Attacker POV to computer networks Attacker profiles and ...users.jyu.fi/~timoh/TIES327/L3.pdf ·...

13.11.2013 PVTTEIOS – Simo Huopio – [email protected]

Page 1

Agenda

•  Attacker POV to computer networks
•  Attacker profiles and public cases
•  Fuzzing and fuzzing tools
•  Modeling and simulation

Page 2

Simo Huopio

•  M.Sc. (HUT 1999)
•  Work: VTT, F-Secure, Nokia, PVTT
•  Embedded systems, product security, UX/usability, vulnerability testing

Page 3

PVTT EIOS

•  PVTT: Defence Forces Technical Research Center
   –  Personnel count ~175 at Riihimäki & Ylöjärvi
   –  Weapons Technology, Explosives and CBRN Protection Technology, and Electronics & Information Technology (EIOS) divisions
   –  From 2014 on: FDF Research Center
•  EIOS research teams:
   –  Radiofrequency Sensors
   –  Electronic Warfare
   –  C4 Systems
   –  Operational Analysis

Page 4

Part 1: Attacker POV to computer networks

Page 5

Why attacker POV?

•  Necessary in order to be a good defender:
   –  Network (service) administrator
   –  Networked device manufacturer
   –  Every computer owner (I wish)
   –  Applies naturally to the manufacturer and user of any technical defence equipment

Page 6

Steps within attacker POV

•  Attack preparation
•  Example cases
•  More creative examples

Page 7

Attack preparations: Target intelligence

•  Gathering of all relevant data regarding the target
•  First step: OSINT = Open Source Intelligence
   –  Historically: newspapers, news services, radio and TV broadcasts, public discussion
   –  Internet domain: following the traditional media, the network fingerprint of companies, associations and individuals
•  Next in line: more active data acquisition

Page 8

OSINT – under the surface

•  Search engine results (behind the obvious)
•  WWW page source code, metadata
   –  Tools, versions, usernames, service analytics, bugs
•  Old versions of the pages
   –  archive.org, search engine caches
•  Real people and companies connected to the pages
   –  Domain registration; company, trademark and patent registration; distinct search services
   –  Names, addresses, telephone numbers, email & web addresses, VAT & company id numbers

Page 9

OSINT – Social Media

•  The rate of self publishing through social media has exploded

•  Multitude of services, complex approach to privacy

•  Slips between the private and work domains

•  Data mining, contact graphs
•  Trends: location, ”social media login”

Page 10

OSINT – Information leaks

•  From intranet to public Internet
   –  Externalized communication
      •  eMail/Calendar/Contacts, telco/meeting services
   –  Extranets
   –  ERP systems
•  Often a configuration error or user mistake
•  How to find: creative use of search engines, dedicated search engines
•  Intentional leaks / whistleblowers

Page 11

Tool example: Maltego

Page 12

Active information gathering

•  An attack by itself, so over the legality boundary
•  Natural targets for deeper analysis
   –  Wireless networks with insufficient protection
   –  Unpatched/old software
   –  Configuration errors in server software
   –  Users (workstations and social engineering)
   –  Etc.

Page 13

Example: Hostile WLAN router

•  Man-in-the-middle attack on the users
•  Stealing the connection attempts and sessions of the real router's users
•  Easy to deploy where ”free internet” is available
•  Tools available for
   –  Traffic capture/analysis
   –  Stealing the sessions and credentials
   –  Providing malicious software updates
•  Defences
   –  Heavy-duty end-to-end protection
   –  Close monitoring of the used security certificates (e.g. https/SSL)
   –  Authentication of trusted WLAN access points (WPA2 XXX)

Page 14

Page 15

Example: Generic malware

•  Targets: workstations, smartphones, embedded systems...
•  Distribution via spam, www pages and directly
•  Infected computers are used for
   –  Sending spam and/or malware
   –  Information gathering from the workstation and the network
   –  Generic purpose evilness as a bot in a botnet
•  Commercial activity: all phases are available as a service with support and analytics
•  Defences
   –  Keeping software up to date, anti-virus
   –  Rigorous security policy
   –  Separation of admin accounts and normal usage

Page 16

Example: Attacking an individual person/organization

•  E-mail with infected attachment/link, apparently sent from a trusted partner
•  Target: acquisition of specific information
•  Challenging from the defender's perspective
   –  Attack code can be quality tested and checked against the most recent anti-virus databases
   –  Forged SSL certificates can be used to reduce doubts
   –  Zero-day vulnerabilities may be used for high-profile targets
   –  As the messages used are neither spam nor mass mailed and the malware does not spread autonomously, the attack can easily go unnoticed
•  Defence
   –  Restrictions on email attachments
   –  Well-configured firewalls (both on workstations and on the perimeter)
   –  Avoiding storing passwords in browsers/clients
   –  Clear, enforced policy on protected data

Page 17

Example: Attacking a server

•  Getting access to an internet-connected server by active means
•  Software vulnerabilities, configuration errors, asymmetry on the attacker's side
•  Information theft, access to other systems within the company, malware distribution, blackmailing, publicity
•  Defence
   –  Efficient update and security policies
   –  Prepared and rehearsed approach to successful attacks

•  Publicity seeking actors: Anonymous, LulzSec..

Page 18

Advanced Persistent Threat (APT)

•  Generic term / buzzword for a directed, tailored attack campaign
•  Goal is usually data exfiltration; can also be used for sabotage and data manipulation
•  Attack vector is usually a combination of social engineering and custom malware

Page 19

APT – Definition (2)

•  Advanced – well prepared, tailored, professional
•  Persistent – long term, no hurry, secured access, redundancy & diversity
•  Threat – target selection: nation states, defence & high-tech industry

Page 20

APT – Defence (3)

•  Gather logs, learn how to persistently follow them, and do it
•  Plan and know your network so you can see the anomalies
•  Force the attacker to take risks
•  Plan and rehearse for attacker success

Check/contact CERT-FI for further notes

Page 21

It is worth remembering...

Page 22

Creative examples..

Page 23

”USB Rubber duck”

$80 USB stick which pretends to be a computer keyboard and quickly executes predefined commands on the host machine (hak5.org)

Page 24

”USB rubber duck” in detail

•  Internally the HW is e.g. a Teensy or Arduino board with extended USB capability
•  USB HID profile in use (works also when the USB mass storage profile is blocked)
•  Example script functionalities (Kautilya)
   –  Open a browser with a hidden window on page X
   –  Open a text file from a URL, decode it and execute it as a program
   –  Activate ”Win7 Hosted Network” + backdoor (ADMIN)
   –  Access the attacker AP and open a URL (ADMIN)
•  Restriction: the HID profile is one-directional; a return channel has to be arranged separately

Page 25

Creative use of mobile phones

ANTI: pentest tool for Android devices

Aircrack-ng on mobile: OSS tool for cracking WLAN-passwords

Page 26

(Ancient) mobile phones..

Metasploit toolkit, BackTrack 5

Page 27

SkyNET

“a 3G-enabled mobile attack drone and stealth botmaster”

Cost 600 USD

Speciality: Autonomous operation with predefined plan and message passing within the swarm

(USENIX 8/2011)

Page 28

Hobbyist drone which breaks into and eavesdrops on WLAN and GSM networks. Cost 6500 USD (DEF CON 19, 8/2011)

Page 29

Car as a target?

•  Practically all essential functionality of a modern car is controlled by microcontrollers
•  Typically all controllers are networked on the same bus (CAN)
•  External attack surface: wireless connectivity for sensors, entertainment, service; CAN connectors in insecure locations; media files

Page 30

Car as a target? (2)

Page 31

Car as a target? (3)

•  Results:
   –  Devices on the CAN bus are very vulnerable
   –  CAN segmentation weak
   –  Many viable vectors: OBD-II, CD, WiFi, Bluetooth, TPMS, mobile
   –  Controlling brakes, cruise control..
•  Exploitation needs lots of work and results are car/model specific
•  www.autosec.org
•  DEF CON 21 / Miller & Valasek

Page 32

Part 1: Q&A?

Page 33

Part 2: Public attack examples

Page 34

Public attack examples

Page 35

Actors

•  Criminals
•  Hacktivists
•  Nation states

Page 36

Actors: Criminals

•  Motivation?
   –  Everything worth money: CC info, bank credentials, spam, blackmail, bitcoin mining
   –  Reputation
•  Botnets as the primary tool
   –  Usage: DDoS, spam, malware distribution
   –  Fierce R&D efforts and a concurrent race with OS vendors, app vendors and security researchers on
      •  Distribution mechanism
      •  Command & Control
      •  Hiding the activity and the malware binaries; obfuscation
   –  All stages available as a service
•  Challenges:
   –  Trusting clients and partners, money transfers, mistakes

Page 37

Actors: Hacktivists

•  Motivation?
   –  Ideology, need to influence society
   –  Reputation and lulz
•  Tools
   –  Everything that is available
   –  Most effective ”weapon” is still the available time and motivation of the individuals
•  Challenge
   –  Double life
   –  Parents ;-)

Page 38

Actors: Nation States

•  Motivation?
   –  Political targets and pressure
   –  National defence
   –  Credibility and reputation
•  Professional approach
   –  Proper planning and intelligence
   –  Testing and quality control
   –  (Depending on the actor) the top professionals, resources and knowledge available
•  Challenges
   –  Laws and international treaties
   –  High risk in active pervasive operations, negative publicity
   –  The professionals do not necessarily have the top skills

Page 39

Public examples

•  Project Aurora
•  Stuxnet (/Duqu/Flame/Gauss/XX)
•  Shady RAT
•  Red October
•  Leaked NSA operations

Page 40

Project Aurora

•  Time: second half of 2009
•  Target: big US tech companies (Google, Adobe, Juniper, Symantec, Northrop Grumman, Morgan Stanley, Dow Chemical, etc.)
•  Result:
   –  Lots of stolen IP: source code, plans, analysis
   –  Possible malicious changes to product source code

Page 41

Project Aurora (2)

•  Very sophisticated attack: zero-day vulnerabilities used in e.g. Internet Explorer and Perforce
•  SSL C&C connection to USA & Taiwan
•  Allegedly part of a longer campaign by the PRC

Page 42

Stuxnet

•  Internet worm found in June 2010
•  Allegedly part of the US and Israeli ”Olympic Games” project which aimed to delay the nuclear program of Iran
•  Technical target is SCADA:
   –  Windows workstations where certain software is run (PCS7, WinCC & STEP7)
   –  Main target: Siemens S7-300 PLC with a specific configuration, e.g. Vacon frequency converters
   –  > A configuration which is used to control uranium enrichment at the Natanz nuclear research facility, Iran

Page 43

Stuxnet (2)

•  Not the first CNO against SCADA but the most sophisticated so far:
   –  Several zero days used
   –  The first PLC rootkit
   –  Multitude of cloaking and spreading mechanisms
   –  Remarkably big for a malware

Page 44

Duqu, Flame, Gauss, XX

•  Several Stuxnet-related malware have been found
•  Many commonalities within the family
   –  Modular design, found to share modules
   –  Partially share the same C&C channel
   –  Many zero days used per specimen
   –  Logic implemented using Lua

Page 45

Duqu, Flame, Gauss, XX

•  Evident signs of long-lasting professional software development
   –  Version development of modules
   –  Multitude and version changes of compiling tools
   –  Timeline analysis of the variants suggests a single development team
•  (At least) one variant still unidentified

Page 46

Shady RAT (2011)

•  An operation active since 2006
•  RAT = Remote Access Tool
•  Allegedly very big, targeting at least 72 organizations: US defence contractors, UN, Olympic committee
•  Abnormal amount of exfiltrated data

Page 47

Red October (2013)

•  Another advanced cyberespionage campaign

•  Specialties: also targets mobiles, relied on Java vulnerabilities, large number of C&C and exfiltration domains

•  Operational since 2007

Page 48

Page 49

Snowden revelations

•  NSA SIGINT operations have been massive:
   –  “Upstream” for wholesale surveillance of fibers in the US (“Room 641A”)
   –  “PRISM” for SIGINT collection directly from the US internet companies' servers
   –  “XKeyScore” for sifting the massive amount of gathered data

Page 50

Snowden revelations (2)

•  Many CNE operations revealed, e.g.
   –  BELGACOM telco hacking (“OP SOCIALIST”) by GCHQ/NAC
   –  Long-time monitoring/tapping of many nation state leaders (e.g. Angela Merkel) by NSA
•  Technology: “Quantum Insert” by redirecting traffic to a trojanised version of a common website in the Internet trunk network

Page 51

”2011 - Year of Hack”

Page 52

”2012 – not much better”

Page 53

”2013 – Snowden/NSA, #UMhack”

Page 54

Part 2: Q&A?

Page 55

Part 3: Fuzzing?

Page 56

Why robustness testing?

•  Quality control (own products)
•  Trust (products in use)
•  Security (white hat research)
•  Attack preparation (black hat research)

Page 57

Fuzzing?

•  Fuzzing is a process where one tries to break the target software by doing something unpredictable to it
•  In order to fix or exploit the bugs in software they have to be found first. Many exploitable bugs manifest themselves by crashing the software
•  The most common externally triggered errors are caused by errors in input processing
•  The challenge is to find suitably broken input in a sensible time. The input space grows exponentially!

Page 58

Requirement vs. Implementation

[Diagram with the columns Definition, Implementation and Result. Labels: Positive requirements, Undefined area, Negative requirements; Wanted functionality, Unwanted functionality; Actual functionality]

Page 59

Black Box?

•  In so-called black box testing one doesn't care about the internal structure or the mechanisms of the target
•  The target's behaviour on different inputs is observed by comparing it to the wanted or expected behaviour

Page 60

White box?

•  In the white box approach the internal structure and mechanisms of the target are known and can be used for the testing
•  E.g. use of the source code, build-time instrumentation of executable code, etc.

Page 61

How to fuzz 1: Planning

•  SUT?
•  Target?
•  Time and other resources available?
•  Black-/Whitebox?
•  Interfaces & how to inject?
•  Instrumentation?
•  Reporting?

Page 62

How to fuzz 2: test setup

[Diagram of the test setup. Labels: SUT, Test workstation, Target environment, Test data input, SUT monitoring, Interface under test]

Page 63

How to fuzz 3: Going through the test material

[Flow diagram of the test loop: Create test data → Inject test data → Monitor SUT → SUT OK (next test case) / Deviation detected → Save error case]

Page 64

How to fuzz 4: Closer analysis of the findings

•  Repeating the test case
•  Reducing the needed input in the case
•  Analysis of the seriousness of the bug
•  Reporting and further work
   –  White box
      •  Finding (and fixing) the bug in the code
   –  Black box
      •  SUT robustness analysis
      •  Exploitation analysis
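The four "How to fuzz" steps above (a valid seed and the interface to inject into, the create/inject/monitor loop that saves each error case, then repeating and reducing the finding) in one runnable script, as an added example that is not part of the original lecture material. The system under test is a constructed toy record parser with two planted input-processing bugs; the record format, crash buckets, mutators and the greedy reduction are this example's own choices, not any specific fuzzing tool's.

```python
import random
import traceback

# --- System under test (constructed toy parser, not from the lecture) ---
# Assumed record format: b"RC" | name_len (1 byte) | name | checksum (1 byte)
MAGIC = b"RC"

def parse_record(data: bytes) -> dict:
    """Parses one record. Planted input-processing bugs: the declared length is
    trusted (IndexError when it points past the end) and an empty name divides by zero."""
    if data[:2] != MAGIC:
        raise ValueError("bad magic")            # clean rejection: expected behaviour
    name_len = data[2]                            # IndexError if the record is only 2 bytes
    name = data[3:3 + name_len]
    checksum = data[3 + name_len]                 # IndexError when name_len overruns the input
    if sum(name) % 256 != checksum:
        raise ValueError("bad checksum")          # clean rejection
    return {"name": name.decode("ascii"),         # UnicodeDecodeError is a ValueError: rejection
            "avg": sum(name) // len(name)}        # ZeroDivisionError when name_len == 0

# --- Monitoring: decide whether the SUT deviated and bucket the deviation ---
def run_target(data: bytes):
    """Returns None when the SUT accepts or cleanly rejects the input, otherwise a
    crash bucket 'ExceptionType@function:line' so duplicates are saved only once."""
    try:
        parse_record(data)
    except ValueError:
        return None
    except Exception as exc:                      # any other exception counts as a crash
        frame = traceback.extract_tb(exc.__traceback__)[-1]
        return f"{type(exc).__name__}@{frame.name}:{frame.lineno}"
    return None

# --- Test data creation: mutation-based, starting from one valid seed ---
INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]      # boundary values that often break length fields

def mutate(seed: bytes, rng: random.Random) -> bytes:
    data = bytearray(seed)
    for _ in range(rng.randint(1, 3)):            # stack a few mutations per test case
        op = rng.randrange(5)
        if op == 0 and data:                      # flip one bit
            i = rng.randrange(len(data))
            data[i] ^= 1 << rng.randrange(8)
        elif op == 1 and data:                    # overwrite a byte with a boundary value
            data[rng.randrange(len(data))] = rng.choice(INTERESTING)
        elif op == 2:                             # insert a random byte
            data.insert(rng.randint(0, len(data)), rng.randrange(256))
        elif op == 3 and len(data) > 1:           # delete a byte
            del data[rng.randrange(len(data))]
        else:                                     # truncate
            data = data[:rng.randint(0, len(data))]
    return bytes(data)

# --- The loop: create -> inject -> monitor -> save error case ---
def fuzz(seed: bytes, iterations: int, rng_seed: int = 1) -> dict:
    """Runs the fuzzing loop; returns {bucket: first input that triggered it}."""
    rng = random.Random(rng_seed)                 # seeded so a run can be repeated exactly
    findings = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        bucket = run_target(case)
        if bucket is not None and bucket not in findings:
            findings[bucket] = case               # save the error case for closer analysis
    return findings

# --- Closer analysis: repeat the case and reduce the needed input ---
def reduce_case(case: bytes, bucket: str) -> bytes:
    """Greedy one-byte reduction: drop any byte whose removal keeps the same crash bucket."""
    assert run_target(case) == bucket, "finding does not reproduce"
    changed = True
    while changed:
        changed = False
        for i in range(len(case)):
            candidate = case[:i] + case[i + 1:]
            if run_target(candidate) == bucket:
                case, changed = candidate, True
                break
    return case

# Constructed valid seed: name "ab", checksum (97 + 98) % 256 = 195
SEED = MAGIC + bytes([2]) + b"ab" + bytes([195])

if __name__ == "__main__":
    for bucket, case in fuzz(SEED, 2000).items():
        print(bucket, case, "->", reduce_case(case, bucket))
```

Each bucket keys on exception type and crash line, so the two planted bugs land in separate buckets even when hundreds of mutated inputs trigger them.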

Page 65

Attack/Injection vectors

[Diagram of injection vectors; Finnish labels translated. Labels: Graphics libraries, Memory management; System calls, Network API; NFS, CIFS, iSCSI, RPC; Applications; TLS / SIP; IP; Bt, WLAN; Files / Media, Filesystem, Applications / GUI; Net; Wireless; USB, FW; Peripheral connectivity; Power supply, I2C, JTAG, buses, I/O; Internal embedded hw interfaces]

Page 66

Where’s the bug?

Page 71

Where’s the bug?

ISO OSI base     | Internet realization                                                            | Network components                      | Addressing                                                                  | Endpoint components
7 Application    | Application layer (Services X,Y,Z..)                                            | Gateway, Firewall, IDS/IPS (layers 4-7) | Application URL, E-Mail address, Torrent file (+layers within app protocol) | Client, Server, Proxy, local Firewall
6 Presentation   |                                                                                 |                                         |                                                                             |
5 Session        |                                                                                 |                                         |                                                                             |
4 Transport      | Transport layer (TCP/UDP)                                                       |                                         | (IP+) Port number                                                           | TCP/IP Stack; Firewall, IDS/IPS
3 Network        | Network layer (IP)                                                              | Router, Firewall, IDS/IPS               | IP Address                                                                  | TCP/IP Stack
2 Data link      | WAN, Ethernet, WLAN                                                             | Switch                                  | MAC Address                                                                 | NIC FW + Driver
1 Physical       | Medium (wire, optical cable, air, etc.); Modulation/Coding; Physical/Mechanical | Repeater, Hub                           |                                                                             | NIC HW

Page 73

Where’s the bug?

Endpoint drill-down, diagram labels only: Client, Server, Proxy, local Firewall; TCP/IP Stack; OS/Browser: HTTP; Plugin: Adobe Flash; Browser: Javascript.

Page 75

Where’s the bug?

Protocol handling stages, diagram labels only (repeated for each layer of the stack): Format & Syntax check; Semantic analysis; State machine; Output.

Page 77

The challenges in injecting on a network environment

•  Application protocols are ”deep”
   –  Encryption and authentication
   –  Compression
   –  Web application GUI
•  A ”soft” application protocol is usually exploitable in a straightforward way

Page 78

In practice

•  The above-mentioned challenges apply especially to server software
•  When testing clients, most of the fuzzing is done locally
   –  File formats (media, XML, etc.)
   –  Server controlled by tester
   –  Checksum and signing challenges apply also locally
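The checksum point above, as an added Python example (not from the slides): a constructed frame format with a CRC-32 trailer stands in for any checksummed or signed protocol, and the same campaign is run twice, once mutating the finished frame and once mutating the payload and rebuilding the checksum, to show why the integrity layer has to be handled by the test harness. The format and all names are this example's assumptions.

```python
import random
import zlib
from collections import Counter

# Constructed frame format, not from the slides: <payload><crc32 big-endian>, with
# payload "key=value;key=value". It stands in for any checksummed or signed protocol.
def build_frame(payload: bytes) -> bytes:
    return payload + zlib.crc32(payload).to_bytes(4, "big")

def checked_sut(frame: bytes) -> dict:
    if len(frame) < 4:
        raise ValueError("short frame")
    payload, crc = frame[:-4], frame[-4:]
    if zlib.crc32(payload) != int.from_bytes(crc, "big"):
        raise ValueError("bad checksum")  # the integrity layer; nothing below runs
    fields = {}
    for item in payload.split(b";"):
        key, _, value = item.partition(b"=")
        fields[key.decode("latin-1")] = value.decode("latin-1")
    if "ttl" in fields and not fields["ttl"].isdigit():
        raise ValueError("ttl not numeric")  # parser logic, reachable only past the CRC
    return fields

# Classify one injection: expected rejections by reason, deviations by exception type.
def outcome(frame: bytes) -> str:
    try:
        checked_sut(frame)
        return "parsed"
    except ValueError as exc:
        return str(exc)
    except Exception as exc:
        return type(exc).__name__

def flip_bit(data: bytes, rng: random.Random) -> bytes:
    out = bytearray(data)
    out[rng.randrange(len(out))] ^= 1 << rng.randrange(8)
    return bytes(out)

# fixup=False mutates the finished frame, so the checksum is never right and the
# parser is never reached; fixup=True mutates the payload and rebuilds the frame.
def campaign(payload: bytes, cases: int, fixup: bool, seed: int = 1) -> dict:
    rng, seen = random.Random(seed), Counter()
    for _ in range(cases):
        if fixup:
            frame = build_frame(flip_bit(payload, rng))
        else:
            frame = flip_bit(build_frame(payload), rng)
        seen[outcome(frame)] += 1
    return dict(seen)
```

A single flipped bit is always caught by CRC-32, so the naive campaign reports nothing but "bad checksum"; with a signature instead of a CRC the harness would need the signing key (or a test build that skips verification) to get the same effect.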

Page 79

Tool example: Radamsa – ”pack of fuzzers”

http://code.google.com/p/ouspg/wiki/Radamsa
Large parts © Aki Helin / OUSPG

Page 80

Radamsa?

•  Unified command line front end to a versatile group of fuzzing algorithms
•  Handles fuzzer selection, file and network I/O, test and source material logistics
•  Two main modes
   –  Generating test material to a set of files
   –  Feeding/offering test material to network clients/servers

Page 81

<clip clip>

•  The rest of the Radamsa slides are removed from the shared version
•  Further information about Radamsa at http://code.google.com/p/ouspg/wiki/Radamsa and from the author Aki Helin / OUSPG

Page 82

Part 3: Q&A?

Page 83

Part 4: Simulating network attacks

Page 84

Simulating network attacks

•  Why model & simulate?
•  Different approaches
•  Key-Challenge Petri Net (KCPN)

Page 85

Questions by Administrators

•  How could an attack affect my network?
•  What could be an optimal way for protection?
•  What are the priorities between the distinct fortification efforts?
•  In order to get answers one can
   –  Apply standards and audit results
   –  Try, make mistakes and learn
   –  Model and simulate

Page 86

Why model and simulate?

•  Flexible way to go through different scenarios

•  When a working model is achieved it can be used to get quick answers to new kinds of questions

Page 87

Traditional approaches

•  Attack graphs
   –  Make very detailed analysis possible but in practice do not scale to larger systems
•  Network simulators
   –  In many products simulating the security side is very limited
•  Role playing
   –  Creative way to get information out of the group of experts

Page 88

KCPN model

•  “Golden mean” level of abstraction
   –  CIA: Confidentiality, Integrity, Availability
   –  Attacker actions are abstracted
•  Best ideas combined
   –  The ability to examine the details of attack graphs
   –  Usability of network simulators
   –  Flexibility of state machines
   –  Scalability from hierarchy

Page 89

KCPN model: example

Page 90

KCPN model: topology

Page 91

KCPN model elements

•  Input Gate – key challenge to the attacker
•  Instantaneous Activity – state transition
•  Output Gate – key distribution
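The three elements above, as an added Python illustration (not from the slides or from the KCPN paper): an activity fires when the attacker holds every key its input gate demands, and its output gate then hands out new keys. That firing rule, the topology and all names are this example's assumptions; the second function answers slide 85's prioritisation question by finding the activities whose removal alone denies the goal.

```python
# Activity = (name, keys the input gate demands, keys the output gate hands out).
# The firing rule is this example's reading of the three elements, not the paper's.
def activity(name: str, needs, grants) -> tuple:
    return (name, frozenset(needs), frozenset(grants))

def simulate(net: list, start: set) -> tuple:
    """Fire instantaneous activities until no input gate can be satisfied.
    Returns the keys the attacker ends up holding and the firing order."""
    keys, fired = set(start), []
    progress = True
    while progress:
        progress = False
        for name, needs, grants in net:
            if name not in fired and needs <= keys:  # input gate: key challenge met
                keys |= grants                        # output gate: key distribution
                fired.append(name)                    # instantaneous activity fired
                progress = True
    return keys, fired

def single_point_fortifications(net: list, start: set, goal: str) -> set:
    """Activities whose removal alone denies the goal key: the places where one
    fortification effort changes the outcome (the prioritisation question of slide 85)."""
    if goal not in simulate(net, start)[0]:
        return set()
    blocking = set()
    for act in net:
        keys, _ = simulate([a for a in net if a is not act], start)
        if goal not in keys:
            blocking.add(act[0])
    return blocking

# Constructed topology (assumed, not the slides' example): a DMZ host in front of an
# internal database, with two routes from the DMZ into the internal network.
EXAMPLE_NET = [
    activity("reach_perimeter", ["internet"], ["net_dmz"]),
    activity("compromise_dmz_host", ["net_dmz"], ["shell_dmz"]),
    activity("pivot_from_dmz_host", ["shell_dmz"], ["net_internal"]),
    activity("misconfigured_dmz_route", ["net_dmz"], ["net_internal"]),
    activity("harvest_db_credential", ["shell_dmz"], ["db_cred"]),
    activity("read_database", ["net_internal", "db_cred"], ["confidentiality_lost"]),
]
START = {"internet"}  # what the modelled attacker holds before anything fires
```

Because the internal network is reachable over two routes, closing only one of them is not in the result set, which is exactly the kind of answer the slides expect a model to give an administrator.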

Page 92

KCPN model in simulator

Page 93

KCPN model: hierarchy

Page 94

KCPN vs. SAN

•  Coloring of the places and hierarchy (HCSAN)
•  CIA attributes and their analysis
•  Key challenge functionality on state input gates

Page 96

KCPN - realism

•  The model is flexible but the fact that real world networks are very hard to simulate hasn’t gone anywhere

•  At the moment KCPN is an academic idea – further development and verification is needed!

Page 97

Usage

•  To ”smarten up” the protective measures of complex networks
•  To get deferred benefit in planning of a network attack
   –  Cf. operational analysis of traditional warfare

Page 98

Summary

Page 99

Take-aways

•  It is very hard to protect a service or a product connected to a public network. It is best to plan for a successful attack
•  In addition to having an R&D process that can produce secure code, continuous robustness testing helps to find and fix vulnerabilities before anyone else does

Page 100

Take-aways (2)

•  The most sophisticated attacks are professionally planned and executed: well planned on top of solid intelligence, tested against the probable AV products, zero-day vulnerabilities,

•  By modelling and simulating one can find the weakest points of the protected network and concentrate the efforts to fortify them.

Page 101

Thank you. Questions?

[email protected]
