Mining Attackers' Mind
DESCRIPTION
Think like an attacker and take a proactive approach to security
TRANSCRIPT
© Copyright 2014 Cyberoam Technologies Pvt. Ltd. All Rights Reserved. www.cyberoam.com
Our Products
Network Security Appliances - UTM, NGFW (Hardware & Virtual)
Modem Router Integrated Security appliance
Presenter: Cyberoam
Mining Attackers' Mind
Agenda
• Innovative technologies impacting complexity in security
• Challenges to IT security administrators and gaps in security infrastructure
• Changing motivation of cyber criminals and evolving threat engineering
• Hacking into the mind of today's cyber criminal
Innovative technology changes everything
Social business
1 billion mobile workers
1 trillion Connected objects
Bring your own IT
Cloud and virtualization
Innovative technology changes everything
… that requires a new approach
• People: Employees, Hackers, Outsourcers, Suppliers, Consultants, Terrorists, Customers
• Data: Structured, Unstructured, At rest, In motion
• Applications: Systems applications, Web applications, Web 2.0, Mobile applications
• Infrastructure: Datacenters, PCs, Laptops, Mobile, Cloud, Non-traditional
Administrators' approach
• Most spend 50% of their security budgets on reactive tools and resources
• No actionable information or outcome analysis on how an attack can happen
• Security infrastructure has gaps: Endpoint Suites, Network UTM, Application Security, Vulnerability Management
Engineering for Attacks
2,641,350 security attacks: the number the average company faces per week
If you think you are safe, think again
Source: IBM X-Force® Research and Development
Attacker profile chart: sophistication (Script-Kiddy, Undergraduate, Expert, Specialist) plotted against motivation (Curiosity, Personal Fame, Personal Gain, National Interest); profiles shown: Vandal, Thief, Spy, Trespasser, Author
Motivations and sophistication are rapidly evolving
Motivation: actor (example)
• Monetary gain: organized crime (Zeus)
• Espionage, activism: competitors and hacktivists (Aurora)
• National security: nation-state actors (Stuxnet)
• Revenge, curiosity: insiders and script-kiddies (Code Red)
Thinking like an attacker
• Plan
• Practice
• Covering tracks
• Attack on defense
• Organized community
5 Phases a Hacker Follows
• Reconnaissance: preparatory phase; competitive intelligence; time consuming; most important
• Scanning: network mapping; check for open ports; banner grabbing; identify open services; scanning for vulnerabilities; prepare proxies
• Gaining Access: potential damage; logic or time bomb; session hijacking; buffer overflows; targeted attack; brute force/dictionary attack
• Maintaining Access: backdoor; Trojans; rootkit; data transfer
• Covering Tracks: erasing contaminated logs; cover for additional attack
Reconnaissance
Preparatory phase, competitive intelligence, time consuming
Hacker's list: result
• Search the Web: employee contact information, phone numbers, business partners, recent mergers
• Search engines: search employee groups for sensitive information or job-related information
• Whois database: Internet address, domain names, contact information, ARIN
• Domain lookup: IP address, mail server information
• Ping, Traceroute, SMTP VRFY: live IP, round trip time, possible firewall, valid email addresses
Defending Reconnaissance
• There is no way to prevent attackers from obtaining registration data
• Avoid DNS leaking unnecessary information
• Restrict zone transfers
• Use split DNS and limit the amount of DNS information exposed
• Disable ping from the WAN side on the firewall
• Remember that employee contact information can be used in social engineering
Scanning
Hacker's list: result
• Network mapping: network security assessment
• Port scanning: search for open well-known ports
• Banner grabbing / OS fingerprinting: determine the operating system of the end PC
• Vulnerability scanning: identify vulnerabilities of computing systems
• Proxies: masking the traceback
Defending Scanning
• Check your systems before the hacker does
• Scan, find and patch: make it a regular process
• Change the content of the 404 page
• Edit server info properties if you want to engage the hacker and study behavior
• Block them with IPS at the network level
• Do not forget about open UDP ports
• Check for traffic with known source ports; it can be a disguise
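Two of the points above, "do not forget about UDP" and "traffic with known source ports can be a disguise", are easy to check in firewall logs. The following is an added example, not code from the deck or from Cyberoam: it parses a hypothetical space-separated firewall export (timestamp, source IP and port, destination IP and port, protocol, action), flags any source that touches many distinct ports within a sliding window (TCP and UDP alike), and flags denied packets whose source port is a service port. The log lines and the service-port set are constructed assumptions.

```python
"""Port-scan and disguised-source-port detection over firewall logs.

Added example for the "Defending Scanning" slide; it is not part of the
original deck and not Cyberoam code. The log format is a hypothetical
space-separated export (timestamp src_ip src_port dst_ip dst_port proto action)
and SAMPLE_LOG is constructed data: one host sweeping TCP and UDP ports, one
benign HTTPS client, and one probe arriving from source port 53.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2014-03-01T10:00:01 203.0.113.7 41000 192.0.2.10 21 TCP DENY
2014-03-01T10:00:01 203.0.113.7 41001 192.0.2.10 22 TCP DENY
2014-03-01T10:00:02 203.0.113.7 41002 192.0.2.10 23 TCP DENY
2014-03-01T10:00:02 203.0.113.7 41003 192.0.2.10 25 TCP DENY
2014-03-01T10:00:03 203.0.113.7 41004 192.0.2.10 80 TCP ALLOW
2014-03-01T10:00:03 203.0.113.7 41005 192.0.2.10 161 UDP DENY
2014-03-01T10:00:04 203.0.113.7 41006 192.0.2.10 443 TCP ALLOW
2014-03-01T10:00:04 203.0.113.7 41007 192.0.2.10 3389 TCP DENY
2014-03-01T10:00:05 198.51.100.4 52110 192.0.2.10 443 TCP ALLOW
2014-03-01T10:00:06 198.51.100.4 52111 192.0.2.10 443 TCP ALLOW
2014-03-01T10:00:07 198.51.100.9 53 192.0.2.10 1434 UDP DENY
"""

# Assumed set of service ports a probe may borrow as its *source* port so that
# a naive filter mistakes it for a reply (FTP-data, DNS, HTTP, Kerberos, NTP, HTTPS).
SERVICE_SOURCE_PORTS = {20, 53, 80, 88, 123, 443}
SCAN_PORT_THRESHOLD = 5              # distinct (proto, port) pairs per source ...
SCAN_WINDOW = timedelta(seconds=60)  # ... seen within this sliding window


def parse_log(text):
    """Parse the hypothetical export into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, src, sport, dst, dport, proto, action = parts
        events.append({"time": datetime.fromisoformat(ts), "src": src,
                       "sport": int(sport), "dst": dst, "dport": int(dport),
                       "proto": proto, "action": action})
    return events


def detect_port_scans(events, threshold=SCAN_PORT_THRESHOLD, window=SCAN_WINDOW):
    """Map each scanning source to the sorted distinct (proto, dport) pairs it
    probed. Allowed and denied hits both count, and UDP is not exempt: the
    scanner learns something from every answer, including silence."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_src[ev["src"]].append(ev)
    scanners = {}
    for src, evs in by_src.items():
        best, start = set(), 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            ports = {(e["proto"], e["dport"]) for e in evs[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= threshold:
            scanners[src] = sorted(best)
    return scanners


def detect_disguised_source_ports(events):
    """Flag denied packets that carry a service port as their source port.
    On a stateful firewall a genuine reply matches an existing session and is
    allowed; a denied packet from port 53 or 80 was unsolicited, so the source
    port is a disguise rather than a reply."""
    return [(ev["src"], ev["sport"], ev["dport"], ev["proto"])
            for ev in events
            if ev["action"] == "DENY" and ev["sport"] in SERVICE_SOURCE_PORTS]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, ports in detect_port_scans(evs).items():
        print(f"port scan from {src}: {len(ports)} distinct ports, first {ports[:4]}")
    for src, sport, dport, proto in detect_disguised_source_ports(evs):
        print(f"unsolicited {proto} from {src}:{sport} to port {dport} (disguised source port)")
```

The threshold and window are tuning knobs; a slow scan spread over hours needs a longer window, at the cost of more memory per source. Counting allowed hits as well as denied ones matters because the ports the scanner finds open are precisely the ones it will come back to.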
Gaining Access
Hacker's list: result
• Session hijacking: sniffing, capturing passwords
• Brute force: strong against weak passwords
• DNS poisoning: redirect traffic to another, imitating website
• Exploit vulnerability: access to restricted content, privilege elevation
Defending Gaining Access
• Complex passwords
• Find vulnerabilities before the hacker does: scan, patch, test
• DHCP snooping on L2 switches
• Create a separate management VLAN
• All protocols must be encrypted: use SSH, SSL, HTTPS
• Use LDAPS instead of simple LDAP bind requests
• Protect web servers against the OWASP top vulnerabilities with a WAF
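"Complex passwords" is only a defense against brute force if the policy rejects what a dictionary attack actually tries: common words with digits appended and letters swapped for look-alike symbols. The check below is an added example, not from the deck or from Cyberoam. It un-mangles a candidate the way a cracking rule set would before comparing it with a wordlist; the wordlist, the substitution table and the length rule are constructed assumptions standing in for a real dictionary and a real policy.

```python
"""Password policy check modelled on what a dictionary attack tries.

Added example for the "Defending Gaining Access" slide; not part of the
original deck and not Cyberoam code. COMMON_WORDS is a tiny constructed
stand-in for a cracking wordlist (real ones have millions of entries) and
LEET is an assumed substitution table.
"""
import re

COMMON_WORDS = {"password", "welcome", "summer", "letmein", "company", "admin", "qwerty"}

# Look-alike substitutions that cracking rules undo before a wordlist lookup.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 12        # assumed policy minimum
PASSPHRASE_LENGTH = 16  # at or above this, character-class mixing is not required


def normalize(candidate):
    """Undo the usual mangling: case, digits/symbols glued to either end, leet.
    'P@ssw0rd2014!' becomes 'password'."""
    lowered = candidate.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return stripped.translate(LEET)


def check_password(candidate, username="", wordlist=COMMON_WORDS):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if len(candidate) < PASSPHRASE_LENGTH and classes < 3:
        problems.append("fewer than 3 character classes")
    core = normalize(candidate)
    if core in wordlist:
        problems.append(f"dictionary word after un-mangling: {core!r}")
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    for pw, user in [("P@ssw0rd2014!", "jsmith"),
                     ("jsmith-Rocks-99", "jsmith"),
                     ("correct horse battery staple", "jsmith")]:
        verdict = check_password(pw, user) or ["ok"]
        print(f"{pw!r}: {'; '.join(verdict)}")
```

Note that a naive "upper, lower, digit, symbol" rule accepts `P@ssw0rd2014!`, while the un-mangling step shows it is `password` with decorations, which is among the first guesses any dictionary attack makes. Pair the policy with lockout or rate limiting so that even passwords that pass cannot be guessed online.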
Maintaining Access
Hacker's list: result
• Backdoor: pre-installed or backdoor software is used by hackers to regain access to systems so that they can send further malicious software to that particular system
• Trojan horses: a Trojan horse is used as a dropper; it allows other hackers and worms to attack the network easily
• Rootkits: very hard to detect
Defending Maintaining Access
• Regular scanning
• Regular monitoring of the data passing through the network
• Updated antivirus with advanced rootkit removal capabilities
• IPS should be capable of stopping bots from connecting to the command center
• LAN to WAN should not be open for all traffic
• An outbound spam filter should be on the priority list
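A bot that has to reach its command center leaves a signature in outbound connection logs even when the payload is encrypted: it checks in on a timer, so the gaps between its connections are nearly constant, whereas a person browsing produces irregular gaps. The following is an added example, not code from the deck or from Cyberoam, of that "regular monitoring of the data passing through the network". It reads a hypothetical CSV flow export (timestamp, source, destination, port) and reports (source, destination, port) triples whose inter-connection jitter is low; the flow records and thresholds are constructed.

```python
"""Beacon (periodic check-in) detection over outbound flow logs.

Added example for the "Defending Maintaining Access" slide; not part of the
original deck and not Cyberoam code. SAMPLE_FLOWS is constructed: 10.1.1.25
connects to one external host every five minutes, 10.1.1.30 connects to
another at human-looking irregular intervals.
"""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

SAMPLE_FLOWS = """\
timestamp,src_ip,dst_ip,dst_port
2014-03-01T09:00:00,10.1.1.25,203.0.113.50,443
2014-03-01T09:05:01,10.1.1.25,203.0.113.50,443
2014-03-01T09:10:00,10.1.1.25,203.0.113.50,443
2014-03-01T09:14:59,10.1.1.25,203.0.113.50,443
2014-03-01T09:20:00,10.1.1.25,203.0.113.50,443
2014-03-01T09:25:01,10.1.1.25,203.0.113.50,443
2014-03-01T09:00:12,10.1.1.30,198.51.100.20,443
2014-03-01T09:00:45,10.1.1.30,198.51.100.20,443
2014-03-01T09:07:02,10.1.1.30,198.51.100.20,443
2014-03-01T09:31:40,10.1.1.30,198.51.100.20,443
2014-03-01T09:32:05,10.1.1.30,198.51.100.20,443
2014-03-01T09:58:00,10.1.1.30,198.51.100.20,443
"""

MIN_CONNECTIONS = 5     # too few connections and periodicity cannot be judged
MAX_JITTER_RATIO = 0.1  # stdev(gaps)/mean(gaps); timers are tight, people are not


def load_flows(text):
    """Parse the hypothetical CSV export into (src, dst, port, datetime) tuples."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append((row["src_ip"], row["dst_ip"], int(row["dst_port"]),
                     datetime.fromisoformat(row["timestamp"])))
    return rows


def find_beacons(flows, min_connections=MIN_CONNECTIONS, max_jitter=MAX_JITTER_RATIO):
    """Return {(src, dst, port): (mean_gap_seconds, jitter_ratio)} for talkers
    whose connection spacing is regular enough to look machine-driven."""
    times = defaultdict(list)
    for src, dst, port, ts in flows:
        times[(src, dst, port)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # same-second duplicates, not a timer
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons[key] = (round(mean, 1), round(jitter, 3))
    return beacons


if __name__ == "__main__":
    for (src, dst, port), (mean, jitter) in find_beacons(load_flows(SAMPLE_FLOWS)).items():
        print(f"{src} -> {dst}:{port} every {mean}s (jitter ratio {jitter}): possible C2 check-in")
```

Treat a hit as a lead for the IPS and antivirus steps above rather than proof: software updaters and monitoring agents beacon too, so the destination reputation decides, and implants that randomize their interval push the jitter ratio up and need a looser threshold or a longer observation window.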
Covering Tracks
Hacker's list: result
• Hide the entry points: difficult to detect with passive monitoring
• Hide the logs: too many logs confuse the customers
• Hide the data transfer logs: data transfer is done using encrypted tunnels
• Difficult to predict: professional work
Defending Covering Tracks
• Logs should be stored on multiple servers
• Regular backup of the logs should be done
• Hackers usually clean up and shut the service down; SNMP will help
• Close monitoring of the logs may help
• SIEM tools are better in those scenarios
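Storing logs on multiple servers only helps if the copies can be compared, and erasing "contaminated" entries on the compromised host is hard to spot if the remaining lines still look valid. Chaining each entry to the hash of its predecessor makes an edit, a deletion or a truncation detectable by anyone holding the current head hash. The code below is an added example, not from the deck or from Cyberoam: it builds such a chain over constructed auth-log lines and shows what each tampering scenario does to verification.

```python
"""Tamper-evident log chain: detect edited, deleted or truncated entries.

Added example for the "Defending Covering Tracks" slide; not part of the
original deck and not Cyberoam code. Each record carries the SHA-256 of the
previous record, and the head hash is assumed to be forwarded to a separate
log server as entries arrive, so an intruder on the host cannot rewrite
history without the mismatch showing up there. SAMPLE_LINES are constructed.
"""
import hashlib

GENESIS = "0" * 64  # chain anchor: the "previous hash" of the first entry

SAMPLE_LINES = [
    "2014-03-01T02:10:01 sshd: Accepted password for admin from 10.1.1.40",
    "2014-03-01T02:10:09 sudo: admin : COMMAND=/bin/cat /etc/shadow",
    "2014-03-01T02:11:30 sshd: Accepted publickey for backup from 10.1.1.41",
    "2014-03-01T02:12:00 cron: (root) CMD (run-parts /etc/cron.hourly)",
]


def entry_hash(prev_hash, line):
    """SHA-256 over the previous hash and this line, binding the two together."""
    return hashlib.sha256(f"{prev_hash}\n{line}".encode()).hexdigest()


def build_chain(lines):
    """Return a list of {line, prev, hash} records chained from GENESIS."""
    chain, prev = [], GENESIS
    for line in lines:
        digest = entry_hash(prev, line)
        chain.append({"line": line, "prev": prev, "hash": digest})
        prev = digest
    return chain


def head_hash(chain):
    """The value the remote collector records after each forwarded entry."""
    return chain[-1]["hash"] if chain else GENESIS


def verify_chain(chain, expected_head=None):
    """Return (ok, index). An edited or deleted entry breaks the link at the
    first record after the damage; entries trimmed off the end leave a valid
    but shorter chain, which only the out-of-band head hash can reveal."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != entry_hash(prev, rec["line"]):
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def tamper_scenarios():
    """Verification result for an intact chain and three kinds of log cleaning."""
    good = build_chain(SAMPLE_LINES)
    head = head_hash(good)  # what the separate log server holds
    edited = [dict(rec) for rec in good]
    edited[1]["line"] = edited[1]["line"].replace("/etc/shadow", "/var/log/syslog")
    deleted = good[:1] + good[2:]  # the sudo line removed
    truncated = good[:-1]          # the newest entry dropped
    return {
        "intact": verify_chain(good, head),
        "edited entry 1": verify_chain(edited, head),
        "deleted entry 1": verify_chain(deleted, head),
        "truncated tail": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    for name, (ok, index) in tamper_scenarios().items():
        print(f"{name}: {'ok' if ok else f'chain broken at record {index}'}")
```

The chain itself lives beside the logs; its value comes from the head hash (or the whole record stream) reaching a second server the intruder does not control, which is exactly what the "multiple servers" point above buys. Signing the head with a key held only by the collector closes the remaining gap of an attacker who rebuilds the entire chain.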
Analyze to Learn
• To protect a system, you have to learn how it can be attacked
• Systems are resistant to change once deployed
• Thinking like an attacker is not always easy and may sound counterproductive
• But hackers do that every day
Security Evaluation
• Threat modeling is one of the most powerful security engineering activities
• Focus on actual threats, not just vulnerabilities
• Plans and reviews gain deep insight into the methods attackers could use to manipulate services or servers
• Weigh security decisions against other design goals
• Understand attack vectors and the conditions for a successful attack
Threat Priority
• Resource: What are you trying to protect?
• Threat: What are you afraid of happening?
• Vulnerability: How could the threat occur?
• Mitigation: What is currently reducing the risk?
• Impact: What is the impact to the business?
• Likelihood: How likely is the threat given the controls?
10 Assumptions to Get Hacked Easily
• Allow everything from LAN to WAN
• DMZ to LAN allowed by default
• Use very easy passwords
• Allow applications to use administrative passwords
• No update of antivirus
• Running unhardened application servers
• Assume your security is fully secure
• Assume a firewall can save you from all types of attacks
• Do not patch servers, end machines or workstations
• Allow users to use BYOD without a corporate policy
• Virtual networks are secure by design
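The first two assumptions in the list are firewall policy defaults, and a rule set can be audited for them mechanically. The following is an added example, not from the deck or from Cyberoam: a vendor-neutral rule representation (name, source zone, destination zone, service, action, with `any` as wildcard), a constructed weak rule set that embodies "everything from LAN to WAN" and "DMZ to LAN allowed", the corrected rule set beside it, and an audit that evaluates both under first-match semantics.

```python
"""Firewall rule-set audit for permissive zone defaults.

Added example for the "10 Assumptions to get hacked easily" slide; not part of
the original deck and not Cyberoam code. Rules are constructed tuples
(name, src_zone, dst_zone, service, action) evaluated top-down, first match
wins, with "any" as a wildcard. Both rule sets are constructed samples.
"""

# Weak setting: all egress open, and the DMZ may initiate into the LAN.
WEAK_RULES = [
    ("lan-out",        "LAN", "WAN", "any",   "allow"),
    ("dmz-to-lan",     "DMZ", "LAN", "any",   "allow"),
    ("wan-to-dmz-web", "WAN", "DMZ", "https", "allow"),
    ("default",        "any", "any", "any",   "deny"),
]

# Corrected: egress limited to named services, LAN may reach the DMZ but the
# DMZ is explicitly blocked from the LAN, and a final deny-all still closes it.
HARDENED_RULES = [
    ("lan-web-out",      "LAN", "WAN", "https", "allow"),
    ("lan-dns-out",      "LAN", "WAN", "dns",   "allow"),
    ("lan-to-dmz-web",   "LAN", "DMZ", "https", "allow"),
    ("wan-to-dmz-web",   "WAN", "DMZ", "https", "allow"),
    ("dmz-to-lan-block", "DMZ", "LAN", "any",   "deny"),
    ("default",          "any", "any", "any",   "deny"),
]

PROBE_SERVICE = "__unlisted_service__"  # matches only wildcard service rules


def first_match(rules, src_zone, dst_zone, service):
    """Return the first rule that applies to the flow, or None."""
    for rule in rules:
        _, rs, rd, rsvc, _ = rule
        if rs in (src_zone, "any") and rd in (dst_zone, "any") and rsvc in (service, "any"):
            return rule
    return None


def audit(rules):
    """Return (finding, rule_name) pairs for the two zone assumptions on the
    slide and for a missing final deny-all."""
    findings = []
    # Assumption 1: if a service nobody listed still gets out, egress is wide open.
    rule = first_match(rules, "LAN", "WAN", PROBE_SERVICE)
    if rule is not None and rule[4] == "allow":
        findings.append(("LAN to WAN allows all services", rule[0]))
    # Assumption 2: any allow rule that lets the DMZ initiate into the LAN.
    for name, rs, rd, _, action in rules:
        if rs in ("DMZ", "any") and rd in ("LAN", "any") and action == "allow":
            findings.append(("DMZ may initiate into LAN", name))
    if not rules or rules[-1][1:] != ("any", "any", "any", "deny"):
        findings.append(("no final explicit deny-all rule", None))
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        result = audit(rules) or [("no findings", None)]
        for finding, name in result:
            print(f"{label}: {finding}" + (f" (rule {name})" if name else ""))
```

The probe-service trick is the useful part: rather than enumerating bad services, the audit asks what happens to a service no rule names, which is exactly the question a piece of malware on the LAN asks when it picks an outbound port. The hardened set answers "deny", and its explicit `dmz-to-lan-block` rule documents the intent instead of relying on the catch-all.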
Thank you