Post on 28-May-2020
Matthias Schmidt
TECHNICAL SECURITY AT A LARGE COMPANY

Welcome, Who am I?
Studied CS @ Univ Marburg 2001 - 2007
Diploma thesis about Network Security
5 years assistant at Distributed Systems Group 2007 - 2012: Security, Virtualization, Grid Computing
Head of Technical Security, joined 1&1 in 2012: Security Architecture, Operating Systems Security, Digital Forensics, Malware/Reverse Engineering, Trainings
18.01.2018
Why we care about Information Security

Figures
7 Data Centers on 2 continents
90,000 servers at 1&1
60,000 servers at Strato
Hosting of more than 20 million domains

Networking
Global connectivity of more than 300 GBit/s
70 GBit/s outbound peak load traffic
About 9 billion page impressions per month
More than 5 billion e-mails per month
9,000 TeraByte monthly traffic volume
TECHNICAL SECURITY
General Introduction
(Image: Flickr, CarbonNYC, CC-BY-2.0)
Focus Topics & Services

Technical Security
Cross-Sectional: Consulting, Legacy Migration Projects, PKI, My Secure Workday, Secure Services, …
Application Security: SSLC, Maturity Model, Pentests
Network Security: Infrastructure Scan, VLAN hardening, Pentests
Office Security: Malware protection, Sandbox Analysis, Memory forensics, Pentests
Infrastructure Security: Hardening, Forensics, SIEM, Pentests, IDS
Comm: CERT, Trainings, Incident Management
Application Security and its Challenges in Corporate Environments

Secure Software Development Lifecycle (SSDLC)
Structured way of developing secure software
Predefined set of life-cycle tasks and requirements
Developed our own tool for it: https://securityrat.github.io/

Penetration tests
For new applications
For legacy applications
Cover recurring events (PCI DSS/De-Mail re-certification)

Challenges
Secure development in agile environments
Pentest scalability
Third-party software/dependencies
Remember, the cloud is just someone else’s computer
Infrastructure Security and Digital Forensics

Are we affected by $vulnerability?
Simple for hundreds, complex for tens of thousands of systems
We scan at large scale: Zmap, nmap, SSL/TLS scanner, enterprise solutions, …

Volatile and non-volatile forensic investigations on
Servers
Workstations
Mobile devices
ADVANCED WORKSTATION PROTECTION
Signature-based Anti-Virus is dead or …

Office Security
Incident Response Process

Elements shown in the process diagram: Detection, Prevention, Mitigation, Assessment, Analysis
Goal: Automated Threat Treatment
Reduce Response Time
Reduce Resolution Time
Reduce Incident Impact
Reduce Incident Probability
There is an Entire Industry behind it…
So, what do you think that you are worth?
Now, why does this happen? Don't we have anti-virus scanners?
They sometimes fail…
• Different names
• Different strings
• Different hashes
• Damn!
Poly- and metamorphic malware and the obfuscation curse

Most modern malware is polymorphic and uses anti-analysis and anti-detection techniques like
Encryption
Packing
Code/Binary Obfuscation
Virtualization
Anti-debugging
…
Many malware families are even metamorphic (= self-mutating)
Use a new encryption key with every replication cycle
Rotate different obfuscation schemes
Reload code at runtime
Use self-modifying code practices
…

Long story short…
Incident Response Infrastructure

Components shown in the diagram: Anti-Virus Server, Malware Analysis System, IDS, Ticket System, Alert Database, IOC Server, SIEM, Live Forensics System, Workstation, Operator
Data flows shown: alerts, IOCs, requests
Generic Incident Analysis Procedure

ALERT
• Anti-Virus / IDS Alert
• User reports "weird" behavior

TRIAGE
• Check for obvious FP signs
• Assess victim criticality
• Assess potential threat impact

ANALYSIS
• Gather evidence (memory dump, network traces, …)
• Filter, correlate, and analyze evidence
A typical Incident Analysis Case (1)

Email with link to alleged WinRAR installer → Download trojanized WinRAR ISO → Extract WinRAR.exe from WinRAR.iso
Artifacts:
\Users\xxx\Downloads\WinRAR.iso
\Windows\Prefetch\7ZFM.EXE-7C92DCA0.pf
\Users\xxx\AppData\Local\Temp\7zOC95DD566\WinRAR.exe
\Users\xxx\Downloads\WinRAR\WinRAR.exe

A typical Incident Analysis Case (2)

Execute trojanized WinRAR.exe → Drop, install, and start malicious service
Artifacts:
\Windows\Prefetch\WINRAR.EXE-72EEBF17.pf
\Users\xxx\AppData\Local\Temp\103191234\ic-0.ba8738946c7218.exe
\Windows\Prefetch\SC.EXE-4502142D.pf
\Windows\Prefetch\NET.EXE-7F832A3A.pf
\Windows\Prefetch\IC-0.0C4A2901A2643.EXE-653CBD5D.pf
Service installation event (as logged):
Im System wurde ein Dienst installiert.
Dienstname: --
Dienstdateiname: C:\Users\xxx\AppData\Local\Temp\103191234\ic-0.0c4a2901a2643.exe /wl 1
Diensttyp: Benutzermodusdienst
Dienststarttyp: Manuell starten
Dienstkonto: LocalSystem

A typical Incident Analysis Case (3)

Drop and deploy kernel-mode rootkit → Establish C2 channel → Disable AV via PowerShell script
Artifacts:
\Windows\Prefetch\POWERSHELL.EXE-59FC8F3D.pf
PowerShell event (as logged):
HostName=ConsoleHost
HostApplication=powershell.exe -Command & {Add-MpPreference -ExclusionPath@('C:\WINDOWS\system32\drivers\3ee09e28c6d8f3de176caff9ab413c18.sys')}
Driver service installation event (as logged):
Im System wurde ein Dienst installiert.
Dienstname: 3ee09e28c6d8f3de176caff9ab413c18
Dienstdateiname: C:\WINDOWS\system32\drivers\3ee09e28c6d8f3de176caff9ab413c18.sys
Diensttyp: Kernelmodustreiber
Dienststarttyp: Systemstart
Network connection (as logged):
172.xxx.xxx.xxx:63401 45.32.xxx.xxx:80 CLOSED 8708 svchost.exe
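The three log artifacts of this case (a user-mode service installed from a Temp directory, a kernel driver service with a hash-like name, and an AV exclusion added from a PowerShell command line) can be turned into detection logic. The following is an added example, not code from the slides or from 1&1: it parses the '#'-separated records as the slides print them (Windows logs the service installation as System event 7045), applies three simple rules, and correlates the excluded driver path with the driver service. The rule names, the regular expressions and the 32-hex-character heuristic are this example's own assumptions.

```python
import re

# Records constructed for this example from the events shown in the case
# above ('#' separates fields as on the slides; user name masked as 'xxx').
SERVICE_EVENTS = [
    "#Im System wurde ein Dienst installiert.#Dienstname: --"
    "#Dienstdateiname: C:\\Users\\xxx\\AppData\\Local\\Temp\\103191234\\ic-0.0c4a2901a2643.exe /wl 1"
    "#Diensttyp: Benutzermodusdienst#Dienststarttyp: Manuell starten#Dienstkonto: LocalSystem",
    "#Im System wurde ein Dienst installiert.#Dienstname: 3ee09e28c6d8f3de176caff9ab413c18"
    "#Dienstdateiname: C:\\WINDOWS\\system32\\drivers\\3ee09e28c6d8f3de176caff9ab413c18.sys"
    "#Diensttyp: Kernelmodustreiber#Dienststarttyp: Systemstart",
]
POWERSHELL_EVENTS = [
    "#PowerShell#HostName=ConsoleHost#HostApplication=powershell.exe -Command & "
    "{Add-MpPreference -ExclusionPath@('C:\\WINDOWS\\system32\\drivers\\3ee09e28c6d8f3de176caff9ab413c18.sys')}",
]
HASH_LIKE = re.compile(r"^[0-9a-f]{32}$", re.I)            # MD5-length hex name (heuristic)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
AV_EXCLUSION = re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)

def parse_fields(record):
    """Split a '#Feld: Wert' record into a dict (German field names kept)."""
    fields = {}
    for part in record.split("#"):
        if ": " in part:
            key, value = part.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields

def check_service_event(record):
    """Suspicious traits of one service-install record (System event 7045)."""
    f = parse_fields(record)
    findings = []
    if TEMP_DIR.search(f.get("Dienstdateiname", "")):
        findings.append("service binary in user Temp directory")
    if f.get("Diensttyp") == "Kernelmodustreiber" and HASH_LIKE.match(f.get("Dienstname", "")):
        findings.append("kernel driver service with hash-like name")
    if f.get("Dienstkonto") == "LocalSystem" and f.get("Dienstname") == "--":
        findings.append("LocalSystem service with empty name")
    return findings

def check_powershell_event(record):
    """Flag command lines that add Microsoft Defender exclusions."""
    return ["Defender exclusion added via PowerShell"] if AV_EXCLUSION.search(record) else []

def correlate(service_events, powershell_events):
    """Kernel drivers whose file was also excluded from AV: the rootkit pattern above."""
    excluded = {p.lower() for r in powershell_events for p in re.findall(r"'([^']+)'", r)}
    return [parse_fields(r)["Dienstname"] for r in service_events
            if parse_fields(r).get("Diensttyp") == "Kernelmodustreiber"
            and parse_fields(r).get("Dienstdateiname", "").lower() in excluded]
```

Each rule alone produces false positives (installers legitimately run from Temp); the correlation of an AV exclusion with a new kernel driver is the high-confidence signal.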
Incident Response Toolchain - Threat Intelligence Handling with MISP
Incident Response Toolchain - Impact Assessment with Bloodhound
Incident Response Toolchain - Live Forensics with Rekall and GRR
Some Facts & Figures

Category              Type                                         Records
Malware               Analyzed unique malware samples              20.995
Malware               Malware samples and analysis results         4,6 TB
Threat Intelligence   Gathered Threat Intelligence                 40 GB
Threat Intelligence   Extracted Indicators of Compromise (IOCs)    478.000
Threat Intelligence   Generated IDS Rules (SNORT)                  26.600
Privilege Monitoring  Monitored user and service accounts          13.200
Privilege Monitoring  Monitored workstation and server objects     9.900
Privilege Monitoring  Monitored privilege groups                   28.000
Privilege Monitoring  Recorded user sessions                       11.000
Privilege Monitoring  Monitored privilege relations                806.000
(Numbers use German notation: "." as thousands separator, "," as decimal separator.)
TLS CIPHER DISTRIBUTION
Of Ciphers, Key Length and More

History, Statements and Challenges
In 2013 Edward Snowden revealed top secret documents to the public
Xkeyscore, PRISM, Tempora, …
The world reacted with “Let’s encrypt everything”
Encrypt everything – Does it work?
Incoming SMTP Connections Europe (share of TLS vs. PLAIN, from the chart)
2013: TLS 30%, PLAIN 70%
2016: TLS 37%, PLAIN 63%
2018: TLS 70%, PLAIN 30%
Encrypt everything – Does it work? (2)
Outgoing SMTP Connections (CW 3/2018, share of TLS vs. PLAIN, from the chart)
EU: TLS 93%, PLAIN 7%
US: TLS 86%, PLAIN 14%
TLS Cipher Distribution – Incoming
Top 3 TLS cipher suites, one MX incoming (connections, share)
ECDHE-RSA/AES-128-GCM/AEAD: 209766 (69%)
DHE-RSA/AES-128-CBC/SHA1: 70542 (23%)
ECDHE-RSA/AES-128-CBC/SHA1: 23445 (8%)
TLS Cipher Distribution – Incoming (2)
… everything else (share of the remaining incoming connections, in chart order)
DHE-RSA/AES-128-GCM/AEAD: 54%
RSA/AES-128-CBC/SHA1: 11%
RSA/3DES-CBC/SHA1: 9%
RSA/AES-128-GCM/AEAD: 9%
ECDHE-RSA/AES-256-CBC/SHA1: 4%
DHE-RSA/AES-256-CBC/SHA1: 4%
RSA/AES-256-CBC/SHA1: 3%
ECDHE-RSA/AES-256-GCM/AEAD: 3%
ECDHE-RSA/3DES-CBC/SHA1: 2%
ECDHE-RSA/AES-128-CBC/SHA256: 1%
DHE-RSA/3DES-CBC/SHA1: 0%
TLS Cipher Distribution – Outgoing
Top 4 TLS cipher suites, one mailer outgoing (connections, share)
ECDHE-RSA/AES-128-GCM/AEAD: 1714309 (72%)
ECDHE-RSA/AES-256-CBC/SHA384: 299244 (13%)
ECDHE-RSA/AES-256-GCM/AEAD: 233268 (10%)
DHE-RSA/AES-128-GCM/AEAD: 127030 (5%)
TLS Cipher Distribution – Outgoing (2)
… everything else
Shares shown in the chart: 35%, 23%, 8%, 8%, 7%, 5%, 5%, 3%, 2%, 1%, 1%, 1%, 0%, 0%, 0%, 0%, 0%
Suites shown in the legend:
DHE-RSA/AES-128-CBC/SHA1
DHE-RSA/AES-256-GCM/AEAD
RSA/AES-128-CBC/SHA1
DHE-RSA/AES-256-CBC/SHA256
ECDHE-RSA/AES-128-CBC/SHA1
RSA/AES-128-GCM/AEAD
ECDHE-RSA/AES-256-CBC/SHA1
DHE-RSA/AES-256-CBC/SHA1
RSA/AES-256-CBC/SHA256
RSA/AES-256-GCM/AEAD
RSA/AES-128-CBC/SHA256
ECDHE-RSA/AES-128-CBC/SHA256
DHE-RSA/CAMELLIA-256-CBC/SHA1
ECDHE-RSA/3DES-CBC/SHA1
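The suite names in these charts follow the pattern KEX-AUTH/CIPHER/MAC, which is enough to score a distribution for the properties a mail operator cares about: forward secrecy (ECDHE/DHE vs. static RSA key exchange), AEAD mode, and legacy primitives (3DES, SHA1-based MAC). The following is an added example, not from the slides; the sample counts are the top-3 incoming figures above, while the property definitions and function names are this example's own.

```python
from collections import Counter

# Constructed from the "Top 3 TLS cipher suites, one MX incoming" figures
# above; suites are written the way the slides print them: KEX-AUTH/CIPHER/MAC.
INCOMING_TOP3 = {
    "ECDHE-RSA/AES-128-GCM/AEAD": 209766,
    "DHE-RSA/AES-128-CBC/SHA1": 70542,
    "ECDHE-RSA/AES-128-CBC/SHA1": 23445,
}

def classify(suite):
    """Properties of one suite: forward secrecy, AEAD mode, legacy primitives."""
    kex_auth, cipher, mac = suite.split("/")
    kex = kex_auth.split("-")[0]   # 'ECDHE', 'DHE', or bare 'RSA' (static RSA key exchange)
    return {
        "forward_secrecy": kex in ("ECDHE", "DHE"),
        "aead": mac == "AEAD",
        "legacy": cipher.startswith("3DES") or mac == "SHA1",
    }

def summarize(distribution):
    """Share of connections (0..1) having each property, weighted by count."""
    total = sum(distribution.values())
    tally = Counter()
    for suite, count in distribution.items():
        for prop, present in classify(suite).items():
            if present:
                tally[prop] += count
    return {prop: tally[prop] / total for prop in ("forward_secrecy", "aead", "legacy")}

def legacy_suites(distribution):
    """Suites a server could drop from its preference list, with the traffic that would be affected."""
    return {s: c for s, c in distribution.items() if classify(s)["legacy"]}
```

Applied to the top-3 incoming data the AEAD share reproduces the 69% of the chart, and legacy_suites shows that removing the CBC/SHA1 suites would still affect roughly 31% of those connections, which is the trade-off behind "encrypt everything" on an MX.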
Certificates signed by an official CA?
Valid CA: 90%
"Invalid CA": 10%
WIDE AREA NETWORK
(Image: Flickr, Abode of Chaos, CC-BY-2.0)
Denial Of Service Attacks

Denial of Service (DoS) attacks have been known for 20 years
Academia solved the problem decades ago
Google Scholar shows > 540k results for DoS protection
However, they are not gone as of today

Different Types of Attacks
SYN Floods
UDP Floods
• NTP Amplification Attacks
• DNS Amplification Attacks
Denial Of Service Attacks (cont.)

Selected examples of incoming (D)DoS attacks
UDP NTP Amplification
34 GBit/s with 7M Packets/s
10 GBit/s with 1M Packets/s
Simple UDP Floods
15 GBit/s with 2M Packets/s
DNS Amplification
98 GBit/s with 9M Packets/s
Denial Of Service Attacks – Countermeasures

QoS enabled on the local switch
Filter malicious traffic on the local distribution router
Blackhole the target’s IP address
Scrub traffic

CONCLUSIONS

Conclusions
Technical measures are good, security awareness is better

The End and thanks for your Attention
Dr. Matthias Schmidt, Head of Technical Security
matthias.schmidt@1und1.de
Q & A