416 Days
Allan Stojanovic
University of Toronto
#include disclaimer.h
About Me
4 years at the University of Toronto
  Near the core networking group
Before that, the banks
Before that, health care
Before that, transportation
Before that, auditing
Before that, government
Before that, dot-coms
But maybe not quite in that order
The Environment
~350,000 public IPv4 addresses
  And we are running out
~400 departments
  Still not sure how accurate
~422,000 accounts in our (new) AD
  More that are not centralized
Every Make, Every Model, Every Vintage
Open Institution
Our network is mostly open
  Sometimes when it shouldn't be
Our network encompasses research
  Some abnormal traffic is normal
Short lived servers
  Research stations set up for a semester
Long lived services
  The 30 year old vulnerability
Agenda
Classes of Attack
Attacker Skills
Attacker Kill Chain
Disrupting the Kill Chain
Emerging Trends
What takes 416 days?
This is about TACTICAL DEFENCE. No silver bullets.
Classes of Attack
“I'd love to install smoke detectors, but I'm too busy fighting fires.”
Two Attack Classes
Targeted
  Spear Phishing
  Waterhole Attack
  Dumpster diving
  Resume Intel
  Etc.
Opportunistic
  Generic Phishing
  Brute force attacks
  Drive-By
  Automated web exploits
  Etc.
Notes on Attack Classes
Targeted
  takes more effort on the attacker side
  has a better return on investment
  requires more skill
  takes longer to execute
Opportunistic
  can be automated
  relies upon statistics
  basic security hygiene can mitigate it
Attacker Skills
“ ... more like Advanced Persistent Failure to Patch.”
Attacker Skills
Attacker skills are on a bell curve too
The Bar is the level of skill needed to succeed
The Bar is set by the number and/or quality of security mechanisms in place
Attacker Kill Chain
“What's an acceptable number of compromised accounts?”
The Kill Chain
[Figure: Lockheed's Chain, RSA's Chain, HP's Attack LifeCycle, SecureWorks Chain]
Can we disrupt this chain?
Identify the Event
Was it targeted or opportunistic?
What level of skill is required?
  High, Medium, Low?
Where in the chain does the event fall?
Take your best guess.
Prioritize the Event
Targeted events get priority over opportunistic events
Higher skill attackers get priority over lower skilled attackers
Events later in the chain get priority over events earlier in the chain
This is EXTREMELY simplistic, but if you have nothing else, it is a start.
Example 1
Identify: Example 1
This is an opportunistic attack
  There is nothing indicating that UofT was directly targeted. They sent it to the wrong address
This does not require a high level of skills
  Creation of the payload may require skills the first time, but after that it is automated
This is the delivery phase of the chain
  Recon is usually complete by the time a mass mailing is sent
Example 2
Identify: Example 2
This is a targeted attack
  utornto.ca must have been consciously chosen
This does not require a high level of skills
  If we are only considering the DNS registration.
This is the action phase of the chain
  Only because it is being used to provide advertising to people that typo our domain name
Example 3
Identify: Example 3
This is an opportunistic attack
  Automated mass defacement of a well known vuln
This is a medium level of skill
  After the vuln is published, the rest is easy, but some skill is needed to automate.
This is the installation phase of the chain
  If the defacement is the goal, then this is the action phase. The existence of C2 could confirm this.
Caveats
Keep it loose and simple
  Change the finding as you find out more
Targeted vs opportunistic may flip-flop
Determining intent will help determine where in the chain the attack falls
  Misdirection, deception, and followup attacks
Determining the phase of the kill chain is difficult because the attacks never end
Disrupting the Kill Chain
“If people would stop getting breached for a moment, I might be able to get some work done.”
Disrupting the Kill Chain
Try and stop the attacker, not just the attack
The earlier in the chain the better
Traditional security measures have their place
  But most stop the attack, not the attacker
Need better techniques to cover each phase of the chain and each class of attack
Optional: Homework
Table columns: Phase | Opportunistic Attacks | Targeted Attacks | Mitigation
Reconnaissance: Event #1, Event #2, Event #3
Weaponization:
Delivery: Event #4
Exploitation: Event #7, Event #8
Installation:
Control: Event #5
Actions: Event #6
Gaps. Gaps as far as the eye can see.
Some of My Tools and Techniques
To fill the gaps
To provide early detection
To identify the attackers
To stop the attacks while gathering intelligence on the attackers
To disrupt the attackers' operations
Trial By Firewall
Firewalls log access attempts to denied ports
Constant attempts to contact non-exposed services (3389, 22, 23, 902)
Constant attempts to contact non-existent IP addresses
Some of the attempts can be legit (80, 5353)
Trial By Firewall Actions
If it is a destination port 80 or 443, ignore it, or white-list the “good” search engines.
If it tried to access a port on the IP of a critical server, deny all access including what is usually allowed
At least deny all access to target IP from source IP
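An added example of the Trial By Firewall recipe above (not the talk's tool): it reads DENY lines from a constructed firewall log, ignores the ports the slides call often-legitimate and a white-list of known-good crawlers, and maps each remaining source to the response the Actions slide describes. The log format, the critical-server set, the live-host set and the crawler white-list are all assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed firewall DENY lines in a simplified syslog-like format (not the talk's data).
FIREWALL_LOG = """\
Mar 02 09:00:01 fw1 DENY src=203.0.113.7 dst=142.150.10.5 dport=3389 proto=tcp
Mar 02 09:00:02 fw1 DENY src=203.0.113.7 dst=142.150.10.6 dport=22 proto=tcp
Mar 02 09:00:03 fw1 DENY src=203.0.113.7 dst=142.150.10.250 dport=23 proto=tcp
Mar 02 09:00:05 fw1 DENY src=198.51.100.9 dst=142.150.10.5 dport=80 proto=tcp
Mar 02 09:00:06 fw1 DENY src=198.51.100.9 dst=142.150.10.5 dport=443 proto=tcp
Mar 02 09:00:07 fw1 DENY src=192.0.2.33 dst=142.150.10.40 dport=902 proto=tcp
Mar 02 09:00:08 fw1 DENY src=192.0.2.33 dst=142.150.10.40 dport=5353 proto=udp
Mar 02 09:00:09 fw1 ALLOW src=192.0.2.33 dst=142.150.10.40 dport=443 proto=tcp
"""
DENY_RE = re.compile(r"\bDENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

IGNORED_PORTS = {80, 443, 5353}          # often legitimate even when denied (the talk names 80 and 5353)
# Assumed local policy, not from the talk: which servers are critical and which addresses are live.
CRITICAL_SERVERS = {"142.150.10.5"}
LIVE_HOSTS = {"142.150.10.5", "142.150.10.6", "142.150.10.40"}
GOOD_SEARCH_ENGINES = {"198.51.100.9"}   # assumed white-list of known-good crawlers

def parse_denies(log):
    """Yield (src, dst, dport) for every DENY line; ALLOW lines and noise are skipped."""
    for line in log.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])

def trial_by_firewall(log):
    """Map each offending source to the response the Actions slide calls for."""
    touched = defaultdict(set)
    for src, dst, dport in parse_denies(log):
        if src in GOOD_SEARCH_ENGINES or dport in IGNORED_PORTS:
            continue
        touched[src].add(dst)            # non-exposed port or non-existent IP: both count as a probe
    actions = {}
    for src, dsts in touched.items():
        dark = sorted(dsts - LIVE_HOSTS)  # probes at addresses that are not even in use
        if dsts & CRITICAL_SERVERS:
            # Touched a critical server: deny everything from src, including normally allowed traffic.
            actions[src] = {"action": "deny_all", "dark_targets": dark}
        else:
            # Otherwise at least deny src -> every target IP it probed.
            actions[src] = {"action": "deny_to", "targets": sorted(dsts), "dark_targets": dark}
    return actions
```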
Dr. BadTouch
Unadvertised ports listening on unadvertised IP addresses should never be touched
Similar to Trial By Firewall
Dedicate an IP address and listen for critical port connections
Only action full handshakes
  Aka Honeyport without the interaction
  Remember “artillery”?
Dr. BadTouch Actions
Don't bother with 80/443 unless internal only.
DO NOT put a DNS entry for this IP.
Deny access to all critical servers, or the entire network
Rotate to a new IP semi-regularly (but unpredictably)
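An added illustration of the Dr. BadTouch idea (this is example code, not the talk's tool or "artillery"): a listener that never answers, only records sources whose TCP handshake completed. It binds to loopback on an ephemeral port so it runs anywhere; the dedicated IP, the critical ports to bind and the `demo()` helper are assumptions of the example.

```python
import socket
import threading
import time

class HoneyPort:
    """A listener on a dedicated, unadvertised address that records completed TCP handshakes.

    Nothing is ever sent back (the talk's "honeyport without the interaction"); the only
    output is the list of sources that touched it, which feeds a deny rule elsewhere.
    """
    def __init__(self, ip="127.0.0.1", port=0):
        # Assumed: loopback and an ephemeral port so the example runs anywhere; in production
        # this is the dedicated, un-DNS'd IP with the critical ports (e.g. 3389, 22) bound.
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((ip, port))
        self.sock.listen(16)
        self.sock.settimeout(0.2)          # lets the serve loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.touches = []                  # (src_ip, src_port) per completed handshake
        self.to_block = set()              # source IPs to deny from critical servers / the network
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (src_ip, src_port) = self.sock.accept()
            except socket.timeout:
                continue
            # accept() returns only after the three-way handshake completed, so a half-open
            # SYN scan never shows up here: this is the "only action full handshakes" rule.
            conn.close()                   # no banner, no interaction
            self.touches.append((src_ip, src_port))
            self.to_block.add(src_ip)

def demo(wait=2.0):
    """Stand up a honeyport on loopback, touch it once, and return what it recorded."""
    hp = HoneyPort()
    hp.start()
    socket.create_connection(("127.0.0.1", hp.port)).close()
    deadline = time.time() + wait
    while not hp.touches and time.time() < deadline:
        time.sleep(0.05)
    hp.stop()
    return hp.touches, hp.to_block
```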
Blatant 404
Web servers log access attempts to nonexistent files
Because this: GET /main.php?pg=../../../../../../../../../../../etc/passwd%00 deserves action even if 404.
Canned scanners try everything
  Directory busting and hunting somewhat common
  Specific vulnerability searches (PHPMyAdmin anyone?)
Blatant 404 Actions
White-list and ignore your Vuln Scanner
Deny on specific type of items or general threshold from all services
  Indexed links can cause lots of false positives
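An added example of the Blatant 404 recipe (not the talk's code): it walks constructed Apache-style log lines, denies at once on the blatant patterns the slide shows (traversal, %00, PHPMyAdmin hunting) and only on a threshold of distinct missing paths otherwise, so a single stale indexed link is not enough. The log lines, the scanner white-list address and the threshold value are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed Apache-style access log lines (not the talk's data).
ACCESS_LOG = """\
203.0.113.7 - - [02/Mar/2015:09:00:01 -0500] "GET /main.php?pg=../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 404 209
198.51.100.9 - - [02/Mar/2015:09:00:02 -0500] "GET /admin/ HTTP/1.1" 404 209
198.51.100.9 - - [02/Mar/2015:09:00:02 -0500] "GET /backup/ HTTP/1.1" 404 209
198.51.100.9 - - [02/Mar/2015:09:00:03 -0500] "GET /wp-login.php HTTP/1.1" 404 209
198.51.100.9 - - [02/Mar/2015:09:00:03 -0500] "GET /.git/config HTTP/1.1" 404 209
192.0.2.33 - - [02/Mar/2015:09:00:04 -0500] "GET /old-news.html HTTP/1.1" 404 209
192.0.2.77 - - [02/Mar/2015:09:00:04 -0500] "GET /pma/ HTTP/1.1" 404 209
10.0.0.5 - - [02/Mar/2015:09:00:05 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 209
"""
LINE_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Requests that deserve action on their own, 404 or not (the talk's traversal + %00 example).
BLATANT = [
    ("traversal", re.compile(r"(\.\./){2,}")),
    ("null-byte", re.compile("\x00")),
    ("phpmyadmin-hunt", re.compile(r"/(phpmyadmin|pma)/", re.I)),
]
VULN_SCANNERS = {"10.0.0.5"}   # assumed: your own scanner's address, white-listed and ignored
THRESHOLD = 4                  # distinct missing paths from one source before a generic deny

def blatant_404(log, threshold=THRESHOLD):
    """Return {src: reason} for sources whose 404s warrant a deny."""
    misses, verdicts = defaultdict(set), {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "404" or m["src"] in VULN_SCANNERS:
            continue
        src, path = m["src"], unquote(m["path"])   # decode %2e%2e / %00 before matching
        for reason, pat in BLATANT:
            if pat.search(path):
                verdicts.setdefault(src, reason)    # first blatant pattern wins
                break
        misses[src].add(path)
    for src, paths in misses.items():
        # Plain 404 volume only trips a threshold: stale indexed links also produce 404s.
        if src not in verdicts and len(paths) >= threshold:
            verdicts[src] = "threshold"
    return verdicts
```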
Impossible Multi-Auth
Authentication servers log the source of the authentication
Flag accounts with logins from multiple countries in a short period of time
  Windows / AD / RDG are a bit problematic
  Needs a reasonable GEOIP database
  Be careful with how you implement the time-frame
Requires accurate contact lists
Impossible Multi-Auth Actions
Automatically open a ticket for flagged IDs
Contact the user out-of-band
If you have tight Identity Mgmt and password recovery, reset the account
  Can be anchored to known local auth (like door keycard)
Tell them to change OTHER passwords too.
Respect the privacy of the user
Questionable Single Sources
Authentication servers log the source of the authentication
Flag IP addresses that log in with multiple accounts in a short period of time (like minutes)
  Watch for NAT sources, proxies and TOR
  Be careful with how you implement the time-frame
Requires accurate contact lists
Questionable Single Source Actions
Investigate the IP. What else did they do?
If the IP has been malicious, reset all the accounts used from there
Block the IP address
Tell them to change OTHER passwords too.
Respect the privacy of the user
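One added example serving both the Impossible Multi-Auth and the Questionable Single Sources recipes above (example code, not the talk's tooling): both run a sliding time window over a constructed auth-server log, one keyed by account and one keyed by source IP, which is the "be careful with how you implement the time-frame" point. The log format, the toy GeoIP prefix table and the known-NAT list are assumptions; events must be in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth-server log (not the talk's data): time, account, source IP, result.
AUTH_LOG = """\
2015-03-02T09:00:00 alice 142.150.1.10 OK
2015-03-02T09:20:00 alice 203.0.113.7 OK
2015-03-02T09:30:00 bob 198.51.100.5 OK
2015-03-02T09:31:00 carol 198.51.100.5 OK
2015-03-02T09:32:00 dave 198.51.100.5 OK
2015-03-02T09:40:00 erin 142.150.1.11 OK
2015-03-02T09:41:00 frank 142.150.1.11 OK
2015-03-02T09:42:00 grace 142.150.1.11 OK
2015-03-02T15:00:00 bob 142.150.1.12 OK
"""
# Assumed GeoIP: a toy prefix table standing in for the "reasonable GEOIP database" the talk wants.
GEOIP = {"142.150.": "CA", "203.0.113.": "RU", "198.51.100.": "NG"}
KNOWN_NAT = {"142.150.1.11"}   # assumed campus NAT/proxy egress: many accounts from one IP is normal

def country(ip):
    return next((c for prefix, c in GEOIP.items() if ip.startswith(prefix)), "??")

def parse(log):
    """Yield (timestamp, account, ip) for successful logins, in log order."""
    for line in log.splitlines():
        ts, user, ip, result = line.split()
        if result == "OK":
            yield datetime.fromisoformat(ts), user, ip

def _slide(queue, ts, window):
    """Drop queue entries older than the window relative to the newest event."""
    while queue and ts - queue[0][0] > window:
        queue.popleft()

def impossible_multi_auth(log, window=timedelta(hours=2)):
    """Accounts seen from more than one country inside the sliding window."""
    recent, flagged = defaultdict(deque), set()
    for ts, user, ip in parse(log):
        q = recent[user]
        q.append((ts, country(ip)))
        _slide(q, ts, window)
        if len({c for _, c in q}) > 1:
            flagged.add(user)
    return flagged

def questionable_single_source(log, window=timedelta(minutes=5), min_accounts=3):
    """Source IPs that logged in as min_accounts or more distinct accounts inside the window."""
    recent, flagged = defaultdict(deque), set()
    for ts, user, ip in parse(log):
        if ip in KNOWN_NAT:
            continue
        q = recent[ip]
        q.append((ts, user))
        _slide(q, ts, window)
        if len({u for _, u in q}) >= min_accounts:
            flagged.add(ip)
    return flagged
```
In the sample, bob logs in from two countries but 5.5 hours apart, so the two-hour window correctly leaves him unflagged while alice (two countries in 20 minutes) is caught.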
Phake-Phishing
Authentication servers log the source of failed logins too.
Provide fake credentials, see where they come back
Flag IP addresses that attempt to authenticate with the fake credentials.
  Flag for common responses like “scam” and “bullsh*t” as well
If you are a large org, this recipe has a limited lifespan
Phake-Phishing Actions
All successful logins from that IP are suspect, investigate or just reset all passwords.
Deny the IP address
Tell them to change OTHER passwords too
Respect the privacy of the user
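An added example of the Phake-Phishing recipe and its Actions slide (not the talk's code): any source that tries a canary account, or one of the phrases users type back at phishers, is flagged, and every successful login from that source is then listed as suspect for reset. The canary names, the log format and the assumption that the "scam"-style replies show up as the attempted account name are all constructed for the example.

```python
from collections import defaultdict

# Canary accounts handed out in replies to phishing mail (constructed; they exist nowhere else).
CANARY_USERS = {"fake.decoy01", "jsmith.canary"}
# Assumed: the words users fire back at phishers come through as the attempted account name.
DECOY_REPLIES = {"scam", "bullsh*t", "phishing"}

# Constructed auth-server log (not the talk's data): time, account, source IP, result.
AUTH_LOG = """\
2015-03-02T09:00:00 alice 142.150.1.10 OK
2015-03-02T09:05:00 fake.decoy01 203.0.113.7 FAIL
2015-03-02T09:05:30 scam 203.0.113.7 FAIL
2015-03-02T09:06:00 bob 203.0.113.7 OK
2015-03-02T09:07:00 carol 203.0.113.7 OK
2015-03-02T09:08:00 dave 198.51.100.5 OK
2015-03-02T09:09:00 jsmith.canary 198.51.100.5 FAIL
2015-03-02T10:00:00 erin 142.150.1.12 OK
"""

def phake_phishing(log, canaries=CANARY_USERS, decoys=DECOY_REPLIES):
    """Return {suspect_ip: [accounts that logged in successfully from it]}."""
    suspect_ips, successes = set(), defaultdict(set)
    for line in log.splitlines():
        ts, user, ip, result = line.split()
        if user in canaries or user.lower() in decoys:
            suspect_ips.add(ip)          # the fake credential "came back" from this source
        elif result == "OK":
            successes[ip].add(user)      # real logins, kept so they can be tied to a suspect IP
    # Every successful login from a flagged IP is suspect, whether it came before or after the canary.
    return {ip: sorted(successes[ip]) for ip in sorted(suspect_ips)}
```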
Emerging Trends
“Not sure if back-door or legit security tool.”
Assume Breached
If you assume that you are already breached, what do you do to find out?
Look for Indicators of Compromise (IoC)
Examine incidents
Determine threat
Mitigate risks “on the fly”
Does not preclude Security Hygiene. Patches, Antivirus, Firewalls, etc.
Threat Intelligence
It is about sharing IoCs
You can build your own
You can buy a service
Best of all, do both
Do what you can, with what you got, where you are.
Threat Intelligence Services
HP Threat Central
IBM X-Force Exchange
eSentire
Cymon.io
Arbor Atlas
Recorded Future
REN-ISAC
Never forget that the bad guys are faster and better organized than us.
What takes 416 days?
“... more like core incompetencies ...”
Whitehats Statistics Report
416 days – Mean Time to Fix – 2012
342 days – Mean Time to Fix – 2013
Ummm … where did the rest of the stats go?
Verizon Data Breach Investigations Report 2014
Questions?
Thank You
Email: allan.stojanovic(at)utoronto.ca Twitter: @allansto