IoT Security
Mirai Revisited
Graphic: https://crimeshop.org/2017/08/02/internet-of-things-cybersecurity-improvement-act-finally-iot-security/
InfraGard
October 12, 2018
Clare Nelson, CISSP, CIPP/E
Contents
1. 2016 Mirai attack
2. Botnets, DDoS
3. Current state of Mirai and Mirai variants
4. How to detect and defend
5. September-October 2018 updates
• NISTIR Draft, Considerations for Managing
Internet of Things (IoT) Cybersecurity and
Privacy Risks
• California IoT Security Law
https://www.lexology.com/library/detail.aspx?g=8d4b1869-296d-4eaa-89b9-b4efb15adfcd
Botnets, DDoS
Botnets
Collection of internet-connected
devices that an attacker has
compromised
• Force multiplier for individual
attackers, cyber-criminal groups,
nation-states
• Disrupt or break into targets
systems
• Commonly used in DDoS attacks
• Collective computing power
o Send large volumes of spam
o Steal credentials at scale
o Spy on people and organizations
https://www.csoonline.com/article/3240364/hacking/what-is-a-botnet-and-why-they-arent-going-away-anytime-soon.html
https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
Mirai-infected devices
Distributed Denial of Service (DDoS)
https://www.incapsula.com/blog/how-to-identify-a-mirai-style-ddos-attack.html
Botnet
Attack Nodes
Many vectors
• Layer 3, 4, and 7 attacks
• DNS attacks
• IoT Botnets
• New attacks
2016 Mirai Attack
Mirai Attack
Targeted IoT devices
• Botnets
• High-visibility attacks
o Brian Krebs
o Dyn’s DNS platform
• Dyn affected many websites
o Twitter, SoundCloud, Airbnb, Spotify,
GitHub, HBO, Amazon, Reddit,
DirecTV
Mirai Timeline
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf
https://blog.radware.com/security/2018/09/defending-against-the-mirai-botnet/
• OVH = French cloud computing company
• CWMP = CPE WAN Management Protocol
• 620 Gbps (attack on Krebs on Security)
• 1.2 Tbps (attack on Dyn, reported peak)
• December 2017: 3 Americans plead guilty
Mirai Targets
IP cameras, DVRs, home routers
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf
Unsophisticated Dictionary Attack
Mirai and the Minecraft Connection
https://www.cbronline.com/news/mirai-botnet
https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/
• Mirai attacked Minecraft servers
o Minecraft servers, lucrative
o Gain Minecraft advantage
• Targeted OVH, Minecraft DDoS
mitigation tools (VAC)
• Not nation-state attackers
o 21-year-old Rutgers college student
o 2 friends
• 200,000-300,000 infections
• Peak 600,000 devices
• Used variety of traffic
Graphic: https://minecraft.net/en-us/
“Targeted an entire range of IP addresses—not just one
particular server or website—enabling it to crush a
company’s entire network”
Mirai Operation
• Mirai bots scan the IPv4 address space for
devices that run telnet or SSH
o Log in using dictionary of hardcoded IoT
credentials
• Bot sends the victim IP address and
credentials to a report server, which
asynchronously triggers a loader to infect
the device
• Infected hosts scan for additional victims
and accept DDoS commands from a C2
server
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf
Mirai Attack
https://www.incapsula.com/blog/how-to-identify-a-mirai-style-ddos-attack.htm
https://krebsonsecurity.com/tag/ddos-for-hire/
Brian Krebs:
A great deal of DDoS activity on the
Internet originates from so-called
‘booter/stresser’ services
• DDoS-for-hire services
• Allow unsophisticated users to launch
high-impact attacks
• Competition for profits in the
blatantly illegal DDoS-for-hire industry
Command and
Control Domains
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf
Top clusters by C2 domain
count
• Highly connected components
• Agile, long-lived
infrastructures in use by
botmasters
Mirai Variants, and Beyond
Mirai Variants
• Brian Krebs reported Mirai precursors
o Bashlite, Gafgyt, Qbot (2014), Remaiten, Torlus
• Satori, also known as Masuta, and DaddysMirai
include the original Mirai vectors but removed
the HTTP attack
• Orion is an exact copy of the original Mirai attack
table (and just like Mirai, has abandoned the
PROXY attack)
• Owari added two new vectors, STD and XMAS
https://www.zdnet.com/article/meet-torii-a-new-iot-botnet-far-more-sophisticated-than-mirai/
https://blog.radware.com/security/2018/09/defending-against-the-mirai-botnet/
https://krebsonsecurity.com/tag/ddos-for-hire/
Mirai Variants
https://blog.radware.com/security/2018/09/defending-against-the-mirai-botnet/
Many attackers were fighting for Telnet
access to IoT devices with traditional Mirai
• New variants were developed to find
additional methods of exploitation and
infection
• TR-064 exploits that were quickly added to
the code (and used to infect the endpoints
of service providers)
• 0-day exploit on Huawei routers in several
botnets
• Reaper botnet, which includes 10
previously disclosed CVEs.
CVE = Common Vulnerabilities and Exposures
• TR-064 is defined by the DSL Forum as part
of its Broadband suite.
• TR-064 describes a specific
implementation to be used for DSL CPE
LAN-side configuration.
• The management application can be a
software program or an installation CD
from the CPE vendor.
• It was developed by the DSL Forum based
on UPnP Device Architecture 1.0.
New Mirai Botnet Breed Taps Aboriginal Linux to
Spawn Across Devices
https://www.cbronline.com/news/mirai-botnet
The new variant has been created using an
open source project named Aboriginal Linux;
• Botnet compatible with an array of
architectures, devices
o IP cameras
o Routers
o Speakers
o Android-based devices
• Found an ARM7 Mirai variant running on
an Android 4.4 device, as well as a
variant on Debian ARM
Aboriginal Linux is a shell script that builds the smallest,
simplest Linux system capable of rebuilding itself from
source code. Aboriginal’s “elegant cross-compilation framework” gave Mirai new teeth
Torii (September 27, 2018)
• Sophistication “a level above anything we have seen before”
• Rich set of features for exfiltration of (sensitive) information
• Ability to persist
• Modular architecture capable of fetching and executing other
commands and executables
• Multiple layers of encrypted communication
• Can infect a wide range of devices
• Support for a wide range of target architectures, including MIPS,
ARM, x86, x64, PowerPC, SuperH, MC68000, and others
• Give credit to @VessOnSecurity, who actually tweeted about a
sample hitting his telnet honeypot last week
https://blog.avast.com/new-torii-botnet-threat-research
Infection chain starts with a Telnet attack on
the weak credentials of targeted devices
• Then execution of an initial shell script
Defense
Mitigation Strategies
IoT Challenges
• Limited IoT visibility
• Limited IoT control
• Limited IoT security manufactured in
• Increased attack surface
• Wide range of devices
• Many are consumer-managed
• Many have no interface
• Technical and regulatory challenges
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf
https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=006157&lang=EN
Graphic: https://www.theinquirer.net/inquirer/news/3036359/half-a-billion-iot-devices-in-the-office-vulnerable-to-dns-attacks-warns-armis
IoT Challenges
https://www.theinquirer.net/inquirer/news/3036359/half-a-billion-iot-devices-in-the-office-vulnerable-to-dns-attacks-warns-armis
https://www.tripwire.com/state-of-security/vert/practical-attacks-dns-rebinding/
Half a billion Internet of Things (IoT) enterprise devices
are susceptible to DNS “rebinding attacks” that give
remote attackers a way to get around firewalls and gain
access to vulnerable devices on a local network
DNS rebinding is a technique that turns a
victim’s browser into a proxy for attacking
private networks
• Attackers can change the IP associated with
a domain name after it has been used to
load JavaScript
• Since same-origin policy (SOP) is domain-
based, the JavaScript will have access to the
new IP
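The browser cannot tell that the domain now points at the device, but the device can: a rebinding request still carries the attacker's domain in the HTTP Host header. The handler below, an added example rather than code from the presentation, is the standard device-side defense, answering only requests addressed to the device's own hostnames or IP addresses and refusing everything else. The hostnames, addresses and port are assumptions for the example.

```python
"""Host-header allowlist for an IoT device's local web interface.

Added example, not code from the presentation.  After DNS rebinding the
page from attacker.example reaches the device's IP, but its requests
still say "Host: attacker.example"; a device that only serves requests
for its own name or address defeats the attack.  Names and addresses
here are assumptions for the example.
"""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer


def split_host(host_header: str) -> str:
    """Return the host part of a Host header, without port or IPv6 brackets.

    Returns "" for an empty or malformed value so the caller rejects it.
    """
    h = host_header.strip().lower()
    if h.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:8080
        end = h.find("]")
        return h[1:end] if end > 0 else ""
    if h.count(":") == 1:  # name:port or v4-address:port
        h = h.split(":", 1)[0]
    return h


def host_allowed(host_header: str, allowed_names, device_addrs) -> bool:
    """Accept only the device's own hostnames or its own IP addresses."""
    h = split_host(host_header)
    if not h:
        return False
    if h in {n.lower() for n in allowed_names}:
        return True
    try:
        own = {ipaddress.ip_address(a) for a in device_addrs}
        return ipaddress.ip_address(h) in own
    except ValueError:  # not an IP literal and not an allowed name
        return False


# Constructed device identity for the example.
DEVICE_NAMES = {"camera.lan", "localhost"}
DEVICE_ADDRS = {"192.168.4.12", "::1"}


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not host_allowed(self.headers.get("Host", ""), DEVICE_NAMES, DEVICE_ADDRS):
            # Wrong Host: refuse before touching any device function.
            self.send_error(421, "Misdirected Request")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"device admin page\n")


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

The allowlist has to include every name the device legitimately answers to (mDNS name, DHCP hostname, each interface address), otherwise the device's own app breaks; that inventory is the part that takes effort, the check itself is a few lines.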
IoT Challenges
• IoT security must evolve away from default-open ports to
default-closed and adopt security hardening best practices
• Devices should consider default networking configurations
that limit remote address access to those devices to local
networks or specific providers
• Apart from network security, IoT developers need to apply
ASLR, isolation boundaries, and principles of least privilege
into their designs
• From a compliance perspective, certifications might help
guide consumers to more secure choices as well as pressure
manufacturers to produce more secure products
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf
ASLR = Address Space Layout Randomization
Telnet
A network protocol
that allows a user on
one computer to log
onto another
computer over the
network; credentials
and the session travel
in cleartext
IoT Challenges: NISTIR
• Many IoT devices interact with the physical
world in ways conventional IT devices usually
do not
• Many IoT devices cannot be accessed,
managed, or monitored in the same ways
conventional IT devices can
• The availability, efficiency, and effectiveness
of cybersecurity and privacy capabilities are
often different for IoT devices than
conventional IT devices
https://csrc.nist.gov/publications/detail/nistir/8228/draft
Graphic: https://online.stanford.edu/courses/xee100-introduction-internet-things
OWASP IoT Top 10 (2014)
• I1 Insecure Web Interface
• I2 Insufficient Authentication/Authorization
• I3 Insecure Network Services
• I4 Lack of Transport Encryption
• I5 Privacy Concerns
• I6 Insecure Cloud Interface
• I7 Insecure Mobile Interface
• I8 Insufficient Security Configurability
• I9 Insecure Software/Firmware
• I10 Poor Physical Security
https://www.owasp.org/index.php/Top_10_IoT_Vulnerabilities_(2014)
How to Detect and Defend against Botnet Attacks?
Ideal World
• Detect new device on network
• Automatically apply device policy
• Monitor device
• Detect abnormal activity
• Alert on abnormal activity
• Disable infected devices
• End-of-Life, decommission
https://www.electronicspecifier.com/blog/iot-device-management-scorecard-profiles-wind-river-helix-device-cloud
DDoS Defenses
Ideal World
• Outgoing
o Throttle traffic
o Block outbound
DDoS
o Isolate botnets
• Incoming
o Stop incoming DDoS
o Throttle traffic
o Prevent infection
Brickers
• Detect botnet attack, brick devices
• BrickerBot
o IP Cameras, DVRs
• Use as a mitigating countermeasure?
o Hajime
o Blocks ports Mirai is known to attack
(23, 7547, 5555, 5358)
o But after reboot, does not persist
Source: Electronic Design, Ralph Nguyen, August 8, 2017
Mitigate IoT Botnet Attacks
https://www.upwork.com/hiring/data/dont-get-entangled-botnet/
https://www.quest-global.com/wp-content/uploads/2015/08/UPnP-in_Digital_Home_Networking.pdf
• Credentials and login
o Change default passwords
o Enforce login rate limiting to prevent brute force attacks
o Use captcha or proof of work
o Future: Eliminate default credentials
• Authentication
• Device Identification
• Encryption
• Chains of Trust
• Turn Off Universal Plug-and-Play (UPnP)
• Firewalls
• Put IoT devices on a separate network
• Keep Firmware Up-to-Date
o Over the Air (OTA)
o Automatic, Make Auto Patch Mandatory
• Use Secure Devices
• End-of-Life, Decommission old IoT devices
o How to get rid of them?
UPnP is meant to make it easier to connect and set
up devices by allowing them to discover one
another over a local network
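The "enforce login rate limiting" item above is the one a device vendor can ship immediately. The throttle below is an added example, not code from the presentation or from any product: it counts failures per source address and per account, locks the key out with an exponential back-off once a threshold is reached, and clears state on a successful login. The thresholds and the attempt log are assumptions for the example.

```python
"""Per-source and per-account login throttling for a device login path.

Added example, not code from the presentation.  Mirai's dictionary attack
makes dozens of guesses against one target in seconds; counting failures
per source address and per account blunts both a single bot and guesses
spread across many bots.  Limits and the attempt log are assumptions.
"""
import time
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, max_failures=5, window=60.0,
                 base_lockout=30.0, max_lockout=3600.0):
        self.max_failures = max_failures
        self.window = window
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self._failures = defaultdict(deque)  # key -> recent failure timestamps
        self._locked_until = {}              # key -> (until, lockouts so far)

    @staticmethod
    def _keys(src, user):
        return (("src", src), ("user", user.lower()))

    def allowed(self, src, user, now=None):
        """False while either the source or the account is locked out."""
        now = time.time() if now is None else now
        for k in self._keys(src, user):
            until, _ = self._locked_until.get(k, (0.0, 0))
            if now < until:
                return False
        return True

    def record(self, src, user, success, now=None):
        """Update counters after a password check; lock out on repeated failure."""
        now = time.time() if now is None else now
        for k in self._keys(src, user):
            if success:
                self._failures.pop(k, None)
                self._locked_until.pop(k, None)
                continue
            q = self._failures[k]
            q.append(now)
            while q and now - q[0] > self.window:  # keep only the sliding window
                q.popleft()
            if len(q) >= self.max_failures:
                _, n = self._locked_until.get(k, (0.0, 0))
                lock = min(self.base_lockout * (2 ** n), self.max_lockout)
                self._locked_until[k] = (now + lock, n + 1)  # exponential back-off
                q.clear()


def replay(attempts, throttle=None):
    """Feed (t, src, user, password_ok) tuples through the throttle and
    return how many attempts it rejected without checking a password."""
    throttle = throttle or LoginThrottle()
    rejected = 0
    for t, src, user, ok in attempts:
        if not throttle.allowed(src, user, now=t):
            rejected += 1
            continue
        throttle.record(src, user, ok, now=t)
    return rejected


# Constructed log: one bot guessing "admin" once per second, then the real
# administrator logging in from another address while the account is locked.
SAMPLE = [(float(i), "203.0.113.7", "admin", False) for i in range(12)] + \
         [(13.0, "198.51.100.9", "admin", True)]

if __name__ == "__main__":
    print("rejected by throttle:", replay(SAMPLE))
```

The per-account lock is deliberately short: it is also a denial-of-service lever against the legitimate user, which is why the back-off starts at 30 seconds rather than minutes. On a device with a single fixed account the per-source lock does most of the work; the per-account lock matters once a botnet spreads its guesses over many sources.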
Mitigate IoT Botnet Attacks Using AI
https://www.iotsecurityfoundation.org/machine-learning-will-be-key-to-securing-iot-in-smart-homes/
• Network-based solutions
• Device-based solutions
o Machine learning can help bring
lightweight endpoint protection to
IoT devices
o Not signature-based
o Behavior-based
Mitigate IoT Botnet Attacks Using AI
https://hackernoon.com/prevent-iot-botnet-attacks-using-ai-with-code-3817fb3fcf7e
Attribute Information
• H: Stats summarizing the recent traffic from this
packet’s host (IP)
• HH: Stats summarizing the recent traffic going
from this packet’s host (IP) to the packet’s
destination host.
• HpHp: Stats summarizing the recent traffic
going from this packet’s host+port (IP) to the
packet’s destination host+port. Example
192.168.4.2:1242 -> 192.168.4.12:80
• HH_jit: Stats summarizing the jitter of the traffic
going from this packet’s host (IP) to the packet’s
destination host
Uses Linear Regression
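The H, HH and HpHp attributes are streaming statistics: for every packet, the model is given the mean and standard deviation of recent traffic keyed by source host, by source-destination pair and by socket pair. The extractor below is an added example, not code from the presentation or from the cited article; it keeps a damped window (decayed count, sum and sum of squares) per key in the style of the N-BaIoT / Kitsune feature extractors, so recent packets weigh more than old ones without storing any packet. The decay constant and the packet trace are assumptions.

```python
"""Streaming per-host traffic statistics of the H / HH / HpHp kind.

Added example, not code from the presentation or from the cited article.
Every aggregation key keeps a damped window: a packet count, a sum of sizes
and a sum of squared sizes, all decayed by 2**(-lam * elapsed) before each
update.  Mean and standard deviation are then derived from those three
numbers.  The decay constant and the trace below are assumptions.
"""
import math
from dataclasses import dataclass


@dataclass
class DampedStats:
    lam: float          # decay rate; weight halves every 1/lam seconds
    w: float = 0.0      # decayed packet count
    ls: float = 0.0     # decayed sum of packet sizes
    ss: float = 0.0     # decayed sum of squared sizes
    last_t: float = 0.0

    def update(self, t, size):
        if self.w > 0:
            d = 2 ** (-self.lam * (t - self.last_t))
            self.w, self.ls, self.ss = self.w * d, self.ls * d, self.ss * d
        self.w += 1
        self.ls += size
        self.ss += size * size
        self.last_t = t

    def mean(self):
        return self.ls / self.w if self.w else 0.0

    def std(self):
        if not self.w:
            return 0.0
        var = self.ss / self.w - self.mean() ** 2
        return math.sqrt(max(var, 0.0))  # clamp rounding noise below zero


class FeatureExtractor:
    """Per packet: H (source host), HH (src->dst) and HpHp (src:port->dst:port)."""

    def __init__(self, lam=0.1):
        self.lam = lam
        self.tables = {"H": {}, "HH": {}, "HpHp": {}}

    def _stat(self, table, key):
        return self.tables[table].setdefault(key, DampedStats(self.lam))

    def process(self, t, src, sport, dst, dport, size):
        keys = {"H": src, "HH": (src, dst), "HpHp": (src, sport, dst, dport)}
        feats = {}
        for name, key in keys.items():
            s = self._stat(name, key)
            s.update(t, size)
            feats[f"{name}_weight"] = s.w
            feats[f"{name}_mean"] = s.mean()
            feats[f"{name}_std"] = s.std()
        return feats


def extract(trace, lam=0.1):
    """Return one feature dict per packet of a (t, src, sport, dst, dport, size) trace."""
    fx = FeatureExtractor(lam)
    return [fx.process(*pkt) for pkt in trace]


# Constructed trace: a camera streaming steady 1 KB frames, then a second
# host sending small packets from two source ports in quick succession.
TRACE = [
    (0.0, "192.168.4.2", 1242, "192.168.4.12", 80, 1024),
    (1.0, "192.168.4.2", 1242, "192.168.4.12", 80, 1024),
    (2.0, "192.168.4.2", 1242, "192.168.4.12", 80, 1024),
    (2.0, "192.168.4.3", 5000, "192.168.4.12", 23, 60),
    (2.1, "192.168.4.3", 5001, "192.168.4.12", 23, 60),
]

if __name__ == "__main__":
    for pkt, f in zip(TRACE, extract(TRACE)):
        print(pkt[1], {k: round(v, 3) for k, v in f.items() if k.startswith("H_")})
```

Several decay constants are normally run side by side (fast windows catch a scan burst, slow ones catch a steady exfiltration stream), and the jitter features are the same statistics applied to inter-arrival times instead of sizes. The feature extractor is the part that must be cheap enough for the device; the classifier behind it can be as simple as a threshold on the standard deviation.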
Mitigate IoT Botnet Attacks: Domain Specificity
https://www.iotsecurityfoundation.org/machine-learning-will-be-key-to-securing-iot-in-smart-homes/
• Domain-specific
• Industrial Control Systems
(ICS)
• Smart Buildings
o Includes intelligent buildings
equipment and controls
o Audio visual (AV)
o Fire
o HVAC
o Lighting
o Building security.
September, October 2018
Updates
NISTIR, California Legislation
NIST Interagency/Internal Report (NISTIR)
https://csrc.nist.gov/publications/detail/nistir/8228/draft
NISTIR Draft,
Considerations for
Managing Internet of
Things (IoT) Cybersecurity
and Privacy Risks
• Date Published: September
2018
• Comments Due: October
24, 2018
NISTIR
https://csrc.nist.gov/publications/detail/nistir/8228/draft
Each IoT device
provides one or more
capabilities—features
or functions—it can
use on its own or in
conjunction with other
IoT and non-IoT
devices to achieve one
or more goals
NISTIR
https://csrc.nist.gov/publications/detail/nistir/8228/draft
Recommendations for
Addressing
Cybersecurity and
Privacy Risk Mitigation
Challenges for IoT
Devices
1. Understand the IoT device risk
2. Adjust organizational policies and processes
3. Implement updated mitigation practices for the
organization’s IoT devices
• May need to determine how to manage risk for hundreds or thousands of
IoT device types
• Capabilities vary widely from one IoT device type to another, with one type
lacking data storage and centralized management capabilities, and another
type having numerous sensors and actuators, using local and remote data
storage and processing capabilities, and being connected to several
internal and external networks at once
• The variability in capabilities causes similar variability in the cybersecurity
and privacy risks involving each IoT device type, as well as the options for
mitigating those risks
California IoT Security Law
• Senate Bill No. 327, Chapter 886
• Filed September 28, 2018
• Goes into effect January 1, 2020
https://www.lexology.com/library/detail.aspx?g=8d4b1869-296d-4eaa-89b9-b4efb15adfcd
Requires manufacturers of any “connected device” to
implement “reasonable” security features
• “Connected device” is any device, or other physical object,
that is capable of connecting to the Internet, directly or
indirectly, and that is assigned an Internet Protocol address
or Bluetooth address
https://www.lexology.com/library/detail.aspx?g=8d4b1869-296d-4eaa-89b9-b4efb15adfcd
California IoT Security Law
“Reasonable” security features for IoT devices are ones
that are:
• Appropriate to the nature and function of the device;
• Appropriate to the information it may collect, contain, or
transmit; and
• Designed to protect the device and any information contained
therein from unauthorized access, destruction, use, modification,
or disclosure
Including:
• A preprogrammed unique password assigned by the
manufacturer, or
• Requiring that the user establish a new password prior to
first use
https://www.lexology.com/library/detail.aspx?g=8d4b1869-296d-4eaa-89b9-b4efb15adfcd
California IoT Security Law: No More Admin/Admin
60 username/password pairs hardcoded into Mirai source code:
https://www.grahamcluley.com/mirai-botnet-password/
https://www.securetechalliance.org/iot-security-mitigating-security-risks-in-secure-connected-environments-webinar/
IoT Security: Mitigating Security Risks in Secure
Connected Environments (Webinar, October 11, 2018)
The Future
Security by Design
https://www.arm.com/products/iot/pelion-iot-platform
ARM Pelion
• Device management
• Data management
• Connectivity management
@Safe_SaaS
Questions?
www.slideshare.net/eralcnoslen/presentations
Clare_Nelson @ ClearMark . biz
Backup Slides
Usenix (August 2017)
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf
References
• Fruhlinger, Josh. The Mirai botnet explained: How teen scammers and CCTV cameras almost brought down the internet, https://www.csoonline.com/article/3258748/security/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html (March 9, 2018).
• Graff, Garrett M. How a Dorm Room Minecraft Scam Brought Down the Internet, https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/ (December 13, 2017).
• Herzberg, Dan; Bekerman, Dima; Zeifman, Igal. Breaking Down Mirai: An IoT DDoS Botnet Analysis, https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html (October 26, 2016).
• Krebs, Brian. Alleged ‘Satori’ IoT Botnet Operator Sought Media Spotlight, Got Indicted, https://krebsonsecurity.com/tag/ddos-for-hire/ (September 2, 2018).
• Winward, Bob. Defending Against the Mirai Botnet, https://blog.radware.com/security/2018/09/defending-against-the-mirai-botnet/ (September 12, 2018).
Mirai successfully compromised a segment
that is severely lacking in security best
practices, IoT devices.
While it’s the first malware known to
possess this capability, it will surely not be
the last.
https://www.youtube.com/watch?v=jMTwA6q6VKo
– Roger Barranco, CISSP, NSA, CDCP
Senior Director, Global Security Operations,
Akamai Technologies
Defend Against the Mirai IoT Botnet
https://www.radware.com/iot-attack-ebook-lpc-64317
Defend Against the Mirai IoT Botnet
https://blog.radware.com/security/2018/09/defending-against-the-mirai-botnet/
Attack Vectors (Protocol)
• DNS (UDP)
• VSE (UDP)
• STOMP (TCP)
• GREETH (GRE)
• GREIP (GRE)
• SYN (TCP)
• ACK (TCP)
• UDP (UDP)
• UDPPLAIN (UDP)
• HTTP (TCP, HTTP)
• STD (UDP)
• XMAS (TCP)
VSE = Valve Source Engine; the VSE attack is specially crafted for servers that
run certain games from the developer Valve Corporation
How to Detect and Defend against Botnet Attacks?
• Group IoT Traffic
o Source or Destination IP address, Domains APN
o IMEI
o VLAN
• Type of protocols and applications permitted for communication
• Time of day, day of week for when communication allowed
• Number of new connections, amount of bandwidth allowed

HackFormers Talk: Beware Wolves in Sheep's ClothingHackFormers Talk: Beware Wolves in Sheep's Clothing
HackFormers Talk: Beware Wolves in Sheep's ClothingClare Nelson, CISSP, CIPP-E
 

Plus de Clare Nelson, CISSP, CIPP-E (18)

Texas Bitcoin Conference: Are Privacy Coins Private Enough?
Texas Bitcoin Conference: Are Privacy Coins Private Enough?Texas Bitcoin Conference: Are Privacy Coins Private Enough?
Texas Bitcoin Conference: Are Privacy Coins Private Enough?
 
Zero-Knowledge Proofs in Light of Digital Identity
Zero-Knowledge Proofs in Light of Digital IdentityZero-Knowledge Proofs in Light of Digital Identity
Zero-Knowledge Proofs in Light of Digital Identity
 
Zero-Knowledge Proofs: Identity Proofing and Authentication
Zero-Knowledge Proofs: Identity Proofing and AuthenticationZero-Knowledge Proofs: Identity Proofing and Authentication
Zero-Knowledge Proofs: Identity Proofing and Authentication
 
ISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/E
ISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/EISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/E
ISSA Austin Speaker of the Year Award for Clare Nelson, CISSP, CIPP/E
 
Attack Vectors in Biometric Recognition Systems
Attack Vectors in Biometric Recognition SystemsAttack Vectors in Biometric Recognition Systems
Attack Vectors in Biometric Recognition Systems
 
Biometrics and Multi-Factor Authentication, The Unleashed Dragon
Biometrics and Multi-Factor Authentication, The Unleashed DragonBiometrics and Multi-Factor Authentication, The Unleashed Dragon
Biometrics and Multi-Factor Authentication, The Unleashed Dragon
 
Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledg...
Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledg...Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledg...
Privacy-Preserving Authentication, Another Reason to Care about Zero-Knowledg...
 
#BiometAuth Podcast
#BiometAuth Podcast#BiometAuth Podcast
#BiometAuth Podcast
 
What Every CISO, Product Strategist, or Consumer Needs to Know About Biometri...
What Every CISO, Product Strategist, or Consumer Needs to Know About Biometri...What Every CISO, Product Strategist, or Consumer Needs to Know About Biometri...
What Every CISO, Product Strategist, or Consumer Needs to Know About Biometri...
 
Biometric Recognition for Authentication, BSides Austin, May 2017
Biometric Recognition for Authentication, BSides Austin, May 2017Biometric Recognition for Authentication, BSides Austin, May 2017
Biometric Recognition for Authentication, BSides Austin, May 2017
 
Biometric Authentication, Dragon Unleashed, V1.5
Biometric Authentication, Dragon Unleashed, V1.5Biometric Authentication, Dragon Unleashed, V1.5
Biometric Authentication, Dragon Unleashed, V1.5
 
FTC Start with Security: Panel
FTC Start with Security: PanelFTC Start with Security: Panel
FTC Start with Security: Panel
 
Multi factor authentication issa0415-x9
Multi factor authentication issa0415-x9Multi factor authentication issa0415-x9
Multi factor authentication issa0415-x9
 
LASCON 2015
LASCON 2015LASCON 2015
LASCON 2015
 
OWASP AppSec USA 2015, San Francisco
OWASP AppSec USA 2015, San FranciscoOWASP AppSec USA 2015, San Francisco
OWASP AppSec USA 2015, San Francisco
 
Financial services 20150503
Financial services 20150503Financial services 20150503
Financial services 20150503
 
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
 
HackFormers Talk: Beware Wolves in Sheep's Clothing
HackFormers Talk: Beware Wolves in Sheep's ClothingHackFormers Talk: Beware Wolves in Sheep's Clothing
HackFormers Talk: Beware Wolves in Sheep's Clothing
 

Dernier

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 

Dernier (20)

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 

IoT Security: Detecting and Defending against Botnet Attacks

9. Mirai Targets
IP cameras, DVRs, home routers
Unsophisticated dictionary attack
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf

10. Mirai and the Minecraft Connection
• Mirai attacked Minecraft servers
o Minecraft servers are lucrative
o Gain Minecraft advantage
• Targeted OVH and Minecraft DDoS mitigation tools (VAC)
• Not nation-state attackers
o 21-year-old Rutgers college student
o 2 friends
• 200,000-300,000 infections
• Peak 600,000 devices
• Used a variety of traffic
“Targeted an entire range of IP addresses—not just one particular server or website—enabling it to crush a company’s entire network”
https://www.cbronline.com/news/mirai-botnet
https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/
Graphic: https://minecraft.net/en-us/

11. Mirai Operation
• Mirai bots scan the IPv4 address space for devices that run telnet or SSH
o Log in using a dictionary of hardcoded IoT credentials
• The bot sends the victim IP address and credentials to a report server, which asynchronously triggers a loader to infect the device
• Infected hosts scan for additional victims and accept DDoS commands from a C2 server
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf
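The first observable step of the operation above, from the defender's side, is an infected device on the local network suddenly contacting many different addresses on Telnet ports. The following is an added example (not code from the slides or from the papers they cite) that flags that behaviour in flow records of the form (timestamp, source IP, destination IP, destination port), such as a firewall or flow collector would export. The sample flows, the 60-second window and the threshold of 20 distinct destinations are constructed assumptions for illustration.

```python
"""Flag LAN hosts that scan like a Mirai bot: many distinct destinations on
Telnet ports inside a short window. Sample flows are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}            # ports Mirai-style scanners probe
WINDOW = timedelta(seconds=60)       # sliding window per source host (assumed)
DISTINCT_DST_THRESHOLD = 20          # assumed tuning; a camera never needs this


def detect_telnet_scanners(flows, window=WINDOW, threshold=DISTINCT_DST_THRESHOLD):
    """Return {src_ip: (first_alert_time, distinct_destinations_at_alert)}.

    Only Telnet-port flows count. A host is reported once, at the moment the
    number of distinct destinations it touched inside `window` reaches
    `threshold`. Flows are processed in timestamp order.
    """
    recent = defaultdict(list)       # src_ip -> [(ts, dst_ip), ...] inside window
    alerts = {}
    for ts, src, dst, dport in sorted(flows, key=lambda f: f[0]):
        if dport not in TELNET_PORTS:
            continue
        bucket = recent[src]
        bucket.append((ts, dst))
        cutoff = ts - window
        while bucket and bucket[0][0] < cutoff:   # evict expired entries
            bucket.pop(0)
        distinct = {d for _, d in bucket}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (ts, len(distinct))
    return alerts


BASE = datetime(2018, 10, 12, 9, 0, 0)


def build_sample_flows():
    """Constructed sample: one infected camera, one ordinary workstation."""
    flows = []
    # 192.168.1.50 (camera) probes 25 different hosts on TCP/23, one per second
    for i in range(25):
        flows.append((BASE + timedelta(seconds=i), "192.168.1.50",
                      f"203.0.113.{i + 1}", 23))
    # 192.168.1.10 (workstation): normal HTTPS plus one admin Telnet session
    flows.append((BASE + timedelta(seconds=3), "192.168.1.10", "198.51.100.7", 443))
    flows.append((BASE + timedelta(seconds=5), "192.168.1.10", "192.168.1.1", 23))
    flows.append((BASE + timedelta(seconds=8), "192.168.1.10", "198.51.100.9", 443))
    return flows


if __name__ == "__main__":
    for src, (when, count) in detect_telnet_scanners(build_sample_flows()).items():
        print(f"ALERT {when:%H:%M:%S} {src} reached {count} distinct Telnet destinations")
```

The workstation's single Telnet session to the router never trips the rule, while the camera is reported as soon as its twentieth distinct destination appears; on a real network the alert would feed the "alert on abnormal activity" and "disable infected devices" steps listed later in the deck.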
12. Mirai Attack
Brian Krebs: A great deal of DDoS activity on the Internet originates from so-called ‘booter/stresser’ services
• DDoS-for-hire services
• Allow unsophisticated users to launch high-impact attacks
• Competition for profits in the blatantly illegal DDoS-for-hire industry
https://www.incapsula.com/blog/how-to-identify-a-mirai-style-ddos-attack.htm
https://krebsonsecurity.com/tag/ddos-for-hire/

13. Command and Control Domains
Top clusters by C2 domain count
• Highly connected components
• Agile, long-lived infrastructures in use by botmasters
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf

15. Mirai Variants
• Brian Krebs reported Mirai precursors
o Bashlite, Gafgyt, Qbot (2014), Remaiten, Torlus
• Satori (also known as Masuta) and DaddysMirai include the original Mirai vectors but removed the HTTP attack
• Orion is an exact copy of the original Mirai attack table (and, just like Mirai, has abandoned the PROXY attack)
• Owari added two new vectors, STD and XMAS
https://www.zdnet.com/article/meet-torii-a-new-iot-botnet-far-more-sophisticated-than-mirai/
https://blog.radware.com/security/2018/09/defending-against-the-mirai-botnet/
https://krebsonsecurity.com/tag/ddos-for-hire/

16. Mirai Variants
Many attackers were fighting for Telnet access to IoT devices with traditional Mirai
• New variants were developed to find additional methods of exploitation and infection
• TR-064 exploits that were quickly added to the code (and used to infect the endpoints of service providers)
• 0-day exploit on Huawei routers in several botnets
• Reaper botnet, which includes 10 previously disclosed CVEs
CVE = Common Vulnerabilities and Exposures
TR-064:
• TR-064 is defined by the DSL Forum as part of its Broadband suite
• TR-064 describes a specific implementation to be used for DSL CPE LAN-side configuration
• The management application can be a software program or an installation CD from the CPE vendor
• It was developed by the DSL Forum based on UPnP Devices Structure 1.0
https://blog.radware.com/security/2018/09/defending-against-the-mirai-botnet/

17. New Mirai Botnet Breed Taps Aboriginal Linux to Spawn Across Devices
The new variant has been created using an open source project named Aboriginal Linux
• Botnet compatible with an array of architectures and devices
o IP cameras
o Routers
o Speakers
o Android-based devices
• Found an ARM7 Mirai variant running on an Android device running Android 4.4, as well as a variant on Debian ARM
Aboriginal Linux is a shell script that builds the smallest, simplest Linux system capable of rebuilding itself from source code. Aboriginal’s “elegant cross-compilation framework” gave Mirai new teeth.
https://www.cbronline.com/news/mirai-botnet

18. Torii (September 27, 2018)
• Sophistication "a level above anything we have seen before”
• Rich set of features for exfiltration of (sensitive) information
• Ability to persist
• Modular architecture capable of fetching and executing other commands and executables
• Multiple layers of encrypted communication
• Can infect a wide range of devices
• Support for a wide range of target architectures, including MIPS, ARM, x86, x64, PowerPC, SuperH, MC68000, and others
Infection chain starts with a Telnet attack on the weak credentials of targeted devices
• Then execution of an initial shell script
Credit to @VessOnSecurity, who tweeted about a sample hitting his telnet honeypot last week
https://blog.avast.com/new-torii-botnet-threat-research

20. IoT Challenges
• Limited IoT visibility
• Limited IoT control
• Limited IoT security manufactured in
• Increased attack surface
• Wide range of devices
• Many are consumer-managed
• Many have no interface
• Technical and regulatory challenges
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf
https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=006157&lang=EN
Graphic: https://www.theinquirer.net/inquirer/news/3036359/half-a-billion-iot-devices-in-the-office-vulnerable-to-dns-attacks-warns-armis

21. IoT Challenges
HALF A BILLION Internet of Things (IoT) enterprise devices are susceptible to DNS "rebinding attacks" that give remote attackers a way to get around firewalls and gain access to vulnerable devices on a local network
DNS rebinding is a technique that turns a victim’s browser into a proxy for attacking private networks
• Attackers can change the IP associated with a domain name after it has been used to load JavaScript
• Since the same-origin policy (SOP) is domain-based, the JavaScript will have access to the new IP
https://www.theinquirer.net/inquirer/news/3036359/half-a-billion-iot-devices-in-the-office-vulnerable-to-dns-attacks-warns-armis
https://www.tripwire.com/state-of-security/vert/practical-attacks-dns-rebinding/
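Both halves of the rebinding technique described above have a defensive counterpart: the LAN resolver can refuse to hand a public name an answer that points into private address space, and the device's own web interface can refuse requests whose Host header does not name the device (after a rebind the browser still sends the attacker's domain in Host). The following is an added example, not from the slides or the cited articles, implementing both checks; the local zone names, device names and addresses are constructed placeholders.

```python
"""Two defensive checks against DNS rebinding aimed at LAN IoT devices:
a resolver-side answer filter and a device-side Host header check."""
import ipaddress

# Ranges that an outside name should never resolve to for a LAN client.
REBIND_BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Zones whose names legitimately resolve to LAN addresses (assumed local config).
LOCAL_ZONES = ("lan", "home.arpa")


def is_rebind_address(address):
    """True if `address` falls in a range a public name must not resolve to."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in REBIND_BLOCKED_NETWORKS)


def _in_local_zone(qname, local_zones=LOCAL_ZONES):
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in local_zones)


def filter_dns_answers(qname, answers, local_zones=LOCAL_ZONES):
    """Resolver-side rebinding filter.

    Keeps every answer for names inside the local zones; for any other name,
    drops answers that point into private, loopback or link-local space
    (the same idea as a 'stop DNS rebind' option on a LAN resolver).
    """
    if _in_local_zone(qname, local_zones):
        return list(answers)
    return [a for a in answers if not is_rebind_address(a)]


def _strip_port(host):
    """Remove an optional :port from a Host header value."""
    if host.startswith("["):                     # bracketed IPv6 literal
        end = host.find("]")
        return host[1:end] if end != -1 else host
    if host.count(":") == 1:                     # name:port or IPv4:port
        return host.split(":", 1)[0]
    return host


def host_header_allowed(host_header, device_addresses, device_names=()):
    """Device-side check: accept a request only if Host names this device.

    After a rebind the browser still sends the attacker-controlled name in
    Host, so comparing it against the device's own names and addresses
    defeats the proxying even though the TCP connection reached the device.
    """
    if not host_header:
        return False
    host = _strip_port(host_header.strip().lower())
    allowed = {n.lower() for n in device_names}
    allowed |= {str(ipaddress.ip_address(a)) for a in device_addresses}
    try:
        host = str(ipaddress.ip_address(host))   # normalise IP literals
    except ValueError:
        pass                                     # a DNS name: compare as-is
    return host in allowed


if __name__ == "__main__":
    # Constructed scenario: attacker.example flips from a public IP to the camera's LAN IP
    print(filter_dns_answers("attacker.example", ["203.0.113.9", "192.168.1.20"]))
    print(host_header_allowed("attacker.example", ["192.168.1.20"], ["camera.lan"]))
```

The resolver filter is the cheaper control because it protects every device behind it, but it cannot help devices that use an outside resolver; the Host check is the one a manufacturer can ship in firmware, and it is the reason the slide's "limited IoT security manufactured in" matters here.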
22. IoT Challenges
• IoT security must evolve away from default-open ports to default-closed and adopt security hardening best practices
• Devices should consider default networking configurations that limit remote address access to those devices to local networks or specific providers
• Apart from network security, IoT developers need to apply ASLR, isolation boundaries, and principles of least privilege in their designs
• From a compliance perspective, certifications might help guide consumers to more secure choices as well as pressure manufacturers to produce more secure products
ASLR = Address Space Layout Randomization
Telnet = a network protocol that allows a user on one computer to log onto another computer that is part of the same network
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf

23. IoT Challenges: NISTIR
• Many IoT devices interact with the physical world in ways conventional IT devices usually do not
• Many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can
• The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than conventional IT devices
https://csrc.nist.gov/publications/detail/nistir/8228/draft
Graphic: https://online.stanford.edu/courses/xee100-introduction-internet-things

24. OWASP IoT Top 10 (2014)
• I1 Insecure Web Interface
• I2 Insufficient Authentication/Authorization
• I3 Insecure Network Services
• I4 Lack of Transport Encryption
• I5 Privacy Concerns
• I6 Insecure Cloud Interface
• I7 Insecure Mobile Interface
• I8 Insufficient Security Configurability
• I9 Insecure Software/Firmware
• I10 Poor Physical Security
https://www.owasp.org/index.php/Top_10_IoT_Vulnerabilities_(2014)

25. How to Detect and Defend against Botnet Attacks?
Ideal World
• Detect new device on network
• Automatically apply device policy
• Monitor device
• Detect abnormal activity
• Alert on abnormal activity
• Disable infected devices
• End-of-life, decommission
https://www.electronicspecifier.com/blog/iot-device-management-scorecard-profiles-wind-river-helix-device-cloud

26. DDoS Defenses
Ideal World
• Outgoing
o Throttle traffic
o Block outbound DDoS
o Isolate botnets
• Incoming
o Stop incoming DDoS
o Throttle traffic
o Prevent infection
Brickers
• Detect botnet attack, brick devices
• BrickerBot
o IP cameras, DVRs
• Use as a mitigating countermeasure?
o Hajime
o Blocks ports Mirai is known to attack (23, 7547, 555, 5358)
o But after reboot, does not persist
Source: Electronic Design, Ralph Nguyen, August 8, 2017

27. Mitigate IoT Botnet Attacks
• Credentials and login
o Change default passwords
o Enforce login rate limiting to prevent brute force attacks
o Use captcha or proof of work
o Future: eliminate default credentials
• Authentication
• Device identification
• Encryption
• Chains of trust
• Turn off Universal Plug-and-Play (UPnP)
• Firewalls
• Put IoT devices on a separate network
• Keep firmware up-to-date
o Over the Air (OTA)
o Automatic; make auto-patch mandatory
• Use secure devices
• End-of-life: decommission old IoT devices
o How to get rid of them?
UPnP is meant to make it easier to connect and set up devices by allowing them to discover one another over a local network
https://www.upwork.com/hiring/data/dont-get-entangled-botnet/
https://www.quest-global.com/wp-content/uploads/2015/08/UPnP-in_Digital_Home_Networking.pdf

28. Mitigate IoT Botnet Attacks Using AI
• Network-based solutions
• Device-based solutions
o Machine learning can help bring lightweight endpoint protection to IoT devices
o Not signature-based
o Behavior-based
https://www.iotsecurityfoundation.org/machine-learning-will-be-key-to-securing-iot-in-smart-homes/

29. Mitigate IoT Botnet Attacks Using AI
Attribute information
• H: Stats summarizing the recent traffic from this packet’s host (IP)
• HH: Stats summarizing the recent traffic going from this packet’s host (IP) to the packet’s destination host
• HpHp: Stats summarizing the recent traffic going from this packet’s host+port (IP) to the packet’s destination host+port. Example: 192.168.4.2:1242 -> 192.168.4.12:80
• HH_jit: Stats summarizing the jitter of the traffic going from this packet’s host (IP) to the packet’s destination host
Uses linear regression
https://hackernoon.com/prevent-iot-botnet-attacks-using-ai-with-code-3817fb3fcf7e
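The four attribute families on the slide are streaming statistics, so a detector has to compute them per packet without keeping history. The following is an added example (not the slide author's code, nor the Hackernoon article's) that derives H, HH, HpHp and HH_jit from one packet at a time using time-decayed weight, sum and sum of squares per stream, which gives a recent count, mean and standard deviation of packet sizes (and of inter-arrival times for the jitter stream). The decay constant `lam`, the sample packets and the key choices are assumptions for illustration; the regression/classification step the slide mentions is not included.

```python
"""Per-packet H / HH / HpHp / HH_jit traffic features computed with
time-decayed incremental statistics. Sample packets are constructed."""
import math
from collections import defaultdict


class DampedStats:
    """Weight, mean and std of a stream where old samples decay as 2^(-lam*dt)."""

    def __init__(self, lam):
        self.lam = lam
        self.w = 0.0          # decayed sample count
        self.ls = 0.0         # decayed linear sum
        self.ss = 0.0         # decayed sum of squares
        self.last_t = None

    def update(self, x, t):
        if self.last_t is not None and t > self.last_t:
            d = 2.0 ** (-self.lam * (t - self.last_t))
            self.w, self.ls, self.ss = self.w * d, self.ls * d, self.ss * d
        self.last_t = t if self.last_t is None else max(self.last_t, t)
        self.w += 1.0
        self.ls += x
        self.ss += x * x

    def stats(self):
        """(weight, mean, std); all zero before the first sample."""
        if self.w == 0.0:
            return (0.0, 0.0, 0.0)
        mean = self.ls / self.w
        var = max(self.ss / self.w - mean * mean, 0.0)
        return (self.w, mean, math.sqrt(var))


class TrafficFeatures:
    """Per-packet H / HH / HpHp / HH_jit features keyed as on the slide."""

    def __init__(self, lam=1.0):
        self.h = defaultdict(lambda: DampedStats(lam))       # source host
        self.hh = defaultdict(lambda: DampedStats(lam))      # source host -> destination host
        self.hphp = defaultdict(lambda: DampedStats(lam))    # source socket -> destination socket
        self.hh_jit = defaultdict(lambda: DampedStats(lam))  # inter-arrival time per host pair
        self._hh_last_t = {}

    def observe(self, t, src_ip, src_port, dst_ip, dst_port, size):
        """Update all four streams with one packet; return their current stats."""
        pair = (src_ip, dst_ip)
        sockets = (src_ip, src_port, dst_ip, dst_port)
        self.h[src_ip].update(size, t)
        self.hh[pair].update(size, t)
        self.hphp[sockets].update(size, t)
        if pair in self._hh_last_t:                       # jitter needs two packets
            self.hh_jit[pair].update(t - self._hh_last_t[pair], t)
        self._hh_last_t[pair] = t
        return {
            "H": self.h[src_ip].stats(),
            "HH": self.hh[pair].stats(),
            "HpHp": self.hphp[sockets].stats(),
            "HH_jit": self.hh_jit[pair].stats(),
        }


# Constructed packets: (t, src_ip, src_port, dst_ip, dst_port, size)
SAMPLE_PACKETS = [
    (0.0, "192.168.4.2", 1242, "192.168.4.12", 80, 60),
    (1.0, "192.168.4.2", 1242, "192.168.4.12", 80, 60),
    (3.0, "192.168.4.2", 1242, "192.168.4.12", 80, 120),
    (3.5, "192.168.4.2", 1243, "192.168.4.13", 23, 60),
]


def run_sample(lam=0.0):
    """Feed SAMPLE_PACKETS through the extractor; return the last feature row."""
    fx = TrafficFeatures(lam)
    row = None
    for pkt in SAMPLE_PACKETS:
        row = fx.observe(*pkt)
    return row


if __name__ == "__main__":
    for name, (w, mean, std) in run_sample().items():
        print(f"{name:7s} weight={w:.2f} mean={mean:.2f} std={std:.2f}")
```

With `lam=0` the statistics reduce to plain count, mean and standard deviation, which makes the numbers easy to check by hand; with a positive `lam` a scanning bot shows up as a source host H weight that keeps growing while each HH and HpHp stream stays at weight one, which is exactly the shape a classifier trained on these features keys on.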
30. Mitigate IoT Botnet Attacks: Domain Specificity
• Domain-specific
• Industrial Control Systems (ICS)
• Smart buildings
o Includes intelligent building equipment and controls
o Audio visual (AV)
o Fire
o HVAC
o Lighting
o Building security
https://www.iotsecurityfoundation.org/machine-learning-will-be-key-to-securing-iot-in-smart-homes/

31. September, October 2018 Updates
NISTIR, California Legislation

32. NIST Interagency/Internal Report (NISTIR)
NISTIR Draft, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks
• Date published: September 2018
• Comments due: October 24, 2018
https://csrc.nist.gov/publications/detail/nistir/8228/draft

33. NISTIR
Each IoT device provides one or more capabilities—features or functions—it can use on its own or in conjunction with other IoT and non-IoT devices to achieve one or more goals
https://csrc.nist.gov/publications/detail/nistir/8228/draft

34. NISTIR
Recommendations for Addressing Cybersecurity and Privacy Risk Mitigation Challenges for IoT Devices
1. Understand the IoT device risk
2. Adjust organizational policies and processes
3. Implement updated mitigation practices for the organization’s IoT devices
• May need to determine how to manage risk for hundreds or thousands of IoT device types
• Capabilities vary widely from one IoT device type to another, with one type lacking data storage and centralized management capabilities, and another type having numerous sensors and actuators, using local and remote data storage and processing capabilities, and being connected to several internal and external networks at once
• The variability in capabilities causes similar variability in the cybersecurity and privacy risks involving each IoT device type, as well as the options for mitigating those risks
https://csrc.nist.gov/publications/detail/nistir/8228/draft

35. California IoT Security Law
• Senate Bill No. 327
• Chapter 886
Filed September 28, 2018
Goes into effect January 1, 2020
https://www.lexology.com/library/detail.aspx?g=8d4b1869-296d-4eaa-89b9-b4efb15adfcd

36. California IoT Security Law
Requires manufacturers of any “connected device” to implement “reasonable” security features
• “Connected device” is any device, or other physical object, that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address
https://www.lexology.com/library/detail.aspx?g=8d4b1869-296d-4eaa-89b9-b4efb15adfcd

37. California IoT Security Law: No More Admin/Admin
“Reasonable” security features for IoT devices are ones that are:
• Appropriate to the nature and function of the device;
• Appropriate to the information it may collect, contain, or transmit; and
• Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure
Including:
• A preprogrammed unique password assigned by the manufacturer, or
• Requiring that the user establish a new password prior to first use
60 username/password pairs hardcoded into Mirai source code: https://www.grahamcluley.com/mirai-botnet-password/
https://www.lexology.com/library/detail.aspx?g=8d4b1869-296d-4eaa-89b9-b4efb15adfcd
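The credential controls from the mitigation slide (change default passwords, rate-limit logins, eliminate default credentials) and the California law's "establish a new password prior to first use" option come together in the device's login module. The following is an added example, not code from the slides or from any manufacturer, of such a module: the device has no usable password until the user sets one, a small constructed denylist of factory-default pairs (admin/admin from the slide title plus illustrative entries, not the Mirai list) is refused, and repeated failures trigger a lockout. The limits (5 failures in 60 seconds, 300-second lockout, 8-character minimum) and the injected clock are assumptions for illustration.

```python
"""Device-side login policy: no default credentials, password set before
first use, and rate limiting with lockout. Limits are assumed values."""
import hashlib
import hmac
import os
import time

# Constructed denylist of factory-default pairs (illustrative, not the Mirai list).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"),
                       ("admin", "1234"), ("user", "user")}
MAX_FAILURES = 5        # failed attempts tolerated inside FAILURE_WINDOW
FAILURE_WINDOW = 60.0   # seconds
LOCKOUT = 300.0         # seconds the account stays locked
MIN_LENGTH = 8
PBKDF2_ROUNDS = 100_000


class DeviceAuth:
    """Credential store for one administrative account on an IoT device."""

    def __init__(self):
        self.username = None
        self.salt = None
        self.pw_hash = None      # None until the user sets a password
        self.failures = []       # timestamps of recent failed attempts
        self.locked_until = 0.0

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    @staticmethod
    def password_policy_violation(username, password):
        """Return a reason string if the pair is unacceptable, else None."""
        if (username.lower(), password) in DEFAULT_CREDENTIALS:
            return "default credential"
        if len(password) < MIN_LENGTH:
            return "too short"
        if password.lower() == username.lower():
            return "equals username"
        return None

    def set_initial_password(self, username, password):
        """First-use setup; allowed exactly once and only for a policy-compliant password."""
        if self.pw_hash is not None:
            return False
        if self.password_policy_violation(username, password):
            return False
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password, self.salt)
        return True

    def login(self, username, password, now=None):
        """Return 'setup_required', 'locked', 'denied' or 'ok'."""
        now = time.time() if now is None else now
        if self.pw_hash is None:
            return "setup_required"       # no credentials exist yet, nothing to guess
        if now < self.locked_until:
            return "locked"
        self.failures = [t for t in self.failures if now - t < FAILURE_WINDOW]
        candidate = self._hash(password, self.salt)     # always hash: constant work per attempt
        if username == self.username and hmac.compare_digest(candidate, self.pw_hash):
            self.failures.clear()
            return "ok"
        self.failures.append(now)
        if len(self.failures) >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT
            self.failures.clear()
            return "locked"
        return "denied"


if __name__ == "__main__":
    dev = DeviceAuth()
    print(dev.login("admin", "admin"))                         # setup_required
    print(dev.set_initial_password("admin", "admin"))          # False: default pair
    print(dev.set_initial_password("admin", "correct horse battery"))
    print(dev.login("admin", "correct horse battery"))         # ok
```

The lockout makes a dictionary of a few dozen pairs take minutes rather than milliseconds per device, and the "setup_required" state means a freshly unboxed device exposes no password at all, which is what both the slide's "Future: eliminate default credentials" and the statute's second option describe.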
• 40. ARM Pelion
https://www.arm.com/products/iot/pelion-iot-platform
• Device management
• Data management
• Connectivity management
• 43. Usenix (August 2017)
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf
• 44. References
• Fruhlinger, Josh. The Mirai botnet explained: How teen scammers and CCTV cameras almost brought down the internet, https://www.csoonline.com/article/3258748/security/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html (March 9, 2018).
• Graff, Garrett M. How a Dorm Room Minecraft Scam Brought Down the Internet, https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/ (December 13, 2017).
• Herzberg, Dan; Bekerman, Dima; Zeifman, Igal. Breaking Down Mirai: An IoT DDoS Botnet Analysis, https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html (October 26, 2016).
• Krebs, Brian. Alleged ‘Satori‘ IoT Botnet Operator Sought Media Spotlight, Got Indicted, https://krebsonsecurity.com/tag/ddos-for-hire/ (September 2, 2018).
• Winward, Bob. Defending Against the Mirai Botnet, https://blog.radware.com/security/2018/09/defending-against-the-mirai-botnet/ (September 12, 2018).
• 45. “Mirai successfully compromised a segment that is severely lacking in security best practices, IoT devices. While it’s the first malware known to possess this capability, it will surely not be the last.”
– Roger Barranco, CISSP, NSA, CDCP, Senior Director, Global Security Operations, Akamai Technologies
https://www.youtube.com/watch?v=jMTwA6q6VKo
  • 46. Defend Against the Mirai IoT Botnet https://www.radware.com/iot-attack-ebook-lpc-64317
• 47. Defend Against the Mirai IoT Botnet
https://blog.radware.com/security/2018/09/defending-against-the-mirai-botnet/
Attack Vectors (Protocol)
• DNS (UDP)
• VSE (UDP)
• STOMP (TCP)
• GREETH (GRE)
• GREIP (GRE)
• SYN (TCP)
• ACK (TCP)
• UDP (UDP)
• UDPPLAIN (UDP)
• HTTP (TCP, HTTP)
• STD (UDP)
• XMAS (TCP)
The Valve Source Engine (VSE) attack is specially crafted for servers that run certain games from the developer Valve Corporation
• 48. How to Detect and Defend against Botnet Attacks?
• Group IoT traffic by:
o Source or destination IP address, domains
o APN
o IMEI
o VLAN
• Type of protocols and applications permitted for communication
• Time of day, day of week when communication is allowed
• Number of new connections, amount of bandwidth allowed
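The grouping-and-policy approach on this slide, combined with the attack-vector list from the Radware slide above, can be turned into a concrete check over flow records. The block below is an added example written for this page, not code from the slides, Radware or any product: flows are grouped per device (VLAN plus source IP), compared against a per-VLAN policy for permitted protocol/port pairs, allowed hours, new-connection count and byte volume, and any group that breaks policy is labelled with the vector family it most resembles. All flow records and the policy are constructed; the port numbers used to recognise VSE (27015) and STOMP (61613) are the services' well-known defaults and are an assumption of this example, not something the slides state.

```python
"""Policy-based detection of botnet-style traffic from IoT device groups.

Added illustration for the slide above: group flows by device, apply the
per-group policy (protocols, hours, new connections, bandwidth) and label
violations with the Mirai vector family they resemble. All data constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Flow:
    ts: datetime   # flow start time
    src: str       # device IP address
    vlan: int      # IoT segment the device sits in
    proto: str     # "tcp", "udp" or "gre"
    dport: int     # destination port (0 for GRE)
    flags: str     # TCP flags, e.g. "S", "A", "SA", "FPU"; "" for non-TCP
    pkts: int
    nbytes: int


# Constructed per-VLAN policy: what each IoT group may do per evaluation interval.
POLICY = {
    20: {  # IP cameras: TLS upload to the cloud plus DNS, daytime only
        "allowed": {("tcp", 443), ("udp", 53)},
        "hours": range(6, 23),
        "max_new_conn": 50,
        "max_bytes": 50_000_000,
    },
}


def classify_vector(proto, dport, flags):
    """Map a flow's shape onto the vector names from the Radware slide.
    VSE/STOMP ports (27015, 61613) are assumed defaults for this example."""
    if proto == "gre":
        return "GREIP/GREETH"
    if proto == "udp":
        if dport == 53:
            return "DNS"
        if dport == 27015:
            return "VSE"
        return "UDP/UDPPLAIN"
    if proto == "tcp":
        if flags == "S":
            return "SYN"
        if flags == "A":
            return "ACK"
        if set("FPU") <= set(flags):
            return "XMAS"
        if dport == 61613:
            return "STOMP"
        if dport == 80:
            return "HTTP"
        return "TCP"
    return "UNKNOWN"


def evaluate(flows, policy=POLICY):
    """Return {(vlan, src): [finding, ...]} for every device that breaks policy."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.vlan, f.src)].append(f)

    findings = {}
    for key, group in groups.items():
        rule = policy.get(key[0])
        if rule is None:
            findings[key] = ["no policy defined for VLAN"]
            continue
        notes = []
        disallowed = {(f.proto, f.dport) for f in group} - rule["allowed"]
        if disallowed:
            notes.append("protocol/port not permitted: "
                         + ", ".join(f"{p}/{d}" for p, d in sorted(disallowed)))
        off_hours = sum(1 for f in group if f.ts.hour not in rule["hours"])
        if off_hours:
            notes.append(f"{off_hours} flows outside allowed hours")
        # each UDP/GRE flow and each TCP flow carrying SYN counts as a new connection
        new_conn = sum(1 for f in group if f.proto != "tcp" or "S" in f.flags)
        if new_conn > rule["max_new_conn"]:
            notes.append(f"new connections {new_conn} > {rule['max_new_conn']}")
        total = sum(f.nbytes for f in group)
        if total > rule["max_bytes"]:
            notes.append(f"bytes {total} > {rule['max_bytes']}")
        if notes:
            suspect = [f for f in group if (f.proto, f.dport) not in rule["allowed"]] or group
            vec = Counter(classify_vector(f.proto, f.dport, f.flags) for f in suspect).most_common(1)[0][0]
            notes.append(f"dominant vector: {vec}")
            findings[key] = notes
    return findings


def sample_flows():
    """Constructed records: one well-behaved camera and two misbehaving ones."""
    day = datetime(2018, 10, 12, 10, 0)
    night = datetime(2018, 10, 12, 3, 0)
    flows = [Flow(day, "10.20.0.5", 20, "tcp", 443, "SA", 200, 150_000),
             Flow(day, "10.20.0.5", 20, "udp", 53, "", 2, 180)]
    # 400 SYN-only flows at 03:00 toward port 80: looks like a SYN flood
    flows += [Flow(night, "10.20.0.9", 20, "tcp", 80, "S", 1, 60) for _ in range(400)]
    # GRE traffic a camera has no reason to send, at high volume
    flows += [Flow(day, "10.20.0.12", 20, "gre", 0, "", 5000, 6_000_000) for _ in range(10)]
    return flows


if __name__ == "__main__":
    for device, notes in evaluate(sample_flows()).items():
        print(device, notes)
```

The dominant-vector label is computed over the flows that fall outside the allow-list first, so a device whose legitimate TLS traffic continues during a flood is still labelled by the flood, not by its normal traffic.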