Talk from the event "Cybersecurity: the new era in incident response and data auditing"
Jim Butterworth - Senior Cybersecurity Director, Guidance Software Inc.
Brasília, 4 August 2010
10. Field Experience in IR
- Intellectual Property Theft
- Information Warfare / Cyber Forensics for USSTRATCOM / US Navy
- eDiscovery for Federal and State Departments
- Sabotage of Critical Infrastructure (Oil/Water/Gas)
- Network Sabotage to secure contracts
- Malware Analysis & 0-Day Incident Containment
- Phishing and PII theft
- Employee Misuse of assets/access for personal gain
12. Primary Attack Vectors
- Digital insider attacks
- Previously compromised systems
- Client-side applications (applications running on desktop / end-user systems, including email readers, web browsers, media players, instant messengers, productivity tools such as MS Office, etc.)
- Operating systems
- Web applications
- Wireless networks
13. 2009 Trends in Attacks Against .GOV
- SQL Injection and Cross-site Scripting
- Island Hopping (Unisys/DHS)
- Remote User Compromise: VPN Attacks, Client Side Attacks
- PKI Compromise: Private Key Theft
- Zero-Day Attacks / Drive By Downloads
- Automated Attack Tools
- Digital Insider Attacks
14. Keeping Up
Technical Challenges:
- High profile attacks: good vectors need concealment
- C2 of malware is sophisticated; the landscape changes
- We're not looking for a single file; many artifacts are dropped
- Designed to evade detection
- Designed to persist despite defensive techniques
- We're trying to find the needle in the haystack
- No Magic Pill to take or Silver Bullet to shoot
- Analysis is considered heavy lifting
- Malware exists at a Tactical level, yet is analyzed at a Strategic level
But: "k0d3R2 r LA2y" (Coders are Lazy): they reuse code…
15. Evolving Threats
- Perimeter defense won't stop it
- New Technologies bring new Exploits
- Threats can be Outside-In & Inside-Out
- A determined hacker will find a way (high end)
- Hacking has become "Productized" (low end)
- Nasty stuff is memory resident only
- Better QA in some malware than in COTS software
- Designed to be Resilient and Persistent!
16. Points to Ponder
Incident Response: actions taken AFTER an event has been detected
- This is D/BDA (Digital/Battle Damage Assessment)
- Concentrates on restoral and damage control
Intelligence Preparation of the Cyber Battlefield
- Surveillance & Recon Planning: what you bring…
- Terrain & Weather: what technology brings…
- Digital Order of Battle: what the enemy brings…
- Enemy capability to impact or influence your operations
- Cyber Denial & Deception? Cyber Psyops?
17. EnCase® Enterprise – The Industry Standard Platform for Conducting Network Investigations
"We originally thought of EnCase Enterprise as an e-forensic tool only. However, Guidance Software's solution addresses virtually every aspect of information security and eDiscovery." (Litigation Counsel, Dell)
21. EnCase Cybersecurity provides…
- Network-enabled incident response: cyberforensic triage and analysis, attack attribution analysis, and remediation
- System deviation assessments: expose system integrity issues caused by anomalous or unknown threats
- Data policy enforcement: identify and wipe PII/IP/Classified data from unauthorized endpoints
Why Risk Compromising Your Data?
22. Network-enabled Incident Response: How it Works
You've Been Compromised!
- EnCase Cybersecurity collects data from potentially affected machines for analysis…
- …which are then compared to the appropriate pre-defined system profiles
- …and further culled down by comparison to the included whitelist database
- The resulting set is analyzed against potentially relevant running processes
- Leaving a small set of high-priority binaries for deep analysis
- The resulting confirmed malware is used as a basis for exact and near match scans in order to locate and remove the threat network-wide. This is where Entropy takes charge…
23. EnCase Enterprise vs. EnCase Cybersecurity – High Level Overview
[Comparison table; only its legend survived extraction. Legend: Manual Process / Automated Process; Not Included / Included. Footnotes: * No PST/NST Output; ** Includes PST/NST Output; *** Limited SharePoint search capabilities]
28. Current Product Capabilities
- Proactive Data Security & Compliance: auditing PII, PCI, etc. data leakage and risks; reveal & detect internal threats; identify & validate external threats (including polymorphic malware)
- Reactive "Cyber forensic endpoint" incident response: responding to & remediating advanced malware & Zero-day attacks
- Reducing/minimizing information security workflow complexity: integration with SIEM tools, IDS/IPS systems, etc.
- Leverages investment in existing EnCase Infrastructure: built as an application on top of EnCase Enterprise; built using the ECC application framework
29. EnCase Cybersecurity provides… System deviation assessments
- Expose system integrity issues caused by anomalous or unknown threats
- Create Profiles of known good machines: Static (on disk), Dynamic (in runtime)
- Integrate with Bit9 database for Application Whitelisting
- Enables proactive scheduled scans for system deviations
- Trusted Computing Environments
30. Introducing EnCase® Cybersecurity System Deviation Assessment
How do you make the unknown known?
- Deviation assessments capture running processes (up to 10,000 nodes per hour!)
- Compare against trusted baseline and whitelist
- Analyze resulting set of unknown processes
- Identify unapproved process or malware
- Update baseline(s)
31. System Deviation Assessment: How It Works
Regularly scheduled, rapid scans for anomalies across a range of endpoints
- Running processes are gathered at lightning speed, up to 10,000 nodes per hour
- …and are then compared to the appropriate customer-defined profiles
- …and further culled down by comparison to the included whitelisting database
- Leaving a small set of processes for further analysis
- Good processes can be added to the trusted profile(s). Unapproved processes can be remediated.
32. How it Works: Stay in a Trusted State
- Profile: Baseline a "trusted" configuration for each endpoint, using optional Bit9 databases to pinpoint suspicious content
- Audit: Automatically search out sensitive IP and PII from any system on your network, exposing risk and enabling clean-up
- Restore: Return drifting or compromised configurations to a trusted state by deleting malware, inappropriate data, and unauthorized software
- Enforce and collect: Apply policies and remotely retrieve sensitive data, capturing its metadata for evidence
33. System Deviation Assessment: How do You Expose the Unknown?
- Assess: Scan endpoints against baselines to expose unknowns
- Detect: Unknowns become events
- Secure: Restore systems to baseline through remediation, update baseline(s)
- Respond: Analyze unknowns, identify malware or unapproved processes
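The baseline-then-whitelist culling that slides 22 and 30-33 describe, as an added example in Python. This is not Guidance Software's code and says nothing about how EnCase implements it; the profiles, endpoint names, paths and "sha256-…" digests are constructed placeholders, and the Bit9-style whitelist is just a set of known-good hashes.

```python
"""Added example (not EnCase or Guidance Software code): a toy system deviation
assessment.  Running-process inventories from several endpoints are compared
against a per-profile trusted baseline and then against a global whitelist; what
survives both filters is the 'unknown' set that becomes an event for an analyst.
Endpoint names, paths and digests are constructed sample data, not real IoCs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    path: str
    sha256: str  # constructed placeholder digests, not real file hashes


# Trusted baselines keyed by customer-defined profile (slide 31).
BASELINES = {
    "workstation": {
        Process(r"C:\Windows\System32\svchost.exe", "sha256-svchost-known-good"),
        Process(r"C:\Windows\explorer.exe", "sha256-explorer-known-good"),
    },
    "webserver": {
        Process(r"C:\Windows\System32\svchost.exe", "sha256-svchost-known-good"),
        Process(r"C:\inetpub\w3wp.exe", "sha256-w3wp-known-good"),
    },
}

# Global application whitelist of known-good hashes (slide 29's Bit9 database, stand-in).
WHITELIST = {"sha256-svchost-known-good", "sha256-explorer-known-good",
             "sha256-w3wp-known-good", "sha256-notepad-known-good"}


@dataclass
class DeviationEvent:
    endpoint: str
    profile: str
    unknown: list  # processes matching neither the baseline nor the whitelist


def assess(endpoint, profile, running, baselines=BASELINES, whitelist=WHITELIST):
    """Assess: compare running processes to the profile baseline, then cull by whitelist."""
    not_in_baseline = [p for p in running if p not in baselines[profile]]
    unknown = [p for p in not_in_baseline if p.sha256 not in whitelist]
    return DeviationEvent(endpoint, profile, unknown)


def assess_fleet(inventory, baselines=BASELINES, whitelist=WHITELIST):
    """Detect: every endpoint with a non-empty unknown set becomes an event."""
    events = []
    for endpoint, (profile, running) in inventory.items():
        ev = assess(endpoint, profile, running, baselines, whitelist)
        if ev.unknown:
            events.append(ev)
    return events


def approve(baselines, profile, process):
    """Secure: an analyst-approved process is added to the trusted profile so it no
    longer surfaces as unknown on the next scheduled scan.  Returns a new mapping."""
    updated = dict(baselines)
    updated[profile] = set(baselines[profile]) | {process}
    return updated


# Constructed inventory: what one scan of three endpoints might return.
SAMPLE_INVENTORY = {
    "WS-0001": ("workstation", [
        Process(r"C:\Windows\System32\svchost.exe", "sha256-svchost-known-good"),
        Process(r"C:\Windows\explorer.exe", "sha256-explorer-known-good"),
        Process(r"C:\Windows\notepad.exe", "sha256-notepad-known-good"),  # not in baseline, but whitelisted
    ]),
    "WS-0002": ("workstation", [
        Process(r"C:\Windows\System32\svchost.exe", "sha256-svchost-known-good"),
        Process(r"C:\Users\Public\update.exe", "sha256-unknown-binary-1"),  # unknown -> event
    ]),
    "WEB-01": ("webserver", [
        Process(r"C:\inetpub\w3wp.exe", "sha256-w3wp-known-good"),
        Process(r"C:\Windows\Temp\svchost.exe", "sha256-unknown-binary-2"),  # trusted name, wrong path and hash
    ]),
}

if __name__ == "__main__":
    for ev in assess_fleet(SAMPLE_INVENTORY):
        for p in ev.unknown:
            print(f"{ev.endpoint} [{ev.profile}] unknown process: {p.path} ({p.sha256})")
```

Note that the baseline match is on path and hash together, so a binary that borrows a trusted name (the Temp\svchost.exe case) still falls through to the unknown set; whitelist matching is by hash only, which is why a clean notepad.exe that is missing from a profile is culled rather than raised.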
34. How it Works… Maximize Operational Resources
- System Profile and Analysis with Bit9: Alert comes in and first response is to see if any code is out of profile on system(s) (RUN THIS DAILY)
- RAM Analysis: If code is found to be out of profile, Snapshot and other analysis is done to determine if suspicious code is a threat
- Triage: After basic analysis confirms the activity of the suspicious code, core functionality is used to further investigate the incident (What? When? Who? How?)
- Code Analysis: Further analysis of the malicious code to determine the full extent of the threat to the enterprise. Calculate Entropy value to find polymorphic iterations and remediate the threat
42. Can determine if a piece of Malware is polymorphic, if it can transfer files, etc.
44. Malware's Intended Consequence
- You are always vulnerable to the unknown…
- It is impossible to achieve impenetrability
- If I can get you knocked off the grid, is that a mission kill?
- We like "Point & Click" & "Idiot Proofed" automated solutions that are easy to operate and subsequently easy to circumvent (Plug & Pray)
- Appliance-based sensors that you just set and forget… (Plug and Prey)
- Puts you in perpetual catch-up mode
- It is called a "0-Day" for a reason: they know you can't patch against the unknown…
45. Current Methods for Finding Malware
- Hashing: MD5/SHA formats
- Context Triggered Piecewise Hashing (i.e., rolling hash), "Fuzzy Hashing": easy to fool
- Signature based detection: relies on hashes or other code fragments; computationally expensive, takes time
- Deep Packet Inspection / Stream Analysis: checking it coming in and going out
52. Polymorphic Code
- When creating a new instance, the malware uses code encryption to encrypt its body (payload)
- Different keys are used in different instances, so the body is a different sequence of bytes
- Simple signatures that are just sequences of bytes in the body are fooled
- Polymorphic decryption: several algorithms; uses code obfuscation
- Signature changes constantly
53. Detection of Polymorphic Code
- Commercial antivirus software is challenged to detect polymorphic malware (viruses and trojans) in real time
- Signature is created to detect MUTEX code segments (vendors may take days…)
- Virtualization is used to command & control code execution to find a detectable sequence in the body
- APT malware employs anti-reversing techniques to defeat code analysis (detection of sandbox & virtualization = morph)
- Polymorphic worms: cyber speed is expressed in milliseconds
54. Current Methods for Finding Malware (including polymorphic)
- Hashing: MD5/SHA formats
- Context Triggered Piecewise Hashing (i.e., rolling hash), "Fuzzy Hashing": easy to fool
- Signature based detection: relies on hashes or other code fragments; computationally expensive, takes time
- Deep Packet Inspection
- Indexing DOESN'T scale to the Enterprise
- Code mutation used to change malware attributes makes identification difficult
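Slides 45 and 54 name context-triggered piecewise hashing ("fuzzy hashing") as a near-match method and call it easy to fool. The following added Python example (my own toy implementation, not ssdeep and not anything from the talk) shows the mechanism: a rolling hash over a small window decides where to cut the input, each piece is hashed to one character, and two signatures are scored by how much of their piece sequence they share. The window size, block size, alphabet and sample inputs are all constructed choices.

```python
"""Added example (not from the talk, not ssdeep): a minimal context-triggered
piecewise hash and a similarity score, to show why a one-byte edit leaves the
fuzzy hash mostly intact while any exact hash changes completely, and why a
whole-file transform (compression, encryption) leaves nothing to match."""
import hashlib
import random

ROLL_WINDOW = 7          # constructed: bytes of context feeding the rolling hash
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def rolling_hash_values(data, window=ROLL_WINDOW):
    """Yield a hash of the last `window` bytes at every position.  It depends only
    on local context, so an edit disturbs triggers only within `window` bytes."""
    buf = []
    for b in data:
        buf.append(b)
        if len(buf) > window:
            buf.pop(0)
        h = 0
        for i, x in enumerate(buf):          # simple polynomial hash of the window
            h = (h * 31 + x + i) & 0xFFFFFFFF
        yield h


def ctph(data, block_size=16):
    """Cut the input wherever the rolling hash hits the trigger value, hash each
    piece, and emit one alphabet character per piece."""
    sig, start = [], 0
    for pos, rh in enumerate(rolling_hash_values(data)):
        if rh % block_size == block_size - 1:
            piece = data[start:pos + 1]
            sig.append(ALPHABET[hashlib.sha1(piece).digest()[0] & 0x3F])
            start = pos + 1
    if start < len(data):                     # trailing piece
        sig.append(ALPHABET[hashlib.sha1(data[start:]).digest()[0] & 0x3F])
    return f"{block_size}:" + "".join(sig)


def similarity(sig_a, sig_b):
    """0..100: length of the longest common subsequence of piece characters,
    relative to the longer signature."""
    a, b = sig_a.split(":", 1)[1], sig_b.split(":", 1)[1]
    if not a or not b:
        return 0
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0]
        for j, cb in enumerate(b):
            cur.append(prev[j] + 1 if ca == cb else max(prev[j + 1], cur[j]))
        prev = cur
    return 100 * prev[-1] // max(len(a), len(b))


def exact_hash(data):
    """Traditional digest for comparison: any change gives an unrelated value."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample inputs (seeded so results are reproducible).
_rng = random.Random(2010)
WORDS = [b"alpha", b"bravo", b"charlie", b"delta", b"echo", b"foxtrot", b"golf", b"hotel"]
ORIGINAL = b" ".join(_rng.choice(WORDS) for _ in range(400))
_edited = bytearray(ORIGINAL)
_edited[1200] = ord("X")                     # one-byte change in the middle
EDITED = bytes(_edited)
UNRELATED = bytes(_rng.getrandbits(8) for _ in range(len(ORIGINAL)))  # stands in for a repacked/encrypted copy

if __name__ == "__main__":
    print("exact hashes equal:", exact_hash(ORIGINAL) == exact_hash(EDITED))
    print("fuzzy similarity, one-byte edit:", similarity(ctph(ORIGINAL), ctph(EDITED)))
    print("fuzzy similarity, unrelated bytes:", similarity(ctph(ORIGINAL), ctph(UNRELATED)))
```

The caveat the slide makes ("easy to fool") is visible in the last line: a copy whose bytes were transformed as a whole, which is exactly what slide 72's ZIP/RAR, XOR and encryption steps produce, shares no pieces with the original, so near-match scanning has to run on the unpacked content or be paired with the entropy check discussed later.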
55. Behavioral Detection
- Behavior based detection is mostly dynamic analysis based; static analysis may be combined (streams)
- Sandboxed code execution
- Some malware exhibits identifiable run-time behavior, for example: spyware that hijacks the browser; bot programs that access a C2 server; adware that may show popups and ads
- Principle: define "templates" of bad behavior; use run-time monitoring to find a match
- Run-time monitoring is mostly of system calls, API calls, or an observable behavior
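The "templates of bad behavior" principle on slide 55, as an added Python example of my own (not from the talk or any product). A template is an ordered list of predicates over monitored API events; a process matches when its trace satisfies them in order. The three templates mirror the slide's examples (browser hijack, bot reaching a C2 server, adware popups); the API names, registry paths and the trace itself are constructed sample telemetry, not real malware behaviour.

```python
"""Added example (not from the talk): matching per-process run-time event
traces against ordered behaviour templates.  Event names, paths and addresses
are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    api: str   # monitored call name (constructed, loosely Win32-like)
    arg: str   # the argument of interest for that call


# Templates: an ordered list of predicates; all must be met, in order, by a trace.
TEMPLATES = {
    "browser-hijack": [
        lambda e: e.api == "RegSetValue" and "Internet Settings" in e.arg,
        lambda e: e.api == "RegSetValue" and "Start Page" in e.arg,
    ],
    "bot-c2-beacon": [
        lambda e: e.api == "CreateFile" and e.arg.lower().endswith(".exe"),
        lambda e: e.api == "RegSetValue" and "CurrentVersion\\Run" in e.arg,
        lambda e: e.api == "InternetConnect",
    ],
    "adware-popups": [
        lambda e: e.api == "ShellExecute" and e.arg.startswith("http"),
        lambda e: e.api == "ShellExecute" and e.arg.startswith("http"),
    ],
}


def matches_in_order(trace, predicates):
    """Subsequence match: predicate k must be met by an event after the one that met k-1."""
    i = 0
    for ev in trace:
        if i < len(predicates) and predicates[i](ev):
            i += 1
    return i == len(predicates)


def classify(events, templates=TEMPLATES):
    """Group events by pid and return the sorted list of template names each pid satisfies."""
    traces = {}
    for ev in events:
        traces.setdefault(ev.pid, []).append(ev)
    return {pid: sorted(name for name, preds in templates.items() if matches_in_order(trace, preds))
            for pid, trace in traces.items()}


# Constructed trace; 203.0.113.x is a documentation address range, not a real host.
SAMPLE_TRACE = [
    Event(100, "CreateFile", r"C:\Users\alice\Documents\report.docx"),
    Event(100, "WriteFile", r"C:\Users\alice\Documents\report.docx"),
    Event(200, "CreateFile", r"C:\Users\bob\AppData\Roaming\svc.exe"),
    Event(200, "RegSetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    Event(200, "InternetConnect", "203.0.113.10:443"),
    Event(300, "RegSetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer"),
    Event(300, "RegSetValue", r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page"),
    Event(300, "ShellExecute", "http://example.invalid/landing"),
    Event(400, "ShellExecute", "http://example.invalid/ad1"),
    Event(400, "ShellExecute", "http://example.invalid/ad2"),
    # pid 500 touches the same APIs as a bot but in a different order (e.g. an updater
    # that checks in first, then writes and registers); the ordered template does not fire.
    Event(500, "InternetConnect", "203.0.113.20:443"),
    Event(500, "CreateFile", r"C:\Program Files\Updater\new.exe"),
    Event(500, "RegSetValue", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
]

if __name__ == "__main__":
    for pid, names in classify(SAMPLE_TRACE).items():
        print(pid, names or "no template matched")
```

Order sensitivity cuts both ways: it keeps a legitimate updater (pid 500) from tripping the bot template, but an ordered template is also sidestepped by any variant that reorders its steps, which is why such templates are usually combined with the profile and whitelist checks from the earlier slides rather than used alone.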
56. Traditional Hash Algorithms
Take an unlimited number of bytes and construct a fixed size digest
[Figure: file contents shown as blocks of bytes (AB 15 73 2F DE CB 3C 2A 14 7B 34 FF …) fed through the hash algorithm, producing the hash value 2F3CF732F3CFFDECB152A147B2F3CF56]
57. Hash Properties
- Two files with the same hash will almost certainly have the same contents and size
- Great for detecting exact file matches
- If a single byte changes, the hash value changes completely (actually 50% of the bits on average)
- The hash value has no "meaning": one cannot infer information about the file from the value of the hash (good for security)
- Examples: CRC32, MD5, SHA1, SHA256
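The "50% on average" claim on slide 57 is the avalanche property of a cryptographic hash, and it is the reason exact hashes are useless for near matching. This added Python example (mine, not from the talk) measures it directly: flip one bit of a sample input at many positions and count how many digest bits change. The sample text and the number of positions are constructed choices; the hash functions are the standard library's.

```python
"""Added example (not from the talk): measuring the avalanche effect of
traditional digests.  Exact-match detection works because equal inputs give
equal digests; near-match detection fails because a single flipped input bit
changes about half of the digest bits."""
import hashlib


def bit_difference(a: bytes, b: bytes, algo: str = "sha256") -> int:
    """Hamming distance, in bits, between the digests of two inputs."""
    da = hashlib.new(algo, a).digest()
    db = hashlib.new(algo, b).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))


def flip_one_bit(data: bytes, index: int) -> bytes:
    """Return a copy of `data` with the lowest bit of byte `index` inverted."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


def same_contents(a: bytes, b: bytes, algo: str = "sha256") -> bool:
    """Exact-match check of the kind slide 57 calls 'great for detecting exact file matches'."""
    return hashlib.new(algo, a).digest() == hashlib.new(algo, b).digest()


def avalanche_ratio(data: bytes, algo: str = "sha256", samples: int = 64) -> float:
    """Average fraction of digest bits that change when one input bit is flipped,
    sampled over `samples` byte positions.  Close to 0.5 for a good hash."""
    digest_bits = hashlib.new(algo).digest_size * 8
    total = sum(bit_difference(data, flip_one_bit(data, i % len(data)), algo)
                for i in range(samples))
    return total / (samples * digest_bits)


# Constructed sample input.
SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 4

if __name__ == "__main__":
    for algo in ("md5", "sha1", "sha256"):
        print(f"{algo:7s} avalanche ratio: {avalanche_ratio(SAMPLE, algo):.3f}")
    print("single-bit flip still an exact match?", same_contents(SAMPLE, flip_one_bit(SAMPLE, 0)))
```

CRC32 from the slide's list is deliberately left out of the loop: it is a checksum, not a cryptographic hash, and does not have this property, which is one more reason it is fine for integrity checks on transmission errors but not as a malware signature.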
58. What is entropy?
[Figure: an ordered system has low entropy; an unordered system has high entropy]
59. What about for files?
[Figure: an ordered file, e.g. the repeating pattern 010101010101…, has low entropy; an unordered file, e.g. a random-looking digit sequence such as 019283784736284725104816351947…, has high entropy]
60. Entropy value range (bits per byte)
Blank (0.0) < Text < EXE < Picture < Compressed < Encrypted < Random (8.0)
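Slides 58-60 give the entropy scale, and slide 34 says entropy is what lets the product find polymorphic iterations whose bytes differ but whose encrypted body stays "random". The added Python example below (mine, not Guidance Software's) computes Shannon entropy in bits per byte, puts a value in a coarse band modelled on slide 60, and scans a file in fixed windows so that a high-entropy island inside an otherwise ordinary file stands out. The band thresholds, window size and all sample inputs are assumptions of the example, not figures from the talk.

```python
"""Added example (not from the talk): Shannon entropy per byte, coarse banding
on the slide-60 scale, and a windowed scan for packed or encrypted regions.
Thresholds and sample data are constructed assumptions."""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 when every byte is the same, 8.0 when all 256 values are equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_entropy(h: float) -> str:
    """Coarse bands in the order of slide 60; the cut-offs are assumed, not from the talk."""
    if h < 2.0:
        return "blank/patterned"
    if h < 6.0:
        return "text/executable"
    if h < 7.2:
        return "picture/compressed"
    return "encrypted/random"


def windowed_entropy(data: bytes, window: int = 512):
    """Entropy of each consecutive window of `window` bytes."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def high_entropy_windows(data: bytes, window: int = 512, threshold: float = 7.0):
    """Indices of windows at or above `threshold`: candidate packed/encrypted sections."""
    return [i for i, h in enumerate(windowed_entropy(data, window)) if h >= threshold]


def pseudo_random(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for encrypted content."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples.
BLANK = bytes(1024)
ORDERED = b"01" * 512                                              # slide 59's "ordered file"
TEXT = (b"The quick brown fox jumps over the lazy dog. " * 23)[:1024]
RANDOM = pseudo_random(4096)
MIXED = TEXT + pseudo_random(1024) + TEXT                          # text with an encrypted middle

if __name__ == "__main__":
    for name, blob in (("blank", BLANK), ("ordered", ORDERED), ("text", TEXT), ("random", RANDOM)):
        h = shannon_entropy(blob)
        print(f"{name:8s} {h:5.3f} bits/byte  -> {classify_entropy(h)}")
    print("high-entropy windows in MIXED:", high_entropy_windows(MIXED))
```

Two things the numbers show that the slide's scale does not: the "010101…" file scores 1.0, not 0.0, because two symbols each appear half the time, and a whole-file value hides a packed section (MIXED averages out to "text"), which is why the windowed scan is the form an analyst actually wants.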
64. Data is the Lifeblood of Government
Government Data: Epicenter of Risk
- Intellectual Property
- Classified Information
- Personnel Data
- Schematics
- Human Resources
- Budgetary
- Defense Contracts
70. Real Life Example #1 (cont.)
- This network had just undergone a survey…
- Some of the spill data was over 5 years old…
- Network had undergone a "technology refresh" 3 yrs previously
- How do you transfer files from one server to the next? Drag & drop; backup tapes; copy to removable drives
- So, classified data was migrated…
- However, in the interest of full disclosure: #1 No TS on UNCLAS; #2 Only 2 real scary leaks; #3 Unit took swift action to contain & report
71. Real Life Example #2
- Performing large enterprise sweep during intrusion
- Find malicious code on machines
- Look at naming convention of machine: indicates machine is (was) on class network
- Was machine improperly connected to domain? Was machine wiped and never renamed?
- Good news… IT personnel reapportioned asset, removed HDD
- Renaming was done via sticker on top of computer…
72. Containing leakage
Exfiltration techniques:
- Store to USB thumb drive
- Email it to the "other" account
- XOR the data (bit shifting)
- Encrypt it
- Collect and compress (ZIP/RAR)
- Covert tunnel it using proprietary packers
On a network share, how do you know who accessed a compromised file?
- Link file analysis
- Matching files search
If you clean a shared repository, have you adequately contained? Can a user save a file to their own desktop?
84. Data-B-Gone
As a side note, no entry was created in the INFO2 file and the Recycler was untouched.
85. Data Risk and Spillage Assessment: How do You Ensure Sensitive Data is Kept in Check?
- Define: Create search criteria for relevant sensitive data
- Identify: Automatically search systems for sensitive data
- Enforce: Collect and/or wipe sensitive data from unauthorized locations
- Assess: Map data found to data policies
86. Data Risk and Spillage Assessment: Data Remediation & Policy Enforcement
In addition to malware and suspicious activity, EnCase Cybersecurity can expose and remediate errant sensitive data
- Ongoing risk assessments for PII/IP and Classified Spillage
- Configurable for your specific data formats (e.g., contract numbers)
- Light passive driver as opposed to a heavy and active agent
- Forensic-grade disk level visibility and validation
- Risk mitigation and policy enforcement through remediation
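The Define / Identify / Assess / Enforce loop of slides 85-86, including the "configurable for your specific data formats (e.g., contract numbers)" point and slide 72's question of whether a user saved a copy to their own desktop, as an added Python example of my own (not EnCase code). Each rule pairs a search pattern with the locations where that data class is permitted; a hit anywhere else gets the collect-and-wipe action. The rules, the allowed roots, the contract-number format and the file contents are all constructed for the example.

```python
"""Added example (not from the talk): rule-driven sensitive-data search with a
policy map from data class to permitted locations.  Patterns, roots and file
contents are constructed; 123-45-6789 is a deliberately invalid sample SSN."""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    pattern: "re.Pattern"
    allowed_roots: tuple  # path prefixes where this data class may legitimately live


# Define: search criteria and the policy for each data class (constructed).
RULES = [
    Rule("us-ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ("\\\\fileserver\\hr\\",)),
    Rule("contract-number", re.compile(r"\bCTR-\d{4}-\d{6}\b"), ("\\\\fileserver\\contracts\\",)),
    # Classification markings are never permitted on this (unclassified) network.
    Rule("classification-marking", re.compile(r"\b(?:TOP SECRET|SECRET//NOFORN)\b"), ()),
]


def is_authorized(path: str, rule: Rule) -> bool:
    """Assess: is this location allowed to hold this class of data?"""
    return any(path.lower().startswith(root.lower()) for root in rule.allowed_roots)


def assess(files: dict, rules=RULES):
    """Identify + Assess: scan every file against every rule and attach the policy action."""
    report = []
    for path, content in files.items():
        for rule in rules:
            matches = [m.group(0) for m in rule.pattern.finditer(content)]
            if not matches:
                continue
            action = "allowed" if is_authorized(path, rule) else "collect-and-wipe"
            report.append({"path": path, "rule": rule.name, "count": len(matches), "action": action})
    return report


def unauthorized_paths(report):
    """Enforce: the distinct locations that need collection and/or wiping."""
    return sorted({r["path"] for r in report if r["action"] == "collect-and-wipe"})


# Constructed file set standing in for a sweep of a share and a user workstation.
SAMPLE_FILES = {
    "\\\\fileserver\\hr\\payroll.txt": "Employee 123-45-6789 pay grade 12\nEmployee 987-65-4320 pay grade 9\n",
    "C:\\Users\\alice\\Desktop\\notes.txt": "call re 123-45-6789, bid is CTR-2010-000123\n",
    "\\\\fileserver\\contracts\\bid.txt": "Contract CTR-2010-000124 awarded\n",
    "\\\\fileserver\\public\\readme.txt": "Nothing sensitive here.\n",
    "C:\\share\\old\\brief.txt": "SECRET//NOFORN - migrated from the old server\n",
}

if __name__ == "__main__":
    rep = assess(SAMPLE_FILES)
    for r in rep:
        print(f"{r['action']:17s} {r['rule']:22s} x{r['count']}  {r['path']}")
    print("locations to remediate:", unauthorized_paths(rep))
```

Matching on a prefix of the path is what turns the slide's "Enforce: collect and/or wipe sensitive data from unauthorized locations" into a decision the scanner can make without a human; the reporting keeps the count per rule rather than the matched values, so the report itself does not become another copy of the spilled data.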
87. Automated Incident Response
EnCase Cybersecurity provides… an open, web-services API to enable third-party applications to trigger investigative/forensic functions, so that automated incident response can be performed. It is optimized when triggered by a SIM/SIEM wherein threshold, prioritization and coverage are all weighted within the requesting sensor.
89. Feature Roadmap
- Job Scheduling: job recurrence; examiner affinity
- Security Centric User Interface: web UI
- Process Automation: API based integration with SIEM, IDS, IPS tools; initial integration with ArcSight; services based offering with other IDS vendors
- Enhanced Reporting
91. EnCase Cybersecurity AIRS module will functionally provide:
- An API to allow data flow between AIRS and 3rd party security applications.
- The ability to automate routine job queuing and execution based on both internal (manual) and external (semi-automatic) triggered events.
- The ability to schedule job execution at a user selectable frequency and recurrence.
- Extension of pre-configured job modules that are to run based upon the class of event trigger received into the queue, or as defined by the operator upon manual entry.
92. 3rd Party Application Programming Interface (API)
- Full API: will accept inbound event queuing; will provide outbound job results
- Open API ensures open framework: user writes own connectors, or uses Professional Services to write a connector
- ArcSight out of the box (partnered)
93. Triggered job creation and execution
Template jobs that will ingest target data:
- Conduct Snapshot
- Preserve data: Image Drive, Image Memory
- Perform System Profile Collection & Subsequent Analysis
- Perform Configuration Assessment (DISA STIG/FDCC)
- Perform PII/IP Audit
- Perform Entropy Remediation
94. Triggered job creation and execution
- Automatically queue and run the job: Automatic, Semi-Automatic, Manual Override
- Alert Threshold, Asset Prioritization, Event Severity
- Distributed Command Center Infrastructure: Remote Examiner Service; jobs assigned by region/AD Forest/segment, etc…
95. Job scheduling
- Minimize bandwidth impact of intensive operations, i.e. Full Disk Imaging
- Assign jobs based upon network infrastructure: keep jobs within segments
- Creation of recurring jobs: set up periodicity and intervals
96. Job status
- Which jobs are running
- Which jobs have completed
- Which jobs remain in the queue
97. Job Results
- Viewable via Web Interface within Cybersecurity
- Open API pushes results to requesting sensor
- Optional: write results to Database
98. User Interface and Report Generator
- Results delivered to "non experts" via web interface
- Consolidate and simplify results
- Provide report generation of items of interest
- Export significant items for archive
99. Saturation Safeguards / "Run Now" Operator Override
- Set Job Queue to auto run: run continuously as licensing permits
- Preconfigured batch limit: spool like jobs and run concurrently
- Operator will be able to select and override: immediately trigger jobs
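Slides 87 and 93-99 describe an event-triggered job queue: a SIEM event is weighted by alert threshold, asset priority and severity, expands into template jobs, and is dispatched under a batch limit with a "Run Now" operator override. The added Python example below is my own sketch of that architecture, not the AIRS module or any Guidance Software code; the event-class-to-template mapping, the asset weights, the threshold, the batch limit and the sample events are all constructed assumptions.

```python
"""Added example (not AIRS or EnCase code): a priority job queue fed by SIEM-style
events.  Score = severity x asset priority; automatic events below the alert
threshold are logged and dropped, everything else expands into template jobs;
dispatch honours a batch limit; 'run now' bypasses both threshold and queue."""
import heapq
import itertools
from dataclasses import dataclass, field

# Constructed mapping from event class to slide-93 template jobs.
JOB_TEMPLATES = {
    "malware-alert": ["snapshot", "image-memory", "system-profile"],
    "data-spill": ["pii-ip-audit"],
    "config-drift": ["configuration-assessment"],
}
ASSET_PRIORITY = {"domain-controller": 3, "server": 2, "workstation": 1}  # constructed weights
ALERT_THRESHOLD = 5                                                       # constructed


@dataclass(order=True)
class Job:
    sort_key: int                       # negative score: heapq pops the smallest first
    seq: int                            # FIFO among equal scores
    template: str = field(compare=False)
    endpoint: str = field(compare=False)
    event_id: str = field(compare=False)
    mode: str = field(compare=False)


class JobQueue:
    def __init__(self, batch_limit=2, threshold=ALERT_THRESHOLD):
        self._heap, self._seq = [], itertools.count()
        self.batch_limit, self.threshold = batch_limit, threshold
        self.running, self.completed, self.dropped = [], [], []

    @staticmethod
    def score(event):
        return event["severity"] * ASSET_PRIORITY.get(event["asset_class"], 1)

    def ingest(self, event, mode="automatic"):
        """Inbound event -> zero or more queued template jobs (slide 94's weighting)."""
        s = self.score(event)
        if mode == "automatic" and s < self.threshold:
            self.dropped.append(event["id"])
            return []
        jobs = []
        for template in JOB_TEMPLATES.get(event["class"], []):
            job = Job(-s, next(self._seq), template, event["endpoint"], event["id"], mode)
            heapq.heappush(self._heap, job)
            jobs.append(job)
        return jobs

    def run_now(self, endpoint, template):
        """Operator override: goes to the front regardless of score or threshold."""
        job = Job(-10**6, next(self._seq), template, endpoint, "manual", "manual-override")
        heapq.heappush(self._heap, job)
        return job

    def dispatch(self):
        """Saturation safeguard: start jobs only while fewer than batch_limit are running."""
        started = []
        while self._heap and len(self.running) < self.batch_limit:
            job = heapq.heappop(self._heap)
            self.running.append(job)
            started.append(job)
        return started

    def complete(self, job):
        self.running.remove(job)
        self.completed.append(job)

    def status(self):
        """Slide 96: running / completed / still queued."""
        return {"running": len(self.running), "completed": len(self.completed), "queued": len(self._heap)}


def demo():
    """Walk three constructed events and one override through the queue; returns the dispatch order."""
    q = JobQueue(batch_limit=2)
    q.ingest({"id": "evt-1", "class": "malware-alert", "endpoint": "WS-0007", "asset_class": "workstation", "severity": 3})
    q.ingest({"id": "evt-2", "class": "data-spill", "endpoint": "FS-01", "asset_class": "server", "severity": 4})
    q.ingest({"id": "evt-3", "class": "malware-alert", "endpoint": "DC-01", "asset_class": "domain-controller", "severity": 5})
    q.run_now("WS-0007", "snapshot")        # analyst wants the low-scoring workstation looked at anyway
    order, first_status = [], None
    while True:
        batch = q.dispatch()
        if not batch:
            break
        if first_status is None:
            first_status = q.status()
        for job in batch:
            order.append((job.template, job.endpoint))
            q.complete(job)
    return {"order": order, "dropped": q.dropped, "first_status": first_status, "final": q.status()}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The threshold and the override are deliberately two separate paths: the threshold keeps a noisy sensor from saturating examiners with low-value workstation jobs, while "run now" exists precisely for the case the score gets wrong, so it must not be subject to the same filter.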
100. Job Refresh / Export XML to 3rd Party
- Refresh Job Status
- Alert 3rd Party Solution that jobs have completed
- Export XML to: Database; 3rd Party Solution; ready to review
101. Real World Use Cases
- Major Defense Contractor
- US Military
- Federal and State Departments
- Critical Infrastructure (Oil/Water/Gas)
- UK Office of Govt Commerce
- NATO
- Financial Industry
- Bio Research