VISION TO SECURE, INTELLIGENCE TO PROTECT

White Paper

Internal Network Visibility for APTs and Insider Threats
A New Approach to Combating Advanced Adversaries


Table of Contents

Executive Summary
The Evolving Threat Landscape – Insider Attacks and APTs
  Insider Threats
  The Advanced Persistent Threat
Today’s Security Ecosystem
  Firewalls
  Antivirus
  Network IDS/IPS
  Behavioral-based Malware Detection
  Packet Capture
  SIEM
The Visibility Gap
“The Kill Chain”
Achieving Internal Visibility and Security
  Flow-based Monitoring
  Advanced Security Context
A New Approach for Advanced Adversaries


Executive Summary

Today’s threat actors are becoming more sophisticated, advanced and diverse. Widespread viruses and worm outbreaks are no longer the only worries for IT administrators; they also have to defend against the likes of 1) organized criminals launching profit-driven botnets, 2) hacktivists, 3) malicious insiders and 4) the Advanced Persistent Threat (APT). While conventional security tools – firewalls, antivirus, IDS/IPS, SIEM, etc. – still have a role to play in thwarting some types of attacks, others (particularly APTs and insider attacks) are easily evading these defenses and infiltrating enterprise networks.

The missing piece of the puzzle in many government and enterprise information security programs is internal network visibility. While there has been a lot of emphasis on blocking attacks at the perimeter and detecting known malware through the use of signatures, these strategies are no longer enough. Attacks that evade these defenses need to be detected at other layers. Monitoring and analyzing all of the activity taking place on the internal network is the next step for detecting and mitigating compromises after the walls have been breached.

This paper will explain why internal visibility is a necessity for network security today, and how it can be used to more effectively mitigate insider threats and APTs.

The Evolving Threat Landscape – Insider Attacks and APTs

Amidst the plethora of threats facing today’s computer networks, the most concerning and challenging are insider attacks and APTs. While widespread worms, viruses and other malware attacks – even botnets – can often be thwarted using conventional security solutions, insider threats and APTs are much more difficult to defend against.

First of all, they do not typically involve known malware that can be blocked with a signature update. (And if they do, that piece of malware will be just one of many methods used to infiltrate an organization.) Secondly, they do not always enter a network via the perimeter where most security solutions are deployed.

89% of surveyed IT Security Officers enhanced network security posture with StealthWatch by Lancope. Source: TechValidate.

TVID: E13-627-238


83% of surveyed IT organizations use Lancope’s StealthWatch System to detect or prevent suspicious user behavior.

Source: TechValidate.

TVID: 609-77A-F7D

Insider Threats

Insider threats are a rising concern. Over the past several years, there has been a steady stream of reported incidents of authorized users abusing their privileges to sabotage their company or steal confidential data for financial or competitive gain. Changes in the business environment are also contributing to this concern, as increased reliance on outsourcing, contractors and third-party technology platforms means that sensitive information is exposed to a larger group of people. Computer security professionals are searching for effective ways to detect and deter this activity.

Carnegie Mellon’s Computer Emergency Response Team (CERT) has been conducting research into insider threats since 2001. They define a malicious insider threat as “a current or former employee, contractor or other business partner who has or had authorized access to an organization’s network, system or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity or availability of the organization’s information or information systems.”1

1 – Carnegie Mellon CERT Insider Threat Center, http://www.cert.org/insider_threat/

While widespread, automated attacks have become much less of a concern for security professionals, insider threats and APTs have taken center stage.


In the case of the insider threat, the perpetrator will already have access to the internal environment. Access controls and perimeter defenses aren’t going to stop them. The only way to prevent this kind of attack is to have visibility into what insiders are doing on the network so that suspicious behavior – such as unusually large file transfers or attempts to access restricted areas – can be identified and further investigated.

The Advanced Persistent Threat

Over the past several years, the Advanced Persistent Threat (APT) has quickly risen as a top-level concern for organizations of all types and sizes. While a variety of definitions are applied to this term, it typically refers to threat actors who are capable of launching highly targeted, sophisticated attacks. These attacks are often launched by nation-states to conduct cyber espionage or cripple the critical infrastructure of an enemy country.

Once only a concern for government entities, the APT is now going after organizations across industries, large or small, in the U.S. and abroad. Any organization that houses valuable intellectual property or national intelligence, or that controls key components of a nation’s infrastructure, can now find itself squarely in the bullseye of an APT.

The term APT entered mainstream use in 2010 and 2011 as the result of media coverage surrounding state-sponsored attacks on high-profile entities including:

► RSA Security (disclosed in March 2011)

► Google, Adobe and dozens of other organizations as part of Operation Aurora (disclosed in January 2010)

► More than 70 organizations, including a dozen U.S. defense contractors, as part of Operation Shady RAT (reported in August 2011)

Sophisticated attackers often go to great lengths to target specific organizations and use specially tailored combinations of attack vectors and unpatched vulnerabilities to infiltrate a particular environment. This can make them very difficult to detect. These attackers may have a long-term interest in collecting information from a particular target network, which means that they must maintain access to that network without being discovered. In order to be stealthy, attackers will often access the network using legitimate access credentials.

According to Mandiant, a firm that specializes in APT incident investigations, 100 percent of the intrusions it investigated in 2011 involved the use of stolen access credentials, while only 54 percent of compromised machines were infected with malware. Mandiant also reported that the typical organization took a median of 416 days to discover an advanced attack within its network.2

Due to the success of these strategies, financially motivated cyber criminals have also begun to mimic some of the techniques used by APTs, further widening the swath of organizations that are susceptible to advanced attacks. Many of these operations involve well-funded organizations with large numbers of participants who have highly specialized skills. These factors contribute to their success, making them a very formidable threat.

Considering the customized, relentless and well-backed nature of APTs, it is imperative that organizations know what is going on within their internal networks to fill in the gaps left by conventional security defenses. A complete audit trail of network activity can be used to fully assess the impact of a breach and hunt for ongoing espionage and data exfiltration occurring in real time.

Today’s Security Ecosystem

Unfortunately there is a widespread misconception among many security organizations today that if they have antivirus, firewall, IDS/IPS, SIEM and maybe even an advanced malware detection system or two, then they are well protected from any and all attacks that come their way. In an era of rising insider threats and APTs, this is simply not true. In the real world, we have malware operating for years at a time before antivirus software can detect it, and that malware often spreads by exploiting zero-day vulnerabilities for which no patch exists, using exploits for which no signature exists either.

2 – Mandiant M-Trends Report, https://blog.mandiant.com/archives/2326


Obviously, security controls that are based on detecting known threats are not going to be sufficient to protect our networks against this kind of attack. Perimeter-based defenses are also ineffective since many attacks originate from the inside. Here’s a look at the various, conventional security solutions being used today, and how they fall short when it comes to detecting APTs and insider threats.

Firewalls

Firewalls help manage the complexity of a computer network by defining and enforcing barriers between different network compartments. Over the years, software applications have adapted to the existence of firewalls by layering on top of protocols such as HTTP, which most firewall policies allow. Attackers have adapted too – targeting vulnerabilities in the increasingly complex software interfaces that these applications expose. This has allowed sophisticated external attackers to get access to systems behind the firewall – malicious insiders, of course, already have access.

Antivirus

Antivirus software has become a standard piece of today’s security ecosystem due to its efficacy in detecting and mitigating known attacks at the endpoint. However, polymorphic code and encryption techniques let today’s malware authors produce variants that signature-based scanners do not recognize. Antivirus vendors employ a “safety in numbers” strategy to respond to new malware – meaning that as broadly targeted attacks begin spreading through the Internet, vendors collect samples and write signatures for them, protecting the community at large. However, highly targeted attacks that involve unknown, zero-day techniques can fly under the radar for long periods of time.

Network IDS/IPS

Signature-based Intrusion Detection and Prevention Systems (IDS/IPS) provide another method of detecting and mitigating known threats. However, since they require signature updates to detect specific threats, they provide limited protection against zero-day attacks. Popular attack tools also use encryption and JavaScript obfuscation to hide even well-known attacks from detection systems. Additionally, due to the high costs and complexity associated with probe-based deployments, IDS/IPS implementations are typically found only at the perimeter, meaning they face the same challenges as firewalls when it comes to policing the internal network.

“We have used Lancope to consolidate several tools including replacing our IDS system and reducing costs and time to locate network problems.” – McKee Foods

Source: TechValidate.

TVID: AFC-07E-FF3

Behavioral-based Malware Detection

Behavioral-based malware detection can help identify zero-day attacks, since it does not rely on signature updates. However, effective behavioral analysis is difficult to achieve in real time – when an attack is detected, it has already occurred. Incident responders must determine what events occurred after the initial infection and where the infection might have spread. This is difficult to achieve without an audit trail of traffic on the internal network. These technologies are also typically limited to perimeter deployments, making them unable to see attack activity that originates inside the network or arrives via devices such as USB flash drives. Additionally, some attacks do not use malware at all, so malware detection needs to be complemented with other security strategies.

Packet Capture

Network monitoring tools that collect a full packet capture of all network activity can provide a valuable record to investigate in the event that an attack is suspected. However, like the other technologies discussed above, these types of technologies are only really feasible for deployment at the perimeter, leaving a gap when it comes to events that occurred on the internal network. Furthermore, keeping a full packet capture covering long periods of time can become extremely expensive, particularly when considering that many advanced attacks are not discovered for over a year.

SIEM

SIEM tools correlate log data (typically Syslog) from multiple security devices within the network infrastructure to provide a broader picture of information security events. To be effective, a SIEM must be tailored to the environment it is protecting. This requires a great deal of customization by a knowledgeable security professional. Once configured, it must be constantly tuned and the networks it protects must be re-evaluated on a regular basis.


New machines are constantly being introduced to the network, new services are being set up, and software upgrades can change log formatting or introduce new messages that should be parsed. Without diligence, the SIEM can start over-reporting false positives or become blind to network assets/services that did not exist when it was set up.

Furthermore, while it can provide a consolidated view of security events, SIEM cannot generally provide any net new data beyond what has already been seen by other security devices (largely perimeter devices), meaning it poses the same challenges as the above solutions when it comes to detecting advanced, targeted attacks. While some organizations pull additional logs from servers and other internal hosts into their SIEM tools, once a machine is compromised its logs can no longer be trusted, since an attacker who controls the host can alter or suppress them, so visibility is skewed.

The Visibility Gap

While each of these technologies has a role to play in combating network threats, they all miss the mark when it comes to internal visibility, leaving a wide open gap in enterprise security posture. This gap is evident to external attackers who know that once they have gotten past perimeter defenses, they can wreak havoc on the internal network without fear of being detected.

“Lancope’s solution has provided us with better visibility into network activity across our global enterprise.” – Westinghouse Electric Company

Source: TechValidate.

TVID: 436-FAD-940

Organizations must think beyond the perimeter when planning and executing their security strategies, and have controls in place for addressing attacks that enter the network interior.


The gap is also evident to malicious insiders, who already have access to sensitive information and also have no reason to fear being discovered. Lastly, this gap has become a challenge for incident responders, who have the hard job of reconstructing what happened once a system has been breached and the logs have been corrupted. However, by combining these conventional security technologies with a solid solution that provides internal network visibility and an audit trail of network activity, organizations can more effectively identify, investigate, halt and prevent advanced attacks including insider threats and APTs.

“The Kill Chain”

There is no simple solution that can be deployed on a network that will be completely effective against advanced attackers. Today, defending a network requires building a set of different controls and processes that can work together to increase detection rates.

Advanced attackers tend to spend a lot of time within their targets’ networks, using an involved series of steps to execute a successful strike. While attackers try to stay “low and slow,” they inadvertently provide security professionals with many opportunities to detect them – if they are armed with the right tools and processes.

Sophisticated attackers haven’t won the moment they first evade perimeter defenses. They still need to pivot internally, locate the data they are after, and exfiltrate it. Many will try to stay inside the network for long periods of time. Information security professional Mike Cloppert first suggested that incident responders can detect attacks by looking into each stage of the adversary’s “kill chain,” a term first used to describe military strikes.3

For most sophisticated attacks, the perpetrator will conduct a combination of some or all of the following activities: 1) network reconnaissance, 2) spear phishing, 3) exploitation of zero-day vulnerabilities, 4) exploit obfuscation to evade COTS security products, 5) covert command-and-control communications, 6) internal pivoting that evades detection by internal IPS systems, and 7) data exfiltration.

60% of surveyed IT organizations use StealthWatch to detect or prevent network reconnaissance.

Source: TechValidate.

TVID: E18-780-612

3 – “Security Intelligence: Attacking the Kill Chain,” Mike Cloppert, http://computer-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain#


Based on the sheer number of steps involved, it becomes clear that virtually any security control could potentially detect at least part of an advanced attack. However, 1) sophisticated attackers are aware of this fact, and go to great lengths to evade conventional defenses, using obfuscation techniques and even testing their exploits against commonly deployed security products, and 2) should one part of their attack fail, targeted attackers will have plenty more tricks up their sleeve and will continue to try to knock down the doors until they get in (hence, the “persistent” part of the APT moniker).

While they may be imperfect when considered in isolation, however, the security controls discussed above can be valuable components of a comprehensive detection strategy when used in concert. The key is taking an active, multifaceted approach to detecting APTs, and realizing that internal visibility must be a part of the strategy.

Notice that many of the “kill chain” steps listed above – network reconnaissance, communication with command-and-control servers, internal pivoting and data exfiltration – are not easily detected with perimeter- or signature-based technologies, but could be uncovered via internal network monitoring. For example, when a host is discovered downloading an unusually large amount of data from a critical Identity and Access Management server, it could be an indicator that an attack is taking place. Having visibility and controls along the entire kill chain is critical.

Sophisticated attackers go through a series of steps to successfully extract data from an organization.


It is also important to recognize the role of human incident responders in combating advanced security threats. No security solution is going to automatically detect and block APTs while the IT staff is asleep. The best solutions harness the strengths of both automated and human analysis – helping professional incident responders monitor their systems and networks and comb through the masses of information there to find the subtle indicators that sophisticated attacks leave behind. Next-generation network visibility technologies can help here by turning the network into an always-on sensor grid for detecting suspicious behavior.

Achieving Internal Visibility and Security

Flow-based Monitoring

The most comprehensive and cost-effective means of obtaining visibility and protection across the internal network is to leverage existing infrastructure. Vast amounts of security insight can be obtained by collecting and analyzing NetFlow, IPFIX, sFlow and other types of flow data from routers, switches and other flow-enabled devices already deployed within the network. Like a call record, flow data can show who is talking to whom within a network, for how long, using which devices, etc.

Flow-based monitoring cost-effectively expands visibility and threat intelligence across the entire enterprise network.


Unlike conventional security solutions, flow-based monitoring solutions like Lancope’s StealthWatch® System can provide a full audit trail of host-to-host communications across the entire network by collecting, analyzing and storing network data over long periods of time. By having a complete view of all activity taking place across the network, administrators can baseline normal network behavior and then easily identify when a host is doing something it shouldn’t be – whether it be logging in from an unfamiliar location, beaconing, communicating with a questionable external IP address, sending out unusually high amounts of traffic, and the list goes on.

Status quo security measures are often blind to these types of behaviors even though they pose a danger to the organization. StealthWatch is highly scalable to provide this in-depth insight even across the largest enterprise networks, analyzing up to 120,000 flows per second (fps) per collector, or 3 million fps total.

Due to its strong analysis capabilities, StealthWatch was also selected to provide the flow-based monitoring component of the Cisco Cyber Threat Defense Solution. As part of its inclusion in the Cisco Cyber Threat Defense Solution, StealthWatch includes specially tailored dashboards designed for more easily tracking various stages of the kill chain, including network reconnaissance, internal malware propagation, command-and-control communications and data exfiltration.

In the case of APTs and insider threats, flow-based monitoring can fill in the dangerous blind spot left by conventional solutions. Instead of only revealing nefarious traffic going in and out of the network, it can also clearly depict the spread of attacks on the internal network, providing faster insight into internally spreading attacks than can be obtained through manual forensic analysis of compromised machines. Additionally, it can identify malicious insiders or external attackers using stolen, valid credentials (which is becoming increasingly common) by picking up on unusual behaviors, even if the perpetrator appears to be a trusted entity. For example, if an account executive from Florida logs in from overseas while he is sitting in the office, you know something is not right. Because it is based on behavior rather than content, flow-based monitoring can still detect anomalies even when network communications are encrypted: it works from connection metadata (endpoints, ports, volumes, timing and duration), none of which encryption hides. The corresponding limitation is that flow data cannot show what was inside those connections, so confirming a suspected exfiltration still requires host or packet evidence.

The American Cancer Society reduced the time it took to mitigate a security incident by more than 75% with StealthWatch.

Source: TechValidate.

TVID: 0EF-E3C-98F

In addition to improving real-time detection of attacks, flow-based monitoring is invaluable for conducting incident response and forensic investigations. Because NetFlow records are smaller than packet captures, it is possible to efficiently store an audit trail of activity that happened across the entire network over long periods of time. That audit trail can be a critical asset in the midst of a breach investigation, filling in the details of what the attacker did between the time that an attack began and when it was discovered. This view provides a way of assessing the scope of an incident, including what systems were accessed, so that an active attacker can be quickly and comprehensively eliminated.
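The baselining and anomaly checks described in this section, as an added example that is not part of the original white paper and not Lancope's or StealthWatch's code: it reads a few constructed NetFlow-style records (the addresses, byte counts and the 10.0.0.0/8 internal range are assumptions for the sample), builds a per-host outbound-volume baseline from previous days, flags a host whose outbound volume today far exceeds its own history, and flags a host-to-external-server pair whose connections start at suspiciously regular intervals (beaconing). The thresholds (three standard deviations, a 10 MB floor, six observations, 10% timing jitter) are illustrative, not values from the paper.

```python
"""Flow-record analytics for internal visibility: per-host outbound baselines,
volume anomalies and beacon detection over NetFlow-style records.
Added example; the sample data below is constructed, not captured traffic."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import NamedTuple


class Flow(NamedTuple):
    start: int       # flow start, seconds since epoch
    src: str         # source IP
    dst: str         # destination IP
    dport: int       # destination port
    bytes_out: int   # bytes sent from src to dst


def is_internal(ip: str) -> bool:
    # Assumption for the sample: 10.0.0.0/8 is the enterprise address space.
    return ip.startswith("10.")


def outbound_bytes_per_host(flows):
    """Total bytes each internal host sent to external addresses."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[f.src] += f.bytes_out
    return dict(totals)


def build_baseline(daily_totals):
    """daily_totals: {host: [outbound bytes on day 1, day 2, ...]} from past
    days. Returns {host: (mean, population stdev)}; needs at least two days."""
    return {h: (mean(v), pstdev(v)) for h, v in daily_totals.items() if len(v) >= 2}


def volume_anomalies(today, baseline, sigmas=3.0, floor_bytes=10_000_000):
    """Hosts whose outbound volume today exceeds mean + sigmas*stdev of their
    own history. The floor keeps low-volume hosts from alarming on noise."""
    hits = []
    for host, total in today.items():
        if host not in baseline:
            continue                      # no history yet; cannot judge
        mu, sd = baseline[host]
        if total > max(mu + sigmas * sd, floor_bytes):
            hits.append((host, total, mu))
    return hits


def beaconing(flows, min_count=6, max_jitter=0.10):
    """(src, dst, dport) pairs whose flow start times are nearly periodic:
    coefficient of variation of the inter-start gaps <= max_jitter."""
    starts_by_pair = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            starts_by_pair[(f.src, f.dst, f.dport)].append(f.start)
    hits = []
    for pair, starts in starts_by_pair.items():
        if len(starts) < min_count:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            hits.append((pair, round(period)))
    return hits


# Constructed sample data (documentation address ranges for external hosts).
T0 = 1_700_000_000
SAMPLE_BASELINE = {
    "10.0.0.5": [2_000_000, 2_200_000, 1_900_000, 2_100_000],
    "10.0.0.9": [500_000, 600_000, 550_000, 580_000],
}
SAMPLE_FLOWS = [
    # 10.0.0.5: a 5 MB internal transfer (ignored) and 80 MB out to one server
    Flow(T0 + 10, "10.0.0.5", "10.0.0.1", 445, 5_000_000),
    Flow(T0 + 60, "10.0.0.5", "203.0.113.7", 443, 30_000_000),
    Flow(T0 + 900, "10.0.0.5", "203.0.113.7", 443, 30_000_000),
    Flow(T0 + 1800, "10.0.0.5", "203.0.113.7", 443, 20_000_000),
    # 10.0.0.9: ordinary web traffic plus a tiny connection every 300 s
    Flow(T0 + 100, "10.0.0.9", "203.0.113.50", 80, 500_000),
] + [Flow(T0 + 300 * i, "10.0.0.9", "198.51.100.20", 443, 400) for i in range(8)]


if __name__ == "__main__":
    today = outbound_bytes_per_host(SAMPLE_FLOWS)
    print("volume anomalies:", volume_anomalies(today, build_baseline(SAMPLE_BASELINE)))
    print("beacons:", beaconing(SAMPLE_FLOWS))
```

Each function returns its findings rather than printing them so they can feed a scoring or ticketing step. Note the two different failure modes handled: a host with no history is skipped rather than flagged (a brand-new machine is not an anomaly against nothing), and the beacon check ignores pairs seen fewer than six times, because two or three evenly spaced connections are far too common to be meaningful. This per-host tuning is what the paper means by establishing baselines for each host before judging it.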

To successfully combat today’s threats, organizations must employ a layered cyber threat defense strategy that includes a mix of various security technologies and incident response procedures.


Advanced Security Context

According to a recent Forrester Consulting Technology Adoption Profile (TAP) study commissioned by Lancope and Cisco, despite the fact that 84 percent of organizations surveyed were doing some basic NetFlow monitoring, many of them were missing out on the security insights that NetFlow can provide. According to Forrester, “Enlightened organizations have adopted network flow analysis capabilities to augment their preventative controls, but fail to include the additional context necessary to truly identify malicious activity within their networks. To be successful in this advanced threat environment, organizations must adopt new robust detection and analysis capabilities.”4

While many vendors collect and store flow data, or offer limited analysis capabilities, Lancope goes beyond the basics to provide the in-depth threat intelligence and security context required to shut down advanced attackers. StealthWatch employs sophisticated behavioral analytics and heuristics to analyze 90+ attributes of network flow data to establish baselines for each host and group of hosts on the network. Examples of some of these attributes include 1) how much traffic a specific host is generating, 2) which other hosts it is communicating with, 3) the types of applications it is running, and many, many more.

From there, StealthWatch can easily detect and generate an alarm when a host is exceeding its normal traffic threshold, for example, or conducting other anomalous behaviors. In addition to providing high-level overviews of concerning behaviors, StealthWatch also allows users to drill down into specific alarms, hosts and traffic patterns to obtain more in-depth insight. StealthWatch Host Snapshots, for example, provide a multitude of details on specific hosts, such as recent alarm activity observed from the host, interfaces the host is using, and more.

4 – “Responding To New Threats Requires A New Approach,” a commissioned study conducted by Forrester Consulting on behalf of Cisco Systems and Lancope, August 2012, http://www.lancope.com/resource-center/industry-reports/forrester-tap-report/


StealthWatch also includes the following advanced features to bolster network visibility and security context:

Application awareness – Through a combination of behavioral analysis and packet inspection, StealthWatch can identify and gather performance statistics for Layer 7 applications, detecting application-based issues and ensuring that the network is delivering applications reliably and securely. StealthWatch also provides advanced data on the specific URLs that users are accessing to further enhance troubleshooting.

Identity awareness – StealthWatch provides several options for obtaining identity data and tracking network and security issues back to the exact users responsible. Organizations can either deploy the StealthWatch IDentity™ appliance, or integrate their Cisco Identity Services Engine (ISE) with StealthWatch, holding users accountable for conducting bad behavior or operating compromised systems on the network.

Mobile monitoring – In the wake of IT consumerization and the bring-your-own-device (BYOD) movement, organizations have to be prepared to fend off threats stemming from employee-owned mobile devices. StealthWatch takes a unique approach to this challenge by analyzing mobile device information collected from existing network infrastructure to detect and alarm on anomalous behavior originating from users’ personal smartphones, tablets or laptops.

The system helps organizations proactively detect issues coming from any device on the network without having to install additional software or deploy expensive probes. Through integration with Cisco’s ISE, StealthWatch also incorporates advanced device and identity data such as device type, security posture, physical location and more into its overall view of network activity, further advancing its ability to provide comprehensive security no matter what device is connected to the network.


Virtual monitoring – Virtualization is taking enterprise data centers by storm, but it is unfortunately leading to a decrease in network visibility and the demise of conventional security defenses. This lack of insight complicates problem identification and resolution, potentially erasing any cost savings associated with virtual environments in the first place. StealthWatch leverages NetFlow and other flow data from VMware as well as existing routers and switches to provide in-depth visibility into both physical and virtual environments.

Through a combination of behavioral analysis and packet inspection, the system can collect critical data from virtual environments and generate flow records that can be analyzed for performance statistics and anomalous behavior. This way, organizations can obtain the same level of visibility and insight they have within physical networks in virtual environments, greatly enhancing security and performance.

Concern Index™ – Through its proprietary Concern Index (CI), StealthWatch automatically prioritizes the top threats facing an organization so they can be dealt with first. StealthWatch monitors all hosts, both internal and external, that cross the network, tracking both the behavior of each host as well as the relationship between it and other hosts. When hosts conduct suspicious behaviors, they are assigned CI points, and hosts that accumulate a specified number of points will trigger an alarm to the IT administrator alerting him/her that the host should be investigated. The CI also employs its own set of over 100 algorithms designed to detect and prioritize anomalous behavior even before baselines are established, providing immediate, actionable intelligence for expedited troubleshooting.
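The threshold alarm described earlier and the Concern Index accumulation described here can be illustrated with a small scoring pass over flow records. The following is an added example, not Lancope's code: the flow records, baselines, rules and point values are all constructed and hypothetical, and the two behavioral rules deliberately fire with no baseline present while the traffic-threshold rule requires one.

```python
from collections import defaultdict

# Constructed NetFlow-style records (src, dst, dst_port, bytes); not a real capture.
FLOWS = [
    ("10.1.1.10", "10.1.2.50", 443, 12_000),            # ordinary client traffic
    ("10.1.1.10", "10.1.2.51", 443, 9_000),
    *[("10.1.1.99", f"10.1.2.{i}", 445, 120) for i in range(1, 26)],   # host scan
    *[("10.1.1.99", "10.1.2.1", p, 60) for p in range(8000, 8015)],    # port scan
    *[("10.1.1.77", f"10.1.3.{i}", 22, 100) for i in range(1, 21)],    # host scan only
    ("10.1.1.42", "203.0.113.7", 443, 900_000_000),     # far above learned baseline
]
# Constructed per-host outbound byte baselines; 10.1.1.77 has none established yet.
BASELINES = {"10.1.1.10": 50_000, "10.1.1.99": 50_000, "10.1.1.42": 5_000_000}

# Hypothetical rules and point values, not Lancope's actual CI algorithms.
HOST_SCAN_MIN_PEERS = 20   # distinct destinations reached on one port
PORT_SCAN_MIN_PORTS = 15   # distinct ports tried on one destination
BASELINE_FACTOR = 10       # outbound bytes relative to the learned baseline
POINTS = {"host_scan": 40, "port_scan": 40, "traffic_excess": 60}
ALARM_THRESHOLD = 50

def score_hosts(flows, baselines):
    """Accumulate concern points per source host; returns {src: (points, reasons)}."""
    peers, ports, out_bytes = defaultdict(set), defaultdict(set), defaultdict(int)
    for src, dst, port, nbytes in flows:
        peers[(src, port)].add(dst)
        ports[(src, dst)].add(port)
        out_bytes[src] += nbytes
    scores = defaultdict(lambda: [0, []])
    # Behavioral rules need no baseline: they fire on the shape of the traffic alone.
    for (src, port), dsts in peers.items():
        if len(dsts) >= HOST_SCAN_MIN_PEERS:
            scores[src][0] += POINTS["host_scan"]
            scores[src][1].append(f"host_scan port={port} peers={len(dsts)}")
    for (src, dst), ps in ports.items():
        if len(ps) >= PORT_SCAN_MIN_PORTS:
            scores[src][0] += POINTS["port_scan"]
            scores[src][1].append(f"port_scan dst={dst} ports={len(ps)}")
    # The traffic-threshold rule only applies once a baseline exists for the host.
    for src, total in out_bytes.items():
        base = baselines.get(src)
        if base is not None and total > base * BASELINE_FACTOR:
            scores[src][0] += POINTS["traffic_excess"]
            scores[src][1].append(f"traffic_excess bytes={total} baseline={base}")
    return {src: (pts, why) for src, (pts, why) in scores.items()}

def alarms(scores, threshold=ALARM_THRESHOLD):
    """Hosts whose accumulated points reach the threshold, most concerning first."""
    hits = [(src, pts) for src, (pts, _) in scores.items() if pts >= threshold]
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    for src, pts in alarms(score_hosts(FLOWS, BASELINES)):
        print(f"ALARM {src}: CI={pts}")
```

Host 10.1.1.77 scores points for a single behavior but stays below the alarm threshold, which is the prioritization effect the Concern Index is meant to provide: an analyst sees the hosts that accumulate concern first.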

StealthWatch Labs Intelligence Center™ (SLIC) – Lancope correlates its sophisticated behavioral analysis capabilities with global threat intelligence from the StealthWatch Labs research group. By conducting in-house research and gathering third-party intelligence on known threats, vulnerabilities, exploits and IP reputation reports from around the world, StealthWatch Labs further enhances Lancope’s early threat detection capabilities with new detection algorithms as well as threat feeds that identify suspicious hosts on the Internet.


©2013 Lancope, Inc. All rights reserved. Lancope, StealthWatch, and other trademarks are registered or unregistered trademarks of Lancope, Inc. All other trademarks are properties of their respective owners.

WP-r0203-06192013


A New Approach for Advanced Adversaries

According to the Ponemon Institute, “Over reliance on A/V and IDS solutions has weakened the collective security posture, as these solutions cannot stand up in the face of the advanced threats we now see. New solutions focused on network and traffic intelligence are seen as the best way to combat advanced threats, and much broader adoption is required.”5

Similarly, the previously referenced Forrester TAP paper states, “Today, information security success is no longer defined by preventing attacks, but instead how quickly organizations can detect and contain breaches.” Organizations that deploy a multifaceted security strategy, combining conventional security technologies, next-generation internal visibility tools and advanced security context, will be well-poised to defend their networks against sophisticated adversaries.

5 – Ponemon Institute, “Growing Risk of Advanced Threats,” June 30, 2010

To learn more or request a demo, contact [email protected].

Lancope, Inc. 3650 Brookside Parkway, Suite 500, Alpharetta, GA 30022 (888) 419-1462 www.lancope.com

Lancope, Inc. Corporate Headquarters [email protected] + 1 (888) 419-1462

Lancope, Inc. European Headquarters [email protected] + 44 (0) 208-528-175

Lancope UAE FZ LLC Middle East [email protected] + 971 503 455 708