cyber kill chain vs. cyber criminals
Post on 16-Apr-2017
Cybercrime Kill Chain vs. Effectiveness of Defense Layers
Dr. Stefan Frei & Francisco Artés @stefan_frei @franklyfranc
Trusted Advice. Measured.
THE FLIGHT TO ABU DHABI TOOK LONGER THAN TESTING IPS.
§ Professional: Research Director @ NSS Labs; Research Analyst Director @ Secunia; Senior Researcher & Pentester @ ISS X-Force
§ Contact: Email sfrei@nsslabs.com, Twitter @stefan_frei
Speaker – Dr. Stefan Frei
§ Professional: Research Director @ NSS Labs; CSO/CISO at Trace3, Deluxe Entertainment, Electronic Arts
§ Contact: Email frank@nsslabs.com, Twitter @franklyfranc
Speaker – Mr. Francisco Artés
ABSTRACT Cybercriminals persistently challenge the security of organizations through the rapid implementation of diverse attack methodologies, state-of-the-art malware, and innovative evasion techniques. In response, organizations deploy and rely on multiple layers of diverse security technologies. This talk examines the attackers' kill chain and the measured effectiveness of typical defense technologies such as Next Generation Firewalls, Intrusion Prevention Systems (IPS), Antivirus/Malware Detection, and browsers' internal protection. Empirical data on the effectiveness of security products, derived from NSS Labs' harsh real-world testing, is presented together with a live demonstration of successful evasion of malware detection. We find a considerable gap in protection levels within and across different security product groups. Using Maltego, complex correlations between undetected exploits, crimeware kits, and affected software vendors and products are demonstrated.
§ How we get attacked
§ Layered Defense
§ Results from NSS Labs' testing
§ Demonstration of Exploit vs. Layered Defense
§ Conclusion
Agenda
Attack Kill Chain – Attacker vs. Defender
[Diagram: attacker's view as the chain Prepare Attack (Method/Tools) → Detection Evasion → Target Exploitation → Value Extraction; defender's view with attack detection / prevention at the boundary between off premise and on premise, and breach detection on premise across server and desktops]
Attack Kill Chain – Understanding the Attacker
[Same kill chain diagram, with the stage discussed below highlighted]
Understand the threat and the attackers' motivation & methods
Attack Kill Chain – Understanding Evasion
[Same kill chain diagram, with the stages discussed below highlighted]
Understand how malware bypasses detection
Assess the effectiveness of layered defenses
Attack Kill Chain – If prevention failed
[Same kill chain diagram, with the breach detection stage highlighted]
Detect & neutralize
The Changing Threat Environment
[Chart: attacker motivation (Curiosity, Personal Fame, Vandalism, Theft / Personal Gain) plotted against attackers' expertise (Script Kiddy, Hobbyist Hacker, Expert, Author of Tools)]
Tools created by experts now used by less-skilled criminals, for personal gain: the fastest growing segment
§ Cybercriminals developed formidable tools: easy to use development tools, Q&A, and service level agreements, just as in every mature industry
§ Detection Evasion and Resilience: by design, malware is developed and deployed with detection evasion in mind
Malware Development & Tools
1. Create malicious tool (Development)
2. Obfuscate malware, create permutations (Evasion)
3. Test against detection engines (Q & A)
4. Deploy undetected samples (Deployment)
[Diagram: volume annotations 1 x, 10,000 x and 5,000 x along the process]
Malware Development Process
Malware offered for $249 with a Service Level Agreement and replacement warranty if the creation is detected by any anti-virus within 9 months
Underground Market
Any enterprise can become a victim of attack: at any time, for any reason, and without being specifically targeted.
Results in a high degree of attack automation, from systematic identification of targets to fully automated exploitation
Leads to an increase in opportunistic attacks, as the attacker no longer needs expertise or special skills
The Availability of Malware Tools
Automated vulnerability scanners and attack tools cannot differentiate whether you consider yourself a high-risk target or not.
How effective is the defense? How do we know?
Key Security Technologies available:
§ Network Firewall
§ Next Generation Firewall
§ Intrusion Prevention Systems (IPS)
§ Antivirus / Antimalware
§ Browser Protection
Our Response: Layered Security
We respond and rely on layered security
Layered Defense – Perimeter
[Diagram: perimeter layer (firewall and IPS) between off premise and on premise: server, desktop, laptop]
Layered Defense – Host Based
[Diagram: perimeter layer (firewall, IPS) plus host-based layer (antivirus, browser URL block) on desktop and laptop]
Layered Defense – Direct Attack
[Diagram: a direct attack from off premise against the perimeter layer (firewall, IPS)]
Layered Defense – Indirect Attack
[Diagram: direct and indirect attack paths against the perimeter (firewall, IPS) and host-based (antivirus, browser URL block) layers]
Layered Defense – Side channel Attack
[Diagram: direct, indirect and side-channel attack paths against the perimeter and host-based layers, off premise and on premise]
Or any of these:
We are doing this:
Wizard-like knowledge…
.. sadly, security testing is not that simple
Engineering Workflow ..
It's more like this –
§ Multi-million dollar research and testing facility in Austin, Texas
§ Capable of 24 x 7 testing
§ Global research network captures Internet threats, zero-days & trends live, as they arise
Where does the data come from?
To determine the security effectiveness of devices, the following metrics were used:
1. Exploit Block Performance
2. Anti Evasion Performance
3. Performance & Leakage
4. Stability & Reliability
Security Test Metrics
§ The same types of attack as used by modern cyber criminals
§ Utilizing multiple commercial, open source and proprietary tools as appropriate
§ More than 1,400 exploits, tested such that
• a reverse shell is returned, allowing the attacker to execute arbitrary commands
• a malicious payload is installed
• a system is rendered unresponsive
Metric 1 – Exploit Block Performance
§ Providing exploit protection without factoring in evasion/obfuscation is misleading
§ Additional test cases are generated for each appropriate evasion technique
• At TCP, IP, and application protocol level
• Fragmentation, Segmentation, Obfuscation, Encoding, Compression and all combinations thereof
Metric 2 – Anti Evasion Performance
§ Trade-off between security effectiveness and performance: ensure vendors don't take security shortcuts to maintain or improve performance
§ Evaluated based upon three traffic types, using hundreds of metrics such as connection rates, latency, delta in performance with different packet sizes and HTTP response sizes, stateful/connection tracking capabilities, ..
• a mix of perimeter traffic common in enterprises
• a mix of internal traffic common in enterprises
• 21KB HTTP response traffic
Metric 3 – Performance and Leakage
§ Long-term stability is particularly important for an in-line device: verify the stability of the device under test
§ Tests the ability to maintain security effectiveness under normal & malicious traffic load: products that are not able to sustain legitimate traffic (or which crash) while under hostile attack will not pass
Metric 4 – Stability & Reliability
§ Security Effectiveness combines measured cost of ownership, security protection, performance, leakage, and stability
§ Security Value Map (SVM) shows security effectiveness and value (cost per protected Mbps) of tested product configurations
§ Customizable: the SVM can be adjusted to reflect individual weights of the different factors
Security Effectiveness
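As an added illustration of how a customizable, weighted score of this kind can be built, the Python below is example code written for this transcript, not NSS Labs' scoring method. The weights, the rule that a product failing the stability test scores zero, and the formula for protected Mbps (measured throughput scaled by effectiveness) are assumptions, and the three products are constructed.

```python
"""Added example: a customizable weighted security-effectiveness score and a
cost-per-protected-Mbps value, in the spirit of the Security Value Map. The
weights, the gating rule and the formulas are assumptions for illustration,
not NSS Labs' scoring; the three products are constructed."""
from dataclasses import dataclass


@dataclass
class TestResult:
    name: str
    exploit_block_rate: float   # metric 1: fraction of exploits blocked
    evasion_block_rate: float   # metric 2: fraction of evasion variants blocked
    leakage_rate: float         # metric 3: fraction of attack traffic leaked under load
    measured_mbps: float        # metric 3: throughput with the enterprise traffic mix
    datasheet_mbps: float       # vendor-claimed throughput
    stable: bool                # metric 4: survived the stability tests
    tco_usd: float              # cost of ownership over the evaluation period


DEFAULT_WEIGHTS = {"exploit": 0.5, "evasion": 0.3, "leakage": 0.2}


def security_effectiveness(r, weights=DEFAULT_WEIGHTS):
    """Weighted score in [0, 1]. A product that crashed or dropped legitimate
    traffic under attack load fails outright, whatever its block rates."""
    if not r.stable:
        return 0.0
    total = sum(weights.values())
    score = (weights["exploit"] * r.exploit_block_rate
             + weights["evasion"] * r.evasion_block_rate
             + weights["leakage"] * (1.0 - r.leakage_rate)) / total
    return round(score, 4)


def protected_mbps(r, weights=DEFAULT_WEIGHTS):
    """Measured (not datasheet) throughput scaled by effectiveness."""
    return round(r.measured_mbps * security_effectiveness(r, weights), 1)


def cost_per_protected_mbps(r, weights=DEFAULT_WEIGHTS):
    """The value axis; None for products that failed the stability gate."""
    pm = protected_mbps(r, weights)
    return None if pm == 0 else round(r.tco_usd / pm, 2)


def datasheet_overstatement(r):
    """Ratio of claimed to measured throughput (the slides' 'grossly overstated')."""
    return round(r.datasheet_mbps / r.measured_mbps, 2)


def rank_by_value(results, weights=DEFAULT_WEIGHTS):
    """(name, cost per protected Mbps) cheapest first; failed products at the end."""
    scored = [(r.name, cost_per_protected_mbps(r, weights)) for r in results]
    passing = sorted((s for s in scored if s[1] is not None), key=lambda s: s[1])
    failed = [s for s in scored if s[1] is None]
    return passing + failed


# Constructed products: A is effective but slow, B fast but weaker, C crashed.
SAMPLE = [
    TestResult("Device A", 0.95, 0.90, 0.02, 4000, 10000, True, 120000),
    TestResult("Device B", 0.80, 0.60, 0.10, 8000, 20000, True, 90000),
    TestResult("Device C", 0.98, 0.95, 0.00, 6000, 9000, False, 150000),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.name, security_effectiveness(r), protected_mbps(r),
              cost_per_protected_mbps(r), f"datasheet x{datasheet_overstatement(r)}")
    print(rank_by_value(SAMPLE))
    # Re-weight for a shop that only cares about exploit blocking:
    print(rank_by_value(SAMPLE, {"exploit": 1.0, "evasion": 0.0, "leakage": 0.0}))
```

The gating rule is the point worth noticing: Device C has the best block rates of the three, but because it failed the stability test it ranks last, which matches the metric 4 pass criterion above.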
NSS Labs tested:
Network Firewalls, Q3/2012: 6 products
Intrusion Prevention Systems, Q3/2012: 15 products
End-point Antivirus Suites, Q4/2012: 13 products
Browsers, Q3/2012: 4 products
Next Generation Firewalls, Q4/2012: 6 products
Network Firewalls
§ Three of the six products tested crashed when subjected to our stability tests. This lack of resilience is alarming and indicates the presence of a vulnerability that could be exploited
§ Performance claims in vendor datasheets are generally grossly overstated. Performance based on RFC-2544 (UDP) does not reflect real world environments
§ Five of the six products failed the TCP Split Handshake test, allowing an attacker to reverse the flow and bypass security. Four vendors released a patch within a month
§ Longstanding, tried, and field proven technology, such as firewalls, can still fail on basic networking attacks
§ Attacks never expire – security devices must maintain protection for the complete range of attacks
§ Independent tests are valuable to identify, and have vendors remediate, shortcomings
Network Firewalls
[Chart: undetected exploits per IPS product (of 1,486 tested), y-axis 0 to 400, mean 74 exploits; products: IBM GX 7800, Juniper SRX 3600, Juniper IDP 8200, TippingPoint, Palo Alto PA 5020, SonicWall, McAfee M8000, McAfee M80000, FortiGate 3240C, Stonesoft 1302, Check Point 12600, Sourcefire 3D 8260, Sourcefire 8120, Sourcefire 8250, Sourcefire Virtual]
§ Exploit block rate varies between 77% and 98%
§ Tuning of the IPS policy makes a difference, up to 50% less protection with default policy
§ Evasion detection has improved considerably, all but one vendor tested passed
Undetected Exploits (of 1,486 tested)
Intrusion Prevention Systems IPS
Unique Exploits undetected by N Vendors' IPS (number of exploits by number of IPS vendors missing them):
N = 1: 714, N = 2: 244, N = 3: 89, N = 4: 52, N = 5: 29, N = 6: 11, N = 7: 3, N = 8: 0, N = 9: 0, N = 10: 0
Three exploits are undetected by 7 of 10 vendors' IPSs
§ Correlation of undetected exploits between vendors' products
§ Only a small set of exploits is required to successfully bypass all IPS products
§ Only one combination of different IPS products blocked all exploits
Intrusion Prevention Systems IPS
[Chart: percent undetected exploits (of 144 exploits tested) per product, x-axis 0% to 100%: Total Defense, Panda, Norman, F-Secure, Microsoft, Avira, McAfee, Trend Micro, ESET, AVG, Norton, Avast, Kaspersky]
End-Point Antivirus
§ AV products differ up to 58% in block performance
§ Many products failed to detect exploits over HTTPS that were detected over HTTP
§ Keeping AV up-to-date does not yield adequate protection; still many old exploits remain undetected
§ Browsers offer the largest attack surface in most enterprise networks
§ Browsers are the most common vector for malware installations
§ NSS Labs has continuously measured browsers' block performance since 2011
[Diagram: test setup, URL feeds delivered to browser software stacks running on VM1 to VM4]
Browser Block Performance
Suspicious URL block performance
§ Internet Explorer maintained a malware block rate of 95%
§ Firefox and Safari's block rate was just under 6%
§ Chrome's block rate varied from 13% to 74%
Percent blocked URLs: Internet Explorer 94%, Chrome 28%, Firefox 5%, Safari 5%
Browser Block Performance
Opportunity for Cybercriminals
[Diagram: opportunity = undetected exploits x # targets (prevalent & vulnerable programs) x # exploits (exploit availability in crimeware kits)]
Undetected Exploits: exploits that bypass our defense layers (IPS, NGFW, Antivirus, ..). Sadly enough, these exploits exist and are plentiful ..
Exploits for prevalent programs: exploits that hit popular programs with large market share. Exploits for popular programs are a dangerous beast ..
Proven and readily available exploits: exploits that are readily available in crimeware kits or penetration testing tools. Making them readily available for everyone with a criminal mind calls for disaster!
Failure of the security industry: security products failing to detect these exploits are hardly acceptable
Demonstration
Undetected Exploits vs. Metasploit
Correlation of exploits not detected by IPS/NGFW with exploits available in Metasploit: many publicly available and easy to use exploits bypass detection
[Maltego graph: undetected exploits linked to undetected exploits available in Metasploit]
26% of 866 Metasploit exploits are not detected by at least one IPS/NGFW
Correlation of undetected Exploits
Exploits available in crimeware kits are still undetected by IPS or NGFW engines. 43 of 117 exploits that could be attributed to crimeware kits bypassed detection of 9 of 23 detection engines
[Maltego graph: undetected exploits from crimeware kits (Eleonore, Phoenix) linked to the IPS/NGFW devices that missed them]
Undetected Exploits vs. Attacked Vendor
Correlation of exploits not detected by IPS or NGFW with the software vendors of the programs targeted by these exploits: most undetected exploits target Microsoft products – relevant exploits go undetected!
[Maltego graph: Microsoft, with the undetected exploits against Microsoft products]
Correlation of undetected Exploits
Many exploits are not detected by several IPS engines: 714 of 1,486 exploits tested are not detected by at least one IPS engine, 40% or 286 by at least two IPS engines
[Maltego graph: exploits undetected by one IPS vs. undetected by multiple IPS; bubble size indicates the number of IPS engines not detecting a given exploit]
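The correlations above were drawn in Maltego from NSS Labs' test data. As an added example that is not part of the talk, the Python below runs the same kind of analysis on a constructed miss matrix (the engine names, exploit ids, kit names and Metasploit flags are all made up): how many engines miss each exploit, how many exploits each engine misses, what share of the publicly available exploits slip past at least one engine, and whether any combination of engines catches everything.

```python
"""Added example: correlating undetected exploits across detection engines and
with public exploit availability. All engine names, exploit ids, kit names and
flags below are constructed, not NSS Labs data."""
from collections import Counter
from itertools import combinations

ENGINES = ["IPS-1", "IPS-2", "IPS-3", "NGFW-1"]

# For each exploit: the engines that failed to detect it, whether a Metasploit
# module exists for it, and the crimeware kit (if any) it was attributed to.
EXPLOITS = {
    "exp-001": {"missed_by": {"IPS-1"},           "metasploit": True,  "kit": None},
    "exp-002": {"missed_by": {"IPS-1", "IPS-2"},  "metasploit": True,  "kit": "Kit-A"},
    "exp-003": {"missed_by": set(),               "metasploit": True,  "kit": None},
    "exp-004": {"missed_by": {"IPS-2", "IPS-3"},  "metasploit": False, "kit": "Kit-B"},
    "exp-005": {"missed_by": {"IPS-3"},           "metasploit": False, "kit": None},
    "exp-006": {"missed_by": set(),               "metasploit": True,  "kit": "Kit-A"},
    "exp-007": {"missed_by": {"IPS-1", "IPS-3"},  "metasploit": True,  "kit": None},
    "exp-008": {"missed_by": {"IPS-3", "NGFW-1"}, "metasploit": False, "kit": None},
}


def undetected_by_n(exploits):
    """Histogram: number of exploits missed by exactly N engines (N >= 1),
    the shape of the 'undetected by N vendors' chart."""
    return dict(Counter(len(e["missed_by"]) for e in exploits.values() if e["missed_by"]))


def undetected_by_at_least(exploits, n):
    """Exploits missed by n or more engines."""
    return sum(1 for e in exploits.values() if len(e["missed_by"]) >= n)


def misses_per_engine(exploits, engines):
    """Per-engine count of undetected exploits (one bar per product)."""
    return {eng: sum(1 for e in exploits.values() if eng in e["missed_by"]) for eng in engines}


def available_and_undetected(exploits, key):
    """For exploits carried by a public source (key = 'metasploit' or 'kit'):
    (missed, carried, percent missed by at least one engine)."""
    carried = [e for e in exploits.values() if e[key]]
    missed = [e for e in carried if e["missed_by"]]
    return len(missed), len(carried), round(100 * len(missed) / len(carried))


def engines_missing_kit_exploits(exploits):
    """Engines that let at least one crimeware-kit exploit through."""
    return sorted({eng for e in exploits.values() if e["kit"] for eng in e["missed_by"]})


def combos_blocking_everything(exploits, engines, size):
    """Engine combinations of the given size in which every exploit is caught by
    at least one member, i.e. no exploit's miss set covers the whole combination."""
    return [combo for combo in combinations(engines, size)
            if not any(set(combo) <= e["missed_by"] for e in exploits.values())]


if __name__ == "__main__":
    print("missed by exactly N engines:", undetected_by_n(EXPLOITS))
    print("misses per engine:", misses_per_engine(EXPLOITS, ENGINES))
    print("Metasploit (missed, total, %):", available_and_undetected(EXPLOITS, "metasploit"))
    print("kit exploits let through by:", engines_missing_kit_exploits(EXPLOITS))
    for size in (1, 2):
        print(f"{size}-engine combinations blocking everything:",
              combos_blocking_everything(EXPLOITS, ENGINES, size))
```

On this constructed data no single engine catches every exploit and only two of the six possible pairs do, which is the shape of the finding above that only one combination of IPS products blocked all exploits.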
Combined Failure Rate
[Diagram: attacker → Device A (failure rate P(A) = 10%) → Device B (failure rate P(B) = 10%) → target, behind a layered defense; combined failure rate P(A∩B)]
P(A∩B) = P(A) · P(B) = 1% (?)
§ Failures are correlated, they are not independent events
§ The combined failure rate is typically considerably higher
P(A∩B) ≠ P(A) · P(B)
P(A∩B) > P(A) · P(B)
Correlation Fallacy – Rethink your risk assessment
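To make the correlation fallacy concrete, here is an added Python example (not from the talk) that computes the combined failure rate of two layers under the independence assumption, under a given conditional failure rate, and under a given phi correlation between the two layers' failures, and then measures the same quantities from a constructed list of per-exploit outcomes. The phi formula is the standard joint probability of two correlated Bernoulli variables; the 20 outcomes are made up.

```python
"""Added example: combined failure rate of two defense layers with and without
the independence assumption. The phi-correlation model is the standard result
for two Bernoulli variables; the per-exploit outcomes at the bottom are constructed."""
import math


def combined_failure_independent(p_a, p_b):
    """The fallacy on the slide: P(A and B fail) = P(A) * P(B)."""
    return round(p_a * p_b, 6)


def combined_failure_conditional(p_a, p_b_given_a):
    """Correct form: P(A and B fail) = P(A) * P(B fails | A failed)."""
    return round(p_a * p_b_given_a, 6)


def combined_failure_from_phi(p_a, p_b, phi):
    """Joint failure probability when the two failures have phi (Pearson)
    correlation: P(A)P(B) + phi*sqrt(P(A)(1-P(A))P(B)(1-P(B))). phi = 0 is independence."""
    return round(p_a * p_b + phi * math.sqrt(p_a * (1 - p_a) * p_b * (1 - p_b)), 6)


def feasible_range(p_a, p_b):
    """Bounds the joint probability must satisfy whatever the correlation."""
    return (round(max(0.0, p_a + p_b - 1.0), 6), round(min(p_a, p_b), 6))


def understatement_factor(p_a, p_b, phi):
    """How many times higher the real combined failure rate is than the
    independence assumption suggests."""
    return round(combined_failure_from_phi(p_a, p_b, phi) / (p_a * p_b), 3)


def empirical_joint(missed_a, missed_b):
    """From per-exploit outcomes (True = the layer missed the exploit): the two
    marginal miss rates, the product the fallacy would use, the actual joint
    miss rate, and the phi correlation of the two layers' failures."""
    n = len(missed_a)
    p_a = sum(missed_a) / n
    p_b = sum(missed_b) / n
    joint = sum(1 for a, b in zip(missed_a, missed_b) if a and b) / n
    denom = math.sqrt(p_a * (1 - p_a) * p_b * (1 - p_b))
    phi = (joint - p_a * p_b) / denom if denom else 0.0
    return {"p_a": round(p_a, 4), "p_b": round(p_b, 4),
            "independent": round(p_a * p_b, 4),
            "actual": round(joint, 4), "phi": round(phi, 4)}


# Constructed outcomes for 20 exploits: both layers miss 4 each (20%), but they
# mostly miss the same ones, as happens when engines share signature sources.
MISSED_A = [True] * 4 + [False] * 16
MISSED_B = [True] * 3 + [False] * 7 + [True] + [False] * 9

if __name__ == "__main__":
    print("independent:", combined_failure_independent(0.1, 0.1))     # 0.01
    print("phi = 0.5:  ", combined_failure_from_phi(0.1, 0.1, 0.5))  # 0.055
    print("feasible:   ", feasible_range(0.1, 0.1))                   # (0.0, 0.1)
    print("empirical:  ", empirical_joint(MISSED_A, MISSED_B))
```

With two 10% layers and a phi of 0.5 the combined failure rate is 5.5%, not 1%, and the feasible range shows it can reach the full 10% when the layers fail together; the empirical function lets you check where your own test results fall.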
§ Vendor claims on the effectiveness or performance of products are frequently overstated, or based on non-realistic assumptions
§ Several network firewall products tested crashed when subjected to our stability tests
§ Antivirus does not prevent a dedicated attacker from compromising a target
§ Several products failed detection of exploits when switching from HTTP to HTTPS
Conclusion & Findings
§ There is no product or combination of products tested by NSS Labs that provides 100% protection
§ Assume that you are already compromised
§ Organizations should complement prevention with breach detection and SIEM to identify and act on successful security breaches in a timely manner
§ Access to independent information on security product effectiveness and performance is important
Recommendations
§ Technology alone cannot provide the highest protection
§ Competent and motivated security personnel are key to effective security – and make the best use of the tools
Complexity
Thank you sfrei@nsslabs.com frank@nsslabs.com
Trusted Advice. Measured.
§ Network Firewall Group Test 2011: https://www.nsslabs.com/reports/network-firewall-group-test-2011 or http://bit.ly/RzLX3a
§ IPS Comparative Analysis 2012: https://www.nsslabs.com/reports/ips-comparative-analysis-2012 or http://bit.ly/SvHwQ
§ Consumer AV/EPP Comparative Analysis - Exploit Protection: https://www.nsslabs.com/reports/consumer-avepp-comparative-analysis-exploit-protection or http://bit.ly/S5Mqs7
§ Is Your Browser Putting You At Risk?: https://www.nsslabs.com/reports/your-browser-putting-you-risk-part-1-general-malware-blocking or http://bit.ly/SvGHur
§ Targeted Persistent Attack (TPA): https://www.nsslabs.com/reports/analysis-brief-targeted-persistent-attack-tpa-misunderstood-security-threat-every-enterprise or http://bit.ly/SvGO99
Resources