Risk Mitigation for SpamBotInfections Bot Infectio… · Mitigation: Practice basic computer...

Risk Mitigation for SpamBot Infections

Copyright©2016,CyberGreen Dec2016

Agenda

1. Introduction2. AboutSpamBot Infections3. Mitigationrecommendationsforspamandother

botnetinfections4. Makingthecaseforimplementingmitigationsand

securingemailservices

2 Copyright©2016,CyberGreen Dec2016

Introduction

WhencyberinfrastructureisinsecurethereisarisktotheglobalInternetcommunitySecuringallend-usercomputingdevicesiscriticaltobusinessproductivity,butoftenoverlooked• Devicesnotproperlysecuredareeasilycompromised,

thencontrolledbythirdpartiesaspartofa“botnet”• Whenbotnetssendspamandviruses,itcan

representarisknotjusttotheorganizationthatownsthosedevices,buttothebroaderInternetcommunity


About CyberGreen

• Globalnon-profitandcollaborativeorganizationfocusedonhelpingimprovethehealthofglobalCyberEcosystem

• WorkingtoprovidereliablemetricsandmitigationbestpracticeinformationtoCyberSecurityIncidentResponseTeams(CSIRTs),networkoperators,andpolicymakers

• Mission:helpCSIRTsandothersfocusremediationeffortsonthemostimportantriskso Helpunderstandwhereimprovementscanbemadeo Howwecanachieveamoresustainable,secure,and

resilientcyberecosystem


Copyright (c) 2016, CyberGreen

Thesematerialsaredistributedunderthefollowinglicense:Permissiontouse,copy,modify,and/ordistributethesematerialsforanypurposewithorwithoutfeeisherebygranted,providedthattheabovecopyrightnoticeandthispermissionnoticeappearinallcopies.THEMATERIALISPROVIDED"ASIS"ANDTHEAUTHORDISCLAIMSALLWARRANTIESWITHREGARDTOTHISMATERIALINCLUDINGALLIMPLIEDWARRANTIESOFMERCHANTABILITYANDFITNESS.INNOEVENTSHALLTHEAUTHORBELIABLEFORANYSPECIAL,DIRECT,INDIRECT,ORCONSEQUENTIALDAMAGESORANYDAMAGESWHATSOEVERRESULTINGFROMLOSSOFUSE,DATAORPROFITS,WHETHERINANACTIONOFCONTRACT,NEGLIGENCEOROTHERTORTIOUSACTION,ARISINGOUTOFORINCONNECTIONWITHTHEUSEORPERFORMANCEOFTHISMATERIAL.


About Spambot Infections


What is a Botnet?

AbotnetisacollectionofcomputerswhichinteracttoaccomplishsomedistributedactivityontheInternetBotnetsaretypicallycompromiseddevicesthatareunderthecontrolofanunauthorizedandanonymousperson,oftencalledabotnetherderOwnersofcompromiseddevicesgenerallyhavenoideasomeoneelsecontrolstheirdevice


Spambotnetssendspamandmalware,deliveringamaliciouspayloadeitherthroughafileattachedtospammessagesorbyembeddingalinktoaninfectedwebsiteCriminalsusebothtraditionalemail,instantmessages(IMS)andtextmessagesintheirspamcampaignsAcompanywithmanycompromiseddevicesthatarepartofspambotnetshasa“spambot infection”

Spam Botnet Infections


The spambot cycle


Risks posed by spambots

Acompromisedmachineinabotnetmayhaveothermalwareinstalled,spreadmalwaretoothermachinesinyournetworkortoothertargetsoutsideyournetwork• Adversariesgetfurtherinsideyour

network• Servicedegradation,interruption

orfailure• Usercredentialsorothersensitive

dataexposedBotnetscanaffectWindows,MacandLinuxoperatingsystems,aswellasmobiledevices10 Copyright©2016,CyberGreen Dec2016

Spambots in Distributed Denial of Service (DDoS) attacks

InDDoSattacks,theattackerabusestensofthousandsofspambot devicestocreatelargefloodsoftrafficwiththegoalofexhaustingthevictim'sbandwidthDDoSattacksalsoabusetheUserDatagramProtocol(UDP)traffic,usingprotocolssuchasDNSallowspoofingofsenderIPaddresses• UDPrespondstorequests

withoutvalidationofsenderidentity,i.e.IPaddress

• UDPtrafficcanbespoofed(i.e.haveamisleadingapparentsourceIPaddress):attackercanhidetrueidentity



Real life botnet infection

Ahospital[1] hadabotnetinfectionsosevere,activityfrominfectedmachinesinterruptedthehospitalscomputernetworkwithimpactsincluding:• Doorstooperatingroomswouldnotopen• Pagerswereinterrupted• Computersintheintensive

careunitwereshutdown

[1]http://www.eweek.com/c/a/Security/DOJ-Indicts-Hacker-for-Hospital-Botnet-Attack(accessed9/16)

Real spambot in DDoS attack

In2009,[2] anInternetServiceProviderwasonthereceivingendofa25Gb/sDDoSattack(DNSamplificationandreflection),whichpeakedat30Gb/sinaggregate• Overonemillionspambotnetinfecteddevices

wereusedinthisattack,whichtotallyfloodedthevictim’snetworkandtookthemoffline,therebydisruptingtheirbusiness

[2]http://www.team-cymru.org/Open-Resolver-Challenge.html (accessed9/16)



Potential impacts from spambotinfections

Productivity• Sendingspamandvirusesconsumesprocessingpowerand

bandwidthoninfectedhosts,causingpoorperformance• Inlargeinfections,spambotnetscanconsumeenough

bandwidththatservicesaredisruptedforlegitimateusers,aparticularconcernfor:

— Seasonaloperations,e.g.onlineretailerswheremostsaleshappenbetweenThanksgivingandNewYears

— Timesensitiveoperations,e.g.healthcare,collegeswithlimitedonlineregistrationperiodsoronlinewageringonsportingevents,etc.

Other potential spambot infection impacts

Brand• Lossofreputationwithcustomersandpartners• Becomingknownasa“spammagnet”inglobalcommunityTechnical• Networkservicesinterrupted• “Blacklist”andisolationofinfectednetworkbynetwork

providersfromtherestofInternetaspartoftheInternetcommunity’sefforttostopemailspamming


Mitigate risks from spambot infections



Mitigation options vary by environment

NotallmitigationbestpracticesareappropriateforallenvironmentsCyberGreenprovidesinformationrelevanttofourbasicenvironmentalprofilesLookfortheseiconstofindmitigationsforyourenvironment

1.

2.

3.

4.


Find out if your network is already infected with botnets

ShadowserverwillprovideanynetworkwithdailyreportsonthebotnetinfectionsseenforaspecificIPv4orIPv6addressblock:http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork

Note:ShadowserverscanswillonlyhitIPspacethatisnotfirewalledandtheydonotclaim100%accuracyintheirCommand&Controldownloads,sotheremaybefalsepositivesinShadowserverIRCintelligence

Is your IP address part of a blacklist?

IdentifyyourIPv4orIPv6addressbyvisitingthesewebsites:• http://ipv4.whatismyv6.com/• http://ipv6.whatismyv6.com/

CheckthoseIPsathttp://multirbl.valli.org/• OrclickonindividualIPaddresslinksthatappear

onthesite



Stay alert for new or increasing infections

Acompletelistofalltechniquesisbeyondthescopeofthisdocument• Shadowserver hasacomprehensivelistoftoolsand

techniquestomonitoryournetworkanddetectbotnets

https://www.shadowserver.org/wiki/pmwiki.php/Information/BotnetDetection


Mitigation: Notify users and clean up infected machines on your network

Allorganizations,includingISPs,needtocleanupinfectedhostsUse“nukeandpave”tobesurethedeviceissecure:1. Reformatorreinstallsystemfromscratchusingoriginalmedia2. Ensurethatoperatingsystempatchesareapplied3. Ensureadequatehostprotections(anti-virusandhostfirewall)are

installedandconfiguredwithupdatedsignatures/definitions4. Restoreuserfilesandapplicationsfromcleanbackupsororiginalmedia.

Besuretopatch*all*installedapplicationsDoeachstepBEFOREconnectingthehosttotheInternetIfyoudon’talreadyhavethissoftwareavailablelocallyonyournetwork,youshouldconnecttotheInternetviaahardwarefirewalled-connectiontodownloadsoftwareand/orupdates

ISPs: Communicate with customers

CommunicatewithcustomersaboutwhatyouaredoingandWHY,usingthesenotificationmethods• Email• Phonecalls• In-browsernotificationssuchas

“walledgardens”(i.e.notifycustomer“youraccountistemporarilysuspendeddueto…”)

Activelyeducatecustomersaboutthethreats,theirresponsibilityascomputerowners,andmeasurestakenbyISPtoreducerisks



Mitigation: Practice basic computer hygiene

PracticingbasiccomputerhygieneisessentialtoreducingtheriskofallmalwareinfectionsItalsoenablesyoutorecoverquicklywhenacomputerdoesbecomeinfectedBasiccomputerhygieneprotectsagainstmanydifferenttypesofmalwareusedtocreatetoday’sbotnets


Computer hygiene: Backups

Regular,completebackupsofalldevicesanddataareessentialMultiplegenerationsofbackupsshouldberetained:• Ifmostrecentbackupis

nogood,apriorversionexists

• Minimizesamountofdatathatmaybelost


Computer hygiene: Host-based firewall

Modernoperatingsystemscomewithabasichost-basedfirewallthatshouldbeturnedonBEFOREthecomputerisconnectedtotheInternet,particularlyifthereisnoseparatefirewallatthepointofconnectiontotheInternetStand-alonefirewallapplicationsfromreputablefirewallvendors:• http://www.pcmag.com/article2/0,2817,2487059,00.asp

• http://www.techradar.com/news/software/applications/the-best-free-firewall-software-of-2015-stop-malware-before-it-gets-you-1284587

• http://www.techradar.com/news/software/applications/7-of-the-best-linux-firewalls-697177


Computer hygiene: Anti-virus

Ifyoudon’talreadyhaveanti-virus(AV)software,orifyoubelieveacomputerisinfectedbutyourcurrentAVdoesnotdetectavirus,findanAVhere:• http://www.pcmag.com/article2/0,2817,2388652,00.asp• http://www.techradar.com/news/software/applications/be

st-free-antivirus-1321277

DONOTrunMORETHANONEanti-virusatatimeIfyouwanttotryrunningmultipleproducts,downloadone,runit,uninstallit,downloadthenext,runit,uninstallit,etc.


Computer hygiene: Images with secure configurations

BuildOperatingSystemimageswithsecureconfigurations,i.e.withanti-virusandfirewallsalreadyinstalled• Greatlyreducestimeneededtocompletelyrebuild

acomputerfromatrustedsource• Oftentheonlywaytoensureallmalwareis

eliminatedonadeviceandthatitisabletoprotectitselffromre-infection


Computer hygiene: Protect mobile devices

MobiledevicesmaybeinfectedandusedasSpambots,particularlyiftheyconnecttoinsecurelyconfiguredwirelessnetworks(Wi-Fi)MobiledevicesmayalsosendSMStextmessagesthroughcellularnetworkstoothermobiledevicesorPremiumSMSnumbers• Highvolumeusagemayresult

inadditionalcharges• PremiumSMSnumbersalways

resultinadditionalcharges


Computer hygiene: Protect mobile devices

MitigationsformobilesimilartoPCs:• Alwayskeepdeviceoperatingsystemandinstalled

applicationsup-to-date• Don'tdownloadorinstallsoftwarefromnon-approved

sources• BeawareofflashscammessageswithfakeAVorother

contentthatdirectsyoutoafakestorewithfakeAVorothermalicioussoftware

• AskcellprovidertoblockallPremiumSMSmessagestomobiledevice


Mitigation: Implement email authentication with SPF and DKIM

SenderPolicyFramework(SPF)andDomainKeysIdentifiedMail(DKIM)emailauthenticationprotocolsthatmakeitharderforspammersandcybercriminalstospoofwhereanemailcomesfrom

Domainswithemailauthenticationarelessattractivetophishers

• Lesslikelytobeblacklistedbyspamfilters

• Ensureslegitimateemailfromthatdomainisdelivered


Mitigation: Implement email authentication with SPF

SPFallowsdomainownerstospecifywhichmailserversareusedtosendemailfromthatdomain

• Providesamechanismtoallowreceivingmailexchangerstocheckthatincomingmailfromadomaincomesfromahostauthorizedbythatdomain'sadministrators

SPFspecifications,configurationanddeploymentinformation:https://tools.ietf.org/html/rfc7208

http://www.openspf.org/Project_Overview

https://www.digitalocean.com/community/tutorials/how-to-use-an-spf-record-to-prevent-spoofing-improve-e-mail-reliability


Mitigation: Implement email authentication with DKIM

DKIMallowsmessagestobetransmittedinawaythatcanbeverifiedthroughcryptographicauthenticationbymailboxprovider• EmailproviderswhovalidateDKIMsignaturescanuse

informationaboutsignertolimitspam,spoofing,andphishing

• DKIMcanensuremessagesnotmodifiedortamperedwithintransit

DKIMspecifications,configurationanddeploymentdetails:https://tools.ietf.org/html/rfc6376http://dkim.org/


Mitigation: Implement secure configuration of email services

TheMessagingAnti-AbuseWorkingGroup(MAAWG)recommendationstoimplementasecureconfigurationofemailservicesfocuson:• LockingdownaccesstoSMTPport25• RequiringauthenticationforemailasprovidedinInternet

EngineeringTaskForce(IETF)RFC2254• Useemailsubmissionservicesonport587asdescribedin

IATFRFCRecommendationsavailableat:https://www.m3aawg.org/sites/default/files/document/MAAWG_Port25rec0511.pdf


Additional configurations for ISPs

Blockemailportsatthecustomer’smodem,i.e.blockoutboundport25topreventdirect-to-mxspamBlockoutboundport25fromresidentialuserstoanymailserverotherthantheISP’s;thisforcesspambotstouseISP-ownedmailserversPerformoutboundspamfilteringandbotdetectiononISPmailservers- thiscanbeparticularlyeffectiveinconjunctionwiththepriorblockingtactics


Other mitigations for ISPs

Ifblockingportsisn’tpossible,ensurethatrecipientscandistinguishresidentialIPaddressesfromcommercialonesAssignreverseDNStoresidentialIPsthatmarksthemassuch,andpublishthenamingconventionProactivelyprovideresidentialCIDRblockliststoblocklist providerssuchastheSpamhaus PolicyBlockList(PBL)athttps://www.spamhaus.org/pbl/RatelimitUDPfragments


Mitigation: Implement RFC 7489 DMARC

IETFRFC7489,“Domain-basedMessageAuthentication,Reporting,andConformance(DMARC)

DMARCdesignedtohelpcombatspamandphishingbyenablingemailsendersandreceiverstodeterminewhetherornotagivenmessageislegitimatelyfromthesender,andwhattodoifitisn’tBuildsonwidelydeployedDKIMandSPFvalidationsystems:ifmessagesatisfieschecksitissentthroughtorecipient,otherwiseit’squarantinedorrejected


DMARC

DMARCissupportedbyallfourmajoremailproviders:Google,Microsoft,YahooandAOL.IthasalsobeenimplementedbyserviceslikeFacebook,PayPal,AmazonandTwitter.MoreinformationaboutDMARCisavailableat:• https://dmarc.org/• https://dmarc.org/overview/• https://dmarcguide.globalcyberalliance.org• https://tools.ietf.org/html/rfc7489


Verify your fix

Afterimplementingyourmitigationmeasures,monitoryourinfrastructuretopreventre-occurrencebysubscribingtofreereportsfromShadowserver:https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork

Additional resources about spambots

• CheckyourlocalCERTandyourAVvendorannouncementsforidentifiedmalwareinfection

• https://www.shadowserver.org/wiki/pmwiki.php/Information/Botnets

• http://www.senki.org/sp-security/monitoring-network-malware-spam-botnet-infections/

• https://www.spamhaus.org/


Making the case for implementing mitigations for spam botnet infections



Making the case for mitigations

HelpeveryoneunderstandthelevelofeffortneededtoimprovecyberhealthintheircommunityWhyshouldyouimplementthemitigationsinyourenvironment?1. ItistherightthingtodoasagoodInternetneighbor2. Yourorganizationmaybenexttobe

attackedLet’sjointogetherandstopbadguysfromwinning!


Changing risk landscape

Increasedneedtodemonstrate“duecare”• Obtainingcyberinsurance• Complyingwithriskframeworkstowinbusinesswith

local/nationalgovernmentsandlargecorporationsIfwe(you!)don’tdoabetterjobofsecuringourowninfrastructureandreducingcyberrisk,governmentregulationmayforceadditionalmandatesand/orpenalties


Anticipated organizational benefits

Increasedproductivity• FewerserviceinterruptionsandfailuresImprovednetworkperformance• Existingnetworkmorereliableandresilient,with

greatercapacityImprovedbrandreputation• Technicalreliabilityand

securityasellingpointtocustomers


More anticipated benefits

Decreasedbudgetuncertainty• FewerunanticipatedusagecostsforIT• Budgetcanbeusedasplanned,e.g.upgrading

technicalcapability/capacity,personnel,etc.Systemadminsmayspendlesstimespenttryingtodealwithunexpectedproblems• Mayimprovetheirproductivityand

reduceunexpectedovertime

Benefits for ISPs and Email Providers

IdentifythepartyresponsibleforsubmittedmessagesReducedcostsforabusehelpdesk,customersupport,andnetworkoperationscentersImproveddeliverabilityforlegitimateemailmessages,duetoreducedriskofbeingblacklistedNewabilities:• Enforceacceptableusepolicies,termsofserviceforemail

submission• Monitorandlimittransmissionrates,percustomerand/orin

aggregate• Offerpremiumtiersofservicetocustomerswithbusiness

needtooperateemailserverswithdirectaccesstoport2545 Copyright©2016,CyberGreen Dec2016


What do you need to implement these mitigations?

Commandsandconfigurationdetailsformostimportantmitigationsarepublicallyavailable• Noadditionalsoftwaremustbepurchased• Implementingmitigationsdoesnotrequireanyspecial

knowledge,skills,orabilities

Note:AllmitigationsshouldbecarefullyreviewedinlightofyourspecificbusinessrequirementsandinfrastructureenvironmentbeforeproceedingAllorganizationalchangemanagementprocesses,includingtesting,shouldbefollowed


How long will mitigations take?

CleanrestoreofahostmaytakeanhourortwowhensecureOSimagesreadilyavailableforautomaticrebuild• Doesnotincludetimetoinstallorrestoreuser

applicationsanddata,assumingdatawasbackedupManualinstallationfrommediawilltakeseveralhoursperhostISPsandlargeentitiescanautomateadministrationofchangesviaconfigurationmanagementsystemswithtaskexecution(Salt,Ansible)


TechnicalteamsmayneedseveraldaystoweekstoplanandexecuteeachindividualcomponentofthesecureconfigurationforemailservicesrecommendedbyMAAWGortoimplementDMARC

Bonus:withnorealmaintenance,therecurringcostiseffectivelyzero!

How long will it take?

Acknowledgement


CyberGreenwouldliketothanktheexpertswhomadethecreationofthisdocumentpossible:

Writtenby:- LaurinBuchanan,AppliedVisions,Inc.– SecureDecisionsDivision

ContributedandReviewedby:- MattCarothers,CoxCommunications- Baiba Kaskina,CERT.LV- MotoKawasaki,JPCERT/CC- ArtManion,CERT/CC- Yoshinobu Matsuzaki,IIJ- JoeStSauver,Farsight Security- DavidWatson,ShadowServer Foundation

Disclaimer:CyberGreenbelievesthisguidanceandtheadvicefromourexpertsshouldbeofbenefittoanyonemitigatingariskconditions,butitisnotadvicespecifictoanyreaderornetwork.Ultimately,eachreaderisresponsibleforimplementinghisorherownnetwork remediationstrategyandweassumenoresponsibilityorliabilitytherefore.

Formoreinformationaboutriskmitigationbestpractices

pleasecontact:[email protected]


Risk Mitigation for SpamBotInfections Bot Infectio… · Mitigation: Practice basic computer...

Documents

Transcript of Risk Mitigation for SpamBotInfections Bot Infectio… · Mitigation: Practice basic computer...