There has been a rapid increase in demand for security solutions that can defend against Advanced Persistent Threats (APTs). Why? Because today, cyber criminals don’t use a specific attack to compromise targeted networks.
Successful attacks are typically made up of a number of chained exploits. A hacker may start with social engineering, deliver malware through phishing and gain internal access through compromised machines. Once the hacker has established a foothold in the internal network, he may spread rootkits through a hidden torrent-like environment to communicate under the radar and steal information.
Attacks like this are difficult to detect and to remediate. Point products may catch a piece of the puzzle, however you will need the complete picture to deal with sophisticated attacks. Solutions must have network-wide visibility, which typically can be accomplished through logging, packet capture or network analysis. Logging requires security tools such as firewalls and IPS appliances spread across the network sending logs to a centralized system for event correlation and reporting. Analyzing packets usually requires collectors analyzing a tremendous amount of data obtained from key network segments. Network security and performance analytics can be obtained directly from network devices capable of providing NetFlow, such as routers and firewalls.
Of the three methods, network analysis is becoming an extremely attractive method to defend against advanced threats since NetFlow can be harvested from existing devices.
What are the key reasons to invest in NetFlow when an organization has already invested in firewalls, anti-virus, IPS systems, and other security tools?
I get invited to review things from time to time. My latest invite was reviewing a cookbook-style guide designed to be a reference for beginner and advanced Nmap users. For those that are not familiar with Nmap, it’s an open-source tool built for network exploration and security auditing. Nmap users range from ethical penetration testers to evil hackers. There are dozens of tools that perform automated assessment functions, however nothing beats a very skilled Nmap user.
The Nmap 6 Cookbook takes a simple approach to providing the information. Each section is broken into commands, explaining how each works and ways to go beyond via “There’s more”. I wouldn’t recommend it as a leisure weekend read, however it is great for the person looking to perform specific functions with Nmap. For example, if you want to brute force a MySQL password, you can go to that section and find the command $ nmap -p3306 --script mysql-brute <target>.
I give this a thumbs up to anybody using Nmap seeking a simple guide to execute specific actions or somebody looking to brush up on their knowledge. You can download it HERE. If you haven’t played with Nmap, go download it from http://nmap.org or download the latest Backtrack toolset.
My buddy Aamir Lakhani posted about a really cool metadata tool called FOCA. The original post can be found HERE. Below is Aamir’s post about FOCA.
I would like to introduce you to one of my favorite network reconnaissance tools. It is called FOCA.
Did you know every time you create a document such as a PowerPoint presentation, Microsoft Word document, or PDF, metadata is left in the document?
What is metadata? Metadata is data about data. It is descriptive information about a particular data set, object, or resource, including how it is formatted, and when and by whom it was collected. Metadata can be useful to attackers because it contains useful information about the system where the file was created such as:
Name of user logged into the system
Software that created the document
OS of the system that created the document
FOCA is a security audit tool that will examine metadata from domains. It uses search engines to find files on domains, or you can use your own local files.
If you are internet facing, you are vulnerable to Distributed Denial of Service or DDoS attacks. Attacking network services is on the rise as the price for computing power decreases and people become more dependent on technology. Studies from leading service providers show DDoS attacks have grown from 9 to 500 Gbps in the last five years. Botnets are becoming an underground commodity that can be rented for as low as 10 dollars an hour to launch strategic DDoS attacks. Governments are investing in military strategies based on the ability to interrupt enemy computer services through targeted DDoS attacks. These attacks are indeed a weapon of mass disruption.
Most customers who survive a DDoS attack will experience serious downtime and lost revenue. Older DDoS attacks primarily involved saturating bandwidth and network services with bogus traffic. The latest trend in DDoS attacks is targeting applications, which are harder to detect and require less computing power to execute. Some DDoS attacks focus on security tools (for example, overloading TCP state tables) so the security defenses become bottlenecks and eventually the source of network failure. Other DDoS attacks target key infrastructure such as DNS or other critical services. The area of risk for DDoS is pretty much your entire network.
Companies tend to point blame at their service provider for external DDoS attacks. Service providers offer limited protection due to regulations and are unable to deal with data once it leaves their control. There are companies such as Neustar, Prolexic and VeriSign that provide 24/7 DDoS monitoring services and help leading service providers battle DDoS attacks. While monitoring services are a good option, the best approach is to invest in your own DDoS defenses against insider threats, external flooding and targeted application attacks.
Advanced insider threats are difficult to identify. Standard security solutions leverage signature- and behavior-based technologies, however most attackers have knowledge of these defenses. To bypass these solutions, attackers develop zero-day targeted threats that throttle their activity to stay under the radar. One way to catch this behavior is leveraging NetFlow using tools like Lancope (more found HERE). Another way is monitoring packets on the wire using tools like NetWitness (more found HERE). Security Information and Event Management (SIEM) tools are a popular way to view events from multiple security solutions so administrators can quickly identify an attack (more found HERE). Best practice is monitoring the wire along with leveraging a management system aggregating events from all internal security devices.
External threats such as targeted DDoS attacks are tougher to deal with. Large vendors like Juniper and Cisco have partnered with the leader in this space, Arbor Networks, to address the DDoS landscape (for example, Cisco and Arbor released “Clean Pipes”, explained HERE). Arbor offers perimeter and cloud-based solutions that address flooding and application attacks. They also offer correlation between their products, cloud updates from their security center and reputation scoring from their large client base. Their flagship solution is Pravail (see screenshots). Pravail makes it easy to understand traffic patterns, identify threats and react to attacks by switching from low to high interrogation of traffic for specific protection groups. Check out their website for more information on their solutions.
[Screenshots: Viewing Protection Groups; Viewing Top Talkers]
DDoS is a serious threat vector since standard security solutions focus on Integrity and Confidentiality but not Availability. My expectation is there will be a lot more DDoS attacks in the news. Hopefully it’s not your organization on the front page.
Today’s highlight – WIFI Pineapple Mark III Wireless Penetration Testing Tool.
There are many cool tools sold at conferences. One tool to check out is the WIFI Pineapple Mark III for around $100. Basically it’s a wireless honeypot using a man-in-the-middle attack to access data. The way it works is it listens for devices calling out for known wireless networks / SSIDs. The WIFI Pineapple will hear the request and clone the requested SSID so the device believes it’s connecting to a known trusted network.
An example is connecting an iPad on an airplane to the online network GOGO SSID. Some time later the user may be at a Starbucks and turn on the iPad that was used on the airplane. The iPad will beacon out “am I still on the airplane and can I re-connect to GOGO?”. The WIFI Pineapple will hear the request and reply back “I’m GOGO … welcome to the internet”. The iPad will auto-connect to the fake GOGO SSID without re-authenticating, which is really the WIFI Pineapple passing traffic through to another network while the hacker sits in the middle. Essentially, the WIFI Pineapple takes advantage of convenience services via auto connecting to known or trusted networks offered by most wireless devices.
The WIFI Pineapple is pretty easy to set up. It has two LAN interfaces (pass-through and admin access). The administrative interface hands out DHCP addresses in 172.16.42.X, and the main interface is a GUI located at 172.16.42.1. From here, the pen tester can enable many tools as well as see who is connecting to the WIFI Pineapple. Network setup is pretty easy and designed to pass traffic through without systems knowing the difference between the fake SSID and the real network.
Some built-in tool highlights (in the release of software I’m running) are Karma, Snarf and DNS Spoofing. The GUI is pretty easy to get around. I used the WIFI Pineapple to capture cookies and replay them in Firefox via the Add N Edit Cookies plugin. An example is capturing a Facebook cookie to access the victim’s Facebook account. An example of using cookies to access a Gmail account can be found HERE regarding the cookie replay process.
For those wondering how to defend against this tool, there are some options. VPN tunnels encrypt traffic from your device to its destination, blocking visibility into traffic seen by the WIFI Pineapple (for example, using AnyConnect by Cisco). Also, using data-in-motion encryption technology for sensitive data will defend against this attack, since the users must be authenticated to access the data contents that are captured by the man-in-the-middle. Disabling auto-connecting to networks may mean extra steps to establish network connectivity, however it will help in scenarios like this. The bad part about this attack is you may not auto-connect to known risky networks such as Starbucks, however the WIFI Pineapple can clone any SSID, including your home network.
Check out Hak5 for more details on this and other cool tools.
Some people believe those behind Cyber Crime are disgruntled teenage hackers looking to cause chaos for fun. In some cases that may be true, however the majority of Cyber Crime is performed by well-funded organized criminals. Yes, I’m talking about the godfather-like people who robbed banks and distributed narcotics on the street corner prior to the computer age. Organized crime realized it’s faster to automate an attack against millions of virtual targets rather than physically deal with criminal activity. Who is really behind Cyber Crime and how do they operate? Let’s take a look at a case study of popups to understand the Cyber Crime organization.
Cyber criminals behind popups can for the most part be looked at as two separate groups. The first group is the well-funded mafia. They develop fake Viagra as well as other illegal narcotics. The second group is the hackers. They identify ways to compromise systems and take advantage of people’s data. The Mafia utilizes hackers to push people to their products. They offer attractive compensation packages to hackers who can capture large audiences through automated attacks. Studies show organized crime may pay a hacker a portion of sales every week tax-free. A working vulnerability could compromise millions of systems in a short time, and a small percentage of that number could quickly add up to large profits for all criminal parties.
A study by Cisco IronPort tested this concept by ordering Viagra from a phony pharmacy. The team identified the phony pharmacy by clicking a popup from a botnet and ordered Viagra like a standard customer. They called a support line to test customer service, which was polite and extremely helpful. After a few days, a package showed up containing a Russian coupon magazine. Viagra was taped to a page inside the magazine. This is how the drugs were being smuggled past customs. After testing, the IronPort team found the Viagra to be 110% legit, including a logo stamped on each pill. The team received a follow-up call asking about the quality of the product and if more was desired. The overall experience was receiving a better product than commercial stores at half the cost.
The IronPort team visited the mailing address of the phony pharmacy and found an abandoned building. When they reverse engineered the advertisement popup, they identified a botnet advertising for spamit.com. Research revealed spamit.com as a criminal entity paying hackers to advertise the phony pharmacy by any means. This picture shows a spamit payment system compensating for purchases led through spam. The image below was captured by the IronPort team while posing as a hacker looking to advertise through spamit.com.
Cyber Crime is an organized business and is winning the war against security professionals. Cyber criminals have more funding and fewer restrictions than companies developing solutions to stop them. Cyber criminals have research and development laboratories that purchase and dissect the solutions we use to prevent them from breaching our systems. Cyber Crime pays a lot more than legit organizations, which means they have first-class talent. Cyber Crime is automated and criminal activity is performed across borders through zombie systems hiding the creators. Who is attacking you? It’s not Zero Cool from the movie “Hackers”, it’s the Corleone crime family from The Godfather.