining Real-time Visibility
• Not Always Enterprise Class Protection
“In other words, careful where you aim that gun,
#OpISIS, because it might point back at you as
well.” -Mike Masnick TechDirt
For Internet-facing Applications
[Diagram labels: User, Internet, Datacenter]
• Web: Retrieval and integrity of content and data
• Origin: Supporting infrastructure and other applications
• DNS: Finding the application
Multiple Perimeters: For Internet-facing Applications
Volumetric Protection
• Massive resiliency
• Thousands of points of presence
• Distributed geographically
• Rate controls for noisy requestors
Attacks Against CNAMEs
• Network and application layer filtering capable
• Protocol validation/Filtering
• SSL decrypt – re-encrypt
• Geo Sensing and Filtering Capable
• Capacity: Throughput & P/ps
Attacks Against Datacenter IPs
• Direct to origin protection using BGP redirection
• Multiple globally distributed scrubbing centers
• Attack capacity to withstand multiple attacks at once
• Good traffic bypass so as not to degrade performance
Multiple Perimeters: For Internet-facing Applications
Application Layer Attacks
• SSL decryption at scale
• Risk scoring rule sets
• Tune accuracy over time
Attacks Against DNS
• Rate Controls - Connection Throttling
• White Listing
• Application Inspection
• DNSSEC
• Client/Server Locks
• Anycast Responses
Event Visibility
• Threat intel gathered and validated against global dataset
• Real-Time event correlation between security policies
• Ability to identify hosts based on previous malicious behavior
• Import log feed from ‘cloud’ into internal SIEM for correlation
CLIENT REPUTATION SCORING
• Use behavioral data to protect your castle
• Collect and correlate attack traffic into a large dataset from across the web
• Identify bad clients based on past behavior
• Define a risk score for malicious clients
• Filter malicious clients based on risk score
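A minimal version of the scoring the slide describes, as an added example that is not Akamai's implementation and not code from the presentation: events from several sites are weighted by type, decayed by age, boosted when the same client misbehaves on more than one site, and filtered against a threshold. The event types, weights, half-life, threshold, site names and client addresses are all assumed values constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed weight per observed behaviour type (illustrative, not values from the slides).
WEIGHTS = {
    "scanner": 5.0,      # request signature of a known scanning tool
    "waf_trigger": 3.0,  # request matched a WAF attack rule
    "rate_limit": 2.0,   # client tripped a rate control
    "login_fail": 1.0,   # failed login attempt
}
HALF_LIFE = timedelta(days=7)  # an event counts half as much after a week
CROSS_SITE_BONUS = 0.5         # multiplier step per extra site where the client misbehaved
RISK_THRESHOLD = 10.0          # score at or above which a client is filtered


def decay(age):
    """Exponential decay: 1.0 for a fresh event, 0.5 after one half-life."""
    return 0.5 ** (age / HALF_LIFE)


def score_clients(events, now):
    """Correlate events from many sites into one risk score per client IP.

    events: iterable of dicts with keys ip, site, type, ts (datetime).
    """
    raw = defaultdict(float)
    sites = defaultdict(set)
    for ev in events:
        weight = WEIGHTS.get(ev["type"])
        if weight is None:
            continue  # benign event types carry no weight
        age = now - ev["ts"]
        if age < timedelta(0):
            continue  # skip clock-skewed future timestamps
        raw[ev["ip"]] += weight * decay(age)
        sites[ev["ip"]].add(ev["site"])
    scores = {}
    for ip, total in raw.items():
        # Misbehaving on several independent sites is stronger evidence than on one.
        total *= 1.0 + CROSS_SITE_BONUS * (len(sites[ip]) - 1)
        scores[ip] = round(total, 2)
    return scores


def filter_malicious(scores, threshold=RISK_THRESHOLD):
    """Return the set of client IPs whose score meets the threshold."""
    return {ip for ip, s in scores.items() if s >= threshold}


# Constructed sample dataset: three clients seen across two sites over two weeks.
NOW = datetime(2015, 10, 3, 12, 0, 0)
EVENTS = [
    {"ip": "203.0.113.10", "site": "shop.example", "type": "scanner", "ts": NOW},
    {"ip": "203.0.113.10", "site": "bank.example", "type": "waf_trigger", "ts": NOW},
    {"ip": "203.0.113.10", "site": "bank.example", "type": "waf_trigger", "ts": NOW - timedelta(days=7)},
    {"ip": "198.51.100.7", "site": "shop.example", "type": "login_fail", "ts": NOW},
    {"ip": "198.51.100.7", "site": "shop.example", "type": "login_fail", "ts": NOW},
    {"ip": "198.51.100.7", "site": "shop.example", "type": "login_fail", "ts": NOW},
    {"ip": "192.0.2.55", "site": "shop.example", "type": "rate_limit", "ts": NOW - timedelta(days=14)},
    {"ip": "192.0.2.55", "site": "shop.example", "type": "waf_trigger", "ts": NOW - timedelta(days=7)},
    {"ip": "192.0.2.55", "site": "shop.example", "type": "page_view", "ts": NOW},
]

if __name__ == "__main__":
    scores = score_clients(EVENTS, NOW)
    print(scores)                    # {'203.0.113.10': 14.25, '198.51.100.7': 3.0, '192.0.2.55': 2.0}
    print(filter_malicious(scores))  # {'203.0.113.10'}
```

The decay is what keeps the score from punishing a client forever for old behaviour, and the cross-site multiplier is what a single site cannot compute on its own; both knobs need tuning against real false-positive rates before they gate traffic.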
Information vs. Intelligence
Information:
• Raw, unfiltered feed
• Aggregated from virtually every source
• May be true, false, misleading, incomplete, relevant or irrelevant
• Not actionable
Intelligence:
• Processed, sorted information
• Aggregated from reliable sources and cross correlated for accuracy
• Accurate, timely, complete, assessed for relevancy
• Actionable
InfoSec teams are swimming in data
More raw “information” is not the solution
Threats Change/Advance Over Time
[Chart: unique Shellshock payloads per day, 9/24 (Shellshock disclosed) through 10/1; daily values left to right: 53; 11,008; 16,135; 21,359; 15,071; 30,427; 69,226; 124,625]
Case Study: 320 Gbps DDoS Attack: Gaming Vertical, APAC Region
• Largest attack ever mitigated by Akamai against single customer
• Targeted primary website, supporting network infrastructure, and DNS
• Multiple attack vectors:
  • SYN/UDP floods - entire subnet
  • Volumetric attack against DNS
• Attack characteristics:
  • 320 Gbps and 71.5 Mpps peak traffic
  • 2.1 million requests/s against DNS
One Attack in a Broader DDoS Attack Campaign
[Chart: per-attack peak from campaign start to end; series: Infrastructure (Gbps), Web (Gbps), authDNS (Mpps), DNS Reflection (Mpps); individual values not recoverable from the extraction]
21+ Day campaign against single customer
• 39 distinct attacks targeting applications and DNS infrastructure
• Eight attacks >100 Gbps including record 320 Gbps attack
Grow revenue opportunities with fast, personalized web experiences and manage complexity from peak demand, mobile devices and data collection.
[Chart labels: Opening Ceremony, 1st day of sports]
• 132 BILLION requests processed by our WAFs: 10x more than 2010 Winter Olympics
• WAF rules triggered: 127x more than 2010 Winter Olympics
• Custom Rules Triggered: 166,000,000
• Rate Controls (Adaptive Rules) Triggered: 5,600,000
• Requests Denied: 182,200,000
[Charts: attack traffic over time for the Opening ceremony and for the matches Spain to Netherlands, Chile to Australia, and Ivory Coast to Japan; score labels 3-1, 1-5, 1-2, 3-1; axis values not recoverable from the extraction]
Avoid data theft and downtime by extending the
security perimeter outside the data-center and
protect from increasing frequency, scale and
sophistication of web attacks.
Web Application Attacks by Industry – Q1 2015
The Attack du jour?
• Reflection attack
• Mostly SNMP v2c devices (~3+ years old) with default “public” community string
• Routers, printers, cable modems, NAS
• New tool automates sending getBulkRequest to open SNMP servers.
• Flood of SNMP GetResponse data sent from reflectors to victim on port 80
• SNMP query begins at highest (OID) tree level to obtain largest possible response
Case Study: NTP Attacks on Origin
• 500x return rate in traffic
• >100 Gbps attack traffic against origin
• 1,000+ increase in hits per second against origin
Attack Vector
Request with spoofed source IP of target server sent to a vulnerable NTP server that allows the monlist function.
NTP server replies back to the target IP, direct to origin, at massive scale.
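What the SNMP reflection slide and this NTP case study look like from the victim's side is fan-in: many reflectors, all replying from the same well-known UDP service port, pushing a large volume at one destination. The detector below is an added example, not Akamai's tooling or code from the deck: it groups flow records by victim and reflector service and alerts when both a source-count and a byte-volume threshold are exceeded. The flow-record format, the thresholds, and the addresses in the sample are constructed for the example.

```python
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by the source port their replies come from.
REFLECTOR_PORTS = {19: "CharGEN", 53: "DNS", 123: "NTP", 161: "SNMP"}
MIN_SOURCES = 50               # distinct reflectors fanning in to one victim (assumed threshold)
MIN_BYTES = 10 * 1024 * 1024   # bytes toward that victim in the window (assumed threshold)


def detect_reflection(flows):
    """Group inbound UDP flows by (victim, reflector service) and alert on fan-in.

    flows: iterable of dicts with keys proto, src_ip, src_port, dst_ip, dst_port, bytes.
    Legitimate use of these services comes from a handful of servers; a reflection
    flood comes from many sources at once and carries far more data.
    """
    groups = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for f in flows:
        if f["proto"] != "udp":
            continue
        service = REFLECTOR_PORTS.get(f["src_port"])
        if service is None:
            continue
        g = groups[(f["dst_ip"], service)]
        g["sources"].add(f["src_ip"])
        g["bytes"] += f["bytes"]
    alerts = []
    for (victim, service), g in groups.items():
        if len(g["sources"]) >= MIN_SOURCES and g["bytes"] >= MIN_BYTES:
            alerts.append({"victim": victim, "service": service,
                           "sources": len(g["sources"]), "bytes": g["bytes"]})
    return sorted(alerts, key=lambda a: -a["bytes"])


def sample_flows():
    """Constructed flow records: 120 NTP reflectors hitting one origin, plus normal traffic."""
    victim = "192.0.2.10"
    flows = [
        # monlist-style replies from 120 abused NTP servers, source port 123, aimed at port 80
        {"proto": "udp", "src_ip": f"198.51.100.{i}", "src_port": 123,
         "dst_ip": victim, "dst_port": 80, "bytes": 100_000}
        for i in range(1, 121)
    ]
    # Ordinary DNS answers from one resolver: one source, small volume, no alert
    flows += [{"proto": "udp", "src_ip": "203.0.113.53", "src_port": 53,
               "dst_ip": victim, "dst_port": 50000 + i, "bytes": 200} for i in range(10)]
    # TCP web traffic is ignored entirely
    flows.append({"proto": "tcp", "src_ip": "203.0.113.77", "src_port": 443,
                  "dst_ip": victim, "dst_port": 51000, "bytes": 5_000_000})
    return flows


if __name__ == "__main__":
    for alert in detect_reflection(sample_flows()):
        print(alert)  # one NTP alert: 120 sources, 12,000,000 bytes
```

The two thresholds do different jobs: the byte threshold alone would also fire on a single busy resolver, and the source threshold alone would fire on a large but harmless NTP pool, so both must hold.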
Use nmap NSE Script: identify vulnerable hosts
Example: nmap -sU -pU:123 -Pn -n --script=ntp-monlist <target>
• The monitor list in response to the monlist command is limited to 600 associations.
• The monitor capability may not be enabled on the target in which case you may receive an error number 4 (No Data Available).
• There may be a restriction on who can perform Mode 7 commands (e.g. "restrict noquery" in ntp.conf) in which case you may not receive a reply.
• This script does not handle authenticating and targets expecting auth info may respond with error number 3 (Format Error).
DNS Attack Targeting Akamai Customer
• DNS requests peaked at 168k per second.
• 19B hits in 5 days. Normally serve ~30M hits per week.
DNS Hijack Attacks: Common Tactic for Middle Eastern Attackers
[Image: US DoD’s DNS Hijacked]
Best Practice DNS Locks
• Client DNS Locks
  • clientUpdateProhibited
  • clientTransferProhibited
  • clientDeleteProhibited
• Registrar locks
  • serverUpdateProhibited
  • serverTransferProhibited
  • serverDeleteProhibited
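A check that the locks listed above are actually set, as an added example (not code from the presentation): it reads the EPP status codes from the "Domain Status:" lines of a whois response and reports which client and server locks are missing. The whois excerpts are constructed for a hypothetical domain, not real registry output.

```python
# EPP status codes a production domain should carry (the locks from the slide).
CLIENT_LOCKS = {"clientUpdateProhibited", "clientTransferProhibited", "clientDeleteProhibited"}
SERVER_LOCKS = {"serverUpdateProhibited", "serverTransferProhibited", "serverDeleteProhibited"}


def parse_domain_status(whois_text):
    """Collect the EPP status codes from 'Domain Status:' lines of a whois response."""
    statuses = set()
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() != "domain status":
            continue
        parts = value.split()
        if parts:
            statuses.add(parts[0])  # first token is the code; an explanatory URL may follow
    return statuses


def check_locks(whois_text):
    """Report which client (registrar-settable) and server (registry-set) locks are absent."""
    present = parse_domain_status(whois_text)
    return {
        "missing_client_locks": sorted(CLIENT_LOCKS - present),
        "missing_server_locks": sorted(SERVER_LOCKS - present),
        "client_locked": CLIENT_LOCKS <= present,
        "server_locked": SERVER_LOCKS <= present,
    }


# Constructed whois excerpts for a hypothetical domain (not real registry output).
LOCKED_DOMAIN = """\
Domain Name: EXAMPLE.TEST
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
"""
UNLOCKED_DOMAIN = """\
Domain Name: EXAMPLE.TEST
Domain Status: ok https://icann.org/epp#ok
"""

if __name__ == "__main__":
    print(check_locks(LOCKED_DOMAIN))
    print(check_locks(UNLOCKED_DOMAIN))
```

Run it on a schedule against the domains you own: a lock that silently disappears is exactly the precondition for the hijacks this slide describes, and the client locks are the ones a compromised registrar account can remove.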
Remote File Inclusion
RFI attempt to pull click.php file from remote location using RFI vuln in TimThumb plugin
Here’s what click.php is really about!
HTTP(s) redirections can fluctuate between 14-20 different pay4click companies and advertisers, and that means precious bitcoin revenue for the attacker and his friends.
http://www.secureworks.com/cyber-threat-intelligence/threats/ppc-hijack/
When good things go bad:
Rogue Reseller to Competitor
“After years of this relationship we recently found that they now have a copycat site and are selling
our products that they are now manufacturing on their own.” – Enterprise Manufacturing Customer
“At first they were just scraping our site and we saw it to be mutually beneficial…”
Blind SQL Injection: Time Based Attack
This type of blind SQL injection relies on the database pausing for a specified amount of time and examining
the results. Using this method, an attacker enumerates each letter of the desired piece of data.
Client Request
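As an added example (not from the presentation): the defect that makes a lookup injectable, its parameterized fix, and a small check for the delay functions that time-based blind probing depends on. The table, rows and query strings are constructed, and sqlite3 stands in for the real database.

```python
import re
import sqlite3
from urllib.parse import unquote_plus


def make_db():
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "alice@example.test"), (2, "bob", "bob@example.test")])
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string concatenation: user input becomes SQL."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, username):
    """Parameterized query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Delay primitives across common engines; a time-based blind probe needs one of them.
TIME_BASED_PATTERNS = re.compile(
    r"(sleep\s*\(|pg_sleep\s*\(|waitfor\s+delay|benchmark\s*\(|dbms_lock\.sleep)",
    re.IGNORECASE,
)


def flag_time_based_sqli(query_string):
    """Return the names of query parameters whose decoded value carries a delay function."""
    hits = []
    for pair in query_string.split("&"):
        name, _, value = pair.partition("=")
        if TIME_BASED_PATTERNS.search(unquote_plus(value)):
            hits.append(name)
    return hits


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"
    print(lookup_vulnerable(conn, probe))   # both e-mail addresses: the quote closed the literal
    print(lookup_hardened(conn, probe))     # []: no user is literally named that
    print(flag_time_based_sqli("id=5%27+AND+SLEEP%285%29--&name=bob"))  # ['id']
```

The detector is a triage aid for WAF or log review, not a substitute for the fix: the hardened lookup is what removes the vulnerability, and it does so regardless of what the input contains.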
SQL Injection Analysis: 2000 customers over one week
Protocol Breakdown
Protocol | SQL Injection Attacks | %
HTTP | 8,137,681 | 96.6
HTTPS | 287,808 | 3.4
Total | 8,425,489 | 100
Breakdown by Intent
Source: Akamai CSI
ACCOUNT CHECKERS: CARDERS
Several techniques are used to avoid detection and mitigation, including:
• Randomization of UserAgent header
• Targeting of alternative (mobile/API/legacy) login pages, which may have weaker mitigation controls and are often overlooked by the customer.
• Attacks originate from a highly distributed set of IP addresses, with different source countries.
• Use of low request rates to evade rate controls.
• Change in order of headers.
• Changes in tactics when 403 responses are received.
Fraud – Vietnamese Carders
Carder TTP
• Build Tools Server
• Cultivate List of Open Proxies
• Acquire Compromised Logins
• Check/Alter Compromised Accounts
• Make Fraudulent Purchases
• Cash out/Resell gift cards
Login Abuses: TTPs and Defenses
Rate controls to block fast moving scripts
• Attack relies on being able to check thousands of accounts quickly
• Blocking aggressive scripts prevents login exploitation
Internal monitoring for changes to customer accounts
• Email address
• Shipping address
• Same email on multiple accounts
Geo blocklists for areas where there is no business
• Cuts down on the places attackers can launch from
• Do cloud server providers need to access your webpage?
Custom rules to block User-Agent strings (or lack thereof)
• Attack scripts are often simple and will contain only “curl” or “wget”
• Sometimes none at all
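Two of the defenses above, the rate control and the User-Agent rule, applied to access-log lines, as an added example that is not code from the presentation. It also covers the mobile and API login endpoints that the account-checker slide says attackers target when the main page is better defended. The log format follows the common combined format; the per-minute threshold, the endpoint paths and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined-log-format line: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Every endpoint that authenticates a user, including the mobile/API ones attackers hunt for.
LOGIN_PATHS = {"/login", "/api/v1/login", "/m/login"}
RATE_LIMIT = 20  # login attempts per source IP per minute (assumed threshold)
SCRIPT_UA = re.compile(r"^(curl|wget|python-requests)\b", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyze(lines):
    """Map each flagged client IP to the sorted list of rules it tripped."""
    per_minute = defaultdict(int)  # (ip, minute) -> login attempts in that minute
    findings = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        ua = rec["ua"]
        if ua in ("", "-") or SCRIPT_UA.match(ua):
            findings[rec["ip"]].add("script_user_agent")
        key = (rec["ip"], rec["ts"].replace(second=0))
        per_minute[key] += 1
        if per_minute[key] > RATE_LIMIT:
            findings[rec["ip"]].add("rate_exceeded")
    return {ip: sorted(rules) for ip, rules in findings.items()}


def _line(ip, sec, method, path, status, ua):
    """Build one constructed log line inside the minute 10:15 on 3 Oct 2015."""
    return (f'{ip} - - [03/Oct/2015:10:15:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"')


# Constructed sample log: one fast checker, one curl script, one UA-less API probe, one human.
SAMPLE_LOG = (
    [_line("203.0.113.5", s, "POST", "/login", 401, "Mozilla/5.0 (Windows NT 6.1)") for s in range(25)]
    + [_line("198.51.100.9", s, "POST", "/login", 401, "curl/7.47.0") for s in range(3)]
    + [_line("192.0.2.8", s, "POST", "/api/v1/login", 401, "-") for s in range(2)]
    + [_line("192.0.2.20", 30, "GET", "/index.html", 200, "Mozilla/5.0 (Macintosh)")]
    + [_line("192.0.2.20", 31, "POST", "/login", 200, "Mozilla/5.0 (Macintosh)")]
)

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
    # {'203.0.113.5': ['rate_exceeded'], '198.51.100.9': ['script_user_agent'], '192.0.2.8': ['script_user_agent']}
```

The low-and-slow checker the slide warns about will not trip the per-minute counter, which is why the User-Agent rule and the account-change monitoring sit beside it rather than replacing it.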
DD4BC: (DDoS for Bitcoin)
• Industries affected
  • Payment Processing
  • Banking & Credit Unions
  • Gambling
  • Oil & Gas
  • E-Commerce
  • High Tech Consulting/Services
• Attack Types
  • Booter/stresser sites most likely culprit
  • Reflection Attacks
Looking Forward into 2015
• Industry Verticals
  • Gaming, Fiserv, Internet & Telecom, Software & Tech, and Media verticals expected to be targeted heavily in 2015
  • Security vulnerabilities continue to increase due to bespoke/custom applications
  • Good history of successful attacks
• DDoS Attacks
  • Expect more ‘mega’ attacks > 100 Gbps
  • Commoditization of DDoS attacks
  • IPv6 uptake to increase DDoS vector
  • Never pay ransoms, but do have a plan
• Application Attack Trends
  • AppSec is failing – need help!
  • If you don’t have an AppSec program, start one!
  • Injection & XSS ride OWASP Top 10
  • Session management – you’re doing it wrong
  • Developers – you’re behind!
Cyber Security Requirements: 5 Points To Take Away
1. You Need ‘Validated’ Data: to derive intelligence on current & evolving threats.
2. Scale, Availability & Resilience: to be high performing, take the punches, & stay online.
3. A Plan: to understand how to respond to bad day scenarios.
4. Control & Flexibility: to adapt your defenses dynamically.
5. People & Experience: to execute every time you come under attack.
RESOURCES
OWASP: OPEN WEB APPLICATION SECURITY PROJECT
https://www.owasp.org/index.php/Main_Page
BSIMM5: BUILDING SECURITY IN MATURITY MODEL v5
https://www.bsimm.com/
SANS SWAT: SECURING WEB APPLICATION TECHNOLOGIES v1.1
http://software-security.sans.org/resources/swat
CERT: SECURE CODING STANDARDS
http://www.cert.org/secure-coding/research/secure-coding-standards.cfm?
AKAMAI TECHNOLOGIES (HEY, WHY NOT)
https://www.akamai.com/us/en/cloud-security.jsp