
12552eaf7bbee68336a19ba7d21c2748.ppt
- Number of slides: 16
Zombie or not to be: Through the meshes of Botnets - Guillaume Lovet
Agenda
• Presentation objectives
• Introduction: a quick overview of Botnets
• Attack scenarios
• Protecting from Botnets
• Q&A
Presentation objectives
• Identify the threats currently posed by Botnets company-wise, and recognize what to expect in the near future
• Generate consistent and effective security policies to protect against Botnets, from inside and outside the corporate network
Introduction
• A Botnet is a network of trojanized computers, reporting to and commanded via a Master Server.
• Botnets have existed for years
• Recent rise in their activity
• High deleterious potential and obvious financial value
Botnets are the number 1 Internet security threat today
Threats posed by botnets
• Critical data compromise
• Proxying (attacks, spam, phish)
• Hosting of illegal content
• Seeding new malware
• Distributed denial of service
Scenario 1: The worm in the fruit
• Multiple infection vectors for bots to intrude into the corporate network:
– Typical: Email, Webpage, IM systems
– Bypassing gateways: CD (cf. W32/YsRailee.A-tr), Laptops (cf. W32/Dumador.DH)
• Once a bot is inside:
– Connect back to master server
– Receive the order to spread inside the corporate network
– Exfiltrate critical data
Conclusion: strong firewall policies and AV/IPS systems at the edge of the network are not enough
Scenario 2: The Cyberterrorist strike
• Botnets are a perfect base to launch Distributed Denial of Service attacks
• Effectively protecting against DDoS is not trivial
• Companies which offer online services lose massive amounts of money if DDoSed (e.g. eBay) ⇒ Blackmail & Racket
• Ransom is officially deemed “security consulting costs”
Conclusion: The Botnets problem must be coped with at its roots – it’s a bit of everyone’s responsibility
One possible future scenario: The double-strike seed
• Factors to create a successful worldwide virus outbreak:
– Size of the seeding vector
– Length of the “Opportunity Window”
• Botnet A seeds: the new malware is mass-mailed
• Botnet B extends the opportunity window: DDoS the update servers of AV vendors
Conclusion: Tight update policies are not enough
Protecting from Botnets
• Some security policies eradicate or mitigate the impact of Botnets on the company’s resources
• Protection must be twofold
• From the “inside”, to be immune to:
– Data exfiltration
– Being a vector of cyber-criminal activities (roots of the problem)
• From the “outside”, to be immune to:
– Intrusion
– DoS attacks
Protecting from bots inside the corporate network Pt I: Security 101
• Use appropriate and consistent firewall rules
– Goal: cut communication to the master server
– Default rule for both inbound and outbound connections: Deny
– Allow only needed services for outbound connections (e.g. HTTP, SMTP, SSH)
– Enforce the use of an HTTP proxy, so that port 80 is closed for users
– Will not always be sufficient, because of an expected diversification of bot/master protocols: e.g. W32/Dumador.DH is a “full HTTP” bot
Alternate Master/Slave communication channel
Protecting from bots inside the corporate network Pt II: Spot ’em
• Is my network hosting bots?
– Sniffing outbound traffic on the gateway for keywords used in Bot/Master communications:
• .login
• .scan
• .status
• .sysinfo
– Set up a DNS redirection to an in-house honeypot (or sinkhole) for blacklisted bot master servers ⇒ unveils the infected hosts
– Bot-master RSL (Real-Time Sinkhole List): a public server project for keeping those DNS records updated
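As an added illustration of the two “Spot ’em” checks above (example code, not from the slides): a small Python detector that applies the keyword check to gateway flow records and the sinkhole check to DNS resolver log lines. The master-server names, sinkhole address and log records are constructed placeholders.

```python
import re

# Bot/master command keywords listed on the slide (typically seen in IRC-style C&C traffic).
BOT_COMMANDS = (".login", ".scan", ".status", ".sysinfo")
# Hypothetical blacklisted master-server names; the in-house DNS answers these with the sinkhole.
BLACKLISTED_MASTERS = {"irc.master-example.invalid", "update.botc2-example.invalid"}
SINKHOLE_IP = "10.0.0.250"  # constructed address of the in-house honeypot/sinkhole

# Constructed outbound flow records captured at the gateway: (src host, dst:port, payload snippet)
FLOWS = [
    ("10.1.2.3", "198.51.100.7:6667", "PRIVMSG #chan :.login s3cret"),
    ("10.1.2.3", "198.51.100.7:6667", "PRIVMSG #chan :.scan 10.1.0.0/16"),
    ("10.1.2.4", "203.0.113.9:80", "GET /index.html HTTP/1.1"),
    ("10.1.2.5", "198.51.100.7:6667", "PRIVMSG #chan :hello, status update done"),
]
# Constructed DNS resolver log: (client host, queried name, answered address)
DNS_LOG = [
    ("10.1.2.9", "irc.master-example.invalid", SINKHOLE_IP),
    ("10.1.2.4", "www.example.com", "203.0.113.10"),
    ("10.1.2.3", "update.botc2-example.invalid", SINKHOLE_IP),
]

# Match a command only when the dot starts a token ("status" inside prose must not fire).
CMD_RE = re.compile(r"(?<![\w.])(" + "|".join(re.escape(c) for c in BOT_COMMANDS) + r")\b")


def flag_by_keywords(flows):
    """Return {host: [commands]} for hosts whose outbound payload carries bot commands."""
    hits = {}
    for src, _dst, payload in flows:
        for m in CMD_RE.finditer(payload):
            hits.setdefault(src, []).append(m.group(1))
    return hits


def flag_by_sinkhole(dns_log):
    """Return the hosts that resolved a blacklisted master and were answered with the sinkhole."""
    return {client for client, name, answer in dns_log
            if name in BLACKLISTED_MASTERS and answer == SINKHOLE_IP}


def suspected_bots(flows, dns_log):
    """Combine both checks into {host: [evidence, ...]} for the incident responder."""
    report = {}
    for host, cmds in flag_by_keywords(flows).items():
        report.setdefault(host, []).append("commands: " + ", ".join(cmds))
    for host in sorted(flag_by_sinkhole(dns_log)):
        report.setdefault(host, []).append("resolved blacklisted master")
    return report


if __name__ == "__main__":
    for host, evidence in suspected_bots(FLOWS, DNS_LOG).items():
        print(host, "->", "; ".join(evidence))
```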
Protecting from bots outside the corporate network
• Amounts to protecting against known types of attacks, bots being only a vector for them:
– DDoS: Some products exist, but not much can be done against an attack performed by a large botnet. Note that reactive IPS technologies can backfire on their users
– Spam: Antispam & RBL
– Phish: AV integrated into email gateways
– Malware mass-mailing: “push update” AV technology (cf. MyTob’s case) combined with a 0-hour detection solution
Questions? Contact: glovet@fortinet.com