THREATS ARE HIDING IN ENCRYPTED TRAFFIC ON YOUR NETWORK


Slide 1: THREATS ARE HIDING IN ENCRYPTED TRAFFIC ON YOUR NETWORK
Manoj Sharma, Technical Director, Symantec Corp
Mark Sanders, Lead Security Architect, Venafi

Slide 2: WHAT YOU WILL LEARN
- Why encryption and digital certificates are helping our adversaries
- How to architect for today's and tomorrow's SSL/TLS threatscape
- What you need to successfully run your operations
- What your 45 day action plan is

Slide 3: SSL/TLS THREATS UPDATE

Slide 4: PROBLEM: ΣΚΌΤΟΣ = SCOTOMA = BLIND SPOT

Slide 5: 50-75% AND CLIMBING
That share of enterprise network traffic is encrypted with SSL/TLS today.

Slide 6: 50% OF NETWORK ATTACKS WILL USE SSL/TLS BY 2017; 70% OF NETWORK ATTACKS WILL USE SSL/TLS BY 2020

Slide 7: ENCRYPTED TUNNELS MEAN SECURITY SYSTEMS CAN'T SEE WHAT'S COMING

Slide 8: TRADITIONAL SECURITY SYSTEMS CAN'T KEEP UP WITH THE PERFORMANCE NEEDED TO DECRYPT AND INSPECT SSL/TLS NETWORK TRAFFIC

Slide 9: DIFFERENCES IN ENTERPRISE ENCRYPTION STRATEGIES BY COUNTRY
(Chart.) Source: Ponemon Institute, 2016 Global Encryption Trends Study, 2016.

Slide 10: MALWARE AND OUTBOUND SSL

Slide 11: SSL/TLS: HIDDEN DANGERS
Bad actors are using encryption to hide:
- malicious actions and messages
- the initial infection
- the command-and-control channel
- data exfiltration
2987 blacklisted SSL certificates are listed at https://sslbl.abuse.ch/. Most of the recent listings are Dyre C&C, KINS C&C, Vawtrak MITM, Shylock C&C, URLzone C&C, TorrentLocker C&C, CryptoWall C&C, Upatre C&C, Spambot C&C, Retefe C&C, ZeuS MITM, etc.
* See "TCP Ports used by Dyre Trojan for Hidden Command & Control", Blue Coat Labs.
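The SSLBL list above is used in the simplest possible way: hash the DER-encoded certificate the server presents with SHA-1 and look the fingerprint up. The Python below is an added example, not code from the deck or from abuse.ch. The CSV text only mimics the layout of the SSLBL export (comment lines, then Listingdate,SHA1,Listingreason) with made-up entries, and the certificate bytes are constructed filler rather than real X.509. It pulls the leaf out of a TLS 1.2 Certificate handshake message, which is where a passive sensor sees it; in TLS 1.3 that message is encrypted (see the TLS 1.3 slides later in the deck), so the same check then has to run on a decrypting proxy.

```python
"""Match the server's leaf certificate against an SSLBL-style SHA-1 blocklist.
Added example, not from the deck or abuse.ch: the CSV text mimics the sslbl.abuse.ch
export layout (comment lines, then Listingdate,SHA1,Listingreason) with made-up
entries, and the 'DER' blobs are constructed filler bytes, not real X.509 certificates."""
import hashlib
from typing import Dict, List, Optional


def load_blocklist(text: str) -> Dict[str, str]:
    """Parse SSLBL CSV lines into {sha1_hex: listing_reason}, skipping comments."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(",", 2)
        if len(parts) != 3:
            continue
        sha1, reason = parts[1].strip().lower(), parts[2].strip()
        if len(sha1) == 40 and all(c in "0123456789abcdef" for c in sha1):
            entries[sha1] = reason
    return entries


def _u24(b: bytes, off: int) -> int:
    return int.from_bytes(b[off:off + 3], "big")


def certificates_from_handshake(msg: bytes) -> List[bytes]:
    """Extract the DER certificates from a TLS <= 1.2 Certificate handshake message
    (RFC 5246 7.4.2): type(1)=11 length(3) list_length(3) { cert_length(3) cert }*.
    The sender's own (leaf) certificate must come first."""
    if len(msg) < 7 or msg[0] != 0x0B:
        raise ValueError("not a Certificate handshake message")
    body = msg[4:4 + _u24(msg, 1)]
    if len(body) != _u24(msg, 1) or _u24(body, 0) != len(body) - 3:
        raise ValueError("truncated or inconsistent certificate list")
    certs, off = [], 3
    while off + 3 <= len(body):
        clen = _u24(body, off)
        if off + 3 + clen > len(body):
            raise ValueError("certificate length runs past the message")
        certs.append(body[off + 3:off + 3 + clen])
        off += 3 + clen
    return certs


def sha1_fingerprint(der: bytes) -> str:
    """SSLBL keys on the SHA-1 of the DER-encoded certificate."""
    return hashlib.sha1(der).hexdigest()


def check_leaf(msg: bytes, blocklist: Dict[str, str]) -> Optional[str]:
    """Listing reason if the leaf certificate is blocklisted, else None. Only the
    first certificate is checked: SSLBL fingerprints leaves, not issuers."""
    certs = certificates_from_handshake(msg)
    return blocklist.get(sha1_fingerprint(certs[0])) if certs else None


def build_certificate_message(certs: List[bytes]) -> bytes:
    """Encode a Certificate handshake message (used to build the constructed input)."""
    lst = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(lst).to_bytes(3, "big") + lst
    return b"\x0b" + len(body).to_bytes(3, "big") + body


# Constructed stand-ins for DER certificates (a SEQUENCE header plus filler), not real X.509.
BAD_LEAF_DER = b"\x30\x82\x00\x40" + bytes(range(64))
ISSUER_DER = b"\x30\x82\x00\x20" + bytes(32)
GOOD_LEAF_DER = b"\x30\x82\x00\x10" + b"\xff" * 16

# Constructed blocklist in the SSLBL CSV shape; the first entry is the bad leaf above.
SAMPLE_BLOCKLIST_TEXT = f"""
# SSL Certificate Blacklist (SSLBL) - constructed sample, not a real export
# Listingdate,SHA1,Listingreason
2016-03-01 10:00:00,{sha1_fingerprint(BAD_LEAF_DER)},Dyre C&C
2016-03-02 11:30:00,0123456789abcdef0123456789abcdef01234567,KINS C&C
"""
SAMPLE_BLOCKLIST = load_blocklist(SAMPLE_BLOCKLIST_TEXT)
BAD_CHAIN_MSG = build_certificate_message([BAD_LEAF_DER, ISSUER_DER])
GOOD_CHAIN_MSG = build_certificate_message([GOOD_LEAF_DER, ISSUER_DER])
```

Two caveats a practitioner should keep in mind: SSLBL matches the exact certificate, so a campaign that mints a fresh certificate per C&C host is not caught by the fingerprint alone; and the listed hash is the leaf's, so an issuer certificate that happens to appear first in a malformed chain must not be matched, which is why only `certs[0]` is checked.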

Slide 12: BAD GUYS ARE EVADING DEFENSES
(Diagram.)
Traditional enterprise defenses: NGFW, IDS/IPS, host AV, traditional web gateway, SIEM, email gateway, DLP, web application firewall.
Threat actors: nation states, cybercrime, hacktivists, insider threats.
Traditional threats: known threats, known malware, known files, known IPs/URLs.
Advanced threats: novel malware, zero-day threats, targeted attacks, modern HTTPS.

Slide 13: SSL/TLS: HIDDEN DANGERS
Users: are they SSL aware?

Slide 14: THE NEXT BIG HACKER MARKETPLACE WILL BE IN STOLEN CERTIFICATES

Slide 15: WHAT DO YOU THINK THINGS LOOK LIKE?
(Diagram: a single "Secure Communications" link.)

Slide 16: THIS IS WHAT IT REALLY LOOKS LIKE
(Diagram.) SSL and SSH keys and certificates in use for secure communications, server authentication and client-side authentication, repeated across every connection.

Slide 17: MORE KEYS, MORE CERTIFICATES, MORE ENCRYPTION

Slide 18: ARCHITECTING FOR SSL/TLS THREATS

Slide 19: ARCHITECTURE GAP ANALYSIS
(Table; cells missing from the transcription are left blank.)

Area                                                    | Today                             | Ready for Threats
Role of decryption                                      | Non-existent / tactical           | Strategic
Inspection points                                       | Few                               |
Performance                                             | Struggling                        | Wirespeed
Outbound decryption: internal trusted root CA           | Few                               |
Inbound decryption: all keys & certs available          |                                   | All available
Inbound decryption: keys & certs securely distributed   | Email, flash drive, file server   | Encryption distribution w/o people

Slide 20: BALANCING COMPLIANCE AND DATA PRIVACY
Data privacy concerns and the risk of advanced threats lead to two requirements:
1) Manage what type of information is decrypted
2) Assure custody and integrity of encrypted data

Slide 21: INBOUND AND OUTBOUND TRAFFIC
(Diagram.) Inbound SSL decryption covers traffic from the Internet to the enterprise's web, email and portal servers (customer web portals). Outbound SSL decryption covers client traffic to the Internet (encrypted email, social networks, CRM, etc.). In both directions the decrypted traffic is fed to the same security solutions: IPS & IDS, AV, DLP, APM, SIM & SIEM, forensics.

Slide 22: PKI ARCHITECTURE FOR INSPECTION
(Diagram.) Inbound: the enterprise's own server certificates and keys (www, app, v125, ...) are static and are made available to the decryption device. Outbound: a static Enterprise Root signs a static SSL Decryption Intermediate, which generates leaf certificates on the fly for the sites users visit (google.com, outlook.com, dropbox.com, ...).
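The outbound half of that diagram is the part people get wrong, so here it is in working form. This is an added example, not code from the deck or from any vendor's appliance; it needs the `cryptography` package, and the organisation names, the three sites and the "origin" certificate fields it copies are all constructed for the example. The points it makes that the slide does not: the intermediate is constrained to path length 0, the forged leaf copies the origin's names and validity window rather than inventing its own, and a client that trusts only the enterprise root still gets a chain that verifies.

```python
"""On-the-fly certificate issuance for outbound SSL/TLS inspection.
Added example, not from the deck; it needs the 'cryptography' package. It models the
slide's outbound PKI: a static Enterprise Root, a static SSL Decryption Intermediate,
and per-site leaf certificates generated on the fly. Names, sites and the 'origin'
certificate fields are constructed for the example."""
import datetime
from typing import Dict, List
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc
DAY = datetime.timedelta(days=1)


def _name(cn: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Corp"),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _builder(subject, issuer, pubkey, not_before, not_after) -> x509.CertificateBuilder:
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after))


def make_root():
    """Static Enterprise Root: self-signed CA. Only its certificate goes to clients."""
    key, now = ec.generate_private_key(ec.SECP256R1()), datetime.datetime.now(UTC)
    cert = (_builder(_name("Example Enterprise Root"), _name("Example Enterprise Root"),
                     key.public_key(), now, now + 3650 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_inspection_intermediate(root_key, root_cert):
    """Static SSL Decryption Intermediate. path_length=0: it may sign leaves only, so a
    stolen copy cannot mint sub-CAs (it can still impersonate any site to every client
    that trusts the root, which is why this key belongs in an HSM)."""
    key, now = ec.generate_private_key(ec.SECP256R1()), datetime.datetime.now(UTC)
    cert = (_builder(_name("Example SSL Decryption Intermediate"), root_cert.subject,
                     key.public_key(), now, now + 730 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(root_key, hashes.SHA256()))
    return key, cert


def forge_leaf(int_key, int_cert, origin: Dict):
    """Generated-on-the-fly leaf for one site, as the appliance does per SNI. 'origin'
    holds fields read from the real server certificate: the leaf copies its CN and SANs
    and inherits its validity window, so clients see the same identity and expiry."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (_builder(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, origin["cn"])]),
                     int_cert.subject, key.public_key(), origin["not_before"], origin["not_after"])
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(d) for d in origin["sans"]]), critical=False)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(int_key, hashes.SHA256()))
    return key, cert


def verify_chain(leaf, intermediate, root) -> bool:
    """The minimum a client trusting only the enterprise root checks: signatures chain
    leaf -> intermediate -> root, names link up, and the intermediate is a CA."""
    try:
        intermediate.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                         ec.ECDSA(leaf.signature_hash_algorithm))
        root.public_key().verify(intermediate.signature, intermediate.tbs_certificate_bytes,
                                 ec.ECDSA(intermediate.signature_hash_algorithm))
    except Exception:
        return False
    ca = intermediate.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    return ca and leaf.issuer == intermediate.subject and intermediate.issuer == root.subject


def leaf_sans(cert) -> List[str]:
    return cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value.get_values_for_type(x509.DNSName)


def is_ca(cert) -> bool:
    return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca


def demo():
    """Build the slide's outbound PKI and forge a leaf for each constructed site."""
    root_key, root = make_root()
    int_key, inter = make_inspection_intermediate(root_key, root)
    now = datetime.datetime.now(UTC)
    sites = {"google.com": ["google.com", "www.google.com"], "outlook.com": ["outlook.com"],
             "dropbox.com": ["dropbox.com", "www.dropbox.com"]}
    leaves = {}
    for cn, sans in sites.items():   # constructed origin-certificate data per site
        origin = {"cn": cn, "sans": sans, "not_before": now - 30 * DAY, "not_after": now + 60 * DAY}
        leaves[cn] = forge_leaf(int_key, inter, origin)[1]
    return root, inter, leaves
```

A production appliance also has to decide what to do when the origin certificate itself fails validation: re-signing it with the trusted intermediate would hide that failure from the user, so the usual choices are to block the connection or to re-sign with a second CA that clients do not trust, so the browser warning survives. That decision is the one behind the "do not allow traffic with invalid certificates" item in the action plan.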

Slide 23: ARCHITECTURE FOR VISIBILITY
(Diagram.) Client traffic to the Internet passes the gateway/firewall and an SSL Visibility Appliance; the decrypted stream is fed to security analytics, a sandbox and a next-generation IPS, with the Global Intelligence Network as an external feed, and corporate servers sit behind the same path. Legend: encrypted traffic vs. decrypted traffic. The callouts ❶ to ❹ on the slide carry no text in the transcription.

Slide 24: SSL BLIND SPOTS IN ACTION: DATA INFILTRATION + EXFILTRATION USING SSL
Malware infiltration and data exfiltration, observed with Wireshark. Compare pcaps from identical operations with and without SSL inspection enabled in the network:
- Download a file (magnetic*) from sourceforge.net (HTTP download)
- Download a known file using HTTPS: infiltration
- Upload sensitive data using HTTPS: exfiltration

Slide 25: (no text captured)

Slide 26: SSL BLIND SPOTS: DATA EXFILTRATION EXPERIMENT
Symantec DLP Network Prevent details:
- Base OS: MS Windows 2012 R2
- DLP Network Prevent software version: 14
- DLP Network Prevent configured to monitor HTTP and HTTPS ports
SSL inspection device: hardware model SV800, software version 3.8.2-409
Experiment:
1. Upload sensitive data using HTTP
2. SSL inspection disabled: upload sensitive data using HTTPS
3. SSL inspection enabled: upload sensitive data using HTTPS
NOTE: SYMANTEC DOES NOT CLAIM THEY CAN INSPECT SSL TRAFFIC ON THEIR NETWORK DLP PRODUCTS

Slide 27: (no text captured)

Slide 28: ECONOMICS OF SSL DECRYPTION
Cost of no action = infection = intrusion = breach = $
Direct costs:
- low performance means a higher cost to reach the needed throughput
- incomplete support for the latest ciphers creates unseen blind spots
Indirect costs:
- time and effort to identify, gather, distribute and update keys and certificates

Slide 29: ONGOING OPERATIONS

Slide 30: MAINTAINING DECRYPTION
- Capture new keys and certificates, including those generated outside of IT security
- Update renewed and rekeyed keys and certificates at every point in the SSL/TLS chain (e.g. firewall, load balancer, WAF)

Slide 31: WHAT USER BENEFITS DOES TLS 1.3 OFFER
Higher security than TLS 1.2:
- only handshake mechanisms that provide perfect forward secrecy are supported; RSA key exchange is not supported
- most existing cipher suites are no longer supported; only AEAD suites remain (AES-GCM, AES-CCM and ChaCha20-Poly1305)
- most handshake messages are encrypted
Higher speed:
- faster session establishment, with fewer round trips before data can be sent: the standard handshake takes 1 round-trip time (RTT) compared with 2 in TLS 1.2
- an optional 0-RTT mode lets the client send early data, though with weaker security (that data can be replayed) until the handshake completes
Downgrade attack detection:
- lets the client detect that a server which supports 1.3 negotiated 1.2 because it was tricked into thinking the client does not support 1.3

Slide 33: MYTHS AND FACTS ABOUT TLS 1.3
- Claim: it prevents MITM devices from looking at decrypted data. Reality: more difficult, but not impossible.
- Claim: it will require new clients (browsers). Reality: it is already implemented in browsers.
- Claim: there is no possibility of passive decryption for TLS 1.3. Reality: correct; with ephemeral key exchange on every handshake, the inspection device must be a bump in the wire.
- Claim: SSLV (the SSL Visibility appliance) does not support TLS 1.3. Reality: we do already, as you will see.
- Claim: you cannot downgrade a session. Reality: you can if you fully terminate TCP and TLS (i.e. a full TLS proxy): the proxy negotiates its own version with each side, and the client's downgrade check only sees what the proxy itself offers.
- Claim: it will be years before TLS 1.3 is implemented by major sites. Reality: once the standard is final, roll-out will be fast for many large TLS sites on the Internet; Google, Facebook, Cloudflare and the CDNs are all ready to roll. Enterprise sites, particularly financial services, are likely to take longer to adopt.

Slide 34: 45 DAY ACTION PLAN

Slide 35: YOUR 45 DAY ACTION PLAN
- Map your SSL footprint: it is your risk exposure
- Decrypt once and feed many, vs. decrypting in many places in the network
- Performance impact of decryption on existing network/security devices
- Local regulations and compliance requirements
- Outbound: HR and Legal must be consulted to ensure user privacy is respected and preserved
- Inbound: obtaining keys/certificates, and how you will keep them secure and up to date

Slide 36: MAP YOUR INBOUND SSL/TLS FOOTPRINT
- Where, and how many, SSL/TLS-enabled entities are there?
- What are all the systems involved in SSL/TLS through the DMZ (e.g. firewall, load balancer, WAF)?
- Which security controls need visibility into encrypted traffic?
- How will you track keys and certificates? How frequently are they renewed and rekeyed?
- Who, and how many people, are responsible for each key and certificate?
- How will you get them? How will you transfer keys and certificates? How will you update them?

Slide 37: MAP YOUR OUTBOUND SSL/TLS FOOTPRINT
- % of total north-south traffic that is SSL/TLS encrypted
- SSL/TLS versions seen on the network: the SSL versions (SSLv2, SSLv3) have known vulnerabilities; TLS is the acceptable baseline. Best practice: do not allow known-bad protocol versions.
- Certificate status: valid vs. invalid certificates. You should not see any traffic with an invalid certificate. Best practice: do not allow traffic with non-valid certificates.
- SSL/TLS traffic that isn't on port 443, and non-SSL traffic that is using port 443
- Protocol versions in use
- Ciphers used: strong vs. weak cipher suites (Logjam and FREAK exploit export-grade suites; Heartbleed is an OpenSSL implementation bug that shows in the server's software version, not in its cipher list). Best practice: do not allow connections with weak ciphers.
- Top N SSL sites by request
- Users of SSL/TLS traffic
- North-south communication
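Most of the inventory items on this slide, and the downgrade detection described on the TLS 1.3 benefits slide, can be read straight off the two hello messages of a handshake. The Python below is an added example, not code from the deck or from any vendor's product. It parses one TLS record carrying a ClientHello or ServerHello (wire format per RFC 5246 and RFC 8446) and reports protocol version (honouring the supported_versions extension), cipher suites, SNI, weak cipher suites, TLS on ports other than 443, non-TLS bytes on 443, and the TLS 1.3 downgrade sentinel in ServerHello.random. The weak-suite table, the sample hostnames and every byte of the sample records are constructed for the example; a real deployment would feed it records from a capture or a flow sensor.

```python
"""Triage TLS hellos for an outbound SSL/TLS footprint inventory (added example, not
from the deck). Parses one TLS record holding a ClientHello or ServerHello (RFC 5246 /
RFC 8446 wire format) and reports version, cipher suites, SNI, weak ciphers, TLS off
port 443, non-TLS bytes on 443 and the TLS 1.3 downgrade sentinel. Samples are constructed."""
from typing import Dict, List, Optional

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
LEGACY_VERSIONS = {0x0300, 0x0301, 0x0302}   # best practice: do not allow
# IANA suite IDs that should never be offered or negotiated: export grade (the
# FREAK/Logjam class), RC4, single DES, NULL encryption. Constructed subset.
WEAK_SUITES = {0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5", 0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
               0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
               0x0009: "TLS_RSA_WITH_DES_CBC_SHA", 0x0001: "TLS_RSA_WITH_NULL_MD5"}
# RFC 8446 4.1.3: a server that supports a higher version than it negotiated puts one
# of these in the last 8 bytes of ServerHello.random; a TLS 1.3 client must then abort.
DOWNGRADE_TLS12 = b"DOWNGRD\x01"   # negotiated TLS 1.2 although the server supports 1.3
DOWNGRADE_TLS11 = b"DOWNGRD\x00"   # negotiated <= TLS 1.1 although the server supports 1.2+

def _u16(b: bytes, off: int) -> int:
    return int.from_bytes(b[off:off + 2], "big")

def _extensions(data: bytes, off: int) -> Dict[int, bytes]:
    """Parse the extensions vector that ends a hello: ext_len(2) {type(2) len(2) data}*."""
    exts: Dict[int, bytes] = {}
    end = off + 2 + _u16(data, off) if off + 2 <= len(data) else off   # old clients: none
    off += 2
    while off + 4 <= end:
        etype, elen = _u16(data, off), _u16(data, off + 2)
        exts[etype], off = data[off + 4:off + 4 + elen], off + 4 + elen
    return exts

def classify_record(record: bytes, dst_port: int) -> Dict:
    """Inventory entry for one TLS record seen on a flow to dst_port."""
    entry: Dict = {"port": dst_port, "findings": []}
    # Record header: type(1) version(2) length(2); content types 20-23 are TLS.
    if len(record) < 5 or record[0] not in (20, 21, 22, 23) or record[1] != 3:
        entry["findings"].append("non-TLS bytes" + (" on port 443" if dst_port == 443 else ""))
        return entry
    if dst_port != 443:
        entry["findings"].append(f"TLS on non-standard port {dst_port}")
    hs = record[5:5 + _u16(record, 3)]
    if record[0] != 22 or hs[0] not in (1, 2):
        return entry                       # only ClientHello/ServerHello are inventoried
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version, rnd, off = _u16(body, 0), body[2:34], 34   # legacy_version, random, session_id
    off += 1 + body[off]
    if hs[0] == 1:                         # ClientHello: suites vector, compression vector
        n = _u16(body, off); off += 2
        suites = [_u16(body, off + i) for i in range(0, n, 2)]; off += n
        exts = _extensions(body, off + 1 + body[off])
        sv = exts.get(43)                  # supported_versions: 1-byte len + list
        if sv:                             # skip GREASE entries (high byte != 3)
            offered = [_u16(sv, 1 + i) for i in range(0, sv[0], 2)]
            version = max((v for v in offered if v >> 8 == 3), default=version)
        sni = exts.get(0, b"")             # server_name: list_len(2) type(1) len(2) name
        if len(sni) >= 5 and sni[2] == 0:
            entry["sni"] = sni[5:5 + _u16(sni, 3)].decode("ascii", "replace")
        entry["role"] = "client"
    else:                                  # ServerHello: cipher_suite(2) compression(1)
        suites, exts = [_u16(body, off)], _extensions(body, off + 3)
        if len(exts.get(43, b"")) == 2:    # supported_versions carries the selected version
            version = _u16(exts[43], 0)
        entry["role"], tail = "server", rnd[-8:]
        if (tail == DOWNGRADE_TLS12 and version == 0x0303) or (tail == DOWNGRADE_TLS11 and version < 0x0303):
            entry["findings"].append("downgrade sentinel: server supports a higher version than negotiated")
    entry["version"], entry["cipher_suites"] = VERSION_NAMES.get(version, hex(version)), suites
    if version in LEGACY_VERSIONS:
        entry["findings"].append(f"legacy protocol {entry['version']}")
    weak = [WEAK_SUITES[s] for s in suites if s in WEAK_SUITES]
    if weak:                               # offered by a client, or negotiated by a server
        entry["findings"].append("weak cipher suites: " + ", ".join(weak))
    return entry

def build_hello(htype: int, version: int, suites: List[int], sni: Optional[str] = None,
                versions: Optional[List[int]] = None, random_tail: bytes = bytes(8)) -> bytes:
    """Encode a minimal ClientHello (htype 1) or ServerHello (htype 2) as constructed input."""
    exts = b""
    if sni:
        name = b"\x00" + len(sni).to_bytes(2, "big") + sni.encode()
        exts += b"\x00\x00" + (len(name) + 2).to_bytes(2, "big") + len(name).to_bytes(2, "big") + name
    if versions:   # client: 1-byte-length list; server: the single selected version
        vs = b"".join(v.to_bytes(2, "big") for v in versions)
        exts += b"\x00\x2b" + ((len(vs) + 1).to_bytes(2, "big") + bytes([len(vs)]) if htype == 1 else b"\x00\x02") + vs
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    if htype == 1:
        cs = len(cs).to_bytes(2, "big") + cs + b"\x01"   # suites vector, one compression method
    body = version.to_bytes(2, "big") + bytes(24) + random_tail + b"\x00" + cs + b"\x00" + len(exts).to_bytes(2, "big") + exts
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

# Constructed samples standing in for captured flows: (record, destination port).
SAMPLES = [(build_hello(1, 0x0303, [0x1301, 0xC02F], "mail.example.com", [0x0304, 0x0303]), 443),
           (build_hello(1, 0x0301, [0x0004, 0x002F], "legacy.example.net"), 8443),
           (build_hello(2, 0x0303, [0xC02F], random_tail=DOWNGRADE_TLS12), 443),
           (b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n", 443)]
```

Two details matter in practice. The version a modern client really wants is in the supported_versions extension, not in legacy_version (which stays 0x0303 for TLS 1.3), and the extension also carries GREASE values that must be ignored, otherwise every Chrome handshake looks like an unknown protocol. And for the ServerHello, the sentinel only fires when the negotiated version is lower than what the sentinel claims the server supports, which is exactly the case that a TLS 1.3 client is required to abort on.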

Slide 38: THANK YOU
Manoj Sharma, Technical Director, Symantec Corp, manoj_sharma@symantec.com
Mark Sanders, Lead Security Architect, Venafi, mark.sanders@venafi.com