TRANSCRIPT
Keeping Bot Herders off Your Servers and Breaking the Lateral Kill Chain of Today’s Attackers
© 2012 Monterey Technology Group Inc.
Brought to you by www.lumension.com
Speaker: Chris Merritt
Preview of Key Points
• Malware isn’t just a workstation problem
• The facts
  • My own findings in recent IT audit engagements
  • A recent study about DNSChanger
  • An underground service that sells RDP access to Fortune 500 computers
• Protecting servers with defense-in-depth
Malware isn’t just a Workstation Problem
• Finding servers with “workstation” software
  • Acrobat, Flash, Adobe Air, Office, Babylon
  • Lab systems
  • Development environments
  • Un-firewalled systems on the internal network
My own findings in recent IT audit engagements
Krebs on Security, http://tinyurl.com/d45q9hj:
“More than two months after authorities shut down a massive Internet traffic hijacking scheme, the malicious software that powered the criminal network is still running on computers at half of the Fortune 500 companies, and … at nearly 50 percent of all federal government agencies, new research shows.”
This included servers
A recent study about DNSChanger
Service Sells Access to Fortune 500 Firms by Brian Krebs (http://krebsonsecurity.com/2012/10/service-sells-access-to-fortune-500-firms/)
Russians selling access to private company servers in just $4 by Mohit Kumar (http://thehackernews.com/2012/10/russians-selling-access-to-private.html)
An underground service that sells RDP access to Fortune 500 computers
• Malware isn’t just a workstation problem
• Additional layers of defense are needed beyond just AV
Fact
Protecting Servers with Defense-in-Depth
Written policy
Monitoring
Use of jump boxes
Application inventory
Attack surface
Centralized patch management
Application control
Acceptable reasons to log on interactively
Prohibited activities
• Browsing the internet
• Downloading files
• Opening files from the Internet, except software vetted for that server
• Installing any software except what is necessary for the server’s role
Written policy
Reduce the number of systems that anyone logs onto interactively
Set up “jump boxes”
• Terminal Services
• All MMC snap-ins
Restrict
• “Logon via remote desktop” user right
• Firewall
Alert on interactive logons
• Event ID 4624 with Logon type 10 or 2
Use of jump boxes
New service: Event ID 4697
New process: Event ID 4688
Take into account maintenance windows
Monitoring
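The jump-box and monitoring rules above (event 4624 with logon type 2 or 10, event 4697 for new services, event 4688 for new processes, evaluated against maintenance windows) as detection logic, written here as an added example; it is not material from the webinar, and the host names, jump-box list, process baseline, maintenance window and sample events are all constructed.

```python
"""Alerting on interactive logons and new services/processes on servers.

Added example, not from the webinar deck: evaluates Windows Security log
events 4624 (logon; types 2 and 10 are interactive), 4697 (service
installed) and 4688 (process created) against a jump-box policy, a
per-server process baseline and maintenance windows. Events are constructed
dictionaries carrying the relevant fields, not a live log read; the host
names, baseline paths and windows are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Hosts where interactive logons are expected: the designated jump boxes.
JUMP_BOXES = {"JUMP01"}

# Logon types from event 4624: 2 = Interactive (console), 10 = RemoteInteractive (RDP).
INTERACTIVE_LOGON_TYPES = {"2", "10"}

# Per-server maintenance windows as (weekday, start, end); weekday 6 = Sunday.
MAINTENANCE_WINDOWS = {"SQL01": [(6, time(2, 0), time(5, 0))]}

# Per-server baseline of processes that are normal for the server's role (lower-case paths).
PROCESS_BASELINE = {
    "SQL01": {
        r"c:\windows\system32\svchost.exe",
        r"c:\program files\microsoft sql server\mssql\binn\sqlservr.exe",
    }
}


@dataclass
class Alert:
    host: str
    event_id: int
    reason: str


def in_maintenance_window(host, when):
    """True if `when` falls inside one of the host's maintenance windows."""
    for weekday, start, end in MAINTENANCE_WINDOWS.get(host, []):
        if when.weekday() == weekday and start <= when.time() <= end:
            return True
    return False


def evaluate(event):
    """Return an Alert for one event, or None if it is expected activity."""
    host, eid, when = event["Computer"], event["EventID"], event["TimeCreated"]
    if eid == 4624:
        # Interactive logon anywhere except a jump box is the signal the deck recommends alerting on.
        if event["LogonType"] in INTERACTIVE_LOGON_TYPES and host not in JUMP_BOXES:
            return Alert(host, eid, f"interactive logon (type {event['LogonType']}) by "
                                    f"{event['TargetUserName']} on a non-jump-box server")
        return None
    if eid == 4697:
        if in_maintenance_window(host, when):
            return None
        return Alert(host, eid, f"new service {event['ServiceName']} installed outside maintenance window")
    if eid == 4688:
        proc = event["NewProcessName"].lower()
        if proc in PROCESS_BASELINE.get(host, set()) or in_maintenance_window(host, when):
            return None
        return Alert(host, eid, f"unbaselined process {event['NewProcessName']} started outside maintenance window")
    return None


def evaluate_all(events):
    """Run every event through evaluate() and keep only the alerts."""
    return [a for a in map(evaluate, events) if a is not None]


# Constructed sample events. 2012-10-14 is a Sunday, 2012-10-16 a Tuesday.
SAMPLE_EVENTS = [
    {"Computer": "SQL01", "EventID": 4624, "TimeCreated": datetime(2012, 10, 16, 14, 0),
     "LogonType": "10", "TargetUserName": "alice"},                      # RDP to a database server: alert
    {"Computer": "JUMP01", "EventID": 4624, "TimeCreated": datetime(2012, 10, 16, 14, 1),
     "LogonType": "10", "TargetUserName": "alice"},                      # RDP to the jump box: expected
    {"Computer": "SQL01", "EventID": 4624, "TimeCreated": datetime(2012, 10, 16, 14, 2),
     "LogonType": "3", "TargetUserName": "svc_backup"},                  # network logon: not interactive
    {"Computer": "SQL01", "EventID": 4697, "TimeCreated": datetime(2012, 10, 14, 3, 0),
     "ServiceName": "BackupAgent"},                                      # inside Sunday window: expected
    {"Computer": "SQL01", "EventID": 4697, "TimeCreated": datetime(2012, 10, 16, 14, 5),
     "ServiceName": "WinHelper"},                                        # Tuesday afternoon: alert
    {"Computer": "SQL01", "EventID": 4688, "TimeCreated": datetime(2012, 10, 16, 14, 6),
     "NewProcessName": r"C:\Windows\System32\svchost.exe"},              # baselined: expected
    {"Computer": "SQL01", "EventID": 4688, "TimeCreated": datetime(2012, 10, 16, 14, 7),
     "NewProcessName": r"C:\Users\alice\AppData\Local\Temp\update.exe"}, # not baselined: alert
]

if __name__ == "__main__":
    for alert in evaluate_all(SAMPLE_EVENTS):
        print(alert.host, alert.event_id, alert.reason)
```

Run against the sample, this yields three alerts, all for SQL01: the RDP logon by alice, the WinHelper service installed on a Tuesday afternoon, and the unbaselined executable started from a user's Temp directory. The baseline comparison is on lower-cased full paths so that case differences in the logged path do not cause false alerts.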
Vulnerability scan
• Any unnecessary features installed/activated?
• Unnecessary apps
• Firewall rules
Attack surface
Two high-profile software vendors’ automatic update infrastructures have been compromised: Microsoft and Adobe
Don’t allow any systems, especially servers, to automatically install software that appears to have come from the vendor
Control what goes on your systems
Centralized patch management
Find out what is running on your servers
• Lumension free application scanner
• Query the security log for new process events and normalize:
  logparser "select distinct EXTRACT_TOKEN(Strings, 5, '|') into progs.txt from security where EventID=4688" -i evt -o tsv
Important part of attack surface reduction
Application inventory
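The inventory query above extracts token 5 of the pipe-delimited Strings field of event 4688 (the NewProcessName field, 0-based) and de-duplicates it. The following added example, which is not from the webinar or from Lumension, does the same normalization in Python and then flags the “workstation” software named earlier in the deck (Acrobat, Flash, Office, Babylon); the event records and the name patterns are constructed for the example.

```python
"""Building a per-server application inventory from 4688 events.

Added example, not from the deck: mirrors the logparser query in Python.
Each record carries the event's pipe-delimited Strings field; index 5
(0-based, as in Log Parser's EXTRACT_TOKEN) is the NewProcessName field of
event 4688. The records and the workstation-software patterns below are
constructed for illustration.
"""
import re
from collections import defaultdict

# Executables that belong on workstations rather than servers (heuristic patterns,
# constructed from the software list the deck mentions finding on servers).
WORKSTATION_SOFTWARE = {
    "acrobat": re.compile(r"acro(rd32|bat)\.exe$"),
    "flash": re.compile(r"flash[^\\]*\.exe$"),
    "office": re.compile(r"(winword|excel|powerpnt|outlook)\.exe$"),
    "babylon": re.compile(r"babylon[^\\]*\.exe$"),
}


def extract_token(strings, index, sep="|"):
    """Equivalent of Log Parser's EXTRACT_TOKEN(Strings, index, sep); '' if absent."""
    parts = strings.split(sep)
    return parts[index] if index < len(parts) else ""


def normalize_path(path):
    """Lower-case and strip so the same binary logged with different casing counts once."""
    return path.strip().lower().replace("/", "\\")


def build_inventory(records):
    """records: iterable of (computer, event_id, strings).

    Returns {HOST: sorted list of distinct normalized process paths}, the
    per-server equivalent of the query's SELECT DISTINCT.
    """
    inventory = defaultdict(set)
    for computer, event_id, strings in records:
        if event_id != 4688:
            continue
        proc = normalize_path(extract_token(strings, 5))
        if proc:
            inventory[computer.upper()].add(proc)
    return {host: sorted(procs) for host, procs in inventory.items()}


def flag_workstation_software(inventory):
    """Return (host, label, path) for every inventoried binary matching a workstation pattern."""
    findings = []
    for host, procs in inventory.items():
        for proc in procs:
            for label, pattern in WORKSTATION_SOFTWARE.items():
                if pattern.search(proc):
                    findings.append((host, label, proc))
    return findings


# Constructed sample records in 4688 Strings order:
# SubjectUserSid|SubjectUserName|SubjectDomainName|SubjectLogonId|NewProcessId|NewProcessName|TokenElevationType|ProcessId
SAMPLE_RECORDS = [
    ("SQL01", 4688, r"S-1-5-18|SQL01$|CORP|0x3e7|0x1a4|C:\Windows\System32\svchost.exe|%%1936|0x2b0"),
    ("SQL01", 4688, r"S-1-5-21-1-2-3-1001|alice|CORP|0x5f2a1|0x7c8|C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe|%%1938|0x1a4"),
    ("sql01", 4688, r"S-1-5-18|SQL01$|CORP|0x3e7|0x9d0|c:\windows\system32\SVCHOST.EXE|%%1936|0x2b0"),
    ("WEB01", 4688, r"S-1-5-21-1-2-3-1002|bob|CORP|0x61b20|0x3f4|C:\Program Files\Microsoft Office\Office12\WINWORD.EXE|%%1938|0x1a4"),
    ("WEB01", 4624, r"S-1-5-21-1-2-3-1002|bob|CORP|0x61b20|10"),  # not a process-creation event: ignored
]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_RECORDS)
    for host, procs in inv.items():
        print(host, procs)
    for host, label, proc in flag_workstation_software(inv):
        print(f"{host}: {label} found at {proc}")
```

On the sample, SQL01 collapses to two distinct binaries (the two svchost records differ only in case) and the scan flags Acrobat Reader on SQL01 and Word on WEB01, which is the kind of “workstation software on a server” finding the audit slides describe.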
Take centralized control of what runs on your servers
Application whitelisting is the single most direct and effective way to keep unwanted software off trusted systems
• Especially effective against lateral movement: end-user workstation -> admin -> server
• Even more so on systems where the preceding controls cannot be fully implemented
Application control
AppLocker is only appropriate for large fleets of 100% identical systems
• Most workstations don’t fit that profile
• Definitely not servers
Intelligent whitelisting is much different than traditional whitelisting like AppLocker
Application control
Defense-in-Depth Security Keeps Bot Herders Off Your Servers
Chris Merritt, Director of Solution Marketing, Lumension
source: http://commons.wikimedia.org/wiki/File:Botnet.svg
Defense-in-Depth Against Server Threats
(matrix of products against threat categories; each X marks a threat category the product addresses)
Threat categories: Known Malware; Unknown Malware; Unwanted, Unlicensed, Unsupported Applications; Application Vulns; Config. Vulns; Physical Infiltration
AntiVirus: X X
Application Control: X X X
Patch & Remediation: X X
Security Configuration Management: X
Device Control: X
Lumension® Endpoint Management and Security Suite
Total Endpoint Protection
Endpoint Security: Lumension® AntiVirus | Lumension® Application Control | Lumension® Device Control | Lumension® Disk Encryption
Endpoint Operations: Lumension® Patch and Remediation | Lumension® Content Wizard | Lumension® Configuration Mgmt. | Lumension® Power Management
Lumension® Endpoint Management Platform: Single Server | Single Console | Scalable Architecture | Single, Modular Agent
Endpoint Reporting Services
Lumension® Endpoint Management and Security Suite
Total Endpoint Protection for Servers
Server Security: Lumension® AntiVirus | Lumension® Application Control | Lumension® Device Control
Server Operations: Lumension® Patch and Remediation | Lumension® Content Wizard | Lumension® Configuration Mgmt.
Lumension® Endpoint Management Platform: Single Server | Single Console | Scalable Architecture | Single, Modular Agent
Server Reporting Services
Lumension® Patch and Remediation
(Endpoint Operations: Lumension® Patch and Remediation | Lumension® Content Wizard | Lumension® Configuration Mgmt. | Lumension® Power Management)
Comprehensive and Secure Patch Management
Provides rapid, accurate and secure patch and configuration management for applications and operating systems:
• Comprehensive support for multiple OS types (Windows, *nix, Apple), native applications, and 3rd party applications
• Streamline and centralize management of heterogeneous environments
• Visibility and control of all online or offline endpoints
• Elevate security posture and proactively reduce risk
• Save time and cost through automation
Lumension® Content Wizard
(Endpoint Operations: Lumension® Patch and Remediation | Lumension® Content Wizard | Lumension® Configuration Mgmt. | Lumension® Power Management)
Cost-Effectively Streamline Endpoint Management
Simple, wizard-based policy creation and baseline enforcement – without additional tools:
• Patch Creation
• Software Installs and Uninstalls
• Windows Security Policies
• Power Management Policies
• NEW! Windows Firewall Policies
Lumension® Security Configuration Mgmt.
(Endpoint Operations: Lumension® Patch and Remediation | Lumension® Content Wizard | Lumension® Configuration Mgmt. | Lumension® Power Management)
Prevent Configuration Drift and Ensure Policy Compliance
Ensure that endpoint operating systems and applications are securely configured and in compliance with industry best practices and regulatory standards:
• Security Configuration Management
• Out-of-the-box Checklist Templates
• NIST Validated Solution
• Continuous Policy Assessment and Enforcement
• Based on Open Standards for Easy Customization
• Security Configuration and Posture Reporting
Lumension® AntiVirus
Multilayered Protection Against Malware
Based on proven technology from industry leader providing complete protection against known and unknown malware including viruses, worms, Trojans, spyware, adware and more
Includes a breadth of analysis techniques, from traditional signature matching to behavioral analysis, to effectively protect against zero-day and evolving threats:
• Antivirus (AV) protection (full signature matching)
• DNA Matching (partial signature matching)
• SandBox (behavioral analysis in an emulated environment)
• Exploit Detection (find hidden/embedded malware)
VB100 certified by VirusBulletin
(Endpoint Security: Lumension® AntiVirus | Lumension® Application Control | Lumension® Device Control | Lumension® Disk Encryption)
Lumension® Application Control
Proactive Protection Against Malware and More
Effective Endpoint Security: Block known and unknown malware without signatures, and prevent exploitation of application / configuration vulnerabilities
Control the Unwanted: Real-time view of all application inventory, ensuring only approved software is allowed to run, and denying / removing all unwanted applications
Control the Unknown: Enforce, log and audit all endpoint application change while controlling end-users with Local Admin rights
Flexible and Easy-To-Use: Unified solution workflow via single console with flexible trusted change management policy
(Endpoint Security: Lumension® AntiVirus | Lumension® Application Control | Lumension® Device Control | Lumension® Disk Encryption)
Lumension® Device Control
Policy-Based Data Protection and Encryption
Protect Data from Loss or Theft: Centrally enforce usage policies of all endpoint ports and for all removable devices / media.
Increase Data Security: Define forced encryption policy for data flows onto removable devices / media. Flexible exception management.
Improve Compliance: Centrally encrypt removable devices / media to ensure data cannot be accessed if they are lost or stolen.
Continuous Audit Readiness: Monitor all device usage and data transfers. Track all transferred files and content. Report on all data policy compliance and violations.
(Endpoint Security: Lumension® AntiVirus | Lumension® Application Control | Lumension® Device Control | Lumension® Disk Encryption)
Next Steps
Free Tools: http://www.lumension.com/Resources/Premium-Security-Tools.aspx
• Application Scanner – see what applications are running on your servers
• Device Scanner – see what removable devices are being used
• Vulnerability Scanner – see what your OS / application risks are
Whitepapers
• Endpoint Management and Security Buyers Guide: http://www.lumension.com/Resources/WhitePapers/Endpoint-Management-and-Security-Buyers-Guide.aspx
Free Evaluation: http://www.lumension.com/endpoint-management-security-suite/free-trial.aspx
Global Headquarters
8660 East Hartford Drive
Suite 300
Scottsdale, AZ 85255
1.888.725.7828