Within the security and armed forces of various states, dedicated information security units have been created to protect government information and communication systems. Banks, large retail chains, the oil and gas sector and other large companies belong to the civilian sector; they are protected by us and by other civilian teams.
Typical features of a targeted attack:
• A professional group is at work, usually motivated financially or by a commission. Random targets are rare; mostly particular industry segments or individual companies are selected.
• The most widely used vector is a combination of a 0-day exploit and social engineering.
• If the attack is detected and stopped, there is a high probability of a quick return via another vector.
• The attack is pursued until it gets results.
• The main goals are corporate secrets, source code and the correspondence of top management.
• After the primary attack there may be a lull. Attacks are usually kept hidden; nobody boasts about them. The main priority is to clean up logs and other traces.
We protect banks, retail, insurance companies and others. I'll tell you about the practice and the solutions.
The course of an attack
An attack usually develops along standard lines:
• Reconnaissance and data collection. The network is scanned, and so are social networks, LinkedIn especially, which yields the company hierarchy, its employees with their names, and their communications. Technical methods are used to study the network architecture, obtain the IP addresses of services, and learn about the hardware and software in use, including the protective tools.
• Choosing the attack vector. The main question is how to deliver malware into the DMZ. It can be anything, from a "road apple" (a flash card left in a storeroom) to infecting a site that the company's employees visit. Sometimes the company's protection is so strong that another targeted attack, against one of its security vendors, is needed to obtain a delivery vector into the ultimate target. In the RSA breach, master keys were stolen that were then used to attack other companies.
• Intrusion. It usually begins by taking control of one of the network nodes. From that node the malware downloads its main modules and spreads, slowly extending its reach and privileges in the network.
• Consolidation of influence. At this stage the activity of the protective tools is suppressed, and the malware gains almost complete control, enough to accomplish its tasks.
• Searching for information. Usually a staging server for data storage is infected, for example the update server. It collects all the information of interest to the group and retrieves what is needed from the network. Often data collection takes days and weeks.
• Extraction. The intermediate server segments the data, archives it, hides it (steganography is used) and then sends it out. Methods go up to the exotic, such as blending important technical data into ordinary traffic.
• Hiding traces.
• Minimizing the footprint. Usually all active malware components are removed, leaving only a small implant that can recreate or download the code in case of a future encounter.
Distraction
According to international practice, such attacks very often require masking, because they can be detected even at the early scanning stage as atypical activity within the network. For this a powerful DDoS attack is very often launched against the target. It distracts the security experts from the real goals and helps to hide the surgical movements of the main attack vector.
Examples of protective tools:
• Next-generation firewalls (NG FW) (Check Point, Stonesoft, HP TippingPoint);
• Detection of potentially dangerous files (sandbox) (Check Point, McAfee, FireEye);
• Special protection of web applications (WAF) (Imperva SecureSphere WAF, Radware AppWall, Fortinet FortiWeb);
• Detection of anomalies in network traffic (StealthWatch, RSA NetWitness, Solera Networks);
• Analysis and optimization of security infrastructure settings (Algosec, Tufin, RedSeal, SkyBox);
• Code security audit (HP Fortify, Digital Security ERPScan CheckCode, IBM AppScan Source);
• Fraud protection for access to online banking systems (Versafe);
• Digital investigation of security incidents (Forensic Analysis and Incident Response) (AccessData);
• Protection against DDoS (hardware: Radware DefensePro, Arbor Pravail, Check Point DDoS Protector; service: Kaspersky DDoS Prevention, Qrator HLL).
Countering (theory)
1. During data collection, firewalls and network intrusion detection and prevention systems are traditionally used. The main problem is that they do not detect a slow scan. NG FW (next-generation firewalls) can correlate events across the network, match up the parts of an attack and show the full picture: for example, anomalies are examined by time of day, traffic to new ports, and so on.
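To make the slow-scan point concrete, here is an added example that is not from the original post: a small Python correlator run over a constructed firewall connection log. The IP addresses, ports, thresholds, business hours and the 24-hour window are all constructed assumptions; it shows why a per-minute counter misses a source that probes one port every two hours while a long-window count catches it, and it also flags traffic to ports the DMZ does not publish and activity outside working hours.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall connection log: (timestamp, source IP, destination port).
# 10.0.0.5 hits 6 ports within one minute (any IPS notices this); 10.0.0.7 probes
# one port every two hours, staying under any per-minute threshold; 10.0.0.9 only
# talks to the published web ports during the day.
SAMPLE_EVENTS = (
    [("2013-05-10 14:00:%02d" % s, "10.0.0.5", p)
     for s, p in zip(range(0, 60, 10), (21, 22, 23, 25, 80, 443))]
    + [("2013-05-10 %02d:17:00" % h, "10.0.0.7", p)
       for h, p in zip(range(0, 24, 2),
                       (21, 22, 23, 25, 53, 110, 135, 139, 445, 3389, 5900, 8080))]
    + [("2013-05-10 %02d:30:00" % h, "10.0.0.9", p)
       for h, p in ((9, 443), (11, 80), (15, 443))]
)
KNOWN_PORTS = {80, 443}        # services the DMZ is expected to expose (assumed)
BUSINESS_HOURS = range(8, 20)  # 08:00-19:59 counts as a normal time of day (assumed)

def analyze(events, window=timedelta(hours=24), burst_ports=5, slow_ports=8):
    """Correlate events per source over a long window instead of only per minute."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), port))
    findings = {}
    for src, hits in by_src.items():
        hits.sort()
        # Classic per-minute view: how many distinct ports in the busiest minute.
        per_minute = defaultdict(set)
        for t, p in hits:
            per_minute[t.replace(second=0)].add(p)
        burst = max(len(s) for s in per_minute.values()) >= burst_ports
        # Long-window view: distinct ports touched within any `window` of time.
        slow = any(
            len({p for t, p in hits[i:] if t - t0 <= window}) >= slow_ports
            for i, (t0, _) in enumerate(hits)
        )
        findings[src] = {
            "burst_scan": burst,
            "slow_scan": slow and not burst,
            "new_ports": sorted({p for _, p in hits} - KNOWN_PORTS),
            "off_hours": sum(1 for t, _ in hits if t.hour not in BUSINESS_HOURS),
        }
    return findings

if __name__ == "__main__":
    for src, f in sorted(analyze(SAMPLE_EVENTS).items()):
        print(src, f)
```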
2. At the intrusion step, traditional request filtering, intrusion prevention and antivirus, including "heavy" antivirus at the gateway, are used today. In addition to NG FW, two more methods apply: traps and sandboxes. A trap is an attractive-looking service within the network whose main purpose is to draw the attack onto itself and raise the alarm. Sandboxes block intrusions as follows. Suppose a user receives an archive by mail. In the three minutes before delivery to the user, the sandbox "runs" the archive. At first it appears there are three files; one is an executable that assembles a piece of code from the other two, then creates a process and writes a registry key. The task is to simulate a regular machine, because many malicious programs detect a hypervisor perfectly well and do not activate. A modern sandbox includes a simulator of network activity (even letting the malware receive "answers" from its command center), uses both static analysis with disassembly and dynamic code analysis, and offers the malware different environments (server, user and so on) built from standard images taken directly from the current network. There is a GUI that lets you see what the code is doing.
3. If the intrusion has succeeded, the threat must be located and data extraction prevented. For this, incident investigation systems are used that analyze logs and trace the spread of malware across the network. If extraction has already taken place, the same systems help to understand exactly what was carried out. For example, Sony blocked the first extraction attack on its infrastructure and began to celebrate, but, as you know, more vectors followed.
4. At the next stage a formal investigation has to begin, leading to court. The court needs evidence of the attack. Ever tried to collect it on a network? The same Forensic Analysis tools can take a cast of the infrastructure, produce a detailed report on its current state and then seal it with a digital signature. American courts have already accepted such enormous files, with all the memory dumps, process lists, logs and so on, as evidence. They can then be examined slowly and carefully.
Countering (practice)
We have a customer, a large retail chain, whose infrastructure has already been under constant targeted attack for several months. A large botnet with a wide range of IP addresses is at work; both attempts to smuggle in exploits and good old brute force are used. All this is accompanied by waves of DDoS. I cannot give specifics until the end of the attack is in sight (and perhaps for a couple of years after that), so I will show what I would do in theory to protect such a system. In any case, I would certainly build a service that holds up under brute force.
1. Upgrade network protection to the new generation, in order to analyze slow events, see non-standard data collection algorithms and decrypt malware channels.
2. Monitor data flows between hosts and establish control over them.
3. Set restrictions in the network rules.
4. Run a vulnerability scanning system regularly: a set of utilities that run on the network and try to attack everything that is weak. This catches the standard list of unpatched hardware exploits and not fully updated software.
5. Once a week review settings optimization: utilities that analyze the network rules on the nodes (including middleware), rank them by priority for performance, look for obvious blunders and help establish best practice. Very useful, though quite expensive solutions. Incidentally, they help close the hole opened by application support on intermediate devices by means of filtering.
6. Connect to a scrubbing data center standing on the main channel in the event of a powerful DDoS, diverting traffic within at most 30 seconds.
7. Subscribe to a knowledge base on the actions of hacker groups. There are special teams that read hacking forums, leak small vulnerabilities and so on, gaining credibility in that environment. They signal new methods and tools.
Algosec: example GUI for configuring basic rules, aimed at the head of the IT department (not a security specialist)
Protecting code
If the company develops code, the code itself often becomes a target for attack and for the insertion of backdoors. For such situations, code integrity checking systems are used: analysis of who accesses the code, a map of source modifications and so on. In general, they let us understand when someone who had no business touching a specific section nevertheless went in and added something. In parallel, static analysis for vulnerabilities is performed.
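An added example of the integrity-check idea in Python (not the tooling the post refers to): a signed manifest of per-file hashes, where the signing key is held apart from the build host so that an altered file cannot be hidden by rewriting the manifest. The source tree, its paths and MANIFEST_KEY are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed snapshot of a small source tree (path -> bytes). A real tool
# walks the repository on disk; the dict keeps this example offline.
BASELINE_TREE = {
    "src/auth.py": b"def login(user, pw):\n    return check(user, pw)\n",
    "src/util.py": b"def check(u, p):\n    return db.verify(u, p)\n",
}
# Hypothetical key held by the security team, not on the build host, so
# whoever can alter the sources cannot also re-sign the manifest.
MANIFEST_KEY = b"constructed-demo-manifest-key"

def _digests(tree):
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}

def _sign(files, key):
    body = json.dumps(files, sort_keys=True).encode()  # canonical form
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(tree, key):
    """Take the baseline: per-file SHA-256 plus an HMAC over the whole list."""
    files = _digests(tree)
    return {"files": files, "sig": _sign(files, key)}

def verify_tree(tree, manifest, key):
    """Report a tampered manifest, or which files changed since the baseline."""
    if not hmac.compare_digest(_sign(manifest["files"], key), manifest["sig"]):
        return {"manifest_tampered": True}
    current, baseline = _digests(tree), manifest["files"]
    return {
        "manifest_tampered": False,
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    """A line is added to auth.py; the actor then also rewrites the manifest
    entry for the file but cannot produce a valid signature for it."""
    manifest = build_manifest(BASELINE_TREE, MANIFEST_KEY)
    changed = {**BASELINE_TREE, "src/auth.py": b"import logging\n" + BASELINE_TREE["src/auth.py"]}
    detected = verify_tree(changed, manifest, MANIFEST_KEY)
    forged = {"files": _digests(changed), "sig": manifest["sig"]}
    return detected, verify_tree(changed, forged, MANIFEST_KEY)

if __name__ == "__main__":
    print(demo())
```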
Protecting users
One of the most common modern vectors in the banking sector is an attack not on the server side but on the users' equipment. A common example is a trojan that, when the submit button is clicked, substitutes the destination account and the amount of the payment. Some banks build their information security on the premise that the user's equipment is certainly unreliable, and have protection against such attacks on their own side.
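One way a bank can act on that premise on its own side, as an added example that is not from the original post: the server binds an out-of-band confirmation code to the exact account and amount the user requested, so a form altered in the browser after the confirmation went out fails verification. SERVER_KEY, the PENDING table, the account strings and the SMS wording are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side state, constructed for this example: the key never
# leaves the bank's servers and the pending table lives in the session store.
SERVER_KEY = b"constructed-demo-key-replace-with-a-managed-secret"
PENDING = {}  # confirmation id -> (account, amount_cents) the user asked for

def _code(conf_id, account, amount_cents):
    """Short code bound to exactly one (confirmation, account, amount) triple."""
    msg = f"{conf_id}|{account}|{amount_cents}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:6]

def prepare_transfer(account, amount_cents):
    """Step 1: record the request and build the out-of-band (SMS) message.
    It repeats the details so the user can spot a swap made before submit."""
    conf_id = secrets.token_hex(8)
    PENDING[conf_id] = (account, amount_cents)
    sms = (f"Transfer {amount_cents / 100:.2f} to account {account}. "
           f"Code: {_code(conf_id, account, amount_cents)}")
    return conf_id, sms

def execute_transfer(conf_id, account, amount_cents, code):
    """Step 2: the form arrives. Recompute the code over the values actually
    submitted; a trojan that changed them in the browser after the SMS went
    out produces a mismatch, and a replayed confirmation is refused."""
    if PENDING.pop(conf_id, None) is None:
        return "rejected: unknown or already used confirmation"
    if not hmac.compare_digest(_code(conf_id, account, amount_cents), code):
        return "rejected: submitted details differ from confirmed ones"
    return "accepted"

def demo():
    """A swapped destination account is rejected; an honest submission passes."""
    conf_id, sms = prepare_transfer("acct-0001", 150000)
    code = sms.split("Code: ")[1]
    swapped = execute_transfer(conf_id, "acct-9999", 150000, code)
    conf_id, sms = prepare_transfer("acct-0001", 150000)
    honest = execute_transfer(conf_id, "acct-0001", 150000, sms.split("Code: ")[1])
    return swapped, honest

if __name__ == "__main__":
    print(demo())
```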
Cases
The problem with security cases is how to judge the success of an attack that did not happen. For example, there is the situation with Infostruktura (Lithuania). The company provides communication services to the Government of Lithuania. AMS uses the entire range of tools to protect government sites and some commercial ones (over 200 sites): AppWall, DP and Alteon, and for more than 2 years it has been repelling attacks at all levels. It was the only provider to withstand the massive attack on Lithuania during the European Forum last year. But, of course, the best defense is when the attack does not occur at all, because it is too expensive.
Summary
Attacks on large companies are not a myth. Right now one of our customers is experiencing several dozen different attacks per day, another has been defended against DDoS for a week already, and some more regularly catch interesting files in the sandbox. In theory, with due attention, the race between shield and sword in information security is a continuous process, and the balance holds. The only effective vulnerability is people. Social engineering is the most effective and timeless technique. And the task of user training, plus regular exercises, lies not only on our technical side but also with the customer's personnel.