“Aurora” Response Recommendations - Qualys...“Aurora” Response Recommendations February...
Transcript of “Aurora” Response Recommendations - Qualys...“Aurora” Response Recommendations February...
“Aurora”ResponseRecommendations
February17th,2010PreparedbyAlexStamos,Partner
Version1.0
Courtesyof
©2010iSECPartners,Inc. PublicandNon‐Confidential
BackgroundOnJanuary12th,2010Googlepubliclyrevealedthattheywerethevictimofa“highlysophisticatedandtargetedattackonourcorporateinfrastructureoriginatingfromChinathatresultedinthetheftofintellectualpropertyfromGoogle.”1Googlewasnottheonlycompanyaffectedbythisattack;atthetimeGooglenotifiedover30othercompaniesofinfectionbythismalware.Inthetimesincethen,furtherinvestigationshaveuncoveredthatoveronehundredcompaniesmayhavebeentargeted,althoughit’sdifficulttoascertainhowcloselyrelatedtheseattackersaretoGoogle’sassailants.iSECPartnershasbeeninvestigatingthisattackwithseveralvictims,andhasfoundanumberofcommonoversightsandvulnerabilitiesthatenabledtheseattackerstobesuccessful.TherehasbeenagreatdealofdiscussionaroundtheAurora2malwaresuiteduetothelargeamountofinformationreleasedbytheanti‐virusvendors3.WhilefindingandinvestigatinganinfectionbyAuroraisanimportantcomponentofrespondingtothisincident,webelieveitisimportanttotakeintoaccounttheoverallactionsofthepeoplebehindtheseattackswhenconsideringhowtorespond.Despitethediversityofvictimsintheseattacks,wehaveseenacommonpatternintheattacks,whichgenerallyproceedlikethis:
1. Theattackersociallyengineersavictim,ofteninanoverseasoffice,tovisitamaliciouswebsite.2. Thiswebsiteusesabrowservulnerabilitytoloadcustommalwareontheinitialvictim’smachine.3. Themalwarecallsouttoacontrolserver,likelyidentifiedbyadynamicDNSaddress.4. TheattackerescalateshisprivilegeonthecorporateWindowsnetwork,usingcachedorlocaladministrator
credentials.5. TheattackerattemptstoaccessanActiveDirectoryservertoobtainthepassworddatabase,whichcanbe
crackedonsiteoroffsite.6. TheattackerusescrackedcredentialstoobtainVPNaccess,orcreatesafakeuserintheVPNaccessserver.7. Atthispoint,theattackvariesbaseduponthevictim.Theattackermaystealadministratorcredentialstoaccess
productionsystems,obtainsourcecodefromasourcerepository,accessdatahostedatthevictim,orexploreIntranetsitesforvaluableintellectualproperty.
InthisdocumentweoutlineourrecommendationsfororganizationsthathavenotbeencontactedorfoundevidenceofanAurorainfection.Knownaffectedorganizationscancontactusforhelpputtingtogetheramoreaggressiveincidentresponseplan.
1http://googleblog.blogspot.com/2010/01/new‐approach‐to‐china.html2AKATrojan.Hydraq3http://www.symantec.com/connect/blogs/trojanhydraq‐incident
©2010iSECPartners,Inc. PublicandNon‐Confidential
TacticalRecommendationsThesearerecommendedstepsITandsecurityteamscantaketodetectthetypeofmaliciousactivityexemplifiedbytheAuroraincident.
1. LogandinspectDNStraffic.ThemosteffectivesurveillancemechanismfortrackingtheautomatedandmanualattackshasbeenmonitoringofinternalDNSqueries.DNSisacommoncontrolchannelformalware,andtheseattackershaveshownanaffinityforusingdynamicDNSproviderstoprovidecontrolinformationinDNSresponsesallowingtheattackerstoquicklymovecommandandcontrolserversaheadofinvestigators.Inresponsetothisincidentwearerecommendingthatpotentialvictims:
a. EnableloggingontheirlocalDNSrespondersandcentrallyaggregatetherequestandresponsebodies
b. MonitorandauditallrequestsfordynamicDNSnames
c. InvestigatedevicesmakingsuspiciousorrepeatedqueriestodynamicDNSnames
2. Establishinternalnetworksurveillancecapability.Withouttheabilitytoinspectandcaptureinternalnetworktrafficitisextremelydifficulttotracethistypeofattack.Thequickestsolutionthatcouldprovidethiscapabilitywouldbethedeploymentofsoftware‐basedIntrusionDetectionSystem(IDS)sensorsinsidethecorporatefirewalls,possiblyusingafreeplatformsuchasSnort.Inthelongrunthiscapabilitycouldbereplacedbyacommercialproductormanagedservice,althoughsomeofourclientshavehaddifficultyeffectingrulechangesintheirmanagedIDSsensorsquickenoughtobeeffective.
3. Controlinboundandoutboundnetworktraffic.TheinitialrouteofinfectionforalloftheknownattackshasbeenthroughexploitingflawsinInternetExplorerorAdobeAcrobatusingcontenthostedonexternalservers.Althoughtheseexploitswere“0‐days”andundetectablebyrulesetbasedmalwarescanners,victimswithextensivecontrolsaroundInternetaccessbyworkstations,laptopsandservershavebeenabletorespondmorequicklytotheseattacks,controloutboundcontrolchannelsanduselogdatatotrackdowninfectedhosts.Westronglyrecommendthatallcompaniespreparingforthislevelofadversarydeploycontent‐scanningwebproxieswithextensive,long‐livedloggingofrequests.DNSresolutionshouldhappenontheseproxies,andadvancedclientsshouldutilizeSSLinterceptioncapabilitybydeployingacorporateCA.
4. Expandlogaggregation.Thecompanieswiththemosteffectiveresponsetotheseattackshaveutilizedtheircentrallogaggregationmechanismstotracktheactionsoftheseattackers.Thestorageoflogdatainmultiplesystemscanseriouslyhamperinvestigationeffortsandwearestronglyrecommendingthatclientscreateacentralloggingcapabilitydedicatedtosecuritymonitoringandincidentresponse.Werecommendthatthesecuritylogaggregationsystemcontainatleasttheselogs:
a. SecurityandSystemeventlogsfromWindowsmemberservers.
b. Security,System,andApplicationeventlogsfromDomainControllers.
c. LoginandSSHlogsfromUNIXservers.
d. DNSrequestandresponserecordsfromalllocalresolvers.
e. AlertsfrominternalIDSsensors.
f. Requestlogsfromwebproxydevices.
g. WebaccesslogsfromIntranetsitesandapplications.
©2010iSECPartners,Inc. PublicandNon‐Confidential
5. ExpandWindowsendpointcontrol.NetworkswithlooselymanagedWindowsdesktopsandlaptopsareespeciallyvulnerabletoattacksagainstendusers.Werecommendthatsecuritysensitiveorganizations:
a. Disabletheuseoflocaladministratoraccessforday‐to‐dayactivities.Inmostorganizationslocaladministratoraccessshouldbeeliminatedforalmostallemployeesontheircorporate‐managedsystems.
b. Utilizeapatchsolutionthatcanupdatenon‐Microsoftproducts.ManagingthepatchlevelsofpopularproductssuchasAdobeFlash,Reader,MozillaFirefoxandSunJavaiskeytopreventingcommonexploitsfromworkingonyourusers.
c. Considerapplicationwhitelistingtechnologies.
6. AuditVPNaccessandenrollment.Wehavefoundevidencethattheseattackersprefertoestablishremoteaccessvia“legitimate”VPNportalsinsteadofalwaysrelyingonthecontrolchannelsfortheircustommalware.ItisadvisabletobeginauditingyourVPNaccessserversforunexpectedusersandtoconsiderprotectionsthatpreventattackersfromeasilyissuingthemselvesVPNaccessoncetheycompromiseasmallnumberofuseraccounts.
7. Testmalwarescanningagainstknownrootkits.Ourinvestigationshaveshownthattheattackersarewillingtousevariantsofstandardrootkitsintheirattacksalongsidetheircustomcode,suchasTLD3.Werecommendthatorganizationstesttheeffectivenessoftheirmalwarecontrolmechanismsbyintentionallyinfectingamanagedsystemwithcommonrootkitsandrunninga“fullscan”.
©2010iSECPartners,Inc. PublicandNon‐Confidential
StrategicRecommendationsThesearelongertermrecommendationstohelpprepareforthistypeofadvanced,targetedthreat.Thislistisinnowayexhaustive,butrepresentsseveralissuesthatwecommonlyseeinclientnetworks.
1. Buildasecurityoperationsteam.Manyofoursuggestionswillresultinthecreationofmuchlargerdatasetsofuseforquicklyfindingandrespondingtoattackersinsideofacompany’sperimeter.Unfortunately,thisdataisuselessifthereisnostafftomonitororrespondtoanomalies.Apropersecurityoperationsteamisrelatedtobutstandsapartfromsecurityarchitectureandauditfunctions.Itisimportantthatsecurityoperationsemployeesaregrantedaccesstoproductionsystemsandloggingfacilitiesandareabletoquicklyretrievedatafrommonitoringsystems.
2. Secureyouroverseasoffices.Manyofthecompaniesinvolvedhavefoundthatalargeportionoftheirinfectedworkstationsoriginatedinanoverseasoffice.Thepreferredrouteofattackseemstobeviasocialnetworksandchatchannels,whichareeffectiveinsociallyengineeringtheseemployeesintoclickingonamaliciouslinkoropeninganinfectedfile.ItisimportantforcentralITsecurityteamstoevaluatewhatITfunctionsareabsolutelyrequiredforthefunctioningoftheirremoteofficesandtorestrictinternalnetworkaccesstothoseresources.Morerestrictivecompaniesshouldconsiderwhichsocialnetworksandchatmechanismsshouldbeprovidedforuseoncorporatesystems.
3. Classifyandcatalogsensitivedata.Victimsofthesetypesofattackswhodonotunderstandthedispositionoftheircriticaldataandsystemsstartatadisadvantage.Havingthislistinhandatthestartofanincidentresponsecanguidetheresponderstothesystemsofgreatestimporttothevictimandattacker.
4. SecureyourActiveDirectorynetwork.AthemeofmanyoftheseintrusionshasbeenaconcertedeffortbytheattackerstoutilizethecorporateActiveDirectoryforesttogainprivilegeacrossthenetwork.Theattackersarequitepatient,andhaveutilizedsoftwarethatwaitsinthebackgroundforauseofaNTLMcredentialbyadomainadminforoneofseveralservicesonthemachine(RDP,SMB,DCOM)thatthencapturestheNTLMhashforcracking.Oncetheyhavethishash,theattackerisabletopulltheentireActiveDirectorydatabaseforofflinepre‐computeddictionarycracking.ThereareseveralstepstosecuringyourADforestfromtheseattackers:
a. MakeDomainAdministratoraccountloginssmartcard‐only.Thisconfigurationgreatlyreducestheriskoftheftandmisuseofadministratorcredentials.Ifbackuploginswithpasswordsarerequired,theyshouldbedistinctaccountslimitedtoconsoleloginonly.
b. Donotusesharedlocalaccounts.Theuseoflocal(non‐Domain)accountswithasharedpasswordisacommontechniqueincorporateITenvironments,especiallywhenmachinesareimagedfromacommoncorporatebuild.UnfortunatelysharedaccountscaneasilybecrackedbyofflinecomputingresourcesortheNTLMhashusedasapasswordequivalent.
c. BewareofusingDomainAdminaccountsinautomatedprocesses.ManyITdepartmentsusesystemmanagementandsecuritydevicesthatregularlylogintoWindowsclientsandserverstocheckforpatchlevels,configurationcomplianceortoperformlogaggregation.Whethertheseloginsareperformedbydedicateddevicesorsoftwareinstalledonadomainmemberserver,itisoftenpossibleforanattackertodowngradetheauthenticationhandshaketoNTLMandperformabrute‐forceattacktoretrievethedomainadminpassword.Theseprocessesshouldbeconfiguredtousenon‐Administratorusers
©2010iSECPartners,Inc. PublicandNon‐Confidential
wheneverpossible.ConsiderupgradingsuchsystemstoWindows7orWindowsServer2008R2andusingGPOtoauditorrestrictNTLMtraffictoremoteservers.
d. SetGPOtoreduceauthenticationattackdanger.ThereareseveralActiveDirectorygrouppolicysettingsthatcanincreasethedifficultyofattackinglocalanddomaincredentials.Althoughthedetailsofthesesettingsgobeyondthescopeofthisdocument,thereareseveralexcellentpublicresourcesforWindowshardening4.ImportantsettingstohardenincludetheNoLMHash5,LDAPSigning,DCOMPacketSecurityandLANManagerAuthenticationLevel6policies.
e. AuditDomainusersforunusualpermissions.Attackerswhogainescalatedprivilegesonadomainoftencreateuseraccountsandjointhemtounusualgroups,suchasBackupAdmins,ordirectlygrantthemselvesprivilegesunnecessaryfornormaluse.ThereareseveralcommercialtoolsforauditinganActiveDirectoryforpermissionissues,whichcanbeusefulinfindingoutlieraccounts.
f. Deployread‐onlydomaincontrollersinoverseasoffices.ActiveDirectoryforestswiththeWindows2008functionallevelhavetheoptionofdeployingread‐onlyActiveDirectoryservers.ThisisacriticalsecurityenhancementtoWindowsnetworksthatisappropriateforuseinsemi‐trustedphysicalenvironments.Itshouldbenoted,however,thatpassworddatabasecrackingtechniquesarealsoavailableagainstread‐onlydomaincontrollers.
g. ConsideranexternalForestwithatwo‐waytrustforremoteoffices.AdministrativesecurityboundariesinADareenforcedattheForest,nottheDomainlevel.CreatingdistinctADForestswithtwo‐waytrustsandSIDFilterQuarantine7enabled(thedefault)allowsseamlessKerberosauthenticationbetweenallsystemswhilepreventingelevationofprivilegeattacksthatarepossiblebetweensystemsinthesameForest.Alternatively,ActiveDirectoryFederationServicescanbeusedtoenableuser‐transparent,cross‐Forestresourceaccesswithevenmorelimitedinterconnectivityandtrust.
4http://www.nsa.gov/ia/guidance/security_configuration_guides/current_guides.shtml5http://support.microsoft.com/kb/2996566http://technet.microsoft.com/en‐us/library/dd560653(WS.10).aspx7http://technet.microsoft.com/en‐us/library/cc772633(WS.10).aspx
©2010iSECPartners,Inc. PublicandNon‐Confidential
LessonsLearned
Althoughnoneoftheattacksortechniqueusedinthisseriesofattacksareparticularlynovel,theskillset,patienceandtenacityoftheattackersismuchgreaterthanmostenterprisesareequippedtodealwith.Herearesomegenerallessonsthatwecantakefromtheseattacks:
• Attackersareignoringthefrontdoor.Despitethefocusofthesecurityindustryandenterprisesecurityteamsonproductionnetworksandapplications,attackershavelearnedthat“backdoor”attacksagainstendusersaremuchmoreeffectiveatgainingaccesstomajorcorporations.Itisgenerallymuchhardertosecureinternalcorporatethanproductionnetworks,andinternalandexternalsecurityteamswillneedtorefocusondesigningtrustworthycorporateITenvironments.
• CurrentAnti‐Virussolutionsarenotworking.Allofthevictimswehaveworkedwithhadalreadydeployedenterprise‐wideanti‐virussolutions,noneofwhichpreventedtheinitialattacksortheescalationofprivilegewithinthenetwork.Anti‐virustestsaremostlyrule‐based,andthemajorityofheuristicdetectionmechanismscanbeeasilybypassedifanattackeriscustomizinghismalwareforthatproduct.EnterpriseITdepartmentsshouldnotrelyonthepromisesoftheirvendorsorthirdparties,andshouldverifytheeffectivenessoftheirAVsolutionbytestingitagainstknownadvancedmalwareandrootkits.
• Patchingsometimesisnotenough.Thevulnerabilitiesexploitedduringthisattackwere0‐days,meaningnopatchormitigationdirectionswereavailabletocorrecttheseflaws.Promptandverifiablepatchingisstillakeycomponentofanyinformationsecurityplan,butITgroupsshouldkeepinmindthatadvancedattackerswilloftenbeabletofindnewflawsincomplicatedend‐userproductslikewebbrowsers,officesuitesanddocumentreaders.
• Youmightbeplayinginthebigleagues.Themostinterestingaspectofthisincidentisthatanumberofsmalltomediumsizedcompaniesnowjointheranksofmajordefensecontractors,utilitiesandmajorsoftwarevendorsaspotentialvictimsofextremelyadvancedattackers.Thisisconcerningformanyreasons,nottheleastofwhichisthatevenmostFortune‐500companieswillnotbeabletoassemblesecurityteamswiththediversityofskillsnecessarytorespondtothistypeofincident.ItisextremelyunlikelythatSMBswillbeabletoproperlyprepareforthesethreatsalone,openingthedoorformoreeffectiveproductandmanagedservicesolutionsthanwhatiscurrentlyavailable.
VersionHistory0.9–InitialDraft(Feb9,2010)0.91–Addedlessonslearned(Feb12,2010)0.92–AddedadditionalWinhardeningtips(Feb15,2010)
©2010iSECPartners,Inc. PublicandNon‐Confidential
1.0–Smallfixes,firstpublicrelease(Feb17,2010)