Explore the evolving landscape of cybersecurity threats, from worms to hacking tools, and strategies to safeguard against new attacks. Delve into risk assessment models, current threats, and emerging challenges in safeguarding confidentiality, integrity, and availability.
Security Holes
• Richard Johnson
• NCAR/UCAR Security Administrator
• WESTNET, June 22-24, 2005

Introduction
• Hacking tools and associated security risks
• Are we protecting against more attacks, or against new threats?
  • New to us
  • Realization of theory

Outline
• Background
  • Thinking and talking about security
• Typical current threats
  • Worms & kiddies
• Waves of the near future, new threats
  • Combined attacks, targeted economic attacks

Background: Risk
• Risk is a function, perhaps non-linear
  • f ( Threat [attacker], Vulnerability [exploit], Asset [target dollar & time value] )
• Assign weights, make a linear approximation, come up with relative measures
  • Or wave hands in a relative way
• Still a long way from actuarial quality
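The slide's risk function and its weighted linear approximation, as an added worked example (not from the talk): the 0-5 scales, the weights, the asset inventory and the helper names (`linear_risk`, `multiplicative_risk`, `relative_scores`, `rank`) are all assumptions. It also goes one step beyond the slide by putting a non-linear (multiplicative) f beside the linear one, so you can see that the relative ranking of assets can change with the choice of model, which is the practical content of "perhaps non-linear".

```python
"""Relative risk scoring in the shape of f(Threat, Vulnerability, Asset).

Added illustration, not from the slides. The 0-5 scales, the weights and
the inventory below are constructed assumptions; tune them per site.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class AssetRisk:
    name: str
    threat: float         # how likely an attacker targets this (0-5)
    vulnerability: float  # how easily it is exploited (0-5)
    asset_value: float    # dollar and time value if lost (0-5)


# Constructed sample inventory (assumed values, not real systems)
INVENTORY: List[AssetRisk] = [
    AssetRisk("public web server", threat=4, vulnerability=3, asset_value=2),
    AssetRisk("payroll database", threat=2, vulnerability=2, asset_value=5),
    AssetRisk("lab workstation", threat=3, vulnerability=5, asset_value=1),
    AssetRisk("build server", threat=2, vulnerability=4, asset_value=4),
]

# Weights for the linear approximation (assumed)
WEIGHTS: Dict[str, float] = {"threat": 0.3, "vulnerability": 0.3, "asset_value": 0.4}


def linear_risk(a: AssetRisk, w: Dict[str, float] = WEIGHTS) -> float:
    """Weighted sum: 'assign weights, make a linear approximation'."""
    return (w["threat"] * a.threat
            + w["vulnerability"] * a.vulnerability
            + w["asset_value"] * a.asset_value)


def multiplicative_risk(a: AssetRisk) -> float:
    """One non-linear alternative: a factor of zero zeroes the risk."""
    return a.threat * a.vulnerability * a.asset_value


def relative_scores(inventory: List[AssetRisk],
                    score_fn: Callable[[AssetRisk], float]) -> Dict[str, float]:
    """Scores normalized to the riskiest asset (1.0), i.e. relative measures."""
    raw = {a.name: score_fn(a) for a in inventory}
    top = max(raw.values()) or 1.0
    return {name: round(s / top, 3) for name, s in raw.items()}


def rank(inventory: List[AssetRisk],
         score_fn: Callable[[AssetRisk], float]) -> List[str]:
    """Asset names from highest to lowest score."""
    return [a.name for a in sorted(inventory, key=score_fn, reverse=True)]


def ranking_is_model_sensitive(inventory: List[AssetRisk]) -> bool:
    """True when the linear and multiplicative models order assets differently:
    a cheap check on how much work the 'linear approximation' is doing."""
    return rank(inventory, linear_risk) != rank(inventory, multiplicative_risk)


if __name__ == "__main__":
    for fn in (linear_risk, multiplicative_risk):
        print(fn.__name__, rank(INVENTORY, fn), relative_scores(INVENTORY, fn))
    print("model-sensitive ranking:", ranking_is_model_sensitive(INVENTORY))
```

With these constructed numbers both models put the build server first, but they disagree on whether the payroll database or the public web server comes second, which is exactly why the slide says the result is a relative measure rather than an actuarial one.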
Background: Threat Models
• What do attackers want?
  • Hosts, credentials, data
• Target of opportunity or target of choice
  • Low-hanging fruit
  • Extensive effort

Background: Vulnerabilities
• Typical vulnerabilities
  • Buffer overflows
  • UI feature design errors
• Code quality typically poor

Background: Security Goals (C I A)
• Confidentiality
  • FERPA, HIPAA, mandatory breach disclosures, privacy law
• Integrity
  • SOX, research results
• Availability
  • Key goal for most institutions
  • Loss of confidentiality and integrity leads to availability loss during cleanup

Current Threats: Overview
• Let’s look at things from the perspective of the threat
• Risk is dependent on site-specific assets
• How we got here
  • Worms
  • Kiddies

Current Threats: Past Predictions
• 1998, Randy Marchany, vt.edu
  • Client trojans will be the next big thing
• 2002, Steve Linford and spamhaus.org volunteers
  • Worm writers in league with spammers
• Perhaps our worries will be as accurate

Current Threats: Worms 1
• Mostly an MS Windows phenomenon. Why?
  • Large population
  • Highly vulnerable population
  • Insanely bad ‘feature’ design, poor engineering choices, poor code quality, sporadic patching
• Vulnerabilities not unique to Windows, but the combination spells disaster

Current Threats: Worms 2
• Typical attacker goals
  • Showing off
  • Botnets (zombies) for spamming, phishing, DDoS extortion
• Typical behavior
  • Promiscuous, opportunistic, spread widely and rapidly

Current Threats: Worms 3
• Prevention
  • Anti-virus, anti-spyware, firewalls, patching, switching OS
• Detection
  • Anti-virus, anti-spyware, IDS, honeypots, user complaints about slowness, external reports
• Cleanup
  • Anti-virus removal tools, spyware removal tools, some reinstallation

Current Threats: Kiddies 1
• Mostly a shell problem on UNIX-like systems. Why?
  • Tradition/culture
  • Available tools, kits
  • Poor administration practices
• Vulnerabilities not unique to UNIX-like systems

Current Threats: Kiddies 2
• Typical attacker goals
  • Showing off
  • Botnets (zombies) for carding, DDoS extortion
• Typical behavior
  • Brute-force credential attempts
  • Attended exploit runs

Current Threats: Kiddies 3
• Prevention
  • Firewalls, patching, hardened credentials (one-time passwords)
• Detection
  • External notification, honeypots, IDS, users notice strange processes, log entry changes
• Cleanup
  • Patching, credential changes, process killing, reinstallation
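The "brute-force credential attempts" on the Kiddies 2 slide are the easiest kiddie behaviour to detect from logs, and the Kiddies 3 slide lists IDS and log review as the detection layer. Added example, not from the talk: a small detector over constructed sshd syslog lines that flags a source which fails a threshold of logins inside a short window, records which accounts it tried, and notes whether a successful login from that same source followed the burst (the case that turns an alert into an incident). The log lines, the host name, the addresses (documentation ranges) and the function names are all constructed.

```python
"""Brute-force login detection over sshd syslog lines.

Added illustration, not from the slides. SAMPLE_LOG is constructed: the host,
users and addresses (RFC 5737 documentation ranges) are not real.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
Jun 22 03:14:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jun 22 03:14:02 host1 sshd[2202]: Failed password for invalid user oracle from 203.0.113.7 port 40113 ssh2
Jun 22 03:14:03 host1 sshd[2203]: Failed password for root from 203.0.113.7 port 40114 ssh2
Jun 22 03:14:04 host1 sshd[2204]: Failed password for invalid user test from 203.0.113.7 port 40115 ssh2
Jun 22 03:14:05 host1 sshd[2205]: Failed password for invalid user guest from 203.0.113.7 port 40116 ssh2
Jun 22 03:14:06 host1 sshd[2206]: Accepted password for rjohnson from 203.0.113.7 port 40117 ssh2
Jun 22 03:20:00 host1 sshd[2301]: Failed password for rjohnson from 198.51.100.5 port 51000 ssh2
Jun 22 03:20:30 host1 sshd[2302]: Accepted password for rjohnson from 198.51.100.5 port 51001 ssh2
"""

# Matches the two OpenSSH password-auth outcomes; other sshd lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

Event = Tuple[datetime, str, str, bool]  # time, source ip, user, accepted?


def parse_events(log_text: str) -> List[Event]:
    """Turn matching log lines into (time, ip, user, accepted) tuples."""
    events: List[Event] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; the default (1900) is fine for deltas
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window_seconds: int = 60) -> List[Dict]:
    """One alert per source that fails `threshold` logins within `window_seconds`.

    success_after_burst is True when the same source later authenticated,
    which is the alert to treat as a probable compromise rather than noise.
    """
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in parse_events(log_text):
        by_ip[ev[1]].append(ev)

    alerts: List[Dict] = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if not e[3]]
        # slide a window of `threshold` consecutive failures along the timeline
        for i in range(len(fails) - threshold + 1):
            burst_end = fails[i + threshold - 1][0]
            if (burst_end - fails[i][0]).total_seconds() <= window_seconds:
                alerts.append({
                    "ip": ip,
                    "failures": len(fails),
                    "users_tried": sorted({e[2] for e in fails}),
                    "success_after_burst": any(e[3] and e[0] >= burst_end for e in evs),
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the constructed log the first source trips the detector (five failures in four seconds, five different accounts, then an accepted login), while the second source's single typo followed by a success is left alone. The threshold and window are the knobs to tune against real sites; a user with a broken saved password can fail more than five times, and a patient attacker can stay under any fixed rate, which is why the slide pairs detection with one-time passwords as the prevention.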
Current Threats: Strange Dichotomy
• Kiddies on UNIX-like systems
  • Mostly attended exploits
• Worms on MS Windows systems
  • Automated exploits
• This is driven by culture, and will change under economic pressure

New Threats: Overview
• What big holes are going to bite us next?
  • Changes in worms
  • Changes in kiddie behavior
  • Combined arms

New Threats: Worms 1
• Short-order botnets
  • Creating botnets to order rather than renting portions of larger nets
• Adaptation to avoid notice by...
  • Anti-virus companies
  • ISPs hosting binary repositories

New Threats: Worms 2
• Infectors modified from toolkits to avoid anti-virus signatures
• Infects only in specified nets or domains
• Infects only up to the number of desired zombies (1k, 5k, 10k, ...)
• Infectors less likely to be noticed and added to anti-virus signature databases
• Auxiliary payload sites less likely to be noticed and shut down

New Threats: Worms 3
• Prevention
  • Anti-virus, anti-spyware, firewalls, patching, switching OS
• Detection
  • Anti-virus, anti-spyware, IDS, honeypots, user complaints about slowness, external reports, traffic anomaly flagging
• Cleanup
  • Anti-virus removal tools, spyware removal tools, reinstallation
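"Traffic anomaly flagging" is the one detection item on this slide that does not depend on a signature, which matters once infectors are modified to dodge anti-virus, and the closing slide calls out anomaly detection in flows as where detection is heading. Added example, not from the talk: a detector over constructed NetFlow-style records that flags a source opening many tiny flows to distinct destinations on one port inside a short window, the traffic shape of the "promiscuous, spread widely and rapidly" behaviour on the Worms 2 slide. The records, the addresses (private and documentation ranges), the thresholds and the function name `fanout_alerts` are all constructed.

```python
"""Flag promiscuous fan-out in flow records: one source opening tiny flows to
many distinct destinations on one port inside a short window, the traffic
shape of a worm spreading (or a scanner).  Added illustration, not from the
slides.  The flow records are constructed; addresses are private and
documentation ranges, not real hosts.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Flow = Tuple[str, str, str, int, int]  # start time (ISO), src, dst, dport, bytes

SAMPLE_FLOWS: List[Flow] = [
    # a normal workstation: a few real sessions that carry payload
    ("2005-06-22T10:00:00", "10.0.0.5", "10.0.0.10", 445, 18231),
    ("2005-06-22T10:00:04", "10.0.0.5", "10.0.0.11", 445, 9020),
    ("2005-06-22T10:00:30", "10.0.0.5", "192.0.2.80", 80, 41200),
]
# an infected workstation: one connection attempt to each host in 10.0.1.0/24,
# a SYN and little else, all within fifteen seconds (constructed)
SAMPLE_FLOWS += [
    (f"2005-06-22T10:01:{i:02d}", "10.0.0.23", f"10.0.1.{i}", 445, 48)
    for i in range(1, 16)
]


def fanout_alerts(flows: List[Flow],
                  window: timedelta = timedelta(seconds=60),
                  min_distinct: int = 10,
                  max_bytes: int = 200) -> List[Dict]:
    """One alert per (src, dport) whose tiny flows (<= max_bytes) reach at
    least min_distinct distinct destinations within any window of `window`."""
    by_key: Dict[Tuple[str, int], List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        if nbytes <= max_bytes:              # only empty/failed connections count
            by_key[(src, dport)].append((datetime.fromisoformat(ts), dst))

    alerts: List[Dict] = []
    for (src, dport), recs in by_key.items():
        recs.sort()                          # by start time
        for i, (start, _) in enumerate(recs):
            end = start + window
            in_window = {dst for ts, dst in recs[i:] if ts <= end}
            if len(in_window) >= min_distinct:
                alerts.append({"src": src, "dport": dport,
                               "distinct_dsts": len(in_window),
                               "window_start": start.isoformat()})
                break                        # one alert per source/port
    return alerts


if __name__ == "__main__":
    for alert in fanout_alerts(SAMPLE_FLOWS):
        print(alert)
```

The byte cap is what separates a spreading worm from a busy file server: real sessions carry payload, connection attempts to hosts that are absent or filtered do not. Baseline the thresholds per site, since a legitimate management host or a vulnerability scanner will look the same to this rule and needs an allow-list. The same fan-out pattern is what users report as "the network is slow" on the detection line above, so the flow alert and the help-desk ticket usually point at the same machine.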
New Threats: Worms 4
• Recent example of this technique change
  • UK NISCC warning about systematic targeting of UK government and commercial systems

New Threats: Kiddies 1
• Kiddies growing up, getting jobs
  • Geosci/supercomputer compromises
  • Israeli commercial espionage

New Threats: Kiddies 2
• Geosci/supercomputer compromises
• Goals
  • Hosts & credentials for further attacks
  • Noisy attacks as lottery & diversion
• Training
  • Organized crime “East of Prague” feeding exploits and techniques

Current Threats: Kiddies 4
• Israeli commercial espionage case
  • Israeli private detective agencies hired a cracker in London to compromise competitors of their clients
  • Targeted attacks against specific MS Windows machines
  • Specifically delivered trojan with social engineering to encourage install

Current Threats: Kiddies 5
• Uncovering the commercial espionage ring
  • Trojan’s author used it to compromise the machine of his ex-father-in-law, a famous author
  • Trojan’s author left a money trail to data dump and auxiliary payload sites
  • Without those kiddie tradecraft mistakes (personal involvement, money trail), this case would not have been broken

Current Threats: Combined Arms 1
• Breaking the dichotomy between kiddies and worms
• Goals
  • Showing off
  • Espionage
  • Economic disruption

Current Threats: Combined Arms 2
• Specifically designed trojans
  • Content from target, “porn” or “payroll” hooks, target primed for delivery of a presentation
• Covert channels for communication
• Pivot APIs for control through multiple covert hops on varied architectures

Current Threats: Combined Arms 3
• Interesting “new” techniques
  • Drivers are not as well audited as the rest of the OSes are yet
  • Firewire DMA
  • USB false registration

Current Threats: Combined Arms 4
• Demonstration of chem plant toxic release
  • Plant has corporate net with firewall between it and the Internet
  • Plant has separate process control net, not connected to corporate net or Internet
  • Goal: seize control workstations, and release toxic gas into city to force evacuation

Current Threats: Combined Arms 4
• How it was engineered
  • Web search used to find corporate MS Office docs
  • Copy of legit presentation trojaned with embedded web scripts to run in unrestricted local context (exploit of a misfeature)
  • Trojan emailed “from” boss to subordinate with request for review

Current Threats: Combined Arms 5
• How it was engineered, cont.
  • Trojan compromises user’s workstation, calls out over an encrypted covert channel (slack created at end of some packets, etc.)
  • Attacker pivots through workstation to compromise user’s account on domain controller
  • Then pivots to database server, and compromises it via stored procedure hole

Current Threats: Combined Arms 6
• How it was engineered, cont.
  • Oracle licenses are expensive
  • Database server has connections to process control net as well as corp. net
  • Process control workstations are not patched, and fall to direct network exploits
  • Boom.

New Threats: Summary
• Worms becoming less promiscuous
  • Limits anti-virus effectiveness
• Attackers increasingly motivated financially
  • Market is maturing, labor specializing, techniques are percolating down
• Increasing confluence of techniques for combined attacks

Moving Onwards
• Software quality won’t improve
• Attackers will continue to diversify
• Detection will increasingly be a matter of
  • Anomaly detection in flows, traffic content
  • Counterintelligence including honeypots
• Cleanup will increasingly involve rebuilds