Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers © 2012 Monterey Technology Group Inc.

Upload: lumension

Post on 20-Aug-2015


Page 1: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

© 2012 Monterey Technology Group Inc.

Page 2: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Brought to you by www.lumension.com

Speaker: Chris Merritt

Page 3: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Preview of Key Points

• Malware isn’t just a workstation problem
• The facts
• Protecting servers with defense-in-depth

Page 4: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Malware isn’t just a Workstation Problem

• My own findings in recent IT audit engagements
• A recent study about DNSChanger
• An underground service that sells RDP access to Fortune 500 computers

Page 5: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

My own findings in recent IT audit engagements

Finding servers with “workstation” software:
• Acrobat
• Flash
• Adobe Air
• Office
• Babylon

Page 6: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

My own findings in recent IT audit engagements

Finding servers with “workstation” software:
• Lab systems
• Development environments
• Un-firewalled systems on the internal network

Page 7: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

A recent study about DNSChanger

Krebs on Security, http://tinyurl.com/d45q9hj:

“More than two months after authorities shut down a massive Internet traffic hijacking scheme, the malicious software that powered the criminal network is still running on computers at half of the Fortune 500 companies, and … at nearly 50 percent of all federal government agencies, new research shows.”

This included servers.

Page 8: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

An underground service that sells RDP access to Fortune 500 computers

• Service Sells Access to Fortune 500 Firms, by Brian Krebs (http://krebsonsecurity.com/2012/10/service-sells-access-to-fortune-500-firms/)
• Russians selling access to private company servers in just $4, by Mohit Kumar (http://thehackernews.com/2012/10/russians-selling-access-to-private.html)

Page 9: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Fact

• Malware isn’t just a workstation problem
• Additional layers of defense are needed beyond just AV

Page 10: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Protecting Servers with Defense-in-Depth

• Written policy
• Monitoring
• Use of jump boxes
• Application inventory
• Attack surface
• Centralized patch management
• Application control

Page 11: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Written policy

Acceptable reasons to log on interactively

Prohibited activities:
• Browsing the Internet
• Downloading files
• Opening files from the Internet, except software vetted for that server
• Installing any software except what is necessary for the server’s role

Page 12: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Use of jump boxes

• Reduce the number of systems that anyone logs onto interactively
• Set up “jump boxes”: Terminal Services with all MMC snap-ins installed
• Restrict the “Allow log on through Remote Desktop Services” user right on the servers themselves
• Firewall: allow RDP inbound only from the jump boxes
• Alert on interactive logons to servers: Event ID 4624 with Logon Type 10 (RemoteInteractive, i.e. RDP) or 2 (Interactive, i.e. console)
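The two enforcement points on this slide (firewall and the RDP logon right), as an added PowerShell example that is not part of the original deck. It locks 3389/TCP down to one jump box with the built-in Windows Firewall and then reports which principals still hold the Remote Desktop logon right. The jump box address and the rule name are assumptions; run it elevated on the server being protected.

```powershell
# Added example (not from the original deck): lock RDP on a server down to a
# single jump box with Windows Firewall, then report who still holds the
# "Allow log on through Remote Desktop Services" right. Run elevated.
# Assumption: the jump box address is a hypothetical placeholder.
$JumpBox = '10.10.5.20'

# 1. Disable the built-in "Remote Desktop" rule group; its rules allow 3389 from any address.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 2. Allow 3389/TCP inbound only from the jump box (rule name is our own choice).
if (-not (Get-NetFirewallRule -Name 'RDP-From-JumpBox-Only' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name 'RDP-From-JumpBox-Only' `
        -DisplayName 'RDP inbound from jump box only' `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $JumpBox -Action Allow -Profile Domain,Private | Out-Null
}

# 3. Default inbound action Block, so no other rule quietly re-opens 3389.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 4. Report the principals holding SeRemoteInteractiveLogonRight. secedit exports
#    them as '*'-prefixed SIDs, so translate each one to an account name.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
Remove-Item $cfg -Force

if ($line) {
    $sids = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($sid in $sids) {
        try {
            $name = (New-Object System.Security.Principal.SecurityIdentifier $sid).
                        Translate([System.Security.Principal.NTAccount]).Value
        } catch { $name = $sid }   # unresolvable SID (deleted account): show it raw
        Write-Output "RDP logon right held by: $name"
    }
} else {
    Write-Output 'No principal holds the RDP logon right on this host.'
}
```

The report in step 4 is the check to run before trusting the firewall rule: a server where Remote Desktop Users still contains a broad domain group is one password away from bypassing the jump box once an attacker is on any host that can reach it.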

Page 13: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Monitoring

• New service: Event ID 4697 (requires the “Audit Security System Extension” subcategory; the System log also records service installs as Service Control Manager event 7045)
• New process: Event ID 4688 (requires “Audit Process Creation”; the command line is only included when “Include command line in process creation events” is enabled)
• Take maintenance windows into account
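The detection logic for this slide and the previous one, as an added PowerShell example that is not part of the original deck: it reads 4624, 4688 and 4697 from the local Security log, suppresses interactive logons that arrive from the approved jump box, suppresses process starts inside the maintenance window, and always reports new services (tagging the ones that fall inside maintenance). The jump box address, the maintenance window and the 24-hour look-back are assumptions.

```powershell
# Added example (not from the original deck). Assumptions, all hypothetical:
# jump box 10.10.5.20, maintenance window Sunday 02:00-04:00 local, run on the
# server itself with rights to read the Security log. The audit subcategories
# named on the slide must be enabled or the events simply do not exist.
$JumpBox    = '10.10.5.20'
$MaintDay   = 'Sunday'
$MaintStart = 2      # hour, local time
$MaintEnd   = 4
$Since      = (Get-Date).AddHours(-24)

function Get-EventData {
    # Flatten the <EventData> section of an event into a hashtable keyed by field name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $h[$d.Name] = $d.'#text' } }
    return $h
}

function Test-InMaintenanceWindow {
    param([datetime]$Time)
    return ($Time.DayOfWeek -eq $MaintDay -and $Time.Hour -ge $MaintStart -and $Time.Hour -lt $MaintEnd)
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4688, 4697; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $d = Get-EventData $e
    switch ($e.Id) {
        4624 {
            # Logon Type 2 = console, 10 = RDP. Console logons report IpAddress "-",
            # which also fails the jump-box check, as it should.
            if ($d.LogonType -in '2', '10' -and $d.IpAddress -ne $JumpBox) {
                [pscustomobject]@{ Time = $e.TimeCreated; Alert = 'Interactive logon'
                    Detail = "$($d.TargetDomainName)\$($d.TargetUserName) type $($d.LogonType) from $($d.IpAddress)" }
            }
        }
        4688 {
            if (-not (Test-InMaintenanceWindow $e.TimeCreated)) {
                [pscustomobject]@{ Time = $e.TimeCreated; Alert = 'New process'
                    Detail = "$($d.NewProcessName) started by $($d.SubjectUserName)" }
            }
        }
        4697 {
            # A new service on a server is rare enough to report even during maintenance; just tag it.
            $tag = if (Test-InMaintenanceWindow $e.TimeCreated) { ' (maintenance window)' } else { '' }
            [pscustomobject]@{ Time = $e.TimeCreated; Alert = "New service$tag"
                Detail = "$($d.ServiceName) -> $($d.ServiceFileName) by $($d.SubjectUserName)" }
        }
    }
}
```

Pipe the output to a SIEM forwarder or to Export-Csv on a schedule; the point of the maintenance-window test is that 4688 on a patch night is noise, while 4697 at 03:00 on a Tuesday from a workstation admin account is exactly the lateral step the deck is describing.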

Page 14: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Attack surface

• Vulnerability scan
• Any unnecessary features installed/activated?
• Unnecessary apps
• Firewall rules

Page 15: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Centralized patch management

• Two high-profile software vendors’ automatic update infrastructures have been compromised: Microsoft and Adobe
• Don’t allow any systems, especially servers, to automatically install software just because it appears to have come from the vendor
• Control what goes on your systems
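One concrete way to act on this slide, as an added PowerShell example that is not part of the original deck: turn off self-updating on the server and gate every staged package on both a valid Authenticode signature and a pinned signer thumbprint. Validity alone is not the check; a certificate that chains to a trusted root (which is what the 2012 vendor incidents the slide refers to abused) validates just fine, so the thumbprint pin is what actually ties the package to the publisher you expect. The staging paths and the thumbprint are hypothetical placeholders.

```powershell
# Added example (not from the original deck). Assumptions: staging folders and
# the pinned thumbprint below are placeholders; run elevated.

# 1. Disable Automatic Updates on the server; patches come through the central
#    patch system instead. NoAutoUpdate=1 is the documented AU policy value.
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
New-Item -Path $au -Force | Out-Null
New-ItemProperty -Path $au -Name NoAutoUpdate -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Package gate: valid signature AND signer thumbprint on the pin list.
function Test-TrustedPackage {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$PinnedThumbprints
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "signature status $($sig.Status)" }
    }
    $tp = $sig.SignerCertificate.Thumbprint
    if ($PinnedThumbprints -notcontains $tp) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false
            Reason = "signer '$($sig.SignerCertificate.Subject)' thumbprint $tp is not pinned" }
    }
    # A timestamp countersignature keeps the package deployable after the signing
    # certificate expires; flag its absence so the pin list can be reviewed.
    $reason = if ($sig.TimeStamperCertificate) { 'signed by pinned publisher' }
              else { 'signed by pinned publisher (no timestamp countersignature)' }
    return [pscustomobject]@{ Path = $Path; Trusted = $true; Reason = $reason }
}

# 3. Usage: only packages that pass move to Approved; everything else stays put.
$Pinned = @('0123456789ABCDEF0123456789ABCDEF01234567')   # hypothetical thumbprint
Get-ChildItem 'C:\PatchStaging\Incoming' -Include *.msi, *.msp, *.exe -Recurse |
    ForEach-Object { Test-TrustedPackage -Path $_.FullName -PinnedThumbprints $Pinned } |
    ForEach-Object {
        if ($_.Trusted) { Move-Item $_.Path 'C:\PatchStaging\Approved' }
        $verdict = if ($_.Trusted) { 'APPROVE' } else { 'REJECT' }
        Write-Output ('{0,-8} {1}  {2}' -f $verdict, $_.Path, $_.Reason)
    }
```

Rotate the pin list deliberately when a vendor rolls its code-signing certificate; a package that suddenly fails the pin while still reporting Status = Valid is the signal this check exists to produce.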

Page 16: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Application inventory

• Find out what is running on your servers: Lumension free application scanner
• Query the Security log for new process events and normalize (token 5 of the Strings field in a 4688 event is NewProcessName):

logparser "select distinct EXTRACT_TOKEN(Strings, 5, '|') into progs.txt from security where EventID=4688" -i evt -o tsv

• Important part of attack surface reduction
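The same inventory done natively, as an added PowerShell example that is not part of the original deck (the deck's own tools are Log Parser and the Lumension scanner). It combines what has actually executed (NewProcessName from 4688, the field the logparser line extracts) with what is installed (the Uninstall registry keys), writes a CSV, and flags the “workstation” software from the audit-findings slide. The watch list, output path and local elevated execution are assumptions.

```powershell
# Added example (not from the original deck). Assumptions: run locally and
# elevated; the watch list and output path are our own choices.
$WatchList = 'Acrobat', 'Flash', 'Adobe AIR', 'Microsoft Office', 'Babylon'
$Out       = 'C:\Inventory\apps.csv'   # hypothetical

# Source 1: every distinct executable that has run, from Security 4688 events.
$ran = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        ($x.Event.EventData.Data | Where-Object Name -eq 'NewProcessName').'#text'
    } | Where-Object { $_ } | Sort-Object -Unique

# Source 2: installed programs, both the 64-bit and the 32-bit (WOW6432Node) views.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty $keys -ErrorAction SilentlyContinue |
    Where-Object DisplayName | Select-Object DisplayName, DisplayVersion, Publisher

$inventory = @()
$inventory += $ran | ForEach-Object {
    [pscustomobject]@{ Source = '4688'; Name = $_; Version = ''; Publisher = '' } }
$inventory += $installed | ForEach-Object {
    [pscustomobject]@{ Source = 'Registry'; Name = $_.DisplayName; Version = $_.DisplayVersion; Publisher = $_.Publisher } }

New-Item -ItemType Directory -Path (Split-Path $Out) -Force | Out-Null
$inventory | Export-Csv $Out -NoTypeInformation

# Flag watch-list software; on a server these are the first removal candidates.
$flagged = $inventory | Where-Object {
    $n = $_.Name
    $WatchList | Where-Object { $n -like "*$_*" }
}
$flagged | Sort-Object Source, Name | Format-Table -AutoSize
```

Run the CSV through a diff against the previous run: a binary that appears in the 4688 column but in neither the registry nor the approved list is precisely the “unwanted software” the next two slides are about.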

Page 17: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Application control

• Take centralized control of what runs on your servers
• Application whitelisting is the single most direct and effective way to keep unwanted software off trusted systems
• Especially effective against lateral movement: end-user workstation -> admin -> server
• Even more so on systems where the preceding measures cannot be fully implemented

Page 18: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Application control

• AppLocker is only appropriate for large fleets of 100% identical systems
• Most workstations don’t fit that profile; servers definitely don’t
• Intelligent whitelisting is very different from traditional whitelisting such as AppLocker
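The slide names AppLocker as the traditional whitelisting baseline. As an added PowerShell example, not from the original deck, here is how that baseline is stood up on a single server in audit-only mode from what is actually installed: publisher rules where a signature exists (they survive vendor patching), hash rules for the rest, then the AppLocker event channel is read to see what enforcement would have blocked. The policy file location is an assumption; the directories are the Windows defaults.

```powershell
# Added example (not from the original deck). Assumption: policy file path is a
# placeholder. Run elevated on the server being baselined.
$PolicyFile = 'C:\Policies\server-applocker.xml'   # hypothetical
$Dirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'

# 1. Collect publisher/hash/path information for executables and scripts present.
$files = foreach ($d in $Dirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Script -ErrorAction SilentlyContinue
}

# 2. Publisher rules where signed, hash rules otherwise; -Optimize collapses
#    per-file results into one rule per publisher/product.
New-Item -ItemType Directory -Path (Split-Path $PolicyFile) -Force | Out-Null
$files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File $PolicyFile -Encoding utf8

# 3. Every rule collection to AuditOnly before it touches the server.
$xml = [xml](Get-Content $PolicyFile)
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.SetAttribute('EnforcementMode', 'AuditOnly') }
$xml.Save($PolicyFile)

# 4. Apply locally. AppLocker evaluates nothing unless the Application Identity
#    service is running (on newer builds its startup type is set by policy, not here).
Start-Service AppIDSvc -ErrorAction SilentlyContinue
Set-AppLockerPolicy -XmlPolicy $PolicyFile

# 5. Review: event 8003 = "would have been blocked" under audit. Each hit is either
#    a missing rule or the unwanted software this slide wants kept off the server.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

Leave audit mode on through at least one full maintenance cycle; the 8003 stream during patching is where the drift the slide complains about (servers that are not “100% identical”) shows up, and each entry is a decision to add a rule or remove the binary.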

Page 19: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Brought to you by www.lumension.com

Speaker: Chris Merritt

Page 20: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Defense-in-Depth Security Keeps Bot Herders Off Your Servers

Chris Merritt, Director of Solution Marketing, Lumension

source: http://commons.wikimedia.org/wiki/File:Botnet.svg

Page 21: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Defense-in-Depth Against Server Threats

Threat columns: Known Malware | Unknown Malware | Unwanted, Unlicensed, Unsupported Applications | Application Vulns | Config. Vulns | Physical Infiltration

• AntiVirus: Known Malware, Unknown Malware
• Application Control: Known Malware, Unknown Malware, Unwanted/Unlicensed/Unsupported Applications
• Patch & Remediation: Application Vulns, Config. Vulns
• Security Configuration Management: Config. Vulns
• Device Control: Physical Infiltration

Page 22: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Lumension® Endpoint Management and Security Suite

Total Endpoint Protection

Endpoint Security:
• Lumension® AntiVirus
• Lumension® Application Control
• Lumension® Device Control
• Lumension® Disk Encryption

Endpoint Operations:
• Lumension® Patch and Remediation
• Lumension® Content Wizard
• Lumension® Configuration Mgmt.
• Lumension® Power Management

Lumension® Endpoint Management Platform: Single Server | Single Console | Scalable Architecture | Single, Modular Agent

Endpoint Reporting Services

Page 23: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Lumension® Endpoint Management and Security Suite

Total Endpoint Protection for Servers

Server Security:
• Lumension® AntiVirus
• Lumension® Application Control
• Lumension® Device Control

Server Operations:
• Lumension® Patch and Remediation
• Lumension® Content Wizard
• Lumension® Configuration Mgmt.

Lumension® Endpoint Management Platform: Single Server | Single Console | Scalable Architecture | Single, Modular Agent

Server Reporting Services

Page 24: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Lumension® Patch and Remediation (Endpoint Operations)

Comprehensive and Secure Patch Management

Provides rapid, accurate and secure patch and configuration management for applications and operating systems:

• Comprehensive support for multiple OS types (Windows, *nix, Apple), native applications, and 3rd party applications
• Streamline and centralize management of heterogeneous environments
• Visibility and control of all online or offline endpoints
• Elevate security posture and proactively reduce risk
• Save time and cost through automation

Page 25: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Lumension® Content Wizard (Endpoint Operations)

Cost-Effectively Streamline Endpoint Management

Simple, wizard-based policy creation and baseline enforcement, without additional tools:

• Patch Creation
• Software Installs and Uninstalls
• Windows Security Policies
• Power Management Policies
• NEW! Windows Firewall Policies

Page 26: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Lumension® Security Configuration Mgmt. (Endpoint Operations)

Prevent Configuration Drift and Ensure Policy Compliance

Ensure that endpoint operating systems and applications are securely configured and in compliance with industry best practices and regulatory standards:

• Security Configuration Management
• Out-of-the-box Checklist Templates
• NIST Validated Solution
• Continuous Policy Assessment and Enforcement
• Based on Open Standards for Easy Customization
• Security Configuration and Posture Reporting

Page 27: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Lumension® AntiVirus (Endpoint Security)

Multilayered Protection Against Malware

Based on proven technology from an industry leader, providing complete protection against known and unknown malware including viruses, worms, Trojans, spyware, adware and more.

Includes a breadth of analysis techniques, from traditional signature matching to behavioral analysis, to effectively protect against zero-day and evolving threats:

• Antivirus (AV) protection (full signature matching)
• DNA Matching (partial signature matching)
• SandBox (behavioral analysis in an emulated environment)
• Exploit Detection (find hidden/embedded malware)

VB100 certified by Virus Bulletin

Page 28: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Lumension® Application Control (Endpoint Security)

Proactive Protection Against Malware and More

• Effective Endpoint Security: Block known and unknown malware without signatures, and prevent exploitation of application / configuration vulnerabilities
• Control the Unwanted: Real-time view of all application inventory, ensuring only approved software is allowed to run, and denying / removing all unwanted applications
• Control the Unknown: Enforce, log and audit all endpoint application change while controlling end-users with Local Admin rights
• Flexible and Easy-To-Use: Unified solution workflow via single console with flexible trusted change management policy

Page 29: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Lumension® Device Control (Endpoint Security)

Policy-Based Data Protection and Encryption

• Protect Data from Loss or Theft: Centrally enforce usage policies of all endpoint ports and for all removable devices / media.
• Increase Data Security: Define forced encryption policy for data flows onto removable devices / media. Flexible exception management.
• Improve Compliance: Centrally encrypt removable devices / media to ensure data cannot be accessed if they are lost or stolen.
• Continuous Audit Readiness: Monitor all device usage and data transfers. Track all transferred files and content. Report on all data policy compliance and violations.

Page 30: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Next Steps

Free Tools (http://www.lumension.com/Resources/Premium-Security-Tools.aspx)
• Application Scanner – see what applications are running on your servers
• Device Scanner – see what removable devices are being used
• Vulnerability Scanner – see what your OS / application risks are

Whitepapers
• Endpoint Management and Security Buyers Guide: http://www.lumension.com/Resources/WhitePapers/Endpoint-Management-and-Security-Buyers-Guide.aspx

Free Evaluation
• http://www.lumension.com/endpoint-management-security-suite/free-trial.aspx

Page 31: Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers

Global Headquarters

8660 East Hartford Drive

Suite 300

Scottsdale, AZ 85255

1.888.725.7828

[email protected]