Transcript of Presentation Title Placeholder… · App services Access Credential theft Credential stuffing...
@dunsany
Principal Threat Researcher Evangelist
20+ years in InfoSec—CISSP, GLEG
President and founder of the Seattle chapter of InfraGard
27 years in IT
Specialist in Compliance/Audit, Web App Security, and Network Security
Author and Speaker
APPLICATIONS ARE: the business; the reason people use the Internet; the gateway to DATA; the target.
What do Apps mean to Public Sector Orgs?
App Security survey of 3,135 IT sec pros in the US, Canada, United Kingdom, Brazil, China, Germany, and India, across 14 industries
Apps Importance (Average vs. Public Sector):
  Web apps considered mission critical: 34% average, 32% public sector
  Web apps in use in an organization: 760 average, 680 public sector
  Web app environments/frameworks in use: 9.93 average, 9.32 public sector
Chart: share of organizations using each application category (values shown range from 7% to 80%): Project management, Developer tools, Financial apps, Social apps, Backup and storage, Office suites, Doc management and collaboration, Remote access, Communication apps.
F5 Ponemon Survey
What Happens When Apps Are Attacked?
Client: Man-in-the-browser, Session hijacking, Malware, Cross-site request forgery, Cross-site scripting
Access: Credential theft, Credential stuffing, Session hijacking, Brute force, Phishing, Dictionary attacks
TLS: Certificate spoofing, Protocol abuse, Session hijacking, Key disclosure, DDoS
DNS: DNS hijacking, DDoS, DNS spoofing, DNS cache poisoning, Man-in-the-middle
Network: DDoS, Eavesdropping, Protocol abuse, Man-in-the-middle
App services: Abuse of functionality, Man-in-the-middle, DDoS, Malware, API attacks, Injection, Cross-site scripting, Cross-site request forgery
Top 20 targeted ports:
Russian IPs targeting SIP; SSH port and/or Rockwell ICS targeting distributed across many IPs and countries
Port   Service
5060   SIP
445    SMB
2222   SSH & Rockwell ICS
443    HTTPS
3389   RDP
1433   SQL Server
22     SSH
80     HTTP
3306   MySQL
23     Telnet
5061   Secure SIP
54184
5900   VNC
8291   MikroTik
7547   TR069
5902   VNC-2
8080   HTTP
25     SMTP
139    NetBIOS
8545   JSON
Charts: 2018 Application Attacks and 2019 Application Attacks (injection targets; slide titles read "Injection → PHP" and "Injection → PHP & SQL").
Chart A shows source countries Estonia, Netherlands, US, France, Russia, China, Canada, South Korea, Ukraine and targeted components PHP, SQL, Exchweb, Comments, Cart, Betablock, Admin, Affiliates, Login, with percentages 58%, 56%, 6%, 4%, 3%, 2%, 2%, 1%, 1%.
Chart B shows targeted components PHP, SQL, Admin, Comments, ASP, Exchweb, Cart, Betablock, Affiliates, with percentages 81%, 8%, 3%, 2%, 1%, 0%, 0%, 0%, 0%.
• Web code injection and form jacking attacks like Magecart
• RCE vulnerabilities in ThinkPHP (CVE-2018-10225), Oracle WebLogic (CVE-2017-10271), and ElasticSearch (CVE-2014-3120)
• Jenkins CLI SignedObject deserialization (CVE-2017-1000353)
• Network Weathermap Cacti plug-in (CVE-2013-3739)
• Oracle WebLogic WLS Security Component (CVE-2017-10271)
Chart: breach causes by industry (shares shown: 36%, 23%, 23%, 9%, 9%): Web breaches (mostly injection), Accidents/Misconfig, Access-related (mostly phishing and email), Malware/Ransomware, Physical theft.
Attack
1. Mobile Apps
2. Direct APIs
Basic Security Fails
1. Authentication
2. Injection
3. Permissions
Timeline (2011–2019):
Sep 2011 – Westfield
Mar 2015 – Tinder
Feb 2017 – WordPress
Aug 2017 – Instagram
Nov 2017 – Nov 2018: US Postal Service
Jan 2018 – Tinder
Mar 2018 – Google
Mar 2018 – Binance
Apr 2018 – RSA Conference App
July 2018 – Venmo
Aug 2018 – SalesForce
Aug 2018 – T-Mobile
Sep 2018 – Apple MDM
Sep 2018 – British Airways
Sep 2018 – Facebook
Oct 2018 – Girl Scouts
Oct 2018 – Quoine
Oct 2018 – Github
Feb 2019 – RequestBin
Basic Security Control Failures
1. Exposed DB with weak/no auth
2. Weak Access Control
3. Configuration Error
Timeline (2011–2019) of exposed databases and services:
Dow Jones High Risk watchlist DB
China surveillance program DB
Kremlin DBs
Ascension DB
Oklahoma FBI files DB
Hadoop
Guardzilla records DB
Tesla AWS acct
Alteryx DB
Aggregate IQ DB
Verizon customer DB
Robotics manufacturer for cars DB
GoDaddy architecture
IPv6 ISP DB
Tea Party DB
Booz Allen and Pentagon DB
JC Penney
Stein Mart DB
Title Nine Sports DB
North American Power and Gas DB
Integrated Practice Solutions DB
Capital Digestive Care DB
RNC voter DB
Accenture’s Cloud Platform
Army Intelligence and Security Command DB
DOD Surveillance DB
Credit Repair Service DB
Viacom’s master controls
Dow Jones/WSJ/Barrons customer DB
WWE Fan DB
Uber Github account
Mexican voter DB
Microsoft Business Productivity Online Suite
Social Media
• Interests / interest groups
• Friends, family and relationship information
• Style of speaking
• Writing style
• Work history
• Education
• Comments on links
• Important life event dates
• Places visited
• Favorite sites, movies, TV shows, books, quotes
• Photographs
• Hacked “Private” account data
People Search Engines
• Facebook information
• Email address (which leads to possible usernames)
• Education, income / salary range
• Phone numbers
• Age / age range
• Race
• Home address
• Middle name, maiden name, spouse and family names
Company Research
• Who works there
• Tech infrastructure
• Types of endpoints (PC/Mac/OS)
• SEC filings
• Lawsuit filings
• Aggregator search tools for corporations
• Individuals & department names
• Business partners & affiliates
• IP space
• WHOIS info
• Email addresses and format
Misconfigurations
• Server names
• Private network addresses
• Email addresses
• Usernames
• DNS servers
• Self-signed certs
• Email headers
• Web servers
• Web cookies
• Web applications
Chart: APT’s / Nation-states That Phish (values shown: ?, 2.5 hrs, 4 hrs, 10-19 min) vs. For-profit cyber criminals (10 hrs)
Email sent from North Korean APT related to Bangladesh Bank heist.
Email sent from North Korean APT in Sony compromise.
Phishing emails are 3 times more likely to have a malicious link than a malicious attachment.
Encryption is an Attacker Disguise
93% of phishing domains use HTTPS to appear more legitimate
Majority of Malware Hides in Encryption
70% of all Internet traffic is encrypted
68% of malware phones home over port 443
Affected Devices
Chart: thingbots discovered 2008–2018, by year. Bots named (grouped as on the chart): SORA, OWARI, UPnPProxy, OMNI, RoamingMantis, Wicked, VPNFilter, DaddyL33t, Josho, Tokyo, Extendo, Hakai, Akiru / Saikin; Brickerbot, Gr1n; WireX, Reaper; Mirai, BigBrother, Radiation; Remaiten; Moon; Aidra; Hydra; Satori family, Amnesia, Persirai; Masuta, PureMasuta, Hide ‘N Seek, JenX, OMG, DoubleDoor, Katrina; Crash override; Gafgyt family; Darlloz, Marcher; Psyb0t; Hajime, Trickbot, IRC Telnet, Annie; Death, Okane, Anarchy, Torii, Yasaku, Thanos; Vermelho, Miori, IZIH9, APEP, SEFA, Yowai.
Affected device types: CCTV DVRs, WAPs, Set-Top Boxes, Media Center, Android, Wireless Chipsets, NVR Surveillance, Busybox Platforms, Smart TVs, VoIP Devices, Cable Modems, ICS, SOHO routers, iOS, IP Cameras.
84% discovered since Mirai
Common IoT Set Up
• Investigating airport incident in Europe + BASHLITE on a DVR digital signage solution (same timeframe as Dyn DNS DDoS attack).
• Service and host managed by 3rd party
• 39 active threat actors
• Numerous log entries show incoming attacks
• Mirai, shellshock, brute force
• Sierra Wireless device
Oct 2016: Cellular Gateway Discovered
Note: System owner sent drives to us for forensic analysis and authorized scanning of their network.
Sierra Wireless Cellular Gateways
WAN IP: 166.139.19.193
PUBLIC GPS COORDINATES: 40° 49’ 51.5” N, 47° 26’ 03.5” W
DEFAULT PASSWORD: *****
NO DEPENDENCY on any vulnerability within the hardware or software. Bruteforce attack(s) are unnecessary.
SierraWireless.com Case Studies
St John Ambulance, Western Australia
California Highway Patrol, California
Ventura County Fire Department, California
South Bay Regional Public Communications Authority (SBRPCA), California
West Metro Fire Protection District, Colorado
Westminster Police Department, Colorado
Danish National Police, Denmark
Acadian Ambulance Service, Louisiana & Texas
East Baton Rouge Parish Emergency Medical Services (EMS), Louisiana
Mississippi Highway Safety Patrol
Gem Ambulance, New Jersey
City of Charlotte, North Carolina
Dickinson Police Department (DPD), Texas
Fairfax's Urban Search and Rescue Team, Virginia
South Wales Police, Wales
City of Yakima, Washington
Seattle Fire Department, Washington
GPS Data Logging (TAIP) – TRACCAR – Open Source Fleet Software – Fleet / Vehicle Tracking
DISCLOSED 10/16/2018
Device                     Weakness
Sierra Wireless LS300      Weak authentication
Sierra Wireless GX450      Weak authentication
Sierra Wireless ES440      Weak authentication
Moxa OnCell G3xxx          No authentication
Digi TransPort WR44        Weak authentication
CradlePoint                Hard-coded tech support back door
RFC2324: Hyper Text Coffee Pot Control Protocol
{ "_id" : { "protocol" : "http", "timestamp" : { "$date" : "2018-07-19T20:31:04.000-0700" }, "source_ip" : "185.112.249.24", "session_http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent", "Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source_port" : 56946, "destination_port" : 80, }
{ "_id" : { "protocol" : "http", "timestamp" : { "$date" : "2018-07-23T12:16:41.000-0700" }, "source_ip" : "185.112.249.24", "session_http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent", "Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source_port" : 49180, "destination_port" : 80, }
{ "_id" : { "protocol" : "http", "timestamp" : { "$date" : "2018-07-25T10:04:52.000-0700" }, "source_ip" : "185.112.249.24", "session_http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent", "Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source_port" : 40755, "destination_port" : 80, }
{ "_id" : { "protocol" : "http", "timestamp" : { "$date" : "2018-07-25T10:14:46.000-0700" }, "source_ip" : "185.112.249.24", "session_http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent", "Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source_port" : 40755, "destination_port" : 80, }
{ "_id" : {"protocol" : "http", "timestamp" : { "$date" : "2018-07-28T06:29:53.000-0700" }, "source_ip" : "185.112.249.28", "session_http" : { "request" : { "body" : "", "header" : [ [ "accept", "*/*" ], [ "user-agent", "Keurig K575 Coffee Maker" ] ], "verb" : "GET", "path" : "/" } }, "source_port" : 50225, "destination_port" : 80, }
Various dynamic / private source ports 49152 - 65535
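As an added defender-side example (not part of the deck), the parser below reads records in the shape of the honeypot lines above, tolerating the trailing comma and unclosed outer brace the extracted records carry, groups hits by source IP and user-agent, and classifies each client source port against both the IANA dynamic range (49152–65535) the slide cites and the Linux default ephemeral range (32768–60999), which is where port 40755 falls. The sample records are constructed to mirror the slide's; `repeated_probes` is a hypothetical helper name.

```python
import json
import re
from collections import defaultdict
# Constructed sample records (not from the deck) in the exact shape of the slide's
# honeypot output, including its damage: trailing comma and missing outer brace.
TEMPLATE = ('{{ "_id" : {{ "protocol" : "http", "timestamp" : {{ "$date" : "{ts}" }}, '
            '"source_ip" : "{ip}", "session_http" : {{ "request" : {{ "body" : "", '
            '"header" : [ [ "accept", "*/*" ], [ "user-agent", "{ua}" ] ], "verb" : "GET", '
            '"path" : "/" }} }}, "source_port" : {port}, "destination_port" : 80, }}')
UA = "Keurig K575 Coffee Maker"
SAMPLE_LINES = [
    TEMPLATE.format(ts="2018-07-19T20:31:04.000-0700", ip="185.112.249.24", ua=UA, port=56946),
    TEMPLATE.format(ts="2018-07-25T10:04:52.000-0700", ip="185.112.249.24", ua=UA, port=40755),
    TEMPLATE.format(ts="2018-07-25T10:14:46.000-0700", ip="185.112.249.24", ua=UA, port=40755),
    TEMPLATE.format(ts="2018-07-28T06:29:53.000-0700", ip="185.112.249.28", ua=UA, port=50225),
]
IANA_DYNAMIC = (49152, 65535)     # RFC 6335 dynamic/private range, as cited on the slide
LINUX_EPHEMERAL = (32768, 60999)  # Linux default net.ipv4.ip_local_port_range

def repair_record(line):
    """Parse one record, tolerating the trailing comma and the unclosed outer brace."""
    text = re.sub(r",\s*}", "}", line.strip())
    text += "}" * (text.count("{") - text.count("}"))
    return json.loads(text)["_id"]

def classify_port(port):
    """Name the range a client source port falls in ('other' = neither range)."""
    if IANA_DYNAMIC[0] <= port <= IANA_DYNAMIC[1]:
        return "iana-dynamic"
    if LINUX_EPHEMERAL[0] <= port <= LINUX_EPHEMERAL[1]:
        return "linux-ephemeral"
    return "other"

def probe_summary(lines):
    """Group hits by (source_ip, user-agent): hit count, distinct days, port ranges seen."""
    groups = defaultdict(lambda: {"hits": 0, "days": set(), "port_ranges": set()})
    for line in lines:
        rec = repair_record(line)
        headers = dict(rec["session_http"]["request"]["header"])  # header is a list of pairs
        g = groups[(rec["source_ip"], headers.get("user-agent", ""))]
        g["hits"] += 1
        g["days"].add(rec["timestamp"]["$date"][:10])
        g["port_ranges"].add(classify_port(rec["source_port"]))
    return groups

def repeated_probes(lines, min_hits=2):
    """Sources that keep returning under the same user-agent on more than one day."""
    return sorted(k for k, g in probe_summary(lines).items()
                  if g["hits"] >= min_hits and len(g["days"]) > 1)
```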
Thingbot Attack Type
Chart: the same thingbots listed under Affected Devices, 2008–2018, by attack type. Attack types shown: DNS Hijack, DDoS, PDoS, Proxy Servers, Unknown, Rent-a-bot, Install-a-bot, Multi-purpose Bot, Fraud trojan, ICS protocol monitoring, Tor Node, Sniffer, Credential Collector, Crypto-miner.
Shifting to multi-purpose
Public Sector vs. Average (F5 Ponemon Survey)
Chart (0–12 scale, Public Sector vs. Average): Leakage of Confidential Info, Leakage of PII, Tampering with App, DoS of App; values shown: 9.08, 6.57, 8.54, 7.19, 8.77, 4.05, 9.64, 5.07.
Chart of attack types (shares shown: 18%, 22%, 25%, 26%, 39%, 52%): Cross-site Request Forgery, Clickjack, SQL Injection, Cross-site Scripting, Web Fraud, DDoS, Credential Theft.
F5 Ponemon Survey
1 Understand Your Environment
CISO’S #1 MISSION: Prevent Downtime
EVERYONE’S #1 CHALLENGE: Visibility
Chart of roles (responses shown: 0%, 4%, 11%, 17%, 18%, 18%, 31%): Head of Quality Assurance, Compliance Officer, CISO or CSO, Head of Application Development, No One Person or Department, Business Units (LOB), CIO or CTO.
F5 Ponemon Survey
2 Reduce Your Attack Surface
Sub domains hosting other versions of the main application site
Dynamic web page generators
HTTP headers and cookies
Admin interfaces
Apps/files linked to the app
Web service methods
Helper apps on client (java, flash)
Server-side features such as search
Web pages and directories
Shells, Perl/PHP
Data entry forms
Administrative and monitoring stubs and tools
Events of the application—triggered server-side code
Backend connections through the server (injection)
APIs
Cookies/state tracking mechanisms
Data/active content pools—the data that populates and drives pages
Vuln released → Applicable? → Test → Apply & Retest
Continuous improvement
Firewall what you can’t fix
Chart: Average Days Between Vulnerability Releases, 2014–2018, two series (Critical, High); values shown: 1.7, 0.8, 0.5, 0.4, 0.5 and 1.4, 0.9, 0.6, 0.2, 0.3.
9-12 hours
3 Prioritize Defenses Based on Attacks
Focus OpEx & CapEx spend
Chart of controls (shares shown: 4%, 2%, 4%, 6%, 7%, 8%, 22%, 19%, 29%): Traditional Network Firewall, Next-Generation Firewall, Web Fraud Detection, Intrusion Prevention System (IPS), Anti-DDoS, Anti-Malware Software, Penetration Testing, Application Scanning, Web App Firewall (WAF).
F5 Ponemon Survey
Phishing success without training: 33%
Phishing success with training: 13%
Phishing targets shown: Sys Admins, Execs, Identities, Desktops, HR, Accounting, Laptops, Phones, Data, Apps, Money, IP
71% of phishing impersonates 10 organizations