416 Days Allan Stojanovic University of Toronto #include disclaimer.h

Post on 26-Dec-2015


Page 1: 416 Days Allan Stojanovic University of Toronto #include disclaimer.h

416 Days

Allan Stojanovic
University of Toronto
#include disclaimer.h

Page 2

About Me

- 4 years at the University of Toronto
  - Near the core networking group
- Before that, the banks
- Before that, health care
- Before that, transportation
- Before that, auditing
- Before that, government
- Before that, dot-coms
- But maybe not quite in that order

Page 3

The Environment

- ~350,000 public IPv4 addresses
  - And we are running out
- ~400 departments
  - Still not sure how accurate
- ~422,000 accounts in our (new) AD
  - More that are not centralized
- Every Make, Every Model, Every Vintage

Page 4

Open Institution

- Our network is mostly open
  - Sometimes when it shouldn't be
- Our network encompasses research
  - Some abnormal traffic is normal
- Short lived servers
  - Research stations set up for a semester
- Long lived services
  - The 30 year old vulnerability

Page 5

Agenda

- Classes of Attack
- Attacker Skills
- Attacker Kill Chain
- Disrupting the Kill Chain
- Emerging Trends
- What takes 416 days?

This is about TACTICAL DEFENCE. No silver bullets.

Page 6

Classes of Attack

“I'd love to install smoke detectors, but I'm too busy fighting fires.”

Page 7

Two Attack Classes

Targeted
- Spear Phishing
- Waterhole Attack
- Dumpster diving
- Resume Intel
- Etc.

Opportunistic
- Generic Phishing
- Brute force attacks
- Drive-By
- Automated web exploits
- Etc.

Page 8

Notes on Attack Classes

- Targeted
  - takes more effort on the attacker side
  - has a better return on investment
  - requires more skill
  - takes longer to execute
- Opportunistic
  - can be automated
  - relies upon statistics
  - basic security hygiene can mitigate it

Page 9

Attacker Skills

“ ... more like Advanced Persistent Failure to Patch.”

Page 10

Attacker Skills

- Attacker skills are on a bell curve too
- The Bar is the level of skill needed to succeed
- The Bar is set by the number and/or quality of security mechanisms in place

Page 11

Attacker Kill Chain

“What's an acceptable number of compromised accounts?”

Page 12

The Kill Chain

- Lockheed's Chain
- RSA's Chain
- HP's Attack LifeCycle
- SecureWorks Chain

Page 13

Can we disrupt this chain?

Page 14

Identify the Event

- Was it targeted or opportunistic?
- What level of skill is required?
  - High, Medium, Low?
- Where in the chain does the event fall?

Take your best guess.

Page 15

Prioritize the Event

- Targeted events get priority over opportunistic events
- Higher skill attackers get priority over lower skilled attackers
- Events later in the chain get priority over events earlier in the chain

This is EXTREMELY simplistic, but if you have nothing else, it is a start.

Page 16

Example 1

Page 17

Identify: Example 1

- This is an opportunistic attack
  - There is nothing indicating that UofT was directly targeted. They sent it to the wrong address
- This does not require a high level of skills
  - Creation of the payload may require skills the first time, but after that it is automated
- This is the delivery phase of the chain
  - Recon is usually complete by the time a mass mailing is sent

Page 18

Example 2

Page 19

Identify: Example 2

- This is a targeted attack
  - utornto.ca must have been consciously chosen
- This does not require a high level of skills
  - If we are only considering the DNS registration.
- This is the action phase of the chain
  - Only because it is being used to provide advertising to people that typo our domain name

Page 20

Example 3

Page 21

Identify: Example 3

- This is an opportunistic attack
  - Automated mass defacement of a well known vuln
- This is a medium level of skill
  - After the vuln is published, the rest is easy, but some skill is needed to automate.
- This is the installation phase of the chain
  - If the defacement is the goal, then this is the action phase. The existence of C2 could confirm this.

Page 22

Caveats

- Keep it loose and simple
  - Change the finding as you find out more
- Targeted vs opportunistic may flip-flop
- Determining intent will help determine where in the chain the attack falls
  - Misdirection, deception, and followup attacks
- Determining the phase of the kill chain is difficult because the attacks never end

Page 23

Disrupting the Kill Chain

“If people would stop getting breached for a moment, I might be able to get some work done.”

Page 24

Disrupting the Kill Chain

- Try and stop the attacker, not just the attack
  - The earlier in the chain the better
- Traditional security measures have their place
  - But most stop the attack, not the attacker
- Need better techniques to cover each phase of the chain and each class of attack

Page 25

Optional: Homework

Columns: Phase | Opportunistic Attacks | Targeted Attacks | Mitigation

- Reconnaissance: Event #1, Event #2, Event #3
- Weaponization: (no event)
- Delivery: Event #4
- Exploitation: Event #7, Event #8
- Installation: (no event)
- Control: Event #5
- Actions: Event #6

Gaps. Gaps as far as the eye can see.

Page 26

Some of My Tools and Techniques

- To fill the gaps
- To provide early detection
- To identify the attackers
- To stop the attacks while gathering intelligence on the attackers
- To disrupt the attackers' operations

Page 27

Trial By Firewall

- Firewalls log access attempts to denied ports
- Constant attempts to contact non-exposed services (3389, 22, 23, 902)
- Constant attempts to contact non-existent IP addresses
- Some of the attempts can be legit (80, 5353)

Page 28

Trial By Firewall Actions

- If it is a destination port 80 or 443, ignore it, or white-list the “good” search engines.
- If it tried to access a port on the IP of a critical server, deny all access including what is usually allowed
  - At least deny all access to target IP from source IP
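The triage the two Trial By Firewall slides describe, written out as an added example (not the speaker's tooling): it takes the white-list variant for ports 80/443, so web-port probes from a listed crawler are ignored and every other probe gets at least a source-to-target deny, escalating to a full deny when a critical server was touched. The log layout, the documentation-range addresses, the critical-server list and the crawler white-list are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of firewall DENY records: "<src_ip> <dst_ip> <dst_port>"
DENY_LOG = """\
203.0.113.5 198.51.100.10 3389
203.0.113.5 198.51.100.11 22
203.0.113.5 198.51.100.99 23
203.0.113.9 198.51.100.20 80
203.0.113.9 198.51.100.99 80
198.51.100.7 198.51.100.11 902
203.0.113.44 198.51.100.20 443
"""

NON_EXPOSED_PORTS = {3389, 22, 23, 902}  # never meant to be reachable (from the slide)
WEB_PORTS = {80, 443}                    # crawlers hit dead hosts here all day
ALWAYS_IGNORE = {5353}                   # mDNS noise (from the slide)
CRITICAL_SERVERS = {"198.51.100.10"}     # assumption: a probe here escalates the response
GOOD_CRAWLERS = {"203.0.113.9"}          # assumption: white-listed "good" search engines

def parse_denies(text):
    """Yield (src_ip, dst_ip, dst_port) from the constructed deny log."""
    for line in text.splitlines():
        src, dst, port = line.split()
        yield src, dst, int(port)

def triage(text):
    """Per probing source: deny_all if it touched a critical server, otherwise the
    (src, dst) pairs to deny. Web-port hits from white-listed crawlers are skipped."""
    verdict = defaultdict(lambda: {"deny_all": False, "deny_pairs": set()})
    for src, dst, port in parse_denies(text):
        if port in ALWAYS_IGNORE or (port in WEB_PORTS and src in GOOD_CRAWLERS):
            continue
        if port not in NON_EXPOSED_PORTS | WEB_PORTS:
            continue                              # other denied ports: out of scope here
        v = verdict[src]
        if dst in CRITICAL_SERVERS:
            v["deny_all"] = True                  # block the source everywhere
        v["deny_pairs"].add((src, dst))           # at minimum, deny this src -> dst pair
    return dict(verdict)

def deny_rules(verdict):
    """Render verdicts as generic 'deny <src> -> <dst|any>' strings for the border device."""
    rules = []
    for src, v in sorted(verdict.items()):
        if v["deny_all"]:
            rules.append(f"deny {src} -> any")
        else:
            rules.extend(f"deny {src} -> {dst}" for _, dst in sorted(v["deny_pairs"]))
    return rules
```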

Page 29

Dr. BadTouch

Unadvertised ports listening on unadvertised IP addresses should never be touched

- Similar to Trial By Firewall
- Dedicate an IP address and listen for critical port connections
- Only action full handshakes
  - Aka Honeyport without the interaction
  - Remember “artillery”?

Page 30

Dr. BadTouch Actions

- Don't bother with 80/443 unless internal only.
- DO NOT put a DNS entry for this IP.
- Deny access to all critical servers, or the entire network
- Rotate to a new IP semi-regularly (but unpredictably)
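A minimal Dr. BadTouch listener, added here as an example and not the speaker's tool: it completes the TCP handshake, records the peer and hangs up without sending a byte, so only full connections are recorded (SYN-only scans and spoofed sources never reach accept()). The loopback bind address and port 0 are assumptions for local testing; in use it would bind the dedicated, un-DNS'd IP from the slide on the critical ports.

```python
import socket
import threading
import time

def open_honeyport(bind_ip, port):
    """Listen on a dedicated, unadvertised address; port 0 picks a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_ip, port))
    srv.listen(64)
    srv.settimeout(0.2)                  # so serve() can poll the stop flag
    return srv

def serve(srv, hits, stop):
    """Accept-and-drop loop: accept() only returns after a completed handshake."""
    dst_port = srv.getsockname()[1]
    while not stop.is_set():
        try:
            conn, (peer_ip, _) = srv.accept()
        except socket.timeout:
            continue
        hits.append({"src_ip": peer_ip, "dst_port": dst_port, "ts": time.time()})
        conn.close()                     # no banner, no read: nothing to fingerprint
    srv.close()

def run_honeyport(bind_ip, port, hits):
    """Start the listener in a daemon thread; return (bound_port, stop_event)."""
    srv = open_honeyport(bind_ip, port)
    stop = threading.Event()
    threading.Thread(target=serve, args=(srv, hits, stop), daemon=True).start()
    return srv.getsockname()[1], stop

def touch(ip, port):                     # stand-in for a scanner: handshake, then hang up
    with socket.create_connection((ip, port), timeout=2):
        pass

def wait_for_hits(hits, count, timeout=5.0):   # poll until `count` hits or timeout
    deadline = time.time() + timeout
    while len(hits) < count and time.time() < deadline:
        time.sleep(0.02)
    return len(hits) >= count

if __name__ == "__main__":
    hits = []
    port, stop = run_honeyport("127.0.0.1", 0, hits)
    touch("127.0.0.1", port)
    wait_for_hits(hits, 1)
    stop.set()
    print(hits)                          # each src_ip is a candidate for the deny list
```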

Page 31

Blatant 404

- Web servers log access attempts to nonexistent files
- Because this: GET /main.php?pg=../../../../../../../../../../../etc/passwd%00 deserves action even if 404.
- Canned scanners try everything
  - Directory busting and hunting somewhat common
  - Specific vulnerability searches (PHPMyAdmin anyone?)

Page 32

Blatant 404 Actions

- White-list and ignore your Vuln Scanner
- Deny on specific type of items or general threshold from all services
  - Indexed links can cause lots of false positives
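The Blatant 404 logic from the two slides above, as an added example (not the speaker's code): single requests carrying traversal, a NUL byte or a PHPMyAdmin probe are flagged on their own, everything else only on a per-source threshold, and the organisation's own vulnerability scanner is white-listed. The access-log layout, the threshold and the scanner address are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed access-log sample: "<src_ip> <method> <path> <status>"
ACCESS_LOG = """\
203.0.113.7 GET /main.php?pg=../../../../../../../../../../../etc/passwd%00 404
203.0.113.7 GET /phpmyadmin/ 404
203.0.113.7 GET /pma/ 404
203.0.113.7 GET /admin/ 404
203.0.113.7 GET /backup.zip 404
198.51.100.50 GET /old-brochure.pdf 404
198.51.100.50 GET /courses/2013/ 404
10.0.0.5 GET /phpmyadmin/ 404
"""

OUR_SCANNER = {"10.0.0.5"}   # assumption: our own vuln scanner, white-listed
THRESHOLD = 5                # distinct missing paths before the generic flag fires
BLATANT = [                  # single requests that warrant action on their own
    (re.compile(r"(\.\./){2,}"), "traversal"),
    (re.compile(r"\x00"), "null_byte"),
    (re.compile(r"/(phpmyadmin|pma)/", re.I), "phpmyadmin_probe"),
]

def parse(text):
    """Yield (src_ip, method, decoded_path, status); decoding turns %00 into NUL."""
    for line in text.splitlines():
        src, method, path, status = line.split()
        yield src, method, unquote(path), int(status)

def flag_404s(text):
    """Return {src_ip: set_of_reasons} for sources whose 404s deserve action.
    A couple of stale indexed links stay below THRESHOLD and are not flagged."""
    reasons = defaultdict(set)
    missing = defaultdict(set)
    for src, _, path, status in parse(text):
        if status != 404 or src in OUR_SCANNER:
            continue
        missing[src].add(path)
        for pattern, label in BLATANT:
            if pattern.search(path):
                reasons[src].add(label)
    for src, paths in missing.items():
        if len(paths) >= THRESHOLD:
            reasons[src].add("threshold")
    return dict(reasons)
```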

Page 33

Impossible Multi-Auth

- Authentication servers log the source of the authentication
- Flag accounts with logins from multiple countries in a short period of time
  - Windows / AD / RDG are a bit problematic
  - Needs a reasonable GEOIP database
  - Be careful with how you implement the time-frame
- Requires accurate contact lists

Page 34

Impossible Multi-Auth Actions

- Automatically open a ticket for flagged IDs
- Contact the user out-of-band
  - If you have tight Identity Mgmt and password recovery, reset the account
  - Can be anchored to known local auth (like door keycard)
- Tell them to change OTHER passwords too.
- Respect the privacy of the user

Page 35

Questionable Single Sources

- Authentication servers log the source of the authentication
- Flag IP addresses that log in with multiple accounts in a short period of time (like minutes)
  - Watch for NAT sources, proxies and TOR
  - Be careful with how you implement the time-frame
- Requires accurate contact lists

Page 36

Questionable Single Source Actions

- Investigate the IP. What else did they do?
- If the IP has been malicious, reset all the accounts used from there
- Block the IP address
- Tell them to change OTHER passwords too.
- Respect the privacy of the user
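Both authentication-log checks, Impossible Multi-Auth and Questionable Single Sources, in one added example (not the speaker's code). The time-frame caveat from both slides is handled with a sliding window over sorted events rather than fixed clock buckets, and the NAT/proxy caveat with an exclusion set. The log layout, the prefix-based GEOIP table standing in for a real GeoIP database, and the NAT list are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth-server records: "<ISO time> <user> <src_ip> <result>"
AUTH_LOG = """\
2015-11-02T09:00:00 alice 192.0.2.10 OK
2015-11-02T09:40:00 alice 203.0.113.50 OK
2015-11-02T10:00:00 bob 192.0.2.10 OK
2015-11-02T10:01:00 carol 198.51.100.9 OK
2015-11-02T10:02:00 dave 198.51.100.9 OK
2015-11-02T10:03:00 erin 198.51.100.9 OK
"""
GEOIP = {"192.0.2.": "CA", "203.0.113.": "RU", "198.51.100.": "US"}  # assumption: toy GeoIP
KNOWN_NAT = set()   # assumption: campus NAT pools, proxies and TOR exits go here

def country(ip):
    return next((cc for prefix, cc in GEOIP.items() if ip.startswith(prefix)), "??")

def parse(text):
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        if result == "OK":                         # both checks look at successful logins
            yield datetime.fromisoformat(ts), user, ip

def impossible_multi_auth(text, window=timedelta(hours=2)):
    """Accounts whose consecutive logins came from two countries within `window`."""
    by_user = defaultdict(list)
    for ts, user, ip in parse(text):
        by_user[user].append((ts, country(ip)))
    flagged = set()
    for user, events in by_user.items():
        events.sort()
        for (t0, c0), (t1, c1) in zip(events, events[1:]):
            if c0 != c1 and t1 - t0 <= window:
                flagged.add(user)
    return flagged

def questionable_single_sources(text, min_accounts=3, window=timedelta(minutes=10)):
    """IPs that used >= min_accounts distinct accounts within `window`, NATs excluded."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse(text):
        if ip not in KNOWN_NAT:
            by_ip[ip].append((ts, user))
    flagged = set()
    for ip, events in by_ip.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            if len({u for t, u in events[i:] if t - t0 <= window}) >= min_accounts:
                flagged.add(ip)
    return flagged
```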

Page 37

Phake-Phishing

- Authentication servers log the source of failed logins too.
- Provide fake credentials, see where they come back
- Flag IP addresses that attempt to authenticate with the fake credentials.
  - Flag for common responses like “scam” and “bullsh*t” as well
- If you are a large org, this recipe has a limited lifespan

Page 38

Phake-Phishing Actions

- All successful logins from that IP are suspect; investigate or just reset all passwords.
- Deny the IP address
- Tell them to change OTHER passwords too
- Respect the privacy of the user
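The Phake-Phishing recipe and its actions as an added example (not the speaker's code): any source that tries a canary account or one of the telltale "reply" usernames is flagged, and every account that then logged in successfully from that source is queued for a reset. The canary usernames, the telltale list, the log layout and the addresses are constructed assumptions.

```python
# Constructed canary accounts that exist only to be "given away" in phishing replies
CANARY_USERS = {"p.fake1", "p.fake2"}
# The slide notes users also reply with words like these; attackers replay them as usernames
TELLTALE_USERS = {"scam", "bullshit", "bullsh*t"}

# Constructed auth-server records, failures included: "<ISO time> <user> <src_ip> <result>"
AUTH_LOG = """\
2015-11-03T02:10:00 p.fake1 203.0.113.77 FAIL
2015-11-03T02:10:30 gwen 203.0.113.77 OK
2015-11-03T02:11:00 hank 203.0.113.77 OK
2015-11-03T02:12:00 scam 203.0.113.78 FAIL
2015-11-03T08:00:00 gwen 192.0.2.40 OK
2015-11-03T08:30:00 ivan 192.0.2.41 FAIL
"""

def parse(text):
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        yield ts, user, ip, result

def phishing_sources(text):
    """IPs that tried a canary or telltale username: they are replaying harvested replies."""
    return {ip for _, user, ip, _ in parse(text)
            if user in CANARY_USERS or user.lower() in TELLTALE_USERS}

def suspect_accounts(text, bad_ips):
    """Accounts that logged in successfully from a flagged IP: reset these (slide action)."""
    return {user for _, user, ip, result in parse(text) if ip in bad_ips and result == "OK"}

if __name__ == "__main__":
    bad = phishing_sources(AUTH_LOG)
    print("deny:", sorted(bad))
    print("reset:", sorted(suspect_accounts(AUTH_LOG, bad)))
```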

Page 39

Emerging Trends

“Not sure if back-door or legit security tool.”

Page 40

Assume Breached

If you assume that you are already breached, what do you do to find out?

- Look for Indicators of Compromise (IoC)
- Examine incidents
- Determine threat
- Mitigate risks “on the fly”

Does not preclude Security Hygiene. Patches, Antivirus, Firewalls, etc.

Page 41

Threat Intelligence

- It is about sharing IoCs
- You can build your own
- You can buy a service
- Best of all, do both

Do what you can, with what you got, where you are.

Page 42

Threat Intelligence Services

- HP Threat Central
- IBM X-Force Exchange
- eSentire
- Cymon.io
- Arbor Atlas
- Recorded Future
- REN-ISAC

Never forget that the bad guys are faster and better organized than us.

Page 43

What takes 416 days?

“... more like core incompetencies ...”

Page 44

WhiteHat Statistics Report

- 416 days – Mean Time to Fix – 2012
- 342 days – Mean Time to Fix – 2013

Ummm … where did the rest of the stats go?

Page 45

Verizon Data Breach Investigations Report 2014

Page 46

Questions?

Page 47

Thank You

Email: allan.stojanovic(at)utoronto.ca
Twitter: @allansto