Alert Logic Cloud Security Summit

Upload: alert-logic

Post on 08-Jun-2015


DESCRIPTION

Key findings from the Alert Logic Spring 2014 Cloud Security Report and Cloud Security Best Practices

TRANSCRIPT

Page 1: Alert Logic Cloud Security Summit

Alert Logic Cloud Security Summit

Page 2: Alert Logic Cloud Security Summit

Agenda

• Key Findings: Cloud Security Report, Spring 2014
  • Alert Logic Customer Data
  • Honeypot Research
• Cloud Security Best Practices
  • What is Cloud Security
  • Top 7 Recommendations
  • Questions for your Service Provider
• Insights from the Real World
• Q&A

Page 3: Alert Logic Cloud Security Summit

Deliver Superior Security & Compliance Outcomes for IT Infrastructure, from the Data Center to the Cloud, through Security-as-a-Service

Page 4: Alert Logic Cloud Security Summit

Key Findings: Cloud Security Report, Spring 2014

Page 5: Alert Logic Cloud Security Summit

Cloud Environments 101

Page 6: Alert Logic Cloud Security Summit

Cloud Adoption is Gaining Momentum

• Cloud market revenue will increase at a 36% annual rate
• Analysts expect AWS revenues to hit $6 - $10 billion in 2014
• Microsoft Azure reached $1 billion in Q4 2013
• Oracle Cloud bookings increased by 35% in 2013
• Gartner predicts 60% of banking institutions will migrate to the cloud
• Healthcare is expected to adopt cloud computing at a 21% year over year rate through 2017
• VDI (Desktop as a Service) market reached $13.4 billion in 2013

Page 7: Alert Logic Cloud Security Summit

Cloud Security Report Methodology

• Cloud threat data collected since 2011
• Real world incident data direct from customer environments
• No surveys or lab environments
• Honeypot data collected from the AL Global HoneyNet
• Patented correlation engine
  • Incident Occurrence
  • Incident Frequency
  • Threat Diversity
• GIAC-certified SOC analysts review each incident
• Constantly refining threat content
  • Custom content
  • 3rd party content
• 80% Service Providers / 20% On-Premise

Page 8: Alert Logic Cloud Security Summit

Threats in the Cloud are Increasing With Adoption

• Increase in attack frequency

• Traditional on-premises threats are now moving to the cloud

• Majority of cloud incidents were related to web application attacks, brute force attacks, and vulnerability scans

• Brute force attacks and vulnerability scans are now occurring at near-equivalent rates in both cloud and on-premises environments

• Malware/Botnet is increasing year over year

Page 9: Alert Logic Cloud Security Summit

Cloud Attacks With the Biggest Change

• Cloud environments saw significant increases with brute force attacks climbing from 30% to 44% of customers, and vulnerability scans increasing from 27% to 44%

• Malware/botnet attacks, historically the most common attacks in the on-premises datacenter, are on the rise in CHP environments

Page 10: Alert Logic Cloud Security Summit

Why Honeypots

• Honeypots give us a unique data set
• Simulates vulnerable systems without the risk of real data loss
• Gives the ability to collect intelligence from malicious attackers
• Allows for collection of various different attacks based on system
• Helps identify what industry specific targets are out there

Page 11: Alert Logic Cloud Security Summit

Honeypot Locations

Page 12: Alert Logic Cloud Security Summit

Honeypot Designs

• The honeypot data cited was gathered using
  • Low-interaction – Simulates high level services
  • Medium Interaction – Delivers form pages and collects keystrokes
  • SCADA – Simulates a SCADA (Supervisory Control And Data Acquisition) system
  • Web application software that emulates a vulnerable OS and application
• Fictitious business domains have been created to redirect traffic to what would be considered a legitimate business
• These particular honeypots monitored connections to common ports and gathered statistics on IP, country, and malware, if submitted

Page 13: Alert Logic Cloud Security Summit

Honeypot Findings

• Attacks directed at CHPs have increased significantly
• Web attacks and vulnerability scans remain the frontrunners of CHP attack types
• Underscores the importance of a diversified security solution to meet the changing needs of cloud infrastructure

[Chart: honeypot attacks by targeted service: HTTP, MySQL, MS-SQL Server, MS-DS Service, RPC, FTP]

Page 14: Alert Logic Cloud Security Summit

What are the Honeypots telling us? - Europe

[Chart: attacks by targeted service: MS-DS Service, HTTP, MySQL, MS-SQL Server, RPC, FTP]

[Chart: attack sources by country: Russia, Bulgaria, Venezuela, Hungary, Brazil, unclassified, United States, China, Canada]

[Chart: malware submitted to honeypots: Mal/Conficker-A, W32/Confick-O, W32/Confick-F, Troj/Agent-UOB, No Detection, Mal/PWS-JJ]

Page 15: Alert Logic Cloud Security Summit

What are the Honeypots telling us? - US

[Chart: attacks by targeted service: MS-SQL Server, MySQL, HTTP, MS-DS Service, RPC, FTP]

[Chart: malware submitted to honeypots: Mal/Conficker-A, Troj/Agent-UOB, W32/Confick-O, Mal/Spy-Y, W32/Confick-C, Troj/Dload-IK]

[Chart: attack sources by country: China, United States, India, Russia, Korea, Romania, Vietnam, Brazil, Other]

Page 16: Alert Logic Cloud Security Summit

What are the Honeypots telling us? - Asia

[Chart: attacks by targeted service: HTTP, MySQL, MS-SQL Server, MS-DS Service, RPC, FTP]

[Chart: attack sources by country: United States, Japan, China, Vietnam, Netherlands, Argentina]

[Chart: malware submitted to honeypots: Mal/Conficker-A, Troj/Agent-UOB, W32/Confick-C, W32/Confick-D, W32/Confick-O]

Page 17: Alert Logic Cloud Security Summit

Cloud Security Best Practices

Page 18: Alert Logic Cloud Security Summit

Security in the Cloud is a Shared Responsibility

Customer Responsibility

• Apps
  • Secure coding and best practices
  • Software and virtual patching
  • Configuration management
  • Access management
  • Application level attack monitoring
• Hosts
  • Access management
  • Patch management
  • Configuration hardening
  • Security monitoring
  • Log analysis
• Networks
  • Network threat detection
  • Security monitoring

Cloud Service Provider Responsibility

• Hosts
  • Hardened hypervisor
  • System image library
  • Root access for customer
• Foundation Services (Compute, Storage, DB, Network)
  • Logical network segmentation
  • Perimeter security services
  • External DDoS, spoofing, and scanning prevented

Page 19: Alert Logic Cloud Security Summit

Seven Best Practices of Cloud Security

1. Secure your code
2. Create access management policies
3. Adopt a patch management approach
4. Review logs regularly
5. Build a security toolkit
6. Stay informed of the latest vulnerabilities that may affect you
7. Understand your cloud service provider's security model

Page 20: Alert Logic Cloud Security Summit

Secure Your Code

• Test inputs that are open to the Internet
• Add delays to your code to confuse bots
• Use encryption when you can
• Test libraries
• Scan plugins
• Scan your code after every update
• Limit privileges
• Stay informed

Page 21: Alert Logic Cloud Security Summit

Without Secure Coding

WordPress: 162,000 sites used for a distributed denial of service attack

• Pingback enabled sites can be used in DDoS
  • Trackback
  • Pingbacks
  • Remote access via mobile devices
• Random query of “?4137049=643182” bypasses cache and forces full page reloads
• Requests originated from legitimate sites
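The cache-bypass query shown on this slide is easy to spot in web server logs. The following detector is an added example, not part of the original presentation: it parses constructed Common Log Format lines and flags requests whose entire query string is a single numeric key=value pair, the shape of the “?4137049=643182” request described above.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Constructed detector for the cache-busting request the slide describes: a
 * request whose whole query string is one random numeric pair such as
 * "?4137049=643182". Sample log lines below are constructed, not real data. */

/* True when q[0..len) is exactly "<digits>=<digits>". */
static bool is_numeric_pair(const char *q, size_t len)
{
    size_t i = 0, j;
    while (i < len && isdigit((unsigned char)q[i])) i++;
    if (i == 0 || i >= len || q[i] != '=') return false;
    j = ++i;
    while (i < len && isdigit((unsigned char)q[i])) i++;
    return i > j && i == len;
}

/* Parses the request target out of a Common Log Format line
 * ('... "GET /path?query HTTP/1.0" ...') and classifies its query string. */
bool is_cache_bypass_request(const char *line)
{
    const char *open = strchr(line, '"');
    if (!open) return false;
    const char *target = strchr(open + 1, ' ');      /* skip the method */
    if (!target) return false;
    target++;
    const char *end = strchr(target, ' ');           /* before "HTTP/x.y" */
    if (!end) return false;
    const char *qm = memchr(target, '?', (size_t)(end - target));
    if (!qm) return false;
    return is_numeric_pair(qm + 1, (size_t)(end - qm - 1));
}

/* Counts suspect requests in a batch; a burst of them from many distinct
 * source addresses is the reflected-DDoS pattern the slide describes. */
int count_cache_bypass_requests(const char *const *lines, int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++)
        if (is_cache_bypass_request(lines[i])) hits++;
    return hits;
}

/* Constructed sample: two reflected pingback hits and two ordinary requests. */
const char *const SAMPLE_LOG[] = {
    "203.0.113.5 - - [10/Mar/2014:10:00:01 +0000] \"GET /?4137049=643182 HTTP/1.0\" 200 51233",
    "198.51.100.9 - - [10/Mar/2014:10:00:01 +0000] \"GET /?9920014=18273 HTTP/1.0\" 200 51233",
    "192.0.2.44 - - [10/Mar/2014:10:00:02 +0000] \"GET /about/?page=2 HTTP/1.1\" 200 8124",
    "192.0.2.45 - - [10/Mar/2014:10:00:03 +0000] \"GET /wp-login.php HTTP/1.1\" 200 3011",
};
const int SAMPLE_LOG_COUNT = 4;
```

A single hit is not conclusive on its own; the signal is many such requests arriving from many distinct legitimate-looking sources in a short window, which is when a cache rule or rate limit on this query shape pays off.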

Page 22: Alert Logic Cloud Security Summit

Without Secure Coding

• A total of 66 different WordPress plugins were targeted, out of which 8 received the lion's share of attacks

• TimThumb is a simple, flexible, PHP script that resizes images. You give it a bunch of parameters, and it spits out a thumbnail image that you can display on your site.

• Looking at the type of vulnerabilities that hackers were trying to exploit, we saw a clear preference for Remote File Inclusion vulnerabilities, which accounted for 96% of all vulnerability types

Page 23: Alert Logic Cloud Security Summit

Access Management Risks

• Customer A contracts web development to a third party
• Creates access to the OS and web application for the contractor
• 6 month contract for services
• Work completed on schedule and under budget
• Customer A does not pay the contractor in a timely fashion
• Contractor probes site and tests access
• Customer A did not remove admin access rights granted to the contractor
• Contractor removes all work done and disables customer site
• Customer calls provider to complain
• Provider states that access rights are the customer's responsibility

Page 24: Alert Logic Cloud Security Summit

Create Access Management Policies

• Identify data infrastructure that requires access
• Define roles and responsibilities
• Simplify access controls (KISS)
• Continually audit access
• Start with a least privilege access model

Page 25: Alert Logic Cloud Security Summit

Adopt a Patch Management Approach

• Inventory all production systems
• Devise a plan for standardization, if possible
• Compare reported vulnerabilities to production infrastructure
• Classify the risk based on vulnerability and likelihood
• Test patches before you release into production
• Set up a regular patching schedule
• Keep informed, follow Bugtraq
• Follow an SDLC

Page 26: Alert Logic Cloud Security Summit

Log Review Scenarios

• Monitoring for malicious activity
• Forensic investigations
• Compliance needs
• System performance

Page 27: Alert Logic Cloud Security Summit

Review Logs Regularly

• All sources of log data are collected
• Data types (Windows, Syslog)
• Review process
• Live monitoring
• Correlation logic

Page 28: Alert Logic Cloud Security Summit

Build a Security Toolkit

• Recommended Security Solutions
  • Antivirus
  • Intrusion Detection System
  • Malware Detection
  • Web Application Firewalls

Page 29: Alert Logic Cloud Security Summit

Understand Your Cloud Service Provider's Security Model

• Review of Service Provider Responsibilities
• Hypervisor Example
• Questions to use when evaluating cloud service providers

Page 30: Alert Logic Cloud Security Summit

A Look at Service Provider Responsibilities

Cloud Service Provider Responsibility

• Hosts
  • Hardened hypervisor
  • System image library
  • Root access for customer
• Foundation Services (Compute, Storage, DB, Network)
  • Logical network segmentation
  • Perimeter security services
  • External DDoS, spoofing, and scanning prevented

Customer Responsibility

• Apps
  • Secure coding and best practices
  • Software and virtual patching
  • Configuration management
  • Access management
  • Application level attack monitoring
• Hosts
  • Access management
  • Patch management
  • Configuration hardening
  • Security monitoring
  • Log analysis
• Networks
  • Network threat detection
  • Security monitoring

Page 31: Alert Logic Cloud Security Summit

Secure Cloud Architecture

Page 32: Alert Logic Cloud Security Summit

Cloud Server Architecture

• VM Servers are designed so that the hypervisor (or monitor, or Virtual Machine Manager) is the only fully privileged entity in the system, and has an extremely small footprint.

• It controls only the most basic resources of the system, including CPU and memory usage, privilege checks, and hardware interrupts

Page 33: Alert Logic Cloud Security Summit

How the Hypervisor functions

• In this model the processor provides 4 levels, also known as rings, arranged in a hierarchical fashion from Ring 0 to Ring 3. Only 0, 1 and 3 have privilege; some kernel designs demote certain privileged components to ring 2

• The operating system runs in ring 0 with the operating system kernel controlling access to the underlying hardware

• To assist virtualization, VT and Pacifica insert a new privilege level beneath Ring 0. Both add nine new machine code instructions that only work at "Ring -1," intended to be used by the hypervisor

Page 34: Alert Logic Cloud Security Summit

Exploitation of the Hypervisor – CVE-2014-1666

• The PHYSDEVOP_{prepare,release}_msix operations are supposed to be restricted to dom0, since they allow access to the host and to other VMs controlled by the host, but the necessary privilege level check was missing
• Two different functions were added to Xen in physdevop to manage resources for allocation and deallocation of MSI-X devices
• This can easily result in malicious or misbehaving unprivileged guests causing the host or other guests to malfunction, which can result in a host-wide denial of service of all the VMs and the host itself
• In physdev.c the attacker has a function:
  ret_t do_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
• The command is dispatched through switch/case values, which lead us to:

Page 35: Alert Logic Cloud Security Summit

Exploitation of the Hypervisor – CVE-2014-1666

• Knowing the attacker has seg, bus, and devfn, these are now being passed to pci_prepare_msix, shown in Figure 1
• The attacker first has to pass the pos check for pci_find_cap_offset. If there's nothing there then they have to pass the pci_get_pdev check

[Figure 1: code listing of pci_prepare_msix, with callout "Check out pci_find_cap_offset"]

Page 36: Alert Logic Cloud Security Summit

Exploitation of the Hypervisor – CVE-2014-1666

• An interesting function called pci_conf_read16 shows the attacker he now has flow control
• Now the decision becomes: how do I use control to do something useful?
• This is used for low-level function calls for writing and reading directly to physical device ports
• These functions will actually lead to inb/outb calls
• To achieve this the attacker has to make sure to follow the rules to reach x function
• The attacker now has the ability to interact with some lower level device I/O with controllable arguments
• Scoping information for privilege escalation would be quite difficult, but surely interesting as you do have access to privileged device I/O
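The root cause across these three slides is a hypercall dispatcher that hands guest-controlled seg/bus/devfn values to a dom0-only operation without first asking who is calling. The model below is an added example, not Xen's code and not from the original presentation: the command constants, the domain and device structs, the stand-in for pci_prepare_msix and the return codes are all assumptions chosen to show the vulnerable dispatcher next to the fixed one, where the privilege check runs before any argument is used.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the CVE-2014-1666 bug class: a hypercall dispatcher that
 * forwards guest-supplied PCI coordinates to a dom0-only operation. Names,
 * structs and return codes are assumptions for illustration, not Xen's code. */

enum { PHYSDEVOP_PREPARE_MSIX = 1, PHYSDEVOP_RELEASE_MSIX = 2 };
struct domain { bool is_privileged; };                   /* true only for dom0 */
struct physdev_pci_device { uint16_t seg; uint8_t bus; uint8_t devfn; };
typedef int (*dispatch_fn)(const struct domain *, int, const struct physdev_pci_device *);

/* Stand-in for pci_prepare_msix(): records the BDF it was asked to touch so a
 * caller can observe whether the privileged path actually ran. */
static int last_prepared_bdf = -1;
static int model_pci_prepare_msix(const struct physdev_pci_device *dev)
{
    last_prepared_bdf = ((int)dev->seg << 16) | ((int)dev->bus << 8) | dev->devfn;
    return 0;
}

/* Vulnerable dispatcher: the MSI-X cases never look at who is calling. */
int do_physdev_op_vulnerable(const struct domain *caller, int cmd, const struct physdev_pci_device *arg)
{
    (void)caller;                                   /* never consulted: the bug */
    switch (cmd) {
    case PHYSDEVOP_PREPARE_MSIX: case PHYSDEVOP_RELEASE_MSIX:
        return model_pci_prepare_msix(arg);
    default: return -ENOSYS;
    }
}

/* Fixed dispatcher: privilege is checked before the argument is used at all. */
int do_physdev_op_fixed(const struct domain *caller, int cmd, const struct physdev_pci_device *arg)
{
    switch (cmd) {
    case PHYSDEVOP_PREPARE_MSIX: case PHYSDEVOP_RELEASE_MSIX:
        if (!caller->is_privileged)
            return -EPERM;                          /* an unprivileged domU stops here */
        return model_pci_prepare_msix(arg);
    default: return -ENOSYS;
    }
}

/* Runs one command as a privileged or unprivileged domain and returns the
 * dispatcher's result; device_path_ran() reports whether the device path ran. */
int call_physdev_op(dispatch_fn op, bool privileged, int cmd)
{
    const struct domain d = { .is_privileged = privileged };
    const struct physdev_pci_device dev = { .seg = 0, .bus = 3, .devfn = 0x10 };
    last_prepared_bdf = -1;
    return op(&d, cmd, &dev);
}
bool device_path_ran(void) { return last_prepared_bdf != -1; }
```

The ordering matters as much as the check itself: placing the privilege test ahead of any lookup keyed on guest data is what keeps an unprivileged guest from reaching pci_find_cap_offset, pci_get_pdev and the device I/O the later slides walk through.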

Page 37: Alert Logic Cloud Security Summit

Additional vulnerabilities – CVE-2014-1896

• libvchan (a library for inter-domain communication) does not correctly handle unusual or malicious contents in the xenstore ring. A malicious guest can exploit this to cause a libvchan-using facility to read or write past the end of the ring.

• libvchan-using facilities are vulnerable to denial of service and perhaps privilege escalation.

• All versions of libvchan are vulnerable

• Applying the appropriate attached patch resolves this issue.

• After the patch is applied to the Xen tree, any software which is statically linked against libvchan will need to be relinked against the new libvchan.a for the fix to take effect

• xsa86.patch Xen 4.2.x, 4.3.x, 4.4-RC series, and xen-unstable

• External reference:

• http://seclists.org/oss-sec/2014/q1/264

• https://bugzilla.redhat.com/show_bug.cgi?id=1062331

Page 38: Alert Logic Cloud Security Summit

New and emerging threats targeting the Hypervisor

• Exploitation of a critical memory corruption
• Affects systems with Intel CPU hardware
• Allows a Guest to Host escape
  • Execute arbitrary code on the host
  • Privileged domain permissions (“dom0”)
  • Direct access to hardware
  • Manages unprivileged domains (“domU”)
• Vulnerability exists in all virtual platforms using Intel architecture
• Patch has been deployed

Page 39: Alert Logic Cloud Security Summit

Memory corruption of the Hypervisor – CVE-2012-0217

• Critical memory corruption vulnerability affecting the Xen hypervisor, discovered by Rafal Wojtczuk and Jan Beulich in late 2012
• A local attacker within a guest virtual machine will be able to escape his restricted virtual environment and execute arbitrary code on the host system with the permissions of the most privileged domain ("dom0"), which has direct access to hardware and can manage unprivileged domains ("domU")

Page 40: Alert Logic Cloud Security Summit

Questions to ask your Service Provider

1. What is the data encryption strategy and how is it implemented?

2. What is the hypervisor and provider infrastructure patching schedule?

3. What is the drive wiping standard used for recycled instances?

4. How does your provider support your implementation of endpoint security?

5. How do you isolate and safeguard my data from other customers?

6. How is user access monitored, modified and documented?

7. Regulatory requirements – PCI, SOX, SSAE16?

8. What is the provider’s back-up and disaster recovery strategy?

9. What visibility will the provider offer your organization into security processes and events affecting your data from both front and backend of your instance?

10. How does the provider ensure that legal actions taken against other tenants will not affect the privacy of your data?

Page 41: Alert Logic Cloud Security Summit

What should you take away from this session

• Cloud adoption is on the rise
• Attacks are growing with further cloud adoption
• Organizations need to be prepared for new security challenges in the cloud
• Work closely with your cloud service provider
• Keep informed of current vulnerabilities
• Have a least privilege access model

Page 42: Alert Logic Cloud Security Summit

Real World Insights

Page 43: Alert Logic Cloud Security Summit

Q&A

Page 44: Alert Logic Cloud Security Summit

Background on Alert Logic

Page 45: Alert Logic Cloud Security Summit

Alert Logic: The Past Four Years...

Revenue run rate: $11M (2010) to $52M (2014)

Alert Logic is one of the fastest growing security vendors in the industry

Page 46: Alert Logic Cloud Security Summit

Over 2,500 Organizations Worldwide Trust Alert Logic

• 250,000 devices managed
• 2.8 Petabytes of log data under management
• 8.2 Million security events correlated per day
• 40,000 incidents identified and reviewed per month

Page 47: Alert Logic Cloud Security Summit

Recognized as Leading Cloud Security and Compliance Provider

Named Cool Vendor in Security Services 2013

Page 48: Alert Logic Cloud Security Summit

Integrated Solutions Drive Better Security and Compliance

Coverage: Applications, Systems, Networks

Products
• Delivered through an integrated security as a service solution
• Specifically designed for applications and infrastructure
• Easy, flexible deployment options for any environment

Automated Analysis
• Multi-factor correlation for fast, accurate results
• Dynamic security intelligence including third party feeds
• Content updated regularly across all solutions

People & Process
• 24 x 7 coverage from certified experts
• Multi-disciplined, highly specialized team
• Effective response via repeatable engagement process

Page 49: Alert Logic Cloud Security Summit

Appendix

Page 50: Alert Logic Cloud Security Summit

Links to additional data

• http://www.vupen.com/blog/20120904.Advanced_Exploitation_of_Xen_Sysret_VM_Escape_CVE-2012-0217.php
• https://bugzilla.redhat.com/show_bug.cgi?id=1062326
• https://bugzilla.redhat.com/show_bug.cgi?id=1062329
• https://bugzilla.redhat.com/show_bug.cgi?id=1062331
• https://bugzilla.redhat.com/show_bug.cgi?id=1058395
• http://blog.xen.org/index.php/2012/06/13/the-intel-sysret-privilege-escalation/
• https://www.alertlogic.com/resources/cloud-security-report/
• http://seclists.org/oss-sec/2014/q1/264