APRICOT 2015 Security Day Cooperation between Security Teams and Network Operators: Actionable Intelligence on ShellShock Arnold S. Yoon Information Security.

Presentation transcript:

Slide 1: APRICOT 2015 Security Day
Cooperation between Security Teams and Network Operators: Actionable Intelligence on ShellShock
Arnold S. Yoon, Information Security Research Consultant, Counter Threat Unit (CTU)

Slide 2: Agenda
Dell - Internal Use - Confidential. Classification: //Dell SecureWorks/Confidential - Limited External Distribution
Cooperation between NW Operators and Security Teams
Vulnerability Handling
  – Traditional questions
Challenges and Gaps
ShellShock example
  – Enrichment of OSINT
Conclusion: Actionable intelligence

Slide 3: Traditional Cooperation Model/Cases Between N/W Operators and Security Teams
Identify a stakeholder
  – Where does this hostile resource (IP/Domain) belong to?
  – Who is the attacker?
  – Overload or side work for N/W operations
Vulnerability on N/W appliances
  – H/W and S/W
  – Management console (software)
N/W protocol based vulnerability
  – POODLE (SSL v3)
DDoS attack
  – NTP, DNS reflective amplification attack

Slide 4: Traditional questions on a vulnerability
Both for Security Teams and Network Operators
  – For all stakeholders
Questions
  – What is the technical detail of the new vulnerability?
  – Does a technical mitigation or resolution exist?
    › Zero-day vulnerability
    › Mitigation plan
  – What and who is impacted?
    › Impacted products (hardware / software)
    › Scope of impact in constituency
  – Is there a (successful) exploit / incident case?
    › Exploit activity
    › Malware or tools associated
  – Alternative mitigation plan?
    › Disable service
    › Actionable intelligence
The CVSS (Common Vulnerability Scoring System) framework is widely adopted to address these questions.

Slide 5: Challenges and Gaps
Security Teams
  – Vendor dependent
  – Lack of information
    › Identify the stakeholder
  – Deliverables
    › Vuln. advisory
    › Link to patches
    › Indicators
Network Operators
  – Legal issues
    › Client information disclosure
  – Additional workload
  – Mitigation plan
    › Implementing patches on production N/W
  – Lack of content for indicators
  – Perception of N/W availability

Slide 6: Change in Threat Landscape
N/W providers' involvement in IT services increases
  – Outsourced N/W service, including security
  – Cloud computing (data centers)
N/W admins are often targeted as an initial attack vector

Slide 7: What is ShellShock
Shellshock, also known as Bashdoor, is a family of security bugs[2] in the widely used Unix Bash shell, the first of which was disclosed on 24 September. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system. Attackers exploited Shellshock within hours of the initial disclosure by creating botnets of compromised computers to perform distributed denial-of-service attacks and vulnerability scanning.
Reference:
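As an added illustration (not part of the talk), the following Python scans constructed web-server access-log lines for the Bash function-definition marker that ShellShock probes carry in HTTP headers, and reduces the hits to the source-IP indicators a network operator can act on; the combined log format, field names and sample lines are my assumptions.

```python
import re

# Apache/nginx "combined" access-log format (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Vulnerable Bash imported any environment variable whose value began with
# "() {" as a function definition and kept executing whatever followed the
# closing brace. CGI copies request headers into the environment, so that
# marker inside a header is what to alert on; matching looser than Bash's
# exact "() {" prefix check also logs sloppy probe variants.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan(lines):
    """One finding per line whose request, Referer or User-Agent carries the marker."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = [f for f in ("req", "referer", "ua") if SHELLSHOCK_RE.search(rec[f])]
        if hit:
            # A 200 here only means the CGI answered, not that the payload ran.
            findings.append({"ip": rec["ip"], "fields": ",".join(hit),
                             "status": rec["status"]})
    return findings

def indicators(findings):
    """Deduplicated source IPs: the minimum a network operator can act on."""
    return sorted({f["ip"] for f in findings})

# Constructed sample (documentation-range addresses): two probes, two benign hits.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:03:14:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo constructed-probe"',
    '198.51.100.7 - - [25/Sep/2014:03:15:20 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; /bin/true" "curl/7.38.0"',
    '192.0.2.10 - - [25/Sep/2014:03:16:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"',
    '192.0.2.11 - - [25/Sep/2014:03:16:09 +0000] "GET /api?q={} HTTP/1.1" 404 128 "-" "python-requests/2.4.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print("indicators for the network team:", indicators(scan(SAMPLE_LOG)))
```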

Slide 8: Enrichment of OSINT
OSINT
  – List of CVEs
  – List of CPEs
  – (Malicious indicators)
Enrichment
  – Additional payload or malware
  – Association with known TG
  – Association with known malicious infrastructure
  – Passive DNS records
  – etc.
Demonstration on ShellShock investigation

Slide 9: Conclusion: Actionable Intelligence
Vulnerability advisories are not easy to digest or to act on
  – Mostly lack of content
  – Risk of blocking legitimate services
Security Teams should start to provide more details
N/W operators need to focus more on vulnerability mitigation at the N/W level, without forgetting host-based vulnerabilities
Actionable intelligence promotes coordination and a better mitigation plan in a timely manner