Glasnost or Tyranny? You Can Have Secure and Open Networks! (transcript of a 27-slide deck)

Page 1

Glasnost or Tyranny? You Can Have Secure and Open Networks!

Steven Hurst CISSP

Director - AT&T Security Services and Technology
AT&T Chief Security Office

© 2009 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. AT&T Proprietary

AT&T is a proud sponsor of StaySafe Online

Page 2

Everything is Moving to IP

Wireless data traffic quadruples every year (Web, video, image sharing, messaging)

Chart: growth of Internet users, Web sites and email addresses along a 1993 / 1996 / 1998 / Today / 2010 / 2011 timeline. Data labels on the chart: 48 million Internet users; more than 1.3 billion Internet users; 2 billion Internet users; 130 Web sites; more than 135 million Web sites; 200 million Web sites; 253 million email addresses; more than 1.6 billion email addresses; more than 2 billion email addresses.

Page 3

IP-enabled Devices on the Global IP Network

Page 4

AT&T Global IP Network
An Incredible Vantage Point!

Page 5

Network Security Threats

• Social Engineering
• "Data Leakage": Lost/Stolen Laptops, Unsecured Servers
• Spam for Hire
• Insider Threats
• Phishing, Sniffing, Keylogging, etc.
• Distributed Denial of Service
• Botnets

Page 6

Example: Internet Anomalies Tracked by AT&T
Significant increase in sources scanning port 23/tcp

Page 7

Scan Activity Targeting Telnet
The characteristics that highlight the activity

Chart: two series over time, unique source IP addresses scanning and number of probes.
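The telnet-scan indicator on the two slides above (a jump in distinct sources probing 23/tcp, plotted as unique source IPs and probe count per day) can be computed from flow summaries as in this added example; it is written for this transcript and is not AT&T's tracker, and the flow records, the 3x-median threshold and the minimum-source floor are constructed assumptions.

```python
"""Flag a surge in distinct sources probing one port (the slides' 23/tcp case)
from flow summaries, tracking the two series the chart plots: unique source
IPs and probe count per day. Added example, not AT&T's tracker."""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# Constructed flow summaries: (day, source IP, destination port, protocol).
# Addresses are RFC 5737 documentation ranges; the volumes are made up.
FLOWS: List[Tuple[str, str, int, str]] = []
for _day in ("d01", "d02", "d03", "d04", "d05", "d06"):
    for _i in range(4):                    # steady background: 4 sources, 2 probes each
        FLOWS.append((_day, f"192.0.2.{_i}", 23, "tcp"))
        FLOWS.append((_day, f"192.0.2.{_i}", 23, "tcp"))
for _i in range(40):                       # day 7: 40 new sources, one probe each
    FLOWS.append(("d07", f"198.51.100.{_i}", 23, "tcp"))
for _day in ("d01", "d07"):                # unrelated 80/tcp traffic, must not count
    FLOWS.append((_day, "203.0.113.9", 80, "tcp"))


def daily_series(flows, port: int, proto: str = "tcp") -> Dict[str, Tuple[int, int]]:
    """Per day: (unique source IPs, number of probes) seen against port/proto."""
    sources = defaultdict(set)
    probes = defaultdict(int)
    for day, src, dport, pr in flows:
        if dport == port and pr == proto:
            sources[day].add(src)
            probes[day] += 1
    return {d: (len(sources[d]), probes[d]) for d in sorted(sources)}


def surge_days(series: Dict[str, Tuple[int, int]], factor: float = 3.0,
               min_sources: int = 10) -> List[str]:
    """Days whose unique-source count exceeds `factor` times the median of all
    earlier days; min_sources keeps tiny baselines from alerting (assumed values)."""
    flagged = []
    days = list(series)
    for idx, day in enumerate(days):
        history = [series[d][0] for d in days[:idx]]
        if len(history) < 3:               # not enough baseline yet
            continue
        uniq = series[day][0]
        if uniq >= min_sources and uniq > factor * median(history):
            flagged.append(day)
    return flagged
```

Running `surge_days(daily_series(FLOWS, 23))` flags only day d07, while the 80/tcp series stays quiet because its baseline never reaches three days.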

Page 8

Early Indications of Worm Activity
Evolution and status of worm variants

Timeline (as labelled on the slide):
• Oct 23: Out of Cycle RPC Patch, MS08-067 (Advisory on Oct 23)
• In Cycle SMB Patch, MS08-068
• Nov 4: Early indicator, RPC scanning
• Early Indicator, SMB scanning
• Nov 21: Variant A; increased scanning from Downadup.A and other malware
• Dec 29: Variant B; Downadup.B and other malware spreading
• Feb 06: Variant B++
• Mar 05: Variant C
• Mar 17: New Variant D
• April 07: New Variant E; Variant C/D Activation; Variant E
• May 03: Self delete

Page 9

Indicators of the Storm Worm (W32/Nuwar, Trojan.Peacomm) active on changing UDP ports

Storm Worm Tracker

Chart annotations: Storm worm transitions to new port; Storm worm continuing to utilize ports 11275/udp and 16275/udp.

Page 10

AT&T Threat Recon Index (TRI)

Chart annotations: DownAdUp/Conficker Activity; Pop-up spam Activity; Downward Trend - SASSER Diminishing.

Page 11

Illustrative Power of Botnets
Just a few bots can disrupt business operations

Chart: Number of Bots (600 Kbps upload) required to saturate each link type, y-axis from 0 to 18,000.

Link    Capacity   Bots required
T1      1.5 Mbps   3
OC3     155 Mbps   259
OC12    622 Mbps   1,037
OC48    2.4 Gbps   4,147
OC192   10 Gbps    16,667

Chart annotations: Power Required to Disrupt a Business; Power Required to Disrupt Typical ISP or Hosting Provider.
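The chart's bot counts can be recomputed from the per-bot upload figure, as in this added example (not AT&T's code or data). It assumes the nominal line rates below, including the exact SONET rate of 2488 Mbps for OC48, which is what makes the 4,147 figure come out, and it also runs the calculation in reverse to find the largest link a given number of bots can fill.

```python
"""Recompute the 'Illustrative Power of Botnets' chart: bots needed, at 600 Kbps
upload each, to fill a link. Added example, not AT&T's own figures or tooling."""
import math
from typing import Dict

# Nominal line rates in Mbps. The slide labels OC48 as 2.4 Gbps, but the chart
# value 4,147 only comes out with the exact SONET rate 2488 Mbps, so that is
# assumed here.
LINK_MBPS: Dict[str, float] = {
    "T1": 1.5,
    "OC3": 155.0,
    "OC12": 622.0,
    "OC48": 2488.0,
    "OC192": 10000.0,
}

BOT_UPLOAD_KBPS = 600.0  # per-bot upload capacity used on the slide


def bots_to_saturate(link_mbps: float, bot_kbps: float = BOT_UPLOAD_KBPS) -> int:
    """Smallest whole number of bots whose combined upload meets the link rate."""
    if link_mbps <= 0 or bot_kbps <= 0:
        raise ValueError("rates must be positive")
    return math.ceil(link_mbps * 1000.0 / bot_kbps)


def chart(bot_kbps: float = BOT_UPLOAD_KBPS) -> Dict[str, int]:
    """Bots required per link type, in the chart's order."""
    return {name: bots_to_saturate(mbps, bot_kbps) for name, mbps in LINK_MBPS.items()}


def largest_link_filled(bots: int, bot_kbps: float = BOT_UPLOAD_KBPS) -> str:
    """Largest link type that `bots` bots can saturate, or 'none'."""
    filled = "none"
    for name, mbps in LINK_MBPS.items():   # dict keeps ascending capacity order
        if bots * bot_kbps >= mbps * 1000.0:
            filled = name
    return filled


if __name__ == "__main__":
    for link, n in chart().items():
        print(f"{link:6s} {LINK_MBPS[link]:8.1f} Mbps  {n:6d} bots")
```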

Page 12

Cyber Attack Strategy
Adversary Performs Reconnaissance to Exploit Vulnerabilities

Attack track: Reconnaissance, Scanning, System Access, Damage, Coverage

Adversary activities along the track:
• Reconnaissance: Web-Based Information Collection; Social Engineering
• Scanning: Broad Network Mapping; Targeted Scan
• System Access: Service Vulnerability Exploitation; Password Guessing
• Damage: DDOS Zombie Code Installation; System File Delete
• Coverage: Log File Changes; Use of Stolen Accounts for Attack

Defense phases: Indications and Warning Threshold (Defense); Preventive Phase (Defense); Reactive Phase (Defense)

• Observe & recognize anomalies as messengers of impending security event
• Develop situational awareness
• Identify vulnerabilities
• Implement layers of security to update stance
• Execute security policies
• Contain and remediate
• Perform forensics to diagnose event
• Update security stance

Page 13

Top 10 Potential Bots
Potential threats identified, yet still active and waiting

NOTES:
• One day of activity
• Actual size could be at least 10-20x larger
• This report only covers top 10 active IRC-based botnets.

Top 20 Billboard for 20090818 * Generated Wed Aug 19 00:03:04 2009

Name                 Members   Servers   Domains
Darkwarez070323      3427      1         413
90Day060531          59073     9         32
Evilpacket060823     30803     6         238
unnamed              7182      67        380
Letmein060206        16686     21        151
Nadersamar061220     16271     9         42
Fucuzzy060731        6035      26        237
Foolishfoe070227     7202      17        173
Frf1Dns2go060613     9546      6         76
Debelizombi060928    847       3         503
Others               17108     133       1342

Page 14

Network-Based Security Services
Protection in the Provider Core

Diagram: an Attacker on the Internet, the AT&T IP Backbone with an AT&T Security Node and a Network Based Security Data Center (NB-SDC), and the customer's Enterprise DMZ and Enterprise Intranet. Services shown in the provider core: Internet Protect; Distributed Denial of Service (DDoS) Defense; IDS/IPS; Secure Email, Web... Labels: Enterprise Security Responsibility; Reduced Enterprise Investment (People, Capital, Software).

Page 15

AT&T Approach For Cyber Security
Observe, Protect, and Prevent

Situational Awareness (Observe): Collection; Analyze; Report; Act
Observe, track, and report enterprise security anomalies in real-time.

Network Protection (Protect): Authentication; Firewall; Intrusion detection and prevention; Antivirus; AntiSPAM
Perimeter protection of the network with self protecting network.

Security Engineering and Operations (Prevent): Planning; Research; Assessment; Certification and accreditation (C&A); Testing; Training
Proactive engineering and operations.

Page 16

24/7 Situational Cyber Security Awareness
Providing Real-Time Security Management

Diagram: event pipeline from AT&T Enterprise and Internet Feeds to the AT&T Global Network Operations Center.

Inputs (~600 Million Events/Day): IDS Alarms; Firewall Logs; DLP Alarms; Netflow; Internet Alarms; DDOS Detection; VPN Logs; Honey Pots; Server Alarms; Proxy Logs

Processing: Customized Event Parsers and Consolidators; Management Servers, Consoles, and Database (AT&T Custom Database Technology, Daytona Data Mining System); Threat Management Interface

Output: ~170 Alerts/Day; ~40 Cases/Day

Page 17

Security Operations Center (SOC)

24x7 Discovery
● via GNOC hotline
● via Incident Response Mailbox
● via Threat Management System

100+ years of Security Focus

Back-Up to Redundant SOC

Page 18

Network Security
Layered 'Threat Protection'

• Security Event & Threat Analysis
• Internet Embedded Defenses
• WAN Traffic Analysis
• Network Embedded Gateways
• Premises Security Devices

Page 19

Secure Node Architecture

Diagram elements: Customers via AT&T; AT&T CBB; Proxy; Flow Analysis; Packet Capture; Vulnerability Analysis; Intrepid/Vanguard; Forensics; Firewall, IDS/IPS, URL, AV; AVMS; Scrubbers (DDoS Protections, Clean Pipe); SOC – Threat Intelligence.

Security Functions: Firewall; IDS/IPS; URL/Web filtering; Logging/Reporting; Anti-virus; User Authentication; Email scanning; DDoS; DLP

Page 20

AT&T Internet Protect®
AT&T BusinessDirect® Portal & Reporting

Portal screens shown: Alert Summary; Alert Details; Port Watch.

Page 21

AT&T Private Intranet Protect Service

Including:
• Top Talkers Sending Traffic into Your Network
• TCP or UDP Protocol Distribution of Traffic Coming into Your Network

Page 22

AT&T Distributed Denial of Service (DDoS) Defense
Multiple Points of Vulnerability

Diagram elements: Bot Controller; Zombies on innocent computers; AS; AS; AS; Peering Point; ISP Backbone; Attacked Server; Enterprise; Web Server.

Features and Benefits:
• Accurately identify attacks in seconds
• Immediately mitigate a broad range of DoS and DDoS attacks
• Dedicated, Shared, or Subscription options
• Defense against attacks designed specifically to disable infrastructure resources, applications and businesses
• Secures availability and ensures business continuity

Page 23

Same diagram and feature list as Page 22, with the attack types labelled: Server-level DDoS attacks; Infrastructure-level DDoS attacks; Bandwidth-level DDoS attacks.

Page 24

Same diagram and feature list as Page 22, with a DDoS Scrubber added and the labels: DDoS attack mitigated; Infrastructure-level DDoS attacks.

Page 25

AT&T's Security Capabilities
How we protect your network infrastructure

• Employ the network as the first line of defense
• Utilize AT&T's predictive security capabilities
• Implement a defense-in-depth strategy
• Use a Risk-Based approach
• Apply reactive to proactive to predictive to adaptive
• Provide a broad portfolio of security services

Quick Facts about AT&T Managed Security
• End to end Security Capabilities - from end point to the cloud
• Security integrated with AT&T services as appropriate
• "In the Cloud" security industry recognition
• More than 1,500 world-class security experts and support professionals
• SAS70 and PCI Compliant services
• Customer access to reports and tools via AT&T BusinessDirect® Portal

Page 26

Thank You!

Page 27

AT&T Managed Security Services

Threat Management
• Attack & Traffic Information: General Internet; Customer's VPN; Broader customer network
• Mitigation: Internet attack; General network attack; Threat, Intelligence, Operations

On-Going Protection
• Firewalls: Take advantage of AT&T's network; Protect the perimeter; Protect the edge
• Content: Email; Web Activity; Content Protection; User Authentication

Custom or Other Specific Needs

AT&T Managed Services
• AT&T Internet Protect®; Private Intranet Protect; Intrusion Detection Services; DDoS Defense & My Internet Protect; Intrusion Prevention Services; Fully Managed 24X7 Security Operations
• Network-Based Firewall; Premises-Based Firewall; End-Point Security
• Secure Email Gateway; Web Security; Data Leakage Protection; Token Authentication
• Security Professional Services

Graphic label: THREATS / Security