The Failure of Cyber Forces You’re doing it wrong soldier


Security today is fundamentally broken and an overhaul is desperately needed. Today's advanced cyber threats evade both detection and prevention by current approaches to network security - whether you want to believe it or not. Most organisations have developed an over-reliance upon network-layer, perimeter-focused solutions that require signatures or statistical-based foreknowledge of each technical threat. As proven through endless security breaches over the last few years, most legacy solutions are obsolete with each new action of focused adversaries, such as cyber criminals and nation-state groups, and because of their ever-changing attack methods, including targeted and zero-day malware, obfuscation, and covert network channels. This session focuses on the true nature and sources of today's advanced threats, and describes solution characteristics, both technology and operations-related, which are required to combat these threats and close critical network visibility gaps.

Published in: Technology


Transcript

  • 1. The Failure of Cyber Forces: You’re doing it wrong soldier. Presentation for: IP EXPO 2011. Presented by: Chris Brown, @tufferb, chris.brown4@rsa.com. Copyright 2011 © All rights reserved. EMC Corporation | Confidential and Proprietary
  • 2. Agenda » The Threat Environment and Why Cyber Forces and Technologies are Failing » Advanced / Persistent Threats – In Context » Rethinking Network Monitoring – A Quick Case Study » Take-Aways and Q&A
  • 3. Why Are We Failing At All This? » Spear phishing attacks » Poisoned websites and DNS – “Drive-by” attacks » Pervasive infection (e.g., Duqu, ZeuS, Aurora, Stuxnet, Night Dragon, etc.) » Malware and more malware resulting from all of the above… » Undetected data exfiltration, leakage, and covert network comms » Ongoing product vulnerabilities (e.g. Adobe, Microsoft, Oracle) » Social Networking / Mobility / Web 2.0 » Cloud Computing / Other unknown risk profiles
  • 4. What is your security budget?
  • 5. Do we really know the adversary?
  • 6. What Do These Organizations Want?
    » Nation-sponsored attacks on anything (critical infrastructure, defense industry base, etc.)
      - Designer malware directed at end users through spear phishing attacks
      - Covert channels and obfuscated network traffic
      - Low and slow data exfiltration
      - Rogue encryption
    » Organized criminal group attacks
      - Data from retail and banking POS and ATM systems
      - Infiltration of transaction processing systems in multiple industry sectors
      - Application layer, database and middleware systems with deep “personal information” and other “key” attributes
  • 7. Are Security Teams Failing? Definitely…
    » People
      - Underestimate the complexity and capability of the threat actors
      - Do not take proactive steps to detect threats
    » Process
      - Organizations have misplaced IT measurements and program focus
      - IR processes lack correct data and focus
    » Technology
      - Current technology is failing to detect APT, APA, and other threats
      - Deep holes in network visibility
  • 8. Adobe Flash v10.1.82.76 and earlier vulnerability in-the-wild. Published: 2010-09-14, Last Updated: 2010-09-14 00:59:32 UTC by Adrien de Beaupre (Version: 1). Adobe has released an advisory for Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android, as well as Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. CVE-2010-2884 has been assigned to the issue, which has an impact of crashing Flash or arbitrary code execution on some affected platforms. There is currently no patch, Adobe has indicated that it should be released in late September and/or early October. There are indications that this previously unknown vulnerability is currently being exploited in the wild by malicious web sites attacking browsers. YYAAAV Yes, Yet Again Another Adobe Vulnerability. Sigh. Keep an eye out for this one folks. It will take a bit for the anti-virus, IDS/IPS and other vendors to catch up and detect the malware that exploits the vulnerability. Although by that point the box affected may well be compromised as most detect after the exploit has already taken place. Since the vendor has released the advisory after being notified that exploits are already occurring against Windows boxes it is recommended to explore workarounds for mitigation, detection of already compromised hosts, and cleanup. Adobe PSIRT blog: http://blogs.adobe.com/psirt/2010/09/security-advisory-for-adobe-flash-player-apsa10-03.html Adobe advisory: http://www.adobe.com/support/security/advisories/apsa10-03.html Cheers, Adrien de Beaupré, EWA-Canada.com
  • 9. RISK = Threats x Assets x Vulnerabilities – Antiquated Thinking!
  • 10. Breach discovery methods, 2011 VzB DBIR: “Past reports began to show an encouraging steady decline in breach discovery by third parties and we were hopeful that this would continue. Unfortunately, this year we see a significant increase (25%) in third party breach discovery.” (VzB DBIR 2011)
  • 11. The Malware Problem » 63% of breaches involved customized malware (no signature was available at time of exploit) (VzB/USSS, 2011) » 87% of records stolen were from Highly Sophisticated Attacks (VzB/USSS, 2010) » 91% of organizations believe exploits bypassing their IDS and AV systems to be advanced threats (Ponemon, 2010). "With security researchers now uncovering close to 100,000 new malware samples a day, the time and resources needed to conduct deep, human analysis on every piece of malware has become overwhelming." (GTISC Emerging Cyber Threats Report 2011)
  • 12. Verizon 2011 DBIR: Malware in 49% of Breaches, 79% of Records. “This year nearly two-thirds of malware investigated in the Verizon caseload was customized—the highest we have ever seen. The extent of customization found in a piece of malware can range from a simple repack of existing malware to avoid AV detection to code written from the ground up for a specific attack.” (VzB DBIR 2011)
  • 13. Current Technologies Are Failing – Firewalls. Intent – Prevent or limit unauthorized connections into and out of your network. Reality – Adversaries are designing malware to use “allowed paths” (DNS, HTTP, SMTP, etc.) to provide reliable and hard to detect C&C and data exfiltration channels from inside your internal network. Even worse, they are using encrypted tunnels to provide “reverse-connect” for full remote control capabilities.
  • 14. The Gaps in Status Quo Security – IDS/IPS. Intent – Alert on or prevent known malicious network traffic. Reality – Attackers are using obfuscation methods to prevent IDS signatures from recognizing malicious traffic, and client-side attacks that don’t perform “network-based” exploitation. Even worse: Intrusion Prevention Systems are largely left unimplemented or crippled due to fears of business impact.
  • 15. The Gaps in Status Quo Security – Anti-Malware. Intent – Prevent malicious code from running on an endpoint, or from traversing your network. Reality – Most current anti-malware technologies are signature-based, requiring constant signature updates to remain effective. Due to the current level of malware production, these signatures lag behind from days to weeks. Even worse… adversaries create custom malware for high value targets. If they don’t use widespread distribution, you are even less likely to have timely signatures. (Figure: from a top AV vendor forum)
  • 16. 2010 Ponemon Institute Advanced Threats Survey » We know what we need to do, but we are not doing it…
  • 17. 2010 Ponemon Institute Advanced Threats Survey » Do the math yourself…
  • 18. New Security Concept: “OFFENSE IN DEPTH”. (Diagram: attack timeline from the NERC HILF Report, June 2010, http://www.nerc.com/files/HILF.pdf.) Attacker track labels: Attacker Surveillance Begins, Target Analysis, Discovery / Probe, Attack Set-up, System Intrusion Starts, Leap Frog Attacks, Access Complete, Cover-up Starts, Cover-up Complete, Maintain foothold, Persistence. Defender track labels: Attack Identified, Attack Reaction, Damage Identification, Impact Analysis, Threat Analysis, Attack Forecast, Incident Reporting, Recovery, System discovery, Containment & eradication, Physical Security Monitoring & Controls, Response. The interval between attacker intrusion and defender reaction is labelled ATTACKER FREE TIME: need to collapse attacker free time.
  • 19. We Need to Change the Way We Think
  • 20. There ARE specific targets…
  • 21. The Questions Are More Complex
    » Why are packed or obfuscated executables being used on our systems?
    » What critical threats are my Anti-Virus and IDS missing?
    » I am worried about targeted malware and APTs -- how can I fingerprint and analyze these activities in my environment?
    » We need to better understand and manage the risks associated with insider threats – I want visibility into end-user activity and to be alerted on certain types of behavior.
    » On our high value assets, how can we have certainty that our security controls are functioning exactly as implemented?
    » How can I detect new variants of Zeus or other 0day malware on my network?
    » We need to examine critical incidents as if we had an HD video camera recording it all…
  • 22. Cyber Defense in 2011 and Beyond – What is Required?
    » Advanced threat detection and response requires a different approach:
      - 24 x 7 SITUATIONAL AWARENESS
      - Applying the science of NETWORK FORENSICS to the art of incident response
      - Application-layer threat context and intelligence
    » Enable security teams to view network traffic as conversations instead of individual packets or groups of IP addresses
    » AGILITY to extend architecture to address emerging threat trends and integrate the intelligence of open and classified threat sources
  • 23. Typical Scenario These Days…
    » Visit from the FBI saying, “You have a problem – information is being taken”
      - Perhaps IP addresses of compromised machines are provided
      - You might be told that certain types of files or email are being stolen
      - The CEO does not pay much attention to cyber, generally, but now it has his/her full attention
      - What do you do now?
    » Knee-jerk reaction: take down these systems/networks, image the drives, rebuild the machines, life goes on, etc.
      - WRONG!!
    » How do you know what has happened or is really still happening on the network?
  • 24. What’s really happening (in many cases)…
    » If it’s an advanced persistent threat (APT), the adversary is quite entrenched and has been there for a while
      - It’s not simply a piece of malware you can detect and eradicate
      - Both COTS variants (ZeuS) and specific custom tools (e.g., file search tools)
    » They have the ability to change techniques, control channels, SSL certs, hours of operation, etc.
      - Commands scheduled on individual Windows machines
      - Text files containing lists of target files
      - RAR’d bunches of targeted files ready to be moved off the network in any number of communication pathways
      - Spear phishing attacks using bogus mailboxes created on the mail system
    » Their true approach is not always the obvious one
      - C&C servers in places like HVAC or other low profile systems, versus file servers
      - Drop locations are not in China or Belarus, but in the U.S.
  • 25. Sample Approach to Resilience
    » Stage 1: malware with dyndns-enabled hostnames, exclusively routed to non-routable IP addresses – later, FTP (or other pathway) out to a domestic system
    » Stage 2: XORd traffic over port 443 for data exfiltration and C&C, resolving to legitimate IP addresses – blending in with legitimate traffic
    » Stage 3: very long beacon times (>2 weeks), SSL communications, not using dyndns domains – hard-coded IP addresses, desperate to maintain access to the network
  • 26. Today’s adversaries leverage every weakness
    » Failure of AV and IDS to detect both ZeuS and other known exploits, and unknown emerging threat problems
    » Security program weaknesses – ongoing failure of controls and visibility:
      - Open domain admin accounts
      - Passwords backed up in clear text files
      - Postings on public forums containing questions regarding the organization’s firewall rules
      - Flat security architecture (no segmentation of traffic)
      - Inadequate use of firewall ACLs and logging
    » Lack of other prudent security techniques such as full packet capture, DNS blackholing, two factor authentication, etc.
  • 27. Case Study: Understanding a Custom ZeuS-based APT Spear Phishing Attack
  • 28. Finding bad things on the network: Are all ZeuS variants created equal?
  • 29. (no slide text)
  • 30. (no slide text)
  • 31. “DPRK has carried out nuclear missile attack on Japan” » AV effectively “neutered” by overwriting the OS hosts file » Attempts to retrieve updates from vendor update server hosts routed to 127.0.0.1 » Back to our “ATTACKER FREE TIME” discussion: if AV didn’t pick up the malware initially, it never will now
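A defender-side check for the hosts-file trick on this slide, added here as an example and not part of the original deck: it parses a constructed hosts file and flags watched update hostnames that have been pinned to loopback, unspecified or non-routable addresses. The av-vendor.example hostnames and the watch list are placeholders, not a real vendor's update hosts.

```python
import ipaddress
import re

# Constructed sample hosts file (not from the deck). The three av-vendor
# entries mimic the slide: update hostnames pinned so signatures never arrive.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.example
0.0.0.0         liveupdate.av-vendor.example   # constructed malware entry
10.255.255.1    definitions.av-vendor.example
93.184.216.34   www.example.com
"""

# Hostnames that must resolve to real, external servers (assumption: in
# practice populate this from the AV product's documented update hosts).
WATCHED_HOSTS = {
    "update.av-vendor.example",
    "liveupdate.av-vendor.example",
    "definitions.av-vendor.example",
    "www.example.com",
}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        for name in names:
            yield ip, name.lower()


def is_sinkhole(ip):
    """True if traffic to ip can never reach an external update server."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # malformed entry; report it elsewhere, not here
        return False
    return addr.is_loopback or addr.is_unspecified or addr.is_private or addr.is_reserved


def find_sinkholed_hosts(text, watched=WATCHED_HOSTS):
    """Return [(hostname, ip)] for watched names whose hosts entry is a sinkhole."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in watched and is_sinkhole(ip):
            findings.append((name, ip))
    return findings


if __name__ == "__main__":
    for name, ip in find_sinkholed_hosts(SAMPLE_HOSTS):
        print(f"ALERT: {name} is pinned to {ip} in the hosts file")
```

On a live host, read the platform's hosts file in place of SAMPLE_HOSTS and raise the finding into the same monitoring that tracks whether the AV agent's signature age is growing.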
  • 32. Infection Progression – Nothing Unusual » After a user clicks on the link, the file “report.zip” is downloaded from dnicenter.com » If the user opens the file, the malware is installed » Malware is actually a Zeus variant; the author used techniques to hamper reverse-engineering / analysis of the binary
  • 33. Further Network Forensics Evidence… » ZeuS configuration file download » This type of problem recognition can be automated
  • 34. » Malware stealing files of interest to the drop server in Minsk » FTP drop server is still resolving to the same address » Early on March 8, 2010, server cleaned out and account disabled » username: mao2 password: [captured]
  • 35. Files harvested from victim machines in drop server (located in Minsk, Belarus) » FTP drop hosted in Minsk, with directory listing of 14 compromised hosts containing exfiltrated data
  • 36. » Time graph of beaconing activity and metadata showing comms to C&C server – all via “allowed pathways”
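The beaconing time graph on this slide, and the "very long beacon times" of stage 3 on slide 25, reduce to an inter-arrival analysis over connection metadata. The following is an added example, not the deck's or NetWitness' code, run over constructed connection records; the hosts, the c2-a.example name and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def constructed_events():
    """Constructed connection records (timestamp, src, dst, dst_port); not real data."""
    base = datetime(2010, 3, 1, 9, 0, 0)
    events = []
    # Host A: hourly check-in with a little jitter (hypothetical C&C name).
    for i in range(8):
        events.append((base + timedelta(hours=i, seconds=(i % 3) * 20),
                       "10.1.2.3", "c2-a.example", 443))
    # Host B: one check-in every 14 days, like the stage 3 "very long beacon times".
    for i in range(4):
        events.append((base + timedelta(days=14 * i, minutes=i),
                       "10.1.2.4", "203.0.113.7", 443))
    # Host C: ordinary irregular browsing to a single site.
    for gap in (0, 3, 4, 20, 21, 60, 200):
        events.append((base + timedelta(minutes=gap),
                       "10.1.2.5", "www.example.com", 80))
    return events


def beacon_candidates(events, min_events=4, max_cv=0.1):
    """Flag (src, dst, port) pairs whose inter-arrival times are suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections. A beacon scores low whatever its period, which is
    what lets a two-week beacon surface next to an hourly one.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), stamps in by_pair.items():
        if len(stamps) < min_events:        # too few samples to judge regularity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port, "events": len(stamps),
                         "period_hours": round(mu / 3600, 2), "jitter_cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["period_hours"])


if __name__ == "__main__":
    for hit in beacon_candidates(constructed_events()):
        print(hit)
```

The long-period case only appears if the metadata retention window covers several beacon intervals, which is the practical argument for keeping session metadata far longer than full packets.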
  • 37. Example: Good network visualization » Find Compromises. Funnel: ½ million sessions (100% of total)
  • 38. Example: Good network visualization » Find Compromises. Funnel: ½ million sessions (100% of total) → HTTP: ~125,400 sessions (25% of total)
  • 39. Example: Good network visualization » Find Compromises. Funnel: ½ million sessions (100% of total) → HTTP: ~125,400 sessions (25% of total) → HTTP w/ abnormal headers: ~100,000 (20% of total)
  • 40. Example: Good network visualization » Find Compromises. Funnel: ½ million sessions (100% of total) → HTTP: ~125,400 sessions (25% of total) → HTTP w/ abnormal headers: ~100,000 (20% of total) → Non-standard countries (or destinations): 670 (0.1% of total)
  • 41. Example: Good network visualization » Find Compromises. Funnel: ½ million sessions (100% of total) → HTTP: ~125,400 sessions (25% of total) → HTTP w/ abnormal headers: ~100,000 (20% of total) → Non-standard countries (or destinations): 670 (0.1% of total) → Interesting file types: 200 (0.04% of total)
  • 42. Example: Good network visualization » Find Compromises. Funnel: ½ million sessions (100% of total) → HTTP: ~125,400 sessions (25% of total) → HTTP w/ abnormal headers: ~100,000 (20% of total) → Non-standard countries (or destinations): 670 (0.1% of total) → Interesting file types: 200 (0.04% of total). We need to stop the failure rate and get better at using these types of techniques.
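The session-triage funnel built up over slides 37 to 42, implemented over constructed session records as an added example (not the deck's or NetWitness' code). The header heuristics, the expected-country list and the file-type list are assumptions an analyst would tune to their own estate; the output mirrors the slide's count and percent-of-total at each stage.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    proto: str
    dst_country: str
    headers: Dict[str, str] = field(default_factory=dict)
    filename: Optional[str] = None


# Constructed sessions (not from the deck). BY and CN are the case study's
# drop-server and C&C locations, reused here purely as sample values.
SAMPLE_SESSIONS = [
    Session("http", "US", {"Host": "www.example.com", "User-Agent": "Mozilla/5.0"}),
    Session("http", "GB", {"Host": "www.example.org", "User-Agent": "Mozilla/5.0"}, "index.html"),
    Session("dns", "US"),
    Session("http", "BY", {"Host": "203.0.113.9", "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0)"}, "config.bin"),
    Session("http", "BY", {"User-Agent": "WinHttp"}, "report.zip"),
    Session("http", "US", {}),
    Session("https", "BY"),
    Session("http", "CN", {"Host": "198.51.100.4", "User-Agent": "curl/7.19"}, "docs.rar"),
    Session("http", "CN", {"User-Agent": "WinHttp"}, "gate.php"),
    Session("smtp", "US"),
]

EXPECTED_COUNTRIES = {"US", "GB"}          # assumption: where this estate's traffic normally goes
INTERESTING_EXT = {"zip", "rar", "7z", "exe"}   # archives and executables (slide 24: RAR'd bunches)


def is_http(s):
    return s.proto == "http"


def abnormal_headers(s):
    """No Host header, or a User-Agent that no managed browser would send."""
    return "Host" not in s.headers or not s.headers.get("User-Agent", "").startswith("Mozilla/")


def nonstandard_country(s):
    return s.dst_country not in EXPECTED_COUNTRIES


def interesting_file(s):
    return s.filename is not None and s.filename.rsplit(".", 1)[-1].lower() in INTERESTING_EXT


FUNNEL = [
    ("HTTP", is_http),
    ("HTTP w/ abnormal headers", abnormal_headers),
    ("Non-standard countries", nonstandard_country),
    ("Interesting file types", interesting_file),
]


def run_funnel(sessions, stages=FUNNEL):
    """Apply each stage in turn; return ([(label, count, pct_of_total)], survivors)."""
    total = len(sessions)
    survivors = list(sessions)
    report = [("All sessions", total, 100.0)]
    for label, keep in stages:
        survivors = [s for s in survivors if keep(s)]
        report.append((label, len(survivors), round(100.0 * len(survivors) / total, 2)))
    return report, survivors


if __name__ == "__main__":
    report, hits = run_funnel(SAMPLE_SESSIONS)
    for label, count, pct in report:
        print(f"{label:28s} {count:6d} ({pct}% of total)")
```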
  • 43. Conclusions
  • 44. Combating Advanced Threats Requires More and Better Information… (data sources ordered from lowest to highest value)
    » Firewalls, Gateways, etc. – Overwhelming amounts of data with little context, but can be valuable when used within a SEIM and in conjunction with network forensics.
    » IDS Software – For many organizations, the only indicator of a problem, only for known exploits. Can produce false positives and is limited by signature libraries.
    » NetFlow Monitoring – Network performance management and network behavioral anomaly detection (NBAD) tools. Indicators of changes in traffic flows within a given period, for example, DDOS. Limited by lack of context and content.
    » SEIM Software – Correlates IDS and other network and security event data and improves signal to noise ratio. Is valuable to the extent that data sources have useful information and are properly integrated, but lacks event context that can be provided by network forensics.
    » Real-time Network Forensics (NetWitness) – Collects the richest network data. Provides a deeper level of advanced threat identification and situational awareness. Provides context and content to all other data sources and acts as a force multiplier.
  • 45. Take-Away
    » Advanced adversaries and emerging threats require revolutionary thinking
    » Current security paradigms are completely broken -- all organizations (including yours) will be compromised – no matter how good your security team
    » The real objective should be improving visibility at the application layer -- this goal requires complete knowledge of the network and powerful analytic tools and processes
    » Goals:
      » Lower risk to the organization
        - Improve incident response through shortened time to problem recognition and resolution
        - Reduce impact and cost related to cyber incidents
        - Generate effective threat intelligence and cyber investigations
      » Reduce uncertainty surrounding the impact of new threat vectors
      » Conduct continuous monitoring of critical security controls
      » Achieve situational awareness – being able to answer any conceivable cyber security question – past, present or future
    Copyright 2007 NetWitness Corporation
  • 46. Q&A » Email: chris.brown@netwitness.com » Websites: http://www.netwitness.com and http://www.rsa.com » Twitter: @netwitness, @tufferb » Blog: http://www.networkforensics.com
  • 47. YOUR YEAR-ROUND IT RESOURCE – access to everything you’ll need to know
  • 48. THE WHOLE TECHNOLOGY STACK from start to finish
  • 49. COMMENT & ANALYSIS: Insights, interviews and the latest thinking on technology solutions
  • 50. VIDEO: Your source of live information – all the presentations from our live events
  • 51. TECHNOLOGY LIBRARY: Over 3,000 whitepapers, case studies, product overviews and press releases from all the leading IT vendors
  • 52. EVENTS, WEBINARS & PRESENTATIONS: Missed the event? Download the presentations that interest you. Catch up with convenient webinars. Plan your next visit.
  • 53. Directory: A comprehensive A-Z listing providing in-depth company overviews
  • 54. ALL FREE TO ACCESS 24/7
  • 55. online.ipexpo.co.uk