TRANSCRIPT
An Analysis of Recent Cyber Attacks
WADE WILLIAMSON
Introducing Vectra Networks
Board
• Jim Messina, CEO, The Messina Group
• Hitesh Sheth, President & CEO, Vectra
• Eric Wolford, GP, Accel Ventures
• Charles Giancarlo, Advisor, Silver Lake
• Brad Gillespie, GP, IA Ventures
Leadership
• Alain Mayer, VP Product Mgmt
• Jason Kehl, VP Engineering
• Mike Banic, VP Marketing
• Rick Geehan, VP Sales, N. Amer.
• Oliver Tavakoli, CTO
• Hitesh Sheth, President & CEO
Investors and Customers (logos; not captured in the transcript)
Mission
Automatically detect any phase of an ongoing cyber attack
© 2014 Vectra Networks | www.vectranetworks.com
Cyber Attacks Follow the Same Blueprint
2000
• Breaches are relatively simple (SQL injection)
• Security: Focus on preventing exploits
2007
• TJX breach: a systemic breach with massive financial impact
• Security: More prevention, clean-up, and forensics
2013
• Breaches become a regular occurrence
• Security: Evolving to a proactive daily effort to find active breaches
The Cyber Attacker Blueprint
1. Gain privileged access to the network
• Employees and partners
• Phishing
• Social engineering
2. Extend compromise across the network
• Spread malware
• Elevate access
• Establish control
3. Steal or destroy key assets
• Find key assets
• Aggregate data
• Tunnel out of the network
The Blueprint Applied to Target
1. Gain privileged access to the network
• Compromised an HVAC vendor with login credentials to a Target portal
2. Extend compromise across the network
• Pivoted from the portal to the internal Target network, and delivered malware to PoS terminals at stores
3. Steal or destroy key assets
• Payment card data aggregated from stores, and exfiltrated out of the Target network
The Blueprint Applied to Sony*
1. Gain privileged access to the network
• Social engineering to gain access to the building, and stole admin credentials
2. Extend compromise across the network
• Used admin access to spread malware across the network
3. Steal or destroy key assets
• Stole content and private correspondence, and deployed wiper malware to destroy assets
*Investigation into the Sony attack is ongoing
The Blueprint Applied to eBay
1. Gain privileged access to the network
• Multiple employee credentials exposed
2. Extend compromise across the network
• Gained internal access to a server with user account info and encrypted passwords
3. Steal or destroy key assets
• Copied the database and stole 145 million customer records
A Closer Look at a Modern Attack
(Diagram: Initial Infection, then two tracks. Opportunistic: Standard C&C → Botnet Monetization. Targeted: Custom C&C & RAT → Internal Recon → Lateral Movement → Acquire Data → Exfiltrate Data.)
How Security Effort Aligns to Life of an Attack
(Chart: Security Investment & Effort, from High Effort to Low Effort, plotted across the Prevention Phase, Active Phase and Clean-up Phase. Attack stages along the axis: Initial Exploit, C&C and RAT, Internal Recon, Lateral Movement, Acquire Data, Botnet Monetization, Exfiltrate Data, Exfiltrated Data.)
• Perimeter security looks for exploits and malware: firewalls, IPS, malware sandboxes.
• Perimeter security looks for known C&C or malicious domains.
• SIEM analysis and incident response reconstructs the active phase after the breach.
How Security Effort Aligns to Life of an Attack – the Maginot Line Problem
(Same chart as above, annotated: security effort is concentrated at the perimeter in the prevention phase and in clean-up afterwards, while the active phase in between is where effort is lowest.)
Prevention Phase – Nearly Impossible to Be Perfect
Many privileged users
• Employees
• Partners
• Contractors
With many devices
• Servers
• Laptops
• Mobile devices
Each with many interactions
• Malicious links
• Custom payloads
• Social engineering
Attackers only need to win once, and have near-infinite chances to win.
Targeted Attackers Don't Reuse C&C Servers… typically.
• The JP Morgan breach was detected when the attackers made a critical mistake.
• Attackers momentarily reused a C&C server that had been used to attack a charity site.
Many Ways to Command and Control
• Recently observed malware using Gmail as an automated C&C.
• Used Microsoft COM to send Python commands directly through Internet Explorer.
• Drafts automatically synced to the cloud, so C&C without mail ever being sent.
The Active Attack Phase – What Perimeter Security Sees
(Same attack diagram: Initial Infection; Opportunistic: Standard C&C → Botnet Monetization; Targeted: Custom C&C → Internal Recon → Lateral Movement → Acquire Data → Exfiltrate Data.)
Proposing a Methodology for Real-Time Detection of Cyber Attacks
Requirements for Defending Against an Active Attack
1. Establish internal visibility
• Direct, deep analysis of traffic and host behaviors
2. Detect all phases of the attack
• Must detect all techniques attackers use to spy, spread and steal
3. Real-time
• Real-time visibility, correlation, and context to take action before data is lost
(Diagram: Prevention, Active, Cleanup phases.)
Network-Based Breach Detection
Continuous Monitoring
• All packets
• N-S, E-W traffic
• Any OS, app, device
Real-time Detection
• No signatures
• No rules
• No configuration
Automated and Intuitive
• Machine learning
• Behavioral analysis
• Correlated over time
Prioritized Results w/ Full Context
• Prioritized by risk
• Correlated by host
• Insight into attack
Learn to see how an attacker spreads
(Slides 20–22: diagrams, not captured in the transcript.)
Learn to see C&C and RATs without signatures
(Slides 23–26: diagrams, not captured in the transcript.)
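As an added example (not Vectra's code, and not a description of its product's internals), the following Python script shows the kind of signature-free, per-host behavioral analysis that the two "Learn to see" slides above and the Network-Based Breach Detection slide describe. It runs over a constructed window of flow records and scores two behaviors: beaconing (one internal host contacting one external destination at a fixed interval, a C&C/RAT trait) and internal fan-out (one host touching many internal hosts or ports, a recon/lateral-movement trait), then correlates both per host and ranks hosts by risk. The internal address ranges, the thresholds, the scoring weights and the sample flows are all assumptions for the example.

```python
"""Behavior-based detection over flow records, correlated per host (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal ranges; a real deployment would take these from configuration.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds since the start of the analysis window
    src: str
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def beacon_scores(flows, min_conns=6, max_cv=0.15):
    """Return {(src, dst): cv} for internal->external pairs whose connection timing
    is suspiciously regular. cv = stdev/mean of the inter-arrival gaps; a fixed-interval
    beacon has cv near zero, whereas human-driven traffic is bursty and irregular."""
    by_pair = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            by_pair[(f.src, f.dst)].append(f.ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:          # too few samples to judge periodicity
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            hits[pair] = round(cv, 3)
    return hits


def fanout_scores(flows, max_hosts=5, max_ports=5):
    """Return {src: (distinct internal hosts, distinct ports)} for hosts whose internal
    fan-out exceeds an assumed baseline (recon sweeps and lateral spread look like this)."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst) and f.src != f.dst:
            hosts[f.src].add(f.dst)
            ports[f.src].add(f.dport)
    return {s: (len(hosts[s]), len(ports[s])) for s in hosts
            if len(hosts[s]) > max_hosts or len(ports[s]) > max_ports}


def prioritize(flows):
    """Correlate both detections per internal host and rank by an additive risk score
    (weights are assumptions: beaconing 3, internal fan-out 2)."""
    risk = defaultdict(lambda: {"score": 0, "evidence": []})
    for (src, dst), cv in beacon_scores(flows).items():
        risk[src]["score"] += 3
        risk[src]["evidence"].append(f"periodic beacon to {dst} (cv={cv})")
    for src, (h, p) in fanout_scores(flows).items():
        risk[src]["score"] += 2
        risk[src]["evidence"].append(f"internal fan-out: {h} hosts, {p} ports")
    return sorted(risk.items(), key=lambda kv: kv[1]["score"], reverse=True)


def sample_flows():
    """Constructed sample window (not captured traffic): one compromised host, two benign."""
    flows = []
    # 10.0.1.20: 60 s beacon with +/-1 s jitter to an external host over 443 ...
    for i, jitter in enumerate([0, 1, 0, 1, 0, 0, 1, 0, 0, 1]):
        flows.append(Flow(i * 60 + jitter, "10.0.1.20", "203.0.113.7", 443))
    # ... followed by SMB connections to a dozen internal hosts (recon / spread)
    for n in range(1, 13):
        flows.append(Flow(600 + n, "10.0.1.20", f"10.0.1.{100 + n}", 445))
    # 10.0.1.30: irregular web traffic plus two ordinary internal connections
    for t in (3, 10, 45, 47, 120, 300, 310):
        flows.append(Flow(t, "10.0.1.30", "198.51.100.5", 443))
    flows += [Flow(50, "10.0.1.30", "10.0.2.5", 445), Flow(90, "10.0.1.30", "10.0.2.6", 3389)]
    # 10.0.1.40: an admin's RDP sessions to a single server
    flows += [Flow(t, "10.0.1.40", "10.0.2.6", 3389) for t in (15, 400)]
    return flows


if __name__ == "__main__":
    for host, info in prioritize(sample_flows()):
        print(host, info["score"], "; ".join(info["evidence"]))
```

Only 10.0.1.20 is reported, with both pieces of evidence attached, which is the point of correlating by host: either behavior alone is a weaker signal than the two together. In practice the thresholds come from a learned per-network baseline rather than fixed constants, and the "internal" definition must cover every routed range, or east-west traffic is silently excluded from the fan-out check.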
Focus on your data and key assets
(Slides 27–28: diagram showing an Engineering Community and a Finance Community; not otherwise captured in the transcript.)
Summary
Establish Full Visibility
• All traffic, all devices
• Internal and edge (N-S, E-W)
Detect All Phases of Attack
• Detect without need for signatures
• Detect in real time
Context for fast decisions
• Automatically correlate events
• See threats in relation to assets
(Diagram: Prevention Phase, Active Phase, Clean-up Phase.)