The Internet Threat Horizon - mirror.die.net · 2012-11-07 · The Internet Threat Horizon Roland...

The Internet Threat Horizon

Roland Dobbins <[email protected]> Solutions Architect +66-83-266-6344 BKK mobile +65-8396-3230 SIN mobile Arbor Public

“We cannot solve problems by using the same kind of thinking we used when we created them.”

- Albert Einstein

- Arbor Public

Security Evolution Threats and Countermeasures through 2012

- Arbor Public

Sophistication of Tools

DDoS

Password Guessing

Self Replicating Code

Password Cracking

Exploiting Known Vulnerabilities

Disabling Audits

Back Doors Hijacking Sessions

Scanners Sniffers

Stealth Diagnostics

Technical Knowledge Required

High

Low

Botnets

Blended Threats

Root Kits

Evolution of Threats and Exploits

- Arbor Public

•  Infections doubled every 8.5 seconds

•  Infected 75,000 hosts in first 11 minutes

•  Caused network outages that caused

…. cancellations of airline flights

…. closing of retail outlets at a large consumer electronics chain

…. transactional service delivery loss at commercial ATMs

At peak, scanned 55 million hosts per second

Threat Evolution: Acceleration Towards Day Zero Example: SQL Slammer (an oldie, but a goodie)

- Arbor Public

The Miscreant Economy is Forever

Satellite Network

Home Control Network

Cable Network

Mobile Network

Broadband Network Provider

Internet

Mobile Network

Broadband Network Provider

Internet

- Arbor Public

Threat Economy: Today

Writers Middle Men Second Stage Abusers

Bot-Net Management:

For Rent, for Lease, for Sale

Bot-Net Creation

Personal Information

Electronic IP Leakage

$$$ Flow of Money $$$

Worms

Tool and Toolkit Writers

Viruses

Trojans

Malware Writers

First Stage Abusers

Machine Harvesting

Information Harvesting

Hacker/Direct Attack

Internal Theft: Abuse of Privilege

Information Brokerage

Spammer

Phisher

Extortionist/ DDoS-for-Hire

Pharmer/DNS Poisoning

Identity Theft

Compromised Host and

Application

End Value

Financial Fraud

Commercial Sales

Fraudulent Sales

Click-Through Revenue

Espionage (Corporate/

Government)

Criminal Competition

Extorted Pay-Offs

Theft

Spyware

- Arbor Public

Enduring Financial Opportunities

Enduring criminal financial opportunities: §  DDoS §  Extortion §  Advertising click-through fraud §  Fraudulent sales §  Identity theft and financial fraud (phishing, stealing info from PCs, etc.) §  Theft of goods/services §  Espionage/theft of information §  Spam-based stock-market manipulation

Postulate:

Strong, Enduring Criminal Financial Opportunities Will Motivate Participants in the Threat Economy to Innovate to Overcome New Technology Barriers Placed in Their Way

- Arbor Public

Botnets - The #1 Online Security Threat

Botnets are the prime enablers of all these activities: §  DDoS §  Extortion §  Advertising click-through fraud §  Fraudulent sales §  Identity theft and financial fraud (phishing, stealing info from PCs, etc.) §  Theft of goods/services §  Espionage/theft of information §  Spam-based stock-market manipulation

Wikipedia on Botnets: . . . a collection of compromised computers (called zombie computers) [or bots] running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command

and control infrastructure.

- Arbor Public

DDoS Background

What is a Distributed Denial of Service attack? •  An attempt to consume finite resources, exploit

weaknesses in software design or implementation, or exploit lack of infrastructure capacity

•  Targets the availability and utility of computing and network resources

•  Attacks are almost always distributed for even more significant effect – i.e., DDoS

•  The collateral damage caused by an attack can be as bad, if not worse, than the attack itself

•  DDoS attacks are attacks against capacity and/or state

•  DDoS attacks affect availability! No availability, no applications/services/data/Internet! No revenue!

- Arbor Public

Confidentiality Integrity

Availability

Three Security Characteristics

§  The goal of security is to maintain these three characteristics

- Arbor Public

Three Security Characteristics

§  Primary goal of DDoS defense is maintaining availability

Confidentiality Integrity

Availability

- Arbor Public

Firewalls and IDS/’IPS’ don’t help!

§  It’s time to put the firewall and IDS/’IPS’ myth to rest!

Firewalls are policy-enforcement devices – they can’t help with DDoS, and in most cases, the policies applied to the firewalls have been devised with no visibility into network traffic, so the firewall rules bear little relation to what should actually be permitted and denied. IDS/’IPS’ are by definition always behind the attackers – in order to have a signature for something, you must have seen it before. IDS/’IPS’ have proven to be totally ineffective at dealing with application-layer compromises, which is how most hosts are botted and used for DDoS, spam, corporate espionage, identity theft, theft of intellectual property, etc. Firewalls & IDS/’IPS’ output reams of syslog which lacks context, and which nobody analyzes. It is almost impossible to relate this syslog output to network behaviors. End-customers subscribe to traditional managed security services based on firewalls and IDS/’IPS’, and still get compromised! Firewall & IDS/’IPS’ deployments cause performance & usability problems, and don’t scale, shouldn’t be deployed in front of servers!

- Arbor Public

Failure of Firewall and IPS in the IDC

§  Nearly half of all 2010 & 2011 WISR respondents have experienced a failure of their firewalls or IPS due to DDoS attack!

- Arbor Public

Botnet-enabled DDoS §  DDoS, both inbound and outbound - DDoS for hire is big business!

Multi-path DDoS attacks (miscreants learning about routeservers, distributed botnets helping). Multi-vector DDoS attacks - SYN-floods combined w/fragmented UDP, port 80 & port 22 (ssh), DNS reflection attacks (100gb/sec & higher!) DDoS/spam zombies being installed by Web- and email-delivered exploits Increased use of non-TCP/non-UDP protocols (IGMP, protocol 0, protocol 255) to bypass basic ACLs; miscreants learning about ToS bits, perform application-layer DDoS after prior reconnaissance of Web sites Spoofing used in a small fraction of attacks, but some of the more sophisticated/effective attacks are spoofed (Arbor TMS helps with this) Increased multi-path DDoS against network infrastructure devices (attempt to disrupt routing) Spammers launch DDoS attacks against anti-spam RBLs DDoS extortion commonplace, no longer against fringe businesses, but against online trading houses, banks, etc. Ideologically-motivated DDoS becoming more common, higher-profile. DDoS-enabled stock-market manipulation a reality – HKG Stock Exchange.

- Arbor Public

Worms/Self-propagating Malware to Recruit More Bots

§  Worms with network side-effects before, worms without network side-effects now

SQL Slammer was intended to compromise Microsoft SQL Server, not DoS the network! Blaster and successors also intended to compromise Windows boxes - they succeeded! Nachi was a twisted/misguided attempt to clean up and patch; ‘cure’ was worse than the disease, in many cases. Nachi ICMP & HTTP caused many outages, was a problem until Nachi self-destructed (tried tracerouting to/through the Internet from Windows, since 2003?) Many vulnerabilities over TCP/80, TCP/445, etc. - cannot filter with extended ACLs or the Windows network breaks Remember, the goal is to compromise hosts and turn them into bots; miscreants have learned to be quiet on the network, no longer cause DoS via the propagation vector Web-, document-, image-, email-, video-delivered malware via application-layer exploits are the new way to compromise hosts and turn them into bots AJAX/Web 2.0/Twitter/DNS botnets in the wild. Mobile, MANET-enabled bonets now here for Android– modern mobile phones are computers!

- Arbor Public

Subverting the Network Infrastructure

§  More emphasis on subverting the network itself (no longer just ‘black boxes’).

Cisco, Juniper, Huawei, Alcatel, etc. all of interest to the miscreants - routers can be used to launch DDoS, to act as VPN gateways for SPAM, to hijack traffic and perform MITM attacks As always, default/lame passwords like ‘cisco’ or ‘c1sc0’ lead to router compromise (many businesses and government agencies don’t use AAA). Miscreants love routers! They’re great DoS-generators! They’re great for tunneling miscreant traffic! They love switches for MITM! They love firewalls so that they can sniff traffic! There are hundreds of thousands of compromised network devices, from cablemodems to 12000s, on the Internet today - mainly not due to inherent security flaws (although we see this with some consumer-level devices), but because of poor administrative practices. DNS/name resolution a very popular target for DDoS, as a DDoS-enabler (open recursive nameservers as DDoS reflectors), to poison naming resolution in order to enable MITM attacks

- Arbor Public

Bot-Enabled Espionage, Theft, and Extortion

§  More targeted information-gathering/espionage activities.

Recent well-publicized university, bank, insurance-provider, government information compromises. Miscreants use this information for identity-theft - obtain credit cards, drain bank accounts, etc. Increasingly, DDoS/spam bots include formloggers/keyloggers, suss around for files to send back ‘home’, and so forth. They search documents and email for keywords (bank account info, credit card numbers, governmental ID numbers, etc.). ‘Spear-phishing’ on the rise - targeted SPAM with the aim of socially engineering specific enterprise employees to run malware, give up information, pay extortion money (customized death threats against employees and their families, anonymous email blackmail, bogus ‘subpoena’ service, etc.) There are ‘bots in the walls’

- Arbor Public

GPRS/EDGE/3G/LTE/WiMAX Bots Here Now!

§  Botted hosts on a wireless network can wreak havoc!

Outbound DDoS from botted hosts with wireless modems consumes scarce radio spectrum, site backhaul capacity, backbone capacity DNS-based DDoS and/or aggressive DNS lookups related to C&C/other attack vectors can cause collateral damage to non-scaled mobile DNS infrastructure NAT, firewalls, ‘IPS’, other stateful devices in the network greatly increase DDoS impact – net loss of security posture! Scanning behaviors of botted mobile hosts can knock over fragile IP stacks on RAN, SGSN, GGSN – many mobile networks have grown organically, not architecturally hardened, BCPs not implemented. Scanning behaviors ‘wake up’ radios in handsets, cause battery drain – help-desk calls, RMAs!

- Arbor Public

Background noise §  Rise in ‘background noise’ (portscans, low-level DDoS, leftover Slammer traffic

and Nachi ICMP, etc.) makes detection more difficult

Botnets have ordinarily used IRC over standard or non-standard ports as C&C - this is changing. We saw P2P-enabled botnets with encrypted C&C emerge in 2003 - now, we see well-formed HTTP/HTTPS being used as decentralized, P2P botnet C&C, very hard to pick out from normal Web traffic. Makes botnets far more resilient! AJAX and Web 2.0-type technologies offer many possiblities for layer-7 C&C, an emerging threat as ‘software as a service’ becomes more popular – see Twitter botnet discovered by Arbor (http://asert.arbornetworks.com/2009/08/twitter-based-botnet-command-channel/) DNS also leveraged for C&C - DNS TXT records used to store botnet commands, bots query predefined TXT records periodically for instruction; bots code to look up nonsense-sounding domains which have not yet been registered, when the miscreant wants to activate the botnet, he registers the domain and sets up a C&C Web server to issue commands. Very sneaky! DNS ‘fast-flux’ used for agile botnet C&C Sometimes it’s hard to properly classify application-layer DDoS - can look like a legitimate ‘flash crowd’.

- Arbor Public

What is ‘Web 2.0’?

Loosely speaking, the term ‘Web 2.0’ refers to various types of hosted applications which facilitate social networking, information interchange, content syndication, and which in many cases are substitutes/replacements for traditional desktop applications. This model is very attractive to enterprises - leverages Web browser as a ‘universal client’, reduces amount of admin overhead (no client upgrade cycles), leverages economies of scale with blade servers, virtualization technologies.

- Arbor Public

Examples of Web 2.0 Applications

•  TypePad, LiveJournal, Blogger - hosted weblogging

•  Backpack, Campfire, Writeboard - hosted storage/chat/collaboration

•  JotSpot, SocialText - hosted wikis

•  YouTube - user-generated video content

•  Flickr - photos, tagging

•  MySpace, FaceBook, QQ - social networking

•  Windows Live!, Google Write, etc. - hosted business software

•  Second Life, MMORPGs - virtual worlds with virtual economies = real-world money!

•  Twitter – real-time status updates/’micro-blogging’

- Arbor Public

What is the problem?

To date, the ‘Web 2.0’ and online application communities have not generally been closely engaged with the traditional computer security community nor the network operational security community. This lack of engagement can have negative consequences for those who depend upon these applications - increasingly, this means enterprise users, not just consumers.

- Arbor Public

Blue Security vs. TypePad

During a large DDoS, BlueSecurity.com changed the DNS A record for their domain so that it pointed to their hosted TypePad weblog

Much excitement, significant (6-hour-plus) outage for all TypePad customers, including enterprises who use weblogs for customer communication, support, PR, etc.

Significant DDoS traffic for multiple SPs

Significant outages for literally millions of SOHO, small business, large enterprise customers worldwide

For hours, customers did not know what was happening or how to react - siloed communications channels.

- Arbor Public

Samy vs. MySpace

•  Samy wants to be a ‘hero’ to users on MySpace - after careful reflection, he determines that exploiting an XSS vulnerability on MySpace to create a browser-based ‘XSS worm’ is a good way to accomplish this goal.

•  Within 5 hours, Samy has 1,000,000+ friend requests from MySpace users - about 1/35th of the total userbase

•  Within 6 hours, MySpace is unreachable for most users

•  Approximately 2.5 hour outage, some capabilities removed from user profiles (embedded music movies, etc.).

•  Anecdotal reports of excessive traffic on broadband access networks help-desk calls (it’s kind of hard to call MySpace), etc.

•  Businesses use MySpace for PR, advertising - not just for teenagers!

- Arbor Public

Second Life, WoW ‘Virtual Worms’

•  Various exploits in Second Life, WoW used to create self-replicating code objects on multiple occasions - your avatar touches the object (like a floating gold ring), your PC is then leveraged to reproduce the viral objects!

•  First ones were stupid, simple ‘virtual DDoS’ - cost Linden Labs, Blizzard, their customers real-world time, effort, money!

•  Later PoC ‘virtual worms’ copied/stole virtual world intellectual property and currency- custom-designed avatars a big business, now the work is stolen! Online gold, weapons, etc. a big business in WoW, ‘virtual worms’ steal these from users!

•  Second Life is becoming a very important communications medium for PR, support, etc.; WoW is a game, but a big business in Asia (think ‘gold-farming’; people play WoW for a living, then sell characters, in-game gold, weapons, etc. to players).

- Arbor Public

Twitter/LiveJournal/Facebook DDoS Attacks

•  Apparently ideologically-motivated attacks (Russia/Abkhazia/Georgia) launched against weblogger recounting Russian/Georgian conflict on its one-year anniversary.

•  Facebook, Twitter, LiveJournal affected – LiveJournal now owned by TypePad, they gained experience from the Blue Security incident and were able to work with the opsec community quickly. Facebook recovered relatively quickly; Twitter weren’t ‘hooked up’ and it took some time to establish operational contacts, implement BCPs in the middle of an attack.

•  Twitter is a very popular mobile application! Handsets with Twitter clients doing lots of HTTP GETs, DNS queries, etc. trying to get to Twitter. Increased traffic, help-desk calls, etc.

•  Twitter is increasingly at the center of various ideological conflicts in the physical world, used to organize political activity, etc. – any service used this way is a target (i.e., most Web 2.0/social nets).

- Arbor Public

China Cascading DNS DDoS – May 2009

•  Frustrated game developer hires botmaster to DDoS rival – botmaster chooses to attack DNS (DNS is often the weakest link!)

•  DNS for target hosted by registrar without scalable DNS, no BCPs, no defense – hosts DNS for thousands of domains, including popular video-sharing application.

•  DNS for target, for video-sharing application, and thousands of other domains goes down

•  Video-sharing application written poorly – retries DNS queries at a high rate if no response received

•  DNS infrastructure of multiple SPs, enterprises throughout China DDoSed by over-active DNS queries from video-sharing application which can’t resolve video-sharing directory DNS due to original attack

•  No scalability, no BCPs, no defenses for broadband/enterprise DNS lead to widespread DNS outages across China!

- Arbor Public

The Web 2.0 Universal Browser Botnet

<* IMG SRC=”http://www.example.com/” >

§  Cross-Site Request Forgery (CRSF), same class of browser & site vulnerability as Cross-Site Scripting (XSS).

§  Stick a few links like the above in popular Web forums, social networking sites.

§  Millions of uncompromised machines become the ‘botnet’, launching ongoing layer-7 DDoS, unbeknownst to their users.

§  Rinse, repeat.

- Arbor Public

The Web 2.0 Universal Browser Botnet (continued)

§  Insert 10-15 instances of the HTML code per page, you get 10-15 connections/browser.

§  Get an application-layer amplification factor by abusing the victim’s search form - <* IMG SRC=”http://www.example.com/search?q=TERM1+AND+TERM2+AND+TERM3” >

§  Chew up the victim’s bandwidth by grabbing large files - <* IMG SRC=”http://www.example.com/bigimage.jpg” >

§  How does the victim defend against this? How does the SP defend the victim against this?

- Arbor Public

Emerging Voice Security Threats

- Arbor Public

§  1957 – Joe Engressia (aka ‘Joybubbles’) realizes that whistling at 2600Hz allows him to send end-of-billing control signals to the telephone network.

§  1969 - John Draper meets Dennie and Jemmie, who can obtain practically-free long-distance phone-calls by making creative use of the plastic whistle included in a box of Cap’n Crunch cereal. The whistle emits the same 2600Hz tone discovered by Joybubbles - after hearing the tone, the billing system no longer bills for call minutes even if the call is still active.

Draper was arrested in 1972 and again in 1975 for abusing the telephone network and for wire fraud, respectively.

Evolution of Voice Security Threats

- Arbor Public

§  1971 - Al Gilberston invents the ‘blue box’, is profiled in Esquire. The ‘blue box’ electronically mimics the 12 master tones which are used for control by the telephone switching network - generating various tones in sequence allows phreakers to make free phone calls, loop up local circuits, initiate party-line calls, etc.

Two early phreakers with the handles Berkeley Blue and Oak Toebark (they both share the same actual first name) were quite interested in ‘blue boxes’, too . . . .


- Arbor Public

§  1980 - Kevin Mitnick is remotely accessing landline and later early cellphone switching equipment. He impersonates telephone company personnel, Bellcore security managers, etc. and physically enters COs and other telco facilities to pilfer information about the telephone network. By the time he’s eventually caught (1987) , he has combined early computer network hacking with telco hacking and has manipulated phone switches in order to tap into the phone conversations of Secret Service agents and telco security personnel who are chasing him.

§  1990 - Kevin Poulsen manipulates phone switches for fun and profit, rerouting callers to a KIIS - Los Angeles call-in contest so that he can call in and ‘win’ a $40K Porsche.


- Arbor Public

§  1990 - On January 15th,114 nodes of AT&T’s long-distance network are down for 9 hours due to a bug in newly-uploaded SS7 failure-recovery code. A misplaced break command caused nodes to crash themselves upon receipt of an out-of-service message and then propagate the crash by sending out-of-service messages to adjacent nodes.

Inadequate testing of the error-recovery path led to the faulty code being uploaded - at the time, the incident was investigated as a possible deliberate attack on the telephone system, and it was widely acknowledged by telco and law enforcement that such an attack was in fact feasible.


- Arbor Public

§  From the 1980s onwards, key systems and PBXes have been prime targets for phone phreakers - outdials to commit toll-fraud, hacking voicemail systems accessible via WATS lines in order to build a ‘free’ message service, silent conferencing in order to eavesdrop, etc.

This has been a key enabler of both state-sponsored and corporate espionage.


- Arbor Public


- Arbor Public

What’s changed with TCP/IP?

§ Ubiquity § Interconnectivity § Mobility § Empowerment

- Arbor Public

What’s changed with TCP/IP?

§ Security Capabilities There are far more effective security mechanisms available in the TCP/IP world than in the closed world of proprietary systems. The challenge we face is incorporating them effectively into architectures and toolkits we can use in order to design, deploy, and operate systems.

- Arbor Public

Pervasive Security

§  Security is the heart of internetworking’s future; we have moved from an Internet of implicit trust to an Internet of pervasive distrust

§  Network design = security, security = network design

§  We can no longer differentiate network from security, they must be intertwined

What is security vs. network? QoS? Routing? Voice?

§  No packet can be trusted; all packets must earn that trust through a network device’s ability to inspect and enforce policy

- Arbor Public

Your next-generation handsets

- Arbor Public

Your next-generation handsets

§  Will come from a variety of sources, running a variety of OSes

§  Will have multiple modes of operation - CDMA, GSM, LTE, WiMAX, WiFi, etc. They will cross/eliminate perimeters.

§  Will have multiple forms of personal network/mesh technologies, a la Bluetooth, etc.

§  Will have VPN capabilities §  Will not necessarily be under the direct control of

carriers or IT departments (increasingly, these are personal devices)

§  Will be general-purpose computing devices, with all that entails

- Arbor Public

The shape of things to come

§  We are faced with multivector penetration/subversion threats to the voice infrastructure - this is already happening with softphones, it will become the norm for hardware phones, as well.

§  Mobile-/softphone-aware malware is here. Mobile operators, SIP, Skype, Vonage, and the like are all targets, others will follow. Spread via phishing, worms, email, and potentially VoIP traffic itself.

§  Toll fraud, SPIT, eavesdropping/wiretapping, voicemail forgery, real-time MitM two-way call interception/corruption, access to phone-integrated directories . . .

§  Application-layer resource-exhaustion attacks against the voice infrastructure (SBCs, cell nodes, WiFi Aps, switches, routers), power-exhaustion attacks against handsets . . .

§  Only a matter of time until we see compromised mobiles show up in botnets.

- Arbor Public

Convergence is a huge concern for SPs

§  For the first time, traditional router-jocks actually care

about the applications - “The voice service must stay up, no matter what!” This is a huge sea-change in the mindset of network operators

§  What happens to voice when it’s on the same network as DDoS attacks, and is potentially subject to them? What level of automation, scaling, clustering, virtualization is required to protect voice services in such an environment? How do we extend the ‘Clean Pipes’ paradigm to voice services?

- Arbor Public

New Attacks

§  Identity Attacks §  Power Drain Attacks §  Instant Messenger § Bluejacking § Bluesnarfing § Bluebugging § NFC

- Arbor Public

Identity Attacks

Voice Evolution

PSTN

Internet

IP Network

- Arbor Public

Identity Attacks

Where?

§  Local Device Access §  Network Access §  Remote Device Access §  Device to Device §  User to Device §  User to Application §  Call Integrity (control data) §  Call Integrity (Audio Data)

Identity (like security) must be addressed in layers

- Arbor Public

Identity Attacks

Example Credentials

§  None §  Tones §  Unique Static ID §  IP Address §  PIN §  Username/Password §  Certificates §  Biometrics

- Arbor Public

Identity Attacks

Examples

Duplicating Cell Phone Unique ID (other rogue phones)

• Impersonating Police

Manipulating Caller ID

Valid Device (but compromised)

• Credit Card Theft Scam

Keyloggers

Attackers will attempt to creatively manipulate all credentials

Spyware Worms/Viruses

Collision attacks (MD5 & SHA1)

- Arbor Public

New Attacks

Power Drain Attacks

Power drain attacks involve devices being put into constant high-power consumption mode. This power drain attack is

effective against wireless devices that are relying on battery power. The high-power consumption state causes the device

to quickly lose battery power and become useless without the battery being recharged.

Definition

- Arbor Public

Power Drain Attacks

Effectiveness?

§  Just as easy to jam wireless signal §  Could be used to discredit enterprise, Mobile

SP (reputation, SLAs, etc.), enhance physical attack.

§ We’ve seen these in the wild!

- Arbor Public

Instant Messenger Attacks

§  Adds listening service Makes the devices a continuous target while instant messenger or other presence application is active

§  Indicates when system is active §  Very prone to phishing/social engineering attacks §  SPIM §  Session Hijacking and impersonation

Accessibility and Identity

- Arbor Public


§ More devices (such as phones,PDAs) built on more robust underlying OSes

§  Device complexity prone to more significant coding problems

More malware paths (potentially less virus scanning) Trojan delivery, botted endpoints

Functionality and Coding Issues

- Arbor Public


§ Multi-function devices mean attacks can bridge network boundaries in new ways

§ Much larger number of potential zombies/bots

Blurring Network Boundaries

- Arbor Public

Bluejacking

§  Despite the scary name, ‘bluejacking’ is merely the sending of unsolicited text messages from one Bluetooth-enabled device to another

§  The first person known to do this used the handle ‘ajack’ on esato.com . . . he was in a bank, used his phone to detect a visible Nokia phone owned by another patron and sent it a message, ‘Buy Ericsson’. The name stuck.

§  Bluetooth devices have a ‘visible’ and a ‘hidden’ mode. Visible mode is similar to a WiFi broadcast SSID; this is the default setting for most Bluetooth devices.

§  Implementation deficiencies make it trivial to detect devices running in hidden mode . . .

§  Due to vulnerabilities in device OSes (not just phones - PDAs, laptops, etc.), this is a vector for worms and other forms of self-propagating malware.

- Arbor Public

Bluesnarfing

§  More insidious - bluesnarfing entails the use of tools to grab the phonebook, addressbook, and in some cases the entire memory contents of a Bluetooth-enabled device.

§  While the focus has been on phones, PDAs and general-purpose computers -i.e., laptops - may be vulnerable, as well.

§  What do people store in these devices - passwords, confidential information, access codes? What can be deduced from grabbing the entire memory contents of a device running an active VPN session?

§  This begs the question - if you can read, can you also potentially write?

§  In too many cases, the answer is. “Yes!”

- Arbor Public

Bluebugging

§  Bluebugging is the term used to describe ‘0wn1ng’ another Bluetooth-enabled device, particularly (but not limited to) a mobile phone.

§  The miscreants can send and receive SMS messages, place calls, receive calls, eavesdrop on calls, forward calls to other numbers, read and write address book and other information, gather files accessible via the device in question (VPN + SMB shares, anyone?), and potentially execute code of the attacker’s choice.

§  So far, this has been limited to mobile phones, but PDAs and general-purpose computers may also be vulnerable.

§  The implications are obvious . . . mobile botnets, anyone?

- Arbor Public

Not just Bluetooth

§  Buffer overflows, DoS vulnerabilities, weak IP stacks, etc. are issues on WiFi, wired interfaces.

§  All these attacks, and more, are of concern via other methods

§  Even though Bluetooth has an ostensible range of 10 meters, exploits using various types of antennas and amplifiers have been demonstrated at distances of over one mile (1.6km).

§  Again, the implications are obvious . . .

- Arbor Public

This isn’t speculation . . .

“The risk has arrived.” -- Ted Seely, SprintLink

- Arbor Public

Are We Doomed?

§ No! 80% of the security risks associated with VoIP are common to all forms of IP traffic . . . we have architectures, features, solutions, and BCP which apply. SP networking, security and voice teams need to learn, understand, and put this innovation into practice, as well as proactively collaborating, moving forward.

- Arbor Public

Architecture

- Arbor Public

Current Security Posture

- Arbor Public

GPRS/EDGE, WiMAX, 3G, LTE

- Arbor Public

Risks of Current Security Posture

- Arbor Public

Risks of Current Security Posture (cont.)

- Arbor Public

Network Visibility Can Help Improve the User Experience

- Arbor Public

The Right Tools for the Right Job

- Arbor Public

What’s Required to Do All This?

§  Dedicated headcount - OPEX to form an OPSEC team. Hire more good people ($$$) required; send existing personnel to training (Arbor offers courses on building SOCs). Cannot get around these requirements.

§  CAPEX commitment (not high for initial stages, leverage F/OSS tools, mainly).

§  Commitment from management to support and empower the OPSEC team and make it a viable career choice within the organization.

§  Goals for measurable improvement (SLAs, outages, ATLAS, etc.) within the first six months.

§  Hard work – i.e., ‘elbow-grease’.

- Arbor Public

The Right People for the Right Job

- Arbor Public

OPSEC Team Skill Requirements

§  The OPSEC Team needs to know …. –  Everything a Backbone Engineer knows –  Everything a Network Management Engineer knows –  Everything a Hosting/Content Engineer knows –  Everything an email postmaster knows –  Everything a DNS/DHCP/Addressing Engineer knows –  Everything a CERT Engineer knows –  Everything an Enterprise Infosec specialist knows

§  In essence – you are looking for super-engineers who are hybrid Backbone/Security Engineers!

- Arbor Public

Tips on Hiring OPSEC Team Talent

§  Hire experienced, certified people §  Document and verify processes §  Maintain latest infrastructure information §  Establish SLAs with customers and peers §  Test the continuity of operations regularly §  Maintain vendor support contracts §  Leverage analysis tools §  Create incentives for analyst development §  Plan and prepare for incident response §  Evaluate and measure for process improvement

- Arbor Public

PREPARATION Prep the network Create tools Test tools Prep procedures Train team Practice

IDENTIFICATION How do you know about the attack? What tools can you use? What’s your process for communication?

CLASSIFICATION What kind of attack is it? TRACEBACK

Where is the attack coming from? Where and how is it affecting the network?

REACTION What options do you have to remedy? Which option is the best under the circumstances?

POST MORTEM What was done? Can anything be done to prevent it? How can it be less painful in the future?

Six Phases of Incident Response

- Arbor Public

Goals You Can Achieve - Today!

§  Increase Network-Wide Visibility –  Pulling data from variety of sources –  Aggregation of data for further analysis &

baselining/trending §  Expedited Correlation Capabilities –  Ability to respond quickly; relatively real-time –  Device and system coverage –  Forensic capabilities

§  Enabling of Timely Reaction –  Reduction of incident impact on customers,

business –  Resulting improvement to service availability/

assurance

- Arbor Public

How to Achieve These Goals:

§  Perform real-time management and monitoring of network infrastructure with historical trending/baselining and real-time alerting

§  Enhance your information security posture through continuous monitoring and management, expert analysis of network telemetry and immediate response to potential security threats

§  Provide rapid resolution of security problems §  Offer a real-time view of your security posture §  Ensure optimal protection of mission-critical assets by

providing analysis and commentary needed to adjust defenses against emerging attacks

§  Protect your customers, infrastructure, and technology/resource investments

- Arbor Public

Must-Have Deliverables

§  Security monitoring for risk management §  Security posture risk analysis

§  Secure role-based portal access Real-time monitoring and status of incidents/tickets

§  Reports Security policy reports Security incident reports

Real-time on per-incident basis as well as weekly/monthly Information required to prepare a compliance-related audit

Service Level Agreement reports Monitoring for AUP Compliance Trends of security incidents and events Service-compliance reports for customers, management

- Arbor Public

Security Operations Center (SOC)

Management:

Incident, Problem, Change

§ Reports - Periodic

§ Monitoring SLA

Security policy

Plan for risk management

Establish SLA

Build Baseline

Process and tools

Assess security posture

Incident handling

Security Monitoring

Security Monitoring

For Risk Management

§  Compliance audits

§ Risk mitigation

§  Improvement analysis

Business Assets Complexity of Security Solutions

Analysis and Correlations

Security Experts

Security Deliverables

Risk Mitigation

Vulnerability Assessments

Reports Real-time and Periodic – Incident, Compliance, SLA

§ Portal with secure access

Visibility

- Arbor Public

The Ability to Answer These Types of Questions Equates to Success:

§  Are these traffic patterns normal for our

network? §  What is using up all of our bandwidth? §  Angry customers are calling - what happened? §  Why can’t we reach that server, network or AS? §  Has someone hijacked our routes? §  Are we peered with the right SPs? §  Should we change these BGP attributes or

policies? §  What’s the average packet size on our network?

- Arbor Public

The most important tools you have.

Architecture, Cross-functional Teamwork & Open Communications Across the Organization.

Security is not a product. Security is not a box which can be bolted onto the network. Security must be designed into the architecture at all 7 layers. There are no ‘silver bullets’; defense-in-depth is required. Every security professional must be a competent voice professional, networking engineering, and know a great deal about layer-7. Every voice professional must be a competent security professional, networking engineer, and know a great deal about layer-7. Every layer-7 professional must be a competent networking engineer, and know a great deal about voice, as well. Voice and security and layer-7 professionals must interact on an ongoing basis in the normal course of their day-to-day duties, including planning, development, and operations.

- Arbor Public

Moving forward together into the 1960s!

- Arbor Public

Q&A

Thank You!

Roland Dobbins <[email protected]> Solutions Architect +66-83-266-6344 BKK mobile +65-8396-3230 SIN mobile

The Internet Threat Horizon - mirror.die.net · 2012-11-07 · The Internet Threat Horizon Roland...

Documents

Transcript of The Internet Threat Horizon - mirror.die.net · 2012-11-07 · The Internet Threat Horizon Roland...