The Failure of Cyber Forces: You’re doing it wrong soldier

Uploaded by ipexpo-online, posted 14 May 2015. Category: Technology.

DESCRIPTION

Security today is fundamentally broken and an overhaul is desperately needed. Today's advanced cyber threats evade both detection and prevention by current approaches to network security, whether you want to believe it or not. Most organisations have developed an over-reliance on network-layer, perimeter-focused solutions that require signature- or statistics-based foreknowledge of each technical threat. As the endless security breaches of the last few years have shown, most legacy solutions are rendered obsolete by each new move of focused adversaries such as cyber criminals and nation-state groups, and by their ever-changing attack methods, including targeted and zero-day malware, obfuscation, and covert network channels. This session focuses on the true nature and sources of today's advanced threats, and describes the solution characteristics, both technology- and operations-related, that are required to combat these threats and close critical network visibility gaps.

TRANSCRIPT

Page 1: The Failure of Cyber Forces You’re doing it wrong soldier

Copyright 2011 © All rights reserved. EMC Corporation | Confidential and Proprietary

IP EXPO 2011 Chris Brown @tufferb [email protected]

Page 2: Agenda

» The Threat Environment and Why Cyber Forces and Technologies are Failing

» Advanced / Persistent Threats – In Context

» Rethinking Network Monitoring – A Quick Case Study

» Take-Aways and Q&A

Page 3: Why Are We Failing At All This?

» Spear phishing attacks

» Poisoned websites and DNS – “Drive-by” attacks

» Pervasive infection (e.g., Duqu, ZeuS, Aurora, Stuxnet, Night Dragon, etc.)

» Malware and more malware resulting from all of the above…

» Undetected data exfiltration, leakage, and covert network comms

» Ongoing product vulnerabilities (e.g. Adobe, Microsoft, Oracle)

» Social Networking / Mobility / Web 2.0

» Cloud Computing / Other unknown risk profiles

Page 4: What is your security budget?

Page 5: Do we really know the adversary?

Page 6: What Do These Organizations Want?

» Nation-sponsored attacks on anything (critical infrastructure, defense industry base, etc.)

  Designer malware directed at end users through spear phishing attacks

  Covert channels and obfuscated network traffic

  Low and slow data exfiltration

  Rogue encryption

» Organized criminal group attacks

  Data from retail and banking POS and ATM systems

  Infiltration of transaction processing systems in multiple industry sectors

  Application layer, database and middleware systems with deep “personal information” and other “key” attributes

Page 7: Are Security Teams Failing? Definitely…

» People

  Underestimate the complexity and capability of the threat actors

  Do not take proactive steps to detect threats

» Process

  Organizations have misplaced IT measurements and program focus

  IR processes lack correct data and focus

» Technology

  Current technology is failing to detect APT, APA, and other threats

  Deep holes in network visibility

Page 8: Adobe Flash v10.1.82.76 and earlier vulnerability in-the-wild

Published: 2010-09-14, Last Updated: 2010-09-14 00:59:32 UTC by Adrien de Beaupre (Version: 1)

Adobe has released an advisory for Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android, as well as Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. CVE-2010-2884 has been assigned to the issue, which has an impact of crashing Flash or arbitrary code execution on some affected platforms. There is currently no patch; Adobe has indicated that it should be released in late September and/or early October. There are indications that this previously unknown vulnerability is currently being exploited in the wild by malicious web sites attacking browsers.

YYAAAV: Yes, Yet Again Another Adobe Vulnerability. Sigh. Keep an eye out for this one folks. It will take a bit for the anti-virus, IDS/IPS and other vendors to catch up and detect the malware that exploits the vulnerability. Although by that point the box affected may well be compromised, as most detect after the exploit has already taken place. Since the vendor has released the advisory after being notified that exploits are already occurring against Windows boxes, it is recommended to explore workarounds for mitigation, detection of already compromised hosts, and cleanup.

Adobe PSIRT blog: http://blogs.adobe.com/psirt/2010/09/security-advisory-for-adobe-flash-player-apsa10-03.html

Adobe advisory: http://www.adobe.com/support/security/advisories/apsa10-03.html

Cheers, Adrien de Beaupré EWA-Canada.com

Page 9: RISK = Threats x Assets x Vulnerabilities

Antiquated Thinking!

Page 10: Breach discovery methods – 2011 VzB DBIR

“Past reports began to show an encouraging steady decline in breach discovery by third parties and we were hopeful that this would continue. Unfortunately, this year we see a significant increase (25%) in third party breach discovery.” VzB DBIR 2011

Page 11: The Malware Problem

» 63% of breaches involved customized malware (no signature was available at time of exploit) (VzB/USSS, 2011)

» 87% of records stolen were from Highly Sophisticated Attacks (VzB/USSS, 2010)

» 91% of organizations believe exploits bypassing their IDS and AV systems to be advanced threats (Ponemon, 2010)

"With security researchers now uncovering close to 100,000 new malware samples a day, the time and resources needed to conduct deep, human analysis on every piece of malware has become overwhelming." (GTISC Emerging Cyber Threats Report 2011)

Page 12: Verizon 2011 DBIR – Malware: 49% of Breaches, 79% of Records

“This year nearly two-thirds of malware investigated in the Verizon caseload was customized—the highest we have ever seen. The extent of customization found in a piece of malware can range from a simple repack of existing malware to avoid AV detection to code written from the ground up for a specific attack.” VzB DBIR 2011

Page 13: Current Technologies Are Failing – Firewalls

Intent – Prevent or limit unauthorized connections into and out of your network

Reality – Adversaries are designing malware to use “allowed paths” (DNS, HTTP, SMTP, etc.) to provide reliable and hard-to-detect C&C and data exfiltration channels from inside your internal network. Even worse, they are using encrypted tunnels to provide “reverse-connect” for full remote control capabilities.

Page 14: The Gaps in Status Quo Security – IDS/IPS

Intent – Alert on or prevent known malicious network traffic

Reality – Attackers are using obfuscation methods to prevent IDS signatures from recognizing malicious traffic, and client-side attacks that don’t perform “network-based” exploitation.

Even worse: Intrusion Prevention Systems are largely left unimplemented or crippled due to fears of business impact.

Page 15: The Gaps in Status Quo Security – Anti-Malware

Intent – Prevent malicious code from running on an endpoint, or from traversing your network

Reality – Most current anti-malware technologies are signature-based, requiring constant signature updates to remain effective. Due to the current level of malware production, these signatures lag behind by days to weeks.

Even worse… adversaries create custom malware for high value targets. If they don’t use widespread distribution, you are even less likely to have timely signatures.

[Screenshot: From a top AV Vendor Forum]

Page 16: 2010 Ponemon Institute Advanced Threats Survey

» We know what we need to do, but we are not doing it…

Page 17: 2010 Ponemon Institute Advanced Threats Survey

» Do the math yourself…

Page 18: ATTACKER FREE TIME

[Figure: attacker free time timeline, redrawn from the NERC HILF report. Attacker-side events along the time axis: Attack Forecast, Target Analysis, Attack Set-up, Access Probe, Attack Begins, System Intrusion, Discovery / Persistence, Attacker Surveillance, Maintain foothold, Leap Frog Attacks Complete, Cover-up Starts, Cover-up Complete. Defender-side events: Physical Security, Monitoring & Controls, System Reaction, Defender discovery, Attack Identified, Incident Reporting, Threat Analysis, Impact Analysis, Damage Identification, Response, Containment & eradication, Recovery.]

Need to collapse attacker free time

Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)

New Security Concept: “OFFENSE IN DEPTH”

Page 19: We Need to Change the Way We Think

Page 20: There ARE specific targets…

Page 21: The Questions Are More Complex

» Why are packed or obfuscated executables being used on our systems?

» What critical threats are my Anti-Virus and IDS missing?

» I am worried about targeted malware and APTs -- how can I fingerprint and analyze these activities in my environment?

» We need to better understand and manage the risks associated with insider threats – I want visibility into end-user activity and to be alerted on certain types of behavior.

» On our high value assets, how can we have certainty that our security controls are functioning exactly as implemented?

» How can I detect new variants of Zeus or other 0day malware on my network?

» We need to examine critical incidents as if we had an HD video camera recording it all…

Page 22: Cyber Defense in 2011 and Beyond – What is Required?

» Advanced threat detection and response requires a different approach:

  24 x 7 SITUATIONAL AWARENESS

  Applying the science of NETWORK FORENSICS to the art of incident response

  Application-layer threat context and intelligence

» Enable security teams to view network traffic as conversations instead of individual packets or groups of IP addresses

» AGILITY to extend architecture to address emerging threat trends and integrate the intelligence of open and classified threat sources

Page 23: Typical Scenario These Days…

» Visit from the FBI saying, “You have a problem – information is being taken”

  Perhaps IP addresses of compromised machines are provided

  You might be told that certain types of files or email are being stolen

  The CEO does not pay much attention to cyber, generally, but now it has his/her full attention

  What do you do now?

» Knee-jerk reaction: take down these systems/networks, image the drives, rebuild the machines, life goes on, etc. WRONG!!

» How do you know what has happened or is really still happening on the network?

Page 24: What’s really happening (in many cases)…

» If it’s an advanced persistent threat (APT), the adversary is quite entrenched and has been there for a while

  It’s not simply a piece of malware you can detect and eradicate

  Both COTS variants (ZeuS) and specific custom tools (e.g., file search tools)

» They have the ability to change techniques, control channels, SSL certs, hours of operation, etc.

  Commands scheduled on individual Windows machines

  Text files containing lists of target files

  RAR’d bunches of targeted files ready to be moved off the network in any number of communication pathways

  Spear phishing attacks using bogus mailboxes created on the mail system

» Their true approach is not always the obvious one

  C&C servers in places like HVAC or other low profile systems, versus file servers

  Drop locations are not in China or Belarus, but in the U.S.

Page 25: Sample Approach to Resilience

Stage 1: malware with dyndns-enabled host names, exclusively routed to non-routable IP addresses; later, FTP (or another pathway) out to a domestic system

Stage 2: XOR’d traffic over port 443 for data exfiltration and C&C, resolving to legitimate IP addresses and blending in with legitimate traffic

Stage 3: very long beacon times (>2 weeks), SSL communications, no dyndns domains but hard-coded IP addresses; desperate to maintain access to the network
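Added example, not from the slides: a small Python detector for the stage 1 and stage 3 indicators named above (external names resolving to non-routable addresses, connections to hard-coded IPs that no DNS lookup preceded, and long regular beacon intervals), run over constructed DNS and connection logs. The log layout, the non-routable prefix list, the internal zone suffix and the thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample sensor logs (not from the presentation).
# DNS answers: (timestamp, client host, queried name, answer IP)
DNS_LOG = [
    ("2010-03-01 09:00:00", "ws17", "upd.dyndns-example.org", "10.0.0.5"),
    ("2010-03-01 09:05:00", "ws17", "www.example.com", "93.184.216.34"),
    ("2010-03-01 09:07:00", "ws22", "intranet.corp.example", "10.1.2.3"),
]
# Outbound connections: (timestamp, client host, destination IP, port)
CONN_LOG = [
    ("2010-03-01 09:05:02", "ws17", "93.184.216.34", 80),
    ("2010-03-01 09:06:00", "ws17", "198.51.100.7", 443),
    ("2010-03-16 09:06:00", "ws17", "198.51.100.7", 443),
    ("2010-03-31 09:06:00", "ws17", "198.51.100.7", 443),
    ("2010-03-01 09:08:00", "ws22", "10.1.2.3", 445),
]
# What "non-routable" means in this example (assumption): RFC 1918, loopback,
# link-local and 0.0.0.0/8. Documentation ranges are treated as routable.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]
INTERNAL_SUFFIXES = (".corp.example",)   # assumed internal DNS zones

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def is_non_routable(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)

def nonroutable_resolutions(dns_log):
    """Stage 1 indicator: an external-looking name answered with a
    non-routable address (a parked C2 name before it is switched on)."""
    return [(host, name, ans) for _, host, name, ans in dns_log
            if is_non_routable(ans) and not name.endswith(INTERNAL_SUFFIXES)]

def hardcoded_ip_connections(dns_log, conn_log, window=timedelta(hours=1)):
    """Stage 3 indicator: outbound connection to a routable IP that no DNS
    answer for the same host produced within `window` beforehand, i.e. the
    destination was most likely hard-coded in the malware."""
    hits = set()
    for ts, host, dst, port in conn_log:
        if is_non_routable(dst):
            continue
        t = _ts(ts)
        resolved = any(h == host and a == dst and t - window <= _ts(dts) <= t
                       for dts, h, _, a in dns_log)
        if not resolved:
            hits.add((host, dst, port))
    return sorted(hits)

def long_period_beacons(conn_log, min_gap=timedelta(days=7), max_cv=0.2):
    """Stage 3 indicator: the same host/destination pair contacted at long,
    regular intervals (coefficient of variation of the gaps <= max_cv)."""
    seen = defaultdict(list)
    for ts, host, dst, port in conn_log:
        seen[(host, dst, port)].append(_ts(ts))
    beacons = []
    for key, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < 2:
            continue
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if avg >= min_gap.total_seconds() and cv <= max_cv:
            beacons.append((key, timedelta(seconds=avg)))
    return beacons
```

On the sample logs the three checks each return exactly one finding, all pointing at ws17 and its fixed 198.51.100.7 destination.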

Page 26: Today’s adversaries leverage every weakness

» Failure of AV and IDS to detect both ZeuS and other known exploits, and unknown emerging threat problems

» Security program weaknesses – ongoing failure of controls and visibility:

  Open domain admin accounts

  Passwords backed up in clear text files

  Postings on public forums containing questions regarding the organization’s firewall rules

  Flat security architecture (no segmentation of traffic)

  Inadequate use of firewall ACLs and logging

» Lack of other prudent security techniques such as full packet capture, DNS blackholing, two factor authentication, etc.

Page 27: Case Study – Understanding a Custom ZeuS-based APT Spear Phishing Attack

Page 28: Finding bad things on the network: Are all ZeuS variants created equal?

Page 29: (screenshot only)

Page 30: (screenshot only)

Page 31: “DPRK has carried out nuclear missile attack on Japan”

» AV effectively “neutered” by overwriting the OS hosts file

» Attempts to retrieve updates from vendor update server hosts routed to 127.0.0.1

» Back to our “ATTACKER FREE TIME” discussion: if AV didn’t pick up the malware initially, it never will now
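Added example, not from the presentation: a Python check for the hosts-file tampering this slide describes, run over a constructed hosts file in which vendor update names are pinned to loopback. The vendor domain av-vendor.example, the internal entry and the set of names allowed to map to loopback are hypothetical.

```python
import ipaddress

# Constructed sample hosts file (not from the presentation). The last three
# entries show the technique the slide describes: update hosts pinned to a
# loopback or unspecified address so the AV client can never fetch signatures.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.1.2.3        intranet.corp.example    # assumed internal entry
127.0.0.1       update.av-vendor.example
127.0.0.1       liveupdate.av-vendor.example  # hypothetical vendor name
0.0.0.0         dl.av-vendor.example
"""

# Names a hosts file may legitimately map to loopback (assumption).
ALLOWED_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()

def find_sinkholed_names(text, watch_suffixes=()):
    """Return hosts-file entries that send a non-localhost name to a loopback
    or unspecified address. Names ending in one of `watch_suffixes` (your AV
    and OS vendor update domains) are tagged 'update-server', the rest 'other'.
    Any finding means signature updates on that host cannot be trusted."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable-address"))
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        if name in ALLOWED_LOOPBACK_NAMES:
            continue
        tag = "update-server" if name.endswith(tuple(watch_suffixes)) else "other"
        findings.append((ip, name, tag))
    return findings
```

Run this from an endpoint inventory or EDR job against every host's hosts file and alert on any 'update-server' finding; it is a cheap control that catches the exact blind spot the slide points at.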

Page 32: Infection Progression – Nothing Unusual

» After a user clicks on the link, the file “report.zip” is downloaded from dnicenter.com

» If the user opens the file, the malware is installed

» Malware is actually a Zeus variant; author used techniques to hamper reverse-engineering / analysis of the binary

Page 33: Further Network Forensics Evidence…

» ZeuS configuration file download

» This type of problem recognition can be automated

Page 34: Further Network Forensics Evidence (continued)

» Malware stealing files of interest to the drop server in Minsk

» FTP drop server still is resolving to same address

» Early on March 8, 2010, server cleaned out and account disabled

» username: mao2 password: [captured]

Page 35: Files harvested from victim machines in drop server (located in Minsk, Belarus)

» FTP drop hosted in Minsk, with directory listing of 14 compromised hosts containing exfiltrated data

Page 36: Beaconing activity

» Time graph of beaconing activity and metadata showing comms to C&C server – all via “allowed pathways”

Pages 37–42: Example: Good network visualization

» Find Compromises (the slides build the funnel up one filter at a time)

Filter step                                Sessions      Share of total
All sessions                               ~½ million    100 %
HTTP                                       ~125,400      25 %
HTTP w/ abnormal headers                   ~100,000      20 %
Non-standard countries (or destinations)   670           0.1 %
Interesting file types                     200           0.04 %

We need to stop the failure rate and get better at using these types of techniques
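Added example, not from the slides: a Python triage that applies the same funnel to constructed session metadata and reports the count and share of total at each step, ending with the handful of sessions worth an analyst's time. The session layout, the abnormal-header rule, the expected-country set and the interesting file extensions are assumptions.

```python
EXPECTED_COUNTRIES = {"GB", "US", "DE"}                  # assumed normal destinations
INTERESTING_EXTS = {"zip", "rar", "exe", "scr", "7z"}    # assumed file types of interest

# Constructed session metadata (not from the presentation), one dict per
# session as a network forensics tool might export it. Header names are
# lower-cased; "country" is the geolocated destination.
SESSIONS = [
    {"id": 1, "proto": "http", "country": "GB", "headers": {"host": "www.example.co.uk", "user-agent": "Mozilla/5.0"}, "filename": "index.html"},
    {"id": 2, "proto": "dns", "country": "GB", "headers": {}, "filename": ""},
    {"id": 3, "proto": "http", "country": "US", "headers": {"host": "cdn.example.com", "user-agent": "Mozilla/5.0"}, "filename": "app.js"},
    {"id": 4, "proto": "http", "country": "US", "headers": {"host": "203.0.113.9"}, "filename": "gate.php"},
    {"id": 5, "proto": "smtp", "country": "DE", "headers": {}, "filename": ""},
    {"id": 6, "proto": "http", "country": "BY", "headers": {"host": "files.example.net", "user-agent": "Mozilla/5.0"}, "filename": "logo.png"},
    {"id": 7, "proto": "http", "country": "BY", "headers": {"host": "dl.example.org", "user-agent": "-"}, "filename": "report.zip"},
    {"id": 8, "proto": "http", "country": "CN", "headers": {"user-agent": "Mozilla/5.0"}, "filename": "cfg.bin"},
    {"id": 9, "proto": "ssl", "country": "BY", "headers": {}, "filename": ""},
    {"id": 10, "proto": "http", "country": "GB", "headers": {"user-agent": "Mozilla/5.0"}, "filename": "x.exe"},
]

def is_http(s):
    return s["proto"] == "http"

def abnormal_headers(s):
    """Assumed rule: a browser-originated request carries a Host header and a
    Mozilla-style User-Agent; anything else (bot, custom C2 client) is abnormal."""
    h = s["headers"]
    return "host" not in h or not h.get("user-agent", "").startswith("Mozilla/")

def nonstandard_destination(s):
    return s["country"] not in EXPECTED_COUNTRIES

def interesting_file(s):
    name = s["filename"]
    return "." in name and name.rsplit(".", 1)[1].lower() in INTERESTING_EXTS

# The funnel from the slides, in order; each step keeps only what passed the step before.
FUNNEL = [
    ("HTTP", is_http),
    ("HTTP w/ abnormal headers", abnormal_headers),
    ("Non-standard countries (or destinations)", nonstandard_destination),
    ("Interesting file types", interesting_file),
]

def triage(sessions, funnel=FUNNEL):
    """Return ([(step label, sessions remaining, % of total), ...],
    [ids of sessions that survived every step])."""
    total = len(sessions)
    stages = [("All sessions", total, 100.0)]
    remaining = list(sessions)
    for label, keep in funnel:
        remaining = [s for s in remaining if keep(s)]
        stages.append((label, len(remaining), round(100.0 * len(remaining) / total, 2)))
    return stages, [s["id"] for s in remaining]

if __name__ == "__main__":
    stages, survivors = triage(SESSIONS)
    for label, count, pct in stages:
        print(f"{label:42s} {count:6d}  {pct:6.2f} % of total")
    print("Sessions to examine:", survivors)
```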

Page 43: Conclusions

Page 44: Combating Advanced Threats Requires More and Better Information…

(Vertical axis on the slide: Highest Value / Lowest Value)

DATA SOURCE – DESCRIPTION

Firewalls, Gateways, etc. – Overwhelming amounts of data with little context, but can be valuable when used within a SEIM and in conjunction with network forensics.

IDS Software – For many organizations, the only indicator of a problem, and only for known exploits. Can produce false positives and is limited by signature libraries.

NetFlow Monitoring – Network performance management and network behavioral anomaly detection (NBAD) tools. Indicators of changes in traffic flows within a given period, for example DDoS. Limited by lack of context and content.

SEIM Software – Correlates IDS and other network and security event data and improves the signal-to-noise ratio. Valuable to the extent that data sources have useful information and are properly integrated, but lacks the event context that can be provided by network forensics.

Real-time Network Forensics (NetWitness) – Collects the richest network data. Provides a deeper level of advanced threat identification and situational awareness. Provides context and content to all other data sources and acts as a force multiplier.

Page 45: Take-Away

» Advanced adversaries and emerging threats require revolutionary thinking

» Current security paradigms are completely broken -- all organizations (including yours) will be compromised – no matter how good your security team

» The real objective should be improving visibility at the application layer -- this goal requires complete knowledge of the network and powerful analytic tools and processes

» Goals:

  Lower risk to the organization

  Improve incident response through shortened time to problem recognition and resolution

  Reduce impact and cost related to cyber incidents

  Generate effective threat intelligence and cyber investigations

» Reduce uncertainty surrounding the impact of new threat vectors

» Conduct continuous monitoring of critical security controls

» Achieve situational awareness – being able to answer any conceivable cyber security question – past, present or future

Copyright 2007 NetWitness Corporation

Page 46: Q&A

» Email: [email protected]

» Websites: http://www.netwitness.com and http://www.rsa.com

» Twitter: @netwitness @tufferb

» Blog: http://www.networkforensics.com

Pages 50–63: IP EXPO Online promotional slides appended by the uploader (The Whole Technology Stack; Comment & Analysis; Video; Technology Library; Events, Webinars & Presentations; Directory; All Free to Access 24/7) – online.ipexpo.co.uk