Security is hard job You are everyone’s friend, or enemy People want to see you or they dread seeing you in the hallway You know what you need to do, but good luck getting it done. Today: Talk about why security sucks and what’s wrong with security today in most organizations Some brief examples of why security teams are failing Maybe it will suck less when we are done
Electronic Criminal Groups: Established Underground Industry (continued examples of successful large scale operations) Organization: Low to High Capability: High Intent: High for financial gain “ Kneber” ZeuS BotNet – information sold to anybody Nation-Sponsored Activities: From Intelligence Gathering to Network-Centric Warfare Organization: High Capability: High Intent: Connected to national policy Operation Aurora, Titan Rain, etc.
OK, back to being the CIO of an organized criminal group…
Build Slide…. SUCKER!!!
Unfortunately, our job is usually not as much fun and doesn’t pay as well. So in the face of all this, what’s your job strategy? Maybe you should go work for the government? They have more money and better resources…and you get to wear a tie to work…
The government has it’s problems too….security sucks there too… Advanced - the adversary can operate in the full spectrum of computer intrusion Persistent - the adversary is driven to accomplish a mission Threat - the adversary is: Organized Funded Motivated Analysts speak of multiple &quot;groups&quot; consisting of dedicated &quot;crews&quot; with various missions
Who is NetWitness? Ask the Industry! Ultimately, we can say whatever we want about the value we will bring to your organization, but that value is best defined by what others in the industry say about us. The best security teams on the planet are using NetWitness: Our customers include: 5 of the Fortune 10 A large number of the Global 1000, including 3 of the Top 10 banks. Over 70% of U.S. Federal Agencies are enterprise customers of NetWitness, and most are planning larger deployments Over 45,000 security experts use NetWitness Investigator Freeware. The Analysts agree too: Forrester says that in 2011 all enterprises should inspect and analyze all network traffic to obtain better visibility and that NetWitness is a cutting edge vendor in this space. Gartner says that current malware threats will require approaches other than signature, and named NetWitness as a technology offering an important solution using forensics, behavioral, and reputational based techniques 451 Group says that “ If you can handle the truth, NetWitness can show it to you.” and that “NetWitness is the last security appliance you will ever need to buy.” The company has received a number of awards: Inc.500 -- #21 overall and #1 in Software and DC area WBJ #3 in Wash DC area SC Mag numerous awards Customer Testimonials ----- Meeting Notes (1/16/11 13:33) ----- The people that know a lot about the high threat environment use us.
NetWitness infrastructure builds a pervasive and complete understanding of what is happening across your network Layer 2 to layer 7 – characteristics of network behavior Real-time knowledge Fused with the knowledge of the global security community Threat and fraud intel Business intelligence Community and reputation-based Cloud-based
Just like every other application, provides completeness and security rigor.
How many people have worked with Zeus? There are many commercial and non-commercial variants of Trojans such as ZeuS that have been developed by eCrime groups for specific targets of interest: Banks, DIB, specific government agencies in U.S. and Europe Numerous signs of collaboration among malware writers, including “best practices” for improving techniques for detection avoidance and resilience (e.g. ZeuS and Waledac collaboration noted in NetWitness “Kneber” report) New features, such as the inclusion of robust Backconnect reverse proxy capabilities Many of these non-commercial variants are invisible to typical security tools
This particular directory contains files harvested by the attackers from my bait PC that I set up and infected; each directory (top listing in graphic for “/”) is associated with one victim.
APTs and the Failure of Prevention Wayne Goeckeritz Director of Channels, NetWitness Corporation [email_address] <ul><li>Wayne Goeckeritz </li></ul>
Agenda <ul><li>Discussion Regarding Threat Environment </li></ul><ul><li>Advanced / Persistent Threats – In Context </li></ul><ul><li>Rethinking Network Monitoring – A Quick Case Study </li></ul><ul><li>Take-Aways and Q&A </li></ul>
Malware/APT continues to grow “ State of the Internet” Report, Akamai Technologies
Risk Management 101? <ul><li>Spear phishing attacks </li></ul><ul><li>Poisoned websites and DNS – “Drive-by” attacks </li></ul><ul><li>Pervasive infection (e.g., ZeuS, Aurora, Stuxnet, Night Dragon, / etc.) </li></ul><ul><li>Malware and more malware resulting from all of the above… </li></ul><ul><li>Undetected data exfiltration, leakage, and covert network comms </li></ul><ul><li>Ongoing product vulnerabilities (e.g. Adobe, Microsoft, Oracle ) </li></ul><ul><li>Social Networking / Mobility / Web 2.0 </li></ul><ul><li>Cloud Computing / Other unknown risk profiles </li></ul>
Tracking the Opposing I/T Organization Drop Sites Phishing Keyloggers Botnet Owners Spammers Botnet Services Malware Distribution Service Data Acquisition Service Data Mining & Enrichment Data Sales Cashing $$$ Malware Writers Identity Collectors Credit Card Users Master Criminals Validation Service (Card Checkers) Card Forums ICQ eCommerce Site Retailers Banks eCurrency Drop Service Wire Transfer Gambling Payment Gateways
Are Security Teams Failing? Definitely… <ul><li>People </li></ul><ul><ul><li>Underestimate the complexity and capability of the threat actors </li></ul></ul><ul><ul><li>Do not take proactive steps to detect threats </li></ul></ul><ul><li>Process </li></ul><ul><ul><li>Organizations have misplaced IT measurements and program focus </li></ul></ul><ul><ul><li>IR processes lack correct data and focus </li></ul></ul><ul><li>Technology </li></ul><ul><ul><li>Current technology is failing to detect APT, APA, and other threatss </li></ul></ul><ul><ul><li>Deep holes in network visibility </li></ul></ul>
<ul><li>RISK= </li></ul><ul><ul><li>Threats x </li></ul></ul><ul><ul><li>Assets x </li></ul></ul><ul><ul><li>Vulnerabilities </li></ul></ul>Something missing here…
The Malware Problem <ul><li>54% of breaches involved customized malware (no signature was available at time of exploit (VzB/USSS, 2010) </li></ul><ul><li>87% of records stolen were from Highly Sophisticated Attacks (VzB/USSS, 2010) </li></ul><ul><li>91% of organizations believe exploits bypassing their IDS and AV systems to be advanced threats (Ponemon, 2010) </li></ul>"With security researchers now uncovering close to 100,000 new malware samples a day, the time and resources needed to conduct deep, human analysis on every piece of malware has become overwhelming." (GTISC Emerging Cyber Threats Report 2011)
Current Technologies Are Failing - Firewalls <ul><li>Intent – Prevent or limit unauthorized connections into and out of your network </li></ul><ul><li>Reality – Adversaries are designing malware to use “allowed paths” (DNS, HTTP, SMTP, etc) to provide reliable and hard to detect C&C and data exfiltration channels from inside your internal network. </li></ul><ul><li>Even worse, they are using encrypted tunnels to provide “reverse-connect” for full remote control capabilities. </li></ul>Firewalls
The Gaps in Status Quo Security – IDS/ IPS <ul><li>Intent – Alert on or prevent known malicious network traffic </li></ul><ul><li>Reality – Attackers are using obfuscation methods to prevent IDS signatures from recognizing malicious traffic and client-side attacks that don’t perform “network-based” exploitation </li></ul><ul><li>Even worse: Intrusion Prevention Systems are largely left unimplemented or crippled due to fears of business impact </li></ul>Intrusion Detection/ Prevention Systems
The Gaps in Status Quo Security – Anti-Malware <ul><li>Intent – Prevent malicious code from running on an endpoint, or from traversing your network </li></ul><ul><li>Reality – Most current anti-malware technologies are signature-based, requiring constant signature updates to remain effective. Due to the current level of malware production, these signatures lag behind from days to weeks Even worse…adversaries create custom malware for high value targets. If they don’t use widespread distribution, you are even less likely to have timely signatures. </li></ul>Anti-Malware Technologies From a top AV Vendor Forum
2010 Ponemon Institute Advanced Threats Survey <ul><li>We know what we need to do, but we are not doing it… </li></ul>
2010 Ponemon Institute Advanced Threats Survey <ul><li>Do the math yourself… </li></ul>
New Security Concept: “OFFENSE IN DEPTH” ATTACKER FREE TIME Attack Begins System Intrusion Attacker Surveillance Cover-up Complete Access Probe Leap Frog Attacks Complete Target Analysis Time Attack Set-up Discovery / Persistence Maintain foothold Cover-up Starts Attack Forecast Physical Security Containment & eradication System Reaction Damage Identification Recovery Defender discovery Monitoring & Controls Impact Analysis Response Threat Analysis Attack Identified Incident Reporting Need to collapse attacker free time Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)
Copyright 2007 NetWitness Corporation John Smith CISO
Thinking Differently about Network Monitoring <ul><li>… or, how I learned to love full packet capture… </li></ul>
What Questions Are Vexing Today? <ul><li>Why are packed or obfuscated executables being used on our systems? </li></ul><ul><li>What critical threats are my Anti-Virus and IDS missing? </li></ul><ul><li>I am worried about targeted malware and APTs -- how can I fingerprint and analyze these activities in my environment? </li></ul><ul><li>We need to better understand and manage the risks associated with insider threats – I want visibility into end-user activity and to be alerted on certain types of behavior? </li></ul><ul><li>On our high value assets, how can we have certainty that our security controls are functioning exactly as implemented? </li></ul><ul><li>How can I detect new variants of Zeus or other 0day malware on my network? </li></ul><ul><li>We need to examine critical incidents as if we had an HD video camera recording it all… </li></ul>
Typical Scenario These Days… <ul><li>Visit from the FBI saying, “You have a problem – information is being taken” </li></ul><ul><ul><li>Perhaps IP addresses of compromised machines are provided </li></ul></ul><ul><ul><li>You might be told that certain types of files or email is being stolen </li></ul></ul><ul><ul><li>The CEO does not pay much attention to cyber, generally, but now it has his/her full attention </li></ul></ul><ul><ul><li>What do you do now? </li></ul></ul><ul><li>Knee-jerk reaction: take down these systems/networks, image the drives, rebuild the machines, life goes on, etc. </li></ul><ul><ul><li>WRONG!! </li></ul></ul><ul><li>How do you know what has happened or is really still happening on the network? </li></ul>
What’s really happening (in many cases)… <ul><li>If it’s an advanced persistent threat (APT), the adversary is quite entrenched and has been there for a while </li></ul><ul><ul><li>It’s not simply a piece of malware you can detect and eradicate </li></ul></ul><ul><ul><li>Both COTS variants (ZeuS) and specific custom tools (e.g., file search tools) </li></ul></ul><ul><li>They have the ability to change techniques, control channels, SSL certs, hours of operation, etc. </li></ul><ul><ul><li>Commands scheduled on individual Windows machines </li></ul></ul><ul><ul><li>Text files containing lists of target files </li></ul></ul><ul><ul><li>RAR’d bunches of targeted files ready to be moved off the network in any number of communication pathways </li></ul></ul><ul><ul><li>Spear phishing attacks using bogus mailboxes created on mail system </li></ul></ul><ul><li>Their true approach is not always the obvious one </li></ul><ul><ul><li>C & C servers in places like HVAC or other low profile systems, versus file servers </li></ul></ul><ul><ul><li>Drop locations are not in China or Belarus, but in the U.S. </li></ul></ul>
Today’s adversaries leverage every weakness <ul><li>Failure of AV and IDS to detect both ZeuS and other known exploits, and unknown emerging threat problems </li></ul><ul><li>Security program weaknesses: </li></ul><ul><ul><li>Open domain admin accounts </li></ul></ul><ul><ul><li>Passwords backed up in clear text files </li></ul></ul><ul><ul><li>Postings on public forums containing questions regarding organization’s firewall rules </li></ul></ul><ul><ul><li>Flat security architecture (no segmentation of traffic) </li></ul></ul><ul><ul><li>Inadequate use of firewall ACLs and logging </li></ul></ul><ul><li>Lack of other prudent security techniques such as full packet capture, DNS blackholing, two factor authentication, etc. </li></ul>
Who is Netwitness <ul><li>A quick introduction </li></ul>
<ul><li>Security teams in high threat environments: </li></ul><ul><li>5 of the Fortune 10 </li></ul><ul><li>70% of US Federal agencies </li></ul><ul><li>Over 45,000 security experts around the world </li></ul><ul><li>Recognize for outstanding performance: </li></ul><ul><li>#21 in the 2010 Inc. 500, including #1 in the U.S. in enterprise software companies </li></ul><ul><li>Winner of the SC People’s Choice Award and numerous other industry achievements </li></ul>Security Leaders Leverage NetWitness “ Traditional security measures like firewalls, intrusion detection, patch management, anti-virus, single tier DMZs are not enough to stop the new threats.” CISO Major U.S. Federal Agency “ NetWitness is the last security appliance you will ever need to buy.” Josh Corman 451 Group “ NetWitness is a cutting edge vendor for Network Analysis and Visibility.” John Kindervag Forrester Research <ul><ul><li>“ I rely upon NetWitness to detect and analyze malware that no other product can find. ” </li></ul></ul><ul><ul><li>Director of Incident Response NY Health Care Provider </li></ul></ul>
Enabling A Revolution in Network Monitoring <ul><li>NetWitness Product Tour </li></ul>
Understanding the NetWitness Network Monitoring Platform Automated Malware Analysis and Prioritization Automated Threat Reporting, Alerting and Integration Freeform Analytics for Investigations and Real-time Answers Revolutionary Visualization of Content for Rapid Review
Signature-Free, Automated Malware Analysis, Prioritization, and Workflow Spectrum <ul><li>Mimics the techniques of leading malware analysts by asking thousands of questions about an object without requiring a signature or a known “bad” action </li></ul><ul><li>Leverages NetWitness Live by fusing information from leading threat intelligence and reputation services to assess, score, and prioritize risks </li></ul><ul><li>Utilizes NetWitness’ pervasive network monitoring capability for full network visibility and extraction of all content across all protocols and applications </li></ul><ul><li>Provides transparency and efficiency to malware analytic processes by delivering complete answers to security professionals </li></ul>
Automated Analysis, Reporting and Alerting Informer <ul><li>Flexible dashboard, chart and summary displays for unified view of threat vectors </li></ul><ul><li>Get automatic answers to any question for… </li></ul><ul><ul><li>Network Security </li></ul></ul><ul><ul><li>Security / HR </li></ul></ul><ul><ul><li>Legal / R&D / Compliance </li></ul></ul><ul><ul><li>I/T Operations </li></ul></ul><ul><li>HTML, CSV and PDF report formats included </li></ul><ul><li>Supports CEF, SNMP, syslog, SMTP data push for full integration in SIEM and other network event management </li></ul>
Getting Answers to the Toughest Questions <ul><li>Interactive data-driven session analysis of layer 2-7 content </li></ul><ul><li>Award-winning, patented, port agnostic session analysis </li></ul><ul><li>Infinite freeform analysis paths and content /context investigation points </li></ul><ul><li>Data presented as the user experienced (Web, Voice, Files, Emails, Chats, etc.) </li></ul><ul><li>Supports massive data-sets </li></ul><ul><ul><li>Instantly navigate terabytes of data </li></ul></ul><ul><ul><li>Fast analytics - analysis that once took days, now takes minutes </li></ul></ul><ul><li>Freeware Version used by over 45,000 security experts worldwide </li></ul>Investigator
A New Way to Look at Information <ul><li>Revolutionary visual interface to content on the network </li></ul><ul><ul><li>Extracts and interactively presents images, files, objects, audio, and voice for analysis </li></ul></ul><ul><ul><li>Supports multi-touch, drilling, timeline and automatic “play” browsing </li></ul></ul><ul><ul><li>Rapid review and triage of content </li></ul></ul>Visualize
Case Study <ul><li>Understanding a Custom ZeuS-based APT Spear Phishing Attack </li></ul>
Finding bad things on the network: Are all ZeuS variants created equal?
Realities: Continued Targeted Attacks Against USG Assets <ul><li>There has been an ongoing campaign associated with forged emails containing targeted ZeuS infections </li></ul><ul><li>Typical scenario is email from some “reliable” email address containing spear phishing text of interest and link to custom ZeuS site </li></ul><ul><li>Parallels: this approach directly imitates non-USG mass eCrime ZeuS approaches </li></ul>Subject: DEFINING AND DETERRING CYBER WAR From: firstname.lastname@example.org U.S. Army War College, Carlisle Barracks, PA 17013‐5050 December 2009 DEFINING AND DETERRING CYBER WAR Since the advent of the Internet in the 1990s, not all users have acted in cyberspace for peaceful purposes. In fact, the threat and impact of attack in and through cyberspace has continuously grown to the extent that cyberspace has emerged as a setting for war on par with land, sea, air, and space, with increasing potential to damage the national security of states, as illustrated by attacks on Estonia and Georgia. Roughly a decade after the advent of the Internet, the international community still has no codified, sanctioned body of norms to govern state action in cyberspace. Such a body of norms, or regime, must be established to deter aggression in cyberspace. This project explores the potential for cyber attack to cause exceptionally grave damage to a state’s national security, and examines cyber attack as an act of war. The paper examines efforts to apply existing international norms to cyberspace and also assesses how traditional concepts of deterrence apply in cyberspace. The project concludes that cyber attack, under certain conditions, must be treated as an act of war, that deterrence works to dissuade cyber aggression, and provides recommendations to protect American national interests. Source: iSightpartners
“ DPRK has carried out nuclear missile attack on Japan” <ul><li>AV effectively “neutered” by overwriting the OS hosts file </li></ul><ul><li>Attempts to retrieve updates from vendor update server hosts routed to 127.0.0.1 </li></ul><ul><li>Back to our “ATTACKER FREE TIME” DISCUSSION: if AV didn’t pick up the malware initially, it never will now </li></ul>
Infection Progression – Nothing Unusual <ul><li>After a user clicks on the link, the file “report.zip” is downloaded from dnicenter.com </li></ul><ul><li>If user opens the file, the malware is installed </li></ul><ul><li>Malware is actually a Zeus variant; author used techniques to hamper reverse-engineering / analysis of the binary </li></ul>
Further Network Forensics Evidence… <ul><li>ZeuS configuration file download </li></ul><ul><li>This type of problem recognition can be automated </li></ul>
<ul><li>Malware stealing files of interest to the drop server in Minsk </li></ul><ul><li>FTP drop server still is resolving to same address </li></ul><ul><li>Early on March 8, 2010, server cleaned out and account disabled </li></ul><ul><li>username: mao2 password: [captured] </li></ul>
Files harvested from victim machines in drop server (located in Minsk, Belarus) <ul><li>FTP drop hosted in Minsk, with directory listing of 14 compromised hosts containing exfiltrated data </li></ul>
<ul><li>Time graph of beaconing activity and metadata showing comms to C&C server – all via “allowed pathways” </li></ul>
Combating Advanced Threats Requires More and Better Information… Highest Value Lowest Value Data Source Description Firewalls, Gateways, etc. IDS Software NetFlow Monitoring SEIM Software Real-time Network Forensics (NetWitness) Overwhelming amounts of data with little context, but can be valuable when used within a SEIM and in conjunction with network forensics. For many organizations, the only indicator of a problem, only for known exploits. Can produce false positives and limited by signature libraries. Network performance management and network behavioral anomaly detection (NBAD) tools. Indicators of changes in traffic flows within a given period, for example, DDOS. Limited by lack of context and content. Correlates IDS and other network and security event data and improves signal to noise ratio. Is valuable to the extent that data sources have useful information and are properly integrated, but lacks event context that can be provides by network forensics. Collects the richest network data. Provides a deeper level of advanced threat identification and situational awareness. Provides context and content to all other data sources and acts as a force multiplier.
Take-Away <ul><li>Advanced adversaries and emerging threats require revolutionary thinking </li></ul><ul><li>Current security paradigms are completely broken -- all organizations (including yours) will be compromised – no matter how good your security team </li></ul><ul><li>The real objective should be improving visibility at the application layer -- this goal requires complete knowledge of the network and powerful analytic tools and processes </li></ul><ul><li>Goals: </li></ul><ul><li>Lower risk to the organization </li></ul><ul><ul><li>Improve incident response through shortened time to problem recognition and resolution </li></ul></ul><ul><ul><li>Reduce impact and cost related to cyber incidents </li></ul></ul><ul><ul><li>Generate effective threat intelligence and cyber investigations </li></ul></ul><ul><li>Reduce uncertainty surrounding the impact of new threat vectors </li></ul><ul><li>Conduct continuous monitoring of critical security controls </li></ul><ul><li>Achieve situational awareness – being able to answer any conceivable cyber security question – past, present or future </li></ul>Copyright 2007 NetWitness Corporation