The following are threats to cloud infrastructure:
- Data segregation failures and session hijacking.
- The multi-tenancy model is a major challenge to privacy.
- The security of your data is directly tied to storage security at the cloud service provider's data centres, which you do not control.
- Traditional breach opportunities do not go away when you move to the cloud.
- Malicious users can sniff network packets and gain extensive insight into your traffic.
- Attackers can bypass the application logic and access the databases directly.
- Cyber criminals have learned to move laterally between tenants, which makes multi-tenancy vulnerable.
- Check your SLA: do not assume the service provider will be able to support electronic discovery or internal investigations of illegal activity.
- What happens to your data if the cloud provider goes out of business?
- Check your SLA: in most cases NONE of an organization's legal and regulatory compliance responsibilities are transferred to a provider when the organization adopts cloud services.
The cyber kill chain was documented to explain how cyber criminals were getting in. Several years ago the single-vector cyber attack gave way to a multi-vector approach, and the kill chain also describes the sequence of events an attacker goes through to accomplish the goals of the campaign.
The kill chain stages are individual steps, and solutions were put in place to perform a function at each stage, but not across stages. What those solutions did not address was the rapidly changing, never-before-seen, polymorphic attack. The principles are the same; the per-stage solutions are not enough.
The missing link was intelligence in real time. The key attributes of intelligence, as defined in Wikipedia, are knowledge, learning, memory, problem solving and reaction time. Intelligence delivers the ability to learn and remember what each step in the cyber kill chain did. With that analysis (problem solving) and knowledge of the TOTAL situation, one can react and block with high accuracy in real time.
Barrier1 Intelligent Threat Management goes beyond UTM, NGFW, cloud solutions and sandboxing
Intelligent Threat Management in Real Time
goes beyond static-analysis and dynamic-analysis sandboxes
Somewhere between $7B and $20B per year is being spent on network security. Yet it is reported that 8,000 to 30,000 new malware exploits are identified per month and, worse, they are getting through the defenses. UTM, NGFW, sandboxes and cloud security services were supposed to have fixed or stopped the problem, along with the belief that if you spent a lot of money on these platforms and on extensive vulnerability scans you would be protected.
History has a clue
Network security was built on a couple of notable fundamentals. The process went like this:
1. Early attacks were singular in nature: they had one attack vector.
2. Defense designs first had to find and identify the cyber attack.
3. Identification meant finding someone who had been the recipient of the attack and then scanning that system.
4. Once the attack was found, a solution was crafted and the fix distributed. This often took weeks to months.
This process held for viruses, Trojans, bad web sites and so on. It was the method used by routers (ACL rules and thresholds), firewalls (rules), AV (signatures), web content/URL filtering and IDS (definitions). The cycle could take months. As profit and disruptive motives increased, new vulnerabilities in operating systems, applications and processes were discovered faster and exploited faster. This ushered in new terms such as zero day, malware, bots, mutation, polymorphic, dynamic, automatic, evasive, rapid evolution and APTs.
The common themes in this evolution of attacks are:
• Sensors: cyber criminals took some old and some new tools and used them to learn what was in place. These include key loggers, rootkits, threshold techniques and so on.
• Time compression: new attack types and categories are developed and launched faster.
• Change: once launched, attacks have the ability to change. That could mean a change in responses, timing, acknowledgements, required responses, ports, destinations, file structure and so on.
• Intelligent evasion: packing, encryption, changing the required response time and changing the fingerprint of the code all alter the outcome for signature-based defenses.
How did the cyber criminals change?
Cyber criminals continued to increase their activities, and the increased activity compressed the time it took for new versions and methods to appear. Second, they turned the cyber attack from a single-vector structure into a multi-vector approach. Third, the cyber attack became a process: learn about the target, figure out how to get around the defenses, attack, extract the information called for by the objective, and cover tracks.
These activities are much like modern warfare, and cyber criminals used the same steps. Over time the process became automated, at speeds that rendered present security solutions useless. Thus $7B to $30B is spent and cyber criminals are still getting through.
What is the security gap in today's approaches?
The fundamental security gaps are:
1. Learning: no real-time learning at the edge of the network.
2. Remembering: no one remembers what they found.
3. Analysis: no one is analyzing the entire data stream together, as a whole.
4. Slow reaction: today's network speeds require inspection, analysis and reaction within microseconds.
5. Automation: humans can no longer analyze fast enough to be effective.
These fundamental requirements are absent in UTM, NGFW, sandboxing and cloud-based security solutions.
A new category is on the horizon. Some media outlets are calling it the "Breach Detection Market". So what is this and how would it work? For it to work you have to A. identify and block the known cyber attacks and B. identify and block the never-before-seen cyber attacks, all in real time.
Using real-time intelligence at the edge of the network is the only way.
More and more malware is being discovered that targets networking equipment and SCADA systems. BlackEnergy is one example, and it is another case proving that malware and APTs are a process.
BlackEnergy's capabilities include a plugin architecture for custom Trojan modules; stealing digital certificates and passwords; attacking, and launching attacks from, Cisco routers and other networking devices; targeting ARM and MIPS platforms; launching DDoS attacks; and support for a number of protocols such as SMTP, HTTP and FTP. It can also delete system logs and all files related to the malware to cover its tracks, and gather information from USB devices. For command and control it uses many different servers.
Barrier1, with all of its components and its SCADA protocol support, would be able to identify this attack. One of the main reasons is its ability to learn, inspect all traffic and analyze the traffic as a whole: if a DDoS is launched, Barrier1 would learn its origins and block that same source if it later tried to steal digital certificates. In addition, Barrier1 has various versions of keyloggers on board acting as sensors. If the keyloggers detect activity and block it, the key attributes are logged in the onboard database and are thus available for immediate (12 microsecond) use in the analytics for the next packet.
Voxis presents another challenge for POS systems. This one claims to get around Apple Pay, CurrentC and other payment systems.
Present fraud-detection systems are limited in their analysis and only block transactions that look like they come from automated systems. Voxis submits fraudulent card transactions with the characteristics of a human sending a payment from a mobile device or PC.
Next, Voxis needs a fraudulent e-commerce site and one merchant account with a payment processor. If you do not have a site, Voxis will build one for you. The next step is a stolen identity, which is used to open an account with a processor. Last, any automated payment system will need the CVV number. In this case it can be supplied along with the fraudulent card information, or Voxis fills it in automatically; the tool supports over 32 different credit card processors.
Barrier1 can identify and stop this attack.
Even Go (golang), the programming language created by Google and used by Dropbox and Sendspace, has been used to write malware since 2012. This malware checks personal folders and uploads documents with common file extensions, using stored refresh tokens to bypass the storage service's normal authentication process. This is especially useful information, because the activity is generally found during the reconnaissance steps.
Barrier1 would catch this process through the file structures, the movement of the files and the lack of an authentication step. All of these have specific attributes that would be added to the database and thus remembered when the main cyber attack takes place.
The Barrier1 Intelligent Threat Management platform has a key element: it learns and remembers.
DNS plays a major role in network traffic, so if one could take control of or change DNS it would be a major step in a cyber breach. That is what a DNS changer does. Some are classified as Trojans because of their ability to hide, yet they are part of an overall malware scheme.
A DNS changer modifies resolver settings without the user's knowledge or consent. Once modified, they direct you to a compromised DNS server or service, usually in a foreign country. Without sensors to notify you, and with the speed of worldwide internet connections, you would never know unless someone kept a continuous eye on the logs 24x7, and even then it would be too late. Traffic is redirected without your knowledge, very much like a man-in-the-middle attack.
Once DNS redirection has occurred, Trojans are dropped onto the system via malware. Once installed, they modify DNS settings, force requests onto criminal-operated DNS servers, replace logs, and control and redirect network traffic.
Barrier1's sensors will detect 1. DNS setting changes, and 2. DNS traffic to unusual or non-authorized locations. If it is in automatic mode, Barrier1 would then block and alert.
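As an added illustration of the two sensors just described (example code written for this page, not Barrier1's own code and not from the original text), the following Python diffs a host's resolver configuration against a known-good baseline and audits flow records for DNS traffic to resolvers outside the authorised set. The resolver addresses, the resolv.conf contents, the flow lines and the block/alert actions are all constructed for the example; a real deployment would substitute its own resolver list and its own enforcement hook.

```python
import ipaddress

# Assumption (constructed): the organisation's only authorised recursive resolvers.
AUTHORIZED_RESOLVERS = {
    ipaddress.ip_address("10.0.0.53"),
    ipaddress.ip_address("10.0.1.53"),
}

# Known-good resolver configuration recorded at baseline time (constructed).
BASELINE_RESOLV_CONF = "nameserver 10.0.0.53\nnameserver 10.0.1.53\n"

# The same file after a DNS changer has run (constructed): one authorised
# resolver has been swapped for an attacker-controlled address.
TAMPERED_RESOLV_CONF = "nameserver 198.51.100.7\nnameserver 10.0.0.53\n"

# Constructed flow records: "<timestamp> <src> <dst> <dport> <proto> <query-name>".
# 10.0.0.22 is the infected host; 198.51.100.7 is the rogue resolver.
SAMPLE_FLOWS = [
    "2014-11-03T09:12:01Z 10.0.0.15 10.0.0.53 53 udp www.example.com",
    "2014-11-03T09:12:02Z 10.0.0.15 10.0.0.53 53 udp mail.example.com",
    "2014-11-03T09:12:05Z 10.0.0.22 198.51.100.7 53 udp bank.example.net",
    "2014-11-03T09:12:06Z 10.0.0.22 198.51.100.7 53 udp www.example.com",
    "2014-11-03T09:12:09Z 10.0.0.22 203.0.113.9 443 tcp -",
]


def parse_nameservers(resolv_conf):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(ipaddress.ip_address(parts[1]))
    return servers


def detect_resolver_change(baseline_conf, current_conf):
    """Sensor 1: diff the host's current resolver list against the baseline."""
    base = set(parse_nameservers(baseline_conf))
    cur = set(parse_nameservers(current_conf))
    return {
        "added": sorted(str(a) for a in cur - base),
        "removed": sorted(str(a) for a in base - cur),
    }


def audit_dns_flows(flow_lines, authorized=AUTHORIZED_RESOLVERS):
    """Sensor 2: flag DNS traffic (dport 53) whose destination is not an authorised resolver."""
    findings = []
    for line in flow_lines:
        ts, src, dst, dport, _proto, qname = line.split()
        if dport != "53":
            continue
        if ipaddress.ip_address(dst) not in authorized:
            findings.append({"ts": ts, "src": src, "resolver": dst, "qname": qname})
    return findings


def respond(findings, automatic=True):
    """Automatic mode: block each offending client->resolver pair, then alert. Otherwise alert only."""
    actions = []
    seen = set()
    for f in findings:
        pair = (f["src"], f["resolver"])
        if pair in seen:          # one action per pair, not per query
            continue
        seen.add(pair)
        if automatic:
            actions.append(("block",) + pair)
        actions.append(("alert",) + pair)
    return actions


if __name__ == "__main__":
    print(detect_resolver_change(BASELINE_RESOLV_CONF, TAMPERED_RESOLV_CONF))
    for action in respond(audit_dns_flows(SAMPLE_FLOWS)):
        print(action)
```

On the constructed input the config diff reports 198.51.100.7 added and 10.0.1.53 removed, and the flow audit catches only the two port-53 flows from 10.0.0.22 to the rogue resolver; the HTTPS flow to 203.0.113.9 is ignored because the sensor is scoped to DNS. Note that sensor 2 only works if the allow-list is the complete set of resolvers clients are meant to use, and that encrypted DNS (DoH on port 443) would need a different check.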
APTs have really been around since the 1990s and early 2000s. They were originally found on government networks; now the successful process has found its way outside of government.
The APT process is the same as the classic intelligence cycle, including:
- Planning and Direction
- Analysis and Production
That is the Barrier1 process.
Barrier1 identifies and stops APTs in real time.
Reports are out that SSL has a vulnerability now known as "POODLE". The vulnerability is in SSL 3.0 (and older versions), not in TLS itself; even where an SSL-VPN has been upgraded to TLS, however, it can still be exposed. The key is that the attacker must intercept the traffic, so a man-in-the-middle position is used. The attacker interferes with the TLS handshake to force an error, and the client's natural reaction is to retry with a downgraded protocol version. So TLS, which was meant to improve on SSL, gets downgraded to SSL 3.0 to ensure a connection, and the attacker then exploits the SSL 3.0 weakness against the encrypted session. The end result is a breach. The standard mitigations are to disable SSL 3.0 outright and to support TLS_FALLBACK_SCSV (RFC 7507), which lets a server recognise a fallback retry and refuse it.
Barrier1 would identify the man-in-the-middle and the downgrade from TLS to SSL. If the customer does not want SSL 3.0, Barrier1 would identify the SSL 3.0 handshake and block the connection.
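As an added example, not code from the page or from Barrier1, the following Python shows the two checks an inline device or server can make on a ClientHello to counter the downgrade described above: refuse an SSL 3.0 ClientHello outright, and, per RFC 7507, refuse a ClientHello that carries TLS_FALLBACK_SCSV with a version below the server's best (the signature of a fallback retry forced by a man-in-the-middle). build_client_hello, parse_client_hello and evaluate are helpers written for this example; the ClientHello bytes are constructed, not captured from real traffic, and the random and session-id fields are left empty.

```python
import struct

SSL3, TLS10, TLS12 = (3, 0), (3, 1), (3, 3)
TLS_FALLBACK_SCSV = 0x5600   # RFC 7507 signalling cipher suite value


def build_client_hello(version, cipher_suites):
    """Build a minimal ClientHello record (constructed test input, not a real capture)."""
    major, minor = version
    body = bytes([major, minor])                 # client_version
    body += b"\x00" * 32                         # client random (zeros for the example)
    body += b"\x00"                              # empty session id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    # Record layer: ContentType handshake (0x16), version, length. Real clients often
    # put a lower version here for compatibility; the example reuses client_version.
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return client_version and cipher suites from a ClientHello record; raise on anything else."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    pos = 34
    pos += 1 + body[pos]                         # skip session id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return {
        "version": version,
        "cipher_suites": suites,
        "fallback_scsv": TLS_FALLBACK_SCSV in suites,
    }


def evaluate(record, server_max=TLS12, allow_ssl3=False):
    """Policy: refuse SSL 3.0, and refuse a fallback retry below the server's best version."""
    info = parse_client_hello(record)
    if info["version"] == SSL3 and not allow_ssl3:
        return "block-sslv3"
    if info["fallback_scsv"] and info["version"] < server_max:
        # RFC 7507: a server that supports a higher version than the one offered
        # alongside the SCSV must abort with inappropriate_fallback.
        return "block-inappropriate-fallback"
    return "allow"


if __name__ == "__main__":
    print(evaluate(build_client_hello(TLS12, [0xC02F])))                      # allow
    print(evaluate(build_client_hello(SSL3, [0x000A])))                       # block-sslv3
    print(evaluate(build_client_hello(TLS10, [0xC013, TLS_FALLBACK_SCSV])))   # block-inappropriate-fallback
```

The SCSV check only fires when the client actually sends TLS_FALLBACK_SCSV on its retry, which is why disabling SSL 3.0 on both ends remains the primary fix; the SCSV rule then protects the TLS 1.0/1.1 downgrades that a client without SSL 3.0 support could still be forced into.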