
Page 1: Protecting against computerized corporate espionage...Watering Hole: Attacks Over Business Contacts Many interesting targets are well protected Thus attackers may focus sites visited

Protecting the irreplaceable | f-secure.com

How to harden your corporate practices

Jarno Niemelä [email protected] Twitter: @jarnomn

Protecting against computerized corporate espionage

Page 2

What Is Computerized Espionage

Spying on a target by using a computer as a tool for it

Targets are chosen because they have something of value

Attacks are impersonal and very personal at the same time

• Victim and attacker can be on different sides of the globe

• But at the same time the attacker has tailored the attack to the person

Page 3

Typical Computerized Espionage Case

Victim gets an email or a message over some social network

• The content looks like a regular business mail or a link

• However it contains exploit code with a trojan payload

Victim reads a document or clicks link and the payload is executed

• Payload connects back to the attacker's C&C network

Spy will mine computer for anything interesting

Page 4

What’s The Catch? This Sounds Like Any Other Malware

Nowadays, users are careful, they don’t open just anything

Thus the catch is in getting the user's trust

To do this the spies study the victim

Thus Facebook, LinkedIn, Twitter, etc. are spies' favorite tools

Page 5

What Are The Spies After?

Corporate secrets of course

But if those are not available, then anything that helps them*

• Travel tickets, hotel invoices and other time/location info

• Banking info and scans of documents, e.g. passport

• Job applications, legal documents

• Email, sms messages, address books and other communication

• Login credentials, especially admin credentials

If the current victim is not interesting, maybe someone he knows is

And thus the current victim can be impersonated online

[1] http://www.nartv.org/mirror/shadows-in-the-cloud.pdf

Page 6

Attack Vectors

Attack over email attachment

Attack externally visible server and continue to internal network

Attack from supplier web page

Using stolen user credentials

Attacks over business related files

Page 7

Attacks Over Email

An employee at Digital Bond received a credible-looking mail from his boss*

Digital Bond is a SCADA security vendor, and thus has very interesting clients from a spy's point of view

The attachment actually was a ZIP file which contained an EXE

The EXE was a backdoor which was not detected by any AV vendor

[1] https://www.digitalbond.com/2012/06/07/spear-phishing-attempt/

Page 8

Watering Hole: Attacks Over Business Contacts

Many interesting targets are well protected

Thus attackers may focus on sites visited by a target

CFR is a political think tank with very interesting members*

The site was injected with a 0-day exploit for Internet Explorer

CFR is just one example

• Aerospace parts suppliers

• Industrial process optimization

• Chinese language news sites that are hosted in US

• Tibetan activist sites

http://freebeacon.com/chinese-hackers-suspected-in-cyber-attack-on-council-on-foreign-relations/

Page 9

Attacks Over Business Related Files

Non-PDF business-related files are trusted to a high degree

ESET discovered an AutoCAD worm that was used to steal 10000s of docs*

Medre.A had infected a template in Peru that local businesses had to use

After infection Medre.A collected AutoCAD files and mailed them to China

Medre.A also tries to steal Outlook PST files

http://freebeacon.com/chinese-hackers-suspected-in-cyber-attack-on-council-on-foreign-relations/

Page 10

C&C

After a successful attack the attacker needs to be able to talk to the payload

Which means that he needs some way to communicate

• HTTP(s) C&C (simple domain, fast flux, compromised site)

• Skype, IRC, Messenger, ICQ, etc chat connections

• Twitter, Facebook, social networks

• FTP, Dropbox, file-leave, file sharing sites

• SMTP

• Anything else that looks like regular user activity

• For example embedding commands in JPEG or PNG is popular

Page 11

Lateral Movement

In order to find interesting stuff attackers need to move

This means they need to be able to take over other hosts

The typical way to do this is to crack a user or admin password hash

After the attacker has the password he can use psexec or the “at” command to execute files on remote systems

Also remote login products commonly used by IT are frequently used

[Diagram: Point of entry → Admin password hash → Psexec → Another workstation → Backdoor executed]

Page 12

Data Exfiltration

After the attacker has C&C he needs some way to get data out

The most common approach is to use the C&C channel and HTTP

But sometimes attackers get creative*

• Print “error pages” that contain encoded information and dumpster dive

• Leak information in DNS queries, payload 240 bytes per query

• Leak info in ICMP ping packets

• Open a VOIP connection and emulate an analog modem

• Embed data in PNG or other image files and upload

http://www.iamit.org/blog/2012/01/advanced-data-exfiltration/

http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHat-DC-2010-Percoco-Global-Security-Report-2010-slides.pdf

http://www.kentonborn.com/sites/default/files/data_exfil.pdf

Page 13

Protection: Get your basics right

Attackers are using malware, so basic defense takes you a long way*

Harden workstations and servers

Harden your network especially outgoing data

Make sure external servers contain only what is needed

Make sure systems are up to date and well configured

Use security software

Use gateway filtering

Don’t have a common admin account across systems

http://www.us-cert.gov/control_systems/pdf/ICS-TIP-12-146-01A.pdf

Page 14

Hardening Network

Prevent lateral movement within your network

• Isolate everything in the network: no inbound to clients, no outbound from servers

• Block remote execution and RDP from other than admin network segment

• Allow users to log in only to their own workstations

Isolate email to approved business use only

• Allow email only over company mail server

• Don’t allow mail sending without user authentication

Control web traffic

• Don’t allow any outbound traffic except HTTP(s)

• Allow HTTP(s) only over company proxy

• If local law allows, alert on an unusually high amount of uploads from a workstation

Page 15

Hardening Network

Prevent easy ways of contacting C&C

• Don’t allow external DNS servers, don’t allow ping to external hosts

• Set up DNS whitelisting and a landing page for unknown domains

Apply these configurations also to laptop software firewalls

• A common trick is to leak info when the laptop is not in the corporate network

Page 16

DNS Is the Botnet's Achilles' Heel

A bot is useless if it cannot connect to C&C

• Provided that you are not facing an exotic attack such as Flame

Basically all bots use domain names for C&C

Thus restricting DNS resolution will take you a long way

I am collecting a list of domains used by document exploits

8953 domains out of 9035 do not belong in Alexa top 1M list of domains

Which means that restricting DNS resolution is very effective

Page 17

Filter Content With Known Exploits

There is no point in letting exploit content reach its target

Thus use web content scanning to kill known exploits

• Flash, PDF, Java, Office documents

F-Secure CS and IS products also have very good exploit detection

Page 18

Make Sure Your AV Client Is Configured Right

You probably have read blogs about “AV being useless”

Partly it is because nothing is perfect, and 99% is not enough

But in corporations it’s mainly due to using AV wrong

• Real time protection network is switched off

• Behavioral heuristics are switched off

• Which means about 80% of the protection is disabled

AV product needs to have a network connection

Page 19

Harden Web Browsers And Other Client Software

Even better than filtering exploits is to disable unneeded content

Disable types of content that users don’t need

• Disable Java and ActiveX unless you need them for something

Block Flash, JavaScript and videos from all unknown sites

• Install NoScript, or use click-to-play or similar blocking

Harden office applications

• Install Office File Validation

• Block ActiveX and Flash components in office documents

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=2807

http://blogs.technet.com/b/srd/archive/2011/03/16/blocking-exploit-attempts-of-the-recent-flash-0-day.aspx

Page 20

Harden Client Application Memory Handling

Enhanced Mitigation Experience Toolkit (EMET)

Harden memory handling of any application that processes external data

• Acrord32 and other PDF readers

• Winzip,7Zip, etc

• Excel, PowerPoint, Word, Outlook, Winword.exe

• Explorer.exe, iexplore.exe, Firefox, Chrome

• Skype.exe

• Wmplayer.exe, VLC, and any other video player

It is possible to write exploits so that they bypass EMET

• But then the attacker has to knowingly try to circumvent EMET

Page 21

Sandbox Applications That Don’t Write Files

Clients that read external data should not write local files

Thus it makes sense to sandbox them with an application sandbox

• An exploited application should not be able to break free

In reality sandboxes are not 100% reliable

Third party sandboxes

• Sandboxie.com, Winjail.com

Page 22

Prevent File Creation To Locations Preferred By Malware

Most malware authors use the exploit only as a dropper

• The actual infection is done by a traditional bot client

If the exploit can be prevented from creating files, the attack will fail

In Windows 7 effective hiding requires admin privileges

• Thus malware authors prefer to use locations where the user can write

Blocking creation of files in the locations preferred by malware authors

• Will kill a lot of exploit code

Page 23

Locations Where File Creation Should Be Prevented

Change ACLs to prevent users from writing and executing files in

• C:\users\USER (%userprofile%)

• C:\users\USER\AppData\Roaming (%appdata%)

• C:\users\USER\AppData\LocalLow

• C:\ProgramData\

• C:\Program Files\

• C:\, D:\, E:\, F:\, etc. root of any drive; this will stop autorun worms

• c:\Users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Startup\

Remember to allow directories, but these roots should not contain files

Page 24

Prevent Execution From Where There Are No Exes

Use AppLocker to prevent execution from

• %HOT%, %REMOVABLE% (USB and other removable media)

• c:\Users\USER\Documents\

• c:\$Recycle.Bin\

• C:\recovery

• C:\ProgramData\

• C:\system volume information\

• %APPDATA%, make exceptions for Google, Eclipse, etc.

An alternative approach is to allow only Program Files and the Windows dir.

• Or even allow only signed files and make exceptions for others

• But this can be rather high maintenance, as not all programs are signed and/or they run EXEs from stupid locations (I am looking at you, Google)

http://technet.microsoft.com/en-us/library/dd723678(v=ws.10).aspx
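Before the ACL changes of the previous slide and the AppLocker rules of this one are enforced, it helps to know what already lives in those directories, so that legitimate exceptions (the slide names Google and Eclipse) are allowed rather than broken. The script below is an added example, not code from the slides or from Microsoft: it walks the listed locations, reports executables, and skips vendor trees you have decided to exempt. The extension list, the demo profile tree and the `demo_locations` helper are constructed for the example; `default_locations` approximates the slides' list for the current user.

```python
"""Audit the malware-preferred locations before locking them down (added example)."""
import os
import tempfile

# Assumption: a reasonable default set of executable/script extensions;
# extend it to match what your AppLocker policy covers.
EXEC_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".ps1", ".msi"}


def default_locations():
    """(path, recursive) pairs approximating the two slides' lists for the
    current user. Drive roots and the profile root are scanned non-recursively:
    directories are allowed there, it is loose files that should not exist."""
    profile = os.environ.get("USERPROFILE", os.path.expanduser("~"))
    drives = [d + ":\\" for d in "CDEF"] if os.name == "nt" else []
    locs = [(d, False) for d in drives]
    locs += [
        (profile, False),                                        # %userprofile%
        (os.path.join(profile, "AppData", "Roaming"), True),     # %appdata%
        (os.path.join(profile, "AppData", "LocalLow"), True),
        (os.path.join(profile, "Documents"), True),
        ("C:\\ProgramData", True),
        ("C:\\Recovery", True),
        ("C:\\$Recycle.Bin", True),
        ("C:\\System Volume Information", True),
    ]
    return locs


def audit(locations, exceptions=()):
    """Return sorted paths of executables found in the given locations.

    exceptions: directory names (case-insensitive) whose subtrees are skipped,
    e.g. ("Google", "Eclipse") for the updaters the slide mentions."""
    skip = {e.lower() for e in exceptions}
    hits = []
    for root, recursive in locations:
        if not os.path.isdir(root):
            continue                  # location absent on this machine
        for dirpath, dirnames, filenames in os.walk(root):
            parts = {p.lower() for p in dirpath.split(os.sep)}
            if skip & parts:
                dirnames[:] = []      # exempted vendor tree: do not descend
                continue
            for name in filenames:
                if os.path.splitext(name)[1].lower() in EXEC_EXTENSIONS:
                    hits.append(os.path.join(dirpath, name))
            if not recursive:
                dirnames[:] = []      # root-only location: stop after the root
    return sorted(hits)


def build_demo_tree():
    """Constructed sample profile in a temp dir: a loose EXE in the profile
    root, a harmless text file, and a vendor updater under AppData\\Roaming."""
    base = tempfile.mkdtemp(prefix="profile-demo-")
    os.makedirs(os.path.join(base, "AppData", "Roaming", "Google", "Update"))
    for rel in ("loose.exe", "notes.txt",
                os.path.join("AppData", "Roaming", "Google", "Update", "GoogleUpdate.exe")):
        with open(os.path.join(base, rel), "w") as f:
            f.write("placeholder\n")
    return base


def demo_locations(base):
    """The two location kinds from the slides, rooted at the demo profile."""
    return [(base, False), (os.path.join(base, "AppData", "Roaming"), True)]


if __name__ == "__main__":
    for path in audit(default_locations(), exceptions=("Google", "Eclipse")):
        print(path)
```

Run it once with an empty exception list to see everything that would be blocked, then again with the vendors you intend to exempt; what remains is what the ACL and AppLocker changes will stop.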

Page 25

OK, So the Basics Are Done, the Fun Part Begins

You have to assume that the attacker gets past your defenses

Prevent access to sensitive information and systems

• Buy time for detection systems to react

• Minimize damage even if attack is not detected

Detect the breach

• According to Trustwave there is an average of 156 days between initial breach and discovery

• This is way too long; we need to lay traps for attackers

http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHat-DC-2010-Percoco-Global-Security-Report-2010-slides.pdf

Page 26

Know What You Are Protecting

Intra web

• Customer Relations Info

• Any services that you have webified

Active directory

• User accounts

Web servers

• Especially if you are a subcontractor, your customer might be the real target

Document files

• Business plans, price offers, pricing, patent applications, HR records

Source code

• Files on developer desktops, source code repositories

Email files

• Mergers, financial information before release, etc. insider info

Page 27

Protect Documents, Use Rights Management

Rights Management Services provides transparent document protection

With RMS all protected documents are stored in encrypted form

• To open a document, Word/Excel/etc. must request a key from the RMS server

• If the user has rights the server returns a key

Thus if a document is stolen it cannot be read

• Also documents can be restricted to a person or a group

• Third party vendors like GigaTrust can expand rights management to non-Microsoft documents and iPhone/iPad devices

http://en.wikipedia.org/wiki/Rights_Management_Services

http://www.gigatrust.com/desktop_client.shtml

Page 28

Protect Access To Source Code

Isolate development from the desktop

• Run development in a separate virtual machine session

• Have a VPN that serves only that virtual machine

• Alternatively use some form of terminal service, VNC or RDP for example

Protect access to source code repository

• User access needs to be tightly controlled, no universal read access

Use data leakage prevention software

• Configure all source code as non-transferable from the workstation

• Of course DLP can be circumvented, but it is additional protection

http://www.mydlp.com/

Page 29

Protect Your Internal Web Applications

Make the attacker's life a bit more difficult. Lock access to one browser only

• Use Kerberos authentication for all internal web pages

• Set the client firewall to allow only the correct browser to use HTTP/S to the intra

• Configure the intra server to accept only the company's custom user agent

Thus the attacker needs to take over the browser or fake it 100%

Have log alerts for partially successful authentications

• It’s very unlikely that the attacker would get everything right

Page 30

Protect External Web From Inside Attacks

Being an attack vector at your customer will be bad for business

Thus you have to protect your external servers

Isolate external facing servers from internal network

Don’t make direct changes, use content management

• Make all changes in a CMS that has auditing and change logging

Do automated consistency checks between CMS and server

Page 31

Protect Your Email

Most recorded email thefts happen by stealing the mail files

Issue email certificates for all users, and lock the certs with password

• Thus almost all critical email will have transparent encryption

• And to read them the spy has to be able to steal the certificate

Block or set warnings on programmatic access to the mail client

Also remember to control access to .PST etc. files

Page 32

BYOD

It would be nice to be without BYOD

If you have to allow user devices, do it safely

Laptops, phones and PDAs should have their own WiFi

Require that the mail server can enforce policies

• Mandatory PIN or other lock code

• Allow only a couple of days of email

• Allow only one month of calendar in the future

Use rights management on everything that supports it

Page 33

Detect Breaches And Information Leaks

Even if you fail at prevention, the game is not lost

The spy still has to send the goods out of your network

Most companies focus on preventing intrusion

While what you should really focus on is preventing data from escaping

Page 34

Set Data Exfiltration Honeypots

Create fake routes out of the company that raise an alarm if someone uses them

A fake smtp.company.com mail server that accepts mail but does not forward it

Capture all HTTP traffic that does not go through correct proxy

Capture all DNS traffic that does not go to your DNS server

Capture all ping ICMP traffic

Page 35

How To Build Honeypots

All you need is Linux iptables or a good router, Python and a spare server

Route all unwanted traffic to the honeypot server

Create fake services with Python that answer OK, log and send an alarm email

• HTTP example http://fragments.turtlemeat.com/pythonwebserver.php

• SMTP http://muffinresearch.co.uk/archives/2010/10/15/fake-smtp-server-with-python/

• DNS http://code.activestate.com/recipes/491264-mini-fake-dns-server/
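The fake smtp.company.com sink from the previous slide, written out as an added example (it is not code from the slides or from the linked articles). The protocol handling is a plain state machine, so it can be exercised without a network; the `SinkHandler` and `serve` wrappers put it on a socket. Assumptions: unwanted SMTP traffic is already routed to this host, the listen port is 2525 behind an iptables redirect, and `alarm` is where a real paging or mail-out hook would go. Nothing is ever relayed.

```python
"""Fake smtp.company.com: accepts mail, forwards nothing, logs and alarms (added example)."""
import logging
import socketserver

log = logging.getLogger("smtp-sink")
HOSTNAME = "smtp.company.com"   # the decoy name used on the slide


def alarm(peer, sender, recipients, body):
    """Alert hook: log the capture and return a one-line summary.
    Replace the logging call with your own paging/mail system (hypothetical)."""
    summary = "EXFIL? %s sent %d byte(s) from %r to %s" % (
        peer, len(body), sender, ",".join(recipients))
    log.critical(summary)
    return summary


class SmtpSinkSession:
    """One SMTP conversation as a socket-free state machine. handle_line()
    returns the reply to send, or None while swallowing message body lines."""

    def __init__(self, peer, on_message=alarm):
        self.peer = peer
        self.on_message = on_message
        self.in_data = False
        self.body = []
        self.reset()

    def reset(self):
        self.sender = None
        self.recipients = []

    def greeting(self):
        return "220 %s ESMTP ready" % HOSTNAME

    @staticmethod
    def _address(arg):
        # "FROM:<a@b> SIZE=12" / "TO:<a@b>" -> "a@b"
        addr = arg.partition(":")[2].strip()
        return addr.split()[0].strip("<>") if addr else ""

    def handle_line(self, line):
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.on_message(self.peer, self.sender, list(self.recipients), "\n".join(self.body))
                self.reset()
                self.body = []
                return "250 OK queued"          # a lie: nothing is ever delivered
            # RFC 5321 dot-stuffing: a body line that starts with ".." had one dot added
            self.body.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 %s" % HOSTNAME
        if verb == "MAIL":
            self.sender = self._address(arg)
            return "250 OK"
        if verb == "RCPT":
            self.recipients.append(self._address(arg))
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 Need RCPT first"
            self.in_data = True
            self.body = []
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self.reset()
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "250 OK"   # accept anything else: the aim is to keep the client talking


class SinkHandler(socketserver.StreamRequestHandler):
    def handle(self):
        session = SmtpSinkSession(self.client_address[0])
        self._reply(session.greeting())
        for raw in self.rfile:
            reply = session.handle_line(raw.decode("utf-8", "replace").rstrip("\r\n"))
            if reply is not None:
                self._reply(reply)
                if reply.startswith("221"):
                    break

    def _reply(self, text):
        self.wfile.write((text + "\r\n").encode("utf-8"))


class SinkServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def serve(host="0.0.0.0", port=2525):
    """Listen for redirected SMTP (port 25 needs root; 2525 plus an iptables
    REDIRECT on the honeypot host is the assumed arrangement)."""
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
    with SinkServer((host, port), SinkHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Because every message ends in a `250 OK queued`, a bot that tries to mail data out through the decoy believes it succeeded, while the only thing that happens is the alarm. The captured body is handed to `alarm` so an analyst can see what was about to leave.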

Page 36

Monitor Traffic That Is Allowed To Go Through

Due to privacy reasons I don’t advise reading content, but just traffic inspection will reveal if there is a need to start an investigation

Monitor DNS queries for unusual patterns

• 10s of queries to different subdomains in the same domain

• Queries to domains not in .fi or in the Alexa top 1M space

Monitor ping requests (even if you are blocking them)

• Normal users do not try to send frequent ping traffic to odd destinations

HTTP requests that do not have the company standard HTTP user agent

• Whitelist known self-update destinations (Apple, Dell, Google, etc.)
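The four pattern checks on this slide, and the DNS-restriction argument of slide 16, as an added example that is not from the deck: it looks only at who talked to what, never at content. A small known-good set stands in for ".fi or the Alexa top 1M", the log format, addresses, user-agent string, update whitelist and thresholds are all constructed for the example, and `registered_domain` deliberately ignores two-label public suffixes such as co.uk.

```python
"""Traffic-pattern monitoring over constructed log lines (added example)."""
import re
from collections import defaultdict

KNOWN_GOOD_TLDS = {"fi"}
KNOWN_GOOD_DOMAINS = {"f-secure.com", "microsoft.com", "google.com"}   # stand-in for Alexa top 1M
UPDATE_WHITELIST = {"update.apple.com", "downloads.dell.com", "tools.google.com"}
COMPANY_USER_AGENT = "CompanyBrowser/1.0"     # hypothetical company-standard UA

# Constructed format: "<time> <client> <DNS|HTTP|ICMP> <name-or-host> ["user-agent"]"
LINE_RE = re.compile(r'^(\S+) (\S+) (DNS|HTTP|ICMP) (\S+)(?: "([^"]*)")?$')


def registered_domain(name):
    """'a.b.example.net.' -> 'example.net'. Simplification: two-label public
    suffixes (co.uk) are not handled; use a public-suffix list in production."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_known_good(domain):
    return domain in KNOWN_GOOD_DOMAINS or domain.rsplit(".", 1)[-1] in KNOWN_GOOD_TLDS


def analyze(lines, fanout_threshold=10, ping_threshold=5):
    """Return the slide's four kinds of findings as plain dict/list values."""
    fanout = defaultdict(set)      # (client, domain) -> distinct names queried
    unknown = set()                # (client, domain) outside the known-good space
    pings = defaultdict(int)       # client -> ICMP echo count
    odd_ua = []                    # (client, host, user-agent)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue               # unparseable line; in practice count these too
        _ts, client, kind, target, ua = m.groups()
        if kind == "DNS":
            domain = registered_domain(target)
            fanout[(client, domain)].add(target.lower())
            if not is_known_good(domain):
                unknown.add((client, domain))
        elif kind == "ICMP":
            pings[client] += 1
        elif kind == "HTTP":
            if ua != COMPANY_USER_AGENT and target.lower() not in UPDATE_WHITELIST:
                odd_ua.append((client, target, ua))
    return {
        "unknown_domains": sorted(unknown),
        "subdomain_fanout": {k: len(v) for k, v in fanout.items() if len(v) >= fanout_threshold},
        "ping_sources": {c: n for c, n in pings.items() if n >= ping_threshold},
        "odd_user_agents": odd_ua,
    }


# Constructed sample: a normal user (10.0.0.5) and a host (10.0.0.7) showing the
# subdomain fan-out, frequent ping and non-standard browser patterns.
SAMPLE_LOG = [
    "2012-10-01T09:00:01 10.0.0.5 DNS www.f-secure.com",
    "2012-10-01T09:00:02 10.0.0.5 DNS mail.example.fi",
    "2012-10-01T09:00:03 10.0.0.5 DNS cdn.example.org",
    '2012-10-01T09:00:04 10.0.0.5 HTTP intra.company.local "CompanyBrowser/1.0"',
    '2012-10-01T09:00:05 10.0.0.5 HTTP update.apple.com "SoftwareUpdate/1.0"',
    '2012-10-01T09:00:06 10.0.0.7 HTTP 203.0.113.9 "Mozilla/4.0 (compatible; MSIE 6.0)"',
] + ["2012-10-01T09:01:%02d 10.0.0.7 DNS %04x.tunnel.example.net" % (i, i) for i in range(12)] \
  + ["2012-10-01T09:02:%02d 10.0.0.7 ICMP 198.51.100.%d" % (i, i + 1) for i in range(8)]


if __name__ == "__main__":
    for kind, findings in analyze(SAMPLE_LOG).items():
        print(kind, findings)
```

Each finding names the client that should be looked at next; the thresholds are where local tuning happens, and a single unknown domain is a weak signal on its own, while the same client also showing fan-out or ping bursts is the combination worth opening a case on.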

Page 37

Conclusion

You cannot trust that you can always prevent infections

Thus corporate security and defense in depth is a must

• Whenever possible make data difficult for malware to steal

• When that fails, make data readable only in your environment

Invest in monitoring

• When you know the patterns of your valid users

• A spy breaking the patterns will be detected