
Protecting against computerized corporate espionage



Presentation Transcript


  1. Protecting against computerized corporate espionage • How to harden your corporate practices Jarno Niemelä jarno.niemela@f-secure.com twitter:@jarnomn

  2. What Is Computerized Espionage • Spying on a target by using a computer as the tool for it • Targets are chosen because they have something of value • Or are associated with an interesting target • Attacks are impersonal and very personal at the same time • Victim and attacker can be on different sides of the globe • But at the same time the attacker has tailored the attack to the person

  3. Typical Computerized Espionage Case • Victim gets an email or a message over some social network • The content looks like a regular business mail or a link • However it contains exploit code with a trojan payload • Victim reads a document or clicks the link and the payload is executed • Payload connects back to the attacker's C&C network • Computer is under the spy's control • Spy will mine the computer for anything interesting • Anything of value in the system, or anything that can be used to infect others

  4. What’s The Catch? This Sounds Like Any Other Malware • Nowadays users are careful, they don’t open just anything • Thus the catch is in getting the user's trust • To do this the spies study the victim in order to slip past people's guard, just like in physical espionage • Thus Facebook, LinkedIn, Twitter, etc are spies' favorite tools

  5. What Are The Spies After? • Corporate secrets of course • But if those are not available, then anything that helps them [1] • Travel tickets, hotel invoices and other time/location info • Banking info and scans of documents, e.g. passports • Job applications, legal documents • Email, SMS messages, address books and other communication • If the current victim is not interesting, maybe someone he knows is • And thus the current victim can be impersonated online

  6. Attack Vectors • Attack over email attachment • Attack externally visible server and continue to internal network • Attack from supplier web page • Steal user credentials • Attacks over business related files

  7. Attacks Over Email • An employee at Digital Bond received a credible-looking mail from his boss [2] • The mail contained correct names, correct lingo and had a link to a PDF file related to the target's field • Digital Bond is a SCADA security vendor, and thus has very interesting clients from a spy's point of view • The attachment actually was a ZIP file which contained an EXE • The EXE was a backdoor which was not detected by any AV vendor

  8. Mass Email Campaigns • “Nitro” industrial espionage is a typical example of a mass email attack [3] • The attackers had a list of contacts with various levels of info • If a connection between two contacts was known • The attack emails pretended to be meeting invites from known contacts • Otherwise the attack emails pretended to be “security updates” • Attackers mined proprietary designs, formulas, and manufacturing processes • And any email and contact info that could be used to find new targets

  9. Attacks On Externally Visible Servers • Hacker broke into the HBGary Federal web server using SQL injection • SQL access allowed the attackers to download the password file • One of the passwords allowed SSH access to a server connected to the internal network • After this the hacker had access to the full corporate network • Access to all email, Twitter • Thus access to password reset on Google, iCloud, etc services • Greg Hoglund's email account was used to social engineer the password to rootkit.com

  10. Watering Hole: Attacks Over Industry Contacts • Many interesting targets are well protected • Thus attackers may focus on the less protected supply chain [4] • A European aeronautical parts supplier's web site was hacked [5] • The site was injected with a 0-day exploit for Internet Explorer • Thus any customer of that company who used IE could be targeted • The IE exploit was actually a rather crude way of using the supplier • Attackers could have infected PDF documents or SDK installers instead

  11. Attacks Over Business Related Files • Non-PDF business related files are trusted to a high degree • ESET discovered an AutoCAD worm that was used to steal 10000s of docs [6] • ACAD/Medre.A is an AutoCAD-based worm that infects other AutoCAD files • Medre.A had infected a template in Peru that local businesses had to use • Thus almost everyone in that industry got infected • After infection Medre.A collected AutoCAD files from the system and emailed them to a list of email accounts in China (163.com and qq.com) • Medre.A also tries to steal Outlook PST files

  12. C&C • After successful attack the attacker needs to be able to talk to the payload • Which means that he needs some way to communicate • HTTP(s) C&C (simple domain, fast flux, compromised site) • Skype, IRC, Messenger, ICQ, etc chat connections • Twitter, facebook, social networks • FTP, Dropbox, file-leave, file sharing sites • SMTP • Anything else that looks like regular user activity

  13. Data Exfiltration • After the attacker has C&C he needs some way to get data out • Most common approach is to use the C&C channel and HTTP • But sometimes attackers get creative [7] [8] [9] • Print “error pages” that contain encoded information and dumpster dive • Leak information in DNS queries, payload 240 bytes per query • Leak info in ICMP ping packets • Open a VOIP connection and emulate an analog modem • Use IE or another web browser to make network connections to bypass the firewall

  14. Protection: Get your basics right • Attackers are using malware, so basic malware defense takes you a long way [10] • Harden workstations and servers • Harden your network especially outgoing data • Make sure external servers contain only what is needed • Make sure systems are up to date and well configured • Use security software • Use gateway filtering • Etc, good basic admin work

  15. Hardening workstations and servers • In 2011 I covered this topic in detail at T2 • The previous material is included with these slides • The key points that you have to take care of • Prevent hostile content from reaching clients • Prevent exploits from working • Prevent malware access inside system • Prevent malware communicating to C&C • Above all make sure information and systems are isolated • Add custom user agent to your browsers to “watermark” legitimate traffic

  16. Hardening Network • Isolate everything in the network: no inbound to clients, no outbound from servers • Allow email only over the company mail server • Don’t allow mail sending without user authentication • Don’t allow any other outbound traffic except HTTP(s) • Allow HTTP(s) only over the company proxy • Don’t allow external DNS servers, don’t allow ping to external hosts • Set up DNS white listing and a landing page for unknown domains • Apply these configurations also to laptop software firewalls • A common trick is to leak info when the laptop is not in the corporate network

  17. DNS Is Botnets' Achilles Heel • Bot is useless if it cannot connect to C&C • Provided that you are not facing an exotic attack such as Flame • Basically all bots do use domain names for C&C • Thus restricting DNS resolution will take you a long way • I am collecting a list of domains used by document exploits • 8953 domains out of 9035 do not belong in the Alexa top 1M list of domains • Which means that restricting DNS resolution is very effective

  18. Ok So Basics Are Done, The Fun Part Begins • You have to assume that the attacker gets past your defenses • Prevent access to sensitive information and systems • Buy time for detection systems to react • Minimize damage even if the attack is not detected • Detect the breach • According to Trustwave there is an average of 156 days between initial breach and discovery [11] • This is way too long, we need to lay traps for attackers

  19. Know What You Are Protecting • Document files • Business plans, price offers, pricing, patent applications, HR records • Source code • Files on developer desktops, source code repositories • Email files • Mergers, financial information before release, etc insider info • Intra web • Customer Relations Info • Any services that you have webified • Active directory • User accounts • Web servers • Especially if you are subcontractor, your customer might be the real target

  20. Protect Documents, Use Rights Management • Windows Rights Management Services (RMS) provides transparent document protection [12] • With RMS all protected documents are stored in encrypted form • To open a document Word/Excel/etc must request a key from the RMS server • The RMS server authenticates the user against the domain account • If the account checks ok and the user has rights, the server returns a key • Thus if a document is stolen it cannot be read • Also documents can be restricted to a person or a group • Third party vendors like GigaTrust can expand rights management to non-Microsoft documents and iPhone/iPad devices [13]

  21. Protect Access To Source Code • Isolate development from the desktop • Run development in a separate virtual machine session • Have a VPN that serves only that virtual machine • Alternatively use some form of terminal service, VNC or RDP for example • Protect access to the source code repository • User access needs to be tightly controlled, no universal read access • Use data leakage prevention software [14] • Configure all source code as non-transferable from the workstation • Of course DLP can be circumvented, but it is additional protection

  22. Protect Your Internal Web Applications • Make the attacker's life a bit more difficult: lock access down to one browser • Use Kerberos authentication for all internal web pages • Set the client firewall to allow only the correct browser to use HTTP/S to the intranet • Configure the intranet server to accept only the company custom user agent • Thus the attacker needs to take over the browser or fake it 100% • Have log alerts for partially successful authentications • It’s very unlikely that the attacker would get everything right

  23. Protect External Web From Inside Attacks • Being an attack vector at your customer will be bad for business relations • Thus you have to protect your external servers from insider attacks • Isolate external facing servers from the internal network • Allow admin access only from specified hosts and IP addresses • Don’t make direct changes, use content management • Make all changes in a CMS that has auditing and change logging • Have the server periodically pull updates from the CMS • Do automated consistency checks between the CMS and the public server • Set an alert if there are differences between intended and actual content
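The consistency check slide 23 calls for can be as simple as comparing a hash manifest of what the CMS intends to publish with a manifest of what the server actually serves. The script below is an added example, not tooling from the talk: it builds both trees in temporary directories with constructed content (an injected script tag and an unexpected extra file on the served side) so it runs offline; in practice `intended` would be the CMS export and `actual` the public document root.

```python
"""Added example (not from the slides): compare the content a CMS intends to
publish with what the public web server actually serves and report any
difference. Both trees are constructed in temporary directories so the
script runs offline; `intended` would normally be a CMS export and `actual`
the server's document root."""
import hashlib
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict:
    """Map each relative file path under root to its SHA-256 digest."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            result[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def compare(intended: dict, actual: dict) -> dict:
    """Files only on the server ("added"), only in the CMS ("missing") or
    with differing content ("modified"). Any non-empty list is an alert:
    the public site no longer matches the audited CMS state."""
    return {
        "added": sorted(set(actual) - set(intended)),
        "missing": sorted(set(intended) - set(actual)),
        "modified": sorted(p for p in intended.keys() & actual.keys()
                           if intended[p] != actual[p]),
    }


def _write(root: Path, files: dict) -> None:
    """Helper for the constructed scenario: write a dict of relative paths."""
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def demo() -> dict:
    """Constructed scenario: the served index.html has gained a script tag the
    CMS never published, and an extra file has appeared on the server."""
    with tempfile.TemporaryDirectory() as cms, tempfile.TemporaryDirectory() as www:
        _write(Path(cms), {
            "index.html": "<html><body>Welcome</body></html>",
            "downloads/sdk-readme.txt": "placeholder for a published download",
        })
        _write(Path(www), {
            "index.html": '<html><body>Welcome<script src="injected.js"></script></body></html>',
            "downloads/sdk-readme.txt": "placeholder for a published download",
            "images/new.gif": "not really a gif",
        })
        return compare(manifest(Path(cms)), manifest(Path(www)))


if __name__ == "__main__":
    print(demo())
```

Run it from cron on the web server (or from a monitoring host that fetches both trees) and page someone whenever `compare` returns anything other than three empty lists; the manifest of the CMS side should come from the CMS's own audited export, not from a copy kept on the web server.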

  24. Protect Your Email • Most recorded email thefts happen by stealing the mail files • Issue email certificates for all users, and lock the certs with password • Thus almost all critical email will have transparent encryption • And to read them spy has to be able to steal the certificate • Block or set warnings on programmatic access to mail client • Also remember to control access to .PST, etc files

  25. BYOD • It would be nice to be without BYOD • If you have to allow user devices, do it safely • Laptops, phones and PDAs should have their own WIFI • Require that the mail server can enforce policies • Mandatory PIN or other lock code • Allow only a couple of days of email • Allow only one month of calendar in the future • Use rights management on everything that supports it

  26. Detect Breaches And Information Leaks • Even if you fail at prevention, the game is not lost • The spy still has to send the goods out of your network • Most companies focus on preventing intrusion • While what you should really focus on is preventing data from escaping

  27. Set Data Exfiltration Honeypots • Create fake routes out of the company that give alarm if someone uses them • Fake smtp.company.com mail server that accepts mail but does not forward • Capture all HTTP traffic that does not go through correct proxy • Capture all DNS traffic that does not go to your DNS server • Capture all ping ICMP traffic

  28. How To Build Honeypots • All you need is Linux IPTables or a good router, python and a spare server • Route all unwanted traffic to honeypot server • Create fake services with python that answer ok, log and send alarm email • HTTP example http://fragments.turtlemeat.com/pythonwebserver.php • SMTP http://muffinresearch.co.uk/archives/2010/10/15/fake-smtp-server-with-python/ • DNS http://code.activestate.com/recipes/491264-mini-fake-dns-server/
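A fake SMTP server of the kind slides 27 and 28 describe needs to speak only enough SMTP to convince a client that its message was accepted, then log the envelope and raise an alarm instead of relaying. The code below is an added example written for this page, not the author's honeypot or the linked recipe: the session logic is kept as a pure class so it can be exercised without a network, and the socket wrapper at the bottom is what you would actually point the rerouted port-25 traffic at. The hostname `smtp.company.example`, the listening port 2525 and the `log_alert` hook are this example's own choices.

```python
"""Added example, not from the slides or the linked pages: a minimal fake SMTP
server that accepts mail, never forwards it, and calls an alert hook with the
captured envelope. Anything that reaches it is a host trying to send mail
around the real company mail server, which is exactly the trap slide 27 sets."""
import socketserver
from datetime import datetime, timezone


class FakeSmtpSession:
    """One SMTP dialogue. Only the commands a mailer needs to get a message
    accepted (HELO/EHLO, MAIL FROM, RCPT TO, DATA, QUIT) are understood."""

    def __init__(self, peer: str, alert):
        self.peer = peer
        self.alert = alert          # callable(dict) -> None, e.g. send alarm email
        self.sender = None
        self.recipients = []
        self.in_data = False
        self.body = []

    def greeting(self) -> str:
        return "220 smtp.company.example ESMTP ready\r\n"

    def feed(self, line: str) -> str:
        """Handle one client line and return the reply ("" while inside DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.alert(self.envelope())
                return "250 OK queued\r\n"     # a lie: nothing is ever queued
            self.body.append(line)
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 smtp.company.example\r\n"
        if verb == "MAIL":                     # MAIL FROM:<addr>
            self.sender = arg.split(":", 1)[-1].strip()
            return "250 OK\r\n"
        if verb == "RCPT":                     # RCPT TO:<addr>
            self.recipients.append(arg.split(":", 1)[-1].strip())
            return "250 OK\r\n"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>\r\n"
        if verb == "QUIT":
            return "221 Bye\r\n"
        return "250 OK\r\n"                    # accept anything else silently

    def envelope(self) -> dict:
        """What gets logged and alerted on: who, from where, to whom, how much."""
        return {
            "time": datetime.now(timezone.utc).isoformat(),
            "peer": self.peer,
            "from": self.sender,
            "to": list(self.recipients),
            "size": sum(len(l) + 2 for l in self.body),
        }


def run_session(peer: str, client_lines: list, alert) -> list:
    """Drive one session from a list of client lines; returns the replies."""
    session = FakeSmtpSession(peer, alert)
    replies = [session.greeting()]
    for line in client_lines:
        reply = session.feed(line)
        if reply:
            replies.append(reply)
    return replies


def log_alert(envelope: dict) -> None:
    # Stand-in for "send alarm email"; wire this to your alerting instead.
    print("ALERT exfiltration attempt:", envelope)


class Handler(socketserver.StreamRequestHandler):
    """Network front end: one FakeSmtpSession per TCP connection."""

    def handle(self):
        session = FakeSmtpSession(self.client_address[0], log_alert)
        self.wfile.write(session.greeting().encode())
        for raw in self.rfile:
            reply = session.feed(raw.decode(errors="replace").rstrip("\r\n"))
            if reply:
                self.wfile.write(reply.encode())
            if reply.startswith("221"):
                break


if __name__ == "__main__":
    # Redirect stray outbound port-25 traffic here with iptables or the router.
    socketserver.ThreadingTCPServer(("0.0.0.0", 2525), Handler).serve_forever()
```

Because the envelope records the peer address, the alert already tells you which workstation to pull for investigation; the message body is deliberately not kept, only its size, which keeps the honeypot clear of the privacy concerns slide 29 raises.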

  29. Monitor Traffic That Is Allowed To Go Through • For privacy reasons I don’t advise reading content, but just traffic inspection will reveal if there is a need to start an investigation • Monitor DNS queries for unusual patterns • 10s of queries to different subdomains in the same domain • Queries to domains not in .fi or in the Alexa top 1M space • Monitor ping requests (even if you are blocking them) • Normal users do not try to send frequent ping traffic to odd destinations • HTTP requests that do not have the company standard HTTP user agent • Whitelist known self update destinations (Apple, Dell, Google, etc)
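The DNS and user-agent checks on slide 29 are easy to run over resolver and proxy logs without looking at any content. The script below is an added example, not part of the talk: the two log line formats, the company user-agent string, the small "popular domains" set (standing in for the Alexa top 1M) and the sample log lines are all constructed for the example; map your resolver's and proxy's real formats onto the same fields. The sample logs contain one host that spreads encoded data across many distinct subdomains of one domain and one host using a non-browser HTTP client, and the script flags both.

```python
"""Added example (not part of the slides): the traffic checks from slide 29
applied to constructed resolver and proxy log lines. Formats and the domain
allowlists are this example's own; POPULAR_DOMAINS stands in for Alexa top 1M."""
import re
from collections import defaultdict

COMPANY_UA = "Mozilla/5.0 CompanyBrowser/1.0 id=7f3a"   # the custom "watermark" UA
ALLOWED_TLDS = {"fi"}
POPULAR_DOMAINS = {"google.com", "googleapis.com", "microsoft.com", "f-secure.com", "apple.com"}
SELF_UPDATE_HOSTS = {"swcdn.apple.com", "downloads.dell.com", "update.googleapis.com"}
SUBDOMAIN_BURST = 10     # "10s of queries to different subdomains"

DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<name>\S+)$")
HTTP_LINE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) "(?P<ua>[^"]*)"$')


def registered_domain(name: str) -> str:
    """Last two labels: enough for the TLDs used here; a public suffix list
    is needed for the likes of .co.uk."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def analyse_dns(lines):
    """Return (domains with a burst of distinct subdomains, domains outside
    the allowed TLDs and the popular list)."""
    subdomains = defaultdict(set)
    for line in lines:
        m = DNS_LINE.match(line)
        if not m:
            continue
        name = m["name"].rstrip(".").lower()
        subdomains[registered_domain(name)].add(name)
    bursts = {d: len(s) for d, s in subdomains.items() if len(s) >= SUBDOMAIN_BURST}
    unusual = sorted(d for d in subdomains
                     if d.split(".")[-1] not in ALLOWED_TLDS and d not in POPULAR_DOMAINS)
    return bursts, unusual


def analyse_http(lines):
    """Requests whose User-Agent is not the company watermark and whose
    destination is not a whitelisted self-update host."""
    findings = []
    for line in lines:
        m = HTTP_LINE.match(line)
        if not m:
            continue
        if m["ua"] != COMPANY_UA and m["host"] not in SELF_UPDATE_HOSTS:
            findings.append((m["client"], m["host"], m["ua"]))
    return findings


# Constructed sample logs: 10.1.2.40 sends twelve lookups for distinct
# hex-labelled subdomains of one domain; 10.1.2.43 runs a non-browser client.
DNS_SAMPLE = [f"2012-10-25T09:00:{i:02d} 10.1.2.40 query {h}.t.exfil-example.net"
              for i, h in enumerate(["4a6f", "686e", "2053", "6d69", "7468", "2020",
                                     "5061", "7373", "776f", "7264", "3a20", "6162"])]
DNS_SAMPLE += [
    "2012-10-25T09:01:00 10.1.2.41 query www.f-secure.com",
    "2012-10-25T09:01:03 10.1.2.41 query mail.yritys.fi",
    "2012-10-25T09:01:05 10.1.2.42 query update.googleapis.com",
]
HTTP_SAMPLE = [
    f'2012-10-25T09:02:00 10.1.2.41 intranet.yritys.fi "{COMPANY_UA}"',
    '2012-10-25T09:02:10 10.1.2.42 swcdn.apple.com "Software Update/2.0"',
    '2012-10-25T09:02:15 10.1.2.43 cdn.exfil-example.net "Mozilla/4.0 (compatible; MSIE 6.0)"',
]

if __name__ == "__main__":
    print(analyse_dns(DNS_SAMPLE))
    print(analyse_http(HTTP_SAMPLE))
```

Both functions work on metadata only (names, hosts, user agents), so they can run on the resolver and proxy logs the company already keeps; the subdomain-burst check in particular catches the DNS-label exfiltration of slide 13 whether or not the destination domain is known in advance.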

  30. Monitor For Unusual Process Activity • Spies often use tools that normal users don’t execute ever or almost ever • cmd.exe /c “some command” • Runs specified command in command shell. Used by some exploits and backdoors • Focus on things not used by installers. F.ex cmd.exe /c “dir” • Certmgr.exe (especially certmgr.exe -add) • Used to add certificates to trusted certificates • Used by some backdoors to better hide in system from forensic investigation • Bcdedit.exe (bcdedit /set loadoptions DDISABLE_INTEGRITY_CHECKS) • Used to modify boot configuration, and disable code signing protection on boot • Netsh (especially netsh.exe firewall) • Used by malware to disable or alter Windows firewall
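The four command lines on slide 30 translate directly into detection rules over process-creation events. The following is an added example, not tooling from the talk: the event dictionaries mimic what a Sysmon or audit-log forwarder would deliver, with field names (`image`, `parent_image`, `command_line`, `user`) chosen for this example, and the sample events are constructed. The `cmd.exe` rule is narrowed to the `dir` case the slide gives and is suppressed when the parent is a known installer, which is what keeps the benign first event quiet.

```python
"""Added example (not part of the slides): the suspicious command lines from
slide 30 as detection rules, run over constructed process-creation events.
Field names are this example's own; map your log source onto them."""
import re

# (rule name, image name, regex over the command line, what it indicates)
RULES = [
    ("cmd-shell-dir", "cmd.exe", re.compile(r'/c\s+"?dir\b', re.I),
     "directory listing from a command shell: recon, not something installers do"),
    ("certmgr-add", "certmgr.exe", re.compile(r"(^|\s)-add\b", re.I),
     "adding a certificate to a trusted store"),
    ("bcdedit-disable-integrity", "bcdedit.exe",
     re.compile(r"/set\s+loadoptions\s+DDISABLE_INTEGRITY_CHECKS", re.I),
     "disabling driver code-signing enforcement at boot"),
    ("netsh-firewall", "netsh.exe", re.compile(r"(^|\s)(advfirewall|firewall)\b", re.I),
     "altering the Windows firewall"),
]

INSTALLER_PARENTS = {"msiexec.exe", "setup.exe", "wusa.exe"}   # expected cmd.exe parents


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def evaluate(event: dict) -> list:
    """Names of the rules this event matches (empty list = nothing unusual)."""
    image = _basename(event["image"])
    parent = _basename(event.get("parent_image", ""))
    hits = []
    for name, proc, pattern, _note in RULES:
        if image != proc or not pattern.search(event["command_line"]):
            continue
        # cmd.exe spawned by an installer is expected; the other rules always fire
        if name == "cmd-shell-dir" and parent in INSTALLER_PARENTS:
            continue
        hits.append(name)
    return hits


def scan(events) -> list:
    """Alert tuples (user, image, rule) for every matching event, in order."""
    return [(e["user"], e["image"], r) for e in events for r in evaluate(e)]


# Constructed events: two benign, four matching the slide's list.
SAMPLE_EVENTS = [
    {"user": "CORP\\alice", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\System32\\msiexec.exe",
     "command_line": 'cmd.exe /c "dir C:\\Program Files"'},
    {"user": "CORP\\alice", "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "parent_image": "C:\\Windows\\explorer.exe", "command_line": "WINWORD.EXE /n"},
    {"user": "CORP\\bob", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Users\\bob\\AppData\\Roaming\\Protector-vvxb.exe",
     "command_line": 'cmd.exe /c "dir /s C:\\Users\\bob\\Documents"'},
    {"user": "CORP\\bob", "image": "C:\\Windows\\System32\\certmgr.exe",
     "parent_image": "C:\\Users\\bob\\AppData\\Roaming\\Protector-vvxb.exe",
     "command_line": "certmgr.exe -add update.cer -s -r localMachine root"},
    {"user": "CORP\\bob", "image": "C:\\Windows\\System32\\bcdedit.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "bcdedit.exe /set loadoptions DDISABLE_INTEGRITY_CHECKS"},
    {"user": "CORP\\bob", "image": "C:\\Windows\\System32\\netsh.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "netsh.exe firewall set opmode disable"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(*alert)
```

The parent-process field is what makes this usable in practice: the same `cmd.exe /c dir` is noise under `msiexec.exe` and a strong signal under an unknown binary in `%appdata%`, and the tuple returned by `scan` already names the user and image to start the investigation from.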

  31. Monitor File Access Behavior On Clients • Regular users have rather uniform access patterns • Documents are accessed with Word, Outlook, Explorer and backup software • Source code is accessed with Eclipse, Visual Studio, etc • So an unknown application accessing a given file type is rare, and interesting • Build an alert system to monitor unknown applications accessing critical data • Why does %appdata%/Protector-vvxb.exe read document files?

  32. Simple Example For Monitoring Activity • Process Monitor http://technet.microsoft.com/en-us/sysinternals/bb896645 • With Process Monitor we see all file creations and other interesting events • Start Process Monitor and filter desired events to be visible • Dump results to disk and convert to XML • Parse the result for anything out of the ordinary and alert admin

  33. Setting Up Process Monitor • Save configuration to ProcmonConfiguration.pmc

  34. Demo Using Process Monitor • I implemented a simple tool to parse Process Monitor logs • And alert on anything unusual • The tool could be deployed on all user workstations • It’s ”demo” quality, so use at your own risk
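The parsing step of slides 32 to 34, applied to the access-pattern idea of slide 31, looks roughly like the script below. It is an added example and not the author's demo tool: it reads a Process Monitor XML export, classifies each accessed path as a document or source file, and reports reads by processes outside the expected set for that class. The element names (`procmon`/`eventlist`/`event`, `Process_Name`, `Operation`, `Path`, `Detail`) are assumed to match Procmon's XML export and should be confirmed against an export from your own Procmon version; the expected-reader lists and the sample export, in which `Protector-vvxb.exe` reads a pricing document and a PST file, are constructed.

```python
"""Added example, not the author's demo tool: flag reads of critical document
or source files by processes that are not the usual tools, from a Process
Monitor XML export. Element names are assumed to match Procmon's export
format (confirm against a real export); reader lists and sample are constructed."""
import ntpath
import xml.etree.ElementTree as ET
from collections import Counter

# Expected readers per file class (slide 31). Anything else touching these
# extensions is rare enough to be worth an alert.
EXPECTED = {
    "document": ({".doc", ".docx", ".xls", ".xlsx", ".pdf", ".pst"},
                 {"winword.exe", "excel.exe", "outlook.exe", "explorer.exe",
                  "acrord32.exe", "backupclient.exe"}),
    "source":   ({".c", ".h", ".cs", ".java", ".py"},
                 {"devenv.exe", "eclipse.exe", "javaw.exe", "explorer.exe"}),
}
READ_OPERATIONS = {"ReadFile", "CreateFile"}


def file_class(path: str):
    """'document', 'source' or None, by extension (ntpath handles backslashes
    on any platform and ignores dots in directory names)."""
    ext = ntpath.splitext(path)[1].lower()
    for cls, (exts, _) in EXPECTED.items():
        if ext in exts:
            return cls
    return None


def suspicious_accesses(xml_text: str) -> list:
    """(process, path, operation) for reads of critical files by processes
    outside the expected set for that file class."""
    root = ET.fromstring(xml_text)
    hits = []
    for ev in root.iter("event"):
        proc = (ev.findtext("Process_Name") or "").lower()
        op = ev.findtext("Operation") or ""
        path = ev.findtext("Path") or ""
        detail = ev.findtext("Detail") or ""
        cls = file_class(path)
        if cls is None or op not in READ_OPERATIONS:
            continue
        # CreateFile also covers directory listings and writes; only count it
        # when read access was requested.
        if op == "CreateFile" and "Read" not in detail:
            continue
        if proc not in EXPECTED[cls][1]:
            hits.append((proc, path, op))
    return hits


def summarise(hits) -> Counter:
    """Alerts per process, so one rogue binary stands out in a daily report."""
    return Counter(h[0] for h in hits)


# Constructed export in the element layout assumed above.
SAMPLE_XML = """<procmon><eventlist>
<event><Process_Name>WINWORD.EXE</Process_Name><PID>1200</PID><Operation>CreateFile</Operation>
<Path>C:\\Users\\alice\\Documents\\Q4-pricing.docx</Path><Result>SUCCESS</Result>
<Detail>Desired Access: Generic Read, Disposition: Open</Detail></event>
<event><Process_Name>Protector-vvxb.exe</Process_Name><PID>3344</PID><Operation>CreateFile</Operation>
<Path>C:\\Users\\alice\\Documents\\Q4-pricing.docx</Path><Result>SUCCESS</Result>
<Detail>Desired Access: Generic Read, Disposition: Open</Detail></event>
<event><Process_Name>Protector-vvxb.exe</Process_Name><PID>3344</PID><Operation>ReadFile</Operation>
<Path>C:\\Users\\alice\\Documents\\Q4-pricing.docx</Path><Result>SUCCESS</Result>
<Detail>Offset: 0, Length: 65536</Detail></event>
<event><Process_Name>Protector-vvxb.exe</Process_Name><PID>3344</PID><Operation>CreateFile</Operation>
<Path>C:\\Users\\alice\\AppData\\Local\\Microsoft\\Outlook\\alice.pst</Path><Result>SUCCESS</Result>
<Detail>Desired Access: Generic Read, Disposition: Open</Detail></event>
<event><Process_Name>devenv.exe</Process_Name><PID>2100</PID><Operation>ReadFile</Operation>
<Path>C:\\src\\product\\crypto.c</Path><Result>SUCCESS</Result>
<Detail>Offset: 0, Length: 4096</Detail></event>
<event><Process_Name>explorer.exe</Process_Name><PID>900</PID><Operation>CreateFile</Operation>
<Path>C:\\Users\\alice\\Documents</Path><Result>SUCCESS</Result>
<Detail>Desired Access: Read Data/List Directory, Synchronize</Detail></event>
</eventlist></procmon>"""

if __name__ == "__main__":
    found = suspicious_accesses(SAMPLE_XML)
    for hit in found:
        print(*hit)
    print(summarise(found))
```

Deployed on workstations this produces a short list per machine rather than a raw Procmon log, and the expected-reader sets are the part to tune: populate them from a week of normal activity on a few reference machines before turning alerting on, otherwise legitimate but unlisted tools (a PDF viewer, a search indexer) will dominate the output.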

  35. Conclusion • You cannot trust that you can always prevent infections • Thus corporate security and defence in depth is a must • Whenever possible make data difficult for malware to steal • When that fails make data readable only in your environment • Invest in monitoring • When you know the patterns of your valid users • A spy breaking the patterns will be detected

  36. References • [1] http://www.nartv.org/mirror/shadows-in-the-cloud.pdf • [2] https://www.digitalbond.com/2012/06/07/spear-phishing-attempt/ • [3] http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf • [4] http://nakedsecurity.sophos.com/2012/06/20/aeronautical-state-sponsored-exploit/ • [5] http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf • [6] http://www.eset.com/fileadmin/Images/US/Docs/Business/white_Papers/ESET_ACAD_Medre_A_whitepaper.pdf

  37. References • [7] http://www.iamit.org/blog/2012/01/advanced-data-exfiltration/ • [8] http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHat-DC-2010-Percoco-Global-Security-Report-2010-slides.pdf • [9] http://www.kentonborn.com/sites/default/files/data_exfil.pdf • [10] http://www.us-cert.gov/control_systems/pdf/ICS-TIP-12-146-01A.pdf • [11] http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHat-DC-2010-Percoco-Global-Security-Report-2010-slides.pdf • [12] http://en.wikipedia.org/wiki/Rights_Management_Services • [13] http://www.gigatrust.com/desktop_client.shtml • [14] http://www.mydlp.com/
