good bot, bad bot, ugly bot. battle of the bots!


Post on 28-Jan-2017


TRANSCRIPT

  • SESSION ID:

    #RSAC

    John Ellis

    Good Bot, Bad Bot, Ugly Bot. Battle of the Bots!

    TTA-R08

    Chief Strategist, Cyber Security (APJ)

    Akamai Technologies

    @zenofsecurity

  • #RSAC

    About me

    Kiwi (New Zealander)

    20+ years experience in IT security (trained sheep to hack)

    Have worked in defence, telecommunications and banking

    Consider myself a student, but love to share what I know

    9 years in Singapore, and see we're still trying to find the Asian solution to the Asian problem (talk to me afterwards if you want to know more).

    Still trying to learn Mandarin... might one day get there


  • #RSAC

    Cyber buzz bingo

    Cyber, SaaS, Threat Intel, Cloud, BYOD, IoT, Cyber Kill Chain, Innovation, Big Data, Breach, TTPs, Signal to noise, Cross-Platform, SMAC, Next-gen, APT, China, Data Driven, Thought Leaders, Cyber Attack, BOT, Game Changer, PaaS, Cyber Crime, Hacktivist

  • #RSAC

    What is a bot?

    A software application that automates tasks that are simple and structurally repetitive at much higher rates or precision than a human.

  • #RSAC

    Bot trends & environment

    44% human traffic, 56% bot traffic

    Bad bots account for 29% of all website visits: 22% fraud activity, 3.5% hacking tools, 3% scrapers, 0.5% spammers

    Good bots account for 27% of all website visits

    Source: Incapsula / Akamai

    Good: search engine, crawler and spider bots; vulnerability scanner and site performance bots; partner bots; aggregator and media bots

    Bad: hacker and fraud bots; scraper bots; DDoS bots; spam bots

  • #RSAC

    Good bots

    Search engine optimization (SEO)

    Marketing

    Vulnerability Scanners

    Performance analysis tools

  • #RSAC

    Bad bots

    Vulnerability scanners

    Fraud

    DDoS attacks

    Malware

    Spam (it ain't ham)

    Scrapers (your competitors)

    Did I mention malware?

  • #RSAC

    Ugly naughty bots

    Want to know everything about you

    Too Friendly

    Crawlers

    Malicious? Maybe, Maybe not

    Scrapers

    Price Aggregators

  • #RSAC

    SPAM Bots


    Target marketing

    Improve SEO

    Malware distribution

    Fraud

  • #RSAC

    Scraper Bots (an example)


    Aggregator Website

    Scraping Service / Tools

  • #RSAC

    Commercial Scraping Services / Tools


    kimono

  • #RSAC

    The BOT evolution


    Desktop

    Server

    Cloud

    Mobile

    Internet of Things (IoT)

  • #RSAC

    DDoS Bots


    Source: Akamai SOTI Security Report Q1 2015

    Chart: DDoS attack instances plotted over time, Q1 2013 to Q1 2015

  • #RSAC

    Top 10 Source Countries for DDoS Attacks

    China 23.45%

    Germany 17.3%

    U.S. 12.18%

    Italy 8.38%

    Spain 7.29%

    India 6.93%

    Korea 6.23%

    U.K. 6.17%

    France 6.03%

    Russia 5.95%

    China

    1.4 billion people

    642 million people online

    Over 50% of systems infected with viruses

    9 out of 10 Windows systems pirated

    70% of Windows systems never patched

  • #RSAC

    DDoS 4 Bitcoin (DD4BC)

    Who, What, Where & How

    DD4BC (DDoS For Bitcoins)

    Online ransom group

    Not ransomware

    No other attribution

    Publicly available DDoS toolkits & rented botnets in the underground

    Who are the targets?


    Chart: target sectors are Banking & Credit Unions, Gaming, Media & Entertainment and Payment Processing, with segments of 74%, 15%, 7% and 4%

  • #RSAC

    Great Cannon (GC) of China

    An in-path system, capable of injecting traffic and directly suppressing traffic

    Acting as a full man-in-the-middle for targeted flows

    Harnesses legitimate web browsing traffic for attack capability and capacity

    Source: https://citizenlab.org/wp-content/uploads/2009/10/ChinasGreatCannon.pdf

    A coding error provides a clue as to how to detect and filter the traffic: an example of the cat-and-mouse game

    Chart: targets of the HTTP GET flood DDoS attack

  • #RSAC

    Value of a hacked PC (Brian Krebs)

    Source: http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/

    Web Server: Phishing site; Malware download site; Warez / Piracy server; Child pornography server; Spam site

    Bot activity: Spam zombie; DDoS extortion zombie; Click fraud zombie; Anonymization proxy; Captcha solving zombie

    Account credentials: Ebay / Paypal fake auction; Online gaming creds; Skype / VoIP creds; Website / FTP creds; Client side encrypt certs

    Financial credentials: Bank account data; Credit card data; Stock trading account data; Mutual fund account data

    Hostage attacks: Email account ransom; Fake antivirus; Ransomware; Web cam extortion

    Webmail: Webmail spam; Stranded abroad scam; Harvesting email accounts; Harvesting associated accounts

    Virtual goods: Online gaming characters; Online gaming goods; PC game licenses; OS licence keys

    Reputation hacking: Facebook; Twitter; LinkedIn; Google+

  • #RSAC

    Using Botnets to access market insights


    Investors

    Managers / Analysts

    Legion / infantry / operators

    Legal return on investment

    Illegal access to information

    Source: Interpol

  • #RSAC

    Account checkers and Fraud

    How does this evil deed typically happen?

    Source: https://www.akamai.com/us/en/multimedia/documents/infosec/akamai-security-and-compliance-account-checkers-and-fraud.pdf

    1. Build tools server: compromise a web server, or use bulletproof hosting with proxies (did someone mention the cloud?); load scripts, ready to go

    2. Cultivate list of open proxies: obtain a list of web proxies; open proxies allow routing around IP blacklists; proxies need to be of sufficient length to mask the attack

    3. Acquire compromised logins: attackers obtain harvested / stolen credentials from sites such as pastebin, or from underground sites; many underground forums sell such information

    4. Check / alter compromised accounts: attackers use a variety of tools to rapidly check the validity of the accounts; accounts that work are marked, and the attackers log in using the credentials; once logged in, the attackers can collect the user's personal data and credit card information to use for further fraud

    5. Make fraudulent purchase: attackers may modify the shipping address of the victim and make purchases with their stored information; the merchandise is sent to an address near the attacker and picked up; recently gift cards, both physical and electronic, have been key items for purchase as they are easily available, difficult to trace and easy to transport
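The checker flow above seen from the defender's side: an added example (not Akamai's or the speaker's code) that scores login logs for the step-4 pattern, many distinct accounts tried from one source with a low hit rate, and also pools the stream because step 2 spreads attempts over open proxies. The sample events, field layout and thresholds are constructed assumptions.

```python
# Added illustration (not Akamai's or the speaker's code): flag the
# account-checker pattern in login logs. Fields and thresholds are assumed.
from collections import defaultdict

# Constructed sample login events: (unix_time, source_ip, username, success)
SAMPLE_LOGINS = [
    (1000, "203.0.113.7", "alice", False),
    (1001, "203.0.113.7", "bob", False),
    (1002, "203.0.113.7", "carol", False),
    (1003, "203.0.113.7", "dave", True),
    (1004, "203.0.113.7", "erin", False),
    (1005, "203.0.113.7", "frank", False),
    (1000, "198.51.100.4", "alice", False),   # one user fumbling a password
    (1030, "198.51.100.4", "alice", False),
    (1060, "198.51.100.4", "alice", True),
]

def stuffing_suspects(events, window=60, min_users=5, max_success_rate=0.5):
    """Return {ip: distinct_users} for sources that, within `window` seconds,
    try at least `min_users` different accounts with mostly failures.
    That is the checker signature: one credential pair per attempt, a low
    hit rate, and a handful of 'working' accounts marked for later use."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    suspects = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):          # sliding window by timestamp
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            users = {u for _, u, _ in win}
            hits = sum(1 for _, _, ok in win if ok)
            if len(users) >= min_users and hits / len(win) <= max_success_rate:
                suspects[ip] = max(suspects.get(ip, 0), len(users))
    return suspects

def stuffing_across_proxies(events, **kw):
    """Because checkers spread attempts over open proxies (step 2 above),
    also evaluate the whole stream as one source: the distinct-user and
    hit-rate signal survives even when each IP stays under the per-IP bar."""
    pooled = [(ts, "ALL", user, ok) for ts, _, user, ok in events]
    return stuffing_suspects(pooled, **kw).get("ALL", 0)
```

The legitimate retrying user on 198.51.100.4 never trips the rule because only one account is involved, which is the distinction an IP-rate limit alone cannot make.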

  • #RSAC

    Account checkers and Fraud


  • #RSAC

    How to manage 'em BOTS

  • #RSAC

    Block, Mitigate or Manage?

    Blocking BOTS causes them to go underground, mutate and become harder to detect

    Management strategies vary depending on the nature of the BOT and its goal

    Not sure if bot... or stupid human?

  • #RSAC

    TTPs for the Good, Bad and Ugly

    Chart: Aggressiveness (vertical axis) against Degrees of Desirability (horizontal axis, Desirable to Undesirable); quadrants: Welcome Bots, Client Validation, Reduce Impact, Terminate with extreme prejudice

  • #RSAC

    Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks.

    Solution Landscape (what can you buy), from a technology perspective:

    BOT Detection Methods (horizontal axis): No BOT Detection; Rate Based Detection; Cross Customer Header/IP Based Tracking; Cross Customer Fingerprint Based Tracking; Advanced BOT Evasion Traps

    BOT Response Methods (vertical axis): Alert/Deny; CAPTCHA; HTML Obscuring/Rewriting; Slow BOT / Serve Alt. / etc.

    Solution types plotted: Cloud WAFs; Cloud BOT Mgt.; BOT Obfuscation; On Prem WAFs

  • #RSAC


    Cooking your BOT management program

    Detection

    Mitigation

    Learnings

  • #RSAC

    Bot Detection Methods

    Client reputation

    Client and browser fingerprinting

    HTTP header anomaly detection

    JavaScript Injection

    JS BOT evasion traps

    Behavioral Analysis

  • #RSAC

    Bot Response Methods

    IP blocking

    Geo blocking

    Rate controls

    Web Application Firewall Rules

    Obfuscation for HTML, JS, URL and Form

    Serve slow, stale, alternate, tar pit

    CAPTCHA challenge
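Two of the detection methods listed on the previous slide (HTTP header anomaly detection and rate-based detection) feeding the response ladder above, as an added example that is not from the deck or from Akamai; the weights, thresholds and sample traffic are constructed assumptions.

```python
# Added illustration (not Akamai's or the speaker's code): score requests on
# HTTP header anomalies plus request rate, then pick a response tier.
# Weights, thresholds and the sample traffic below are assumed/constructed.
from collections import Counter

def header_anomaly_score(headers):
    """Each rule is something a real browser request rarely shows.
    `headers` maps lower-cased header names to values."""
    ua = headers.get("user-agent", "").lower()
    score = 0
    if not ua:
        score += 3                          # no User-Agent at all
    if "mozilla" in ua:                     # claims a browser, so expect browser headers
        score += 2 if "accept-language" not in headers else 0
        score += 2 if "accept" not in headers else 0
        score += 1 if not headers.get("accept-encoding") else 0
    if any(tool in ua for tool in ("python-requests", "curl", "libwww", "scrapy")):
        score += 2                          # self-declared tooling, not a browser
    return score

def rate_score(ip, recent_counts, per_minute_limit=60):
    """Rate-based signal: how far over the per-minute limit the client is."""
    n = recent_counts.get(ip, 0)
    return 0 if n <= per_minute_limit else 2 + (n - per_minute_limit) // per_minute_limit

def decide(headers, ip, recent_counts):
    """Map the combined score onto the deck's response ladder:
    welcome -> reduce impact (serve slow/alternate) -> CAPTCHA -> deny."""
    total = header_anomaly_score(headers) + rate_score(ip, recent_counts)
    if total >= 6:
        return "deny"
    if total >= 4:
        return "captcha"
    if total >= 2:
        return "serve_slow"
    return "welcome"

# Constructed sample traffic: (client_ip, headers)
SAMPLE_REQUESTS = [
    ("192.0.2.10", {"user-agent": "Mozilla/5.0 (Windows NT 10.0)", "accept": "text/html",
                    "accept-language": "en-US", "accept-encoding": "gzip"}),
    ("192.0.2.11", {"user-agent": "Mozilla/5.0 (X11; Linux)"}),   # browser UA, bare headers
    ("192.0.2.12", {"user-agent": "python-requests/2.25", "accept": "*/*"}),
    ("192.0.2.13", {}),
]
RECENT_COUNTS = Counter({"192.0.2.12": 400})   # constructed: requests in the last minute

def triage(requests=SAMPLE_REQUESTS, counts=RECENT_COUNTS):
    return {ip: decide(hdrs, ip, counts) for ip, hdrs in requests}
```

The graded tiers matter because, as the "Block, Mitigate or Manage?" slide notes, an outright block teaches the operator to mutate, whereas a slow or alternate response keeps the bot visible while its cost rises.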

  • #RSAC

    Bot Learnings

    BOT scoring, categorization and trends

    Crowd sourcing of new BOTS www.botopedia.org

    Resource usage by BOT

    Input into evolving your detection and mitigation tactics

    Understand the cost of your mitigation strategies

    http://www.botopedia.org/

