Managing Cloud Security Design and Implementation in a Ransomware World

Date post: 22-Jan-2018

Upload: mongodb

Transcript

#MDBW17

Davi Ottenheimer, Product Security

Managing Cloud Security Design and Implementation in a Ransomware World

Background


Whoami

>20 years of flyingpenguin

● Security Ops

● Assessments

● Investigations

● Products


Realities of Securing Big Data

“Why trust a strategic knowledge system?”


Security is Evolution

● Evolution is the process not a destination

● Escalation is a function of competition

● Economics impacts risk mitigation


Security is Evolution

● Audit everything (Check your health)

● People who could behave responsibly may not

● Bitcoin “mining” changed the economics of behavior

● Authentication hygiene is still the top threat to security


Ignaz Semmelweis

1847 “Savior of mothers”: discovered that hand-washing standards can drop childbed fever from 30% to 1%

“There is one cause, all that matters is cleanliness”

Source: http://www.pbs.org/newshour/updates/ignaz-semmelweis-doctor-prescribed-hand-washing/


Economics of “Getting Bit”

● Mining with AWS keys is wasteful

○ 1 instance per day is ~$8 cost for ~$2 mined (variable)

○ ~$6/day loss per instance

○ “Better use of dollars to buy coins instead of instance time”

● Stolen AWS key shifts the waste to victims

○ Attacker spins up instances in the victim’s account ASAP

○ $10,000/hour cost burden on the victim

○ $2,500/hour attacker profit

Today’s Hot Example


RANSOMWARE!

● Use of access to deny access, unless ransom paid

● US gov: 4,000/day ransomware attacks in 2016 (300% over 2015)

Source: https://www.justice.gov/criminal-ccips/file/872771/

RANSOMWARE!

[Figure: ransomware overview from the Microsoft Malware Protection Center page below]

Source: https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx#enterprise


Ransomware Evolution

[Timeline figure, year markers 1989 … 1994, 2004, 2007, 2010, 2014]

● Labels along the timeline: Viruses, Worms, Trojans; Botnets, Adware, Spyware, Rogueware; For-Profit, “Advanced Persistent”, Key & Cert

● Ransomware named on the timeline: AIDS (1989), GPCODE, CRYPTOVIRUS, CRYPTOLOCKER, CRYPTOWALL, TORRENTLOCKER, TESLACRYPT, LOCKER, LOCKY

● R.I.P. Hagbard, 1989: “KGB Hack”

> DM 100K + drugs over 3 years

> Burned to death

> http://phrack.org/issues/25/10.html

● R.I.P. Tron, 1998


An Economics Perspective

● Old-method experienced cost inflation

○ Cloud agility = DDoS more expensive

○ Expensive race condition for pay

● New-method experienced cost deflation

○ Scan/Exploit kits (easy to find victims)

○ Social engineering kits (easy to phish)

○ Key management kits (easy to encrypt)

○ Monetization kits (easy to extort)

“I’ve never actually stormed a castle, but I’ve taken a bunch of siege-management courses.”


Big DDoS attacks affect some AWS customers, but chief Andy Jassy assures cloud is secure

● DDoS targeted Dynamic Network Services (Dyn)

● Dyn is one of many DNS providers that AWS customers depend on

● AWS services (Shield) help, and 3rd party too, but…

“...agility single biggest reason enterprise move to cloud”

2016 Q4 Akamai “State of the Internet” Report:

● 7 of the 10 biggest (300+ Gbps) DDoS attacks in history happened in 2016

● 3 of the 10 were in 2016 Q4

Sources: https://www.geekwire.com/2016/big-ddos-attacks-hit-amazon-web-services-customers-jassy-assures-cloud-secure/, https://www.akamai.com/us/en/about/our-thinking/state-of-the-internet-report/


2008 Terry Childs Case

● San Francisco City Government Loses Control of Cloud

○ Emergency Services (Fire, Police, etc.)

○ “Almost Included Utilities” (Wastewater Treatment)

● Own Administrator (Childs) Charged With DoS

○ Deadman Traps on Switches (Erase Config)

○ Encrypted Storage (Fiber Tap at Core Led to Hidden Servers)

○ Withheld “Keys” From Staff and Management

● Found Guilty by Court

○ “His boss’ boss was an authorized user, could not be legally denied access”

○ Jury included a 13-year network admin and a CCIE

Source: http://www.computerworld.com/article/2468913/cybercrime-hacking/terry-childs-found-guilty-of-san-francisco-fiberwan-lockout.html


“Rock Solid, Secure…” June 16, 2014


“...completely deleted” June 17, 2014

Ransomware Explained

How Ransomware Works

1. Seek vulnerable access

2. Lock and/or Encrypt

3. Extort

Source: https://blogs.technet.microsoft.com/mmpc/2016/03/17/no-mas-samas-whats-in-this-ransomwares-modus-operandi/


Seek Vulnerable Access

1. Find a foothold using a credential (or even non-credentialed access)

• Internet-facing services

• User devices

• Platforms (github, pastebin, facebook, etc.)

2. Pivot and traverse

• Gather credentials

• Elevate privileges

• Find valuable data

[Diagram: north/south and east/west traffic paths between Users, Apps and the User Dir]

Lock and/or encrypt

• Anything believed to be valuable to target

• Any backups (prevent restores)

• Using modern algorithms (AES-256)

• Unique keys on remote infrastructure


Extort

• Name of “Replaced” DB

• README

• ReadmePlease

• PLEASE_READ

• IHAVEYOURDATA

• WARNING

• WARNING_ALERT

• PWNED

• PWNED_SECURE_YOUR_STUFF_SILLY

• DELETED_BECAUSE_YOU_DIDNT_PASSWORD_PROTECT_YOUR_MONGODB

• to_get_DB_back_send_1BTC_to_1DGztzLNz1euFswtqMDWPMWSgwthdpxRtD

● Amount

○ 0.1 BTC

○ 0.15 BTC

○ 0.2 BTC

○ 0.25 BTC

○ 0.5 BTC

○ 1 BTC

Source: https://docs.google.com/spreadsheets/d/1QonE9oeMOQHVh8heFIyeqrjfKEViL0poLnY8mAakKhM/edit#gid=0

Sample ransom note document left in place of the data:

{
    "_id" : ObjectId("9854a4532b5e63f722fcc9da"),
    "mail" : "[email protected]",
    "note" : "SEND 0.1 BTC TO THIS ADDRESS 1DGztzLNz1euFswtqMDWPMWSgwthdpxRtD AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !"
}
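Added example, not part of the original slides: detection logic for the indicators on this slide. It flags database names that look like ransom notes and documents whose string fields carry a Bitcoin address and amount, using the note above as constructed sample input. It is written in ES5 so it runs unchanged in the legacy mongo shell (feed it db.getMongo().getDBNames() and the documents of a suspicious collection) as well as in node. The name regex, the sample database list and the "orders" database are my assumptions, and the address pattern covers only legacy 1…/3… addresses, not bech32 ones.

```javascript
// Added example, not from the original slides. Indicators taken from the Extort
// slide: ransom-note database names and a note document carrying a BTC address.
var RANSOM_NAME_RE = /(readme|please_read|ihaveyourdata|warning|pwned|deleted_because|to_get_db_back|send_.*btc)/i;

// Legacy P2PKH/P2SH Bitcoin addresses (base58, starting with 1 or 3);
// bech32 "bc1..." addresses are not covered by this pattern.
var BTC_ADDRESS_RE = /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/;
var BTC_AMOUNT_RE = /(\d+(?:\.\d+)?)\s*BTC\b/i;

// dbNames: output of db.getMongo().getDBNames()
// docs: documents of a collection in a suspicious database, e.g. db.WARNING.find().toArray()
function findRansomIndicators(dbNames, docs) {
  var suspiciousDbs = dbNames.filter(function (name) {
    return RANSOM_NAME_RE.test(name);
  });

  var ransomDocs = [];
  docs.forEach(function (doc) {
    // Only string fields are inspected, so ObjectId and numeric fields are skipped.
    var text = Object.keys(doc).map(function (k) {
      return typeof doc[k] === 'string' ? doc[k] : '';
    }).join(' ');
    var address = text.match(BTC_ADDRESS_RE);
    if (!address) return;
    var amount = text.match(BTC_AMOUNT_RE);
    ransomDocs.push({ id: doc._id, address: address[0], amount: amount ? amount[1] : null });
  });

  return {
    suspiciousDbs: suspiciousDbs,
    ransomDocs: ransomDocs,
    compromised: suspiciousDbs.length > 0 || ransomDocs.length > 0
  };
}

// Constructed sample input mirroring the slide: the database list is assumed,
// the note text and address are the ones shown above.
var SAMPLE_DB_NAMES = ['admin', 'local', 'orders', 'PLEASE_READ'];
var SAMPLE_DOCS = [{
  _id: '9854a4532b5e63f722fcc9da',
  mail: '[email protected]',
  note: 'SEND 0.1 BTC TO THIS ADDRESS 1DGztzLNz1euFswtqMDWPMWSgwthdpxRtD AND ' +
        'CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !'
}];

function sampleReport() {
  return findRansomIndicators(SAMPLE_DB_NAMES, SAMPLE_DOCS);
}
```

A database name matching the pattern is only a prompt to look, not proof; a note document with an address and an amount next to an empty collection is the stronger signal, and at that point the question is whether a backup exists that the attacker did not reach.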

Design and Implementation


Are You Ready?

● Asset Management Lifecycle

● Dependencies on Providers

● Incident Response Procedures

● Disaster Recovery Plan (Backups!)

● Identity and Access Management

○ Components

○ Standards*

● AES256

● TLS1.2

● FIPS 140-2

*https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html

● PCI DSS

● SOC2

● ISO 27000x

● HIPAA-HITECH

● GDPR

● FedRAMP (NIST 800-53)


Design Considerations

● Critical Severity Vulnerability

○ Remediate Immediately (R = 0)

○ Patch within 24 hours (e.g. HEARTBLEED)

● High Severity (R = 5 days)

● Medium Severity (R = 60 days)

● Low Severity

○ Business Impact Analysis

○ Customer Impact Analysis


Design Considerations (RFC2904)

● Authentication

● Authorization

● Accounting

Source: https://tools.ietf.org/html/rfc2904


Security Design Review Services

• Providers*

• AWS Trusted Advisor, Inspector

• Azure Security Center

• GCP Cloud Security Scanner

• Self

• Scan for Accidental Secret Leaks (“Github Commit Crawler”)

• Detect and Identify Assets (API Call, OVF Scan)

• Assess Configurations (SCAP, XCCDF, SSLcheck)

*https://www.mongodb.com/blog/post/how-to-avoid-a-malicious-attack-that-ransoms-your-data
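Added example, not from the original slides or from any product named above: a minimal “commit crawler” of the kind the Self list calls for. It scans text a line at a time (a diff, a pasted config, a gist) for the accidental leaks behind the stolen-AWS-key economics earlier in the deck: AWS access key IDs and secret keys, MongoDB connection strings with an embedded password, and PEM private keys. The patterns are my own heuristics, the sample commit is constructed (the AWS values are the example credentials used in AWS documentation, the MongoDB password is made up), and the report deliberately redacts what it finds.

```javascript
// Added example, not from the original slides: scan lines of text for leaked secrets.
var SECRET_PATTERNS = [
  // AWS access key IDs: 20 chars, AKIA (long-term) or ASIA (temporary) prefix
  { kind: 'aws-access-key-id', re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/ },
  // AWS secret keys are 40 base64-like chars; only flag them next to their usual name
  { kind: 'aws-secret-access-key',
    re: /aws_secret(?:_access_key)?\s*[:=]\s*['"]?([A-Za-z0-9\/+=]{40})(?![A-Za-z0-9\/+=])/i },
  // MongoDB connection strings carrying user:password@
  { kind: 'mongodb-uri-credential', re: /mongodb(?:\+srv)?:\/\/[^:\/\s@]+:[^@\s]+@/ },
  // PEM private keys of any flavour
  { kind: 'private-key', re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----/ }
];

// Keep only a short prefix of the match so the report itself does not leak the secret.
function redact(match) {
  return match.slice(0, 12) + '...';
}

// lines: array of strings (one per line of the file or diff being scanned)
// returns: [{ line, kind, evidence }] with 1-based line numbers
function scanForSecrets(lines) {
  var findings = [];
  lines.forEach(function (line, i) {
    SECRET_PATTERNS.forEach(function (p) {
      var m = line.match(p.re);
      if (m) findings.push({ line: i + 1, kind: p.kind, evidence: redact(m[0]) });
    });
  });
  return findings;
}

// Constructed sample "commit". The AWS values are the documented example
// credentials from AWS docs; the MongoDB password and host are made up.
var SAMPLE_COMMIT = [
  'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE',
  'aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY',
  'MONGO_URL=mongodb://admin:hunter2@db.example.internal:27017/orders',
  'print("hello")',
  '-----BEGIN RSA PRIVATE KEY-----',
  'key_id = AKIA1234   # too short to be a real key id, not flagged'
];

function sampleFindings() {
  return scanForSecrets(SAMPLE_COMMIT);
}
```

Run it over every commit before it is pushed (a pre-commit or pre-receive hook) rather than only over the current tree: a key that was committed and then removed is still in history, and the economics slide above is what happens next.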


Implementation Example 1

• Is authentication disabled?

> var opts = db.adminCommand('getCmdLineOpts').parsed;
> if (opts.security === undefined ||
      opts.security.authorization === undefined ||
      opts.security.authorization == "disabled") {
    print("NO AUTH! NO AUTH!")
  } else {
    print("Good work, Auth enabled")
  }

(Caveat: getCmdLineOpts reports the options as given. A mongod started with only a keyFile also enforces authorization, but that shows up as parsed.security.keyFile, so the check above prints “NO AUTH” for it.)

• Is a default port listening (27017 for mongod/mongos; 27018 with --shardsvr, 27019 with --configsvr)?

> db.adminCommand('getCmdLineOpts').parsed.net.port

(undefined means no port was configured, i.e. the default 27017 is in use; if parsed.net itself is absent the expression throws, which means the same thing)

Source: https://docs.mongodb.com/manual/reference/default-mongodb-port/
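Added example, not from the original slides: the two checks above folded into one pure function over the getCmdLineOpts result, with the bind address added as a third check and the keyFile case handled. It is ES5 only, so it runs in the legacy mongo shell as auditCmdLineOpts(db.adminCommand('getCmdLineOpts')) and in node for testing. The three sample results are constructed to look like real command output; the paths, ports and addresses in them are assumptions.

```javascript
// Added example, not from the original slides: audit a getCmdLineOpts result.
var MONGO_DEFAULT_PORTS = [27017, 27018, 27019]; // mongod/mongos, --shardsvr, --configsvr

function auditCmdLineOpts(opts) {
  var parsed = (opts && opts.parsed) || {};
  var security = parsed.security || {};
  var net = parsed.net || {};
  var findings = [];

  // --auth is canonicalised to security.authorization: "enabled"; a keyFile also
  // enforces authorization but is reported only as security.keyFile.
  var authEnabled = security.authorization === 'enabled' ||
                    typeof security.keyFile === 'string';
  if (!authEnabled) findings.push('NO AUTH: security.authorization is not "enabled"');

  // net.port is absent from parsed when mongod runs on the default 27017.
  var port = typeof net.port === 'number' ? net.port : 27017;
  if (MONGO_DEFAULT_PORTS.indexOf(port) !== -1) findings.push('DEFAULT PORT: ' + port);

  // Absent bindIp is treated as "every interface": exact before the 3.6 localhost
  // default, conservative after it. An explicit wildcard or bindIpAll means the same.
  var bindIp = typeof net.bindIp === 'string' ? net.bindIp : '0.0.0.0';
  var boundEverywhere = net.bindIpAll === true || bindIp.split(',').some(function (ip) {
    var addr = ip.trim();
    return addr === '0.0.0.0' || addr === '::' || addr === '*';
  });
  if (boundEverywhere) findings.push('EXPOSED: bound to all interfaces (' + bindIp + ')');

  return { authEnabled: authEnabled, port: port, bindIp: bindIp, findings: findings };
}

// Constructed sample results in the shape getCmdLineOpts returns (argv trimmed).
var OPEN_SERVER = { argv: ['mongod'], parsed: {}, ok: 1 };
var KEYFILE_REPLICA = {
  argv: ['mongod', '--keyFile', '/etc/mongo.key'],
  parsed: { security: { keyFile: '/etc/mongo.key' }, net: { bindIp: '10.0.0.5' } },
  ok: 1
};
var HARDENED_SERVER = {
  argv: ['mongod', '--config', '/etc/mongod.conf'],
  parsed: {
    config: '/etc/mongod.conf',
    net: { port: 37017, bindIp: '127.0.0.1,10.0.0.5' },
    security: { authorization: 'enabled' }
  },
  ok: 1
};
```

The open server (no options at all) trips all three findings; the keyFile replica passes the auth check but is still on the default port; the hardened server returns an empty findings list. A non-default port is not a control on its own, which is why the bind address and authentication checks sit beside it.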


Implementation Example 2

Service connected to a wide area network lacking any “security group” or firewall?

1. On a system outside the network, grab the mongodb client

> wget https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-ubuntu1604-3.4.5.tgz

> mkdir -p 3.4 && tar -zxf mongodb-linux-x86_64-ubuntu1604-3.4.5.tgz -C 3.4 --strip-components=1

2. Test by connecting to the Internet hostname

> ~/3.4/bin/mongo --host <urmongodb_host_name> --port <urmongodb_port>

(A successful connection proves the service is reachable; if db.adminCommand({listDatabases: 1}) then succeeds without db.auth(), it is also unauthenticated.)


Implementation Example 2

• Binds to localhost by default as of v3.5.8

• IP whitelisting option in v3.6 (authenticationRestrictions on users and roles)

• Associate IP addresses/ranges with auth roles

• If the IP check fails, authentication fails

• Can restrict the __system user to authenticating only from cluster nodes
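Added example, not from the original slides and not MongoDB's own code: what the 3.6 per-user IP restriction does, modeled in plain ES5 for IPv4. appUserSpec builds the document you would hand to db.createUser() with an authenticationRestrictions entry, and authenticationAllowed applies the rule above (if the IP check fails, authentication fails) to a client/server address pair. The user name, database, role and the 10.20.0.0/16 range are assumptions, and the reading that any one document in a user's restrictions list suffices is mine; check the createUser reference for your version before relying on it.

```javascript
// Added example, not from the original slides or from MongoDB's own code.
// Models the 3.6 authenticationRestrictions rule for IPv4 in plain ES5.

// "10.20.3.4" -> 32-bit number
function ipv4ToInt(ip) {
  var parts = ip.split('.');
  if (parts.length !== 4) throw new Error('bad IPv4 address: ' + ip);
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) {
      throw new Error('bad IPv4 address: ' + ip);
    }
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// entry is "10.20.0.0/16" or a bare "10.20.1.5" (treated as /32)
function inRange(ip, entry) {
  var split = entry.split('/');
  var bits = split.length === 2 ? Number(split[1]) : 32;
  if (isNaN(bits) || bits < 0 || bits > 32) throw new Error('bad prefix: ' + entry);
  // JS shifts mod 32, so /0 must be special-cased; >>> 0 keeps the result unsigned
  var mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(split[0]) & mask) >>> 0);
}

// A missing list means "no restriction on that side"
function matchesAny(addr, list) {
  if (!list) return true;
  return list.some(function (entry) { return inRange(addr, entry); });
}

// One restriction document passes only when both its clientSource and
// serverAddress lists (those present) match. Assumption: a user is allowed
// when any document in its authenticationRestrictions array passes.
function authenticationAllowed(restrictions, clientIp, serverIp) {
  if (!restrictions || restrictions.length === 0) return true;
  return restrictions.some(function (doc) {
    return matchesAny(clientIp, doc.clientSource) &&
           matchesAny(serverIp, doc.serverAddress);
  });
}

// The document to hand to db.getSiblingDB('orders').createUser(...) in 3.6.
// User name, database, role and ranges are assumed; pwd is a placeholder.
function appUserSpec(password) {
  return {
    user: 'app',
    pwd: password,
    roles: [{ role: 'readWrite', db: 'orders' }],
    authenticationRestrictions: [
      { clientSource: ['10.20.0.0/16'], serverAddress: ['10.20.1.5'] }
    ]
  };
}

// Dry run of the rule against the spec above; on a real 3.6 server you would
// run createUser and then try db.auth() from inside and outside the range.
function wouldAuthenticate(clientIp, serverIp) {
  return authenticationAllowed(appUserSpec('placeholder').authenticationRestrictions,
                               clientIp, serverIp);
}
```

The serverAddress side matters as much as clientSource for the __system case on the slide: a stolen keyFile presented from outside the cluster fails the check even though the secret is correct.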


Design Improvement Cycles

● Daily Full Credential Scan of Any New Instance

● Weekly Full Credential Scan of Builds Prior to Staging

● Quarterly “Approved Scanning Vendor” (ASV) Report

● Biannually

○ “Full” Penetration Test

○ Code Review


Managing Cloud Security

Design and Implementation

in a Ransomware World

Thank You!

