CLOUD SECURITY: PROTECTING YOUR CLOUD-BASED IT INFRASTRUCTURE. Stephen Coty, Chief Security Evangelist

Threats in the Cloud are Increasing With Adoption
- Increase in attack frequency
- Traditional on-premises threats are moving to the cloud
- The majority of cloud incidents were related to web application attacks, brute force attacks, and vulnerability scans
- Brute force attacks and vulnerability scans are now occurring at near-equivalent rates in both cloud and on-premises environments
- Malware/botnet activity is increasing year over year

Cloud Attacks With the Biggest Change
- Cloud environments saw significant increases, with brute force attacks climbing from 30% to 44% of customers and vulnerability scans increasing from 27% to 44%
- Malware/botnet attacks, historically the most common attacks in the on-premises datacenter, are on the rise in CHP environments

Honeypot Designs
The honeypot data cited was gathered using:
- Low-interaction: simulates high-level services
- Medium-interaction: delivers form pages and collects keystrokes
- SCADA: simulates a Supervisory Control And Data Acquisition system
- Web application: software that emulates a vulnerable OS and application
Fictitious business domains were created to redirect traffic to what would be considered a legitimate business. These honeypots monitored connections to common ports and gathered statistics on IP, country, and malware, if submitted.

Honeypot Findings
- The highest volume of attacks occurred in Europe
- Attacks against Microsoft DS accounted for over 51% of the overall attack vectors
- Database services have been a consistent target
- 14% of the malware loaded on the honeypots was considered undetectable by AV
- This underscores the importance of a defense-in-depth strategy for securing your enterprise and cloud infrastructure

Global Analysis

Industry Analysis - Financial

Industry Analysis - Healthcare

Emerging Groups

Tools of the Trade

HOW DO WE DEFEND AGAINST THESE ATTACKS

Security Architecture
- Network: Firewall/ACL; Intrusion Detection; Deep Packet Forensics; Netflow Analysis; NAC; DDoS; Scanner
- Server/App: Vulnerabilities; Log Mgmt; SDLC; Patch Mgmt; Mail/Web Filter; Scanner; Backup
- Host: Anti-Virus; Encryption (GPG/PGP); FIM; Anti-Malware; IAM; Central Storage

Data Correlation is the Key

Content is King
alert tcp $EXTERNAL_NET any -> any any (msg:"heartbleed Scan Detected - Heartbeat"; flow:to_server,established; content:"|00 0f|"; rawbytes; classtype:successful-recon-limited; sid:4560000004; rev:1;)
alert tcp $EXTERNAL_NET any -> any any (msg:"heartbleed Scan Detected - Metasploit - Pattern 1"; flow:to_server,established; content:"|18 03 02 00 03 01|"; rawbytes; classtype:heartbleed-information-leak; sid:4560000005; rev:1;)
alert tcp $EXTERNAL_NET any -> any any (msg:"heartbleed Scan Detected - Mal Pattern 2"; flow:to_server,established; content:"|18 03 01 00 03 01|"; rawbytes; classtype:heartbleed-information-leak; sid:4560000006; rev:1;)
alert tcp $EXTERNAL_NET any -> any any (msg:"heartbleed Scan Detected - Mal Pattern 3"; flow:to_server,established; content:"|18 03 03 00 03 01|"; rawbytes; classtype:heartbleed-information-leak; sid:4560000007; rev:1;)
Note: the hex content matches need Snort's |..| delimiters (lost in the slide rendering), and heartbleed-information-leak is not a stock Snort classtype, so it must be added to classification.config before these rules will load.
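The three pattern rules above match a TLS heartbeat request whose record carries only its three-byte header. As an added example (not from the slides), the Python below parses a TLS record the same way and then applies the check a signature cannot express: whether the declared payload length exceeds the bytes actually present. The sample records are constructed, not captured traffic.

```python
import struct

TLS_HEARTBEAT = 0x18      # TLS record content type for heartbeat (RFC 6520)
HEARTBEAT_REQUEST = 0x01  # heartbeat message type: request
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# The byte patterns the slide's three "Pattern" rules match: a heartbeat
# record for TLS 1.0/1.1/1.2 whose record length is 3 and type is request.
SLIDE_PATTERNS = [bytes.fromhex(h) for h in
                  ("180302000301", "180301000301", "180303000301")]


def matches_slide_signature(data: bytes) -> bool:
    """True if the record starts with one of the slide's content patterns."""
    return any(data.startswith(p) for p in SLIDE_PATTERNS)


def inspect_heartbeat(data: bytes) -> dict:
    """Parse one TLS record; alert when it is a heartbeat request whose
    declared payload length exceeds the payload actually carried."""
    if len(data) < 5:
        return {"alert": False, "reason": "truncated record header"}
    ctype, version, rec_len = struct.unpack("!BHH", data[:5])
    if ctype != TLS_HEARTBEAT or version not in TLS_VERSIONS:
        return {"alert": False, "reason": "not a TLS heartbeat record"}
    body = data[5:5 + rec_len]
    if len(body) < 3:
        return {"alert": True, "reason": "heartbeat shorter than its header"}
    hb_type, declared = struct.unpack("!BH", body[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return {"alert": False, "reason": "heartbeat response"}
    actual = len(body) - 3  # payload plus padding bytes really present
    oversized = declared > actual  # the check a vulnerable OpenSSL skipped
    return {"alert": oversized, "version": TLS_VERSIONS[version],
            "declared": declared, "actual": actual,
            "signature_hit": matches_slide_signature(data),
            "reason": "declared payload exceeds record" if oversized
                      else "well-formed heartbeat request"}


# Constructed samples, not captured traffic: a scanner-style probe claiming
# 16384 payload bytes while sending none, and a legitimate request carrying
# the 16 payload bytes it declares plus the 16 padding bytes RFC 6520 requires.
PROBE = bytes.fromhex("180302000301" "4000")
BENIGN = bytes.fromhex("1803030023" "01" "0010") + b"A" * 16 + b"\x00" * 16

if __name__ == "__main__":
    for name, rec in (("probe", PROBE), ("benign", BENIGN)):
        print(name, inspect_heartbeat(rec))
```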

THREAT INTELLIGENCE

Why Honeypots?
Honeypots give us a unique data set:
- Simulate vulnerable systems without the risk of real data loss
- Give the ability to collect intelligence from malicious attackers
- Allow collection of various different attacks based on the system
- Help identify what industry-specific targets are out there

Samples of Malware Detected
If an attacker were using the collected malware to launch an attack against an individual or an enterprise, it would theoretically be run in this order:
1. Ping sweep
2. Port reconnaissance
3. Exploit a vulnerability
4. Check for shares or networked drives
5. Load malware
6. Load worm
7. Load Remote Access Trojan for full control

Partnering with other Researchers

Associations

Monitoring the Social Media Accounts

Following IRC and Forums

Tracking and Predicting the Next Move
- He is a guy from a European country (Russia)
- His handle or nick is madd3
- Using ICQ 416417 as a tool of communication (illegal transactions)
- A simple /whois command on the nick provided us with good information:
    85.17.139.13 (Leaseweb)
    ircname : John Smith
    channels : #chatroom
    server : irc.private-life.biz [Life Server]
- Check this out: the user has another room, #attackroom4
- We can confirm that Athena version 2.3.5 is being used to attack other sites
- 2,300 infected users
- Cracked software is available in forums
- As of today, 1 BTC is $618.00 or 361.66

Forums to Follow: darkode.com & exploit.in (Russian)

CLOUD SECURITY BEST PRACTICES

Cloud Environments 101

How the Hypervisor Functions
- In this model the processor provides 4 levels, also known as rings, arranged in a hierarchical fashion from Ring 0 to Ring 3. Only 0, 1 and 3 have privilege; some kernel designs demote certain privileged components to ring 2
- The operating system runs in ring 0, with the operating system kernel controlling access to the underlying hardware
- To assist virtualization, VT and Pacifica insert a new privilege level beneath Ring 0. Both add nine new machine code instructions that only work at "Ring -1", intended to be used by the hypervisor

Cloud Server Architecture
VM servers are designed so that the hypervisor (or monitor, or Virtual Machine Manager) is the only fully privileged entity in the system, and has an extremely small footprint. It controls only the most basic resources of the system, including CPU and memory usage, privilege checks, and hardware interrupts.

Nine Best Practices of Cloud Security
1. Secure your code
2. Create access management policies
3. Adopt a patch management approach
4. Review logs regularly
5. Build a security toolkit
6. Stay informed of the latest vulnerabilities that may affect you
7. Understand your cloud service provider's security model
8. Understand the shared security responsibility
9. Know your adversaries

1. Secure Your Code
- Test inputs that are open to the Internet
- Add delays to your code to confuse bots
- Use encryption when you can
- Test libraries
- Scan plugins
- Scan your code after every update
- Limit privileges
- Stay informed

2. Create Access Management Policies
- Identify data and infrastructure that require access control
- Define roles and responsibilities
- Simplify access controls (KISS)
- Continually audit access
- Start with a least-privilege access model

3. Adopt a Patch Management Approach
- Inventory all production systems
- Devise a plan for standardization, if possible
- Compare reported vulnerabilities to production infrastructure
- Classify the risk based on vulnerability and likelihood
- Test patches before you release into production
- Set up a regular patching schedule
- Keep informed; follow Bugtraq
- Follow an SDLC

4. Importance of Log Management and Review
Why review logs:
- Monitoring for malicious activity
- Forensic investigations
- Compliance needs
- System performance
What a log management program needs:
- All sources of log data are collected
- Data types (Windows, syslog)
- Review process
- Live monitoring
- Correlation logic

5. Build a Security Toolkit
Recommended security solutions:
- Antivirus
- iptables/firewall
- Backups
- FIM
- Intrusion Detection System
- Malware detection
- Web Application Firewalls
- Anomalous behavior detection via netflow
- Future: deep packet forensics

6. Stay Informed of the Latest Vulnerabilities
Websites to follow:
- http://www.securityfocus.com
- http://www.exploit-db.com
- http://seclists.org/fulldisclosure/
- http://www.securitybloggersnetwork.com/
- http://cve.mitre.org/
- http://nvd.nist.gov/
- https://www.alertlogic.com/weekly-threat-report/

7. Understand Your Cloud Service Provider's Security Model
- Review of service provider responsibilities
- Hypervisor example
- Questions to use when evaluating cloud service providers

8. Service Provider & Customer Responsibility Summary
Customer Responsibility:
- Apps: secure coding and best practices; software and virtual patching; configuration management; access management; application-level attack monitoring
- Hosts: access management; patch management; configuration hardening; security monitoring; log analysis
- Networks: network threat detection; security monitoring
Cloud Service Provider Responsibility:
- Hosts: hardened hypervisor; system image library; root access for customer
- Networks: logical network segmentation; perimeter security services; external DDoS, spoofing, and scanning prevented
- Provider Services: compute; storage; DB; network

9. Understand your Adversaries

EXAMPLES OF SHARED RESPONSIBILITIES

Exploitation of the Hypervisor: CVE-2014-1666
- The PHYSDEVOP_{prepare,release}_msix operations are supposed to be restricted to dom0, since they allow access to the host and to other VMs controlled by the host, but the necessary privilege level check was missing
- Two functions were added to Xen's physdevop to manage resource allocation and deallocation for MSI-X devices
- This can easily result in malicious or misbehaving unprivileged guests causing the host or other guests to malfunction, i.e. a host-wide denial of service of all the VMs and the host itself
- In physdev.c the attacker has a function: ret_t do_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
- This dispatches on the command value in a switch/case, which leads us to:

Exploitation of the Hypervisor: CVE-2014-1666 (continued)
- Knowing the attacker has seg, bus, and devfn, these are now passed to pci_prepare_msix (Figure 1)
- The attacker first has to pass the pos check from pci_find_cap_offset. If there's nothing there, they then have to pass the pci_get_pdev check
[Figure 1: pci_find_cap_offset]

Application Exploitation Without Secure Coding
- WordPress: 162,000 legitimate sites used for a DDoS attack
- Exploited the XML-RPC protocol; pingback-enabled sites were exploited via
  - Trackbacks
  - Pingbacks
  - Remote access via mobile devices
- Generated over 24 million hits at a rate of 3,000 hits per second
- A random query string such as ?4137049=643182 bypasses the cache and forces full page reloads
- Check logs for POST requests to the XML-RPC file
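The slide's log check, as an added example that is not part of the original deck: it flags both sides of the pingback abuse, POST requests to xmlrpc.php on a site being used as a reflector, and GET requests with a random numeric query string from WordPress pingback verifiers on the target. It assumes Apache combined-format logs and the WordPress pingback User-Agent string; the sample lines are constructed.

```python
import re
from collections import Counter

# Apache "combined" log format (the constructed sample lines below follow it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Cache-busting query string of the form ?<digits>=<digits>, as in the slide.
RANDOM_QUERY_RE = re.compile(r'\?\d+=\d+$')


def classify(line: str):
    """Return ("xmlrpc_post", ip) if this site is being used as a pingback
    reflector, ("pingback_flood", ip) if it is the target of reflected
    pingback traffic, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, ua = m.group("ip", "method", "path", "ua")
    if method == "POST" and path.split("?")[0].endswith("/xmlrpc.php"):
        return ("xmlrpc_post", ip)
    if method == "GET" and RANDOM_QUERY_RE.search(path) and "pingback" in ua.lower():
        return ("pingback_flood", ip)
    return None


def summarize(lines):
    """Count suspicious requests per source IP, keyed by finding type."""
    findings = {"xmlrpc_post": Counter(), "pingback_flood": Counter()}
    for line in lines:
        hit = classify(line)
        if hit:
            kind, ip = hit
            findings[kind][ip] += 1
    return findings


# Constructed sample log lines (not real traffic): two POSTs show a site being
# abused as a reflector; the two random-query GETs show a target being hit.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2014:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2014:12:00:02 +0000] "GET /?4137049=643182 HTTP/1.0" 200 8123 "-" "WordPress/3.8; http://blog.example; verifying pingback from 198.51.100.7"
203.0.113.10 - - [10/Mar/2014:12:00:02 +0000] "GET /?9911020=113311 HTTP/1.0" 200 8123 "-" "WordPress/3.7.1; http://other.example; verifying pingback from 198.51.100.7"
192.0.2.5 - - [10/Mar/2014:12:00:03 +0000] "GET /index.php?p=12 HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2014:12:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for kind, counter in summarize(SAMPLE_LOG).items():
        print(kind, dict(counter))
```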

Application Exploitation Without Secure Coding
- This June 0-day allows an attacker to remotely remove and modify files stored on the server without authentication
- TimThumb, written by Ben Gillbanks, is a simple, flexible PHP script that resizes images. You give it a bunch of parameters, and it spits out a thumbnail image that you can display on your site
- Looking at the type of vulnerabilities that hackers were trying to exploit, we saw a clear preference for Remote File Inclusion vulnerabilities, which accounted for 96% of all vulnerability types
- Patch was released in Q3
Source: WhiteHat Security

To Follow Our Research
Twitter: @AlertLogic, @StephenCoty
Blog: https://www.alertlogic.com/resources/blog
Newsletter: https://www.alertlogic.com/weekly-threat-report/
Websites to follow:
- http://www.securityfocus.com
- http://www.exploit-db.com
- http://seclists.org/fulldisclosure/
- http://www.securitybloggersnetwork.com/
- http://cve.mitre.org/
- http://nvd.nist.gov/
- https://www.alertlogic.com/weekly-threat-report/
Cloud Security Report: https://www.alertlogic.com/resources/cloud-security-report/
Zero Day Magazine: http://www.alertlogic.com/zerodaymagazine/

THANK YOU