Final set of Black Hat 2016 presentation notes.
Dns DDOS Overview
- Open DNS resolvers
- Dns amplifiers: legit / purpose-built
- Spoofing sending IP address (of victoms)
DnsSEC: small i/P request generates response
- Filter spoofed sending addresses
- Disarm amplifiers (so that they will not send huge responses)
- Close open resolvers.
High spikes of unique domain names on Internet
Eg blackhat.com has 3 legit subdomains
Attacker generates queries to undefined domain names eg XXYK.blackhat.com Is allowed in the Dns spec.
2011/12 attack used against gaming sites.NXD
Initially China only.
Now aimed at high-value targets. Eg 200M unique subdomain queries aimed at one site. Kills Dns servers for site.
Kinds of strings used
- Fixed /varying length
- Time stamps
- Random strings, numbers
- Dictionary words
- Left most
- 2cd left most
- 3rd left most
- Single subdomain string
- Multiple subdomain strings
- Attacks tgt domain’s author. Dns servers
- Subdomain generator
- (optional) Open resolvers
- (optional) Spoofing sending addr
- Dns server can serve more than 1 domain, idem for resolvers. Major ISP may be taken down by small-scale subdomain attack. Easy to do.
- Drop queries with random strings
- Rate limit queries with random strings
- Limit queries per IP address
- Limit queries per domain
- Drop queries per domain.
Dns protocol abuse
- Dns cache poisoning
- Dns changer: Trojan changes Dns server on victim user computer.
- Dns amplification
- Dns subdomain
- Dns tunneling.
Analysis of the attack surface of Win 10 virtualization
Look at whitepaper for details.
VTL0 subject to restrictions: EPT table under hypervisor control
Credential Guard: goal is to prevent PTH attack. Credentials stored in secure VM. Mimikatz blocked.
- CG Scenario 1: No hardening, just enabled in GPO.
- Exposes RPC API
- API call exposes plaintext credentials, can give NTLM response to encrypted blob + NTLM challenge
- So cleartext creds protected. But
- while user is logged in, is automatically. Attacker as well.
- Also if attacker collects encrypted blob, can still login as user after user logs off.
- Demo to show this!
- Problem Credentials during logon
- Keylogger can capture pwd during login.
- Idem for smartcard
- CG scenario 2 to solve problem of creds during login. Extra key used to protect plaintext creds during login
- Attacker can still collect encrypted pwd hashes + authenticate as user until reboot.
- So is an improvement but not bullet-proof.
- No hypervisor compromise. Just root partition compromise.
VBS-enforced code integrity
Trusted code (in VTL1) agrees to grant execute rights in EPT tables only for pages storing signed code.
Problem: Mixed signed / unsigned code
- Usual config: unsigned usermode allowed, unsigned kernelmode denied
- Problem: code starts in usermode, jumps to C, allowed. Code switches to kernelmode + jumps to C: still allowed????
- Sln: separate EPT tables for each mode
Kernel HVCI and kernel exploits
- ROP code
- Cannot hook kernel code directly
- Data-only exploits, ROP will work
- MS16-066: found RWX pages lying around in memory that can be reused to bypass HVCI
Weird threat model with VBS: Hypervisor running untrusted VM
- Without VBS
- Need Secureboot, other firmware protections to protect hypervisor
- With VBS
- more code exposed in root partition, since root partition untrusted
- access to almost all physical memory range, idem physical I/O ports
- S3 sleep can be compromised if firmware vulnerable (circa 2014)
- S4 sleep: hiberfile encrypted with key stored either in TPM or cleartext UEFI partition.
Highly privileged mode of CPU, unrestricted by hypervisor
Firmware vendors pack lots of function in SMM
SMM however tends to be buggy.
SMM vulns can be used to compromise hypervisor, also secure boot.
Eg Thinkpwm UEFI exploit
VBS is useful. Need VTd TPM, secureboot.
SMM vulns the greatest threat.
Hardening AWS Environments / Automating Incident Response
Boeing Security people
Presented in suits + ties!!!
4 tools presented
Risks to minimize
AWS access Keys compromised
- Configuration file with AWS keys published to GitHub
- Developer creates EC2 instance to run jobs. Stores access key on EC2 instance which is then compromised.
More serious attacks:
- cross-over to corporate Intranet via VPC
- access bkp repo of all AWS access keys.
AWS tools to automate IR workflow
Leverage AWS services:
- CloudWatch: billing, service use
- CloudTrail: AWS logging
- Simple Server Management to automate spin up
- Spin up infosec IR instance for acquisition, evidence acquisition
- IAM roles confusing. Need to plan role architecture, audit use
- Use generic roles with no IAM privilege
- Automate AWS auditing / compliance tool: AWS Config
- Can give timeline of all changes to an instance
- Records configs after instance terminated
- State-based rule engine for compliance
- AWS Lambda for immediate remediation automation
- SEC308 Wrangling security events in the cloud (last year)
- Access Advisor
- Revision of IAM use vs policies
- Auditing of IAM
Their new custom tools
- Key Compromise: Look for AWS access key compromise, and disable it across all the instances.
- Host-based Compromise:
- Username, IP address, access key are I/P.
- Pulls down all AWS regions for quick search for given instance.
- Quarantine instance to stop egress + limit access to I/R workstation.
- Create S3 bucket for all forensic data acquisition.
- Snapshot all volumes.
- Grab instance memory.
- Grab logs / screenshot console.
- Then powers instance down and deletes it. Attn: will do same to all autoscale hosts in a group.
- Memory acquisition: steps:
- ssh into compromised system.
- Figures out whether kernel module is from their warehouse. LIME parallelized execution.
- Streams memory into S3 bucket.
- Runs on YAML file for multiple instance acquisition. Wow!
- Run on Docker container.
- Kernel Module warehouse:
- Ruby drives docker.
- Backend is an S3 of all potential LIME modules for all kernel versions.
- They will host a public version. Or can build a private one.
- AMI forensic workstation: + IR tool to create workstation. Docker-based Volatility. Timeline creation automated with S3 buckets + Docker containers. Can scale horizontally to multiple instances. TimeSketch.
- Advice: configuration settings to harden. Open-source replacement for Trusted Advisor product.
Year in Flash
- Worth looking at the slides
- The speaker was responsible for a lot of the Flash vulns reported.
DPTrace – dual-purpose trace for exploitability analysis of pgm crashes
The presenters’ work is not related to their jobs at Intel. They don’t work for Mcafee/Intel either.
Do backwd taint (“does attacker have ctl”) and fwd analysis (“anything useful can be done”) to semi-automate exploit development.
AI Approach to Malware Similarity Analysis
Invincealabs → doing a lot of AI work
Triage, detection, who hacked the PC → all require malware similarity analysis
AI to deal with volume of data.
Intelligence thru similarity
- Identify threat actors
- Quickly understand fn, RE thru similar samples
- Mitigation approaches.
How to find similar malware in the huge database of malware
- Features: byte n-grams, system calls, printable strings, opcode n-grams
- Attribute extraction → Attribute Map (Embedding) + (Similarity search thru attribute space)
➔ The basic challenge: Given set of attributes, how do we create a good “map”?
- Variational autoencoder
- Balances 2 conflicting ideas: only 1 malware factory but needs to cluster malware families.
- Squeezes out “secret sauce” because useless attributes are dropped to get to one “factory”. NB ones are kept in order to cluster.
- Basic fn:
- Encoder to transform original feature set into “better” map
- Add random noise
- Embedding into map.
- Decode to see how did
- Supervised approach to check prediction against labelled data.
- Result: Even with Invincea Neural Net Virus classification, this approach produced even better results.