Transcription
TECHNICAL SECURITYAT A LARGE COMPANYMatthias Schmidt
Welcome, Who am I! Studied CS @ Univ Marburg 5 years assistant at DistributedSystems Group 18.01.20182007 - 2012SecurityVirtualizationGrid ComputingHead of Technical Security 22001 - 2007Diploma thesis about Network SecurityJoined 1&1 in 2012Security ArchitectureOperating Systems SecurityDigital ForensicsMalware/Reverse EngineeringTrainings
Why we care about Information Security Figures 7 Data Centers on 2 continents90,000 server at 1&160,000 server at StratoHosting of more than 20 million domains Networking Global connectivity more than 300 GBit/s70 GBit/s outbound peak load trafficAbout 9 billion page impressions per monthMore than 5 billion e-mails per month9,000 TeraByte monthly traffic volume3318.01.2018
Flickr. CarbonNYC. CC-BY-2.0General IntroductionTECHNICAL SECURITY418.01.2018
Focus Topics & etworkSecurityOffice eningCERTPKIMaturity sMy ntestsPentestsSecureServices t
Application Security and its Challenges in corporate Environments Secure Software Development Lifecycle (SSDLC) Structured way of developing secure software Predefined set of Life-Cycle Tasks and requirements Developed an own tool for it https://securityrat.github.io/ Penetration tests For new applications For legacy applications Cover recurring events (PCI DSS/De-Mail re-certification) Challenges 6Secure development in agile environmentsPentests scalabilityThird-party software/dependenciesRemember, the cloud is just someone else’s computer18.01.2018
Infrastructure Security and Digital Forensics Are we affected by vulnerability? Simple for hundreds, complex for tens of thousands of systems We scan at large scale Zmap, nmap, SSL/TLS scanner, enterprise solutions, Volatile and non-volatile Forensic investigations on Servers Workstations Mobile devices718.01.2018
Signature-based Anti-Virus is dead or ADVANCED WORKSTATIONPROTECTION918.01.2018
Office Security1018.01.2018
Incident Response sessmentReduceResolutionTime
There is an Entire Industry behind it 1218.01.2018
So, what do you think that you are worth?1318.01.2018
Now, why does this happen? Don‘t we have anti-virus scanners?218.01.2018
They sometimes fail 1518.01.2018 Different namesDifferent stringsDifferent hashesDamn!
Poly- and metamorphic malware and the obfuscation curse Most modern malware is polymorphic and uses anti-analysis and antidetection techniques like EncryptionPackingCode/Binary ObfuscationVirtualizationAnti-debugging Many malware families even are metamorphic ( self-mutating) 16Use a new encryption key with every replication cycleRotate different obfuscation schemesReload code at runtimeUse self-modifying code practices 18.01.2018
Long story short 1718.01.2018
Incident Response InfrastructureOperatorLive ForensicsSystemrequestTicket SystemWorkstationalertsAlert tem1818.01.2018IOC ServerIDS
Generic Incident Analysis ProcedureALERT21 AntiVirus \IDS Alert Userreports„weird“behavior18.01.2018TRIAGE Check forobviousFP signs Assessvictimcriticality AssesspotentialthreatimpactANALYSIS Gatherevidence(memorydump,networktraces, ) Filter,correlate,andanalyzeevidence
A typical Incident Analysis Case (1)Email with linkto allegedWinrar installerDownloadtrojanizedWinrar efrom 6\WinRAR.exe\Users\xxx\Downloads\WinRAR\WinRAR.exe
A typical Incident Analysis Case trojanizedWinrar.exeDrop, install,and A2643.EXE653CBD5D.pf#Im System wurde ein Dienst installiert.#Dienstname: 103191234\ic-0.0c4a2901a2643.exe /wl 1#Diensttyp: Benutzermodusdienst#Dienststarttyp: Manuell starten#Dienstkonto: LocalSystem
A typical Incident Analysis Case (3)Disable AV viaPowershellScriptDrop anddeploy kernelmode RootkitEstablish pf#PowerShell#HostName ConsoleHost#HostApplication powershell.exe -Command& {Add-MpPreference e28c6d8f3de176caff9ab413c18.sys')}#Im System wurde ein Dienst \3ee09e28c6d8f3de176caff9ab413c18.sys#Diensttyp: Kernelmodustreiber#Dienststarttyp: Systemstart172.xxx.xxx.xxx:63401 45.32.xxx.xxx:80CLOSED8708 svchost.exe2418.01.2018
Incident Response Toolchain - Threat Intelligence Handling with MISP2518.01.2018
Incident Response Toolchain - Impact Assessment with Bloodhound2618.01.2018
Incident Response Toolchain - Live Forensics with Rekall and GRR2718.01.2018
Some Facts & FiguresCategoryTypeMalwareAnalyzed unique malware samples20.995MalwareMalware samples and analysis results4,6 TBThreat IntelligenceGathered Threat Intelligence40 GBThreat IntelligenceExtracted Indicators of Compromise (IOCs)Threat IntelligenceGenerated IDS Rules (SNORT)Privilege Monitoring Monitored user and service accountsPrivilege Monitoring Monitored workstation and servers objectsRecords478.00026.60013.2009.900Privilege Monitoring Monitored privilege-groups28.000Privilege Monitoring Recorded user sessions11.000Privilege Monitoring Monitored privilege relations2818.01.2018806.000
Of Ciphers, Key length and moreTLS CIPHER DISTRIBUTION3118.01.2018
History, Statements and Challenges In 2013 Edward Snowden revealed top secret documents to the public Xkeyscore, PRISM, Tempora, The world reacted with “Let’s encrypt everything”3218.01.2018
Encrypt everything – Does it work? Incoming SMTP Connections 20132016TLS3318.01.2018PLAIN2018
Encrypt everything – Does it work? (2) Outgoing SMTP Connections (CW %EUUSTLS3418.01.2018PLAIN
TLS Cipher Distribution – Incoming Top 3 TLS cipher suites, one MX 620000015000010000070542500002344503518.01.2018123
TLS Cipher Distribution – Incoming (2) everything S-128CBC/SHA256DHE-RSA/3DES-CBC/SHA1
TLS Cipher Distribution – Outgoing Top 4 TLS cipher suites, one mailer 000012703003718.01.20181234
TLS Cipher Distribution – Outgoing (2) everything else1% 1% 0% 0% 0% -RSA/3DES-CBC/SHA1
Certificates signed by an official CA?10%Valid CA"Invalid CA"90%3918.01.2018
Flickr. Abode of Chaos. CC-BY-2.0WIDE AREA NETWORK4018.01.2018
Denial Of Service Attacks Denial of Service (DoS) attacks are known since 20 years Academia solved the problem decades ago Google Scholar shows 540k results for DoS protection However, they are not gone as of today Different Types of Attacks SYN Floods UDP Floods NTP Amplification Attacks DNS Amplification Attacks4118.01.2018
Denial Of Service Attacks (cont.) Selected Examples of incoming (D)DoS attacks UDP NTP Amplification 34 GBit/s with 7M Packets/s 10 GBit/s with 1M Packets/s Simple UDP Floods 15 GBit/s with 2M Packets/s DNS Amplification 98 Gbit/s with 9M Packets/s4218.01.2018
Denial Of Service Attacks (cont.)4318.01.2018
Denial Of Service Attacks – Countermeasures QoS enabled on the local switch Filter malicious traffic on the local distribution router Blackhole the target’s IP address Scrub traffic4418.01.2018
CONCLUSIONS4518.01.2018
ConclusionsTechnical measures are good,security awareness is better4618.01.2018
The End and thanks for your AttentionDr. Matthias SchmidtQ&A4718.01.2018Head of Technical Securitymatthias.schmidt@1und1.de
Incident Response Process 11 18.01.2018 Detection Prevention Mitigation Assessment Goal: Analysis Automated Threat Treatment Reduce Response Time Reduce Resolution Time Reduce Incident Impact . ECDHE-RSA/AES-128-GCM/AEAD DHE-RSA/AES-128-CBC/SHA1 ECDHE-RSA/AES-128-CBC/SHA1 209766 70542 23445 0 50000 100000 150000
