BTI 7261: Threat Landscape · BTI 7261: Threat Landscape 10/21. Data and code The central goal for...
Transcript of BTI 7261: Threat Landscape · BTI 7261: Threat Landscape 10/21. Data and code The central goal for...
BTI 7261: Threat Landscape
Christian Grothoff
BFH
3.5.2019
Cyber attacks and actors
Software vulnerabilities
Example: Protocol vulnerability
Example: Architecture vulnerability
BTI 7261: Threat Landscape 1/21
Part I: Cyber Attacks and Actors
BTI 7261: Threat Landscape 2/21
Attacker origins
I InsiderI Ex-insider (“disgruntled former employee”)I CompetitorI HacktivistI CriminalI State actorI Researcher
BTI 7261: Threat Landscape 3/21
Attacker origins
I InsiderI Ex-insider (“disgruntled former employee”)I CompetitorI HacktivistI CriminalI State actorI Researcher
BTI 7261: Threat Landscape 3/21
Attacker objectives
I FameI Stealing information (business secrets, credentials)I Modifying information (e.g. bank transactions)I Abusing infected systems (e.g. spamming)I Attacking other systems (origin obfuscation)I Hiding (avoid detection, achieve long-term persistence)I Contact command and control (C2) for instructions
BTI 7261: Threat Landscape 4/21
Attacker objectives
I FameI Stealing information (business secrets, credentials)I Modifying information (e.g. bank transactions)I Abusing infected systems (e.g. spamming)I Attacking other systems (origin obfuscation)I Hiding (avoid detection, achieve long-term persistence)I Contact command and control (C2) for instructions
BTI 7261: Threat Landscape 4/21
Vulnerability origins
I Hardware (host, network)I Software (host, network)I HumansI Environment
BTI 7261: Threat Landscape 5/21
Vulnerability origins
I Hardware (host, network)I Software (host, network)I HumansI Environment
BTI 7261: Threat Landscape 5/21
Attack strategies
I Large scale attack: attack a large, untargeted population. Even if the successrate is low, the absolute number of infections and the resulting revenue can behigh. (“cyber crime”)
I Targeted attack: attack a few, selected users or their machines. Selecthigh-value target first, then learn about it as much as possible for a precisionstrike (“Advanced persistent threat”)
BTI 7261: Threat Landscape 6/21
Defense strategies
I Access control (physical, logical)I Deterrance (legal, counter-attacks, auditing, accounting)I RedundancyI ObfuscationI Comprehension (simplification, transparency, education)I Monkey wrench / havocI Defense-in-depth
BTI 7261: Threat Landscape 7/21
Defense strategies
I Access control (physical, logical)I Deterrance (legal, counter-attacks, auditing, accounting)I RedundancyI ObfuscationI Comprehension (simplification, transparency, education)I Monkey wrench / havocI Defense-in-depth
BTI 7261: Threat Landscape 7/21
Part II: Software vulnerabilities
BTI 7261: Threat Landscape 8/21
Technical vulnerabilities
There are many types of technical vulnerabilities in various parts of an IT system:I Misconfigured firewallsI Hardware bugsI Automatically executed software from CD/USB stick on old W32 systemsI etc.
The probabily most important class of technical vulnerabilities are software bugs.
BTI 7261: Threat Landscape 9/21
Typical bugs
Software is often used to display data obtained over the network:1. User downloads file (PDF, MP4, etc.)2. User selects software to open file3. Software parses file4. Bug ⇒ malicious code execution
Common bugs include problems in the parsing or rendering logic, or scriptingfunctionality supported by the document format in combination with aninterpreter that is insufficiently sandboxed.
BTI 7261: Threat Landscape 10/21
Data and code
The central goal for an attack is to turn data into code. Memory of a processcontains data and code! Thus:I Existing code may interpret the data (intentionally or unintentionally),
thereby allowing certain code sequences to be executed.I Existing code may be caused to jump to the data (once data page is set to
executable).I Execution may be passed to another program (shell, interpreter) that will
parse and run it.
BTI 7261: Threat Landscape 11/21
Example exploit: SQL injection
In a PHP script, hopefully far, far away:
SELECT (user, first_name, last_name)FROM studentsWHERE (user == ’$user’);
Input:
Robert’); DROP TABLE students;--
BTI 7261: Threat Landscape 12/21
XKCD
BTI 7261: Threat Landscape 13/21
Vulnerability timeline
BTI 7261: Threat Landscape 14/21
Capitalism
BTI 7261: Threat Landscape 15/21
Part III: Example: Protocol vulnerability
BTI 7261: Threat Landscape 16/21
Guiding questions “Making the Theoretical Possible”
I What is the root cause of the vulnerability exploited in the attack?I What does the attack achieve?I Summarize the attack (how does it work?, capture every step!)I Comment on the different “levels” of breaking a hash function (i.e. what is
achieved in the attack that goes beyond finding an arbitrary collision).
BTI 7261: Threat Landscape 17/21
MD5: Making the Theoretical Possible
25c3, 2008
BTI 7261: Threat Landscape 18/21
Part IV: Example: Architecture vulnerability
BTI 7261: Threat Landscape 19/21
Guiding questions “SSL and the Future of Authenticity”
I What is fundamentally wrong with the current CA model?I What is the idea of “trust agility”, and is it reasonable?I Understand the notion of “perspectives”. Evaluate strengths and weaknesses
of the perspective model.
BTI 7261: Threat Landscape 20/21
SSL and the Future of Authenticity
BlackHat 2011
BTI 7261: Threat Landscape 21/21