netwitness
DESCRIPTION
NetWitness solutions capture all the data flowing across the network and put it in context, filtering what may or may not be critical. The user can see who is going where and seeing what.
TRANSCRIPT
Copyright 2011 © All rights reserved. NetWitness Corporation | Confidential and Proprietary
APTs and the Failure of Prevention
Presented by: Wayne Goeckeritz
Director of Channels, NetWitness Corporation
Agenda
»Discussion Regarding Threat Environment
»Advanced / Persistent Threats – In Context
»Rethinking Network Monitoring – A Quick Case Study
»Take-Aways and Q&A
Malware/APT continues to grow
“State of the Internet” Report, Akamai Technologies
Security SUCKS!
Risk Management 101?
» Spear phishing attacks
» Poisoned websites and DNS – “Drive-by” attacks
» Pervasive infection (e.g., ZeuS, Aurora, Stuxnet, Night Dragon, / etc.)
» Malware and more malware resulting from all of the above…
» Undetected data exfiltration, leakage, and covert network comms
» Ongoing product vulnerabilities (e.g. Adobe, Microsoft, Oracle )
» Social Networking / Mobility / Web 2.0
» Cloud Computing / Other unknown risk profiles
Who Really 0wns Your Network?
[Diagram of the opposing I/T organization, with nodes: Drop Sites, Phishing Keyloggers, Botnet Owners, Spammers, Botnet Services, Malware Distribution Service, Data Acquisition Service, Data Mining & Enrichment, Data Sales, Cashing $$$, Malware Writers, Identity Collectors, Credit Card Users, Master Criminals, Validation Service (Card Checkers), Card Forums, ICQ, eCommerce Site, Retailers, Banks, eCurrency, Drop Service, Wire Transfer, Gambling, Payment Gateways]
Tracking the Opposing I/T Organization
Are Security Teams Failing? Definitely…
»People
Underestimate the complexity and capability of the threat actors
Do not take proactive steps to detect threats
»Process
Organizations have misplaced IT measurements and program focus
IR processes lack correct data and focus
»Technology
Current technology is failing to detect APT, APA, and other threats
Deep holes in network visibility
RISK = Threats x Assets x Vulnerabilities
Something missing here…
The Malware Problem
»54% of breaches involved customized malware (no signature was available at time of exploit) (VzB/USSS, 2010)
»87% of records stolen were from Highly Sophisticated Attacks (VzB/USSS, 2010)
»91% of organizations believe exploits bypassing their IDS and AV systems to be advanced threats (Ponemon, 2010)
"With security researchers now uncovering close to 100,000 new malware samples a day, the time and resources needed to conduct deep, human analysis on every piece of malware has become overwhelming." (GTISC Emerging Cyber Threats Report 2011)
Current Technologies Are Failing - Firewalls
Intent – Prevent or limit unauthorized connections into and out of your network
Reality – Adversaries are designing malware to use “allowed paths” (DNS, HTTP, SMTP, etc.) to provide reliable and hard to detect C&C and data exfiltration channels from inside your internal network. Even worse, they are using encrypted tunnels to provide “reverse-connect” for full remote control capabilities.
Firewalls
The Gaps in Status Quo Security – IDS/ IPS
Intent – Alert on or prevent known malicious network traffic
Reality – Attackers are using obfuscation methods to prevent IDS signatures from recognizing malicious traffic and client-side attacks that don’t perform “network-based” exploitation
Even worse: Intrusion Prevention Systems are largely left unimplemented or crippled due to fears of business impact
Intrusion Detection/ Prevention Systems
The Gaps in Status Quo Security – Anti-Malware
Intent – Prevent malicious code from running on an endpoint, or from traversing your network
Reality – Most current anti-malware technologies are signature-based, requiring constant signature updates to remain effective. Due to the current level of malware production, these signatures lag behind from days to weeks.
Even worse…adversaries create custom malware for high value targets. If they don’t use widespread distribution, you are even less likely to have timely signatures.
Anti-Malware Technologies
From a top AV Vendor Forum
2010 Ponemon Institute Advanced Threats Survey
»We know what we need to do, but we are not doing it…
2010 Ponemon Institute Advanced Threats Survey
»Do the math yourself…
ATTACKER FREE TIME
[Timeline diagram plotted against Time, with phases: Target Analysis, Attack Forecast, Attack Set-up, Attack Begins, Access Probe, System Intrusion, Attacker Surveillance, Leap Frog Attacks, Discovery / Persistence, Maintain foothold, Cover-up Starts, Cover-up Complete, Attack Complete, Physical Security, Monitoring & Controls, System Reaction, Defender discovery, Attack Identified, Threat Analysis, Incident Reporting, Impact Analysis, Response, Damage Identification, Containment & eradication, Recovery]
Need to collapse attacker free time
Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)
New Security Concept: “OFFENSE IN DEPTH”
John Smith, CISO
Thinking Differently about Network Monitoring…or, how I learned to love full packet capture…
There ARE specific targets…
What Questions Are Vexing Today?
» Why are packed or obfuscated executables being used on our systems?
» What critical threats are my Anti-Virus and IDS missing?
» I am worried about targeted malware and APTs -- how can I fingerprint and analyze these activities in my environment?
» We need to better understand and manage the risks associated with insider threats – I want visibility into end-user activity and to be alerted on certain types of behavior.
» On our high value assets, how can we have certainty that our security controls are functioning exactly as implemented?
» How can I detect new variants of Zeus or other 0day malware on my network?
» We need to examine critical incidents as if we had an HD video camera recording it all…
Typical Scenario These Days…
»Visit from the FBI saying, “You have a problem – information is being taken”
Perhaps IP addresses of compromised machines are provided
You might be told that certain types of files or emails are being stolen
The CEO does not pay much attention to cyber, generally, but now it has his/her full attention
What do you do now?
»Knee-jerk reaction: take down these systems/networks, image the drives, rebuild the machines, life goes on, etc.
WRONG!!
»How do you know what has happened or is really still happening on the network?
What’s really happening (in many cases)…
»If it’s an advanced persistent threat (APT), the adversary is quite entrenched and has been there for a while
It’s not simply a piece of malware you can detect and eradicate
Both COTS variants (ZeuS) and specific custom tools (e.g., file search tools)
»They have the ability to change techniques, control channels, SSL certs, hours of operation, etc.
Commands scheduled on individual Windows machines
Text files containing lists of target files
RAR’d bunches of targeted files ready to be moved off the network in any number of communication pathways
Spear phishing attacks using bogus mailboxes created on mail system
»Their true approach is not always the obvious one
C & C servers in places like HVAC or other low profile systems, versus file servers
Drop locations are not in China or Belarus, but in the U.S.
Sample Approach to Resilience
Today’s adversaries leverage every weakness
»Failure of AV and IDS to detect both ZeuS and other known exploits, and unknown emerging threat problems
»Security program weaknesses:
Open domain admin accounts
Passwords backed up in clear text files
Postings on public forums containing questions regarding organization’s firewall rules
Flat security architecture (no segmentation of traffic)
Inadequate use of firewall ACLs and logging
»Lack of other prudent security techniques such as full packet capture, DNS blackholing, two factor authentication, etc.
Who is NetWitness: A quick introduction
Security teams in high threat environments:
•5 of the Fortune 10
•70% of US Federal agencies
•Over 45,000 security experts around the world
Recognized for outstanding performance:
•#21 in the 2010 Inc. 500, including #1 in the U.S. in enterprise software companies
•Winner of the SC People’s Choice Award and numerous other industry achievements
Security Leaders Leverage NetWitness
“Traditional security measures like firewalls, intrusion detection, patch management, anti-virus, single tier DMZs are not enough to stop the new threats.”
CISO, Major U.S. Federal Agency
“NetWitness is the last security appliance you will ever need to buy.”
Josh Corman, 451 Group
“NetWitness is a cutting edge vendor for Network Analysis and Visibility.”
John Kindervag, Forrester Research
“I rely upon NetWitness to detect and analyze malware that no other product can find.”
Director of Incident Response, NY Health Care Provider
Changes on the horizon…
Enabling A Revolution in Network Monitoring
NetWitness Product Tour
Understanding the NetWitness Network Monitoring Platform
Automated Malware Analysis and Prioritization
Automated Threat Reporting, Alerting and Integration
Freeform Analytics for Investigations and Real-time Answers
Revolutionary Visualization of Content for Rapid Review
Signature-Free, Automated Malware Analysis, Prioritization, and Workflow
Spectrum
• Mimics the techniques of leading malware analysts by asking thousands of questions about an object without requiring a signature or a known “bad” action
• Leverages NetWitness Live by fusing information from leading threat intelligence and reputation services to assess, score, and prioritize risks
• Utilizes NetWitness’ pervasive network monitoring capability for full network visibility and extraction of all content across all protocols and applications
• Provides transparency and efficiency to malware analytic processes by delivering complete answers to security professionals
Automated Analysis, Reporting and Alerting
Informer
• Flexible dashboard, chart and summary displays for unified view of threat vectors
• Get automatic answers to any question for…
• Network Security
• Security / HR
• Legal / R&D / Compliance
• I/T Operations
• HTML, CSV and PDF report formats included
• Supports CEF, SNMP, syslog, SMTP data push for full integration in SIEM and other network event management
Getting Answers to the Toughest Questions
Investigator
»Interactive data-driven session analysis of layer 2-7 content
»Award-winning, patented, port agnostic session analysis
»Infinite freeform analysis paths and content /context investigation points
»Data presented as the user experienced (Web, Voice, Files, Emails, Chats, etc.)
»Supports massive data-sets
Instantly navigate terabytes of data
Fast analytics - analysis that once took days, now takes minutes
»Freeware Version used by over 45,000 security experts worldwide
A New Way to Look at Information
Visualize
» Revolutionary visual interface to content on the network
Extracts and interactively presents images, files, objects, audio, and voice for analysis
Supports multi-touch, drilling, timeline and automatic “play” browsing
Rapid review and triage of content
Case Study: Understanding a Custom ZeuS-based APT Spear Phishing Attack
Finding bad things on the network: Are all ZeuS variants created equal?
Realities: Continued Targeted Attacks Against USG Assets
»There has been an ongoing campaign associated with forged emails containing targeted ZeuS infections
»Typical scenario is email from some “reliable” email address containing spear phishing text of interest and link to custom ZeuS site
»Parallels: this approach directly imitates non-USG mass eCrime ZeuS approaches
Subject: DEFINING AND DETERRING CYBER WAR
From: [email protected]
U.S. Army War College, Carlisle Barracks, PA 17013‐5050
December 2009
DEFINING AND DETERRING CYBER WAR
Since the advent of the Internet in the 1990s, not all users have acted in cyberspace for peaceful purposes. In fact, the threat and impact of attack in and through cyberspace has continuously grown to the extent that cyberspace has emerged as a setting for war on par with land, sea, air, and space, with increasing potential to damage the national security of states, as illustrated by attacks on Estonia and Georgia. Roughly a decade after the advent of the Internet, the international community still has no codified, sanctioned body of norms to govern state action in cyberspace. Such a body of norms, or regime, must be established to deter aggression in cyberspace. This project explores the potential for cyber attack to cause exceptionally grave damage to a state’s national security, and examines cyber attack as an act of war. The paper examines efforts to apply existing international norms to cyberspace and also assesses how traditional concepts of deterrence apply in cyberspace. The project concludes that cyber attack, under certain conditions, must be treated as an act of war, that deterrence works to dissuade cyber aggression, and provides recommendations to protect American national interests.
Source: iSIGHT Partners
Which AV Product Sucks the LEAST!!! ?
“DPRK has carried out nuclear missile attack on Japan”
»AV effectively “neutered” by overwriting the OS hosts file
»Attempts to retrieve updates from vendor update server hosts routed to 127.0.0.1
»Back to our “ATTACKER FREE TIME” DISCUSSION: if AV didn’t pick up the malware initially, it never will now
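The hosts-file trick described above leaves a simple artifact on the endpoint. The checker below is an added example (not NetWitness code) that parses hosts-file text and reports every non-local hostname pinned to a loopback or null-route address, putting hits against a defender-supplied watchlist of AV update servers first; the watchlist and sample hosts lines are constructed for illustration.

```python
"""Detect hosts-file entries that sink external hostnames to loopback.

Added example, not NetWitness code. A hosts file that maps an AV vendor's
update server to 127.0.0.1 (as the slide describes) silently stops signature
updates; this checker surfaces such mappings from the file's text.
"""
import ipaddress
import re
from typing import FrozenSet, List, Tuple

# Names that legitimately point at loopback and must not be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "broadcasthost", "ip6-allnodes", "ip6-allrouters"}


def is_sinkhole(ip: str) -> bool:
    """True for addresses that swallow traffic: loopback (127/8, ::1) or 0.0.0.0."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_blackholed_hosts(hosts_text: str,
                          watchlist: FrozenSet[str] = frozenset()) -> List[Tuple[str, str, bool]]:
    """Return (hostname, ip, on_watchlist) for every non-local name mapped to a sinkhole.

    Watchlisted hosts sort first, then alphabetically, so the output is stable.
    """
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s+", line)
        ip, names = parts[0], parts[1:]
        if not is_sinkhole(ip):
            continue
        for name in names:
            lname = name.lower().rstrip(".")
            if lname in LOCAL_NAMES:
                continue
            findings.append((lname, ip, lname in watchlist))
    findings.sort(key=lambda f: (not f[2], f[0]))
    return findings


# Constructed sample hosts file: two update hosts pinned to loopback,
# one telemetry host null-routed, plus legitimate local entries.
SAMPLE_HOSTS = """\
# constructed sample, not from a real system
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
192.0.2.10      intranet.example.internal
127.0.0.1       update.example-av.test liveupdate.example-av.test
0.0.0.0         telemetry.example-security.test
"""

# Constructed watchlist: update servers the defender expects AV to reach.
WATCHLIST = frozenset({"update.example-av.test", "liveupdate.example-av.test"})

if __name__ == "__main__":
    for host, ip, watched in find_blackholed_hosts(SAMPLE_HOSTS, WATCHLIST):
        print(f"{'WATCHLIST' if watched else 'suspicious':10s} {host} -> {ip}")
```

On a live host, feed the checker the contents of /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts and treat any watchlist hit as a signal that the endpoint's AV may no longer be updating.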
Infection Progression – Nothing Unusual
»After a user clicks on the link, the file “report.zip” is downloaded from dnicenter.com
»If user opens the file, the malware is installed
»Malware is actually a Zeus variant; author used techniques to hamper reverse-engineering / analysis of the binary
Further Network Forensics Evidence…
» ZeuS configuration file download
» This type of problem recognition can be automated
»Malware stealing files of interest to the drop server in Minsk
»FTP drop server still is resolving to same address
»Early on March 8, 2010, server cleaned out and account disabled
»username: mao2 password: [captured]
Files harvested from victim machines in drop server (located in Minsk, Belarus)
» FTP drop hosted in Minsk, with directory listing of 14 compromised hosts containing exfiltrated data
» Time graph of beaconing activity and metadata showing comms to C&C server – all via “allowed pathways”
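The beaconing seen in that time graph can be scored without signatures: automated check-ins keep a far steadier interval than human browsing. The script below is an added example (not NetWitness code) that groups connection records by (source, destination, port), measures the jitter of the gaps between connections, and reports pairs whose coefficient of variation is low; the thresholds and the sample records are constructed for illustration.

```python
"""Flag periodic ("beaconing") connections in connection-log records.

Added example, not NetWitness code. C&C traffic over allowed pathways
(HTTP, DNS) often still betrays itself by its timing regularity.
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

Record = Tuple[float, str, str, int]   # (epoch_seconds, src, dst, dst_port)
Key = Tuple[str, str, int]


def beacon_scores(records: List[Record], min_conns: int = 6) -> Dict[Key, Dict[str, float]]:
    """Per (src, dst, port) pair with >= min_conns connections, return the
    connection count, mean inter-connection gap and coefficient of variation
    (population stdev / mean) of those gaps. Lower cv means steadier timing."""
    times: Dict[Key, List[float]] = defaultdict(list)
    for ts, src, dst, port in records:
        times[(src, dst, port)].append(ts)
    out: Dict[Key, Dict[str, float]] = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_conns:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        out[key] = {"count": len(ts_list), "mean_gap": mean, "cv": cv}
    return out


def likely_beacons(records: List[Record], max_cv: float = 0.15, min_conns: int = 6):
    """Pairs whose interval jitter is at or below max_cv, most regular first.
    max_cv is a constructed threshold; tune it against your own baseline."""
    scores = beacon_scores(records, min_conns)
    hits = [(k, v) for k, v in scores.items() if v["cv"] <= max_cv]
    return sorted(hits, key=lambda kv: kv[1]["cv"])


def sample_records() -> List[Record]:
    """Constructed sample: one host checking in every ~300 s over HTTP with a
    few seconds of jitter, plus irregular HTTPS browsing from a second host."""
    base = 1_268_000_000.0
    beacon = [(base + i * 300 + j, "10.1.1.25", "203.0.113.7", 80)
              for i, j in enumerate([0, 2, -1, 3, 0, 1, -2, 2])]
    browse = [(base + t, "10.1.1.40", "198.51.100.9", 443)
              for t in (5, 61, 70, 400, 415, 900, 905, 2100)]
    return beacon + browse


if __name__ == "__main__":
    for (src, dst, port), s in likely_beacons(sample_records()):
        print(f"{src} -> {dst}:{port} every {s['mean_gap']:.0f}s "
              f"(cv={s['cv']:.3f}, n={s['count']})")
```

Real beacons add deliberate jitter and long sleeps, so a steady-interval score is one input to triage alongside destination reputation and the content of the sessions, not a verdict on its own.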
Conclusions
Combating Advanced Threats Requires More and Better Information…
Data sources, ranked from Lowest Value to Highest Value:
Firewalls, Gateways, etc.: Overwhelming amounts of data with little context, but can be valuable when used within a SIEM and in conjunction with network forensics.
IDS Software: For many organizations, the only indicator of a problem, only for known exploits. Can produce false positives and is limited by signature libraries.
NetFlow Monitoring: Network performance management and network behavioral anomaly detection (NBAD) tools. Indicators of changes in traffic flows within a given period, for example, DDoS. Limited by lack of context and content.
SIEM Software: Correlates IDS and other network and security event data and improves signal to noise ratio. Is valuable to the extent that data sources have useful information and are properly integrated, but lacks event context that can be provided by network forensics.
Real-time Network Forensics (NetWitness): Collects the richest network data. Provides a deeper level of advanced threat identification and situational awareness. Provides context and content to all other data sources and acts as a force multiplier.
Take-Away
»Advanced adversaries and emerging threats require revolutionary thinking
»Current security paradigms are completely broken -- all organizations (including yours) will be compromised – no matter how good your security team
»The real objective should be improving visibility at the application layer -- this goal requires complete knowledge of the network and powerful analytic tools and processes
»Goals:
»Lower risk to the organization
Improve incident response through shortened time to problem recognition and resolution
Reduce impact and cost related to cyber incidents
Generate effective threat intelligence and cyber investigations
»Reduce uncertainty surrounding the impact of new threat vectors
»Conduct continuous monitoring of critical security controls
»Achieve situational awareness – being able to answer any conceivable cyber security question – past, present or future
Q&A
»Email: [email protected]
»Website: http://www.netwitness.com
»Twitter: @netwitness
»Blog: http://www.networkforensics.com
Know Everything…Answer Anything.