AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM + How to Detect the Bash...

Due to the recent, well-publicized events involving celebrities and their private photos, the phrase “brute-force attack” has become the web’s newest buzzword. As an IT professional, it’s vital that you detect brute force attacks as quickly as possible so you can shut them down before the damage is done. Join us for a live demo, where we’ll demonstrate a brute force attack (simulated, of course!) and show how AlienVault USM can help you detect an (attempted) intruder and investigate the attack. You'll learn:

• How attackers can use brute force attacks to gain access to your network
• Measures you can take to better secure your environment and prevent these attacks
• How AlienVault USM alerts you immediately of brute force attack attempts, giving you valuable time to shut it down
• How to use AlienVault USM to investigate an attack and identify compromised assets

Transcript of AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM + How to Detect the Bash...

Page 1: AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM + How to Detect the Bash vulnerability

Live Demo: Get Complete Security Visibility in Under 1 Hour

Page 2: About AlienVault

@AlienVault

AlienVault has unified the security products, intelligence and community essential for mid-sized businesses to defend against today’s modern threats.

Page 3: Agenda

• How Brute Force attacks work
• Why detecting these attacks quickly is key
• Measures you can take to prevent these attacks
• Demo: How to detect and investigate Brute Force attacks with AlienVault USM
• Bonus: How to detect the Bash (Shellshock) vulnerability with AlienVault USM

Page 4: How To, Brute?

• Simply put, a brute force attack consists of an attacker using preconfigured values, trying them against an authentication method, and then analyzing the responses
- Usually performed via a script
- Sometimes with specialized hardware
• Modern day network-connected applications (email, domain access, etc.) will have policies to thwart simple brute force attacks
- Captcha
- Retry limit / delay
- Account lockout
- Password requirements (length, complexity, etc.)

Page 5: Basic Brute Force Attacks

• Dictionary Attack
- Is not this
- List of common passwords used
- Software available today that will run through these lists (l0phtcrack, Brutus, John the Ripper)
- Successful due to the amount of simple (or generic) passwords used
- Can be thwarted with robust password policies
o One random character in known words (e.g. “Suc3cess”) could defeat this attack

Page 6: Basic Brute Force Attacks

• Rainbow Table Attack
- A form of dictionary attack
- Uses pre-computed password hashes in a database
- Takes longer to set up, but the attack is executed faster
- Requires more storage than usual so, as storage costs went down, this method became more popular
- EASILY thwarted by salting the password hash
o Random data used when creating the password hash
o Requires the hash dictionary to be recomputed for every password sought, rendering pre-computation infeasible

Page 7: Basic Brute Force Example - Recent iCloud Breach

• Exploit in authentication of Apple iCloud’s “Find My iPhone” allowed attackers to gain access to iCloud backups
- One of many sources for the recently leaked “personal” celebrity photos
• No limit set on the amount of retries in the FindMyiPhone feature
- Allowed attackers to attempt as many passwords as they wanted to with no immediate repercussions (account lockout, delay, captcha, etc.)

Page 8: Offline Brute Force Method

If the attack is at this stage, there is not much you can do aside from hoping that someone implemented hash salting and/or a very large key space

• Attacker steals encrypted file with all of your (or your organization’s) passwords
• Attacker now has all of the time in the world to “guess” your passwords
- Although passwords may be encrypted, the data is on the attacker’s hardware so it's not subject to retry limits
• This is usually when purpose-built “cracking machines” come into play.
- Loaded with GPUs and/or custom processors
- The more horsepower, the faster the crack
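To make the Page 6 salting point and the Page 8 offline-cracking economics concrete, the following Python is an added example written for this transcript, not AlienVault code. A plain hash-to-password map stands in for a rainbow table; the word list, the stored password and the PBKDF2 round count are constructed assumptions.

```python
import hashlib
import os

# Constructed sample word list (stand-in for a real common-password list).
WORDLIST = ["password", "123456", "letmein", "success", "qwerty"]
KDF_ROUNDS = 10_000   # illustrative PBKDF2 iteration count; real deployments use far more

def unsalted_hash(pw):
    """The weak scheme: the same password always yields the same digest, on every site."""
    return hashlib.sha256(pw.encode()).hexdigest()

def salted_hash(pw, salt):
    """Salt plus a slow KDF: nothing can be precomputed, and each offline guess costs KDF_ROUNDS hashes."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, KDF_ROUNDS).hex()

def precomputed_table(words):
    """Stand-in for a rainbow table: hash -> password, built once, reusable against any unsalted store."""
    return {unsalted_hash(w): w for w in words}

def table_lookup(table, stored_hash):
    """The entire 'attack' against an unsalted store is a constant-time dictionary lookup."""
    return table.get(stored_hash)

def crack_salted(words, salt, stored_hash):
    """With a salt, the attacker must rerun the KDF over the whole word list for this one salt."""
    for w in words:
        if salted_hash(w, salt) == stored_hash:
            return w
    return None

def demo(salt=None):
    """Store 'letmein' both ways and show what the precomputed table can and cannot recover."""
    salt = salt if salt is not None else os.urandom(16)   # per-user random salt, as Page 6 describes
    table = precomputed_table(WORDLIST)
    unsalted_store = unsalted_hash("letmein")
    salted_store = salted_hash("letmein", salt)
    return {
        "table_hits_unsalted": table_lookup(table, unsalted_store),        # 'letmein'
        "table_hits_salted": table_lookup(table, salted_store),            # None
        "recompute_per_salt": crack_salted(WORDLIST, salt, salted_store),  # 'letmein', after len(WORDLIST) KDF runs
    }
```

With N users each given a unique salt, the attacker's precomputation buys nothing and the work becomes N times the word list, each entry costing a full KDF run.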

Page 9: Catching These Threats Quickly Is Key

• The earlier you catch the threat, the less time an attacker has to exhaust a password list or key space
- Allows you to put in place measures to block this particular attack
o Block a specific IP
o Shut down, move, or obfuscate the port used
- Also gives you a chance to prevent future (possibly related) attacks

Page 10: How To Detect These Attacks

• Brute force attacks are one of the few attacks detected by volume rather than type.
• In your web server (or proprietary app) logs, you’ll see a huge amount of authentication attempts
- Usually originating from the same IP address but, with modern tech, it's easy for an attacker to mask the actual IP address
• Malformed (or just unusual-looking) referring URLs
- e.g. http://user:[email protected]/login.html
• Usernames and/or password attempts run sequentially
• We will show you how USM easily detects these threats

Page 11: False Positives

• We all forget our passwords and sometimes try over and over again, usually with caps lock on…
• Multiple login attempts from the same IP, trying the same credentials over and over again, could simply be something like a mobile device trying to access email with an old password
• Brute force attack activity looks quite different from this, though, and that consideration is reflected in our correlation directives
- I am not able to try my username/password 300 times in 15 seconds but a computer can…

Page 12: Prevention

• Require that your users create robust passwords
- Minimum length
- Required characters (!, @, #, $, etc.)
- Nothing simple or common
• Password retry limit/delay
- Not implementing one can be the biggest mistake made (iCloud)
• Captchas (everybody LOVES those)
• Binding specific logins to particular IP addresses
• Blocking IPs when multiple failed login attempts come from them

Page 13: Prevention

• Account lockouts are actually not the greatest idea
- DDoS
- Truly malicious actors will just keep locking the account out if there is an expiration period
- Authentication attempt results can be used to find which account names are valid
o Only valid accounts will lock…
- Ineffective when:
o Password attempts are slow-rolled
o The same password is used against many usernames
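As an added illustration of the volume-based detection from Page 10, the human-versus-script distinction from Page 11 and the two lockout blind spots from Page 13 (slow-rolled guesses, one password against many usernames), the following Python is example code written for this transcript, not AlienVault USM or one of its correlation directives. The sshd-style log lines, IP addresses and thresholds are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sshd-style "Failed password" lines; timestamp, username and source IP are captured.
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+")
VOLUME_LIMIT, VOLUME_WINDOW = 100, 60     # 100+ failures in 60 s from one IP: a script, not a person
SPRAY_LIMIT, SPRAY_WINDOW = 20, 15 * 60   # 20+ distinct usernames in 15 min: one password, many accounts

def parse(line, year=2014):
    """Return (epoch_seconds, username, source_ip), or None for lines that are not failed logins."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").timestamp()
    return ts, m.group(2), m.group(3)

def detect(lines):
    """Map each offending source IP to the set of alarms it raised; lines are chronological per IP."""
    failures = defaultdict(deque)   # ip -> failure timestamps inside the volume window
    attempts = defaultdict(deque)   # ip -> (timestamp, username) pairs inside the spray window
    alarms = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        ts, user, ip = rec
        q = failures[ip]
        q.append(ts)
        while ts - q[0] > VOLUME_WINDOW:        # slide the window forward
            q.popleft()
        if len(q) >= VOLUME_LIMIT:
            alarms[ip].add("brute_force")
        u = attempts[ip]
        u.append((ts, user))
        while ts - u[0][0] > SPRAY_WINDOW:
            u.popleft()
        if len({name for _, name in u}) >= SPRAY_LIMIT:   # lockout never fires: each name fails once
            alarms[ip].add("password_spray")
    return dict(alarms)

def failed_login(seconds, user, ip):
    """Build one constructed log line `seconds` after 10:00:00."""
    return (f"Sep 25 10:{seconds // 60:02d}:{seconds % 60:02d} web1 sshd[4242]: "
            f"Failed password for {user} from {ip} port 40022 ssh2")

def sample_log():
    """Constructed input: a phone retrying an old password, a fast bot, and a slow-rolled spray."""
    lines = [failed_login(60 * i, "alice", "10.0.0.5") for i in range(10)]          # 10 tries, one a minute
    lines += [failed_login(i // 20, "root", "203.0.113.7") for i in range(300)]     # 300 tries in 15 s
    lines += [failed_login(10 * i, f"user{i}", "198.51.100.9") for i in range(60)]  # 60 names, 1 per 10 s
    return lines
```

The phone at 10.0.0.5 never crosses either threshold, the bot at 203.0.113.7 is caught on volume alone, and the sprayer at 198.51.100.9 stays under the volume limit yet is caught by the distinct-username count that a per-account lockout would miss.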

Page 14

• Asset Discovery: Active Network Scanning, Passive Network Scanning, Asset Inventory, Host-based Software Inventory
• Vulnerability Assessment: Network Vulnerability Testing, Remediation Verification
• Threat Detection: Network IDS, Host IDS, Wireless IDS, File Integrity Monitoring
• Behavioral Monitoring: Log Collection, Netflow Analysis, Service Availability Monitoring
• Security Intelligence: SIEM Event Correlation, Incident Response

Page 15: DEMO TIME!

Page 16: ShellShock – What it is, Why should I care?

• Affects Bash (default command shell for Linux, Unix and OS X).

How It Works

• Executes arbitrary commands via a specially formatted environment variable

Who Is At Risk?

• Web servers that make calls to the bash shell
• Network services and daemons that use shell scripts with environment variables.

Page 17: Back To The Lab…

• Send a ping command to the attacker's machine
• Multiple malware installs identified.
• Connection to a C&C server
• IRC bot connection

Page 18: AlienVault Labs Research

• Username/passwords on the binary
• Possible brute force attack
• Known supported commands: PING, GETLOCALIP, SCANNER, HOLD, JUNK (DoS flood), UDP (DoS flood), TCP (DoS flood), KILLATTK
• Hundreds of victims already identified.

Page 19: Detect And Respond

• Malicious sources added to OTX
• Threat intelligence:
- Multiple IDS signatures including:
o 2019231 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in URI
o 2019232 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers
o 2019233 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body
o 2019234 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body 2
o 2019236 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number
o 2019237 - ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK - option 15
o 2019238 - ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK - option 67
- Correlation directives to detect and alarm:
o Exploitation & Installation, Service Exploit, Bash - CVE-2014-6271
o Reconnaissance & Probing, Service Exploit, Bash - CVE-2014-6271

Page 20: DEMO TIME!

Page 21: NOW FOR SOME Q&A…

More Questions? Email [email protected]

Test Drive AlienVault USM: Download a Free 30-Day Trial

http://www.alienvault.com/free-trial

Try our Product Sandbox

http://www.alienvault.com/live-demo-site