defending against 1,000,000 cyber attacks by michael banks
TRANSCRIPT
Defending Against 1,000,000 Cyber Attacks
Michael Banks | Rendition InfoSec
$whoami
Michael Banks (@4MikeBanks)
• Information Security Consultant
• SigO
$./disclaimer.py | OVAMO | IANAL | TINLA
OVAMO: Opinions and Views of this presentation are my own and not of any of my employers
IANAL: I am not a lawyer
TINLA: This is not legal advice
Overview
• Background
• Cyber Attacks
• Numbers
• Project Slam
• Takeaways
$./Background.py
$./helloWorld.py
Standard Form - 86
$./traceRoute.py --myLifeandData
“Hacking of Government Computers Exposed 21.5 Million People” – NY Times
$./drill.py | grep "WTF"
“…OPM, for example thwarts 10 million confirmed intrusion attempts targeting our network.” – KATHERINE ARCHULETA
$./theme.py
1. Need more talent.
2. <insert org here> faces MILLIONS of cyber attacks…
3. The inevitable:
Cyber Pearl Harbor
$./CyberAttacks.py
Who are you asking?
$./cyberAttacks.py --congress
18 U.S.C. § 1030. Computer Fraud & Abuse Act
“Fraud and related activity in connection with computers: (a) Whoever— (1) having knowingly accessed a computer without authorization or exceeding authorized access…”
$./cyberAttacks.py --dod
DOD Joint Terminology for Cyberspace Operations
“A hostile act using computer or related networks or systems, and intended to disrupt and/or destroy an adversary’s critical cyber systems, assets, or functions.”
$./cyberAttacks.py --defineAudience
18 U.S.C. § 1030. Computer Fraud & Abuse Act
DOD Joint Terminology for Cyberspace Operations
$./Numbers.py
$./numbers.py --shhh
“Officials said Saturday that over 62,000 cyberattacks had been registered in a single day…”
“…70 million hacker attacks on the servers…”
“The Kingdom had experienced more than 60 million cyberattacks last year…”
“..systems automatically detect and prevent more than 10 million attacks, from tens of thousands of locations, including millions of attacks where the attacker has valid credentials. That’s over 4 billion attacks prevented last year alone…”
$./numbers.py
“Up to 300 Million Cyber Attacks on XXX (3LA) Data Centers Take Place Each Day”
$./numbers.py --includeReality
What do these numbers even mean, and how are they being calculated?
$./numbers.py --strangeAddition
Media/Public
• SSH Brute Force Attempt
• Wordlist of 10,000
• 1 IP (x.x.x.x)
• 3 Mins
• Unsuccessful Login
• Reported as: 10,000 Rapid Sophisticated Cyber Attacks Thwarted

Analyst/Community
• SSH Brute Force Attempt
• Wordlist of 10,000
• 1 IP (x.x.x.x)
• 3 Mins
• Unsuccessful Login
• Reported as: 1 Failed Attempted Intrusion Event
$./numbers.py --strangeAddition
Media/Public
• All Port nMap Scan
• 65535 Ports
• 1 IP (x.x.x.x)
• 1 Min
• Reported as: Over 65,000 Rapid Sophisticated Cyber Attacks Thwarted

Analyst/Community
• All Port nMap Scan
• 65535 Ports
• 1 IP (x.x.x.x)
• 1 Min
• Reported as: No Report (“We get scanned all the time”)
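The two columns above differ only in how the same log lines are counted. As an added example (not code from the talk or from Project Slam), this Python script parses a few constructed log lines and reports both figures: the raw line count behind headline numbers, and the incident count an analyst would report after collapsing a burst of events from one source into a single event.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not data from the talk or from Project Slam):
# an SSH brute-force burst from one source, a TCP port sweep from another
# source, and a lone SSH failure from the first source two hours later.
SAMPLE_LOG = """\
2017-03-01T10:00:00 sshd Failed password for root from 203.0.113.5 port 40001
2017-03-01T10:00:01 sshd Failed password for root from 203.0.113.5 port 40002
2017-03-01T10:00:02 sshd Failed password for admin from 203.0.113.5 port 40003
2017-03-01T10:01:30 sshd Failed password for admin from 203.0.113.5 port 40004
2017-03-01T10:05:00 fw DROP TCP src=198.51.100.9 dst=10.0.0.2 dpt=22
2017-03-01T10:05:00 fw DROP TCP src=198.51.100.9 dst=10.0.0.2 dpt=23
2017-03-01T10:05:01 fw DROP TCP src=198.51.100.9 dst=10.0.0.2 dpt=80
2017-03-01T12:00:00 sshd Failed password for root from 203.0.113.5 port 40010
"""
SSH_RE = re.compile(r"^(\S+) sshd Failed password for \S+ from (\S+) port \d+$")
FW_RE = re.compile(r"^(\S+) fw DROP TCP src=(\S+) dst=\S+ dpt=\d+$")

def parse_events(text):
    """Return sorted (timestamp, kind, source_ip) tuples, one per matching line."""
    events = []
    for line in text.splitlines():
        for kind, pattern in (("ssh_fail", SSH_RE), ("port_probe", FW_RE)):
            m = pattern.match(line)
            if m:
                events.append((datetime.fromisoformat(m.group(1)), kind, m.group(2)))
    return sorted(events)

def headline_count(events):
    """The media/public number: every matching log line is one 'cyber attack'."""
    return len(events)

def incidents(events, gap=timedelta(minutes=10)):
    """The analyst number: events of one kind from one source, with no silence
    longer than `gap` between consecutive events, collapse into one incident."""
    result = []
    open_incident = {}  # (source_ip, kind) -> index in result of its open incident
    for ts, kind, src in events:
        idx = open_incident.get((src, kind))
        if idx is not None and ts - result[idx]["last"] <= gap:
            result[idx]["events"] += 1
            result[idx]["last"] = ts
        else:
            result.append({"src": src, "kind": kind, "events": 1, "first": ts, "last": ts})
            open_incident[(src, kind)] = len(result) - 1
    return result
```

On the sample above, headline_count reports 8 attacks while incidents reports 3 (a 4-attempt brute-force burst, a 3-port sweep, and one later failure); widening gap merges the later failure into the first burst.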
$./ProjectSlam.py
$./projectSlam.py
A project designed to research adversary behavior and utilize the data captured to generate wordlists, blacklists, and methodologies of various threat actors that can be provided back to the public.
$./projectSlam.py
• v1 (2016)
• Kippo-0.9
• Debian 8
• Cloud Based Deployment
• Geographically Located in New York
• Public Accessible Ports: 22, 80, 443
$./projectSlam.py
• Username / Pass (Wordlist)
• Source IP (Location)
• Full TTY Sessions
• A!! D@ Toolz
$./projectSlam.py
• v2 (2017) – a full interaction honeypot to enumerate more information from the attacker.
• Docker (Pre-Populated)
$./projectSlam.py
~4,000 Every Day
~1.4 Million in a year
$./projectSlam.py
Trailing 20 Weeks
$./projectSlam.py
Usernames (Count)
1. root 499,111
2. admin 13,496
3. Administrator 1,428
4. support 1,046
5. user 954
6. test 739
7. ubnt 666
8. guest 525
9. oracle 390
10. ftpuser 359
11. PlcmSpIp 355
12. pi 324
13. postgres 264
14. operator 221
15. git 214
$./projectSlam.py
Passwords (Count)
1. 123456 3,683
2. admin 3,606
3. password 3,283
4. root 3,042
5. 1234 2,989
6. 12345 2,876
7. test 2,722
8. 123 2,575
9. !@ 2,518
10. 1 2,478
11. p@ssw0rd 2,448
12. wubao 2,366
13. root123 2,347
14. jiamima 2,311
15. !q@w 2,272
16. ! 2,263
17. !qaz@wsx 2,251
18. idc!@ 2,196
19. admin!@ 2,181
20. support 750
$./projectSlam.py
Trailing 20 Weeks
$./projectSlam.py |whatsNext
• Report for 2016 (Jan ‘17)
  • Full Report
  • Wordlist
  • IP List
• Deployment for 2017 (Jan-Dec)
• Report for 2017 (Jan ‘18)
  • Full Report
  • Wordlist
  • IP List
$TakeHome.py
• Partial Wordlist
• Partial IP List
$TakeHome.py
Github.com/mikebanks/projectSlam
$Conclusion.py
• Don’t use simple passwords
• Use unique usernames
• Reset default credentials
• Where possible use 2FA
$Questions.py |audience
RenditionInfoSec.com | @4MikeBanks | [email protected] | (847) 208-2393
MichaelBanks.org