CyberCrime in the Cloud and How to defend Yourself
Uploaded by alert-logic
Transcript of CyberCrime in the Cloud and How to defend Yourself
Cybercrime in the Cloud and how to defend yourself
Stephen Coty, Chief Security Evangelist
Threats in the Cloud are Increasing With Adoption
• Increase in attack frequency
• Traditional on-premises threats are moving to the cloud
• Majority of cloud incidents were related to web application attacks, brute force attacks, and vulnerability scans
• Brute force attacks and vulnerability scans are now occurring at near-equivalent rates in both cloud and on-premises environments
• Malware/Botnet is increasing year over year
Cloud Attacks With the Biggest Change
• Cloud environments saw significant increases with brute force attacks climbing from 30% to 44% of customers, and vulnerability scans increasing from 27% to 44%
• Malware/botnet attacks, historically the most common attacks in the on-premises datacenter, are on the rise in CHP environments
Why Honeypots
Honeypots give us a unique data set
• Simulates vulnerable systems without the risk of real data loss
• Gives the ability to collect intelligence from malicious attackers
• Allows for collection of various different attacks based on system
• Helps identify what industry-specific targets are out there
Honeypot Designs
• The honeypot data cited was gathered using
- Low-interaction – simulates high-level services
- Medium-interaction – delivers form pages and collects keystrokes
- SCADA – simulates a Supervisory Control And Data Acquisition system
- Web application software that emulates a vulnerable OS and application
• Fictitious business domains have been created to redirect traffic to what would be considered a legitimate business
• These particular honeypots monitored connections to common ports and gathered statistics on IP, country, and malware, if submitted
Global Analysis
The Technology
Security Architecture
(Diagram; the labelled components were: Firewall/ACL, Intrusion Detection; Deep Packet Forensics; Network DDoS; Netflow Analysis; Backup; Patch Mgmt, Vulnerabilities; Server/App; Log Mgmt, SDLC; Anti-Virus, Encryption GPG/PGP; Host Anti-Malware; FIM; NAC, Scanner; Mail/Web Filter, Scanner; IAM, Central Storage)
Reference: http://aws.amazon.com/security/security-resources/
Data Correlation is the Key
SIEM Operations
• 8.2 million per day
• 40,000 per month
The People
Enterprise Cyber Security Teams
• Monitor and maintain non-managed hardware deployment uptime
• Operational implementation of all security infrastructure
• Incident Response Team
• Collect and maintain content for all non-managed devices
• Cyber Security Awareness Program
• Network and Application Penetration Testing and Audit Team
24x7 Security Operations Center and Intelligence
• Monitor intrusion detection and vulnerability scan activity
• Search for industry trends and deliver intelligence on lost or stolen data
• Collect data from OSINT and underground sources to deliver intelligence and content
• Identify and implement required policy changes
• Escalate incidents and provide guidance to the response team to quickly mitigate incidents
• Monitor for zero-day and new and emerging attacks
• Cross-product correlate data sources to find anomalies
Monitoring the Social Media Accounts
Following IRC and Forums
Tracking and Predicting the Next Move
• He is a guy from a European country (Russia)
• His handle or nick is madd3
• Using ICQ 416417 as a tool of communication (illegal transaction)
• A simple /whois command to the nick provided us with good information
• 85.17.139.13 (Leaseweb)
• ircname: John Smith
• channels: #chatroom
• server: irc.private-life.biz [Life Server]
• Check this out: the user has another room, #attackroom4
• We can confirm that Athena version 2.3.5 is being used to attack other sites
• 2,300 infected users
• Cracked software is available in forums
• As of today 1 BTC to $618.00 or £361.66
Forums to Follow – darkode.com & exploit.in (Russian)
Cloud Security Best Practices
Cloud Environments 101
Eight Best Practices of Cloud Security
1. Secure your code
2. Create access management policies
3. Adopt a patch management approach
4. Review logs regularly
5. Build a security toolkit
6. Stay informed of the latest vulnerabilities that may affect you
7. Understand your cloud service provider's security model
8. Understand the shared security responsibility
1. Secure Your Code
• Test inputs that are open to the Internet
• Add delays to your code to confuse bots
• Use encryption when you can
• Test libraries
• Scan plugins
• Scan your code after every update
• Limit privileges
• Stay informed
2. Create Access Management Policies
• Identify data infrastructure that requires access
• Define roles and responsibilities
• Simplify access controls (KISS)
• Continually audit access
• Start with a least privilege access model
3. Adopt a Patch Management Approach
• Inventory all production systems
• Devise a plan for standardization, if possible
• Compare reported vulnerabilities to production infrastructure
• Classify the risk based on vulnerability and likelihood
• Test patches before you release them into production
• Set up a regular patching schedule
• Keep informed, follow Bugtraq
• Follow an SDLC
4. Importance of Log Management and Review
• Monitoring for malicious activity
• Forensic investigations
• Compliance needs
• System performance
• All sources of log data are collected
• Data types (Windows, Syslog)
• Review process
• Live monitoring
• Correlation logic
5. Build a Security Toolkit
• Recommended Security Solutions
- Antivirus
- iptables
- Intrusion Detection System
- Malware Detection
- Web Application Firewalls
- Anomaly behavior via netflow
- Future: Deep Packet Forensics
6. Stay Informed of the Latest Vulnerabilities
• Websites to follow
- http://www.securityfocus.com
- http://www.exploit-db.com
- http://seclists.org/fulldisclosure/
- http://www.securitybloggersnetwork.com/
7. Understand Your Cloud Service Provider's Security Model
• Review of service provider responsibilities
• Hypervisor example
• Questions to use when evaluating cloud service providers
8. Service Provider & Customer Responsibility Summary
Cloud Service Provider Responsibility
• Foundation Services (Compute, Storage, DB, Network): logical network segmentation; perimeter security services; external DDoS, spoofing, and scanning prevented
• Hosts: hardened hypervisor; system image library; root access for customer
Customer Responsibility
• Hosts: access management; patch management; configuration hardening; security monitoring; log analysis
• Apps: secure coding and best practices; software and virtual patching; configuration management; access management; application-level attack monitoring
• Networks: network threat detection; security monitoring
Examples of Shared Responsibilities
Cloud Server Architecture
• VM Servers are designed so that the hypervisor (or monitor, or Virtual Machine Manager) is the only fully privileged entity in the system, and has an extremely small footprint.
• It controls only the most basic resources of the system, including CPU and memory usage, privilege checks, and hardware interrupts
How the Hypervisor functions
• In this model the processor provides 4 levels, also known as rings, which are arranged in a hierarchical fashion from Ring 0 to Ring 3. Only 0, 1 and 3 have privilege; some kernel designs demote certain privileged components to ring 2
• The operating system runs in ring 0, with the operating system kernel controlling access to the underlying hardware
• To assist virtualization, VT and Pacifica insert a new privilege level beneath Ring 0. Both add nine new machine code instructions that only work at "Ring -1," intended to be used by the hypervisor
Application Exploitation – Without Secure Coding
WordPress: 162,000 legitimate sites used for DDoS attack
• Exploited the XML-RPC protocol
• Pingback-enabled sites were exploited
- Trackback
- Pingbacks
- Remote access via mobile devices
• Generated over 24 million hits at a rate of 3,000 hits per second
• Random query of "?4137049=643182" bypasses cache and forces full page reloads
• Check logs for POST requests to the XML-RPC file
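As an added example (not from the deck), the log check the last bullet recommends, in Python over constructed Apache combined-format lines: on a site whose pingback feature could be abused it counts POST requests to xmlrpc.php per source address, and on the receiving side it flags GET requests whose query string is the bare number=number pair shown above, which is what defeats the cache. The sample addresses, user agents and the POST threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (documentation addresses, not real traffic): one
# client hammering xmlrpc.php, two cache-busting GETs, and normal requests.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2014:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2014:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.20 - - [10/Mar/2014:10:00:04 +0000] "GET /?4137049=643182 HTTP/1.1" 200 5120 "-" "WordPress/3.8; http://blog.example"
192.0.2.21 - - [10/Mar/2014:10:00:04 +0000] "GET /?9932011=118826 HTTP/1.1" 200 5120 "-" "WordPress/3.8; http://other.example"
198.51.100.7 - - [10/Mar/2014:10:00:05 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# The cache-busting pattern from the slide: a bare "?<digits>=<digits>" query on /.
CACHE_BUST_RE = re.compile(r'^/\?\d+=\d+$')

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def xmlrpc_posts(lines):
    """Abused-site view: POST requests to xmlrpc.php, counted per source IP."""
    counts = Counter()
    for rec in filter(None, map(parse, lines)):
        if rec["method"] == "POST" and rec["path"].endswith("/xmlrpc.php"):
            counts[rec["ip"]] += 1
    return counts

def cache_busting_gets(lines):
    """Target-site view: (ip, user-agent) of GETs using the random-query trick."""
    return [(rec["ip"], rec["ua"]) for rec in filter(None, map(parse, lines))
            if rec["method"] == "GET" and CACHE_BUST_RE.match(rec["path"])]

def report(lines, post_threshold=3):
    """Sources at or above the POST threshold (assumed value) plus cache-busting hits."""
    flagged = {ip: n for ip, n in xmlrpc_posts(lines).items() if n >= post_threshold}
    return flagged, cache_busting_gets(lines)

if __name__ == "__main__":
    flagged, busts = report(SAMPLE_LOG.splitlines())
    print("xmlrpc.php POST sources over threshold:", flagged)
    print("cache-busting GETs:", busts)
```

Point it at a real access log by replacing SAMPLE_LOG.splitlines() with the file's lines; the threshold should be tuned to the site's normal pingback volume.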
Application Exploitation – Without Secure Coding
• This June 0-day allows an attacker to remotely remove and modify files stored on the server without authentication
• TimThumb, written by Ben Gillbanks, is a simple, flexible PHP script that resizes images. You give it a bunch of parameters, and it spits out a thumbnail image that you can display on your site.
• Looking at the type of vulnerabilities that hackers were trying to exploit, we saw a clear preference for Remote File Inclusion vulnerabilities, which accounted for 96% of all vulnerability types
• Patch was released in Q3
Thank you.