cyber-security, cyber threats: WHAT THEY ARE, WHAT THEY ARE NOT
CYBER
Internet scenario: 1307 TLDs
but the length of the PS (public suffix) list is 7890 ◦ the public suffix list is an initiative of Mozilla
data as of 15 May 2016
May 2016 2
picture from internet-map.net
Internet infrastructure: 73792 autonomous systems (May 2015) ◦ https://www.iana.org/assignments/as-numbers/as-numbers.xhtml
ASs define a meshed system
about security: SECURITY
◦ physical
◦ information (old acceptation)
◦ (inter)network
◦ cyber
◦ cyber (new acceptation)
information and network security strongly overlap
Information security (#infosec) ◦ ISO/IEC 27000:2009
◦ Preservation of confidentiality, integrity and availability of information ◦ In addition, also other properties, such as authenticity, accountability, non-repudiation and reliability
◦ CNSS (2010) ◦ The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability
◦ ISACA (2008) ◦ Ensures that only authorized users (confidentiality) have access to accurate and complete information (integrity) when required (availability)
Network security ◦ The protection of the information that may be reachable through a network ◦ The measures for the proper functioning of the network and that counter abuses and attacks
cyber-security: cyber-security attracted the attention of all operators following the development of technologies for (inter)networking and for remote monitoring and control in industry ◦ e.g., the SCADA (Supervisory Control and Data Acquisition) technology
affects both computer and physical security
modern cybernetics was born in 1948, when the American philosopher/mathematician Norbert Wiener defined it as "the scientific study of control and communication in the animal and the machine"
the cyber threat has been taken seriously by governments around the world; in Italy: ◦ DPCM 24/01/2013: Direttiva recante indirizzi per la protezione cibernetica e la sicurezza informatica nazionale (Directive laying down guidelines for national cyber protection and IT security)
◦ DPCM 27/01/2014: Strategia nazionale per la sicurezza cibernetica (National strategy for cyber security)
cybersecurity = computer security
cyber threats
March 2016 Cyber Attacks Statistics (source: hackmageddon.com)
advanced persistent threats (APT): Set of stealthy and continuous computer hacking processes, often orchestrated by human(s) targeting a specific entity (Wikipedia) ◦ usually targets organizations and/or nations for business or political motives ◦ APT processes require a high degree of covertness over a long period of time
Advanced: operators behind the threat have a full spectrum of intelligence-gathering techniques at their disposal
Persistent: operators give priority to a specific task, rather than opportunistically seeking information for financial or other gain ◦ This distinction implies that the attackers are guided by external entities ◦ The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives
Threat: APTs are a threat because they have both capability and intent. ◦ APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code
a possible APT methodology 1/2
1. Initial compromise: performed by use of social engineering and spear phishing, over email, using zero-day viruses. Another popular infection method was planting malware on a website that the victim employees will be likely to visit.
2. Establish Foothold: plant remote administration software in victim's network, create network backdoors and tunnels allowing stealth access to its infrastructure.
3. Escalate Privileges: use exploits and password cracking to acquire administrator privileges over victim's computer and possibly expand it to Windows domain administrator accounts.
4. Internal Reconnaissance: collect information on surrounding infrastructure, trust relationships, Windows domain structure.
a possible APT methodology 2/2
5. Move Laterally: expand control to other workstations, servers and infrastructure elements and perform data harvesting on them.
6. Maintain Presence: ensure continued control over access channels and credentials acquired in previous steps.
7. Complete Mission: exfiltrate stolen data from victim's network.
it has been the Chinese methodology in 2004-2013, according to Mandiant (a FireEye co.): http://intelreport.mandiant.com/
best practices for detecting and mitigating advanced persistent threats (Gartner, 2015): https://www.gartner.com/doc/3043819/best-practices-detecting-mitigating-advanced
one of the most important publicly available guidelines to fighting targeted cyber threats: http://www.asd.gov.au/infosec/mitigationstrategies.htm
many recent studies on APTs: most security firms are coping with APTs
typical targets
1. Financial systems
2. Utilities and industrial equipment
3. Aviation
4. Consumer devices
5. Large corporations
6. Automobiles
7. Government
Cyber Threat Management
threats (unordered partial list)
Backdoors
Denial-of-service attack
Direct-access attacks
Eavesdropping
Spoofing (from ARP to application level)
Tampering
Repudiation
Information disclosure
Privilege escalation
Exploits
Social engineering and Trojans
Indirect attacks
Web applications (attacks to)
Malware (broad category)
the task of categorizing threats is an impossible mission, due to the multiple conceptual levels and roles of threats, which create many IS-A, HAS-A, IMPLIES and other relationships among them
typical network attacks
Eavesdropping
Scanning (preliminary to a real attack) ◦ idle scan ◦ port scan
Denial-of-service attack (including smurf, SYN-flood, …)
Spoofing (DNS, ARP, IP, …)
Man in the middle / in the browser
Buffer overflow (stack, heap, format string attack, …) ◦ remember heartbleed?
SQL injection
Replay attacks
Poisoning (DNS cache, ARP cache, …)
many attacks make sense both at local network and at inter-network level
SSL/TLS: heartbeat & heartbleed
credential stealing
Bruce Schneier (CRYPTO-GRAM, May 2016): The most common way hackers of all stripes, from criminals to hacktivists to foreign governments, break into networks is by stealing and using a valid credential. Basically, they steal passwords, set up man-in-the-middle attacks to piggy-back on legitimate logins, or engage in cleverer attacks to masquerade as authorized users. It's a more effective avenue of attack in many ways: it doesn't involve finding a zero-day or unpatched vulnerability, there's less chance of discovery, and it gives the attacker more flexibility in technique.
Rob Joyce (Usenix Enigma security conference, Jan 2016, https://youtu.be/bDJb8WOJYdA): A lot of people think that nation states are running their operations on zero days, but it's not that common. For big corporate networks, persistence and focus will get you in without a zero day; there are so many more vectors that are easier, less risky, and more productive.
Stealing a valid credential and using it to access a network is easier, less risky, and ultimately more productive than using an existing vulnerability, even a zero-day.
cryptography for the #infosec
confidentiality ◦ symmetric (block/stream) ciphers, possibly based on public-key ciphers for the key exchange, or secured Diffie-Hellman
data integrity and authenticity ◦ MAC, HMAC ◦ keyed/unkeyed strongly collision-resistant hash functions
authentication and non-repudiation ◦ public-key cryptography and digital signatures ◦ challenge-response techniques ◦ third-party based (e.g., Kerberos)
overall: using nonces, timestamps, CSPRNG
real crypto-systems: based on standard secure protocols (SSH, SSL/TLS, IPSec, Kerberos etc.) and on standard digital certificates (X.509, issued by Certificate Authorities)
attack models against #infosec
passive (eavesdropping, used-ports analysis)
MITM (special case: man-in-the-browser, MITB)
replay, reflection etc.
breaking the cryptography ◦ brute force (short keys or dictionary based) ◦ (second) pre-image attacks (birthday paradox, crackstation.net, …) ◦ chosen/known plain/ciphertext (possibly adaptive)
◦ lunchtime attack (chosen ciphertext) ◦ known-plaintext attack used to decrypt Enigma
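Added example, not part of the original slides: it ties the "challenge-response techniques" and "nonces, timestamps, CSPRNG" bullets of the cryptography slide to the "replay" item of this attack-models slide. A server issues a nonce from a CSPRNG, the client answers with an HMAC over nonce, identity and timestamp, and the server accepts each nonce once within a freshness window, so a captured response replayed later is rejected. The names (Verifier, make_response, SHARED_KEY) and the demo key are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed demo secret; a real deployment provisions the key out of band.
SHARED_KEY = b"demo-shared-secret-not-for-production"
MAX_AGE_SECONDS = 30  # freshness window accepted for the client's timestamp


def make_response(key: bytes, nonce: bytes, client_id: str, ts: int) -> bytes:
    """Client side: prove knowledge of the key by HMAC-SHA256 over nonce|id|ts."""
    msg = nonce + client_id.encode("utf-8") + ts.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class Verifier:
    """Server side: issues single-use nonces and checks responses."""

    def __init__(self, key: bytes, now=time.time):
        self.key = key
        self.now = now            # injectable clock so the check is testable
        self.outstanding = set()  # nonces issued and not yet consumed

    def challenge(self) -> bytes:
        nonce = os.urandom(16)    # CSPRNG: unpredictable, so precomputation fails
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, client_id: str, ts: int, tag: bytes) -> bool:
        # Unknown or already-consumed nonce: a replay or a forged challenge.
        if nonce not in self.outstanding:
            return False
        # Every nonce is burned by its first verification attempt, pass or fail.
        self.outstanding.discard(nonce)
        # Stale or future timestamp: outside the freshness window.
        if abs(int(self.now()) - ts) > MAX_AGE_SECONDS:
            return False
        expected = make_response(self.key, nonce, client_id, ts)
        # Constant-time comparison avoids leaking the tag byte by byte.
        return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    server = Verifier(SHARED_KEY)
    n = server.challenge()
    t = int(time.time())
    tag = make_response(SHARED_KEY, n, "alice", t)
    print("first use accepted:", server.verify(n, "alice", t, tag))
    print("replay accepted:   ", server.verify(n, "alice", t, tag))
```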
October 2015: D-H decline started?
From the abstract: After a week-long precomputation for a specified 512-bit group, we can compute arbitrary discrete logs in that group in about a minute.
cyber-security at different levels: attacks can be made at all the levels of the TCP/IP stack
each attack can be an ingredient of a broader attack ◦ the higher in the stack, the broader the attack