Live Demo: Get Complete Security Visibility in Under 1 Hour
@AlienVault 
About AlienVault
AlienVault has unified the security products, intelligence and community essential for mid-sized businesses to defend against today’s modern threats
Agenda
How Brute Force attacks work
Why detecting these attacks quickly is key
Measures you can take to prevent these attacks
Demo: How to detect and investigate Brute Force attacks with AlienVault USM
Bonus: How to detect the Bash (Shellshock) vulnerability with AlienVault USM
How To, Brute?
• Simply put, a brute force attack consists of an attacker using preconfigured values, trying them against an authentication method, and then analyzing the responses
• Usually performed via a script
• Sometimes with specialized hardware
• Modern-day network-connected applications (email, domain access, etc.) will have policies to thwart simple brute force attacks
  - Captcha
  - Retry limit / delay
  - Account lockout
  - Password requirements (length, complexity, etc.)
Basic Brute Force Attacks
• Dictionary Attack
  - List of common passwords used
  - Software available today that will run through these lists (l0phtcrack, Brutus, John the Ripper)
  - Successful due to the amount of simple (or generic) passwords used
  - Can be thwarted with robust password policies
    o One random character in known words (e.g. “Suc3cess”) could defeat this attack
Basic Brute Force Attacks
• Rainbow Table Attack
  - A form of dictionary attack
  - Uses pre-computed password hashes in a database
  - Takes longer to set up, but the attack is executed faster
  - Requires more storage than usual so, as storage costs went down, this method became more popular
  - EASILY thwarted by salting the password hash
    o Random data used when creating password hash
    o Requires hash dictionary to be recomputed for every password sought, rendering pre-computation infeasible
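Why salting defeats precomputation, shown as an added example (not part of the AlienVault deck): a precomputed digest-to-plaintext table recovers an unsalted password instantly but finds nothing once a per-user random salt is mixed in. The word list, user names and the use of plain SHA-256 are constructed for illustration.

```python
import hashlib
import os

# Constructed stand-in for a leaked "common passwords" list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Success"]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_precomputed_table(words):
    """Attacker-side precomputation, done once: digest -> plaintext for every word.
    A rainbow table is a space-optimised form of this lookup; a dict shows the idea."""
    return {sha256_hex(w.encode()): w for w in words}

def store_unsalted(password: str) -> str:
    # Weak scheme: identical passwords always produce identical digests,
    # so one precomputed table serves every user of every site using it.
    return sha256_hex(password.encode())

def store_salted(password: str, salt=None):
    # Per-user random salt, stored next to the digest (it need not be secret).
    # A real system also uses a slow KDF (bcrypt, scrypt, Argon2); SHA-256 is
    # kept here only so the table-lookup comparison stays direct.
    salt = os.urandom(16) if salt is None else salt
    return salt, sha256_hex(salt + password.encode())

def lookup(table, digest: str):
    """Instant recovery if the digest was precomputed, None otherwise."""
    return table.get(digest)

def verify_salted(password: str, salt: bytes, digest: str) -> bool:
    return sha256_hex(salt + password.encode()) == digest

def demo(password: str = "letmein"):
    table = build_precomputed_table(WORDLIST)
    salt, salted = store_salted(password)
    return {
        "unsalted_recovered": lookup(table, store_unsalted(password)),  # plaintext found
        "salted_recovered": lookup(table, salted),  # None: table built without this salt
        "salted_verifies": verify_salted(password, salt, salted),
    }
```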
Basic Brute Force Example - Recent iCloud Breach
• Exploit in authentication of Apple iCloud’s “Find My iPhone” allowed attackers to gain access to iCloud backups
  - One of many sources for the recently leaked “personal” celebrity photos
• No limit set on the amount of retries in the FindMyiPhone feature
  - Allowed attackers to attempt as many passwords as they wanted to with no immediate repercussions (account lockout, delay, captcha, etc.)
Offline Brute Force Method
If the attack is at this stage, there is not much you can do aside from hoping that someone implemented hash salting and/or a very large key space
• Attacker steals encrypted file with all of your (or your organization’s) passwords
• Attacker now has all of the time in the world to “guess” your passwords
  - Although passwords may be encrypted, the data is on the attacker’s hardware so it’s not subject to retry limits
• This is usually when purpose-built “cracking machines” come into play
  - Loaded with GPUs and/or custom processors
  - More horsepower, the faster the crack
Catching These Threats Quickly Is Key
• The earlier you catch the threat, the less time an attacker has to exhaust password list or key space
  - Allows you to put in place measures to block this certain attack
    o Block a specific IP
    o Shutdown, move, or obfuscate port used
  - Also gives you a chance to prevent future (possibly related) attacks
How To Detect These Attacks
• Brute Force Attacks are one of the few attacks detected by volume rather than type.
• In your web server (or proprietary app) logs, you’ll see a huge amount of authentication attempts
  - Usually originating from the same IP address but, with modern tech, it’s easy for an attacker to mask the actual IP address
• Malformed (or just unusual looking) referring URLs
  - e.g. http://user:password@website.com/login.html
• User names and/or password attempts run sequentially
• We will show you how USM easily detects these threats
False Positives
• We all forget our passwords and sometimes try over and over again, usually with caps lock on…
• Multiple login attempts from the same IP, trying the same credentials over and over again could simply be something like a mobile device, trying to access email with an old password
• Brute force attack activity looks quite different from this, though, and that consideration is reflected in our correlation directives
  - I am not able to try my username/password 300 times in 15 seconds but a computer can…
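Detection by volume, with the false-positive case from the slide above handled, as an added example (not AlienVault code or a USM correlation directive): failures are bucketed per source IP, the peak count inside a 15-second sliding window decides whether a human could have produced them, and a single account retried slowly is reported separately from sequential usernames. The log format, IP addresses and the threshold of 30 are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=15)   # the "300 times in 15 seconds" yardstick from the slide
VOLUME_THRESHOLD = 30            # assumed: far more failures than a person can type in 15 s

# Constructed sample lines, shape: "<ISO timestamp> <src-ip> <username> <result>".
# 203.0.113.5: one user, a few retries over minutes (a phone with an old password).
# 198.51.100.9: 300 failures in 15 s, usernames running sequentially.
SAMPLE_LOG = (
    "2014-10-01T10:00:00 203.0.113.5 alice FAIL\n"
    "2014-10-01T10:00:01 203.0.113.5 alice FAIL\n"
    "2014-10-01T10:00:45 203.0.113.5 alice FAIL\n"
    "2014-10-01T10:01:30 203.0.113.5 alice FAIL\n"
    + "\n".join(f"2014-10-01T10:05:{i % 15:02d} 198.51.100.9 user{i:03d} FAIL"
                for i in range(300))
)

def parse(text):
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)

def max_failures_in_window(times):
    """Sliding window over sorted timestamps: peak number of events within WINDOW."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best

def classify(text):
    """Map each source IP to a verdict; the volume of failures, not their type, decides."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse(text):
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, fails in by_ip.items():
        peak = max_failures_in_window([ts for ts, _ in fails])
        users = {u for _, u in fails}
        if peak >= VOLUME_THRESHOLD:
            verdicts[ip] = "brute_force_sequential_users" if len(users) > 1 else "brute_force"
        elif len(users) == 1:
            verdicts[ip] = "likely_stale_credential"   # the mobile-device case
        else:
            verdicts[ip] = "review"
    return verdicts
```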
Prevention
• Require that your users create robust passwords
  - Minimum length
  - Required characters (!, @, #, $, etc.)
  - Nothing simple or common
• Password retry limit/delay
  - Not implementing one can be the biggest mistake made (iCloud)
• Captchas (everybody LOVES those)
• Binding specific logins to particular IP addresses
• Blocking IPs when multiple failed login attempts come from them
Prevention
• Account lockouts are actually not the greatest idea
  - DDoS
  - Truly malicious actors will just keep locking the account out if there is an expiration period
  - Authentication attempt results can be used to find which account names are valid
    o Only valid accounts will lock…
  - Ineffective when:
    o Password attempts are slow rolled
    o Same password is used against many usernames
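The retry limit/delay the two Prevention slides recommend in place of a hard account lockout, as an added example (not AlienVault code): the delay escalates per (source IP, account) pair so one attacker cannot lock a victim's account for everyone, and the reply is identical for existing and non-existing accounts so lockout behaviour cannot be used to enumerate valid names. The policy numbers, user store and `simulate` script are constructed.

```python
import time
from collections import defaultdict

MAX_FREE_ATTEMPTS = 3   # assumed policy: first three failures carry no delay
BASE_DELAY = 1.0        # seconds; doubles with each further failure, up to MAX_DELAY
MAX_DELAY = 60.0
GENERIC_ERROR = "invalid username or password"   # same wording for unknown and known accounts

def delay_for(failures: int) -> float:
    """Escalating delay instead of a hard lockout: slows guessing, leaves nothing to abuse."""
    extra = max(0, failures - MAX_FREE_ATTEMPTS)
    return 0.0 if extra == 0 else min(MAX_DELAY, BASE_DELAY * 2 ** (extra - 1))

class LoginThrottle:
    """Retry limit/delay keyed on (source IP, account). One source cannot lock a victim's
    account for everyone, and a throttled reply never says whether the account exists."""
    def __init__(self, users, clock=time.monotonic):
        self.users = users                    # constructed {username: password} store
        self.clock = clock
        self.failures = defaultdict(int)      # key -> consecutive failures
        self.not_before = defaultdict(float)  # key -> earliest accepted attempt time

    def attempt(self, src_ip, username, password):
        key = (src_ip, username)
        now = self.clock()
        if now < self.not_before[key]:
            return (False, "too many attempts, retry later")  # credential not even checked
        # Real code compares against a stored hash and does the same hashing work for
        # unknown usernames too, so response timing does not reveal valid accounts.
        ok = self.users.get(username) == password
        if ok:
            self.failures[key] = 0
            return (True, "ok")
        self.failures[key] += 1
        self.not_before[key] = now + delay_for(self.failures[key])
        return (False, GENERIC_ERROR)

def simulate():
    """Scripted run on a fake clock; returns the sequence of replies for checking."""
    t = [0.0]
    th = LoginThrottle({"alice": "s3cret"}, clock=lambda: t[0])
    out = [th.attempt("203.0.113.5", "alice", "wrong") for _ in range(4)]  # 4th sets a 1 s delay
    out.append(th.attempt("203.0.113.5", "alice", "s3cret"))   # throttled despite correct password
    t[0] = 1.0
    out.append(th.attempt("203.0.113.5", "alice", "s3cret"))   # delay elapsed: success
    out.append(th.attempt("203.0.113.5", "nobody", "x"))       # unknown user: same generic error
    out.append(th.attempt("198.51.100.9", "alice", "s3cret"))  # other source unaffected
    return out
```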
Asset Discovery 
• Active Network Scanning 
• Passive Network Scanning 
• Asset Inventory 
• Host-based Software Inventory
Vulnerability Assessment 
• Network Vulnerability Testing 
• Remediation Verification 
Threat Detection 
• Network IDS 
• Host IDS 
• Wireless IDS 
• File Integrity Monitoring 
Behavioral Monitoring 
• Log Collection 
• Netflow Analysis 
• Service Availability Monitoring 
Security Intelligence 
• SIEM Event Correlation 
• Incident Response 
DEMO TIME!
ShellShock – What it is, why should I care?
• Affects Bash (default command shell for Linux, Unix and OS X).
How It Works
• Executes arbitrary commands via a specially formatted environment variable
Who Is At Risk?
• Web servers that make calls to the bash shell
• Network services and daemons that use shell scripts with environment variables.
Back To The Lab…
• Send a ping command to the attacker’s machine
• Multiple malware installs identified.
• Connection to a C&C server
• IRC bot connection
AlienVault Labs Research
• Username/passwords on the binary
• Possible brute force attack
• Known supported commands:
  - PING
  - GETLOCALIP
  - SCANNER
  - HOLD
  - JUNK (DoS flood)
  - UDP (DoS flood)
  - TCP (DoS flood)
  - KILLATTK
• Hundreds of victims already identified.
Detect And Respond
• Malicious sources added to OTX
• Threat intelligence:
  - Multiple IDS signatures including:
    2019231 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in URI
    2019232 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers
    2019233 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in ClientBody
    2019234 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body 2
    2019236 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number
    2019237 - ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK - option 15
    2019238 - ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK - option 67
  - Correlation directives to detect and alarm:
    Exploitation & Installation, Service Exploit, Bash - CVE-2014-6271
    Reconnaissance & Probing, Service Exploit, Bash - CVE-2014-6271
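What the HTTP-side signatures above look for, as an added example (not the ET rules themselves or AlienVault code): the Bash function-definition prefix `() {` that CVE-2014-6271 mishandles when it arrives in an environment variable, checked separately in the request URI, HTTP version, each header and the client body, mirroring the rule split in the list. The request parser and the two sample requests are constructed for offline replay.

```python
import re

# Function-definition prefix that CVE-2014-6271 turns into code execution when it
# lands in an environment variable; whitespace variants are tolerated.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

def scan_request(req):
    """Return the request locations carrying the pattern, in the order the ET rules split them.
    req: {"uri": str, "version": str, "headers": {name: value}, "body": str}."""
    hits = []
    if SHELLSHOCK_RE.search(req.get("uri", "")):
        hits.append("uri")
    for name, value in req.get("headers", {}).items():
        if SHELLSHOCK_RE.search(value):
            hits.append(f"headers:{name}")
    if SHELLSHOCK_RE.search(req.get("body", "")):
        hits.append("body")
    if SHELLSHOCK_RE.search(req.get("version", "")):
        hits.append("version")
    return hits

def parse_raw_request(raw: str):
    """Minimal HTTP/1.x request parser for captured-traffic replay (constructed, not hardened)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"method": method, "uri": uri, "version": version, "headers": headers, "body": body}

# Constructed samples: a benign CGI request and one carrying the marker in User-Agent,
# the header variant that signature 2019232 covers.
BENIGN = "GET /cgi-bin/status HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/7.37\r\n\r\n"
SUSPECT = ("GET /cgi-bin/status HTTP/1.1\r\nHost: example.test\r\n"
           "User-Agent: () { :; }; echo probe\r\n\r\n")

def scan_raw(raw: str):
    return scan_request(parse_raw_request(raw))
```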
DEMO TIME!
More Questions? 
Email Hello@alienvault.com 
NOW FOR SOME Q&A… 
Test Drive AlienVault USM 
Download a Free 30-Day Trial 
http://www.alienvault.com/free-trial 
Try our Product Sandbox 
http://www.alienvault.com/live-demo-site
