Internet DRAFT - draft-witten-protectingendpoints
draft-witten-protectingendpoints
Network Working Group B. Witten
Internet-Draft Symantec
Intended status: Informational December 13, 2017
Expires: June 16, 2018
Necessity of Network and Third Party Protection of Endpoints
draft-witten-protectingendpoints-00
Abstract
This document describes the logic for third-party and network
security to complement strong cryptographic protocols, and presents
data, including independently verifiable data, helping scale the
importance of blocking attacks that might be hiding in encrypted
network traffic. This report includes data from multiple sources.
Some of that data is verifiable.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 16, 2018.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Witten Expires June 16, 2018 [Page 1]
�
Internet-Draft Network Protection of Endpoints December 2017
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Relevant Data . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Number of Certificates Issued to Phishing Sites . . . . . 3
2.2. Attack Rates, first data provider . . . . . . . . . . . . 4
2.3. Attack Rates, second data provider . . . . . . . . . . . 4
2.4. Portion of Attack Traffic Already Hiding in HTTPS . . . . 4
2.5. Additional Observations . . . . . . . . . . . . . . . . . 5
3. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Informative References . . . . . . . . . . . . . . . . . . . 6
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6
1. Introduction
A classic model of security emphasizes only "communications security"
between two "secure endpoints," with emphasis on both the need to
secure the endpoints, and the need to protect the communications
between those endpoints. Modern cryptographic protocols help protect
the communications. However, most endpoints still have
vulnerabilities. These vulnerabilities often have serious
consequences, including host compromise, and violation of any
confidentiality, integrity, and availability properties desired for
the information on the host and to which the host has access. Of
course, resultant consequences can be far worse for many parties
including consumers, activists, dissidents, commercial companies,
banks, utilities, and critical infrastructure of nearly all manner,
as well as anyone who depends on them. In this context, mitigation
of endpoint vulnerabilities is very important.
Mitigation of endpoint vulnerabilities is often achieved via
different means. For instance, security conscious and security
knowledgeable users and administrators often lock down endpoints with
strong operational security techniques. Alternatively, many users
and administrators with less security expertise often depend on third
party products to help protect their endpoints. Sometimes these
endpoint protection solutions install directly onto or into the
endpoint to be protected. However, sometimes the manufacturer of an
endpoint has produced a "closed" endpoint into which enough security
cannot be installed, or cannot be installed by anyone other than the
manufacturer who has already failed to install enough security. In
such cases, it's often possible to configure the endpoint and network
to ensure that all traffic to the endpoint is routed through a
security gateway attempting to protect the endpoint. This is often
done through either constraining the physical network topology, or by
Witten Expires June 16, 2018 [Page 2]
�
Internet-Draft Network Protection of Endpoints December 2017
trunking all of an endpoint's traffic through a Virtual Private
Network (VPN) which effectively connects the endpoint to the security
gateway. Note that with the rise of increasingly closed operating
systems for mobile and "Internet of Things" (IoT) devices, this model
of routing traffic through a security gateway is growing since such
vulnerable closed devices can only get additional security from the
network if not from the manufacturer who already failed to build in
adequate security.
2. Relevant Data
2.1. Number of Certificates Issued to Phishing Sites
In August of 2017, broadly trusted Certificate Authorities (CA)
including most commonly "Let's Encrypt," issued more than 4,800 TLS
certificates to phishing sites. Over the past year, these same CA's
issued more than 25,000 TLS certificates to phishing sites. We offer
below a conservative month by month count of TLS certificates issued
to phishing sites.
+----------------+-------+
| Month | Count |
+----------------+-------+
| August 2017 | 4,800 |
| July 2017 | 4,000 |
| June 2017 | 2,900 |
| May 2017 | 3,600 |
| April 2017 | 3,200 |
| March 2017 | 2,600 |
| February 2017 | 2,400 |
| January 2017 | 2,200 |
| December 2016 | 1,600 |
| November 2016 | 1,100 |
| October 2016 | 500 |
| September 2016 | 200 |
| August 2016 | 200 |
| July 2016 | 90 |
| June 2016 | 80 |
| May 2016 | 60 |
| April 2016 | 60 |
| March 2016 | 40 |
| February 2016 | 30 |
+----------------+-------+
Table 1: Conservative Counts of TLS Certificates Issued to Phishing
Sites
Witten Expires June 16, 2018 [Page 3]
�
Internet-Draft Network Protection of Endpoints December 2017
We note 20x year-over-year growth in issuance of TLS certificates to
phishing sites by trusted CA. We also note that phishing links are
distributed through many means including not only email but also
malicious web advertising often referred to as "malvertising," along
with other means such as SMS and instant messaging. We also note
that the numbers above do not include the vast number of legitimate
websites which are then later compromised and used for phishing along
with other types of attacks.
2.2. Attack Rates, first data provider
On a sampling of 90 million endpoints, in a given week of November
2017, 4 million of those endpoints were attacked. Of those 4 million
machines attacked in that week, more than 1 million were protected by
Intrusion Prevention Systems (IPS) inspecting network traffic. The
other 3 million were protected by other technologies.
2.3. Attack Rates, second data provider
A second source contributed data to this report. From that source,
for the month of October, 17.5 million users received 13 million
attempts at infection through malware, and 2 million attempts at
phishing. We also note that while some malware attempts are
malicious attachments, others are links to files which then
downloaded over FTP, HTTP, or HTTPS.
If the data is extrapolated, the data from both providers implies (a)
attack rates of more than 100 million attacks per year, and (b) each
endpoint would be compromised multiple times per year if not for the
third party security technologies protecting these endpoints, or some
other protection, such as tight operational security of the endpoints
on a level which is beyond the abilities of the average person. Of
course, every person, including consumers, deserve the right to
protect themselves and to choose the technologies and technology
providers they prefer to protect them.
2.4. Portion of Attack Traffic Already Hiding in HTTPS
A third source contributed data to this report. From that source, in
three days of January of 2017, over a million file download requests
were requests for malware. Of that million, more than 60,000 were
"second stage" requests. For this source, for that three-day period,
out of 1,396 of the most dangerous files, only 137 (9.8%) were from
HTTPS URLs.
That same source also sampled a period in November of 2017. From
that source, in three days of November of 2017, over 974,000 file
download requests were requests for malware. 117,000 of these
Witten Expires June 16, 2018 [Page 4]
�
Internet-Draft Network Protection of Endpoints December 2017
requests (roughly 12%) were confirmed as HTTPS or confirmed as TLS or
SSL. An additional 26% of those requests (total of 38% = 26% + 12%)
served files over port 443, but it was unclear whether the protocol
was HTTPS or something else.
2.5. Additional Observations
The data above in sections 2.2 and 2.3 does not include attacks
leveraging weaknesses in browser security models such as pop-under
mining of crypto-currency without the user's awareness [Tung], or
remote code exploitation vulnerabilities such as [rapid7] and
[Cimpanu], or CVE-2012-1845, CVE-2012-2897, CVE-2012-5112, CVE-
2012-5142, CVE-2016-1962, CVE-2016-1935, or over a dozen other high
severity remote code execution vulnerabilities found in browsers over
the past ten years. Of course, this is no criticism of browsers
specifically. All code has vulnerabilities. Concern stems from
those vulnerabilities being embedded in a "first line of defense"
running on the user's devices where mistakes can be quite damaging to
the device and the device's user. Instead, the reality that all code
has vulnerabilities should more strongly help drive urgency of
creating lines of defense in the network where exploitation of
vulnerabilities on disposable virtual machines can be far less
devastating than exploitation in the endpoint for an end user and
information on their device.
3. Conclusion
Precluding network based protection for endpoints is not consistent
with the imperative to treat mass surveillance as an attack. Mass
hacking of endpoints is surveillance by another means.
Endpoints currently face risks of compromise at a rate of a million
endpoints per week. Network based mitigation of endpoint
vulnerabilities is increasingly important to protecting those
endpoints.
Exposing millions of users per year to phishing, malvertising, and
countless other attacks, and denying them network based protection
against those attacks seems inconsistent with stated goals and
objectives of the IETF. Failing to standardize safer ways to provide
endpoints such network based protection against endpoint
vulnerabilities similarly seems to fall short of stated IETF goals
and objectives.
Witten Expires June 16, 2018 [Page 5]
�
Internet-Draft Network Protection of Endpoints December 2017
4. Informative References
[Cimpanu] Cimpanu, C., "RCE Vulnerability Affecting Older Versions
of Chrome Will Remain Unpatched", BleepingComputer rce-
vulnerability-affecting-older-versions-of-chrome-will-
remain-unpatched, August 2017.
[rapid7] Moulu, A., "Samsung Galaxy KNOX Android Browser RCE",
rapid7 samsung_knox_smdm_url, November 2017.
[Tung] Tung, L., "Windows: This sneaky cryptominer hides behind
taskbar even after you exit browser", zdnet windows-this-
sneaky-cryptominer-hides-behind-taskbar-even-after-you-
exit-browser, November 2017.
Author's Address
Brian Witten
Symantec Corporation
Email: brian_witten@symantec.com
Witten Expires June 16, 2018 [Page 6]
