Defending Against 1,000,000 Cyber Attacks by Michael Banks

Post on 16-Apr-2017


Defending Against 1,000,000 Cyber Attacks

Michael Banks | Rendition InfoSec

$whoami

Michael Banks (@4MikeBanks)

• Information Security Consultant

• SigO

$./disclaimer.py | OVAMO | IANAL | TINLA

OVAMO: Opinions and Views of this presentation are my own and not of any of my employers

IANAL: I am not a lawyer

TINLA: This is not legal advice

$./Overview.py

• Background

• Cyber Attacks

• Numbers

• Project Slam

• Takeaways

$./Background.py

$./helloWorld.py

Standard Form 86 (SF-86)

$./traceRoute.py --myLifeandData

“Hacking of Government Computers Exposed 21.5 Million People” – NY Times

$./drill.py | grep “WTF”

“…OPM, for example thwarts 10 million confirmed intrusion attempts targeting our network.” – Katherine Archuleta

$./theme.py

1. Need more talent.

2. <insert org here> faces MILLIONS of cyber attacks…

3. The inevitable:

Cyber Pearl Harbor

$./CyberAttacks.py

Who are you asking?

$./cyberAttacks.py --congress

18 U.S.C. § 1030. Computer Fraud & Abuse Act

“Fraud and related activity in connection with computers: (a) Whoever— (1) having knowingly accessed a computer without authorization or exceeding authorized access…”

$./cyberAttacks.py --dod

DOD Joint Terminology for Cyberspace Operations

“A hostile act using computer or related networks or systems, and intended to disrupt and/or destroy an adversary’s critical cyber systems, assets, or functions.”

$./cyberAttacks.py --defineAudience

18 U.S.C. § 1030. Computer Fraud & Abuse Act

DOD Joint Terminology for Cyberspace Operations

$./Numbers.py

$./numbers.py --shhh

“Officials said Saturday that over 62,000 cyberattacks had been registered in a single day…”

“…70 million hacker attacks on the servers…”

“The Kingdom had experienced more than 60 million cyber-attacks last year…”

“…systems automatically detect and prevent more than 10 million attacks, from tens of thousands of locations, including millions of attacks where the attacker has valid credentials. That’s over 4 billion attacks prevented last year alone…”

$./numbers.py

“Up to 300 Million Cyber Attacks on XXX (3LA) Data Centers Take Place Each Day”

$./numbers.py --includeReality

What do these numbers even mean, and how are they being calculated?

$./numbers.py --strangeAddition

Media/Public

• SSH Brute Force Attempt

• Wordlist of 10,000

• 1 IP (x.x.x.x)

• 3 Mins

• Unsuccessful Login

• Reported as: 10,000 Rapid Sophisticated Cyber Attacks Thwarted

Analyst/Community

• SSH Brute Force Attempt

• Wordlist of 10,000

• 1 IP (x.x.x.x)

• 3 Mins

• Unsuccessful Login

• Reported as: 1 Failed Attempted Intrusion Event

$./numbers.py --strangeAddition

Media/Public

• All Port nMap Scan

• 65535 Ports

• 1 IP (x.x.x.x)

• 1 Min

• Reported as: Over 65,000 Rapid Sophisticated Cyber Attacks Thwarted

Analyst/Community

• All Port nMap Scan

• 65535 Ports

• 1 IP (x.x.x.x)

• 1 Min

• Reported as: No Report (“We get scanned all the time”)
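To make the two counting methods on these slides concrete, here is an added Python example (not code from the talk or from Project Slam). It parses constructed OpenSSH auth.log and iptables-style DROP lines for the two scenarios above and tallies them both ways: once per log line, which is where "10,000 attacks thwarted" comes from, and once per correlated event, which is what the analyst column reports. The log line formats, host names, IP addresses and the five-minute grouping window are all assumptions.

```python
import re
from datetime import datetime, timedelta

LOG_YEAR = 2016                     # assumed: syslog timestamps carry no year
DEFAULT_GAP = timedelta(minutes=5)  # assumed: lines from one source closer than this are one event

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
# OpenSSH "Failed password" lines and a firewall DROP rule that logs SRC/DPT
SSH_FAILED = re.compile(
    SYSLOG_TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+(?:\.\d+){3}) port \d+")
FW_DROP = re.compile(
    SYSLOG_TS + r" \S+ kernel: .*DROP.* SRC=(?P<src>\d+(?:\.\d+){3}) .* DPT=\d+")


def parse_line(line):
    """Return (timestamp, source_ip, kind) for a recognised line, else None."""
    for kind, pattern in (("ssh-auth-failure", SSH_FAILED), ("fw-drop", FW_DROP)):
        m = pattern.match(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            return ts, m["src"], kind
    return None


def count_attacks(lines, gap=DEFAULT_GAP):
    """Count the same lines two ways.

    The first value is the per-line tally behind "N attacks thwarted" headlines.
    The second is a list of events: lines are grouped by (source, kind) and a
    group is split only where consecutive lines are more than `gap` apart,
    which is what an analyst reports as one brute-force attempt or one scan.
    """
    records = sorted((r for r in map(parse_line, lines) if r),
                     key=lambda r: (r[1], r[2], r[0]))
    events = []
    last_key = last_ts = None
    for ts, src, kind in records:
        key = (src, kind)
        if key != last_key or ts - last_ts > gap:
            events.append({"src": src, "kind": kind, "start": ts, "end": ts, "lines": 0})
        events[-1]["end"] = ts
        events[-1]["lines"] += 1
        last_key, last_ts = key, ts
    return len(records), events


def make_sample_log(attempts=10_000, ports=65_535):
    """Constructed log lines for the two slide scenarios (not real traffic)."""
    t0 = datetime(LOG_YEAR, 4, 16, 10, 0, 0)
    lines = []
    # a 10,000-entry wordlist against root from one IP over three minutes
    for i in range(attempts):
        ts = t0 + timedelta(seconds=180 * i / attempts)
        lines.append(f"{ts:%b %d %H:%M:%S} honeypot sshd[4242]: Failed password for root "
                     f"from 203.0.113.5 port {40000 + i % 20000} ssh2")
    # every TCP port from one IP within one minute, caught by a logging DROP rule
    for p in range(1, ports + 1):
        ts = t0 + timedelta(hours=1, seconds=60 * p / ports)
        lines.append(f"{ts:%b %d %H:%M:%S} honeypot kernel: FW-DROP IN=eth0 OUT= "
                     f"SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=54321 DPT={p} ")
    return lines


if __name__ == "__main__":
    raw, events = count_attacks(make_sample_log())
    print(f"media count: {raw:,} attacks")
    print(f"analyst count: {len(events)} events")
    for e in events:
        print(f"  {e['kind']} from {e['src']}: {e['lines']:,} lines, "
              f"{e['start']:%H:%M:%S}-{e['end']:%H:%M:%S}")
```

Run stand-alone it prints a 75,535-line "media count" against two analyst events. The grouping window is the only tunable: a sweep that pauses longer than the gap is reported as two events, which is the right failure mode because it errs toward the analyst's under-count rather than the headline's over-count.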

$./projectSlam.py

A project designed to research adversary behavior and utilize the data captured to generate wordlists, blacklists, and methodologies of various threat actors that can be provided back to the public.

$./projectSlam.py

• v1 (2016)

• Kippo-0.9

• Debian 8

• Cloud Based Deployment

• Geographically Located in New York

• Public Accessible Ports:

• 22 (kippo), 80, 443, xxx (ssh)

$./projectSlam.py

• Username / Pass (Wordlist)

• Source IP (Location)

• Full TTY Sessions

• A!! D@ Toolz

$./projectSlam.py

• v2 (2017) – a full interaction honeypot to enumerate more information from the attacker.

• Docker (Pre-Populated)

$./projectSlam.py

Trailing 27 Weeks


$./projectSlam.py

Usernames Count

1. root 543,328

2. admin 14,174

3. Administrator 1,428

4. support 1,154

5. user 1,028

6. test 856

7. ubnt 724

8. guest 582


9. oracle 418

10. ftpuser 404

11. PlcmSpIp 400

12. pi 357

13. postgres 282

14. operator 248

15. git 241

$./projectSlam.py

Passwords Count

1. 123456 4,072

2. admin 3,941

3. password 3,630

4. root 3,353

5. 1234 3,292

6. 12345 3,178

7. !@ 3,105

8. test 2,991

9. 123 2,848

10. 1 2,750

11. p@ssw0rd 2,706

12. wubao 2,641

13. root123 2,596

14. jiamima 2,562

15. !q@w 2,524

16. ! 2,522

17. !qaz@wsx 2,499

18. idc!@ 2,439

19. admin!@ 2,425

20. support 830

$./projectSlam.py

Trailing 27 Weeks

$./projectSlam.py

~4,000 Every Day

~1.4 Million in a year

$./projectSlam.py | whatsNext

• Report for 2016 (Jan ‘17)

• Full Report

• Wordlist

• IP List & More

• Deployment for 2017 (Jan-Dec)

• Report for 2017 (Jan ‘18)

• Full Report

• Wordlist

• IP List


$TakeHome.py

Github.com/mikebanks/projectSlam

$TakeHome.py

• Partial Wordlist

• Partial IP List


$Conclusion.py

• Reset default credentials

• Where possible use 2FA

• Change your SSH port

• Don’t use simple passwords

• Use unique usernames

• Disable root login
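Three of the conclusion points (change the SSH port, disable root login, don't rely on simple passwords) are sshd_config settings, so here is an added Python example, not from the talk, that audits a configuration against them. It embeds a constructed stock-looking sshd_config beside a hardened one and reproduces two sshd parsing rules that auditing scripts commonly get wrong: keywords are case-insensitive and the first occurrence of a keyword wins, and anything after a Match line is conditional and therefore out of scope. The listed defaults (Port 22, PasswordAuthentication yes, PermitRootLogin prohibit-password as of OpenSSH 7.0) are sshd's documented defaults; the configs and finding texts are my own.

```python
import re

# Constructed example of a stock-looking sshd_config (not from the talk).
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed example following the conclusion slide. A second factor through
# PAM keyboard-interactive is assumed to be configured separately.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
"""

# Values sshd uses when the keyword is absent (PermitRootLogin default since OpenSSH 7.0).
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
}


def parse_sshd_config(text):
    """Effective global settings of an sshd_config.

    Mirrors sshd: keywords are case-insensitive, "Key value" and "Key=value"
    are both accepted, the first occurrence of a keyword wins, and parsing stops
    at the first Match block because its settings only apply conditionally.
    """
    settings = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key in seen:
            continue
        seen.add(key)
        settings[key] = value
    return settings


def audit(text):
    """Findings against the conclusion slide; an empty list means all three pass."""
    s = parse_sshd_config(text)
    findings = []
    if s["port"] == "22":
        findings.append("Port 22: the default port draws the bulk of opportunistic brute force")
    if s["permitrootlogin"] != "no":
        findings.append(f"PermitRootLogin {s['permitrootlogin']}: root is the username in "
                        "most honeypot attempts; set it to no")
    if s["passwordauthentication"] != "no":
        findings.append(f"PasswordAuthentication {s['passwordauthentication']}: password "
                        "logins are what the wordlists target; use keys and a second factor")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for f in audit(cfg) or ["no findings"]:
            print("  -", f)
```

The first-occurrence rule is the one to remember when reviewing a real file: appending `PermitRootLogin no` to the bottom of a config that already says `PermitRootLogin yes` higher up changes nothing, and the audit reports the file exactly as sshd will read it.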

$Questions.py |audience

RenditionInfoSec.com | @4MikeBanks | Michael@RenditionInfoSec.com | (847) 208-2393

MichaelBanks.org
