Technology Security Through Absurdity: Lessons Learned

Security Through Absurdity:

Lessons Learned

December 13th, 2013

Security Through Absurdity:

Lessons Learned

December 13th, 2013

Chris Brenton

Director of Security

@chris_brenton

cbrenton@dyn.com

Why Security Through Absurdity?

Pg. 2 Security Through Absurdity: Lessons Learned @chris_brenton

Because we need to enjoy life’shumorous moments

Two paths lie before you…

Enjoy the Journey

•Find the humor “nuggets”•Leverage the life lessons•Grow and move forward

Let It Thin Your Soul

“Like butter scraped overtoo much bread”

Rock The Gandalf Look

By increasing the gray hair density

Rock The Gandalf Look

I already have a 14 yr old daughter

dedicated to that last task

I already have a 14 yr old daughter

dedicated to that last task

Our Journey Begins

Contracted as a security consultant

Owner wants locked down VPN

access to business

Contracted as a security consultant

Owner wants locked down VPN

access to business

Security Requirements

Normally disabled state

Must call first to get access

Must know IP address

Normally disabled state

Must call first to get access

Must know IP address

More Security Requirements

2 Factor authentication

Time limit on access

Log and alert on everything!

Time limit on access

Log and alert on everything!

First Day Onsite

I show up early

First Day Onsite

I show up early

UPS arrives

I show up early

UPS arrives

First Day Onsite

I show up early

UPS arrives

Retrieves key from under rock

I show up early

UPS arrives

First Day Onsite

I show up early

UPS arrives

Lets themselves into building

I show up early

UPS arrives

Lets themselves into building

Is This A Problem?

Key has been under rock for 5 years

Is This A Problem?

Everyone knows its there

Is This A Problem?

Everyone knows its there– “X” employees (including disgruntle ones)– All delivery couriers

Is This A Problem?

Everyone knows its there– “X” employees (including disgruntle ones)– All delivery couriers– Even the local pizza parlor staff

Did I Forget to Mention…

Business model was computer sales

In excess of $15K in inventory

Nothing high risk saved on the

corporate network

Nothing high risk saved on the

corporate network

Security Task List

Mitigate risks that could put you out

of business next week

Security Task List

Then move on to the week after that

Security Task List

Lather, rinse repeat

What Did Life Teach Me?

Never assume a business risk analysis

has been performed

Never assume a business risk analysis

has been performed

What I Now Do Differently

Don’t assume your contact

understands their risks

Perform a mini risk assessmentPg. 28 Security Through Absurdity: Lessons Learned @chris_brenton

Don’t assume your contact

understands their risks

Perform a mini risk assessment

We implemented a great security solution…But don’t have resources to maintaining it

Case Study #2

Phishing test

Phishing Test Exercise

Contracted to help IT test

social engineering

Test all employees via email

Contracted to help IT test

social engineering

Test all employees via email

The Setup

The Results

13 of 450 employees hit reply

The Results

Sent their logon credentials

The Results

Via plaintext email

The Results

Via plaintext email

To an unknown outside address

Via plaintext email

To an unknown outside address

The Response

Email sent from real IT account

The Response

Phishing test revealed

The Response

Detailed explanation

The Response

Phishing email included as reference

What Happened Next?

19 people hit “reply”

What Happened Next?

and sent their credentials

What Happened Next?

In response to an email telling

them never to do this

In response to an email telling

them never to do this

Math Sanity Check…

13 < 19

Root Cause Analysis

“I just skipped to the executive

summary”

“I just skipped to the executive

summary”

Email is the wrong medium for

in-depth concepts

How you convey info matters

Email is the wrong medium for

in-depth concepts

How you convey info matters

Consider the proper medium to

convey required information

Consider the proper medium to

convey required information

We rely on host-based security… To warn uswhen the host has been compromised

Case Study #3

Phishing Rev 2

Phishing Attack

Spoofed email from CEO

Phishing Attack

Claims to point to a BBC article

Phishing Attack

Link prompts for email logon

name and password

Link prompts for email logon

name and password

The Results

6 people are duped

The Results

6 people are duped

Give away their logon name

and password

6 people are duped

and password

The Results

6 people are duped

and password

In order to read a news story

6 people are duped

and password

In order to read a news story

The Response

Containment

The Response

Containment

The Response

Containment

Followed by a huge education

and awareness effort

Containment

Followed by a huge education

and awareness effort

What Was Included

Email to all employees

What Was Included

Internal blog entries

What Was Included

Updates to awareness training

What Was Included

Leverage the grape vine

Segway to 30 days later

Pentester Hired

Measure results of education effort

Pentester Hired

Mass email phishing test sent

The Results

Good news!

The Results

Good news!

An order of magnitude improvement

in people reporting the attack

Good news!

An order of magnitude improvement

in people reporting the attack

The Results

Bad News!

The Results

Bad News!

6 people failed the test

Bad News!

The Results

Bad News!

It’s a different 6 people

Bad News!

It’s a different 6 people

You Can Never Save Everyone

Strive for 100% but have realistic

(cost effective) expectations

You Can Never Save Everyone

Strive for 100% but have realistic

(cost effective) expectations

Awareness training is good

A reward system motivates people to

leverage what they learned

Awareness training is good

A reward system motivates people to

leverage what they learned

We have an Internet policy…But not a Bring Your Own Device policy.

Case Study #4

Product security evaluation

The Setup

Contracted by a bank

The Setup

Evaluate a new system they are

considering for purchase

The Setup

Hired to evaluate security

The Evaluation

Worst system ever!!!

The Evaluation

Hybrid that combines Windows

and a mini computer

The Evaluation

and a mini computer

Got root 3 times in 20 minutes

and a mini computer

Got root 3 times in 20 minutes

0wn3d During Preso

My Write Up

Most pointed review I’ve written to date

My Write Up

Documented why the architecture was

horribly flawed

My Write Up

horribly flawed

Can’t be patched!

horribly flawed

Can’t be patched!

Quick Factoid!

The word “horrible” has over 50

synonyms

Quick Factoid!

synonyms

It is actually possible to use them all

in a single professional documents

synonyms

It is actually possible to use them all

in a single professional documents

How The Bank Responded

They purchased the system

And opted for the premium support

Contract had already been signed

Convo With The Bank

Me: Which part of “horribly insecure”

did you not understand?

Me: Which part of “horribly insecure”

did you not understand?

Convo With The Bank

Bank: But we can migrate the data

without any conversion costs!

Bank: But we can migrate the data

without any conversion costs!

Convo With The Bank

Me: Sounds like you made up your

mind ahead of time. Why did you

have me evaluate the system?

Me: Sounds like you made up your

mind ahead of time. Why did you

have me evaluate the system?

Convo With The Bank

Bank: We hoped you would like it.

Not everyone understands

“Security Speak”

Not everyone understands

“Security Speak”

Tailor to your audience: Convert

“security speak” to “risk” and

“financial” lingo

Tailor to your audience: Convert

“security speak” to “risk” and

“financial” lingo

We collect system logs…but no one actually looks at them

Case Study #5

The Epic battle of good and evil…

The Setup

DNS SaaS company

The Setup

DNS SaaS company

Offers a “dynamic DNS” product

DNS SaaS company

The Setup

DNS SaaS company

Great solution for cloud users

DNS SaaS company

The Setup

DNS SaaS company

Unfortunately can be used for evil

DNS SaaS company

Unfortunately can be used for evil

How The Bad Guys Operate

Build an infrastructure of “Command

and Control” servers

These manage infections and propagate

malware

The “brains” of the setup

malware

The “brains” of the setup

C&C Infrastructure

Designed to be fault tolerant

C&C Infrastructure

Kill one server, the rest take up the slack

C&C Infrastructure

Dynamic DNS provides redundancy if

server is blocked or taken down

C&C Infrastructure

Can recover when a few servers are lost

Old IR Methodology

Block the account

Old IR Methodology

Block the account

Black hole the host names

Block the account

Old IR Methodology

Block the account

Problem: If you don’t get the

whole C&C network it can recover

Block the account

Problem: If you don’t get the

whole C&C network it can recover

New IR Methodology

Research the account

New IR Methodology

Help innocent clients recover their

system from infection

New IR Methodology

When evil, play cat and mouse

New IR in Practice

Account created from Russia

New IR in Practice

Ticked boxes as a suspect account

New IR in Practice

12+ scripted host names created

New IR in Practice

Fingerprint of Neutrino actors

Time For Some Fun

Let them create their servers

Time For Some Fun

Gave them time to deploy iframes

Time For Some Fun

Let servers get integrated into C&C

Time For Some Fun

Pointed their hosts at honeypots

Impact of Redirection

Broke some C&C functionality

ID 30+ other C&C servers

Block 140,000 infections

Collect new data on functionality

What We Did Next

Warn C&C owners of infection

What We Did Next

Analyze previously unknown data

What We Did Next

Share data with the community

What We Did Next

Update our detection

What The Bad Guys Did Next

What they always do

What The Bad Guys Did Next

What they always do

Try to set their network back up

What they always do

Try to set their network back up

Segway to 6 hours later

Bad guys come back

Using different account credentials

Bad guys come back

Same fingerprint

Bad guys come back

Same fingerprint

Bad guys come back

Same fingerprint

Start spinning up new C&C servers

Bad guys come back

Same fingerprint

Start spinning up new C&C servers

Lather, Rinse, Repeat

We let them setup their C&C

network

Then take it all away

network

This repeats a third time

network

This repeats a third time

Don’t Go Away Mad…

Bad guys relocate to Central

America service provider

We warn the provider

C&C network has yet to recover

Bad guys relocate to Central

America service provider

We warn the provider

C&C network has yet to recover

Remember as you watch this film

When things appear their darkest

Evil may win some of the battles

Good always wins the epic war

Thanks For Attending!

cbrenton@dyn.com

@Chris_Brenton

cbrenton@dyn.com

@Chris_Brenton

Technology Security Through Absurdity: Lessons Learned

Technology

Transcript of Technology Security Through Absurdity: Lessons Learned

Lessons Learned Remote PM+ Cohort Integrated K+S · Lessons Learned Below are key lessons learned on providing Remote PM+ Training of Helpers. These lessons learned are based off

ASSESSMENT & LESSONS LEARNED FROM AFRICAN DIASPORA MARKETPLACEpdf.usaid.gov/pdf_docs/PDACT256.pdf · ASSESSMENT & LESSONS LEARNED FROM AFRICAN ... ASSESSMENT & LESSONS LEARNED FROM

Lessons learned & not learned at MSU

Lessons Learned Events at SLAC · 2012-09-14 · Lessons Learned Events: Summary Comments . Important to identify and communicate lessons learned! Lessons learned and near misses

Lessons learned from Asian tsunami disaster: Sharing knowledgeusir.salford.ac.uk/9805/1/lessons.pdf · Title Lessons learned from Asian tsunami disaster: ... Lessons learned from

LEARNED LESSONS:

Lessons learned after 190M lessons served

Detecting Financial Reporting Fraud – Lessons learned · PDF fileDetecting Financial Reporting Fraud – Lessons learned by ... Detecting Financial Reporting Fraud – Lessons learned

Lessons learneD

D530.1 - Lessons Learned Framework Concept€¦ · Driving Innovation in Crisis Management for European Resilience D530.1 - Lessons Learned Framework Concept Keywords: Lessons learned,

Lessons&Learned&in&Deploying&Akka& Persistencedownloads.typesafe.com/website/presentations/lessons-learned-akk… · Lessons&Learned&in&Deploying&Akka& Persistence Duncan&K.&DeVore

Successes, Challenges, & Lessons Learned...Successes, Challenges, & Lessons Learned Overview Introduction Successes Challenges Lessons Learned New Approaches Highway 70 To Phoenix

Lessons Learned, Opportunities and Innovations in …pdf.usaid.gov/pdf_docs/PBAAD103.pdf · Lessons Learned, Opportunities and Innovations in Human ... Lessons Learned, Opportunities

Lean lessons learned - lean startup methodology and lessons learned from Blossom

Lessons Learned and Lessons to Be Learned: Investment Law & … · 2014. 4. 30. · 1 Lessons Learned and Lessons to Be Learned: Investment Law & Development for Developed Countries

Lessons Learned from “Lessons Learned” · 2 LESSONS LEARNED FROM “LESSONS LEARNED” 2. The NRC set safety goals in its Safety Goal Policy Statement, initiated not long after

Lessons Learned:

Lessons Learned Globally - Campaign for Tobacco-Free Kids...Process lessons learned 2. Content lessons learned See next page for lists of these lessons learned. 7 | Lessons Learned

Redis/Lessons learned

Lessons learned writing exploits LESSONS LEARNED WRITING EXPLOITS Gerardo Richarte Iván Arce