How to Improve Financial Information Security: Threat Intelligence Sharing and Blocking
TRANSCRIPT
COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 1
How to Improve Financial Information Security: Threat Intelligence Sharing and Blocking
卓芳緯 - NETSCOUT Arbor
Applying Defense in Depth
Multiple layers of security defense are placed throughout an IT system: Anti-DDoS, NGFW/IPS/Secure GW, WAF, Sandbox/Security Analytics, SIEM, UEBA, EDR.
Data breach incidents keep happening and keep getting worse
(Figure: breach victim counts shown on the slide: patients, 380K passengers, 9.4M passengers, 383M guests, 1.5M)
…and the security defenses had gaps?
All had an existing security stack in place… THAT FAILED
Saks Fifth Avenue… Lord & Taylor… Under Armour… Panera Bread… Best Buy…
Security operations staff are drowning in alert signals
• The average enterprise selects and uses multiple best-of-breed security technologies / products to secure its network.
• Security devices constantly generate alerts.
• A high number of false positives pollutes the logs.
• This ends up in alert fatigue, causing analysts to ignore a high percentage of the messages.
• When that happens, cyber attacks can slip by.
▪ Many enterprises have too many security point tools and not enough time.
Downsides = complex operations, employee burnout, low ROI and increased risk.
Deep Inspection vs. Intel Blocking
Threat Intelligence
“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
(Figure labels: CONTEXTUALIZED, ACTIONABLE)
Levels of Intelligence
• Quick and immediate response
• Indicators of compromise (IOC): IP address, URL, domain, file hash
• Granular TTPs
• SOC and CIRT

• Who, when, why, how
• Targeted vs. opportunistic: who else is attacked?
• Prioritization and design of an appropriate response
• Senior forensics and incident response analyst

• Motivation of the threat actor
• Cyber threats in the context of business objectives
• Helps with risk assessment, resource allocation and organizational strategy
• C-level executives
IOCs (Indicators of Compromise)
Typical IOCs are IP addresses, MD5 hashes of malware files, or URLs or domain names of botnet command-and-control servers.
Information Sharing and Analysis Center (ISAC): ISAC organizations developing worldwide and their focus
• Nonprofit organization that provides a central depository with information pertaining to cyber threats
• Ecosystem to automatically share cyber threat intelligence in real time to enable real-time defense
• Automation of machine-to-machine sharing of information to counter fast-moving threats (STIX/TAXII format)
• Split into verticals:
– Government (G-ISAC)
– National (N-ISAC)
– Financial Services (FS-ISAC)
– Electricity (E-ISAC)
– Water (W-ISAC)
– Oil and Gas (ONG-ISAC)
– And many more …
Taiwan N-ISAC (National Information Sharing and Analysis Center)
• Taiwan established the Executive Yuan National Information and Communication Security Taskforce (NICST) in 2001 to actively promote information and communication security infrastructure. Since 2008 the Taskforce has promoted cross-domain cybersecurity information sharing and analysis; the Government Information Sharing and Analysis Center (G-ISAC) began formal operation in November 2009, developing cybersecurity early warning and incident response through the exchange model of the G-ISAC platform.
• On 29 December 2014 the Executive Yuan Office of Homeland Security issued the “Guidelines for National Critical Infrastructure Security Protection”, which define eight critical infrastructure (CI) sectors: energy, water resources, communications and broadcasting, transportation, banking and finance, emergency services and hospitals, central and local government agencies, and high-tech parks. The subgroups of the Taskforce's Critical Information Infrastructure Security Management Group and the related key cybersecurity organizations are progressively developing critical information infrastructure protection mechanisms so that cyber threat intelligence for each CI sector and for key private-sector industries can be grasped quickly and acted on immediately.
• As domestic and foreign sources of cyber threat intelligence have become more diverse and the volume of intelligence keeps growing, the National Information Sharing and Analysis Center (N-ISAC) began formal operation in January 2018 to manage and relay cross-domain intelligence effectively and achieve horizontal joint cyber defense. Through standardized intelligence formats and automated sharing mechanisms it improves the timeliness, accuracy and completeness of intelligence sharing, establishes vertical and horizontal cross-domain exchange of cyber threat information, achieves rapid integration, real-time sharing and effective use of intelligence, and raises the nation's overall cybersecurity response and protection capability.
Taiwan F-ISAC (Financial Information Sharing and Analysis Center)
• To strengthen the cybersecurity defense capacity of the financial system, the Financial Supervisory Commission (FSC) built the Financial Information Sharing and Analysis Center (F-ISAC). On Friday 22 December 2017 it was unveiled jointly by FSC Chairman Wellington Koo (顧立雄), National Security Council Cyber Security Office Director 廖述煌, Executive Yuan Department of Cyber Security Director-General 簡宏偉 and Financial Information Service Co. (FISC, 財金公司) Chairman 趙揚清, together with the Association of Hackers in Taiwan (HITCON), TWCERT and the National Center for High-performance Computing (NCHC), jointly declaring that financial cybersecurity would stop fighting alone and that a joint financial cyber defense system would be built together.
• In his remarks FSC Chairman 顧立雄 noted that, with financial institutions facing ever more global cyber attacks, how to turn passive into active and comprehensively analyze and prevent systemic risk has become the top issue in financial cybersecurity management today. Major countries have successively set up financial cybersecurity information sharing and analysis bodies, such as FS-ISAC in the United States and CiSP in the United Kingdom. The founding of the FSC's F-ISAC marks a new milestone for Taiwan's financial cybersecurity.
• The F-ISAC is operated by FISC at the FSC's commission and serves financial institutions across sectors including banking, insurance, securities and futures, and investment trust and advisory. It provides nine service functions, including incident reporting, intelligence assessment and analysis, cybersecurity information sharing, assisted cybersecurity consulting and assessment, seminars, training and international exchange, assistance with cybersecurity incident response, cybersecurity drills for financial institutions, and assistance with evaluating and recommending cybersecurity standards. On the day the center also presented its analysis reports on SWIFT and ransomware, covering intrusion techniques and protection recommendations, showing that it already has early-warning and analysis capacity.
• The FSC further stated that building a joint financial cyber defense system requires not only FISC's professional team but also the participation of all financial institutions and experts from every cybersecurity field. The organizations attending the unveiling, including HITCON, TWCERT and NCHC, will all be close partners of the F-ISAC; FISC will also actively plan cooperation with more cybersecurity professional groups and vendors, exchange with FS-ISAC abroad, and integrate domestic and foreign resources from industry, government, academia and research to build the joint financial cyber defense system together.
Taiwan Academic Network (TANET) wall-building protection project
• This project is carried out under Ministry of Education letter Tai-Jiao-Zi (4) No. 1050144205 of 15 November 2016, the “TANET Backbone Cybersecurity Enhancement Joint Wall-Building Pilot Project”.
(Figure: NGFW product with sub-features IPS, App, AV, User and IOC Blocking, labelled “Overloaded!”)
“Because multifunction firewalls apply so many security inspection and prevention capabilities, they typically are limited from as low as 10,000 threat indicators to as high as 300,000 for larger (higher-end) appliances…”
“…A new solution is needed for this problem, and one now exists.”
NETSCOUT Arbor’s Unique Solution
The Foundation of Global Threat Visibility
Coverage: ASNs: 44,570; Unique IPv4 Addresses: 2.63B; “Dark” IPv4 Addresses: 1.76M
Statistics:
• 400 Active SP Contributors
• ATLAS “sees” 1/3 of All Internet Traffic
• Ingests 140Tbps
• 200K Malware Samples per Day
• 250K High Fidelity IOCs (IP/DNS/URL/TLS cert / JA3) in AIF
• 3.5M+ IOCs supported
NETSCOUT Differentiation – Unparalleled Data Collection
• Botnet Monitoring System: monitoring and tracking the activities of 50+ botnets
• Product Feedback Data: 350+ Sightline deployments worldwide; 200+ APS / AED deployments worldwide; attack information, malware matches, etc.
• Sinkhole: maintains 5000+ domains; over 100+ malware families check in from all over the world
• Honeypot: IoT honeypots deployed around the world capturing exploitation attempts, brute-force botnet propagation, and DDoS attacks
• Public Data Sources: high quality public data sources
• Private Intel. Partners: 20+ malware sharing partners
• Commercial Intel. Feeds: complementary commercial threat intelligence feeds
• Darknet Forum Monitoring: partnership with underground forum / darknet monitoring organizations
• Scanner: operates a full 10Gbps scanner, capable of scanning the entire IPv4 address space in minutes
NETSCOUT Differentiation – Malware Processing
Deep Behavioral Analysis
• Detonate all malware in a live environment
• Obtain additional functionality
• Capture remote configs, webinjects, secondary payloads, and commands
Recursive Introspection & Extraction
• Hard-coded data
• Configurations: additional C2s, fallback C2, URLs, redirect servers, proxy servers, webinjects
• Hard-coded properties/settings
• Bot IDs, Campaign IDs, & unique strings
More unique IoCs. Richer contextual intelligence. Internet scale processing via full automation.
NETSCOUT Differentiation – Validation
Confidence Scoring
• ASERT confidence in each source
• Overlap from multiple sources
• Overlap with Spam list sources
• Contacts with sinkhole research servers
• Domain name in TLDs with frequent misuse (.pw, .tk, .su, .cc)
• Domain name is slight modification of well-known brand (ex: ”g00gle”)
• Dynamic DNS usage
• Parked web domains
Aging
• High confidence level when a threat is first directly observed
• Add to confidence level when a threat is observed again
• Decrease confidence level when threat is not observed
• Custom aging curves based on threat type analysis
Whitelisting
• Misused legitimate services
• Avoid blocking
Highly accurate & effective intelligence
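A worked sketch of the confidence scoring, aging and whitelisting rules listed above, as an added example that is not NETSCOUT or ASERT code; the source weights, half-lives, brand list, whitelist and sample indicators are all constructed assumptions, and only the misused-TLD list comes from the slide.

```python
from dataclasses import dataclass
from datetime import date

# Constructed weights and lists for illustration; not ASERT's actual values.
SOURCE_CONFIDENCE = {"sinkhole": 0.9, "botnet_monitor": 0.85, "spam_list": 0.5, "partner_feed": 0.6}
MISUSED_TLDS = {"pw", "tk", "su", "cc"}       # TLDs the slide lists as frequently misused
BRANDS = {"google", "paypal", "microsoft"}     # constructed set of well-known brands
WHITELIST = {"drive.google.com"}               # misused legitimate service: never block
HALF_LIFE_DAYS = {"c2": 14, "malware_url": 7}  # constructed per-threat-type aging curves
TODAY = date(2018, 6, 1)                       # fixed "now" so results are reproducible

@dataclass
class Indicator:
    value: str        # IP address or domain name
    kind: str         # "ip" or "domain"
    threat_type: str  # key into HALF_LIFE_DAYS
    sightings: list   # (date, source) tuples, one per observation; at least one

def looks_like_brand(domain):
    """Slight modification of a well-known brand, e.g. g00gle -> google."""
    label = domain.split(".")[0]
    normalized = label.replace("0", "o").replace("1", "l").replace("3", "e")
    return normalized in BRANDS and label not in BRANDS

def base_confidence(ind):
    """Source trust plus the overlap and naming signals from the slide."""
    sources = {src for _, src in ind.sightings}
    score = max(SOURCE_CONFIDENCE.get(s, 0.3) for s in sources)
    score += 0.1 * (len(sources) - 1)          # overlap from multiple sources
    if ind.kind == "domain":
        if ind.value.rsplit(".", 1)[-1] in MISUSED_TLDS:
            score += 0.1
        if looks_like_brand(ind.value):
            score += 0.1
    return min(score, 1.0)

def aged_confidence(ind, today=TODAY):
    """Repeat sightings add confidence; silence decays it by a half-life."""
    if ind.value in WHITELIST:
        return 0.0
    last_seen = max(d for d, _ in ind.sightings)
    half_life = HALF_LIFE_DAYS.get(ind.threat_type, 10)
    decay = 0.5 ** ((today - last_seen).days / half_life)
    repeat_bonus = min(0.05 * (len(ind.sightings) - 1), 0.2)
    return round(min(base_confidence(ind) + repeat_bonus, 1.0) * decay, 3)

# Constructed sample indicators (TEST-NET address, fictitious domain).
TYPOSQUAT = Indicator("g00gle.tk", "domain", "malware_url",
                      [(date(2018, 5, 30), "sinkhole"), (TODAY, "botnet_monitor")])
STALE_C2 = Indicator("203.0.113.7", "ip", "c2", [(date(2018, 5, 18), "spam_list")])
SHARED_SVC = Indicator("drive.google.com", "domain", "malware_url", [(TODAY, "partner_feed")])
```

A blocking device would only load indicators whose aged score clears its threshold, so the stale single-source C2 address drops out on its own while the whitelisted shared service is never loaded.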
Uniqueness of ATLAS intelligence
Unique IoCs: IPs 84%, Domains 95%, URLs 98%
PS: ~50K highly unique IoCs from Deep Behavioral Analysis & Recursive Introspection / Extraction
Benchmarked against 35+ non-commercial & commercial offerings
Evolution of the security stack architecture
(Figure: security stack with Internet, NETSCOUT Arbor APS (DDoS), IPS, NGFW, End Point, Sandbox etc.; blocking stages labelled stateless blocking, stateful blocking and reputational blocking; a TIP and a TIG feeding Cyber Threat Intelligence)
1. IPS being consumed by NGFW.
2. IoCs (reputation blocking) in NGFW are expensive and are impacting performance.
3. Threat Intelligence Platform (TIP) managing multiple forms of CTI.
4. Emergence of Threat Intelligence Gateway (TIG) trying to take pressure off NGFW.
Next-generation security stack architecture – AED’s Stateless Perimeter: First & Last Line of Smart Defense
(Figure: Arbor Edge Defense (DDoS + TIG) placed between the Internet and the NGFW, IPS, End Point and Sandbox etc.; components shown: TIP, Cyber Threat Intelligence, Cyber Threat Communication, SIEM / Security Process, API, Global Threat Intelligence & Analytics)
Integration:
• Stop inbound & outbound DDoS and other cyber threats
• Intelligence from TIP
• Alerts to SIEM
• APIs enable further integration
• Ansible for ease of deployment
Consolidation:
• Stateless DDoS protection and reputational blocking
• Embedded TIG
Edge Defense Manager
• Consolidating DDoS & TIG Functions
• Integrating with Existing Security Stack
• Augmenting NGFW Threat Prevention
Value of Edge Defense Manager
• Consolidation & Analysis of DDoS Alerts
• Consolidation & Analysis of Blocked IoC Alerts
• Contextual Threat Intelligence
An Example of AED, EDM and ATLAS Integration
1. Filter on Outbound
2. Sort on Highest Severity
3. Drill in on a specific threat
4. What can ATLAS Threat Intelligence tell me about this IoC?
▪ The additional context provided by EDM & ATLAS is unique and valuable to Security Analysts.
▪ This information can be used by others on the security team and/or other security tools.
▪ This is how our solution integrates into the existing security stack and process.
ATLAS Intelligence Platform
(Figure: DDoS Early Warning System fed by a Honeypot System and a Botnet Monitoring System tracking 50+ botnets and capturing C2 activities; bots checking in to botnet C2 servers; Customer Registration and Customer Notification)
Deploying layered defense: Adopting Gartner Endorsed Multi-Layer DDoS Architecture
(Figure 1: The Internet → ISP → Arbor Cloud Scrubbing Center (1st Layer: Cloud Protection, against volumetric DDoS attacks from a botnet) → Arbor APS (2nd Layer: On Premise, against state-exhaustion and application-layer attacks))
(Figure 2: The Internet → Arbor Cloud Scrubbing Center → NETSCOUT Arbor AED (1st Layer: Stateless Blocking, reputational IOC blocking of botnet traffic) → NGFW/IPS/Secure Gateways/Malware Analysis Boxes (2nd Layer: Stateful Inspection, deep inspection and behavioral analysis))
Benefits of AED intelligence sharing and blocking
• First and Last Line of Smart Defense
• Protect availability of network, services and other security devices from DDoS
• Stop malware and other cyber threats that lead to data breaches
• Helps to offload pressure on downstream security devices
• Integrate with existing security stack/processes (STIX/TAXII, RESTful API)
A real case from a customer in Taiwan
(Figure: Internet – AED – NGFW – IPS)

Threat | Source | Destination | Categories
Dark Comet | Taiwan | Portugal | Malware
Shylock | Taiwan | U.S. | Command and Control
APT Hunting | Taiwan | Netherlands, Ukraine | Malware
Pony Loader | Taiwan | U.S. | Campaigns and Targeted Attacks
Node | Taiwan | France | Location Base Threat
Gh0stRAT Family | Taiwan | China | Malware
Hajime | Taiwan | China | Location Base Threat
Black Hole | Taiwan | U.S. | Location Base Threat
Ramnit | Taiwan | U.S. | Malware

Threat | Source | Destination | Categories
Exit node | Germany, France, Ukraine | Taiwan | Location Base Threat
Dark Comet | U.S. | Taiwan | Malware
Shylock | U.S. | Taiwan | Command and Control
Citadel | U.S. | Taiwan | DDoS Reputation
APT Hunting | U.S. | Taiwan | Malware
Pony Loader | Portugal | Taiwan | Campaigns and Targeted Attacks
Did someone break in?
Did it break?
Thank you