Glasnost or Tyranny? You Can Have Secure and Open Networks!
Steven Hurst CISSP
Director - AT&T Security Services and Technology, AT&T Chief Security Office
© 2009 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. AT&T Proprietary
AT&T is a proud sponsor of StaySafe Online
Everything is Moving to IP
Wireless data traffic quadruples every year (Web, video, image sharing, messaging)
[Chart: growth of the Internet along a timeline of 1993, 1996, 1998, Today, 2010, 2011]
• Internet users: 48 million; more than 1.3 billion; 2 billion
• Web sites: 130; more than 135 million; 200 million
• Email addresses: 253 million; more than 1.6 billion; more than 2 billion
[Chart: IP-enabled devices on the global IP network]
AT&T Global IP Network: An Incredible Vantage Point!
Network Security Threats
• Social Engineering
• “Data Leakage”: lost/stolen laptops, unsecured servers
• Spam for Hire
• Insider Threats
• Phishing, Sniffing, Keylogging, etc.
• Distributed Denial of Service
• Botnets
Example - Internet Anomalies Tracked by AT&T
Significant increase in sources scanning port 23/tcp
Scan Activity Targeting Telnet: the characteristics that highlight the activity
[Chart: unique source IP addresses scanning, and number of probes, plotted over time]
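The slide plots two series, unique sources scanning 23/tcp and the number of probes, and the anomaly is the jump in the first one. The following is an added example, not code from the AT&T deck: it derives both series from NetFlow-style records and flags days where the count of scanning sources rises well above a trailing baseline. All flow records are constructed, and the scanner threshold (three distinct targets on the port in a day) and the surge factor are assumptions, since the deck does not state how AT&T classifies a scanner.

```python
"""Flow-based detection of a surge in sources scanning Telnet (23/tcp).

Added example, not taken from the AT&T deck: it derives the two series the
slide plots, unique scanning sources per day and probe count per day, from
NetFlow-style records, then flags days where the source count jumps well
above the trailing baseline. Every flow record here is constructed.
"""
from collections import defaultdict
from statistics import median


def constructed_flows():
    """Build a five-day sample of (day, src_ip, dst_ip, proto, dst_port) tuples.

    Three quiet days are followed by two days with many more scanning sources,
    mirroring the jump the slide highlights. Addresses are documentation ranges.
    """
    scanners_per_day = {"2009-08-10": 2, "2009-08-11": 1, "2009-08-12": 2,
                        "2009-08-13": 9, "2009-08-14": 12}
    flows = []
    for day, n in scanners_per_day.items():
        for i in range(n):
            src = f"198.51.100.{i + 1}"
            for j in range(5):  # each scanner probes five distinct hosts on 23/tcp
                flows.append((day, src, f"192.0.2.{j + 1}", "tcp", 23))
        # background: ordinary web traffic and one single-host Telnet session
        flows.append((day, "203.0.113.7", "192.0.2.1", "tcp", 80))
        flows.append((day, "203.0.113.8", "192.0.2.9", "tcp", 23))
    return flows


def daily_scan_stats(flows, port=23, proto="tcp", min_targets=3):
    """Return {day: (unique_scanning_sources, probes_from_those_sources)}.

    A source counts as a scanner on a day once it has touched at least
    `min_targets` distinct destinations on the watched port. The threshold is
    an assumption; the deck does not state how AT&T classifies a scanner.
    """
    targets = defaultdict(lambda: defaultdict(set))   # day -> src -> {dst}
    probes = defaultdict(lambda: defaultdict(int))    # day -> src -> flow count
    for day, src, dst, p, dport in flows:
        if p == proto and dport == port:
            targets[day][src].add(dst)
            probes[day][src] += 1
    stats = {}
    for day in sorted(targets):
        scanners = [s for s, dsts in targets[day].items() if len(dsts) >= min_targets]
        stats[day] = (len(scanners), sum(probes[day][s] for s in scanners))
    return stats


def flag_surges(stats, factor=3.0, window=3):
    """Return the days whose unique-source count exceeds `factor` times the
    median of the preceding `window` days (a full window is required)."""
    days = sorted(stats)
    flagged = []
    for i in range(window, len(days)):
        baseline = median(stats[d][0] for d in days[i - window:i])
        if stats[days[i]][0] > factor * max(baseline, 1):
            flagged.append(days[i])
    return flagged


if __name__ == "__main__":
    stats = daily_scan_stats(constructed_flows())
    for day, (sources, probes) in stats.items():
        print(f"{day}: {sources:3d} scanning sources, {probes:4d} probes")
    print("surge days:", flag_surges(stats))
```

The median baseline rather than the mean keeps one already-anomalous day from inflating the baseline for the next, which is why the second surge day is still flagged even though the first one sits inside its window.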
Early Indications of Worm Activity: evolution and status of worm variants
[Timeline: Downadup/Conficker variants and the scanning indicators that preceded them]
• Oct 23: Out of cycle RPC patch, MS08-067 (advisory on Oct 23)
• Nov 4: Early indicator - RPC scanning
• In cycle SMB patch, MS08-068; early indicator - SMB scanning
• Nov 21: Variant A; increased scanning from Downadup.A and other malware
• Dec 29: Variant B; Downadup.B and other malware spreading
• Feb 06: Variant B++
• Mar 05: Variant C
• Mar 17: New Variant D
• April 07: New Variant E
• Variant C/D activation; Variant E self delete May 03
Indicators of the Storm Worm (W32/Nuwar, Trojan.Peacomm) active on changing UDP ports
[Chart: Storm Worm Tracker]
• Storm worm transitions to new port
• Storm worm continuing to utilize ports 11275/udp and 16275/udp
AT&T Threat Recon Index (TRI)
• DownAdUp/Conficker activity
• Pop-up spam activity
• Downward trend - SASSER diminishing
Illustrative Power of Botnets: just a few bots can disrupt business operations
[Chart: number of bots (600 Kbps upload each) needed to fill a link of each capacity]
• T1 (1.5 Mbps): 3 bots
• OC3 (155 Mbps): 259 bots
• OC12 (622 Mbps): 1,037 bots
• OC48 (2.4 Gbps): 4,147 bots
• OC192 (10 Gbps): 16,667 bots
Chart labels: "Power required to disrupt a business" (lower link capacities) and "Power required to disrupt typical ISP or hosting provider" (higher link capacities)
Cyber Attack Strategy: adversary performs reconnaissance to exploit vulnerabilities
[Diagram: attack phases from left to right, with the defense phase that applies to each]
Attack phases and example activities:
• Reconnaissance: Web-based information collection; social engineering
• Scanning: broad network mapping; targeted scan
• System Access: service vulnerability exploitation; password guessing
• Damage: DDOS zombie code installation; system file delete
• Track Coverage: log file changes; use of stolen accounts for attack
Indications and Warning Threshold (Defense):
• Observe & recognize anomalies as messengers of impending security event
• Develop situational awareness
Preventive Phase (Defense):
• Identify vulnerabilities
• Implement layers of security to update stance
• Execute security policies
Reactive Phase (Defense):
• Contain and remediate
• Perform forensics to diagnose event
• Update security stance
Top 10 Potential Bots: potential threats identified, yet still active and waiting
NOTES:
• One day of activity
• Actual size could be at least 10-20x larger
• This report only covers top 10 active IRC-based botnets
Top 20 Billboard for 20090818 * Generated Wed Aug 19 00:03:04 2009
Name               Members  Servers  Domains
Darkwarez070323       3427        1       41
390Day060531         59073        9       32
Evilpacket060823     30803        6      238
unnamed               7182       67      380
Letmein060206        16686       21      151
Nadersamar061220     16271        9       42
Fucuzzy060731         6035       26      237
Foolishfoe070227      7202       17      173
Frf1Dns2go060613      9546        6       76
Debelizombi060928      847        3      503
Others               17108      133     1342
Network-Based Security Services: protection in the provider core
[Diagram: an attacker on the Internet; the AT&T IP Backbone with an AT&T Security Node and a Network Based Security Data Center (NB-SDC); the Enterprise DMZ and Enterprise Intranet behind them]
• Security node functions: Internet Protect; Distributed Denial of Service (DDoS) Defense; IDS/IPS; Secure Email, Web…
• Enterprise security responsibility
• Reduced enterprise investment (people, capital, software)
AT&T Approach For Cyber Security: observe, protect, and prevent
Observe - Situational Awareness: Collection, Analyze, Report, Act
Observe, track, and report enterprise security anomalies in real time.
Protect - Network Protection: Authentication, Firewall, Intrusion detection and prevention, Antivirus, AntiSPAM
Perimeter protection of the network with a self-protecting network.
Prevent - Security Engineering and Operations: Planning, Research, Assessment, Certification and accreditation (C&A), Testing, Training
Proactive engineering and operations.
24/7 Situational Cyber Security Awareness
Providing Real-Time Security Management
[Diagram: event pipeline from the feeds to the AT&T Global Network Operations Center]
• AT&T Enterprise and Internet Feeds: IDS alarms, firewall logs, DLP alarms, Netflow, Internet alarms, DDOS detection, VPN logs, honey pots, server alarms, proxy logs
• Customized event parsers and consolidators
• Management servers, consoles, and database (AT&T custom database technology: Daytona Data Mining System)
• Threat Management Interface
• AT&T Global Network Operations Center
Volumes: ~600 million events/day reduced to ~170 alerts/day and ~40 cases/day
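The reduction from hundreds of millions of events to a few dozen cases happens in the "customized event parsers and consolidators" stage. The following is an added example, not AT&T's code and not its Daytona system: two constructed log formats (a firewall deny line and an IDS alarm line) are normalized into one event schema, then events from the same source with the same category are collapsed into a single alert that carries a count and the distinct targets. The line formats, field names, sample lines and the alert threshold are all assumptions.

```python
"""Event parsing and consolidation, the stage between raw feeds and alerts.

Added example, not AT&T's code and not its Daytona system: two constructed
log formats (a firewall deny line and an IDS alarm line) are normalized into
one event schema, then events from the same source with the same category
are collapsed into a single alert carrying a count and the distinct targets.
The line formats, field names and the alert threshold are all assumptions.
"""
import re
from collections import defaultdict

FW_RE = re.compile(
    r"^(?P<ts>\S+) FW DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)$")
IDS_RE = re.compile(
    r'^(?P<ts>\S+) IDS ALERT sig="(?P<sig>[^"]+)" src=(?P<src>\S+) dst=(?P<dst>\S+)$')

# Constructed sample feed: one host sweeping 445/tcp across eight servers,
# two IDS alarms from the same host, three unrelated single denies, and one
# line that no parser understands.
SAMPLE_LINES = (
    [f"2009-08-18T02:1{i}:00 FW DENY src=198.51.100.5 dst=192.0.2.{10 + i} dport=445"
     for i in range(8)]
    + ['2009-08-18T02:19:00 IDS ALERT sig="SMB probe" src=198.51.100.5 dst=192.0.2.10',
       '2009-08-18T02:19:30 IDS ALERT sig="SMB probe" src=198.51.100.5 dst=192.0.2.11',
       "2009-08-18T03:00:00 FW DENY src=203.0.113.20 dst=192.0.2.1 dport=22",
       "2009-08-18T03:05:00 FW DENY src=203.0.113.21 dst=192.0.2.1 dport=22",
       "2009-08-18T03:07:00 FW DENY src=203.0.113.22 dst=192.0.2.2 dport=3389",
       "this line matches neither parser and is dropped"]
)


def parse_event(line):
    """Normalize a raw line into {ts, src, dst, feed, category}; None if unparsed."""
    m = FW_RE.match(line)
    if m:
        return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                "feed": "firewall", "category": f"deny:{m['port']}"}
    m = IDS_RE.match(line)
    if m:
        return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                "feed": "ids", "category": m["sig"]}
    return None


def consolidate(events, min_count=5):
    """Group events by (src, category) and emit one alert per group that reaches
    `min_count`, so a sweep of many denies becomes one alert instead of many."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e["src"], e["category"])].append(e)
    alerts = []
    for (src, category), evs in buckets.items():
        if len(evs) >= min_count:
            alerts.append({
                "src": src, "category": category, "count": len(evs),
                "targets": sorted({e["dst"] for e in evs}),
                "feeds": sorted({e["feed"] for e in evs}),
                "first": min(e["ts"] for e in evs),
                "last": max(e["ts"] for e in evs),
            })
    return sorted(alerts, key=lambda a: -a["count"])


def build_alerts(lines, min_count=5):
    """Run the whole funnel: parse, drop unparsable lines, consolidate."""
    events = [e for e in map(parse_event, lines) if e is not None]
    return events, consolidate(events, min_count)


if __name__ == "__main__":
    events, alerts = build_alerts(SAMPLE_LINES)
    print(f"{len(SAMPLE_LINES)} lines -> {len(events)} events -> {len(alerts)} alerts")
    for a in alerts:
        print(a)
```

Keying on (source, category) is what turns a sweep of eight denies into one alert; the three unrelated denies stay below the threshold and never reach an analyst, which is the shape of the 600 million to 170 reduction the slide describes. A real consolidator would also bound the time window per bucket, which is left out here.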
Security Operations Center (SOC)
24x7 Discovery
• via GNOC hotline
• via Incident Response Mailbox
• via Threat Management System
100+ years of security focus
Back-up to redundant SOC
Network Security: layered ‘Threat Protection’
[Diagram: protection layers from the Internet inward to the customer premises]
• Security event & threat analysis: SOC - threat intelligence
• Internet embedded defenses: DDoS protections (scrubbers, clean pipe)
• WAN traffic analysis: flow analysis
• Network embedded gateways (Secure Node Architecture): proxies; packet capture; vulnerability analysis; Intrepid/Vanguard; forensics; firewall, IDS/IPS, URL, AV; AVMS; customers via AT&T CBB
• Premises security devices
Security functions: Firewall; IDS/IPS; URL / Web filtering; Logging / Reporting; Anti-virus; User authentication; Email scanning; DDoS; DLP
AT&T Internet Protect®
AT&T BusinessDirect® Portal & Reporting
[Screenshots: Alert Summary, Alert Details, Port Watch]
Including:
• Top Talkers Sending Traffic into Your Network
• TCP or UDP Protocol Distribution of Traffic Coming into Your Network
AT&T Private Intranet Protect Service
AT&T Distributed Denial of Service (DDoS) Defense: multiple points of vulnerability
[Diagram in three steps: a bot controller directs zombies on innocent computers across several ASes; their traffic crosses the peering point and the ISP backbone toward the attacked server (the enterprise Web server); a DDoS scrubber in the backbone mitigates the attack]
Attack types shown: server-level DDoS attacks; infrastructure-level DDoS attacks; bandwidth-level DDoS attacks
Features / Benefits:
• Accurately identify attacks in seconds
• Immediately mitigate a broad range of DoS and DDoS attacks
• Dedicated, Shared, or Subscription options
• Defense against attacks designed specifically to disable infrastructure resources, applications and businesses
• Secures availability and ensures business continuity
AT&T’s Security Capabilities: how we protect your network infrastructure
• Employ the network as the first line of defense
• Utilize AT&T’s predictive security capabilities
• Implement a defense-in-depth strategy
• Use a risk-based approach
• Apply reactive to proactive to predictive to adaptive
• Provide a broad portfolio of security services
Quick Facts about AT&T Managed Security
• End-to-end security capabilities - from end point to the cloud
• Security integrated with AT&T services as appropriate
• “In the Cloud” security industry recognition
• More than 1,500 world-class security experts and support professionals
• SAS70 and PCI compliant services
• Customer access to reports and tools via AT&T BusinessDirect® Portal
Thank You!
AT&T Managed Security Services
[Diagram: the service portfolio mapped against threats]
Threat Management - attack & traffic information: general Internet; customer’s VPN; broader customer network
Mitigation - Internet attack; general network attack; threat, intelligence, operations
On-Going Protection - firewalls: take advantage of AT&T’s network; protect the perimeter; protect the edge
Content - email; Web activity; content protection; user authentication
Custom or Other Specific Needs - Security Professional Services
AT&T Managed Services:
• AT&T Internet Protect®
• Private Intranet Protect
• Intrusion Detection Services
• DDoS Defense & My Internet Protect
• Intrusion Prevention Services
• Fully Managed 24X7 Security Operations
• Network-Based Firewall
• Premises-Based Firewall
• End-Point Security
• Secure Email Gateway
• Web Security
• Data Leakage Protection
• Token Authentication