Tuesday, October 22, 2019

TLS vs MLS


  • Web Services Security at Transport Level and Message Level


Web Services currently revolve around three important protocols: SOAP, WSDL and UDDI.
There are two ways with which we can ensure security with Web Services:

    Transport level security, such as HTTP Basic/Digest and SSL, is the usual "first line of defence", as securing the transport mechanism itself makes Web services inherently secure. The trade-off is transport dependency (Web services are more tightly coupled to the network transport layer).

    Message level security, such as WS-Security, SAML, XML Digital Signatures, and XML Encryption, can be more effective and has the added flexibility that the message can be sent over any transport.

TRANSPORT LEVEL

    Uses SSL
    Point-to-Point: Protects the "pipe"
    Does not work with Intermediaries
    Ubiquitous


MESSAGE LEVEL

    Does not use SSL
    Data Chunks are protected
    Intended to work with Intermediaries
    Standards still under development

Transport Level Security
Transport level security is based on Secure Sockets Layer (SSL) or Transport Layer Security (TLS) that runs beneath HTTP. SSL and TLS provide security features including authentication, data protection, and cryptographic token support for secure HTTP connections. To run with HTTPS, the service endpoint address must be in the form https://. The integrity and confidentiality of transport data, including SOAP messages and HTTP basic authentication, is confirmed when you use SSL and TLS. Web services applications can also use Federal Information Processing Standard (FIPS) approved ciphers for more secure TLS connections.

Secure Sockets Layer (SSL) is a protocol developed by Netscape for transmitting private documents via the Internet. SSL is the industry-accepted standard protocol for secured, encrypted communications over TCP/IP. The SSL protocol provides transport layer security: authenticity, integrity, and confidentiality, for secure communication across the wire. SSL uses a cryptographic system with two keys to encrypt data: a public key known to everyone and a private or secret key known only to the recipient of the message.

Transport Layer Security (TLS) is a security protocol from the IETF that is based on the Secure Sockets Layer (SSL) 3.0 protocol developed by Netscape. TLS uses digital certificates to authenticate the user as well as authenticate the network (in a wireless network, the user could be logging on to a rogue access point). The TLS client uses the public key from the server to encrypt a random number and send it back to the server. The random number, combined with additional random numbers previously sent to each other, is used to generate a secret session key to encrypt the subsequent message exchange.

Message Level Security

Message level security is an application layer service and facilitates the protection of message data between applications. Message level security is typically most useful for:

    Solutions that are designed to use predominantly asynchronous queues.
    Solutions for which application level security is important; that is, solutions whose normal message paths include flows over multiple nodes, perhaps connected with different protocols. Message-level security manages trust at the application level, which means security in other layers becomes unnecessary.

For this reason, message-level security is also sometimes referred to as end-to-end security.

There are some standards available for securing Web Services at XML level. They are:

    XML Encryption
    XML Digital signature API
    XKMS (XML Key Management Specification)
    SAML (Security Assertion Markup Language)

SSL Limitations

    SSL is designed to provide point-to-point security, which falls short for Web services because we need end-to-end security, where multiple intermediary nodes could exist between the two endpoints. In a typical Web services environment where XML-based business documents route through multiple intermediary nodes, it proves difficult for those intermediary nodes to participate in security operations in an integrated fashion.

    SSL secures communication at transport level rather than at message level. As a result, messages are protected only while in transit on the wire. For example, sensitive data on your hard disk drive is not generally protected unless you apply a proprietary encryption technology.

SSL does not provide element-wise signing and encryption. For example, if you have a large purchase order XML document, yet you want to only sign or encrypt a credit card element, signing or encrypting only that element with SSL proves rather difficult. Again, that is due to the fact that SSL is a transport-level security scheme as opposed to a message-level scheme.

https://www.xyzws.com/scdjws/WSGEN/4
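To make the element-wise point above concrete, here is an added example (not code from this page or from the site linked above) that protects only the card-number element of a constructed purchase order, so that intermediary hops can still edit the rest of the document while the protected element is verifiable end to end. It uses HMAC-SHA256 from the Python standard library as a simplified stand-in for an XML Digital Signature; a real deployment would use XML-DSig with X.509 keys and a canonicalization method. The document layout, element names and the pre-shared key are assumptions made for the demonstration.

```python
"""Element-wise integrity protection of an XML purchase order.

Added example, not code from the original page or any cited source. It uses
HMAC-SHA256 from the standard library as a simplified stand-in for an XML
Digital Signature (a real deployment would use XML-DSig, X.509 keys and a
canonicalization method). The document layout, element names and the
pre-shared key are constructed for the demonstration.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed pre-shared key known only to the two endpoints (assumption).
END_TO_END_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed purchase order: only the card number needs protection.
PURCHASE_ORDER = """<PurchaseOrder>
  <Item sku="A-100" qty="2"/>
  <ShipTo>Depot 7</ShipTo>
  <CreditCard>4111-1111-1111-1111</CreditCard>
</PurchaseOrder>"""


def canonical_bytes(elem):
    """Deterministic serialisation of a leaf element (stand-in for C14N).

    Attributes are sorted and the tail whitespace is ignored, so that
    reformatting by an intermediary does not break the signature.
    """
    attrs = "".join(f' {k}="{v}"' for k, v in sorted(elem.attrib.items()))
    return f"<{elem.tag}{attrs}>{elem.text or ''}</{elem.tag}>".encode()


def sign_element(xml_text, tag, key=END_TO_END_KEY):
    """Append a <Signature ref=tag> covering only the named child element."""
    root = ET.fromstring(xml_text)
    target = root.find(tag)
    if target is None:
        raise ValueError(f"no <{tag}> element to sign")
    mac = hmac.new(key, canonical_bytes(target), hashlib.sha256).hexdigest()
    sig = ET.SubElement(root, "Signature", {"ref": tag})
    sig.text = mac
    return ET.tostring(root, encoding="unicode")


def verify_element(xml_text, key=END_TO_END_KEY):
    """True only if the referenced element is unchanged since it was signed."""
    root = ET.fromstring(xml_text)
    sig = root.find("Signature")
    if sig is None or sig.get("ref") is None:
        return False
    target = root.find(sig.get("ref"))
    if target is None:
        return False
    expected = hmac.new(key, canonical_bytes(target), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig.text or "")


def intermediary_rewrites(xml_text, tag, new_text):
    """Simulate a routing hop that edits one element before forwarding."""
    root = ET.fromstring(xml_text)
    root.find(tag).text = new_text
    return ET.tostring(root, encoding="unicode")


def demo():
    """Sign the card element, then pass the message through two hops."""
    signed = sign_element(PURCHASE_ORDER, "CreditCard")
    # A hop may legitimately rewrite routing data that is not signed...
    rerouted = intermediary_rewrites(signed, "ShipTo", "Depot 9")
    # ...but any change to the protected element is caught at the endpoint,
    # which per-hop TLS alone cannot guarantee.
    tampered = intermediary_rewrites(signed, "CreditCard", "5555-0000-0000-0000")
    return {
        "original": verify_element(signed),
        "rerouted": verify_element(rerouted),
        "tampered": verify_element(tampered),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `original` and `rerouted` as `True` and `tampered` as `False`. The rerouted case is the contrast with SSL: a TLS connection terminates at the intermediary, which then sees and can alter the whole document, whereas the element-level signature travels with the message and still verifies at the final endpoint.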


  • Transport Level Security Vs Message Level Security in WCF

    Transport Level Security
    It secures the actual transport (i.e. the pipe) over which the message passes from client to service. For example, it uses SSL (Secure Sockets Layer) to ensure point-to-point protection.
    Message Level Security
    It secures the message itself that is being transported from client to a service and vice versa.

Recommended Scenarios for Transport and Message Level Security:

Transport Level Security doesn’t support scenarios where intermediaries are involved. It only supports sending a message directly from the client to the WCF service without an intermediate system, and it is suited to cases where both client and service reside on the same intranet.

On the other hand, Message Level Security secures the actual message, so it supports intermediaries: there is no problem even if the message is routed through multiple intermediate systems.

Transport Level Security
Advantages:
Because Transport Level Security secures the network protocol, no extra coding is required.
Improved performance can be achieved by using hardware accelerators.
Disadvantages:
Lacks support for intermediate systems because it’s point to point and protects the “pipe” between a single client and a service.

Message Level Security
Advantages:
As the message is secured (signed and encrypted) while transmitting through the network, any intermediate hop in the network has no impact on security.
Supports a wide range of security options; custom security can even be implemented.
Disadvantages:
Every individual message is secured, which means there is a cost to encrypt a message on one side and decrypt it on the other, resulting in reduced performance.
Lacks interoperability: it demands that both client and service support the WS-Security specification.
http://www.topwcftutorials.net/2014/09/transport-level-security-vs-message-level-security-wcf.html



Friday, October 18, 2019

Fileless malware

  • A new breed of malicious operations utilizing inherent features built into Windows that allow a clever hacker to turn the operating system against itself and compromise entire networks without needing a single piece of software to be installed.
There are two different tools that hackers are beginning to utilize as a foundation for fileless malware: Windows Management Instrumentation and Powershell

The same way an admin uses WMI to query metrics and execute code, a hacker can use it to run malicious code across an entire network of machines. This can be done silently, instantly, and is undetectable by standard anti-virus as an undesired action.
WMI cannot be uninstalled; it can only be disabled.

PowerShell allows attackers to hide easily by dropping Base64-scrambled or encrypted code directly into PowerShell, which automatically decodes it and runs it from memory.

What makes PowerShell even scarier as a tool for hackers is that it can be run remotely through WinRM, legitimately, allowing attackers to instantly punch a hole through the Windows Firewall on that compromised endpoint. If WinRM is turned off, it can be turned on remotely through WMI using a single line of code. Because PowerShell is an inherent part of Windows, it is completely trusted by the machine and ignored by antivirus software and other defense mechanisms. All the attacker needs is access to the machine, which can be achieved using WMI as shown above.
http://www.cybereason.com/fileless-malware-an-evolving-threat-on-the-horizon

  • In-Memory Malware is Difficult to Detect

Fileless malware is reaping a great benefit for hackers and cyber-criminals and creating great risk for your business. Fileless infections are exactly what they seem to be: malware or virus infections that don’t use any files in the process. The malware is written directly into the physical memory (or RAM) and is capable of eluding most detection technologies such as desktop firewalls and anti-virus programs.
https://digitalguardian.com/solutions/use-case/memory-forensics

  • A fileless infection (fileless malware) is malicious code that exists only in memory rather than being installed to the target computer's hard drive.
A tactic we have spotted would be using fileless malware. Unlike most malware, fileless malware hides itself in locations that are difficult to scan or detect. Fileless malware exists only in memory and is written directly to RAM instead of being installed in the target computer’s hard drive. POWELIKS is an example of fileless malware that is able to hide its malicious code in the Windows Registry. These use a conventional malware file to add the entries with its malicious code in the registry.
http://blog.trendmicro.com/trendlabs-security-intelligence/without-a-trace-fileless-malware-spotted-in-the-wild/


  • FILELESS MALWARE 101: UNDERSTANDING NON-MALWARE ATTACKS

Unlike file-based attacks, fileless malware does not leverage traditional executable files. Fileless attacks abuse tools that are built into the operating system to carry out attacks. Essentially, Windows is turned against itself.
Without an executable, there is no signature for antivirus software to detect. This is part of what makes fileless attacks so dangerous - they are able to easily evade antivirus products.
Fileless attacks use a technique called living-off-the-land. Living-off-the-land is when attackers use legitimate tools for malicious purposes.
The abused, legitimate tools are known as LOLBins, and can include Microsoft Office Macros, PowerShell, WMI, and many more system tools.

HOW DOES FILELESS MALWARE WORK?
Fileless malware leverages trusted, legitimate processes (LOLBins) running on the operating system to perform malicious activities such as lateral movement, privilege escalation, evasion, reconnaissance, and the delivery of payloads.

REASONS TO USE FILELESS MALWARE IN AN ATTACK
Stealthy: Fileless malware uses legitimate tools, which means it is almost impossible to blocklist the tools used in a fileless attack.
Living-off-the-land: The legitimate tools used for fileless malware are installed by default. The attacker does not need to create or install any custom tools to use them.
Trusted and Frequented: These tools are frequently used and trusted. It is not unusual to see the tools used in fileless malware running in an enterprise environment for a legitimate purpose.

LOLBINS LEVERAGED BY FILELESS MALWARE

POWERSHELL
PowerShell is a cross-platform, open source task automation and configuration management framework created by Microsoft. 
The PowerShell framework, based on .NET, is made up of a command-line shell and scripting language. PowerShell gives full access to many Windows system functions, including WMI and component object model (COM) objects, as well as management features for the Microsoft Exchange server and others. Further, it is able to execute payloads directly from memory, which is what enables attackers to leverage it for fileless malware.

WINDOWS MANAGEMENT INSTRUMENTATION (WMI)
Windows Management Instrumentation (WMI) is a Microsoft standard for accessing management information about devices in an enterprise environment
WHAT IS WMI LEGITIMATELY USED FOR?
WMI is all about the management of Windows devices on a network. It can give you information about the status of local or remote machines, and can be used to configure security settings like system properties, user groups, scheduling processes, or disabling error logging. WMI is valuable to administrators that need to easily manage all machines on the network - a task that happens regularly in an enterprise.

.NET FRAMEWORK
.NET is an open source framework, or set of generic, commonly used and editable functionality, made by Microsoft. It has two main components that developers use together to create applications: the Common Language Runtime and the .NET Framework Class Library. 

MACROS
In Microsoft Office, macros are used to automate frequent tasks. They are typically created in Word documents or Excel spreadsheets as a series of commands grouped together to complete a task automatically. Many macros are made using Visual Basic for Applications and can be written by anyone, including software developers.
WHY USE MACROS FOR FILELESS ATTACKS?
Using macros for fileless attacks is convenient, because they can easily be combined with phishing campaigns and social engineering techniques to trick a user.



WHY IS DETECTION AND PREVENTION OF FILELESS MALWARE CHALLENGING?
Fileless malware depends on tools that are part of the daily workflow of enterprise professionals. Attackers know they can rely on a set of tools that are pre-installed on every Windows machine and are vital for the daily operations of the enterprise. Fileless malware also decreases the number of files on disk, which means signature-based prevention and detection methods will not be able to identify them. This makes it incredibly difficult for an analyst or security product to identify whether the tool is being used for malicious purposes or normal, day-to-day actions. Analysts must have an intimate understanding of their environment to be able to identify LOLBins at work.
https://www.cybereason.com/blog/fileless-malware

  • What is Fileless Malware?

Fileless malware is a type of malicious software that uses legitimate programs to infect a computer.
It does not rely on files and leaves no footprint, making it challenging to detect and remove.
In practice this means that fileless attacks are often undetectable by antivirus, whitelisting, and other traditional endpoint security solutions.
Fileless attacks fall into the broader category of low-observable characteristics (LOC) attacks, a type of stealth attack that evades detection by most security solutions and frustrates forensic analysis efforts.
While not considered a traditional virus, fileless malware does work in a similar way—it operates in memory.
Without being stored in a file or installed directly on a machine, fileless infections go straight into memory and the malicious content never touches the hard drive.

How does a fileless attack happen?
Many LOC attacks take advantage of Microsoft Windows PowerShell, a legitimate and useful tool used by administrators for task automation and configuration management. PowerShell consists of a command-line shell and associated scripting language, providing adversaries with access to just about everything and anything in Windows.

Fileless attacks often use social engineering to get users to click on a link or an attachment in a phishing email. Fileless attacks are typically used for lateral movement, meaning they make their way from one device to the next with the objective of gaining access rights to valuable data across the enterprise network. To avoid suspicion, fileless malware gets into the inner recesses of trusted, whitelisted applications (like PowerShell and Windows script host executables such as wscript.exe and cscript.exe) or the operating system to initiate malicious processes. These attacks abuse the trust model used by security applications to not monitor whitelisted programs.

How can you defend against fileless attacks?
Microsoft has upgraded its Windows Defender package to detect irregular activity from PowerShell.
The real key to successfully counteracting fileless attacks is an integrated approach that addresses the entire threat lifecycle. By having a multi-layered defense, you gain an advantage over attackers by being able to investigate every phase of a campaign before, during, and after an attack.

Two things are especially important:
The ability to see and measure what’s happening: discovering the techniques used by the attack, monitoring activities in PowerShell or other scripting engines, accessing aggregated threat data, and gaining visibility into user activities.
The ability to control the state of the targeted system: halting arbitrary processes, remediating processes that are part of the attack, and isolating infected devices.

Endpoint hardening:
defenses like vulnerability assessment, exploit/memory protection, desktop firewall, and URL filtering.
Machine learning:
security analytic solutions using advanced, adaptive, and state-of-the-art machine learning, deep learning, and artificial intelligence techniques.
Application containment:
whitelisting solution that blocks unauthorized applications and code from running on servers, desktops, and fixed-function devices.
Behavior monitoring:
Understanding user behavior analytics (UBA) helps you identify threats hidden among your data, allowing you to increase security operations accuracy while shortening investigation timelines. Rather than focusing exclusively on users or entities, UBA combines anomaly detection and customized rules with other intelligent and advanced correlation models.
Interactive threat hunting:
tool that automatically and proactively investigates and responds to abnormal behavior on endpoints and searches for fileless attack footholds.
Single-console centralized management:
a unified platform that provides control, visibility, reporting, and actionable dashboards across hundreds and even thousands of nodes enterprise-wide.
Integration with partner technologies:
protection against specific types of fileless threats.

Fileless threat: Reflective self injection:
Reflective loading refers to loading a portable executable (PE) from memory rather than from disk. A crafted function/script can reflectively load portable executable without getting registered as a loaded module in the process and hence can perform actions without leaving footprints. PowerShell is one of the most widely used applications to execute these crafted scripts. This event indicates a fileless attack where a PowerShell script tries to inject a PE into the PowerShell process itself.
Fileless threat: Reflective EXE self injection:
This event indicates a fileless attack where a PowerShell script tries to inject an EXE into the PowerShell process itself.
Fileless threat: Reflective DLL remote injection:
This event indicates a fileless attack where a PowerShell script tried to inject a DLL into a remote process.
Fileless threat: Malicious code execution using DotNetToJScript technique:
This event indicates an attempt to execute malicious shellcode using the DotNetToJScript technique, which is used by prevalent fileless attacks like CACTUSTORCH. DotNetToJScript attack vectors allow loading and execution of malicious .NET assembly (DLL, EXE, etc.) straight from memory with the help of .NET libraries exposed via COM. Just like any other typical fileless attack technique, DotNetToJScript does not write any part of the malicious .NET DLL or EXE in the computer's hard drive.

https://www.mcafee.com/enterprise/en-us/security-awareness/ransomware/what-is-fileless-malware.html
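The notes above describe the same detection problem from several angles: Base64 code dropped into PowerShell and decoded in memory, WinRM switched on through WMI, macros launching PowerShell, and the reflective-injection events listed in the McAfee section. The following added example (not code from any article quoted on this page) shows how a defender turns those descriptions into a triage rule over process-creation records. The record layout and the three sample events are constructed, not real telemetry; the decoder undoes `-EncodedCommand` the way PowerShell does (Base64 over UTF-16LE) so that indicators hidden in the encoded payload are scored as well.

```python
"""Triage of PowerShell process-creation records for fileless-attack indicators.

Added example; it is not code from any article quoted on this page. The
records are constructed to look like endpoint process-creation events (parent
image, image, command line); the field names are an assumption, not a real
product schema. The decoder undoes -EncodedCommand the way PowerShell does
(Base64 over UTF-16LE) so that indicators hidden inside the encoded payload
are scored too: in-memory evaluation, reflective assembly loading, WinRM being
switched on, evasion switches, and Office launching PowerShell from a macro.
"""
import base64
import re

# Indicators corresponding to the behaviours described on this page.
INDICATORS = [
    (r"-e(?:nc|ncodedcommand)?\b", "encoded command"),
    (r"\bIEX\b|Invoke-Expression", "in-memory evaluation"),
    (r"FromBase64String", "base64 decode at runtime"),
    (r"\[(?:System\.)?Reflection\.Assembly\]::Load", "reflective assembly load"),
    (r"Enable-PSRemoting|winrm\s+quickconfig", "WinRM enabled"),
    (r"-nop\b|-NoProfile\b|-w(?:indowstyle)?\s+hidden|-ExecutionPolicy\s+Bypass",
     "evasion switches"),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


def make_encoded(script):
    """Encode a script the way 'powershell -EncodedCommand' expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line):
    """Return the decoded script when -EncodedCommand (-e, -enc) is present."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", command_line, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event):
    """Return (score, reasons) for one process-creation record."""
    cmd = event["command_line"]
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else cmd + "\n" + decoded
    reasons = [label for pat, label in INDICATORS if re.search(pat, text, re.I)]
    if event["parent_image"].lower() in OFFICE_PARENTS:
        reasons.append("spawned by Office (macro)")
    return len(reasons), reasons


# Constructed sample events: one routine admin job and two that match the
# page's description of fileless tradecraft.
SAMPLE_EVENTS = [
    {"parent_image": "explorer.exe", "image": "powershell.exe",
     "command_line": "powershell.exe -NoProfile -File C:\\ops\\inventory.ps1"},
    {"parent_image": "winword.exe", "image": "powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc "
     + make_encoded("[Reflection.Assembly]::Load($bytes) | Out-Null")},
    {"parent_image": "services.exe", "image": "powershell.exe",
     "command_line": "powershell.exe -e " + make_encoded("Enable-PSRemoting -Force")},
]


def triage(events=SAMPLE_EVENTS, threshold=2):
    """Return records scoring at or above the threshold, highest first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"parent": ev["parent_image"], "image": ev["image"],
                         "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    for hit in triage():
        print(hit)
```

The routine inventory job scores 1 (only `-NoProfile`) and stays below the threshold, while the macro-spawned encoded command scores 4 and the WinRM-enabling one scores 2. The threshold is the tuning knob the Cybereason piece alludes to when it says analysts need an intimate understanding of their environment: a single indicator such as `-NoProfile` is everyday admin usage, and only the combination of parent process, encoding and in-memory loading separates the LOLBin abuse from legitimate use.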