Internet-Scale Security Marc Eisenbarth

Upload: arbor-networks

Posted on 15-Jan-2015


DESCRIPTION

Arbor Networks is a member of an elite group of institutions that might be referred to as "super remediators." This reflects having both visibility and remediation capabilities at nearly every tier one operator and the vast majority of service provider networks globally. The Arbor Security Engineering and Response Team (ASERT) shares operationally viable intelligence with hundreds of international Computer Emergency Response Teams (CERTs) in an out-of-band manner, apart from the Arbor Networks product line. We also provide this same data to thousands of network operators via in-band security content feeds. ASERT also operates the world's largest distributed honeynet, capturing traffic destined for pullup routes at major providers across the globe. As of Q3 2014, ASERT monitors roughly 90 terabits per second (Tbps) of global Internet traffic, which we estimate to be a third of the average global Internet bandwidth. This mission, and the resources that Arbor Networks brings to bear on the problem of global Internet security, are a massive impetus for innovation and research. This presentation was originally given at AUSCert 2014; it outlines various datasets that ASERT maintains and offers brief statistics and findings on global DDoS and advanced threat intelligence.

TRANSCRIPT

Page 1: Internet-Scale Security

Internet-Scale Security Marc Eisenbarth

Page 2: Internet-Scale Security

About the Speaker

Page 3: Internet-Scale Security

About the Speaker’s Employer

Page 4: Internet-Scale Security

Who is Arbor Networks? A Trusted & Proven Vendor Securing the World’s Largest and Most Demanding Networks

90% Percentage of world’s Tier 1 service providers who are Arbor customers

105 Number of countries with Arbor products deployed

69 Tbps Amount of peak global IPv4 traffic monitored by the ATLAS security intelligence initiative right now

#1 Arbor market position in Carrier, Enterprise and Mobile DDoS equipment market segments [Infonetics Research]

12 Number of years Arbor has been delivering innovative security and network visibility technologies & products

$18B 2012 GAAP revenues [USD] of Danaher – Arbor’s parent company providing deep financial backing

Page 5: Internet-Scale Security

Who is Arbor Networks: Analytics

Page 9: Internet-Scale Security

Who is Arbor Networks: Analytics

Google Ideas + ASERT: http://www.digitalattackmap.com

Page 10: Internet-Scale Security

The Arbor ecosystem between service provider and enterprise DCs offers unique insight into emerging and active threats.

Enterprise data center services are now fully available!

(Diagram labels: Enterprise Data Centers, Service Providers)

Who is Arbor Networks: Mitigation

Page 11: Internet-Scale Security

Cloud mitigation with Peakflow; on-site mitigation with Pravail.

~67 Gbps attack traffic, ~14 Gbps residual traffic

Who is Arbor Networks: Mitigation

Page 12: Internet-Scale Security

“MC is taking it like a champ. we nees more bandwidth”

--- Unknown Bad Guy in #operationpayback

Who is Arbor Networks: Mitigation

Page 13: Internet-Scale Security

About the Speaker’s Team

Page 14: Internet-Scale Security

§ Arbor Security Engineering & Response Team
– 7 researchers, 4 developers and 4 threat analysts
– Broad, interdisciplinary background
– https://github.com/arbor
– http://www.arbornetworks.com/asert/

§ Tools
– IDA Pro – IDAPython – Hex-Rays decompiler – bindiff – OllyDbg – Windbg
– IDAScope – P32Dasm – Pydbg – CFF Explorer – Process Hacker – PEiD
– Majority is home-grown

Who is ASERT: The Team

Page 15: Internet-Scale Security

Who is ASERT: The Team

Page 16: Internet-Scale Security

§ Goals of Data Collection
– Broad coverage required to focus on specific use-cases, such as DDoS
– Multiple infection vectors, CnC mechanisms, backscatter analysis, etc.
– Generate unique indicators: honeypots, CnCs themselves, harvesting, etc.

§ Goals of Reverse Engineering
– Reverse engineering of botnet CnC protocol
– Emulation of full CnC protocol for direct CnC and peer (zombie) analysis
– Unique approach to static and dynamic analysis techniques

§ Goals of Large-Scale Analysis
– Understand both latent capabilities and attacker resources
– Internet-scale correlation, i.e. relate a .eml to originating executable
– End-to-end threat lifecycle, i.e. observe actor via CnC then verify the attack via flow

Who is ASERT: Reverse Engineering

Page 17: Internet-Scale Security

Who is ASERT: Reverse Engineering

This bot was seen to attack industrial food processor equipment vendors

Page 18: Internet-Scale Security

// Darkshell bot-to-CnC comms
struct {
    // Header:
    DWORD dwMagic;               // always 0x00000010 for Darkshell
    // Obfuscated section:
    char  szComputerName[64];    // Name of infected host, NULL-terminated/extended
    char  szMemory[32];          // Amount of memory in infected host; format "%dMB"; NULL-terminated
    char  szWindowsVersion[32];  // Specifies version of Windows; one of: Windows98, Windows95,
                                 // WindowsNT, Windows2000, WindowsXP, Windows2003, or Win Vista;
                                 // NULL-terminated/extended
    char  szBotVersion[32];      // Specifies version of bot; NULL-terminated/extended;
    DWORD szUnknown1[4];         // ??? - Always NULL-terminated 'n'
    // Binary section:
    char  szPadding1[32];        // Filled with 0x00 bytes
    WORD  wUnknown2;             // ??? - We have seen 0x00A0, 0x00B0, and 0x00C0
    WORD  wUnknown3;             // ??? - Always 0xFD7F
    char  szPadding2[20];        // Filled with 0x00 bytes
    WORD  wUnknown4;             // ??? - Always 0xB0FC
    BYTE  cUnknown5;             // ??? - We have seen 0xD6, 0xD7, 0xE6, 0xE7, and 0xF1
    BYTE  cZero;                 // Always 0x00
    DWORD dwSignature[8];        // Always 0x00000000, 0xFFFFFFFF, 0x18EE907C, 0x008E917C,
                                 // 0xFFFFFFFF, 0xFA8D91&C, 0x25D6907C, 0xCFEA907C
};

Who is ASERT: Reverse Engineering

Page 19: Internet-Scale Security

def decrypt_darkshell(cipherbytes, start_idx=0x04, stop_idx=0xA8):
    """
    De-obfuscates Darkshell comms encoded using the following method:
        cipherbyte = 0xDE - [plainbyte - (plainbyte & 0x10) << 1]
    The obfuscation is reversed as follows:
        intermediate = 0xDE - cipherbyte
        plainbyte = intermediate + (intermediate & 0x10) << 1
    """
    len_mesg = len(cipherbytes)
    if len_mesg != 260:
        raise RuntimeError("Darkshell bot-to-CnC comms are always 260 bytes")
    plainbytes = []
    for cipherbyte in cipherbytes[start_idx:stop_idx]:
        intermediate = 0xDE - ord(cipherbyte)
        plainbytes += [chr(intermediate + ((intermediate & 0x10) << 1))]
    return cipherbytes[:start_idx] + ''.join(plainbytes) + cipherbytes[stop_idx:]
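As an added example (not code from the deck or from ASERT), the Python 3 routine below parses a whole 260-byte Darkshell beacon using the struct layout on the previous slide and the de-obfuscation rule above, so the host fields become readable for triage and detection signatures. It masks each byte to 8 bits so the transform round-trips for every value, and it assumes szUnknown1 is a 4-byte field, which makes the obfuscated span end at 0xA8 and the total 260 bytes (the slide's DWORD szUnknown1[4] would give 272); the sample beacon is constructed.

```python
import struct

# Added example, not from the original deck: parse a Darkshell bot-to-CnC beacon
# using the struct layout and de-obfuscation rule shown on the slides.
MAGIC = 0x00000010                # dwMagic, per the slide
BEACON_LEN = 260                  # length asserted by the slide's decrypt routine
OBF_START, OBF_STOP = 0x04, 0xA8  # obfuscated span, per the slide
# Little-endian, unpadded layout. ASSUMPTION: szUnknown1 is treated as a 4-byte
# field so the obfuscated span ends at 0xA8 and the total is 260 bytes (the
# slide's "DWORD szUnknown1[4]" would give 272).
LAYOUT = "<I64s32s32s32s4s32sHH20sHBB32s"
FIELDS = ("dwMagic", "szComputerName", "szMemory", "szWindowsVersion",
          "szBotVersion", "szUnknown1", "szPadding1", "wUnknown2", "wUnknown3",
          "szPadding2", "wUnknown4", "cUnknown5", "cZero", "dwSignature")
STRING_FIELDS = ("szComputerName", "szMemory", "szWindowsVersion", "szBotVersion")

def obfuscate_byte(p):
    """Forward rule from the slide, masked to a byte: 0xDE - [p - ((p & 0x10) << 1)]."""
    return (0xDE - (p - ((p & 0x10) << 1))) & 0xFF

def deobfuscate_byte(c):
    """Inverse rule from the slide: i = 0xDE - c; p = i + ((i & 0x10) << 1)."""
    i = (0xDE - c) & 0xFF
    return (i + ((i & 0x10) << 1)) & 0xFF

def decrypt_darkshell(beacon):
    """Return the beacon with bytes [OBF_START, OBF_STOP) de-obfuscated."""
    if len(beacon) != BEACON_LEN:
        raise ValueError("Darkshell bot-to-CnC comms are always 260 bytes")
    clear = bytes(deobfuscate_byte(c) for c in beacon[OBF_START:OBF_STOP])
    return beacon[:OBF_START] + clear + beacon[OBF_STOP:]

def parse_darkshell(beacon):
    """De-obfuscate, check the magic and return the fields as a dict."""
    rec = dict(zip(FIELDS, struct.unpack(LAYOUT, decrypt_darkshell(beacon))))
    if rec["dwMagic"] != MAGIC:
        raise ValueError("not a Darkshell beacon: magic 0x%08x" % rec["dwMagic"])
    for k in STRING_FIELDS:  # NUL-terminated/extended strings -> Python str
        rec[k] = rec[k].split(b"\x00", 1)[0].decode("ascii", "replace")
    rec["dwSignature"] = struct.unpack("<8I", rec["dwSignature"])
    return rec

def build_sample_beacon():
    """CONSTRUCTED input: a plaintext beacon, obfuscated the way the bot would send it."""
    plain = struct.pack(LAYOUT, MAGIC, b"WORKSTATION-7", b"512MB", b"WindowsXP",
                        b"1.0", b"n", b"\x00" * 32, 0x00A0, 0xFD7F, b"\x00" * 20,
                        0xB0FC, 0xD6, 0x00, b"\x00" * 32)
    obf = bytes(obfuscate_byte(p) for p in plain[OBF_START:OBF_STOP])
    return plain[:OBF_START] + obf + plain[OBF_STOP:]
```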

Who is ASERT: Reverse Engineering

Page 20: Internet-Scale Security

Who is ASERT: Threat Intelligence

http://www.arbornetworks.com/asert/

Page 21: Internet-Scale Security

Who is ASERT: Blog

Page 22: Internet-Scale Security

ASERT Datasets

Page 23: Internet-Scale Security

ASERT Datasets Active Threat Level Analysis System (ATLAS)

Page 24: Internet-Scale Security

1. ATLAS sensors are deployed in global Internet darknet space to discover and classify attack activity.

2. This information is sent to an ATLAS central repository where it is combined with Arbor Peakflow, third-party, and vulnerability data.

3. ASERT analyzes the combined data and converts it into actionable intelligence, which is posted on the ATLAS public portal.

ASERT Datasets: ATLAS Sensors

Page 25: Internet-Scale Security

§ Sensor network
– Functionally: IDS + Honeypot
– 1.76 million (dark) IPv4 addresses covered
– Global (4 continents) coverage

§ Sensors perform initial triage
– Host/port scanning activity
– Known versus unknown attacks
– Correlation to security events and vulnerability disclosure
– Misconfiguration detection
– Backscatter analysis

ASERT Datasets: ATLAS Sensors

Page 26: Internet-Scale Security

 

§ Honeypots and sinkholes used for further analysis
– Unknown attacks handed off to high-interaction honeypot / sinkholes
– Attempt to automatically develop threat fingerprint
– Honeypots discover what attackers are attempting
– Classify attacks and characterize scan traffic
– Can capture full payloads

ASERT Datasets: ATLAS Sensors

Page 27: Internet-Scale Security

ASERT Datasets ATLAS Statistics

Page 28: Internet-Scale Security

ASERT Datasets: ATLAS Statistics

§ 275+ ISPs sharing real-time data -> ATLAS Internet Trends
§ Automated hourly export via XML / JSON to Arbor's ASERT team
§ Customers realize tangible benefit of participation
§ Data derived from Flow / BGP / SNMP correlation
§ Arbor Peakflow product line (Tier 1 ISPs, transit providers, etc.)
§ Correlates Sampled Flow / BGP in real-time
§ Distributed in nature
§ Network / Router / Interface etc. Traffic Reporting
§ Threat Detection (DDoS / malware infections / C&C utilization)
§ Flow statistics feedback, based on ASERT security content feeds

ATLAS currently monitoring a peak of 69.7 Tbps of IPv4 traffic across all participants

Page 29: Internet-Scale Security

ASERT Datasets: ATLAS Statistics

Page 30: Internet-Scale Security

ASERT Data Enrichment

Page 31: Internet-Scale Security

ASERT Data Enrichment ATLAS Subscriber Reputation Feed (SRF)

Page 32: Internet-Scale Security

ASERT Data Enrichment: SRF

§ Arbor has extensive sharing network
– Over a hundred national CERT teams (~50% coverage)
– Large cross-section of the security industry - various sharing groups
– ATLAS portal has 711 unique users, representing 6,006 ASNs

§ ATLAS Factoids
– Malware Corral has seen 9.1M unique IPv4 addresses over 90 days
– ASERT has data for 44,570 ASNs of 45,369 ASNs total (~98%)
– ASERT has seen 2.63B unique IPv4 addresses (~71% theoretical)
– (2^32 – 588,514,304) public addresses
– ASERT monitors 1.76M “dark” IPv4 addresses
– The 6,006 ASNs provided ASERT intelligence maps to 1.25B IPv4 hosts (48%)

ASERT provides various “sample digests” in trade with qualified organizations

Page 33: Internet-Scale Security

ASERT Data Enrichment: SRF

AN IODEF VERSION CAN BE DOWNLOADED FROM http://atlas-public.ec2.arbor.net/XXX/2013-10-18/atlas_mail_reports/c97d1e95e9878052571d9a2a39deXXXX/XX-2013-10-18.xml

ATLAS DETAILED REPORT: <REDACTED>
Generated: Sat Oct 19 00:59:16 2013 UTC
Covers 24 hour time period through now.
Questions: Marc Eisenbarth - [email protected]

DENIAL OF SERVICE
OBSERVED INBOUND ATTACKS
Based on actual alerts gathered in our Internet statistics project.
Start, End, Dest CIDR, Dest ASN, Dest CC, Max BPS, Max PPS
2013-09-06:08:04:49, 2013-10-18:15:04:48, "xx.xx.92.250/32", "", , 884237504, 552505
2013-09-06:08:07:49, 2013-10-18:15:04:48, "xx.xx.92.12/32", "", , 628562560, 393004
2013-09-06:08:04:49, 2013-10-18:12:03:48, "xx.xx.92.250/32", "", , 884237504, 552505
2013-09-06:08:07:49, 2013-10-18:12:03:48, "xx.xx.92.12/32", "", , 628562560, 393004

Page 34: Internet-Scale Security

ASERT Data Enrichment: SRF

OBSERVED OUTBOUND ATTACKS
Based on actual alerts gathered in our Internet statistics project.
Start, End, Source CIDR, Source ASN, Source CC, Max BPS, Max PPS
<REDACTED>

OBSERVED ATTACK COMMANDS
Based on botnet tracking
Timestamp, C&C CC, C&C ASN, C&C IP, Target CC, Target ASN, Target IP
<REDACTED>

MALICIOUS CLIENTS
Attacks
Based on ATLAS honeypot sensors.
IP, Cumulative Bytes
XXX.138.76.59, 15656.0
XXX.138.122.202, 2657.0
XXX.247.33.203, 983.0
XXX.138.133.247, 838.0

Page 35: Internet-Scale Security

ASERT Data Enrichment: SRF

Scans
Based on ATLAS honeypot sensors.
IP, Cumulative Bytes
XXX.144.74.248, 6316296.0
XXX.167.57.37, 3984822.0
XXX.168.144.59, 3903120.0
XXX.216.131.254, 1522704.0
XXX.216.129.162, 1423104.0
XXX.249.89.82, 1420826.0
XXX.140.122.90, 747584.0
XXX.140.103.249, 480048.0
XXX.140.96.237, 468928.0
XXX.242.187.78, 162192.0
XXX.251.28.182, 154080.0
XXX.158.69.208, 123876.0
XXX.149.69.204, 121860.0
XXX.247.33.203, 117832.0
XXX.210.104.174, 79716.0

Page 36: Internet-Scale Security

ASERT Data Enrichment: SRF

MALICIOUS SERVERS
Botnet C&C Servers
Based on malicious software analysis and botnet tracking.
CC, ASN, IP, port, malware MD5
<REDACTED>

Phishing Servers
Based on internal link analysis and third-party reports.
CC, ASN, IP, port, URL
XX, 28526, XXX.215.18.103, 80, http://XXXXXXXXX/media/system/css/net.htm

Malicious Links
URLs contacted by malware during automated analysis.
Timestamp, CC, ASN, IP, URL
<REDACTED>
<snip>

Page 37: Internet-Scale Security

ASERT Data Enrichment Event Analytics

Page 38: Internet-Scale Security

ASERT Data Enrichment: Events

Page 39: Internet-Scale Security

ASERT Data Enrichment: Events

• Largest DDoS attack seen to date
• Traffic levels verified by service provider community.
• DNS Reflection/Amplification Attack
• Not a new attack vector
• Responsible for other large (100Gb/sec) attacks in the past
• Emphasizes the need to restrict open DNS Resolvers and implement BCP 38/84 at network edges.
• Key concern is that other groups will start generating larger attacks, given the media focus on the Spamhaus attacks.

Page 40: Internet-Scale Security

ASERT Data Enrichment: Events

Page 41: Internet-Scale Security

ASERT Data Enrichment: Events

Page 42: Internet-Scale Security

ASERT Data Enrichment ATLAS Portal

Page 43: Internet-Scale Security

ASERT Data Enrichment: Portal

http://atlas.arbor.net

Page 47: Internet-Scale Security

ASERT Data Enrichment Malware Corral

Page 48: Internet-Scale Security

ASERT Data Enrichment: Portal

•  What is the malware designed to do?

•  Not necessarily where it’s been, but where is it going?

•  Don’t look at just active behavior, but potential behavior

•  Prevailing model: unique sample for specific target

Page 49: Internet-Scale Security

Case-Studies Malware Corral Example

Page 50: Internet-Scale Security

Case-Studies: Malware Corral

Page 59: Internet-Scale Security

High fidelity indicators, based on in-depth analysis of sample

Case-Studies: Malware Corral

Page 60: Internet-Scale Security

Thank You {meisenbarth,asert}@arbor.net