defending workstations - cyber security webinar part 2

© F-Secure Confidential

DEFENDING WORKSTATIONS

CYBER SECURITY WEBINAR PART 2

JARNO NIEMELÄ, F-SECURE

4TH OF JUNE 2015




Attackers Have Bosses And Budgets Too (@philvenables)

Attackers may seem omnipotent

After all, they need to find only one hole, and the defender has to plug them all

In reality attackers are very constrained

Without a vulnerability there is no exploit

Commodity exploits work out of the box only on default configurations

Anything that requires custom work is expensive

The attackers' comfort zone is unmodified Windows or OS X

Break the attacker's budget

Anything out of the ordinary will force the attacker to do custom work

https://www.troopers.de/media/filer_public/12/29/12298918-04d6-4f26-96d3-4205d09dd70d/andreas_lindhdefendereconomics.pdf


Mechanics Of Document Exploit Attack

In principle document exploit attacks are very simple

The original document that the victim receives contains an exploit

The document reader is taken over and has the same access as the user

Drop payload EXE to some location and execute it

After which the exploited Word, Acrobat, etc. process crashes

Dropped payload drops a clean document

The clean document is loaded to give the user the document he was expecting

After which the payload is free to continue in the background

Usually the next action is to connect to C&C, or wait until trigger


Mechanics Of Browser Based Attack

The attacker either directly takes over a web site or uses malvertising

The compromised web site contains hidden Iframe or plain redirect

Typically one redirect is followed by another

The redirected site contains an exploit kit

The exploit kit analyses the browser signature and selects a suitable exploit

User’s browser is served exploit which takes it over

After that the story continues the same way as with document exploit


Install Malware

In order to persist, the attacker needs

To drop a malware and run it

Thus he needs write access

And ability to execute dropped files

The location needs to be writable by normal user, but still one that user does not pay attention to

%TEMP%

C:\users\USER (%userprofile%)

C:\users\USER\AppData\Roaming (%appdata%)

C:\users\USER\AppData\LocalLow

C:\ProgramData\

C:\Program Files\

C:\, D:\, E:\, F:\, etc.: the root of any drive (blocking writes here will also stop autorun worms)

c:\Users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Startup\

c:\$Recycle.Bin\

C:\recovery

Resources Needed By Attacker

Contact: To be exploited, the web browser, PDF reader, etc. must load the content

Exploitability: The feature that is targeted by the exploit must be enabled

Landing: The attacker must be able to drop and execute malware

Otherwise he will go down with the crashing program

Communication: Without C&C the dropped payload is most likely useless


Prevent Contact With Hostile Material

Attacks are unique only once

Thus any hostile domain is identified and blacklisted in no time

Use HTTP connection blocking, scanning and filtering to prevent contact

Web reputation filters out any known attack domain

Content scanning identifies exploits and known dropped components

Content filtering will drop Flash, Java, Silverlight and EXE files from unknown domains

Filter out suspicious attachments from email

EXEs are straight out

Consider custom stripping for documents, etc.


Make Sure What Is Running Is Patched

Yeah, everyone knows that IT should deploy all patches ASAP

But what about software that users have installed without IT's knowledge?

If vulnerable software is deployed, it does not matter whether the exploit is a 0-day or not

Verizon reports that 10 vulnerabilities accounted for almost 97% of attacks

Source: http://www.verizonenterprise.com/DBIR/2015/

Minimize Vulnerable Attack Surface

Disable all unnecessary content from web browsers

Disable Java and ActiveX unless you need them for something

If you really need Java, whitelist specific sites

Block Flash, Silverlight, etc. or use click-to-play

If users accept it, install NoScript with sensible defaults

Disable unnecessary features from office software

Disable all multimedia, etc. plugins from Word, Excel and Acrobat

Do you really need a PDF or document that runs Flash or ActiveX?

Disable JavaScript in Acrobat

In general, strip out features that users don't need


Harden Process Memory Handling

Harden memory handling of any application that processes external data:

Any process that serves the network

Acrord32 and other PDF readers

WinZip, 7-Zip, etc.

Excel, PowerPoint, Word, Outlook, Winword.exe

Explorer.exe, iexplore.exe, Firefox, Chrome

Skype.exe, Wmplayer.exe, VLC, and any other video player

For Windows use Microsoft EMET

It is possible to write exploits so that they bypass EMET

But then the attacker has to knowingly try to circumvent EMET

For Linux use grsecurity


Configure Your End Point Right

You probably have read blogs about “AV being useless”

Partly it is because being 99% perfect is not enough

And blocking espionage is especially difficult

But in corporate environments it's mainly due to AV being used wrong

Cloud queries are switched off

Web traffic filtering and scanning is switched off

Behavioral heuristics are switched off

Which means about 90% of protection is disabled


Make Sure You Have A Proper Behavior IDS

If the exploit runs, it is very unlikely that the scanner detects the dropped files

But that's OK, that's why proper end point security has a behavior IDS

Detect a change in the exploited application's behavior

Detect a file appearing on disk without a good reason to do so

Detect launching an unknown file from an unusual location

Etc.: things that are out of place
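The "unknown file from unusual location" check above, as an added PowerShell example that is not part of the webinar or of any F-Secure product. Its rules are the user-writable drop locations from the Install Malware slide (the Startup folder pattern covers the path given there), the rule names are mine, and the input is a handful of constructed lines in the shape of the "New Process Name" field of Windows Security event 4688.

```powershell
# Added example, not from the webinar: flag process launches from the
# user-writable drop locations listed on the "Install Malware" slide.
# Most specific patterns first, because Roaming also contains the Startup folder.
$UnusualLocationRules = @(
    @{ Name = 'Startup folder';     Pattern = '^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\' },
    @{ Name = '%TEMP%';             Pattern = '^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\' },
    @{ Name = '%APPDATA%';          Pattern = '^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\' },
    @{ Name = 'AppData\LocalLow';   Pattern = '^[A-Za-z]:\\Users\\[^\\]+\\AppData\\LocalLow\\' },
    @{ Name = '%USERPROFILE% root'; Pattern = '^[A-Za-z]:\\Users\\[^\\]+\\[^\\]+$' },
    @{ Name = 'ProgramData';        Pattern = '^[A-Za-z]:\\ProgramData\\' },
    @{ Name = 'Program Files root'; Pattern = '^[A-Za-z]:\\Program Files( \(x86\))?\\[^\\]+$' },
    @{ Name = 'Recycle Bin';        Pattern = '^[A-Za-z]:\\\$Recycle\.Bin\\' },
    @{ Name = 'Recovery';           Pattern = '^[A-Za-z]:\\Recovery\\' },
    @{ Name = 'Drive root';         Pattern = '^[A-Za-z]:\\[^\\]+$' }
)

function Test-UnusualLaunchLocation {
    # Returns the name of the first matching rule, or $null when the image lives
    # somewhere an ordinary user cannot write to (e.g. C:\Windows\System32).
    param([Parameter(Mandatory)][string]$ImagePath)
    foreach ($rule in $UnusualLocationRules) {
        if ($ImagePath -match $rule.Pattern) { return $rule.Name }
    }
    return $null
}

# Constructed sample input (not real telemetry), shaped like event 4688 fields.
$SampleLines = @(
    'New Process Name: C:\Windows\System32\notepad.exe',
    'New Process Name: C:\Program Files\Mozilla Firefox\firefox.exe',
    'New Process Name: C:\Users\alice\AppData\Roaming\update.exe',
    'New Process Name: C:\Users\alice\AppData\Local\Temp\~rd0F3A.tmp.exe',
    'New Process Name: C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sync.exe',
    'New Process Name: D:\autorun.exe',
    'New Process Name: C:\ProgramData\svchost.exe'
)

foreach ($line in $SampleLines) {
    if ($line -match '^New Process Name:\s*(?<image>.+?)\s*$') {
        $image = $Matches['image']
        $hit   = Test-UnusualLaunchLocation -ImagePath $image
        if ($hit) { Write-Warning ('{0,-18} {1}' -f $hit, $image) }
        else      { Write-Output  ('{0,-18} {1}' -f 'ok', $image) }
    }
}
```

On the sample input the first two lines pass and the remaining five are flagged. A location check on its own is noisy (legitimate installers run from %TEMP% all day), which is why the slide pairs it with the first two bullets: a real behavior IDS also looks at which process wrote the file and whether the parent is a document reader or browser that normally never spawns executables.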

A good IDS is one of the most valuable parts of a proper client based protection

Another important feature is detections that target things needed by exploits

Exploits tend to need libraries and function calls that are not used in clean code

Exploit:SWF/Salama, Exploit:Java/Majava, Exploit:Java/Katala, Exploit:Java/Kavala


Pretend To Be Malware Analyst

Malware tends to act nice when analysts are around

A lot of malware checks for signs of an analysis environment

If malware thinks it is being investigated it does not do anything

This makes analysis more difficult, but it can be turned against malware

Add telltale signs of an analysis environment to your system

And a lot of malware will fail to run

However some malware like W32/Rombertik does retaliate

So make sure you have proper backups

Although I prefer "Format C:" over malware hiding on my system


Faking Malware Analysis Environment

Copy registry keys from a VMWare Tools installation:

"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum", field "0", value "VMWare"

"HKEY_LOCAL_MACHINE\SOFTWARE\VMWare, inc.\VMWare Tools", field "InstallPath", value "c:\prog…"


Create dummy processes:

Vbox.exe, Vmware.exe, wireshark.exe, regshot.exe, procmon.exe, filemon.exe, regmon.exe, procdump.exe, cports.exe, procexp.exe, squid.exe, dumpcap.exe, sbiectrl.exe

Create dummy files:

C:\Program Files\WinPcap\rpcapd.exe

C:\Program Files\WireShark\rawshark.exe

C:\Program Files\Ethereal\ethereal.html

C:\Program Files\wireshark\wireshark.exe

C:\Program Files\Microsoft Network Monitor3\netmon.exe

C:\program files\ollydbg\Ollydbg.exe

C:\program files\sysinternals\Procmon.exe

C:\program files\sysinternals\Procexp.exe

C:\program files\sysinternals\Diskmon.exe

C:\program files\sysinternals\Autoruns.exe

C:\program files\debugging tools for windows\Windbg.exe
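The three faking steps above (registry values, dummy processes, dummy files) as one added PowerShell script. This is my example, not F-Secure tooling: the registry keys, value names, process names and file paths are the ones on the slides; the InstallPath value is a placeholder because the slide truncates it; and the dummy processes are renamed copies of timeout.exe staged under a directory of my choosing, both of which are assumptions marked in the comments.

```powershell
#Requires -RunAsAdministrator
# Added example (not F-Secure code): plant the analysis-environment indicators
# from the "Faking Malware Analysis Environment" slides on a workstation.

# --- 1. Registry values as listed on the slide (copied from a VMware Tools install)
$DiskEnumKey    = 'HKLM:\SYSTEM\ControlSet001\Services\Disk\Enum'
$VmwareToolsKey = 'HKLM:\SOFTWARE\VMWare, inc.\VMWare Tools'
# ASSUMPTION: the slide truncates the InstallPath value ("c:\prog..."); set your own.
$VmwareInstallPath = 'C:\PLACEHOLDER\VMware Tools'

New-Item -Path $VmwareToolsKey -Force | Out-Null
New-ItemProperty -Path $VmwareToolsKey -Name 'InstallPath' -Value $VmwareInstallPath -PropertyType String -Force | Out-Null
New-ItemProperty -Path $DiskEnumKey    -Name '0'           -Value 'VMWare'           -PropertyType String -Force | Out-Null

# --- 2. Dummy files: zero-byte placeholders satisfy malware that only tests for existence
$DummyFiles = @(
    'C:\Program Files\WinPcap\rpcapd.exe',
    'C:\Program Files\WireShark\rawshark.exe',
    'C:\Program Files\Ethereal\ethereal.html',
    'C:\Program Files\wireshark\wireshark.exe',
    'C:\Program Files\Microsoft Network Monitor3\netmon.exe',
    'C:\program files\ollydbg\Ollydbg.exe',
    'C:\program files\sysinternals\Procmon.exe',
    'C:\program files\sysinternals\Procexp.exe',
    'C:\program files\sysinternals\Diskmon.exe',
    'C:\program files\sysinternals\Autoruns.exe',
    'C:\program files\debugging tools for windows\Windbg.exe'
)
foreach ($file in $DummyFiles) {
    New-Item -ItemType Directory -Path (Split-Path $file -Parent) -Force | Out-Null
    if (-not (Test-Path $file)) { New-Item -ItemType File -Path $file | Out-Null }
}

# --- 3. Dummy processes: each slide name becomes a renamed copy of a harmless host
#        binary that just sleeps. ASSUMPTION: timeout.exe is the host and the staging
#        directory is my choice (kept under Program Files so normal users cannot replace it).
$HostBinary = Join-Path $env:SystemRoot 'System32\timeout.exe'
$StageDir   = 'C:\Program Files\AnalysisDecoys'
$DummyProcesses = @('Vbox.exe', 'Vmware.exe', 'wireshark.exe', 'regshot.exe', 'procmon.exe',
                    'filemon.exe', 'regmon.exe', 'procdump.exe', 'cports.exe', 'procexp.exe',
                    'squid.exe', 'dumpcap.exe', 'sbiectrl.exe')
New-Item -ItemType Directory -Path $StageDir -Force | Out-Null
foreach ($name in $DummyProcesses) {
    $baseName = [IO.Path]::GetFileNameWithoutExtension($name)
    # Skip names that are already running, e.g. when the script is re-run at logon
    if (Get-Process -Name $baseName -ErrorAction SilentlyContinue) { continue }
    $decoy = Join-Path $StageDir $name
    Copy-Item -Path $HostBinary -Destination $decoy -Force
    # timeout.exe waits 99999 s (its maximum, about 27 h); /nobreak ignores keypresses.
    Start-Process -FilePath $decoy -ArgumentList '/t 99999 /nobreak' -WindowStyle Hidden
}
```

Run it elevated, and schedule it at logon so the decoy processes come back after the wait expires or a reboot. Two checks are worth doing afterwards: the Disk\Enum key is maintained by the Plug and Play manager, so confirm the "0" value is still "VMWare" after a restart; and some endpoint products treat renamed copies of system binaries as suspicious, so exclude the staging directory in your own product before it quarantines your decoys.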

Conclusion

Unless an attacker goes after you personally, he is very restricted

Common criminals lack the know-how and interest for hard targets

Espionage operators also have budgets, and go for easy ROI

That is, attackers prefer to mass produce their attacks

Attackers are very dependent on the victim using a standard configuration

So make your setup unique

Avoid being hit by mass production, require artisanal attacks


QUESTIONS?


THANK YOU FOR YOUR PARTICIPATION!


STAY TUNED FOR THE FUTURE CYBER SECURITY WEBINAR SERIES:

21 September 2015 at 11.00 EET: “Defending servers”

15 October 2015 at 11.00 EET: “Defending network”

9 November 2015 at 11.00 EET: “Responding to an incident”

3 December 2015 at 11.00 EET: “Building secure systems”

The Recording will be available at the BUSINESS SECURITY INSIDER

https://business.f-secure.com