Managing Cloud Security Design and Implementation in a Ransomware World
2 likes709 views
The document provides an overview of managing cloud security and implementing countermeasures against ransomware. It discusses how ransomware works, the economics driving ransomware attacks, and how cloud computing has impacted the ransomware threat landscape. It then outlines recommendations for security designs like preventing initial access, stopping lateral movement, and early detection. Specific examples are provided around authentication, open ports, IP whitelisting and data encryption. The importance of processes like testing, audits and rapid remediation of vulnerabilities is also covered.
Managing Cloud Security Design and Implementation in a Ransomware World
- 1. #MDBE17 O2 Intercontinental MANAGING CLOUD SECURITY DESIGN AND IMPLEMENTATION in a Ransomware World
- 2. #MDBE17 Head of Product Security, MongoDB DAVI OTTENHEIMER @daviottenheimer
- 4. #MDBE17 WHOAMI • Graduate of London School of Economics (Go Beavers!) and ex-Resident of “the Charlton” (Go Athletics!) • 20+ years in computer security as ... flyingpenguin ‒ Investigations ‒ Operations ‒ Products ‒ Audits
- 5. BACKGROUND
- 6. #MDBE17 IGNAZ SEMMELWEIS the “Savior of Mothers” • Discovered hand washing standards can drop childbed fever from 30% to 1% • “There is one cause, all that matters is cleanliness” • Went “insane” trying to convince health care to adopt hand washing Source: http://www.pbs.org/newshour/updates/ignaz-semmelweis-doctor-prescribed-hand-washing/
- 7. #MDBE17 • Health is a Process, Not a Destination • Resource Competition (Economics) Source: http://circoutcomes.ahajournals.org/content/10/9/e003532
- 8. #MDBE17 ECONOMICS OF (DIGITAL ASSET) MINING • Mine instances generate high cost, daily losses ‒ “A better use of dollars is to buy coins instead of instance time” ‒ 1 instance per day is ~$8 cost for ~$2 in mined coin (variable) ‒ Net ~$6/day loss per instance • Externalized cost (harm transfer) changes everything ‒ Attackers launch victim instances as quickly as possible ‒ $10,000/hour cost burden for victim ‒ $2,500/hour profit to attacker Source: https://biblio.wiki/wiki/The_Diamond_Smugglers
- 9. #MDBE17 CYBER THREAT ECONOMICS • Inflation for blackmail attempts ‒ Cloud agility = DDoS more expensive ‒ Expensive race condition for pay • Deflation for ransom attempts ‒ Easier to find victims (Scan/Exploit kits) ‒ Easier to phish (Social engineering kits) ‒ Easier to encrypt (Key management kits) ‒ Easier to extort (Monetization kits)
- 10. #MDBE17 INFLATION FOR BLACKMAIL ATTEMPTS June 16, 2014
- 11. #MDBE17 INFLATION FOR BLACKMAIL ATTEMPTS
- 12. #MDBE17 CLOUD AGILITY CHANGED RISK MARKET 2016 Q4 Akamai “State of the Internet” Report: • 7 of 10 biggest (300+ Gbps) DDoS in history happened in 2016 • 3 of 10 were in 2016 Q4 “...agility single biggest reason enterprise move to cloud” “Big DDoS attacks affect some AWS customers, but chief Andy Jassy assures cloud is secure” ● DDoS targeted Dynamic Network Services (Dyn) ● Dyn one of many AWS DNS providers ● AWS services (Shield) helped, as did 3rd party tools Sources: https://www.geekwire.com/2016/big-ddos-attacks-hit-amazon-web-services-customers-jassy-assures-cloud-secure/, https://www.akamai.com/us/en/about/our-thinking/state-of-the-internet-report/
- 13. #MDBE17 CYBER THREAT MARKET HISTORY 1989 Viruses Worms Trojans 1994 Botnets Adware Spyware Rogueware 2004 For-Profit 2014 Key & Cert Management GPCODE CRYPTOLOCKERCRYPTOVIRUSAIDS CRYPTOWALL TORRENTLOCKER TESLACRYPT LOCKER LOCKY R.I.P. Tron 1998 R.I.P. Hagbard 1989 “KGB Hack” > DM 100K + drugs over 3 years > Burned to death in forest > http://phrack.org/issues/25/10.html
- 14. EXPLANATION
- 15. #MDBE17 THEREFORE 2016 RANSOMWARE! • Definition: Access used to deny others access, unless paid ransom • May 12, 2017: “45 NHS hospital groups across the country are taken offline by WannaCrypt” • Sep 27, 2017 Interpol: “Ransomware attacks have eclipsed most other global cybercrime … an increase of 750% from 2015” Sources: http://www.zdnet.com/article/hospitals-across-england-hit-by-cyber-attack-systems-knocked-offline/ https://www.europol.europa.eu/activities-services/main-reports/internet-organised-crime-threat-assessment-iocta-2017
- 16. #MDBE17 45 HOSPITAL GROUPS TAKEN OFFLINE • “...19,500 medical appointments were cancelled, computers at 600 GP surgeries were locked and five hospitals had to divert ambulances elsewhere.” • “...unsophisticated attack and could have been prevented by NHS following basic IT security best practice...NHS need to get their act together” Source: https://www.theguardian.com/technology/2017/oct/27/nhs-could-have-avoided-wannacry-hack-basic-it-security-national-audit-office You’re telling me
- 17. #MDBE17Source: https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx#enterprise JAN-JUN 2017 RANSOMWARE DISTRO
- 18. #MDBE17 HOW RANSOMWARE WORKS 1. Establish a Foothold 2. Find Assets and Encrypt 3. Extort Source: https://blogs.technet.microsoft.com/mmpc/2016/03/17/no-mas-samas-whats-in-this-ransomwares-modus-operandi/ Build Attack Server Scan to find vulns Steal and Use Login Credentials Batch deploy malware via PsExec Delete shadow files via vssadmin.exe Install Trojan:MSIL/Samas Install Ransom:MSIL/Samas
- 19. #MDBE17 1. ESTABLISH A FOOTHOLD A.Seek access route (credentialed or not) ‒ Internet facing services ‒ User devices ‒ Platforms (amazon, instagram, github, pastebin, facebook, etc.) B.Pivot and traverse to expand access to assets ‒ Gather more credentials ‒ Elevate privileges ‒ Flag valuable data North South East West Users Apps DirectoryDirectory
- 20. #MDBE17 2. FIND ASSETS AND ENCRYPT •Encrypt anything believed to be valuable to target •Destroy or encrypt backups, snapshots (prevent restores) ● Use strong algorithms (AES256) ● Use unique keys and remote management infrastructure
- 21. #MDBE17 3. EXTORT (TARGETS ARE MEANT TO FIND) “Replaced” DB Name ‒ README ‒ ReadmePlease ‒ PLEASE_READ ‒ IHAVEYOURDATA ‒ WARNING ‒ WARNING_ALERT ‒ PWNED ‒ PWNED_SECURE_YOUR_STUFF_SILLY ‒ DELETED_BECAUSE_YOU_DIDNT_PASSWORD_PROTECT_YOUR_MONGODB ‒ to_get_DB_back_send_1BTC_to_1DGztzLNz1euFswtqMDWPMWSgwthdpxRtD { "_id" : ObjectId("9854a4532b5e63f722fcc9da"), "mail" : "user@domain.com", "note" : "SEND 0.1 BTC TO THIS ADDRESS 1DGztzLNz1euFswtqMDWPMWSgwthdpxRtD AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !" } ● 0.1 BTC ● 0.15 BTC ● 0.2 BTC ● 0.25 BTC ● 0.5 BTC ● 1 BTC Source: https://docs.google.com/spreadsheets/d/1QonE9oeMOQHVh8heFIyeqrjfKEViL0poLnY8mAakKhM/edit#gid=0
- 23. DESIGN
- 24. #MDBE17 PREVENT FOOTHOLDS • Stop Initial Access ‒ Network Filtering ‒ System Hardening ‒ Human (Phish) Training • Stop Pivots ‒ Isolation and Segmentation ‒ Role Based Access • Detect Early and Often #MDBE17 attackers will fall into quickSAN ../../../../../..
- 25. #MDBE17 STOP INITIAL ACCESS Source: https://tools.ietf.org/html/rfc2904 • Network Filtering ‒ Bind to localhost by default in v3.5.8 ‒ IP Whitelisting option in v3.6 o Associate IP addresses/ranges to auth roles o If IP fail, then authentication fail o Can restrict __system user to authenticate from only cluster nodes • System Hardening ‒ Authentication ‒ Authorization ‒ Accounting
- 26. #MDBE17 PROCESS OF DESIGN REVIEWS • Provider Services* ‒ AWS Trusted Advisor, Inspector ‒ Azure Security Center ‒ GCP Cloud Security Scanner • Self Tests ‒ Scan for Accidental Secret Leaks (“Github Commit Crawler”) ‒ Detect and Identify Assets (API Call, OVF Scan) ‒ Assess Configurations (SCAP, XCCDF, SSLcheck) • External Audits Sources: https://www.mongodb.com/blog/post/how-to-avoid-a-malicious-attack-that-ransoms-your-data https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html
- 27. #MDBE17 PROCESS OF TEST CYCLES • Daily Full Credential Scan of Any New Instance • Weekly Full Credential Scan of Builds Prior to Staging • Quarterly “Approved Scanning Vendor” (ASV) Report • Biannually ‒ “Full” Penetration Test ‒ Code Review
- 28. #MDBE17 PROCESS OF FIX PRIORITY • Critical Severity ‒ Remediate Immediately (R = 0) ‒ Fix Within 24 hours (e.g. HEARTBLEED) • High Severity (R = 5 Days) • Medium Severity (R = 60 Days) • Low Severity ‒ Business Impact Analysis (BIA) ‒ Customer Impact Analysis
- 29. IMPLEMENTATION
- 31. #MDBE17 EXAMPLE 2 • Is Authentication Disabled? > if (db.adminCommand('getCmdLineOpts').parsed.security === undefined || db.adminCommand('getCmdLineOpts').parsed.security.authorization === undefined || db.adminCommand('getCmdLineOpts').parsed.security.authorization == "disabled"){ print("NO AUTH! NO AUTH!")}else{print("Good work, Auth enabled")} • Is Default Port (27017, 29017) Listening? > db.adminCommand('getCmdLineOpts').parsed.net.port Source: https://docs.mongodb.com/manual/reference/default-mongodb-port/
- 32. #MDBE17 EXAMPLE 2 Service connected to network without “security group” or firewall? 1. On system outside network, grab mongodb client > wget https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-ubuntu1604-3.4.5.tgz > tar -zxf mongodb-linux-x86_64-ubuntu1604-3.4.5.tgz -C 3.4 --strip-components=1 2. Test by connecting to Internet hostname > ~/3.4/bin/mongo --host <urmongodb_host_name> --port <urmongodb_port>
- 33. #MDBE17 EXAMPLE 3 • Bind to localhost by default in v3.5.8 • IP Whitelisting option in v3.6 ‒ Associate IP addresses/ranges to auth roles ‒ If IP fail, then authentication fail ‒ Can restrict __system user to authenticate from only cluster nodes
- 34. #MDBE17 EXAMPLE 3 ● AES 256 ● TLS 1.2 ● FIPS 140-2 ● PCI DSS ● SOC 2 ● ISO 2700x ● HIPAA ● NIST 800-53 ● GDPR #MDBE17
- 35. IGNAZ SEMMELWEIS 1847 Etiology, Concept and Prophylaxis of Childbed Fever “There is one cause, all that matters is cleanliness.”
- 36. JOHN SNOW 1849 On the Mode of Communication of Cholera Focus of infection…“handle of the pump was removed on the following day”.