Shut the Front Door and the Back Door Too! (How and Why Hackers Attack and What to Do About It) Jim Nitterauer Senior Systems Administrator

Post on 21-Mar-2018

224 views

Category:

Documents


1 download

TRANSCRIPT

Page 1: Shut the Front Door and the Back Door Too! - ITEN · PDF fileShut the Front Door and the Back Door Too! ... Scapy. Common Attack Mechanisms ... –Pre-built Linux distributions •

Shut the Front Door and the Back Door Too!
(How and Why Hackers Attack and What to Do About It)

Jim Nitterauer, Senior Systems Administrator

Page 2

A Little About Me

• Senior Systems Administrator at AppRiver, LLC since 2006
• Responsible for global network deployment and security in 10 datacenters
• Manages SecureTide global infrastructure
  – Filtering for more than 850,000 mailboxes
  – 600 plus servers
• Manages SecureSurf global DNS infrastructure
  – Anycast DNS security
  – 100 plus servers
• Founded Creative Data Concepts Limited, Inc. in 1994
• Founded GridSouth Networks, LLC in 2006
• President of Gulf Breeze Area Chamber of Commerce 2003 & 2004
• B.S. Biology 1985, Ursinus College
• M.S. Microbiology 1989, University of Alabama
• Regular Black Hat and DEFCON attendee
• Completed SANS 560 – Network Penetration Testing and Ethical Hacking

Page 3

Talk Overview

• Review key security (data) breaches and network attacks that have occurred over the past 12 months (What Do Hackers Do?)
• Discuss the major motivations driving these attacks (Why Do Malicious Hackers Hack?)
• Outline the most common attack vectors in use (How Do Malicious Hackers Hack?)
• What is FUD?
• Learn how to uncover, mitigate and prevent common attacks (What Do I Do When Hackers Hack?)

Page 4

Recent Data Breach Summary

• Timeline September 2013 – August 2014
  – Total Reported Breaches – 259
  – Total Identities Exposed – 598 million
• Top Causes of Data Breaches
  – Malicious Hackers – 53%
  – Accidentally Made Public – 21%
  – Theft or Loss of Computer or Drive – 20%
  – Inside Theft – 6%

Symantec Intelligence Report – August, 2014

Page 5

Recent Data Breach Summary

Symantec Intelligence Report – August, 2014

Page 6

Recent Data Breach Timeline

• Timeline September 2013 – August 2014

Symantec Intelligence Report – August, 2014

Page 7

Recent Data Breach Top Ten

Symantec Intelligence Report – August, 2014

Page 8

Recent Data Breaches in the News

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Page 9

Recent Data Breaches in the News

• eBay
  – Hackers obtain a small number of employee login credentials
  – Use that info to access a database containing user records in late February and early March
  – Data copied and posted for sale
• Home Depot
  – Malware installed on POS systems across 2,200 stores
  – Siphoned credit card details of up to 56 million customers
  – May be the same Russian group that hit Target, Sally Beauty, P.F. Chang’s, Neiman Marcus and Michael’s

Page 10

Recent Data Breaches in the News

• Aventura Hospital (Florida)
  – 82,000 patients impacted by third data breach in two years
  – Latest began just one day after the previous breach had ended and lasted two years
• JPMorgan Chase & Company
  – Break-in acknowledged 9/20/2014
  – Details not provided
  – No fraudulent use of compromised data detected
• Apple iCloud
  – Celebrity accounts hacked due to a flaw in the iCloud Web API
  – Compromising photos copied and made available publicly

Page 11

Recent Network Attacks

• Destiny and Call of Duty Servers
  – Used by PlayStation and Xbox
  – Hit with DDoS attack by Lizard Squad
• Silk Road 2.0
  – Hit by sophisticated DDoS attack
  – 9/20/2014
  – Last February lost $2.6 million in bitcoin due to attack
• Code Spaces
  – June 2014 – Amazon cloud account hacked
  – All virtual servers and backups deleted
  – Business closed on the day of the attack
• Spamhaus
  – Hit with 300 Gbps DNS amplification attack

Page 12

The Face of Cybercrime Today

“The Web has become the new threat vector of choice by hackers and cyber criminals to distribute malware and perpetrate identity theft, financial fraud and corporate espionage.” -- IDC

Page 13

Malware

• What is Malware?
  – Software or code that is executed on a computer without the knowledge or consent of the operator
  – Designed to
    • Assess and exploit security vulnerabilities in systems
    • Provide remote command and control access to unauthorized parties (botnet participation)
    • Distribute confidential or personal information to unauthorized parties
  – Distributed by multiple vectors
  – May permanently damage data
    • Ex. Ransomware

Page 14

Malware Top Ten – Windows

Symantec Intelligence Report – August, 2014

Page 15

Malware Top Ten – Mac

Symantec Intelligence Report – August, 2014

Page 16

Malware – Ransomware Trends

Symantec Intelligence Report – August, 2014

Page 17

Malware – Activity by Source (Bots)

Symantec Intelligence Report – August, 2014

Page 18

Vulnerabilities

• What are Vulnerabilities?
  – Any design or coding flaw that exposes data or systems to potential exploitation or results in unexpected behavior or performance
  – Also called an attack surface
  – Requires three elements for exploitation
    • A susceptible system
    • Attacker access to the flaw
    • Attacker capable of exploiting the flaw
  – Not all vulnerabilities pose the same level of risk
  – A “Zero Day” vulnerability usually refers to a software flaw that is exposed and exploited before the vendor is aware of the issue and can release a fix

Page 19

Vulnerabilities – Zero Day

• Most Recent Zero Day Exploits
  – Bash shell environment variable manipulation (Shellshock)
  – OpenSSL Heartbleed private SSL certificate disclosure (memory scraping)
  – Microsoft Internet Explorer use-after-free Flash exploit
• Excellent Resource
  – http://blog.beyondtrust.com/zd_threat

Page 20

Vulnerability Disclosure Timeline

Symantec Intelligence Report – August, 2014

Page 21

Vulnerabilities – Zero Day

Symantec Intelligence Report – August, 2014

Page 22

Vulnerabilities – Browser

Symantec Intelligence Report – August, 2014

Page 23

Vulnerabilities – Plug-in

Symantec Intelligence Report – August, 2014

Page 24

Mobile Threats

• Mobile Threats
  – Place personal mobile devices at risk by
    • Tracking user activity
    • Stealing personal information
    • Creating backdoors
    • Reconfiguring the device
    • Displaying annoyances
    • Redirecting content
    • Spamming
  – Many mobile devices are connected to corporate resources including email services

Page 25

Mobile Threat Classifications

Symantec Intelligence Report – August, 2014

Page 26

Social Media

• Social Media (Twitter, Facebook, etc.)
  – Fake offerings
  – Manual sharing
  – Likejacking
  – Comment jacking
  – Fake apps
  – Misleading news stories or links
• Ultimately leads to attempted malware infection or an attempt to steal credentials

Page 27

Social Media

Symantec Intelligence Report – August, 2014

Page 28

Email – Phishing, SPAM and Viruses

• Email trends
  – Phishing rate down in August from 1 in 1290 to 1 in 1587 email messages
  – Global SPAM rate for August was 62.6 percent, meaning 62 out of 100 messages were SPAM
    • AppRiver’s SecureTide customers see SPAM rates closer to 87.7%
    • More U.S. based customers – more valuable targets
  – One out of every 270 contained a virus
  – 3.2% of all email contained a malicious URL
    • AppRiver’s customer base sees a higher percentage of emails with malicious URLs
    • More U.S. based customers – more valuable targets

Page 29

Email – Phishing Rates

Symantec Intelligence Report – August, 2014

Page 30

Email – Global SPAM Rates

Symantec Intelligence Report – August, 2014

Page 31

Email – Viruses Per Message

Symantec Intelligence Report – August, 2014

Page 32

Email – Viruses Per Message

• What does antivirus software protect against?
  – On average, less than 1% of all threats are due to virus infiltration

Page 33

Email – Messages w/ Malware URL

Symantec Intelligence Report – August, 2014

Page 34

Malicious Hackers

• What they are NOT . . .
  – Some teenager hacking a Web site for bragging rights
  – A Script Kiddie
  – White Hat vs. Black Hat

Page 35

Malicious Hackers

• What they ARE . . .
  – Well-trained experts with a plethora of tools at their disposal
  – Sell themselves to the highest bidder
  – Work for or are part of sophisticated criminal enterprises
  – Members of global activist networks
    • Anonymous
    • Syrian Electronic Army
    • LulzSec
    • Others

Page 36

Malicious Hacker Motivations

• Making social statements
  – Hacktivism
  – Bring down specific targets based upon political views
• Theft
  – Stealing data that can be resold for profit
    • Personal info
      – Credit cards
      – SSNs
      – Medical records
    • Corporate info
      – Financial info
      – Trade secrets
      – Espionage

Page 37

Malicious Hackers Target

• Three Basic Targets
  – Revenue
    • What can they steal that can be sold?
    • Steal items that have cash value (bank transfers, Bitcoin)
    • Access bank accounts
    • Steal intellectual property
  – Reputation
    • Deface your Web site and other public resources
    • Smear your reputation
    • Degrade service
      – Upset customers
      – Break SLAs
      – Result in revenue loss

Page 38

Malicious Hackers Target

  – Resources
    • Own your network, servers and workstations
      – Continuous data gathering
      – Access higher level computing resources and data
    • Use these resources to attack others
      – Botnet participation
      – Anonymous proxy

Page 39

Malicious Hackers

• Use a combination of attack vectors
  – Often the most visible attack is NOT the real attack
    • DDoS to create panic
    • Physical compromise occurs during the chaos
  – Vectors include
    • Physical attacks
    • Social engineering
    • Network attacks (local and hosted resources)
      – Wired
      – Wireless

Page 40

Common Attack Mechanisms

• Overall Process
  – Seven stages
    • Recon
    • Lure
    • Redirect
    • Exploit
    • Place malicious code
    • Call home
    • Data theft

Page 41

Common Attack Mechanisms

  – Process much like a structured penetration test, except that hackers
    • Are not limited by budget
    • Are not limited by “Rules of Engagement”
    • Are not motivated to play by the rules
    • Are not easily caught and prosecuted

Websense – The Seven Stages of Advanced Threats and Data Theft – 2012

Page 42

Common Attack Mechanisms

• Information gathering
  – Publicly available info
    • Web sites (Maltego)
    • Google, Bing, etc. (Search Diggity Suite)
    • Facebook, Twitter, Instagram, LinkedIn
    • Dumpster diving
    • Web file (document) metadata (ExifTool, FOCA, others)
    • Internet registries (ARIN, Network Solutions, GoDaddy, etc.)
    • DNS tools (DNSstuff.com, dnstools.com, dig)
    • Job postings
    • Links (BiLE – BiLateral Link Extractor)

Page 43

Common Attack Mechanisms

• Information gathering (continued)
  – Social engineering
    • Phishing
    • Phone scams
    • Social media profile impersonation
    • Physical entry (break-in or tailgating)
  – Wireless network exploitation
    • Man-in-the-middle attack
    • Open or WEP-protected Wi-Fi connected to corporate LAN
    • Wireless redirection attack
    • Bluetooth or RFID scanning

Page 44

Common Attack Mechanisms

• Information gathering (continued)
  – Public network analysis
    • Network scanning (nmap, Zenmap, masscan)
    • Packet sniffing (Wireshark, tcpdump)
    • Vulnerability scans (Nessus, Qualys)
    • Web site exploitation (BeEF, Metasploit)
    • DNS poisoning
    • DNS zone transfers
    • Google Dorks (http://www.exploit-db.com/google-dorks/)
  – Rogue device placement
    • Compromised USB keys (ex. USB Rubber Ducky)
    • Rogue Wi-Fi sniffer (ex. Wi-Fi Pineapple)
    • Raspberry Pi device

Page 45

Common Attack Mechanisms

• Exploitation Attacks
  – DDoS (Distributed Denial of Service)
    • SYN floods
    • NTP amplification
    • DNS amplification
    • UDP floods
    • Ping floods
  – SQL Injection
    • Attacks Web site to reveal back-end database info
      – Structure
      – Actual data
    • Can lead to Web site defacement or data poisoning

Page 46

Common Attack Mechanisms

• Exploitation Attacks (continued)
  – Brute force password cracking
    • Somewhat limited but can still be done
  – Remote key logging
  – Cross Site Scripting
    • Hijack user browser sessions
    • Gather credentials or hack accounts
  – BGP Hijacking
    • ISP starts announcing BGP routes for IP blocks they do NOT own
    • Upstream ISP allows the advertisement through its filter
    • Causes traffic redirection to rogue endpoints

Page 47

Common Attack Mechanisms

• Exploitation Attacks (continued)
  – Client Side Exploitation
    • Breaching network
    • Pivoting to workstation
    • Gather more info to access additional resources
    • Steal confidential data
    • Tools
      – Metasploit, Armitage
      – Cain, John the Ripper, THC Hydra, Ophcrack, RainbowCrack
      – Netcat, Scapy

Page 48

Common Attack Mechanisms

• Exploitation Attacks (continued)
  – Wireless Exploitation
    • Man-in-the-middle attack
    • Fake access points (impersonation)
    • Router hacking based on known exploits
    • DoS w/ radio interference
    • WEP or WPA password cracking
  – Packet sniffing
    • Read unencrypted credentials
    • Ex. Wall of Sheep at DEFCON
  – Internet of Things (IoT) hacks
    • Household devices (thermostats, TVs, DVD players, etc.)

Page 49

Common Attack Mechanisms

• Exploitation Attacks (continued)
  – Ex: DNS Amplification
    • Recursive DNS resolvers respond to a spoofed source IP with large amounts of data
    • ~500 byte request in, up to 4096 byte response out
    • 4096/500 = 8.192x amplification
    • Hundreds or thousands of open DNS resolvers are hit and respond to the victim IP all at once
    • Some attacks can have an amplification factor of over 60
    • 5 Mbps cable modem could generate an attack of 3 Gbps
    • Consider a botnet network with thousands of members acting all at once
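The amplification arithmetic above is also the basis of a check on the defending side: a resolver that is being abused as a reflector sees one spoofed "client" pulling back far more bytes than it sends. The following is an added example, not part of the talk; it parses constructed, simplified resolver query-log lines (the log format, the SAMPLE_LOG values, the field names and the thresholds are all assumptions) and flags source addresses whose aggregate response/request byte ratio looks like reflection, which is also what the later advice to monitor DNS logs is after.

```python
"""Per-client amplification check over a recursive resolver's query log.

Added example, not from the talk. The log format is a constructed, simplified one:
    <epoch> <client_ip> <qname> <qtype> <request_bytes> <response_bytes>
A "client" that is really a spoofed victim address shows up as a burst of small
requests (often ANY) that each pull back a large response.
"""
from collections import defaultdict

# Constructed sample log: 203.0.113.9 is the spoofed victim address; the other two
# clients are ordinary lookups. Sizes are illustrative, not measured.
SAMPLE_LOG = """\
1411200000 203.0.113.9 example.net ANY 64 3960
1411200000 203.0.113.9 example.net ANY 64 3960
1411200000 203.0.113.9 example.net ANY 64 3960
1411200001 198.51.100.20 www.example.com A 45 61
1411200001 203.0.113.9 example.net ANY 64 3960
1411200001 203.0.113.9 example.net ANY 64 3960
1411200002 198.51.100.21 mail.example.com MX 48 112
1411200002 198.51.100.20 example.org TXT 44 300
1411200002 203.0.113.9 example.net ANY 64 3960
"""


def amplification_factor(request_bytes, response_bytes):
    """Bytes out per byte in; the talk's 500-byte request / 4096-byte response gives 8.192."""
    return response_bytes / request_bytes


def parse_line(line):
    ts, client, qname, qtype, req, resp = line.split()
    return {"ts": int(ts), "client": client, "qname": qname, "qtype": qtype,
            "req_bytes": int(req), "resp_bytes": int(resp)}


def per_client_stats(log_text):
    """Aggregate query count, bytes in/out and ANY-query count per source address."""
    stats = defaultdict(lambda: {"queries": 0, "req_bytes": 0, "resp_bytes": 0, "any": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        s = stats[rec["client"]]
        s["queries"] += 1
        s["req_bytes"] += rec["req_bytes"]
        s["resp_bytes"] += rec["resp_bytes"]
        if rec["qtype"] == "ANY":
            s["any"] += 1
    return stats


def suspicious_clients(log_text, min_queries=5, min_factor=8.0):
    """Return (client, queries, factor, any_count) for sources whose aggregate
    amplification factor reaches min_factor over at least min_queries queries.

    Thresholds are assumptions for this sample; tune them against your own
    baseline (the talk's first rule: know what is normal).
    """
    flagged = []
    for client, s in per_client_stats(log_text).items():
        factor = amplification_factor(s["req_bytes"], s["resp_bytes"])
        if s["queries"] >= min_queries and factor >= min_factor:
            flagged.append((client, s["queries"], factor, s["any"]))
    return sorted(flagged)


if __name__ == "__main__":
    for client, n, factor, any_count in suspicious_clients(SAMPLE_LOG):
        # Candidates for the talk's mitigations: rate limit or block the address,
        # and stop answering recursive queries for networks you do not serve.
        print(f"{client}: {n} queries, {factor:.1f}x amplification, {any_count} ANY")
```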

Page 50

Common Attack Mechanisms

• Exploitation Attacks (continued)
  – DNS Amplification Attack Diagram

Page 51

Common Attack Mechanisms – Tools

• Tools
  – Pre-built Linux distributions
    • Kali Linux
    • BackTrack Linux (deprecated)
    • Pentoo
    • NodeZero
    • BackBox
    • Blackbuntu
    • Others
  – All are open source and basically free

http://www.blackmoreops.com/2014/02/03/notable-penetration-test-linux-distributions-of-2014/

Page 52

Common Attack Mechanisms – Tools

• Information gathering tools (continued)
  – These distros already have most of the tools used regularly for penetration testing
  – They are maintained by various organizations
    • Ex: Kali maintained by Offensive Security
  – Easily updatable using normal Linux update processes
    • apt-get
    • yum
  – Have a wealth of public instruction available

Page 53

Proliferation of FUD

• What is FUD?
  – Fear, Uncertainty and Doubt
  – Marketing technique first used by IBM in the 1970s
  – Examples
    • Microsoft – Windows vs. OS/2 & other flavors of DOS
    • SCO vs. IBM – Accused IBM of giving away SCO code
    • Apple – iPhone jailbreaking could allow hackers to crash cell towers
• Recent FUD in the news
  – NBC story regarding device hacking at Sochi
  – Death of Windows XP
  – Y2K Doomsday predictions
  – LinkedIn and Yahoo security breaches

Page 54

Proliferation of FUD

• So What is Wrong with FUD?
  – Distracts us from acting upon facts
  – Harms our reputation as IT professionals
  – Overuse by the media desensitizes people
  – Causes mistrust and skepticism
• Can FUD be beneficial?
  – Can, for the short term, motivate people to take action
  – As facts become clear, FUD should be dramatically reduced

Page 55

Detecting, Mitigating & Preventing Attacks

• Detecting Attacks
  – First, know what is normal!
  – Log everything and analyze
    • Local syslog
    • Windows event logs
    • AD DNS logging
    • Kiwi, Bro, PRTG
    • Elasticsearch (ELK)
  – Monitor critical devices, services, files, interfaces, etc.
    • PRTG or Nagios
    • NetFlow
    • Monitor (mirror) port on the Internet link to the router for sniffing and IDS

Page 56

Detecting, Mitigating & Preventing Attacks

• Detecting Attacks (continued)
  – Configure alerting
    • For abnormal behavior (slower or faster than normal responses, file sizes, etc.)
    • For abnormal system and resource usage
    • Track over time
    • Analyze trends
  – Deploy honeypots
    • KFSensor, Honeyd, HoneyBOT, HoneyDrive
    • Use that data to understand how your network is…
      – being exploited or owned
      – being attacked in hopes of being owned

Page 57

Detecting, Mitigating & Preventing Attacks

• Detecting Attacks (continued)
  – Employ deep packet inspection
    • Security Onion
      – Linux distro
      – Snort
      – Snorby
      – Bro
      – ELSA
      – tcpreplay
    • Network Security Toolkit
  – Remote monitoring
    • Network paths
    • DNS

Page 58

Detecting, Mitigating & Preventing Attacks

• Mitigating Attacks
  – Understand the attack
    • What does the data reveal?
      – Malware
      – DDoS
      – Data breach
      – Physical compromise
      – Web site compromise
    • How critical is the incident?
  – Determine the source and scope
    • Packet captures (Wireshark or tcpdump)
    • DNS logging on AD controller
    • Use tcpreplay to analyze the data (Security Onion)

Page 59

Detecting, Mitigating & Preventing Attacks

• Mitigating Attacks (continued)
  – Take steps to block the current attack
    • Port block
    • Rate limit traffic
    • IP block
    • Web fix
    • Isolate infected PC or server
  – Once blocked, do a post mortem
    • Plug holes
    • Change policies
    • Patch, etc.

Page 60

Detecting, Mitigating & Preventing Attacks

• Preventing Attacks
  – Know that there is no one “Silver Bullet”
    • If a vendor says they have a device that will solve all your problems, quickly show them the door
    • Security is a multi-layered approach
    • Design security from the outside in and inside out
  – Web site
    • Tight coding
    • Limit information disclosure
    • Secure customer PII
    • DO NOT host site internally
    • Test with Web application vulnerability testers

Page 61

Detecting, Mitigating & Preventing Attacks

• Preventing Attacks (continued)
  – Email Services
    • Deploy robust SPAM and virus filtering
      – Ex. SecureTide
      – Be sure it is an OFF SITE (cloud) service
    • DO NOT host email internally
    • Configure archiving if compliance requires
    • Use an email encryption service when sending sensitive data
      – Ex. CipherPost Pro
    • Be sure all connections use SSL or TLS
      – No transferring credentials in clear text
      – POP3 and IMAP have both encrypted and non-encrypted ports
      – Know the difference and use encryption

Page 62

Detecting, Mitigating & Preventing Attacks

• Preventing Attacks (continued)
  – Internet Connection
    • Deploy a next generation firewall and lock it down
    • Get an SLA from your provider
    • Deploy honeypots
    • Monitor as discussed earlier
    • Deploy IDS / IPS in line
    • Vulnerability assessments
    • Use BGP blackholes (Bogons, Spamhaus DROP)
  – VPN (Remote User Access)
    • Use PPTP or IPsec VPN for all remote client access
    • Use 2 factor authentication
      – RSA key (rotating code + PIN)
      – AD authentication

Page 63

Detecting, Mitigating & Preventing Attacks

• Preventing Attacks (continued)
  – VPN (continued)
    • Log all connections
      – Look for connection patterns
      – Same user, multiple locations
      – Connection frequency
    • Require VPN connections always
      – No connection to corporate network from home or open Wi-Fi
      – No connection to corporate network from shared computers
  – Wireless
    • Separate guest access from corporate Wi-Fi
    • No connection to corporate LAN on guest Wi-Fi
    • Use WPA2 / AES as minimum encryption (NO WEP)
    • Scan for rogue access points
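The two VPN connection patterns named above (same user from multiple locations, and connection frequency) as a runnable check over connection logs. This is an added example, not from the talk; the log format, the SAMPLE_VPN_LOG lines, the country field (which would come from a GeoIP lookup of the source address in practice) and the window and threshold values are all assumptions.

```python
"""Connection-pattern checks over VPN logs: same user from multiple locations,
and unusual connection frequency.

Added example, not from the talk. The log format is a constructed, simplified one:
    <ISO-8601 time> <user> <source_ip> <country> connect
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: jdoe connects from two countries 14 minutes apart, asmith is
# normal, and svc_backup reconnects every minute for 12 minutes (a guessed
# password being retried, or a broken client; either way, worth a look).
_BURST = [f"2014-09-22T09:{m:02d}:00 svc_backup 192.0.2.99 US connect" for m in range(12)]
SAMPLE_VPN_LOG = "\n".join([
    "2014-09-22T08:01:10 jdoe 198.51.100.7 US connect",
    "2014-09-22T08:14:55 jdoe 203.0.113.44 RO connect",
    "2014-09-22T08:30:02 asmith 192.0.2.15 US connect",
    "2014-09-22T08:45:40 asmith 192.0.2.15 US connect",
] + _BURST)


def parse_vpn_log(text):
    """Return connect events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, action = line.split()
        if action == "connect":
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "ip": ip, "country": country})
    return sorted(events, key=lambda e: e["ts"])


def _by_user(events):
    grouped = defaultdict(list)
    for e in events:
        grouped[e["user"]].append(e)
    return grouped


def multi_location_users(events, window=timedelta(hours=1)):
    """Users seen connecting from more than one country within `window`.
    Returns sorted (user, (countries...)) pairs."""
    flagged = []
    for user, evs in sorted(_by_user(events).items()):
        for i, first in enumerate(evs):
            countries = {first["country"]}
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                countries.add(later["country"])
            if len(countries) > 1:
                flagged.append((user, tuple(sorted(countries))))
                break
    return flagged


def high_frequency_users(events, window=timedelta(minutes=15), max_connects=10):
    """Users with more than `max_connects` connects inside any `window`
    (sliding window over the user's time-sorted events)."""
    flagged = []
    for user, evs in sorted(_by_user(events).items()):
        times = [e["ts"] for e in evs]
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_connects:
                flagged.append(user)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_vpn_log(SAMPLE_VPN_LOG)
    print("multiple locations:", multi_location_users(evs))
    print("high frequency:", high_frequency_users(evs))
```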

Page 64

Detecting, Mitigating & Preventing Attacks

• Preventing Attacks (continued)
  – Physical Access
    • Know your vendors and repair techs
      – Have access policies
      – Require pre-arranged appointments
      – Accompany visitors when possible
    • Limit physical access
      – Doors
      – Elevators (easily hacked even w/ access control)
      – Set up trap areas between elevators and office entrances
    • Deploy cameras
    • Do weekly walk-throughs
      – Data rooms, closets, etc.
      – Investigate suspect devices

Page 65

Detecting, Mitigating & Preventing Attacks

• Preventing Attacks (continued)
  – Physical Access (continued)
    • Validate door locking schedule
    • Deploy swipe locks
    • Require ID badges
    • Review surveillance videos regularly
    • Question all unfamiliar visitors
    • Enforce a visitor policy
  – LAN Protection
    • Firewall
    • VLAN
      – Separate by need to access
      – Enforce with access lists on firewall

Page 66

Detecting, Mitigating & Preventing Attacks

• Preventing Attacks (continued)
  – LAN Protection (continued)
    • Implement NAP (Network Access Protection)
      – Limit device connections
      – By MAC and compliance profile
      – Enforce policies
    • Test and implement hard drive encryption
    • Enforce USB device policy
    • Implement DNS malware filtering
      – SecureSurf
      – No “whitelisting” for known infected content
    • Implement content filtering
      – Adjust restrictions based upon user activity
      – Adjust per department

Page 67

Detecting, Mitigating & Preventing Attacks

• Preventing Attacks (continued)
  – LAN Protection (continued)
    • Enforce a clear Acceptable Use Policy
    • Monitor DNS logs
    • Set robust password policies
      – Required length, characters
      – Refresh regularly – expiration policy
    • Follow OS best security practices
    • Be proactive and glaringly anal about updates and patches
    • Set strict BYOD policies
      – Phones
      – Tablets
      – Laptops

Page 68

Detecting, Mitigating & Preventing Attacks

• Preventing Attacks (continued)
  – Hardware Retirement
    • Implement a device wiping policy
    • Contract with a shredding company to destroy all defunct hardware
  – Educate Users
    • Users are your weakest link!
    • Computer users should have a minimum competency level
    • Must ALWAYS be aware of the potential dangers
    • Discuss and enforce social networking practices
      – Etiquette
      – Acceptable use

Page 69

Detecting, Mitigating & Preventing Attacks

• Preventing Attacks (continued)
  – Educate Your IT Staff
    • Subscribe to reputable data feeds
    • Podcasts
    • Take online courses
    • Make use of open source security tools
    • Collaborate with peers
      – SANS – Securing the Human
  – Bottom line – KNOW YOUR ENEMY

Page 70

Wrap Up

• Q & A
• Contact Info –
  Jim Nitterauer
  [email protected]
  @jnitterauer
  http://www.linkedin.com/in/gridsouth
  850-932-5338 x6468