Security Trends Erik G. Mettala, Ph.D., Vice President, McAfee Research
Outline • Attack trends • Vulnerability trends • Today’s defensive posture • Defensive trends
Network Incidents are Increasing Source: CMU Computer Emergency Response Team Last updated January 22, 2004
Discovered Virus Threats Per Day Source: McAfee AVERT
Machines Infected per Hour at Peak Source: McAfee AVERT
The Speed of Attacks Accelerates: SQL Slammer (January 2003) • Blended threat that exploited a known vulnerability in SQL Server 2000 / MSDE (MS02-039, patched six months earlier) • Payload was a single 404-byte UDP packet (port 1434), so infection needed no connection handshake • Infected population doubled every 8.5 seconds early on • Achieved full scanning rate (over 55 million scans per second) after approximately 3 minutes, at which point network bandwidth, not the worm, became the bottleneck • Infected 90% of vulnerable hosts worldwide within 10 minutes
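The growth figures above follow from a simple epidemic model, and working it through shows why the slide's later point about human response being impossible holds. The following is an added example, not code from the presentation: it implements the random-constant-spread (logistic) model of a uniformly scanning worm. The vulnerable population N_VULN = 75,000 is an assumed round number in the range the public Slammer analyses reported, the 8.5-second doubling time and the 55 million scans/s saturation figure are the slide's own numbers, and the per-host scan rate is derived from the doubling time rather than taken from any source.

```python
"""Random-constant-spread (logistic) model of a uniformly scanning worm.

Added illustration of the SQL Slammer growth figures; not code from the
presentation.  N_VULN is an ASSUMED population size; DOUBLING_S and
AGGREGATE_CAP are the figures quoted on the slide.
"""
import math
from typing import Optional

IPV4_SPACE = 2 ** 32
N_VULN = 75_000            # assumed vulnerable population (MSDE / SQL Server 2000)
DOUBLING_S = 8.5           # early doubling time quoted on the slide
AGGREGATE_CAP = 55e6       # scans/s at which the Internet saturated (slide figure)


def growth_rate_from_doubling(doubling_s: float) -> float:
    """Exponential growth rate r (1/s) implied by a doubling time."""
    return math.log(2) / doubling_s


def scan_rate_from_growth(r: float, n: int) -> float:
    """Per-host scan rate s such that r = s * n / 2**32: early on, each random
    scan hits a vulnerable, not-yet-infected host with probability n / 2**32."""
    return r * IPV4_SPACE / n


def infected_fraction(t: float, r: float, n: int) -> float:
    """Closed-form logistic solution of da/dt = r*a*(1-a) with a(0) = 1/n."""
    return 1.0 / (1.0 + (n - 1) * math.exp(-r * t))


def time_to_fraction(f: float, r: float, n: int) -> float:
    """Seconds until the infected fraction reaches f (inverse of the above)."""
    return math.log((n - 1) * f / (1.0 - f)) / r


def simulate_time_to(f: float, scans_per_host: float, n: int,
                     cap: Optional[float] = None, dt: float = 0.1) -> float:
    """Step the epidemic forward until a fraction f of the n hosts is infected.

    Each second the infected hosts emit min(I*s, cap) scans, and each scan
    lands on a susceptible host with probability (n - I) / 2**32.  With
    cap=None this converges to the closed form; with a cap it shows the
    slowdown once the network, not the worm, limits the scanning rate.
    """
    infected = 1.0
    t = 0.0
    while infected < f * n:
        scans = infected * scans_per_host
        if cap is not None:
            scans = min(scans, cap)
        infected += scans * (n - infected) / IPV4_SPACE * dt
        t += dt
        if t > 3600:       # guard against a parameter set that never saturates
            raise RuntimeError("target fraction not reached within an hour")
    return t


if __name__ == "__main__":
    r = growth_rate_from_doubling(DOUBLING_S)
    s = scan_rate_from_growth(r, N_VULN)
    print(f"growth rate r = {r:.4f}/s, implied per-host scan rate = {s:,.0f} scans/s")
    print(f"closed form: 90% infected after {time_to_fraction(0.9, r, N_VULN):.0f} s")
    print(f"simulated, no cap: {simulate_time_to(0.9, s, N_VULN):.0f} s")
    print(f"simulated, 55M scans/s cap: {simulate_time_to(0.9, s, N_VULN, AGGREGATE_CAP):.0f} s")
```

With these inputs the uncapped model reaches 90% infection in under three minutes; adding the aggregate scan cap stretches that to a little under five, which is the direction of the slide's "full scanning rate after 3 minutes, 90% after 10 minutes" observation (the remaining gap is bandwidth loss and packet drops the model does not represent).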
Intrusion Attack Trends (chart; sources: McAfee AVERT, CMU CERT)
Incident Response Cost is Increasing (chart, in billions) [1] Blaster cost includes the cost of the near-simultaneous Sobig.F virus. Source: NetWorm.org
Threat Evolution: Malicious Code (chart; time axis: early 1990s, mid 1990s, late 1990s, 2000, 2003; reaction-time axis: weeks or months, days, hours, minutes, seconds) • Boot and COM infectors, file viruses, macro viruses (weeks or months): human response possible • E-mail worms, blended threats (days, hours): human response possible • "Warhol" threats (minutes): human response difficult/impossible; automated response possible • "Flash" threats, i.e., Sasser (seconds): human response impossible; automated response unlikely; proactive blocking possible • Conclusion: for the fastest threats human response is impossible and automated response is required, i.e., automated remediation and automated attribution
Threat Impact on Emerging Targets (matrix; targets: Internet Backbone/Broadband, Physical Infrastructure/SCADA, Wireless Infrastructure, Web Services; threat classes from most to least severe) • Flash and Zero-Day Threats: global Internet disruption; impact to power, communications, hydro and other infrastructure; major disruption to multiple networks; major disruption of B2B services (sector-level impact) • Warhol and Zero-Day Threats: short-term/localized Internet disruption; short-term disruption of individual networks • Blended Threats: DDoS; disruption of internetworked SCADA; account theft/corruption, DoS • Targeted Hacking: disruption of targeted infrastructures; data theft/corruption, DoS
Types of Attacks – Types of Defense • Virus → Anti-Virus • Spam → Anti-Spam • Worm → Anti-Virus • DDoS → DDoS Defense • Host Intrusion → Host Intrusion Prevention • Network Intrusion → Network Intrusion Prevention • Phishing → Anti-Phishing
Virus • What is a Virus? A virus is self-replicating code that attaches itself to other programs or files and runs when they run; its payload usually causes an unexpected, negative event. Viruses are often disguised as games or images with clever marketing titles such as "Me, nude." • Viruses propagate through e-mail attachments, by automatic sending to e-mail lists, or through direct propagation techniques • Basic anatomy: propagation; payload • Types: file infecting; metamorphic; polymorphic; memory resident; Exe, Scr, Vb, …; gateway jumping
Spam • What is Spam? Unsolicited "junk" e-mail sent to large numbers of people to promote products or services. • Also refers to inappropriate promotional or commercial postings to discussion groups or bulletin boards. • Types: • Malicious spam: e-mail with adult content, violence, security threats, etc. • Advertising spam: e-mail from legitimate organizations generally trying to sell something, e.g., Amazon.com • Friendly spam: e-mail jokes, chain letters, humorous URL links, etc.
Worm • What is a Worm? A worm is a self-contained program that replicates across a network without needing a host file. Unlike a file virus it typically lives only in the active memory of the computers it infects, and it spreads by sending copies of itself to other computers, e.g., through e-mail, Internet Relay Chat (IRC), or direct exploitation of a network service. • Basic anatomy: payload; transport • Types: zero day; e-mail, mass mailing; memory resident
Trojan Horse • What is a Trojan Horse? A Trojan horse is a malicious program that pretends to be a benign application; it purposefully does something the user does not expect. Trojans are not viruses since they do not replicate, but they can be just as destructive. • Many people use the term to refer only to non-replicating malicious programs, thus making a distinction between Trojans and viruses. • Types: rootkits; backdoors; wooden horses
Network Intrusion • What is a Network Intrusion? A network or system attack by someone attempting to break into or compromise a system, typically by exploiting vulnerabilities in the implementation of network protocols and services. • Types: targeted; mass infector; port probes; DNS spoofing; pcAnywhere pings; TCP OS fingerprinting • Shared systems & networks - ??? • Home LANs, hotels, airports, etc.
Host Intrusion • What is a Host Intrusion? A host intrusion is an attack, typically involving several related mechanisms, that allows an outside, unauthorized user to gain access to your computer, whether a server or desktop. Once access is gained, the outsider has access to all information and services that are otherwise provided only to authorized users or system administrators. • Typical objectives: identity theft, credit card theft, theft of intellectual property • Types: encrypted attacks (SSL, VPN); buffer overflow; operating system service exploitation; web server exploits; database server exploits
Phishing • What is Phishing?Phishing attacks use 'spoofed' e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc. By hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince up to 5% of recipients to respond to them.
Way back in the Summer of '03 • First successful network release of a flash virus (SQL Slammer, January 2003) • Realized a propagation mechanism that had been conjectured in research • Visible compression of the time between vulnerability announcement and exploit release • Systematic, cooperative exploitation of the initial attack
Timeline: W32/LovSan.worm & W32/Nachi.worm • Jul 16: Vulnerability discovered in DCOM RPC; Microsoft posts MS03-026 (RPCSS) • Jul 25: Xfocus (Chinese hacking group) forwards attack source code to public security lists • Jul 29, Jul 31, Aug 2 (the slide does not make the order recoverable): IRC-BBot remote access Trojan uses the RPC vulnerability; unconfirmed incident of the RPC exploit being used to execute a NET SEND spam attack; Downloader-DM Trojan gets media attention • Aug 11: Lovsan worm • Aug 18: Nachi worm (Lovsan killer)
Summer of '04 (Cicada) • Dominated by the Bagle, NetSky and MyDoom viruses • Three groups involved: Russian, German and Polish • Hacker feeding frenzy
War for Bragging Rights, Fueled by Vulnerability Bulletins (chart: Bagle.A, MyDoom.A and NetSky.A releases plotted against a vulnerability bulletin)
War Continues - Only Modified by Release of a New Vulnerability Bulletin (chart: Bagle.A through Bagle.Q, MyDoom.A through MyDoom.Q, NetSky.A through NetSky.Q and Sasser.A releases between Aug 20 [Microsoft Security Bulletin MS03-032], Jan 18 and Apr 13 [Microsoft Security Bulletin MS04-011]; question marks mark unattributed variants)
Internet Storm Center: port 135 traffic over the last 40 days (chart, as of 8/18/03)
Blended Threats • A blended threat is a security attack or threat that uses multiple methods and techniques to propagate an attack • Combine hacking, DoS, and worm-like propagation • Can rapidly compromise millions of machines • Often spread without human interaction • Require multiple layers of protection and response to neutralize
Blended Threat Types • Exploit software vulnerabilities • Email virus • Network virus/worm • Backdoors • Instant Messenger virus • Attack security software • Trojan horses • Network shares • Other digital data threats
Intrusion Threats (diagram) • Bandwidth or flood attacks: ICMP echo request flood; ICMP echo reply flood; UDP flood; TCP SYN flood; TCP SYN/RST flood; TCP data segment flood; combined TCP, UDP and ICMP floods • Protocol attacks: misuse of protocols; misuse of service ports; protocol tunneling; low-bandwidth DoS/DDoS attacks • Logic attacks: DoS based on crafted payloads; buffer overflows; Land attack; Ping of Death; Teardrop • Backdoor intrusions
General Threat Evolution (chart, escalating from the 1990s through 2000 to 2005) • 1st generation viruses, individual DoS, web defacement • E-mail worms, DDoS, credit hacking • Blended threats, limited Warhol threats, worm-driven DDoS, national credit hacking, infrastructure hacking • Flash threats? Massive worm-driven DDoS? Critical infrastructure attacks? • Attacks that significantly shake confidence in the Internet, i.e., phishing and cyber terror attacks
Application Vulnerabilities are Increasing Source: CMU Computer Emergency Response Team Last updated January 22, 2004
Vulnerability Half-life For a critical vulnerability, every 30 days the number of vulnerable systems is reduced by 50% Source: Qualys (www.qualys.com) Last updated May 7, 2004
Vulnerability Lifespan The lifespan of some vulnerabilities is unlimited: a residual population never patches, so the vulnerability never reaches zero Source: Qualys (www.qualys.com) Last updated May 7, 2004
SQL Slammer Vulnerability (chart of the vulnerable population, Feb through Jun 2003)
Vulnerability Timeline: Time from Release to Attack (chart, 1990s through 2003, 2004 and 2005) What if hackers had automated virus generators? Source: McAfee Research Last updated May 7, 2004
Message on Vulnerabilities • Once a vulnerability is discovered • It rarely, if ever, goes away • The vulnerable population decreases over time • But it remains a vector for propagation of new attacks • Time from vulnerability identification to exploit is decreasing • Systematic? Or a coincidental side effect of the web? • Secure software? • Unlikely, given commercial pressures to perform
Defensive Posture • Vulnerability Scanning • Patch Application • Security Policy & Enforcement • Anti-Virus • Anti-Spam • Anti-Phishing • Host Intrusion Prevention • Network Intrusion Prevention
Anti-Virus Posture • Many anti-virus tools available • Can't be on the net without one • Over 80,000 known viruses • Approximately 20,000 in the wild • Far more in the zoo • Key issue is support: the time from virus release to virus signature update publication
Anti-Spam Posture • Integrity analysis • Heuristics • Content filtering • Black lists • White lists • Bayesian filtering • Hybrid Approaches • Key issue is support
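Of the techniques listed, Bayesian filtering is the one whose mechanics are least obvious from the name, so here is an added example (not code from the presentation) in the style of Paul Graham's "A Plan for Spam": per-token spam probabilities learned from labelled mail, the ham counts doubled to bias against false positives, and the verdict formed from the fifteen most extreme tokens. The training corpus is constructed and far too small for real use; the MIN_OCCURRENCES and clamp values are assumptions tuned down for it.

```python
"""Bayesian spam filter, Paul Graham style.  Added example, not from the
presentation.  The training messages are CONSTRUCTED; MIN_OCCURRENCES is
set to 1 only because the corpus is tiny (Graham used 5).
"""
import math
import re
from collections import Counter
from typing import Optional, Set

TOKEN = re.compile(r"[a-z0-9$']+")
MIN_OCCURRENCES = 1      # ignore tokens seen fewer times than this
CLAMP = (0.01, 0.99)     # no single token may decide the verdict outright
INTERESTING = 15         # tokens farthest from 0.5 used for the verdict


def tokens(text: str) -> Set[str]:
    """Lower-cased word set: presence per message, not frequency, is counted."""
    return set(TOKEN.findall(text.lower()))


class BayesFilter:
    def __init__(self) -> None:
        self.spam: Counter = Counter()   # token -> number of spam messages containing it
        self.ham: Counter = Counter()    # token -> number of ham messages containing it
        self.nspam = 0
        self.nham = 0

    def train(self, text: str, is_spam: bool) -> None:
        if is_spam:
            self.spam.update(tokens(text))
            self.nspam += 1
        else:
            self.ham.update(tokens(text))
            self.nham += 1

    def token_prob(self, tok: str) -> Optional[float]:
        """P(spam | token).  Ham occurrences count double (Graham's bias against
        false positives); None when the token is too rare to trust."""
        if self.nspam == 0 or self.nham == 0:
            return None
        b = self.spam[tok]
        g = 2 * self.ham[tok]
        if b + g < MIN_OCCURRENCES:
            return None
        spam_rate = min(1.0, b / self.nspam)
        ham_rate = min(1.0, g / self.nham)
        p = spam_rate / (ham_rate + spam_rate)
        return min(CLAMP[1], max(CLAMP[0], p))

    def score(self, text: str) -> float:
        """Combined spam probability of a message in [0, 1]."""
        probs = [p for t in tokens(text) if (p := self.token_prob(t)) is not None]
        probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
        probs = probs[:INTERESTING]
        if not probs:
            return 0.5
        # prod(p) / (prod(p) + prod(1-p)), done in log space to avoid underflow
        log_s = sum(math.log(p) for p in probs)
        log_h = sum(math.log(1.0 - p) for p in probs)
        return 1.0 / (1.0 + math.exp(log_h - log_s))


# CONSTRUCTED training corpus (assumed labels)
SPAM = [
    "Buy cheap viagra now!!! Click here for free pills",
    "Free money!!! You have won the lottery, click here to claim your prize",
    "Cheap meds, discount viagra, free shipping, click here",
    "Make money fast, work from home, free offer, click now",
]
HAM = [
    "Can we move the security review meeting to Thursday afternoon?",
    "Attached are the patch notes for MS03-026, please apply before the weekend",
    "Lunch tomorrow? The new place near the office",
    "Reminder: the quarterly report is due Friday, thanks",
]


def trained_filter() -> BayesFilter:
    flt = BayesFilter()
    for msg in SPAM:
        flt.train(msg, True)
    for msg in HAM:
        flt.train(msg, False)
    return flt


FILTER = trained_filter()


def classify(text: str, threshold: float = 0.9) -> str:
    """Graham's verdict rule: spam only when the combined score clears threshold."""
    return "spam" if FILTER.score(text) > threshold else "ham"
```

The clamp is what keeps this honest on small corpora: a token seen only in spam gets 0.99 rather than 1.0, so a single word cannot push an otherwise innocent message over the threshold, and the 2x weight on ham counts is the designed-in bias toward letting borderline mail through rather than losing legitimate messages.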
Anti-Phishing Posture • First phishing attacks categorized in November 2003: 7 in the first week, 262 last month • Phishing e-mails, like spam, can be identified and filtered out of inbound e-mail to stop employees from receiving them • Response mechanisms are currently under development
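The Phishing slide describes the attack (spoofed e-mail, a fraudulent site wearing a hijacked brand) and this slide says such mail can be filtered inbound; the checks below are the link-level heuristics that filtering rests on. This is an added example, not code from the presentation. BRAND_HOSTS (a hypothetical brand-to-legitimate-host map) and SAMPLE_EMAIL are constructed, using RFC 2606 example names and RFC 5737 documentation addresses; a real deployment would load the brand map from a maintained list.

```python
"""Link heuristics for inbound phishing filtering.  Added example, not from
the presentation.  BRAND_HOSTS and SAMPLE_EMAIL are CONSTRUCTED.
"""
import ipaddress
import re
from html.parser import HTMLParser
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# hypothetical brand -> hosts that legitimately carry it (assumption)
BRAND_HOSTS: Dict[str, Set[str]] = {"examplebank": {"examplebank.example"}}

# anchor text that looks like a URL or a bare domain name
URLISH = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:          # e.g. a malformed IPv6 literal
        return ""


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def under(host: str, site: str) -> bool:
    """True when host is site itself or a subdomain of it."""
    return host == site or host.endswith("." + site)


def phishing_findings(html: str, brand_hosts: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (code, href) for each suspicious link; an empty list means clean."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if not host:
            continue
        # 1. Bare IP instead of a name: nothing for the reader to verify against.
        if is_ip(host):
            findings.append(("RAW_IP_LINK", href))
        # 2. user@host trick: browsers ignore everything before the '@'.
        if "@" in urlparse(href).netloc:
            findings.append(("USERINFO_IN_URL", href))
        # 3. Visible text names one site while the href goes somewhere else.
        if URLISH.fullmatch(text):
            shown = host_of(text if "://" in text else "http://" + text)
            if shown and shown != host:
                findings.append(("DISPLAY_HOST_MISMATCH", href))
        # 4. Brand name embedded in a host the brand does not control.
        for brand, legit in brand_hosts.items():
            if brand in host and not any(under(host, site) for site in legit):
                findings.append(("BRAND_LOOKALIKE", href))
    return findings


# CONSTRUCTED sample message: two phishing links and one legitimate one
SAMPLE_EMAIL = """<p>Dear customer, your ExampleBank account has been suspended.</p>
<p><a href="http://203.0.113.5/login">https://www.examplebank.example/login</a></p>
<p><a href="http://examplebank.example.attacker.example/verify">Verify now</a></p>
<p><a href="https://www.examplebank.example/help">Help</a></p>"""
```

Each rule is cheap and none is conclusive on its own; in a filter these become features weighted alongside the Bayesian content score, and the brand check in particular only works for brands the deployment has chosen to protect.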
Intrusion Protection Posture • Intrusion detection, signature-based: stateful signature detection; real-time signature updates; user-defined signatures • Intrusion detection, anomaly-based: statistical anomalies; protocol anomalies; application anomalies; buffer overflow detection • Intrusion identification: protocol discovery; protocol tunneling; intrusion direction; insider threat • Intrusion relevancy: selective blocking • Intrusion impact assessment: verification of attack success and impact • Intrusion forensics: capture and analysis, in-process and post-attack
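The logic attacks in the Intrusion Threats list earlier (Land, Teardrop, Ping of Death) and the signature-versus-anomaly split in this posture are concrete enough to code, so the following added example (not code from the presentation) does both over one constructed packet trace: three stateful signatures that need fragment reassembly state, and one statistical anomaly check that learns a per-second SYN baseline and alerts on a spoofed SYN flood. The packet records, addresses (RFC 5737 documentation ranges) and the baseline window length are all assumptions; fragment offsets are given in bytes, already multiplied out from the 8-byte units the IP header uses.

```python
"""Signature- and anomaly-based checks over packet records.
Added example, not from the presentation.  The trace is CONSTRUCTED.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Tuple

MAX_IP_DATAGRAM = 65535      # largest reassembled size an IP datagram may have


@dataclass
class Pkt:
    ts: float
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""          # TCP flags, e.g. "S", "SA", "A"
    ip_id: int = 0
    frag_off: int = 0        # byte offset of this fragment within the datagram
    length: int = 0          # payload bytes carried by this fragment
    more_frags: bool = False


def signature_alerts(pkts: List[Pkt]) -> List[Tuple[str, str]]:
    """Stateful signatures for the logic attacks: Land, Teardrop, Ping of Death."""
    alerts = []
    frags = defaultdict(list)                     # (src, dst, ip_id) -> fragments
    for p in pkts:
        # Land: source and destination socket identical, so the victim
        # talks to itself (a classic 1997 TCP/IP stack bug).
        if p.proto == "tcp" and p.src == p.dst and p.sport == p.dport:
            alerts.append(("LAND", p.src))
        if p.frag_off or p.more_frags:
            frags[(p.src, p.dst, p.ip_id)].append(p)
    for (src, _dst, _ipid), fl in frags.items():
        fl.sort(key=lambda f: f.frag_off)
        end = 0
        for f in fl:
            if f.frag_off < end:                  # Teardrop: overlapping fragment
                alerts.append(("TEARDROP", src))
                break
            end = f.frag_off + f.length
        if end > MAX_IP_DATAGRAM:                 # Ping of Death: oversize reassembly
            alerts.append(("PING_OF_DEATH", src))
    return alerts


def syn_flood_alerts(pkts: List[Pkt], dst: str, learn_s: float = 10.0,
                     min_syns: int = 20) -> List[Tuple[int, int]]:
    """Statistical anomaly: per-second SYN count toward dst against a baseline of
    mean + 3 sigma learned from the first learn_s seconds (floored at min_syns)."""
    per_sec = defaultdict(int)
    for p in pkts:
        if p.proto == "tcp" and p.dst == dst and p.flags == "S":
            per_sec[int(p.ts)] += 1
    if not per_sec:
        return []
    horizon = int(learn_s)
    baseline = [per_sec.get(sec, 0) for sec in range(horizon)]
    threshold = max(min_syns, mean(baseline) + 3 * pstdev(baseline))
    return [(sec, n) for sec, n in sorted(per_sec.items())
            if sec >= horizon and n > threshold]


def sample_traffic() -> List[Pkt]:
    """CONSTRUCTED trace: 10 s of normal SYNs, a SYN flood, then three logic attacks."""
    victim = "192.0.2.10"
    pkts = []
    for sec in range(10):                         # baseline: 3 SYNs/s from known clients
        for i, client in enumerate(("198.51.100.1", "198.51.100.2", "198.51.100.3")):
            pkts.append(Pkt(sec + i * 0.3, client, victim, "tcp", 40000 + sec, 80, "S"))
    for i in range(150):                          # flood: 150 spoofed SYNs inside second 12
        pkts.append(Pkt(12 + i / 150, f"203.0.113.{i % 250 + 1}", victim, "tcp", 1024 + i, 80, "S"))
    pkts.append(Pkt(13.0, victim, victim, "tcp", 139, 139, "S"))            # Land
    pkts.append(Pkt(14.0, "203.0.113.9", victim, "icmp", ip_id=7, frag_off=0, length=1480, more_frags=True))
    pkts.append(Pkt(14.0, "203.0.113.9", victim, "icmp", ip_id=7, frag_off=1000, length=800))    # Teardrop
    pkts.append(Pkt(15.0, "203.0.113.8", victim, "icmp", ip_id=8, frag_off=0, length=1480, more_frags=True))
    pkts.append(Pkt(15.0, "203.0.113.8", victim, "icmp", ip_id=8, frag_off=65120, length=1480))  # Ping of Death
    return pkts


if __name__ == "__main__":
    trace = sample_traffic()
    print(signature_alerts(trace))
    print(syn_flood_alerts(trace, "192.0.2.10"))
```

The two halves fail differently, which is the point of running both: the signatures catch only what they encode (a new logic attack passes untouched), while the baseline check catches the flood without knowing anything about it but would also fire on a legitimate traffic surge, which is where the posture's "intrusion relevancy" and "impact assessment" steps come in.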
Evolving Security Capabilities: Defensive Trends (diagram of research areas: Host Intrusion Prevention; Network Intrusion Prevention; Wireless Intrusion Prevention; Threats, Attacks, Vulnerabilities & Architectures; Malicious Code Defense; Security Policy & Management; High Performance Assurance & Forensics)
Evolving Security Capabilities: Host Intrusion Prevention • Host intrusion prevention • Trusted computing platforms • BSD; Linux; Darwin; OS X • Behavior blocking • Intrusion prediction • Impact assessment, recovery & remediation, and incident management
Evolving Security Capabilities: Network Intrusion Prevention • Network intrusion prevention • Intrusion prediction • Intrusion response & recovery • Forensic traceback and source identification • Scalable, coordinated intrusion management mechanisms • Distributed DDoS protection • Intrusion detection for mobile ad-hoc networks (MANETs)
Evolving Security Capabilities: Wireless Intrusion Prevention (diagram of a GSM base station subsystem: BSS, BSC, BTS, A-bis interface) • Wireless intrusion prevention • Wireless privacy: crypto techniques for the wireless physical & link layers • Wireless intrusion detection: device, access point • Wireless firewall solutions • Wireless intrusion response: low-bandwidth protocols and low-energy techniques; efficient key management
Evolving Security Capabilities: Malicious Code Defense • Malicious code defense • Anti-phishing solutions • Malicious code detection; zero-day worm protection; malware technology & trends; static and dynamic malware analysis • Intrusion tolerance & self-regeneration; self-protecting data technologies • Spam detection & blocking