Risk Mitigation for SpamBot Infections
Copyright © 2016, CyberGreen   Dec 2016
Agenda
1. Introduction
2. About SpamBot Infections
3. Mitigation recommendations for spam and other botnet infections
4. Making the case for implementing mitigations and securing email services
Introduction
When cyber infrastructure is insecure there is a risk to the global Internet community. Securing all end-user computing devices is critical to business productivity, but often overlooked.
• Devices not properly secured are easily compromised, then controlled by third parties as part of a "botnet"
• When botnets send spam and viruses, it can represent a risk not just to the organization that owns those devices, but to the broader Internet community
About CyberGreen
• Global non-profit and collaborative organization focused on helping improve the health of the global Cyber Ecosystem
• Working to provide reliable metrics and mitigation best practice information to Cyber Security Incident Response Teams (CSIRTs), network operators, and policy makers
• Mission: help CSIRTs and others focus remediation efforts on the most important risks
  o Help understand where improvements can be made
  o How we can achieve a more sustainable, secure, and resilient cyber ecosystem
Copyright (c) 2016, CyberGreen
These materials are distributed under the following license: Permission to use, copy, modify, and/or distribute these materials for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE MATERIAL IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS MATERIAL INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS MATERIAL.
About Spambot Infections
What is a Botnet?
A botnet is a collection of computers which interact to accomplish some distributed activity on the Internet. Botnets are typically compromised devices that are under the control of an unauthorized and anonymous person, often called a botnet herder. Owners of compromised devices generally have no idea someone else controls their device.
Spam Botnet Infections
Spam botnets send spam and malware, delivering a malicious payload either through a file attached to spam messages or by embedding a link to an infected website. Criminals use both traditional email, instant messages (IMs) and text messages in their spam campaigns. A company with many compromised devices that are part of spam botnets has a "spambot infection".
The spambot cycle
Risks posed by spambots
A compromised machine in a botnet may have other malware installed, spread malware to other machines in your network or to other targets outside your network
• Adversaries get further inside your network
• Service degradation, interruption or failure
• User credentials or other sensitive data exposed
Botnets can affect Windows, Mac and Linux operating systems, as well as mobile devices
Spambots in Distributed Denial of Service (DDoS) attacks
In DDoS attacks, the attacker abuses tens of thousands of spambot devices to create large floods of traffic with the goal of exhausting the victim's bandwidth. DDoS attacks also abuse User Datagram Protocol (UDP) traffic, using protocols such as DNS that allow spoofing of sender IP addresses
• UDP responds to requests without validation of sender identity, i.e. IP address
• UDP traffic can be spoofed (i.e. have a misleading apparent source IP address): attacker can hide true identity
Real life botnet infection
A hospital [1] had a botnet infection so severe, activity from infected machines interrupted the hospital's computer network with impacts including:
• Doors to operating rooms would not open
• Pagers were interrupted
• Computers in the intensive care unit were shut down
[1] http://www.eweek.com/c/a/Security/DOJ-Indicts-Hacker-for-Hospital-Botnet-Attack (accessed 9/16)
Real spambot in DDoS attack
In 2009, [2] an Internet Service Provider was on the receiving end of a 25 Gb/s DDoS attack (DNS amplification and reflection), which peaked at 30 Gb/s in aggregate
• Over one million spam botnet infected devices were used in this attack, which totally flooded the victim's network and took them offline, thereby disrupting their business
[2] http://www.team-cymru.org/Open-Resolver-Challenge.html (accessed 9/16)
Potential impacts from spambot infections
Productivity
• Sending spam and viruses consumes processing power and bandwidth on infected hosts, causing poor performance
• In large infections, spam botnets can consume enough bandwidth that services are disrupted for legitimate users, a particular concern for:
  — Seasonal operations, e.g. online retailers where most sales happen between Thanksgiving and New Years
  — Time sensitive operations, e.g. healthcare, colleges with limited online registration periods or online wagering on sporting events, etc.
Other potential spambot infection impacts
Brand
• Loss of reputation with customers and partners
• Becoming known as a "spam magnet" in the global community
Technical
• Network services interrupted
• "Blacklist" and isolation of the infected network by network providers from the rest of the Internet as part of the Internet community's effort to stop email spamming
Mitigate risks from spambot infections
Mitigation options vary by environment
Not all mitigation best practices are appropriate for all environments. CyberGreen provides information relevant to four basic environmental profiles. Look for these icons to find mitigations for your environment:
[Four profile icons, numbered 1 to 4; the icon images and their labels are not captured in this transcript]
Find out if your network is already infected with botnets
Shadowserver will provide any network with daily reports on the botnet infections seen for a specific IPv4 or IPv6 address block: http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork
Note: Shadowserver scans will only hit IP space that is not firewalled and they do not claim 100% accuracy in their Command & Control downloads, so there may be false positives in Shadowserver IRC intelligence
Is your IP address part of a blacklist?
Identify your IPv4 or IPv6 address by visiting these websites:
• http://ipv4.whatismyv6.com/
• http://ipv6.whatismyv6.com/
Check those IPs at http://multirbl.valli.org/
• Or click on individual IP address links that appear on the site
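Sites like multirbl.valli.org do the lookup for you; what they do under the hood is a DNS query against each blocklist zone. The following is an added example, not part of the CyberGreen slides, showing how that query name is built for IPv4 and IPv6 addresses and how a listing is detected, so the check can be scripted for a whole address block. The zone name dnsbl.example and the sample addresses are placeholders; substitute the blocklist zone you actually consult.

```python
import ipaddress
import socket
from typing import Dict, Iterable, Optional

# Hypothetical blocklist zone used only to show the query shape (assumption);
# replace it with the zone of the DNSBL you consult.
EXAMPLE_ZONE = "dnsbl.example"


def dnsbl_query_name(address: str, zone: str = EXAMPLE_ZONE) -> str:
    """Build the DNS name that a blocklist lookup queries for one IP address.

    IPv4: the four octets are reversed, so 192.0.2.10 becomes 10.2.0.192.<zone>.
    IPv6: every hex nibble of the fully expanded address is reversed and
    dot-separated, the same layout ip6.arpa uses for reverse DNS.
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        labels = list(reversed(str(ip).split(".")))
    else:
        labels = list(reversed(ip.exploded.replace(":", "")))
    return ".".join(labels) + "." + zone


def dnsbl_lookup(address: str, zone: str = EXAMPLE_ZONE) -> Optional[str]:
    """Return the A record the blocklist answers with, or None when the address
    is not listed (the query yields NXDOMAIN). Blocklists encode the listing
    reason in the answer (typically a 127.0.0.x value); decode it with the
    zone's own documentation.
    """
    try:
        return socket.gethostbyname(dnsbl_query_name(address, zone))
    except socket.gaierror:
        return None


def report(addresses: Iterable[str], zone: str = EXAMPLE_ZONE) -> Dict[str, Optional[str]]:
    """Check each of your public addresses and map it to its listing answer."""
    return {addr: dnsbl_lookup(addr, zone) for addr in addresses}


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges; not really listed anywhere.
    for addr, answer in report(["192.0.2.10", "2001:db8::1"]).items():
        print(addr, "listed, answer " + answer if answer else "not listed")
```

Run it against the public addresses of your own network; any non-None answer is worth investigating before the slide's later cleanup steps, and a listing on a policy list such as the Spamhaus PBL (covered further on) tells you the range is flagged as residential rather than infected.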
Stay alert for new or increasing infections
A complete list of all techniques is beyond the scope of this document
• Shadowserver has a comprehensive list of tools and techniques to monitor your network and detect botnets
https://www.shadowserver.org/wiki/pmwiki.php/Information/BotnetDetection
Mitigation: Notify users and clean up infected machines on your network
All organizations, including ISPs, need to clean up infected hosts. Use "nuke and pave" to be sure the device is secure:
1. Reformat or reinstall the system from scratch using original media
2. Ensure that operating system patches are applied
3. Ensure adequate host protections (anti-virus and host firewall) are installed and configured with updated signatures/definitions
4. Restore user files and applications from clean backups or original media. Be sure to patch *all* installed applications
Do each step BEFORE connecting the host to the Internet. If you don't already have this software available locally on your network, you should connect to the Internet via a hardware-firewalled connection to download software and/or updates
ISPs: Communicate with customers
Communicate with customers about what you are doing and WHY, using these notification methods
• Email
• Phone calls
• In-browser notifications such as "walled gardens" (i.e. notify customer "your account is temporarily suspended due to…")
Actively educate customers about the threats, their responsibility as computer owners, and measures taken by the ISP to reduce risks
Mitigation: Practice basic computer hygiene
Practicing basic computer hygiene is essential to reducing the risk of all malware infections. It also enables you to recover quickly when a computer does become infected. Basic computer hygiene protects against many different types of malware used to create today's botnets
Computer hygiene: Backups
Regular, complete backups of all devices and data are essential. Multiple generations of backups should be retained:
• If the most recent backup is no good, a prior version exists
• Minimizes the amount of data that may be lost
Computer hygiene: Host-based firewall
Modern operating systems come with a basic host-based firewall that should be turned on BEFORE the computer is connected to the Internet, particularly if there is no separate firewall at the point of connection to the Internet. Stand-alone firewall applications from reputable firewall vendors:
• http://www.pcmag.com/article2/0,2817,2487059,00.asp
• http://www.techradar.com/news/software/applications/the-best-free-firewall-software-of-2015-stop-malware-before-it-gets-you-1284587
• http://www.techradar.com/news/software/applications/7-of-the-best-linux-firewalls-697177
Computer hygiene: Anti-virus
If you don't already have anti-virus (AV) software, or if you believe a computer is infected but your current AV does not detect a virus, find an AV here:
• http://www.pcmag.com/article2/0,2817,2388652,00.asp
• http://www.techradar.com/news/software/applications/best-free-antivirus-1321277
DO NOT run MORE THAN ONE anti-virus at a time. If you want to try running multiple products, download one, run it, uninstall it, download the next, run it, uninstall it, etc.
Computer hygiene: Images with secure configurations
Build Operating System images with secure configurations, i.e. with anti-virus and firewalls already installed
• Greatly reduces the time needed to completely rebuild a computer from a trusted source
• Often the only way to ensure all malware is eliminated on a device and that it is able to protect itself from re-infection
Computer hygiene: Protect mobile devices
Mobile devices may be infected and used as spambots, particularly if they connect to insecurely configured wireless networks (Wi-Fi). Mobile devices may also send SMS text messages through cellular networks to other mobile devices or Premium SMS numbers
• High volume usage may result in additional charges
• Premium SMS numbers always result in additional charges
Computer hygiene: Protect mobile devices (continued)
Mitigations for mobile are similar to PCs:
• Always keep the device operating system and installed applications up-to-date
• Don't download or install software from non-approved sources
• Be aware of flash scam messages with fake AV or other content that directs you to a fake store with fake AV or other malicious software
• Ask your cell provider to block all Premium SMS messages to the mobile device
Mitigation: Implement email authentication with SPF and DKIM
Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are email authentication protocols that make it harder for spammers and cybercriminals to spoof where an email comes from
Domains with email authentication are less attractive to phishers
• Less likely to be blacklisted by spam filters
• Ensures legitimate email from that domain is delivered
Mitigation: Implement email authentication with SPF
SPF allows domain owners to specify which mail servers are used to send email from that domain
• Provides a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators
SPF specifications, configuration and deployment information:
https://tools.ietf.org/html/rfc7208
http://www.openspf.org/Project_Overview
https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability
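To make the receiving-side check concrete, here is an added example (not from the CyberGreen slides or the SPF project) of the core of an RFC 7208 evaluation: a published SPF record is walked mechanism by mechanism and the connecting host's IP decides the result. The record for example.com and the IP addresses are constructed; the evaluator deliberately handles only ip4, ip6 and all, and reports "permerror" for mechanisms such as include, a or mx, which need DNS lookups.

```python
import ipaddress

# Constructed SPF record for the hypothetical domain example.com (assumption):
# only the 192.0.2.0/24 and 2001:db8:1::/48 ranges may send, everyone else soft-fails.
EXAMPLE_SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:1::/48 ~all"

# RFC 7208 qualifiers and the result each one produces when its mechanism matches.
RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return pass / fail / softfail / neutral / none / permerror for one record
    and the IP address of the connecting SMTP client.

    The first matching mechanism wins; "all" matches everything and normally
    ends the record. Mechanisms needing DNS (include, a, mx, exists, redirect=)
    are out of scope for this simplified evaluator and yield "permerror".
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier is "+" (pass)
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULT_BY_QUALIFIER[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            if network.version == ip.version and ip in network:
                return RESULT_BY_QUALIFIER[qualifier]
            continue
        return "permerror"  # mechanism that needs DNS: not handled here
    # No mechanism matched and no "all" present: RFC 7208 section 4.7 says neutral.
    return "neutral"


if __name__ == "__main__":
    for client in ("192.0.2.25", "2001:db8:1:5::9", "198.51.100.7"):
        print(client, "->", evaluate_spf(EXAMPLE_SPF_RECORD, client))
```

A spambot on a residential line sending with a forged example.com sender lands in the softfail (or, with "-all", fail) branch, which is exactly the signal the receiving mail exchanger and, later, DMARC act on.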
Mitigation: Implement email authentication with DKIM
DKIM allows messages to be transmitted in a way that can be verified through cryptographic authentication by the mailbox provider
• Email providers who validate DKIM signatures can use information about the signer to limit spam, spoofing, and phishing
• DKIM can ensure messages are not modified or tampered with in transit
DKIM specifications, configuration and deployment details:
https://tools.ietf.org/html/rfc6376
http://dkim.org/
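The tamper-detection property comes from two hashes in the DKIM-Signature header: bh= covers the canonicalized body, and b= is the RSA signature over selected headers including bh=. The following is an added example, not code from the CyberGreen slides or from dkim.org, implementing the RFC 6376 body canonicalization ("simple" and "relaxed"), the body hash, and the bh= comparison a verifier performs before checking the signature. The sample body, selector sel2016 and domain example.com are constructed; the b= value is a placeholder because no key is generated here.

```python
import base64
import hashlib
import re
from typing import Dict


def canonicalize_body(body: str, algorithm: str = "relaxed") -> str:
    """RFC 6376 section 3.4 body canonicalization.

    simple:  drop trailing empty lines; make sure the body ends with CRLF
             (an empty body becomes a single CRLF).
    relaxed: additionally strip trailing spaces/tabs on each line and collapse
             runs of spaces/tabs inside a line to one space; an empty body stays empty.
    """
    lines = body.split("\r\n")
    if algorithm == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    elif algorithm != "simple":
        raise ValueError("unknown body canonicalization: " + algorithm)
    while lines and lines[-1] == "":  # remove trailing empty lines
        lines.pop()
    if not lines:
        return "" if algorithm == "relaxed" else "\r\n"
    return "\r\n".join(lines) + "\r\n"


def body_hash(body: str, algorithm: str = "relaxed") -> str:
    """bh= value: base64(SHA-256(canonicalized body)) for a=rsa-sha256."""
    canonical = canonicalize_body(body, algorithm).encode("utf-8")
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode("ascii")


def parse_dkim_tags(header_value: str) -> Dict[str, str]:
    """Split a DKIM-Signature value into tag=value pairs; folding whitespace
    inside values (common in b= and bh=) is removed."""
    tags: Dict[str, str] = {}
    for part in header_value.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip().lower()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(header_value: str, body: str) -> bool:
    """Recompute bh= for the received body and compare with the signer's claim.
    A mismatch means the body changed after signing (or the wrong
    canonicalization was used); the b= signature check would then fail too."""
    tags = parse_dkim_tags(header_value)
    canon = tags.get("c", "simple/simple")
    # c=header/body; when only one algorithm is given the body uses "simple".
    body_algorithm = canon.split("/")[1] if "/" in canon else "simple"
    return tags.get("bh") == body_hash(body, body_algorithm)


# Constructed message body with the whitespace noise relaxed canonicalization removes.
SAMPLE_BODY = "Hi.\r\n\r\nWe lost the game.  Are you hungry yet?   \r\n\r\nJoe.\r\n\r\n\r\n"

# Constructed DKIM-Signature value (selector, domain and b= are placeholders).
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2016; "
    "h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY, "relaxed") + "; b=PLACEHOLDER"
)

if __name__ == "__main__":
    print("bh matches original body:", body_hash_matches(SAMPLE_HEADER, SAMPLE_BODY))
    print("bh matches altered body:", body_hash_matches(SAMPLE_HEADER, SAMPLE_BODY.replace("lost", "won")))
```

Relaxed canonicalization is what lets a signature survive the harmless reformatting some relays perform, while any change to the words still breaks bh=; the RSA verification of b= (not shown) then binds that hash to the signing domain's published key.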
Mitigation: Implement secure configuration of email services
The Messaging Anti-Abuse Working Group (MAAWG) recommendations to implement a secure configuration of email services focus on:
• Locking down access to SMTP port 25
• Requiring authentication for email as provided in Internet Engineering Task Force (IETF) RFC 2254
• Use email submission services on port 587 as described in IETF RFC
Recommendations available at: https://www.m3aawg.org/sites/default/files/document/MAAWG_Port25rec0511.pdf
Additional configurations for ISPs
Block email ports at the customer's modem, i.e. block outbound port 25 to prevent direct-to-MX spam. Block outbound port 25 from residential users to any mail server other than the ISP's; this forces spambots to use ISP-owned mail servers. Perform outbound spam filtering and bot detection on ISP mail servers - this can be particularly effective in conjunction with the prior blocking tactics
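The bot detection part of this slide can be driven from the flow records an ISP already collects: a legitimate residential customer relays through the ISP's own server, whereas a spambot delivers straight to many victims' MX hosts on port 25. The following is an added example (not from the CyberGreen slides) that scores residential sources on fan-out and volume of direct port-25 traffic. The flow lines, the residential range 198.51.100.0/24 and the relay address 203.0.113.25 are constructed for the example.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed flow summaries (not real traffic). Each line is:
# <timestamp> <src_ip> <dst_ip> <dst_port> <connections>
SAMPLE_FLOWS: List[str] = [
    # residential host relaying through the ISP's own submission server: fine
    "2016-12-01T10:00:01 198.51.100.40 203.0.113.25 25 50",
    # residential host with a couple of direct connections: below threshold
    "2016-12-01T10:00:02 198.51.100.41 203.0.113.9 25 2",
    # commercial host: not in the residential range, outside this check
    "2016-12-01T10:00:03 192.0.2.8 203.0.113.70 25 300",
    # web browsing from the suspect host: not port 25, ignored
    "2016-12-01T10:00:04 198.51.100.23 203.0.113.80 443 12",
] + [
    # suspect residential host fanning out to eight external MX hosts on port 25
    f"2016-12-01T10:01:{i:02d} 198.51.100.23 203.0.113.{10 + i} 25 3" for i in range(8)
]

# Hypothetical residential range and the ISP's own mail relay (assumptions),
# which customers are expected, or with the port-25 block forced, to use.
RESIDENTIAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]
ISP_RELAYS = {"203.0.113.25"}


def is_residential(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RESIDENTIAL_NETS)


def find_direct_to_mx_hosts(
    flows: Iterable[str],
    min_destinations: int = 5,
    min_connections: int = 20,
) -> Dict[str, Dict[str, int]]:
    """Flag residential sources whose port-25 traffic to non-ISP mail hosts
    exceeds both a fan-out threshold (distinct destinations) and a volume
    threshold (connections). Returns {src_ip: {"destinations": n, "connections": m}}."""
    destinations = defaultdict(set)
    connections = defaultdict(int)
    for line in flows:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records rather than crash the job
        _ts, src, dst, port, count = fields
        if port != "25" or dst in ISP_RELAYS or not is_residential(src):
            continue
        destinations[src].add(dst)
        connections[src] += int(count)
    return {
        src: {"destinations": len(dsts), "connections": connections[src]}
        for src, dsts in destinations.items()
        if len(dsts) >= min_destinations and connections[src] >= min_connections
    }


if __name__ == "__main__":
    for src, stats in find_direct_to_mx_hosts(SAMPLE_FLOWS).items():
        print(f"{src}: {stats['destinations']} external MX hosts, {stats['connections']} connections")
```

Flagged sources feed the customer notification and walled-garden steps described on the earlier slide; tune the two thresholds against your own baseline, since a small business on a residential plan may legitimately run its own mail server.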
Other mitigations for ISPs
If blocking ports isn't possible, ensure that recipients can distinguish residential IP addresses from commercial ones
• Assign reverse DNS to residential IPs that marks them as such, and publish the naming convention
• Proactively provide residential CIDR block lists to blocklist providers such as the Spamhaus Policy Block List (PBL) at https://www.spamhaus.org/pbl/
• Rate limit UDP fragments
Mitigation: Implement RFC 7489 DMARC
IETF RFC 7489, "Domain-based Message Authentication, Reporting, and Conformance (DMARC)"
DMARC is designed to help combat spam and phishing by enabling email senders and receivers to determine whether or not a given message is legitimately from the sender, and what to do if it isn't. It builds on the widely deployed DKIM and SPF validation systems: if a message satisfies the checks it is sent through to the recipient, otherwise it's quarantined or rejected
DMARC
DMARC is supported by all four major email providers: Google, Microsoft, Yahoo and AOL. It has also been implemented by services like Facebook, PayPal, Amazon and Twitter. More information about DMARC is available at:
• https://dmarc.org/
• https://dmarc.org/overview/
• https://dmarcguide.globalcyberalliance.org
• https://tools.ietf.org/html/rfc7489
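What DMARC adds on top of SPF and DKIM is identifier alignment: an SPF or DKIM pass only counts if the authenticated domain lines up with the domain in the visible From: header, and the record's p= tag says what to do otherwise. The following is an added example (not from the CyberGreen slides or dmarc.org) that parses a DMARC TXT record and applies the alignment rules of RFC 7489 to the results of the two checks. The record for example.com is constructed; the organizational-domain helper is a simplification (last two labels) where a real verifier consults the Public Suffix List, and the pct= and sp= tags and report generation are left out.

```python
from typing import Dict, Optional

# Constructed DMARC record published at _dmarc.example.com (assumption):
# strict DKIM alignment, relaxed SPF alignment, reject on failure.
EXAMPLE_DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record into tags and require the mandatory v= and p=."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: " + txt)
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified: the last two labels. Real verifiers use the Public Suffix
    List so that names like example.co.uk are handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ("s") alignment needs an exact match; relaxed ("r", the default)
    accepts any subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_disposition(
    record: str,
    from_domain: str,          # domain in the RFC5322.From header
    spf_result: str,           # result of the SPF check ("pass", "fail", ...)
    mail_from_domain: Optional[str],  # domain SPF authenticated (RFC5321.MailFrom)
    dkim_result: str,          # result of signature verification
    dkim_d_domain: Optional[str],     # d= of the verified DKIM signature
) -> str:
    """Return "pass" when at least one aligned check passed, otherwise the
    policy the domain owner requested: none, quarantine or reject."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and is_aligned(from_domain, mail_from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and is_aligned(from_domain, dkim_d_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]


if __name__ == "__main__":
    # A spambot forging the From: domain with no valid DKIM signature and an
    # SPF pass for its own, unrelated domain gets the published policy.
    print(dmarc_disposition(EXAMPLE_DMARC_RECORD, "example.com", "pass", "example.net", "fail", None))
```

The disposition is what the receiver enforces; the rua= address is where aggregate reports go, which is how a domain owner learns about compromised customer machines and forged mail long before users notice.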
Verify your fix
After implementing your mitigation measures, monitor your infrastructure to prevent re-occurrence by subscribing to free reports from Shadowserver: https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork
Additional resources about spambots
• Check your local CERT and your AV vendor announcements for identified malware infections
• https://www.shadowserver.org/wiki/pmwiki.php/Information/Botnets
• http://www.senki.org/sp-security/monitoring-network-malware-spam-botnet-infections/
• https://www.spamhaus.org/
Making the case for implementing mitigations for spam botnet infections
Making the case for mitigations
Help everyone understand the level of effort needed to improve cyber health in their community. Why should you implement the mitigations in your environment?
1. It is the right thing to do as a good Internet neighbor
2. Your organization may be next to be attacked
Let's join together and stop bad guys from winning!
Changing risk landscape
Increased need to demonstrate "due care"
• Obtaining cyber insurance
• Complying with risk frameworks to win business with local/national governments and large corporations
If we (you!) don't do a better job of securing our own infrastructure and reducing cyber risk, government regulation may force additional mandates and/or penalties
Anticipated organizational benefits
Increased productivity
• Fewer service interruptions and failures
Improved network performance
• Existing network more reliable and resilient, with greater capacity
Improved brand reputation
• Technical reliability and security a selling point to customers
More anticipated benefits
Decreased budget uncertainty
• Fewer unanticipated usage costs for IT
• Budget can be used as planned, e.g. upgrading technical capability/capacity, personnel, etc.
System admins may spend less time trying to deal with unexpected problems
• May improve their productivity and reduce unexpected overtime
Benefits for ISPs and Email Providers
• Identify the party responsible for submitted messages
• Reduced costs for abuse help desk, customer support, and network operations centers
• Improved deliverability for legitimate email messages, due to reduced risk of being blacklisted
New abilities:
• Enforce acceptable use policies, terms of service for email submission
• Monitor and limit transmission rates, per customer and/or in aggregate
• Offer premium tiers of service to customers with a business need to operate email servers with direct access to port 25
What do you need to implement these mitigations?
Commands and configuration details for the most important mitigations are publicly available
• No additional software must be purchased
• Implementing mitigations does not require any special knowledge, skills, or abilities
Note: All mitigations should be carefully reviewed in light of your specific business requirements and infrastructure environment before proceeding. All organizational change management processes, including testing, should be followed
How long will mitigations take?
Clean restore of a host may take an hour or two when secure OS images are readily available for automatic rebuild
• Does not include time to install or restore user applications and data, assuming data was backed up
Manual installation from media will take several hours per host. ISPs and large entities can automate administration of changes via configuration management systems with task execution (Salt, Ansible)
How long will it take?
Technical teams may need several days to weeks to plan and execute each individual component of the secure configuration for email services recommended by MAAWG or to implement DMARC
Bonus: with no real maintenance, the recurring cost is effectively zero!
Acknowledgement
CyberGreen would like to thank the experts who made the creation of this document possible:
Written by:
- Laurin Buchanan, Applied Visions, Inc. – Secure Decisions Division
Contributed and Reviewed by:
- Matt Carothers, Cox Communications
- Baiba Kaskina, CERT.LV
- Moto Kawasaki, JPCERT/CC
- Art Manion, CERT/CC
- Yoshinobu Matsuzaki, IIJ
- Joe St Sauver, Farsight Security
- David Watson, ShadowServer Foundation
Disclaimer: CyberGreen believes this guidance and the advice from our experts should be of benefit to anyone mitigating risk conditions, but it is not advice specific to any reader or network. Ultimately, each reader is responsible for implementing his or her own network remediation strategy and we assume no responsibility or liability therefore.
For more information about risk mitigation best practices please contact: [email protected]