
Protecting against computerized corporate espionage
• How to harden your corporate practices
Jarno Niemelä
[email protected] twitter:@jarnomn
Protecting the irreplaceable | f-secure.com
What Is Computerized Espionage
• Spying on a target by using a computer as the tool
• Targets are chosen because they have something of value
• Or are associated with an interesting target
• Attacks are impersonal and very personal at the same time
• Victim and attacker can be on different sides of the globe
• But at the same time the attacker has tailored the attack to the person
Typical Computerized Espionage Case
• Victim gets an email or a message over some social network
• The content looks like a regular business mail or a link
• However it contains exploit code with a trojan payload
• Victim reads the document or clicks the link and the payload is executed
• Payload connects back to the attacker's C&C network
• Computer is under the spy's control
• Spy will mine the computer for anything interesting
• Anything of value in the system, or anything that can be used to infect others
What's The Catch? This Sounds Like Any Other Malware
• Nowadays users are careful, they don't open just anything
• Thus the catch is in getting the user's trust
• To do this the spies study the victim in order to slip past people's guard. Just like in physical espionage
• Thus Facebook, LinkedIn, Twitter, etc. are spies' favorite tools
What Are The Spies After?
• Corporate secrets of course
• But if those are not available, then anything that helps them [1]
• Travel tickets, hotel invoices and other time/location info
• Banking info and scans of documents, e.g. passport
• Job applications, legal documents
• Email, SMS messages, address books and other communication
• If the current victim is not interesting, maybe someone he knows is
• And thus the current victim can be impersonated online
Attack Vectors
• Attack over email attachment
• Attack an externally visible server and continue into the internal network
• Attack from a supplier web page
• Steal user credentials
• Attacks over business related files
Attacks Over Email
• An employee at Digital Bond received a credible looking mail from his boss [2]
• The mail contained correct names, correct lingo and had a link to a PDF file related to the target's field
• Digital Bond is a SCADA security vendor, and thus has very interesting clients from a spy's point of view
• The attachment actually was a ZIP file which contained an EXE
• The EXE was a backdoor which was not detected by any AV vendor
Mass Email Campaigns
• "Nitro" industrial espionage is a typical example of a mass email attack [3]
• The attackers had a list of contacts with various levels of info
• If a connection between two contacts was known, the attack emails pretended to be meeting invites from known contacts
• Otherwise the attack emails pretended to be "security updates"
• Attackers mined proprietary designs, formulas, and manufacturing processes
• And any email and contact info that could be used to find new targets
Attacks On Externally Visible Servers
• A hacker broke into the HBGary Federal web server using SQL injection
• SQL access allowed the attacker to download the password file
• One of the passwords allowed SSH access to a server connected to the internal network
• After this the hacker had access to the full corporate network
• Access to all email, Twitter
• Thus access to password resets on Google, iCloud, etc. services
• Greg Hoglund's email account was used to social engineer the password to rootkit.com
Watering Hole: Attacks Over Industry Contacts
• Many interesting targets are well protected
• Thus attackers may focus on the less protected supply chain [4]
• A European aeronautical parts supplier's web site was hacked [5]
• The site was injected with a 0-day exploit for Internet Explorer
• Thus any customer of that company who used IE could be targeted
• The IE exploit was actually a rather crude way of using the supplier
• Attackers could have infected PDF documents or SDK installers
Attacks Over Business Related Files
• Non-PDF business related files are trusted to a high degree
• ESET discovered an AutoCAD worm that was used to steal 10000s of docs [6]
• ACAD/Medre.A is an AutoCAD based worm that infects other AutoCAD files
• Medre.A had infected a template in Peru that local businesses had to use
• Thus almost everyone in that industry got infected
• After infection Medre.A collected AutoCAD files from the system and emailed them to a list of email accounts in China (163.com and qq.com)
• Medre.A also tries to steal Outlook PST files
C&C
• After a successful attack the attacker needs to be able to talk to the payload
• Which means that he needs some way to communicate
• HTTP(S) C&C (simple domain, fast flux, compromised site)
• Skype, IRC, Messenger, ICQ, etc. chat connections
• Twitter, Facebook, social networks
• FTP, Dropbox, file-leave, file sharing sites
• SMTP
• Anything else that looks like regular user activity
Data Exfiltration
• After the attacker has C&C he needs some way to get the data out
• The most common approach is to use the C&C channel and HTTP
• But sometimes attackers get creative [7] [8] [9]
• Print "error pages" that contain encoded information and dumpster dive
• Leak information in DNS queries, payload 240 bytes per query
• Leak info in ping ICMP packets
• Open a VoIP connection and emulate an analog modem
• Use IE or another web browser to make network connections to bypass the firewall
Protection: Get your basics right
• Attackers are using malware, so basic malware defense takes you a long way [10]
• Harden workstations and servers
• Harden your network, especially outgoing data
• Make sure external servers contain only what is needed
• Make sure systems are up to date and well configured
• Use security software
• Use gateway filtering
• Etc., good basic admin work
Hardening workstations and servers
• In 2011 I covered this topic in detail at T2
• The previous material is included with these slides
• The key points that you have to take care of:
• Prevent hostile content from reaching clients
• Prevent exploits from working
• Prevent malware access inside the system
• Prevent malware communicating to C&C
• Above all make sure information and systems are isolated
• Add a custom user agent to your browsers to "watermark" legitimate traffic
Hardening Network
• Isolate everything in the network, no inbound to clients, no outbound from servers
• Allow email only over the company mail server
• Don't allow mail sending without user authentication
• Don't allow any other outbound traffic except HTTP(S)
• Allow HTTP(S) only over the company proxy
• Don't allow external DNS servers, don't allow ping to external hosts
• Set up DNS white listing and a landing page for unknown domains
• Apply these configurations also to laptop software firewalls
• A common trick is to leak info when the laptop is not in the corporate network
DNS Is The Botnet's Achilles Heel
• A bot is useless if it cannot connect to C&C
• Provided that you are not facing an exotic attack such as Flame
• Basically all bots do use domain names for C&C
• Thus restricting DNS resolution will take you a long way
• I am collecting a list of domains used by document exploits
• 8953 domains out of 9035 do not belong in the Alexa top 1M list of domains
• Which means that restricting DNS resolution is very effective
Ok So Basics Are Done, The Fun Part Begins
• You have to assume that the attacker gets past your defenses
• Prevent access to sensitive information and systems
• Buy time for detection systems to react
• Minimize damage even if the attack is not detected
• Detect the breach
• According to Trustwave there is an average of 156 days between initial breach and discovery [11]
• This is way too long, we need to lay traps for attackers
Know What You Are Protecting
• Intra web
  • Customer relations info
  • Any services that you have webified
• Active Directory
  • User accounts
• Web servers
  • Especially if you are a subcontractor, your customer might be the real target
• Document files
  • Business plans, price offers, pricing, patent applications, HR records
• Source code
  • Files on developer desktops, source code repositories
• Email files
  • Mergers, financial information before release, etc. insider info
Protect Documents, Use Rights Management
• Windows Rights Management Services (RMS) provides transparent document protection [12]
• With RMS all protected documents are stored in encrypted form
• To open a document Word/Excel/etc. must request a key from the RMS server
• The RMS server authenticates the user against the domain account
• If the account checks out and the user has rights, the server returns a key
• Thus if a document is stolen it cannot be read
• Also documents can be restricted to a person or a group
• Third party vendors like GigaTrust can expand rights management to non-Microsoft documents and iPhone/iPad devices [13]
Protect Access To Source Code
• Isolate development from the desktop
• Run development in a separate virtual machine session
• Have a VPN that serves only that virtual machine
• Alternatively use some form of terminal service, VNC or RDP for example
• Protect access to the source code repository
• User access needs to be tightly controlled, no universal read access
• Use data leakage prevention software [14]
• Configure all source code as non-transferable from the workstation
• Of course DLP can be circumvented, but it is additional protection
Protect Your Internal Web Applications
• Make the attacker's life a bit more difficult. Lock access to only one browser
• Use Kerberos authentication for all internal web pages
• Set the client firewall to allow only the correct browser to use HTTP(S) to the intra
• Configure the intra server to accept only the company custom user agent
• Thus the attacker needs to take over the browser or fake it 100%
• Have log alerts for partially successful authentications
• It's very unlikely that an attacker would get everything right
Protect External Web From Inside Attacks
• Being the attack vector at your customer will be bad for business relations
• Thus you have to protect your external servers from insider attacks
• Isolate external facing servers from the internal network
• Allow admin access only from specified hosts and IP addresses
• Don't make direct changes, use content management
• Make all changes in a CMS that has auditing and change logging
• Have the server periodically pull updates from the CMS
• Do automated consistency checks between the CMS and the public server
• Set an alert if there are differences between intended and actual content
Protect Your Email
• Most recorded email thefts happen by stealing the mail files
• Issue email certificates for all users, and lock the certs with a password
• Thus almost all critical email will have transparent encryption
• And to read it the spy has to be able to steal the certificate
• Block or set warnings on programmatic access to the mail client
• Also remember to control access to .PST etc. files
BYOD
• It would be nice to be without BYOD
• If you have to allow user devices, do it safely
• Laptops, phones and PDAs should have their own WiFi
• Require that the mail server can enforce policies
• Mandatory PIN or other lock code
• Allow only a couple of days of email
• Allow only one month of calendar into the future
• Use rights management on everything that supports it
Detect Breaches And Information Leaks
Even if you fail at prevention, the game is not lost
The spy still has to send the goods out of your network
Most companies focus on preventing intrusion
While what you should really focus on is preventing data from escaping
Set Data Exfiltration Honeypots
• Create fake routes out of the company that raise an alarm if someone uses them
• Fake smtp.company.com mail server that accepts mail but does not forward it
• Capture all HTTP traffic that does not go through the correct proxy
• Capture all DNS traffic that does not go to your DNS server
• Capture all ping ICMP traffic
How To Build Honeypots
• All you need is Linux iptables or a good router, Python and a spare server
• Route all unwanted traffic to the honeypot server
• Create fake services with Python that answer OK, log and send an alarm email
• HTTP example: http://fragments.turtlemeat.com/pythonwebserver.php
• SMTP: http://muffinresearch.co.uk/archives/2010/10/15/fake-smtpserver-with-python/
• DNS: http://code.activestate.com/recipes/491264-mini-fake-dns-server/
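As an added example (not from the slides or the linked recipes), a minimal fake DNS service of the kind described above: any query routed to it is answered with an A record for an assumed landing page address and logged as an alarm. LANDING_IP and SAMPLE_QUERY are constructed values.

```python
import logging
import socket
import struct

# Constructed landing-page address (RFC 5737 test range): the "landing page for unknown domains"
LANDING_IP = "192.0.2.10"

def parse_query_name(packet):
    """Return (queried name, offset just past the name) from a raw DNS query."""
    labels, pos = [], 12                       # the 12-byte DNS header precedes the question
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels), pos + 1           # +1 skips the terminating zero label

def build_fake_response(packet, landing_ip=LANDING_IP):
    """Answer any query with one A record for the landing page; return (name, reply bytes)."""
    name, qend = parse_query_name(packet)
    question = packet[12:qend + 4]             # name + QTYPE + QCLASS, echoed back unchanged
    # Header: same transaction id, flags 0x8180 (response, RD, RA), 1 question, 1 answer
    header = packet[:2] + b"\x81\x80" + struct.pack("!HHHH", 1, 1, 0, 0)
    # Answer: compression pointer to the name at offset 12, type A, class IN, TTL 60, 4 data bytes
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(landing_ip)
    return name, header + question + answer

def serve(bind_addr="0.0.0.0", port=53):
    """Run the honeypot. Everything reaching it was routed here as unwanted, so each packet is an alarm."""
    logging.basicConfig(level=logging.WARNING, format="%(asctime)s %(message)s")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, client = sock.recvfrom(512)
        name, reply = build_fake_response(data)
        # Replace the log call with your alarm email / SIEM hook
        logging.warning("DNS honeypot hit: %s asked for %s", client[0], name)
        sock.sendto(reply, client)

# Constructed sample: transaction id 0x1234, standard query, QDCOUNT 1, "example.com" A IN
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01")

if __name__ == "__main__":
    serve()
```

Pair it with an iptables rule that redirects UDP/53 from clients to this host instead of to the internet, so a resolver lookup that bypasses your DNS server lands here.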
Monitor Traffic That Is Allowed To Go Through
• For privacy reasons I don't advise reading content, but just traffic inspection will reveal if there is a need to start an investigation
• Monitor DNS queries for unusual patterns
• 10s of queries to different subdomains in the same domain
• Queries to domains not in .fi or in the Alexa top 1M space
• Monitor ping requests (even if you are blocking them)
• Normal users do not try to send frequent ping traffic to odd destinations
• HTTP requests that do not have the company standard HTTP user agent
• Whitelist known self update destinations (Apple, Dell, Google, etc.)
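An added example, not part of the original slides: the DNS checks above run over a constructed resolver log. The whitelist, the .fi home TLD rule and the threshold of ten distinct subdomains are assumptions standing in for the Alexa list and your own baseline.

```python
from collections import defaultdict

# Constructed stand-ins for the slide's whitelists (Alexa top 1M, home TLD, self-update hosts)
TRUSTED_DOMAINS = {"google.com", "apple.com", "dell.com", "microsoft.com"}
TRUSTED_TLDS = {"fi"}
SUBDOMAIN_THRESHOLD = 10      # "10s of queries to different subdomains in the same domain"

def registered_domain(name):
    """Crude registrable-domain guess: the last two labels (no public suffix list in this demo)."""
    labels = name.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def is_trusted(name):
    """Queries inside the whitelist or the home TLD are left alone."""
    return registered_domain(name) in TRUSTED_DOMAINS or name.lower().rsplit(".", 1)[-1] in TRUSTED_TLDS

def analyse(log_text):
    """Return (client, domain, reason) findings from a 'client queried-name' per line log."""
    seen = defaultdict(set)                             # (client, domain) -> distinct subdomain prefixes
    for line in log_text.strip().splitlines():
        client, name = line.split()
        if is_trusted(name):
            continue
        dom = registered_domain(name)
        prefix = name.lower()[: -len(dom)].rstrip(".")  # everything left of the registered domain
        seen[(client, dom)].add(prefix)
    findings = []
    for (client, dom), prefixes in sorted(seen.items()):
        if len(prefixes) >= SUBDOMAIN_THRESHOLD:
            # Many unique labels under one domain is what "240 bytes per query" leakage looks like
            findings.append((client, dom, f"possible DNS tunnelling: {len(prefixes)} distinct subdomains"))
        else:
            findings.append((client, dom, "query outside whitelist"))
    return findings

# Constructed sample log: normal browsing, one intranet lookup, then one host spraying unique labels
SAMPLE_LOG = "\n".join(
    ["10.1.1.5 www.google.com", "10.1.1.5 mail.company.fi", "10.1.1.7 update.apple.com",
     "10.1.1.9 cnc-example.org"]
    + [f"10.1.1.9 {i:04x}c3d2e1.exfil-example.net" for i in range(12)]
)

if __name__ == "__main__":
    for client, dom, reason in analyse(SAMPLE_LOG):
        print(f"{client} {dom}: {reason}")
```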
Monitor For Unusual Process Activity
• Spies often use tools that normal users never or almost never execute
• cmd.exe /c "some command"
• Runs the specified command in a command shell. Used by some exploits and backdoors
• Focus on things not used by installers, e.g. cmd.exe /c "dir"
• certmgr.exe (especially certmgr.exe -add)
• Used to add certificates to the trusted certificate store
• Used by some backdoors to better hide in the system from forensic investigation
• bcdedit.exe (bcdedit /set loadoptions DDISABLE_INTEGRITY_CHECKS)
• Used to modify the boot configuration, and disable code signing protection on boot
• netsh (especially netsh.exe firewall)
• Used by malware to disable or alter the Windows firewall
Monitor File Access Behavior On Clients
• Regular users have rather uniform access patterns
• Documents are accessed with Word, Outlook, Explorer and backup software
• Source code is accessed with Eclipse, Visual Studio, etc.
• So an unknown application accessing a given file type is rare, and interesting
• Build an alert system to monitor unknown applications accessing critical data
• Why does %appdata%/Protector-vvxb.exe read document files?
Simple Example For Monitoring Activity
• Process Monitor http://technet.microsoft.com/en-us/sysinternals/bb896645
• With Process Monitor we see all file creations and other interesting events
• Start Process Monitor and filter the desired events to be visible
• Dump results to disk and convert to XML
• Parse the result for anything out of the ordinary and alert the admin
Setting Up Process Monitor
• Save configuration to ProcmonConfiguration.pmc
Demo Using Process Monitor
• I implemented a simple tool to parse process monitor logs
• And alert on anything unusual
• The tool could be deployed on all user workstations
• It's "demo" quality, so use at your own risk
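An added example (not the author's demo tool) serving both the process activity and the file access slides: it walks a Process Monitor XML export and flags the command lines listed above plus unknown applications reading document or source files. The element names follow Procmon's "Save as XML" layout as assumed here, the regexes and reader lists are this example's own, and the sample export is constructed.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# Command-line rules for the tools the slides call out; the regexes are this example's own
SUSPICIOUS_COMMANDS = [
    (r"\bcmd\.exe\s+/c\b", "cmd.exe /c used to run a command"),
    (r"\bcertmgr(\.exe)?\b.*\s-add\b", "certmgr -add: certificate added to a trusted store"),
    (r"\bbcdedit(\.exe)?\b.*loadoptions.*DISABLE_INTEGRITY_CHECKS", "bcdedit disabling boot code signing checks"),
    (r"\bnetsh(\.exe)?\s+(advfirewall|firewall)\b", "netsh altering the Windows firewall"),
]
# Applications expected to read each file type; any other reader is the "Protector-vvxb.exe" case
EXPECTED_READERS = {
    ".docx": {"winword.exe", "outlook.exe", "explorer.exe", "backup.exe"},
    ".c": {"devenv.exe", "eclipse.exe", "explorer.exe", "backup.exe"},
}

def check_event(process, operation, path, detail):
    """Return an alert string for one Procmon event, or None when it looks normal."""
    if operation == "Process Create":
        for pattern, why in SUSPICIOUS_COMMANDS:
            if re.search(pattern, detail, re.IGNORECASE):
                return f"{process}: {why} [{detail}]"
    elif operation in ("ReadFile", "CreateFile"):
        ext = ntpath.splitext(path)[1].lower()          # ntpath handles Windows paths on any OS
        expected = EXPECTED_READERS.get(ext)
        if expected is not None and process.lower() not in expected:
            return f"{process}: unexpected {operation} on {ext} file {path}"
    return None

def scan_procmon_xml(xml_text):
    """Walk a Procmon XML export (assumed <event> children: Process_Name, Operation, Path, Detail)."""
    alerts = []
    for ev in ET.fromstring(xml_text).iter("event"):
        field = lambda tag: ev.findtext(tag) or ""
        alert = check_event(field("Process_Name"), field("Operation"), field("Path"), field("Detail"))
        if alert:
            alerts.append(alert)
    return alerts

# Constructed sample export: a benign document read, one by an unknown binary, two process creations
SAMPLE_XML = r"""<procmon><eventlist>
<event><Process_Name>WINWORD.EXE</Process_Name><Operation>ReadFile</Operation>
<Path>C:\Users\jane\Documents\plan.docx</Path><Detail>Offset: 0, Length: 4,096</Detail></event>
<event><Process_Name>Protector-vvxb.exe</Process_Name><Operation>ReadFile</Operation>
<Path>C:\Users\jane\Documents\plan.docx</Path><Detail>Offset: 0, Length: 4,096</Detail></event>
<event><Process_Name>explorer.exe</Process_Name><Operation>Process Create</Operation>
<Path>C:\Windows\System32\cmd.exe</Path><Detail>PID: 4242, Command line: cmd.exe /c "dir"</Detail></event>
<event><Process_Name>svchost.exe</Process_Name><Operation>Process Create</Operation>
<Path>C:\Windows\System32\netsh.exe</Path><Detail>PID: 4243, Command line: netsh.exe firewall set opmode disable</Detail></event>
</eventlist></procmon>"""
```

Running `scan_procmon_xml(SAMPLE_XML)` yields three alerts; in deployment the list would be emailed to the admin rather than returned.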
Conclusion
• You cannot trust that you can always prevent infections
• Thus corporate security and defence in depth is a must
• Whenever possible make data difficult for malware to steal
• When that fails make data readable only in your environment
• Invest in monitoring
• When you know the patterns of your valid users
• A spy breaking the patterns will be detected
References
• [1] http://www.nartv.org/mirror/shadows-in-the-cloud.pdf
• [2] https://www.digitalbond.com/2012/06/07/spear-phishing-attempt/
• [3] http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf
• [4] http://nakedsecurity.sophos.com/2012/06/20/aeronautical-state-sponsoredexploit/
• [5] http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf
• [6] http://www.eset.com/fileadmin/Images/US/Docs/Business/white_Papers/ESET_ACAD_Medre_A_whitepaper.pdf
• [7] http://www.iamit.org/blog/2012/01/advanced-data-exfiltration/
• [8] http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHatDC-2010-Percoco-Global-Security-Report-2010-slides.pdf
• [9] http://www.kentonborn.com/sites/default/files/data_exfil.pdf
• [10] http://www.us-cert.gov/control_systems/pdf/ICS-TIP-12-146-01A.pdf
• [11] http://www.blackhat.com/presentations/bh-dc-10/Percoco_Nicholas/BlackHatDC-2010-Percoco-Global-Security-Report-2010-slides.pdf
• [12] http://en.wikipedia.org/wiki/Rights_Management_Services
• [13] http://www.gigatrust.com/desktop_client.shtml
• [14] http://www.mydlp.com/