
Security Trends

Security Trends. Erik G. Mettala, Ph.D., Vice President, McAfee Research. Outline: attack trends, vulnerability trends, today's defensive posture, defensive trends. Attack trends: network incidents are increasing (source: CMU Computer Emergency Response Team, last updated January 22, 2004).


Presentation Transcript


  1. Security Trends Erik G. Mettala, Ph.D., Vice President, McAfee Research

  2. Outline • Attack trends • Vulnerability trends • Today’s defensive posture • Defensive trends

  3. Attack Trends

  4. Network Incidents are Increasing Source: CMU Computer Emergency Response Team Last updated January 22, 2004

  5. Discovered Virus Threats Per Day Source: McAfee AVERT

  6. Machines Infected per Hour at Peak Source: McAfee AVERT

  7. The Speed Of Attacks Accelerates – SQL Slammer: • Blended threat that exploits a known vulnerability • Payload was a single 404-byte UDP packet • Doubled every 8.5 seconds • Achieved full scanning rate (over 55 million scans per second) after approximately 3 minutes • Infected 90% of vulnerable hosts worldwide within 10 minutes
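The slide's Slammer figures worked through as an added example (not code from the deck or from McAfee): the quoted 8.5-second doubling is placed in a logistic SI-epidemic curve, a standard model assumed here rather than stated on the slide, with a constructed 75,000-host vulnerable population, to show how pure doubling, time to saturation and aggregate scan rate relate.

```python
import math

# Figures quoted on the slide for SQL Slammer.
DOUBLING_SECONDS = 8.5            # "Doubled every 8.5 seconds"
FULL_SCAN_RATE = 55_000_000       # "over 55 million scans per second" once saturated

# Assumed modelling input, not on the slide: the number of hosts the worm could reach
# (a constructed round figure; treat it as a parameter).
VULNERABLE_HOSTS = 75_000


def growth_rate(doubling_seconds=DOUBLING_SECONDS):
    """Continuous rate r with i0 * 2**(t / doubling) == i0 * exp(r * t)."""
    return math.log(2) / doubling_seconds


def unconstrained_infected(t, i0=1, doubling_seconds=DOUBLING_SECONDS):
    """Pure doubling, as if every scan found a fresh host; shows why saturation must bite."""
    return i0 * 2 ** (t / doubling_seconds)


def infected_at(t, vulnerable=VULNERABLE_HOSTS, i0=1, doubling_seconds=DOUBLING_SECONDS):
    """Logistic (SI epidemic) model: doubles every 8.5 s early on, then flattens as
    random scans increasingly hit hosts that are already infected."""
    r = growth_rate(doubling_seconds)
    return vulnerable / (1 + (vulnerable / i0 - 1) * math.exp(-r * t))


def seconds_to_fraction(fraction, vulnerable=VULNERABLE_HOSTS, i0=1,
                        doubling_seconds=DOUBLING_SECONDS):
    """Invert infected_at: seconds until `fraction` of the vulnerable hosts are infected."""
    r = growth_rate(doubling_seconds)
    return math.log((vulnerable / i0 - 1) * fraction / (1 - fraction)) / r


def aggregate_scan_rate(t):
    """Scans per second from all infected hosts, assuming each host scans at a constant
    rate and the slide's 55 M/s is the rate with the whole population infected."""
    return FULL_SCAN_RATE * infected_at(t) / VULNERABLE_HOSTS


if __name__ == "__main__":
    print(f"doublings that fit in 10 minutes: {600 / DOUBLING_SECONDS:.1f}")
    print(f"unconstrained count after 10 minutes: {unconstrained_infected(600):.3g}")
    for minutes in (1, 2, 3, 5, 10):
        t = minutes * 60
        print(f"{minutes:>2} min: {infected_at(t):>8.0f} infected, "
              f"{aggregate_scan_rate(t) / 1e6:6.1f} M scans/s")
    print(f"90% of hosts infected after {seconds_to_fraction(0.9) / 60:.1f} minutes")
```

With these inputs the curve reaches 90% of the population in under three minutes, consistent with the slide's "full scanning rate after approximately 3 minutes"; the unconstrained doubling count for ten minutes (about 70 doublings) shows that the size of the vulnerable population, not the doubling time, is what bounds the outbreak.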

  8. Intrusion Attack Trends • McAfee AVERT • CMU CERT

  9. Phishing Attack Trends

  10. Incident Response Cost is Increasing In billions [1] Blaster cost includes the cost of the near simultaneous Sobig.F virus Source: NetWorm.org

  11. Threat Evolution: Malicious Code [Chart: time available for response (seconds, minutes, hours, days, weeks or months) against era (early 1990s, mid 1990s, late 1990s, 2000, 2003)] • Boot and Com infectors, file viruses, macro viruses, e-mail worms, blended threats: human response possible • "Warhol" threats: human response difficult or impossible, automated response possible • "Flash" threats, i.e., Sasser: human response impossible, automated response unlikely, proactive blocking possible • Beyond Sasser: human response impossible; automated response required, i.e., automated remediation and automated attribution

  12. Threat Impact on Emerging Targets [Chart: a matrix of target classes (Internet backbone/broadband, physical infrastructure/SCADA, wireless infrastructure, Web services) against threat classes (targeted hacking, blended threats, Warhol and zero-day threats, flash and zero-day threats). Cell entries range from data theft/corruption, account theft/corruption and DoS against targeted infrastructures, through short-term or localized Internet disruption, disruption of individual networks and of internetworked SCADA, to major disruption of multiple networks and of B2B services with sector-level impact, and global Internet disruption with impact on power, communications, hydro and other infrastructure.]

  13. Types of Attacks – Types of Defense • Virus – Anti-Virus • Spam – Anti-Spam • Worm – Anti-Virus • DDoS – DDoS Defense • Host Intrusion – Host Intrusion Prevention • Network Intrusion – Network Intrusion Prevention • Phishing – Anti-Phishing

  14. Virus • What is a Virus? A virus is a manmade program or piece of code that causes an unexpected, usually negative, event. Viruses are often disguised as games or images with clever marketing titles such as "Me, nude." • Viruses propagate through e-mail attachments, by automatic sending to e-mail lists, or through direct propagation techniques • Basic anatomy: propagation; payload • Types: file infecting; metamorphic; polymorphic; memory resident; Exe, Scr, Vb, …; gateway jumping

  15. Spam • What is Spam? Unsolicited "junk" e-mail sent to large numbers of people to promote products or services. • Also refers to inappropriate promotional or commercial postings to discussion groups or bulletin boards. • Types: • Malicious spam: email with adult content, violence, security threats, etc. • Advertising spam: email from legitimate organizations generally trying to sell something, e.g. Amazon.com • Friendly spam: email jokes, chain letters, humorous URL links, etc.

  16. Worm • What is a Worm? Computer worms are viruses that reside in the active memory of a computer and duplicate themselves. They may send copies of themselves to other computers, such as through email or Internet Relay Chat (IRC). • Basic anatomy: payload, transport • Types: • Zero day • Email, mass mailing • Memory resident

  17. Trojan Horse • What is a Trojan Horse? A Trojan horse program is a malicious program that pretends to be a benign application; a Trojan horse program purposefully does something the user does not expect. Trojans are not viruses since they do not replicate, but Trojan horse programs can be just as destructive. • Many people use the term to refer only to non-replicating malicious programs, thus making a distinction between Trojans and viruses. • Types: • Root kits • Backdoors • Wooden horses

  18. Network Intrusion • What is a Network Intrusion? A network or system attack from someone attempting to break into or compromise a system. Exploits vulnerabilities in the implementation of network protocols. • Types: targeted; mass infector; port probes; DNS spoof; PC Anywhere pings; TCP OS fingerprint • Shared systems & networks – ??? • Home LANs, hotels, airports, etc.

  19. Host Intrusion • What is a Host Intrusion? A host intrusion is an attack that typically involves several related mechanisms that allow an outside, unauthorized user to gain access to your computer, whether a server or desktop. Once access is gained, the outsider has access to all information and services that are otherwise provided to authorized users or system administrators. • Typical exploits involve identity theft, credit card theft, theft of intellectual property • Types: • Encrypted attacks (SSL, VPN) • Buffer overflow • Operating system service exploitation • Web server exploits • Database server exploits

  20. Phishing • What is Phishing? Phishing attacks use 'spoofed' e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc. By hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince up to 5% of recipients to respond to them.

  21. Way back in the Summer of ‘03 • First successful execution or network release of a flash virus (SQL Slammer) • Realized a propagation mechanism that had been conjectured in research • Visible compression of the time between vulnerability announcement and exploit release • Systematic cooperative exploitation of the initial attack

  22. Timeline: W32/LovSan.worm & W32/Nachi.worm [Chart: events dated Jul 16, Jul 25, Jul 29, Jul 31, Aug 2, Aug 11 and Aug 18, 2003] • Jul 16: Vulnerability discovered in DCOM RPC; Microsoft posts MS03-026 (RPCSS) • Jul 25: X focus (Chinese hacking group) forwards attack source code to public security lists • Late July to early August: IRC-BBot remote access Trojan uses the RPC vulnerability; Downloader-DM Trojan gets media attention; unconfirmed incident of the RPC exploit being used to execute a NET SEND spam attack • Aug 11: Lovsan worm • Aug 18: Nachi worm and Lovsan Killer

  23. Summer of ’04 (Cicada) • Dominated by Bagle, NetSky, and MyDoom viruses • Three groups involved: Russians, Germans, and Polish • Hacker feeding frenzy

  24. War for Bragging Rights, Fueled by Vulnerability Bulletins [Chart: Bagle.A, MyDoom.A and NetSky.A, each following a vulnerability bulletin]

  25. War Continues – Only Modified By Release of New Vulnerability Bulletin [Chart: releases of Bagle.A through Bagle.Q, MyDoom.A through MyDoom.Q, NetSky.A through NetSky.Q and Sasser.A plotted between Aug 20, Jan 18 and Apr 13, with unattributed variants marked "?"; bulletins marked on the timeline: Microsoft Security Bulletin MS03-032 and Microsoft Security Bulletin MS04-011]

  26. Internet Storm Centre: Top attacked ports, 13th August 2003

  27. Internet Storm Centre: Port 135 traffic over the last 40 days (8/18/03)

  28. Blended Threats • A blended threat is a security attack or threat that uses multiple methods and techniques to propagate an attack • Combine hacking, DoS, and worm-like propagation • Can rapidly compromise millions of machines • Often spread without human interaction • Require multiple layers of protection and response to neutralize

  29. Blended Threat Types • Exploit software vulnerabilities • Email virus • Network virus/worm • Backdoors • Instant Messenger virus • Attack security software • Trojan horses • Network shares • Other digital data threats

  30. Intrusion Threats [Diagram] • Bandwidth or flood attacks: ICMP echo request flood; ICMP echo reply flood; UDP flood; TCP data segment flood; TCP SYN/RST flood; TCP SYN floods; TCP, UDP, ICMP floods • Protocol attacks: misuse of protocols; misuse of service ports; protocol tunneling; SYN flood • Logic attacks: Land attack; Ping of Death; Teardrop; DoS based on crafted payloads • Buffer overflows • Backdoor intrusions • Low-bandwidth DoS/DDoS attacks

  31. General Threat Evolution [Chart: severity over time, 1990s to 2005] • 1990s: 1st generation viruses; individual DoS; web defacement • 2000: e-mail worms; DDoS; credit hacking; blended threats; limited Warhol threats; worm-driven DDoS; national credit hacking; infrastructure hacking • 2005 (projected): flash threats? massive worm-driven DDoS? critical infrastructure attacks? • At the top of the scale: attacks that significantly shake confidence in the Internet, i.e., phishing and cyber terror attacks

  32. Vulnerability Trends

  33. Application Vulnerabilities are Increasing Source: CMU Computer Emergency Response Team Last updated January 22, 2004

  34. Vulnerability Half-life: For a critical vulnerability, every 30 days the number of vulnerable systems is reduced by 50% Source: www.Qualsys.com Last updated May 7, 2004

  35. Vulnerability Lifespan: The lifespan of some vulnerabilities is unlimited Source: www.Qualsys.com Last updated May 7, 2004

  36. SQL Slammer Vulnerability [Chart: count of systems still vulnerable, Feb to Jun 2003]

  37. Vulnerability Timeline Time from Release to Attack What if Hackers had automated virus generators? 1990s 2003 2004 2005 Source: McAfee Research Last updated May 7, 2004

  38. Message on Vulnerabilities • Once a vulnerability is discovered • It rarely, if ever, goes away • The vulnerable population decreases over time • But remains a vector for propagation of new attacks • Time from vulnerability identification to exploit is decreasing • Systematic? Or a coincidental side effect of the web? • Secure software? • Unlikely given commercial pressures to perform

  39. Today’s Defensive Posture

  40. Defensive Posture • Vulnerability Scanning • Patch Application • Security Policy & Enforcement • Anti-Virus • Anti-Spam • Anti-Phishing • Host Intrusion Prevention • Network Intrusion Prevention

  41. Anti-Virus Posture • Many anti-virus tools available • Can’t be on the net without one • Over 80,000 known viruses • Approximately 20,000 in the wild • Far more in the zoo • Key issue is support • Time from virus release to virus signature update publication

  42. Anti-Spam Posture • Integrity analysis • Heuristics • Content filtering • Black lists • White lists • Bayesian filtering • Hybrid Approaches • Key issue is support

  43. Anti-Phishing Posture • Phishing attacks first categorized in November 2003: 7 in the first week, 262 last month • Phishing emails, like spam, can be identified and filtered out of inbound email to stop employees from receiving them. • Response mechanisms are currently under development

  44. Intrusion Protection Posture [Diagram] • Intrusion detection: signature-based detection (stateful signature detection; real-time signature updates; user-defined signatures); anomaly-based detection (statistical anomalies; protocol anomalies; application anomalies); buffer overflow detection • Intrusion identification: protocol discovery; protocol tunneling • Intrusion direction: insider threat • Intrusion relevancy: selective blocking • Intrusion impact assessment: verification of attack success and impact • Intrusion forensics: capture and analysis, in-process and post-attack

  45. Defensive Trends

  46. Evolving Security Capabilities – Defensive Trends [Diagram: host intrusion prevention, network intrusion prevention, wireless intrusion prevention, malicious code defense, security policy & management, and high performance assurance & forensics, arranged around a core of threats, attacks, vulnerabilities & architectures]

  47. Evolving Security Capabilities – Host Intrusion Prevention • Host intrusion prevention • Trusted computing platforms • BSD; Linux; Darwin; OS-X • Behavior blocking • Intrusion prediction • Impact assessment, recovery & remediation, and incident management

  48. Evolving Security Capabilities – Network Intrusion Prevention • Network intrusion prevention • Intrusion prediction • Intrusion response & recovery • Forensic traceback and source identification • Scalable, coordinated intrusion management mechanisms • Distributed DDoS protection • Intrusion detection for mobile ad-hoc networks (MANETs)

  49. Evolving Security Capabilities – Wireless Intrusion Prevention [Diagram: GSM base station subsystem (BSS) with a BSC connected over the A-bis interface to several BTSs] • Wireless intrusion prevention • Wireless privacy: crypto techniques for the wireless physical & link layers • Wireless intrusion detection: device, access point • Wireless firewall solutions • Wireless intrusion response • Low bandwidth protocols and low energy techniques • Efficient key management

  50. Evolving Security Capabilities – Malicious Code Defense • Malicious code defense • Anti-phishing solutions • Malicious code detection; zero-day worm protection; malware technology & trends; static and dynamic malware analysis • Intrusion tolerance & self-regeneration; self-protecting data technologies • Spam detection & blocking
