Anatomy of an Attack - Aventri

Transcript of Anatomy of an Attack

Anatomy of an Attack: Understanding the means and motivations around attacks

Gary Newe

© 2016 F5 Networks

An Unprecedented Year in Security

Not All Security Challenges Are Technical
3 of the top 5 "most challenging" security concerns aren't technical

• 58%: Increasing attack sophistication
• 52%: Complexity of solutions
• 42%: Employees underestimate importance
• 41%: Budget too small
• 37%: Data leakage from personal devices accessing apps in the cloud

Source: F5 State of Application Delivery Survey, 2016

Twin Forces Are Impacting the Security Landscape

Cloud and Mobility
• Apps deployed across data center, SDN, public cloud, and SaaS environments
• Multi-device mobility is now the norm
• Mobile apps surpass desktop apps

Threat Evolution and SSL Obfuscation
• Encryption used in 32.8% of traffic
• 68% of IT: zero-day attacks are the greatest threat; "Targeted attacks are the new normal" (Forrester Research)
• $9.4M average cost to restore reputation (Ponemon)

ADVANCED SECURITY THREATS ARE INCREASING!

The Evolution of the Application

Year | Era                   | Dominant threat             | Users | Apps  | Technologies
1995 | Client/Server         | Centralized apps            | 40M   | 20K   | HTML, App
2000 | Internet Applications | Data confidentiality        | 400M  | 9.5M  | SOAP, Java, SSL
2005 | Mobile Devices        | Mobility, malware threats   | 1B    | 58M   | Flash, SAML, XML, AJAX, VoIP
2010 | Public Cloud          | Website availability threats| 2B    | 207M  | Mobile video, HTML5, ITIL, hypervisor
2015 | Hybrid Cloud          | Blended attacks             | 3.2B  | 1B    | SaaS, IaaS, DevOps, SDN/SDS, IPv6, containers, IoT, nano/micro, machine learning

Understanding Motivations of Cyber Criminals

CYBER CRIME (organized crime/cyber crime)
GOAL: Company ransom / risk to reputation
HOW: Buys data to compromise key companies; willing to move to another target if protection is robust

CRIME PAYS*

Stolen asset / criminal activity      Payout
Credit card numbers                   $5–$10 for a virgin account
Bank credentials                      $80–$700
Bank transfers                        10%–50% of the transfer
Social security number                $30–$50
Zero-day exploits                     $1,000–$100,000
Exploits for known vulnerabilities    $500–$2,000
Malware (pay per install)             Up to $1.50 (U.S. victims)

* Source: Alert Logic

HACKTIVISM
GOAL: Spread a message and promote a political agenda
HOW: Deface websites, dump company-specific internal information; can gain sympathy quickly

GAIN INTELLECTUAL PROPERTY
GOAL: Competitive advantage and information warfare
HOW: Penetrate company defenses and successfully exfiltrate data; in recent attacks the intruder has remained installed for 200+ days; well-funded and well-resourced

Anatomy of an Attack

RECONNAISSANCE: Identification, target selection, and organization to determine the methods that will work with the highest degree of success.

WEAPONIZATION AND PACKAGING: Takes many forms, including a web application, off-the-shelf or custom malware, or documents (PDF, Office).

DELIVERY: Transmission of the payload, typically initiated by the user via a malicious web presence or by opening a malicious PDF file.

EXPLOIT: The malicious payload gains a foothold by exploiting a vulnerability, known or zero-day.

INSTALL: Often a remote access Trojan. Usually stealthy in operation, allowing persistence, or "dwell time", to be achieved.

COMMAND AND CONTROL (C2): Adversaries control assets within your organization and tell the controlled asset "what to do next."

ACT: The adversary exfiltrates data, identifies more targets, expands its footprint, and obtains valuable data.
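The practical use of the stage model above is correlation: a single alert at any one stage is noise, but one host accumulating consecutive stages is an intrusion in progress. The following script is an added example, not code from the presentation or from F5; the detection signature names, their stage mapping, and the sample events are all constructed for illustration. It maps events to kill-chain stages per host and ranks hosts by how far, and how continuously, the chain has progressed.

```python
"""Map detection events to kill-chain stages and rank hosts by intrusion progression.

Added example; signature names, stage mapping and sample events are constructed, not from the deck.
"""
from collections import defaultdict

STAGES = ["reconnaissance", "weaponization", "delivery", "exploit", "install", "c2", "act"]

# Assumed mapping from a detection signature to the stage it evidences. Weaponization happens on the
# attacker's side and is normally not observable by the defender, so nothing maps to it here.
SIGNATURE_STAGE = {
    "inbound_port_scan": "reconnaissance",
    "email_attachment_macro": "delivery",
    "drive_by_download": "delivery",
    "office_spawned_shell": "exploit",
    "new_autorun_service": "install",
    "periodic_beacon_to_rare_domain": "c2",
    "large_outbound_transfer": "act",
    "lateral_smb_logon_burst": "act",
}


def stage_index(signature):
    """Position of the signature's stage in STAGES, or None for signatures we do not map."""
    stage = SIGNATURE_STAGE.get(signature)
    return STAGES.index(stage) if stage is not None else None


def assess_hosts(events):
    """events: iterable of (timestamp, host, signature). Returns {host: summary dict}."""
    seen = defaultdict(set)
    for _ts, host, sig in events:
        idx = stage_index(sig)
        if idx is not None:
            seen[host].add(idx)

    out = {}
    for host, idxs in seen.items():
        ordered = sorted(idxs)
        furthest = ordered[-1]
        # Longest run of consecutive stages: an attacker has to pass through each stage in order,
        # so a chain of adjacent stages is far stronger evidence than scattered alerts.
        run = best = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        # Anything at install or later means the perimeter already failed; prioritise it regardless.
        post_exploit = furthest >= STAGES.index("install")
        if post_exploit and best >= 2:
            severity = "critical"
        elif post_exploit:
            severity = "high"
        elif best >= 2:
            severity = "medium"
        else:
            severity = "low"
        out[host] = {
            "furthest_stage": STAGES[furthest],
            "stages_seen": [STAGES[i] for i in ordered],
            "consecutive": best,
            "severity": severity,
        }
    return out


def sample_events():
    """Constructed sample events (timestamp, host, signature); not real data."""
    return [
        ("2016-03-10T08:01:00Z", "ws-03", "inbound_port_scan"),
        ("2016-03-10T09:12:00Z", "ws-17", "email_attachment_macro"),
        ("2016-03-10T09:12:40Z", "ws-17", "office_spawned_shell"),
        ("2016-03-10T09:13:05Z", "ws-17", "new_autorun_service"),
        ("2016-03-10T09:20:00Z", "ws-17", "periodic_beacon_to_rare_domain"),
        ("2016-03-11T02:30:00Z", "ws-17", "large_outbound_transfer"),
        ("2016-03-11T02:45:00Z", "srv-09", "large_outbound_transfer"),
        ("2016-03-11T03:00:00Z", "ws-22", "unknown_signature"),
    ]


if __name__ == "__main__":
    for host, summary in sorted(assess_hosts(sample_events()).items()):
        print(host, summary)
```

ws-17 shows delivery through act with no gaps and is rated critical; srv-09 has a single act-stage event (a large outbound transfer that could be a backup) and is rated high because it is post-exploit but uncorroborated; ws-03 has only a port scan and is rated low. The severity ladder is an assumption to tune for your environment, but the ordering principle, consecutive stages outrank isolated alerts, is what the kill chain buys a SOC.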

How Are the Sources of Attacks Changing?

• State sponsor
• Organized criminal
• Well-meaning insider
• Malicious insider

Network Threats vs. Application/User Threats

Network threats: 27% of attacks are focused here, but 90% of security investment goes here.
Application/user threats: 78% of attacks are focused here, but only 10% of security investment goes here.

Today's Threat Landscape

CLIENT-SIDE ATTACKS: Malware; man in the browser; phishing; stolen user credentials/fraud
NETWORK ATTACKS: Network DDoS attacks; reconnaissance/port scans; DNS amplification/cache poisoning; DNS attacks; botnet/SPAM
SESSION ATTACKS: Man in the middle; attacks against SSL vulnerabilities
APPLICATION ATTACKS: Application vulnerability exploits; application DDoS attacks; business logic abuse; OWASP Top 10

ATTACKS ARE DISPROPORTIONATELY TARGETING THESE AREAS: SSL encryption; user access and credentials; Layer 7 application protection; availability

How Can You Mitigate Attacks?

Sector                        | Attack                                                        | How to mitigate
Large retail companies        | Attackers stole credentials from a third-party vendor         | Apply better/stronger authentication to remote access technologies (VDI/SSL VPN)
Online payment service        | Aimed at the password change functionality of the payment site| Enabled discovery of automated attacks against this critical application function
Banking and financial services| Attacked by a multipronged DDoS attack                        | Scrubbing services and mitigation of a computational attack
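The payment-service row above says the fix was to discover automated use of the password-change function. What that discovery looks like in practice is shown in the following added example, which is not code from the presentation or from F5: it reads combined-format web access logs and flags clients whose interaction with the password-change endpoint looks scripted. The endpoint path (/account/password), the thresholds and the sample log lines are constructed assumptions.

```python
"""Detect automated abuse of a password-change endpoint from web access logs.

Added example; the endpoint path, thresholds and sample log lines are assumptions, not from the deck.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
PASSWORD_PATH = "/account/password"   # assumed path of the password-change function
WINDOW = timedelta(seconds=60)
MAX_POSTS_PER_WINDOW = 5              # a human changes a password once, not every few seconds
MIN_REJECTIONS = 3


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_automation(lines):
    """Return {client_ip: set(reasons)} for clients whose use of the password-change function looks scripted."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["path"] == PASSWORD_PATH:
            by_ip[rec["ip"]].append(rec)

    findings = defaultdict(set)
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        posts = [r for r in recs if r["method"] == "POST"]

        # Signal 1: burst of POSTs inside a sliding time window.
        start = 0
        for end in range(len(posts)):
            while posts[end]["ts"] - posts[start]["ts"] > WINDOW:
                start += 1
            if end - start + 1 > MAX_POSTS_PER_WINDOW:
                findings[ip].add("post_burst")
                break

        # Signal 2: a POST with no earlier GET of the form page from the same client.
        # Browsers fetch the form first; scripts replay the POST directly.
        seen_get = False
        for r in recs:
            if r["method"] == "GET":
                seen_get = True
            elif r["method"] == "POST" and not seen_get:
                findings[ip].add("post_without_form_fetch")
                break

        # Signal 3: repeated server-side rejections (wrong current password, bad CSRF token) from one client.
        rejected = sum(1 for r in posts if r["status"] in (400, 401, 403))
        if rejected >= MIN_REJECTIONS:
            findings[ip].add("repeated_rejections")
    return dict(findings)


def sample_log():
    """Constructed access-log lines: one genuine password change and one scripted burst. Not real traffic."""
    legit = [
        '198.51.100.23 - - [10/Mar/2016:10:00:00 +0000] "GET /account/password HTTP/1.1" 200 1843 "https://pay.example/account" "Mozilla/5.0"',
        '198.51.100.23 - - [10/Mar/2016:10:00:21 +0000] "POST /account/password HTTP/1.1" 200 512 "https://pay.example/account/password" "Mozilla/5.0"',
        '198.51.100.23 - - [10/Mar/2016:10:00:22 +0000] "GET /account HTTP/1.1" 200 2210 "https://pay.example/account/password" "Mozilla/5.0"',
    ]
    scripted = [
        f'203.0.113.7 - - [10/Mar/2016:10:01:{i * 2:02d} +0000] "POST /account/password HTTP/1.1" '
        f'{403 if i < 7 else 200} 231 "-" "python-requests/2.9.1"'
        for i in range(8)
    ]
    return legit + scripted


if __name__ == "__main__":
    for ip, reasons in detect_automation(sample_log()).items():
        print(ip, sorted(reasons))
```

Each signal alone is weak (a user with a stale tab can POST without a fresh GET), so the useful output is the combination per client; on the constructed sample the scripted client trips all three signals and the genuine user trips none. A WAF or bot-defence layer in front of the site can apply the same logic in real time, but running it over existing logs is how the automation gets discovered in the first place.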

The Hybrid Threat: Mobile phone retail company breach with a DDoS smoke screen
• DDoS attack before a giant data breach
• 2.4M customers' data stolen via a web application attack
• A more commonplace threat for Internet-connected businesses
• Especially those that house sensitive data, for example credit cards or personal information

Average Attack Size
500–999 Mbps    23%
1–10 Gbps       38%
10–50 Gbps      20%
Over 50 Gbps     6%
Unknown         12%

Attack Threats: Pay Up or Else!
April–May 2015: Emails sent to legitimate businesses with the threat of massive DDoS attacks (sample from an actual email)
• DD4BC claims ~400 Gbps
• Extortion demands starting at 25 Bitcoins
• Initially targeted Bitcoin, payment providers, and banks; now moving to other targets
• UDP amplification attacks (NTP, SSDP, DNS), TCP SYN floods, and layer 7 attacks

Web App Attacks Adversaries Use (share of web app attack incidents)

Use of stolen credentials     50.7%
Use of backdoor or C2         40.5%
SQLi                          19.0%
RFI                            8.3%
Abuse of functionality         8.3%
Brute force                    6.8%
XSS                            6.3%
Path traversal                 3.4%
Forced browsing                2.0%
OS commanding                  1.5%

"This year, organized crime became the most frequently seen threat actor for web app attacks." (Verizon 2015 Data Breach Investigations Report)

Source: Verizon 2015 Data Breach Investigations Report

Vulnerability Likelihood

[Bar chart, 0–100%: likelihood that a site carries each vulnerability class; bars range from 5% to 70%. Labels visible on the slide: Insufficient Transport Layer Protection, Brute Force, URL Redirector Abuse, Insufficient Authorization, SQL Injection.]

What Are Advanced Security Threats?

Volumetric denial of service
• Difficult to screen out at high rates
• Denies legitimate user access to the site

Computational or consumption attacks
• Artificially inflate SaaS consumption
• Require a deep understanding of what items induce delay or fault within an application

Browser-based malware
• Exists wholly outside the perimeter
• Delivers various malicious programs to users' computers

Spear phishing
• Targets specific organizations, seeking unauthorized access to confidential data
• Perpetrators are out for financial gain, trade secrets, or military information

Monitoring saturation attacks
• Overwhelm SIEM tools to disguise malicious inbound actions
• Mask data exfiltration

Advanced persistent threats (APTs)
• Targeted cybercrime of stealth over a prolonged duration
• Low-and-slow to avoid detection

A NEW SECURITY PERIMETER IS REQUIRED!

Application Attacks Hurt Your Business: Evolving Security Threats

81M monitored cyber attacks worldwide [2]
$7.7M average cost of cyber crime per company [1]
99 successful attacks per year per company [1]

Application attacks damage brand reputation, result in significant downtime and revenue loss, compromise sensitive enterprise, employee, and customer data, and breach the compliance required to conduct business online.

Sources: [1] Ponemon Institute, 2015 Cost of Cyber Crime Study; [2] IBM Security Services, 2015 Cyber Security Intelligence Index

Comprehensive Security Across a Hybrid Environment: Incorporate Threat Feeds in Cloud-Based, Network, and App Security Services

[Architecture diagram: traffic from scanners, anonymous proxies, anonymous requests, botnet attackers, DDoS attackers, and legitimate users passes through cloud, network, and application tiers, each fed by a threat intelligence feed, before reaching corporate users, financial services, e-commerce, and subscriber applications.]

Cloud: cloud scrubbing service; multiple-ISP strategy (ISP a/b)
• Volumetric attacks and floods, operations center experts, L3–7 known signature attacks, IP reputation

Network and DNS: IPS; next-generation firewall
• Network attacks: ICMP flood, UDP flood, SYN flood
• DNS attacks: DNS amplification, query flood, dictionary attack, DNS poisoning
• IP reputation

Application
• HTTP attacks: Slowloris, slow POST, recursive POST/GET
• SSL attacks: SSL renegotiation, SSL flood
• IP reputation
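The extortion slide earlier lists the DD4BC toolkit (UDP amplification via NTP, SSDP and DNS, plus TCP SYN floods) and the tier diagram above assigns those network-layer floods to the scrubbing and network tiers. Telling the two apart matters because they are mitigated differently: reflected UDP can be dropped by source port at the edge, while a SYN flood needs SYN cookies or a proxy that completes the handshake. The following added example, not code from the presentation or from F5, classifies both from flow records (NetFlow-style summaries). The record layout, thresholds and sample flows are constructed assumptions.

```python
"""Classify DDoS traffic in flow records: UDP reflection/amplification vs. TCP SYN flood.

Added example; record layout, thresholds and sample flows are assumptions, not data from the deck.
"""
from collections import defaultdict

# Reflector services named on the slides, keyed by the source port their responses arrive from.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}
MIN_REFLECTORS = 20       # distinct sources answering from one service port to the victim
MIN_AVG_BYTES = 400       # amplified responses are large; an ordinary DNS answer is ~100 bytes
MIN_SYN_ONLY = 50         # half-open handshakes against one listener
SYN_ONLY_RATIO = 0.8      # fraction of TCP flows to that port that never got past SYN


def classify_flows(flows, victim):
    """Return a list of (label, detail) findings for traffic destined to `victim`.

    Each flow is a dict with proto, src, sport, dst, dport, pkts, bytes and flags (TCP flag letters).
    """
    udp_by_sport = defaultdict(list)
    tcp_by_dport = defaultdict(list)
    for f in flows:
        if f["dst"] != victim:
            continue
        if f["proto"] == "udp":
            udp_by_sport[f["sport"]].append(f)
        elif f["proto"] == "tcp":
            tcp_by_dport[f["dport"]].append(f)

    findings = []
    # Reflection: many distinct servers of one amplifier service sending large replies to a victim
    # that never asked (the attacker spoofed the victim's address in the requests).
    for sport, fl in udp_by_sport.items():
        if sport not in AMPLIFIER_PORTS:
            continue
        reflectors = {f["src"] for f in fl}
        avg_pkt = sum(f["bytes"] for f in fl) / sum(f["pkts"] for f in fl)
        if len(reflectors) >= MIN_REFLECTORS and avg_pkt >= MIN_AVG_BYTES:
            findings.append(("udp_amplification", {
                "service": AMPLIFIER_PORTS[sport],
                "reflectors": len(reflectors),
                "avg_pkt_bytes": round(avg_pkt),
            }))
    # SYN flood: a listener sees mostly single-packet SYN-only flows from many (usually spoofed) sources.
    for dport, fl in tcp_by_dport.items():
        syn_only = [f for f in fl if f["flags"] == "S"]
        if len(syn_only) >= MIN_SYN_ONLY and len(syn_only) / len(fl) >= SYN_ONLY_RATIO:
            findings.append(("syn_flood", {
                "dport": dport,
                "syn_only": len(syn_only),
                "sources": len({f["src"] for f in syn_only}),
            }))
    return findings


def sample_flows():
    """Constructed flow records for one victim: an NTP reflection wave, a SYN flood and normal background."""
    victim = "203.0.113.10"
    flows = []
    # 30 NTP servers each streaming large responses to high ports the victim never queried from.
    for i in range(1, 31):
        flows.append({"proto": "udp", "src": f"198.51.100.{i}", "sport": 123, "dst": victim,
                      "dport": 40000 + i, "pkts": 40, "bytes": 40 * 468, "flags": ""})
    # 200 single-packet SYNs from spoofed sources against the HTTPS listener.
    for i in range(200):
        flows.append({"proto": "tcp", "src": f"192.0.2.{i}", "sport": 1024 + i, "dst": victim,
                      "dport": 443, "pkts": 1, "bytes": 60, "flags": "S"})
    # Background: 20 established HTTPS sessions and 3 ordinary answers from the victim's own resolver.
    for i in range(20):
        flows.append({"proto": "tcp", "src": f"10.0.{i}.5", "sport": 50000 + i, "dst": victim,
                      "dport": 443, "pkts": 35, "bytes": 21000, "flags": "SPA"})
    for i in range(3):
        flows.append({"proto": "udp", "src": "10.0.0.53", "sport": 53, "dst": victim,
                      "dport": 33000 + i, "pkts": 10, "bytes": 900, "flags": ""})
    return victim, flows


if __name__ == "__main__":
    victim, flows = sample_flows()
    for label, detail in classify_flows(flows, victim):
        print(label, detail)
```

The small DNS answers from a single resolver do not trip the reflection rule because both the reflector count and the packet size are normal; that is the check that keeps ordinary DNS traffic from being dropped along with the attack. The thresholds are placeholders: on a real sensor they should be set from a baseline of the victim's own traffic.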

Security Operations Center (SOC): Outsourcing DDoS Monitoring and Mitigation

Monitoring and mitigating attacks while reducing false positives requires a 24/7 staff of skilled DDoS analysts.
• Full provisioning and configuration
• Proactive alert monitoring
• Identification and inspection of attacks
• Custom and scripted mitigation
• Service level agreements on time to notify, mitigate, and escalate

Availability and support: Tier II DDoS analysts and above; active DDoS threat monitoring

Connecting the Dots

Web Application Firewall: Proven Security Effectiveness as a Convenient Cloud-Based Service
• Protect web applications and data from layer 7 attacks
• Enable compliance, such as PCI DSS
• Provide a WAF service backed by 24x7x365 support from experts

[Diagram: legitimate users and attackers reach web apps hosted in public cloud, private cloud, and physical data centers through WAF services in the cloud; L7 protection covers geolocation attacks, DDoS, SQL injection, OWASP Top Ten attacks, zero-day threats, AJAX applications, and JSON payloads; VA/DAST scans feed the policy, which can be built from third-party DAST results.]

Protect Web Apps, Anywhere: Easily Extend WAF Protections to SaaS and Cloud Apps
PROTECT WEB APPS, NO MATTER WHERE THEY RESIDE, WITH CONSISTENT POLICIES AND COMPLIANCE ACROSS HYBRID ENVIRONMENTS!

Global Threat Intelligence

Security Force
• Threat Research and Intelligence Team
• Security Operations Center
• Security Incident Response Team (SIRT)
• Security Architects and Security Consulting

• Worldwide coverage; global scope and scale; regional focus
• 24x7 team
• Sensors and honeynets
• Owned and third-party intelligence
• Darknet and other sources
• Vulnerability testing
• Research tools

Best Practices in Protecting Your Apps: Leave No Apps Unprotected
• Most attacks are at the application layer, where there is little security investment
• Many times DDoS attacks are smoke screens for app attacks
• Integrated security protects an app instance; WAFs protect all apps based on policy
• Virtual and cloud WAFs will continue to grow
• Apps migrated to clouds will be exposed to more attacks
• Mitigate app attacks using a WAF no matter where the app is located

Recommendations
• Strong focus on risk management
• Consider the sources of attacks
• Reduce the impact of user-facing threats
• Develop strong application security
• Improve visibility across threat vectors