
Zombie or not to be: Through the meshes of Botnets - Guillaume Lovet



Presentation Transcript


  1. Zombie or not to be: Through the meshes of Botnets - Guillaume Lovet

  2. Agenda
  • Presentation objectives
  • Introduction: a quick overview of Botnets
  • Attack scenarios
  • Protecting from Botnets
  • Q&A

  3. Presentation objectives
  • Identify the threats that Botnets currently pose to companies, and recognize what to expect in the near future
  • Generate consistent and effective security policies to protect against Botnets, from inside and outside the corporate network

  4. Introduction
  • A Botnet is a network of trojanized computers, reporting to and commanded via a Master Server
  • Botnets have existed for years
  • Recent rise in their activity
  • High deleterious potential and obvious financial value
  => Botnets are the number 1 Internet security threat today

  5. Threats posed by botnets
  • Critical data compromise
  • Proxying (attacks, spam, phishing)
  • Hosting of illegal content
  • Seeding new malware
  • Distributed denial of service

  6. Scenario 1: The worm in the fruit
  • Multiple infection vectors for bots to intrude into the corporate network:
    • Typical: email, web page, IM systems
    • Bypassing gateways: CD (cf. W32/YsRailee.A-tr), laptops (cf. W32/Dumador.DH)
  • Once a bot is inside:
    • Connect back to the master server
    • Receive the order to spread inside the corporate network
    • Exfiltrate critical data
  Conclusion: strong firewall policies and AV/IPS systems at the edge of the network are not enough

  7. Scenario 2: The Cyberterrorist strike
  • Botnets are a perfect base from which to launch Distributed Denial of Service attacks
  • Effectively protecting against DDoS is not trivial
  • Companies that offer online services lose massive amounts of money if DDoSed (e.g. eBay)
  • Blackmail & racket
  • Ransom is officially booked as "security consulting costs"
  Conclusion: the Botnet problem must be dealt with at its roots; it is a bit of everyone's responsibility

  8. One possible future scenario: the double-strike seed
  • Factors that make a worldwide virus outbreak successful:
    • Size of the seeding vector
    • Length of the "opportunity window" (the time before AV signatures reach the victims)
  • Botnet A seeds: the new malware is mass-mailed
  • Botnet B extends the opportunity window: it DDoSes the update servers of AV vendors
  Conclusion: tight update policies are not enough

  9. Protecting from Botnets
  • Some security policies eradicate or mitigate the impact of Botnets on the company's resources
  • Protection must be twofold
    • From the "inside", to be immune to:
      • Data exfiltration
      • Being a vector of cyber-criminal activities (the roots of the problem)
    • From the "outside", to be immune to:
      • Intrusion
      • DoS attacks

  10. Protecting from bots inside the corporate network, Pt I: Security 101
  • Use appropriate and consistent firewall rules
    • Goal: cut communication to the master server
    • Default rule for both inbound and outbound connections: Deny
    • Allow only the services that are needed for outbound connections (e.g. HTTP, SMTP, SSH)
    • Enforce the use of an HTTP proxy, so that port 80 is closed for users
  • This will not always be sufficient, because bot/master protocols are expected to diversify: e.g. W32/Dumador.DH is a "full HTTP" bot, whose command traffic is plain HTTP and is therefore not stopped by a port-based policy
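The policy on slide 10, written out as a reviewable iptables script for a Linux gateway. This is an added example, not code from the presentation or from Fortinet: the subnet and host addresses, the proxy port 3128 and the rule names are assumptions for illustration. LAN traffic crosses the gateway's FORWARD chain, so the default-deny and the per-service exceptions live there; the weak distribution default is shown in a comment beside the corrected policy.

```shell
#!/bin/sh
# Added example, not from the slides: an egress policy for a Linux gateway in
# the spirit of slide 10. LAN traffic crosses the FORWARD chain, so that is
# where the default-deny and the per-service exceptions go.
# All addresses below are assumptions for the example.
LAN=10.0.0.0/24          # workstation subnet
PROXY=10.0.0.2           # the only host allowed to talk HTTP/HTTPS outbound
MAILRELAY=10.0.0.3       # the only host allowed to talk SMTP outbound
RESOLVER=10.0.0.1        # internal DNS resolver (where a sinkhole can be enforced)
ADMIN_NET=10.0.0.0/29    # hosts allowed outbound SSH

# Emit the rules as text so they can be read and diffed before being applied.
egress_policy() {
    cat <<EOF
# Weak default shipped by most distributions: everything may leave the network.
#   iptables -P FORWARD ACCEPT
# Corrected: deny by default in both directions, then open only what is needed.
# (INPUT rules for managing the gateway itself are out of scope here.)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Users reach the web only through the proxy; ports 80/443 are closed for them.
iptables -A FORWARD -s $LAN -d $PROXY -p tcp --dport 3128 -j ACCEPT
iptables -A FORWARD -s $PROXY -p tcp -m multiport --dports 80,443 -j ACCEPT
# Only the relay speaks SMTP outbound: a bot on a workstation cannot spam direct-to-MX.
iptables -A FORWARD -s $MAILRELAY -p tcp --dport 25 -j ACCEPT
# Outbound SSH for the admin subnet only.
iptables -A FORWARD -s $ADMIN_NET -p tcp --dport 22 -j ACCEPT
# DNS only to the internal resolver, so bots cannot bypass it with their own server.
iptables -A FORWARD -s $LAN -d $RESOLVER -p udp --dport 53 -j ACCEPT
# Everything else is dropped by policy; log it, because a workstation trying
# port 6667 or an unknown port is exactly what a bot calling home looks like.
iptables -A FORWARD -s $LAN -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DENY: "
EOF
}

# Print the policy by default; apply it only on explicit request, as root.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = 0 ]; then
    egress_policy | grep -v '^#' | sh -e
else
    egress_policy
fi
```

Run it without arguments to review the rules, then `sh egress.sh --apply` as root. The LOG rule at the end is the cheap detection that falls out of a default-deny policy: any workstation hitting it is either misconfigured or calling home.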

  11.–13. Alternate Master/Slave communication channel (three diagram slides)

  14. Protecting from bots inside the corporate network, Pt II: Spot 'em
  • Is my network hosting bots?
  • Sniff outbound traffic on the gateway for keywords used in bot/master communications:
    • .login
    • .scan
    • .status
    • .sysinfo
  • Set up a DNS redirection to an in-house honeypot (or sinkhole) for blacklisted bot master servers => unveils the infected hosts
  • Proposed: a public Real-Time Sinkhole List (RSL) server of bot master domains, to keep those DNS records updated
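Both checks from slide 14 as gateway-side shell functions. This is an added example, not code from the presentation: the captured payload lines and the dnsmasq query log are constructed for the example, and the sinkhole address is an assumption. The keyword match deliberately requires the command word to stand alone, because a naive `grep .status` also fires on `/status.php`.

```shell
#!/bin/sh
# Added example, not from the slides: two gateway-side checks for "is my network
# hosting bots?" following slide 14. The captured lines and the DNS log below
# are constructed for the example; the sinkhole address is an assumption.

# 1) Keyword sniffing. IRC-style bots take commands such as ".login", ".scan",
#    ".status", ".sysinfo" in cleartext, so they can be spotted in outbound
#    traffic. Input lines: "<src_ip> <dst_ip>:<port> <payload>" (e.g. from a
#    sniffer on the gateway). The keyword must stand alone as a command word:
#    "GET /status.php" or a URL containing ".login" must not trigger.
BOT_CMDS='(^|[[:space:]:])\.(login|scan|status|sysinfo)([[:space:]]|$)'

spot_by_keyword() {
    # stdin: captured lines; stdout: distinct internal hosts issuing bot commands
    grep -E "$BOT_CMDS" | awk '{ print $1 }' | sort -u
}

# 2) DNS sinkhole. Resolve blacklisted master names to an in-house honeypot;
#    the hosts that then query (and connect to) the honeypot are the infected ones.
SINKHOLE=10.0.0.250   # honeypot / sinkhole address (assumption)

sinkhole_config() {
    # stdin: one blacklisted master domain per line (comments and blanks ignored)
    # stdout: dnsmasq "address=" lines that answer the sinkhole IP for the domain
    #         and all of its subdomains
    sed -e '/^#/d' -e '/^[[:space:]]*$/d' -e "s|^.*\$|address=/&/$SINKHOLE|"
}

spot_by_sinkhole() {
    # $1: space-separated blacklisted domains; stdin: dnsmasq query log
    # (log-queries enabled); stdout: distinct hosts that looked up a blacklisted
    # name or any of its subdomains
    awk -v list="$1" '
        BEGIN { n = split(list, bad, " ") }
        /query\[A\]/ {
            name = $(NF-2); host = $NF
            for (i = 1; i <= n; i++) {
                b = bad[i]
                if (name == b || substr(name, length(name) - length(b)) == "." b)
                    print host
            }
        }' | sort -u
}

# Constructed sample data: two bots on an IRC channel, one innocent web client.
sample_capture() {
    cat <<'EOF'
10.0.0.17 203.0.113.5:6667 PRIVMSG #bots :.login s3cr3t
10.0.0.17 203.0.113.5:6667 PRIVMSG #bots :.scan 10.0.0.0/24 445
10.0.0.23 203.0.113.5:6667 PRIVMSG #bots :.sysinfo
10.0.0.31 198.51.100.9:80 GET /status.php HTTP/1.1
10.0.0.31 198.51.100.9:80 GET /app?next=.login HTTP/1.1
EOF
}

# Constructed dnsmasq query log: two hosts resolve the blacklisted master
# (one via a subdomain), one looks up a legitimate site, one a look-alike name.
sample_dns_log() {
    cat <<'EOF'
Apr  3 10:12:01 gw dnsmasq[742]: query[A] irc.badmaster.example from 10.0.0.17
Apr  3 10:12:01 gw dnsmasq[742]: config irc.badmaster.example is 10.0.0.250
Apr  3 10:12:05 gw dnsmasq[742]: query[A] www.example.org from 10.0.0.31
Apr  3 10:12:09 gw dnsmasq[742]: query[A] badmaster.example from 10.0.0.42
Apr  3 10:12:11 gw dnsmasq[742]: query[A] notbadmaster.example from 10.0.0.50
EOF
}

echo "dnsmasq sinkhole line:"
printf 'badmaster.example\n' | sinkhole_config
echo "hosts issuing bot commands:"
sample_capture | spot_by_keyword
echo "hosts resolving blacklisted masters:"
sample_dns_log | spot_by_sinkhole "badmaster.example"
```

In production the capture comes from a sniffer on the gateway's outside interface and the DNS log from the internal resolver; the two lists should be cross-checked, since the keyword match catches only cleartext IRC-style bots while the sinkhole catches anything that resolves a known master name, whatever protocol it speaks afterwards.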

  15. Protecting from bots outside the corporate network
  • Sums up to protecting against known types of attacks, bots being only a vector for them:
    • DDoS: some products exist, but not much can be done against an attack performed by a large botnet. Note that reactive IPS technologies can backfire on their users
    • Spam: anti-spam & RBL
    • Phishing: AV integrated into email gateways
    • Malware mass-mailing: "push update" AV technology (cf. MyTob's case) combined with a 0-hour detection solution

  16. Questions? Contact: glovet@fortinet.com