Pattern Recognition and Applications Lab
University of Cagliari, Italy
Department of Electrical and Electronic Engineering
Cybersecurity
History and Current Threats
Spring Semester 2019-2020
http://pralab.diee.unica.it
The Evolution of Communication
Communications
Human generations & communications
D. De Kerckhove
Packet switching for communication
• 1965: Two computers at MIT Lincoln Lab communicate with one another using packet-switching technology.
  – the signal is first coded into a binary string
  – the string is subdivided into chunks of equal size
  – the sender and recipient addresses are added to the string
    • with the necessary sequence information
  – this packet is routed till the final destination through different computers and networks
    • packets reach the destination in random order
  – the message is reconstructed at destination
In the beginning it was the ARPANET
• 1969: the U.S. Defense Department's Advanced Research Projects Agency (ARPA) developed ARPANET for Internet communication
• ’70s
  – Some U.S. and UK Universities start connecting to the ARPANET
  – Protocols definition
  – Email service
  – Commercial service
The growth of the Internet
• ‘80s
  – Universities around the world start creating their national networks, and connecting these networks to one another
• ‘90s
  – First dial-up Internet services
  – Birth of the WWW – HTML for creating web sites
• 2000
  – dot-com bubble
  – on-line social networks
Summing up…
• The Internet was first designed
  – to be a private network for defence purposes
  – to be a network for sharing knowledge among researchers
• The Internet enabled digital communication
  – text, audio, pictures, movies over the same channel
• The Internet was NOT designed
  – for ordinary communications among persons
  – for the communication of citizens with banks, the health sector, the government, etc.
Security and Computers
The Value of Things
Cyber Crime
• High gain/cost ratio
• Goods and risks are transformed into intangible assets
• Low material costs
• Life is rarely at risk
• Cyber Crime is not perceived as a Crime
The ’80…
“Wargames”, 1983 - https://youtu.be/U2_h-EFlztY
Nowadays…
Computer risks underestimated
“Wargames”, 1983
History of Computer Attacks
Funny names…
• 1945
  A moth stuck in a relay was discovered in a computer while Grace Hopper was working on a Mark II computer – debugging
• 1964 – 1970
  A toy whistle that was, at the time, packaged in boxes of Cap'n Crunch cereal, was discovered to emit a tone at precisely 2600 hertz—the same frequency that was used by AT&T long lines to indicate that a trunk line was ready and available to route a new call.
  Experimenting with this whistle allowed the development of blue boxes: electronic devices capable of reproducing other tones used by AT&T.
  AT&T monitored all the calls from payphones to detect phreakers, those who made free long-distance calls by generating the enabling tones through blue boxes.
Virus and Worm – the early days
• 1979
  The first worm was developed at Xerox PARC. The goal was to develop a tool for improving the efficiency of networked computers.
• 1983
  The first time the name "computer virus" is used.
• 1986
  Brain, the first virus against MS-DOS systems. The developers included their contact information so that infected users could contact them for the removal...
Offensive Viruses and Worms
• 1987
  Alameda, Cascade, Jerusalem, Lehigh and Miami viruses
• 1988
  Robert Morris succeeded in making a worm travel through the ARPANET, disabling 6,000 computers – $10,000 fine to Morris
• 1990
  The first mutant virus is created
• 1995
  The first virus exploiting the macro feature in MS Word
Coordinated attacks
• 1998
  Solar Sunrise – two Californian teenagers were able to control 500 computers (private, military, government) through a coordinated attack
• 2000
  Amazon, Yahoo, and eBay were blocked through infected computers at UCSB – flooding
• 2001
  The Code Red worm caused $2 billion in losses by infecting MS Windows NT and Windows 2000 machines
• 2016
  A DDoS attack against Dyn, a DNS provider, made a large part of Internet sites unreachable for users on the US East Coast
Evolution of attacker’s motivations
(Figure: threat severity over time, 1995 to 2015. Source: Marco Morana)
Threat Actors: Occasional Intruders
Motives: Testing and probing systems and channels, computer disruptions, hacking
Attacks: Exploiting absence of security controls, sniffing data traffic
Threat Actors: Script Kiddies
Motives: Notoriety and fame, world-wide notoriety by spreading viruses and worms, computer disruptions, profit from botnet spamming
Attacks: Viruses, Worms, DoS, Buffer Overflow Exploits, Spamming, Sniffing Network Traffic, Phishing emails with viruses
Threat Actors: Fraudsters, cyber-gangs
Motives: Identity Theft, Online and Credit/Debit Card Fraud
Attacks: SQLi, Sniffing Wireless Traffic, Session Hijacking, Phishing, Vishing, Drive-by Download, Account take-over, MitM, MitB, counterfeiting, banking malware, Trojans
Threat Actors: Hacktivists, cyber criminals, country-sponsored spies, cyber-warfare actors, fraudsters
Motives: Political, Stealing Company Secrets, Fraud, Reputation Damage
Attacks: DDoS, APTs, Account Take Over, MitM, MitB, Session Hijacking
Timeline milestones: Tim Lloyd, Omega (1996); Vladimir Levin, Citi (1998); De Guzman, ILoveYou virus (2000); Albert Gonzalez, TJ Maxx (2007); Israel-Palestine DDoS (2012); Rinat Shabayev, BlackPOS (2013)
Economic motivations
Economic motivations
Threat Actors and Their Motives
(Charts: Actors; Motives)
Source: Verizon - 2019 Data Breach Investigations Report
Computer Security
The CIA Triad
Figure 1.1 Essential Network and Computer Security Requirements: data and services at the centre, surrounded by Confidentiality, Integrity, Availability, Authenticity and Accountability
Hardware
• Availability
  – Damage, theft
  – Power outages
• Confidentiality and Integrity
  – access to memory, register locations
  – trust in the implementation
Levels of Impact
• Low: The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals
• Moderate: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals
• High: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals
Architecture of a Computer System from a Security Perspective
Threat Model
• Any action performed by a computer system can be modelled as an information flow from a source to a sink
• Computer attacks aim at modifying the information flow
• Four main categories of attacks can be defined
Figure 15.2 Security Threats: information source to information destination; (a) Normal flow, (b) Interruption, (c) Interception, (d) Modification, (e) Fabrication
1. Interruption
• An asset is destroyed or disabled
  – hardware damage
  – interruption of communication lines
  – exhausting all the available resources
  – disabling core services
• This kind of attack is called Denial of Service (DoS), as the attack threatens availability
2. Interception
• A third, unauthorised party gains access to information flows
• This attack is a threat to confidentiality
3. Modification
• A third, unauthorised party
  – intercepts the information flow by spoofing the identity of the destination (this is an attack per se)
  – sends a modified flow to the destination
• This attack is a threat to confidentiality and integrity
4. Fabrication
• A third, unauthorised party produces information flows by spoofing the identity of the source
• This attack is a threat to integrity
Summary (threats per asset: Availability / Confidentiality / Integrity-Authenticity)
Hardware
  Availability: Equipment is stolen or disabled, thus denying service
Software
  Availability: Programs are deleted, denying access to users
  Confidentiality: An unauthorised copy of software is made
  Integrity/Authenticity: A working program is modified, either to cause it to fail during execution or to cause it to do some unintended task
Data
  Availability: Files are deleted, denying access to users
  Confidentiality: An unauthorised read of data is performed. An analysis of statistical data reveals underlying data
  Integrity/Authenticity: Existing files are modified or new files are fabricated
Communication lines
  Availability: Messages are destroyed or deleted. Communication lines or networks are rendered unavailable
  Confidentiality: Messages are read. The traffic pattern of messages is observed
  Integrity/Authenticity: Messages are modified, delayed, reordered, or duplicated. False messages are fabricated
Threat consequences (RFC 2828)
Threat Consequence, with the Threat Actions (Attacks) that cause it:
Unauthorized Disclosure: An entity gains access to data for which the entity is not authorized.
  – Exposure: Sensitive data are directly released to an unauthorized entity.
  – Interception: An unauthorized entity directly accesses sensitive data traveling between authorized sources and destinations.
  – Inference: An unauthorized entity indirectly accesses sensitive data (but not necessarily the data contained in the communication) by reasoning from characteristics or byproducts of communications.
  – Intrusion: An unauthorized entity gains access to sensitive data by circumventing a system's security protections.
Deception: An authorized entity receives false data and believes it to be true.
  – Masquerade: An unauthorized entity gains access to a system or performs a malicious act by posing as an authorized entity.
  – Falsification: False data deceive an authorized entity.
  – Repudiation: An entity deceives another by falsely denying responsibility for an act.
Threat consequences (RFC 2828), continued
Threat Consequence, with the Threat Actions (Attacks) that cause it:
Disruption: The correct operation of system services and functions is interrupted or prevented.
  – Incapacitation: Prevents or interrupts system operation by disabling a system component.
  – Corruption: Undesirably alters system operation by adversely modifying system functions or data.
  – Obstruction: A threat action that interrupts delivery of system services by hindering system operation.
Usurpation: Control of system services or functions by an unauthorized entity.
  – Misappropriation: An entity assumes unauthorized logical or physical control of a system resource.
  – Misuse: Causes a system component to perform a function or service that is detrimental to system security.
Vulnerabilities
Definitions
• Vulnerability
  – Any flaw in the system that can be leveraged to perform attacks against availability, confidentiality and integrity.
    • e.g., lack of access controls, unchecked bounds in C, etc.
• Threat
  – The potential for a threat-source to successfully exploit a particular information system vulnerability. (ENISA)
• Attack
  – Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself [by exploiting system vulnerabilities] (CNSS)
Finding Threats
• Any computer program or protocol may contain weaknesses
  – originating from the programming language
  – causing unexpected outputs from unexpected inputs
  – that allow for the arbitrary modification of the program flow
• The maliciousness depends on the context
  – input values, API usage, etc. cannot be considered malicious per se; the maliciousness is related to the context and the related consequences
  – ambiguity and misinterpretation may occur when data and instructions are passed from one component to another
• The detection of weaknesses is a very difficult task
  – Deep knowledge of languages and protocols
  – Multiple information sources (network traffic, application logs, system calls, etc.)
  – Static or dynamic analysis
Sources of vulnerabilities
(Figure: data and instructions passed from one component to the next; ambiguities in the interpretation and processing of byte flows)
Example: Obfuscation
a program that builds a program that builds a program…
D. Ugarte, D. Maiorca, F. Cara, G. Giacinto. PowerDrive: Accurate De-Obfuscation and Analysis of PowerShell Malware, DIMVA 2019
Modifications on binary files or source code that do not alter the semantics, and make them hard to understand for human analysts or machines.
Example: Obfuscation
a program that builds a program that builds a program…
D. Ugarte, D. Maiorca, F. Cara, G. Giacinto. PowerDrive: Accurate De-Obfuscation and Analysis of PowerShell Malware, DIMVA 2019
The core activity of the resulting program is not evident, as it is hidden behind layers of manipulation functions.
Vulnerabilities exploited in 2015
DBIR – Verizon 2016
CVE – Common Vulnerabilities and Exposures
http://cve.mitre.org - https://nvd.nist.gov
Exploiting vulnerabilities
Critical vulnerabilities
https://nvd.nist.gov/vuln-metrics/visualizations/cvss-severity-distribution-over-time
According to the CVSS (Common Vulnerability Scoring System)
Examples
• Search information on CVE-2020-0601
  – Technical description
  – Severity
  – Exploits
  – Available patches
• Search information on CVE-2019-8197
  – Technical description
  – Severity
  – Exploits
  – Available patches
The search engine for exposed devices
Defense in Depth and Attack Surface
Figure 1.4 Defense in Depth and Attack Surface: attack surface (small to large) plotted against layering (shallow to deep); security risk is low for a small surface with deep layering, high for a large surface with shallow layering, and medium in between.
An attack surface consists of the reachable and exploitable vulnerabilities in a system
Threats
ENISA Threat taxonomy
https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/threat-taxonomy/view
Threat Landscape 2018
https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2018
Why Malware is the No. 1 Threat
Cyber Threat Intelligence
Cyber Kill Chain
Released by Lockheed Martin in 2011.
The rationale is that by understanding each of these stages, defenders can better identify and stop attackers at each of the respective stages.
Since 2011, various versions of the “Cyber Kill Chain” have been released.
Attack Libraries
• Allow listing concrete threats, categorised according to the kill chain taxonomy
  – CAPEC (MITRE)
    Common Attack Pattern Enumeration and Classification, V3.1 (April 2019 - 519 attack patterns)
  – ATT&CK (MITRE)
    knowledge base of adversary tactics and techniques based on real-world observations
  – OWASP Cheat Sheet Series
    a concise collection of high value information on specific web application security topics
Advanced Persistent Threats (APT)
• Persistency
  – Threat actors want to keep access to their victims’ networks even when discovered.
• Persistency is achieved by ensuring that malware loads every time a machine reboots
  – registering malware to run as a service
  – modifying auto-start entries
  – creating files in specific locations to trick legitimate programs into loading them
Lateral Movements
• The threat actor moves laterally from the initially infected machine to other neighbouring hosts
  – to perform reconnaissance activities
  – to increase the number of infected machines
• Lateral movement often occurs without the use of malware
  – e.g., exploiting operating system services
  – the detection of newly compromised systems is more difficult
  – detection requires analysing the logs of multiple hosts
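As an added example that is not part of the lecture, the following merges constructed logon records from several hosts (the log format, host names and user names are invented) and follows the chain of remote logons outward from a known-infected machine. Seen on any single host each logon looks ordinary; the chain only appears once the logs of all the intermediate hosts are correlated.

```python
"""Cross-host logon correlation to expose lateral movement (added example).

Constructed log format, one line per logon event recorded by a host:
    <ISO timestamp> <recording host> LOGON user=<name> from=<source host>
"""
from datetime import datetime, timedelta

# Constructed sample: auth logs of five hosts, already concatenated.
SAMPLE_LOGS = """\
2020-03-02T09:00:10 ws-17 LOGON user=alice from=ws-17
2020-03-02T09:05:42 file-01 LOGON user=alice from=ws-17
2020-03-02T09:07:03 file-01 LOGON user=svc-backup from=ws-17
2020-03-02T09:09:30 ws-22 LOGON user=svc-backup from=file-01
2020-03-02T09:15:11 dc-01 LOGON user=svc-backup from=ws-22
2020-03-02T11:40:00 ws-40 LOGON user=bob from=ws-40
2020-03-02T18:00:00 print-01 LOGON user=carol from=ws-22
"""


def parse_logs(text):
    """Parse the constructed lines into (time, dest, user, src) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, dest, _kind, user_field, from_field = line.split()
        user = user_field.split("=", 1)[1]
        src = from_field.split("=", 1)[1]
        events.append((datetime.fromisoformat(ts), dest, user, src))
    return sorted(events)


def trace_lateral_movement(events, seed_host, window=timedelta(hours=2)):
    """Follow remote logons outward from seed_host.

    A host counts as reached when a logon recorded on it originates from a host
    that was already reached, no more than `window` after that source was reached.
    Returns {host: (time, user, source)} describing the hop that reached each host.
    """
    reached_at = {seed_host: None}   # host -> time it was first reached (None = seed)
    hops = {}                        # host -> (time, user, src) of the reaching logon
    for t, dest, user, src in events:  # events are time-ordered, so one pass suffices
        if src == dest or src not in reached_at or dest in reached_at:
            continue                   # local logon, unrelated source, or already known
        since = reached_at[src]
        if since is not None and t - since > window:
            continue                   # too long after the source was reached
        reached_at[dest] = t
        hops[dest] = (t, user, src)
    return hops


def hop_chain(hops, host, seed_host):
    """List the hosts from seed_host to host along the recorded hops."""
    chain = [host]
    while chain[-1] != seed_host:
        chain.append(hops[chain[-1]][2])
    return list(reversed(chain))
```

Service-account logons such as svc-backup arriving from a workstation are the kind of hop worth alerting on even before a full chain is established.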
Phishing
Phishing Attack Statistics
Phishing Attack Statistics
Ransomware
Ransomware
Ransomware
• Downloaded from malicious links
• Two main families
  – ‘Lock screen’ ransomware
    The idea is to scare the victim into paying up.
  – Crypto-ransomware
    Once it finds its way onto your machine it will encrypt all or most of the data on your hard drive based on file type.
• The attacker will demand a ransom – usually a few hundred dollars – be paid in Bitcoin in return for the decryption key
Ransomware
Cybersecurity Strategy
Strategy
Security Policy
  Formal statement of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources
Security Implementation
  Involves four complementary courses of action:
  • Prevention
  • Detection
  • Response
  • Recovery
Assurance
  Encompassing both system design and system implementation, assurance is an attribute of an information system that provides grounds for having confidence that the system operates such that the system’s security policy is enforced
Evaluation
  • Process of examining a computer product or system with respect to certain criteria
  • Involves testing and may also involve formal analytic or mathematical techniques
Prevention
• Physical protection of hardware assets
  – physical access control
    • guards, passcodes, biometrics, video surveillance, etc.
  – disaster protection (flooding, fire, etc.)
  – cooling
• Logical access control mechanisms
  – least privilege
    Only the minimum necessary rights should be assigned to a subject that requests access to a resource, and should be in effect for the shortest duration necessary
  – Firewalls
    block all the traffic flows that are not allowed
Prevention
• Identity management
  – access management
  – authorization management
  – user event behaviour analysis
• Data protection
  – Backup and Redundancy
  – Cryptography
• Software
  – Security updates and patches
  – Trusted sources
  – certified software (http://www.commoncriteriaportal.org)
Detection
• Endpoint defence tools
  – Anti-malware products for the detection of viruses, worms, trojans, spyware, etc.
  – installed on every endpoint device
• Intrusion Detection Systems
  – Detect malicious activities by analysing traffic flows
  – Deployed at the perimeter of the protected network
• Security Information and Event Management (SIEM) systems
  – log analysis
Awareness
• We all have multiple identities – one real identity and multiple virtual identities
• Virtual identities
  – a projection of a real identity (persons, companies, government) that exhibits just a portion of a real identity
    • images, places, relations, official documents, etc.
  – …but also identities loosely or not-at-all related to real identities
    • they just exist in the virtual world
Is this the Era of Feudal Security?
https://www.schneier.com/blog/archives/2012/12/feudal_sec.html
• In the Personal Computer era, each person was responsible for security
  – backups
  – antivirus
• Are we in a new feudal era where our service providers must provide for our security?
  – A few vendors are becoming our feudal lords
    • for the security of software
    • for the security of data that we save on their servers
Designing for security
Why is computer security a big issue?
• Software complexity
  – difficult to fully identify all the threats at design time, and at test time
• Networking produces a very complex system
  – difficulty in understanding the effect of all the possible interactions
• New software, and new versions, are released at a fast pace
• Large volume of vulnerabilities discovered daily
  – still many companies do not implement Software Development Lifecycles with security checks
Challenges
Consumerization
• New technologies are delivered directly to the mass market
  – individuals use new technologies in advance with respect to the company they work for
• Short time-to-market does not allow
  – understanding all the risks related to the new product
  – updating the security assessment
• BYOD (Bring Your Own Device)
  – what happens to the corporate network if the employee is allowed to attach her own device?
  – how can security be assessed?
The Personal Devices Environment
(Figure: an always-on personal device holding location, instant messages, pictures, videos, social sharing, cloud storage, contacts, financial data, music, personal preferences, digital wallets, calendar, travels, and access to the company’s network)
Personal devices & Networked objects
Threats & Opportunities
• What is the meaning of “Privacy” in our society?
• We leave a lot of traces related to our daily life
  – and smartphones are powerful personal sensors!
• New criminal organizations take advantage of this wealth of data, and of the smart devices in our pockets…
• …but data and smart devices also help LEA investigations (Digital Forensics)
  – on cybercrime
  – on traditional criminal activities
Internet of (every)Things
CSA (Cloud Security Alliance) 2015
Internet of Things
• Bruce Schneier prefers to move the focus to computers with things attached to them
  – Your modern refrigerator is a computer that keeps things cold.
  – Your oven, similarly, is a computer that makes things hot.
  – An ATM is a computer with money inside.
  – Your car is no longer a mechanical device with some computers inside: it's a computer with four wheels and an engine. Actually, it's a distributed system of over 100 computers with four wheels and an engine.
http://nymag.com/selectall/2017/01/the-internet-of-things-dangerous-future-bruce-schneier.html
Internet of Things
IEEE Spectrum 2015
IoT
The Mirai botnet was made up of millions of infected IoT devices.
On Sept 13, 2016 the website “KrebsOnSecurity” was under DDoS attack from the Mirai botnet.
On Oct 21, 2016 the DNS provider “Dyn” was taken down for a few hours by a DDoS attack from the Mirai botnet.
Symantec – ISTR2016
Connected dolls
Cloud Pets
Sources of difficulties in Cybersecurity
Truisms on Computer Security
1. On the Internet, attack is easier than defense
  – The interconnection of millions of devices makes the Internet a very complex system.
  – More complexity means more people involved, more parts, more interactions, more mistakes in the design and development process.
  – A complex system means a large attack surface.
  – The defender has to secure the entire attack surface. The attacker just has to find one vulnerability. It's simply not a fair battle.
2. Most software is poorly written and insecure
3. Connecting everything to each other via the Internet will expose new vulnerabilities
4. Everybody has to stop the best attackers in the world
5. Laws inhibit security research
Bruce Schneier, http://nymag.com/selectall/2017/01/the-internet-of-things-dangerous-future-bruce-schneier.html
Unfalsifiability of Security Claims
A theory which is not refutable by any conceivable event is non-scientific. Irrefutability is not a virtue of a theory (as people often think) but a vice
K. Popper, Conjectures and Refutations, 1959
• There is an inherent asymmetry in computer security: things can be declared insecure by observation, but not the reverse.
  – There is no observation that allows us to declare an arbitrary system or technique secure.
  – While the claim that countermeasures are sufficient is always subject to correction, the claim that they are necessary is not.
• When justifications are unfalsifiable, deciding the relative importance of defensive measures reduces to a subjective comparison of assumptions.
  – Relying on such claims is the source of two problems
    • once we go wrong we stay wrong and errors accumulate
    • and we have no systematic way to rank or prioritize measures.
Cormac Herley, Microsoft Research, Redmond, WA, USA