mining threat intelligence from billion scale ssh brute
play

Mining Threat-intelligence from Billion- scale SSH Brute-Force - PowerPoint PPT Presentation

Nov 01, 2023 •266 likes •421 views

Mining Threat-intelligence from Billion- scale SSH Brute-Force Attacks Yuming Wu 1 , Phuong M. Cao 1 , Alexander Withers 2 , Zbigniew T. Kalbarczyk 1 , Ravishankar K. Iyer 1 1 University of Illinois at Urbana-Champaign (UIUC) 2 National

  1. Mining Threat-intelligence from Billion- scale SSH Brute-Force Attacks Yuming Wu 1 § , Phuong M. Cao 1 § , Alexander Withers 2 , Zbigniew T. Kalbarczyk 1 , Ravishankar K. Iyer 1 1 University of Illinois at Urbana-Champaign (UIUC) 2 National Center for Supercomputing Applications (NCSA) § Joint first authors

  2. Key Findings Implications • Over 70% are persistent attackers • Discerning global coordination efforts in SSH key exploitation and client version spoofing • Identification of 7 SSH keys related to outdated vulnerabilities • Alerting cloud providers and IoT vendors regarding stolen SSH keys • Globally distributed IPs massively spoofed over one million fake client • Deterring large-scale evasion techniques versions using anomaly detectors or rate limiters • Discovery of human-supervised • Preparing for resourceful and strategic versus fully automated botnets human-supervised attacks 2

  3. Analysis Workflow 3

  4. Exploitation, Coordination, and Evasion - Leaked SSH Keys • We identified 7 keys related to outdated vulnerabilities – indicating some devices still unpatched Attackers had adequate details (i.e., credentials) about relevant vulnerabilities that were related with these 7 keys, when plotting the targeted attacks 4

  5. Exploitation, Coordination, and Evasion - Leaked SSH Keys: Attack Origins • Attackers leveraged Google LLC (Google), Charter Communications, and Portlane to exploit the 7 identified leaked keys • Attackers from Google-registered IPs attempted all 7 keys with four other unknown keys on the same day Speculation: Attackers were rapidly switching ASes to evade detection, and possibly switching targets 5

  6. Exploitation, Coordination, and Evasion - Key-based Collaboration • An SSH key was exploited by 20 countries • The globally coordinated botnet exploited a single SSH key 90 times within only 4 days • The last key was persistently used one single country for 2,700 times spanning 5 months The globally coordinated bot wrapped up its fruitless attacks and shifted targets 50× faster than the persistent, single-country botnet 6

  7. Exploitation, Coordination, and Evasion - Client Version-based Collaboration and Evasion • More than 1.7 million new client versions 7000x 1.0000 were spoofed in August alone max previous months 0.9998 • Only several hundred globally- distributed IPs were spoofing 0.9996 cdf (e.g. SSH-2.0-OpenSSH_+qLfH) 0.9994 Aug • Yet 90% IPs used only 1 client version 0.9992 Sep Oct 0.9990 • The top-spoofing IP advertised 400,000 10 1 10 2 10 3 10 4 10 5 # Unique client versions per IP unique client versions during its 200- hour attack campaign A globally-coordinated botnets were involved in forging a million permutations of client versions at high frequencies Voids signature-based detectors 7

  8. Analysis Workflow 8

  9. Human-supervised Attack Techniques - Data-driven Methodology Purpose: identify evidence of human attackers • Time zone and duration selection 0.4 µ + 3 σ µ • Ratio: average weekday to weekend attempt pmf 0.2 computation for each IP 0.0 • Tail analysis of ratio distribution 10 0 10 1 10 2 0 ratio • All IPs in the tail present similar activity patterns; used the same group of credentials; came from 10 7 the same /8 subnet Attempts 10 5 10 3 • Periodic variations with decreasing activities 10 1 1 3 5 7 2 4 6 1 3 5 7 2 4 6 1 3 5 7 2 4 6 1 3 5 7 2 4 Day of week on weekends (especially Sundays) 9

  10. Human-supervised versus Fully Automated Bots Human-supervised botnet is more resourceful, ambitious, and strategic than full automated one 10

  11. Conclusions Future • Investigated a broad scope of • Landscape of unidentified, SSH attack strategies unknown SSH keys • Discovered large-scale, • Resourceful attackers with persistent, and evasion attacks relatively large number of legitimate client versions • Contributed a scientific data- driven approach to differentiate • Threat intelligence sharing between human-supervised across peer sites with and fully automated botnet preservation of privacy 11

  12. Thank you! 12

  13. Acknowledgements • SDAIA: https://wiki.ncsa.illinois.edu/display/cybersec/SDAIA • NSF Grant: CICI: Secure Data Architecture: Shared Intelligence Platform for Protecting our National Cyberinfrastructure. Award Number: 1547249 • NSF Grant: SI2-SSE: AttackTagger: Early Threat Detection for Scientific Cyberinfrastructure. Award Number: 1535070 • DEPEND group Symphony Cluster 13

  14. References • “Ssh bad keys,” 2017, https://github.com/rapid7/ssh-badkeys. • “Packet storm,” 2019, https://packetstormsecurity.com/. 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Distributed Sensor Data Contextualization at Scale for Threat Intelligence Analysis Jason Trost

Distributed Sensor Data Contextualization at Scale for Threat Intelligence Analysis Jason Trost

Distributed Sensor Data Contextualization at Scale for Threat Intelligence Analysis Jason Trost January 12, 2016 whoami Jason Trost VP of Threat Research @ ThreatStream Previously at Sandia, DoD, Booz Allen, Endgame Inc. Background

473 views • 28 slides
Threat Intelligence Jeremy Batterman Global Leader Threat Intelligence GREM, EnCE, GCFA, MBA 3

Threat Intelligence Jeremy Batterman Global Leader Threat Intelligence GREM, EnCE, GCFA, MBA 3

Threat Intelligence Jeremy Batterman Global Leader Threat Intelligence GREM, EnCE, GCFA, MBA 3 October 2018 What is Intelligence Convincing evidence Probable cause, beyond a reasonable doubt, or preponderance of

646 views • 25 slides
THE ANATOMY OF CYBER THREAT INTELLIGENCE (CTI) Noureen Njoroge OVERVIEW Define Cyber Threat

THE ANATOMY OF CYBER THREAT INTELLIGENCE (CTI) Noureen Njoroge OVERVIEW Define Cyber Threat

THE ANATOMY OF CYBER THREAT INTELLIGENCE (CTI) Noureen Njoroge OVERVIEW Define Cyber Threat Intelligence (CTI) Define Cyber Intelligence (CI) Understand the importance of CTI to an organization Components of Threat Sources of

197 views • 19 slides
FIVE DAYS IN THE LIFE OF A CMS BRUTE FORCING MALWARE Anna Shirokova Veronica Valeros Cognitive

FIVE DAYS IN THE LIFE OF A CMS BRUTE FORCING MALWARE Anna Shirokova Veronica Valeros Cognitive

FIVE DAYS IN THE LIFE OF A CMS BRUTE FORCING MALWARE Anna Shirokova Veronica Valeros Cognitive Threat Analytics Cognitive Threat Analytics @ AnnaBandicoot @ verovaleros WHO WE ARE? Anna Veronica Threat Researcher Threat Researcher

605 views • 42 slides
Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger

Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger

PUBLIC Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger Malware analysis Static RE with IDA pro Arme suisse EPFL 2019 2 Base daide au commandement BAC Applied Cyber Threat Intelligence

765 views • 63 slides
Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los Chief Security Evangelist HP Software Shane MacDougall Principal Tactical Intelligence Modern threat modeling is a defensive response to

783 views • 52 slides
MRO Security Advisory Council (SAC) Webinar One Companys Path to Establishing Threat

MRO Security Advisory Council (SAC) Webinar One Companys Path to Establishing Threat

MRO Security Advisory Council (SAC) Webinar One Companys Path to Establishing Threat Intelligence and Hunting Jamie Buening, Manager, Threat Intelligence and Hunting, MISO August 21, 2019 MRO SAC Update Technical Training and Social

478 views • 45 slides
Robotron: Top-down Network Management at Scale Yu-Wei Eric Sung , Xiaozheng Tie,

Robotron: Top-down Network Management at Scale Yu-Wei Eric Sung , Xiaozheng Tie,

Robotron: Top-down Network Management at Scale Yu-Wei Eric Sung , Xiaozheng Tie, Starsky H.Y. Wong, Hongyi Zeng ACM SIGCOMM 2016 August 25, 2016 Scale of Facebook Community 500 Million 1 Billion 1 Billion 1.7 Billion on

959 views • 51 slides
The New Security Frontier: Threat Hunting, Augmented Intelligence, and Automated Response

The New Security Frontier: Threat Hunting, Augmented Intelligence, and Automated Response

The New Security Frontier: Threat Hunting, Augmented Intelligence, and Automated Response Michael Melore, CISSP IBM Cyber Security Advisor @MichaelMelore June 2018 May 2018 May 2018 Threat Hunting Workflow Cognitive Advanced Analytics

443 views • 15 slides
The Purge Threat : Scien*sts thoughts on peta-scale

The Purge Threat : Scien*sts thoughts on peta-scale

The Purge Threat : Scien*sts thoughts on peta-scale usability Alexandra Holloway <fire@soe.ucsc.edu> Storage Systems Research Center + Assis*ve Technology

716 views • 32 slides
Introduction to Artificial Intelligence Introduction to Artificial Intelligence Data Mining with

Introduction to Artificial Intelligence Introduction to Artificial Intelligence Data Mining with

Introduction to Artificial Intelligence Introduction to Artificial Intelligence Data Mining with Clustering Algorithms Miosz Kadziski Institute of Computing Science Poznan University of Technology, Poland www.cs.put.poznan.pl/mkadzinski/iai

1.37k views • 41 slides
Bridging Security In Intelligence: Hacking, g, Threat Hunting, g, AI, I, Behavioral Anomalies,

Bridging Security In Intelligence: Hacking, g, Threat Hunting, g, AI, I, Behavioral Anomalies,

Bridging Security In Intelligence: Hacking, g, Threat Hunting, g, AI, I, Behavioral Anomalies, and In Incident Response Dangerous Toys USB Device Impersonators USB Killers Man in the Middle Faceplates Wireless Pineapples Payload Phone

727 views • 30 slides
Th The ABC BCs of of ICS Th Threat Act ctiv ivit ity y Grou oups Au August st 2 26, 2

Th The ABC BCs of of ICS Th Threat Act ctiv ivit ity y Grou oups Au August st 2 26, 2

Th The ABC BCs of of ICS Th Threat Act ctiv ivit ity y Grou oups Au August st 2 26, 2 2020 Sergio Caltagirone Dave Bittner VP Threat Intelligence Producer & Host Dragos The CyberWire Podcast Before we get started - The

874 views • 17 slides
Internet-scale Experimentation The challenges of large-scale networked system experimentation and

Internet-scale Experimentation The challenges of large-scale networked system experimentation and

Internet-scale Experimentation The challenges of large-scale networked system experimentation and measurements MIT Tech Review on The Loon Project The state of affairs An ever growing Internet ~3 billion people 15 billion devices

1.21k views • 107 slides
Joe Slowik, Threat Intelligence & Hunter Current: Dragos Adversary Hunter Previous:

Joe Slowik, Threat Intelligence & Hunter Current: Dragos Adversary Hunter Previous:

Joe Slowik, Threat Intelligence & Hunter Current: Dragos Adversary Hunter Previous: Los Alamos National Lab: IR Lead US Navy: Information Warfare Officer University of Chicago: Philosophy Drop-Out Network vs. Host

1.07k views • 71 slides
Large-scale Data Mining: MapReduce and beyond Part 1: Basics Spiros Papadimitriou, Google

Large-scale Data Mining: MapReduce and beyond Part 1: Basics Spiros Papadimitriou, Google

Large-scale Data Mining: MapReduce and beyond Part 1: Basics Spiros Papadimitriou, Google Jimeng Sun, IBM Research Rong Yan, Facebook Monday, August 23, 2010 Data everywhere 2 Monday, August 23, 2010 Data everywhere Flickr (3 billion

1.87k views • 142 slides
Exscale when will it happen? William Kramer National Center for Supercomputing Applications

Exscale when will it happen? William Kramer National Center for Supercomputing Applications

Exscale when will it happen? William Kramer National Center for Supercomputing Applications Sustained Petascale computing will enable advances in a broad range of science and engineering disciplines: Molecular Science Weather &

232 views • 6 slides
TeraGrid: National Cyberinfrastructure Charlie Catlett Director, TeraGrid www.teragrid.org

TeraGrid: National Cyberinfrastructure Charlie Catlett Director, TeraGrid www.teragrid.org

TeraGrid: National Cyberinfrastructure Charlie Catlett Director, TeraGrid www.teragrid.org Senior Fellow, Computation Institute The University of Chicago and Argonne National Laboratory November 2006 TeraGrid is supported by the National

460 views • 13 slides
Pacific Wave: Introduction and Update APAN 30, Hanoi, Vietnam What is Pacific Wave? It is a

Pacific Wave: Introduction and Update APAN 30, Hanoi, Vietnam What is Pacific Wave? It is a

Pacific Wave: Introduction and Update APAN 30, Hanoi, Vietnam What is Pacific Wave? It is a state of the art international peering exchange facility designed to serve research and education networks throughout the Pacific Rim and the

889 views • 20 slides
Large-Scale Astronomy data- management at NCSA 30 minutes) National Center for Supercomputing

Large-Scale Astronomy data- management at NCSA 30 minutes) National Center for Supercomputing

Large-Scale Astronomy data- management at NCSA 30 minutes) National Center for Supercomputing Applications University of Illinois at Urbana-Champaign NCSA/U of I Astronomy Currently in Production BIMA/CARMA millimeter radio array +

285 views • 12 slides
The -Grid: A National Infrastructure for Computer Systems Research Ian Foster Argonne

The -Grid: A National Infrastructure for Computer Systems Research Ian Foster Argonne

The -Grid: A National Infrastructure for Computer Systems Research Ian Foster Argonne National Laboratory The University of Chicago Randy Butler, Charlie Catlett National Center for Supercomputer Applications Overview Views on the

597 views • 21 slides
Communication for InfiniBand Clusters G.Santhanaraman, T. Gangadharappa, S.Narravula, A.Mamidala

Communication for InfiniBand Clusters G.Santhanaraman, T. Gangadharappa, S.Narravula, A.Mamidala

Design Alternatives for Implementing Fence Synchronization in MPI-2 One-Sided Communication for InfiniBand Clusters G.Santhanaraman, T. Gangadharappa, S.Narravula, A.Mamidala and D.K.Panda Presented by: Miao Luo National Center for

674 views • 29 slides
ARCHER Training Courses General Overview Reusing this material This work is licensed under a

ARCHER Training Courses General Overview Reusing this material This work is licensed under a

ARCHER Training Courses General Overview Reusing this material This work is licensed under a Creative Commons Attribution- NonCommercial-ShareAlike 4.0 International License. http://creativecommons.org/licenses/by-nc-sa/4.0/deed.en_US This

409 views • 19 slides
iRODS at KTH and SNIC - Status and Prospects Ilari Korhonen iRODS Users Group Meeting 2019, June

iRODS at KTH and SNIC - Status and Prospects Ilari Korhonen iRODS Users Group Meeting 2019, June

iRODS at KTH and SNIC - Status and Prospects Ilari Korhonen iRODS Users Group Meeting 2019, June 24th, Utrecht, Netherlands Distributed National Infrastructure KTH Royal Institute of Technology in Stockholm is one of Europes leading technical

437 views • 12 slides

More recommend