think like a hacker: using network analytics and attack simulation to find and fix security gaps

Think Like a Hacker: Using Network Analytics and Attack Simulation to Find and Fix Security Gaps Michelle Johnson Cobb VP, Marketing and BD March 15, 2012 SANS webcast © 2012 Skybox Security

Upload: skybox-security

Post on 18-May-2015


DESCRIPTION

If you’re tasked with keeping your enterprise network infrastructure secure against cyber attacks, then you’d better start thinking like a hacker. Do you know what your network looks like? Where are all the access points? Can you create a short list of the most vital vulnerabilities a hacker could exploit? And how long does it take you to get this info? Days? Weeks? Never?

In this webcast, we will discuss a practical game plan to continuously monitor your cyber security status and proactively fix concerns before they become a data breach or attack. Learn how to minimize risks by combining a detailed understanding of your network topology, cyber threats, and likely attack scenarios with everyday security management processes. This webcast is appropriate for firewall and network administrators, IT security managers, and CISOs in medium to large business and government agencies.

We will examine:

• Network mapping – How to create a virtual network model to use for security architecture planning and policy compliance checks
• Access analysis – Ways to identify all network access routes, to block unauthorized access and quickly troubleshoot network availability issues
• Securing the perimeter – Enable daily checks of firewalls and network devices to keep them configured securely
• Attack simulation – Find and fix the vulnerabilities most likely to be used in an attack – every day

TRANSCRIPT

Page 1: Think Like a Hacker: Using Network Analytics and Attack Simulation to Find and Fix Security Gaps

• Michelle Johnson Cobb
• VP, Marketing and BD
• March 15, 2012
• SANS webcast

Page 2: Skybox Security Overview

Unique, High-Performance Technology
• Network Modeling
• Access Path Analysis
• Attack Simulation

Proven in Demanding Network Environments
• 6 of the top 10 banks, 5 of the 10 largest NATO members
• Financial Services, Retail, Energy, Government, Defense, Telecommunications, Manufacturing, Technology

Leading Security Risk Management Solutions
• Automated Firewall Management
• Continuous Network Compliance
• Risk and Vulnerability Management

Page 3: Preventing Attacks is not Trivial

• 300 firewalls
• 25,000 rules
• 250 routers/gateways
• 55,000 nodes
• 65 daily network changes
• 10,000 daily reported vulnerabilities
• Infrastructure spanning three continents

Page 4: First… Think Like a Hacker

Pre-Attack Reconnaissance? Or Find and Fix to Prevent Attack?

• Gather info on network topology
• Find access paths
• Find exploitable vulnerabilities
• Try out attack scenarios

Hacker toolkit: Wireshark, nmap, Nessus, netcat, Snort, Google, John the Ripper, etc.

Security Manager toolkit:

Page 5: Building a Network Model

Gather info on network topology

Automatically import data from network devices and management systems: Firewall, Load Balancer, Router, IPS, Vulnerability Scanner, Patch

Page 6: Feeding the Network Model

Gather info on network topology

Data must be imported, normalized, correlated

Page 7: How is the Model Created?

Gather info on network topology

• Import topology data: device configs, routing tables
• Automatically create a hierarchical model tree, grouping hosts by TCP/IP network
• Add function, location, type
• Analyze model to detect missing info – hosts, ACLs, routing rules for gateways
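The model-building steps on this slide, as an added example (not Skybox code): gateway interface facts are grouped into a tree of TCP/IP networks, scanner-reported hosts are placed under the network they fall in, and a completeness pass flags what the model still lacks. All device names, addresses and facts are constructed.

```python
import ipaddress

# Constructed inputs (not real device exports): per-device facts as a collector might
# normalize them from configs and routing tables, plus hosts reported by a scanner.
DEVICES = {
    "fw-dmz":   {"type": "firewall", "interfaces": ["10.1.0.1/24", "192.0.2.1/29"],
                 "routes": ["0.0.0.0/0 via 192.0.2.2"], "acl": ["permit tcp any 10.1.0.0/24 eq 443"]},
    "rtr-core": {"type": "router", "interfaces": ["10.1.0.2/24", "10.2.0.1/24"],
                 "routes": [], "acl": []},     # routing table was never collected
}
HOSTS = {"ftp-dmz": "10.1.0.10", "fin-srv": "10.2.0.20", "dns-core": "10.2.0.53",
         "orphan": "172.16.5.5"}   # belongs to no network any gateway knows about

def build_model(devices, hosts):
    """Model tree: every network seen on a gateway interface becomes a node that holds
    its gateways and the hosts whose address falls inside it. Returns (networks, unplaced)."""
    networks = {}
    for dev, facts in devices.items():
        for iface in facts["interfaces"]:
            net = str(ipaddress.ip_interface(iface).network)
            networks.setdefault(net, {"gateways": set(), "hosts": set()})["gateways"].add(dev)
    unplaced = []
    for host, ip in hosts.items():
        addr = ipaddress.ip_address(ip)
        for net, node in networks.items():
            if addr in ipaddress.ip_network(net):
                node["hosts"].add(host)
                break
        else:
            unplaced.append(host)
    return networks, unplaced

def missing_info(devices, model):
    """Completeness check on the model: hosts that fit no network, gateways without
    routing rules, firewalls without ACLs, and networks with no host behind them."""
    networks, unplaced = model
    findings = [f"{h}: no network in model" for h in unplaced]
    for dev, facts in devices.items():
        if facts["type"] in ("router", "firewall") and not facts["routes"]:
            findings.append(f"{dev}: no routing rules")
        if facts["type"] == "firewall" and not facts["acl"]:
            findings.append(f"{dev}: no ACL")
    findings += [f"{net}: no hosts" for net, node in networks.items() if not node["hosts"]]
    return sorted(findings)
```

Running `missing_info(DEVICES, build_model(DEVICES, HOSTS))` on the constructed input reports the orphan host, the router with no routing rules, and the /29 with no hosts behind it.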

Page 8: Comprehensive Network Model

Gather info on network topology

• Normalized view of the network security situation
• Visualize entire network
• Updated continuously
• 3 models: Live, Forensic, and What-if

Page 9: Virtual “Sandbox” for Complex Security Analysis

• Prioritize exposed vulnerabilities
• Find device misconfigurations
• Analyze access paths

Page 10: Now - Check the Firewalls!

Find access paths

• Analyze firewall rule base against policies/best practices (NIST, PCI…)
• Identify risky rules
• Uniform policy for all firewalls

Page 11: Access Analyzer Finds all Paths

Find access paths

• Complete end-to-end path analysis
• Highlighting ACLs and routing rules
• Supports NAT, VPN, dynamic routing and authenticated rules

Page 12: Determine Rules Allowing Access

Find access paths

• Find blocking or allowing devices
• Show rules involved
• View routes

Page 13: Check for Access Policy Violations

Find access paths

• Define what is allowed, limited and denied between Security Zones
• Compliance metrics
• Violating rules
• Exceptions
• Multiple policies
• Dashboard

Page 14: Exploitable Vulnerabilities?

Find exploitable vulnerabilities

Start with the scan…

Vulnerabilities:
• CVE 2009-203
• CVE 2006-722
• CVE 2006-490

Page 15: Add Skybox Vulnerability Dictionary Content

Find exploitable vulnerabilities

• Collects vulnerability data from multiple sources (scanners, published repositories, threat feeds)
• Represents vulnerabilities in a standard format
• Adds severity, degree of difficulty, commonality of exploit and attack impact (CIA)
• Models pre-conditions for exploitation – used in attack simulation

Page 16: Look at Potential Threat Origins

Find exploitable vulnerabilities

Threat origins: Internet Hacker, Rogue Admin, Compromised Partner

Vulnerabilities: CVE 2009-203, CVE 2006-722, CVE 2006-490

Page 17: Simulate all Possible Attacks

Find exploitable vulnerabilities

Attack simulations from each threat origin (Internet Hacker, Rogue Admin, Compromised Partner) against the vulnerabilities (CVE 2009-203, CVE 2006-722, CVE 2006-490)

Page 18: How Attack Simulation Works

Probable attack vector to Finance servers asset group. This attack is a “multi-step” attack, crossing several network zones.

Views: Connectivity Path, Attack Vector, Business Impact

How to block the potential attack?

Page 19: Quantify and Prioritize Risks

Vulnerability (CVSS Score & CIA Impact)
+ Exposure (Threat Origins & Network)
+ Business Impact (CIA Impact and Asset Importance)
{Attack Simulation}
= Risk

Page 20: Plan Defensive Strategy

Threats → Vulnerabilities → Most Critical Actions

Page 21: Skybox Security Portfolio

• Firewall Assurance – Automated firewall analysis and audits
• Change Manager – Complete firewall change workflow
• Network Assurance – Network compliance and access path analysis
• Risk Control – Identify exposed vulnerabilities
• Threat Manager – Workflow to address new threats

Page 22: Remote Buffer Overflow Attack Steps

1. Buffer overflow vulnerability MS11-004 on FTP server in DMZ
2. Exploit to gain root control on the FTP server
3. FTP server trust relations with DNS server in core network
4. DNS server running FreeBSD has BIND vulnerability - enables control of DNS server
5. Finance server compromised. Significant damage or data loss

Page 23: Prevent a Buffer Overflow Attack

• Skybox Risk Control identifies attack paths
• Attack simulation reveals a small number of exposed vulnerabilities
• Skybox issues urgent ticket request to patch the FTP server
• Security team patches a single vulnerability to block potential attack and reduce high risk of Financial Server compromise
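The attack simulation of pages 15 to 19 and the single-patch fix of pages 22 and 23, as an added example (not Skybox code): a multi-step simulation walks an abstract model of zones, reachable ports and vulnerability pre-conditions, reduces the scanner's list to the vulnerabilities actually exposed, and finds which single patch leaves the Finance server unreachable. Hosts, zones, vulnerability ids and severities are all constructed; the DMZ FTP server and the core DNS server follow the deck's story.

```python
from collections import deque

# Constructed model (not Skybox data): host -> (zone, {vuln id: (listening port, severity)})
HOSTS = {
    "ftp-dmz":  ("DMZ",     {"VULN-FTP":  (21, 9.3)}),    # the deck's FTP server in the DMZ
    "web-dmz":  ("DMZ",     {"VULN-WEB":  (8080, 7.0)}),  # reported by the scanner, never reachable
    "dns-core": ("Core",    {"VULN-BIND": (53, 7.5)}),
    "fin-srv":  ("Finance", {"VULN-FIN":  (445, 6.8)}),
}
ORIGIN_ZONE = {"Internet": "Internet", "RogueAdmin": "Core"}       # threat origins
ACCESS = {("Internet", "DMZ"): {21, 443}, ("DMZ", "Core"): {53},   # ports open zone to zone,
          ("Core", "Finance"): {445}, ("Core", "Core"): {53}}       # as access path analysis found
ZONE = {**ORIGIN_ZONE, **{h: z for h, (z, _) in HOSTS.items()}}    # node -> zone

def simulate(origins=tuple(ORIGIN_ZONE), patched=frozenset()):
    """Multi-step attack simulation, breadth-first from the threat origins: a host is compromised
    when an unpatched vulnerability's port is reachable from a compromised node.
    Returns {node: (vuln used, previous hop)} for every compromised node."""
    reached = {o: (None, None) for o in origins}
    queue = deque(origins)
    while queue:
        src = queue.popleft()
        for dst, (_, vulns) in HOSTS.items():
            if dst in reached:
                continue
            for vid, (port, _) in vulns.items():
                if vid not in patched and port in ACCESS.get((ZONE[src], ZONE[dst]), ()):
                    reached[dst] = (vid, src)
                    queue.append(dst)
                    break
    return reached

def attack_vector(target, reached):
    """Rebuild the attack vector as (previous hop, vuln, host) steps from the origin."""
    steps = []
    while reached.get(target, (None, None))[1] is not None:
        vid, prev = reached[target]
        steps.append((prev, vid, target))
        target = prev
    return steps[::-1]

def exposed_vulns(origins=tuple(ORIGIN_ZONE)):
    """Shrink the scanner's list to vulnerabilities some compromised node can actually reach."""
    reached = simulate(origins)
    return {vid for host, (zone, vulns) in HOSTS.items() for vid, (port, _) in vulns.items()
            if any(port in ACCESS.get((ZONE[s], zone), ()) for s in reached if s != host)}

def blocking_patches(target, origins=tuple(ORIGIN_ZONE)):
    """Single patches after which no listed origin can reach target (the 'fix one vuln' case)."""
    every = [vid for _, vulns in HOSTS.values() for vid in vulns]
    return sorted(v for v in every if target not in simulate(origins, frozenset({v})))
```

With only the Internet origin, patching the FTP server alone blocks the three-step path to fin-srv; once the rogue-admin origin in the core is included, only the Finance server's own vulnerability is a single blocking patch, which is why the simulation runs per threat origin.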

Page 24: Firewall Bypass Attack Steps

1. DMZ firewall allowed access through TCP port 443 to internal network (which might be okay)
2. A misconfigured load balancer rule performed NAT to TCP port 80
3. Allowing port 80 access to the development network – a very risky situation

Page 25: Preventing the Firewall Bypass Attack

• Skybox Firewall Assurance automatically finds risky rules and configs in firewalls

• Skybox Network Assurance creates up-to-date network model and checks rest of layer 3 devices - load balancers, switches, routers

• Skybox checks policy rules such as: “No access from Internet to Internal except …”

• End-to-end access path analysis – every possible path

• Skybox issues tickets to address violations reported
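The access path analysis of pages 11 to 13 applied to the firewall bypass of pages 24 and 25, as an added example (not Skybox code): an access query is traced device by device along the path, first-match ACLs and the load balancer's destination NAT are applied, and the port actually delivered is checked against a zone access policy. Device names, rule ids, zones and the policy are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    rule_id: str
    src: str                # source zone
    dst: str                # destination zone
    dport: "int | None"     # None matches any port
    action: str             # "allow" or "deny"

@dataclass
class Device:
    name: str
    rules: list
    nat: dict = field(default_factory=dict)  # dport -> translated dport (e.g. a load balancer)

    def evaluate(self, src, dst, dport):
        """First-match ACL lookup; on allow, apply destination NAT to the port."""
        for r in self.rules:
            if r.src == src and r.dst == dst and r.dport in (None, dport):
                if r.action == "deny":
                    return False, dport, r.rule_id
                return True, self.nat.get(dport, dport), r.rule_id
        return False, dport, "implicit-deny"

def trace_access(path, src, dst, dport):
    """End-to-end access query along an ordered device path: returns
    (reachable, port as delivered at the destination, rules hit on the way)."""
    hit = []
    for dev in path:
        ok, dport, rule_id = dev.evaluate(src, dst, dport)
        hit.append(f"{dev.name}:{rule_id}")
        if not ok:
            return False, dport, hit
    return True, dport, hit

def policy_violations(policy, path, src, dst, probe_ports):
    """policy maps (src zone, dst zone) -> ports allowed to be delivered; any other
    port that gets through is a violation: [(port queried, port delivered, rules hit)]."""
    allowed = policy.get((src, dst), set())
    results = [(p,) + trace_access(path, src, dst, p) for p in probe_ports]
    return [(p, final, hit) for p, ok, final, hit in results if ok and final not in allowed]

# Constructed scenario from the deck: the DMZ firewall allows TCP 443 towards the development
# network ("which might be okay"), and a load-balancer rule NATs 443 to 80 on the way in.
dmz_fw = Device("dmz-fw", [Rule("fw-12", "Internet", "Development", 443, "allow"),
                           Rule("fw-99", "Internet", "Development", None, "deny")])
lb = Device("lb-1", [Rule("lb-3", "Internet", "Development", None, "allow")], nat={443: 80})
PATH, POLICY = [dmz_fw, lb], {("Internet", "Development"): {443}}  # Internet to Development: 443 only
```

`policy_violations(POLICY, PATH, "Internet", "Development", [22, 80, 443])` reports that the 443 query is delivered as port 80 via rules fw-12 and lb-3; checking only the firewall would have passed it.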

Page 26: Client-Side Attack Steps

1. User opens infected email attachment or clicks link to a malicious or hacked website
2. A vulnerability or misconfig on desktops is exploited and malware is installed
3. Malware enables attacker to collect data from machine, continue attack within the network, and send data back to attacker

Source: SANS Tutorial: HTTP Client-side Exploit

Page 27: Preventing a Client-Side Attack

• EMEA region at highest risk
• Retrieve exact list of vulnerable hosts
• Remediate in order of risk impact
• Adobe Reader 9.x and 8.x contribute the majority of the risk (76%)

Page 28: Best Practices to Prevent Attacks

• Automate security processes
• Get the comprehensive network view
• Find security gaps every day
• Validate changes in advance
• Prioritize by risk level

Page 29: Time for Questions

Thank You!

www.skyboxsecurity.com