Securing your Cloud Environment v2

Page 1: Securing your Cloud Environment v2

Securing your Cloud Environment

Jon Noble, Director, Strategic Alliances & Partnerships, [email protected]

Confidential | Copyright 2012 Trend Micro Inc.

Page 2: Securing your Cloud Environment v2

Agenda

• Securing your cloud environment (the boring half)
• Why, Who and What… (hopefully the less boring half!)

Source: https://www.flickr.com/photos/flissphil/

Page 3: Securing your Cloud Environment v2

Trend Micro

• Our History
  – 26 years focused on security software, now largest pure-play…
  – …with 5200+ employees, 38 business units worldwide.
• Our Focus
  – Comprehensive security across the data center & cloud…
• Our Customers
  – Helping thousands of customers around the world…
  – …protect millions of servers (physical, virtual, cloud).

#1 in Server Security*

* Source: IDC Worldwide Endpoint Security 2014-2018 Forecast and 2013 Vendor Shares, Figure 2, doc #250210, August 2014

Page 4: Securing your Cloud Environment v2

Traditional Defences

Source: https://www.flickr.com/photos/flissphil/

Page 5: Securing your Cloud Environment v2

Traditional Security: Internal trust model

DC Secure Zone: software agent based, multiple solutions required.

Network Security: physical appliance based; physical segregation with multiple solutions:

• Firewall
• IDS/IPS
• Web Reputation

Page 6: Securing your Cloud Environment v2

Why Traditional Security Doesn’t Work…

• Insufficient visibility into East-West traffic & inter-VM attacks
• Static policies cannot keep up with dynamic workloads
• Service provisioning is slow, complex & error-prone
• Disparate security solutions and lack of uniform policies across clouds create an operational nightmare

Page 7: Securing your Cloud Environment v2


Security for the Cloud World..

Source: https://www.flickr.com/photos/fdecomite/

Page 8: Securing your Cloud Environment v2

[Diagram: seven workloads, each wrapped in its own FW / DPI / web controls]

Dynamic Virtual Security: Zero Trust Model - self defending whatever the location

Security controls specific to the workload: IDS/IPS, AV, FW, Log Inspection, File Integrity and Web Reputation.

Page 9: Securing your Cloud Environment v2

Any Hypervisor or Cloud Environment

Agent Based Protection: physical machines

Single console & policy set across all physical, virtual and cloud environments

Page 10: Securing your Cloud Environment v2

Agentless Protection

• Leverage VMware APIs to provide agentless security
• Reduced CPU/Memory/Storage usage
• Deep Security Virtual Appliance scans network / file access at hypervisor level
• Instant-On Protection

[Diagram: ESX/NSX hosts and SAN]

Page 11: Securing your Cloud Environment v2

Ideals for Cloud Security

• Build a protection ‘bubble’ around every machine
  – Use the same controls that used to be done at the perimeter
  – AV / Firewall / IDS&IPS / Virtual Patching / Web Reputation
  – Log Inspection, Integrity Monitoring, Data Encryption
  – Linux is just as vulnerable as Windows!
• Utilize hypervisor features if possible (ESX / NSX)
• Utilize cloud context awareness if possible (AWS / Azure etc)
• Utilize any built-in security controls (access groups, firewalls, 2 factor authentication etc)
• Feed all logs and events to a SIEM, and actually look at the logs!
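Two of the per-machine controls in the list above, integrity monitoring and log inspection, are small enough to show end to end. The script below is an added example written for this page; it is not Trend Micro or Deep Security code. It hashes a baseline of files, reports added, removed or modified paths on a later snapshot, runs two rules over SSH authentication log lines (repeated failures from one source, and a successful login from a source that was already failing), and serialises every finding as one JSON line per event for a log shipper to forward to a SIEM. All file contents and log lines are constructed, the host name `web1` is made up, and the addresses come from the 198.51.100.0/24 and 192.0.2.0/24 documentation ranges.

```python
"""Minimal per-host controls from the 'protection bubble' list: file
integrity monitoring and log inspection, with findings emitted as JSON
lines a SIEM can ingest. Added example; not Trend Micro code. All file
contents and log lines below are constructed, and the 198.51.100.0/24 and
192.0.2.0/24 addresses are documentation ranges."""
import hashlib
import json
import re
from collections import Counter

# --- File integrity monitoring --------------------------------------------

def build_baseline(files):
    """files: mapping path -> bytes. Returns path -> SHA-256 hex digest."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def check_integrity(baseline, current_files):
    """Compare a fresh snapshot against the stored baseline and report
    every added, removed or modified path as an event dict."""
    current = build_baseline(current_files)
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            events.append({"control": "fim", "severity": "high",
                           "path": path, "change": "removed"})
        elif path not in baseline:
            events.append({"control": "fim", "severity": "medium",
                           "path": path, "change": "added"})
        elif baseline[path] != current[path]:
            events.append({"control": "fim", "severity": "high",
                           "path": path, "change": "modified",
                           "expected": baseline[path], "observed": current[path]})
    return events

# --- Log inspection -------------------------------------------------------

FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)")
ACCEPTED_LOGIN = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")

def inspect_logs(lines, threshold=5):
    """Rule 1: a source with >= threshold failed SSH logins is flagged once
    as a brute-force attempt. Rule 2: a successful login from a source that
    already crossed the threshold is escalated to critical."""
    failures = Counter()
    events = []
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            failures[m["ip"]] += 1
            if failures[m["ip"]] == threshold:
                events.append({"control": "log_inspection", "severity": "medium",
                               "rule": "ssh_bruteforce", "src_ip": m["ip"],
                               "failures": threshold})
            continue
        m = ACCEPTED_LOGIN.search(line)
        if m and failures[m["ip"]] >= threshold:
            events.append({"control": "log_inspection", "severity": "critical",
                           "rule": "ssh_success_after_bruteforce",
                           "src_ip": m["ip"], "user": m["user"]})
    return events

# --- Shipping to a SIEM ---------------------------------------------------

def to_siem_lines(host, events):
    """One JSON object per line, tagged with the host, for a log shipper."""
    return [json.dumps({"host": host, **e}, sort_keys=True) for e in events]

# --- Constructed sample data (not real files or logs) ---------------------

BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/usr/bin/curl": b"\x7fELF-placeholder-curl",
}
CURRENT_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nsvc:x:0:0::/:/bin/sh\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/cron.d/update": b"* * * * * root /tmp/.x\n",
}
SAMPLE_AUTH_LOG = [
    "Jan 10 03:00:01 web1 sshd[812]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2",
    "Jan 10 03:00:02 web1 sshd[813]: Failed password for root from 198.51.100.7 port 40001 ssh2",
    "Jan 10 03:00:03 web1 sshd[814]: Failed password for root from 198.51.100.7 port 40002 ssh2",
    "Jan 10 03:00:04 web1 sshd[815]: Failed password for root from 198.51.100.7 port 40003 ssh2",
    "Jan 10 03:00:05 web1 sshd[816]: Failed password for root from 198.51.100.7 port 40004 ssh2",
    "Jan 10 03:00:06 web1 sshd[817]: Failed password for root from 198.51.100.7 port 40005 ssh2",
    "Jan 10 03:00:09 web1 sshd[820]: Accepted password for deploy from 198.51.100.7 port 40010 ssh2",
    "Jan 10 03:05:00 web1 sshd[901]: Accepted publickey for deploy from 192.0.2.10 port 51000 ssh2",
]

def run_host_checks(host="web1"):
    """Run both controls over the sample data and return SIEM-ready lines."""
    events = check_integrity(build_baseline(BASELINE_FILES), CURRENT_FILES)
    events += inspect_logs(SAMPLE_AUTH_LOG)
    return to_siem_lines(host, events)

if __name__ == "__main__":
    for line in run_host_checks():
        print(line)
```

On the sample data the integrity check reports a new cron file, a modified `/etc/passwd` and a missing `/usr/bin/curl`, and the log rules fire once for the brute force and once, at critical severity, for the login that followed it. The baseline dictionary stands in for what a real agent keeps on disk or in its console; the point of the JSON-lines output is that the events leave the host, which is what the final bullet above is asking for.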

Page 12: Securing your Cloud Environment v2

Challenges for Cloud Security

• Context Awareness
  – Where is my workload? Which DC / Zone / Public Cloud Provider? Does it have the right policy?
• Management
  – Multiple solutions can require multiple consoles
  – Many ‘traditional’ security solutions don’t fit in a virtualised / cloud environment
  – Ensuring security components are auto-configured in on-demand environments
  – Consider a single solution that offers multiple functionalities
• Containers…

Page 13: Securing your Cloud Environment v2

Why you need to care….

• Payment Card Industry (PCI)
• Protected Health Information (PHI)
• Personally Identifiable Information (PII)
• Intellectual Property (IP)

• New threats created every second
• 90% of organizations have active malware
• 55% not even aware of intrusions [2]
• Commercial exploit kits used by virtually all Eastern European cybercriminals
• Average insurance payout from data breach: $3.7M

Page 14: Securing your Cloud Environment v2

Some High Profile Breaches…

Source: http://www.databreachtoday.com/

Page 15: Securing your Cloud Environment v2

So I got compromised… What Happens Next?

• It depends on the attacker…
• Individuals will probably just poke around / cause havoc / launch attacks from your machine...
• Hacktivists will probably release details and go public...
• Organised Criminals will steal as much data as possible to sell on the ‘Deep Web’…

Page 16: Securing your Cloud Environment v2

What they are looking for…


Source: http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/

Page 17: Securing your Cloud Environment v2

Organised Crime?

Page 18: Securing your Cloud Environment v2

Crime Syndicate (Simplified)

[Diagram of roles: Victim, The Boss, Mercenary Attackers, Data Fencing, The Captain (Garant), Bullet Proof Hoster]

Yes…. This is a ‘channel model’..

Page 19: Securing your Cloud Environment v2

Crime Syndicate (Detailed)

[Diagram of roles: Victim, Blackhat SEO Attacker, Attacker, Keywords (Botherder), Compromised Sites (Hacker), Programmer, Cryptor, Virtest, Worm, Exploit Kit, Bot Reseller, Traffic Direction System, Garant, SQL Injection Kit, Carder, Money Mule, Droppers, Card Creator, Bullet Proof Hoster; the edges between roles carry prices from $1 to $10 per service]

SLAs… Guarantees of non-detection... Support Contracts!!!

Page 20: Securing your Cloud Environment v2

Surface Web

• i.e. Clearnet
• What conventional search engines can index
• What standard web browsers can access

Page 21: Securing your Cloud Environment v2


Deep Web 101

Page 22: Securing your Cloud Environment v2

Dark Web

Connections between Trusted Peers

Page 23: Securing your Cloud Environment v2


I asked if I could look for some more sites…

“the deep web hosts also content that we do not want to share with regular employees, like for example pornographic material or even abnormal and illegal segments of this category, malicious code, instructions for bombs etc.”

…. “But you must ensure that you do not store any illegal material on a Trend Micro hard disk in a normal unsecured network. In case of a seize of a regular Trend Micro hard disk there must not be the risk of illegal material. You have to take full personal responsibility for the ethical and legal correct handling of the content.”

Page 24: Securing your Cloud Environment v2

So you want to get started.. 3 month online course on ‘Carding’

• Month 1: learn how to access a database containing stolen credit card credentials, what to do when a purchase made with a stolen credit card is approved, and what to do if their money mules fail.
• Month 2: trainees learn how to (physically) clone cards and create banking Trojans (Proxy and Remota variants, along with other banking Trojans with reverse-connection capabilities).
• Month 3: learn to create crypters using AutoIt, Visual Basic® 6.0, and Visual Basic .NET (VB.NET) as well as set up a ZeuS or Solar botnet, among others.

$75, including tools and hosted VPS

Page 25: Securing your Cloud Environment v2

Not a Developer?

[Screenshots: Crypto-Ransomware, Vawtrak]

Page 26: Securing your Cloud Environment v2

Just buy some code…

Ultra Hackers Tools for sale. Price is 0.0797 BTC (bitcoin) = $25

Virus Builders: 1. Nathan's Image Worm 2. Dr. VBS Virus Maker 3. p0ke's WormGen v2.0 4. Vbswg 2 Beta 5. Virus-O-Matic Virus Maker

DoSers, DDoSers, Flooders and Nukers: 1. rDoS 2. zDoS 3. Site Hog v1 4. Panther Mode 2 5. Final Fortune 2.4

Scanners: 1. DD7 Port Scanner 2. SuperScan 4.0 3. Trojan Hunter v1.5 4. ProPort v2.2 5. Bitching Threads v3.1

Fake Programs: 1. PayPal Money Hack 2. Windows 7 Serial Generator 3. COD MW2 Keygen 4. COD MW2 Key Generator 5. DDoSeR 3.6

Cracking Tools: 1. VNC Crack 2. Access Driver 3. Attack Toolkit v4.1 & source code included 4. Ares 5. Brutus

Analysis: OllyDbg 1.10 & Plugins - Modified by SLV *NEW*; W32Dasm 8.93 - Patched *NEW*; PEiD 0.93 + Plugins *NEW*; RDG Packer Detector v0.5.6 Beta - English *NEW*

Rebuilding: ImpRec 1.6 - Fixed by MaRKuS_TH-DJM/SnD *NEW*; Revirgin 1.5 - Fixed *NEW*; LordPE De Luxe B *NEW*

LIST OF SOFTWARE INCLUDED IN THIS PACKAGE:

Host Booters: 1. MeTuS Delphi 2.8 2. XR Host Booter 2.1 3. Metus 2.0 GB Edition 4. BioZombie v1.5 5. Host Booter and Spammer

Stealers: 1. Dark Screen Stealer V2 2. Dark IP Stealer 3. Lab Stealer 4. 1337 Steam Stealer 5. Multi Password Stealer v1.6

Remote Administration Tools/Trojans: 1. Cerberus 1.03.4 BETA 2. Turkojan 4 GOLD 3. Beast 2.07 4. Shark v3.0.0 5. Archelaus Beta

Binders: 1. Albertino Binder 2. BlackHole Binder 3. F.B.I. Binder 4. Predator 1.6 5. PureBiND3R by d3will

HEX Editor: Biew v5.6.2; Hiew v7.10 *NEW*; WinHex v12.5 *NEW*

Decompilers: DeDe 3.50.04; VB ?Decompiler? Lite v0.4 *NEW*; Flasm

Unpackers: ACProtect - ACStripper; ASPack - ASPackDie; ASProtect > Stripper 2.07 Final & Stripper 2.11 RC2 *NEW*; DBPE > UnDBPE

Keygenning: *NEW* TMG Ripper Studio 0.02 *NEW*

Packers: FSG 2.0; MEW 11 1.2 SE; UPX 1.25 & GUI *NEW*; SLVc0deProtector 0.61 *NEW*; ARM Protector v0.3 *NEW*; WinUpack v0.31 Beta *NEW*

Patchers: dUP 2 *NEW*; CodeFusion 3.0; Universal Patcher Pro v2.0; Universal Patcher v1.7 *NEW*; Universal Loader Creator v1.2 *NEW*

Crypters: 1. Carb0n Crypter v1.8 2. Fly Crypter v2.2 3. JCrypter 4. Triloko Crypter 5. Halloween Crypter 6. Deh Crypter 7. Hatrex Crypter 8. Octrix Crypter 9. NewHacks Crypter 10. Refruncy Crypter

100’s of Items…

Page 27: Securing your Cloud Environment v2


Do some online training…

Page 28: Securing your Cloud Environment v2

Don’t use your own server…

“Borrow” someone else’s compromised server via RDP…

Page 29: Securing your Cloud Environment v2


Don’t pay for it either…

Page 30: Securing your Cloud Environment v2


Stolen Credit Cards..

Page 31: Securing your Cloud Environment v2

Laundering your cash afterwards…


Page 32: Securing your Cloud Environment v2


… Then doing a runner…

Page 33: Securing your Cloud Environment v2

If things get really bad…

• Overnight shipping via Fedex…
• Handguns shipped inside power tools
• Rifles inside computer cases...
• Glock 19 - $470
• AK47 - $800
• Glock 17 & Silencer - $1600
• Barret .50Cal - $6500

Page 34: Securing your Cloud Environment v2


Or if you don’t want to get your hands dirty…

Page 35: Securing your Cloud Environment v2


Want to “relax” afterwards?

Page 36: Securing your Cloud Environment v2


Further Reading

• http://www.trendmicro.com/vinfo/us/security/research-and-analysis/research
• http://blog.trendmicro.com/
• http://countermeasures.trendmicro.eu/
• http://krebsonsecurity.com/
• https://www.youtube.com/watch?v=zt0ojsOMNgs ‘The Internet of Thingies’ – Pen Test Partners

Page 37: Securing your Cloud Environment v2

Thank You