cyber-securitycyber-threatsWHAT THEY ARE, WHAT THEY ARE NOT

CYBER

Internet scenario 1307TLDs

butlengthofPSlistis7890◦ publicsuffixlistisaninitiativeofMozilla

dataasof15May2016

May2016 2

picturefrominternet-map.net

CYBER

Internet infrastructure 73792autonomoussystems(May2015)◦ https://www.iana.org/assignments/as-numbers/as-numbers.xhtml

ASsdefineameshedsystem

May2016 3

CYBER

about securitySECURITY

May2016 4

CYBER

about securitySECURITY

physical

May2016 4

CYBER

about securitySECURITY

physical

information(oldacceptation)

May2016 4

CYBER

about securitySECURITY

physical

information(oldacceptation)

(inter)network

May2016 4

CYBER

about securitySECURITY

physical

information(oldacceptation)

(inter)network

cyber

May2016 4

CYBER

about securitySECURITY

physical

information(oldacceptation)

(inter)network

cyber

cyber(newacceptation)

May2016 4

CYBER

information and network security strongly overlap Informationsecurity(#infosec)◦ ISO/IEC27000:2009

◦ Preservationofconfidentiality,integrityandavailabilityofinformation◦ Inaddition,alsootherproperties,suchasauthenticity,accountability,non-repudiationandreliability

◦ CNSS(2010)◦ Theprotectionofinformationandinformationsystemsfromunauthorizedaccess,use,disclosure,disruption,

modification,ordestructioninordertoprovideconfidentiality,integrity,andavailability

◦ ISACA(2008)◦ Ensuresthatonlyauthorizedusers(confidentiality)haveaccesstoaccurateandcompleteinformation(integrity)

whenrequired(availability)

Networksecurity◦ Theprotectionoftheinformationthatmaybereachablethroughanetwork◦ Themeasuresfortheproperfunctioningofthenetworkandthatcontrastabusesandattacks

May2016 5

CYBER

cyber-security thecyber-securityattractedtheattentionofalloperatorsfollowingthedevelopmentoftechnologiesforthe(inter)networkingandfortheremotemonitoringandcontrolinindustry◦ e.g.,theSCADA(SupervisoryControlandDataAcquisition)technology

affectsbothcomputerandphysicalsecurity

themoderncyberneticswasbornin1948,whentheAmericanphilosopher/mathematicianNorbertWienerdefineditas"thescientificstudyofcontrolandcommunicationintheanimalandthemachine"

thecyberthreathasbeentakenseriouslybygovernmentsaroundtheworld;inItaly:◦ DPCM24/01/2013:Direttivarecanteindirizziperlaprotezioneciberneticaelasicurezzainformaticanazionale

◦ DPCM27/01/2014:Strategianazionaleperlasicurezzacibernetica

May2016 6

CYBER

cybersecurity = computer security

May2016 7

CYBER

cyber threats

May2016 8

CYBER

cyber threats

May2016 8

CYBER

cyber threats

May2016 8

CYBER

March 2016 Cyber Attacks Statistics (source: hackmageddon.com)

May2016 9

CYBER

March 2016 Cyber Attacks Statistics (source: hackmageddon.com)

May2016 9

CYBER

March 2016 Cyber Attacks Statistics (source: hackmageddon.com)

May2016 9

CYBER

March 2016 Cyber Attacks Statistics (source: hackmageddon.com)

May2016 9

CYBER

March 2016 Cyber Attacks Statistics (source: hackmageddon.com)

May2016 9

CYBER

advanced persistent threats (APT) Setofstealthyandcontinuouscomputerhackingprocesses,oftenorchestratedbyhuman(s)targetingaspecificentity(Wikipedia)◦ usuallytargetsorganizationsand/ornationsforbusinessorpoliticalmotives◦ APTprocessesrequireahighdegreeofcovertnessoveralongperiodoftime

Advanced:operatorsbehindthethreathaveafullspectrumofintelligence-gatheringtechniquesattheirdisposal

Persistent:operatorsgiveprioritytoaspecifictask,ratherthanopportunisticallyseekinginformationforfinancialorothergain◦ Thisdistinctionimpliesthattheattackersareguidedbyexternalentities◦ Thetargetingisconductedthroughcontinuousmonitoringandinteractioninordertoachievethedefinedobjectives

Threat:APTsareathreatbecausetheyhavebothcapabilityandintent.◦ APTattacksareexecutedbycoordinatedhumanactions,ratherthanbymindlessandautomatedpiecesofcode

May2016 10

CYBER

a possible APT methodology 1/2 1. Initialcompromise:performedbyuseofsocialengineeringand

spearphishing,overemail,usingzero-dayviruses.Anotherpopularinfectionmethodwasplantingmalwareonawebsitethatthevictimemployeeswillbelikelytovisit.

2. EstablishFoothold:plantremoteadministrationsoftwareinvictim'snetwork,createnetworkbackdoorsandtunnelsallowingstealthaccesstoitsinfrastructure.

3. EscalatePrivileges:useexploitsandpasswordcrackingtoacquireadministratorprivilegesovervictim'scomputerandpossiblyexpandittoWindowsdomainadministratoraccounts.

4. InternalReconnaissance:collectinformationonsurroundinginfrastructure,trustrelationships,Windowsdomainstructure.

May2016 11

CYBER

a possible APT methodology 2/2 5. MoveLaterally:expandcontroltootherworkstations,serversand

infrastructureelementsandperformdataharvestingonthem.

6. MaintainPresence:ensurecontinuedcontroloveraccesschannelsandcredentialsacquiredinprevioussteps.

7. CompleteMission:exfiltratestolendatafromvictim'snetwork.

ithasbeentheChinesemethodologyin2004-2013,accordingMandiant(aFireEyeco.):http://intelreport.mandiant.com/ bestpracticesfordetectingandmitigatingadvancedpersistentthreats(Gartner,2015)https://www.gartner.com/doc/3043819/best-practices-detecting-mitigating-advanced oneofthemostimportantpubliclyavailableguidelinestofightingtargetedcyberthreats:http://www.asd.gov.au/infosec/mitigationstrategies.htm

May2016 12

CYBER

many recent studies on APTsmostsecurityfirmscopingwithAPTs

May2016 13

CYBER

typical targets1. Financialsystems2. Utilitiesandindustrialequipment3. Aviation4. Consumerdevices5. Largecorporations6. Automobiles7. Government

May2016 14

CYBER

Cyber Threat Management

May2016 X

CYBER

threats (unordered partial list)

Backdoors Denial-of-serviceattack Direct-accessattacks Eavesdropping Spoofing(fromARPtoapplicationlevel) Tampering Repudiation Informationdisclosure Privilegeescalation

Exploits SocialengineeringandTrojans Indirectattacks Webapplications(attacksto) Malware(broadcategory)

May2016 15

thetaskofcategorizingthreatsisanimpossiblemission,duetothemultipleconceptuallevelsandrolesofthemthatcreatemanyassociationsIS-A,HAS-A,IMPLIES,andotherrelationships

CYBER

typical network attacks

Eavesdropping

Scanning(preliminarytorealattack)◦ idlescan◦ portscan

Denial-of-serviceattack(includingsmurf,SYN-flood,…)

Spoofing(DNS,ARP,IP,…)

Maninthemiddle/inthebrowser

Bufferoverflow(stack,heap,formatstringattack,…)◦ rememberheartbleed?

SQLinjection

Replayattacks

Poisoning(DNScache,ARPcache,…)

May2016 16

manyattacksmakesensebothatlocalnetworkandatinter-networklevel

CYBER

SSL/TLS: heartbeat & heartbleed

May2016 17

CYBER

credential stealing BruceSchneier(CRYPTO-GRAM,May2016) Themostcommonwayhackersofallstripes,fromcriminalstohacktiviststoforeigngovernments,breakintonetworksisbystealingandusingavalidcredential.Basically,theystealpasswords,setupman-in-the-middleattackstopiggy-backonlegitimatelogins,orengageinclevererattackstomasqueradeasauthorizedusers.It'samoreeffectiveavenueofattackinmanyways:itdoesn'tinvolvefindingazero-dayorunpatchedvulnerability,there'slesschanceofdiscovery,anditgivestheattackermoreflexibilityintechnique. RobJoyce(UsenixEnigmasecurityconference,Jan2016.https://youtu.be/bDJb8WOJYdA) Alotofpeoplethinkthatnationstatesarerunningtheiroperationsonzerodays,butit'snotthatcommon.Forbigcorporatenetworks,persistenceandfocuswillgetyouinwithoutazeroday;therearesomanymorevectorsthatareeasier,lessrisky,andmoreproductive.

Stealingavalidcredentialandusingittoaccessanetworkiseasier,lessrisky,andultimatelymoreproductivethanusinganexistingvulnerability,evenazero-day.

May2016 18

CYBER

cryptography for the #infosec confidentiality◦ symmetric(block/stream)ciphers,possiblybasedonpublic-keyciphersforthekeyexchange,orsecuredDiffie-Hellman

dataintegrityandauthenticity◦ MAC,HMAC◦ keyed/unkeyedstronglycollisionresistanthashfunctions

authenticationandnonrepudiation◦ public-keycryptographyanddigitalsignatures◦ challenge-responsetechniques◦ thirdpartiesbased(e.g.,Kerberos)

overall:usingnonces,timestamps,CSPRNG realcrypto-systems:basedonstandardsecureprotocols(SSH,SSL/TLS,IPSec,Kerberosetc.)andonstandarddigitalcertificates(X509,issuedbyCertificateAuthorities)

May2016 19

CYBER

attack models against #infosecpassive(eavesdropping,usedportsanalysis)

MITM(specialcase:man-in-the-browser,MITB)

replay,reflectionetc.

breakingthecryptography◦ bruteforce(shortkeysordictionarybased)◦ (second)pre-imageattacks(birthdayparadox,crackstation.net,…)◦ chosen/knownplain/ciphertext(possibleadaptive)

◦ lunchtimeattack(chosenciphertext)◦ known-plaintextattackusedtodecryptEnigma

May2016 20

CYBER

October2015 D-Hdeclinestarted?

Fromtheabstract:Afteraweek-longprecomputationforaspecified512-bitgroup,wecancomputearbitrarydiscretelogsinthatgroupinaboutaminute.

May2016 21

CYBER

cyber-security at different level attackscanbemadeatallthelevelsoftheTCP/IPstack

eachattackcanbeaningredientofabroaderattack◦ thehigherinthestack,thebroadertheattack

May2016 22

CYBERMay2016 23

THANK YOU

Fabriziod'Amoredamore@dis.uniroma1.it

@fabriziodamore