An Analysis of Recent Cyber Attacks WADE WILLIAMSON

Posted 15-Jan-2016

TRANSCRIPT

Page 1

An Analysis of Recent Cyber Attacks

WADE WILLIAMSON

Page 2

Introducing Vectra Networks

Mission: Automatically detect any phase of an ongoing cyber attack

Board
• Jim Messina, CEO, The Messina Group
• Hitesh Sheth, President & CEO, Vectra
• Eric Wolford, GP, Accel Ventures
• Charles Giancarlo, Advisor, Silver Lake
• Brad Gillespie, GP, IA Ventures

Leadership
• Hitesh Sheth, President & CEO
• Oliver Tavakoli, CTO
• Alain Mayer, VP Product Mgmt
• Jason Kehl, VP Engineering
• Mike Banic, VP Marketing
• Rick Geehan, VP Sales, N. Amer.

Investors

Customers

© 2014 Vectra Networks | www.vectranetworks.com

Page 3

Cyber Attacks Follow the Same Blueprint

2000
• Breaches are relatively simple (SQL Injection)
• Security: Focus on preventing exploits

2007
• TJX breach: a systemic breach with massive financial impact
• Security: More prevention, clean-up, and forensics

2013
• Breaches become a regular occurrence
• Security: Evolving to a proactive daily effort to find active breaches

Page 4

The Cyber Attacker Blueprint

1. Gain privileged access to the network
• Employees and partners
• Phishing
• Social engineering

2. Extend compromise across the network
• Spread malware
• Elevate access
• Establish control

3. Steal or destroy key assets
• Find key assets
• Aggregate data
• Tunnel out of the network

Page 5

The Blueprint Applied to Target

1. Gain privileged access to the network: Compromised an HVAC vendor with login credentials to a Target portal

2. Extend compromise across the network: Pivoted from the portal to the internal Target network, and delivered malware to PoS terminals at stores

3. Steal or destroy key assets: Payment card data aggregated from stores, and exfiltrated out of the Target network

Page 6

The Blueprint Applied to Sony*

1. Gain privileged access to the network: Social engineering to gain access to the building, and stole admin credentials

2. Extend compromise across the network: Used admin access to spread malware across the network

3. Steal or destroy key assets: Stole content and private correspondence, and deployed wiper malware to destroy assets

*Investigation into the Sony attack is ongoing

Page 7

The Blueprint Applied to eBay

1. Gain privileged access to the network: Multiple employee credentials exposed

2. Extend compromise across the network: Gained internal access to a server with user account info and encrypted passwords

3. Steal or destroy key assets: Copied the database and stole 145 million customer records

Page 8

A Closer Look at a Modern Attack

Diagram of attack progression:
• Initial Infection, Opportunistic path: Standard C&C → Botnet Monetization
• Initial Infection, Targeted path: Custom C&C & RAT → Internal Recon → Lateral Movement → Acquire Data → Exfiltrate Data

Page 9

How Security Effort Aligns to Life of an Attack

Chart: Security Investment & Effort (High Effort to Low Effort) across the Prevention Phase, Active Phase, and Clean-up Phase.
Attack steps along the timeline: Initial Exploit → C&C and RAT → Internal Recon → Lateral Movement → Acquire Data / Botnet Monetization → Exfiltrate Data → Exfiltrated Data

Perimeter security looks for exploits and malware:
• Firewalls
• IPS
• Malware Sandboxes

Perimeter security looks for known C&C or malicious domains.

SIEM analysis and incident response reconstructs the active phase after the breach.

Page 10

How Security Effort Aligns to Life of an Attack

Maginot Line Problem

Page 11

Maginot Line

Page 12

Prevention Phase – Nearly Impossible to Be Perfect

Many privileged users
• Employees
• Partners
• Contractors

With many devices
• Servers
• Laptops
• Mobile devices

Each with many interactions
• Malicious links
• Custom payloads
• Social engineering

Attackers only need to win once, and have near-infinite chances to win

Page 13

Targeted Attackers Don't Reuse C&C Servers… typically.

The JP Morgan breach was detected when the attackers made a critical mistake: they momentarily reused a C&C server that had been used to attack a charity site.

Page 14

Many Ways to Command and Control

• Recently observed malware using Gmail as an automated C&C
• Used Microsoft COM to send Python commands directly through Internet Explorer
• Drafts automatically synced to the cloud, so C&C without mail ever being sent

Page 15

The Active Attack Phase – What Perimeter Security Sees

Diagram (same progression as page 8):
• Initial Infection, Opportunistic path: Standard C&C → Botnet Monetization
• Initial Infection, Targeted path: Custom C&C → Internal Recon → Lateral Movement → Acquire Data → Exfiltrate Data

Page 16

Proposing a Methodology for Real-Time Detection of Cyber Attacks

Page 17

Requirements for Defending Against an Active Attack

1. Establish internal visibility
• Direct, deep analysis of traffic and host behaviors

2. Detect all phases of the attack
• Must detect all techniques attackers use to spy, spread and steal

3. Real-time
• Real-time visibility, correlation, and context to take action before data is lost

Phases: Prevention → Active → Cleanup

Page 18

Network-Based Breach Detection

Continuous Monitoring | Real-time Detection | Automated and Intuitive | Prioritized Results w/ Full Context

• All packets • N-S, E-W traffic • Any OS, app, device
• No signatures • No rules • No configuration
• Machine learning • Behavioral analysis • Correlated over time
• Prioritized by risk • Correlated by host • Insight into attack

Page 19

Learn to see how an attacker spreads

Page 22

Learn to see C&C and RATs without signatures

Page 26

Focus on your data and key assets

Page 28

Engineering Community

Finance Community

Page 29

Summary

Establish Full Visibility
• All traffic, all devices
• Internal and edge (N-S, E-W)

Detect All Phases of Attack
• Detect without need for signatures
• Detect in real time

Context for fast decisions
• Automatically correlate events
• See threats in relation to assets

Prevention Phase → Active Phase → Clean-up Phase
