Deep Security 6 RAM Training, Atlanta & Arlington


Trend Micro Virtualization Security
Jerome Law
EMEA Solutions Architect
What is a Hypervisor?
Hypervisors are a “meta” operating system in a virtualized environment. They have access to all physical devices in a server, including all disk and memory. Hypervisors both schedule access to these devices and help to protect clients from each other. A server first starts to execute the hypervisor, which then loads each of the virtual machine client operating systems, allocating the appropriate amount of memory, CPU usage, network bandwidth and disk space for each of the VMs.
VMs make requests to the hypervisor through several different methods, usually involving a specific API call. These APIs are prime targets for malicious code, so substantial effort is made by all hypervisors to ensure that the APIs are secure, and that only authentic (authenticated and authorized) requests are made from the VMs. This is a critical path function. It should be noted, however, that speed is a significant requirement in all hypervisors, to ensure that overall performance is not impacted.
What the Bad Guys are Doing
They hijack computers and misuse them for commercial purposes
(Diagram: Trigger -> Downloader -> Downloading components -> Interaction with server -> Infection -> $$$$, all via the Web)
Underground Virtualization
(Diagram: Operating System / Virtualization / Hypervisor layers)
Underground economy
Asset: Going-rate
Pay-out for each unique adware installation: 30 cents in the United States, 20 cents in Canada, 10 cents in the UK, 2 cents elsewhere
Malware package, basic version: $1,000 – $2,000
Malware package with add-on services: Varying prices starting at $20
Exploit kit rental – 1 hour: $0.99 to $1
Exploit kit rental – 2.5 hours: $1.60 to $2
Exploit kit rental – 5 hours: $4, may vary
Undetected copy of a certain information-stealing Trojan: $80, may vary
Distributed Denial of Service attack: $100 per day
10,000 compromised PCs: $1,000
Stolen bank account credentials: Varying prices starting at $50
1 million freshly-harvested emails (unverified): $8 up, depending on quality
Sample data from research on the underground digital economy in 2007
Problem
• Every 2 seconds a new malware threat is created
• 79% of websites hosting malicious code are legitimate – thus compromised by hackers
• 23% of the average user’s day at work is spent doing something on the Web
• 45% of the 100 most popular websites support user generated content – Web2.0 – 60% infected with malware
• 59% view their organization’s Web gateway security solutions as only somewhat effective, not very effective or not at all effective in protecting against web-borne threats
• 42% are prepared to deal with the risks of Web2.0 in order to capitalize on its business benefits (i.e. allow access to social networking sites etc)
And who’s behind?
(Diagram of the infection chain annotated with whois lookups; only the annotations are kept here:)
• Compromised ISP subnets owned by ARUBA.IT (and Vortech); IP location Italy; blacklist status clear
• IFRAME redirector from compromised site --> HostFresh, Hong Kong; blacklist status clear
• Other downloaded malware from various sites. For example, 58.65.239.180 is announced by Atrivo / Intercage, an infamous hosting company in the Bay Area. It is an APNIC IP address, but the physical location of servers using IP addresses in the range 58.65.238.0/23 is the Bay Area, in a datacenter in San Francisco at Paul Avenue.
• Control and monitoring server -> FasterServers, Chicago, IL (FastServers, Inc., 175 W. Jackson Blvd, Suite 1770); reverse host TRUMAN.DNSPATHING.COM; blacklist status clear
MPACK Details
• Created by the same group who created the WebAttacker Toolkit
• Current Version: 0.90
• They guarantee that the released version is QA‘d against AV software
• MPACK kit sells for 700 USD; if Dream Downloader is included, 1000 USD
• New exploits integrated in MPACK cost between 50-150 USD depending on the severity/spread of the vulnerability
• DreamDownloader is an automatic file downloader triggered by MPACK
• It bypasses several FW
• Disables some Antivirus
• Uses Anti-Debug techniques
• Detects Virtual Machines
• Uses several packers to
ZLOB Infection Business model
How it works
1. You send surfers to videoscash's sites/galleries/videos in any possible way.
2. Surfers try to view free videos, but it "seems like" they have no appropriate video codec installed, and they are offered to download it.
3. Once they download and install the video codec you get $0.02-$0.26 (depends on the surfer's country).
4. Twice a month You get paid via Epassporte, Wire transfer, Fethard or Webmoney with no hold!
Changing Threat Environment
More profitable
$100 billion: Estimated profits from global cybercrime
-- Chicago Tribune, 2008
More sophisticated, malicious & stealthy
“95% of 285 million records stolen in 2008, were the
result of highly skillful attacks”
“Breaches go undiscovered and uncontained for
weeks or months in 75% of cases.”
-- Verizon Breach Report, 2009
More frequent
We receive 40000 attacks per hour on a typical morning
-- Cleveland Clinic Health System @ HIMSS 2006
More targeted
"Harvard and Harvard Medical School are attacked
every 7 seconds, 24 hours a day, 7 days a week.”
-- John Halamka, CIO
PCI DSS
• Layered and coordinated protection
• Closes security gaps in virtual environments
• Layer of isolation and immunity for the protection engine from target malware
• Baseline protection provided for VM sprawl
• Lower management complexity
• Provides cloud security
What NOT to worry about
Hypervisor Attacks
• Examples: Blue Pill, SubVirt, etc.
• These are ALL theoretical, highly complex attacks
• Widely recognized by security community as being only of academic interest
Irrelevant Architectures
• Example: numerous reports claiming guest escape
• Apply only to hosted architecture (e.g. Workstation), not bare-metal (i.e. ESX)
• Hosted architecture generally suitable only when you can trust the guest VM
Contrived Scenarios
• Example: VMotion intercept
• Involved exploits where
  – Best practices around hardening, lockdown, design, for virtualization etc, not followed, or
  – Poor general IT infrastructure security is assumed
Some malware that uses anti-VMware tactics:
TROJ_CONYCSPA.M
» This Trojan may be downloaded from the Internet. It may also be dropped by another malware.
» Contains an anti-debugging technique to check if the system runs on the virtual platform VMWARE. It does the said routine by checking for a file related to VMware. If it is running in the said virtual platform, it does not proceed with its malicious routines.
» It exports functions that enable it to send spammed email messages using its own Simple Mail Transfer Protocol (SMTP) engine.
Some malware that uses anti-VMware tactics:
PE_CORELINK.C-O
• This file infector checks if the infected system is running on VMware or on a virtual machine environment. It does its checking by comparing the reply on a port. If the reply returns "VMXh", it adjusts its privileges so that it shuts down the affected system.
• Propagates via network shares and removable drives
• Downloads TROJ_ALMANAHE.V
• Upon execution, it decrypts the embedded rootkit files NVMINI.SYS and CDRALW.SYS, detected by Trend Micro as TROJ_AGENT.THK.
Some malware that uses anti-VMware tactics:
TROJ_KAKKEYS.S
• Gathers the contact list from the Windows Messenger and Windows Address Book (WAB), as well as the contents of certain .TXT files located in the Winny installation folder.
• It sends the stolen information to the 2CH.NET Bulletin Boards by posting a message to the said boards.
• Terminates itself if VMWARE is installed. It does the said routine by checking the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
Other related VE entries:
Grayware (5)
• CRCK_VMWARE.B
• CRCK_VMWARE.C
• TSPY_GOLDUN.CD
• TSPY_KAKKEYS.AE
• TSPY_KAKKEYS.AK
Other related VE entries
Malware (30)
• BKDR_HAXDOOR.DE
• BKDR_HAXDOOR.FR
• BKDR_HAXDOOR.IV
• BKDR_HAXDOOR.JH
• BKDR_SDBOT.LP
• JS_RESETTABLE.A
• PE_CORELINK.C-O
• TROJ_AGENT.BRS
• TROJ_CONYCSPA.M
• TROJ_DLOADER.CPI
• TROJ_KAKKEYS.P
» TROJ_KAKKEYS.S
» TROJ_KAKKEYS.V
» TROJ_LDPINCH.DX
» TROJ_VMKILLER.B
» TROJ_VMWARE.A
» WORM_AGOBOT.CW
» WORM_ARIVER.A
» WORM_IRCBOT.AW
» WORM_IXBOT.A
» WORM_NUWAR.AOP
» WORM_RBOT.ENZ
» WORM_SDBOT.CDL
» WORM_SDBOT.CKI
» WORM_SDBOT.CMH
WTC Stats
Figure 4. Infection count on VMWARE Malware Family
• The infection count on the VMWare malware family increased from last year’s 1234 to 1304.
Are there any Hypervisor Attack Vectors?
There are currently no known hypervisor attack vectors to date that have led to “VM Escape”
• Architectural Vulnerability
  – Designed specifically with Isolation in Mind
• Software Vulnerability - Possible like with any code written by humans
  – Mitigating Circumstances:
    – Small Code Footprint of Hypervisor (~32MB) is Easier to Audit
    – If a software vulnerability is found, exploit difficulty will be very high
    – Purpose Built for Virtualization Only
    – Non-interactive environment
    – Less Code for Hackers to Leverage
Ultimately Depends on VMware Security Response and Patching
Concern: Virtualizing the DMZ / Mixing Trust Zones
Three Primary Configurations:
• Physical Separation of Trust Zones
• Virtual Separation of Trust Zone with Physical Security Devices
• Fully collapsing all servers and security devices into a VI3 infrastructure
Also Applies to PCI Requirements 2.2.1, 1.1.x, 6.3.2, and 6.3.3
Questions?
• “How do you secure a virtualized environment”
• “How do you virtualize all of the security infrastructure in
an organization”
• “What do you call something that inspects memory
inside of VM and inspects traffic and correlates the
results? We don’t really have a definition for that today,
because it was impossible, so we never considered it.”
How do we secure our Virtual Infrastructure?
Use the Principles of Information Security
– Hardening and Lockdown
– Defense in Depth
– Authorization, Authentication, and Accounting
– Separation of Duties and Least Privileges
– Administrative Controls
Securing Virtual Machines
Provide Same Protection as for Physical Servers
• Host
  – Anti-Virus
  – Patch Management
• Network
  – Intrusion Detection/Prevention (IDS/IPS)
  – Firewalls
Secure Design for Virtualization Layer
Fundamental Design Principles
• Isolate all management networks
• Disable all unneeded services
• Tightly regulate all administrative access
Enforce Strong Access Controls
(Diagram: users Joe, Harry and Anne mapped to the Administrator, Operator and User roles)
Security Principle: Implementation in VI
Least Privileges: Roles with only required privileges
Separation of Duties: Roles applied only to required objects
Maintain Tight Administrative Controls
Requirement: Example Products
Configuration management, monitoring, auditing: Tripwire Enterprise for VMware ESX; NetIQ Secure Configuration Manager; Configuresoft ECM for Virtualization
Track and Manage VM: VMware Lifecycle Manager; VMware Stage Manager
Updating of offline VMs: VMware Update Manager; Trend Micro Big Fix (ESP)
Virtual network security: Third Brigade – Trend Micro
Diverse and growing ecosystem of products to help provide secure VMware Infrastructure
Overview – Trend Micro Solution
• Datacenter trends
• Securing VMs
– Traditional approach
– Problems
• VMsafe
• The Trend Micro approach
– Architecture
– Trend Micro Deep Security
– Trend Micro Core Protection for VMs
Trends in the Datacenter
(Diagram: three stages)
Physical: Servers under pressure
Virtualized: Servers virtual and in motion
Cloud: Servers in the open
Securing Virtual Servers the Traditional Way
(Diagram: ESX Server hosting several VMs, each running an OS, an App and an in-guest AV agent, with a network IDS / IPS in front of the host)
• Anti-virus: Local, agent-based protection in the VM
• IDS / IPS: Network-based device or software solution
VMs Need Specialized Protection
Same threats in virtualized servers as physical.
+
New challenges:
1. Dormant VMs
2. Resource contention
3. VM Sprawl
4. Inter-VM traffic
5. vMotion
Problem 1: Dormant VMs are unprotected
(Diagram: ESX Server with active and dormant VMs, each with an OS, an App and an AV agent)
Dormant VMs include VM templates and backups:
• Cannot run scan agents yet still can get infected
• Stale AV signatures
Problem 2: Full System Scans
(Diagram: a typical AV console triggering a 3:00am scan in every VM on the ESX Server)
Resource Contention with Full System Scans
• Existing AV solutions are not VM aware
• Simultaneous full AV scans on same host cause severe performance degradation
• No isolation between malware and anti-malware
Problem 3: VM Sprawl
(Diagram: dormant, active and new VMs on the ESX Server)
Managing VM Sprawl
• Security weaknesses replicate quickly
• Security provisioning creates bottlenecks
• Lack of visibility into, or integration with, virtualization console increases management complexity
Problem 4: Inter-VM Traffic
(Diagram: dormant and active VMs connected through vSwitches inside the host, with the network IDS / IPS outside it)
Inter-VM traffic
• NIDS / NIPS blind to intra-VM traffic
• First-generation security VMs require intrusive vSwitch changes
Problem 5: VM Mobility
(Diagram: VMs moving between hosts via vMotion, each host with its own vSwitch, with the network IDS / IPS outside)
vMotion & vCloud:
• Reconfiguration required: cumbersome
• VMs of different sensitivities on same server
• VMs in public clouds (IaaS) are unprotected
Introducing VMsafe
(Diagram: a Security VM providing Firewall, IDS / IPS, Anti-Virus and Integrity Monitoring to the other VMs on the ESX Server through the VMsafe APIs)
– Protect the VM by inspection of virtual components
– Unprecedented security for the app & data inside the VM
– Complete integration with, and awareness of, vMotion, Storage VMotion, HA, etc.
VMsafe™ APIs
CPU/Memory Inspection
• Inspection of specific memory pages
• Knowledge of the CPU state
• Policy enforcement through resource allocation
Networking
• View all IO traffic on the host
• Intercept, view, modify and replicate IO traffic
• Provide inline or passive protection
Storage
• Mount and read virtual disks (VMDK)
• Inspect IO read/writes to the storage devices
• Transparent to device & inline with ESX Storage stack
The Trend Micro Approach
(Diagram: Security VM with Firewall, IDS / IPS, Anti-Malware, Integrity Monitoring and Log Inspection, attached to the ESX Server through the VMsafe APIs and protecting both active and dormant VMs)
Comprehensive, coordinated protection for all VMs
• Local, agent-based protection in the VM
• Security VM that secures VMs from the outside
• Multiple protection capabilities
• Integrates with VMware vCenter and VMsafe
1: Intrusion Defense VM - TM Deep Security
(Diagram: an Intrusion Defense VM attached to each host through the VMsafe APIs)
• Intrusion Defense provides IDS/IPS & firewall protection
• Integrates VMsafe-NET APIs (firewall & IDS/IPS)
• Enforces security policy
• Newly emerging VMs are automatically protected
2: Anti-Malware Scanning VM - TM Core Protection for VMs
(Diagram: scanning VMs attached to each host through the VMsafe APIs)
• Anti-malware scanning for target VMs from outside
• Integrates VMsafe VDDK APIs to mount VM disk files
• Full scans of dormant & active VMs from scanning VM
• Immunizes the protection agent from disruptive activities
How It Works: Stopping Conficker
(Diagram: Security VM with Firewall, IDS / IPS, Anti-Malware, Integrity Monitoring and Log Inspection on the ESX Server, alongside dormant, active and infected VMs)
• Firewall: Limits VMs accessing a VM with vulnerable service
• IDS/IPS: Prevent MS08-067 exploits
• Anti-Malware: Detects and cleans Conficker
• Integrity Monitoring: Registry changes & service modifications
• Log Inspection: Brute force password attempts
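The Log Inspection step on this slide (brute force password attempts) is the kind of rule that only fires once many individually unremarkable failed-logon entries are correlated. The following is an added illustration of such a rule, not Trend Micro's code: the log line format, the threshold, the window and the sample log are all constructed for the example.

```python
"""Added example (not Trend Micro code): a minimal log-inspection rule that
correlates failed logons per source address inside a sliding time window and
raises one alert per source once a threshold is crossed, as a brute-force
detector would. Log format and sample lines are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log format: "<ISO timestamp> LOGON_FAILURE user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) LOGON_FAILURE user=(\S+) src=(\S+)$")

# Constructed sample: one host hammering many accounts in seconds, and one
# user mistyping a password every 15 minutes (should not alert).
SAMPLE_LOG = """\
2009-08-25T03:00:01 LOGON_FAILURE user=administrator src=10.0.0.7
2009-08-25T03:00:02 LOGON_FAILURE user=admin src=10.0.0.7
2009-08-25T03:00:02 LOGON_FAILURE user=root src=10.0.0.7
2009-08-25T03:00:03 LOGON_FAILURE user=guest src=10.0.0.7
2009-08-25T03:00:04 LOGON_FAILURE user=backup src=10.0.0.7
2009-08-25T03:00:05 LOGON_FAILURE user=test src=10.0.0.7
2009-08-25T03:14:00 LOGON_FAILURE user=jdoe src=10.0.0.22
2009-08-25T03:29:00 LOGON_FAILURE user=jdoe src=10.0.0.22
2009-08-25T03:44:00 LOGON_FAILURE user=jdoe src=10.0.0.22
"""


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return a list of (src_ip, first_seen, sorted distinct users) alerts.

    An alert fires the first time a source accumulates `threshold` failures
    inside `window`; the source is then suppressed so that a long attack
    produces one alert rather than one per additional attempt."""
    seen = defaultdict(deque)   # src -> deque of (timestamp, user) in window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # events this rule does not cover are ignored
        ts = datetime.fromisoformat(m.group(1))
        user, src = m.group(2), m.group(3)
        q = seen[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()         # slide the window forward
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, q[0][0], sorted({u for _, u in q})))
    return alerts


if __name__ == "__main__":
    for src, first, users in detect_bruteforce(SAMPLE_LOG):
        print(f"brute force from {src} starting {first}: accounts {users}")
```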
Benefits of Coordinated approach
• Layered and coordinated protection
• Closes security gaps in virtual environments
• Layer of isolation and immunity for the protection engine from target malware
• Baseline protection provided for VM sprawl
• Lower management complexity
• Provides cloud security
Available from Trend
TODAY
• Trend Micro Core Protection for VMs
  – Anti-malware protection for VMware virtual environments
• Trend Micro Deep Security 6
  – Firewall, IDS/IPS, Integrity Monitoring & Log Inspection
  – Runs in VMs with vCenter integration
OCT 2009
• Trend Micro Deep Security 7
  – Virtual Appliance complements agent-based protection
Trend Micro Deep Security Modules
Firewall
• Centralized management of server firewall policy
• Pre-defined templates for common enterprise server types
• Fine-grained filtering: IP & MAC addresses, Ports
• Coverage of all IP-based protocols: TCP, UDP, ICMP, IGMP …
Deep Packet Inspection
Examines incoming & outgoing traffic for:
• Protocol deviations
• Content that signals an attack
• Policy violations.
Enables IDS / IPS, Web App Protection, Application Control, Virtual Patching
Integrity Monitoring
• Monitors critical files, systems and registry for changes
• Critical OS and application files (files, directories, registry keys and values)
• Flexible, practical monitoring through includes/excludes
• Auditable reports
Log Inspection
• Collects & analyzes operating system and application logs for security events.
• Rules optimize the identification of important security events buried in multiple log entries.
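As an added illustration of the Integrity Monitoring module's includes/excludes and change reporting (not Trend Micro code; the snapshot, paths, patterns and contents are constructed for the example), the following takes a hash baseline of the monitored entries and reports what was added, removed or modified in a later snapshot. Files and registry values are modelled the same way, as path-to-bytes entries.

```python
"""Added example (not Trend Micro code): baseline-and-compare integrity
monitoring over a constructed in-memory snapshot, with include/exclude
patterns selecting what is monitored. Registry values are modelled as
paths, as the module treats keys and values like files."""
import fnmatch
import hashlib

# Constructed "filesystem": path -> content. Nothing here is a real system.
BASELINE_SNAPSHOT = {
    "C:/Windows/System32/svchost.exe": b"svchost-v1",
    "C:/Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost",
    "C:/Windows/Temp/scratch.tmp": b"junk",
    "HKLM/SYSTEM/CurrentControlSet/Services/wscsvc/Start": b"2",
}
CURRENT_SNAPSHOT = {
    "C:/Windows/System32/svchost.exe": b"svchost-v1",                 # unchanged
    "C:/Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n198.51.100.9 update.example",
    "C:/Windows/Temp/scratch.tmp": b"other junk",                     # excluded: noise
    "HKLM/SYSTEM/CurrentControlSet/Services/wscsvc/Start": b"4",      # service start value changed
    "C:/Windows/System32/newsvc.dll": b"dropped",                     # new file
}

# Constructed include/exclude rules, in the spirit of the module's includes/excludes.
INCLUDES = ["C:/Windows/System32/*", "HKLM/SYSTEM/CurrentControlSet/Services/*"]
EXCLUDES = ["C:/Windows/Temp/*", "*.log"]


def monitored(path, includes=INCLUDES, excludes=EXCLUDES):
    """A path is monitored when it matches an include and no exclude."""
    if any(fnmatch.fnmatch(path, pat) for pat in excludes):
        return False
    return any(fnmatch.fnmatch(path, pat) for pat in includes)


def take_baseline(snapshot, includes=INCLUDES, excludes=EXCLUDES):
    """Hash every monitored entry; only digests are kept, never contents."""
    return {path: hashlib.sha256(content).hexdigest()
            for path, content in snapshot.items()
            if monitored(path, includes, excludes)}


def compare(baseline, snapshot, includes=INCLUDES, excludes=EXCLUDES):
    """Report added, removed and modified monitored entries versus the baseline."""
    current = take_baseline(snapshot, includes, excludes)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
    }


if __name__ == "__main__":
    report = compare(take_baseline(BASELINE_SNAPSHOT), CURRENT_SNAPSHOT)
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind}: {p}")
```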
Deep Security: Platforms protected
(Slide annotation: Integrity Monitoring & Log Inspection modules)
Windows:
• Windows 2000
• Windows XP, 2003 (32 & 64 bit)
• Vista (32 & 64 bit)
• Windows Server 2008 (32 & 64 bit)
• HyperV (Guest VM)
Solaris:
• 8, 9, 10 on SPARC
• 10 on x86 (64 bit)
• Solaris 10 partitions
Linux:
• Red Hat 3
• Red Hat 4, 5 (32 & 64 bit)
• SuSE 9, 10
VMware:
• VMware ESX Server (Guest VM)
• Virtual Center integration
Other platforms:
• XenServer Guest VM
• HP-UX 11i v2
• AIX 5.3
Trend Micro Core Protection for Virtual Machines
More Protection
• First virtualization-aware anti-malware product in the market
• Secures dormant and active VMs efficiently
• New VMs auto-scanned on creation and auto-assigned to a
scanning VM
• Supports VI3 and vSphere 4 (needs vCenter)
Less Complexity
• Flexible Management: Through standalone web console, as a plugin to Trend Micro OfficeScan or through VMware vCenter
• Flexible Configuration: Can be configured with multiple scanning VMs on any ESX/ESXi (or physical) server
• Flexible Deployment: CPVM can be set up to co-exist with OSCE or competitive products if necessary (not ideal*)
CPVM System Requirements
References
– Security Design of the VMware Infrastructure 3 Architecture
(http://www.vmware.com/resources/techresources/727)
– VMware Infrastructure 3 Security Hardening
(http://www.vmware.com/vmtn/resources/726)
– Managing VMware VirtualCenter Roles and Permissions
(http://www.vmware.com/resources/techresources/826)
– DISA STIG and Checklist for VMware ESX
(http://iase.disa.mil/stigs/stig/esx_server_stig_v1r1_final.pdf)
(http://iase.disa.mil/stigs/checklist/esx_server_checklist_v1r1_30_apr_2008.pdf)
– CIS (Center for Internet Security) Benchmark
(http://www.cisecurity.org/bench_vm.html)
– Xtravirt Virtualization Security Risk Assessment
(http://www.xtravirt.com/index.php?option=com_remository&Itemid=75&func=fileinfo&id=15)
Other Sources:
TNL article on Virtualization:
http://tnl.trendmicro.com.ph/tnl_articles.php?id=242&action=view
Related blog entries:
http://blog.trendmicro.com/vmware-bug-provides-escape-hatch/
http://blog.trendmicro.com/rootkits-get-more-physical/
Always remember
It‘s not important how hard you work;
it is important how smart you work!
Thank You
[email protected]
+44 7979 993377