war on stealth cyber attacks phishing docusign apache metron
TRANSCRIPT
War on Stealth Cyber Attacks that Target Unknown Vulnerabilities: Investigate, Threat Scope Analysis & Forensics of Advanced Cyber Threats with Apache Metron
George Vetticaden & James Sirota, Apache Metron Committers
© Hortonworks Inc. 2011–2016. All Rights Reserved
Use Case: Phishing Attack
Phishing Attacks
• What is a Phishing Attack? An attack that “baits” unsuspecting workers into clicking on links in emails and unknowingly giving attackers a toehold in their employers’ systems.
• From a NY Times article (6/13/2016):
“Phishing attacks have become an epidemic. To date, more than 90 percent of breaches have begun with a phishing attack, according to Verizon. Intelligence experts say that phishing attacks are the preferred method of Chinese hackers who have managed to steal things as varied as nuclear propulsion technology and Silicon Valley’s most guarded software code.”
DocuSign Phishing Attacks
What is DocuSign?
• Provides electronic signature technology and Digital Transaction Management services for facilitating electronic exchanges of contracts and signed documents.
• E.g.: If you get a new job, the offer letter will most likely be presented to you as a “DocuSign Doc” which requires an electronic signature.
What is a DocuSign Phishing Attack?
• Active phishing campaigns using fake DocuSign emails, trying to trap employees into opening them up
• These "secure doc" emails are one of the most misflagged categories of real emails
• Users have trouble figuring out whether a "secure doc" email is real or a phish
DocuSign Phishing Attack on Company FOO
Use Case Setup
• On 4/10, a user named Ethan V at Company Foo submits a security ticket complaining about a potential phishing email.
• The details provided by Ethan V in the ticket are the following:
– Ethan receives an email from an internal employee, Sonja Lar, who works on the Finance Team
– The email states that a signature is required for a new DocuSign document for a new Stock Option grant granted to Ethan
– There is a link in the email to the DocuSign document
– Ethan clicks on the link, and a login page appears
– Ethan enters his SSO credentials and submits
– On submission, nothing happens
– Ethan calls Sonja, but Sonja states she didn’t send an email
– Ethan is worried and then files a helpdesk security ticket
• A security ticket is created and assigned to the SOC Team
• A SOC analyst, James, picks up the case to investigate it.
Typical Workflow if Company Foo uses a traditional SIEM tool
Systems Accessed for Investigation/Context: 1 SIEM Search, 2 Maxmind (IP Geo DB), 3 AD (Identity Mgmt.), 4 Asset Mgmt. Inventory, 5 Soltra (Threat Intel)
“Investigation” Workflow Steps
• Step 1: Analyst James searches in the SIEM for any events associated with the user Sonja over the last 24 hours
• Step 1 Result: Most events are coming from IP Y. But a few events come from IP X, where she is sending email via her Corp Gmail account.
• Step 2: James does a geo-lookup of IP X and IP Y in Maxmind
• Step 2 Result: IP X is from Ireland and IP Y is from Southern Cali
• Step 3: Corp Foo has offices in Ireland & Los Angeles. James files a ticket with the AD team to find the groups that Sonja belongs to.
• Step 3 Result: The groups she belongs to are only associated with Los Angeles and not Ireland
• Step 4: James logs into Foo’s Asset Mgmt system to determine which assets the IPs belong to
• Step 4 Result: IP Y is Sonja’s workstation while IP X is an unidentified asset
• Step 5: James logs into Soltra, a threat intel aggregation service, to see if IP X has a threat intel hit.
• Step 5 Result: IP X has a threat intel hit; Sonja’s account is immediately shut down & Ethan’s credentials are reset
Story Unfolding
• Step 1 Insight: Anomalous event. Corp Gmail was decommissioned in favor of Exchange months back and only a few users are currently using it
• Step 2 Insight: Not possible for the same user to be logging in from Ireland & Southern Cali at the same time.
• Step 3 Insight: Unauthorized access is occurring from Ireland
• Step 4 Insight: Seems like Sonja is in Southern Cali, but someone else pretending to be her is logging in from an unidentified asset
• Step 5 Insight: Sonja’s account has been compromised. Shut it down; Ethan’s credentials have been reset. But what other users are affected like Ethan?
Systems Accessed for Investigation/Context: 1 SIEM Search, 2 Maxmind (IP Geo DB), 3 AD (Identity Mgmt.), 4 Asset Mgmt. Inventory, 5 Soltra (Threat Intel)
Systems Accessed for Threat Scope: 6 SIEM Search, 7 FireEye (Email Cloud Security)
Systems Accessed for Forensics: 8 Cisco IronPort (Email On-Premise Security), 9 Intermedia (Email Archive)
Systems Accessed for Remediation: Exchange (Primary Email Service), Corp Gmail (Secondary Email Service), AD & SSO (Identity Provider & SSO)
“Scope of Threat” Workflow Steps
• Step 6: Searches the SIEM for FireEye and IronPort email events associated with Sonja. The SIEM doesn’t have that info
• Step 6 Result: Need to log into FireEye and IronPort
• Step 7: Logs into FireEye Email Threat Prevention Cloud & IronPort to find all emails sent from Sonja from that malicious IP
• Step 7 Result: Has a list of all users that the phishing email was sent to. Can reset the password for all those users
“Forensics” Workflow Steps
• Step 8: Logs into Cisco IronPort to determine when the attacker first compromised Sonja’s Gmail account
• Step 8 Result: On 3/26, a user from Ireland logged into Sonja’s Corp Gmail account
• Step 8 Insight: Understands when Sonja’s Gmail account was first compromised
• Step 9: Logs into Intermedia, an email archive system, to understand how the account was compromised
• Step 9 Result: Sees a set of emails where the attacker spoofed someone else’s email address, “warmed up” her with a few emails and then sent an email with a link that Sonja clicked on, which stole her credentials from her chain
• Step 9 Insight: Understands how Sonja’s account got compromised
Story Unfolding (continued)
• Step 6 Insight: The SIEM doesn’t have all the FireEye email events I need to determine scope
• Step 7 Insight: Understand the scope of the threat and can contain it.
The “Threat Story” the Workflow Told…
The Challenges faced by the SOC Analyst to Create this Story…
Challenge
• The analyst had to jump from the SIEM to more than 7 different tools, which took up valuable time.
• It took more than 24 hours across 2 SOC shifts to investigate, determine scope, remediate and do further forensics/investigation.
• Half of my time was spent getting the context needed for me to create the story
• The threat was detected too late. Instead of detecting the incident on 4/9, the threat should have been detected on 3/20 when the attacker spoofed Sonja’s email address
Need
• Want a centralized view of my data so I don’t have to jump around and learn other tools
• Eliminate manual tasks to investigate a case
• Need to discover bad stuff quicker
• Need the system to create the context for me in real-time
• The current static rules in the SIEM didn’t detect the threat. Need smart analytics based on:
– User Sonja hasn’t used corp gmail in the last 3 months
– User Sonja can’t login from Ireland and Southern Cali at the same time
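The two "smart analytics" rules above, plus the geo, asset and threat-intel enrichment the analyst gathered by hand in steps 2, 4 and 5, as an added Python example that is not from the deck or from Apache Metron. The login events, IP addresses (RFC 5737 documentation ranges), lookup tables and the 90-day/60-minute thresholds are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed stand-ins for the enrichment sources on the slides (Maxmind geo DB,
# asset inventory, Soltra threat intel); IPs are RFC 5737 documentation addresses.
GEO = {"198.51.100.7": "Ireland", "203.0.113.25": "Southern California"}
ASSETS = {"203.0.113.25": "sonja-workstation"}
THREAT_INTEL = {"198.51.100.7"}

# Constructed login telemetry, one record per authentication event.
EVENTS = [
    {"ts": "2016-01-05T09:00", "user": "sonja", "service": "exchange", "src_ip": "203.0.113.25"},
    {"ts": "2016-03-26T02:10", "user": "sonja", "service": "corp_gmail", "src_ip": "198.51.100.7"},
    {"ts": "2016-03-26T02:20", "user": "sonja", "service": "exchange", "src_ip": "203.0.113.25"},
]
ts = datetime.fromisoformat  # timestamps are ISO 8601 strings

def enrich(event):
    """Attach the context the analyst fetched by hand in steps 2, 4 and 5."""
    ip = event["src_ip"]
    return {**event, "country": GEO.get(ip, "unknown"),
            "asset": ASSETS.get(ip, "unidentified"), "threat_intel_hit": ip in THREAT_INTEL}

def dormant_service_logins(events, user, service, days=90):
    """Logins to `service` by `user` with no earlier use of it in the preceding `days`."""
    hits, last_use = [], None
    for e in sorted(events, key=lambda e: ts(e["ts"])):
        if e["user"] == user and e["service"] == service:
            if last_use is None or ts(e["ts"]) - last_use > timedelta(days=days):
                hits.append(e)  # first use in the window (or ever): anomalous
            last_use = ts(e["ts"])
    return hits

def impossible_travel(events, user, window_minutes=60):
    """Consecutive logins by `user` from different countries within the window."""
    mine = sorted((enrich(e) for e in events if e["user"] == user), key=lambda e: ts(e["ts"]))
    pairs = []
    for a, b in zip(mine, mine[1:]):
        close = ts(b["ts"]) - ts(a["ts"]) <= timedelta(minutes=window_minutes)
        if close and "unknown" not in (a["country"], b["country"]) and a["country"] != b["country"]:
            pairs.append((a, b))
    return pairs

def triage(events, user):
    """Run the three checks and return (rule, timestamp, detail) alerts."""
    alerts = [("dormant_service", e["ts"], e["src_ip"])
              for e in dormant_service_logins(events, user, "corp_gmail")]
    alerts += [("impossible_travel", b["ts"], f"{a['country']} -> {b['country']}")
               for a, b in impossible_travel(events, user)]
    alerts += [("threat_intel", e["ts"], e["src_ip"])
               for e in map(enrich, events) if e["user"] == user and e["threat_intel_hit"]]
    return alerts
```

`triage(EVENTS, "sonja")` raises all three alerts on the 3/26 Corp Gmail login from the Ireland address, which is the story the analyst needed five tools to assemble.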
Same Workflow if Company Foo used Apache Metron
Demo
Do Investigation, Find Scope and Perform Forensics Using only Metron
[Diagram: the same systems as on the traditional-SIEM slide, grouped as Systems Accessed for Investigation/Context (Maxmind (IP Geo DB), AD (Identity Mgmt.), Asset Mgmt. Inventory, Soltra (Threat Intel)), Systems Accessed to Determine Scope (FireEye (Email Cloud Security), Cisco IronPort (Email On-Premise Security)), Systems Accessed for Forensics (Intermedia (Email Archive)) and Systems Accessed for Remediation (Exchange (Primary Email Service), Corp Gmail (Secondary Email Service), AD & OKTA (Identity Provider & SSO)).]
Do Investigation, Find Scope and Perform Forensics Using only Metron
• Metron will make it easier and faster to find the real issues I need to act on, with real-time enrichment
• Provides a Single Pane of Glass for Investigation, Scope Analysis and Forensics
• Metron can take everything that is known about a threat and check for it in real time
• For Advanced Persistent Threats (APT), Metron can model the historical behavior of whoever I am impersonating and flag me as I try to deviate
Metron Architecture
[Diagram of the Metron architecture; the recoverable labels are:]
• Telemetry Data Sources: Network Data (PCAP, Netflow, Bro, etc.), IDS (Suricata, Snort, etc.), Threat Intelligence Feeds (Soltra, OpenTaxi, Third party Feeds), Security Endpoint Devices (FireEye, Palo Alto, BlueCoat, etc.), Machine Generated Logs (AD, App/Web Server, Firewall, VPN, etc.)
• Ingest: Telemetry Data Collectors, Performant Network Ingest Probes, Other -> Telemetry Ingest Buffer
• Real-Time Processing Cyber Security Engine (Cyber Security Stream Processing Pipeline): Telemetry Parsers -> Enrichment -> Threat Intel -> Alert Triage -> Indexers & Writers
• Data Services & Integration Layer: Modules, Community Analytical Models, Search and Dashboarding Portal, Security Data Vault, Provisioning, Mgmt & Monitoring, Real-Time Enrich/Threat Intel Streams
Real-time Processing Engine
[Diagram: Apache Metron Logical Architecture; the numbered stages are:]
1. Telemetry Event Buffer: PCAP, NetFlow, DPI, IDS, AV, Firewall, Host Logs
2. Parse, Normalize, Tag, Validate, Process
3. Enrich: User, Asset, Geo, WHOIS, Conn
4. Label (threat intel): STIX, Flat Files, Aggregators, Model as a Service, Cloud Services
5. Alert Persist: PCAP Store, Alert, Security Data Vault
6. Data & Integration Services: Custom Metron UI/Portals, Real-Time Search, Interactive Dashboards, Data Modelling, Integration Layer, PCAP Replay, Security Layer
7a. Network Tap -> Fast Telemetry Ingest (Custom Performant Probes)
7b. Telemetry Ingest
Analytics
Old School vs. New School Security Controls
• Old School -> (1-1): Email Security Rules, Firewall Rules, IDS Rules, Sandbox Rules, DLP Rules
• New School -> (1-*): Email Classifier, Alerts Triage, Malware Family Classifier, Network Behavior Classifier, UEBA System
Analytics: Descriptive, Diagnostic, Predictive, Prescriptive
[Diagram: Metron Security Data Analytics Platform (HDF, HDP); the recoverable labels are:]
• Data sources: Deep Packet, Netflow, Appliance Logs, Alerts, Host Logs, Social Media, Chat, Forums, Playbook, Workflow, HR, IR, Mobile Devices, Machine Exhaust, IoT, Datasets, Access Logs, Malware Binaries, Sandbox, Honeypot, Deception, SaaS
• Enrichments: Geo Enrich, Host Enrich, App. Enrich, Identity Enrich, Domain Enrich, Business Enrich, CMDB Enrich, Compl. Enrich
• Model as a Service: Knowledge Graph, Entity Profiles, Interaction Graph, Web Mining
• Use Cases: Insider Threat, Data Access Management, Breach Detection, Exfiltration, Lateral Movement, Malware Detection, Alerts Triage, Remediation
Thank You
George Vetticaden & James Sirota, Apache Metron Committers
Learn, Share at Birds of a Feather: Streaming, Data Flow & Cybersecurity
Thursday, June 30, 6:30pm, Ballroom C