416 Days
Allan Stojanovic, University of Toronto
#include disclaimer.h
About Me
4 years at the University of Toronto
Near the core networking group
Before that, the banks
Before that, health care
Before that, transportation
Before that, auditing
Before that, government
Before that, dot-coms
But maybe not quite in that order
The Environment
~ 350,000 public IPv4 addresses
And we are running out
~ 400 departments
Still not sure how accurate that is
~ 422,000 accounts in our (new) AD
More accounts that are not centralized
Every Make, Every Model, Every Vintage
Open Institution
Our network is mostly open
Sometimes when it shouldn't be
Our network encompasses research
Some abnormal traffic is normal
Short-lived servers
Research stations set up for a semester
Long-lived services
The 30 year old vulnerability
Agenda
Classes of Attack
Attacker Skills
Attacker Kill Chain
Disrupting the Kill Chain
Emerging Trends
What takes 416 days?
This is about TACTICAL DEFENCE. No silver bullets.
Classes of Attack
“I'd love to install smoke detectors, but I'm too busy fighting fires.”
Two Attack Classes
Targeted
Spear Phishing
Waterhole Attack
Dumpster diving
Resume Intel
Etc.
Opportunistic
Generic Phishing
Brute force attacks
Drive-By
Automated web exploits
Etc.
Notes on Attack Classes
Targeted
takes more effort on the attacker side
has a better return on investment
requires more skill
takes longer to execute
Opportunistic
can be automated
relies upon statistics
basic security hygiene can mitigate it
Attacker Skills
“ ... more like Advanced Persistent Failure to Patch.”
Attacker Skills
Attacker skills are on a bell curve too
The Bar is the level of skill needed to succeed
The Bar is set by the number and/or quality of security mechanisms in place
Attacker Kill Chain
“What's an acceptable number of compromised accounts?”
Lockheed's Chain
RSA's Chain
HP's Attack LifeCycle
SecureWorks Chain
The Kill Chain
Can we disrupt this chain?
Identify the Event
Was it targeted or opportunistic?
What level of skill is required? High, Medium, Low?
Where in the chain does the event fall?
Take your best guess.
Prioritize the Event
Targeted events get priority over opportunistic events
Higher skill attackers get priority over lower skilled attackers
Events later in the chain get priority over events earlier in the chain
This is EXTREMELY simplistic, but if you have nothing else, it is a start.
Example 1
Identify: Example 1
This is an opportunistic attack
There is nothing indicating that UofT was directly targeted; they sent it to the wrong address
This does not require a high level of skill
Creation of the payload may require skill the first time, but after that it is automated
This is the delivery phase of the chain
Recon is usually complete by the time a mass mailing is sent
Example 2
Identify: Example 2
This is a targeted attack
utornto.ca must have been consciously chosen
This does not require a high level of skill
If we are only considering the DNS registration
This is the action phase of the chain
Only because it is being used to serve advertising to people who typo our domain name
Example 3
Identify: Example 3
This is an opportunistic attack
Automated mass defacement of a well-known vuln
This is a medium level of skill
After the vuln is published, the rest is easy, but some skill is needed to automate
This is the installation phase of the chain
If the defacement is the goal, then this is the action phase. The existence of C2 could confirm this.
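The Identify and Prioritize steps above, run over the deck's three worked examples, as an added example (not the speaker's own tooling). The priority is a plain lexicographic rule: targeted before opportunistic, higher skill before lower, later kill-chain phase before earlier. Anything that is still a "best guess" (no classification yet) sorts to the bottom, and re-running the sort after a finding changes is how "change the finding as you find out more" plays out. The phase names follow the Lockheed Martin chain; the event dicts are constructed from Examples 1 to 3.

```python
"""Kill-chain triage per the "Prioritize the Event" slide.  Added example;
the phase list, skill levels and sample events are assumptions built from
the deck's Examples 1-3, not the speaker's code."""

# Kill-chain order (Lockheed Martin): later phases rank higher.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "control", "actions"]
SKILL = {"low": 0, "medium": 1, "high": 2}


def triage_key(event):
    """Sort key: a larger tuple means a more urgent event.
    Unknown values ("take your best guess") get the lowest value so an
    unclassified event never jumps the queue on a missing field."""
    targeted = 1 if event.get("targeted") else 0
    skill = SKILL.get(str(event.get("skill", "")).lower(), -1)
    phase = PHASES.index(event["phase"]) if event.get("phase") in PHASES else -1
    return (targeted, skill, phase)


def prioritize(events):
    """Most urgent first; Python's sort is stable even with reverse=True,
    so events with identical keys keep their arrival order."""
    return sorted(events, key=triage_key, reverse=True)


# Constructed from the three worked examples in the deck, plus one
# alert nobody has classified yet.
EXAMPLES = [
    {"name": "ex1 mass phishing mail", "targeted": False, "skill": "low", "phase": "delivery"},
    {"name": "ex2 typo-squat utornto.ca", "targeted": True, "skill": "low", "phase": "actions"},
    {"name": "ex3 mass defacement", "targeted": False, "skill": "medium", "phase": "installation"},
    {"name": "unclassified alert", "targeted": None, "skill": "?", "phase": None},
]

if __name__ == "__main__":
    for e in prioritize(EXAMPLES):
        print(triage_key(e), e["name"])
    # Example 3 re-read as "defacement is the goal" moves to the actions phase:
    print(triage_key(dict(EXAMPLES[2], phase="actions")), "ex3 reclassified")
```

The typo-squat (targeted, action phase) outranks the defacement even though the defacement needed more skill, which is exactly what the three rules say; whether that is the order you want is the point of the "EXTREMELY simplistic" caveat.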
Caveats
Keep it loose and simple
Change the finding as you find out more
Targeted vs opportunistic may flip-flop
Determining intent will help determine where in the chain the attack falls
Misdirection, deception, and follow-up attacks
Determining the phase of the kill chain is difficult because the attacks never end
Disrupting the Kill Chain
“If people would stop getting breached for a moment,
I might be able to get some work done.”
Disrupting the Kill Chain
Try and stop the attacker, not just the attack
The earlier in the chain the better
Traditional security measures have their place
But most stop the attack, not the attacker
Need better techniques to cover each phase of the chain and each class of attack
Optional: Homework
(table columns: Phase, Opportunistic Attacks, Targeted Attacks, Mitigation)
Reconnaissance: Event #1, Event #2, Event #3
Weaponization:
Delivery: Event #4
Exploitation: Event #7, Event #8
Installation:
Control: Event #5
Actions: Event #6
Gaps. Gaps as far as the eye can see.
Some of My Tools and Techniques
To fill the gaps
To provide early detection
To identify the attackers
To stop the attacks while gathering intelligence on the attackers
To disrupt the attackers' operations
Trial By Firewall
Firewalls log access attempts to denied ports
Constant attempts to contact non-exposed services (3389, 22, 23, 902)
Constant attempts to contact non-existent IP addresses
Some of the attempts can be legit (80, 5353)
Trial By Firewall Actions
If it is a destination port 80 or 443, ignore it, or white-list the “good” search engines.
If it tried to access a port on the IP of a critical server, deny all access including what is usually allowed
At least deny all access to target IP from source IP
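The Trial By Firewall recipe as detection logic over firewall deny logs, added here as an example (not the speaker's script). The log lines are constructed in an iptables-style LOG format; the critical-server list, the live-host list and the "noisy" ports are assumptions. A hit on 80, 443 or 5353 is ignored, a hit on a critical server gets the source denied everywhere, and any other denied probe gets the source/destination pair denied.

```python
"""Trial By Firewall: fold denied-connection log lines into block decisions.
Added example, not the speaker's tooling.  Log format and addresses are
constructed for the example; environment lists below are assumptions."""
import re

# Fields we need from an iptables-style LOG line; ".*?" skips LEN/TOS/TTL/ID
# fields that a real kernel log puts between DST= and PROTO=.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?")

CRITICAL_SERVERS = {"192.0.2.10"}   # assumed: never probed legitimately
NOISY_PORTS = {80, 443, 5353}       # stray hits here are usually benign (crawlers, mDNS)


def parse_drop(line):
    """Return the fields of a DROP line, or None for accepts / unparsable lines."""
    m = LINE_RE.search(line)
    if not m or "DROP" not in line:
        return None
    ev = m.groupdict()
    ev["dpt"] = int(ev["dpt"]) if ev["dpt"] else None   # ICMP etc. carry no port
    return ev


def decide(ev):
    """('deny_all', src), ('deny_pair', src, dst) or None, per the action slide."""
    if ev["dpt"] in NOISY_PORTS:
        return None                                  # ignore, or allow-list good crawlers
    if ev["dst"] in CRITICAL_SERVERS:
        return ("deny_all", ev["src"])               # touched a critical server
    if ev["dpt"] is None:
        return None                                  # portless probe: too little signal alone
    return ("deny_pair", ev["src"], ev["dst"])       # at least deny src -> that target


def trial_by_firewall(lines):
    """Block list: src -> {'*'} (deny everywhere) or the set of dst IPs to deny.
    A deny_all subsumes any pair rules already collected for that source."""
    blocks = {}
    for line in lines:
        ev = parse_drop(line)
        verdict = decide(ev) if ev else None
        if verdict is None:
            continue
        targets = blocks.setdefault(verdict[1], set())
        if verdict[0] == "deny_all":
            targets.clear()
            targets.add("*")
        elif "*" not in targets:
            targets.add(verdict[2])
    return blocks


# Constructed sample log: one scanner walking RDP/SSH/ESXi ports and finally
# a critical server, two benign strays (80 and mDNS), one telnet probe, one accept.
SAMPLE_LOG = [
    "Mar  1 02:11:04 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.20 PROTO=TCP SPT=51000 DPT=3389",
    "Mar  1 02:11:05 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.99 PROTO=TCP SPT=51001 DPT=22",
    "Mar  1 02:11:06 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=902",
    "Mar  1 02:12:00 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=40000 DPT=80",
    "Mar  1 02:12:30 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.20 PROTO=UDP SPT=5353 DPT=5353",
    "Mar  1 02:13:00 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.20 PROTO=TCP SPT=33000 DPT=23",
    "Mar  1 02:13:10 fw kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.20 PROTO=TCP SPT=33001 DPT=443",
]

if __name__ == "__main__":
    for src, targets in trial_by_firewall(SAMPLE_LOG).items():
        print(src, "->", sorted(targets))
```

Feeding the block list back into the firewall is left to whatever API that firewall has; the part worth keeping is the order of the checks, since a port-80 hit on a critical server should still be ignored rather than triggering a deny-all on a search engine.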
Dr. BadTouch
Unadvertised ports listening on unadvertised IP addresses should never be touched
Similar to Trial By Firewall
Dedicate an IP address and listen for critical port connections
Only action full handshakes
Aka Honeyport without the interaction
Remember “artillery”?
Dr. BadTouch Actions
Don't bother with 80/443 unless internal only
DO NOT put a DNS entry for this IP
Deny access to all critical servers, or the entire network
Rotate to a new IP semi-regularly (but unpredictably)
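A minimal Dr. BadTouch listener, added as an example; it is not the speaker's tool and not Binary Defense's "artillery". The critical-port list and the block-list callback are assumptions. The security-relevant detail is "only action full handshakes": `accept()` returns only after the three-way handshake completes, so a SYN scan with a spoofed source never shows up here and nobody can get a third party blocked by forging packets at the honeyport. The demo binds to 127.0.0.1 on a free port so it runs anywhere; a deployment would bind the dedicated, un-DNS'd address on each critical port.

```python
"""Dr. BadTouch: honeyport that records sources completing a TCP handshake.
Added example; port list and block-list sink are assumptions."""
import socket
import threading

CRITICAL_PORTS = (22, 23, 3389, 902)   # assumed: never advertised on this address


def open_honeyport(host="127.0.0.1", port=0):
    """Bind a listening socket on the unadvertised address.  port=0 lets the OS
    pick a free port for the demo; production binds each CRITICAL_PORT."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(8)
    return s


def serve_once(listener, on_touch):
    """Accept one completed handshake, report the source, close without
    sending a byte (no banner, no interaction).  Returns the source IP."""
    conn, (src_ip, _src_port) = listener.accept()   # only returns after SYN/SYN-ACK/ACK
    conn.close()
    on_touch(src_ip, listener.getsockname()[1])
    return src_ip


class BlockList:
    """Sink for the action slide: deny the source everywhere, not just here.
    A real sink would push the IP to the firewall or border ACL."""
    def __init__(self):
        self.denied = set()
        self._lock = threading.Lock()

    def __call__(self, src_ip, dport):
        with self._lock:
            self.denied.add(src_ip)


def demo_touch():
    """Self-contained run: serve one accept in a thread, touch it from a local
    client, return the resulting block list."""
    listener = open_honeyport()
    blocks = BlockList()
    worker = threading.Thread(target=serve_once, args=(listener, blocks))
    worker.start()
    client = socket.create_connection(listener.getsockname(), timeout=5)
    client.close()
    worker.join(5)
    listener.close()
    return blocks.denied


if __name__ == "__main__":
    print("denied:", demo_touch())
```

Rotating the address "semi-regularly (but unpredictably)" is just re-running `open_honeyport` on a different unused IP; the thing not to do is put the old one back into service as a real host while its blocks are still in force.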
Blatant 404
Web servers log access attempts to nonexistent files
Because this: GET /main.php?pg=../../../../../../../../../../../etc/passwd%00 deserves action even if it is a 404.
Canned scanners try everything
Directory busting and hunting are somewhat common
Specific vulnerability searches (PHPMyAdmin anyone?)
Blatant 404 Actions
White-list and ignore your Vuln Scanner
Deny on specific types of items or on a general threshold, from all services
Indexed links can cause lots of false positives
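The Blatant 404 recipe over web access logs, added as an example (not the speaker's script). Two signals are kept apart on purpose: a request that is blatant on its face (traversal, a null byte, /etc/passwd, a phpMyAdmin hunt) is flagged regardless of status code, while plain 404s only count against a per-source threshold so that one stale indexed link does not get a visitor blocked. The access log lines are constructed in Apache combined format; the scanner allow-list IP and the threshold are assumptions.

```python
"""Blatant 404: flag sources by request content and by 404 volume.
Added example; log lines are constructed, allow-list and threshold assumed."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache combined log: client, ident, user, [time], "METHOD PATH PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

VULN_SCANNER_ALLOWLIST = {"192.0.2.50"}        # assumed: our own scanner, ignore it
NOT_FOUND_THRESHOLD = 5                         # assumed: 404s per source before action
# Matched against the URL-decoded path so %2e%2e/ and %00 are seen for what they are.
BLATANT_PATTERNS = [re.compile(p, re.I) for p in (
    r"\.\./", r"\x00", r"/etc/passwd", r"phpmyadmin")]


def parse_access(line):
    """Fields of one access-log line with the path URL-decoded, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = unquote(rec["path"])
    return rec


def blatant_404(lines):
    """src -> set of reasons.  'blatant-request' fires on content alone;
    '404-threshold' fires on volume (directory busting)."""
    verdicts = defaultdict(set)
    not_found = Counter()
    for line in lines:
        rec = parse_access(line)
        if not rec or rec["src"] in VULN_SCANNER_ALLOWLIST:
            continue
        if any(p.search(rec["path"]) for p in BLATANT_PATTERNS):
            verdicts[rec["src"]].add("blatant-request")   # deserves action even on 404
        if rec["status"] == 404:
            not_found[rec["src"]] += 1
            if not_found[rec["src"]] >= NOT_FOUND_THRESHOLD:
                verdicts[rec["src"]].add("404-threshold")
    return dict(verdicts)


def _line(src, path, status):
    """Helper to build a constructed combined-format line."""
    return (f'{src} - - [01/Mar/2015:02:11:04 +0000] "GET {path} HTTP/1.1" '
            f'{status} 209 "-" "Mozilla/5.0"')


# Constructed sample: the slide's traversal request, a directory buster,
# our own scanner, and one visitor following a stale indexed link.
SAMPLE_ACCESS = [
    _line("203.0.113.5", "/main.php?pg=../../../../../../../../../../../etc/passwd%00", 404),
    _line("198.51.100.7", "/admin/", 404),
    _line("198.51.100.7", "/backup/", 404),
    _line("198.51.100.7", "/old/", 404),
    _line("198.51.100.7", "/test/", 404),
    _line("198.51.100.7", "/phpmyadmin/", 404),
    _line("192.0.2.50", "/phpmyadmin/", 404),
    _line("198.51.100.8", "/docs/old-link", 404),
]

if __name__ == "__main__":
    for src, why in blatant_404(SAMPLE_ACCESS).items():
        print(src, sorted(why))
```

The decode-before-match step matters: a WAF-style rule on the raw request line misses `%2e%2e%2f`, and a rule that only looks at 404s misses the same traversal when it lands on a page that exists and returns 200.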
Impossible Multi-Auth
Authentication servers log the source of the authentication
Flag accounts with logins from multiple countries in a short period of time
Windows / AD / RDG are a bit problematic
Needs a reasonable GeoIP database
Be careful with how you implement the time-frame
Requires accurate contact lists
Impossible Multi-Auth Actions
Automatically open a ticket for flagged IDs
Contact the user out-of-band
If you have tight Identity Mgmt and password recovery, reset the account
Can be anchored to known local auth (like door keycard)
Tell them to change OTHER passwords too
Respect the privacy of the user
Questionable Single Sources
Authentication servers log the source of the authentication
Flag IP addresses that log in with multiple accounts in a short period of time (like minutes)
Watch for NAT sources, proxies and Tor
Be careful with how you implement the time-frame
Requires accurate contact lists
Questionable Single Source Actions
Investigate the IP. What else did they do?
If the IP has been malicious, reset all the accounts used from there
Block the IP address
Tell them to change OTHER passwords too
Respect the privacy of the user
Phake-Phishing
Authentication servers log the source of failed logins too.
Provide fake credentials, see where they come back
Flag IP addresses that attempt to authenticate with the fake credentials.
Flag for common responses like “scam”, and “bullsh*t” as well
If you are a large org, this recipe has a limited lifespan
Phake-Phishing Actions
All successful logins from that IP are suspect; investigate or just reset all passwords
Deny the IP address
Tell them to change OTHER passwords too
Respect the privacy of the user
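The three authentication-log recipes above (Impossible Multi-Auth, Questionable Single Sources and Phake-Phishing) share one parser, so here they are together as a single added example; it is not the speaker's code. The log format is constructed, the prefix-to-country dict is a stand-in for a real GeoIP database (the slide says a reasonable one is needed; MaxMind's GeoLite2 is the usual choice), and the NAT/proxy list and seeded fake username are assumptions. Both time-based checks use a sliding window, which is the "be careful with the time-frame" point: fixed clock buckets let a 23:59 login and a 00:01 login land in different hours and never meet.

```python
"""Impossible Multi-Auth, Questionable Single Source and Phake-Phishing over
one constructed auth log.  Added example; GEO, NAT list and bait user assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$")

GEO = {"203.0.113.": "CA", "198.51.100.": "RO", "192.0.2.": "CA"}   # stand-in GeoIP (assumed)
KNOWN_NAT_OR_PROXY = {"192.0.2.1"}     # assumed: campus NAT egress, many users per IP
FAKE_CREDENTIALS = {"jdoe2015"}        # assumed: seeded in a phishing reply, never a real user


def country(ip):
    """Prefix lookup standing in for a GeoIP database query."""
    return next((cc for prefix, cc in GEO.items() if ip.startswith(prefix)), "??")


def parse_auth(lines):
    """Parsed events in time order (sorted so out-of-order log delivery
    does not break the sliding windows)."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def impossible_multi_auth(events, window=timedelta(hours=1)):
    """user -> countries seen, for accounts that log in successfully from
    two or more countries within `window` of each other (sliding window)."""
    flagged, recent = {}, defaultdict(list)
    for e in events:
        if e["result"] != "ok":
            continue
        hist = recent[e["user"]]
        hist.append((e["ts"], country(e["src"])))
        hist[:] = [(t, c) for t, c in hist if e["ts"] - t <= window]
        countries = {c for _, c in hist}
        if len(countries) > 1:
            flagged[e["user"]] = countries
    return flagged


def questionable_single_source(events, window=timedelta(minutes=10), min_accounts=3):
    """src -> accounts, for IPs that log in to several different accounts
    within minutes; known NAT/proxy egress is excluded rather than flagged."""
    flagged, recent = {}, defaultdict(list)
    for e in events:
        if e["result"] != "ok" or e["src"] in KNOWN_NAT_OR_PROXY:
            continue
        hist = recent[e["src"]]
        hist.append((e["ts"], e["user"]))
        hist[:] = [(t, u) for t, u in hist if e["ts"] - t <= window]
        users = {u for _, u in hist}
        if len(users) >= min_accounts:
            flagged[e["src"]] = users
    return flagged


def phake_phishing(events, fake=FAKE_CREDENTIALS):
    """(phisher IPs, accounts to reset): a failed login with a seeded bait
    credential identifies the IP; every successful login from it is suspect."""
    bad_ips = {e["src"] for e in events if e["result"] == "fail" and e["user"] in fake}
    suspect = {e["user"] for e in events if e["result"] == "ok" and e["src"] in bad_ips}
    return bad_ips, suspect


# Constructed sample log (all addresses from documentation ranges).
SAMPLE_AUTH = [
    "2015-03-01T08:00:00Z login user=alice src=203.0.113.5 result=ok",      # CA
    "2015-03-01T08:20:00Z login user=alice src=198.51.100.7 result=ok",     # RO, 20 min later
    "2015-03-01T08:21:00Z login user=bob src=198.51.100.7 result=ok",
    "2015-03-01T08:22:00Z login user=carol src=198.51.100.7 result=ok",     # 3 accounts in 2 min
    "2015-03-01T08:30:00Z login user=dave src=192.0.2.1 result=ok",
    "2015-03-01T08:31:00Z login user=erin src=192.0.2.1 result=ok",
    "2015-03-01T08:32:00Z login user=frank src=192.0.2.1 result=ok",        # campus NAT: ignored
    "2015-03-01T09:00:00Z login user=jdoe2015 src=198.51.100.9 result=fail", # bait credential used
    "2015-03-01T09:05:00Z login user=grace src=198.51.100.9 result=ok",     # suspect, reset
    "2015-03-01T10:30:00Z login user=alice src=203.0.113.5 result=ok",      # back in CA, outside window
]

if __name__ == "__main__":
    evs = parse_auth(SAMPLE_AUTH)
    print("impossible:", impossible_multi_auth(evs))
    print("single-source:", questionable_single_source(evs))
    print("phake:", phake_phishing(evs))
```

The Phake-Phishing hit is the one with no false-positive problem: nobody types a username that never existed unless they got it from the bait, which is why the slide says the successful logins from that IP can simply be reset rather than investigated one by one.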
Emerging Trends
“Not sure if back-door or legit security tool.”
Assume Breached
If you assume that you are already breached, what do you do to find out?
Look for Indicators of Compromise (IoC)
Examine incidents
Determine threat
Mitigate risks “on the fly”
Does not preclude Security Hygiene: patches, antivirus, firewalls, etc.
Threat Intelligence
It is about sharing IoCs
You can build your own
You can buy a service
Best of all, do both
Do what you can, with what you got, where you are.
Threat Intelligence Services
HP Threat Central
IBM X-Force Exchange
eSentire
Cymon.io
Arbor Atlas
Recorded Future
REN-ISAC
Never forget that the bad guys are faster and better organized than us.
What takes 416 days?
“... more like core incompetencies ...”
Whitehats Statistics Report
416 days – Mean Time to Fix – 2012
342 days – Mean Time to Fix – 2013
Ummm … where did the rest of the stats go?
Verizon Data Breach Investigations Report 2014
Questions?
Thank You
Email: allan.stojanovic(at)utoronto.ca Twitter: @allansto