<strong>Codenomicon</strong> whitepaper:<br />
Proactive Cyber Security:<br />
Stay Ahead of Advanced<br />
Persistent Threats (APTs)<br />
- Anna-Maija Juuso & Ari Takanen -<br />
1 Introduction<br />
2 Advanced Persistent Threats (APTs)<br />
3 Vulnerability Exposure<br />
4 Known and Unknown Vulnerabilities<br />
5 Fuzzing<br />
6 Automating Fuzzing<br />
7 Abuse Situation Awareness<br />
8 Automating Abuse Situation Awareness<br />
9 Botnet-Inspired Situation Awareness System (AbuseSA)<br />
10 Cyber Security Risks<br />
11 Fuzzing Best Practices<br />
12 Abuse Situation Awareness Best Practices<br />
13 Conclusion<br />
Preemptive security and robustness testing solutions
CODENOMICON WHITEPAPER - Proactive Cyber Security: Stay Ahead of Advanced Persistent Threats (APTs)<br />
1 Introduction<br />
The security landscape is changing: Governments, critical infrastructure providers and defense organizations<br />
increasingly rely on the Internet to perform mission-critical operations. At the same time, cyber attacks<br />
have become more professional with attackers investing more time and money into creating detection<br />
evasion techniques and developing sophisticated, targeted attacks exploiting zero-day vulnerabilities.<br />
Zero-day exploits are the most serious threat, because signature-based defenses have nothing to match<br />
them against and the attacks can go unnoticed. Most organizations are not even prepared for popular untargeted<br />
malware, let alone for Advanced Persistent Threats (APTs). They rely largely on signature-based security solutions,<br />
which only defend against known threats and require continuous rule updates merely to keep up with<br />
known attacks.<br />
In this paper, we take a two-fold approach to securing networks against APTs. Firstly, we discuss using fuzzing,<br />
a robustness testing technique, to discover exploitable zero-day vulnerabilities proactively. Secondly,<br />
we present a botnet-inspired system which enables organizations to expand their knowledge of Internet<br />
abuse without straining their security resources by better utilizing security information already provided by<br />
the security community. By collecting security information from public and private feeds and automatically<br />
generating actionable abuse reports organizations can adopt cost-effective processes for detecting malicious<br />
activity and mitigating incidents. It is equally important to ensure the security and robustness of critical<br />
networks and services and to develop capabilities for detecting attacks at the earliest possible moment.<br />
By implementing fuzzing into your software development and procurement processes and having good<br />
abuse situation awareness, you can prepare your networks against APTs.<br />
2 Advanced Persistent Threats (APTs)<br />
Internet abuse refers to the misuse of the Internet to injure and<br />
disturb other users. It is an umbrella term covering cyber crime,<br />
hacktivism, attacks by nation-state sponsored adversaries and<br />
hobbyist crackers. Different types of internet abuse include<br />
unauthorized network access, data theft and corruption, disruptions<br />
to normal traffic flow (e.g. DoS and DDoS attacks), the<br />
propagation of malware, spamming, phishing and botnets. APT<br />
refers to sophisticated Internet abuse performed by highly motivated<br />
and well-resourced groups, such as organized cyber<br />
criminals, hostile nation states and hacktivists. These attacks<br />
frequently utilize unknown, zero-day vulnerabilities. Zero-day<br />
vulnerabilities pose the greatest threat to network security, because<br />
signature-based defenses have no rule to match attacks against them [1]. The<br />
attacks can go unnoticed, and once an attack is discovered it takes time to<br />
locate the vulnerability and to create a patch for it [1]. Advanced<br />
attacks, like Stuxnet, can utilize multiple zero-days,<br />
making them extremely difficult to defend against.
Preventing Advanced Cyber Attacks<br />
Crackers need to find a vulnerability in the protocol implementation<br />
in order to devise an attack against a target system [2].<br />
By removing potential zero-day vulnerabilities proactively, you<br />
can make it significantly harder for crackers to devise attacks.<br />
Thus, the best way to prevent zero-day attacks is to get rid of exploitable<br />
vulnerabilities proactively [1]. Fuzzing enables you to<br />
find previously unknown, zero-day vulnerabilities by triggering<br />
them with unexpected inputs [1]. By incorporating fuzzing best<br />
practices into your organization’s development and procurement<br />
processes you can improve the security and robustness<br />
of your networks.<br />
Detecting Advanced Cyber Attacks<br />
Not all attacks can be prevented, so organizations must also be<br />
able to detect and respond to attacks that get through. Organizations commonly rely on<br />
signature-based security defenses, such as IPS/IDS solutions, vulnerability<br />
scanners and firewalls [3]. These are fairly effective against<br />
known attacks. However, they can only detect<br />
malware or attack traffic for which an identifier, known as a signature,<br />
already exists and has been deployed [4]. Advanced attacks<br />
exploiting zero-day vulnerabilities can completely bypass<br />
these defenses [3]. Automating abuse information collection<br />
and processing is key to getting actionable information on incidents<br />
in your network, and good abuse situation awareness is key<br />
to establishing systematic and efficient processes for responding<br />
to cyber incidents.<br />
3 Vulnerability Exposure<br />
Vulnerabilities are flaws in software, including the software embedded<br />
in hardware components, which enable crackers to exploit a system. Vulnerabilities<br />
are not created when a system is being attacked. They<br />
are design and implementation errors that are introduced into<br />
the code during development [4]. The errors become vulnerabilities<br />
once the software is released and exposed to outside<br />
attacks [5]. Security researchers, security companies and<br />
hackers discover some of the vulnerabilities, and if they choose<br />
to report the findings, they can enable software developers to<br />
create patches for the found vulnerabilities [5]. After the patch<br />
release the vulnerability becomes public knowledge [5].<br />
No exposure, no publicity<br />
Figure 1 categorizes vulnerabilities based on exposure. The exposure<br />
of a vulnerability depends firstly on whether the vulnerability<br />
can be accessed by outside attackers, and secondly on<br />
how public the vulnerability is. During development, new vulnerabilities<br />
have zero exposure to attacks: nobody knows that<br />
they exist and they cannot be exploited by outsiders [5]. After<br />
release the vulnerabilities have limited exposure: they are open<br />
to attacks, but the attackers first have to find them [5]. After a<br />
patch is released, the exposure is full: the attackers have both<br />
the possibility to attack and the information they need [5]. The<br />
window of public exposure can be kept short by deploying patches<br />
in a timely manner. In this paper, we focus on techniques<br />
used to discover zero-day vulnerabilities with<br />
zero exposure prior to release or implementation,<br />
and to detect attacks exploiting zero-day vulnerabilities<br />
with limited exposure.<br />
[Figure 1: Vulnerability exposure. Zero exposure (inside access only) during development; limited exposure (in- and outside access) after release/implementation; public exposure after patch release. Based on [5].]
4 Known and Unknown Vulnerabilities<br />
In this paper we focus on the fourth quadrant of Figure 2, the unidentified<br />
zero-day vulnerabilities. These vulnerabilities are the biggest<br />
threat to an organization’s security [7]. Their existence is<br />
unknown, there are no signatures for them and an attack<br />
can go completely unnoticed [7]. If an attacker finds a zero-day<br />
vulnerability in a network, service or application, they can do<br />
what they want with it, from website defacing and obstructing operations<br />
to stealing confidential information. Targets of high-profile attacks<br />
are unlikely to be neglecting their patches;<br />
it is the zero-day vulnerabilities in their systems that<br />
make APTs possible. How can APTs be mitigated?<br />
Figure 2 divides vulnerabilities into known and unknown ones, and known<br />
vulnerabilities further by whether a patch is already available.<br />
If you have vulnerabilities within your systems for which patches<br />
already exist, then clearly you should be doing better vulnerability<br />
research and be more vigilant about patch updates [6].<br />
Most organizations do a good job, employing various technologies<br />
like anti-virus, firewall, IPS/IDS to defend against known<br />
attacks and keep up-to-date with software updates [6]. During<br />
the small window when a vulnerability has been discovered but<br />
there is no patch yet, a workaround needs to be implemented.<br />
5 Fuzzing<br />
Fuzzing is a black-box robustness testing technique used to reveal<br />
unknown zero-day vulnerabilities by triggering them with<br />
unexpected inputs. Basically, unexpected data in the form of<br />
modified protocol messages are fed to the inputs of a system,<br />
and the behavior of the system is monitored [9]. If the system<br />
fails, e.g., by crashing or by failing built-in code assertions, then<br />
there is a robustness flaw in the software, and such flaws are frequently exploitable [10]. While<br />
many security techniques focus on finding known vulnerabilities<br />
or variations of them, fuzzing reveals previously unknown<br />
vulnerabilities, so-called zero-day vulnerabilities, by triggering<br />
them with unexpected inputs [4]. Figure 3 depicts the flow of<br />
fuzzing tests.<br />
Discovering Zero-Day Vulnerabilities<br />
A survey conducted by a large independent software vendor<br />
found that every single unique vulnerability found had been<br />
discovered by fuzzing [6]. Fuzzing tools are freely available on the Internet,<br />
and crackers use them to find exploitable vulnerabilities in networks<br />
and applications [6]; exploit kits like the Phoenix Exploit Kit, Blackhole and<br />
Crimepack then package the resulting exploits for delivery. Industry-leading companies are already using<br />
fuzzing to protect their networks against zero-day attacks.<br />
By finding zero-day vulnerabilities proactively, networks can<br />
be made more robust against attacks, reducing the risk of advanced<br />
cyber attacks [4].<br />
[Figure 2: Known and Unknown Vulnerabilities. Known vulnerability, patch available: apply the patch. Known vulnerability, patch not available: implement a workaround. Unknown/zero-day vulnerability: do better vulnerability research; this quadrant is labelled "Zero-Day vulnerabilities and APTs". [8]]<br />
6 Automating Fuzzing<br />
In fuzzing, thousands and even millions of misuse-cases are created<br />
for each use-case, thus most robustness testing solutions<br />
contain at least some degree of automation. There are two popular<br />
ways to automate fuzzing: generation and mutation-based<br />
fuzzing [11]. In mutation-based fuzzing, real-life inputs, such<br />
as network traffic and files, are used to generate test cases by
modifying the samples either randomly or based on the sample<br />
structure [11]. In generation-based fuzzing, the process of data<br />
element identification is automated by using protocol models<br />
[11].<br />
[Figure 3: The flow of fuzzing. [9]]<br />
Specification-based Fuzzing<br />
Specification-based fuzzing is a form of generation-based<br />
fuzzing, which uses protocol and file format specifications to<br />
provide the fuzzer with protocol or file format specific information,<br />
e.g., on the boundary limits of the data elements [11].<br />
Specification-based test generation achieves excellent coverage<br />
testing the protocol features included in the specification.<br />
However, new features and proprietary features not included in<br />
the specification are not covered [12]. If no specification is available,<br />
then the best fuzzing results can be achieved with mutation-based<br />
fuzzers [12]. Generation-based testing can also be<br />
complemented with longer mutation-based fuzzing test runs.<br />
Some vulnerabilities might only be triggered through more aggressive<br />
input space testing [12]. Thus, the best test results are<br />
achieved by combining testing techniques.<br />
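The two automation strategies described in sections 5 and 6, generation from boundary values in a specification and mutation of a captured valid sample, as an added example that is not from the paper and not Defensics code. The target is a hypothetical length-prefixed "CN" message parser written for this example (an assumption, not a real protocol), and the boundary values in SPEC and the mutation operators are this example's own choices. The monitor treats the parser's deliberate ProtocolError as a graceful rejection and anything else that escapes the parser as a robustness failure, which is the distinction the fuzzing section draws: a crash is evidence of a flaw that then has to be assessed for exploitability.<br />

```python
import random
import struct
from typing import Dict, Iterable, List, Optional

# --- Constructed target --------------------------------------------------------
# Parser for a hypothetical "CN" request message (made up for this example):
#   magic "CN" (2) | version (1) | name_len (1) | name | value_len (2, big-endian) | value
# It rejects some bad input on purpose (ProtocolError, the graceful path) but trusts
# name_len and assumes name is ASCII, so other inputs make it blow up.

class ProtocolError(Exception):
    """Deliberate rejection of malformed input: expected behaviour, not a finding."""


def parse_message(data: bytes) -> Dict[str, object]:
    if len(data) < 4 or data[:2] != b"CN":
        raise ProtocolError("bad magic or header too short")
    if data[2] != 1:
        raise ProtocolError("unsupported version")
    name_len = data[3]
    name = data[4:4 + name_len]                          # BUG: never checks name_len bytes exist
    off = 4 + name_len
    (value_len,) = struct.unpack_from(">H", data, off)   # struct.error once off runs past the end
    value = data[off + 2:off + 2 + value_len]
    if len(value) != value_len:
        raise ProtocolError("truncated value")
    return {"name": name.decode("ascii"), "value": value}  # BUG: UnicodeDecodeError on non-ASCII


# --- Fuzzing harness -----------------------------------------------------------
SAMPLE = b"CN\x01\x04host\x00\x01x"   # one valid message, the seed for mutation

# Boundary values per field: the knowledge a specification-based fuzzer carries.
# The name bytes are fixed, so name_len deliberately lies about them.
SPEC = {
    "magic": [b"CN", b"cn", b"\x00\x00", b"CNCN"],
    "version": [0, 1, 2, 255],
    "name_len": [0, 1, 4, 127, 255],
    "name": [b"host", b"h\xffst"],
    "value_len": [0, 1, 0x7FFF, 0xFFFF],
}


def generate_cases(value: bytes = b"x") -> List[bytes]:
    """Generation-based: every combination of the boundary values in SPEC."""
    cases = []
    for magic in SPEC["magic"]:
        for version in SPEC["version"]:
            for name_len in SPEC["name_len"]:
                for name in SPEC["name"]:
                    for value_len in SPEC["value_len"]:
                        cases.append(magic + bytes([version, name_len]) + name
                                     + struct.pack(">H", value_len) + value)
    return cases


def mutate(sample: bytes, rng: random.Random) -> bytes:
    """Mutation-based: one to three random edits of a valid sample."""
    buf = bytearray(sample)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("flip", "byte", "truncate", "dup"))
        if op == "flip":
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == "byte":
            buf[rng.randrange(len(buf))] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
        elif op == "truncate" and len(buf) > 1:
            del buf[rng.randrange(1, len(buf)):]
        elif op == "dup":
            i = rng.randrange(len(buf) + 1)
            buf[i:i] = bytes(buf[:rng.randint(1, 8)])
    return bytes(buf)


def run_case(data: bytes) -> Optional[str]:
    """Monitor: a clean parse or a deliberate ProtocolError is fine; anything else is a failure."""
    try:
        parse_message(data)
    except ProtocolError:
        return None
    except Exception as exc:          # escaped the parser: the crash analogue for a C target
        mod = type(exc).__module__
        return type(exc).__name__ if mod == "builtins" else f"{mod}.{type(exc).__name__}"
    return None


def fuzz(cases: Iterable[bytes]) -> Dict[str, bytes]:
    """Run all cases; keep the first input that triggered each distinct failure type."""
    findings: Dict[str, bytes] = {}
    for case in cases:
        failure = run_case(case)
        if failure is not None and failure not in findings:
            findings[failure] = case
    return findings


def mutation_campaign(sample: bytes = SAMPLE, n: int = 2000, seed: int = 1) -> Dict[str, bytes]:
    rng = random.Random(seed)          # fixed seed so a finding can be reproduced
    return fuzz(mutate(sample, rng) for _ in range(n))


if __name__ == "__main__":
    for label, found in (("generation", fuzz(generate_cases())), ("mutation", mutation_campaign())):
        for failure, case in found.items():
            print(f"{label}: {failure} triggered by {case!r}")
```

Both strategies reach the trusted name_len bug (struct.error) and the ASCII assumption (UnicodeDecodeError); the specification-based run does it in 640 cases because the lengths are chosen to disagree with the payload, while the mutation run relies on truncation and byte-value operators hitting the right offsets. Reporting the first triggering input per failure type is the minimal reproduction package a developer needs.<br />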
7 Abuse Situation Awareness<br />
Human error is frequently attributed as the main cause of security<br />
breaches [13]. Endsley argues that the term “human error”<br />
is misleading, because it implies that the problems are caused<br />
by careless, poorly trained employees, when in most cases the<br />
real problem is inadequate situation awareness [14]. Security<br />
personnel operate in highly complex networks and handle vast<br />
amounts of information [14]. The problem is not that they do<br />
not know what is the correct way to react to incidents. Finding<br />
and identifying security incidents from the flood of network information<br />
is very difficult [14].
[Figure: Attack impact. Infection, malware downloaded, more devices corrupted, critical resources accessed; the "stop abuse here" marker sits at the infection stage, where early detection limits the damage.]<br />
Advanced attacks are typically hard to detect, because they are<br />
designed to stay under the radar [15]. Moreover, information about Internet abuse<br />
is scattered, and local security<br />
experts tend to lag behind the latest knowledge. They use detection<br />
rules that defend against the latest threats to the best of<br />
their knowledge. However, their latest knowledge can be quite<br />
outdated when compared to global state-of-the-art abuse situation<br />
awareness. Good abuse situation awareness provides information<br />
on the current security landscape, making it easier<br />
to identify attacks. For example, when new C&C servers are reported<br />
by the security community, local actors can automatically<br />
deploy this new information to their sensors. Thus, abuse<br />
situation awareness allows you to discover incidents earlier, and<br />
also to detect advanced attacks that might not otherwise be<br />
noticed. With better abuse situation awareness, the human factor<br />
can be reduced [14].<br />
Rapid Detection<br />
The key to reducing the impact of cyber attacks is rapid detection<br />
[15]. According to the Verizon 2012 Security report, in 85%<br />
of incidents it took the attackers only a few minutes to compromise<br />
the victim, but it took them a day or longer to locate and<br />
exfiltrate data [16]. There is a window for mitigating the impact<br />
of cyber attacks, but according to the same report, it took the<br />
victims months or even years to discover the breaches [16]. To<br />
detect APTs at the earliest possible moment, security experts<br />
need quick access to the latest security information. To achieve<br />
this they need to actively monitor all possible sources of abuse<br />
information, something which cannot be executed manually.<br />
Information flood<br />
Better awareness of network incidents and internet abuse enables<br />
you to detect and react to attacks earlier. In most cases,<br />
organizations already have access to the correct information,<br />
but they are not fully using it [14]. Security personnel are<br />
drowned in disparate information from internal sources like<br />
log files, IDS/IPS alerts, network management tools and<br />
SIEM platforms [3]. In addition, there are many<br />
good external sources of threat information<br />
such as government channels, industry associations,<br />
commercial data feeds and<br />
abuse feeds provided by non-profit<br />
organizations such as Shadowserver.<br />
This information comes in a variety<br />
of formats, meaning that security<br />
personnel spend a lot of their time manually<br />
collecting and processing the<br />
information [3]. The vast amount of<br />
information and poor processes result<br />
in security personnel being overwhelmed<br />
and susceptible to missing critical bits of information<br />
[14].
8 Automating Abuse Situation Awareness<br />
By automating the collection and processing of abuse information,<br />
security personnel can handle more information in shorter<br />
time and discover relevant information faster. Automating basic<br />
tasks frees up the security personnel’s time to do the actual<br />
analysis [3]. However, the lack of a common information sharing<br />
standard has been a major hindrance to automating abuse<br />
situation awareness [15]. Security notifications and abuse feeds<br />
come in a variety of formats, including formats that are not<br />
machine-readable [3]. Following external threat information<br />
sources in particular involves sifting through emails, website postings and<br />
other human communications. Instead of waiting for an ideal<br />
information sharing format, organizations should employ practical<br />
security collaboration solutions [15], such as AbuseSA.<br />
Collaboration<br />
The best results are achieved by fully automating the feeders-proxies-cleaners<br />
information chain. Through collaboration,<br />
each organization can scale their security expertise, speed up<br />
attack detection and improve remediation [15]. The feeders<br />
are best at discovering Internet abuse [17]. The proxies have<br />
the best expertise and resources for collecting, aggregating<br />
and reporting abuse information provided by the international<br />
security community [17]. Actual attack mitigation needs to be<br />
done by the cleaners, because only they have access to their<br />
networks [17]. However, the availability of actionable abuse<br />
information collected and reported by the feeders and proxies<br />
makes their task a lot easier.<br />
9 Botnet-Inspired Situation Awareness System (AbuseSA)<br />
Feeders, Proxies and Cleaners<br />
Actors in the abuse situation awareness field can be divided<br />
into three groups: feeders, proxies and cleaners [17]. Feeders<br />
monitor network incidents and provide data for abuse notifications<br />
which can be fed to other organizations [17]. Feeders<br />
are security vendors, industry organizations, government channels<br />
and non-commercial organizations, like Shadowserver,<br />
Zone-H and DShield [17]. The proxies, that is CERTs, ISP abuse<br />
teams and government defense organizations, are in charge of<br />
informing their stakeholders about abuse [17]. The stakeholders<br />
or the cleaners are organizations, enterprises, ISPs, critical<br />
infrastructure providers that are responsible for keeping their<br />
own networks clean [17].<br />
AbuseSA is a botnet-inspired system for automatically<br />
collecting and sharing abuse situation awareness [17]. Similar<br />
systems have been used by the Finnish and Estonian national<br />
CERTs for automated abuse handling [17]. Before they became<br />
associated with malicious purposes, small software modules,<br />
or bots, were used for administrating Internet relay chat (IRC)<br />
rooms [18]. Administrating chat rooms was time consuming,<br />
and bots could be used to automate this task [18]. Criminals took<br />
this approach and used it to create huge botnets. By joining<br />
hundreds of thousands of infected PCs to IRC command and<br />
control (C&C) channels the criminals could control their networks<br />
remotely. An abuse situation awareness system needs<br />
to collect information from potentially unreliable sources and<br />
produce reliable reports. Botnets are modular and resilient and<br />
they can distribute processing. These features make a botnet-inspired<br />
architecture the ideal basis for an abuse situation<br />
awareness system.<br />
[Figure 5: Feeders, Proxies and Cleaners. Feeders produce data which AbuseSA users collect, process and report systematically to protect cleaners and citizens. Feeders (abuse feeds / intelligence): non-profit and commercial organizations such as Shadowserver, Zone-H, DShield, Abuse.ch, Malwaredomainlist and tens more. Proxies: national and governmental CERTs, cyber defense organizations, ISP abuse teams. Cleaners: ISPs, critical infrastructure providers, governmental organizations. [17]]<br />
Benefits of a botnet-based architecture<br />
The botnet-inspired architecture makes AbuseSA very flexible,<br />
scalable and robust. In AbuseSA, each source is followed by its<br />
own bot, which reports to a C&C channel. Using separate bots<br />
for different sources makes the system flexible and resilient to<br />
errors in the sources. The system can collect information from a<br />
wide variety of sources; each bot can be configured to understand<br />
the transports and formats of its source. Thus, the user<br />
can collect information without imposing any requirements to<br />
the feed provider. In addition, new sources can be added simply<br />
by adding a new bot on the fly, which makes the system easy<br />
to scale. The bots communicate over the Extensible Messaging<br />
and Presence Protocol (XMPP), so the various tasks can be<br />
distributed and even run in different geographic locations.<br />
10 Cyber Security Risks<br />
Hobbyists, Hacktivists and Cyber Crime<br />
Security threats have been growing in scale and sophistication<br />
for decades. Twenty years ago, cyber attacks were primarily<br />
the domain of hobbyists. Then, as the opportunity for profiting<br />
from stolen information grew, criminals started taking a larger<br />
role. More recently spies working for government and corporate<br />
espionage are leading some of the most technically advanced<br />
and resource intensive attacks to date. 2011 saw a significant increase<br />
in the activity of “hacktivist” groups like Anonymous and<br />
LulzSec [19]. The motivation for these groups is retaliation for<br />
perceived wrongdoing. Rather than financial gain, their main<br />
goal is embarrassing their victims. However, their attacks are<br />
not without financial consequences.<br />
Critical Infrastructure<br />
Critical infrastructure networks are no longer isolated. They<br />
are all connected to the cyberspace, the global network of<br />
interdependent information technology infrastructures and<br />
communication networks, and they depend on common commercial<br />
off-the-shelf software. When SCADA systems were first<br />
implemented in the 1960s, it would have been hard to imagine<br />
that critical control systems could be attacked remotely or that<br />
printers in adjacent corporate networks could be used as weapons<br />
to attack them. Nobody could envision such threats, so no<br />
measures were taken to make the networks resilient against cyber-attacks.<br />
Newer SCADA devices communicate using Internet<br />
protocols, sometimes over the public Internet [20]. This helps<br />
reduce the cost of dedicated communication links, but at the<br />
same time it makes the networks more open to outside attacks<br />
[20].<br />
Power grids, telecommunication and transportation networks<br />
are exactly the type of infrastructure that has been the target of<br />
traditional warfare, only the weapons have changed [21]. There<br />
have only been a limited number of reported cyber-attacks<br />
against critical infrastructure [21]. However, it would be naïve to<br />
assume that hostile nation states, terrorists and hacktivists are<br />
not aware how vulnerable these networks are and how much<br />
havoc such an attack could cause [21]. Stuxnet was the first<br />
publicly acknowledged act of cyber warfare. It demonstrated that<br />
cyber-attacks can cause significant physical damage to a facility<br />
[22]. Stuxnet was a very sophisticated attack, carefully<br />
selecting its victims and remaining undetected [22]. It utilized<br />
four different zero-day vulnerabilities. However, many critical<br />
infrastructure networks are so vulnerable that it does not take a<br />
sophisticated attack like Stuxnet to exploit them. In many countries,<br />
large parts of the critical infrastructure are privately owned<br />
and extremely vulnerable [21].<br />
Corporate Networks<br />
A network is only as strong as its weakest element [23]. If attackers<br />
manage to compromise a laptop or a smartphone of a<br />
remote user working over a VPN, then they have direct access to your<br />
network. Stuxnet was carried into the plants on a corrupted laptop or thumb drive [22]. Corporate networks connected to critical<br />
networks are full of equipment, like VoIP phones, printers and storage devices. Nobody thought that these devices could be used<br />
to attack the networks, so the developers did not try to make this difficult or impossible to do [12].<br />
When sourcing equipment for critical networks, or for networks connected to critical networks, robustness testing should be<br />
used as an acceptance criterion. The challenge with outsourcing is that you lose visibility into the security and quality of the software<br />
development. Buyers have often been surprised to find that the middleware they purchased has an open source core.<br />
Networks for distributed organizations often include site-to-site, branch office, and remote access networks. There might also be<br />
additional network security layers such as VPNs and LANs. All these add to the complexity of a network making it more difficult to<br />
secure and increasing the importance of proactive measures.<br />
[Figure 6: Closed and corporate networks. The closed network (desktops, laptops, smartphones, USB sticks, printers) sits behind its own router, firewall and IPS/IDS; the corporate network (web servers, VoIP server, storage devices, laptops, USB sticks) connects through a router to the Internet, web and mobile services, cloud services, and over VPN to partners, a branch office, roaming and remote users.]<br />
Cloud Security<br />
In recent years the use of virtualization technologies and cloud<br />
services has increased dramatically. Cloud services and virtualization<br />
can help government agencies connect with citizens,<br />
improve efficiency and reduce costs. However, like any new<br />
technology, cloud services and virtualization introduce new security<br />
concerns. New technologies are not necessarily inherently<br />
less secure than old ones; they just have not been tested and<br />
used for as long, and the threats can be different. The main<br />
security risk in cloud technologies is the hypervisor, which controls<br />
all the guests on a virtualized host. If a hypervisor, such as IBM’s PHYP, or the<br />
interfaces it exposes to its guests contain vulnerabilities,<br />
these could be exploited to inject malicious code into, or otherwise<br />
take control of, other tenants’ virtual machines.<br />
eGov and mGov<br />
eGov and mGov services make information sharing between<br />
citizens, businesses and government more seamless: less paperwork,<br />
less bureaucracy and you use the services whenever,<br />
wherever. Such initiatives should be applauded, as they improve<br />
the efficiency of government services and improve the<br />
quality of service experienced by the users. However, in developing<br />
services with external user interfaces to handle private<br />
and confidential information, the robustness of the services<br />
should be thoroughly tested before deployment. Any security<br />
incidents could erode user confidence and set back the development<br />
of the services.
11 Fuzzing Best Practices<br />
Fuzzing can be used to test any software, including the software<br />
embedded in hardware, so you can use it to test all types of<br />
applications, services and network equipment like routers,<br />
switches and servers, and also security software like antivirus<br />
and firewalls [6]. The cost of not fuzzing can be high:<br />
an important network element going offline<br />
or a service becoming unavailable is costly, never mind the consequences of an<br />
advanced cyber attack.<br />
As an acceptance condition<br />
Many vendors are in a hurry to push software onto the market,<br />
and often it is the user who ends up doing the<br />
testing [12]. In fact, software products have the highest<br />
rate of defects of any product sold today [12]. By insisting on<br />
fuzzing as an acceptance condition, you can make<br />
vendors take responsibility for the quality and security of<br />
their products [6]. A prominent US ISP already uses fuzzing<br />
as an entry criterion for its network suppliers [7]. The <strong>Codenomicon</strong><br />
Defensics test suites automatically collect all important<br />
information on found vulnerabilities into a Remediation<br />
Package, which you can send to third parties for automated<br />
reproduction [23].<br />
During SDL<br />
Large software houses already include fuzzing as a part<br />
of their secure development lifecycles: Cisco’s CSDL, Microsoft’s<br />
SDL and the Adobe product lifecycle are good<br />
examples of this. Giants like IBM and Google also promote<br />
fuzzing [12]. The Microsoft Security Development Lifecycle<br />
(SDL) model endorses the use of fuzzing in the verification<br />
phase [24]. However, fuzzing can be used throughout the<br />
development process from the moment the first software<br />
components are ready to even after the release [24]. The<br />
earlier the vulnerabilities are found, the easier and cheaper<br />
it is to fix them [1]. Indeed, by building security into your<br />
software you can avoid costly, critical and embarrassing<br />
software blunders.<br />
During production<br />
In addition to fuzzing during development, the production<br />
environment should also be tested, because testing elements<br />
in isolation does not always reveal the same issues as<br />
testing a live environment [6]. However, this may disrupt the<br />
tested system, because it is essentially simulating an attack<br />
against it [24]. Thus, it should only be done after extensive<br />
testing and in the presence of support personnel [24].<br />
Augmenting perimeter security defenses<br />
During the lag time between threat discovery and signature<br />
deployment, the IDS (intrusion detection system) is<br />
unable to identify the threat [23]. Help your defenses block<br />
attacks exploiting zero-day vulnerabilities by using the extensive<br />
documentation that Defensics provides [23]. The<br />
test cases triggering vulnerabilities in your system are described<br />
clearly, making it easy to write your own IDS rules<br />
[23]. The rules can be based on vulnerabilities found by running<br />
predefined Defensics tests, or testing around known<br />
vulnerabilities downloaded from third party vulnerability<br />
feeds [23]. You can also use Defensics to generate variations<br />
of the original attack and to test how well IDS/IPS systems<br />
and firewalls can detect and block both the original attack<br />
and variations of it [23].
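As an added example, not from the whitepaper or from Defensics, the toy protocol below stands in for a fuzz finding (an oversized length-prefixed field that crashes the target) and compares a byte-exact IDS signature written from the single crashing test case with a rule written from the root cause, measuring both against fuzzer-style variations of the original attack. The protocol, the crash condition and the rule shapes are all constructed assumptions.

```python
import struct

# Constructed toy protocol (assumption, not a real protocol): 1-byte type,
# 1-byte declared length, then the field bytes. The assumed fuzz finding:
# the target crashes when a type-0x01 "name" field is declared longer than
# MAX_NAME bytes, because it is copied into a fixed 32-byte buffer.
NAME_TYPE = 0x01
MAX_NAME = 32

def build_msg(msg_type: int, payload: bytes) -> bytes:
    """Encode one message of the toy protocol."""
    return struct.pack("BB", msg_type, len(payload)) + payload

# The single test case that triggered the crash (constructed sample).
ORIGINAL_CASE = build_msg(NAME_TYPE, b"A" * 40)

def variations(case: bytes):
    """Variants of the crashing case, as a fuzzer would produce them: the same
    structural anomaly (oversized field) with different filler bytes and lengths."""
    msg_type, _declared_len = struct.unpack("BB", case[:2])
    for filler in (b"B", b"\x00", b"\xff", b"%"):      # single-byte fillers
        for extra in (1, 8, 100):
            yield build_msg(msg_type, filler * (MAX_NAME + extra))

def byte_signature_rule(msg: bytes) -> bool:
    """Naive IDS rule: match the exact bytes of the one crashing test case."""
    return msg == ORIGINAL_CASE

def structural_rule(msg: bytes) -> bool:
    """Rule written from the root cause: any name field declared longer than
    MAX_NAME is an attack attempt, whatever bytes fill it."""
    if len(msg) < 2:
        return False
    msg_type, declared_len = struct.unpack("BB", msg[:2])
    return msg_type == NAME_TYPE and declared_len > MAX_NAME

def detection_rate(rule, cases) -> float:
    """Fraction of the given messages that the rule flags."""
    cases = list(cases)
    return sum(1 for c in cases if rule(c)) / len(cases)

if __name__ == "__main__":
    for rule in (byte_signature_rule, structural_rule):
        print(rule.__name__, "original:", rule(ORIGINAL_CASE),
              "variations:", detection_rate(rule, variations(ORIGINAL_CASE)))
```

Both rules catch the original test case; only the root-cause rule catches the variations, and it still passes a well-formed name message.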
12 Abuse Situation Awareness Best Practices<br />
To respond to cyber attacks in a timely and effective manner, organizations need to adopt systematic<br />
incident handling processes. Developing such processes requires the ability to share real abuse situation<br />
information. The key to designing an effective situation awareness system is understanding<br />
that real situation awareness only exists in the mind of the human operators [14]. Thus, tons of data<br />
will not help unless it is successfully transmitted, absorbed and assimilated in a timely manner by the<br />
operator [14]. Here are some best practices for abuse situation awareness.<br />
Automated Data Collection<br />
External abuse feeds are an under-used resource, and it is easy to understand why: There can be<br />
billions of abuse notifications daily, each of them different in terms of timing, format, transport and<br />
content [3]. Security personnel must sift through emails, website postings or other communications.<br />
In most organizations, these tasks are performed manually by skilled analysts. It makes a lot<br />
of sense to automate basic tasks like collecting and processing abuse information, and free up the<br />
analysts’ time to do the actual analysis [3].<br />
Automated Analysis<br />
Expertise plays a major role in situation awareness [14]. An experienced operator will be able to<br />
spot similarities between events, even if the events are not exactly alike [14]. For novices this task<br />
is much harder [14]. Thus, a good situation awareness system should help the operators draw parallels<br />
between events [14]. In AbuseSA, incidents are stored into a knowledge database for users<br />
with access rights to share. This information can be used to automatically augment abuse feeds’<br />
information in real-time. For example, if a certain IP address has been identified as a drop zone,<br />
then traffic to this address will immediately be flagged as high risk.<br />
Actionable Reporting<br />
Abuse feed transports and formats vary considerably. Reporting standards, on the other hand, can<br />
be strict [17]. AbuseSA sanitizes and normalizes all the information, sending reports to stakeholders<br />
at preferred times, in preferred formats. Actionable reporting enables stakeholders to take<br />
swift action. Organizations often waste time handling notifications that contain inaccurate, false or<br />
old information, or do not contain vital information, like IP addresses. AbuseSA filters out such<br />
notifications and reports only actionable abuse information.<br />
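The collection, analysis and actionable-reporting steps above, as an added example that is not AbuseSA code: two constructed feed formats (one CSV, one JSON) are normalized into one record shape, events missing an IP address or older than a week are dropped, and the rest are enriched against a constructed knowledge base of addresses already identified as drop zones. The feed formats, field names, fixed clock, age limit and addresses are all assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample feed lines (assumed formats, not any real provider's):
# one feed delivers CSV "time,category,source_ip,description", the other JSON.
CSV_FEED = [
    "2012-08-15T10:02:00Z,malware,198.51.100.7,trojan check-in observed",
    "2012-08-15T10:05:00Z,phishing,,report without a source address",
    "2012-06-01T08:00:00Z,spam,203.0.113.9,ten-week-old report",
]
JSON_FEED = [
    '{"time": "2012-08-15T10:07:00Z", "category": "botnet", "src": "192.0.2.44"}',
    '{"time": "2012-08-15T10:09:00Z", "category": "botnet", "src": "198.51.100.7"}',
]

# Constructed stand-in for the shared incident knowledge base: addresses that
# earlier incidents identified as drop zones.
KNOWN_DROP_ZONES = {"198.51.100.7"}

NOW = datetime(2012, 8, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for a reproducible run
MAX_AGE = timedelta(days=7)                              # older reports are treated as stale

def parse_time(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def normalize_csv(line: str) -> dict:
    """Map one CSV feed line onto the common record shape."""
    ts, category, ip, _description = line.split(",", 3)
    return {"time": parse_time(ts), "type": category, "ip": ip or None}

def normalize_json(line: str) -> dict:
    """Map one JSON feed line onto the same record shape."""
    d = json.loads(line)
    return {"time": parse_time(d["time"]), "type": d["category"], "ip": d.get("src") or None}

def is_actionable(event: dict, now: datetime = NOW) -> bool:
    """Keep only events that carry the vital field (an IP) and are fresh enough to act on."""
    return event["ip"] is not None and now - event["time"] <= MAX_AGE

def enrich(event: dict) -> dict:
    """Augment the event with knowledge from earlier incidents."""
    event["risk"] = "high" if event["ip"] in KNOWN_DROP_ZONES else "normal"
    return event

def build_report(csv_lines=CSV_FEED, json_lines=JSON_FEED, now: datetime = NOW) -> list:
    """Collect from both feeds, drop non-actionable events, enrich the rest."""
    events = [normalize_csv(l) for l in csv_lines] + [normalize_json(l) for l in json_lines]
    return [enrich(e) for e in events if is_actionable(e, now)]
```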
Figure 7: Map view of Internet abuse.<br />
Figure 8: Categorization view of Internet abuse.
Figure 9: Dynamic visualizations allow you to view the same data on different abstraction levels.<br />
Visualizations<br />
Situation awareness should help operators make better informed<br />
decisions faster [17]. Information collected at the lowest<br />
level can easily overwhelm human decision makers [26]. It<br />
is better to provide information on multiple abstraction levels<br />
with high-level abstractions complementing lower level details<br />
[26]. Abuse Situation Awareness generates this with real-time<br />
visualizations, providing high level abstractions (Figure 7). By<br />
clicking on the interactive images users can drill down to more<br />
detailed information for a closer analysis (Figure 8). Also,<br />
the analyst can highlight different aspects of the collected information<br />
by choosing the visualized datasets differently (Figure<br />
9).<br />
Collaboration<br />
Global situation awareness is essential for understanding the<br />
threat landscape. Many actors only have an “island view” of<br />
events, knowing what is happening in their own network. Yet,<br />
global abuse situation awareness is the key to understanding<br />
global incident trends. The global view enables authorities and<br />
major players in different countries to share intelligence on the<br />
development of the incident and coordinate their responses<br />
[27]. Due to the sheer volume of dynamic information involved,<br />
visualizations are essential to providing global abuse situation<br />
awareness. AbuseSA provides a combination of interactive<br />
earth-view visualizations and abuse categorizations based on<br />
location, abuse type and industry.
Combining Internal and External Information<br />
Comprehensive situation awareness is achieved by combining threat and vulnerability intelligence from internal<br />
and external sources. Most organizations employ SIEM systems and IPS/IDS solutions, which provide<br />
valuable insight into incidents within networks. However, even serious cyber threats can be dismissed as<br />
random attacks, if the security personnel lack the global abuse situation awareness needed to examine events<br />
in coordination with other security incidents.<br />
Similarly, external abuse information requires<br />
network-specific intelligence to be applied into<br />
practice. Figure 10 depicts the iteration of abuse<br />
situation awareness from internal and external<br />
sources. The internal resources include vulnerability<br />
and threat information from internal threat<br />
monitoring and in-house fuzz tests. The external<br />
resources include general abuse feeds and<br />
industry-specific threat information. Utilizing<br />
external information sources used to be challenging,<br />
due to the lack of common information<br />
sharing standards. AbuseSA solves this problem<br />
by being format-independent. You can use AbuseSA to collect and present information in any format, making<br />
it easier to combine internal and external security intelligence. AbuseSA also makes it possible to share<br />
security information within industries on a completely new level.<br />
13 Conclusion<br />
Cyber attacks are getting more sophisticated and traditional signature-based defenses are no longer enough<br />
to secure increasingly public networks. There has been a sharp rise in Advanced Persistent Threats, highly-motivated<br />
and well-resourced groups carrying out high-impact attacks. These attacks frequently exploit zero-day<br />
vulnerabilities, making them hard to detect and difficult to defend against.<br />
This paper presented two approaches to handling such threats. Firstly, fuzzing can be used to prevent zero-day<br />
attacks by getting rid of exploitable vulnerabilities proactively. Secondly, abuse situation awareness provides<br />
you with the information you need to respond to cyber attacks rapidly.<br />
The best results can be achieved by incorporating fuzzing and situation awareness best practices into your<br />
organization’s processes. Fuzzing should be a part of your software development and procurement processes.<br />
Similarly, abuse situation awareness should be a part of your network monitoring processes automating the<br />
collection of abuse and incident information from internal and external sources. Due to the complexity and<br />
vastness of critical networks, the only effective form of cyber security is proactive cyber security.
References<br />
[1] <strong>Codenomicon</strong>, “How to Really Avoid Zero-Day Attacks – Build Security In, Don’t Add it”, January 2010.<br />
[2] OECD, “Malicious Software (Malware): A Security Threat to the Internet Economy”, OECD Ministerial Meeting on the Future of the Internet Economy, June 2008.<br />
[3] RSA, The Security Division of EMC, “Getting Ahead of Advanced Threats: Achieving Intelligence-Driven Information Security”, Security for Business Innovation Council Report, 2012.<br />
[4] T. Rontti, A-M. Juuso & J-M. Tirilä, “Securing Next Generation Networks by Fuzzing Protocol Implementations”, November 2011.<br />
[5] A. Takanen, “Unknown Vulnerability Management and Testing”, Fuzzing 101 Webinar, January 2011.<br />
[6] C. Wang and A. Takanen, “Fuzz your infrastructure - the blackhats are doing it, shouldn’t you”, <strong>Codenomicon</strong> and Forrester, Fuzzing 101 Webinar, April 2011.<br />
[7] A-M. Juuso & A. Takanen, “Unknown Vulnerability Management for Telecommunications”, March 2011.<br />
[8] “Next-Generation Marketing and Measurement”, a commissioned study conducted by Forrester on behalf of Omniture, June 2009. Cited in [6].<br />
[9] A. Takanen, J.D. DeMott & C. Miller, Fuzzing for Software Security Testing and Quality Assurance, Artech House, 2008.<br />
[10] A. Takanen, “Fuzzing: Helping to Avoid Zero-Day Attack”, February 2010. http://www.continuitycentral.com/feature0754.html, visited 2011/12/09.<br />
[11] R. Kaksonen & A. Takanen, “XML Fuzzing Tool: Testing XML on Multiple Levels”, Testing Experience, December 2009.<br />
[12] M. Varpiola, “Embedded Device [fuzz] testing [against [A]PT], Government and Defense perspective”, Amphion Forum, June 2012.<br />
[13] L. F. Cranor, “A Framework for Reasoning About the Human in the Loop”, UPSEC 2008. http://static.usenix.org/event/upsec08/tech/full_papers/cranor/cranor.pdf, visited 2012/08/15.<br />
[14] M. R. Endsley, “Designing for situation awareness in complex systems”, Proceedings of the Second International Workshop on Symbiosis of Humans, Artifacts and Environment, Kyoto, Japan, 2001.<br />
[15] RSA Security Brief, “Breaking Down Barriers to Collaboration in the Fight Against Advanced Threats”, February 2012.<br />
[16] Verizon, “2012 Data Breach Investigations Report”, 2012.<br />
[17] J. Kenttälä, “Abuse Situation Awareness: Deal with Malware, Spam, Botnets, Phishing and more”, August 2012.<br />
[18] I. Sánchez, E. Kuusela, S. Turpeinen, J. Röning & J. Riekki, “Botnet-inspired Architecture for Interactive Spaces”, Proceedings of the 8th International Conference on Mobile and Ubiquitous Multimedia, Cambridge, UK, 2009.<br />
[19] HP, “2011 Top Cyber Security Risks Report”, technical white paper, April 2012.<br />
[20] P. Sommer & I. Brown, “Reducing Systemic Cybersecurity Risk”, OECD Project Future Global Shocks, January 2011.<br />
[21] The Washington Post, “Understanding cyberspace is key to defending against digital attacks”, June 2012. http://www.washingtonpost.com/investigations/understanding-cyberspace-is-key-to-defending-against-digital-attacks/2012/06/02/gJQAsIr19U_story.html, visited 2012/08/15.<br />
[22] S. Kroft, “Stuxnet: Computer worm opens new era of warfare”, 60 Minutes, July 2012.<br />
[23] A-M. Juuso & A. Takanen, “Unknown Vulnerability Management”, April 2010.<br />
[24] A-M. Juuso & A. Takanen, “Building Secure Software using Fuzzing and Static Code Analysis”, August 2011.<br />
[25] Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security, “Homeland Security Strategy for Critical Infrastructure Protection in the Financial Services Sector”, May 2004.<br />
[26] P. Barford et al., “Cyber SA: Situational Awareness for Cyber Defense”.<br />
[27] R. Chipman & R. Wuerfel, “Network based Information sharing Between Emergency Operations Center”, IEEE, 2008.<br />
CODENOMICON LTD | INFO@CODENOMICON.COM | WWW.CODENOMICON.COM<br />
Global and EMEA Headquarters | Tutkijantie 4E FIN-90590 OULU FINLAND | Tel. +358 424 7431<br />
Americas Headquarters | 12930 Saratoga Avenue, Suite B-1 Saratoga, CA 95070 UNITED STATES | Tel. +1 408-414-7650<br />
APAC Headquarters | 46B Tras Street Singapore 078985 Singapore | Tel. +65 9188 1502