How to Improve Financial Information Security: Threat Intelligence Sharing and Blocking


Page 1:

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY

How to Improve Financial Information Security: Threat Intelligence Sharing and Blocking

卓芳緯 - NETSCOUT Arbor

[email protected]

Page 2:

Applying Defense in Depth

Multiple layers of security defense are placed throughout an IT system: Anti-DDoS, NGFW/IPS/Secure GW, WAF, Sandbox/Security Analytics, SIEM, UEBA, EDR.

Page 3:

Data breach incidents keep occurring and are getting worse

Breach figures shown on the slide (the affected organizations appear only as logos): 1.5M patients, 380K passengers, 9.4M passengers, 383M guests.

Page 4:

…and were there holes in the security defenses?

All had an existing security stack in place… THAT FAILED

Saks Fifth Avenue… Lord & Taylor… Under Armour… Panera Bread… Best Buy…

Page 5:

Security operations staff are drowning in alerts

• The average enterprise selects and uses multiple best-of-breed security technologies and products to secure its network.

• Security devices constantly generate alerts.

• A high number of false positives pollutes the logs.

• This ends up in alert fatigue, causing analysts to ignore a high percentage of the messages.

• When that happens, cyber attacks can slip by.

▪ Many enterprises have too many security point tools and not enough time. Downsides = complex operations, employee burnout, low ROI and increased risk.

Page 6:

Page 7:

Page 8:

Page 9:

Page 10:

Deep Inspection vs. Intel Blocking

Page 11:

Threat Intelligence

“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”

CONTEXTUALIZED · ACTIONABLE

Page 12:

Levels of Intelligence

For SOC and CIRT:

• Quick and immediate response

• Indicators of compromise (IOC): IP address, URL, domain, file hash

• Granular TTPs

For senior forensics and incident response analysts:

• Who, when, why, how

• Targeted vs opportunistic: who else is attacked?

• Prioritization and design of the appropriate response

For C-level executives:

• Motivation of the threat actor

• Cyber threats in the context of business objectives

• Helps with risk assessment, resource allocation and organizational strategy

Page 13:

IOCs (Indicators of Compromise, 入侵指標)

Typical IOCs are IP addresses, MD5 hashes of malware files, or URLs or domain names of botnet command and control servers.

Page 14:

ISAC organizations developing worldwide and their focus: Information Sharing and Analysis Center

• Nonprofit organization that provides a central repository of information pertaining to cyber threats

• Ecosystem to automatically share cyber threat intelligence in real time to enable real-time defense

• Automation of machine-to-machine sharing of information to counter fast-moving threats (STIX/TAXII format)

• Split into verticals:

– Government (G-ISAC)

– National (N-ISAC)

– Financial Services (FS-ISAC)

– Electricity (E-ISAC)

– Water (W-ISAC)

– Oil and Gas (ONG-ISAC)

– And many more …

Page 15:

Taiwan N-ISAC: National Information Sharing and Analysis Center (國家資安資訊分享與分析中心, N-ISAC)

• Taiwan established the Executive Yuan's National Information and Communication Security Taskforce (行政院國家資通安全會報, the "Taskforce") in 2001 to actively promote the building of information and communication security infrastructure. Since 2008 the Taskforce has promoted cross-domain security information sharing and analysis; the Government Information Sharing and Analysis Center (G-ISAC) formally began operation in November 2009, developing security early warning and response through the exchange model of the G-ISAC platform.

• On 29 December 2014 the Executive Yuan's Office of Homeland Security issued the "National Critical Infrastructure Security Protection Guidelines", defining eight Critical Infrastructure (CI) sectors: energy, water resources, communications and broadcasting, transportation, banking and finance, emergency services and hospitals, central and local government agencies, and high-tech parks. The sub-groups of the Taskforce's Critical Information Infrastructure Security Management Group and the related key security organizations have each progressively developed critical information infrastructure protection mechanisms, so as to quickly obtain security threat intelligence for every CI sector and key private industries and respond immediately.

• Because domestic and foreign sources of security intelligence are becoming more diverse and the volume of intelligence keeps growing, the National Information Sharing and Analysis Center (N-ISAC) formally began operation in January 2018 in order to manage and relay cross-domain security intelligence effectively and achieve horizontal joint security defense. Through standardized intelligence formats and an automated sharing mechanism it improves the timeliness, accuracy and completeness of intelligence sharing, establishes vertical and horizontal cross-domain exchange of security threats and messages, achieves rapid integration, real-time sharing and effective use of intelligence, and raises the nation's overall information security response and protection capability.

Page 16:

Taiwan F-ISAC: Financial Information Sharing and Analysis Center (金融資安資訊分享與分析中心, F-ISAC)

• To strengthen the security protection capacity of the financial system, the Financial Supervisory Commission (FSC) built the Financial Information Sharing and Analysis Center (F-ISAC). On Friday, 22 December 2017, FSC Chairman 顧立雄, Director of the National Security Council's Cyber Security Office 廖述煌, Director-General of the Executive Yuan's Department of Cyber Security 簡宏偉 and Financial Information Service Co. (財金公司) Chairperson 趙揚清 jointly unveiled the center, and together with the Association of Hackers in Taiwan (台灣駭客協會), TWCERT and the National Center for High-performance Computing (國網中心) declared that financial security would move away from each institution fighting alone and work together to build a joint financial security defense system.

• In his speech FSC Chairman 顧立雄 pointed out that, as financial institutions face ever more global cyber attacks, turning passive into active and comprehensively analyzing and preventing systemic risk has become the top issue in financial security management today. Major countries have successively set up financial security information sharing and analysis bodies, such as FS-ISAC in the United States and CiSP in the United Kingdom. The founding of the FSC's F-ISAC marks a new milestone for Taiwan's financial security.

• The F-ISAC is currently operated by Financial Information Service Co. (財金資訊公司) on commission from the FSC. It serves financial institutions across the banking, insurance, securities and futures, and investment trust and advisory sectors, and offers nine service functions: incident reporting, intelligence assessment and analysis, security information sharing, assisted security consultation and assessment, seminars, training and international exchange, assistance with security incident response, security drills for financial institutions, assistance with security standard assessment and recommendations, and more. On the same day the center also presented its analysis reports on SWIFT, ransomware and similar topics, covering intrusion techniques and protection recommendations, showing that it already has security early-warning and analysis capacity.

• The FSC further stated that building a joint financial security defense system requires not only the professional team at Financial Information Service Co. but also the participation of all financial institutions and experts from every security field. The organizations that attended the unveiling, including the Association of Hackers in Taiwan, TWCERT and the National Center for High-performance Computing, will all be close partners of F-ISAC; Financial Information Service Co. will also actively plan cooperation with more security professional bodies and vendors, exchange with the overseas FS-ISAC, and integrate domestic and foreign resources from industry, government, academia and research to jointly build the joint financial security defense system.

Page 17:

Taiwan Academic Network (TANET) Wall-Building Protection Plan

• This plan is carried out under Ministry of Education letter Tai-Jiao-Zi (4) No. 1050144205 of 15 November 2016, the "Pilot Plan for Improving Security Protection of the Taiwan Academic Network Backbone through Coordinated Wall Building" (臺灣學術網路骨幹提升資安防護合縱築牆先導計劃).

Diagram: one multifunction firewall product carrying the sub-features IPS, App, AV, User and IOC Blocking: Overloaded!

“Because multifunction firewalls apply so many security inspection and prevention capabilities, they typically are limited from as low as 10,000 threat indicators to as high as 300,000 for larger (higher-end) appliances…”

“…A new solution is needed for this problem, and one now exists.”

Page 18:

NETSCOUT Arbor’s Unique Solution

Page 19:

The Foundation of Global Threat Visibility

ASNs: 44,570 · Unique IPv4 Addresses: 2.63B · “Dark” IPv4 Addresses: 1.76M

Statistics:

• 400 Active SP Contributors

• ATLAS “sees” 1/3 of All Internet Traffic

• Ingests 140Tbps

• 200K Malware Samples per Day

• 250K High Fidelity IOCs (IP/DNS/URL/TLS cert/JA3) in AIF

• 3.5M+ IOCs supported

Page 20:

NETSCOUT Differentiation

Unparalleled Data Collection

Botnet Monitoring System: monitoring and tracking the activities of 50+ botnets

Product Feedback Data: 350+ Sightline deployments worldwide; 200+ APS/AED deployments worldwide; attack information, malware matches, etc.

Sinkhole: maintains 5000+ domains; over 100+ malware families check in from all over the world

Honeypot: IoT honeypots deployed around the world capturing exploitation attempts, brute-force botnet propagation, and DDoS attacks

Public Data Sources: high quality public data sources

Private Intel. Partners: 20+ malware sharing partners

Commercial Intel. Feeds: complementary commercial threat intelligence feeds

Darknet Forum Monitoring: partnership with underground forum/darknet monitoring organizations

Scanner: operates a full 10Gbps scanner, capable of scanning the entire IPv4 address space in minutes

Page 21:

NETSCOUT Differentiation – Malware Processing

Deep Behavioral Analysis

• Detonate all malware in a live environment

• Obtain additional functionality

• Capture remote configs, webinjects, secondary payloads, and commands

Recursive Introspection & Extraction

• Hard-coded data

• Configurations: additional C2s, fallback C2, URLs, redirect servers, proxy servers, webinjects

• Hard-coded properties/settings

• Bot IDs, campaign IDs, & unique strings

More unique IoCs. Richer contextual intelligence. Internet scale processing via full automation.

Page 22:

NETSCOUT Differentiation – Validation

Confidence Scoring

• ASERT confidence in each source

• Overlap from multiple sources

• Overlap with Spam list sources

• Contacts with sinkhole research servers

• Domain name in TLDs with frequent misuse (.pw, .tk, .su, .cc)

• Domain name is a slight modification of a well-known brand (ex: “g00gle”)

• Dynamic DNS usage

• Parked web domains

Aging

• High confidence level when a threat is first directly observed

• Add to confidence level when a threat is observed again

• Decrease confidence level when threat is not observed

• Custom aging curves based on threat type analysis

Whitelisting

• Misused legitimate services

• Avoid blocking

Highly accurate & effective intelligence
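To make the validation steps above concrete (confidence per source, overlap between sources, sinkhole contacts, misused TLDs, brand lookalikes, aging curves per threat type and whitelisting), here is an added Python example. It is not ATLAS or ASERT code: the source weights, bonuses, half-lives, brand list and whitelist are assumptions chosen for illustration, and the indicators and timestamps are constructed.

```python
"""Confidence scoring, aging and whitelisting for threat indicators (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed trust per source (0..1); the source names are also assumptions.
SOURCE_TRUST = {"sandbox": 0.9, "sinkhole": 0.8, "partner_feed": 0.6, "public_list": 0.4}
SPAM_LIST_SOURCES = {"spam_list"}          # which sources are spam lists (assumed)
MISUSED_TLDS = {"pw", "tk", "su", "cc"}     # TLDs named on the slide
WELL_KNOWN_BRANDS = {"google", "paypal"}   # assumed brand list for lookalike checks
HALF_LIFE_DAYS = {"c2": 7.0, "phishing": 2.0, "scanner": 1.0}  # assumed aging curves
WHITELIST = {"8.8.8.8", "cdn.example.com"}  # misused legitimate services (assumed)


@dataclass
class Indicator:
    value: str
    kind: str            # "ipv4" or "domain"
    threat_type: str     # selects the aging curve
    sightings: list      # (source, datetime) observations; at least one


def looks_like_brand(domain):
    """True for lookalikes such as g00gle: digit-for-letter swaps yield a brand name."""
    label = domain.split(".")[0].lower()
    normalized = label.replace("0", "o").replace("1", "l").replace("3", "e")
    return normalized in WELL_KNOWN_BRANDS and label not in WELL_KNOWN_BRANDS


def static_score(ind):
    """Confidence from source trust, overlap and domain heuristics, clamped to 1.0."""
    sources = {src for src, _ in ind.sightings}
    score = max(SOURCE_TRUST.get(src, 0.2) for src in sources)
    score += 0.1 * (len(sources) - 1)                 # overlap from multiple sources
    if sources & SPAM_LIST_SOURCES:
        score += 0.05                                 # overlap with spam list sources
    if "sinkhole" in sources:
        score += 0.1                                  # contacts with sinkhole servers
    if ind.kind == "domain":
        if ind.value.rsplit(".", 1)[-1].lower() in MISUSED_TLDS:
            score += 0.1                              # TLD with frequent misuse
        if looks_like_brand(ind.value):
            score += 0.15                             # brand lookalike
    return min(score, 1.0)


def aged_score(ind, now):
    """Aging: repeat sightings add confidence; idle time decays it per threat type."""
    repeat_bonus = min(0.05 * (len(ind.sightings) - 1), 0.2)
    base = min(static_score(ind) + repeat_bonus, 1.0)
    last_seen = max(ts for _, ts in ind.sightings)
    idle_days = max((now - last_seen).total_seconds() / 86400.0, 0.0)
    half_life = HALF_LIFE_DAYS.get(ind.threat_type, 3.0)
    return round(base * 0.5 ** (idle_days / half_life), 3)


def decide(ind, now, threshold=0.6):
    """block / monitor / allow; whitelisted values are never blocked."""
    if ind.value.lower() in WHITELIST:
        return "allow"
    return "block" if aged_score(ind, now) >= threshold else "monitor"


NOW = datetime(2018, 6, 1, 12, 0, 0)   # constructed reference time
SAMPLE = [  # constructed indicators
    Indicator("c2.bad-example.tk", "domain", "c2",
              [("sandbox", NOW - timedelta(days=1)), ("sinkhole", NOW - timedelta(hours=12))]),
    Indicator("198.51.100.9", "ipv4", "scanner", [("public_list", NOW - timedelta(days=10))]),
    Indicator("8.8.8.8", "ipv4", "c2", [("sandbox", NOW)]),
    Indicator("g00gle.cc", "domain", "phishing", [("partner_feed", NOW - timedelta(hours=1))]),
]


def report(indicators=SAMPLE, now=NOW):
    """Map each indicator value to (aged confidence, decision)."""
    return {ind.value: (aged_score(ind, now), decide(ind, now)) for ind in indicators}


if __name__ == "__main__":
    for value, (score, action) in report().items():
        print(f"{value:22} {score:.3f} {action}")
```

The scanner indicator shows why per-type aging matters: a single public-list sighting ten days old has decayed to nothing, whereas the C2 domain seen by two sources twelve hours ago stays close to full confidence. The whitelist is checked before the score so that a legitimate service that malware happens to contact is never blocked, whatever its score.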

Page 23:

Uniqueness of ATLAS Intelligence

Uniqueness by indicator type: IPs 84%, Domains 95%, URLs 98%

PS: ~50K highly unique IoCs from Deep Behavioral Analysis & Recursive Introspection/Extraction

Benchmarked against 35+ non-commercial & commercial offerings

Page 24:

Evolution of the Security Stack

Diagram (Internet → NETSCOUT Arbor APS → NGFW → End Point, Sandbox, etc. …): stateless blocking of DDoS at the APS; stateful blocking (IPS) and reputational blocking in the NGFW; Cyber Threat Intelligence delivered to the NGFW from a TIP and a TIG.

1. IPS being consumed by NGFW.

2. IoCs (reputation blocking) in NGFW is expensive, is impacting performance.

3. Threat Intelligence Platform (TIP) managing multiple forms of CTI.

4. Emergence of Threat Intelligence Gateway (TIG) trying to take pressure off NGFW.

Page 25:

Next-Generation Security Stack – AED’s Stateless Perimeter: First & Last Line of Smart Defense

Diagram (Internet → Arbor Edge Defense (DDoS + TIG) → NGFW/IPS → End Point, Sandbox, etc. …): Cyber Threat Intelligence flows from the TIP and from Global Threat Intelligence & Analytics into Arbor Edge Defense; cyber threat communication goes via API to the SIEM/security process.

Integration:

• Stop inbound & outbound DDoS and other cyber threats

• Intelligence from TIP

• Alerts to SIEM

• APIs enable further integration

• Ansible for ease of deployment

Consolidation:

• Stateless DDoS protection and reputational blocking

• Embedded TIG
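The indicator types on page 13 (IP, MD5, URL, domain), the STIX/TAXII machine-to-machine format on page 14, and the stateless reputational blocking that pages 24 and 25 place in front of the NGFW can be shown together. The following Python is an added example, not NETSCOUT, AED or any product's implementation: it loads single-comparison STIX 2 indicator patterns from a constructed bundle into flat lookup sets and gives each flow summary a stateless verdict together with its direction. The bundle, the flows, the internal range 10.0.0.0/8 and the names IocBlocklist, load_stix, match_flow and evaluate are all assumptions for illustration.

```python
"""Stateless IoC blocking fed by STIX 2 indicators (added example)."""
import re
from ipaddress import ip_address, ip_network

# Single-comparison STIX 2.x pattern: [object-type:property = 'value'].
# Compound patterns (AND/OR, several observation expressions) are out of scope
# here; such indicators are skipped and counted as unsupported.
_SIMPLE_PATTERN = re.compile(r"^\[\s*([\w-]+):([\w.'\-]+)\s*=\s*'([^']*)'\s*\]$")

# Constructed, minimal STIX 2 bundle (sample data, not a real feed; required
# STIX fields such as id and created are omitted for brevity).
SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "indicator", "name": "constructed C2 server",
         "pattern": "[ipv4-addr:value = '203.0.113.5']"},
        {"type": "indicator", "name": "constructed scanner range",
         "pattern": "[ipv4-addr:value = '198.51.100.0/24']"},
        {"type": "indicator", "name": "constructed C2 domain",
         "pattern": "[domain-name:value = 'c2.example.net']"},
        {"type": "indicator", "name": "constructed C2 gate URL",
         "pattern": "[url:value = 'http://c2.example.net/gate.php']"},
        {"type": "indicator", "name": "constructed dropper",
         "pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']"},
        {"type": "indicator", "name": "compound pattern, skipped",
         "pattern": "[ipv4-addr:value = '192.0.2.1'] AND [url:value = 'http://x/']"},
        {"type": "malware", "name": "not an indicator"},
    ],
}


class IocBlocklist:
    """Flat lookup tables: a flow is judged in O(1) whether the list holds
    ten thousand or millions of indicators, which is the point of doing
    reputational blocking outside the multifunction firewall."""

    def __init__(self):
        self.ips, self.domains, self.urls, self.md5 = set(), set(), set(), set()
        self.nets = []          # CIDR indicators; linear scan, normally few
        self.context = {}       # indicator value -> name, for alert context
        self.unsupported = 0

    def load_stix(self, bundle):
        """Load indicator objects from a STIX 2 bundle; returns the number loaded."""
        loaded = 0
        for obj in bundle.get("objects", []):
            if obj.get("type") != "indicator":
                continue
            m = _SIMPLE_PATTERN.match(obj.get("pattern", ""))
            if not m:
                self.unsupported += 1
                continue
            obj_type, prop, value = m.groups()
            key = value.lower()
            if (obj_type, prop) == ("ipv4-addr", "value"):
                if "/" in value:
                    self.nets.append(ip_network(value, strict=False))
                else:
                    self.ips.add(value)
            elif (obj_type, prop) == ("domain-name", "value"):
                self.domains.add(key)
            elif (obj_type, prop) == ("url", "value"):
                self.urls.add(value)
            elif (obj_type, prop) == ("file", "hashes.MD5"):
                self.md5.add(key)
            else:
                self.unsupported += 1
                continue
            self.context[key] = obj.get("name", "unnamed indicator")
            loaded += 1
        return loaded

    def _ip_hit(self, ip):
        return ip in self.ips or any(ip_address(ip) in n for n in self.nets)

    def match_flow(self, flow, internal_nets):
        """Stateless verdict for one flow summary: (verdict, direction, reason).

        flow: dict with src_ip, dst_ip and optional domain (SNI/DNS name),
        url, and md5 of a transferred file. No session state is consulted.
        """
        src, dst = flow["src_ip"], flow["dst_ip"]
        direction = "outbound" if any(ip_address(src) in n for n in internal_nets) else "inbound"
        remote = dst if direction == "outbound" else src   # the non-internal side
        if self._ip_hit(remote):
            return "block", direction, f"ip {remote}"
        host = (flow.get("domain") or "").lower()
        if host in self.domains:
            return "block", direction, f"domain {host}"
        if flow.get("url") in self.urls:
            return "block", direction, f"url {flow['url']}"
        digest = (flow.get("md5") or "").lower()
        if digest and digest in self.md5:
            return "block", direction, f"md5 {digest}"
        return "pass", direction, ""


INTERNAL = [ip_network("10.0.0.0/8")]   # assumed internal address space

SAMPLE_FLOWS = [  # constructed flow summaries
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.5"},                            # host -> C2 IP
    {"src_ip": "198.51.100.77", "dst_ip": "10.0.0.9"},                          # scanner -> us
    {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "domain": "C2.example.net"},  # host -> C2 name
    {"src_ip": "10.0.0.7", "dst_ip": "192.0.2.20", "domain": "www.example.org"},  # benign
]


def evaluate(flows, bundle=SAMPLE_BUNDLE, internal_nets=INTERNAL):
    bl = IocBlocklist()
    bl.load_stix(bundle)
    return [bl.match_flow(f, internal_nets) for f in flows]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(flow["src_ip"], "->", flow["dst_ip"], verdict)
```

Only the remote side of each flow is looked up, so the direction decides which address is checked; an outbound hit on a C2 indicator is the case that matters most in practice, because it means an internal host is already talking to the attacker. The skipped compound pattern is reported through the unsupported counter rather than silently dropped, so a feed that mostly uses richer patterns would be visible as a coverage gap.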

Page 26:

Edge Defense Manager

• Consolidating DDoS & TIG Functions

• Integrating with Existing Security Stack

• Augmenting NGFW Threat Prevention

Page 27:

Value of Edge Defense Manager

• Consolidation & Analysis of DDoS Alerts

• Consolidation & Analysis of Blocked IoC Alerts

• Contextual Threat Intelligence

Page 28:

An Example of AED, EDM and ATLAS Integration

1. Filter on Outbound

2. Sort on Highest Severity

3. Drill in on a specific threat

Page 29:

An Example of AED, EDM and ATLAS Integration

4. What can ATLAS Threat Intelligence tell me about this IoC?

Page 30:

An Example of AED, EDM and ATLAS Integration

▪ The additional context provided by EDM & ATLAS is unique and valuable to Security Analysts.

▪ This information can be used by others on the security team and/or other security tools.

▪ This is how our solution integrates into the existing security stack and process.
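The four steps on pages 28 to 30 (filter on outbound, sort on highest severity, drill in on a specific threat, ask what the intelligence says about the IoC), as an added Python example over constructed alerts. This is not EDM or ATLAS code: the alert fields beyond those in the case table (severity on a 1..10 scale, internal host, timestamps), the INTEL_CONTEXT table and the functions consolidate, triage and drill_in are assumptions; the consolidation step mirrors the "consolidation & analysis of blocked IoC alerts" value on page 27.

```python
"""Consolidating and triaging blocked-IoC alerts (added example)."""
from collections import OrderedDict

# Constructed alert records; threat, source, destination and category follow
# the case table on the slide. Severity, host and timestamps are assumptions.
ALERTS = [
    {"ts": "2018-05-01T10:00:00", "threat": "Shylock", "direction": "outbound",
     "src": "Taiwan", "dst": "U.S.", "category": "Command and Control",
     "ioc": "198.51.100.12", "host": "10.0.0.23", "severity": 9},
    {"ts": "2018-05-01T10:05:00", "threat": "Shylock", "direction": "outbound",
     "src": "Taiwan", "dst": "U.S.", "category": "Command and Control",
     "ioc": "198.51.100.12", "host": "10.0.0.41", "severity": 9},
    {"ts": "2018-05-01T10:07:00", "threat": "Pony Loader", "direction": "outbound",
     "src": "Taiwan", "dst": "U.S.", "category": "Campaigns and Targeted Attacks",
     "ioc": "203.0.113.40", "host": "10.0.0.23", "severity": 8},
    {"ts": "2018-05-01T10:09:00", "threat": "Hajime", "direction": "outbound",
     "src": "Taiwan", "dst": "China", "category": "Location Base Threat",
     "ioc": "203.0.113.77", "host": "10.0.0.55", "severity": 3},
    {"ts": "2018-05-01T10:11:00", "threat": "Citadel", "direction": "inbound",
     "src": "U.S.", "dst": "Taiwan", "category": "DDoS Reputation",
     "ioc": "192.0.2.200", "host": "10.0.0.8", "severity": 7},
]

# Constructed stand-in for the context a threat-intelligence lookup returns.
INTEL_CONTEXT = {
    "198.51.100.12": {"family": "Shylock", "role": "C2 server",
                      "first_reported": "2018-04-20", "confidence": 0.92},
    "203.0.113.40": {"family": "Pony Loader", "role": "credential exfiltration",
                     "first_reported": "2018-04-28", "confidence": 0.88},
}


def consolidate(alerts):
    """Collapse repeated alerts for the same threat/IoC/direction into one row
    carrying count, first/last seen, highest severity and the internal hosts."""
    rows = OrderedDict()
    for a in alerts:
        key = (a["threat"], a["ioc"], a["direction"])
        row = rows.get(key)
        if row is None:
            row = rows[key] = {k: a[k] for k in ("threat", "ioc", "direction", "src", "dst", "category")}
            row.update(count=0, severity=0, first_seen=a["ts"], last_seen=a["ts"], hosts=set())
        row["count"] += 1
        row["severity"] = max(row["severity"], a["severity"])
        row["first_seen"] = min(row["first_seen"], a["ts"])   # ISO timestamps sort as text
        row["last_seen"] = max(row["last_seen"], a["ts"])
        row["hosts"].add(a["host"])
    return list(rows.values())


def triage(alerts, direction="outbound"):
    """Step 1: filter on direction. Step 2: sort on highest severity, then volume."""
    rows = [r for r in consolidate(alerts) if r["direction"] == direction]
    rows.sort(key=lambda r: (-r["severity"], -r["count"], r["threat"]))
    return rows


def drill_in(row, context=INTEL_CONTEXT):
    """Steps 3 and 4: attach intelligence context and a handling note."""
    ctx = context.get(row["ioc"], {"note": "no additional context for this IoC"})
    if row["direction"] == "outbound" and row["category"] == "Command and Control":
        note = "internal hosts contacted a known C2: treat as probable compromise"
    elif row["direction"] == "outbound":
        note = "internal hosts reached a bad destination: verify the hosts"
    else:
        note = "blocked at the edge; confirm nothing reached downstream devices"
    return {**row, "hosts": sorted(row["hosts"]), "context": ctx, "note": note}


if __name__ == "__main__":
    for row in triage(ALERTS):
        print(row["severity"], row["count"], row["threat"], row["ioc"])
    top = drill_in(triage(ALERTS)[0])
    print(top["hosts"], top["context"], top["note"])
```

Consolidating before sorting is what keeps the list readable: two Shylock hits against the same C2 address become one row that names both internal hosts, and the outbound C2 category lands at the top because it is the row that indicates an existing infection rather than a blocked inbound probe.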

Page 31:

ATLAS Intelligence Platform

DDoS Early Warning System

Diagram: the Honeypot System and the Botnet Monitoring System (tracking 50+ botnet systems, capturing C2 activities) observe botnet C2 servers and their bots; Customer Registration → Customer Notification.

Page 32:

Deploying Layered Defense: Adopting the Gartner-Endorsed Multi-Layer DDoS Architecture

DDoS: volumetric DDoS attacks from a botnet are handled in the 1st Layer, Cloud Protection (The Internet → ISP → Arbor Cloud Scrubbing Center); state-exhaustion and application-layer attacks are handled in the 2nd Layer, On Premise (Arbor APS).

Other threats: reputational IOC blocking of botnet traffic in the 1st Layer, Stateless Blocking (The Internet → Arbor Cloud Scrubbing Center → NETSCOUT Arbor AED); the 2nd Layer, Stateful Inspection (NGFW/IPS/Secure Gateways/Malware Analysis Boxes), performs deep inspection and behavioral analysis.

Page 33:

Benefits of AED Intelligence Sharing and Blocking

• First and Last Line of Smart Defense

• Protect availability of network, services and other security devices from DDoS

• Stop malware and other cyber threats that lead to data breaches

• Helps to offload pressure on downstream security devices

• Integrate with existing security stack/processes (STIX/TAXII, RESTful API)

Page 34:

Actual case from a customer in Taiwan

Diagram: AED deployed at the Internet edge alongside the NGFW and IPS.

Outbound (source Taiwan):

Threat | Source | Destination | Categories
Dark Comet | Taiwan | Portugal | Malware
Shylock | Taiwan | U.S. | Command and Control
APT Hunting | Taiwan | Netherlands, Ukraine | Malware
Pony Loader | Taiwan | U.S. | Campaigns and Targeted Attacks
Node | Taiwan | France | Location Base Threat
Gh0stRAT Family | Taiwan | China | Malware
Hajime | Taiwan | China | Location Base Threat
Black Hole | Taiwan | U.S. | Location Base Threat
Ramnit | Taiwan | U.S. | Malware

Inbound (destination Taiwan):

Threat | Source | Destination | Categories
Exit node | Germany, France, Ukraine | Taiwan | Location Base Threat
Dark Comet | U.S. | Taiwan | Malware
Shylock | U.S. | Taiwan | Command and Control
Citadel | U.S. | Taiwan | DDoS Reputation
APT Hunting | U.S. | Taiwan | Malware
Pony Loader | Portugal | Taiwan | Campaigns and Targeted Attacks

Page 35:

Page 36:

Page 37:

Did someone break in?

Page 38:

Did it break?

Page 39:

Did someone break in?

Did it break?

Page 40:

Thank you