Anatomy of an Attack
Understanding the means and motivations around attacks
Gary Newe
© 2016 F5 Networks
An Unprecedented Year in Security
Not All Security Challenges Are Technical
3 of the top 5 “most challenging” security concerns aren’t technical:
58% Increasing attack sophistication
52% Complexity of solutions
42% Employees underestimate importance
41% Budget too small
37% Data leakage from personal devices accessing apps in the cloud
Source: F5 State of Application Delivery Survey, 2016
Twin Forces Are Impacting the Security Landscape
Cloud and Mobility
• Apps deployed across data center, SDN, public cloud, and SaaS environments
• Multi-device mobility is now the norm
• Mobile apps surpass desktop apps
Threat Evolution and SSL Obfuscation
• Encryption used in 32.8% of traffic
• 68% of IT: zero-day attacks are the greatest threat; “Targeted attacks are the new normal” (Forrester Research)
• $9.4M average cost to restore reputation (Ponemon)
Advanced security threats are increasing!
The Evolution of the Application
Year  Era / dominant threat                          Users  Apps   Technologies added
1995  Client/Server: centralized apps                40M    20K    HTML, App
2000  Internet applications: data confidentiality    400M   9.5M   App, SOAP, Java, SSL
2005  Mobile devices: mobility, malware threats      1B     58M    App, Flash, SAML, XML, AJAX, VoIP
2010  Public cloud: website availability threats     2B     207M   Apps, Mobile, Video, HTML5, ITIL, Hypervisor
2015  Hybrid cloud: blended attacks                  3.2B   1B     App SaaS, Apps IaaS, DevOps, SDN/SDS, IPv6, Containers, IoT, Nano/Micro, Machine Learning
Understanding Motivations of Cyber Criminals
CYBER CRIME (organized crime/cyber crime)
Goal: Company ransom/risk of reputation
How: Buys data to compromise key companies; willing to move to another target if protection is robust
Crime pays (source: Alert Logic):
Stolen assets/criminal activity        Payout
Credit card numbers                    $5–$10 for virgin account
Bank credentials                       $80–$700
Bank transfers                         10%–50%
Social security number                 $30–$50
Zero-day exploits                      $1,000–$100,000
Exploits for known vulnerabilities     $500–$2,000
Malware (pay per install)              Up to $1.50 (U.S. victims)
HACKTIVISM
Goal: Spread a message and promote a political agenda
How: Deface websites, dump company-specific internal information; can gain sympathy quickly
GAIN INTELLECTUAL PROPERTY (well-funded and well-resourced)
Goal: Competitive advantage and information warfare
How: Penetrate company defenses and successfully exfiltrate data; recent attacks have stayed installed 200+ days
Anatomy of an Attack
RECONNAISSANCE: Identification, target selection, and organization to determine the methods that will work with the highest degree of success.
WEAPONIZATION AND PACKAGING: Takes many forms, including a web application, off-the-shelf or custom malware, or documents (PDF, Office).
DELIVERY: Transmission of the payload, typically initiated by the user via a malicious web presence or by opening a malicious PDF file.
EXPLOIT: The malicious payload gains a foothold by exploiting a known vulnerability or a zero-day vector.
INSTALL: Often a remote access Trojan. Usually stealthy in operation, allowing persistence, or “dwell time,” to be achieved.
COMMAND AND CONTROL (C2): Adversaries control assets within your organization and tell the controlled asset “what to do next.”
ACT: The adversary exfiltrates data, identifies more targets, expands its footprint, and obtains valuable data.
How Are the Sources of Attacks Changing?
• State sponsor
• Organized criminal
• Well-meaning insider
• Malicious insider
Network Threats vs. Application/User Threats
Network threats: 27% of attacks are focused here; 90% of security investment
Application/user threats: 78% of attacks are focused here; 10% of security investment
Today’s Threat Landscape
(Diagram: four attack categories, all ultimately aimed at data.)
• Network attacks: network DDoS attacks, recon./port scan, DNS attacks, DNS amplification/cache poisoning, botnet/SPAM
• Session attacks: attacks against SSL vulnerabilities, man in the middle, man in the browser
• Application attacks: application vulnerability exploits, application DDoS attacks, business logic abuse, OWASP Top 10
• Client-side attacks: stolen user credentials/fraud, phishing, malware
Attacks are disproportionately targeting these areas: SSL encryption, user access and credentials, layer 7 application protection, availability.
How Can You Mitigate Attacks?
LARGE RETAIL COMPANIES
Attack: Attackers stole credentials from a third-party vendor
How to mitigate: Apply better/stronger authentication to remote access technologies (VDI/SSL VPN)
ONLINE PAYMENT SERVICE
Attack: Aimed at the password change functionality of the payment site
How to mitigate: Enabled discovery of automated attacks against this critical application function
BANKING AND FINANCIAL SERVICES
Attack: Attacked by a multipronged DDoS attack
How to mitigate: Scrubbing services and mitigation of a computational attack
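The “discovery of automated attacks” in the online payment case above comes down to looking at who is hitting the password-change endpoint and how. The following is an added example (not F5’s code or any product’s logic) of that detection run over constructed access-log lines; the log format, the endpoint path `/account/password` and the thresholds are assumptions. It combines three signals per source address: peak request rate inside a sliding window, number of distinct accounts touched, and the share of failed responses. A real user trips none of them; a credential-stuffing or brute-force bot usually trips all three.

```python
"""Spot automated attacks against a password-change endpoint in web access logs.

Added example (not F5's code). The log format, the endpoint path and the
thresholds are assumptions; the log lines are constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <client ip> <method> <path> <status> <account>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse(log_text):
    """Return (timestamp, src_ip, method, path, status, account) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, method, path, status, account = m.groups()
            events.append((datetime.fromisoformat(ts), src, method, path, int(status), account))
    return events


def peak_in_window(times, window):
    """Largest number of events that fall inside any interval of length `window`."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def find_automated_sources(log_text, path="/account/password", window_seconds=60,
                           max_requests=15, max_accounts=5, max_failure_ratio=0.8,
                           min_sample=10):
    """Map each suspicious source IP to the list of signals it triggered."""
    window = timedelta(seconds=window_seconds)
    per_src = defaultdict(list)
    for ev in parse(log_text):
        if ev[2] == "POST" and ev[3] == path:
            per_src[ev[1]].append(ev)
    findings = {}
    for src, evs in per_src.items():
        reasons = []
        peak = peak_in_window([e[0] for e in evs], window)
        if peak > max_requests:
            reasons.append(f"{peak} requests within {window_seconds}s")
        accounts = {e[5] for e in evs}
        if len(accounts) > max_accounts:
            reasons.append(f"{len(accounts)} distinct accounts")
        failures = sum(1 for e in evs if e[4] in (401, 403))
        if len(evs) >= min_sample and failures / len(evs) >= max_failure_ratio:
            reasons.append(f"{failures}/{len(evs)} requests failed")
        if reasons:
            findings[src] = reasons
    return findings


# Constructed sample: a real user changing a password (one typo, then success),
# followed by a bot working through an account list from one address, one
# request per second, with an occasional hit.
BENIGN = """\
2016-03-01T10:00:00 198.51.100.7 GET /account/password 200 alice
2016-03-01T10:00:12 198.51.100.7 POST /account/password 401 alice
2016-03-01T10:00:40 198.51.100.7 POST /account/password 200 alice
"""
BOT = "\n".join(
    f"2016-03-01T10:01:{i:02d} 203.0.113.5 POST /account/password "
    f"{200 if i % 10 == 9 else 401} user{i:03d}"
    for i in range(30)
)
SAMPLE_LOG = BENIGN + BOT + "\n"

if __name__ == "__main__":
    for src, reasons in find_automated_sources(SAMPLE_LOG).items():
        print(src, "->", "; ".join(reasons))
```

The per-source view is the weak point of this approach: a bot that rotates through a proxy pool spreads each signal thinly across many addresses, so in practice the same counters are also kept per account and per session token, and the rate check is applied to the endpoint as a whole.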
The Hybrid Threat
Mobile phone retail company breach with a DDoS smoke screen
• DDoS attack before a giant data breach
• 2.4M customers’ data stolen through a web application attack
• A more commonplace threat for Internet-connected businesses, especially those that house sensitive data (for example, credit cards or personal information)
Average Attack Size (share of attacks):
500–999 Mbps  23%
1–10 Gbps     38%
10–50 Gbps    20%
Over 50 Gbps   6%
Unknown       12%
Attack Threats: Pay up or Else!
April–May 2015: Emails sent to legitimate businesses with the threat of massive DDoS attacks (sample from actual email)
• DD4BC claims ~400 Gbps
• Extortion demands starting at 25 Bitcoins
• Initially targeted Bitcoin, payment providers, banks, and now moving to other targets
• UDP amplification attacks (NTP, SSDP, DNS), TCP SYN floods, and layer 7 attacks
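The UDP amplification attacks DD4BC advertised (NTP, SSDP, DNS) share one observable property: the victim receives responses from service ports on servers it never queried. The following added example (not F5’s code or part of the original deck) shows that check over constructed flow records; the record layout, the internal address prefix and the thresholds are assumptions. The detector remembers recent outbound requests per (client, server, port) and counts any inbound response without a matching request inside the window as unsolicited; a host whose unsolicited bytes cross the threshold is reported together with the services being reflected at it.

```python
"""Flag UDP reflection/amplification floods (NTP, SSDP, DNS, ...) in flow records.

Added example (not F5's code). The flow-record layout, the internal address
prefix and the thresholds are assumptions; the records are constructed.
"""
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by server port.
AMPLIFIER_PORTS = {19: "CHARGEN", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}


def detect_reflection(flows, internal_prefix="10.0.0.", window=5.0, byte_threshold=100_000):
    """Return {victim_ip: {"bytes": n, "services": {name: bytes}}} for flooded hosts.

    flows: iterable of (ts_seconds, proto, src_ip, src_port, dst_ip, dst_port, bytes).
    """
    solicited = {}                                        # (client, server, port) -> last request time
    unsolicited = defaultdict(lambda: defaultdict(int))   # victim -> service -> bytes
    for ts, proto, sip, sport, dip, dport, nbytes in sorted(flows, key=lambda f: f[0]):
        if proto != "udp":
            continue
        if sip.startswith(internal_prefix) and dport in AMPLIFIER_PORTS:
            solicited[(sip, dip, dport)] = ts             # one of our hosts asked this server
        elif dip.startswith(internal_prefix) and sport in AMPLIFIER_PORTS:
            last = solicited.get((dip, sip, sport))
            if last is None or ts - last > window:        # a reply nobody asked for recently
                unsolicited[dip][AMPLIFIER_PORTS[sport]] += nbytes
    alerts = {}
    for victim, per_service in unsolicited.items():
        total = sum(per_service.values())
        if total >= byte_threshold:
            alerts[victim] = {"bytes": total, "services": dict(per_service)}
    return alerts


# Constructed records: a normal DNS exchange, one stale DNS reply outside the
# window, a TCP flow that is ignored, then an NTP and an SSDP reflection flood
# aimed at 10.0.0.9 from servers it never contacted.
FLOWS = [
    (1.00, "udp", "10.0.0.5", 40001, "192.0.2.53", 53, 70),       # query
    (1.02, "udp", "192.0.2.53", 53, "10.0.0.5", 40001, 300),      # solicited answer
    (20.0, "udp", "192.0.2.53", 53, "10.0.0.5", 40001, 300),      # reply after the window
    (3.00, "tcp", "203.0.113.1", 443, "10.0.0.9", 51000, 5000),   # TCP, not considered here
]
FLOWS += [(10.0 + i * 0.1, "udp", f"198.51.100.{i}", 123, "10.0.0.9", 80, 8000)
          for i in range(1, 21)]
FLOWS += [(11.0 + i * 0.1, "udp", f"203.0.113.{i}", 1900, "10.0.0.9", 80, 3000)
          for i in range(1, 6)]

if __name__ == "__main__":
    for victim, info in detect_reflection(FLOWS).items():
        print(f"{victim}: {info['bytes']} unsolicited bytes via {info['services']}")
```

The stale reply to 10.0.0.5 shows why the window matters: it is counted as unsolicited but stays far below the threshold, so a single late answer never raises an alert, while the flood against 10.0.0.9 does. A flood at the volumes DD4BC claimed saturates the upstream link long before any on-premises collector sees these records, which is why the deck pairs this kind of detection with a cloud scrubbing service.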
Web App Attacks Adversaries Use
Source: Verizon 2015 Data Breach Investigations Report
Use of stolen credentials      50.7%
Use of backdoor or C2          40.5%
SQLi                           19.0%
RFI                             8.3%
Abuse of functionality          8.3%
Brute force                     6.8%
XSS                             6.3%
Path traversal                  3.4%
Forced browsing                 2.0%
OS commanding                   1.5%
“This year, organized crime became the most frequently seen threat actor for web app attacks.” (Verizon 2015 Data Breach Investigations Report)
Vulnerability Likelihood
(Chart, 0–100%: vulnerability classes shown include Insufficient Transport Layer Protection, Brute Force, URL Redirector Abuse, Insufficient Authorization, and SQL Injection; the plotted likelihoods range from 5% to 70%.)
What Are Advanced Security Threats?
Volumetric denial of service
• Difficult to screen out at high rates
• Denies legitimate user access to the site
Computational or consumption attacks
• Artificially inflate SaaS consumption
• Require a deep understanding of what items induce delay or fault within an application
Browser-based malware
• Exists wholly outside the perimeter
• Delivers various malicious programs to users’ computers
Spear phishing
• Targets specific organizations, seeking unauthorized access to confidential data
• Perpetrators out for financial gain, trade secrets, or military information
Monitoring saturation attacks
• Overwhelm SIEM tools to disguise malicious inbound actions
• Mask data exfiltration
Advanced persistent threats (APTs)
• Targeted cybercrime of stealth over a prolonged duration
• Low-and-slow to avoid detection
A new security perimeter is required!
Application Attacks Hurt Your Business: Evolving Security Threats
81M monitored cyber attacks worldwide (2)
$7.7M average cost of cyber crime per company (1)
99 successful attacks per year per company (1)
Damages brand reputation. Results in significant downtime and revenue loss. Compromises sensitive enterprise, employee, and customer data. Breaches compliance required to conduct business online.
Sources: (1) Ponemon Institute, 2015 Cost of Cyber Crime Study; (2) IBM Security Services, 2015 Cyber Security Intelligence Index
Comprehensive Security Across Hybrid Environment
Incorporate Threat Feeds in Cloud-Based, Network, and App Security Services
(Diagram: traffic from scanners, anonymous proxies, anonymous requests, botnet attackers, DDoS attackers, legitimate users, and corporate users passes through three tiers, each fed by a threat intelligence feed, before reaching financial services, e-commerce, and subscriber applications.)
Cloud: cloud scrubbing service with a multiple ISP strategy (ISP a/b); volumetric attacks and floods, operations center experts, L3–7 known signature attacks, IP reputation
Network and DNS: IPS and next-generation firewall; network attacks (ICMP flood, UDP flood, SYN flood); DNS attacks (DNS amplification, query flood, dictionary attack, DNS poisoning); IP reputation
Application: HTTP attacks (Slowloris, slow POST, recursive POST/GET); SSL attacks (SSL renegotiation, SSL flood); IP reputation
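The application tier above lists Slowloris and slow POST, the two “low-and-slow” HTTP attacks that tie up server connection slots with almost no bandwidth, which is why neither the scrubbing center nor a network firewall sees them. The following added example (not F5’s code or part of the original deck) shows the connection-state check an application-layer device applies to catch them; the snapshot layout and thresholds are assumptions and the records are constructed. A connection whose request headers are still incomplete after a timeout is Slowloris-style; one whose declared body trickles in below a minimum byte rate after a grace period is a slow POST. Sources holding many such connections are reported for rate limiting or blocking.

```python
"""Identify Slowloris-style and slow-POST connections from a connection snapshot.

Added example (not F5's code). The snapshot layout and the thresholds are
assumptions; the records are constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    """One open HTTP connection as the server sees it at the snapshot instant."""
    src_ip: str
    age_s: float          # seconds since the TCP connection was accepted
    headers_done: bool    # request line and headers fully received
    content_length: int   # declared Content-Length (0 if none)
    body_received: int    # body bytes received so far


def classify(conn, header_timeout=20.0, body_grace=10.0, min_body_rate=100.0):
    """Return 'slow-headers', 'slow-body', or None for a healthy connection."""
    if not conn.headers_done:
        # Slowloris: headers dribble in one line at a time and never complete.
        return "slow-headers" if conn.age_s > header_timeout else None
    if conn.content_length and conn.body_received < conn.content_length:
        # Slow POST: a large declared body sent far below any realistic link rate.
        if conn.age_s > body_grace and conn.body_received / conn.age_s < min_body_rate:
            return "slow-body"
    return None


def find_slow_sources(conns, max_slow_per_source=10, **thresholds):
    """Map each offending source IP to a count of its slow connections per kind."""
    per_src = defaultdict(lambda: defaultdict(int))
    for c in conns:
        verdict = classify(c, **thresholds)
        if verdict:
            per_src[c.src_ip][verdict] += 1
    return {src: dict(kinds) for src, kinds in per_src.items()
            if sum(kinds.values()) > max_slow_per_source}


# Constructed snapshot: a Slowloris source, a slow-POST source, and benign traffic
# (fresh requests, a genuinely slow but steady upload, headers still arriving).
SNAPSHOT = (
    [Conn("203.0.113.10", 45.0, False, 0, 0) for _ in range(150)]
    + [Conn("198.51.100.20", 120.0, True, 1_000_000, 2_400) for _ in range(30)]
    + [Conn("192.0.2.1", 2.0, True, 0, 0) for _ in range(5)]
    + [Conn("192.0.2.2", 60.0, True, 5_000_000, 60_000)]
    + [Conn("192.0.2.3", 5.0, False, 0, 0) for _ in range(3)]
)

if __name__ == "__main__":
    for src, kinds in find_slow_sources(SNAPSHOT).items():
        print(src, kinds)
```

The per-source count is what keeps false positives down: one slow mobile upload (192.0.2.2 above) is legitimate and stays below the minimum rate check anyway, whereas dozens of half-open requests from a single address have no benign explanation. The same thresholds map directly onto the header and body timeouts most web servers and proxies expose.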
Security Operations Center: Outsourcing DDoS Monitoring and Mitigation
Monitoring and mitigating attacks while reducing false positives requires a 24/7 staff of skilled DDoS analysts
• Full provisioning and configuration
• Proactive alert monitoring
• Identification and inspection of attacks
• Custom and script mitigation
• Service level agreements on time to notify, mitigate, and escalate
Availability and support; Tier II DDoS analysts and above; active DDoS threat monitoring
Connecting the Dots
Web Application Firewall
Proven Security Effectiveness as a Convenient Cloud-Based Service
• Protect web applications and data from layer 7 attacks
• Enable compliance, such as PCI DSS
• Provide a WAF service backed by 24x7x365 support from experts
L7 protection: geolocation attacks, DDoS, SQL injection, OWASP Top Ten attacks, zero-day threats, AJAX applications, JSON payloads
Policy can be built from third-party VA/DAST scans
Protect Web Apps, Anywhere: Easily Extend WAF Protections to SaaS and Cloud Apps
(Diagram: WAF services sit between attackers and legitimate users in front of public cloud hosted, private cloud hosted, and physically hosted web apps.)
Protect web apps, no matter where they reside, with consistent policies and compliance across hybrid environments!
Global Threat Intelligence
Security Force
• Threat Research and Intelligence Team
• Security Operations Center
• Security Incident Response Team (SIRT)
• Security Architects and Security Consulting
• Worldwide coverage, global scope and scale, regional focus, 24x7 team, sensors and honeynets
• Owned and third-party intelligence, darknet and other sources, vulnerability testing, research tools
Best Practices in Protecting Your Apps
Leave no apps unprotected
• Most attacks are at the application layer, where there is little security investment
• Many times DDoS attacks are smoke screens for app attacks
• Integrated security protects a single app instance; WAFs protect all apps based on policy
• Virtual and cloud WAFs will continue to grow
• Apps migrated to clouds will be exposed to more attacks
• Mitigate app attacks using a WAF no matter where the app is located
Recommendations
• Strong focus on risk management
• Consider the sources for attacks
• Reduce the impact of user-facing threats
• Develop strong application security
• Improve visibility across threat vectors