Botnets
How are we protecting our organisations from being part of such a phenomenon
Clinton Cutajar
Team Leader – Information Security
Personal Background
Location – Malta, Europe
Academic
• M.Sc. Information Security
• B.Sc. IT (Hons) in Computer Science and AI
Industrial
• Check Point
• Juniper
• Cisco
• CISA
• CompTIA+
Computime Ltd - Malta
• Established in 1979.
• Systems integrator – 90 employees.
• Dedicated Systems, Networking and Information Security teams.
• Projects in Malta, Europe and North Africa.
• Clientele – banks, insurance agencies, financial, government, education and more.
• Partners with Check Point, Juniper, Cisco, Splunk, Vasco, etc.
What is a Bot?
• A malicious piece of software with the ability to communicate with a command-and-control (C&C) infrastructure.
• Communication with the C&C allows the bot agent to receive new instructions and new malicious capabilities (in plain text or encrypted).
• As soon as the compromised host is linked into a botnet via that C&C, it becomes an unwilling participant in Internet crime.
Attacking Behaviour
• The methods botmasters use to achieve their ultimate goals:
• Infecting new hosts
• Stealing personal information
• Phishing and SPAM proxy
• DDoS
Infecting new hosts
• Several methods of delivering the bot agent to the victim:
• Compressed attachments
• Encrypted attachments
• Drive-by download
• Infected USB drives
• Exploiting vulnerabilities within applications that allow remote code execution
Stealing Personal Information
• Banking details, social security numbers, etc.
• Details sold on to crime masterminds.
• Methods used to steal data:
• Key loggers
• MiB (Man in the Browser) attack
• Camera shots
Phishing and Spam proxy
• SPAM is the process of flooding the Internet with multiple copies of the same unsolicited message.
• Mostly related to sex/dating and pharmaceutical products.
• Phishing makes use of fake emails that route victims to bogus websites in order to steal login credentials.
• The botmaster can sell SPAM services to third parties, using the infected hosts to send the mails.
Distributed Denial of Service (DDoS)
• A DoS (Denial of Service) attack seeks to render target systems inaccessible by exhausting their network or system resources.
• A DDoS attack is a DoS generated from many different locations around the globe, making it difficult to isolate the particular IP addresses generating the malicious traffic.
• DoS targets availability; confidentiality and integrity are not affected.
Communication Protocols
• IRC
• HTTP
• IM
Centralised (Star) Model
• The botmaster selects a single high-bandwidth host (usually compromised) to act as the C&C.
• The infected host is preconfigured to "phone home" to this central C&C, registering itself as a botnet member and awaiting new instructions.
• Advantages:
- Rapid (low latency) data transfer (commands and stolen data) due to direct communication
- Easy to implement
- Scalable to support large botnets
• Disadvantages:
- Blocking the central C&C shuts down the whole botnet.
Decentralised (Distributed) Model
• Integrates peer-to-peer (P2P) concepts into the malicious software, increasing scalability and availability and making the botnet more resilient.
• The size of a P2P botnet is difficult to estimate, and shutting one down is hard because there is no central hub that can be pinpointed and disabled.
• The communication system does not rely on a single centralised server (which is easier to detect and shut down); peers themselves serve as the C&C destination.
Rallying Mechanism
• The method by which new bots locate and join the botnet. There are mainly three mechanisms a bot can use to locate its C&C server:
• Hard-coded IPs
• Dynamic DNS domain
• Dynamic DNS servers
Evasion Techniques
• Evasion techniques are ways of preventing detection mechanisms from identifying the communication between the bot-infected host and the C&C:
• Covert channels
• VoIP
• Skype
• IPv6
• Fluxing
Evasion Techniques – Covert Channels
• Covert channels are ways of transferring instructions to the infected host without being detected.
• Instructions are embedded in otherwise valid web objects, pages and documents.
• Popular covert channels:
• JPG images (in the EXIF information)
• Microsoft Word 2007 files (XML metadata)
• LinkedIn and Twitter status updates
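The EXIF case above is worth seeing at byte level, because the picture renders perfectly while the instruction sits in a metadata segment that no viewer shows. The following is an added example, not code from the presentation or from any vendor product: it assembles a constructed JPEG whose Exif ImageDescription carries a bot command, then scans every APPn/COM segment for printable text and flags strings that contain an IP address, host:port pair or URL. The heuristic in SUSPICIOUS and the sample bytes are assumptions made for this example.

```python
import re
import struct


def build_tiff_with_description(text: bytes) -> bytes:
    """Build a minimal big-endian TIFF (the structure Exif wraps) whose only
    IFD entry is ImageDescription (tag 0x010E, type 2 = ASCII) holding `text`.
    Layout: 8-byte header, 2-byte entry count, one 12-byte entry, 4-byte
    next-IFD pointer (0), then the NUL-terminated string at offset 26."""
    value = text + b"\x00"
    header = b"MM\x00\x2a" + struct.pack(">I", 8)          # big-endian, IFD0 at 8
    ifd = struct.pack(">H", 1)                              # one entry
    ifd += struct.pack(">HHII", 0x010E, 2, len(value), 26)  # tag, type, count, offset
    ifd += struct.pack(">I", 0)                             # no next IFD
    return header + ifd + value


def build_jpeg(segments) -> bytes:
    """Assemble a JPEG from (marker, payload) pairs: SOI, the given metadata
    segments, then an empty SOS and EOI. No image data is included because
    the scanner below stops at SOS anyway."""
    out = b"\xff\xd8"
    for marker, payload in segments:
        out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return out + b"\xff\xda" + struct.pack(">H", 2) + b"\xff\xd9"


def jpeg_metadata_segments(data: bytes):
    """Yield (marker, payload) for every marker segment before the scan data
    (SOS, 0xDA). APP0-APP15 (0xE0-0xEF) and COM (0xFE) carry metadata."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xDA:
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            raise ValueError("bad segment length at offset %d" % pos)
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def hidden_text(data: bytes, min_len: int = 8):
    """Return (segment, string) for every printable-ASCII run of at least
    min_len bytes found in APPn or COM segments, in file order."""
    pattern = re.compile(rb"[ -~]{%d,}" % min_len)
    found = []
    for marker, payload in jpeg_metadata_segments(data):
        if 0xE0 <= marker <= 0xEF:
            name = "APP%d" % (marker - 0xE0)
        elif marker == 0xFE:
            name = "COM"
        else:
            continue  # DQT, SOF, DHT etc. hold no free text
        for m in pattern.finditer(payload):
            found.append((name, m.group().decode("ascii")))
    return found


# Heuristic (an assumption for this example): camera metadata rarely contains
# an IPv4 address, host:port pair or URL, so such strings are worth an alert.
SUSPICIOUS = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b|https?://|:\d{2,5}\b")


def suspicious_commands(data: bytes):
    return [s for _, s in hidden_text(data) if SUSPICIOUS.search(s)]


# Constructed sample, not a real capture: a JFIF header, an Exif block whose
# ImageDescription carries a bot instruction, and a harmless comment.
SAMPLE = build_jpeg([
    (0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"),
    (0xE1, b"Exif\x00\x00" + build_tiff_with_description(b"ddos 203.0.113.9:80 300")),
    (0xFE, b"Shot with ExampleCam 2.0"),
])

if __name__ == "__main__":
    for seg, text in hidden_text(SAMPLE):
        print(seg, repr(text))
    print("suspicious:", suspicious_commands(SAMPLE))
```

Run it against a directory of downloaded images and the benign COM string shows why a plain "any text in metadata" rule is too noisy: the value of the check lies in the pattern filter, and a real bot would encrypt or encode the instruction, which is why vendors pair such content checks with the DNS, IP and traffic-pattern checks discussed later.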
Evasion Techniques – Fluxing
• A way of resolving the C&C location that also provides failover resilience.
• Two types of fluxing:
• IP flux: rapidly changing the IP addresses that a domain resolves to.
• Domain flux: rapidly changing the domain names that point to a particular IP.
• Both techniques are used by professional botmasters.
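Both the rallying mechanisms listed earlier and the two flux types leave traces in the resolver logs, which is where a defender can see them without any vendor feed. The following is an added example, not code from the presentation: over a constructed DNS log it flags IP flux (one name, many short-TTL answers), domain flux (a client whose lookups are mostly NXDOMAIN because it is walking a generated list) and, as a lexical assumption of this example rather than a vendor rule, labels that look machine-generated. Thresholds, names and addresses are all assumptions.

```python
from collections import Counter, defaultdict

# Constructed resolver log, not real data: (time_s, client, qname, rcode, ttl, answer).
# Names use the reserved .example TLD and addresses come from the documentation ranges.
DNS_LOG = [
    # Ordinary traffic: one stable answer with a long TTL.
    (0,   "10.0.0.5", "www.example", "NOERROR", 3600, "198.51.100.10"),
    (900, "10.0.0.5", "www.example", "NOERROR", 3600, "198.51.100.10"),
    (950, "10.0.0.5", "mail.example", "NOERROR", 3600, "198.51.100.25"),
    # IP flux: one hard-coded rallying name, a new short-lived address each minute.
    (0,   "10.0.0.7", "update-cdn.example", "NOERROR", 60, "203.0.113.11"),
    (60,  "10.0.0.7", "update-cdn.example", "NOERROR", 60, "203.0.113.42"),
    (120, "10.0.0.7", "update-cdn.example", "NOERROR", 60, "203.0.113.73"),
    (180, "10.0.0.7", "update-cdn.example", "NOERROR", 60, "203.0.113.99"),
    (240, "10.0.0.7", "update-cdn.example", "NOERROR", 60, "203.0.113.120"),
    # Domain flux: the bot walks generated names until one has been registered.
    (300, "10.0.0.9", "kq3x9wplz.example", "NXDOMAIN", 0, None),
    (301, "10.0.0.9", "vb7tmq2xr.example", "NXDOMAIN", 0, None),
    (302, "10.0.0.9", "zp4nkw8dq.example", "NXDOMAIN", 0, None),
    (303, "10.0.0.9", "hx2rtg6ml.example", "NXDOMAIN", 0, None),
    (304, "10.0.0.9", "t8vmd2qyc.example", "NOERROR", 300, "203.0.113.150"),
]


def ip_flux_domains(log, min_ips=4, max_ttl=300):
    """Names that resolved to many distinct addresses with short TTLs."""
    ips, min_ttl = defaultdict(set), {}
    for _, _, qname, rcode, ttl, answer in log:
        if rcode != "NOERROR":
            continue
        ips[qname].add(answer)
        min_ttl[qname] = min(min_ttl.get(qname, ttl), ttl)
    return sorted(q for q in ips if len(ips[q]) >= min_ips and min_ttl[q] <= max_ttl)


def domain_flux_clients(log, min_queries=5, min_nx_ratio=0.6):
    """Clients whose lookups are mostly NXDOMAIN: a bot probing a generated list."""
    total, nx = Counter(), Counter()
    for _, client, _, rcode, _, _ in log:
        total[client] += 1
        if rcode == "NXDOMAIN":
            nx[client] += 1
    return sorted(c for c in total
                  if total[c] >= min_queries and nx[c] / total[c] >= min_nx_ratio)


def looks_generated(qname, min_len=7, max_vowel_ratio=0.2):
    """Lexical check (an assumption of this example, not a vendor rule): long
    first labels with almost no vowels are unlike names a human picked."""
    label = qname.split(".")[0]
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return vowels / len(label) < max_vowel_ratio


def generated_names(log):
    """Distinct queried names that fail the lexical check, sorted."""
    return sorted({q for _, _, q, _, _, _ in log if looks_generated(q)})


if __name__ == "__main__":
    print("IP flux:", ip_flux_domains(DNS_LOG))
    print("domain-flux clients:", domain_flux_clients(DNS_LOG))
    print("generated names:", generated_names(DNS_LOG))
```

The three checks are deliberately independent: a content-delivery network can legitimately trip the IP-flux rule, and a misconfigured search list can raise a client's NXDOMAIN ratio, so in practice an alert is raised when two of them agree on the same client or name.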
Popular Botnets
• Rustock – SPAM botnet
• ZEUS – banking botnet
• LOIC – traffic generator
• Poison Ivy – RAT
Vendor Protection
• Different vendors offering botnet-related protection:
- Check Point with Anti-Bot blade
- Cisco with Anti-Bot license and CSC-SSM
- HP TippingPoint
- ThreatSTOP DNS service
- McAfee host security
• Frequency of database update / real-time query is very important.
• Need to keep up with the latest threats.
• Update services:
- Check Point ThreatCloud
- Cisco Security Intelligence Operations (SIO)
Check Point Anti-Bot
• Inspects traffic as it exits through the firewall.
• For each connection, the Check Point Anti-Bot blade checks:
- DNS
- IP
- Communication pattern
• A request is sent to ThreatCloud and a verdict is received back.
• On a positive match the traffic is dropped, denying the malicious communication.
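The three checks above (name, address, communication pattern) are easy to model in a few lines, which makes clear why the third one matters: a bot rallying to an address nobody has listed yet is invisible to the first two. The following is an added example, not Check Point's code or a description of how the ThreatCloud query works; two local sets stand in for the reputation feed, the flow records are constructed, and the beacon threshold is an assumption.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Local stand-in for the reputation query (an assumption of this example: the
# product asks a cloud service, here two sets play the part of the feed).
BAD_DOMAINS = {"update-cdn.example"}
BAD_IPS = {"203.0.113.99"}

# Constructed outbound flow records, not a capture:
# (time_s, src, dst_ip, dst_name or "", dst_port)
FLOWS = [
    # A user browsing: irregular timing, clean destination.
    (3,    "10.0.0.5", "198.51.100.10", "www.example", 443),
    (47,   "10.0.0.5", "198.51.100.10", "www.example", 443),
    (500,  "10.0.0.5", "198.51.100.10", "www.example", 443),
    (512,  "10.0.0.5", "198.51.100.10", "www.example", 443),
    (1301, "10.0.0.5", "198.51.100.10", "www.example", 443),
    # A bot rallying to a known-bad name.
    (10,   "10.0.0.7", "203.0.113.99", "update-cdn.example", 80),
    # A bot phoning home to a bare IP every 300 s: nothing on a list yet,
    # but the pattern gives it away.
    (0,    "10.0.0.9", "203.0.113.150", "", 8080),
    (300,  "10.0.0.9", "203.0.113.150", "", 8080),
    (600,  "10.0.0.9", "203.0.113.150", "", 8080),
    (900,  "10.0.0.9", "203.0.113.150", "", 8080),
    (1200, "10.0.0.9", "203.0.113.150", "", 8080),
]


def reputation_verdict(dst_ip, dst_name):
    """Checks one and two: is the name or the address on the feed?"""
    if dst_name and dst_name in BAD_DOMAINS:
        return "drop:domain"
    if dst_ip in BAD_IPS:
        return "drop:ip"
    return None


def beacon_score(times):
    """Check three: coefficient of variation of the gaps between connections.
    Near 0 means metronomic timing; human-driven traffic is far more irregular."""
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def inspect(flows, min_beacons=4, max_cv=0.1):
    """Return {(src, dst_ip): verdict} for every pair that should be dropped."""
    verdicts = {}
    times = defaultdict(list)
    for t, src, dst_ip, dst_name, _ in flows:
        v = reputation_verdict(dst_ip, dst_name)
        if v:
            verdicts[(src, dst_ip)] = v
        times[(src, dst_ip)].append(t)
    for pair, ts in times.items():
        if pair in verdicts:
            continue  # already caught by reputation
        score = beacon_score(ts)
        if len(ts) >= min_beacons and score is not None and score <= max_cv:
            verdicts[pair] = "drop:beacon"
    return verdicts


if __name__ == "__main__":
    for pair, verdict in sorted(inspect(FLOWS).items()):
        print(pair, verdict)
```

The reputation checks act per connection and can block inline; the beacon check needs a window of history, so in a real deployment it runs on the logger and feeds a block rule back to the firewall, which is one reason the design later in the talk keeps a central logger next to the firewalls.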
Signatures and Updates
• Collaboration is required to fight computer crime.
• Inputs are needed from different areas.
• Changes and new information must reach customers as fast as possible.
• Comparable to a human virus (e.g. swine flu), where different organisations collaborate to find a solution.
Check Point ThreatCloud
Botnet Incident – RSA Breach
• RSA – organisation providing security tokens for two-factor authentication.
• Attack in Feb 2011 – devastating effect for RSA:
- $60 million in damages
- Loss of trust
• Final target of the attack – one of RSA's clients:
- Lockheed Martin – US defence contractor
Anti-Botnet actions
• Operation b107
- Takedown of the Rustock botnet (SPAM).
- Date of takedown: 2011.
- Collaboration between security organisations.
- The McColo datacentre knockout: McColo was famous for hosting master servers of botnets.
- It was taken offline by disconnecting McColo's uplinks, but a brief new uplink (via TeliaSonera) allowed the botmaster to update the zombie army with the new C&C server location.
- Definitive takedown by seizing the physical servers at 7 US hosting locations and 2 overseas.
- Spam rate decreased by 33.4%.
Security in practice
• A full holistic solution is required rather than isolated security functionalities.
• Dual-layer firewall (different vendors), so that a vulnerability in one vendor's OS cannot be exploited to pass both layers.
• Multiple functionalities:
- On the external firewall:
- Intrusion Prevention System (IPS)
- Network Anti-Virus
- Email filter (protecting from SPAM etc.) in the DMZ
- On the internal firewall:
- URL Filtering
- Application Control
- Anti-Bot
• Reporting tool to generate "readable" reports.
• Host security to prevent infections when connected to guest Internet.
[Network diagram: two ISP uplinks (ISP1, ISP2) feed a Layer 1 firewall cluster from Vendor 1 (EXT_FW1 / EXT_FW2; security functions: IPS, Network AV). Off it hang three DMZs: DMZ Email (Email Filter and Secondary Email Filter, SMTP TCP 25), DMZ Web (Web Server, HTTP TCP 80) and DMZ ESRV (Frontend Email Server: OWA TCP 443, SMTP Relay with Email Filter only). Behind it sits a Layer 2 firewall cluster from Vendor 2 (INT_FW1 / INT_FW2; security functions: URL Filtering, Application Control and Anti-Bot), then Internal Routers in Active / Standby configuration. Inside: Servers Network (DB Server, Backend Email Server, Domain Controller, Secondary Domain Controller), Users Net 1 and Users Net 2, Wireless Access based on 802.1x with Domain authentication, and a Mgmt Network (Centralised Firewall Mgmt, Backup Firewall Mgmt, Logger and Reporter, Monitoring Server).]
Conclusion
• Security is risk based and it is impossible to be completely fail-proof.
• Even though security vendors are constantly studying and reverse engineering malicious applications to provide signatures for their products, there is still the possibility that malicious communication makes it through the network protection.
• It is very important to deal with an experienced, well-established security vendor known to provide immediate support.
• Users must also collaborate by not running untrusted executables, which may easily be malware.
• Security is only as strong as its weakest link, and the weakest link is usually the user (as we have seen in the RSA case).
Thanks