Operation Safety Net: Best Practices to Address Online, Mobile and Telephony Threats
Dennis Dayman, Vice Chairperson, M3AAWG
LACNIC 26 | San Jose, Costa Rica | September 2016


PREVENT | TRACK | UPDATE | REPORT | EDUCATE | SHARE

Others in the room…

⬜ Jesse Sowell
  ● Cybersecurity Fellow, Stanford University
  ● Advisor to the M3AAWG Chairperson
⬜ Matthew “The Stith” Stith
  ● Rackspace
  ● Hosting
⬜ Tobias Knecht
  ● Abusix
  ● Threat Intelligence
⬜ Greg Kraios
  ● 250 OK
  ● Senders and abuse@


Who worked on this?

⬜  The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is where the industry comes together to work against botnets, malware, spam, viruses, DoS attacks and other online exploitation. We are the largest global industry association, with more than 200 members worldwide, bringing together all the stakeholders in the online community in a confidential, open forum. We develop cooperative approaches for fighting online abuse.

⬜ The London Action Plan (LAP) UCENet (Unsolicited Communications Enforcement Network) was founded in 2004 with the purpose of promoting international spam enforcement cooperation. Since inception, UCENet has expanded its mandate to include additional online and mobile threats, including malware, SMS spam and Do-Not-Call. UCENet membership includes representatives from the government regulatory and enforcement community and interested industry members.


PURPOSE OF THE REPORT

⬜ To provide a plain language description of the threats facing businesses, network providers and consumers in the online and mobile threat environment

⬜ To suggest best practices for industry and governments to address these threats


BACKGROUND

⬜ October 2011: members of UCENet and M3AAWG presented to the OECD Committee on Consumer Policy (CCP) on addressing future online threats.
⬜ October 2012:
  ● First Best Practices to Address Online and Mobile Threats was published


Best Practices to Address Online, Mobile and Telephony Threats, 2012

⬜ Malware and Botnets
⬜ Phishing and Social Engineering
⬜ IP and DNS
⬜ Mobile and Voice Threats


2015 NEW REPORT

⬜ An update was needed and we then published Operation Safety-Net: Best Practices to Address Online, Mobile and Telephony Threats


Operation Safety-Net: Best Practices to Address Online, Mobile and Telephony Threats

⬜ Updated: Malware and Botnets
⬜ Updated: Phishing and Social Engineering
⬜ Updated: IP and DNS
⬜ Updated: Mobile and Voice Threats
⬜ New: VoIP and Voice Telephony Fraud
⬜ New: Caller-ID Spoofing
⬜ New: Abuse issues for Hosting and Cloud Services
⬜ New: Online Harassment


NEW/UPDATED DOCUMENTS SINCE LACNIC 25

⬜ M3AAWG Best Current Practices For Building and Operating a Spamtrap, Ver. 1.2.0

⬜ Using Generic Top Level Domain Registration Information (WHOIS Data) in Anti-Abuse Operations

⬜ M3AAWG Introduction to Traffic Analysis


LOCATION OF M3AAWG MATERIALS

⬜ The documents and materials here will help the industry fight online abuse, implement proven best practices to protect the ecosystem and end-users, and encourage the development of a safer online environment for all.
⬜ These documents have been developed and published by M3AAWG, sometimes jointly with other industry organizations, and we encourage sharing them with other professionals, public policy advisors and those interested in safeguarding the Internet.
⬜ BCPs in this presentation comprise a representative sample of M3AAWG BCPs, but definitely not all of them
⬜ http://www.m3aawg.org/for-the-industry


THE EVOLUTION OF ONLINE THREATS

⬜ Since 2006 there has been significant evolution of online threats and the emergence of novel attacks
⬜ The tools used to defraud and steal in the online and mobile environment today are increasingly sophisticated
⬜ The OECD, UCENet, M3AAWG and other international organizations have been effective in developing public-private coordination and cross-organizational collaboration
⬜ Globally, there continues to be a need for stronger, more comprehensive legislation and regulatory regimes, cross-border cooperation, and implementation of best practices


MALWARE AND BOTNET THREATS

⬜ Global spam volume has dropped recently, but use of social media is now increasing through use of “clickjacking” or “likejacking”
  ● In 2013 web-based attacks were up 23 percent over 2012 and 1 in 8 websites had a critical vulnerability
⬜ Badly spelled, implausible email has been replaced by tailored phishing techniques
⬜ Recent threats against the Apple OS X and iOS operating systems represent the propagation of malware onto new platforms


THE FUTURE OF MALWARE AND BOTNET THREATS

⬜ Mobile malware expected to be the driver of growth in both technical innovation and the volume of attacks
⬜ Malicious ransomware attacks are also increasing, fueled by the growth in virtual currency
⬜ Growth in cloud-based corporate applications is also expected to create new attack surfaces


MALWARE AND BOTNET BEST PRACTICES

⬜ Prevention
  ● Choose a Secure and Current Operating System
  ● Stay Patched and Up-To-Date
  ● Run an Antivirus Program
  ● Use a Firewall
  ● Use Strong Passwords
  ● Make Regular Backups
  ● Don’t Routinely Run As An Administrator
  ● Disable JavaScript (Or Use NoScript)
  ● Block Known Malicious Domain Names in DNS
  ● Filter/Defang Potentially Dangerous E-mail
  ● Assume Any USB Thumb Drive Has Been “Booby Trapped”


MALWARE AND BOTNET BEST PRACTICES

⬜ Detection
  ● Be aware when a local scan detects something
  ● Take notice when your system begins to behave strangely
  ● Take action if your ISP tells you that your system is doing bad things
⬜ Remediation
  ● Clean in place
  ● Rollback
  ● Complete reinstallation
  ● Replace the system


MALWARE AND BOTNET BEST PRACTICES FOR INDUSTRY AND GOVERNMENT

1. Detect and Notify (ISP-to-User)
2. Raise Awareness
3. Implement Legal and Regulatory frameworks
4. Seek Industry and Government-Led Collaboration
5. Follow the industry best practices of blocking outgoing mail (port 25) from any computer on your network other than your own mail servers
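
The port 25 practice in item 5 can be checked against flow data as well as enforced at the edge, which also feeds the "Detect and Notify" step in item 1. The following is an added example, not part of the original slides: it flags outbound TCP/25 connections from internal hosts that are not designated mail servers. The CSV flow format, the internal range, the mail server addresses and all sample records are assumptions constructed for illustration.

```python
"""Audit flow records for direct outbound SMTP (TCP/25) from non-mail-server hosts.

Assumptions (not from the slides): a CSV flow export with the columns
timestamp,src_ip,dst_ip,dst_port,proto,action; one internal network;
two authorized outbound mail servers. All addresses are documentation ranges.
"""
import csv
import io
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]          # assumed internal space
MAIL_SERVERS = {ipaddress.ip_address("10.0.5.10"),             # assumed authorized MTAs
                ipaddress.ip_address("10.0.5.11")}

# Constructed sample data, including lines the audit must ignore.
SAMPLE_FLOWS = """\
2016-09-27T10:00:01Z,10.0.5.10,198.51.100.25,25,tcp,allow
2016-09-27T10:00:02Z,10.0.8.44,203.0.113.7,25,tcp,allow
2016-09-27T10:00:03Z,10.0.8.44,203.0.113.9,25,tcp,allow
2016-09-27T10:00:04Z,10.0.9.17,192.0.2.80,25,tcp,deny
2016-09-27T10:00:05Z,10.0.9.17,192.0.2.81,25,tcp,deny
2016-09-27T10:00:06Z,10.0.9.17,192.0.2.82,25,tcp,deny
2016-09-27T10:00:07Z,10.0.7.3,10.0.5.10,25,tcp,allow
2016-09-27T10:00:08Z,10.0.7.3,198.51.100.25,587,tcp,allow
garbage,line
"""


def is_internal(addr):
    """True if the address belongs to one of our own networks."""
    return any(addr in net for net in INTERNAL_NETS)


def audit_port25(flow_csv, mail_servers=MAIL_SERVERS):
    """Return {source_ip: {"allowed": n, "blocked": n, "destinations": set}}
    for internal hosts, other than authorized mail servers, that attempted
    TCP/25 to an external address."""
    findings = {}
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 6:
            continue  # malformed or empty line
        _ts, src, dst, port, proto, action = (field.strip() for field in row)
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port_no = int(port)
        except ValueError:
            continue  # unparseable address or port
        if proto.lower() != "tcp" or port_no != 25:
            continue  # submission on 587 and other traffic is out of scope
        if not is_internal(src_ip) or is_internal(dst_ip):
            continue  # only traffic leaving the network matters here
        if src_ip in mail_servers:
            continue  # our own mail servers are expected to use port 25
        entry = findings.setdefault(
            str(src_ip), {"allowed": 0, "blocked": 0, "destinations": set()})
        entry["allowed" if action.lower() == "allow" else "blocked"] += 1
        entry["destinations"].add(str(dst_ip))
    return findings


def classify(entry):
    """An allowed flow means the egress filter has a gap; a blocked-only
    source means the filter works but the host should still be notified."""
    return "egress-filter-gap" if entry["allowed"] else "blocked-notify-user"


def report(findings):
    """Return (source, status, attempts) tuples, busiest source first."""
    rows = [(src, classify(e), e["allowed"] + e["blocked"])
            for src, e in findings.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    for src, status, attempts in report(audit_port25(SAMPLE_FLOWS)):
        print(f"{src:<12} {status:<20} attempts={attempts}")
```

Hosts that appear only as blocked are still worth a notification, since repeated direct-to-MX attempts from a workstation are a common sign of a spam bot or a misconfigured application.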


PHISHING AND SOCIAL ENGINEERING

⬜ Attacks can lead to massive data breaches where customer information or intellectual property is stolen, or a company’s data is purposefully destroyed.

⬜ In 2014 phishing resulted in an estimated global loss of $5 Billion USD.


PHISHING AND SOCIAL ENGINEERING THREATS

⬜ Phishing has increased in sophistication, growing from simple access to e-mail and consumer bank accounts to current targets of corporate “super user” accounts and corporate bank information.
⬜ Phishers now counterfeit e-mail or social media messages and Web pages that are indistinguishable from authentic ones.
⬜ Phishing is usually only the first step. Once access is obtained, thieves use other tools, like malware, to steal sensitive information.


PHISHING AND SOCIAL ENGINEERING BEST PRACTICES FOR INDUSTRY AND GOVERNMENT

⬜ Prevention
  ● Outbound lure delivery prevention
  ● Inbound spam filtering
  ● Browser and other blocking
⬜ Detection
  ● Educate consumers and employees
  ● Track and report rejected e-mail and referring URLs
  ● Track and control outbound as well as inbound spam
  ● Implement credential reuse identification and report suspicious login attempts or use
  ● Install specialized software


PHISHING AND SOCIAL ENGINEERING BEST PRACTICES FOR INDUSTRY AND GOVERNMENT

⬜ Report
  ● Alert customers, employees, constituents and anti-phishing organizations
  ● Establish easy to remember reporting websites or e-mail addresses
⬜ Conduct joint corporate and law enforcement investigations
⬜ Conduct user/victim education
⬜ Establish and use Industry and Government information sharing and advocacy groups


DOMAIN NAME AND IP EXPLOITS


⬜ Resolver exploits/cache poisoning: cybercriminals introduce forged data to redirect web and other traffic to false versions of sites


RESOLVER EXPLOITS AND BEST PRACTICES

⬜ Best Practices:
  ● Support the worldwide deployment of DNSSEC
  ● Use Transaction SIGnature (TSIG) for all online DNS updates and for server-to-server “zone transfer” operations
  ● Keep your DNS software patched up to date
  ● Educate network and system managers


DNS MALWARE AND BEST PRACTICES

⬜ “DNS Changer”: substitutes controlled DNS resolvers for the user’s ISP’s own resolvers, allowing the owner to create and manage falsified answers to queries
⬜ Best Practices:
  ● Encourage networks to share feeds of top caches
  ● Provide the feeds to all vetted anti-abuse researchers
  ● Develop metrics based on that aggregated data to help identify cybercriminals
  ● Establish best practices for anonymization sufficient to prevent connecting users, their ISPs and their DNS activity
  ● Educate the public to limit social engineering attacks


DNS REGISTRATION AND BEST PRACTICES

⬜ DNS Registration Abuse: Cybercriminals use stolen credit cards to register domains, use high speed automated registration, or use resellers or proxies
⬜ Best Practices:
  ● Establish and monitor ‘Know Your Customer’ programs to prevent abuse of domain assignment
  ● Implement mandatory HTTPS and multi-factor authentication
  ● Improve reputation algorithms to include domain age
  ● Work closely with advocacy groups to address issues


WEB AND SERVER DNS BEST PRACTICES

⬜ Web redirects: cybercriminals redirect web traffic to malicious sites or infect legitimate domains with malicious files
⬜ Best Practices:
  ● Conduct URL reputation testing
  ● Support blocking compromised legitimate domains that serve malicious content, notify rapidly, retest and delist
  ● Encourage URL shortener services to check all redirects and
  ● Develop educational resources for industry and users


MOBILE, VOIP AND TELEPHONY

⬜ Consumers are increasingly using their mobile devices to access online accounts, make purchases and conduct financial transactions.

⬜ Widespread growth of Internet telephony and mobile-broadband means Voice over Internet Protocol (VoIP) and Telephony threats are on the rise.


MOBILE MALWARE AND BEST PRACTICES

⬜ Malicious apps: users install apps containing hidden malware, sometimes from reputable app stores. These apps may install spyware, download pay-per-download content or send pay-per-use SMS messages.

⬜ Best Practices:
●  Develop facilities for reporting and encourage use
●  Collaborate, and exchange threat and abuse data with international, government, industry and specialized prevention groups
●  Evaluate mobile security solutions
●  Educate consumers


BASEBAND THREATS AND BEST PRACTICES

⬜ Baseband Threats: the primary criterion for network reception is signal strength, so by transmitting a stronger signal an attacker can force the mobile station to connect to a rogue base station.

⬜ Best Practice:
●  Monitor sessions that do not have mutual authentication and notify manufacturers and users.


VOIP, TELEPHONY AND BEST PRACTICES

⬜ Robocall scams: new technology enables automated fraud callers to hide or “spoof” outgoing phone numbers to trick targets

⬜ Telephony Denial of Service (TDoS): automated calls are used to overwhelm a system so legitimate calls can’t get through

⬜ Best Practices:
●  Set honeypot traps to detect system abuse
●  Perform analytics to identify problem calling patterns
●  Encourage use of Customer Premises Equipment (CPE)
●  Implement Industry best practices and standards
●  Enact and enforce anti-fraud and ‘do not call’ rules
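As an illustration of the "perform analytics to identify problem calling patterns" practice, the following added example (not part of the M3AAWG deck) scans call detail records for a TDoS-style burst against one number and for a robocall-style fan-out from one caller ID. The record layout, thresholds and phone numbers are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import median

BASE = datetime(2016, 9, 27, 10, 0, 0)

def build_sample():
    """Constructed CDRs (time, caller, callee, seconds) on fictional 555-01xx numbers."""
    rows = []
    for i in range(8):   # burst: 8 three-second calls in 35 s, rotating caller IDs
        rows.append((BASE + timedelta(seconds=5 * i), f"+1202555010{i}",
                     "+12025550199", 3))
    for i in range(6):   # fan-out: one caller ID dials 6 numbers, 2 minutes apart
        rows.append((BASE + timedelta(minutes=2 * i), "+12025550150",
                     f"+1202555017{i}", 6))
    # ordinary traffic, including one long call to the line under attack
    rows.append((BASE + timedelta(seconds=10), "+12025550160", "+12025550199", 240))
    rows.append((BASE + timedelta(minutes=5), "+12025550161", "+12025550162", 180))
    return sorted(rows)

def tdos_targets(rows, window=timedelta(seconds=60), min_calls=6, max_median=5):
    """Map callee -> peak calls per window, where the window holds at least
    min_calls calls whose median duration is max_median seconds or less.
    rows must be sorted by time."""
    recent, flagged = defaultdict(deque), {}
    for ts, _caller, callee, dur in rows:
        q = recent[callee]
        q.append((ts, dur))
        while ts - q[0][0] > window:      # drop calls older than the window
            q.popleft()
        if len(q) >= min_calls and median(d for _, d in q) <= max_median:
            flagged[callee] = max(flagged.get(callee, 0), len(q))
    return flagged

def fanout_callers(rows, min_callees=5, max_median=10):
    """Map caller ID -> distinct numbers dialled in this batch, for callers that
    reach min_callees or more numbers with short calls (robocall-like)."""
    callees, durations = defaultdict(set), defaultdict(list)
    for _ts, caller, callee, dur in rows:
        callees[caller].add(callee)
        durations[caller].append(dur)
    return {c: len(s) for c, s in callees.items()
            if len(s) >= min_callees and median(durations[c]) <= max_median}

if __name__ == "__main__":
    cdrs = build_sample()
    print("TDoS-like targets:", tdos_targets(cdrs))
    print("Fan-out callers:", fanout_callers(cdrs))
```

The per-callee view does not rely on the caller ID, so it still fires when the calling numbers are spoofed or rotated; the per-caller view only catches callers that reuse one number.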


Operation Safety-Net: Best Practices to Address Online, Mobile and Telephony Threats

⬜ Malware and Botnets
⬜ Phishing and Social Engineering
⬜ IP and DNS
⬜ Mobile and Voice Threats
⬜ Abuse Issues for Hosting and Cloud Services
⬜ Online Harassment


HOSTING AND CLOUD

⬜ Hosting: specialized companies provide businesses access to websites, files, intranets, and provide Internet access via multiple connected servers as opposed to one single or virtual server.

⬜ Cloud Computing: the storage and access of data and programs over the Internet instead of using your computer's hard drive.

⬜ Cloud services and hosting allow businesses to decrease capital costs, increase agility and divest non-essential infrastructure.


HOSTING AND CLOUD THREATS

⬜ Exploits of hosting and cloud services are on the rise and include:
●  spam,
●  spamvertising,
●  phishing, hacked websites,
●  DDoS (Distributed Denial of Service attacks),
●  port scanning for exploitable vulnerabilities,
●  defaced webpages,
●  copyright/trademark infringement, and
●  malware.


HOSTING AND CLOUD BEST PRACTICES

⬜ Prevent abuse at the network edge:
●  Consider hardware-based intrusion detection systems (IDS)
●  Use software-based security scans and firewalls
●  Maximize customer contact and protect identity
●  Strengthen customer passwords

⬜ Detection and Identification:
●  Use confidential client identifiers
●  Establish role accounts for network domains
●  Maintain accurate SWIP and IP WHOIS records
●  Set up Feedback Loops (FBLs) and automated reports

⬜ Remediation:
●  Respond swiftly and effectively
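To show how feedback loops and confidential client identifiers work together at a hosting abuse desk, the following added example (not part of the M3AAWG deck) parses ARF feedback reports (RFC 5965) and counts complaints per client. It assumes the provider stamps an opaque token into outbound mail in a hypothetical `X-Client-Ref` header; the reports, addresses and threshold are constructed for the example.

```python
import email
from collections import Counter

# Constructed ARF (RFC 5965) report; X-Client-Ref is a hypothetical header name.
ARF_TEMPLATE = """\
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

Abuse report for a message received from {ip}.
--b1
Content-Type: message/feedback-report

Feedback-Type: {ftype}
User-Agent: ExampleFBL/1.0
Version: 1
Source-IP: {ip}

--b1
Content-Type: message/rfc822

From: news@customer.example
X-Client-Ref: {ref}

Body text.
--b1--
"""

def parse_arf(raw):
    """Return (feedback_type, source_ip, client_ref) from one ARF report."""
    msg = email.message_from_string(raw)
    if (not msg.is_multipart() or msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        raise ValueError("not an ARF feedback report")
    fields = original = None
    for part in msg.get_payload():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            fields = part.get_payload()[0]      # machine-readable report fields
        elif ctype == "message/rfc822":
            original = part.get_payload()[0]    # the complained-about message
    if fields is None or fields["Feedback-Type"] is None:
        raise ValueError("missing feedback-report fields")
    ref = original["X-Client-Ref"] if original is not None else None
    return fields["Feedback-Type"].lower(), fields["Source-IP"], ref

def complaints_by_client(reports, threshold=2):
    """Count abuse/fraud reports per client reference; keep those >= threshold."""
    counts = Counter()
    for raw in reports:
        try:
            ftype, ip, ref = parse_arf(raw)
        except ValueError:
            continue                            # not ARF: leave for manual review
        if ftype in ("abuse", "fraud"):
            counts[ref or f"unattributed:{ip}"] += 1
    return {k: n for k, n in counts.items() if n >= threshold}

# Constructed inbox: three complaints, one not-spam report, one non-ARF mail.
ROWS = [("abuse", "192.0.2.10", "c-7f3a"), ("abuse", "192.0.2.10", "c-7f3a"),
        ("fraud", "192.0.2.44", "c-19be"), ("not-spam", "192.0.2.44", "c-19be")]
SAMPLE = [ARF_TEMPLATE.format(ftype=t, ip=i, ref=r) for t, i, r in ROWS]
SAMPLE.append("Subject: hello\n\nnot a report")
```

Because the token is opaque, the report ties a complaint to an account inside the provider without revealing the customer's identity to the reporting mailbox provider.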


Operation Safety-Net: Best Practices to Address Online, Mobile and Telephony Threats

⬜ Malware and Botnets
⬜ Phishing and Social Engineering
⬜ IP and DNS
⬜ Mobile and Voice Threats
⬜ Abuse Issues for Hosting and Cloud Services
⬜ Online Harassment


ONLINE HARASSMENT

⬜ Online harassment can range from embarrassing or cruel online posts or digital pictures, to online threats, bullying, and negative comments, to stalking through emails, websites, social networks and text messages.

⬜ Every age group is vulnerable to online harassment, which is a growing problem in schools, on college campuses and even in the workplace.

⬜ There have been attempts to regulate and write law to deal with some aspects of this issue, but overall this is an area that is in need of further examination and best practice development.


ONLINE HARASSMENT THREATS

⬜ Cyberstalking – Essentially stalking online. This can take many forms including e-mail, web site posts or comments, cell phone texts, etc.

⬜ Cyberbullying – Basically cyberstalking, but related more to kids and teens

⬜ Doxing – The posting of someone else’s personal information online

⬜ SWATting – Making a fake call to police to invoke an armed response, usually by the SWAT Team

⬜ Trolling – Online users attempt to incite reaction by posting intentionally aggressive comments


ONLINE HARASSMENT BEST PRACTICES

⬜ There have been attempts to regulate and write law to deal with some aspects of this issue, but overall this is an area that is in need of further examination and best practice development.


KEY BEST PRACTICES

⬜ Best Practices to address the changing threat landscape:
●  Educate consumers to be more proactive in securing their own devices
●  Service providers should implement recommended security technologies and practices without delay
●  Governments should ensure modern regulatory and legislative environments are in place and enforced, and work with international organizations to champion collaborative efforts


M3AAWG Meetings

For more information please contact: Graciela Martinez [email protected]

Meeting Schedule: http://www.m3aawg.org/upcoming-meetings

More Information on Our Organizations or Questions: Jerry Upton, Executive Director, at [email protected]

https://www.m3aawg.org/contact-us


BoF Panel

⬜ Malware and Botnets
⬜ Phishing and Social Engineering
⬜ IP and DNS
⬜ Mobile and Voice Threats
⬜ Abuse issues for Hosting and Cloud Services
⬜ Online Harassment
⬜ VoIP and Voice Telephony Fraud
⬜ Caller-ID Spoofing


BoF questions to be Answered

⬜ What problems are you facing?

⬜ How have your problems evolved?

⬜ What practices help to resolve your problems?

⬜ What prevents you from putting practices in place?

⬜ Or whatever is on your mind…


Thank you! http://www.m3aawg.org @maawg
