The Failure of Cyber Forces: You’re doing it wrong, soldier
DESCRIPTION
Security today is fundamentally broken and an overhaul is desperately needed. Today's advanced cyber threats evade both detection and prevention by current approaches to network security, whether you want to believe it or not. Most organisations have developed an over-reliance on network-layer, perimeter-focused solutions that require signatures or statistical foreknowledge of each technical threat. As the endless security breaches of the last few years have shown, most legacy solutions are made obsolete by each new move of focused adversaries such as cyber criminals and nation-state groups, and by their ever-changing attack methods, including targeted and zero-day malware, obfuscation, and covert network channels. This session focuses on the true nature and sources of today's advanced threats, and describes the solution characteristics, both technology- and operations-related, that are required to combat these threats and close critical network visibility gaps.
TRANSCRIPT
Copyright 2011 © All rights reserved. EMC Corporation | Confidential and Proprietary
The Failure of Cyber Forces: You’re doing it wrong soldier
Presentation for: IP EXPO 2011
Presented By: Chris Brown, @tufferb, [email protected]
Agenda
» The Threat Environment and Why Cyber Forces and Technologies are Failing
» Advanced / Persistent Threats – In Context
» Rethinking Network Monitoring – A Quick Case Study
» Take-Aways and Q&A
Why Are We Failing At All This?
» Spear phishing attacks
» Poisoned websites and DNS – “Drive-by” attacks
» Pervasive infection (e.g., Duqu, ZeuS, Aurora, Stuxnet, Night Dragon, etc.)
» Malware and more malware resulting from all of the above…
» Undetected data exfiltration, leakage, and covert network comms
» Ongoing product vulnerabilities (e.g., Adobe, Microsoft, Oracle)
» Social Networking / Mobility / Web 2.0
» Cloud Computing / Other unknown risk profiles
What is your security budget?
Do we really know the adversary?
What Do These Organizations Want?
» Nation-sponsored attacks on anything (critical infrastructure, defense industrial base, etc.)
  – Designer malware directed at end users through spear phishing attacks
  – Covert channels and obfuscated network traffic
  – Low and slow data exfiltration
  – Rogue encryption
» Organized criminal group attacks
  – Data from retail and banking POS and ATM systems
  – Infiltration of transaction processing systems in multiple industry sectors
  – Application layer, database and middleware systems with deep “personal information” and other “key” attributes
Are Security Teams Failing? Definitely…
» People
  – Underestimate the complexity and capability of the threat actors
  – Do not take proactive steps to detect threats
» Process
  – Organizations have misplaced IT measurements and program focus
  – IR processes lack correct data and focus
» Technology
  – Current technology is failing to detect APT, APA, and other threats
  – Deep holes in network visibility
[Screenshot of an ISC diary entry:]
Adobe Flash v10.1.82.76 and earlier vulnerability in-the-wild
Published: 2010-09-14, Last Updated: 2010-09-14 00:59:32 UTC by Adrien de Beaupre (Version: 1)
Adobe has released an advisory for Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android, as well as Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. CVE-2010-2884 has been assigned to the issue, which has an impact of crashing Flash or arbitrary code execution on some affected platforms. There is currently no patch; Adobe has indicated that it should be released in late September and/or early October. There are indications that this previously unknown vulnerability is currently being exploited in the wild by malicious web sites attacking browsers. YYAAAV: Yes, Yet Again Another Adobe Vulnerability. Sigh. Keep an eye out for this one folks. It will take a bit for the anti-virus, IDS/IPS and other vendors to catch up and detect the malware that exploits the vulnerability. Although by that point the box affected may well be compromised, as most detect after the exploit has already taken place. Since the vendor has released the advisory after being notified that exploits are already occurring against Windows boxes, it is recommended to explore workarounds for mitigation, detection of already compromised hosts, and cleanup.
Adobe PSIRT blog: http://blogs.adobe.com/psirt/2010/09/security-advisory-for-adobe-flash-player-apsa10-03.html
Adobe advisory: http://www.adobe.com/support/security/advisories/apsa10-03.html
Cheers, Adrien de Beaupré EWA-Canada.com
RISK = Threats x Assets x Vulnerabilities
Antiquated Thinking!
Breach discovery methods – 2011 VzB DBIR
“Past reports began to show an encouraging steady decline in breach discovery by third parties and we were hopeful that this would continue. Unfortunately, this year we see a significant increase (25%) in third party breach discovery.” VzB DBIR 2011
The Malware Problem
» 63% of breaches involved customized malware (no signature was available at time of exploit) (VzB/USSS, 2011)
» 87% of records stolen were from Highly Sophisticated Attacks (VzB/USSS, 2010)
» 91% of organizations believe exploits bypassing their IDS and AV systems to be advanced threats (Ponemon, 2010)
"With security researchers now uncovering close to 100,000 new malware samples a day, the time and resources needed to conduct deep, human analysis on every piece of malware has become overwhelming." (GTISC Emerging Cyber Threats Report 2011)
Verizon 2011 DBIR – Malware: 49% of Breaches, 79% of Records
“This year nearly two-thirds of malware investigated in the Verizon caseload was customized—the highest we have ever seen. The extent of customization found in a piece of malware can range from a simple repack of existing malware to avoid AV detection to code written from the ground up for a specific attack.” VzB DBIR 2011
Current Technologies Are Failing – Firewalls
Intent – Prevent or limit unauthorized connections into and out of your network
Reality – Adversaries are designing malware to use “allowed paths” (DNS, HTTP, SMTP, etc.) to provide reliable and hard-to-detect C&C and data exfiltration channels from inside your internal network. Even worse, they are using encrypted tunnels to provide “reverse-connect” for full remote control capabilities.
The Gaps in Status Quo Security – IDS/IPS
Intent – Alert on or prevent known malicious network traffic
Reality – Attackers are using obfuscation methods to prevent IDS signatures from recognizing malicious traffic, and client-side attacks that don’t perform “network-based” exploitation. Even worse: Intrusion Prevention Systems are largely left unimplemented or crippled due to fears of business impact.
The Gaps in Status Quo Security – Anti-Malware
Intent – Prevent malicious code from running on an endpoint, or from traversing your network
Reality – Most current anti-malware technologies are signature-based, requiring constant signature updates to remain effective. Due to the current level of malware production, these signatures lag behind by days to weeks. Even worse, adversaries create custom malware for high value targets. If they don’t use widespread distribution, you are even less likely to have timely signatures.
[Screenshot: From a top AV Vendor Forum]
2010 Ponemon Institute Advanced Threats Survey
» We know what we need to do, but we are not doing it…
2010 Ponemon Institute Advanced Threats Survey
» Do the math yourself…
ATTACKER FREE TIME
[Figure: attacker timeline versus defender timeline (horizontal axis: Time). Attacker-side labels on the slide: Target Analysis, Attack Set-up, Attack Begins, Access Probe, System Intrusion, Leap Frog Attacks Complete, Attacker Surveillance, Discovery / Persistence, Maintain foothold, Cover-up Starts, Cover-up Complete. Defender-side labels: Attack Forecast, Physical Security, Monitoring & Controls, Defender discovery, Attack Identified, Incident Reporting, Threat Analysis, Impact Analysis, Response, System Reaction, Damage Identification, Containment & eradication, Recovery. The gap between the attacker’s first action and the defender’s discovery is the attacker free time.]
Need to collapse attacker free time
Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)
New Security Concept: “OFFENSE IN DEPTH”
We Need to Change the Way We Think
There ARE specific targets…
The Questions Are More Complex
» Why are packed or obfuscated executables being used on our systems?
» What critical threats are my Anti-Virus and IDS missing?
» I am worried about targeted malware and APTs -- how can I fingerprint and analyze these activities in my environment?
» We need to better understand and manage the risks associated with insider threats – how do I get visibility into end-user activity and get alerted on certain types of behavior?
» On our high value assets, how can we have certainty that our security controls are functioning exactly as implemented?
» How can I detect new variants of Zeus or other 0day malware on my network?
» We need to examine critical incidents as if we had an HD video camera recording it all…
Cyber Defense in 2011 and Beyond – What is Required?
» Advanced threat detection and response requires a different approach:
  – 24 x 7 SITUATIONAL AWARENESS
  – Applying the science of NETWORK FORENSICS to the art of incident response
  – Application-layer threat context and intelligence
» Enable security teams to view network traffic as conversations instead of individual packets or groups of IP addresses
» AGILITY to extend architecture to address emerging threat trends and integrate the intelligence of open and classified threat sources
Typical Scenario These Days…
» Visit from the FBI saying, “You have a problem – information is being taken”
  – Perhaps IP addresses of compromised machines are provided
  – You might be told that certain types of files or email are being stolen
  – The CEO does not pay much attention to cyber, generally, but now it has his/her full attention
  – What do you do now?
» Knee-jerk reaction: take down these systems/networks, image the drives, rebuild the machines, life goes on, etc. WRONG!!
» How do you know what has happened or is really still happening on the network?
What’s really happening (in many cases)…
» If it’s an advanced persistent threat (APT), the adversary is quite entrenched and has been there for a while
  – It’s not simply a piece of malware you can detect and eradicate
  – Both COTS variants (ZeuS) and specific custom tools (e.g., file search tools)
» They have the ability to change techniques, control channels, SSL certs, hours of operation, etc.
  – Commands scheduled on individual Windows machines
  – Text files containing lists of target files
  – RAR’d bunches of targeted files ready to be moved off the network over any number of communication pathways
  – Spear phishing attacks using bogus mailboxes created on the mail system
» Their true approach is not always the obvious one
  – C&C servers in places like HVAC or other low-profile systems, versus file servers
  – Drop locations are not in China or Belarus, but in the U.S.
Sample Approach to Resilience
Stage 1: malware with dyndns-enabled host names, exclusively routed to non-routable IP addresses; later, FTP (or another pathway) out to a domestic system
Stage 2: XOR’d traffic over port 443 for data exfiltration and C&C, resolving to legitimate IP addresses and blending in with legitimate traffic
Stage 3: very long beacon times (>2 weeks), SSL communications, no dyndns domains but hard-coded IP addresses; desperate to maintain access to the network
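Each of the three stages above leaves a trace in network metadata that a defender can look for. The Python below is an added example, not code from the talk or from NetWitness: it runs two such checks over constructed records, namely DNS answers in which a dynamic-DNS hostname resolves to a non-routable address (the Stage 1 pattern) and connection logs in which one host contacts one destination at long, very regular intervals (the Stage 3 beacon pattern). The dynamic-DNS domain, the hostnames, the addresses (RFC 5737 documentation ranges and private space) and the thresholds are all assumptions.

```python
import ipaddress
import statistics
from collections import defaultdict

# --- Stage 1 check: dyndns names parked on non-routable addresses -----------

# Constructed DNS answer log: (client ip, queried name, answer ip).
# Names and addresses are placeholders, not indicators from the talk.
DNS_ANSWERS = [
    ("10.1.1.20", "cdn.example.test", "203.0.113.10"),
    ("10.1.1.20", "host1.dyn-example.test", "0.0.0.0"),
    ("10.1.1.21", "host2.dyn-example.test", "192.168.200.5"),
    ("10.1.1.22", "mail.example.test", "198.51.100.25"),
]

# Hypothetical list of dynamic-DNS parent domains the organisation tracks.
DYNDNS_DOMAINS = {"dyn-example.test"}


def is_non_routable(ip):
    """True for RFC 1918 space, loopback, link-local and the unspecified address."""
    a = ipaddress.ip_address(ip)
    return a.is_private or a.is_loopback or a.is_link_local or a.is_unspecified


def parked_dyndns_names(answers, dyndns_domains=DYNDNS_DOMAINS):
    """Return (client, name, ip) for dyndns hosts that currently resolve nowhere useful.
    A parked name is a C&C host that is 'off' until the operator switches it on."""
    findings = []
    for client, name, ip in answers:
        parent = name.split(".", 1)[1] if "." in name else name
        if parent in dyndns_domains and is_non_routable(ip):
            findings.append((client, name, ip))
    return findings


# --- Stage 3 check: long, regular beacons to a fixed destination ------------

DAY = 86400

# Constructed flow records: (timestamp in seconds, src ip, dst ip, dst port).
FLOWS = []
# one host contacting one hard-coded address every 15 days over 443
for k in range(4):
    FLOWS.append((k * 15 * DAY + 3600, "10.1.1.30", "203.0.113.77", 443))
# the same host browsing a normal site at irregular times
for t in (100, 2000, 9000, 9100, 40000, 60000):
    FLOWS.append((t, "10.1.1.30", "203.0.113.10", 443))


def beacon_candidates(flows, min_interval=7 * DAY, max_jitter=0.1, min_hits=3):
    """Group flows by (src, dst, port) and report pairs whose inter-connection
    gaps are long (mean >= min_interval) and regular (coefficient of variation
    <= max_jitter). Returns [((src, dst, port), mean_gap_seconds), ...]."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    findings = []
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean < min_interval:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_jitter:
            findings.append((pair, mean))
    return findings


if __name__ == "__main__":
    for client, name, ip in parked_dyndns_names(DNS_ANSWERS):
        print(f"parked dyndns name: {client} asked for {name}, got {ip}")
    for (src, dst, port), gap in beacon_candidates(FLOWS):
        print(f"beacon candidate: {src} -> {dst}:{port} every {gap / DAY:.1f} days")
```

The beacon check only works if the capture window is longer than the beacon period, which for a two-week interval means months of retained metadata; that retention requirement is the practical cost of the "full packet capture" the talk calls for.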
Today’s adversaries leverage every weakness
» Failure of AV and IDS to detect both ZeuS and other known exploits, and unknown emerging threats
» Security program weaknesses – ongoing failure of controls and visibility:
  – Open domain admin accounts
  – Passwords backed up in clear text files
  – Postings on public forums containing questions regarding the organization’s firewall rules
  – Flat security architecture (no segmentation of traffic)
  – Inadequate use of firewall ACLs and logging
» Lack of other prudent security techniques such as full packet capture, DNS blackholing, two factor authentication, etc.
Case Study: Understanding a Custom ZeuS-based APT Spear Phishing Attack
Finding bad things on the network: Are all ZeuS variants created equal?
“DPRK has carried out nuclear missile attack on Japan”
» AV effectively “neutered” by overwriting the OS hosts file
» Attempts to retrieve updates from vendor update servers: those hosts are routed to 127.0.0.1
» Back to our “ATTACKER FREE TIME” discussion: if AV didn’t pick up the malware initially, it never will now
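The hosts-file tampering described above is cheap to check for on an endpoint, and it is worth checking because a neutered AV agent reports nothing at all rather than a failure. The Python below is an added example, not code from the talk or from NetWitness: it parses hosts-file text and flags every hostname other than localhost that has been pinned to a loopback or unspecified address, and separately reports which entries from a hypothetical watch-list of vendor update hostnames have been sinkholed. The hosts content and the vendor hostnames are constructed placeholders.

```python
import ipaddress

# Constructed sample hosts-file content (not taken from the talk). The vendor
# hostnames are placeholders; the pattern mirrors the slide: update servers
# pinned to loopback so the AV can never fetch new signatures.
SAMPLE_HOSTS = """\
# standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
# tampered entries
127.0.0.1       update.example-av.test liveupdate.example-av.test
0.0.0.0         windowsupdate.example.test
10.0.0.5        intranet.corp.example.test
"""

# Hypothetical watch-list of vendor update hostnames an organisation maintains.
VENDOR_UPDATE_HOSTS = {
    "update.example-av.test",
    "liveupdate.example-av.test",
    "windowsupdate.example.test",
}

# Names that legitimately map to loopback.
LOCAL_NAMES = {"localhost", "ip6-localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and
    blank lines. Lines whose first field is not an IP address are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((fields[0], name.lower()))
    return entries


def is_sinkhole(ip):
    """True for loopback (127/8, ::1) and the unspecified address (0.0.0.0, ::)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def sinkholed_names(text):
    """Every non-local hostname the file forces to a sinkhole address, in file order."""
    return [(name, ip) for ip, name in parse_hosts(text)
            if is_sinkhole(ip) and name not in LOCAL_NAMES]


def neutered_update_hosts(text, watch_list=VENDOR_UPDATE_HOSTS):
    """Sorted subset of the watch-list that the file prevents from resolving normally."""
    return sorted(name for name, _ip in sinkholed_names(text) if name in watch_list)


if __name__ == "__main__":
    for name, ip in sinkholed_names(SAMPLE_HOSTS):
        print(f"sinkholed: {name} -> {ip}")
    print("update hosts neutered:", neutered_update_hosts(SAMPLE_HOSTS))
```

On a real endpoint the text would come from /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts; the generic check (any non-local name on loopback) catches tampering even for vendors missing from the watch-list, which is why both functions are kept.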
Infection Progression – Nothing Unusual
» After a user clicks on the link, the file “report.zip” is downloaded from dnicenter.com
» If the user opens the file, the malware is installed
» The malware is actually a ZeuS variant; the author used techniques to hamper reverse-engineering / analysis of the binary
Further Network Forensics Evidence…
» ZeuS configuration file download
» This type of problem recognition can be automated
» Malware stealing files of interest to the drop server in Minsk
» FTP drop server is still resolving to the same address
» Early on March 8, 2010, server cleaned out and account disabled
» username: mao2 password: [captured]
Files harvested from victim machines in drop server (located in Minsk, Belarus)
» FTP drop hosted in Minsk, with directory listing of 14 compromised hosts containing exfiltrated data
» Time graph of beaconing activity and metadata showing comms to C&C server – all via “allowed pathways”
Example: Good network visualization
» Find Compromises – each filter below is applied to what survived the previous one:

Filter                                    Sessions      % of Total
All sessions                              ½ Million     100%
HTTP                                      ~125,400      25%
HTTP w/ abnormal headers                  ~100,000      20%
Non-standard countries (or destinations)  670           0.1%
Interesting file types                    200           0.04%

We need to stop the failure rate and get better at using these types of techniques
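The funnel on this slide is a chain of filters over session metadata, and the value of full-session capture is that each filter can be expressed over fields the capture tool has already parsed. The Python below is an added example, not code from the talk or from NetWitness: it applies the same five stages to a constructed batch of ten session summaries and reports the count and percentage surviving each stage, so the reader can see how each filter has to be defined before it can be run. The “abnormal header” heuristic (missing Host or User-Agent, or a User-Agent that does not look like a browser), the list of expected destination countries and the list of interesting content types are assumptions an analyst would tune for their own environment.

```python
# Constructed session summaries (not the talk's data): one dict per network
# session, as a full-packet-capture tool might summarise it after parsing.
SESSIONS = [
    {"proto": "http", "headers": {"Host": "www.example.test", "User-Agent": "Mozilla/5.0"},
     "dst_country": "GB", "content_type": "text/html"},
    {"proto": "http", "headers": {"Host": "img.example.test", "User-Agent": "Mozilla/5.0"},
     "dst_country": "US", "content_type": "image/png"},
    {"proto": "dns", "headers": {}, "dst_country": "US", "content_type": None},
    {"proto": "http", "headers": {"Host": "www.example.test"},          # no User-Agent
     "dst_country": "GB", "content_type": "text/html"},
    {"proto": "http", "headers": {"Host": "203.0.113.5", "User-Agent": "agent"},
     "dst_country": "BY", "content_type": "application/x-rar-compressed"},
    {"proto": "http", "headers": {"Host": "203.0.113.5", "User-Agent": "agent"},
     "dst_country": "BY", "content_type": "text/plain"},
    {"proto": "http", "headers": {"Host": "files.example.test", "User-Agent": "Mozilla/5.0"},
     "dst_country": "BY", "content_type": "application/zip"},
    {"proto": "smtp", "headers": {}, "dst_country": "US", "content_type": None},
    {"proto": "http", "headers": {"User-Agent": "Mozilla/5.0"},          # no Host
     "dst_country": "US", "content_type": "application/zip"},
    {"proto": "http", "headers": {"Host": "203.0.113.9", "User-Agent": "agent"},
     "dst_country": "BY", "content_type": "application/octet-stream"},
]

# Hypothetical baselines an analyst would maintain for their own network.
EXPECTED_COUNTRIES = {"GB", "US"}
BROWSER_UA_PREFIXES = ("Mozilla/", "Opera/")
INTERESTING_TYPES = {"application/zip", "application/x-rar-compressed",
                     "application/octet-stream"}


def has_abnormal_headers(session):
    """A browser always sends Host and a recognisable User-Agent; anything else
    is 'abnormal' for the purpose of this funnel."""
    headers = {k.lower(): v for k, v in session["headers"].items()}
    if "host" not in headers or "user-agent" not in headers:
        return True
    return not headers["user-agent"].startswith(BROWSER_UA_PREFIXES)


# The five stages from the slide, each as a predicate over one session.
FUNNEL = [
    ("All sessions", lambda s: True),
    ("HTTP", lambda s: s["proto"] == "http"),
    ("HTTP w/ abnormal headers", has_abnormal_headers),
    ("Non-standard destinations", lambda s: s["dst_country"] not in EXPECTED_COUNTRIES),
    ("Interesting file types", lambda s: s["content_type"] in INTERESTING_TYPES),
]


def run_funnel(sessions, stages=FUNNEL):
    """Apply the stages in order. Returns ([(stage name, count, percent of total)],
    surviving sessions)."""
    total = len(sessions)
    remaining = list(sessions)
    report = []
    for name, keep in stages:
        remaining = [s for s in remaining if keep(s)]
        report.append((name, len(remaining), round(100.0 * len(remaining) / total, 2)))
    return report, remaining


if __name__ == "__main__":
    report, hits = run_funnel(SESSIONS)
    for name, count, pct in report:
        print(f"{name:28s} {count:6d}  {pct:6.2f}% of total")
    for s in hits:
        print("review:", s["headers"].get("Host"), s["dst_country"], s["content_type"])
```

The order of the stages matters for analyst effort, not for the final set: cheap metadata filters (protocol, header shape) run first so that the expensive step, a human looking at the surviving sessions, only sees the last fraction of a percent.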
Conclusions
Combating Advanced Threats Requires More and Better Information…
(The slide places these data sources on a scale from Lowest Value to Highest Value.)

DATA SOURCE                               DESCRIPTION
Firewalls, Gateways, etc.                 Overwhelming amounts of data with little context, but can be valuable when used within a SEIM and in conjunction with network forensics.
IDS Software                              For many organizations the only indicator of a problem, and only for known exploits. Can produce false positives and is limited by signature libraries.
NetFlow Monitoring                        Network performance management and network behavioral anomaly detection (NBAD) tools. Indicators of changes in traffic flows within a given period, for example DDoS. Limited by lack of context and content.
SEIM Software                             Correlates IDS and other network and security event data and improves signal-to-noise ratio. Valuable to the extent that data sources have useful information and are properly integrated, but lacks the event context that can be provided by network forensics.
Real-time Network Forensics (NetWitness)  Collects the richest network data. Provides a deeper level of advanced threat identification and situational awareness. Provides context and content to all other data sources and acts as a force multiplier.
Take-Away
» Advanced adversaries and emerging threats require revolutionary thinking
» Current security paradigms are completely broken – all organizations (including yours) will be compromised, no matter how good your security team
» The real objective should be improving visibility at the application layer – this goal requires complete knowledge of the network and powerful analytic tools and processes
» Goals:
  – Lower risk to the organization
  – Improve incident response through shortened time to problem recognition and resolution
  – Reduce impact and cost related to cyber incidents
  – Generate effective threat intelligence and cyber investigations
  – Reduce uncertainty surrounding the impact of new threat vectors
  – Conduct continuous monitoring of critical security controls
  – Achieve situational awareness – being able to answer any conceivable cyber security question – past, present or future
Copyright 2007 NetWitness Corporation
Q&A
» Email: [email protected]
» Websites: http://www.netwitness.com and http://www.rsa.com
» Twitter: @netwitness @tufferb
» Blog: http://www.networkforensics.com