Cyber Kill Chain vs. Cyber Criminals


Upload: dave-sweigert-ceh-cisa-cissp-hcispp-pcip-pmp

Post on 16-Apr-2017


Page 1: Cyber Kill Chain vs. Cyber Criminals

Cybercrime Kill Chain vs. Effectiveness of Defense Layers

Dr. Stefan Frei & Francisco Artés
@stefan_frei @franklyfranc

Trusted Advice. Measured.

Page 2: Cyber Kill Chain vs. Cyber Criminals

THE FLIGHT TO ABU DHABI TOOK LONGER THAN TESTING IPS.

Page 3: Cyber Kill Chain vs. Cyber Criminals

Speaker – Dr. Stefan Frei

§ Professional
  § Research Director @ NSS Labs
  § Research Analyst Director @ Secunia
  § Senior Researcher & Pentester @ ISS X-Force
§ Contact
  § Email: [email protected]
  § Twitter: @stefan_frei

Page 4: Cyber Kill Chain vs. Cyber Criminals

Speaker – Mr. Francisco Artés

§ Professional
  § Research Director @ NSS Labs
  § CSO/CISO
    § Trace3
    § Deluxe Entertainment
    § Electronic Arts
§ Contact
  § Email: [email protected]
  § Twitter: @franklyfranc

Page 5: Cyber Kill Chain vs. Cyber Criminals

ABSTRACT

Cybercriminals persistently challenge the security of organizations through the rapid implementation of diverse attack methodologies, state-of-the-art malware, and innovative evasion techniques. In response, organizations deploy and rely on multiple layers of diverse security technologies. This talk examines the attackers' kill chain and the measured effectiveness of typical defense technologies such as Next Generation Firewalls, Intrusion Prevention Systems (IPS), Antivirus/Malware Detection, and browsers' internal protection. Empirical data on the effectiveness of security products, derived from NSS Labs' harsh real-world testing, is presented together with a live demonstration of successful evasion of malware detection. We find a considerable gap in protection levels within and across different security product groups. Using Maltego, complex correlations between undetected exploits, crimeware kits, and affected software vendors and products are demonstrated.

Page 6: Cyber Kill Chain vs. Cyber Criminals

Agenda

§ How we get attacked
§ Layered Defense
§ Results from NSS Labs' testing
§ Demonstration of Exploit vs. Layered Defense
§ Conclusion

Page 7: Cyber Kill Chain vs. Cyber Criminals

Attack Kill Chain – Attacker vs. Defender

[Diagram: Attacker's View: Prepare Attack (Method/Tools), Detection Evasion, Target Exploitation, Value Extraction. Defender's View: attack detection / prevention, breach detection. Labels: off premise, server, desktop.]

Page 8: Cyber Kill Chain vs. Cyber Criminals

Attack Kill Chain – Understanding the Attacker

[Diagram: kill chain stages Prepare Attack (Method/Tools), Detection Evasion, Target Exploitation, Value Extraction; defender stages attack detection / prevention, breach detection. Labels: off premise, server, desktop.]

Understand the threat and the attackers' motivation & methods

Page 9: Cyber Kill Chain vs. Cyber Criminals

Attack Kill Chain – Understanding Evasion

[Diagram: kill chain stages Prepare Attack (Method/Tools), Detection Evasion, Target Exploitation, Value Extraction; defender stages attack detection / prevention, breach detection. Labels: off premise, server, desktop.]

Understand how malware bypasses detection

Assess the effectiveness of layered defenses

Page 10: Cyber Kill Chain vs. Cyber Criminals

Attack Kill Chain – If prevention failed

[Diagram: kill chain stages Prepare Attack (Method/Tools), Detection Evasion, Target Exploitation, Value Extraction; defender stages attack detection / prevention, breach detection. Labels: off premise, server, desktop.]

Detect & neutralize

Page 11: Cyber Kill Chain vs. Cyber Criminals

The Changing Threat Environment

[Chart: Motivation plotted against Attackers' Expertise. Motivation labels: Vandalism; Author of Tools; Theft; Personal Gain; Personal Fame; Curiosity. Expertise levels: Script-Kiddy, Hobbyist Hacker, Expert.]

Tools created by experts now used by less-skilled criminals, for personal gain

Fastest growing segment

Page 12: Cyber Kill Chain vs. Cyber Criminals

Malware Development & Tools

§ Cybercriminals developed formidable tools
  Easy to use development tools, Q&A, and service level agreements just as in every mature industry
§ Detection Evasion and Resilience
  By design, malware is developed and deployed with detection evasion in mind

Page 13: Cyber Kill Chain vs. Cyber Criminals

Malware Development Process

1. Create malicious tool
2. Obfuscate malware, create permutations
3. Test against detection engines
4. Deploy undetected samples

[Diagram: Development (1), Evasion (2), Q & A (3), Deployment (4); labels: 1 x, 10,000 x, 5,000 x]

Page 14: Cyber Kill Chain vs. Cyber Criminals

Underground Market

Malware offered for $249 with a Service Level Agreement and replacement warranty if the creation is detected by any anti-virus within 9 months

Page 15: Cyber Kill Chain vs. Cyber Criminals

The Availability of Malware Tools

Any enterprise can become a victim of attack: at any time, for any reason, and without being specifically targeted.

Results in a high degree of attack automation, from systematic identification of targets to fully automated exploitation

Leads to an increase in opportunistic attacks, as the attacker no longer needs expertise or special skills

Page 16: Cyber Kill Chain vs. Cyber Criminals

Automated vulnerability scanners and attack tools cannot differentiate if you consider yourself a high-risk target or not.

Page 17: Cyber Kill Chain vs. Cyber Criminals

Our Response: Layered Security

We respond and rely on layered security

Key Security Technologies available:
§ Network Firewall
§ Next Generation Firewall
§ Intrusion Prevention Systems (IPS)
§ Antivirus / Antimalware
§ Browser Protection

How effective is the defense? How do we know?

Page 18: Cyber Kill Chain vs. Cyber Criminals

Layered Defense - Perimeter

[Diagram: Perimeter layer: Firewall, IPS. Labels: on premise, off premise, server, desktop, laptop.]

Page 19: Cyber Kill Chain vs. Cyber Criminals

Layered Defense – Host Based

[Diagram: Perimeter layer: Firewall, IPS. Host based layer: Anti Virus, Browser URL Block. Labels: on premise, off premise, server, desktop, laptop.]

Page 20: Cyber Kill Chain vs. Cyber Criminals

Layered Defense – Direct Attack

[Diagram: Perimeter layer: Firewall, IPS. Host based layer: Anti Virus, Browser URL Block. Path shown: direct attack. Labels: on premise, off premise, server, desktop, laptop.]

Page 21: Cyber Kill Chain vs. Cyber Criminals

Layered Defense – Indirect Attack

[Diagram: Perimeter layer: Firewall, IPS. Host based layer: Anti Virus, Browser URL Block. Paths shown: direct attack, indirect attack. Labels: on premise, off premise, server, desktop, laptop.]

Page 22: Cyber Kill Chain vs. Cyber Criminals

Layered Defense – Side channel Attack

[Diagram: Perimeter layer: Firewall, IPS. Host based layer: Anti Virus, Browser URL Block. Paths shown: direct attack, indirect attack, sidechannel attack. Labels: on premise, off premise, server, desktop, laptop.]

Page 23: Cyber Kill Chain vs. Cyber Criminals

Or any of these:

Page 24: Cyber Kill Chain vs. Cyber Criminals

We are doing this:

Page 25: Cyber Kill Chain vs. Cyber Criminals

Wizard-like knowledge…

Page 26: Cyber Kill Chain vs. Cyber Criminals

Engineering Workflow ..

.. sadly, security testing is not that simple

Page 27: Cyber Kill Chain vs. Cyber Criminals

It's more like this -

Page 28: Cyber Kill Chain vs. Cyber Criminals

Where does the data come from?

§ Multi-million dollar research and testing facility in Austin, Texas
§ Capable of 24 x 7 testing
§ Global research network captures Internet threats, zero-days & trends live, as they arise

Page 29: Cyber Kill Chain vs. Cyber Criminals

Security Test Metrics

To determine the security effectiveness of devices, the following metrics were used:

1. Exploit Block Performance
2. Anti Evasion Performance
3. Performance & Leakage
4. Stability & Reliability

Page 30: Cyber Kill Chain vs. Cyber Criminals

Metric 1: Exploit Block Performance

§ The same types of attack as used by modern cyber criminals
§ Utilizing multiple commercial, open source and proprietary tools as appropriate
§ More than 1,400 exploits, tested such that
  § a reverse shell is returned, allowing the attacker to execute arbitrary commands
  § a malicious payload is installed
  § a system is rendered unresponsive

Page 31: Cyber Kill Chain vs. Cyber Criminals

Metric 2: Anti Evasion Performance

§ Providing exploit protection without factoring in evasion/obfuscation is misleading
§ Additional test cases are generated for each appropriate evasion technique.
  • At TCP, IP, and application protocol level
  • Fragmentation, Segmentation, Obfuscation, Encoding, Compression and all combinations thereof

Page 32: Cyber Kill Chain vs. Cyber Criminals

Metric 3: Performance and Leakage

§ Trade-off between security effectiveness and performance
  Ensure vendors don't take security shortcuts to maintain or improve performance
§ Evaluated based upon three traffic types
  Based on hundreds of metrics such as connection rates, latency, delta in performance with different packet sizes and HTTP response sizes, stateful/connection tracking capabilities, ..
  § a mix of perimeter traffic common in enterprises
  § a mix of internal traffic common in enterprises
  § 21KB HTTP response traffic

Page 33: Cyber Kill Chain vs. Cyber Criminals

Metric 4: Stability & Reliability

§ Long-term stability is particularly important for an in-line device
  Verify the stability of the device under test
§ Tests the ability to maintain security effectiveness under normal & malicious traffic load
  Products that are not able to sustain legitimate traffic (or which crash) while under hostile attack will not pass

Page 34: Cyber Kill Chain vs. Cyber Criminals

Security Effectiveness

§ Security Effectiveness combines measured cost of ownership, security protection, performance, leakage, and stability
§ Security Value Map (SVM) shows security effectiveness and value (cost per protected Mbps) of tested product configurations
§ Customizable: the SVM can be customized to reflect individual weights of the different factors

Page 35: Cyber Kill Chain vs. Cyber Criminals

NSS Labs tested:

6 Network Firewalls, Q3/2012
15 Intrusion Prevention Systems, Q3/2012
13 End-point Antivirus Suites, Q4/2012
4 Browsers, Q3/2012
6 Next Generation Firewalls, Q4/2012

Page 36: Cyber Kill Chain vs. Cyber Criminals

Network Firewalls

§ Three of the six products tested crashed when subjected to our stability tests
  This lack of resilience is alarming and indicates the presence of a vulnerability that could be exploited
§ Performance claims in vendor datasheets are generally grossly overstated
  Performance based on RFC-2544 (UDP) does not reflect real world environments
§ Five of the six products failed the TCP Split Handshake test
  Allowing an attacker to reverse the flow and bypass security. Four vendors released a patch within a month

Page 37: Cyber Kill Chain vs. Cyber Criminals

Network Firewalls

§ Longstanding, tried, and field proven technology, such as firewalls, can still fail on basic networking attacks
§ Attacks never expire – security devices must maintain protection for the complete range of attacks
§ Independent tests are valuable to identify, and have vendors remediate, shortcomings

Page 38: Cyber Kill Chain vs. Cyber Criminals

Intrusion Prevention Systems IPS

[Chart: Undetected Exploits (of 1,486 tested) per product, axis 0 to 400. Products: IBM GX 7800, Juniper SRX 3600, Juniper IDP 8200, TippingPoint, PaloAlto PA 5020, SonicWall, McAfee M8000, McAfee M80000, FortiGate 3240C, Stonesoft 1302, CheckPoint 12600, Sourcefire 3D8260, Sourcefire 8120, Sourcefire 8250, Sourcefire Virtual. Mean: 74 exploits.]

§ Exploit block rate varies between 77% and 98%
§ Tuning of the IPS policy makes a difference, up to 50% less protection with default policy
§ Evasion detection has improved considerably, all but one vendor tested passed

Page 39: Cyber Kill Chain vs. Cyber Criminals

Intrusion Prevention Systems IPS

[Chart: Unique Exploits undetected by N Vendors IPS. X axis: Number of IPS vendors (1 to 10). Y axis: Number of Exploits (0 to 800). Bar values for N = 1 to 10: 714, 244, 89, 52, 29, 11, 3, 0, 0, 0. Annotation: Three exploits that are undetected by 7 of 10 vendors' IPSs.]

§ Correlation of undetected exploits between vendors' products
§ Only a small set of exploits is required to successfully bypass all IPS products
§ Only one combination of different IPS products blocked all exploits

Page 40: Cyber Kill Chain vs. Cyber Criminals

End-Point Antivirus

[Chart: Percent undetected exploits (of 144 exploits tested), axis 0% to 100%. Products: Total Defense, Panda, Norman, F-Secure, Microsoft, Avira, McAfee, Trend Micro, ESET, AVG, Norton, Avast, Kaspersky.]

§ AV products differ up to 58% in block performance
§ Many products failed to detect exploits over HTTPS that were detected over HTTP
§ Keeping AV up-to-date does not yield adequate protection, still many old exploits remain undetected

Page 41: Cyber Kill Chain vs. Cyber Criminals

Browser Block Performance

§ Browsers offer the largest attack surface in most enterprise networks
§ Browsers are the most common vector for malware installations
§ NSS Labs has continuously measured browsers' block performance since 2011

[Diagram: URL Feeds; Software Stacks; VM1, VM2, VM3, VM4]

Page 42: Cyber Kill Chain vs. Cyber Criminals

Browser Block Performance

Suspicious URL block performance

Page 43: Cyber Kill Chain vs. Cyber Criminals

Browser Block Performance

§ Internet Explorer maintained a malware block rate of 95%
§ Firefox and Safari's block rate was just under 6%
§ Chrome's block rate varied from 13% to 74%

[Chart: Percent blocked URLs, axis 0% to 100%. Internet Explorer 94%, Chrome 28%, Firefox 5%, Safari 5%.]

Page 44: Cyber Kill Chain vs. Cyber Criminals

Opportunity for Cybercriminals

$\text{Opportunity for Cybercriminals} = \#\text{exploits} \times \#\text{targets} \times \text{exploit availability}$

Page 45: Cyber Kill Chain vs. Cyber Criminals

Undetected Exploits

[Diagram: undetected exploits]

Exploits that bypass our defense layers (IPS, NGFW, Antivirus, ..)

Sadly enough, these exploits exist and are plentiful ..

Page 46: Cyber Kill Chain vs. Cyber Criminals

Exploits for prevalent programs

[Diagram: undetected exploits; prevalent & vulnerable programs]

Exploits that bypass our defense layers (IPS, NGFW, Antivirus, ..)

Exploits that hit popular programs with large market share

Exploits for popular programs are a dangerous beast ..

Page 47: Cyber Kill Chain vs. Cyber Criminals

Proven and readily available exploits

[Diagram: undetected exploits; prevalent & vulnerable programs; exploits available in crimeware kits]

Exploits that bypass our defense layers (IPS, NGFW, Antivirus, ..)

Exploits that hit popular programs with large market share

Exploits that are readily available in crimeware kits or penetration testing tools

Making them readily available to everyone with a criminal mind calls for disaster!

Page 48: Cyber Kill Chain vs. Cyber Criminals

Failure of the security industry

[Diagram: undetected exploits; prevalent & vulnerable programs; exploits available in crimeware kits]

Security products failing to detect these exploits are hardly acceptable

Page 49: Cyber Kill Chain vs. Cyber Criminals

Demonstration

Page 50: Cyber Kill Chain vs. Cyber Criminals

Undetected Exploits vs. Metasploit

Correlation of exploits not detected by IPS/NGFW with exploits available in Metasploit
Many publicly available and easy to use exploits bypass detection

[Graph legend: Undetected exploits available in Metasploit; Undetected exploits]

26% of 866 Metasploit exploits are not detected by at least one IPS/NGFW

Page 51: Cyber Kill Chain vs. Cyber Criminals

Correlation of undetected Exploits

Exploits available in crimeware kits are still undetected by IPS or NGFW engines.
43 of 117 exploits that could be attributed to crimeware kits bypassed detection of 9 of 23 detection engines

[Graph legend: Undetected exploits from crimeware kits; IPS/NGFW devices that missed exploits; Crimeware kits: Eleonore, Phoenix]

Page 52: Cyber Kill Chain vs. Cyber Criminals

Undetected Exploits vs. Attacked Vendor

Correlation of exploits not detected by IPS or NGFW with the software vendors of the programs targeted by these exploits
Most undetected exploits target Microsoft products – relevant exploits go undetected!

[Graph labels: Microsoft; Exploits against Microsoft products]

Page 53: Cyber Kill Chain vs. Cyber Criminals

Correlation of undetected Exploits

Many exploits are not detected by several IPS engines
714 of 1,486 exploits tested are not detected by at least one IPS engine, 40% or 286 by at least two IPS engines

[Graph legend: Undetected by one IPS; Undetected by multiple IPS; bubble size indicates number of IPS engines not detecting given exploit]

Page 54: Cyber Kill Chain vs. Cyber Criminals

Combined Failure Rate

[Diagram: Attacker, Layered Defense (Device A, Device B), Target. Failure Rate of Device A: $P_A = 10\%$. Failure Rate of Device B: $P_B = 10\%$. Combined Failure Rate: $P_{A \cap B}$.]

$P_{A \cap B} = P_A \cdot P_B = 1\%$ (?)

Page 55: Cyber Kill Chain vs. Cyber Criminals

Correlation Fallacy - Rethink your risk assessment

§ Failures are correlated, they are not independent events
§ The combined failure rate is typically considerably higher

$P_{A \cap B} \neq P_A \cdot P_B$

$P_{A \cap B} > P_A \cdot P_B$
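
The gap between the independence estimate and the measured combined failure rate, as an added example that is not part of the original slides: the device names and missed-exploit sets are constructed, chosen so that devices A and B each fail on 10% of exploits as on the Combined Failure Rate slide. The same per-exploit data also yields the "undetected by N vendors" histogram and the search for product combinations that block every exploit, both described on the IPS slides.

```python
from collections import Counter
from itertools import combinations

# Constructed sample data (not NSS Labs results): IDs of the exploits that each
# hypothetical device failed to block, out of TOTAL exploits tested.
TOTAL = 1000
MISSED = {
    "device_a": set(range(0, 100)),    # fails on 10% of exploits
    "device_b": set(range(40, 140)),   # fails on 10%, 60 of them shared with A
    "device_c": set(range(200, 250)),  # fails on 5%, none shared with A or B
}


def failure_rate(device):
    """Share of tested exploits that one device failed to block."""
    return len(MISSED[device]) / TOTAL


def independent_estimate(devices):
    """Combined failure rate if failures were independent: P_A * P_B * ..."""
    rate = 1.0
    for device in devices:
        rate *= failure_rate(device)
    return rate


def measured_combined(devices):
    """Measured combined failure rate: exploits missed by every device."""
    shared = set.intersection(*(MISSED[d] for d in devices))
    return len(shared) / TOTAL


def missed_by_n():
    """Map N -> number of exploits missed by exactly N devices."""
    per_exploit = Counter(e for missed in MISSED.values() for e in missed)
    return dict(sorted(Counter(per_exploit.values()).items()))


def stacks_blocking_all(size=2):
    """Device combinations for which no single exploit passes every layer."""
    return [combo for combo in combinations(sorted(MISSED), size)
            if not set.intersection(*(MISSED[d] for d in combo))]


if __name__ == "__main__":
    pair = ("device_a", "device_b")
    print(f"independence estimate: {independent_estimate(pair):.1%}")
    print(f"measured combined:     {measured_combined(pair):.1%}")
    print("missed by exactly N devices:", missed_by_n())
    print("pairs blocking everything:", stacks_blocking_all())
```

With real test results, replace MISSED with the per-device lists of unblocked exploit IDs from the same test run; the comparison only holds when every device was tested against the same exploit set.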

Page 56: Cyber Kill Chain vs. Cyber Criminals

Conclusion & Findings

§ Vendor claims on the effectiveness or performance of products are frequently overstated, or based on non-realistic assumptions
§ Several network firewall products tested crashed when subjected to our stability tests
§ Antivirus does not prevent a dedicated attacker from compromising a target
§ Several products failed detection of exploits when switching from HTTP to HTTPS

Page 57: Cyber Kill Chain vs. Cyber Criminals

Recommendations

§ There is no product or combination of products tested by NSS Labs that provides 100% protection
§ Assume that you are already compromised
§ Organizations should complement prevention with breach detection and SIEM to identify and act on successful security breaches in a timely manner
§ Access to independent information on security product effectiveness and performance is important

Page 58: Cyber Kill Chain vs. Cyber Criminals

Complexity

§ Technology alone cannot provide the highest protection
§ Competent and motivated security personnel are key to effective security – and to making the best use of the tools

Page 59: Cyber Kill Chain vs. Cyber Criminals

Thank you

[email protected] [email protected]

Trusted Advice. Measured.

Page 60: Cyber Kill Chain vs. Cyber Criminals

Resources

§ Network Firewall Group Test 2011
  https://www.nsslabs.com/reports/network-firewall-group-test-2011 or http://bit.ly/RzLX3a
§ IPS Comparative Analysis 2012
  https://www.nsslabs.com/reports/ips-comparative-analysis-2012 or http://bit.ly/SvHwQ
§ Consumer AV/EPP Comparative Analysis - Exploit Protection
  https://www.nsslabs.com/reports/consumer-avepp-comparative-analysis-exploit-protection or http://bit.ly/S5Mqs7
§ Is Your Browser Putting You At Risk?
  https://www.nsslabs.com/reports/your-browser-putting-you-risk-part-1-general-malware-blocking or http://bit.ly/SvGHur
§ Targeted Persistent Attack (TPA)
  https://www.nsslabs.com/reports/analysis-brief-targeted-persistent-attack-tpa-misunderstood-security-threat-every-enterprise or http://bit.ly/SvGO99