SlideShare ist ein Scribd-Unternehmen logo

Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams

Als PPTX, PDF herunterladen
A
Andrew Morris

Cloud hosting providers, such as Amazon AWS, Google Cloud, DigitalOcean, Microsoft Azure, and many others, have to respond to a regular barrage of abuse complaint reports from all around the world when their customers virtual private servers are used for malicious activity. This activity can happen knowingly by the "renter" of the system or on behalf of an attacker if the server becomes infected. Although by no means the end all, one way of measuring the trust posture of a cloud hosting provider is by analyzing the amount of time between shared hosts beginning to attack other hosts on the Internet and the activity ceasing, generally by way of forced-decommissioning, quarantining, or remediation of the root-cause, such as a malware infection. In this talk, we discuss using the data collected by GreyNoise, a large network of passive collector nodes, to measure the time-to-remediation of infected or malicious machines. We will discuss methodology, results, and actionable takeaways for conference attendees who use shared cloud hosting in their businesses.

Technologie
1 von 36
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams Andrew Morris @andrew___morris andrew@greynoise.io
• Thank you ACoD! • Founders • Committee • Staff • Attendees
About Me Andrew Morris Founder, interim CEO @ GreyNoise Intelligence Previously: - Endgame R&D - Intrepidus (NCC Group) - KCG (ManTech) Twitter: @andrew___morris Email: andrew@greynoise.io
Agenda • What is GreyNoise • Background • Research Questions • Qualifiers • Methodologies 1-4 • Results • Recommendations
About GreyNoise GreyNoise is a gigantic system of globally-distributed passive collector sensors that monitor, analyze, and contextualize Internet-wide background scan and attack traffic. GreyNoise processes tens of millions of packets from hundreds of thousands of IPs every day Security professionals use GreyNoise to filter noisy alerts, identify compromised devices, and observe emerging threats. Learn more at https://greynoise.io or explore the data at https://viz.greynoise.io/
GreyNoise Examples (benign) • Cliqz • ShadowServer.org • Riddler.io • BinaryEdge.io • FindMalware • Quadmetrics.com • Stretchoid.com • CCBot • Internet Census • Stanford University • Brown University • CheckMarkNetwork • Mojeek • Cambridge Cybercrime Centre • Moz DotBot • Net Systems Research • Uptime.com • PDRLabs.net • Ruhr-Universitat Bochum • MJ12bot • A10 Networks • Baidu Spider • CompanyBook • Sogou • PingZapper • ipip.net • CyberGreen • Qwant • ExposureMonitoring • IBM oBot • University of Michigan • Team Cymru • Panscient • MauiBot • Facebook NetProbe • Archive.org • RWTH AACHEN University • Shodan.io • SiteExplorer • Kudelski Security • Project Sonar • SEMrush • ProbeTheNet.com • University of California Berkeley • Project25499 • Intrinsec • LoSec • DomainCrawler • BingBot • GoogleBot • DataProvider • Yandex Search Engine • Statastico • Censys • Cloud System Networks • DomainTools • Mail.RU • Talaia • Ampere Innotech • aiHit • ONYPHE • Ahrefs • OpenLinkProfiler • NetCraft • University of New Mexico • Seznam • Coc Coc • SafeDNS • Pingdom.com
GreyNoise Examples (malicious) • Eir D1000 Router Worm • D-Link 850L Worm • MSSQL Bruteforcer • Realtek Miniigd UPnP Worm CVE-2014-8361 • ZmEu Worm • Telnet Worm • Jboss Worm • D-Link 2750B Worm • PHP Worm • Apache Struts CVE-2017-5638 Worm • Mailbox Bruteforcer • Looks Like RDP Worm • Belkin N750 Worm CVE-2014-1635 • D-Link DSL-2640U DNS Hijack Vulnerability • EquationGroup Eternal/MS17-010 • Compromised Raspberry Pi • Oracle WebLogic CVE-2017-10271 Worm • HTTP PUT Uploader • Looks Like Conficker • Generic Windows Worm • Open Proxy Scanner • ADB Worm • Eternal MS17-010 • PHP InvokeFunction Attacker • IIS WebDAV Remote Code Execution CVE- 2017-7269 • Mikrotik CVE-2018-14847 Worm • Windows RDP Cookie Hijacker CVE-2014- 6318 • Zyxel OS Command Injection CVE-2017-6884 • VNC Bruteforcer • CHINANET SSH Bruteforcer • SSH Worm • PHPMyAdmin Worm • Wordpress Worm • Huawei HG532 UPnP Worm CVE-2017-17215 • Wordpress XML RPC Worm • Postgres Bruteforcer • Avtech IP Camera Worm • Hadoop Yarn Worm • Unknown Linux Worm • FTP Bruteforcer • GPON CVE-2018-10561 Router Worm • Mirai • Looks Like EternalBlue • Embedded Device Worm • D3c3mb3r Botnet • Linksys E-Series TheMoon Router Worm • Unauthenticated Redis Worm • Drupal CVE-2018-7600 Worm • CGI Script Scanner • LINK-NET LW-N605R Worm CVE-2018-16752 • Asterisk Bruteforcer • Apache Struts CVE-2018-11776 Worm
Background • There are many compromised devices around the Internet • A subset of these compromised devices become infected by exposing vulnerable services directly to the rest of the Internet • These services can be configured to accept default/easily guessable credentials or they can be unpatched and vulnerable to a large series of remote exploits • Botnets and bad guys constantly scan and crawl the Internet to find and infect these hosts with unsophisticated malware • Once infected, many of these compromised devices spread their malware to other hosts by opportunistically scanning for and attacking other similarly vulnerable devices around the Internet • This kind of activity is executed by a specific sub-category of botnet (Mirai, Satori, Muhstik, etc) • Most of the attacks an organization sees to the network perimeter originate from these devices
Background (cont’d) • When a device becomes compromised inside of a cloud provider (such as AWS, Google Cloud, DigitalOcean, etc) it will often start to attack other hosts around the Internet • The cloud provider abuse contact will start to receive some signals that the devices is compromised: • Abuse complaint emails from other network administrators around the Internet • A large uptick in traffic to thousands or millions of destination IPs over protocols that are generally used by authentication (SSH, Telnet, etc) • Some period of time after the device is infected / attacking other servers around the Internet (without being remediated by the owner), the cloud hosting provider abuse team will decommission or quarantine the server
Research Questions 1. How much time generally passes between a device in a cloud provider starting to attack other hosts around the Internet and for the activity to be remediated? 2. How much variance is there between different cloud hosting providers, such as Amazon AWS, Microsoft Azure, Google Cloud, DigitalOcean, etc? 3. How much variance is there internally on a given cloud hosting provider? 4. How many compromised devices are there in each cloud hosting provider?** 5. How long have is the longest “total compromised host time” of each provider? - …using compromised device data collected and labeled by GreyNoise ** This is a Dumb Question™️
Goal • Walk away with an understanding of how different cloud providers handle compromised devices within their network • Walk away with an understanding of how to reproduce this research with your own data sources • Walk away with an understanding of GreyNoise
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams In other words…
Qualifiers SHAME • This talk is not intended to shame anyone or compare what organizations are “better” or “worse” • We are measuring “response time”, not “effectiveness” Work sucks • Security is hard enough without some asshole telling you how to do your job Trust / Abuse / Fraud is hard • SOC / trust / abuse / fraud teams are INSANELY overworked • It’s a hard and thankless job • I have an ENORMOUS amount of respect for the folks who work these jobs Grace period • Every cloud provider has different internal policies on how long to wait until decommissioning or quarantining a customer server, as to not disrupt their business
Qualifiers (cont’d) Collection Bias • There are many gaps in my methodology and it is by no means conclusive. This talk is one data point from one source Comparison • Cloud providers have different problems and different priorities than other hosting types (ISPs, corporate networks, telecommunications providers) Customer != Corporate • These devices are not located in any of these organization’s corporate networks CYA • This talk is in no way a reflection of these organization’s security posture. It is a set of observations based on a specific set of data.
Data sources • Infection status – GreyNoise • Cloud provider ranges – IPinfo.io • Cloud provider sizes – IPinfo.io • I love IPinfo.io with all of my heart
Subjects • Amazon AWS • Google Cloud • DigitalOcean • Microsoft Azure • Oracle Cloud • Rackspace • Linode • IBM Softlayer • Vultr • Tencent • Ali Cloud • OVH • SingleHop • CenturyLink
Methodology 1: Pure quantity** • How many unique compromised IPs are there inside a given cloud hosting provider? • Over a four (4) month sample • This is a really, really, really stupid way to gauge anything • This breaks down when “size” is taken into consideration • A larger cloud hosting provider will simply have more compromised devices • E.g. if Google Cloud has 100 compromised devices (out of ten million customer machines) that’s very little • If a small cloud hosting provider with 1024 IPs has 100 infected devices, that’s *really* bad • Recreate: $ gnql $org classification:malicious | jq '.count'
Methodology 1** (this is a bad metric)
Large ISPs for scale
• Amazon: 2176 • DigitalOcean: 5465 • Vultr: 1677 • Google: 900 • Microsoft Corporation: 837 • Oracle: 540 • Rackspace: 79 • Linode: 251 • Softlayer: 192 • Tencent: 4846 • Alibaba: 292 • OVH: 2310 • SingleHop: 27 • CenturyLink: 736 Compromised IPs observed by GreyNoise over a four (4) month sample
Methodology 2: Ham-fisted cumulative time** • What is the total time (in hours) between the time GreyNoise first and last saw all infected IPs in a given cloud hosting provider? • This is also a really, really bad way to measure anything • Breaks down when size is taken into consideration • Also breaks down when you take IP recycling into consideration • IP re-use between accounts • IP recycling between “known good” Internet scanners (Shodan, BinaryEdge) and briefly infected devices • Multiple infections on the same host over a long period of time (the “state” of “infectedness”)
Methodology 2** (this is a less bad metric but is still pretty bad)
Total time (in hours) between the time GreyNoise first and last saw all infected IPs in a given cloud hosting provider? • Amazon : 652.42 • DigitalOcean : 648.64 • Vultr : 1060.51 • Google : 447.66 • Microsoft Corporation : 490.80 • Oracle : 1991.11 • Rackspace : 2694.37 • Linode : 578.67 • Softlayer : 910 • Tencent : 1835.27 • Alibaba : 1186.23 • OVH : 2048.07 • SingleHop : 1265.77 • CenturyLink : 1139.16
Methodology 3: Cumulative “infected” time (adjusted) • How many cumulative “state of infected” hours (per 10,000 IPs) are there for a given cloud hosting provider? • Get all IPs that have ever been infected inside a given cloud provider • Use GreyNoise to find the exact time ranges they were infected • Account for time interval overlap (this was a lot harder than I thought it would be) • Add all of the hours together • Get total size of Cloud provider, in IPs (using IPinfo.io) • This is harder for some providers than others • This is also not accurate, but it’s better than nothing • Divide hours by total IPs/10,000 • This breaks down because it makes smaller, busier hosting providers look slower and positively biases gigantic hosting providers (by dividing their “hour” amount by a huge number)
Cumulative Compromised Hours / (Total IPs / 10,000) • Amazon : 174370 / 2945 = 59.20 • DigitalOcean : 1305470 / 55 = 23735.81 • Vultr : 199017 / 28 = 7107.75 • Google : 100252 / 243 = 412.55 • Microsoft Corporation : 131239 / 1302 = 100.79 • Rackspace : 18653 / 135 = 138.17 • Linode : 7598 / 26 = 292.23 • Softlayer : 14428 / 190 = 75.93 • Tencent : 1405329 / 26 = 54051.11 • Alibaba : 41859 / 20 = 9586.62 • OVH : 1342128 / 140 = 9586.62 • SingleHop : 2025 / 26 = 77.88
Methodology 4: Average time-to-close of an infected host • What is the average amount of time between a machine getting infected (and attacking other hosts) and the infection being remediated (no longer attacking other hosts) • Find and average intervals of time (in hours) between attacks starting and stopping • Problem: Just because the machine stops attacking other hosts does not mean it is no longer infected • This is equally evident to GreyNoise and the hosting provider itself
Average Time-To-Close (hours) • Amazon : 40.92 • DigitalOcean : 118.12 • Vultr : 51.63 • Google : 66.46 • Microsoft_Corporation : 82.74 • Oracle : 107.76 • Rackspace : 78.29 • Linode : 17.48 • Softlayer : 34.73 • Tencent : 95.58 • Alibaba : 31.04 • OVH : 232.29 • SingleHop : 28.16 • CenturyLink : 19.21
Bonus Metric • How many devices are compromised in each provider right now? $ gnql metadata.organization:whatever classification:malicious last_seen:>=2019-01-29 | jq .count
Recommendations • Be proactive • Use third-party threat intelligence feeds to identify compromised hosts in your environment • Trust (believable) abuse complaint reports • Scrutinize hosts that receive a large amount of abuse complaints • Ignore reports that come from people who complain when the receive a single port scan • Start with strict firewall controls • Deny any inbound traffic beyond what is necessary and force the user to whitelist additional services • Consider vulnerability scanning your own environment and relaying concerning results to your customers • Google and Vultr do this • [SHAMELESS SELF PLUG] Ask me about the GreyNoise Cloud Trust Alliance program
QUESTIONS?
THANK YOU! andrew@greynoise.io @andrew___morris

Empfohlen

BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...Andrew Morris
 
GreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseGreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseAndrew Morris
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012Andrew Morris
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Andrew Morris
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...Andrew Morris
 
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Andrew Morris
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicJulia Yu-Chin Cheng
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoDefcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoJohn Bambenek
 

Empfohlen

BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...Andrew Morris
 
GreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseGreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseAndrew Morris
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012Andrew Morris
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Andrew Morris
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...Andrew Morris
 
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Andrew Morris
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicJulia Yu-Chin Cheng
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoDefcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoJohn Bambenek
 
Honeypots for Active Defense
Honeypots for Active DefenseHoneypots for Active Defense
Honeypots for Active DefenseGreg Foss
 
The Background Noise of the Internet
The Background Noise of the InternetThe Background Noise of the Internet
The Background Noise of the InternetAndrew Morris
 
The Honeynet Project Introduction
The Honeynet Project IntroductionThe Honeynet Project Introduction
The Honeynet Project IntroductionJulia Yu-Chin Cheng
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?Zoltan Balazs
 
ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleJohn Bambenek
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksDefending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksEC-Council
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionGreg Foss
 
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...BlueHat Security Conference
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston HeckerEC-Council
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 
How to stay protected against ransomware
How to stay protected against ransomwareHow to stay protected against ransomware
How to stay protected against ransomwareSophos Benelux
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat Security Conference
 
2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoringchrissanders88
 
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018Mender.io
 
"There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow""There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow"Christiaan Beek
 
Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?Aaron Lancaster
 
Corporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesCorporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesJohn Bambenek
 
Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseLuca Simonelli
 
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...PROIDEA
 
Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework
 
Top 10 Threats to Cloud Security
Top 10 Threats to Cloud SecurityTop 10 Threats to Cloud Security
Top 10 Threats to Cloud SecuritySBWebinars
 

Weitere ähnliche Inhalte

Was ist angesagt?

Honeypots for Active Defense
Honeypots for Active DefenseHoneypots for Active Defense
Honeypots for Active DefenseGreg Foss
 
The Background Noise of the Internet
The Background Noise of the InternetThe Background Noise of the Internet
The Background Noise of the InternetAndrew Morris
 
The Honeynet Project Introduction
The Honeynet Project IntroductionThe Honeynet Project Introduction
The Honeynet Project IntroductionJulia Yu-Chin Cheng
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?Zoltan Balazs
 
ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleJohn Bambenek
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksDefending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksEC-Council
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionGreg Foss
 
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...BlueHat Security Conference
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston HeckerEC-Council
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 
How to stay protected against ransomware
How to stay protected against ransomwareHow to stay protected against ransomware
How to stay protected against ransomwareSophos Benelux
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat Security Conference
 
2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoringchrissanders88
 
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018Mender.io
 
"There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow""There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow"Christiaan Beek
 
Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?Aaron Lancaster
 
Corporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesCorporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesJohn Bambenek
 
Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseLuca Simonelli
 
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...PROIDEA
 

Was ist angesagt? (20)

Honeypots for Active Defense
Honeypots for Active DefenseHoneypots for Active Defense
Honeypots for Active Defense
 
The Background Noise of the Internet
The Background Noise of the InternetThe Background Noise of the Internet
The Background Noise of the Internet
 
The Honeynet Project Introduction
The Honeynet Project IntroductionThe Honeynet Project Introduction
The Honeynet Project Introduction
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
 
ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at Scale
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksDefending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael Banks
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement Detection
 
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston Hecker
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 
How to stay protected against ransomware
How to stay protected against ransomwareHow to stay protected against ransomware
How to stay protected against ransomware
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
 
2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring2018 - Using Honeypots for Network Security Monitoring
2018 - Using Honeypots for Network Security Monitoring
 
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
 
"There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow""There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow"
 
Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?
 
Corporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesCorporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing Felonies
 
Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and Defense
 
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
 

Ähnlich wie Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams

Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework
 
Top 10 Threats to Cloud Security
Top 10 Threats to Cloud SecurityTop 10 Threats to Cloud Security
Top 10 Threats to Cloud SecuritySBWebinars
 
Ransomware-Recovery-as-a-Service
Ransomware-Recovery-as-a-ServiceRansomware-Recovery-as-a-Service
Ransomware-Recovery-as-a-ServiceSagi Brody
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisJason Trost
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Akash Mahajan
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself Alert Logic
 
Fighting cyber fraud with hadoop
Fighting cyber fraud with hadoopFighting cyber fraud with hadoop
Fighting cyber fraud with hadoopNiel Dunnage
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)Aj Maurya
 
110307 cloud security requirements gourley
110307 cloud security requirements gourley110307 cloud security requirements gourley
110307 cloud security requirements gourleyGovCloud Network
 
Crypto Miners in the Cloud
Crypto Miners in the CloudCrypto Miners in the Cloud
Crypto Miners in the CloudTeri Radichel
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?Nathan Van Gheem
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion DetectionAPNIC
 
Compliance made easy. Pass your audits stress-free.
Compliance made easy. Pass your audits stress-free.Compliance made easy. Pass your audits stress-free.
Compliance made easy. Pass your audits stress-free.AlgoSec
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDocker, Inc.
 

Ähnlich wie Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams (20)

Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security Threats
 
Top 10 Threats to Cloud Security
Top 10 Threats to Cloud SecurityTop 10 Threats to Cloud Security
Top 10 Threats to Cloud Security
 
Ransomware-Recovery-as-a-Service
Ransomware-Recovery-as-a-ServiceRansomware-Recovery-as-a-Service
Ransomware-Recovery-as-a-Service
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
 
Ccna sec 01
Ccna sec 01Ccna sec 01
Ccna sec 01
 
Botnets Attacks.pptx
Botnets Attacks.pptxBotnets Attacks.pptx
Botnets Attacks.pptx
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
 
Fighting cyber fraud with hadoop
Fighting cyber fraud with hadoopFighting cyber fraud with hadoop
Fighting cyber fraud with hadoop
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)
 
110307 cloud security requirements gourley
110307 cloud security requirements gourley110307 cloud security requirements gourley
110307 cloud security requirements gourley
 
Crypto Miners in the Cloud
Crypto Miners in the CloudCrypto Miners in the Cloud
Crypto Miners in the Cloud
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
 
Compliance made easy. Pass your audits stress-free.
Compliance made easy. Pass your audits stress-free.Compliance made easy. Pass your audits stress-free.
Compliance made easy. Pass your audits stress-free.
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at Netflix
 

Kürzlich hochgeladen

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 

Kürzlich hochgeladen (20)

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 

Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams

  • 1. Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams Andrew Morris @andrew___morris andrew@greynoise.io
  • 2. • Thank you ACoD! • Founders • Committee • Staff • Attendees
  • 3. About Me Andrew Morris Founder, interim CEO @ GreyNoise Intelligence Previously: - Endgame R&D - Intrepidus (NCC Group) - KCG (ManTech) Twitter: @andrew___morris Email: andrew@greynoise.io
  • 4. Agenda • What is GreyNoise • Background • Research Questions • Qualifiers • Methodologies 1-4 • Results • Recommendations
  • 5. About GreyNoise GreyNoise is a gigantic system of globally-distributed passive collector sensors that monitor, analyze, and contextualize Internet-wide background scan and attack traffic. GreyNoise processes tens of millions of packets from hundreds of thousands of IPs every day Security professionals use GreyNoise to filter noisy alerts, identify compromised devices, and observe emerging threats. Learn more at https://greynoise.io or explore the data at https://viz.greynoise.io/
  • 6. GreyNoise Examples (benign) • Cliqz • ShadowServer.org • Riddler.io • BinaryEdge.io • FindMalware • Quadmetrics.com • Stretchoid.com • CCBot • Internet Census • Stanford University • Brown University • CheckMarkNetwork • Mojeek • Cambridge Cybercrime Centre • Moz DotBot • Net Systems Research • Uptime.com • PDRLabs.net • Ruhr-Universitat Bochum • MJ12bot • A10 Networks • Baidu Spider • CompanyBook • Sogou • PingZapper • ipip.net • CyberGreen • Qwant • ExposureMonitoring • IBM oBot • University of Michigan • Team Cymru • Panscient • MauiBot • Facebook NetProbe • Archive.org • RWTH AACHEN University • Shodan.io • SiteExplorer • Kudelski Security • Project Sonar • SEMrush • ProbeTheNet.com • University of California Berkeley • Project25499 • Intrinsec • LoSec • DomainCrawler • BingBot • GoogleBot • DataProvider • Yandex Search Engine • Statastico • Censys • Cloud System Networks • DomainTools • Mail.RU • Talaia • Ampere Innotech • aiHit • ONYPHE • Ahrefs • OpenLinkProfiler • NetCraft • University of New Mexico • Seznam • Coc Coc • SafeDNS • Pingdom.com
  • 7. GreyNoise Examples (malicious) • Eir D1000 Router Worm • D-Link 850L Worm • MSSQL Bruteforcer • Realtek Miniigd UPnP Worm CVE-2014-8361 • ZmEu Worm • Telnet Worm • Jboss Worm • D-Link 2750B Worm • PHP Worm • Apache Struts CVE-2017-5638 Worm • Mailbox Bruteforcer • Looks Like RDP Worm • Belkin N750 Worm CVE-2014-1635 • D-Link DSL-2640U DNS Hijack Vulnerability • EquationGroup Eternal/MS17-010 • Compromised Raspberry Pi • Oracle WebLogic CVE-2017-10271 Worm • HTTP PUT Uploader • Looks Like Conficker • Generic Windows Worm • Open Proxy Scanner • ADB Worm • Eternal MS17-010 • PHP InvokeFunction Attacker • IIS WebDAV Remote Code Execution CVE- 2017-7269 • Mikrotik CVE-2018-14847 Worm • Windows RDP Cookie Hijacker CVE-2014- 6318 • Zyxel OS Command Injection CVE-2017-6884 • VNC Bruteforcer • CHINANET SSH Bruteforcer • SSH Worm • PHPMyAdmin Worm • Wordpress Worm • Huawei HG532 UPnP Worm CVE-2017-17215 • Wordpress XML RPC Worm • Postgres Bruteforcer • Avtech IP Camera Worm • Hadoop Yarn Worm • Unknown Linux Worm • FTP Bruteforcer • GPON CVE-2018-10561 Router Worm • Mirai • Looks Like EternalBlue • Embedded Device Worm • D3c3mb3r Botnet • Linksys E-Series TheMoon Router Worm • Unauthenticated Redis Worm • Drupal CVE-2018-7600 Worm • CGI Script Scanner • LINK-NET LW-N605R Worm CVE-2018-16752 • Asterisk Bruteforcer • Apache Struts CVE-2018-11776 Worm
  • 8. Background • There are many compromised devices around the Internet • A subset of these compromised devices become infected by exposing vulnerable services directly to the rest of the Internet • These services can be configured to accept default/easily guessable credentials or they can be unpatched and vulnerable to a large series of remote exploits • Botnets and bad guys constantly scan and crawl the Internet to find and infect these hosts with unsophisticated malware • Once infected, many of these compromised devices spread their malware to other hosts by opportunistically scanning for and attacking other similarly vulnerable devices around the Internet • This kind of activity is executed by a specific sub-category of botnet (Mirai, Satori, Muhstik, etc) • Most of the attacks an organization sees to the network perimeter originate from these devices
  • 9. Background (cont’d) • When a device becomes compromised inside of a cloud provider (such as AWS, Google Cloud, DigitalOcean, etc) it will often start to attack other hosts around the Internet • The cloud provider abuse contact will start to receive some signals that the devices is compromised: • Abuse complaint emails from other network administrators around the Internet • A large uptick in traffic to thousands or millions of destination IPs over protocols that are generally used by authentication (SSH, Telnet, etc) • Some period of time after the device is infected / attacking other servers around the Internet (without being remediated by the owner), the cloud hosting provider abuse team will decommission or quarantine the server
  • 10. Research Questions 1. How much time generally passes between a device in a cloud provider starting to attack other hosts around the Internet and for the activity to be remediated? 2. How much variance is there between different cloud hosting providers, such as Amazon AWS, Microsoft Azure, Google Cloud, DigitalOcean, etc? 3. How much variance is there internally on a given cloud hosting provider? 4. How many compromised devices are there in each cloud hosting provider?** 5. How long have is the longest “total compromised host time” of each provider? - …using compromised device data collected and labeled by GreyNoise ** This is a Dumb Question™️
  • 11. Goal • Walk away with an understanding of how different cloud providers handle compromised devices within their network • Walk away with an understanding of how to reproduce this research with your own data sources • Walk away with an understanding of GreyNoise
  • 12. Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams In other words…
  • 13. Qualifiers SHAME • This talk is not intended to shame anyone or compare what organizations are “better” or “worse” • We are measuring “response time”, not “effectiveness” Work sucks • Security is hard enough without some asshole telling you how to do your job Trust / Abuse / Fraud is hard • SOC / trust / abuse / fraud teams are INSANELY overworked • It’s a hard and thankless job • I have an ENORMOUS amount of respect for the folks who work these jobs Grace period • Every cloud provider has different internal policies on how long to wait until decommissioning or quarantining a customer server, as to not disrupt their business
  • 14. Qualifiers (cont’d) Collection Bias • There are many gaps in my methodology and it is by no means conclusive. This talk is one data point from one source Comparison • Cloud providers have different problems and different priorities than other hosting types (ISPs, corporate networks, telecommunications providers) Customer != Corporate • These devices are not located in any of these organization’s corporate networks CYA • This talk is in no way a reflection of these organization’s security posture. It is a set of observations based on a specific set of data.
  • 15. Data sources • Infection status – GreyNoise • Cloud provider ranges – IPinfo.io • Cloud provider sizes – IPinfo.io • I love IPinfo.io with all of my heart
  • 16. Subjects • Amazon AWS • Google Cloud • DigitalOcean • Microsoft Azure • Oracle Cloud • Rackspace • Linode • IBM Softlayer • Vultr • Tencent • Ali Cloud • OVH • SingleHop • CenturyLink
  • 17. Methodology 1: Pure quantity** • How many unique compromised IPs are there inside a given cloud hosting provider? • Over a four (4) month sample • This is a really, really, really stupid way to gauge anything • This breaks down when “size” is taken into consideration • A larger cloud hosting provider will simply have more compromised devices • E.g. if Google Cloud has 100 compromised devices (out of ten million customer machines) that’s very little • If a small cloud hosting provider with 1024 IPs has 100 infected devices, that’s *really* bad • Recreate: $ gnql $org classification:malicious | jq '.count'
  • 18. Methodology 1** (this is a bad metric)
  • 19. Large ISPs for scale
  • 20. • Amazon: 2176 • DigitalOcean: 5465 • Vultr: 1677 • Google: 900 • Microsoft Corporation: 837 • Oracle: 540 • Rackspace: 79 • Linode: 251 • Softlayer: 192 • Tencent: 4846 • Alibaba: 292 • OVH: 2310 • SingleHop: 27 • CenturyLink: 736 Compromised IPs observed by GreyNoise over a four (4) month sample
  • 21. Methodology 2: Ham-fisted cumulative time** • What is the total time (in hours) between the time GreyNoise first and last saw all infected IPs in a given cloud hosting provider? • This is also a really, really bad way to measure anything • Breaks down when size is taken into consideration • Also breaks down when you take IP recycling into consideration • IP re-use between accounts • IP recycling between “known good” Internet scanners (Shodan, BinaryEdge) and briefly infected devices • Multiple infections on the same host over a long period of time (the “state” of “infectedness”)
  • 22. Methodology 2** (this is a less bad metric but is still pretty bad)
  • 23. Total time (in hours) between the time GreyNoise first and last saw all infected IPs in a given cloud hosting provider? • Amazon : 652.42 • DigitalOcean : 648.64 • Vultr : 1060.51 • Google : 447.66 • Microsoft Corporation : 490.80 • Oracle : 1991.11 • Rackspace : 2694.37 • Linode : 578.67 • Softlayer : 910 • Tencent : 1835.27 • Alibaba : 1186.23 • OVH : 2048.07 • SingleHop : 1265.77 • CenturyLink : 1139.16
  • 24. Methodology 3: Cumulative “infected” time (adjusted) • How many cumulative “state of infected” hours (per 10,000 IPs) are there for a given cloud hosting provider? • Get all IPs that have ever been infected inside a given cloud provider • Use GreyNoise to find the exact time ranges they were infected • Account for time interval overlap (this was a lot harder than I thought it would be) • Add all of the hours together • Get total size of Cloud provider, in IPs (using IPinfo.io) • This is harder for some providers than others • This is also not accurate, but it’s better than nothing • Divide hours by total IPs/10,000 • This breaks down because it makes smaller, busier hosting providers look slower and positively biases gigantic hosting providers (by dividing their “hour” amount by a huge number)
  • 25.
  • 26.
  • 27.
  • 28. Cumulative Compromised Hours / (Total IPs / 10,000) • Amazon : 174370 / 2945 = 59.20 • DigitalOcean : 1305470 / 55 = 23735.81 • Vultr : 199017 / 28 = 7107.75 • Google : 100252 / 243 = 412.55 • Microsoft Corporation : 131239 / 1302 = 100.79 • Rackspace : 18653 / 135 = 138.17 • Linode : 7598 / 26 = 292.23 • Softlayer : 14428 / 190 = 75.93 • Tencent : 1405329 / 26 = 54051.11 • Alibaba : 41859 / 20 = 9586.62 • OVH : 1342128 / 140 = 9586.62 • SingleHop : 2025 / 26 = 77.88
  • 29. Methodology 4: Average time-to-close of an infected host • What is the average amount of time between a machine getting infected (and attacking other hosts) and the infection being remediated (no longer attacking other hosts) • Find and average intervals of time (in hours) between attacks starting and stopping • Problem: Just because the machine stops attacking other hosts does not mean it is no longer infected • This is equally evident to GreyNoise and the hosting provider itself
  • 30.
  • 31. Average Time-To-Close (hours) • Amazon : 40.92 • DigitalOcean : 118.12 • Vultr : 51.63 • Google : 66.46 • Microsoft_Corporation : 82.74 • Oracle : 107.76 • Rackspace : 78.29 • Linode : 17.48 • Softlayer : 34.73 • Tencent : 95.58 • Alibaba : 31.04 • OVH : 232.29 • SingleHop : 28.16 • CenturyLink : 19.21
  • 32. Bonus Metric • How many devices are compromised in each provider right now? $ gnql metadata.organization:whatever classification:malicious last_seen:>=2019-01-29 | jq .count
  • 33.
  • 34. Recommendations • Be proactive • Use third-party threat intelligence feeds to identify compromised hosts in your environment • Trust (believable) abuse complaint reports • Scrutinize hosts that receive a large amount of abuse complaints • Ignore reports that come from people who complain when the receive a single port scan • Start with strict firewall controls • Deny any inbound traffic beyond what is necessary and force the user to whitelist additional services • Consider vulnerability scanning your own environment and relaying concerning results to your customers • Google and Vultr do this • [SHAMELESS SELF PLUG] Ask me about the GreyNoise Cloud Trust Alliance program

Hinweis der Redaktion

  1. Please raise your hand if you’ve heard of GreyNoise before Please raise your hand if you’ve used GreyNoise before
  2. ISPs are…… way worse