3. OUTLINES
• General Security Problems
• What needs to be handled to secure IT computer networks
• Computer Systems, Hardware, Software, Data
• Detections
• Tactics, Techniques and Common Knowledge
4. GENERAL SECURITY PROBLEMS
1. Authenticity
• Multifactor. Should include a hardware-supported factor. E.g. Taiwan ID cards with weak random number generation.
• Mutual Authentication: e.g. may help prevent phishing
• FIDO: Strong Authentication Standard. U2F: Universal Second Factor (Yubico)
• Zero Trust
2. Authorization / Access Control
• Very widely applied to Principals and Resources
• Separate Networks. Classified Networks.
• Role-based Principals
• OS: Ring 0 – Ring 3
5. GENERAL SECURITY PROBLEMS
3. Confidentiality
• Reduce protecting TBs to protecting thousands of bits
• Following Encryption Standards. Crypto Agility
• Key Management is Vital. Hardware Security Module (HSM)
4. Integrity and Non-repudiation
• Signatures and Authenticated Encryption
• Code Signing: Signing process needs to be carefully protected. E.g. CCleaner AV. Flame.
• You can say Blockchain belongs to cybersecurity
• Side effect: Non-deniability and accountability. E.g. Signing off on releasing software
5. Availability
• DDOS
• Build efficient software: CPU, RAM, Network
• Data Replication and Backup
6. GENERAL SECURITY PROBLEMS
6. Monitoring and Auditing
• High Quality Data Collection: Wide Variety but Not too much
• About Processes, Users, Network, Protocols, Registries, Files, Services,
Permissions
• “CCTV” Cameras to Record and Replay
7. Detection
• Data Analysis to find intrusion alerts. Good data collection means good
detection
• Rule-based and Machine Learning
7. GENERAL SECURITY PROBLEMS
8. Investigation
• From alerts, find intrusion scope, timeline, approaches and signatures
• Track the intrusion spans: malicious user logons, C&C connections…
• Search, correlate and analyze on Memory, Files and other data
9. Response
• From Investigation results, find a good plan to quickly clean up the IT
network
• Isolate, suspend and stop malicious endpoints, users, processes,
binaries, network traffic
10. Remediation and Prevention
• Measures, policies and rules to prevent similar attacks
8. SECURITY DESIGN PRINCIPLES
Principle: Explanation
• Open design: Assume the attackers have the sources and the specs.
• Fail-safe defaults: Fail closed; no single point of failure.
• Least privilege: No more privileges than what is needed.
• Economy of mechanism: Keep it simple.
• Separation of privileges: Don’t permit an operation based on a single condition.
• Total mediation: Check everything, every time.
• Least common mechanism: Beware of shared resources.
• Psychological acceptability: Will they use it?
9. DETECTIONS
• All about https://attack.mitre.org/wiki/Technique_Matrix
• The Attack Dictionary
10. ESCALATION OF PRIVILEGE (EOP)
• Attackers exploit bugs to raise their privilege level, such as from user
to system
• MITRE says “Detecting software exploitation may be difficult”
• But detection is possible with 100% accuracy, no FP or FN,
based on security permission data
11. CREDENTIAL DUMPING
• Harvesting passwords
• Tools: mimikatz, gsecdump
• With System level, open lsass.exe process to decrypt and read
passwords
• Detection is highly accurate
12. LSA PACKAGES
• Windows Security Support Provider (SSP) DLLs are loaded into the
Local Security Authority (LSA) process, then have access to passwords
• Modify some Registries to add new SSPs
• Detection by monitoring these Registries
• HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
• HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
• HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
• HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages
13. CHANGE DEFAULT FILE ASSOCIATION
• File association selections are stored and edited in the Windows
Registry
• Modify the file association to call an arbitrary program for a file
extension
• Detection when the default File Association registry key is
modified
[HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
14. FILE SYSTEM PERMISSIONS WEAKNESS
• When processes execute binaries with improperly set permissions, the
binary may be overwritten with another binary using lower level
permissions
• The replaced binary will also execute under higher level permissions,
which could include SYSTEM. This technique can also be used for
persistence.
• Service binary replacement and Installers loading from weakly-ACL'd
directories.
• Detection when a process running at high privilege loads a binary
that is ACL'd to allow low privilege user tampering.
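The detection in the last bullet, as an added example (not code from the original slides): it parses each loaded binary's DACL in SDDL form and alerts when a high-privilege process loads a file that a low-privilege trustee can modify. The event tuples, paths and SDDL strings are constructed, and evaluating each trustee on its own (ignoring group membership) is a simplifying assumption.

```python
import re

# Bits that let a principal replace or re-permission a file (write, append, DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_ALL/WRITE).
TAMPER_BITS = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000
RIGHTS = {"FA": 0x1F01FF, "FW": 0x120116, "FR": 0x120089, "FX": 0x1200A0, "GA": 0x10000000, "GW": 0x40000000,
          "GR": 0x80000000, "GX": 0x20000000, "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000}
LOW_PRIV = {"WD", "AU", "BU", "IU"}  # Everyone, Authenticated Users, Users, Interactive
HIGH_PRIV = {"System", "High"}       # integrity levels treated as high privilege (assumption)

def access_mask(rights):
    """SDDL rights field (hex, or concatenated two-letter codes) -> access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= RIGHTS.get(code, 0)  # codes not listed in RIGHTS add no bits
    return mask

def tamperable_by(sddl):
    """Return {trustee: tamper bits granted} for low-privilege trustees, walking ACEs in order."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    granted, denied = {}, {}
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, _, _, trustee = ace.split(";")[:6]
        if trustee not in LOW_PRIV or "IO" in re.findall("..", flags):
            continue  # other trustee, or inherit-only ACE that does not apply to this file
        mask = access_mask(rights) & TAMPER_BITS
        if ace_type == "D":
            denied[trustee] = denied.get(trustee, 0) | mask
        elif ace_type == "A":
            granted[trustee] = granted.get(trustee, 0) | (mask & ~denied.get(trustee, 0))
    return {t: m for t, m in granted.items() if m}

def detect(image_loads, sddl_of):
    """Alert when a high-privilege process loads a binary that low-privilege users can modify."""
    hits = [(proc, path, sorted(tamperable_by(sddl_of[path]))) for proc, il, path in image_loads if il in HIGH_PRIV]
    return [h for h in hits if h[2]]

# Constructed sample data (not real telemetry): DACL per binary, then (process, integrity, image) loads.
SDDL = {
    r"C:\Program Files\Vendor\svc.exe": "O:BAG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)",
    r"C:\Tools\agent\helper.dll": "O:BAG:SYD:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1301bf;;;AU)",
    r"C:\Tools\agent\cfg.dll": "O:BAG:SYD:(A;;FA;;;SY)(A;OICIIO;GA;;;BU)(A;;FRFX;;;BU)",
}
LOADS = [("svc.exe", "System", r"C:\Program Files\Vendor\svc.exe"),
         ("svc.exe", "System", r"C:\Tools\agent\helper.dll"),
         ("notepad.exe", "Medium", r"C:\Tools\agent\helper.dll"),
         ("svc.exe", "System", r"C:\Tools\agent\cfg.dll")]
print(*detect(LOADS, SDDL), sep="\n")
```

Only the SYSTEM load of helper.dll alerts: Authenticated Users hold Modify (0x1301bf) on it, while the inherit-only GA entry on cfg.dll does not apply to the file itself.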
15. ACCESSIBILITY FEATURES
• Windows contains accessibility features launched with a key
combination before user logon. An adversary can use it to get a
command prompt or backdoor without logon.
• In recent Windows, the replaced binary needs to be signed for x64,
must reside in %systemdir%... The debugger method is a
workaround.
• Detection by Monitoring Registries within
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
16. DISABLING SECURITY TOOLS
• Killing security software or event logging processes, deleting
Registry keys…
• Build tamper-resistant security software
• Detection by Deception/Traps of Security Software
17. FILE DELETION
• Adversaries may remove malware and tools to clean up their footprint
• Should preserve a copy of every binary that was loaded by any
process on any system
• The copies can go to a Binary Analysis Pipeline (BAP) to assign a
suspicion score to each.
• And be downloaded by any customer.
18. APPINIT DLLS
• For persistence, DLLs specified in the AppInit_DLLs value in
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
are loaded by user32.dll into every process that loads user32.dll.
• Detection where an application has modified the AppInit DLL
registry settings.
19. BYPASS USER ACCOUNT CONTROL (UAC)
• UAC lets a program elevate privileges to perform a task under
administrator-level permissions by prompting the user for confirmation.
• Bypass e.g. rundll32.exe loads a specifically crafted DLL which loads
an auto-elevated COM object and performs a file operation in a
protected directory. Or malicious software may also be injected into a
trusted process to gain elevated privileges without prompting a user.
• Detection by tracking the state of each process token and reporting any
token changes, e.g. unexpected Integrity Level (IL) change from
Medium to High
20. COMPONENT OBJECT MODEL HIJACKING
• Adversaries can use this system to insert malicious code that
can be executed in place of legitimate software through
hijacking the COM references and relationships as a means for
persistence.
• Hijacking a COM object requires a change in the Windows
Registry to replace a reference to a legitimate system
component.
• Detection by monitoring Registries of COM, such as Icon
Overlay Handler.
21. LOCAL PORT MONITOR
• A port monitor can be set through the AddMonitor API call to set a
DLL to be loaded at startup. This DLL will be loaded by the print
spooler service, spoolsv.exe. Or, an arbitrary DLL can be loaded by
writing its pathname to
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.
• The spoolsv.exe process also runs under SYSTEM level permissions.
• Detection by monitoring registry keys under
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
• Better, Detection highlights any unknown, new, or suspicious Print
Spooler service DLL image loads
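The registry-monitoring detections on the LSA Packages, Change Default File Association, Accessibility Features, AppInit DLLs and Local Port Monitor slides can share one watchlist. This is an added example, not code from the original slides; the event format (writer image plus full value path) and the sample events are constructed.

```python
import re

# Registry locations named on the slides; value None = watch every value under the subtree.
WATCHLIST = [
    ("LSA packages", r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "Authentication Packages"),
    ("LSA packages", r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "Notification Packages"),
    ("LSA packages", r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "Security Packages"),
    ("LSA packages", r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig", "Security Packages"),
    ("File association", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts", None),
    ("Accessibility features", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options", None),
    ("AppInit DLLs", r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows", "AppInit_DLLs"),
    ("Local port monitor", r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors", None),
]
HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu", "hkey_users": "hku"}

def normalize(path):
    """Canonical form: lower case, short hive, HKU\\<SID> -> HKCU, ControlSetNNN -> CurrentControlSet."""
    parts = [p for p in path.strip().lower().split("\\") if p]
    parts[0] = HIVES.get(parts[0], parts[0])
    if parts[0] == "hku" and len(parts) > 1 and parts[1].startswith("s-1-"):
        parts[:2] = ["hkcu"]
    return "\\".join("currentcontrolset" if re.fullmatch(r"controlset\d{3}", p) else p for p in parts)

def classify(target):
    """Return the technique label when a registry value write hits the watchlist, else None."""
    target = normalize(target)
    for technique, key, value in WATCHLIST:
        key = normalize(key)
        hit = target.startswith(key + "\\") if value is None else target == key + "\\" + value.lower()
        if hit:
            return technique
    return None

def detect(events):
    """Return (technique, writer image, target) for each watched modification."""
    hits = [(classify(target), image, target) for image, target in events]
    return [h for h in hits if h[0]]

# Constructed sample events (writer image, full value path); not real telemetry.
EVENTS = [
    (r"C:\Temp\setup.exe", r"HKLM\SYSTEM\ControlSet001\Control\Lsa\Security Packages"),
    (r"C:\Windows\System32\svchost.exe", r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse"),
    (r"C:\Temp\setup.exe", r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\UserChoice\ProgId"),
    (r"C:\Temp\setup.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example.exe\Debugger"),
    (r"C:\Windows\System32\spoolsv.exe", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler"),
]

if __name__ == "__main__":
    for technique, image, target in detect(EVENTS):
        print(f"ALERT [{technique}] {image} wrote {target}")
```

Normalizing before matching matters because the same key can be reported with a long or short hive name, under a numbered control set, or under a per-user SID hive.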
Editor's notes
Identity card: Taiwan ID card cases with a weak random number generator. It is very difficult to get security right in every aspect.
The signing process needs to be carefully protected. A recent example:
CCleaner, where the Chinese hacked an AV company and trojaned their software, which gets pushed out to millions of customers.
A subsidiary was hacked through TeamViewer; they had TeamViewer on the build server.
Flame attack: MD5 collision.
Signing documents. PKI.
Repudiation. MS: an employee card contains key pairs to sign various documents for the employee, for the team, for products…, such as publishing products.
1. Open design – Baran (1964) argued persuasively in an unclassified RAND report that secure systems, including cryptographic systems, should have unclassified designs. This reflects recommendations by Kerckhoffs (1883) as well as Shannon’s maxim: “The enemy knows the system” (Shannon, 1948). Even the NSA, which resisted open crypto designs for decades, now uses the Advanced Encryption Standard to encrypt classified information.
2. Fail-safe defaults – Figure 2 shows a physical example: outsiders can’t enter a store via an emergency exit, and insiders may only use it in emergencies. In computing systems, the safe default is generally “no access” so that the system must specifically grant access to resources. Most file access permissions work this way, though Windows also provides a “deny” right. Windows access control list (ACL) settings may be inherited, and the “deny” right gives the user an easy way to revoke a right granted through inheritance. However, this also illustrates why “default deny” is easier to understand and implement, since it’s harder to interpret a mixture of “permit” and “deny” rights.
3. Least privilege – Every program and user should operate while invoking as few privileges as possible. This is the rationale behind Unix “sudo” and Windows User Account Control, both of which allow a user to apply administrative rights temporarily to perform a privileged task.
4. Economy of mechanism – A simple design is easier to test and validate.
5. Separation of privilege – A protection mechanism is more flexible if it requires two separate keys to unlock it, allowing for two-person control and similar techniques to prevent unilateral action by a subverted individual. The classic examples include dual keys for safety deposit boxes and the two-person control applied to nuclear weapons and Top Secret crypto materials. Figure 3 (courtesy of the Titan Missile Museum) shows how two separate padlocks were used to secure the launch codes for a Titan nuclear missile.
6. Complete mediation – Access rights are completely validated every time an access occurs. Systems should rely as little as possible on access decisions retrieved from a cache. Again, file permissions tend to reflect this model: the operating system checks the user requesting access against the file’s ACL. The technique is less evident when applied to email, which must pass through separately applied packet filters, virus filters, and spam detectors.
7. Least common mechanism – Users should not share system mechanisms except when absolutely necessary, because shared mechanisms may provide unintended communication paths or means of interference.
8. Psychological acceptability – This principle essentially requires the policy interface to reflect the user’s mental model of protection, and notes that users won’t specify protections correctly if the specification style doesn’t make sense to them.