technical security at 1&1 - ruhr university bochum · poly- and metamorphic malware and the...

Matthias Schmidt TECHNICAL SECURITY AT A LARGE COMPANY


Page 1: Technical security at 1&1 - Ruhr University Bochum · Poly- and metamorphic malware and the obfuscation curse 16 18.01.2018 Most modern malware is polymorphic and uses anti-analysis

Matthias Schmidt

TECHNICAL SECURITY AT A LARGE COMPANY

Page 2

Welcome, Who am I!

• Studied CS @ Univ Marburg 2001 - 2007
• Diploma thesis about Network Security
• 5 years assistant at Distributed Systems Group 2007 - 2012
  - Security
  - Virtualization
  - Grid Computing
• Joined 1&1 in 2012, Head of Technical Security
  - Security Architecture
  - Operating Systems Security
  - Digital Forensics
  - Malware/Reverse Engineering
  - Trainings

Page 3

Why we care about Information Security

Figures
• 7 Data Centers on 2 continents
• 90,000 servers at 1&1
• 60,000 servers at Strato
• Hosting of more than 20 million domains

Networking
• Global connectivity more than 300 GBit/s
• 70 GBit/s outbound peak load traffic
• About 9 billion page impressions per month
• More than 5 billion e-mails per month
• 9,000 TeraByte monthly traffic volume

Page 4

TECHNICAL SECURITY: General Introduction

(Image: Flickr, CarbonNYC, CC-BY-2.0)

Page 5

Focus Topics & Services

Technical Security
• Cross-Sectional
  - Consulting
  - Legacy Migration Projects
  - PKI
  - My Secure Workday
  - Secure Services
• Application Security
  - SSLC
  - Maturity Model
  - Pentests
• Network Security
  - Infrastructure Scan
  - VLAN hardening
  - Pentests
• Office Security
  - Malware protection
  - Sandbox Analysis
  - Memory forensics
  - Pentests
• Infrastructure Security
  - Hardening
  - Forensics
  - SIEM
  - Pentests
  - IDS
• Comm
  - CERT
  - Trainings
  - Incident Management

Page 6

Application Security and its Challenges in Corporate Environments

Secure Software Development Lifecycle (SSDLC)
• Structured way of developing secure software
• Predefined set of life-cycle tasks and requirements
• Developed our own tool for it: https://securityrat.github.io/

Penetration tests
• For new applications
• For legacy applications
• Cover recurring events (PCI DSS/De-Mail re-certification)

Challenges
• Secure development in agile environments
• Pentest scalability
• Third-party software/dependencies
• Remember, the cloud is just someone else's computer

Page 7

Infrastructure Security and Digital Forensics

Are we affected by $vulnerability?
• Simple for hundreds, complex for tens of thousands of systems
• We scan at large scale: Zmap, nmap, SSL/TLS scanner, enterprise solutions, …

Volatile and non-volatile forensic investigations on
• Servers
• Workstations
• Mobile devices

Page 8

ADVANCED WORKSTATION PROTECTION

Signature-based Anti-Virus is dead or …

Page 9

Office Security

Page 10

Incident Response Process

[Diagram: Detection, Prevention, Mitigation, Assessment, Analysis]

Goal: Automated Threat Treatment
• Reduce Response Time
• Reduce Resolution Time
• Reduce Incident Impact
• Reduce Incident Probability

Page 11

There is an Entire Industry behind it…

Page 12

So, what do you think that you are worth?

Page 13

Now, why does this happen? Don't we have anti-virus scanners?

Page 14

They sometimes fail…

• Different names
• Different strings
• Different hashes
• Damn!

Page 15

Poly- and metamorphic malware and the obfuscation curse

Most modern malware is polymorphic and uses anti-analysis and anti-detection techniques like
• Encryption
• Packing
• Code/Binary Obfuscation
• Virtualization
• Anti-debugging

Many malware families are even metamorphic (= self-mutating)
• Use a new encryption key with every replication cycle
• Rotate different obfuscation schemes
• Reload code at runtime
• Use self-modifying code practices

Page 16

Long story short…

Page 17

Incident Response Infrastructure

[Diagram of the incident response infrastructure. Components: Anti-Virus Server, Malware Analysis System, IDS, Ticket System, Alert Database, Operator, IOC Server, Workstation, SIEM, Live Forensics System. Flows labelled: alerts, IOCs, request.]

Page 18

Generic Incident Analysis Procedure

ALERT
• Anti-Virus / IDS alert
• User reports "weird" behavior

TRIAGE
• Check for obvious FP signs
• Assess victim criticality
• Assess potential threat impact

ANALYSIS
• Gather evidence (memory dump, network traces, …)
• Filter, correlate, and analyze evidence

Page 19

A typical Incident Analysis Case (1)

• Email with link to alleged WinRAR installer
• Download trojanized WinRAR ISO
• Extract WinRAR.exe from WinRAR.iso

Artifacts:
\Users\xxx\Downloads\WinRAR.iso
\Windows\Prefetch\7ZFM.EXE-7C92DCA0.pf
\Users\xxx\AppData\Local\Temp\7zOC95DD566\WinRAR.exe
\Users\xxx\Downloads\WinRAR\WinRAR.exe

Page 20

A typical Incident Analysis Case (2)

• Drop, install, and start malicious service
• Execute trojanized WinRAR.exe

Artifacts:
\Windows\Prefetch\WINRAR.EXE-72EEBF17.pf
\Users\xxx\AppData\Local\Temp\103191234\ic-0.ba8738946c7218.exe
\Windows\Prefetch\SC.EXE-4502142D.pf
\Windows\Prefetch\NET.EXE-7F832A3A.pf
\Windows\Prefetch\IC-0.0C4A2901A2643.EXE-653CBD5D.pf

Event log entry (service installation):
#Im System wurde ein Dienst installiert.
#Dienstname: --
#Dienstdateiname: C:\Users\xxx\AppData\Local\Temp\103191234\ic-0.0c4a2901a2643.exe /wl 1
#Diensttyp: Benutzermodusdienst
#Dienststarttyp: Manuell starten
#Dienstkonto: LocalSystem

Page 21

A typical Incident Analysis Case (3)

• Drop and deploy kernel-mode rootkit
• Establish C2 channel
• Disable AV via PowerShell script

Artifacts:
\Windows\Prefetch\POWERSHELL.EXE-59FC8F3D.pf

PowerShell host record:
#PowerShell
#HostName=ConsoleHost
#HostApplication=powershell.exe -Command & {Add-MpPreference -ExclusionPath@('C:\WINDOWS\system32\drivers\3ee09e28c6d8f3de176caff9ab413c18.sys')}

Event log entry (service installation):
#Im System wurde ein Dienst installiert.
#Dienstname: 3ee09e28c6d8f3de176caff9ab413c18
#Dienstdateiname: C:\WINDOWS\system32\drivers\3ee09e28c6d8f3de176caff9ab413c18.sys
#Diensttyp: Kernelmodustreiber
#Dienststarttyp: Systemstart

Network connection:
172.xxx.xxx.xxx:63401 45.32.xxx.xxx:80 CLOSED 8708 svchost.exe
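The service-install events and the PowerShell host record from this case can be triaged and correlated mechanically, which is the "filter, correlate, and analyze" step of the generic procedure. The following Python is an added example, not tooling from the talk or from 1&1: it embeds the slides' own records as constructed sample input (redactions kept as shown), flags a service image under the user's Temp directory, a kernel driver with a hash-like 32-hex-digit name, and a Defender exclusion added via Add-MpPreference, and then links the excluded path to the later driver installation.

```python
import re

# Constructed sample input: the records shown on the slides, '#'-delimited as
# extracted (two Windows "service installed" events, one PowerShell host record).
# User names and hosts stay redacted exactly as on the slides.
RECORDS = [
    r"#Im System wurde ein Dienst installiert.#Dienstname: --"
    r"#Dienstdateiname: C:\Users\xxx\AppData\Local\Temp\103191234\ic-0.0c4a2901a2643.exe /wl 1"
    r"#Diensttyp: Benutzermodusdienst#Dienststarttyp: Manuell starten#Dienstkonto: LocalSystem",
    r"#PowerShell#HostName=ConsoleHost#HostApplication=powershell.exe -Command & "
    r"{Add-MpPreference -ExclusionPath@('C:\WINDOWS\system32\drivers\3ee09e28c6d8f3de176caff9ab413c18.sys')}",
    r"#Im System wurde ein Dienst installiert.#Dienstname: 3ee09e28c6d8f3de176caff9ab413c18"
    r"#Dienstdateiname: C:\WINDOWS\system32\drivers\3ee09e28c6d8f3de176caff9ab413c18.sys"
    r"#Diensttyp: Kernelmodustreiber#Dienststarttyp: Systemstart",
]

USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)  # service image in user Temp
HEX_NAME = re.compile(r"^[0-9a-f]{32}$", re.I)                        # hash-like service/driver name
AV_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion\w+", re.I)   # Defender exclusion from CLI

def parse_record(line):
    """Split a '#'-delimited record into {field: value}; fields use ': ' or '='."""
    fields = {}
    for part in line.strip("#").split("#"):
        if ": " in part:
            key, value = part.split(": ", 1)
        elif "=" in part:
            key, value = part.split("=", 1)
        else:
            key, value = part, ""
        fields[key.strip()] = value.strip()
    return fields

def triage(line):
    """Return the suspicious properties of one record (empty list = nothing found)."""
    f = parse_record(line)
    findings = []
    if USER_TEMP.search(f.get("Dienstdateiname", "")):
        findings.append("service binary in user Temp directory")
    if f.get("Diensttyp") == "Kernelmodustreiber" and HEX_NAME.match(f.get("Dienstname", "")):
        findings.append("kernel driver with hash-like name")
    if AV_EXCLUSION.search(f.get("HostApplication", "")):
        findings.append("Defender exclusion added via PowerShell")
    return findings

def correlate(lines):
    """Names of services whose image path was excluded from AV scanning by an
    earlier record: the link between the PowerShell event and the driver install."""
    excluded, linked = set(), []
    for line in lines:
        f = parse_record(line)
        excluded.update(p.lower() for p in re.findall(r"'([^']+)'", f.get("HostApplication", "")))
        image = f.get("Dienstdateiname", "").split(" /")[0].lower()
        if image and image in excluded:
            linked.append(f["Dienstname"])
    return linked
```

On these three records, every one yields exactly one finding and the correlation returns the driver's service name, so the exclusion and the rootkit installation surface as one chain rather than three unrelated alerts.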

Page 22

Incident Response Toolchain - Threat Intelligence Handling with MISP

Page 23

Incident Response Toolchain - Impact Assessment with Bloodhound

Page 24

Incident Response Toolchain - Live Forensics with Rekall and GRR

Page 25

Some Facts & Figures

Category               Type                                          Records
Malware                Analyzed unique malware samples               20.995
Malware                Malware samples and analysis results          4,6 TB
Threat Intelligence    Gathered Threat Intelligence                  40 GB
Threat Intelligence    Extracted Indicators of Compromise (IOCs)     478.000
Threat Intelligence    Generated IDS Rules (SNORT)                   26.600
Privilege Monitoring   Monitored user and service accounts           13.200
Privilege Monitoring   Monitored workstation and server objects      9.900
Privilege Monitoring   Monitored privilege groups                    28.000
Privilege Monitoring   Recorded user sessions                        11.000
Privilege Monitoring   Monitored privilege relations                 806.000

(Numbers are in German notation: "." separates thousands and "," is the decimal separator.)

Page 26

TLS CIPHER DISTRIBUTION

Of Ciphers, Key length and more

Page 27

History, Statements and Challenges

In 2013 Edward Snowden revealed top secret documents to the public: Xkeyscore, PRISM, Tempora, …

The world reacted with "Let's encrypt everything"

Page 28

Encrypt everything – Does it work?

Incoming SMTP Connections Europe

[Bar chart: share of incoming SMTP connections in Europe using TLS vs. PLAIN, for 2013, 2016 and 2018; values printed on the chart: 30%, 37%, 70%, 70%, 63%, 30%]

Page 29

Encrypt everything – Does it work? (2)

Outgoing SMTP Connections (CW 3/2018)

[Bar chart: share of outgoing SMTP connections using TLS vs. PLAIN, for EU and US; values printed on the chart: 93%, 86%, 7%, 14%]

Page 30

TLS Cipher Distribution – Incoming

Top 3 TLS cipher suites, one MX incoming

ECDHE-RSA/AES-128-GCM/AEAD: 209766 (69%)
DHE-RSA/AES-128-CBC/SHA1: 70542 (23%)
ECDHE-RSA/AES-128-CBC/SHA1: 23445 (8%)

Page 31

TLS Cipher Distribution – Incoming (2)

… everything else

[Pie chart; slices in legend order: DHE-RSA/AES-128-GCM/AEAD 54%, RSA/AES-128-CBC/SHA1 11%, RSA/3DES-CBC/SHA1 9%, RSA/AES-128-GCM/AEAD 9%, ECDHE-RSA/AES-256-CBC/SHA1 4%, DHE-RSA/AES-256-CBC/SHA1 4%, RSA/AES-256-CBC/SHA1 3%, ECDHE-RSA/AES-256-GCM/AEAD 3%, ECDHE-RSA/3DES-CBC/SHA1 2%, ECDHE-RSA/AES-128-CBC/SHA256 1%, DHE-RSA/3DES-CBC/SHA1 0%]

Page 32

TLS Cipher Distribution – Outgoing

Top 4 TLS cipher suites, one mailer outgoing

ECDHE-RSA/AES-128-GCM/AEAD: 1714309 (72%)
ECDHE-RSA/AES-256-CBC/SHA384: 299244 (13%)
ECDHE-RSA/AES-256-GCM/AEAD: 233268 (10%)
DHE-RSA/AES-128-GCM/AEAD: 127030 (5%)

Page 33

TLS Cipher Distribution – Outgoing (2)

… everything else

[Pie chart; shares printed on the chart: 35%, 23%, 8%, 8%, 7%, 5%, 5%, 3%, 2%, 1%, 1%, 1%, 0%, 0%, 0%, 0%, 0%. Legend: DHE-RSA/AES-128-CBC/SHA1, DHE-RSA/AES-256-GCM/AEAD, RSA/AES-128-CBC/SHA1, DHE-RSA/AES-256-CBC/SHA256, ECDHE-RSA/AES-128-CBC/SHA1, RSA/AES-128-GCM/AEAD, ECDHE-RSA/AES-256-CBC/SHA1, DHE-RSA/AES-256-CBC/SHA1, RSA/AES-256-CBC/SHA256, RSA/AES-256-GCM/AEAD, RSA/AES-128-CBC/SHA256, ECDHE-RSA/AES-128-CBC/SHA256, DHE-RSA/CAMELLIA-256-CBC/SHA1, ECDHE-RSA/3DES-CBC/SHA1]
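The question behind these cipher-suite charts is not which suite is most popular but how much of the mail traffic has forward secrecy, how much uses AEAD, and how much still rides on CBC/SHA1 or static RSA. The following Python is an added example, not code from the talk: it classifies the slides' "key exchange/cipher/MAC" labels and computes those shares from the counts printed on the incoming-MX and outgoing-mailer slides; the label format is the slides', everything else is assumed here.

```python
from dataclasses import dataclass

# Counts taken from the slides: top suites seen on one incoming MX and on one
# outgoing mailer, in the talk's "key exchange/cipher/MAC" notation.
INCOMING_TOP3 = {
    "ECDHE-RSA/AES-128-GCM/AEAD": 209766,
    "DHE-RSA/AES-128-CBC/SHA1": 70542,
    "ECDHE-RSA/AES-128-CBC/SHA1": 23445,
}
OUTGOING_TOP4 = {
    "ECDHE-RSA/AES-128-GCM/AEAD": 1714309,
    "ECDHE-RSA/AES-256-CBC/SHA384": 299244,
    "ECDHE-RSA/AES-256-GCM/AEAD": 233268,
    "DHE-RSA/AES-128-GCM/AEAD": 127030,
}

@dataclass(frozen=True)
class SuiteProfile:
    forward_secrecy: bool  # ECDHE/DHE: a later RSA key compromise does not expose recorded sessions
    aead: bool             # GCM/AEAD record protection instead of CBC plus HMAC
    issues: tuple          # legacy properties worth tracking in a migration plan

def classify(suite):
    """Derive a SuiteProfile from a 'KEX/CIPHER/MAC' label as used on the slides."""
    kex, cipher, mac = suite.split("/")
    forward_secrecy = kex.startswith(("ECDHE", "DHE"))
    issues = []
    if not forward_secrecy:
        issues.append("static RSA key exchange")
    if "3DES" in cipher:
        issues.append("3DES (64-bit block)")
    if cipher.endswith("CBC"):
        issues.append("CBC mode")
    if mac == "SHA1":
        issues.append("HMAC-SHA1")
    return SuiteProfile(forward_secrecy, mac == "AEAD", tuple(issues))

def summarize(counts):
    """Percentage of connections with forward secrecy, with AEAD, and with any legacy issue."""
    total = sum(counts.values())

    def share(pred):
        return round(100.0 * sum(n for s, n in counts.items() if pred(classify(s))) / total, 1)

    return {
        "total": total,
        "forward_secrecy_pct": share(lambda p: p.forward_secrecy),
        "aead_pct": share(lambda p: p.aead),
        "legacy_pct": share(lambda p: bool(p.issues)),
    }
```

Run against the slides' numbers, both top lists are 100% forward secret (every listed suite is ECDHE or DHE), but 30.9% of the incoming and 12.6% of the outgoing connections still negotiate a CBC suite, which is what the "everything else" long tail with its RSA and 3DES entries adds to.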

Page 34

Certificates signed by an official CA?

Valid CA: 90%
"Invalid CA": 10%

Page 35

WIDE AREA NETWORK

(Image: Flickr, Abode of Chaos, CC-BY-2.0)

Page 36

Denial Of Service Attacks

• Denial of Service (DoS) attacks have been known for 20 years
• Academia solved the problem decades ago
• Google Scholar shows > 540k results for DoS protection
• However, they are not gone as of today

Different Types of Attacks
• SYN Floods
• UDP Floods
  - NTP Amplification Attacks
  - DNS Amplification Attacks

Page 37

Denial Of Service Attacks (cont.)

Selected Examples of incoming (D)DoS attacks
• UDP NTP Amplification
  - 34 GBit/s with 7M Packets/s
  - 10 GBit/s with 1M Packets/s
• Simple UDP Floods
  - 15 GBit/s with 2M Packets/s
• DNS Amplification
  - 98 GBit/s with 9M Packets/s

Page 38

Denial Of Service Attacks (cont.)

Page 39

Denial Of Service Attacks – Countermeasures

• QoS enabled on the local switch
• Filter malicious traffic on the local distribution router
• Blackhole the target's IP address
• Scrub traffic

Page 40

CONCLUSIONS

Page 41

Conclusions

Technical measures are good, security awareness is better

Page 42

The End and thanks for your Attention

Dr. Matthias Schmidt, Head of Technical Security

Q & A