AISA - v6 - Damien Manuel
Corporate Partners
Are bad guys hiding in your “Secure” traffic?
• The world has changed
• Threat taxonomy
• Why decrypt SSL traffic?
• What to decrypt
• Where to decrypt it
• Use cases
• Privacy issues
• Recommendations
The World has Changed
Source: #1 Netcraft.com, #2 http://www.internetworldstats.com, #3 http://smithsonian.yahoo.com & #4 IDC
                    1996                                   2015
Websites            75,000#1 to 650,000#3                  1 billion (Sep 2014)#1
Internet access     28.8 to 33.6 Kbps                      Up to 100 Mbps
Internet users      36 million#4                           3 billion#2
Internet browsers   Netscape Navigator, IE3                Firefox 37.01, Opera, Chrome, Safari, IE11
Search engines      Lycos, LookSmart, Hotbot, Yahoo!,      Google, Bing, Yahoo!, DuckDuckGo, Baidu,
                    Altavista, Infoseek, WebCrawler        Rambler, Naver etc.
                    (Google.com didn’t exist)
Screen resolution   640 x 480
Removable Media Density
1996: 720K to 1.4 MB; 100 MB
2015: Up to 1 TB USB 3.0
Communication: 1996 vs 2015
Storage Density
1996: 660 MB
2015: Up to 6 TB
Security Changed, Threats Changed
Timeline 1996 to 2015 (markers at 1998, 2000, 2003, 2005, 2007, 2010)
Security controls introduced over the period: Stateful Firewalls, IDS / IPS / HIPS, WAF / UTM, SIEM, DLP, Data Analytics, SSL Decryption
Threats emerging over the period: PC virus, spam, Internet virus, worms, DDoS, trojans, phishing, spyware, ransomware, malvertising, watering hole, mobile attacks, APT
Threat Taxonomy: The who and what!
Creative Exploiter
• Curious about systems and how they work
• Likes a challenge or puzzle to unlock
• Not necessarily malicious
Target: Any system, anything
John Draper
*Images from http://www.webcrunchers.com
Script Kiddie
• Typically using code developed by others
• Often lacks detailed programming skills
• Often students
Motivation: (Peer) recognition / bragging rights
Target: Universities, Schools, Websites, Devices
connected to the Internet
Corporate & Industrial Espionage
• Sponsored by individuals, organisations and
in some cases governments
Motivation: To obtain trade secrets or other
information for a competitive advantage
Target: Organisations in the same or similar
sectors / market segment. High Tech / R&D
The Insider – The bad side
• Disgruntled employee (current or former)
• Typically opportunistic, some are well planned
Motivation: Revenge, getting what they think they
deserve, solving a financial problem, the desire to
feel important
Target: Any organisation
The Insider – The moral dilemma
• Current or former employee
Motivation: Ethical, social, religious or moral
obligation to society and the broader community.
Correcting a mistake, providing governance where
none exists or providing transparency.
Target: Any organisation (typically government)
The Insider – The moral dilemma
Whistle-blowers
Mark Felt Frank Serpico
Edward
Snowden
Thomas Drake
Chelsea Manning
Jesselyn Radack
Hacktivism
• Data extraction and publication
• Distributed Denial of Service
• Doxing
• Seeks very public recognition to be considered
successful
Motivation: Political or social
Target: Any corporation, government or individual
Logo source: Anonymous
• 1200 emails .sa (Saudi Arabia)
• 251,831 Sydney (3rd highest City)
• 213,847 Melbourne
• 118,857 Brisbane
• 88,754 Perth
• 700 Australian government officials and police
• 15,000 .gov / .mil
Cyber Vigilante
• DIY justice
• Companies / individuals “hack back”
Motivation: Political, social justice and compliance
with social norms “the norm police”
Target: Corporations, governments, individuals,
and attackers
Nation Sponsored
• The new and until recently, hidden landscape
in warfare
Motivation: Seeks access to sensitive business
/ diplomatic data to gain a tactical advantage
Target: Any organisation with intellectual
property, research and development data &
strategic infrastructure.
Organised Crime
• Various organisational structures
• Outsources, just like legitimate organisations
• Expanding into new markets (carbon credits)
Motivation: Money, control and power
Target: Financial sector, end users of financial
services & home users
Terrorist Groups (Cyber Terrorists)
• Aim is to disrupt daily life
• Will go to any means necessary
Motivation: Ideologically driven from a religious,
political or cultural perspective
Target: Critical infrastructure, key systems, uniforms
& the general population
Threat actor landscape (chart): Impact / Motivation (Annoyance, Hurt, Destroy) plotted against Available Resources (Low, Medium, High)
Actors plotted: Creative Exploiter, Script Kiddie, Hacktivism, The Insider, Cyber Vigilante, Organised Crime, Cyber Terrorists, Nation Sponsored
“50% of network attacks will use SSL by 2017 to
bypass controls”
Internet users encrypting their online
communications has doubled in
North America, and quadrupled in
Latin America and Europe over just
the past year.
Sandvine, “Global Internet Phenomena Report,” May 2014.
SSL Trends & Statistics
Weekly
Top 50 Most Visited sites - 69% HTTPS
Top 10 Most Visited Sites – 100% HTTPS
Daily
750M Domain / IP rating requests - HTTP
110M Domain / IP rating requests – HTTPS
30K Unique / Unknown Executable Applications - HTTPS
SSL Trends & Statistics
Weekly
• 1.1M Sites Classified Potentially Unwanted Software
24% - Enterprise Users 76% - Consumer Users
• +40,000 Requests Newly-Classified Malicious HTTPS Sites
• 100,000 Requests to Command and Control HTTPS Sites
35% from Enterprise Users
Let’s Look at it another way from other sources
(Source: Alexa.com)
Or, 14 of the top 15 English Websites use only HTTPS
Encryption masks data exfiltration
Not necessarily malicious...
Basics of SSL
1. Request key exchange
2. X.509 Cert containing public key
3. Confirms Cert with Certificate Authority
4. Random symmetric key, encrypted with the server’s public key.
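The four steps on the slide, walked through end to end as an added example (not code from the presentation). It uses textbook RSA over fixed Mersenne primes with no padding, so it shows the message flow and why step 3 matters, not production cryptography: a certificate signed by an issuer that is not in the client's trust store fails step 3, which is exactly the position an inspection device is in until its own CA is deployed to managed endpoints. The hostnames, CA names and the toy key sizes are constructed for the example.

```python
"""Toy RSA key-transport handshake: request, certificate, CA check, wrapped key."""
import hashlib
import secrets

E = 65537  # common RSA public exponent


def make_keypair(p, q):
    """Textbook RSA keypair from two primes (constructed Mersenne primes below)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def cert_digest(cert):
    # 160-bit digest of the signed fields so it fits under every toy CA modulus.
    data = f"{cert['subject']}|{cert['issuer']}|{cert['pub'][0]}|{cert['pub'][1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:20], "big")


def issue_cert(subject, server_pub, issuer, ca_priv):
    """Stand-in for an X.509 certificate: subject, issuer, public key, CA signature."""
    cert = {"subject": subject, "issuer": issuer, "pub": server_pub}
    n, d = ca_priv
    cert["sig"] = pow(cert_digest(cert), d, n)
    return cert


def verify_cert(cert, trust_store):
    """Step 3: the signature must verify under a CA key the client already trusts."""
    ca_pub = trust_store.get(cert["issuer"])
    if ca_pub is None:
        return False
    n, e = ca_pub
    return pow(cert["sig"], e, n) == cert_digest(cert)


class Server:
    def __init__(self, cert, priv):
        self.cert, self.priv, self.session_key = cert, priv, None

    def hello(self, hostname):
        return self.cert  # step 2: certificate carrying the public key

    def key_exchange(self, wrapped_key):
        n, d = self.priv  # step 4, server side: unwrap with the private key
        self.session_key = pow(wrapped_key, d, n).to_bytes(16, "big")


def client_handshake(server, trust_store, hostname):
    """Steps 1-4 from the client side; returns the symmetric key or None on failure."""
    cert = server.hello(hostname)  # step 1 triggers step 2
    if cert["subject"] != hostname or not verify_cert(cert, trust_store):
        return None  # step 3 failed: this is the browser warning case
    key = secrets.token_bytes(16)  # step 4: random symmetric key
    n, e = cert["pub"]
    server.key_exchange(pow(int.from_bytes(key, "big"), e, n))
    return key


def run_demo():
    """Three outcomes: trusted issuer, unknown issuer, inspection CA added to trust store."""
    ca_pub, ca_priv = make_keypair(2**127 - 1, 2**89 - 1)
    insp_pub, insp_priv = make_keypair(2**107 - 1, 2**61 - 1)
    srv_pub, srv_priv = make_keypair(2**521 - 1, 2**607 - 1)
    host = "mail.example.com"  # constructed hostname

    good = Server(issue_cert(host, srv_pub, "Public CA", ca_priv), srv_priv)
    inspected = Server(issue_cert(host, srv_pub, "Inspection CA", insp_priv), srv_priv)

    public_only = {"Public CA": ca_pub}
    managed_endpoint = {"Public CA": ca_pub, "Inspection CA": insp_pub}

    k_good = client_handshake(good, public_only, host)
    k_unknown = client_handshake(inspected, public_only, host)      # fails step 3
    k_managed = client_handshake(inspected, managed_endpoint, host)  # succeeds
    return k_good == good.session_key, k_unknown, k_managed == inspected.session_key


if __name__ == "__main__":
    print(run_demo())  # (True, None, True)
```

The middle result is the operational point: a decryption device re-signs server certificates with its own CA, so the same traffic that validates on a managed endpoint fails on anything that never received that CA.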
So why don’t people Decrypt?
Perception that volume of
encrypted traffic is insignificant
Performance considerations
Workload considerations
Privacy considerations
What to Decrypt?
Webmail: Content needs to be inspected so it can be scanned by the defence-in-depth security deployment.
Social Media: Common channels of malware infection or sensitive content leakage.
Web Browsing: Search engines and general web application traffic, which is SSL enabled by default. Decrypt to enforce acceptable use policies and protect data.
File Sharing: A popular medium for sensitive files to be leaked or malicious files to be downloaded.
SaaS: Enforce tighter policies; there is a strong likelihood these contain sensitive data (HR, CRM etc.).
“To net it out, if an application has access to protected or critical data you should decrypt and inspect its traffic” Mike Rothman, Analyst and President, Securosis
Where to Decrypt?
• SSL/TLS decryption and re-encryption is processor intensive
• While some security solutions provide SSL decryption and/or encryption as an optional feature, it is rarely enabled
• Typical performance decreases over 50%* (chart: Intrusion Prevention, Next Gen Firewall, Forensics)
*NSS Labs Analyst Brief: Significant SSL Performance Loss Leaves Much Room for Improvement, John W. Pirc
Where to Decrypt?
Firewall: Application classification requires visibility into network packets. Inline for ingress & egress. Performance degradation.
Secure Web Gateway: Filtering policy enforcement. Integration with anti-malware. Can decrypt SSL. Performance degradation.
DLP: Detection of sensitive data requires visibility. No decryption capabilities.
IPS: Signature matching requires visibility into network/app data. Limited decryption capabilities.
Dedicated SSL Decryption Device: Decrypts & encrypts very fast. Policy-based actions. Categorisation support. High performance. Able to feed multiple security devices. Additional infrastructure.
Use Cases - Enforcing Policy
• Impossible to enforce policies when you can’t see traffic
– Implications for:
• Firewalls
• Web security gateways
• Intrusion detection & prevention (IPS / IDS)
• Data loss prevention (DLP)
• Network-based malware sandboxing
• Major considerations
– Throughput & user experience
– Granular implementation of policies (protocol, user/group, application, and web site category)
Use Cases - Monitoring and Forensics
• In this case we are not re-encrypting or quickly discarding data
– Goal may be to derive metadata for analysis, or a complete
record of the data flow
• Decrypted traffic may become data at rest
• Introduces many issues that require consultation from HR,
legal groups
• Risk analysis needs to be performed on these policies
Issues Under Australian Law
Telecommunications (Interception and Access) Act 1979
Decrypting SSL traffic without users’ or customers’ knowledge is arguably “interception”.
Privacy Act 1988
Contains “Australian Privacy Principles” which govern collection, use and disclosure of private information - implications for decrypting “private” traffic.
In both cases, organisations can ensure compliance with:
Transparent and clearly communicated policies.
Effective controls in technology to implement policies.
HopgoodGanim: SSL visibility: A legal analysis, Hayden Delaney
Recommendations - Technology
Dedicated devices solve many of the
technology issues associated with encrypted
traffic management
– Performance is critical!
– Single point of decryption
Policy-based enforcement
– Using Host categories, IP addresses, CA
status, Subject/Domain Name and more
– Decides to decrypt or not based on category of
service being accessed over SSL
More than just HTTPS
– All ports
– Protocols
– Cipher suites
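A policy-based decrypt-or-not decision of the kind the “Policy-based enforcement” bullets describe, applied to the “What to Decrypt?” categories from earlier in the deck. This is an added example, not the presenter's or any vendor's code: the hostname-to-category table stands in for a real categorisation feed, the CA status labels are constructed, and the privacy carve-out list (financial, health) is an assumption about what HR and legal consultation would produce, not something the deck states. It evaluates TLS on any port, matching the “More than just HTTPS” recommendation, and returns a reason string so every decision is auditable.

```python
"""Decide per flow whether a TLS inspection point should decrypt, bypass or block."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    DECRYPT = "decrypt"
    BYPASS = "bypass"
    BLOCK = "block"


@dataclass(frozen=True)
class Flow:
    sni: str         # server name from the ClientHello
    dst_port: int    # TLS is evaluated on every port, not only 443
    ca_status: str   # constructed labels: "trusted", "untrusted", "self-signed"


# Constructed lookup standing in for a host categorisation feed.
CATEGORY_DB = {
    "mail.example.com": "webmail",
    "social.example.net": "social-media",
    "files.example.org": "file-sharing",
    "hr.saas-example.com": "saas",
    "www.bank-example.com": "financial",
    "portal.health-example.org": "health",
}

# Categories the deck says carry protected or critical data and should be decrypted.
DECRYPT_CATEGORIES = {"webmail", "social-media", "web-browsing", "file-sharing", "saas"}

# Assumed privacy carve-outs agreed with HR and legal; not a list from the deck.
PRIVACY_BYPASS_CATEGORIES = {"financial", "health"}


def categorise(sni):
    return CATEGORY_DB.get(sni, "uncategorised")


def decide(flow):
    """Return (Action, reason). Order: CA status, privacy carve-outs, then category."""
    category = categorise(flow.sni)
    # The certificate is visible in the handshake, so CA status is checked first
    # (assumption: an untrusted issuer is blocked rather than inspected).
    if flow.ca_status != "trusted":
        return Action.BLOCK, f"{flow.ca_status} certificate presented by {flow.sni}"
    if category in PRIVACY_BYPASS_CATEGORIES:
        return Action.BYPASS, f"privacy carve-out for {category}"
    # Assumption: uncategorised hosts are inspected, since unknown sites are where
    # the deck's "unique / unknown executables" show up.
    if category in DECRYPT_CATEGORIES or category == "uncategorised":
        return Action.DECRYPT, f"inspect {category} on port {flow.dst_port}"
    return Action.BYPASS, f"no decrypt rule for {category}"


def audit(flows):
    """One audit record per flow, the trail HR and legal will expect to exist."""
    records = []
    for flow in flows:
        action, reason = decide(flow)
        records.append({"sni": flow.sni, "port": flow.dst_port,
                        "action": action.value, "reason": reason})
    return records


if __name__ == "__main__":
    # Constructed sample flows.
    sample = [
        Flow("mail.example.com", 443, "trusted"),
        Flow("www.bank-example.com", 443, "trusted"),
        Flow("updates.example-cdn.com", 8443, "trusted"),
        Flow("files.example.org", 443, "self-signed"),
    ]
    for rec in audit(sample):
        print(rec)
```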
Recommendations - Policy
Consultation! This is not only a security
conversation
– Security teams
– Human resources
– Legal
– Executive stakeholders
Transparent communication about the
inspection of traffic and the collection and use of
data in
– Employment agreements
– Freely available policy documents
Access and process controls
– Access to tools
– Access to data
Consult some more!
Additional Resources
Gartner: Security Leaders Must Address
Threats From Rising SSL Traffic, Jeremy
D'Hoinne, Adam Hils
Securosis, L.L.C.: Security and Privacy on
the Encrypted Network
HopgoodGanim: SSL visibility: A legal
analysis, Hayden Delaney
The Visibility Void: Attacks through
HTTPS a vulnerability for enterprises