Page 1: Defending Against 1,000,000 Cyber Attacks by Michael Banks

Defending Against 1,000,000 Cyber Attacks

Michael Banks | Rendition InfoSec

Page 2: Defending Against 1,000,000 Cyber Attacks by Michael Banks

$whoamiMichael Banks (@4MikeBanks)

• Information Security Consultant

• SigO


$./disclaimer.py | OVAMO | IANAL | TINLA

OVAMO: Opinions and Views of this presentation are my own and not of any of my employers

IANAL: I am not a lawyer

TINLA: This is not legal advice

Overview

• Background

• Cyber Attacks

• Numbers

• Project Slam

• Takeaways


$./Background.py


$./helloWorld.py

Standard Form 86 (SF-86)

$./traceRoute.py --myLifeandData

“Hacking of Government Computers Exposed 21.5 Million People” – NY Times

$./drill.py | grep “WTF”

“…OPM, for example thwarts 10 million confirmed intrusion attempts targeting our network.” – Katherine Archuleta


$./theme.py

1. Need more talent.

2. <insert org here> faces MILLIONS of cyber attacks…

3. The inevitable: Cyber Pearl Harbor


$./CyberAttacks.py

Who are you asking?

$./cyberAttacks.py --congress

18 U.S.C. § 1030, Computer Fraud & Abuse Act: “Fraud and related activity in connection with computers: (a) Whoever— (1) having knowingly accessed a computer without authorization or exceeding authorized access…”

$./cyberAttacks.py --dod

DOD Joint Terminology for Cyberspace Operations: “A hostile act using computer or related networks or systems, and intended to disrupt and/or destroy an adversary’s critical cyber systems, assets, or functions.”


$./cyberAttacks.py --defineAudience

18 U.S.C. § 1030, Computer Fraud & Abuse Act

DOD Joint Terminology for Cyberspace Operations


$./Numbers.py


$./numbers.py --shhh

“Officials said Saturday that over 62,000 cyberattacks had been registered in a single day…”

“…70 million hacker attacks on the servers…”

“The Kingdom had experienced more than 60 million cyber-attacks last year…”

“…systems automatically detect and prevent more than 10 million attacks, from tens of thousands of locations, including millions of attacks where the attacker has valid credentials. That’s over 4 billion attacks prevented last year alone…”


$./numbers.py

“Up to 300 Million Cyber Attacks on XXX (3LA) Data Centers Take Place Each Day”


$./numbers.py --includeReality

What do these numbers even mean, and how are they being calculated?

$./numbers.py --strangeAddition

Media/Public
• SSH brute-force attempt
• Wordlist of 10,000
• 1 IP (x.x.x.x)
• 3 minutes
• Unsuccessful login
• Reported as: 10,000 rapid, sophisticated cyber attacks thwarted

Analyst/Community
• SSH brute-force attempt
• Wordlist of 10,000
• 1 IP (x.x.x.x)
• 3 minutes
• Unsuccessful login
• Reported as: 1 failed intrusion attempt (one event)

$./numbers.py --strangeAddition

Media/Public
• All-port nmap scan
• 65,535 ports
• 1 IP (x.x.x.x)
• 1 minute
• Reported as: over 65,000 rapid, sophisticated cyber attacks thwarted

Analyst/Community
• All-port nmap scan
• 65,535 ports
• 1 IP (x.x.x.x)
• 1 minute
• Reported as: no report (“We get scanned all the time”)
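The two readings on these slides differ only in the unit being counted: a line in a log, or an event from one source. As an added example (not code from the talk or from Project Slam), the Python below parses constructed sshd "Failed password" and netfilter DROP lines, reports the per-line total that the headline number comes from, and collapses consecutive records from one source into events separated by a quiet gap, which is the number an analyst would report. The log line shapes, the IP addresses, the 60-second gap and the synthetic volumes (10,000 guesses in 3 minutes, then a 65,535-port scan) are assumptions chosen to mirror the slides.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shapes (constructed for this example): an sshd auth failure and a
# netfilter DROP line, each with an ISO-8601 timestamp in front.
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)
DROP_RE = re.compile(
    r"^(?P<ts>\S+) kernel: DROP .*\bSRC=(?P<ip>\d+\.\d+\.\d+\.\d+) .*\bDPT=\d+"
)


def parse(line):
    """Return (timestamp, source_ip, kind) for a countable line, else None."""
    for kind, rx in (("ssh-auth-failure", SSHD_RE), ("port-probe", DROP_RE)):
        m = rx.match(line)
        if m:
            return datetime.fromisoformat(m["ts"]), m["ip"], kind
    return None


def raw_attempt_count(lines):
    """The headline number: every matching line counted as one 'attack'."""
    return sum(1 for line in lines if parse(line))


def event_count(lines, gap=timedelta(seconds=60)):
    """The analyst number: records of one kind from one source with less than
    `gap` between consecutive records are a single event."""
    by_source = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ts, ip, kind = rec
            by_source[(ip, kind)].append(ts)
    events = 0
    for stamps in by_source.values():
        last = None
        for ts in sorted(stamps):
            if last is None or ts - last >= gap:
                events += 1
            last = ts
    return events


def synthetic_bruteforce(ip, guesses, start, interval):
    """Constructed sshd failures: `guesses` password tries from one IP."""
    return [
        f"{(start + i * interval).isoformat()} sshd[2201]: Failed password for root "
        f"from {ip} port {40000 + i} ssh2"
        for i in range(guesses)
    ]


def synthetic_portscan(ip, start, ports=65535):
    """Constructed DROP lines: one probe per TCP port from one IP."""
    return [
        f"{(start + timedelta(milliseconds=i)).isoformat()} kernel: DROP IN=eth0 "
        f"SRC={ip} DST=192.0.2.10 PROTO=TCP SPT=54321 DPT={port}"
        for i, port in enumerate(range(1, ports + 1))
    ]


def slide_scenario():
    """Both slides at once: 10,000 guesses in 3 minutes, then a full-port scan."""
    start = datetime(2016, 3, 1, 10, 0, 0)
    lines = synthetic_bruteforce("198.51.100.7", 10_000, start, timedelta(milliseconds=18))
    lines += synthetic_portscan("203.0.113.5", start + timedelta(hours=1))
    return raw_attempt_count(lines), event_count(lines)


def two_bursts_scenario():
    """Same source, two 50-guess bursts ten minutes apart: 100 lines, 2 events."""
    start = datetime(2016, 3, 1, 12, 0, 0)
    lines = synthetic_bruteforce("198.51.100.7", 50, start, timedelta(seconds=1))
    lines += synthetic_bruteforce("198.51.100.7", 50, start + timedelta(minutes=10), timedelta(seconds=1))
    return raw_attempt_count(lines), event_count(lines)


if __name__ == "__main__":
    raw, events = slide_scenario()
    print(f"{raw:,} lines matched; {events} events")
```

Running `slide_scenario()` gives 75,535 matched lines but 2 events; the gap threshold is the only knob, and any reporting that omits it (or the unit) is not comparable across organizations.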


$./ProjectSlam.py

$./projectSlam.py

A project designed to research adversary behavior and utilize the data captured to generate wordlists, blacklists, and methodologies of various threat actors that can be provided back to the public.


$./projectSlam.py

• v1 (2016)

• Kippo-0.9

• Debian 8

• Cloud Based Deployment

• Geographically Located in New York

• Public Accessible Ports: 22, 80, 443


$./projectSlam.py

• Username / Pass (Wordlist)

• Source IP (Location)

• Full TTY Sessions

• A!! D@ Toolz

$./projectSlam.py

• v2 (2017) – a full-interaction honeypot to enumerate more information from the attacker.

• Docker (pre-populated)
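To show how the honeypot's login attempts become the wordlists and IP lists the project publishes, here is an added Python example; it is not Project Slam's own code. It assumes a log line shaped like Kippo's ssh-userauth "login attempt [user/password] failed|succeeded" message, and the sample lines, addresses and credentials are constructed for the example, not data from the honeypot.

```python
import re
from collections import Counter

# Assumed Kippo-style ssh-userauth line: the transport id and the peer address
# sit inside the bracketed prefix. Passwords containing ']' are not handled.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\S*) "
    r"\[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)$"
)

# Constructed sample log (not honeypot data from the talk). The last line is a
# post-login command record and must be ignored by the credential parser.
SAMPLE_LOG = """\
2016-03-01 10:00:01+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/123456] failed
2016-03-01 10:00:02+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/admin] failed
2016-03-01 10:00:03+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/root123] failed
2016-03-01 10:00:04+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/123456] failed
2016-03-01 10:05:10+0000 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.5] login attempt [admin/admin] failed
2016-03-01 10:05:11+0000 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.5] login attempt [ubnt/ubnt] failed
2016-03-01 10:05:12+0000 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.5] login attempt [pi/raspberry] succeeded
2016-03-01 10:09:00+0000 [SSHService ssh-userauth on HoneyPotTransport,3,192.0.2.99] login attempt [root/123456] failed
2016-03-01 10:09:00+0000 [SSHService ssh-userauth on HoneyPotTransport,3,192.0.2.99] CMD: uname -a
"""


def parse_logins(text):
    """One dict per login attempt; command and connection lines are skipped."""
    return [m.groupdict() for m in map(LOGIN_RE.match, text.splitlines()) if m]


def tally(attempts):
    """Counters for usernames, passwords, (user, password) pairs and source IPs."""
    users = Counter(a["user"] for a in attempts)
    passwords = Counter(a["pw"] for a in attempts)
    pairs = Counter((a["user"], a["pw"]) for a in attempts)
    sources = Counter(a["ip"] for a in attempts)
    return users, passwords, pairs, sources


def wordlist(counter, min_count=1):
    """Most-tried values first; ties broken alphabetically so output is stable."""
    ranked = sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))
    return [value for value, n in ranked if n >= min_count]


def ip_blocklist(sources, min_attempts=2):
    """Sources with at least `min_attempts` guesses, busiest first."""
    return wordlist(sources, min_attempts)


def accepted_pairs(attempts):
    """Credential pairs the honeypot let in: candidates for a default-credential list."""
    return sorted({(a["user"], a["pw"]) for a in attempts if a["result"] == "succeeded"})


if __name__ == "__main__":
    attempts = parse_logins(SAMPLE_LOG)
    users, passwords, pairs, sources = tally(attempts)
    print("usernames:", users.most_common(3))
    print("wordlist:", wordlist(passwords))
    print("blocklist:", ip_blocklist(sources))
    print("accepted:", accepted_pairs(attempts))
```

Counting pairs as well as individual values matters: a wordlist of passwords alone loses the fact that "ubnt/ubnt" and "pi/raspberry" are device defaults tried as a unit, which is the "reset default credentials" finding of the talk.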


$./projectSlam.py

~4,000 Every Day

~1.4 Million in a year


$./projectSlam.py

Trailing 20 Weeks (chart)

$./projectSlam.py

Usernames (Count)

 1. root           499,111
 2. admin           13,496
 3. Administrator    1,428
 4. support          1,046
 5. user               954
 6. test               739
 7. ubnt               666
 8. guest              525
 9. oracle             390
10. ftpuser            359
11. PlcmSpIp           355
12. pi                 324
13. postgres           264
14. operator           221
15. git                214


$./projectSlam.py

Passwords (Count)

 1. 123456      3,683
 2. admin       3,606
 3. password    3,283
 4. root        3,042
 5. 1234        2,989
 6. 12345       2,876
 7. test        2,722
 8. 123         2,575
 9. !@          2,518
10. 1           2,478
11. p@ssw0rd    2,448
12. wubao       2,366
13. root123     2,347
14. jiamima     2,311
15. !q@w        2,272
16. !           2,263
17. !qaz@wsx    2,251
18. idc!@       2,196
19. admin!@     2,181
20. support       750


$./projectSlam.py

Trailing 20 Weeks (chart)

$./projectSlam.py | whatsNext

$./projectSlam.py | whatsNext

• Report for 2016 (Jan ’17): full report, wordlist, IP list

• Deployment for 2017 (Jan-Dec)

• Report for 2017 (Jan ’18): full report, wordlist, IP list


$TakeHome.py


$TakeHome.py

• Partial Wordlist

• Partial IP List


$TakeHome.py

Github.com/mikebanks/projectSlam

$Conclusion.py

• Don’t use simple passwords

• Use unique usernames

• Reset default credentials

• Where possible, use 2FA
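The four conclusions map directly onto sshd settings, since the honeypot's most-guessed username is root and every guess recorded is a password. As an added example (not from the talk or from Project Slam), the Python below audits the global section of an sshd_config against them, with a weak configuration beside a hardened one. It assumes OpenSSH's keyword semantics (keywords are case-insensitive, the first occurrence of a keyword wins, "#" starts a comment, and settings after a Match line are conditional rather than global) and OpenSSH 7.0+ defaults for absent keywords; both configuration texts are constructed for the example.

```python
import re

# OpenSSH (7.0 and later) defaults applied when a keyword is absent; an
# assumption for this example, check `sshd -T` on the real host.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
    "authenticationmethods": "any",
}

# sshd_config allows "Keyword value" or "Keyword=value".
OPTION_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")

# Constructed weak configuration (not from the talk): root logins, password
# guessing and empty passwords all permitted; the Match block does not help
# because it only applies to one account.
WEAK_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
MaxAuthTries 6
Match User backup
    PasswordAuthentication no
"""

# Constructed hardened configuration: no root, no passwords, key plus a
# second factor (keyboard-interactive, e.g. a PAM OTP module) required.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 3
AuthenticationMethods publickey,keyboard-interactive
"""


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for the global section, first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = OPTION_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # everything after Match is conditional, not global policy
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """List of (keyword, observed, recommended) for settings that invite the
    brute-force traffic seen by the honeypot."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["permitrootlogin"] == "yes":
        findings.append(("PermitRootLogin", cfg["permitrootlogin"], "no"))
    if cfg["passwordauthentication"] == "yes":
        findings.append(("PasswordAuthentication", "yes", "no (key-based authentication only)"))
    if cfg["permitemptypasswords"] == "yes":
        findings.append(("PermitEmptyPasswords", "yes", "no"))
    if int(cfg["maxauthtries"]) > 3:
        findings.append(("MaxAuthTries", cfg["maxauthtries"], "3"))
    # Every alternative in AuthenticationMethods must include publickey for a
    # key to be mandatory; "any" (the default) is single-factor.
    methods = cfg["authenticationmethods"]
    if methods == "any" or not all("publickey" in alt.split(",") for alt in methods.split()):
        findings.append(("AuthenticationMethods", methods, "publickey,keyboard-interactive"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(text) or "no findings")
```

The parser stops at the first Match line on purpose: a Match block can tighten or loosen a setting for one user or address, but the global value is what an unknown source IP guessing "root" gets.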

$Questions.py | audience

RenditionInfoSec.com

@4MikeBanks | [email protected] | (847) 208-2393

MichaelBanks.org