Embed Size (px)
Citation preview
TODAY’S THREAT SCENARIOS
NSM NORCERT
30.10.2014, Espen Busman
Coordinator
Contact: [email protected] (admin) 02497 or [email protected] (incidents)
NORWEGIAN NATIONAL SECURITY AUTHORITY SLIDE 1
AGENDA
NSM NorCERT – a quick whois lookup (LLS)
Threats and trends
What’s the problem?
Some examples
Incident response
Countermeasures
SLIDE 2 NORWEGIAN NATIONAL SECURITY AUTHORITY
NSM NorCERT- whois?
SLIDE 3
Detection, 24/7 Operations Centre, Analysis, Exercises, outreach.
NORWEGIAN NATIONAL SECURITY AUTHORITY
NorCERT NORWEGIAN COMPUTER EMERGENCY RESPONSE TEAM
Is Norway’s national CERT and centre for handling ICT-attacks on important national infrastructure.
TTOC 24/7
Alerts on attacks, threats and vulnerabilities
National PoC
National and international co-operation
Runs the sensor network (VDI)
SLIDE 4 NORWEGIAN NATIONAL SECURITY AUTHORITY
5
DETECTION (VDI)
TECHNOLOGY INFRASTRUCTURE DATA COLLECTION
DATA CORRELATION
INCIDENT HANDLING 24/7 MONITORING CO-ORDINATING
ESCALATION
NETWORKS- AND SYSTEMS ANALYSIS MALWARE ANALYSIS
FORENSICS
NorCERT
TECHNICAL ANALYSIS
TECHNICAL THREATS
OPERATIONS CENTRE
HOW NSM NORCERT WORKS
Handle Detect Analyse
OUTREACH
Reach out
CO-OPERATION REPORTING
PRESENTATIONS EXERCISES
NORWEGIAN NATIONAL SECURITY AUTHORITY
What do we see?
SLIDE 6
Threats and trends
NORWEGIAN NATIONAL SECURITY AUTHORITY
SLIDE 7 NORWEGIAN NATIONAL SECURITY AUTHORITY
62
THREAT SCALE
Espionage Sabotage
Financial crime
Pranks
Crisis / War
Political protests
8
Society in general
National security
Chaotic actors
Advanced Persistent Threats
NORWEGIAN NATIONAL SECURITY AUTHORITY
SLIDE 9
THIS HAS A GOOD CHANCE OF WORKING
NORWEGIAN NATIONAL SECURITY AUTHORITY
SLIDE 10 NORWEGIAN NATIONAL SECURITY AUTHORITY
What’s happening?
SLIDE 11
DDoS, waterholing, digital espionage.
NORWEGIAN NATIONAL SECURITY AUTHORITY
TRENDS
DDoS on the increase
Login credentials
Increased number of serious vulnerabilities
Waterholing / strategic web compromise
Increased use of compromised e-mail accounts in spearphishing
SLIDE 12 NORWEGIAN NATIONAL SECURITY AUTHORITY
DDoS SUMMER 2014
DDoS attacks against multiple NorCERT-members on July 8
Affected companies handled it themselves together with their ISPs
IRC-chatting with TTOC at NorCERT
DDoS-technique used was “wordpress pingback reflection”
NorCERT TTOC issued an alert, including possible mitigation techniques: • Filter out requests that include wordpress-references • Block foreign source addresses • Block/filter upstream/ISP
FinansCERT issued a situation update, including tech specs and recommendations, as well as a template for filing the case with the police
SLIDE 13 NORWEGIAN NATIONAL SECURITY AUTHORITY
DDoS: PROTOCOLS
Open DNS resolvers used for DDoS-attacks
Several CHARGEN - cases
Notable increase in DDoS-attacks by exploiting NTP-servers earlier this year • UDP port 123 • cmd “monlist” returns a list of the last 600 clients that connected to the server • Potential amplification in excess of 5000 times!
Thousands of Norwegian servers vulnerable • Norwegian IPs used in several attacks • Alerted the ISPs
SLIDE 14 NORWEGIAN NATIONAL SECURITY AUTHORITY
DIGITAL ESPIONAGE: MIRAGE
Several spearphishing campaigns against Norwegian authorities • E-mail with BAD attachements • Several appear to be FWed
Threat actor possibly also interested in financial institutions • IOCs shared with FinansCERT
and finance sector
Threat actor uses compromised e-mail accounts • Accessed via webmail with stolen
credentials
SLIDE 15 NORWEGIAN NATIONAL SECURITY AUTHORITY
DIGITAL ESPIONAGE: TURLA/SNAKE/UROBUROS
Sophisticated malware linked to Agent.BTZ
Several reports • G Data: Uroburos • BAE Systems: Snake campaign • Symantec/Kaspersky: Turla
NSM NorCERT has been following this threat • Close co-operation with potential
targets • No compromises uncovered to date • Multiple strategic web compromises /
waterhole attacks detected
SLIDE 16 NORWEGIAN NATIONAL SECURITY AUTHORITY
WATERHOLE ATTACK AGAINST NORWEGIAN COMPANY
Company websites compromised • Visitors redirected to site controlled by threat actor • Visitors were profiled (Javascript) • No comprises uncovered • Redirect discovered in VDI
Technical analysis indicates similarities with a previous spearphishing campaign against VDI-member • Compromised company is a supplier to the VDI-member • Runs an application for contact administration etc
NorCERT assisted on-site • Rapid sensor set up
SLIDE 17 NORWEGIAN NATIONAL SECURITY AUTHORITY
WATERHOLE ATTACK AGAINST NORWEGIAN COMPANY
Threat actor accessed IT-infrastructure via stolen VPN-credentials • One of which had domain admin rights
RDP/SMB access to all clients on internal network
1338 e-mails exfiltrated • Including details on the incident response (in Norwegian) • Threat actor changes tactics • OP SEC!
SLIDE 18 NORWEGIAN NATIONAL SECURITY AUTHORITY
NORWEGIAN COMPANY COMPROMISED
Company discovered it themselves and contacted NSM NorCERT
Exchange-server filled to the brim with data ready for exfiltration
NSM NorCERT assisted with forensics and log analysis
A vulnerability in ColdFusion enabled threat actor to install a web shell called “China chopper”
SLIDE 19 NORWEGIAN NATIONAL SECURITY AUTHORITY
And what can we do?
SLIDE 20
What’s the problem?
NORWEGIAN NATIONAL SECURITY AUTHORITY
HANDLING DIGITAL ESPIONAGE?
Know your assets!
Common reaction to incidents:
“We don’t have anything of value”
“We don’t understand why this happened to us”
SLIDE 21 NORWEGIAN NATIONAL SECURITY AUTHORITY
PROACTIVE SERVICES FROM NSM NORCERT
NorCERT Domain Name Server • DNS-service w/ “blacklisting” • Launches in November
Vulnerability scanning • SHODAN, usikkert.no and Dagbladet have done it • Multiple initiatives within IT-security, such as Shadowserver/Underworld • Demands some legal clarifications • Launches in November
SLIDE 22 NORWEGIAN NATIONAL SECURITY AUTHORITY
4 EFFICIENT COUNTERMEASURES
Update soft- and hardware
Install security updates as quickly as possible
Be conscientious about admin rights • End users hardly need them
Block non-authorized programs
HOT TIP – DEP, SEHOP, ASLR and EMET enhance your protection against unknown vulnerabilites and 0-days
SLIDE 23 NORWEGIAN NATIONAL SECURITY AUTHORITY
DETECTING DIGITAL ESPIONAGE
Traffic logs • Web traffic logs • Proxy logs w/ SSL-inspection • Netflow • DNS logging / Passive DNS • Web access logs on your own web
servers
Authentication logs
Administration logs
Security logs
E-mail logs
SLIDE 24 NORWEGIAN NATIONAL SECURITY AUTHORITY
WHAT DO WE NEED TO HELP?
Quick summary and timeline of the incident • Assessment, how serious is the incident?
Suspicious e-mails: • Copy of the e-mail including headers and attachments • Attachments zipped and password protected, or PGP-encrypted
End user clicked on suspicious link: • Copy of web traffic logs (proxy logs) • DNS/PassivDNS-logs • FireWall logs
End user visited an infected website: • Copy of web traffic logs (proxy logs) • Copy of downloaded malware
Overview of possibly compromised equipment • Secure memory and harddrive before turning unit off or beginning
investigation
SLIDE 25 NORWEGIAN NATIONAL SECURITY AUTHORITY
CLEAN UP AFTER BREACH
Plan and execute clean ups in a controlled fashion! • Hire a MSSP if you lack the necessary know-how
Isolate compromised systems from the network
Secure memory dump and disc image of compromised systems
Reinstall clean back ups
Change all passwords!
SLIDE 26 NORWEGIAN NATIONAL SECURITY AUTHORITY
MORE ON OUR WEBSITE: nsm.stat.no/publikasjoner
SLIDE 27 NORWEGIAN NATIONAL SECURITY AUTHORITY
NASJONAL SIKKERHETSMYNDIGHET – SIKRE SAMFUNNSVERDIER 28
NorCERT, Nasjonal sikkerhetsmyndighet (NSM) www.cert.no, www.nsm.stat.no Incidents: [email protected] Admin: [email protected]
Thank you!
@NorCERT
