War on Stealth Cyberattacks that Target Unknown Vulnerabilities


Slide 1: War on Stealth Cyberattacks that Target Unknown Vulnerabilities. Investigate, Threat Scope Analysis & Forensics of Advanced Cyber Threats with Apache Metron. George Vetticaden & James Sirota, Apache Metron Committers.

© Hortonworks Inc. 2011 – 2016. All Rights Reserved

Slide 2: Use Case: Phishing Attack

Slide 3: Phishing Attack on Company Foo
Slide 4: Phishing Attacks
• What is a phishing attack? An attack that "baits" unsuspecting workers into clicking on links in emails and unknowingly giving attackers a toehold in their employers' systems.
• From a NYTIMES article (6/13/2016): "Phishing attacks have become an epidemic. To date, more than 90 percent of breaches have begun with a phishing attack, according to Verizon. Intelligence experts say that phishing attacks are the preferred method of Chinese hackers who have managed to steal things as varied as nuclear propulsion technology and Silicon Valley's most guarded software code."

Slide 5: DocuSign Phishing Attacks
What is DocuSign?
• Provides electronic signature technology and Digital Transaction Management services for facilitating electronic exchanges of contracts and signed documents.
• E.g. if you get a new job, the offer letter will most likely be presented to you as a "DocuSign doc" that requires an electronic signature.
What is a DocuSign phishing attack?
• Active phishing campaigns use fake DocuSign emails to trap employees into opening them.
• These "secure doc" emails are one of the most misflagged categories of real emails.
• Users have trouble figuring out whether a "secure doc" email is real or a phish.
Slide 6: Use Case Setup
• On 4/10, an internal user named Ethan V at Company Foo submits a security ticket complaining about a potential "DocuSign" phishing email.
• The details Ethan V provides in the ticket are the following:
  – Ethan receives an email from an internal employee, Sonja Lar, who works on the equity team.
  – The email states that a signature is required on a new DocuSign document for a new stock option grant awarded to Ethan.
  – There is a link in the email to the DocuSign document.
  – Ethan clicks on the link and a login page appears.
  – Ethan enters his SSO credentials and submits.
  – On submission, nothing happens.
  – Ethan calls Sonja, but Sonja states she didn't send an email.
  – Ethan is worried and files a help desk security ticket.
• A security ticket is created and assigned to the SOC team.
• A SOC analyst, James, picks up the case to investigate it.

Slide 7: Typical Workflow if Company Foo uses a traditional SIEM tool
Slide 8: Systems Accessed for Investigation/Context
Systems accessed: SIEM search, Maxmind (IP geo DB), AD (identity management), asset management inventory, Soltra (threat intel).
"Investigation" workflow steps and the story unfolding:
• Step 1: Analyst James searches the SIEM for any events associated with the user Sonja over the last 24 hours.
  – Result: Most events come from IP Y, but one event comes from IP X, where she logs into corporate Google Apps Gmail.
  – Insight: Anomalous event. Corporate Gmail was decommissioned in favour of Exchange months ago and only a few users are still using it.
• Step 2: James does a geo-lookup of IP X and IP Y in Maxmind.
  – Result: IP X is in Ireland and IP Y is in Southern California.
  – Insight: It is not possible for the same user to be logging in from Ireland and Southern California at the same time.
• Step 3: Company Foo has offices in Ireland and Los Angeles. James files a ticket with the AD team to find the groups Sonja belongs to.
  – Result: The groups she belongs to are associated only with Los Angeles, not Ireland.
  – Insight: Unauthorized access is occurring from Ireland.
• Step 4: James logs into Foo's asset management system to determine which assets the IPs belong to.
  – Result: IP Y is Sonja's workstation, while IP X is an unidentified asset.
  – Insight: It seems Sonja is in Southern California, but someone else pretending to be her is logging in from an unidentified asset.
• Step 5: James logs into Soltra, a threat intel aggregation service, to see whether IP X has a threat intel hit.
  – Result: IP X has a threat intel hit. Sonja's account is immediately shut down and Ethan's credentials are reset.
  – Insight: Sonja's account has been compromised. It has been shut down and Ethan's credentials have been reset, but which other users are affected like Ethan?

Slide 9: Systems Accessed for Threat Scope and Forensics
Systems accessed to determine scope: FireEye (email cloud security), Cisco IronPort (email on-premise security). Systems accessed for forensics: Intermedia (email archive). Systems accessed for remediation: Exchange (primary email service), Corp Gmail (secondary email service), AD & Okta (identity provider & SSO).
"Scope of Threat" workflow steps:
• Step 6: James searches the SIEM for FireEye and IronPort email events associated with Sonja. The SIEM doesn't have that information.
  – Result: He needs to log into FireEye and IronPort.
  – Insight: The SIEM doesn't have all the FireEye email events needed to determine scope.
• Step 7: He logs into the FireEye Email Threat Prevention Cloud and IronPort to find all emails sent from Sonja's account from the malicious IP.
  – Result: He now has a list of all users the phishing email was sent to and can reset the passwords for all of them.
  – Insight: The scope of the threat is understood and it can be contained.
"Forensics" workflow steps:
• Step 8: He logs into Cisco IronPort to determine when the attacker first compromised Sonja's Gmail account.
  – Result: On 3/26, a user from Ireland logged into Sonja's corporate Gmail account.
  – Insight: He now knows when Sonja's Gmail account was first compromised.
• Step 9: He logs into Intermedia, the email archive system, to understand how the account was compromised.
  – Result: He sees a set of emails in which the attacker spoofed someone else's email address, "warmed up" Sonja with a few emails, and then sent an email with a link that Sonja clicked on, which stole her credentials.
  – Insight: He now understands how Sonja's account got compromised.
Slide 10: The "Threat Story" the Workflow Told...

Slide 11: The Challenges Faced by the SOC Analyst to Create this Story...
Challenge:
• The analyst had to jump from the SIEM to more than 7 different tools, which took up valuable time.
• It took more than 24 hours across 2 SOC shifts to investigate, determine scope, remediate, and do further forensics/investigation.
• Half of the analyst's time was spent gathering the context needed to create the story.
• The threat was detected too late. Instead of detecting the incident on 4/9, the threat should have been detected on 3/20, when the attacker spoofed Sonja's email address.
Need:
• A centralized view of the data, so the analyst doesn't have to jump around and learn other tools, and manual tasks in investigating a case are eliminated.
• Discover bad activity quicker.
• Have the system create the context in real time.
• The current static rules in the SIEM didn't detect the threat. Smart analytics are needed, based on signals such as:
  – User Sonja hasn't used corporate Gmail in the last 3 months.
  – User Sonja can't log in from Ireland and Southern California at the same time.
Slide 12: Same Workflow if Company Foo used Apache Metron

Slide 13: Demo

Slide 14: Do Investigation, Find Scope and Perform Forensics Using only Metron
The same systems as before, now consumed through Metron:
• Systems accessed for investigation/context: Maxmind (IP geo DB), AD (identity management), asset management inventory, Soltra (threat intel).
• Systems accessed to determine scope: FireEye (email cloud security), Cisco IronPort (email on-premise security).
• Systems accessed for forensics: Intermedia (email archive).
• Systems accessed for remediation: Exchange (primary email service), Corp Gmail (secondary email service), AD & Okta (identity provider & SSO).

Slide 15: Do Investigation, Find Scope and Perform Forensics Using only Metron
• Metron makes it easier and faster to find the real issues the analyst needs to act on, through real-time enrichment.
• Provides a single pane of glass for investigation, scope analysis and forensics.
• Metron can take everything that is known about a threat and check for it in real time.
• For advanced persistent threats (APT), Metron can model the historical behavior of whoever the attacker is impersonating and flag the attacker as they deviate from it.
Slide 16: Metron Architecture (diagram)
Telemetry data collectors and performant network ingest probes feed a telemetry ingest buffer; telemetry parsers hand messages to the real-time processing cyber security engine (enrichment, threat intel, alert triage), which writes through indexers & writers. Real-time enrich/threat intel streams feed the engine, and a data services & integration layer sits underneath the cyber security stream processing pipeline.

Slide 17: Apache Metron Logical Architecture (diagram)
• Real-time processing engine: sources (PCAP, NetFlow, DPI, IDS, AV, email, firewall, host logs) are parsed, normalized, tagged and validated, then enriched (user, asset, geo, WHOIS, connection) and checked against threat intel (STIX, flat files, aggregators, model as a service, cloud services), then labelled, alerted on and persisted.
• Storage: PCAP store (from a network tap) and the security data vault.
• Data & integration services: custom Metron UI/portals, real-time search, interactive dashboards, data modelling, integration layer, PCAP replay, security layer.
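To make the parse → enrich → threat intel → triage stages of the logical architecture concrete, here is an added example in Python; it is not Metron code (Metron itself runs on Storm with Java and Stellar) and the audit line format, the enrichment tables, the field names and the triage weights are all constructed. The field names follow Metron's `ip_src_addr` / `source.type` / `threat.triage.score` convention as an assumption about naming only; the sample replays the two logins from the use case, the corporate Gmail login from IP X and the Exchange login from Sonja's workstation.

```python
import re

# Constructed raw telemetry (not from the slides): one corp Gmail login and one Exchange login.
RAW_LINES = [
    "gmail_audit ts=2016-04-09T08:40:00Z user=sonja.lar src_ip=203.0.113.7 action=login result=success",
    "exchange_audit ts=2016-04-09T08:05:00Z user=sonja.lar src_ip=10.1.1.25 action=login result=success",
]

# Constructed enrichment sources standing in for Maxmind, the asset inventory, AD and Soltra.
GEO = {"203.0.113.7": "Ireland", "10.1.1.25": "Los Angeles"}
ASSETS = {"10.1.1.25": "WS-SONJA-01"}                   # IP X has no inventory record
AD_SITE = {"sonja.lar": "Los Angeles"}                   # derived from her AD group membership
THREAT_INTEL = {"203.0.113.7": {"source": "soltra", "confidence": "high"}}
DECOMMISSIONED = {"gmail_audit"}                         # corp Gmail replaced by Exchange

_LINE = re.compile(r"^(?P<source>\w+)\s+(?P<kv>.+)$")


def parse(line):
    """Parse one key=value audit line into Metron-style normalized fields (naming assumed)."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    kv = dict(tok.split("=", 1) for tok in m.group("kv").split())
    return {
        "source.type": m.group("source"),
        "timestamp": kv["ts"],
        "user": kv["user"],
        "ip_src_addr": kv["src_ip"],
        "action": kv["action"],
        "result": kv["result"],
    }


def enrich(msg):
    """Attach geo, asset, identity and threat-intel context to a parsed message."""
    ip = msg["ip_src_addr"]
    out = dict(msg)
    out["enrichments.geo.ip_src_addr.country"] = GEO.get(ip, "unknown")
    out["enrichments.asset.ip_src_addr"] = ASSETS.get(ip, "unidentified")
    out["enrichments.identity.user.site"] = AD_SITE.get(msg["user"], "unknown")
    out["threatintel.ip_src_addr"] = THREAT_INTEL.get(ip)
    return out


# Triage rules: (reason, predicate, score). The weights are illustrative, not Metron defaults.
TRIAGE_RULES = [
    ("threat intel hit on source ip",
     lambda m: m["threatintel.ip_src_addr"] is not None, 80),
    ("login location differs from user's AD site",
     lambda m: m["enrichments.geo.ip_src_addr.country"] != m["enrichments.identity.user.site"], 40),
    ("login to decommissioned service",
     lambda m: m["source.type"] in DECOMMISSIONED, 30),
    ("source ip not in asset inventory",
     lambda m: m["enrichments.asset.ip_src_addr"] == "unidentified", 20),
]


def triage(msg, alert_threshold=50):
    """Score an enriched message and mark it as an alert at or above the threshold."""
    hits = [(reason, score) for reason, pred, score in TRIAGE_RULES if pred(msg)]
    out = dict(msg)
    out["threat.triage.score"] = sum(score for _, score in hits)
    out["threat.triage.reasons"] = [reason for reason, _ in hits]
    out["is_alert"] = out["threat.triage.score"] >= alert_threshold
    return out


def run_pipeline(lines):
    """Parse, enrich and triage every raw line, in order."""
    return [triage(enrich(parse(line))) for line in lines]


if __name__ == "__main__":
    for m in run_pipeline(RAW_LINES):
        print(m["user"], m["ip_src_addr"], m["threat.triage.score"], m["threat.triage.reasons"])
```

The point of the example is that every lookup the analyst performed by hand in steps 2 to 5 (geo, asset, AD, threat intel) is attached to the event as it streams through, so the Gmail login from IP X arrives in the index already scored and explained, while the legitimate Exchange login from the workstation scores zero.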
Slide 18: Analytics

Slide 19: Old School vs. New School Security Controls
• Old school (1-1, one rule per threat): email security rules, firewall rules, IDS rules, sandbox rules, DLP rules.
• New school (1-*, one model covering many threats): email classifier, alerts triage, malware family classifier, network behavior classifier, UEBA system.

Slide 20: Metron Security Data Analytics Platform (diagram)
• Analytics types: descriptive, diagnostic, predictive, prescriptive.
• Platform: HDF, HDP, model as a service.
• Data sources: deep packet, NetFlow, appliance logs, alerts, host logs, access logs, malware binaries, sandbox, honeypot, deception, SaaS, social media, email, chat, forums, mobile devices, machine exhaust, IoT datasets, playbook/workflow, HR, IR.
• Enrichments: geo, host, application, identity, domain, business, CMDB, compliance.
• Derived structures: knowledge graph, entity profiles, interaction graph, web mining.
• Use cases: insider threat, data access management, breach detection, exfiltration, lateral movement, malware detection, alerts triage, remediation.

Slide 21: Thank You. George Vetticaden & James Sirota, Apache Metron Committers.

Slide 22: Learn, Share at Birds of a Feather: Streaming, DataFlow & Cybersecurity. Thursday June 30, 6:30 pm, Ballroom C.
