Abstract image of a woman sitting on books and studying on a laptop

Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams

Download as PPTX, PDF
A
Andrew Morris

The document discusses the use of Greynoise to analyze and quantify the response times of cloud provider abuse teams regarding compromised devices. It outlines the background of Greynoise, research questions, methodologies used to assess various cloud providers, and provides results and recommendations for improving responses to compromised hosts. Focus is placed on understanding how different cloud providers manage such incidents and the importance of proactive measures in handling potential threats.

Technology
Related topics:
Threat Intelligence
1 of 36
Downloaded 26 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams Andrew Morris @andrew___morris andrew@greynoise.io
• Thank you ACoD! • Founders • Committee • Staff • Attendees
About Me Andrew Morris Founder, interim CEO @ GreyNoise Intelligence Previously: - Endgame R&D - Intrepidus (NCC Group) - KCG (ManTech) Twitter: @andrew___morris Email: andrew@greynoise.io
Agenda • What is GreyNoise • Background • Research Questions • Qualifiers • Methodologies 1-4 • Results • Recommendations
About GreyNoise GreyNoise is a gigantic system of globally-distributed passive collector sensors that monitor, analyze, and contextualize Internet-wide background scan and attack traffic. GreyNoise processes tens of millions of packets from hundreds of thousands of IPs every day Security professionals use GreyNoise to filter noisy alerts, identify compromised devices, and observe emerging threats. Learn more at https://greynoise.io or explore the data at https://viz.greynoise.io/
GreyNoise Examples (benign) • Cliqz • ShadowServer.org • Riddler.io • BinaryEdge.io • FindMalware • Quadmetrics.com • Stretchoid.com • CCBot • Internet Census • Stanford University • Brown University • CheckMarkNetwork • Mojeek • Cambridge Cybercrime Centre • Moz DotBot • Net Systems Research • Uptime.com • PDRLabs.net • Ruhr-Universitat Bochum • MJ12bot • A10 Networks • Baidu Spider • CompanyBook • Sogou • PingZapper • ipip.net • CyberGreen • Qwant • ExposureMonitoring • IBM oBot • University of Michigan • Team Cymru • Panscient • MauiBot • Facebook NetProbe • Archive.org • RWTH AACHEN University • Shodan.io • SiteExplorer • Kudelski Security • Project Sonar • SEMrush • ProbeTheNet.com • University of California Berkeley • Project25499 • Intrinsec • LoSec • DomainCrawler • BingBot • GoogleBot • DataProvider • Yandex Search Engine • Statastico • Censys • Cloud System Networks • DomainTools • Mail.RU • Talaia • Ampere Innotech • aiHit • ONYPHE • Ahrefs • OpenLinkProfiler • NetCraft • University of New Mexico • Seznam • Coc Coc • SafeDNS • Pingdom.com
GreyNoise Examples (malicious) • Eir D1000 Router Worm • D-Link 850L Worm • MSSQL Bruteforcer • Realtek Miniigd UPnP Worm CVE-2014-8361 • ZmEu Worm • Telnet Worm • Jboss Worm • D-Link 2750B Worm • PHP Worm • Apache Struts CVE-2017-5638 Worm • Mailbox Bruteforcer • Looks Like RDP Worm • Belkin N750 Worm CVE-2014-1635 • D-Link DSL-2640U DNS Hijack Vulnerability • EquationGroup Eternal/MS17-010 • Compromised Raspberry Pi • Oracle WebLogic CVE-2017-10271 Worm • HTTP PUT Uploader • Looks Like Conficker • Generic Windows Worm • Open Proxy Scanner • ADB Worm • Eternal MS17-010 • PHP InvokeFunction Attacker • IIS WebDAV Remote Code Execution CVE- 2017-7269 • Mikrotik CVE-2018-14847 Worm • Windows RDP Cookie Hijacker CVE-2014- 6318 • Zyxel OS Command Injection CVE-2017-6884 • VNC Bruteforcer • CHINANET SSH Bruteforcer • SSH Worm • PHPMyAdmin Worm • Wordpress Worm • Huawei HG532 UPnP Worm CVE-2017-17215 • Wordpress XML RPC Worm • Postgres Bruteforcer • Avtech IP Camera Worm • Hadoop Yarn Worm • Unknown Linux Worm • FTP Bruteforcer • GPON CVE-2018-10561 Router Worm • Mirai • Looks Like EternalBlue • Embedded Device Worm • D3c3mb3r Botnet • Linksys E-Series TheMoon Router Worm • Unauthenticated Redis Worm • Drupal CVE-2018-7600 Worm • CGI Script Scanner • LINK-NET LW-N605R Worm CVE-2018-16752 • Asterisk Bruteforcer • Apache Struts CVE-2018-11776 Worm
Background • There are many compromised devices around the Internet • A subset of these compromised devices become infected by exposing vulnerable services directly to the rest of the Internet • These services can be configured to accept default/easily guessable credentials or they can be unpatched and vulnerable to a large series of remote exploits • Botnets and bad guys constantly scan and crawl the Internet to find and infect these hosts with unsophisticated malware • Once infected, many of these compromised devices spread their malware to other hosts by opportunistically scanning for and attacking other similarly vulnerable devices around the Internet • This kind of activity is executed by a specific sub-category of botnet (Mirai, Satori, Muhstik, etc) • Most of the attacks an organization sees to the network perimeter originate from these devices
Background (cont’d) • When a device becomes compromised inside of a cloud provider (such as AWS, Google Cloud, DigitalOcean, etc) it will often start to attack other hosts around the Internet • The cloud provider abuse contact will start to receive some signals that the devices is compromised: • Abuse complaint emails from other network administrators around the Internet • A large uptick in traffic to thousands or millions of destination IPs over protocols that are generally used by authentication (SSH, Telnet, etc) • Some period of time after the device is infected / attacking other servers around the Internet (without being remediated by the owner), the cloud hosting provider abuse team will decommission or quarantine the server
Research Questions 1. How much time generally passes between a device in a cloud provider starting to attack other hosts around the Internet and for the activity to be remediated? 2. How much variance is there between different cloud hosting providers, such as Amazon AWS, Microsoft Azure, Google Cloud, DigitalOcean, etc? 3. How much variance is there internally on a given cloud hosting provider? 4. How many compromised devices are there in each cloud hosting provider?** 5. How long have is the longest “total compromised host time” of each provider? - …using compromised device data collected and labeled by GreyNoise ** This is a Dumb Question™️
Goal • Walk away with an understanding of how different cloud providers handle compromised devices within their network • Walk away with an understanding of how to reproduce this research with your own data sources • Walk away with an understanding of GreyNoise
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams In other words…
Qualifiers SHAME • This talk is not intended to shame anyone or compare what organizations are “better” or “worse” • We are measuring “response time”, not “effectiveness” Work sucks • Security is hard enough without some asshole telling you how to do your job Trust / Abuse / Fraud is hard • SOC / trust / abuse / fraud teams are INSANELY overworked • It’s a hard and thankless job • I have an ENORMOUS amount of respect for the folks who work these jobs Grace period • Every cloud provider has different internal policies on how long to wait until decommissioning or quarantining a customer server, as to not disrupt their business
Qualifiers (cont’d) Collection Bias • There are many gaps in my methodology and it is by no means conclusive. This talk is one data point from one source Comparison • Cloud providers have different problems and different priorities than other hosting types (ISPs, corporate networks, telecommunications providers) Customer != Corporate • These devices are not located in any of these organization’s corporate networks CYA • This talk is in no way a reflection of these organization’s security posture. It is a set of observations based on a specific set of data.
Data sources • Infection status – GreyNoise • Cloud provider ranges – IPinfo.io • Cloud provider sizes – IPinfo.io • I love IPinfo.io with all of my heart
Subjects • Amazon AWS • Google Cloud • DigitalOcean • Microsoft Azure • Oracle Cloud • Rackspace • Linode • IBM Softlayer • Vultr • Tencent • Ali Cloud • OVH • SingleHop • CenturyLink
Methodology 1: Pure quantity** • How many unique compromised IPs are there inside a given cloud hosting provider? • Over a four (4) month sample • This is a really, really, really stupid way to gauge anything • This breaks down when “size” is taken into consideration • A larger cloud hosting provider will simply have more compromised devices • E.g. if Google Cloud has 100 compromised devices (out of ten million customer machines) that’s very little • If a small cloud hosting provider with 1024 IPs has 100 infected devices, that’s *really* bad • Recreate: $ gnql $org classification:malicious | jq '.count'
Methodology 1** (this is a bad metric)
Large ISPs for scale
• Amazon: 2176 • DigitalOcean: 5465 • Vultr: 1677 • Google: 900 • Microsoft Corporation: 837 • Oracle: 540 • Rackspace: 79 • Linode: 251 • Softlayer: 192 • Tencent: 4846 • Alibaba: 292 • OVH: 2310 • SingleHop: 27 • CenturyLink: 736 Compromised IPs observed by GreyNoise over a four (4) month sample
Methodology 2: Ham-fisted cumulative time** • What is the total time (in hours) between the time GreyNoise first and last saw all infected IPs in a given cloud hosting provider? • This is also a really, really bad way to measure anything • Breaks down when size is taken into consideration • Also breaks down when you take IP recycling into consideration • IP re-use between accounts • IP recycling between “known good” Internet scanners (Shodan, BinaryEdge) and briefly infected devices • Multiple infections on the same host over a long period of time (the “state” of “infectedness”)
Methodology 2** (this is a less bad metric but is still pretty bad)
Total time (in hours) between the time GreyNoise first and last saw all infected IPs in a given cloud hosting provider? • Amazon : 652.42 • DigitalOcean : 648.64 • Vultr : 1060.51 • Google : 447.66 • Microsoft Corporation : 490.80 • Oracle : 1991.11 • Rackspace : 2694.37 • Linode : 578.67 • Softlayer : 910 • Tencent : 1835.27 • Alibaba : 1186.23 • OVH : 2048.07 • SingleHop : 1265.77 • CenturyLink : 1139.16
Methodology 3: Cumulative “infected” time (adjusted) • How many cumulative “state of infected” hours (per 10,000 IPs) are there for a given cloud hosting provider? • Get all IPs that have ever been infected inside a given cloud provider • Use GreyNoise to find the exact time ranges they were infected • Account for time interval overlap (this was a lot harder than I thought it would be) • Add all of the hours together • Get total size of Cloud provider, in IPs (using IPinfo.io) • This is harder for some providers than others • This is also not accurate, but it’s better than nothing • Divide hours by total IPs/10,000 • This breaks down because it makes smaller, busier hosting providers look slower and positively biases gigantic hosting providers (by dividing their “hour” amount by a huge number)
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Cumulative Compromised Hours / (Total IPs / 10,000) • Amazon : 174370 / 2945 = 59.20 • DigitalOcean : 1305470 / 55 = 23735.81 • Vultr : 199017 / 28 = 7107.75 • Google : 100252 / 243 = 412.55 • Microsoft Corporation : 131239 / 1302 = 100.79 • Rackspace : 18653 / 135 = 138.17 • Linode : 7598 / 26 = 292.23 • Softlayer : 14428 / 190 = 75.93 • Tencent : 1405329 / 26 = 54051.11 • Alibaba : 41859 / 20 = 9586.62 • OVH : 1342128 / 140 = 9586.62 • SingleHop : 2025 / 26 = 77.88
Methodology 4: Average time-to-close of an infected host • What is the average amount of time between a machine getting infected (and attacking other hosts) and the infection being remediated (no longer attacking other hosts) • Find and average intervals of time (in hours) between attacks starting and stopping • Problem: Just because the machine stops attacking other hosts does not mean it is no longer infected • This is equally evident to GreyNoise and the hosting provider itself
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Average Time-To-Close (hours) • Amazon : 40.92 • DigitalOcean : 118.12 • Vultr : 51.63 • Google : 66.46 • Microsoft_Corporation : 82.74 • Oracle : 107.76 • Rackspace : 78.29 • Linode : 17.48 • Softlayer : 34.73 • Tencent : 95.58 • Alibaba : 31.04 • OVH : 232.29 • SingleHop : 28.16 • CenturyLink : 19.21
Bonus Metric • How many devices are compromised in each provider right now? $ gnql metadata.organization:whatever classification:malicious last_seen:>=2019-01-29 | jq .count
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Recommendations • Be proactive • Use third-party threat intelligence feeds to identify compromised hosts in your environment • Trust (believable) abuse complaint reports • Scrutinize hosts that receive a large amount of abuse complaints • Ignore reports that come from people who complain when the receive a single port scan • Start with strict firewall controls • Deny any inbound traffic beyond what is necessary and force the user to whitelist additional services • Consider vulnerability scanning your own environment and relaying concerning results to your customers • Google and Vultr do this • [SHAMELESS SELF PLUG] Ask me about the GreyNoise Cloud Trust Alliance program
QUESTIONS?
THANK YOU! andrew@greynoise.io @andrew___morris

More Related Content

PDF
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
Andrew Morris
 
PPTX
GreyNoise - Lowering Signal To Noise
Andrew Morris
 
PPTX
Weekend Malware Research 2012
Andrew Morris
 
PPTX
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Andrew Morris
 
PDF
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
Andrew Morris
 
PDF
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Andrew Morris
 
PDF
Honeycon2016-honeypot updates for public
Julia Yu-Chin Cheng
 
PPTX
Defcon Crypto Village - OPSEC Concerns in Using Crypto
John Bambenek
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
Andrew Morris
 
GreyNoise - Lowering Signal To Noise
Andrew Morris
 
Weekend Malware Research 2012
Andrew Morris
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Andrew Morris
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
Andrew Morris
 
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Andrew Morris
 
Honeycon2016-honeypot updates for public
Julia Yu-Chin Cheng
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
John Bambenek
 

What's hot (20)

PDF
Honeypots for Active Defense
Greg Foss
 
PPTX
The Background Noise of the Internet
Andrew Morris
 
PPTX
The Honeynet Project Introduction
Julia Yu-Chin Cheng
 
PDF
IoT security is a nightmare. But what is the real risk?
Zoltan Balazs
 
PPTX
ANALYZE'15 - Bulk Malware Analysis at Scale
John Bambenek
 
PDF
No Easy Breach DerbyCon 2016
Matthew Dunwoody
 
PPTX
Defending Against 1,000,000 Cyber Attacks by Michael Banks
EC-Council
 
PDF
Advanced Threats and Lateral Movement Detection
Greg Foss
 
PPTX
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat Security Conference
 
PDF
Security by Weston Hecker
EC-Council
 
PDF
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Zoltan Balazs
 
PPTX
How to stay protected against ransomware
Sophos Benelux
 
PPTX
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat Security Conference
 
PPTX
2018 - Using Honeypots for Network Security Monitoring
chrissanders88
 
PDF
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Mender.io
 
PPTX
"There's a pot of Bitcoins behind the ransomware rainbow"
Christiaan Beek
 
PDF
Why are you still getting CryptoLocker?
Aaron Lancaster
 
PPTX
Corporate Espionage without the Hassle of Committing Felonies
John Bambenek
 
PPT
Next Generation Advanced Malware Detection and Defense
Luca Simonelli
 
PDF
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
PROIDEA
 
Honeypots for Active Defense
Greg Foss
 
The Background Noise of the Internet
Andrew Morris
 
The Honeynet Project Introduction
Julia Yu-Chin Cheng
 
IoT security is a nightmare. But what is the real risk?
Zoltan Balazs
 
ANALYZE'15 - Bulk Malware Analysis at Scale
John Bambenek
 
No Easy Breach DerbyCon 2016
Matthew Dunwoody
 
Defending Against 1,000,000 Cyber Attacks by Michael Banks
EC-Council
 
Advanced Threats and Lateral Movement Detection
Greg Foss
 
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat Security Conference
 
Security by Weston Hecker
EC-Council
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Zoltan Balazs
 
How to stay protected against ransomware
Sophos Benelux
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat Security Conference
 
2018 - Using Honeypots for Network Security Monitoring
chrissanders88
 
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Mender.io
 
"There's a pot of Bitcoins behind the ransomware rainbow"
Christiaan Beek
 
Why are you still getting CryptoLocker?
Aaron Lancaster
 
Corporate Espionage without the Hassle of Committing Felonies
John Bambenek
 
Next Generation Advanced Malware Detection and Defense
Luca Simonelli
 
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
PROIDEA
 
Ad

Similar to Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams (20)

PPTX
Lacework | Top 10 Cloud Security Threats
Lacework
 
PDF
Top 10 Threats to Cloud Security
SBWebinars
 
PPTX
Ransomware-Recovery-as-a-Service
Sagi Brody
 
PDF
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
PPTX
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Jason Trost
 
PDF
Ccna sec 01
EduclentMegasoftel
 
PPTX
Botnets Attacks.pptx
MuhammadRehan856177
 
PPTX
Security in the cloud Workshop HSTC 2014
Akash Mahajan
 
PPT
CyberCrime in the Cloud and How to defend Yourself
Alert Logic
 
PPTX
Fighting cyber fraud with hadoop
Niel Dunnage
 
PPTX
Securing your Cloud Environment v2
ShapeBlue
 
PPT
intrusion detection system (IDS)
Aj Maurya
 
PDF
110307 cloud security requirements gourley
GovCloud Network
 
PPTX
Crypto Miners in the Cloud
2nd Sight Lab
 
PPTX
Malware analysis
Prakashchand Suthar
 
PDF
Do you lose sleep at night?
Nathan Van Gheem
 
PDF
2023 NCIT: Introduction to Intrusion Detection
APNIC
 
PDF
Compliance made easy. Pass your audits stress-free.
AlgoSec
 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
PDF
DCSF19 Container Security: Theory & Practice at Netflix
Docker, Inc.
 
Lacework | Top 10 Cloud Security Threats
Lacework
 
Top 10 Threats to Cloud Security
SBWebinars
 
Ransomware-Recovery-as-a-Service
Sagi Brody
 
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Jason Trost
 
Ccna sec 01
EduclentMegasoftel
 
Botnets Attacks.pptx
MuhammadRehan856177
 
Security in the cloud Workshop HSTC 2014
Akash Mahajan
 
CyberCrime in the Cloud and How to defend Yourself
Alert Logic
 
Fighting cyber fraud with hadoop
Niel Dunnage
 
Securing your Cloud Environment v2
ShapeBlue
 
intrusion detection system (IDS)
Aj Maurya
 
110307 cloud security requirements gourley
GovCloud Network
 
Crypto Miners in the Cloud
2nd Sight Lab
 
Malware analysis
Prakashchand Suthar
 
Do you lose sleep at night?
Nathan Van Gheem
 
2023 NCIT: Introduction to Intrusion Detection
APNIC
 
Compliance made easy. Pass your audits stress-free.
AlgoSec
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
DCSF19 Container Security: Theory & Practice at Netflix
Docker, Inc.
 
Ad

Recently uploaded (20)

PDF
A review of recent deep learning applications in wood surface defect identifi...
IAESIJAI
 
PDF
Convolutional neural network based encoder-decoder for efficient real-time ob...
IAESIJAI
 
PDF
Consumable AI The What, Why & How for Small Teams.pdf
Vivek Sai
 
PDF
Improvisation in detection of pomegranate leaf disease using transfer learni...
IAESIJAI
 
PPTX
Internet of Everything -Basic concepts details
sendilkumar66
 
DOCX
Basics of Cloud Computing - Cloud Ecosystem
suthak11
 
PDF
Transform-Your-Supply-Chain-with-AI-Driven-Quality-Engineering.pdf
Kalilur Rahman
 
PDF
The influence of sentiment analysis in enhancing early warning system model f...
IAESIJAI
 
PDF
Enhancing plagiarism detection using data pre-processing and machine learning...
IAESIJAI
 
PDF
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
PPT
Galois Field Theory of Risk: A Perspective, Protocol, and Mathematical Backgr...
Melanie Swan
 
PDF
Transform-Quality-Engineering-with-AI-A-60-Day-Blueprint-for-Digital-Success.pdf
Kalilur Rahman
 
PDF
Transform-Your-Streaming-Platform-with-AI-Driven-Quality-Engineering.pdf
Kalilur Rahman
 
PDF
CXOs-Are-you-still-doing-manual-DevOps-in-the-age-of-AI.pdf
Kalilur Rahman
 
PDF
Comparative analysis of machine learning models for fake news detection in so...
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles – August ’25 Week IV
NewMind AI
 
PDF
Dell Pro Micro: Speed customer interactions, patient processing, and learning...
Principled Technologies
 
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
PPT
Geologic Time for studying geology for geologist
ssuser738f5a
 
PPTX
Module 1 Introduction to Web Programming .pptx
kamleshkc191
 
A review of recent deep learning applications in wood surface defect identifi...
IAESIJAI
 
Convolutional neural network based encoder-decoder for efficient real-time ob...
IAESIJAI
 
Consumable AI The What, Why & How for Small Teams.pdf
Vivek Sai
 
Improvisation in detection of pomegranate leaf disease using transfer learni...
IAESIJAI
 
Internet of Everything -Basic concepts details
sendilkumar66
 
Basics of Cloud Computing - Cloud Ecosystem
suthak11
 
Transform-Your-Supply-Chain-with-AI-Driven-Quality-Engineering.pdf
Kalilur Rahman
 
The influence of sentiment analysis in enhancing early warning system model f...
IAESIJAI
 
Enhancing plagiarism detection using data pre-processing and machine learning...
IAESIJAI
 
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
Galois Field Theory of Risk: A Perspective, Protocol, and Mathematical Backgr...
Melanie Swan
 
Transform-Quality-Engineering-with-AI-A-60-Day-Blueprint-for-Digital-Success.pdf
Kalilur Rahman
 
Transform-Your-Streaming-Platform-with-AI-Driven-Quality-Engineering.pdf
Kalilur Rahman
 
CXOs-Are-you-still-doing-manual-DevOps-in-the-age-of-AI.pdf
Kalilur Rahman
 
Comparative analysis of machine learning models for fake news detection in so...
IAESIJAI
 
NewMind AI Weekly Chronicles – August ’25 Week IV
NewMind AI
 
Dell Pro Micro: Speed customer interactions, patient processing, and learning...
Principled Technologies
 
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
Geologic Time for studying geology for geologist
ssuser738f5a
 
Module 1 Introduction to Web Programming .pptx
kamleshkc191
 

Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams

  • 1. Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams Andrew Morris @andrew___morris [email protected]
  • 2. • Thank you ACoD! • Founders • Committee • Staff • Attendees
  • 3. About Me Andrew Morris Founder, interim CEO @ GreyNoise Intelligence Previously: - Endgame R&D - Intrepidus (NCC Group) - KCG (ManTech) Twitter: @andrew___morris Email: [email protected]
  • 4. Agenda • What is GreyNoise • Background • Research Questions • Qualifiers • Methodologies 1-4 • Results • Recommendations
  • 5. About GreyNoise GreyNoise is a gigantic system of globally-distributed passive collector sensors that monitor, analyze, and contextualize Internet-wide background scan and attack traffic. GreyNoise processes tens of millions of packets from hundreds of thousands of IPs every day Security professionals use GreyNoise to filter noisy alerts, identify compromised devices, and observe emerging threats. Learn more at https://greynoise.io or explore the data at https://viz.greynoise.io/
  • 6. GreyNoise Examples (benign) • Cliqz • ShadowServer.org • Riddler.io • BinaryEdge.io • FindMalware • Quadmetrics.com • Stretchoid.com • CCBot • Internet Census • Stanford University • Brown University • CheckMarkNetwork • Mojeek • Cambridge Cybercrime Centre • Moz DotBot • Net Systems Research • Uptime.com • PDRLabs.net • Ruhr-Universitat Bochum • MJ12bot • A10 Networks • Baidu Spider • CompanyBook • Sogou • PingZapper • ipip.net • CyberGreen • Qwant • ExposureMonitoring • IBM oBot • University of Michigan • Team Cymru • Panscient • MauiBot • Facebook NetProbe • Archive.org • RWTH AACHEN University • Shodan.io • SiteExplorer • Kudelski Security • Project Sonar • SEMrush • ProbeTheNet.com • University of California Berkeley • Project25499 • Intrinsec • LoSec • DomainCrawler • BingBot • GoogleBot • DataProvider • Yandex Search Engine • Statastico • Censys • Cloud System Networks • DomainTools • Mail.RU • Talaia • Ampere Innotech • aiHit • ONYPHE • Ahrefs • OpenLinkProfiler • NetCraft • University of New Mexico • Seznam • Coc Coc • SafeDNS • Pingdom.com
  • 7. GreyNoise Examples (malicious) • Eir D1000 Router Worm • D-Link 850L Worm • MSSQL Bruteforcer • Realtek Miniigd UPnP Worm CVE-2014-8361 • ZmEu Worm • Telnet Worm • Jboss Worm • D-Link 2750B Worm • PHP Worm • Apache Struts CVE-2017-5638 Worm • Mailbox Bruteforcer • Looks Like RDP Worm • Belkin N750 Worm CVE-2014-1635 • D-Link DSL-2640U DNS Hijack Vulnerability • EquationGroup Eternal/MS17-010 • Compromised Raspberry Pi • Oracle WebLogic CVE-2017-10271 Worm • HTTP PUT Uploader • Looks Like Conficker • Generic Windows Worm • Open Proxy Scanner • ADB Worm • Eternal MS17-010 • PHP InvokeFunction Attacker • IIS WebDAV Remote Code Execution CVE- 2017-7269 • Mikrotik CVE-2018-14847 Worm • Windows RDP Cookie Hijacker CVE-2014- 6318 • Zyxel OS Command Injection CVE-2017-6884 • VNC Bruteforcer • CHINANET SSH Bruteforcer • SSH Worm • PHPMyAdmin Worm • Wordpress Worm • Huawei HG532 UPnP Worm CVE-2017-17215 • Wordpress XML RPC Worm • Postgres Bruteforcer • Avtech IP Camera Worm • Hadoop Yarn Worm • Unknown Linux Worm • FTP Bruteforcer • GPON CVE-2018-10561 Router Worm • Mirai • Looks Like EternalBlue • Embedded Device Worm • D3c3mb3r Botnet • Linksys E-Series TheMoon Router Worm • Unauthenticated Redis Worm • Drupal CVE-2018-7600 Worm • CGI Script Scanner • LINK-NET LW-N605R Worm CVE-2018-16752 • Asterisk Bruteforcer • Apache Struts CVE-2018-11776 Worm
  • 8. Background • There are many compromised devices around the Internet • A subset of these compromised devices become infected by exposing vulnerable services directly to the rest of the Internet • These services can be configured to accept default/easily guessable credentials or they can be unpatched and vulnerable to a large series of remote exploits • Botnets and bad guys constantly scan and crawl the Internet to find and infect these hosts with unsophisticated malware • Once infected, many of these compromised devices spread their malware to other hosts by opportunistically scanning for and attacking other similarly vulnerable devices around the Internet • This kind of activity is executed by a specific sub-category of botnet (Mirai, Satori, Muhstik, etc) • Most of the attacks an organization sees to the network perimeter originate from these devices
  • 9. Background (cont’d) • When a device becomes compromised inside of a cloud provider (such as AWS, Google Cloud, DigitalOcean, etc) it will often start to attack other hosts around the Internet • The cloud provider abuse contact will start to receive some signals that the devices is compromised: • Abuse complaint emails from other network administrators around the Internet • A large uptick in traffic to thousands or millions of destination IPs over protocols that are generally used by authentication (SSH, Telnet, etc) • Some period of time after the device is infected / attacking other servers around the Internet (without being remediated by the owner), the cloud hosting provider abuse team will decommission or quarantine the server
  • 10. Research Questions 1. How much time generally passes between a device in a cloud provider starting to attack other hosts around the Internet and for the activity to be remediated? 2. How much variance is there between different cloud hosting providers, such as Amazon AWS, Microsoft Azure, Google Cloud, DigitalOcean, etc? 3. How much variance is there internally on a given cloud hosting provider? 4. How many compromised devices are there in each cloud hosting provider?** 5. How long have is the longest “total compromised host time” of each provider? - …using compromised device data collected and labeled by GreyNoise ** This is a Dumb Question™️
  • 11. Goal • Walk away with an understanding of how different cloud providers handle compromised devices within their network • Walk away with an understanding of how to reproduce this research with your own data sources • Walk away with an understanding of GreyNoise
  • 12. Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams In other words…
  • 13. Qualifiers SHAME • This talk is not intended to shame anyone or compare what organizations are “better” or “worse” • We are measuring “response time”, not “effectiveness” Work sucks • Security is hard enough without some asshole telling you how to do your job Trust / Abuse / Fraud is hard • SOC / trust / abuse / fraud teams are INSANELY overworked • It’s a hard and thankless job • I have an ENORMOUS amount of respect for the folks who work these jobs Grace period • Every cloud provider has different internal policies on how long to wait until decommissioning or quarantining a customer server, as to not disrupt their business
  • 14. Qualifiers (cont’d) Collection Bias • There are many gaps in my methodology and it is by no means conclusive. This talk is one data point from one source Comparison • Cloud providers have different problems and different priorities than other hosting types (ISPs, corporate networks, telecommunications providers) Customer != Corporate • These devices are not located in any of these organization’s corporate networks CYA • This talk is in no way a reflection of these organization’s security posture. It is a set of observations based on a specific set of data.
  • 15. Data sources • Infection status – GreyNoise • Cloud provider ranges – IPinfo.io • Cloud provider sizes – IPinfo.io • I love IPinfo.io with all of my heart
  • 16. Subjects • Amazon AWS • Google Cloud • DigitalOcean • Microsoft Azure • Oracle Cloud • Rackspace • Linode • IBM Softlayer • Vultr • Tencent • Ali Cloud • OVH • SingleHop • CenturyLink
  • 17. Methodology 1: Pure quantity** • How many unique compromised IPs are there inside a given cloud hosting provider? • Over a four (4) month sample • This is a really, really, really stupid way to gauge anything • This breaks down when “size” is taken into consideration • A larger cloud hosting provider will simply have more compromised devices • E.g. if Google Cloud has 100 compromised devices (out of ten million customer machines) that’s very little • If a small cloud hosting provider with 1024 IPs has 100 infected devices, that’s *really* bad • Recreate: $ gnql $org classification:malicious | jq '.count'
  • 18. Methodology 1** (this is a bad metric)
  • 19. Large ISPs for scale
  • 20. • Amazon: 2176 • DigitalOcean: 5465 • Vultr: 1677 • Google: 900 • Microsoft Corporation: 837 • Oracle: 540 • Rackspace: 79 • Linode: 251 • Softlayer: 192 • Tencent: 4846 • Alibaba: 292 • OVH: 2310 • SingleHop: 27 • CenturyLink: 736 Compromised IPs observed by GreyNoise over a four (4) month sample
  • 21. Methodology 2: Ham-fisted cumulative time** • What is the total time (in hours) between the time GreyNoise first and last saw all infected IPs in a given cloud hosting provider? • This is also a really, really bad way to measure anything • Breaks down when size is taken into consideration • Also breaks down when you take IP recycling into consideration • IP re-use between accounts • IP recycling between “known good” Internet scanners (Shodan, BinaryEdge) and briefly infected devices • Multiple infections on the same host over a long period of time (the “state” of “infectedness”)
  • 22. Methodology 2** (this is a less bad metric but is still pretty bad)
  • 23. Total time (in hours) between the time GreyNoise first and last saw all infected IPs in a given cloud hosting provider? • Amazon : 652.42 • DigitalOcean : 648.64 • Vultr : 1060.51 • Google : 447.66 • Microsoft Corporation : 490.80 • Oracle : 1991.11 • Rackspace : 2694.37 • Linode : 578.67 • Softlayer : 910 • Tencent : 1835.27 • Alibaba : 1186.23 • OVH : 2048.07 • SingleHop : 1265.77 • CenturyLink : 1139.16
  • 24. Methodology 3: Cumulative “infected” time (adjusted) • How many cumulative “state of infected” hours (per 10,000 IPs) are there for a given cloud hosting provider? • Get all IPs that have ever been infected inside a given cloud provider • Use GreyNoise to find the exact time ranges they were infected • Account for time interval overlap (this was a lot harder than I thought it would be) • Add all of the hours together • Get total size of Cloud provider, in IPs (using IPinfo.io) • This is harder for some providers than others • This is also not accurate, but it’s better than nothing • Divide hours by total IPs/10,000 • This breaks down because it makes smaller, busier hosting providers look slower and positively biases gigantic hosting providers (by dividing their “hour” amount by a huge number)
  • 28. Cumulative Compromised Hours / (Total IPs / 10,000) • Amazon : 174370 / 2945 = 59.20 • DigitalOcean : 1305470 / 55 = 23735.81 • Vultr : 199017 / 28 = 7107.75 • Google : 100252 / 243 = 412.55 • Microsoft Corporation : 131239 / 1302 = 100.79 • Rackspace : 18653 / 135 = 138.17 • Linode : 7598 / 26 = 292.23 • Softlayer : 14428 / 190 = 75.93 • Tencent : 1405329 / 26 = 54051.11 • Alibaba : 41859 / 20 = 9586.62 • OVH : 1342128 / 140 = 9586.62 • SingleHop : 2025 / 26 = 77.88
  • 29. Methodology 4: Average time-to-close of an infected host • What is the average amount of time between a machine getting infected (and attacking other hosts) and the infection being remediated (no longer attacking other hosts) • Find and average intervals of time (in hours) between attacks starting and stopping • Problem: Just because the machine stops attacking other hosts does not mean it is no longer infected • This is equally evident to GreyNoise and the hosting provider itself
  • 31. Average Time-To-Close (hours) • Amazon : 40.92 • DigitalOcean : 118.12 • Vultr : 51.63 • Google : 66.46 • Microsoft_Corporation : 82.74 • Oracle : 107.76 • Rackspace : 78.29 • Linode : 17.48 • Softlayer : 34.73 • Tencent : 95.58 • Alibaba : 31.04 • OVH : 232.29 • SingleHop : 28.16 • CenturyLink : 19.21
  • 32. Bonus Metric • How many devices are compromised in each provider right now? $ gnql metadata.organization:whatever classification:malicious last_seen:>=2019-01-29 | jq .count
  • 34. Recommendations • Be proactive • Use third-party threat intelligence feeds to identify compromised hosts in your environment • Trust (believable) abuse complaint reports • Scrutinize hosts that receive a large amount of abuse complaints • Ignore reports that come from people who complain when the receive a single port scan • Start with strict firewall controls • Deny any inbound traffic beyond what is necessary and force the user to whitelist additional services • Consider vulnerability scanning your own environment and relaying concerning results to your customers • Google and Vultr do this • [SHAMELESS SELF PLUG] Ask me about the GreyNoise Cloud Trust Alliance program

Editor's Notes

  • #4: Please raise your hand if you’ve heard of GreyNoise before Please raise your hand if you’ve used GreyNoise before
  • #14: ISPs are…… way worse