talk - WorldHostingDays

The state of security in hosting:
the battle between good and evil
Igor Seletskiy,
CEO and Founder of CloudLinux

Hacking today is all about MONEY

Attack Types
Hosting | Enterprise / Consumer
§ Automated
§ Phishing
§ Botnet driven
§ Individualized
§ DDoS
§ Stealthy
§ Bruteforce
§ 0-days
§ Exploits
§ DDoS
§ SPAM
§ Botnets
§ SPAM

Value for attackers: DDOS
§ Day: $40 - $150
§ Week: $200 - $1000

Value for attackers: REMOTE ACCESS
§ Wordpress/Joomla admin: $0.2 - $2 per 500 sites
§ Webshell: $0.2 - $4 wholesale per 500 sites
§ cPanel/Plesk: $2 - $30 per server
§ SSH: $0.25 - $20 (worth more for US, CA, EU)
§ HIGH SEO domains: $20 - $500

Value for attackers: SPAM
§ Sending spam: $150 - $500 for up to 1,000,000 list mailing
§ Email Lists, Users DB Dumps: $15 - $80 per list (10k-1M entries)

Can you outrun the attacker?
How much attackers are willing to spend
§ $10K - $100K per attack
o Multiple targets have to be attacked (to make that spend pay off)

Cost of 0-days
Zerodium payouts for 0-day exploits
§ RCE Wordpress & Joomla → $10K
§ Local privilege escalation → $30K
§ RCE Dovecot / sendmail → $40K
§ RCE OpenSSL/PHP → $50K

Botnets, Botnets, Botnets
§ Prevent IP detection / blacklisting
§ Attack as many targets as possible
§ Vary attacks & payloads

Mish Mash of tools
§ WAF
§ AV
§ IDS
§ Firewall
o Fail2ban
o CSF
No single solution

ANTIVIRUS: not a good match for hosting industry
§ Polymorphic malware -- not a big presence … yet
§ Sandboxing + Heuristics
o Intercept system calls & filesystem operations
o Windows AVs were doing it for years

Hosting sites & servers constantly get hacked

Web Application Firewall
§ 0-day attacks
§ Wordpress plugins

Today's security solution
§ Ad-hoc AV scanning
o INOTIFY too slow
o Scans uploads via FTP/mod_security, but not SSH
o No re-scan of suspicious files on signature update
All depends on a sysadmin's expertise

Today's security solution
§ No way to see the whole picture
o Events from separate tools come through different channels
o No way to correlate events
• WAF & IDS
o Info from multiple servers not tied together

Imunify360:
§ Collect ‘events’ from all the servers
o Human threat analysis
o Heuristics & machine learning techniques
o Correlate data → WAF, IDS, traffic
§ Good signatures
o Hosting related
o Low false positives
§ Sandboxing (work in progress)
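An added example (not from the talk and not Imunify360 code) of the cross-server, cross-tool event correlation this slide and the previous one describe: it normalises constructed fail2ban and ModSecurity log lines from three hypothetical servers (web01-web03) and flags a source IP that several tools or several servers have already seen independently. Log formats follow the usual fail2ban and ModSecurity styles; all addresses and rule ids are invented.

```python
import re
from collections import defaultdict

# Constructed sample events: (server, tool, raw log line). Hostnames, IPs and
# rule ids are invented; the line layouts mimic fail2ban and ModSecurity.
SAMPLE_EVENTS = [
    ("web01", "fail2ban", "2016-03-15 10:01:02,123 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.7"),
    ("web02", "modsec", '[Tue Mar 15 10:03:40 2016] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [id "981173"] [uri "/wp-login.php"]'),
    ("web03", "fail2ban", "2016-03-15 10:05:11,456 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.7"),
    ("web01", "modsec", '[Tue Mar 15 10:06:02 2016] [error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). [id "981173"] [uri "/xmlrpc.php"]'),
    ("web02", "fail2ban", "2016-03-15 10:07:30,789 fail2ban.actions [1234]: NOTICE [sshd] Ban 192.0.2.44"),
]

FAIL2BAN_RE = re.compile(r"NOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\d+\.\d+\.\d+\.\d+)")
MODSEC_RE = re.compile(r"\[client (?P<ip>\d+\.\d+\.\d+\.\d+)\].*?\[id \"(?P<rule>\d+)\"\]")


def parse_event(tool, line):
    """Normalise one tool-specific log line into (source_ip, detail), or None if unrecognised."""
    if tool == "fail2ban":
        m = FAIL2BAN_RE.search(line)
        return (m.group("ip"), "ban:" + m.group("jail")) if m else None
    if tool == "modsec":
        m = MODSEC_RE.search(line)
        return (m.group("ip"), "rule:" + m.group("rule")) if m else None
    return None


def correlate(events, min_servers=2, min_tools=2):
    """Group normalised events by source IP; flag IPs seen on several servers or by several tools.

    Each tool on its own only sees one server and one channel; tying the events
    together is what turns three isolated bans/blocks into one actor.
    """
    by_ip = defaultdict(lambda: {"servers": set(), "tools": set(), "details": []})
    for server, tool, line in events:
        parsed = parse_event(tool, line)
        if parsed is None:
            continue  # unknown format: skip rather than guess
        ip, detail = parsed
        by_ip[ip]["servers"].add(server)
        by_ip[ip]["tools"].add(tool)
        by_ip[ip]["details"].append(detail)
    flagged = {}
    for ip, info in by_ip.items():
        if len(info["servers"]) >= min_servers or len(info["tools"]) >= min_tools:
            flagged[ip] = {"servers": sorted(info["servers"]), "tools": sorted(info["tools"]), "details": info["details"]}
    return flagged


if __name__ == "__main__":
    for ip, info in correlate(SAMPLE_EVENTS).items():
        print(ip, "seen on", info["servers"], "via", info["tools"], info["details"])
```

With the sample data only 203.0.113.7 is flagged (three servers, two tools); the other two addresses each appear once and stay below both thresholds.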

Provide security beyond signatures
§ High degree of automation
§ Low false positives
§ Install & forget
Made for regular humans, not security experts

Thank you and visit us at our booth #B04
Learn more at Imunify360.com