Next Generation Cyber Attacks and Protection

Transcript

Next Generation Cyber Attacks and Protection
Dr. Khaled Salah
Email: [email protected]
March 26, 2013

SECURE ABU DHABI CONFERENCE 2013


Outline

NGT and APT
Stuxnet
Future research directions


NGT, NGA, & APT


NGT

Cyber security spending is over $20B a year
Cybercrime costs the US $21B a year

Major change in the IT security landscape

Old vs. new days
• Motivation
• Skills
• Sophistication

Who is the enemy?
• Hacktivists
• Cybercriminals
• Nation states


The era of APTs

Definition: Advanced Persistent Threats


“APT attackers are more highly motivated. They’re likely to be better skilled, better funded, and more patient. They’re likely to try several different avenues of attack. And they’re much more likely to succeed.”

Bruce Schneier


APTs in the news

Facebook, Twitter, BK, Apple (2013)
Flame & Duqu (2012)
RSA SecurID attack (2011)
Stuxnet (2010)
Logic bombs in US power grid (2009)
Operation Aurora (2009)


SCADA APTs

• Die Hard IV attacks
• The objective is to disrupt rail, air traffic control, oil & gas, electric power grid, nuclear plants, etc.
• Highly crafted and targeted attacks: Stuxnet, Flame, Shamoon, RasGas.


Why APTs succeed…

Defense is a hard problem!!

Security is a complex problem

AV, AA, AS are dependent on signatures

Malware directly attacks these

Many unpatched systems

Sophisticated malware


Today’s malware


Stuxnet


Stuxnet

• Primary target: industrial control systems
• Reprograms Industrial Control Systems (ICS)
• Specific Siemens (Step 7) PLC
• The most advanced virus ever
• Command and control interface
• Vast array of components used


Why did it take so long to detect?
• Development started in 2005
• First appearance in the wild in 2007
• The first discovered variant in March 2010
• News out of Iran in November 2011
• 3-4 months to add signatures

Reasons it took so long to discover
• Targeted
  • If not a target, nothing happens
• Signed DLLs
• AV evasion
• Very robust – never crashes
• PLC rootkits
• Zero-day vulns


[Diagram: Siemens S7-300 PLC driving 9000 centrifuges over Modbus / DNP3; uranium isotopes U-238 and U-235; nuclear reactor: 3.5% enrichment, nuclear weapon: 90% enrichment]


[Diagram: S7-300 PLC, 9000 centrifuges]

1. Raise frequency to 1,402 Hz (15 minutes)
   Wait 27 days
2. Lower frequency to 2 Hz (50 minutes)
3. Raise frequency back to 1,064 Hz
   Wait 27 days
4. Back to step 1, and so on …
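The frequency sequence on this slide is what a process-level monitor would need to catch. The following is an added example, not code from the presentation: a small Python band monitor that groups out-of-band drive-frequency readings into alerts and runs over a constructed telemetry trace replaying the slide's 1,402 Hz and 2 Hz excursions around the nominal 1,064 Hz (the 27-day dwells are shortened to an hour). The tolerance band, the one-sample-per-minute rate and the trace itself are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

NOMINAL_HZ = 1064.0  # nominal drive frequency named on the slide
BAND_HZ = 50.0       # assumed tolerance band around nominal (site-specific, hypothetical)


@dataclass
class Reading:
    t_min: float  # minutes since the start of the trace
    hz: float     # measured drive frequency


@dataclass
class Alert:
    kind: str          # "over" or "under"
    start_min: float
    end_min: float
    samples: int
    extreme_hz: float  # highest reading for "over", lowest for "under"


def classify(hz: float, nominal: float = NOMINAL_HZ, band: float = BAND_HZ) -> Optional[str]:
    """Return "over"/"under" for an out-of-band reading, None if inside the band."""
    if hz > nominal + band:
        return "over"
    if hz < nominal - band:
        return "under"
    return None


def detect_excursions(readings: List[Reading], min_samples: int = 3,
                      nominal: float = NOMINAL_HZ, band: float = BAND_HZ) -> List[Alert]:
    """Group consecutive out-of-band readings of the same kind into Alerts.
    Runs shorter than min_samples are treated as sensor glitches and dropped."""
    alerts: List[Alert] = []
    run: Optional[Alert] = None
    for r in readings:
        kind = classify(r.hz, nominal, band)
        if run is not None and kind != run.kind:  # run ended: back in band, or flipped
            if run.samples >= min_samples:
                alerts.append(run)
            run = None
        if kind is None:
            continue
        if run is None:
            run = Alert(kind, r.t_min, r.t_min, 0, r.hz)
        run.end_min = r.t_min
        run.samples += 1
        run.extreme_hz = max(run.extreme_hz, r.hz) if kind == "over" else min(run.extreme_hz, r.hz)
    if run is not None and run.samples >= min_samples:
        alerts.append(run)
    return alerts


def sample_trace() -> List[Reading]:
    """Constructed one-sample-per-minute trace (not plant data) that replays the
    slide's sequence, with the 27-day waits shortened to 60 minutes."""
    trace: List[Reading] = []

    def hold(minutes: int, hz: float) -> None:
        start = len(trace)  # one sample per minute, so index == minute
        for i in range(minutes):
            trace.append(Reading(float(start + i), hz))

    hold(60, 1064.0)   # steady state at nominal
    hold(15, 1402.0)   # step 1: 15 minutes at 1,402 Hz
    hold(60, 1064.0)   # stands in for "wait 27 days"
    hold(50, 2.0)      # step 2: 50 minutes at 2 Hz
    hold(60, 1064.0)   # step 3: back to 1,064 Hz
    hold(1, 1300.0)    # one-sample glitch; below min_samples, so ignored
    hold(10, 1064.0)
    return trace


if __name__ == "__main__":
    for a in detect_excursions(sample_trace()):
        print(f"{a.kind:5s} t={a.start_min:.0f}..{a.end_min:.0f} min "
              f"({a.samples} samples), extreme {a.extreme_hz:.0f} Hz")
```

Because the deck also lists PLC rootkits among Stuxnet's components, readings obtained through the compromised PLC or its HMI cannot be trusted; a monitor like this only helps when fed from an independent measurement path, and the long dwell between excursions means alerts must be retained and reviewed across weeks rather than judged on one shift's data.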


LNK Exploit (1/2)


LNK Exploit (2/2)


Signed Device Drivers

• mrxcls is the main Stuxnet module
• mrxnet is a rootkit


Mutexes

Global mutexes are used to coordinate and to prevent Stuxnet from running more than once on the same machine. They are also used to signal that installation has occurred successfully. When .TMP files get launched, they create a randomly named mutex such as "FJKIKK" or "FJGIJK". Various other mutexes get created:

• @ssd<hex_number>
• Global\Spooler_Perf_Library_Lock_PID_01F
• Global\{4A9A9FA4-5292-4607-B3CB-EE6A87A008A3}
• Global\{5EC171BB-F130-4a19-B782-B6E655E091B2}
• Global\{85522152-83BF-41f9-B17D-324B4DFC7CC3}
• Global\{B2FAC8DC-557D-43ec-85D6-066B4FBC05AC}
• Global\{CAA6BD26-6C7B-4af0-95E2-53DE46FDDF26}
• Global\{E41362C3-F75C-4ec2-AF49-3CB6BCA591CA}


Works on all of these OSes

• Win 2K
• WinXP
• Windows 2003
• Vista
• Windows Server 2008
• Windows 7
• Windows Server 2008 R2


Command & Control

Stuxnet contacts the command and control server and sends some basic information about the compromised hosts:
• www.mypremierfutbol.com
• www.todaysfutbol.com

The two URLs above previously pointed to servers in Malaysia and Denmark.

It first tests whether it can connect to:
• www.windowsupdate.com
• www.msn.com
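As an added example that covers both this slide and the mutex slide above (it is not code from the presentation): a Python indicator matcher that checks a constructed DNS query log for the probe-then-C2 pattern described here and a constructed per-host mutex listing for the global mutex names listed earlier. The log line format, the hostnames and the mutex listings are constructed for the example; the domains and mutex names are the ones on the slides.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Indicators as listed on the slides.
C2_DOMAINS = {"www.mypremierfutbol.com", "www.todaysfutbol.com"}
# Reachability probes the slide says happen before C2 contact; benign on their own.
PROBE_DOMAINS = {"www.windowsupdate.com", "www.msn.com"}
STUXNET_MUTEXES = {
    r"Global\Spooler_Perf_Library_Lock_PID_01F",
    r"Global\{4A9A9FA4-5292-4607-B3CB-EE6A87A008A3}",
    r"Global\{5EC171BB-F130-4a19-B782-B6E655E091B2}",
    r"Global\{85522152-83BF-41f9-B17D-324B4DFC7CC3}",
    r"Global\{B2FAC8DC-557D-43ec-85D6-066B4FBC05AC}",
    r"Global\{CAA6BD26-6C7B-4af0-95E2-53DE46FDDF26}",
    r"Global\{E41362C3-F75C-4ec2-AF49-3CB6BCA591CA}",
}
# "@ssd<hex_number>" from the slide, expressed as a pattern. The random
# six-letter .TMP mutexes ("FJKIKK") are too generic to match by name.
SSD_MUTEX_RE = re.compile(r"^@ssd[0-9A-Fa-f]+$")

# Hypothetical DNS log format constructed for this example:
#   <timestamp> host=<name> query=<qname>
DNS_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+query=(?P<qname>\S+)$")


def parse_dns_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Parse one log line into (timestamp, host, normalised qname); None if malformed."""
    m = DNS_LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("host"), m.group("qname").lower().rstrip(".")


def mutex_hits(names: Iterable[str]) -> List[str]:
    """Mutex names equal to a listed Stuxnet mutex (case-insensitive) or matching @ssd<hex>."""
    known = {n.lower() for n in STUXNET_MUTEXES}
    return [n for n in names if n.lower() in known or SSD_MUTEX_RE.match(n)]


def _empty_finding() -> dict:
    return {"c2_domains": [], "probe_seen_first": False, "mutex_hits": []}


def assess(dns_lines: Iterable[str], host_mutexes: Dict[str, List[str]]) -> Dict[str, dict]:
    """Correlate indicators per host. dns_lines are assumed to be in time order,
    so a probe counts as 'seen first' only if logged before that host's C2 query.
    Hosts with neither a C2 query nor a mutex hit are omitted."""
    findings: Dict[str, dict] = {}
    probed = set()
    for line in dns_lines:
        parsed = parse_dns_line(line)
        if parsed is None:
            continue
        _, host, qname = parsed
        if qname in PROBE_DOMAINS:
            probed.add(host)
        elif qname in C2_DOMAINS:
            f = findings.setdefault(host, _empty_finding())
            f["c2_domains"].append(qname)
            if host in probed:
                f["probe_seen_first"] = True
    for host, names in host_mutexes.items():
        hits = mutex_hits(names)
        if hits:
            findings.setdefault(host, _empty_finding())["mutex_hits"] = hits
    return findings


# Constructed sample telemetry (not real data).
DNS_LOG = [
    "2013-03-26T10:00:01Z host=ws17 query=www.windowsupdate.com",
    "2013-03-26T10:00:02Z host=ws17 query=www.msn.com",
    "2013-03-26T10:00:05Z host=ws17 query=www.mypremierfutbol.com",
    "2013-03-26T10:03:10Z host=ws22 query=www.msn.com",
    "2013-03-26T10:04:00Z host=ws22 query=intranet.example",
    "malformed line that the parser must skip",
    "2013-03-26T10:05:00Z host=ws31 query=www.todaysfutbol.com",
]
HOST_MUTEXES = {
    "ws17": [r"Global\{4A9A9FA4-5292-4607-B3CB-EE6A87A008A3}", "@ssd1A2B3C", r"Global\VendorLock"],
    "ws22": [r"Global\VendorLock"],
    "ws31": ["FJKIKK"],
}

if __name__ == "__main__":
    for host, finding in sorted(assess(DNS_LOG, HOST_MUTEXES).items()):
        print(host, finding)
```

The probe domains are deliberately not treated as indicators on their own: every Windows host resolves them. Their only value is as ordering context for a C2 query from the same host, which is why the matcher records whether the probe preceded the C2 lookup rather than alerting on it.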


Propagation Vector

• P2P communication and updates
• Infecting WinCC machines via a hardcoded database server password
• Propagating through network shares
• Propagating through the MS10-061 Print Spooler zero-day vulnerability
• Propagating through the MS08-067 Windows Server Service vulnerability


Future Research Directions


Research Directions

• Automated RT analysis
• Polymorphic worms
• Alternatives to signature-based detection
• Signature similarities
• SW and HW rootkit detection
• Big Data Security & Analytics


SCADA Security Research

• PLC rootkits – development & detection
• Securing embedded devices
• SCADA firewalls are not enough; we need to stay ahead of the curve
• IDS + Snort for SCADA
• Honeypots for SCADA
• Pen testing for industrial control networks
• Securing SCADA protocols
• Big Data Security for SCADA systems


Hardware-assisted Snort for SCADA


Future Outlook

• Malware is growing in number and complexity
• Air gaps can be bridged
• Targeted APTs with high precision
• Lots of challenges & research are ahead
• Big Data Security Analytics require big skills

We are not losing the battle, but we are not winning it.
