FIRST07 (uploaded by Noormahl; added March 06, 2008; category: Education)

Presentation Transcript

From the SANS Institute's Internet Storm Center
Future Trends In Network Security
Tom Liston
Incident Handler – SANS Internet Storm Center
Senior Security Consultant – Intelguardians
tliston@isc.sans.org
tom@intelguardians.com

Who are you / Why are you here?
- Incident Handler – SANS Institute's Internet Storm Center
- Programmer: ISC's resident "code monkey"
- Founding Member – ISC Malware Analysis Team
- Senior Security Consultant – Intelguardians: high-end security consulting, cutting-edge research
- Author
  - Software: LaBrea (introduced the concept of a network "tarpit" to slow the propagation of worms); PEInfo (malware analysis tool); other tools for network security, forensics, malware analysis, etc.
  - Books / Articles: Counter Hack Reloaded – A Step-by-Step Guide to Computer Attacks and Effective Defences (with Ed Skoudis); Follow the Bouncing Malware – a series of articles for the ISC

Internet Storm Center?
- Modeled after the data collection, analysis, and warning system used by weather forecasters
- Many small sensors collecting geographically diverse data
- Analysts available to monitor data
- Warn of impending problems

ISC History
- Created in 2001: the Li0n worm
  - An unorganized group of systems admins, incident handlers, and malware analysts
  - Successfully detected, analyzed, and responded within 14 hours
  - Based only on a spike in port 53 traffic
- Today
  - Hand-picked group of 35 volunteer Incident Handlers from around the world
  - Thousands of individuals and organizations submit data from firewalls and IDS
  - "Infocon" indicating current state of the 'net

The ISC Today
- Uses the DShield distributed intrusion detection system for data collection and analysis
- Available tools for submitting anonymized logs from hundreds of firewalls and IDS systems
- 15 million event records / day
- 1 – 2 million source IP addresses / day
- 5.4 billion event records / year
- Cover >300,000 target IP addresses

Where do you want to go today?
- Let's try to take an un-sensationalistic look into the future

Our Agenda
- "Tom… look into your crystal ball…"
- The future: the Future for the Bad Guys; the Future for "Joe Sixpack," Internet Surfer; the Future for the Good Guys
- Some crazy speculation in the form of "Fearless Predictions" thrown in along the way

The Future for the Bad Guys – Item 1
- "Feature Based Attacks"
- Evolution of network attacks: over the past five to seven years, we've seen an important evolution in attacks
- Change in attack focus: Servers -> Applications
- Why? Perhaps… we've gotten better at what we do… Or… perhaps they're going where the money is…
- Where next? Abusing features!

Web 2.0 as an attack tool
- Example: the "Samy" worm on MySpace, October 2005
- Vulnerability: XSS exploit allowed the injection of a new <SCRIPT> into the active user's profile
- AJAX used to inject viral script into the profile of anyone who viewed an infected page
  - Added "Samy" as a friend
  - Added "Samy is my hero" to the end of the victim's profile
- Result: "Samy" had over 1 million friends within 24 hours

Abusing Javascript Restrictions
- Javascript has built-in restrictions to limit abuse: the "Same Origin Policy"
  - Will only allow a script to interact with the site from which it originated
  - Very simple………… minded
- What if there was one site on the 'net where I could download content from multiple sites? Naaah… that could never happen
  - Translation sites, proxies, etc…

Abusing Javascript Restrictions (continued)
- DNS Re-binding
  - Subverting the "same origin" policy
  - Changing DNS resolution on-the-fly, to alter what the browser considers to be "same origin"
  - Can drop an attack behind a firewall
- Mitigation possible, but difficult to completely fix
  - "Pinning" – locking a name to an address for a period of time
  - No re-binding a non-RFC 1918 address to an RFC 1918 address
  - Beyond this, the fixes tend to break little, unimportant things like "Akamaized" websites

Fearless Prediction #1
- Within the next two years, we will see a cross-site javascript-based worm
  - Exploit XSS injection vulnerabilities using AJAX
  - Actively seek out other, similar, victims using a search engine
  - All from within the comfortable confines of some unsuspecting user's browser

The Future for the Bad Guys – Item 2
- "Boutique" malware
  - Coining a new term… we've been using "targeted" and no one is paying attention…
  - Malware with a small, targeted distribution
- Current AV products – worse than USELESS
  - Signature based: gives the warm fuzzy feeling of security
  - "Heuristics" / behavior-based AV: immature; quite frankly, it's really, really bad… so bad that AV vendors keep it off by default

Fearless Prediction #2
- Raise your hand if you've been involved in a targeted or "boutique" malware attack
- Next year, if I ask the same question, about 2-3x as many of you will raise your hand
- It's going to get much worse before it gets better
  - AV isn't ready: heuristics / behavior-based detection is very immature
  - We, as an industry, aren't ready either: signature-based mentality

The Future for the Bad Guys – Item 3
- Nation-states take the field
- Do governments actually have professional "hacking" organizations? Well, of course they do!
- The question is: would they ever use it to attack another country?
  - Normally conducted as part of classified espionage efforts
  - China has admitted to building a cyber attack capability
  - Some governments condone hacking by citizens, or have weak laws preventing it
  - China and Russia seem to be the most active; Romania and Indonesia are also of interest
- Cyber War; International Espionage; Cyber Terrorism

Cyber War!
- The perfect CNN story, but… …is it real? …is it possible?
- Three weeks of heavy DoS attacks in Spring 2007 against computer systems in Estonia
  - Attacks appeared to come from Russia; the Russian government denied any involvement
  - Estonia is highly dependent on their networks for banking, transportation, voting and daily commercial operations
  - Cyber attacks were reportedly a response to Estonia's decision to move a war memorial

International Espionage
- China appears to be the current "bad boy" threat in this area
  - US and German governments have "named names"
  - Titan Rain intrusion against US military networks
  - Source code to Microsoft Windows and Office is available in China and Russia
  - Most of the 2006 zero-day attacks against Microsoft Office products appear to have come from China
- But… there are certainly other nations playing this game

The attribution problem
- On the Internet, nobody knows you're a dog… or a Chinese spy, or a Russian teenager, or…
- Technical attribution; political attribution
- Can this ambiguity be used as a weapon?

The Russia / Estonia Dust-up
- Perfect example of how this issue affects "cyber warfare"
- Technical attribution almost impossible: attacks came from "botnets"
  - Some of the bots were "hosted" on Russian government machines
  - Does that indicate guilt, or poor network security?
- Is "political attribution" enough to justify a response? Cyber response? Conventional "kinetic" response?

Cyber terrorism
- "Nation state" or "non-nation-state third-party actor": does it make any difference?
- All the same issues apply
- 'nuf said…

Fearless Prediction #3
- Nation states (especially the US) will soon begin publicly developing and recruiting for cyber attack and defensive capabilities
- Over the next three years, we will have at least one serious international "cyber" incident that will highlight attribution issues
- Based on this incident, technical attribution capabilities will become a "national security" priority

The Future for Joe Sixpack – Item 1
- The DRMing of the Computing Experience
- Way back in 2005, Sony BMG fired the first widely recognized salvo in the war between those who produce and those who consume "content"
- Recognizing the huge market for, say… bootleg copies of a Celine Dion CD, Sony deployed DRM
- Though perhaps their copyright enforcement software went a bit too far…

It's War! DRM War!
- And it's being fought on our networks
- Fundamental misunderstanding: two sides fighting different battles
  - The recording and movie industries: attempting to control copyright infringement through technological means
  - The consumer: for the most part, simply wants access to content on their terms; play music / movies on any equipment, any time, any place (example: DVD menu restrictions)
- Yes, there are people ripping off copyrighted content, but they're not the majority

Fearless Prediction #4
- Good news: p2p bandwidth issues will slowly be decreasing as content providers crack down
- Bad news: compliance issues; mandatory monitoring; mandatory "information sharing"
- Copyright holders tend to be "wired" into governments
- Overall: headaches, headaches, headaches…

A quick (fun) side excursion… The "Toby" Principle
- All of us are faced with the problem of explaining what it is we do to the "security clueless": friends, family, users, uh… um… er…. management

Toby
(photo slide)

The Toby Principle
- "Every Information Security concept can be explained to even the most clueless n00b when explained with references to doggies"
- Yes, even MANAGERS can understand security concepts when explained in this way

An Example
- A stranger approaches my sister-in-law's house and rattles the back door to see if it is open.
- Toby alerts: Toby is an IDS
- Sister-in-law says: "It's OK, Toby": she is TUNING her IDS!

The Future for the Good Guys – Item 1
- Outsourcing: huge growth
  - User management
  - Routine monitoring (FW / IDS / IPS)
- Defining good policy is easy; enforcing it is hard: not "technically", politically
- Outsourcing allows policy enforcement and accountability through contractual agreement: the third party takes the political "heat"

Fearless Prediction #5
- Security outsourcing will be the single most important factor driving our industry for the next 3-5 years
- Note: please do not shoot the messenger

The Future for the Good Guys – Item 2
- Legislation / compliance
- Every time a laptop goes missing… every time "x" thousand people have their information disclosed through sloppy security practices… every time a rogue employee rips off client data and sells it… every SQL injection flaw that gets exploited…
- We get closer and closer to some really onerous legislation that will make our lives miserable

Fearless Prediction #6
- Second only to outsourcing, LEGISLATION (and the threat of legislation) will shape security toward being entirely policy-driven
- Policy… policy… policy… policy… Get used to saying the word, you'll be using it a lot over the next several years
- Security Policy will become far more "comprehensive" and legalistic

The Future for the Good Guys – Item 2
- Information Sharing
- Unquestionably, the Bad Guys are doing it
- If we expect to successfully keep our networks safe in the future, WE NEED TO COMMUNICATE
- Traditionally, security is a "closed" profession
- We need to share information: ISC / DShield; conferences; non-binary "networking"

A Final Fearless Prediction
- Death of the security "Lone Wolf": too much complexity; change too rapid
- I encourage you to actively participate in the growing security community

Resources
- The SANS Institute's Internet Storm Center: http://isc.sans.org
- The SANS Top 20: http://www.sans.org/top20/
- DShield: http://www.dshield.org
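Added example, not from the talk and not ISC or DShield code: the "ISC History" slide says the Li0n worm was caught from nothing more than a spike in port 53 traffic across submitted logs. The block below shows one way a sensor aggregator can surface such a spike: parse firewall records, count hits per hour on one destination port, and flag an hour whose count stands well above the other hours. The record format, every log line, the IP addresses and the thresholds (three standard deviations and three times the baseline mean, both required) are assumptions constructed for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed firewall records (not real ISC/DShield submissions):
# "<hour> <source_ip> <dest_ip> <dest_port> <proto>"
SAMPLE_LOG = """\
2001-03-23T00 198.51.100.7 192.0.2.10 53 tcp
2001-03-23T00 198.51.100.9 192.0.2.10 80 tcp
2001-03-23T00 203.0.113.4 192.0.2.11 53 tcp
2001-03-23T01 198.51.100.7 192.0.2.10 53 tcp
2001-03-23T02 203.0.113.5 192.0.2.10 53 tcp
2001-03-23T02 203.0.113.6 192.0.2.11 53 tcp
2001-03-23T02 198.51.100.9 192.0.2.10 80 tcp
2001-03-23T02 198.51.100.8 192.0.2.12 53 tcp
2001-03-23T03 203.0.113.4 192.0.2.10 53 tcp
2001-03-23T03 203.0.113.7 192.0.2.11 53 tcp
2001-03-23T04 198.51.100.7 192.0.2.10 53 tcp
2001-03-23T04 203.0.113.5 192.0.2.12 53 tcp
2001-03-23T05 198.51.100.8 192.0.2.10 53 tcp
2001-03-23T05 203.0.113.6 192.0.2.11 53 tcp
2001-03-23T06 203.0.113.21 192.0.2.10 53 tcp
2001-03-23T06 203.0.113.22 192.0.2.11 53 tcp
2001-03-23T06 203.0.113.23 192.0.2.12 53 tcp
2001-03-23T06 203.0.113.24 192.0.2.10 53 tcp
2001-03-23T06 203.0.113.25 192.0.2.11 53 tcp
2001-03-23T06 203.0.113.26 192.0.2.12 53 tcp
2001-03-23T06 203.0.113.27 192.0.2.10 53 tcp
2001-03-23T06 203.0.113.28 192.0.2.11 53 tcp
2001-03-23T06 203.0.113.29 192.0.2.12 53 tcp
2001-03-23T06 203.0.113.30 192.0.2.10 53 tcp
"""


def parse(log_text):
    """Turn the constructed text format into (hour, src, dst, port, proto) tuples."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hour, src, dst, port, proto = line.split()
        records.append((hour, src, dst, int(port), proto))
    return records


def hourly_counts(records, port):
    """Count hits per hour on `port`, and how many distinct sources produced them."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for hour, src, _dst, dport, _proto in records:
        if dport == port:
            counts[hour] += 1
            sources[hour].add(src)
    return dict(counts), {h: len(s) for h, s in sources.items()}


def find_spikes(counts, sigma=3.0, ratio=3.0):
    """Flag hours whose count exceeds mean + sigma*stdev AND ratio*mean of the other hours.

    The baseline is every other hour (leave-one-out), so a single spike does not
    inflate its own threshold.  Both conditions are required so that a tiny
    baseline variance cannot turn a one-hit difference into an alert.
    """
    spikes = []
    for hour in sorted(counts):
        baseline = [c for h, c in counts.items() if h != hour]
        if len(baseline) < 3:          # too little history to call anything a spike
            continue
        mu, sd = mean(baseline), pstdev(baseline)
        if counts[hour] > mu + sigma * sd and counts[hour] > ratio * mu:
            spikes.append((hour, counts[hour], round(mu, 2)))
    return spikes


def analyze(log_text=SAMPLE_LOG, port=53):
    """Return [(hour, hits, distinct_sources, baseline_mean)] for spiking hours."""
    counts, distinct = hourly_counts(parse(log_text), port)
    return [(h, c, distinct[h], mu) for h, c, mu in find_spikes(counts)]


if __name__ == "__main__":
    for hour, hits, srcs, mu in analyze():
        print(f"{hour}: {hits} hits to port 53 from {srcs} sources (baseline mean {mu})")
```

The distinct-source count is reported alongside the hit count because a jump driven by many unrelated sources, which is what a spreading worm looks like from a geographically diverse sensor network, deserves more attention than the same number of hits from one noisy scanner.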
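Added example for the "Web 2.0 as an attack tool" slide, written for this page and not code from MySpace, from the talk, or from the worm: the Samy vulnerability was that profile text containing a <SCRIPT> element was stored and later rendered as live markup. The block puts the vulnerable rendering beside the hardened one (HTML-escaping user text so the browser treats it as data), and shows why a blocklist that strips the literal string "<script>" is not a fix. The profile field, the placeholder script URL and the detection regex are constructed for the illustration.

```python
import html
import re

# Constructed profile text carrying a script element (placeholder URL, not the worm).
HOSTILE_ABOUT_ME = 'I love cats <SCRIPT src="https://example.invalid/w.js"></SCRIPT>'

# Matches the start of a script element in any letter case, with optional whitespace
# after "<"; used only to check rendered output in this illustration.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_profile_unsafe(display_name, about_me):
    """Vulnerable: user-controlled text is concatenated straight into the page markup."""
    return f'<h1>{display_name}</h1><div class="about">{about_me}</div>'


def naive_strip_filter(text):
    """A blocklist 'fix' that removes the exact lowercase string "<script>" and nothing else."""
    return text.replace("<script>", "")


def render_profile_safe(display_name, about_me):
    """Hardened: escape &, <, >, and quotes so the text can never open a new element."""
    return (f"<h1>{html.escape(display_name)}</h1>"
            f'<div class="about">{html.escape(about_me)}</div>')


def contains_active_script(markup):
    """True if the rendered markup still contains a script element the browser would run."""
    return bool(SCRIPT_TAG.search(markup))


if __name__ == "__main__":
    print("unsafe :", render_profile_unsafe("samy", HOSTILE_ABOUT_ME))
    print("filter :", render_profile_unsafe("samy", naive_strip_filter(HOSTILE_ABOUT_ME)))
    print("safe   :", render_profile_safe("samy", HOSTILE_ABOUT_ME))
```

The escaped version keeps the user's words visible on the page (the browser shows the literal characters "<SCRIPT ...>") while guaranteeing they are never parsed as markup; that is the property a stored-XSS fix needs, and the blocklist does not have it because it keys on one spelling of an element the parser accepts in many.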
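Added example for the DNS re-binding slide ("Abusing Javascript Restrictions (continued)"), written for this page and not taken from any browser or resolver: it models the two mitigations the slide names, pinning a name to an address for a period of time regardless of what later answers say, and refusing to move a name from a non-RFC 1918 address to an RFC 1918 one. The host names, addresses, the one-hour pin window and the injected clock are assumptions constructed for the illustration; real browsers implement pinning with their own rules.

```python
import ipaddress

# The private ranges the slide refers to (RFC 1918), checked explicitly rather than
# via ipaddress's is_private so loopback and link-local are not swept in by accident.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip_text):
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in RFC1918)


class RebindingBlocked(Exception):
    """Raised when an answer would move a public name onto an internal address."""


class PinningResolver:
    """Client-side resolver cache applying the slide's two mitigations."""

    def __init__(self, pin_seconds=3600):      # one-hour window is an assumption
        self.pin_seconds = pin_seconds
        self._pins = {}                        # name -> (ip, pin_expiry)

    def resolve(self, name, answer_ip, now):
        """Decide which address the browser should use for `name`.

        `answer_ip` is what the (possibly attacker-controlled) authoritative server
        just returned; its TTL is deliberately ignored, which is the whole point of
        pinning.  `now` is the clock in seconds, passed in so the scenario is testable.
        Returns (ip, reason) or raises RebindingBlocked.
        """
        pinned = self._pins.get(name)
        if pinned is not None:
            ip, expiry = pinned
            if now < expiry:
                # Mitigation 1: inside the pin window the first answer wins, so a
                # short-TTL switch to another address does not change "same origin".
                return ip, "pinned"
            if not is_rfc1918(ip) and is_rfc1918(answer_ip):
                # Mitigation 2: even after the window, a public name may not be
                # re-bound to an internal address (the "attack behind a firewall" case).
                raise RebindingBlocked(f"{name}: {ip} -> {answer_ip} refused")
        # First sighting, or a permitted change (e.g. CDN rotating public addresses):
        # accept and start a new pin window.
        self._pins[name] = (answer_ip, now + self.pin_seconds)
        return answer_ip, "fresh"


def run_scenario():
    """Constructed sequence of answers; returns the resolver's decision for each."""
    r = PinningResolver(pin_seconds=3600)
    out = []
    out.append(r.resolve("rebind.example.invalid", "203.0.113.10", now=0))      # public, accepted
    out.append(r.resolve("rebind.example.invalid", "192.168.1.20", now=1))      # ignored: still pinned
    try:
        r.resolve("rebind.example.invalid", "192.168.1.20", now=4000)           # window expired
        out.append("allowed")
    except RebindingBlocked:
        out.append("blocked")                                                   # public -> private refused
    out.append(r.resolve("rebind.example.invalid", "203.0.113.11", now=4000))   # public -> public fine
    out.append(r.resolve("intranet.corp.invalid", "10.1.2.3", now=4000))        # first answer private: fine
    return out


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The fourth step is the cost the slide alludes to: a name that legitimately rotates between public addresses (an "Akamaized" site) is held on its first address for the whole pin window, so the window length is a trade-off between how long an attacker's first answer stays authoritative and how long a CDN's change is ignored.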