Date post: 19-Jan-2016
Security: The Changing Threat Environment David Aucsmith Architect and CTO Security Business & Technology Unit awk @ microsoft.com Microsoft Corporation
Transcript
Page 1

Security: The Changing Threat Environment

David Aucsmith
Architect and CTO
Security Business & Technology Unit
awk @ microsoft.com
Microsoft Corporation

Page 2

Session Outline

The World Today
Threats
Bad Guys

How We Got There
Legacy
Crime

Evolving the Solution
Security Strategy
A Look Ahead

Page 3

Vulnerability Timeline

Undiscovered

Vulnerability Discovered

Correction

Component Fixed

Packaging

Customer Fix Available

Module Gap

Customer Testing /Deployment

Actual Vulnerability To Attack

Responsible Disclosure

Experimentation

Vulnerability Disclosed

Software Ship Fix Deployed

Early Disclosure

Rarely discovered

Attacks occur here

Why does this gap exist?

The World Today

Page 4

Vulnerability Timeline

Undiscovered

Vulnerability Discovered

Correction

Component Fixed

Packaging

Customer Fix Available

Module Gap

Customer Testing /Deployment

Actual Vulnerability To Attack

Responsible Disclosure

Experimentation

Vulnerability Disclosed

Software Ship Fix Deployed

Early Disclosure

[Chart: Days between patch & exploit. Bars labeled Nimda, SQL Slammer, Welchia/Nachi and Blaster; values shown: 331, 180, 151 and 25.]

Days From Patch To Exploit
Have decreased so that patching is not a defense in large organizations

Average 6 days for patch to be reverse engineered to identify vulnerability

The World Today

Source: Microsoft

Page 5

The Forensics of a Virus

Blaster shows the complex interplay between security researchers, software companies, and hackers

Vulnerability reported to us / Patch in progress

Bulletin & patch available

No exploit

Exploit code in public

Worm in the world

July 1: Report
Vulnerability in RPC/DCOM reported
MS activated highest level emergency response process

July 16: Bulletin
MS03-026 delivered to customers (7/16/03)
Continued outreach to analysts, press, community, partners, government agencies

July 25: Exploit
X-focus (Chinese group) published exploit tool
MS heightened efforts to get information to customers

Aug 11: Worm
Blaster worm discovered – variants and other viruses hit simultaneously (i.e. “SoBig”)

The World Today

Source: Microsoft

Page 6

Understanding the Landscape

National Interest

Personal Gain

Personal Fame

Curiosity

Script-Kiddy

Hobbyist Hacker

Expert

Specialist

Vandal

Thief

Spy

Trespasser

The World Today

Tools created by experts now used by less-skilled attackers and criminals

Fastest growing segment

Author

Page 7

Legacy and Environment

The security kernel of Windows NT was written:

Before there was a World Wide Web

Before TCP/IP was the default communications protocol

The security kernel of Windows Server 2003 was written:

Before buffer overflow tool kits were generally available

Before Web Services were widely deployed

How We Got Here

Page 8

Honey Pot Projects

Six computers attached to Internet
Different versions of Windows, Linux and Mac OS

Over the course of one week
Machines were scanned 46,255 times
4,892 direct attacks

No up-to-date, patched operating systems succumbed to a single attack

All down rev systems were compromised
Windows XP with no patches
Infested in 18 minutes by Blaster and Sasser
Within an hour it became a "bot"

How We Got Here

Source: StillSecure, see http://www.denverpost.com/Stories/0,1413,36~33~2735094,00.html

Page 9

Malware

Spam

Phishing

Spyware

Bots

Root Kit Drivers

How We Got Here

Page 10

Spam

Mass unsolicited email

For commerce
Direct mail advertisement

For Web traffic
Artificially generated Web traffic

Harassment

For fraud
Phishing
Identity theft
Credential theft

How We Got Here

Affiliates Programs

Example

• $0.50 for every validated free-trial registrant

• 60% of each membership fee from people you direct to join the site

SoBig spammed > 100 million inboxes
If 10% read the mail and clicked the link = 10 million people
If 1% signed up for 3-days free trial = (100,000 people) x ($0.50) = $50,000
If 1% of free trials sign up for 1 year = (1,000 people) x ($144/yr) = $144,000/yr

Page 11

Phishing

Most people are spoofed
Over 60% have visited a fake or spoofed site

Many people are tricked
Over 15% have provided personal data

Economic loss ~ 2% of people

Average loss of $115

How We Got Here

Source: TRUSTe

Page 12

Spyware

Software that:
Collects personal information from you
Without your knowledge or permission

Privacy
15 percent of enterprise PCs have a keylogger
Source: Webroot's SpyAudit
Number of keyloggers jumped three-fold in 12 months
Source: Sophos

Reliability
Microsoft Watson
~50% of crashes caused by spyware

How We Got Here

Page 13

Bots

Bot Ecosystem

Bots

Botnets

Control channels

Herders

It began en masse with MyDoom.A

Eight days after MyDoom.A hit the Internet

Scanned for the back door left by the worm

Installed Trojan horse called Mitglieder

Then used those systems as their spam engines

Millions of computers across the Internet were now for sale to the underground spam community

How We Got Here

Page 14

Bot-Nets Tracked (3 Sep 2004 snapshot)

Age (days) Name Server MaxSize

02.00 nubela.net dns.nubela.net 10725

10.94 winnt.bigmoney.biz (randex) winnt.bigmoney.biz 2393

09.66 PS 7835 - y.eliteirc.co.uk y.eliteirc.co.uk 2061

09.13 y.stefanjagger.co.uk (#y) y.stefanjagger.co.uk 1832

03.10 ganjahaze.com ganjahaze.com 1507

01.04 PS 8049 - 1.j00g0t0wn3d.net 1.j00g0t0wn3d.net 3689

10.93 pub.isonert.net pub.isonert.net 537

08.07 irc.brokenirc.net irc.brokenirc.net 649

01.02 PS 8048 - grabit.zapto.org grabit.zapto.org 62

10.34 dark.naksha.net dark.naksha.net UNK

08.96 PS 7865 - lsd.25u.com lsd.25u.com UNK

UNK PS ? - 69.64.38.221 69.64.38.221 UNK

How We Got Here

Page 15

In The News

Botnet with 10,000 Machines Shut Down
Sept 8, 2004

A huge IRC "botnet" controlling more than 10,000 machines has been shut down by the security staff of Norwegian provider Telenor, according to the Internet Storm Center. The discovery confirms beliefs about the growth of botnets, which were cited in the recent distributed denial of service (DDoS) attack upon Akamai and DoubleClick that sparked broader web site outages. […]
http://news.netcraft.com/archives/2004/09/08/botnet_with_10000_machines_shut_down.html

How We Got Here

FBI busts alleged DDoS Mafia
Aug 26, 2004

A Massachusetts businessman allegedly paid members of the computer underground to launch organized, crippling distributed denial of service (DDoS) attacks against three of his competitors [...]
http://www.securityfocus.com/news/9411

Page 16

Payloads

Keystroke loggers for stealing CC, PII

SYN or application flooding code
Used for DDoS
DDoS has been used many times
Including public attacks against Microsoft.com

Spam relays: 70-80% of all spam
Source: SpecialHam.com, Spamforum.biz

Piracy

Future features

How We Got Here

Page 17

Botnet Damage Potential

Attack                      Requests/bot   Botnet Total   Resource exhausted
Bandwidth flood (uplink)    186 kbps       1.86 Gbps      T1, T3, OC-3, OC-12
Bandwidth flood (downlink)  450 kbps       4.5 Gbps       T1, T3, OC-3, OC-12, OC-48 (2.488Gbps); 50% of Taiwan/US backbone
Syn flood                   450 SYNs/sec   4.5M SYN/sec   4 Dedicated Cisco Guard (@$90k) OR 20 tuned servers
Static http get (cached)    93/sec         929,000/sec    15 servers
Dynamic http get            93/sec         929,000/sec    310 servers
SSL handshake               10/sec         100,000/sec    167 servers

10,000-member botnet

>$350.00/weekly - $1,000/monthly (USD)
>Type of service: Exclusive (One slot only)
>Always Online: 5,000 - 6,000
>Updated every: 10 minutes

>$220.00/weekly - $800.00/monthly (USD)
>Type of service: Shared (4 slots)
>Always Online: 9,000 - 10,000
>Updated every: 5 minutes

September 2004 postings to SpecialHam.com, Spamforum.biz

How We Got Here

Page 18

Rootkits

Growth in the root kit population
Technical challenge in the community

Defeats current anti-spyware products

Financial motivation to support adware & spyware

How We Got Here

Microsoft OCA Root Kit Drivers

Page 19

Evolving The Solution

Microsoft’s Security Focus

Page 20

Evolving The Solution

Microsoft’s Security Focus

Page 21

Combating Spyware Threats

Global SpyNet™ community helps identify new spyware

Automatic signature downloads keep you up-to-date

Spyware removal reduces PC slow down, pop-up ads, and more

Scheduled scans help maintain PC security and privacy

Continuous protection guards 50+ ways spyware gets on a PC

Intelligent alerts handle spyware based on your preferences

Evolving The Solution

Page 22

Malicious Software Removal Tools

Updated monthly to remove prevalent malware
Targeted at consumers without antivirus
Enterprise deployable as part of a defense-in-depth strategy
Available through: Windows Update, Auto Update, Online interface, MS Download Center

Complements traditional Antivirus technologies by providing one tool that removes prevalent viruses and worms from a PC

Evolving The Solution

Page 23

Cleaner Statistics (as of 11 March 2005)

Bots on Windows decreasing due to Windows XP SP2
Source: Symantec

Release    Days Live   Executions     Disinfections (Value)   Disinfections (%)
January    28          124,613,632    239,197                 0.1920%
February   28          118,209,670    351,135                 0.2970%
March      5           84,013,460     149,981                 0.1785%
Total      61          326,836,762    740,313                 0.2265%

[Chart: Machines Cleaned (log scale, 1 to 1,000,000) versus Malware per Machine (1 to 9)]

Evolving The Solution

Source: Microsoft

Page 24

Vulnerability Assessment Roadmap

MBSA 1.2.1 (today)
Detects most security updates and common configuration vulnerabilities

Enterprise Scan Tool detects critical and important security updates that MBSA does not

MBSA 2.0 (Q2CY05)
Will eventually detect all security updates and offer consistency with SMS, WUS and Windows Update

Geneva (1HCY06)
Authoritative vulnerability assessment for the MS platform

Evolving The Solution

Page 25

Advanced Isolation
Clients who do not pass can be blocked and isolated
Isolated clients can be given access to updates to get healthy

Health Checkup
Check update level, antivirus, and other plug in and scriptable criteria

Evolving The Solution

Network Access Protection

Page 26

Evolving The Solution

Microsoft’s Security Focus

Page 27

Update Quality Improvements

Engineering Process
Automated triggering of QA processes on fix check-ins
Focus on good non-code solutions where risk is high

Reduction of ‘encompassed fixes’
Use of oldest possible versions of dependent files
‘Dual Tree’ versus ‘Single Tree’ servicing model

Increase Application compatibility
Increased the number of applications tested
Expanded prescriptive documentation on tested applications

Broader pre-release testing
Microsoft: Desktop 10k+, Server 100+ (various roles)
Testing guidance produced along with beta versions

Evolving The Solution

Page 28

Today

2005

Windows, SQL, Exchange, Office…

Windows, SQL, Exchange, Office…

Office Update

Download Center

SUS

SMS

“Microsoft Update” (Windows Update)

VS Update

Windows Update

Windows only

Windows only

Windows Update Services

Windows, SQL, Exchange, Office…

AutoUpdate

Evolving The Solution

Updating Roadmap

Page 29

Evolving The Solution

Microsoft’s Security Focus

Page 30

Authentication

Evolving The Solution

Page 31

Evolving The Solution

Microsoft’s Security Focus

Page 32

The Genesis of Security Vulnerabilities

Intended Behavior

Actual Behavior

Traditional Bugs

Most Security Bugs

Evolving The Solution

Page 33

Threat Modeling Process

Create model of app (DFD, UML etc)

Categorize threats to each tree node with STRIDE
Spoofing, Tampering, Repudiation, Info Disclosure, Denial of Service, Elevation of Privilege

Build threat tree

Rank threats with DREAD
Damage potential, Reproducibility, Exploitability, Affected Users, Discoverability

Evolving The Solution

Page 34

[Threat tree diagram for 1.2.1 Parse Request. Node labels: Threat (Goal), each marked STRIDE; Threat; Sub threat; Condition; DREAD. KEY: Threat, Sub threat, Condition.]

Evolving The Solution
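
The STRIDE categorisation and DREAD ranking steps from the two slides above, applied to a small threat tree; this is an added example, not code from the original slides. The three threats for the "1.2.1 Parse Request" process, the 1 to 10 rating scale and the mean-of-five scoring rule are assumptions made for illustration.

```python
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}
DREAD = ("damage", "reproducibility", "exploitability",
         "affected_users", "discoverability")


@dataclass
class Condition:
    """Leaf node: something the attacker needs; a mitigation removes it."""
    text: str
    mitigated: bool = False


@dataclass
class SubThreat:
    """One route to the goal; it needs ALL of its conditions (AND)."""
    name: str
    conditions: list

    def is_open(self):
        return all(not c.mitigated for c in self.conditions)


@dataclass
class Threat:
    """Root of a threat tree; ANY open sub-threat reaches the goal (OR)."""
    goal: str
    stride: str        # key into STRIDE
    dread: dict        # factor -> rating, 1..10 (assumed scale)
    subthreats: list

    def __post_init__(self):
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")
        if set(self.dread) != set(DREAD):
            raise ValueError(f"{self.goal}: rate exactly {DREAD}")
        if not all(1 <= v <= 10 for v in self.dread.values()):
            raise ValueError(f"{self.goal}: ratings must be 1..10")

    def score(self):
        """Assumed ranking rule: mean of the five DREAD ratings."""
        return sum(self.dread.values()) / len(DREAD)

    def open_routes(self):
        return [s.name for s in self.subthreats if s.is_open()]


def rank(threats):
    """Threats that still have an open route, highest DREAD score first."""
    live = [t for t in threats if t.open_routes()]
    return sorted(live, key=lambda t: t.score(), reverse=True)


def ratings(*values):
    """Pair five ratings with the DREAD factor names, in DREAD order."""
    return dict(zip(DREAD, values))


def sample_model():
    """Constructed threats for a DFD process '1.2.1 Parse Request'."""
    return [
        Threat("Run code in the parser process", "E", ratings(10, 5, 4, 10, 4), [
            SubThreat("Buffer overrun in header copy", [
                Condition("Unchecked copy into fixed-size buffer"),
                Condition("Overrun not detected at run time", mitigated=True)])]),
        Threat("Read files outside the web root", "I", ratings(7, 8, 6, 5, 7), [
            SubThreat("Traversal sequence in URL", [
                Condition("Path not canonicalised before access check")]),
            SubThreat("Encoded traversal sequence", [
                Condition("URL decoded twice", mitigated=True)])]),
        Threat("Exhaust the server with huge requests", "D", ratings(6, 9, 7, 8, 6), [
            SubThreat("Unbounded request line", [
                Condition("No maximum URL length enforced")])]),
    ]


if __name__ == "__main__":
    for t in rank(sample_model()):
        print(f"{t.score():4.1f}  {STRIDE[t.stride]:<24} {t.goal}")
        for route in t.open_routes():
            print(f"      open route: {route}")
```

Mitigating a single condition closes every route that depends on it, so the elevation-of-privilege threat drops out of the ranking even though its damage rating is the highest.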

Page 35

SD3 At Work – MS03-007

The underlying DLL (NTDLL.DLL) not vulnerable: Code made more conservative during Security Push

Even if it was vulnerable: IIS 6.0 not running by default on Windows Server 2003

Even if it was running: IIS 6.0 doesn’t have WebDAV enabled by default

Even if it did have WebDAV enabled: Maximum URL length in IIS 6.0 is 16kb by default (>64kb needed)

Even if the buffer was large enough: Process halts rather than executes malicious code, due to buffer-overrun detection code (-GS)

Even if there was an exploitable buffer overrun: Would have occurred in w3wp.exe which is now running as ‘network service’

Evolving The Solution

Page 36

[Chart; data labels as extracted: 6464, 2727, 628628]

Evolving The Solution

Focus Yields Results

Page 37

Evolving The Solution

Microsoft’s Security Focus

Page 38

Guidance and training
Security Guidance Center
Free training for over 500K IT professionals

Security tools
Microsoft Baseline Security Analyzer
Security Bulletin Search Tool

Community engagement
Newsletters
Webcasts and chats
Microsoft “Security360”

Evolving The Solution

Support And Engagement

Page 39

Microsoft Baseline Security Analyzer (MBSA) v1.2
Virus Cleaner Tools
Systems Management Server (SMS) 2003
Software Update Services (SUS) SP1
Internet Security and Acceleration (ISA) Server 2004 Standard Edition
Windows XP Service Pack 2

Patching Technology Improvements (MSI 3.0)
Systems Management Server 2003 SP1
Microsoft Operations Manager 2005
Windows malicious software removal tool

Windows Server 2003 Service Pack 1
Windows Update Services
ISA Server 2004 Enterprise Edition
Windows Rights Management Services SP1
Windows AntiSpyware
System Center 2005
Windows Server 2003 “R2”
Visual Studio 2005

Vulnerability Assessment and Remediation
Active Protection Technologies
Antivirus

Prior

H2 04

Future

2005

Futures

Security Timeline

Page 40

Call To Action

Keep current
Software
Anti-virus, cleaners, anti-spyware, …

Defense in depth
Strong authentication
Firewalls
Anti-malware

Use threat-based development
Learn from others

Page 41

Community Resources

Windows Hardware & Driver Central (WHDC)
www.microsoft.com/whdc/default.mspx

Technical Communities
www.microsoft.com/communities/products/default.mspx

Non-Microsoft Community Sites
www.microsoft.com/communities/related/default.mspx

Microsoft Public Newsgroups
www.microsoft.com/communities/newsgroups

Technical Chats and Webcasts
www.microsoft.com/communities/chats/default.mspx
www.microsoft.com/webcasts

Microsoft Blogs
www.microsoft.com/communities/blogs

Page 42

Resources

General
http://www.microsoft.com/security

XP SP2 Resources for the IT Professional
http://www.microsoft.com/technet/winxpsp2

Security Guidance Center
http://www.microsoft.com/security/guidance

Tools
http://www.microsoft.com/technet/Security/tools

How Microsoft IT Secures Microsoft
http://www.microsoft.com/technet/itsolutions/msit

E-Learning Clinics
https://www.microsoftelearning.com/security

Events and Webcasts
http://www.microsoft.com/seminar/events/security.mspx

