Post on 22-Jan-2018
#MDBW17
Davi Ottenheimer, Product Security
Managing Cloud Security Design and Implementation in a Ransomware World
Security is Evolution
● Evolution is a process, not a destination
● Escalation is a function of competition
● Economics shapes which risk mitigations actually get done
Security is Evolution
● Audit everything (check your health)
● People who could behave responsibly may not
● Bitcoin "mining" changed the economics of attacker behavior
● Authentication hygiene is still the top threat to security
Ignaz Semmelweis
1847: the "savior of mothers" showed that hand-washing standards could cut childbed fever deaths from about 30% to 1%
"There is one cause, all that matters is cleanliness"
Source: http://www.pbs.org/newshour/updates/ignaz-semmelweis-doctor-prescribed-hand-washing/
Economics of “Getting Bit”
● Mining with your own AWS keys is wasteful
○ 1 instance per day costs ~$8 for ~$2 mined (variable)
○ ~$6/day loss per instance
○ "Better use of dollars to buy coins instead of instance time"
● A stolen AWS key shifts the waste onto the victim
○ Attacker spins up instances in the victim's account ASAP
○ $10,000/hour cost burden on the victim
○ $2,500/hour profit for the attacker
RANSOMWARE!
● Use of access to deny access, unless a ransom is paid
● US gov: 4,000/day ransomware attacks in 2016 (300% over 2015)
Source: https://www.justice.gov/criminal-ccips/file/872771/
RANSOMWARE! (chart slide)
Source: https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx#enterprise
Ransomware Evolution
(Timeline figure, 1989 to 2014; years marked: 1989, 1994, 2004, 2007, 2010, 2014)
Malware eras: Viruses, Worms, Trojans, Botnets, Adware, Spyware, Rogueware, For-Profit, "Advanced Persistent", Key & Cert
Ransomware families: AIDS (1989), ..., GPCODE, CRYPTOVIRUS, CRYPTOLOCKER, CRYPTOWALL, TORRENTLOCKER, TESLACRYPT, LOCKER, LOCKY
R.I.P. Tron (1998); R.I.P. Hagbard (1989)
"KGB Hack"
> DM 100K + drugs over 3 years
> Burned to death
> http://phrack.org/issues/25/10.html
An Economics Perspective
● The old method (DDoS for ransom) experienced cost inflation
○ Cloud agility made DDoS more expensive to sustain
○ Expensive race condition between the attack and the payment
● The new method (ransomware) experienced cost deflation
○ Scan/exploit kits (easy to find victims)
○ Social engineering kits (easy to phish)
○ Key management kits (easy to encrypt)
○ Monetization kits (easy to extort)
"I've never actually stormed a castle, but I've taken a bunch of siege-management courses."
Big DDoS attacks affect some AWS customers, but chief Andy Jassy assures cloud is secure
● DDoS targeted Dynamic Network Services (Dyn)
● Dyn is one of many DNS providers that AWS customers depend on
● AWS services (Shield) help, and 3rd parties too, but...
"...agility single biggest reason enterprise move to cloud"
2016 Q4 Akamai "State of the Internet" Report:
● 7 of the 10 biggest (300+ Gbps) DDoS attacks in history happened in 2016
● 3 of those 10 were in 2016 Q4
Sources: https://www.geekwire.com/2016/big-ddos-attacks-hit-amazon-web-services-customers-jassy-assures-cloud-secure/, https://www.akamai.com/us/en/about/our-thinking/state-of-the-internet-report/
2008 Terry Childs Case
● San Francisco city government loses control of its FiberWAN ("cloud")
○ Emergency services (fire, police, etc.)
○ "Almost included utilities" (wastewater treatment)
● Its own administrator (Childs) charged with denial of service
○ Deadman traps on switches (erase config)
○ Encrypted storage (a fiber tap at the core led to hidden servers)
○ Withheld "keys" from staff and management
● Found guilty by the court
○ "His boss' boss was an authorized user, could not be legally denied access"
○ Jury included a network admin with 13 years' experience and a CCIE
Source: http://www.computerworld.com/article/2468913/cybercrime-hacking/terry-childs-found-guilty-of-san-francisco-fiberwan-lockout.html
How Ransomware Works
1. Seek vulnerable access
2. Lock and/or encrypt
3. Extort
Source: https://blogs.technet.microsoft.com/mmpc/2016/03/17/no-mas-samas-whats-in-this-ransomwares-modus-operandi/
Seek Vulnerable Access
1. Find a foothold, with a credential (or even without one)
• Internet-facing services
• User devices
• Platforms where credentials leak (github, pastebin, facebook, etc.)
2. Pivot and traverse
• Gather credentials
• Elevate privileges
• Find valuable data
(Diagram: north/south and east/west traffic paths between Users, Apps, and the User Directory)
Lock and/or encrypt
• Anything believed to be valuable to the target
• Any backups (to prevent restores)
• Using modern algorithms (AES256)
• Unique per-victim keys held on the attacker's remote infrastructure
Extort
• Name of the "replaced" DB (the data is dropped and a single DB is left whose name is the note):
• README
• ReadmePlease
• PLEASE_READ
• IHAVEYOURDATA
• WARNING
• WARNING_ALERT
• PWNED
• PWNED_SECURE_YOUR_STUFF_SILLY
• DELETED_BECAUSE_YOU_DIDNT_PASSWORD_PROTECT_YOUR_MONGODB
• to_get_DB_back_send_1BTC_to_1DGztzLNz1euFswtqMDWPMWSgwthdpxRtD
● Amount demanded
○ 0.1 BTC
○ 0.15 BTC
○ 0.2 BTC
○ 0.25 BTC
○ 0.5 BTC
○ 1 BTC
Source: https://docs.google.com/spreadsheets/d/1QonE9oeMOQHVh8heFIyeqrjfKEViL0poLnY8mAakKhM/edit#gid=0
Example ransom-note document left in the replaced DB:
{
  "_id" : ObjectId("9854a4532b5e63f722fcc9da"),
  "mail" : "user@domain.com",
  "note" : "SEND 0.1 BTC TO THIS ADDRESS 1DGztzLNz1euFswtqMDWPMWSgwthdpxRtD AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !"
}
Are You Ready?
● Asset Management Lifecycle
● Dependencies on Providers
● Incident Response Procedures
● Disaster Recovery Plan (Backups!)
● Identity and Access Management
○ Components
○ Standards*
● Standards
○ AES256
○ TLS 1.2
○ FIPS 140-2
○ PCI DSS
○ SOC 2
○ ISO 27000x
○ HIPAA-HITECH
○ GDPR
○ FedRAMP (NIST 800-53)
*https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html
Design Considerations
● Critical severity vulnerability
○ Remediate immediately (R = 0)
○ Patch within 24 hours (e.g. HEARTBLEED)
● High severity (R = 5 days)
● Medium severity (R = 60 days)
● Low severity
○ Business impact analysis
○ Customer impact analysis
Design Considerations (RFC 2904, the AAA framework)
● Authentication (who is asking)
● Authorization (what they may do)
● Accounting (a record of what they did)
Source: https://tools.ietf.org/html/rfc2904
Security Design Review Services
• Providers*
• AWS Trusted Advisor, Inspector
• Azure Security Center
• GCP Cloud Security Scanner
• Self
• Scan for Accidental Secret Leaks (“Github Commit Crawler”)
• Detect and Identify Assets (API Call, OVF Scan)
• Assess Configurations (SCAP, XCCDF, SSLcheck)
*https://www.mongodb.com/blog/post/how-to-avoid-a-malicious-attack-that-ransoms-your-data
Implementation Example 1
• Is authentication disabled?
> var opts = db.adminCommand('getCmdLineOpts').parsed;
> var sec = opts.security || {};
> // security.keyFile (internal auth) also turns on client authorization, so count it as auth enabled
> if (sec.authorization !== "enabled" && !sec.keyFile) { print("NO AUTH! NO AUTH!") } else { print("Good work, Auth enabled") }
• Is a default port listening (27017; 27018/27019 for shard/config servers)?
> var net = opts.net || {};
> print(net.port === undefined ? "port not set, default applies" : net.port)
Source: https://docs.mongodb.com/manual/reference/default-mongodb-port/
Implementation Example 2
Service connected to a wide area network without any "security group" or firewall?
1. On a system outside your network, grab the mongodb client
> wget https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-ubuntu1604-3.4.5.tgz
> mkdir -p 3.4 && tar -zxf mongodb-linux-x86_64-ubuntu1604-3.4.5.tgz -C 3.4 --strip-components=1
2. Test by connecting to the Internet hostname
> ~/3.4/bin/mongo --host <urmongodb_host_name> --port <urmongodb_port>
If you get a shell prompt without credentials, so does everyone else on the Internet.
Implementation Example 2 (continued)
• Binds to localhost by default from v3.5.8 (development series; the default in 3.6 GA)
• IP whitelisting option in v3.6: authenticationRestrictions (clientSource / serverAddress) on users and roles
• Associates IP addresses/ranges with auth roles
• If the IP check fails, authentication fails
• Can restrict the __system user to authenticate only from cluster nodes
Design Improvement Cycles
● Daily: full credentialed scan of any new instance
● Weekly: full credentialed scan of builds prior to staging
● Quarterly: "Approved Scanning Vendor" (ASV) report
● Biannually:
○ "Full" penetration test
○ Code review