Page 1
© 2015 NETORIAN LIMITED LIABILITY COMPANY. The information contained within this document is competition sensitive and proprietary in nature. The information herein shall not be disclosed, duplicated or used outside the Government for other than evaluation purposes. This document contains Netorian proprietary information exempt from disclosure under the Freedom of Information Act 5 USC 552 (FOIA).
Attack Surface Reduction
Page 2
What is Attack Surface?
• Attack surface: the exposure to malicious activity.
• Attack Surface Reduction: reducing the total reachable and exploitable vulnerabilities on a system, application or network.
Page 3
Attack Surface Examples
• Examples of attack surface in the real world include:
– Open ports on outward-facing web and other servers, and the code listening on those ports
– Services available on the inside of the firewall
– Code that processes incoming data: email, XML, office documents, industry-specific custom data exchange formats (EDI)
– Interfaces, SQL, web forms
– An employee with access to sensitive information who is socially engineered
Page 4
Why Attack Surface Reduction?
• Defending against the attack
• Defending against the vector
Page 5
Example: SQL Injection
• SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution.
• Common expression used for SQL injection detection: 'OR 1=1
• Any expression that evaluates to true will work, not just this one; a detection signature only matches the string it was written for.
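The contrast this slide draws, shown as an added Python example that is not part of the original deck: a signature check for the 'OR 1=1 string (defending against the attack) beside a login query built by string concatenation (the vulnerable surface) and the same query parameterised (removing the vector). The in-memory users table and its credentials are constructed for the example.

```python
"""Defending the attack vs. defending the vector, illustrated with SQL injection
against a constructed SQLite login table (example code, not from the deck)."""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two demo accounts in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct-horse"), ("bob", "battery-staple")])
    conn.commit()
    return conn


# "Defending against the attack": a signature for the classic payload on the slide.
SIGNATURE = re.compile(r"'\s*OR\s+1\s*=\s*1", re.IGNORECASE)


def signature_blocks(value: str) -> bool:
    """True when the input matches the 'OR 1=1 detection signature."""
    return bool(SIGNATURE.search(value))


def login_concat(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Vulnerable login: user input is concatenated into the SQL text, so the
    database parses it as part of the statement. Kept deliberately unsafe."""
    sql = (f"SELECT COUNT(*) FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Hardened login ("defending against the vector"): bound parameters are
    never parsed as SQL, whatever the input contains."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def compare(name: str, password: str) -> dict:
    """Run one credential pair through the signature and both login paths."""
    conn = build_db()
    return {
        "signature_blocks": signature_blocks(password),
        "concat_login": login_concat(conn, name, password),
        "param_login": login_param(conn, name, password),
    }


if __name__ == "__main__":
    for creds in [("alice", "correct-horse"), ("nobody", "' OR 1=1 --"), ("nobody", "' OR 2>1 --")]:
        print(creds, compare(*creds))
```

The second input is caught by the signature but still logs in through the concatenated query; the third is a different true expression, slips past the signature, and also logs in through the concatenated query. The parameterised query rejects both without any signature.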
Page 6
Tools and Techniques
Defending Against the Attack
• Intrusion Prevention System (IPS)
• Anti-virus
• Blacklist
• Patching
• Web Application Firewall (WAF)
Defending Against the Vector
• Least Privilege Configuration
• Disable Services
• Firewall
• Whitelist
• Code Changes
• Microsoft Enhanced Mitigation Experience Toolkit (EMET)
Page 7
Attack Surface Reduction and Memory Attacks
• Memory attacks are popular right now
• Memory attack: any attack where the attacker does not modify the hard disk in any way
• Because these attacks never touch disk, they are nearly impossible to detect or stop by "defending against the attack"
Page 8
Three Types of Attack Surface
• Network Attack Surface: the attack is delivered via a network
• Software Attack Surface: the attack is delivered against software, with a primary focus on web applications
• Human Attack Surface: the attack is delivered against a human, in such forms as social engineering, errors, trusted insider, death and disease
Page 9
Software Attack Surface
• We are spending more money to develop an increasing number of web applications that are often mission critical.
• At the same time, attackers are getting better at exploitation of web applications.
• Meanwhile, companies like Ameritrade and TJX have suffered massive data breaches leading to class action lawsuits and, potentially, another wave of government regulations.
Page 10
An Attack Surface Analysis of the Browser
Page 11
Review: Attack Surface Reduction Steps
1. Define the application or system
2. Research the attack methodologies
3. Create a refined list of attack vectors that are utilized by the above attack methodologies
4. Determine the optimal way to restrict or disable the available service vector
Page 12
Step 1: We Chose The Web Browser
• Receives instructions from the internet and executes them
– Instructions are uncontrolled by the defender
– Some instructions tell the browser to execute additional instructions from untrusted locations and sources
– Some instructions tell the browser to send TCP data to other network resources
– Instructions are encrypted, often not allowing a defender to see the transmission
• The attack surface is continually increasing
• It often updates in the background without notification
• It depends on plugins (3rd party untrusted code) for effective use
– The plugins are often more vulnerable than the original code
– Every variant of this software has numerous vulnerabilities
Page 13
A Browser/Operating System Comparison
The browser architecture is important to understand when discussing exploits. The browser architecture is very similar to the way an operating system works.
Page 14
Step 2: Attack Methodologies
Step 2a. Define Attack Categories
• Attacks Against Users
• Attacks Against the Browser
• Attacks Against Extensions
• Attacks Against Web Applications
• Attacks Against Plugins
• Attacks Against the Network
Page 15
Matrix: 25 Attacks, 3 Vectors

ActiveX
– Plugins: Attacking ActiveX Controls
– Web Application: Sending Cross-origin Requests, Enumerating Cross-origin Quirks, Preflight Requests, Implications, Cross-origin Web Application Detection, Discovering Intranet Device IP Addresses, Enumerating Internal Domain Names, Requesting Known Resources, Cross-origin Authentication Detection, Cross-site Request Forgery, Attacking Password Reset with XSRF, Using CSRF Tokens for Protection, Cross-origin Resource Detection, Cross-origin Web Application Vulnerability Detection
– Bypass Same Origin Policy

Java
– User: Signed Java Applet, Bypass Anonymization
– Plugins: Attacking Java
– Network: Ping Sweeping using Java, Getting Shells

JavaScript
– User: Change page content, Capture user input, Log where user clicks, Log mouse events, Log form events, Log keyboard shortcuts, Tabnabbing, Phishing, Fake Software Update, Bypass Anonymization, Hack Password Managers
– Browser: Bypassing Path Attribute Restrictions, Sidejacking Attacks, Attack Javascript, JavaScript Encryption, Java Heap, Abusing Schemes
– Extensions: Exploring Privileges, Attacking Extensions, Impersonating Extensions, Cross-context Scripting, Achieving OS Command Execution, Achieving OS Command Injection
– Plugins: Attacking Plugins, Bypassing Click to Play
– Network: Identifying the Hooked Browser's Internal IP, Identifying the Hooked Browser's Subnet, Ping Sweeping, Port Scanning, Bypassing Port Banning, Distributed Port Scanning, Fingerprinting Non-HTTP Services, Attacking Non-HTTP Services, NAT Pinning, Achieving Inter-protocol Communication, Achieving Inter-protocol Exploitation
Page 16
What Can I Do?
Page 17
Browser Choice
Page 18
Internet Explorer Browser Plugins for Security
Plugin – Description
• McAfee SiteAdvisor – IE add-on that lets you know whether a site is safe to surf, based on McAfee's research.
• Web of Trust – IE add-on that lets you know if sites are safe to search, based on user feedback.
• LastPass – Replaces the automated password manager. Encrypts your password and stores it in an online database, and replaces your multiple logins and passwords with a single master password.
• Realtime Cookie & Cache Cleaner – Removes stored cookies and clears your browser cache as you surf.
• Spywall Anti-Spyware – IE add-on that sandboxes the browser, keeping Internet Explorer from executing commands to the rest of the PC.
• AdBlock Pro – Stops the majority of web ads from appearing.
• XssFilter – Limits script execution.
Page 19
Sometimes Plugins are Hidden
Page 20
Disable Add-On (Java)
Page 21
Microsoft's Guide to Reducing the Attack Surface of a Web Server
https://technet.microsoft.com/en-us/library/cc785139(v=ws.10).aspx
Page 22
Web Application Protection
• https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
• https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
• https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet
• https://www.owasp.org/index.php/AJAX_Security_Cheat_Sheet
• https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
• https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
Page 23
Least Privilege
• The role of system administrator should be limited to as small a group as possible.
• Implement fine-grained access privileges when a specific task requires elevated privileges.
• Separate system administration from regular account requirements.
• Separate the system administrator and audit/logging functions.
• Never browse the web as an administrator.
Page 24
Enforcing Least Privilege (NSA Recommendations)
• Windows AppLocker: tie execution of an application to a particular user or group.
• Prevent Browser Internet Access: in the high-privileged account, set the browser proxy to 127.0.0.1 to prevent the browser from accessing the Internet with elevated privileges.
• Disable E-mail: do not enable e-mail for the high-privileged accounts.
https://www.nsa.gov/ia/_files/factsheets/Final_49635NonInternetsheet91.pdf
Page 25
Browser Attack Surface Reduction Techniques
• Disable firewall traversal
• Disable Network Prediction
• Disable sharing with cloud peripherals
• Disable Google Data Synchronization
• Block desktop notifications
• Disable pop-ups
• Disable 3D Graphic APIs
• Disable JavaScript in all available locations
• Disable Autocomplete on Forms
• Update browser and plugins regularly
• Block third party cookies
• Disable Session Only Cookies
• Disable background processing
• Enable Revocation Checks for Certificates
• Disable Search Suggestions
• Disable Metrics Reporting
• Set Home Page
• Disable Incognito Mode
• Disable cleartext passwords
• Disable password manager
• Disable Import of saved passwords
• Set highest HTTP Authentication Scheme
• Disable Outdated Plugins
• User permission to run plugins
• Disable automatic plugin search
• Disable automatic plugin installation
• Disable automatic plugin execution
• Blacklist/whitelist plugins and extensions
• Limit plugins to specific URL
• Use Encrypted Searching
• Enable Safe Browsing
• Disallow Location Tracking
• Save Browser History
• Set the Default search provider name
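An added example, not part of the original deck, that turns the list above into a repeatable check: it audits a Chromium managed-policy JSON file against hardened values for the settings the slide names and reports each policy that is missing or set to a weaker value. The policy names and their numeric meanings are assumed to be the Chromium enterprise policy names for the browser version in use and should be confirmed against that version's policy list; the sample policy file is constructed.

```python
"""Audit a Chromium managed-policy file against the browser attack surface
reduction list. Policy names and values are assumed Chromium enterprise
policy names; confirm them against the policy list for the deployed browser.
Example code, not from the deck."""
import json

# Expected hardened value for each policy the slide's list maps to (assumed names).
BASELINE = {
    "RemoteAccessHostFirewallTraversal": False,  # disable firewall traversal
    "NetworkPredictionOptions": 2,               # 2 = never predict network actions
    "SyncDisabled": True,                        # disable Google data synchronization
    "DefaultNotificationsSetting": 2,            # 2 = block desktop notifications
    "DefaultPopupsSetting": 2,                   # 2 = block pop-ups
    "Disable3DAPIs": True,                       # disable 3D graphics APIs
    "DefaultJavaScriptSetting": 2,               # 2 = block JavaScript by default
    "AutoFillEnabled": False,                    # disable autocomplete on forms
    "BlockThirdPartyCookies": True,
    "BackgroundModeEnabled": False,              # disable background processing
    "EnableOnlineRevocationChecks": True,        # revocation checks for certificates
    "SearchSuggestEnabled": False,
    "MetricsReportingEnabled": False,
    "IncognitoModeAvailability": 1,              # 1 = incognito mode disabled
    "PasswordManagerEnabled": False,
    "ImportSavedPasswords": False,
    "AllowOutdatedPlugins": False,
    "DisablePluginFinder": True,                 # disable automatic plugin search
    "SafeBrowsingEnabled": True,
    "DefaultGeolocationSetting": 2,              # 2 = disallow location tracking
    "SavingBrowserHistoryDisabled": False,       # keep history, as the slide asks
}

# Settings the slide wants configured, where any non-empty value is acceptable.
MUST_BE_SET = ("HomepageLocation", "DefaultSearchProviderName")


def audit_policy(policy: dict) -> list:
    """Return one finding per deviation: 'missing' when the policy is absent,
    'weak' when it is present with a value other than the baseline."""
    findings = []
    for name, expected in BASELINE.items():
        if name not in policy:
            findings.append({"policy": name, "status": "missing",
                             "expected": expected, "actual": None})
        elif policy[name] != expected:
            findings.append({"policy": name, "status": "weak",
                             "expected": expected, "actual": policy[name]})
    for name in MUST_BE_SET:
        if not policy.get(name):
            findings.append({"policy": name, "status": "missing",
                             "expected": "<non-empty>", "actual": policy.get(name)})
    return findings


def audit_policy_json(text: str) -> list:
    """Parse a managed-policy JSON document and audit it."""
    return audit_policy(json.loads(text))


# Constructed sample: a partially hardened policy file (not from any real deployment).
SAMPLE_POLICY = """{
  "SyncDisabled": true,
  "IncognitoModeAvailability": 0,
  "PasswordManagerEnabled": false,
  "BlockThirdPartyCookies": true,
  "MetricsReportingEnabled": false,
  "HomepageLocation": "https://intranet.example/"
}"""


if __name__ == "__main__":
    for f in audit_policy_json(SAMPLE_POLICY):
        print(f"{f['status']:8} {f['policy']}: expected {f['expected']!r}, got {f['actual']!r}")
```

Run against the constructed sample, the audit flags incognito mode as weak (enabled where the slide wants it disabled), reports the unset baseline policies and the missing default search provider name as missing, and leaves the home page alone because it is set.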
Page 26
EMET ASR
• Generic plugin blocker
• Works primarily with Internet Explorer
• Works with MS Office programs such as Word, Excel and PowerPoint.
• If a certain plugin is detected in a protected application, ASR will not allow the specified plugin to load in the protected application.
• In Internet Explorer the plugin can be blocked by security zone.
Page 27
Demonstration