Targeted Network Attacks

Mike Cotton
Digital Defense Incorporated
Presenter Background
Mike Cotton, CISSP
• Principal Vulnerability Research
• 8 Years of Computer Security Experience
• BS Computer Science (Trinity University)
• Authored network auditing software which has scanned millions of computers for vulnerabilities.
Who is Digital Defense (DDI)?
• We deliver a comprehensive portfolio of risk management
services
– information security programs
– regulatory compliance solutions
– security testing of IT products
– security education offerings
• We use proprietary Software as a Service (SaaS) technology
and industry best practices to deliver this broad array of
services
• Our clients range from small financial institutions to global
Fortune enterprises
• Visit our web site at www.ddifrontline.com or contact us at
888.273.1412
© 2010 Digital Defense, Inc. | All rights reserved
Background Information
TARGETED ATTACKS
Current State of Information Security
• Companies have made substantial investments
in network security technology.
• IT Audit practices have matured and helped
lock down networks against most common
attacks.
• This has improved detection and eradication
of typical internet based malware threats.
• Has generally not improved the situation
where a company is specifically targeted.
– Maybe even made companies a bit more
complacent
What Are Targeted Attacks?
• Different from random internet attacks.
– Trojans / Spyware / Computer Worms etc.
– The sorts of things IT departments see every
week
• Share a common set of characteristics
– Focus exclusively on a specific organization
– Typically preceded by heavy reconnaissance
– Often use payloads specifically tailored for the
target
– Often leverage social engineering
– Not interested in traditional monetization
schemes
Some recent examples:
• There has recently been a raft of successful high-profile targeted network attacks:
– Aurora network penetration against Google
– Stuxnet attack against Iran's nuclear facilities (widely reported at the time as aimed at the Bushehr reactor)
– US CENTCOM computers compromised
– Canadian government secrets stolen by attacks originating in China
– Anonymous attacks security company HBGary
The HBGary Incident
• In January 2011 the CEO of HBGary
Federal, a DC-based network security
firm declares his intention to ‘unmask’
the leaders of ‘Anonymous’, an
internet ‘hacktivist’ group which had
recently engaged in a series of internet
attacks in support of Wikileaks.
• February 2011:
– Anonymous decides to retaliate.
Attacks Begin
• Anonymous scouts HBGary's internet facing
systems.
• Determines one of the systems is vulnerable to
SQL-Injection attack, proceeds to use this to
hack into it, cracks the passwords.
• Uses newly acquired usernames and passwords
to break into other company systems and
obtain more sets of credentials.
• Attempts all acquired credentials against
HBGary's main corporate email account
(hosted on Google Apps) and obtains
Administrator access.
Attacks Continue
• Anonymous now has access to every email
anyone at HBGary has ever written or received
at work.
• Downloads entire corporate email archive.
• Leverages the compromised email accounts to
socially engineer access to additional systems
that have thus far resisted attacks.
– Target: www.rootkit.com, a popular security website run by HBGary co-founder Greg Hoglund.
Leveraging Email Accounts:
Leveraging Email Ctd.
HBGary Aftermath
• Anonymous posts entire HBGary corporate email archive
on Bit-Torrent for anyone to download.
– This includes sensitive correspondence with top secret
agencies.
• Defaces then shuts down HBGary websites and servers.
• Publishes username and passwords of anyone who has
ever registered with affiliated websites (rootkit.com)
• Rebuffs pleadings by HBGary CEO Penny Leavy (on IRC) to
halt the attacks.
• Publishes details of attacks which result in multiple
writeups in:
– New York Times, Wall Street Journal, Washington Post, etc.
Working your way through the network
ATTACK METHODS
Gaining a Foothold on the Network
• Most popular methods:
– Email attachment: PDF,DOC,XLS,PPT
combined with a bit of social engineering.
– Malicious Web Page / Web Browser Attacks
• Get someone at the company to click a URL.
• Social Media Offers Another Delivery Vector.
• Click threshold is very low compared to an attachment.
– Exposed Internet Facing Systems
• Company's Webservers.
• Routers and Switches.
Email Attachments
• Booby-trapped PDF is probably still the
most popular method:
– target clicks on pdf attachment
– backdoor is installed on computer
– outbound http-ssl uplink established to
server on internet
– attacker can travel back down this uplink
to access internal network.
Targeted Social Engineering
• Some goals the attacker has:
– Email message has to be enticing enough
to get target to open the attachment.
– Once opened the target should quickly
lose interest and close document.
– Ideally the email will spark no further
communication
• Important Company Announcement!!!
• Bob Jones has been promoted to associate manager for the tri-state area.
Social Engineering Ctd.
• Company Restructuring Announcement
/ Layoff Notice
– 100% click-through rate.
– 0% chance of evading detection.
• Summary of proposed procedures to
comply with new Sarbanes Oxley
regulations.
– 0% click-through rate.
– 100% chance of evading detection.
Common Network Defenses
• Antivirus: Could locate payload within
crafted PDF and flag file as malicious.
• Intelligent Firewalls: May alert network
administrators to unusual outbound
network traffic.
• Intrusion Prevention Systems: could
block attacks before they reach the
destination.
• Email server configuration may not allow
certain attachment formats.
Bypassing Antivirus
• Well-established ways to bypass these systems
– Primary detection mechanism remains signatures
– Unable to handle complex malware encodings
– Variety of standard programs called ‘packers’ do
this.
• Polypack is the current favorite (Michigan)
• Test payload against the AV systems the target
is known to run:
• Job Postings will often leak this info.
• Resumes from former employees.
• Vendors bragging about premier clients.
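The signature-versus-encoding point above, as an added example that is not part of the original slides: a naive byte-signature scanner, a toy stand-in for a packer (XOR against a SHA-256 keystream; a real packer compresses and encrypts the body and prepends an unpacking stub), and the Shannon-entropy heuristic defenders use to flag a packed blob that no longer matches any signature. The payload, the signature string, the seed and the 6.5 bits/byte threshold are all constructed for the demonstration; none comes from the deck or from any real product.

```python
"""Why byte signatures miss a packed payload, and one heuristic that does not.

Added example, not from the original slides. PAYLOAD is a harmless byte
string standing in for a known backdoor; SIGNATURES is what an AV engine is
assumed to have fingerprinted; ENTROPY_THRESHOLD is an assumption to tune
against real samples.
"""
import hashlib
import math

# Constructed stand-in for a known-bad file, repeated so it is file-sized.
PAYLOAD = b"calc.exe ; stand-in for a known backdoor stub, repeated to fill a file. " * 8
SIGNATURES = [b"known backdoor stub"]   # the byte pattern the engine "knows"
ENTROPY_THRESHOLD = 6.5                 # bits/byte; assumed policy value


def signature_match(blob: bytes, signatures=SIGNATURES) -> bool:
    """Naive signature engine: a hit if any known byte pattern appears verbatim."""
    return any(sig in blob for sig in signatures)


def keystream(seed: bytes, length: int) -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 in counter mode). Stands in for
    the compress-and-encrypt step of a real packer; not a cipher to rely on."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_pack(payload: bytes, seed: bytes) -> bytes:
    """Toy 'packer': XOR the payload with the keystream. No byte of the original
    survives verbatim, so every substring signature stops matching."""
    return bytes(p ^ k for p, k in zip(payload, keystream(seed, len(payload))))


xor_unpack = xor_pack  # XOR is its own inverse; a real stub does this at run time


def shannon_entropy(blob: bytes) -> float:
    """Bits of entropy per byte, 0.0..8.0. Text and ordinary machine code sit
    well below 6; compressed or encrypted bodies sit near 8."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scan(blob: bytes) -> dict:
    """Both verdicts side by side: the signature engine and the entropy heuristic."""
    h = shannon_entropy(blob)
    return {
        "signature_hit": signature_match(blob),
        "entropy_bits_per_byte": round(h, 2),
        "high_entropy": h > ENTROPY_THRESHOLD,
    }


if __name__ == "__main__":
    packed = xor_pack(PAYLOAD, b"demo-seed")
    print("original:", scan(PAYLOAD))  # signature hit, low entropy
    print("packed:  ", scan(packed))   # no signature hit, high entropy
    assert xor_unpack(packed, b"demo-seed") == PAYLOAD
```

The entropy check is a heuristic, not a verdict: compressed archives and media files also score high, and a packer can pad its output with low-entropy filler to stay under the threshold. That is why engines that go beyond pure signatures also emulate the unpacking stub and scan the decoded image in memory, and why the deck's advice to test the payload against the target's specific AV product matters to the attacker.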
Race to Zero Contest
Antivirus Vendors Response
Evading Intrusion Detection Systems
• Just make outbound traffic look like
normal web traffic
• Outbound HTTP-SSL traffic unlikely to
generate any alarms
• Some rootkits will attempt to only send
outbound traffic at the same time that
a user is browsing.
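Two checks for the outbound HTTPS "uplink" described in the Email Attachments slide and in the evasion slide above, as an added example that is not part of the original deck: (1) beacon detection, which flags one host contacting one destination at near-constant intervals even though each connection is an ordinary TLS CONNECT, and (2) destination rarity, which flags external hosts that only a single internal machine ever talks to and so still catches an implant that waits for the user to browse before it phones home. The proxy log lines, their "timestamp src dst:port method bytes" layout, the addresses (RFC 5737 documentation ranges) and the thresholds are all constructed for the example.

```python
"""Spotting a backdoor's outbound HTTPS uplink in web-proxy logs.

Added example, not from the original slides. The log format, addresses and
thresholds are constructed; adapt parse_log() to your proxy's real format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: 10.0.0.5 beacons to 203.0.113.10 every 60 s;
# 10.0.0.9 carries an implant that only talks to 198.51.100.7 right after
# the user browses; www.example.com is normal traffic from several hosts.
SAMPLE_LOG = """\
2011-02-07T09:00:00 10.0.0.5 203.0.113.10:443 CONNECT 412
2011-02-07T09:00:04 10.0.0.5 www.example.com:443 CONNECT 18422
2011-02-07T09:00:31 10.0.0.5 www.example.com:443 CONNECT 2201
2011-02-07T09:01:00 10.0.0.5 203.0.113.10:443 CONNECT 410
2011-02-07T09:01:45 10.0.0.7 www.example.com:443 CONNECT 9340
2011-02-07T09:02:00 10.0.0.5 203.0.113.10:443 CONNECT 415
2011-02-07T09:02:10 10.0.0.9 www.example.com:443 CONNECT 7710
2011-02-07T09:02:12 10.0.0.9 198.51.100.7:443 CONNECT 1290
2011-02-07T09:03:00 10.0.0.5 203.0.113.10:443 CONNECT 409
2011-02-07T09:04:00 10.0.0.5 203.0.113.10:443 CONNECT 413
2011-02-07T09:05:00 10.0.0.5 203.0.113.10:443 CONNECT 411
2011-02-07T09:06:00 10.0.0.5 203.0.113.10:443 CONNECT 414
2011-02-07T09:11:37 10.0.0.9 www.example.com:443 CONNECT 30100
2011-02-07T09:11:39 10.0.0.9 198.51.100.7:443 CONNECT 1305
2011-02-07T09:12:02 10.0.0.7 www.example.com:443 CONNECT 5100
2011-02-07T09:40:20 10.0.0.9 www.example.com:443 CONNECT 2800
2011-02-07T09:40:21 10.0.0.9 198.51.100.7:443 CONNECT 1288
"""


def parse_log(text: str):
    """Return [(timestamp, src, dst_host)] from 'ts src dst:port method bytes' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _method, _nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst.rsplit(":", 1)[0]))
    return events


def find_beacons(events, min_hits=5, max_cv=0.2):
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant.
    cv = stddev/mean of the gaps: 0.0 is a perfect timer, above max_cv is
    treated as human browsing. Implants add jitter, so keep max_cv tunable."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            flagged[pair] = {"count": len(times), "mean_interval_s": avg, "cv": round(cv, 3)}
    return flagged


def find_rare_destinations(events, min_hits=2):
    """Flag external hosts contacted by exactly one internal machine. Timing
    says nothing about an implant that piggybacks on real browsing, but its
    command server is still usually unique to the victim."""
    sources = defaultdict(set)
    hits = defaultdict(int)
    for _ts, src, dst in events:
        sources[dst].add(src)
        hits[dst] += 1
    return {dst: next(iter(srcs)) for dst, srcs in sources.items()
            if len(srcs) == 1 and hits[dst] >= min_hits}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("beacons:", find_beacons(ev))
    print("single-host destinations:", find_rare_destinations(ev))
```

On the sample, the timer-driven uplink from 10.0.0.5 is caught by periodicity alone, while the implant on 10.0.0.9 that only talks while the user browses is invisible to that check and is only surfaced because nothing else in the organization ever contacts its destination. Both heuristics produce false positives on real networks (software update checks beacon; one-person SaaS subscriptions are single-host destinations), so they are triage leads, not verdicts.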
Evasion as a Rootkit Selling Point
Banned Attachments / Formats
• Very Rarely A Problem
– Companies don’t like to do anything that
will impact normal operations so PDF,DOC
etc. should always sail through just fine.
– Some companies will ban their employees
from using MS Office in any form, but it's
exceptionally rare.
• Often have the option of throwing an
.EXE into a ZIP file w/ a DOC icon /
description.
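A gateway-side check for the ".EXE in a ZIP with a DOC icon" trick above, as an added example that is not part of the original slides: it classifies each attachment by its leading magic bytes rather than its name, flags PE content wherever it appears, flags document-plus-executable double extensions, reports an extension that disagrees with the content, and descends into ZIP archives (which covers .docx/.xlsx/.pptx, since those are ZIPs). The sample archive, the extension lists and the expected-content table are constructed policy choices, not any product's rules.

```python
"""Inspect an e-mail attachment by content, not by name, descending into ZIPs.

Added example, not from the original slides. The extension lists, expected
content-type table and sample archive are constructed policy choices.
"""
import io
import zipfile

# Extensions a mail gateway would refuse outright (assumed policy list).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar", ".msi"}

# Leading bytes that identify the container regardless of the file name.
MAGIC = {
    b"MZ": "pe-executable",                               # Windows PE (.exe/.dll/.scr)
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-compound",  # legacy .doc/.xls/.ppt
    b"PK\x03\x04": "zip",                                 # .zip, and also .docx/.xlsx/.pptx
}

# What each document extension is expected to contain; anything else is a mismatch.
# (Assumption: a .doc saved as RTF or plain text would also trip this rule.)
EXPECTED_KIND = {
    ".doc": {"ole-compound"}, ".xls": {"ole-compound"}, ".ppt": {"ole-compound"},
    ".docx": {"zip"}, ".xlsx": {"zip"}, ".pptx": {"zip"},
    ".pdf": {"pdf"},
}


def sniff(data: bytes) -> str:
    """Classify by magic bytes; 'unknown' for anything not in MAGIC."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_attachment(name: str, data: bytes, depth: int = 0, max_depth: int = 3):
    """Return a list of (path, reason) findings; an empty list means nothing suspicious."""
    findings = []
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)

    if kind == "pe-executable":
        findings.append((name, "PE executable content (MZ header), whatever the extension"))
    elif ext in EXEC_EXTENSIONS:
        findings.append((name, f"executable extension {ext}"))
    if len(parts) >= 3 and "." + parts[-2] in EXPECTED_KIND and ext in EXEC_EXTENSIONS:
        findings.append((name, "double extension disguises an executable as a document"))
    if ext in EXPECTED_KIND and kind not in EXPECTED_KIND[ext]:
        findings.append((name, f"extension/content mismatch: {ext} but content looks like {kind}"))

    if kind == "zip" and depth < max_depth:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = f"{name}/{info.filename}"
                    try:
                        findings.extend(inspect_attachment(member, zf.read(info), depth + 1, max_depth))
                    except RuntimeError:
                        # Password-protected members cannot be scanned; report that rather
                        # than passing them, since encryption is the next trick after renaming.
                        findings.append((member, "encrypted archive member, content not inspectable"))
        except zipfile.BadZipFile:
            findings.append((name, "ZIP magic but archive is unreadable"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed attachment: an executable with a document-style double extension
    zipped next to an innocuous text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Company_Restructuring.doc.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("readme.txt", b"Please review the attached announcement.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for path, reason in inspect_attachment("Announcement.zip", build_sample_zip()):
        print(f"{path}: {reason}")
```

The depth limit keeps nested archives from turning the scanner into a decompression bomb, and the encrypted-member branch is the caveat that matters in practice: once a gateway starts opening ZIPs, the attacker's next move is a password-protected archive with the password in the e-mail body, which the scanner must treat as a finding rather than as a clean file.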
Domain Controllers
• Domain Controller is the centralized
administration system for a Windows
network.
• Taking it over allows you access to all
client nodes (e.g. Windows XP machines)
• All client nodes can talk directly to it.
• Any client node compromise will allow
an attacker an unfirewalled path to
the domain controller.
Domain Attacks
• Typical plan:
– compromise a client machine through
browser-attack or email
– route additional attacks through this
endpoint.
– compromise the domain controller
• Attacker now effectively controls the
entire company windows network
– emails, financials, salary-lists, databases
Domain Attack [Movie]
Patch Cycles
• Reverse Engineering tools have
improved to the point that vendor
patches => attack maps
– Time to develop attacks has gone from
Weeks => Days => Hours.
– Clock often starts ticking at the time that
the patch is released to the public.
Patch => Attack
Graph of Changed Function
Authentication Bypass
SOLUTIONS
Solutions
• Realize there is no magic bullet
• Security vendors will often try to
portray their products as such.
• When was the last time you heard “Our
organization was targeted by a
sophisticated cyber attack and came
away unscathed”?
Employee Security Training
• Don’t make it just a checkbox.
• Build this into new employee orientation.
• Give concrete examples of what can
happen when these policies aren’t
followed
– Don't just say "Don't give out your password
over the phone"
– Play an audiotape of someone getting talked
into doing just that.
(Google at Defcon 18 Example)
Reduce The Attack Surface
• You can’t hack software which isn’t
installed.
• Do people really need Adobe Shockwave
Flash installed at work?
– It has an abysmal security record.
– Often times used by attackers as the browser
exploitation vector of choice.
– Just remove it unless you have a legitimate
business case (few do).
(iPhone seems to do just fine without it)
Steve Jobs: April 2010
• Flash had… “one of the worst security
records in 2009. We also know firsthand that Flash is the number one
reason Macs crash. We have been
working with Adobe to fix these
problems but they have persisted for
several years now. We don’t want to
reduce the reliability and security of
iPhones, iPods, and iPads by adding
Flash.”
Reduce Attack Surface Ctd.
• Consider doing the same with Java
support in the browser
– Java in the browser (Applets/JavaFX) is
effectively dead technology at this point.
– One of the primary mechanisms by which
web browsers get attacked
– You'll never notice the difference +
removes a massive attack surface.
Standardize Hardened
Configurations
• Standardize on modern hardened
configurations
– At this point Windows XP is maybe the easiest
OS on the planet to break into.
– At the very least move client machines to
Windows 7 or OS X
– Additionally consider Firefox or Chrome
browsers
• Non-standard configurations are harder to attack.
• Better attack sandboxing technology
Implement a Vuln Management Program
• Try to use real-world scenarios or
simulated-attacks to see how
employees react to these sorts of
situations.
• Adjust policies and procedures to deal
with any deficiencies.
• Track changes you’ve implemented to
prepare for this sort of event.
Questions?