이충구부장 - Apps & Security 총괄 / IXIA Korea 지능형지속공격을위한진화된테스트방법. -Next Generation Security Validation

Transcription

1 이충구부장 - Apps & Security 총괄 / IXIA Korea 지능형지속공격을위한진화된테스트방법 -Next Generation Security Validation 1

2 App PLANET

3 앱플래닛 변화무쌍한세상 매일생겨나는수백만에이르는다양한앱 데이터접속을위한앱커뮤니케이션

4 모바일멀웨어는가장빠르게진화하고있다 How does it change the threat landscape 수백만의폰사용자, Tablet/PC 사용자 BYOD 로인한신뢰받지않은네트워크와내부네트워크로의접속 모바일멜웨어의급속한진화

5 APT (Advanced Persistent Threats) -Understanding each phase

6 Phase 1, 2: 엔트리포인트 정보수집 / Recon and Phishing

7 Phase 1, 2: 엔트리포인트 스미싱 Many url s on mobile phones are shortened by agencies like Bit.Ly Websites look different Mobile phones. SMS, Whatsapp, Viber messages, easier to generate click

8 최신스미싱기법

9 Phase 3: 최초침입및백도어생성 Knock Knock Shocking Video Knock Knock Bank Confirmation Knock Knock World Cup Stream App WELCOME BOSS

10 Phase 4, 5: 권한획득및유틸리티설치 Extract personal information Install Utilities Dig Deeper into the system Corrupt/Encrypt or Hide Data Make you a Bot Do Nothing

11 Phase 6: 데이터유출 Leakage through Video cams Recording Keystrokes/History Record meeting/call data SMS copiers like SMSZombie Variable Behaviour(Polymorphism) Date Leakage in APT- Has many forms

12 정교한 APT 의창조물 - Malnets Zombie Devices Malnets are now a reality Rootaged devices with powerful LTE GTP encapsulated/ssl encapsulated difficult to identify

13 Kill-Chain -Validating each phase

14 차세대보안테스트 Validation of APT and Botnets Recon-Information Gathering ( 정찰 / 정보수집 ) Validate Phishing/Spam Social Networking ( 스피어피싱 / 스팸 ) Validate Validate User Information Malware Installations ( 권한획득 / 유틸리티 ) Validate Intrusions and Backdoors ( 침입 / 백도어 ) Information Exfiltration Lateral Movements ( 정보유출 ) Validate Further Destruction Persistence ( 지속적관리 - 멀넷 )

15 Validation: Phishing and Spam Test APT Step 1- Phishing and Spam generation 다른타입의피싱 생성 새로운변종스팸생성 -Pictured Spam, Scrambled Spam 100 가지이상의피싱기술가진대규모피싱생성

16 Validation: Malware/Exploit and Vulnerability APT Step 2- User compromise and Bot to C&C message simulation Malware/Vulnerability delivery through various apps. Facebook, Gmail, SMTP, Youtube every app/protocol can be a delivery vehicle. Simulate Bot to C&C communication.

17 Validatioin: Data Leakage, Data Ex-filteration, Lateral Movements APT Step 3- Data Leakage and Persistency Leakage simulation through encrypted and non-encrypted apps. Data Leakage policy validation Lawful Interception efficiency Assessments

18 Every Malware, Every Virus s, Every Exploits Can be Hidden APT Advanced Polymorphic evasive attacks IP Fragmentation

19 DDoS Simulation by IXIA BreakingPoint 19 OLD DDOS Assessments Layer 3 IP / ICMP DDoS IP Frag Attack DDoS ICMP Request Flood Attack DDoS ICMP Response Flood Attack Layer 4 UDP LOIC UDP53 DoS Attack DDoS UDP Fragmentation DDoS Non-Spoofed UDP Flood DDoS UDP Flood Layer 4 TCP DDoS SYN Flood DDoS PSH-ACK Attack DDoS Fake Session Attack DDOS SYN-ACK Flood Attack DDoS Rcv Wnd Size Next Generation DDOS Layer 7 Apps DDoS DNS Reflect - Attack DDoS DNS Reflect - Zombie LOIC HTTP DoS Attack DDoS SIP Invite Flood DDoS Redirect DDoS DNS Flood DDoS Excessive GET POST DDoS Slow POST DDoS Recursive GET DDOS NTP Unique DDoS SlowLoris DDoS Smurf Attack DDoS TDL4 CC HTTP Flood MultiVERB DDoS RUDY DDoS LOIC TCP8080 DoS Attack

20 Pre-Built Botnet Life cycle Simulations Cutwail Zeus SpyEye ZeroAccess Duqu BlackEnergy TDL4 PushDO TDW Customization in Application Editor

21 무엇을해야하나요? Robust Networks LDAP/DHCP/DNS Proxy Services/LAN Network WAN Tap IPS/Firewall/SLB/IPSec GW DMZ Firewall - LAN Edge Core LAN Database Internet IDS Systems Sandboxes Log Server/SIEM Inside Entity Hardware Infrastructure Forensic and Investigation Efficient Network Design Active Directory DHCP VPN Web Proxy IDS/IPS Firewall/Router ACL IPSec Gateways HIDS/HIPS Endpoint Protections Redundant Hardware Robust Logging Proxy Logs Authentication Logs IDS Alerts Host-based Logs Firewall Logs Full Content Traffic Captures Netflow Server Event Logs Workstation Event Logs Common Central Logging Proper Network Segmentation Well Defined DMZ Wifi and Wireless Zoning IP Address Schemas Public Facing device control Overview of NW Infrastructure

22 Test Validation - Diverse Application Traffic Emulation

23 전형적인테스트방법 RFC 2544: Right Standard, Wrong Time UDP traffic to measure maximum throughput & latency across a range of frame sizes Introduced 1999, No value for content aware devices RFC 3511 : False Sense of Security Benchmarking methodology for stateful firewall Performance Issued in 2003, however HTTP is NOT an Application X

24 어떤 Application 을테스트할것인가? Applications Layer 1: Cat 5, Fiber, Wifi Layer 2: Ethernet Layer 3: IPv4, IPv6 Layer 4: TCP, UDP Layer 7: HTTP RFC 2544 RFC 3511 Applications Drive Business

25 익시아 (IXIA) 의도전과제 More devices GLOBAL Connecting from more places Accessing more data From more sources And attacks continue to rise..and you can see less of it and now its all moving And your users want it all now And it has to be fast And it has to work over wireless always

26 Case Study 1 Banking Enterprise NGFW Deployment Target: Single Vendor Deployment Enterprise had four district use cases All vender NGFW advertised as 10Gbps NGFW 3 Days to Quantifiable Data TCP baseline test Web Partner Portal Office Vendor A Vendor B Vendor C Trading Vendor A Vendor B Vendor C Avg Sec effectiveness * 48% 52% 28% *BreakingPoint Strike Level l0-5

27 Content Aware Device Performance Testing Demonstration NGFW 10GbE 10GbE Client/Server Client/Server

28 Content Aware Device Performance Test

29 Case Study 2 Service Provider DDoS Appliance Valid Users /Attacker Internal Network DDoS Defenses Appliance POC Time to detect and mitigate (secs) Mitigation speed Vendor A Vendor B Vendor C Syn flood UDP flood 13 ND 15 DNS flood SMTP flood SIP flood LOIC Slowloris Excessive get post ND Sockstress Botnet TDL ND Botnet Evil ND 15 ND Botnet Rudy ND 10 ND ND=Not Detected

30 Case Study 3 Financial Exchange DDoS Traffic Volumetric DDoS traffic Directed to target web servers Cloud-Based DDoS Protection DDoS Traffic Volumetric DDoS Traffic re-directed by DDoS Service Provider 1-Arm Testing Web-based Application Traffic http transactional traffic Between BreakingPoint client and target web servers Good Application Traffic Transactional web-based Application traffic through DDoS Service Provider DDoS Service Provider Target Web Servers BreakingPoint Load Generation DDoS Defenses Validation

31 A step beyond NAT Validation DNS Validation Proxy Validation Anti DDOS Validation FW Validation DLP/DPI Validation ADC Validation DHCP Validation Data Center Validation Local DNS NGFW IPS/ SPAM ADC WAN Opt Data Center NAT Proxy Anti DDOS DPI/DLP SSL/HTTP Proxy IDS DHCP 네트워크구성요소의인증

32 Testing Solution - 익시아 (IXIA) Point Overview

33 테스트가두렵나요? We Now Need I know to Test, how to, Assess what and to and Validate when to But we Don t know how to, what to and when to 어플리케이션과보안 네트워크인프라리질리언시 사이버보안트레이닝 Pre-created, pre-packaged profiles, configurations and scenarios Popular Botnets of the world Advanced Persistent Threats Canned Enterprise and Datacenter Application Mixes Service provider Mix from around the world Resiliency Labs Lawful Intercept validations Information Security validations Cyber Range Labs SLA/QoE/QoS 인증

34 Perfectstorm has everything in L47 that Ixia has Voice & Video Network Security Application Storage Wireless/LTE Holistic Network and Datacenter Assessments Datacenter Device and Service Evaluation Service and SLA Assurance Device and Application Test and QOE/QOS Assessment Device Test and Evaluation Resiliency Testing IP Security V4/V6 Transition Mobile Scale and Security Assessments

35 How Ixia Helps : 다양한가상시나리오를통한인증 LDAP/DHCP/DNS SIEM/IDS Services/LAN Network WAN Firewall/IPS/SLB/VPN Firewall - LAN Edge Tap Core Internet IDS Systems Sandboxes Log Server Ixia BPS as a traffic generator: Baseline Network Traffic Device validation with Realistic Application traffic Practice every stage of APT Mitigations Phishing Attack Malware Delivery Data Ex-filteration Lateral Movements Continuously improve Attack Detection Time(ADT) Continuous practice of C.D.A.R cycle (Detect ->Collect -> Assess -> Remediate Database Inside Entity

36 PerfectStorm ONE 통합테스팅솔루션

37 Application and Threat Intelligence (ATI) Simulation and Testing Applications & Security Real Attacks 6,000+ live security attacks 35,000+ pieces of live malware 180+ evasions classes DDoS and botnet simulation Custom attacks Research and frequent updates Real-World Applications 250+ application protocols Social, peer-to-peer, voice, video Web, SSL, enterprise applications, Gaming Mobile Storage workloads Custom applications Frequent updates 26 biweekly updates NEW applications NEW DDoS/APT

38 END-TO-END PRODUCT FAMILY Founded in 1997 IP Testing Wireless Testing Acquired June 2009 Increased Router Testing Acquired Oct 2009 Wi-Fi, WLAN Testing Acquired July 2011 Network Visibility Acquired Jun-e 2012 Actionable Security Intelligence (ASI) Acquired August 2012

39 Application Performance and Security Resilience 감사합니다