Post on 09-Jan-2017
Threat Intelligence At The Cloud
Or Katz - Principal Security Researcher
Ezra Caltum - Senior Security Researcher
©2015 AKAMAI | FASTER FORWARDTM
Hide and Seek
©2015 AKAMAI | FASTER FORWARDTM
Hide and Seek
Akamai Cloud
The Playground? Who is Hiding?
Who is Seeking? The Goal of the Game?
Threat Actors
Find malicious activity and create actionable threat intelligence
©2015 AKAMAI | FASTER FORWARDTM
Hide: Threat Actors
©2015 AKAMAI | FASTER FORWARDTM
Seek: Akamai Threat Research Team Akamai’s State of The Internet Report
Research Publication Thought Leadership
©2015 AKAMAI | FASTER FORWARDTM
The Platform • 167,000+ Servers • 750+ Cities • 92 Countries
The Data • 2 trillion hits per day • 260+ terabytes of
compressed daily logs
Playground: Akamai’s Content Delivery Network (CDN)
Data Centers
End User
©2015 AKAMAI | FASTER FORWARDTM
The Goal: Threat Intelligence
Highlights of threat intelligence: • New insights • Forecast future threats • Digested output • Actionable
According to Gartner: “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard”
©2015 AKAMAI | FASTER FORWARDTM
Why Threat Intelligence At the Cloud?
Volume, Velocity and Variety
Leading to better: • visibility to threat landscape • Insights • Future threats forecasting • Security level
©2015 AKAMAI | FASTER FORWARDTM
Case Study – Slow & Low
Customer: “Some of the Web site accounts had been taken over, I suspect that it was a brute force attack”
©2015 AKAMAI | FASTER FORWARDTM
Web Brute Force
Also known as: Password guessing attack
User: Ezra Password: 123456
Brute Forcer
Web Application
©2015 AKAMAI | FASTER FORWARDTM
Brute Force - Common vs. Advanced
Common • Attack method – Brute force flood • Attacking resources – single/few • Detection technique – Noisy logs • Protection - Rate control
Advanced • Attack method – Brute force slow and low • Attacking resources – multiple/Botnet • Detection technique – ? • Protection - ?
©2015 AKAMAI | FASTER FORWARDTM
Slow & Low – On Site Threat Intelligence
Step 1 (on-site) Analyzing each IP address activity per Web application
Step 2 (on-site) Analyzing aggregated Web
application login attempts per hour
Resource Application
5 ~ 12 login attempts per hour ~50 login attempts per hour
©2015 AKAMAI | FASTER FORWARDTM
Slow and Low – At Cloud
Step 3 (cloud) Tracking brute forcer across the cloud!
Monitoring all IP addresses activity on all targeted Web application
1. Each Botnet member target 100 ~ 300 Web applications 2. Botnet execute ~10,000 login attempts per hour over Cloud
network 3. Botnet is running over the same virtual hosting service provider 4. The Botnet was active at least few months before detected
BINGO
©2015 AKAMAI | FASTER FORWARDTM
On-site vs. Cloud
On-Site Cloud
©2015 AKAMAI | FASTER FORWARDTM
Brute Force Botnet
©2015 AKAMAI | FASTER FORWARDTM
Brute Force by Industry Segment
©2015 AKAMAI | FASTER FORWARDTM
Actionable Insight
• Tactical controls - Block any login attempts initiated from detected Botnet • Strategic controls - Adjust security control brute force rate mitigations • GEO intelligence - Restrict GEO login • Present threat Intel. - Detection based on cross targeted correlation • Future threat Intel. - Forecasting based on industry intelligence
©2015 AKAMAI | FASTER FORWARDTM
Summary
• Cloud platform can yield unique actionable threat intelligence • Cloud threat intelligence introduce the ability to use cross targets, cross
industry and evasive techniques in order to produce unique threat intelligence
• Using gaming techniques while at work is fun! • When you are 195cm tall it is hard to find good hiding places
©2015 AKAMAI | FASTER FORWARDTM
Ezra Caltum - @aCaltum Or Katz - @or_katz