Info sec 12 v1 2
1. From Humble Beginnings
(To the Blue Pill of c0nvention)
Professor John Walker CISM CRISC FBCS CITP ITPC
Visiting – The School of Science & Technology, Nottingham Trent University
2. Genesis
From Fred Cohen's early work defining the concept of the Computer
Virus, through the first malicious code released into the wild (Creeper,
Brain, Coffee Shop, Lehigh, Jerusalem and Stoned, to name but a few),
the early specimens were simplistic in comparison with the threats
posed by modern-day Smart Malware.
3. That Insider Threat
The Insider Threat comes from OUTSIDE:
Today's Smart Malware takes advantage of the Insider Role. It
compromises and bypasses Perimeter Defences through adverse logic
and Advanced Threats (e.g. AETs), and then emulates the privileges
and access rights of the legitimate owner(s).
4. The Exposure
Having given a presentation at the London RSA Conference, one
delegate's feedback was:
‘There is too much focus on the topics of insecurity, which place
an over-emphasis on the adverse events’
The fact of the matter, however, is that year-on-year the levels of
risk, and the associated vulnerabilities, exposures and imaginative
ways of attacking targets, have increased!
Today the level of exposure is high: if you are a user of on-line
services, a connected computer, a cell phone, or any other form of
connected technology or service, then by inference the potential for
exposure exists. We must deal with facts!
5. Criminal Ingenuity
1) Seek out external intelligence (DNS, metadata, FOI requests, etc.)
2) Compromise then upload to Remote Server
3) Obtain Certificates – they are easy to locate
4) Search drives for sensitive files
5) Take Screenshots – audio visual – anything
6) Scan local network for hosts and assets of interest
7) Execute
6. The Challenge
The Challenge is that there still seems to be a state of denial that
Advanced Threats and AETs really exist, possibly caused by
c0nventional thinking, attitudes and opinion, and a very high
dependency on Blue Pills!
The time has arrived when we must consider the approach of
Unconventional thinking to close off the h0les and counter the
imaginative threats posed by the attackers. We need to consider
taking the plunge, and swap out Blue for Red thinking.
Consider the evidence as to why . . .
7. The Evidence
Still not convinced? Consider the victims:
1. VeriSign – successful, and on multiple occasions
2. Global Payments
3. Barnes & Noble
4. RSA
5. Northrop Grumman
6. Lockheed
7. L3
8. Sony
9. Pakistan Downed (Microsoft, Google, Apple, eBay)
10. Multiples of SMEs
With bad statistics to match:
a) Circa 2011 – only 6% of attacks self-detected!
b) Typical attacks continued for 416 days!
c) Mistakes made, like dealing with Cyber Criminals
d) High exposure to footprinting via DNS & metadata
To name but just a few. Did they all do security so badly, or does this imply
there were other actors involved and at work?
8. Pakistan Downed – Nov 12
Big-name technology firms were hit by a hacking attack under the
banner of ‘Pakistan Down’ in the week commencing 26/11/12, causing
websites to be temporarily shut down.
Google, Apple, Yahoo, Microsoft and eBay sites under domains such
as .pk, .com.pk & .org.pk were affected by the incident, which
resulted in visitors being redirected to a different page.
The redirected page featured a picture of two penguins walking across a
bridge with the slogan: Pakistan Downed
9. The Motivation
The early motivation for creating and distributing viruses was, in
the majority of cases, just for fun. However, in today's landscape
of cyber threats posed by distributed malware, the motivation falls
into the following categories:
a) SME Hackers (Financial Gain)
b) Serious & Organised Crime (Financial Gain)
c) Government Sponsored (Intelligence Gathering, Direct/Indirect
Attack, Industrial Espionage)
d) Hacktivist (Mostly Ideological)
e) Script Kiddies (In some cases, used as a learning mission)
f) Cyber Jihad – (Cyber Terrorism)
10. Tricks of the Trade
Many techniques have been developed over the years to make
malware invisible to detection. One simplistic method is to XOR or
XNOR the code with a key, changing its profile at rest or on-the-fly
so that a signature written against the plain bytes no longer matches.
The truth tables of the two operations are:
XOR               XNOR
X  Y  =           X  Y  =
0  0  0           0  0  1
0  1  1           0  1  0
1  0  1           1  0  0
1  1  0           1  1  1
This is by no means foolproof, but serves
as an example of the evolution of creativity.
Other methods include, but are not limited to:
a) Dynamic Domain Name Services (DDNS) – Malware Sample: W32.Reatle.E@mm
b) Fast-Flux
c) Single-Flux
d) Double-Flux
e) Browser Exploit Packs
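The flux items in the list above are detectable from the resolver side, because single-flux rotates a hostname's A records across many compromised hosts with very short TTLs, and double-flux rotates the NS records as well. The Python below is an added example (not from the original deck) that classifies names in a constructed set of resolver log lines; the log format, the domain names and the thresholds (at least 5 distinct answers, TTL of 300 s or less) are all assumptions made for the example.

```python
# Added example, not from the original slides. RESOLVER_LOG is a constructed
# set of resolver log lines (not real traffic): epoch time, record type,
# queried name, answer, TTL in seconds.
from collections import defaultdict

RESOLVER_LOG = """\
1354000000 A  shop.example.com            198.51.100.7             3600
1354003600 A  shop.example.com            198.51.100.7             3600
1354007200 A  shop.example.com            198.51.100.8             3600
1354000000 NS shop.example.com            ns1.example.com          86400
1354000000 A  track-parcel.example.net    203.0.113.5              60
1354000060 A  track-parcel.example.net    203.0.113.88             60
1354000120 A  track-parcel.example.net    192.0.2.41               60
1354000180 A  track-parcel.example.net    203.0.113.150            60
1354000240 A  track-parcel.example.net    192.0.2.199              60
1354000300 A  track-parcel.example.net    198.51.100.222           60
1354000000 NS track-parcel.example.net    ns1.hoster.example       86400
1354000000 A  invoice-update.example.org  192.0.2.77               30
1354000030 A  invoice-update.example.org  203.0.113.12             30
1354000060 A  invoice-update.example.org  198.51.100.91            30
1354000090 A  invoice-update.example.org  192.0.2.130              30
1354000120 A  invoice-update.example.org  203.0.113.201            30
1354000000 NS invoice-update.example.org  ns.192-0-2-77.example    60
1354000060 NS invoice-update.example.org  ns.203-0-113-12.example  60
1354000120 NS invoice-update.example.org  ns.198-51-100-91.example 60
1354000180 NS invoice-update.example.org  ns.192-0-2-130.example   60
1354000240 NS invoice-update.example.org  ns.203-0-113-201.example 60
"""


def parse_log(text: str):
    """Yield (ts, rtype, name, answer, ttl) from whitespace-separated lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rtype, name, answer, ttl = line.split()
        yield int(ts), rtype.upper(), name.lower(), answer.lower(), int(ttl)


def flux_stats(text: str) -> dict:
    """Per (name, rtype): the set of distinct answers and the smallest TTL."""
    stats = defaultdict(lambda: {"answers": set(), "min_ttl": None})
    for _ts, rtype, name, answer, ttl in parse_log(text):
        s = stats[(name, rtype)]
        s["answers"].add(answer)
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
    return stats


def is_fluxing(stat: dict, min_distinct: int, max_ttl: int) -> bool:
    """Many distinct answers AND a short TTL: the rotation is deliberate."""
    if stat["min_ttl"] is None:
        return False
    return len(stat["answers"]) >= min_distinct and stat["min_ttl"] <= max_ttl


def classify(text: str, min_distinct: int = 5, max_ttl: int = 300) -> dict:
    """Label each name: 'double-flux' if both A and NS records rotate rapidly
    with low TTL, 'single-flux' if only the A records do, otherwise 'none'.
    Thresholds are assumptions for the example, not vendor defaults."""
    stats = flux_stats(text)
    empty = {"answers": set(), "min_ttl": None}
    verdict = {}
    for name in sorted({name for name, _ in stats}):
        a_flux = is_fluxing(stats.get((name, "A"), empty), min_distinct, max_ttl)
        ns_flux = is_fluxing(stats.get((name, "NS"), empty), min_distinct, max_ttl)
        if a_flux and ns_flux:
            verdict[name] = "double-flux"
        elif a_flux:
            verdict[name] = "single-flux"
        else:
            verdict[name] = "none"
    return verdict


if __name__ == "__main__":
    for name, label in classify(RESOLVER_LOG).items():
        print(f"{name:28s} {label}")
```

Caveat for anyone turning this into a real detection: large CDNs and load balancers also answer with many IPs and short TTLs, so a production rule would add the dispersion of the answers across networks and ASNs and the age of the domain before alerting; the thresholds here are deliberately simple so that the mechanism is visible.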
11. The Techniques
Bogus and malicious parcel tracking confirmations are a common
social engineering technique often used by cybercriminals to trick
users into clicking on malicious links or executing malicious
attachments found in the spamvertised emails.
Credit to: Dancho Danchev
12. Advanced Threats
Advanced Threats in the guise of APTs (Advanced Persistent
Threats) and AETs (Advanced Evasion Techniques) must now be
anticipated as posing a very real threat, and going forward into 2013
(as correctly predicted in 2011) should be expected to grow.
In a crafted AET attack the attacker manipulates the TCP/IP stack so
that the traffic is reassembled differently by the perimeter defences
and by the target, evades those defences, and then goes on to
compromise the target system(s), say by gaining shell access on the
Black side of the firewall interface.
From that point forward there is a jump point on the internal
system(s); its profile and afforded privileges determine the level of
compromise the infiltrating malware agent may enjoy.
13. Advanced Threats in Action
(Screenshot: Shell)
Here is an example of an Advanced Evasion (AET) penetration
using manipulation of the TCP/IP stack to get past a well-known,
fully up-to-date firewall application, achieving shell access to an
internal system. From here it is a matter of Outsider Threat
manipulation of Insider assets – maybe you have wmic enabled!
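The screenshot is not reproduced here, and the specific evasion the Evader tool used against that firewall is not described on the slide. As an added example (not code from the deck or from the Evader tool), the Python below shows the best-known class of TCP/IP-stack evasion: overlapping IP fragments. Two fragments claim the same bytes, and different stacks resolve the conflict differently (for fragments at the same offset, BSD-derived stacks keep the first copy and Linux keeps the last). An inspector reassembling under one policy sees a harmless datagram while the host behind it, reassembling under the other, receives the attack. The fragments, the signature and the two-policy model are constructed for the example; real IP fragment offsets are in 8-octet units and byte offsets are used for clarity.

```python
# Added example, not from the original slides and not the Evader tool's own
# technique. A constructed datagram split into overlapping fragments, and a
# reassembler that can follow either of two real-world overlap policies.
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int      # byte offset within the original datagram
    payload: bytes   # bytes carried by this fragment


# Constructed fragments, listed in arrival order. Fragments 2 and 3 both
# claim bytes 8..15, so what those bytes say depends on which one "wins".
FRAGMENTS = [
    Fragment(0, b"cat /etc"),
    Fragment(8, b"/shadow\n"),   # the attacker's intended content
    Fragment(8, b"/motd  \n"),   # overlapping decoy sent afterwards
]

SIGNATURE = b"/etc/shadow"   # what the inline inspector is looking for


def reassemble(frags, policy: str) -> bytes:
    """Rebuild the datagram from fragments.
    policy == "first": keep the bytes of the earliest fragment on overlap
                       (what BSD-derived stacks do for same-offset fragments).
    policy == "last":  later fragments overwrite earlier ones
                       (what Linux does for same-offset fragments).
    Raises ValueError if the fragments leave a hole."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    total = max(f.offset + len(f.payload) for f in frags)
    buf = [None] * total
    for f in frags:
        for i, b in enumerate(f.payload):
            idx = f.offset + i
            if policy == "last" or buf[idx] is None:
                buf[idx] = b
    if any(b is None for b in buf):
        raise ValueError("fragments do not cover the whole datagram")
    return bytes(buf)


def inspector_sees_attack(frags, policy: str) -> bool:
    """Would a device reassembling under this policy match the signature?"""
    return SIGNATURE in reassemble(frags, policy)


def evasion_succeeds(frags, inspector_policy: str, host_policy: str) -> bool:
    """The evasion works when the inspector's reassembly misses the signature
    while the protected host's reassembly delivers it."""
    return (not inspector_sees_attack(frags, inspector_policy)
            and inspector_sees_attack(frags, host_policy))


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(FRAGMENTS, policy))
    print("evasion (inspector=last, host=first):",
          evasion_succeeds(FRAGMENTS, "last", "first"))
```

The defensive lesson is the one the slide's "fully up-to-date firewall" makes: patching does not help if the inspection device normalises traffic under a policy that differs from the hosts it protects. The countermeasures are to have the perimeter device reassemble and re-fragment (normalise) traffic before forwarding it, or to drop overlapping fragments outright, and to test the device with overlapping-fragment cases rather than only with signatures.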
14. Duqu
The zero-day vulnerability in question (CVE-2011-3402) was found
in the Win32k TrueType font-parsing engine; as such it affects
various office programs that render embedded fonts.
It was exploited by Win32.Duqu.a as well as by other malicious
programs.
For example, a specially crafted Microsoft Word document opened
on a victim's machine can be used to elevate privileges and then run
arbitrary code.
Remember that Outside Threat!
15. The protection - 1
At an event I chaired recently, I put a question to an AV vendor:
‘Has Anti-Virus – Anti-Malware reached the end of Shelf Life?’
Response:
‘I am representing an Anti-Virus Vendor so am unable to comment’
Two CERT vulnerability notes were published in the UK and US in
November 2012 regarding security vulnerabilities in two well-known
and, up to that point, respected products:
Vulnerability Note VU#662243
****** Antivirus contains multiple vulnerabilities
Vulnerability Note VU#985625
******* Antivirus products fail to properly handle CAB files
16. The protection - 2
There has also been one AV vendor whose product has been
performing badly, suffering what seem to be continuous issues
requiring resolution over an extended period – again an opportunity
for exploitation!
Then there is the matter of detection rates going as low as 55.3%
in the case of one big-name Anti-Virus/Malware application, and a
response time to new finds of, in one case, 8 hours. There is thus
significant opportunity for a zero day to enter a supposedly
protected zone – trust me, I know from painful experience.
Anti-Virus/Malware protection is still a MUST HAVE, but its most
critical flaw is the approach of using c0nvention to defend against
the imaginative ‘unconventional’ threats.
18. The Future & Survival
1) Move away from the tunnel-vision approach taken by
c0nventional Pen Testing – expect your engaged teams to become
unconventional
2) Adopt a Red Team approach with simulated attacks
3) Employ Situational Awareness focused on your sectors of trading
4) Establish CSIRT capabilities to respond to events
5) Think out-of-the-box, and if you can't change the people, then
change the people
6) Listen to the next speaker – and keep an open mind