War on Stealth Cyberattacks that
Target Unknown Vulnerabilities
Investigate, Threat Scope Analysis & Forensics of
Advanced Cyber Threats with Apache Metron
George Vetticaden & James Sirota
Apache Metron Committers
2 © Hortonworks Inc. 2011 – 2016. All Rights Reserved
Use Case: Phishing Attack
Phishing Attack on Company Foo
Phishing Attacks
• What is a Phishing Attack?
– An attack that “baits” unsuspecting workers into clicking on links in emails and
unknowingly giving attackers a toehold in their employers’ systems.
• From NYTIMES Article (6/13/2016):
“Phishing attacks have become an epidemic. To date, more than 90 percent of
breaches have begun with a phishing attack, according to Verizon.
Intelligence experts say that phishing attacks are the preferred method of
Chinese hackers who have managed to steal things as varied as nuclear
propulsion technology and Silicon Valley’s most guarded software code.”
DocuSign Phishing Attacks
What is DocuSign?
• Provides electronic signature technology and Digital Transaction Management
services for facilitating electronic exchanges of contracts and signed documents.
• E.g. if you get a new job, the offer letter will most likely be presented to you
as a “DocuSign Doc” which requires an electronic signature.
What is a DocuSign Phishing Attack?
• Active phishing campaigns use fake DocuSign notifications to trick employees
into opening them.
• These "secure doc" emails are one of the most misflagged categories of real
emails.
• Users have trouble figuring out whether a "secure doc" email is real or a phish.
Use Case Setup
• On 4/10, an internal user named Ethan V at Company Foo submits a security ticket
about a potential “Docu-Sign” phishing email.
• The details Ethan V provided in the ticket are the following:
– Ethan receives an email from an internal employee, Sonja Lar, who works in Equity.
– The email states that a signature is required on a new Docu-Sign document for a
new Stock Option grant to Ethan.
– There is a link in the email to the Docu-Sign document.
– Ethan clicks on the link, and a login page appears.
– Ethan enters his SSO credentials and submits.
– On submission, nothing happens.
– Ethan calls Sonja, but Sonja states she didn’t send an email.
– Ethan is worried and files a help desk security ticket.
• A security ticket is created and assigned to the SOC team.
• A SOC analyst, James, picks up the case to investigate it.
Typical Workflow if Company Foo uses a traditional SIEM tool
“Investigation” Workflow Steps
Systems accessed for investigation/context: SIEM Search, Maxmind (IP Geo DB),
AD (Identity Mgmt.), Asset Mgmt. Inventory, Soltra (Threat Intel)
• Step 1: Analyst James searches the SIEM for any events associated with the user
Sonja over the last 24 hours. (System: SIEM Search)
• Step 1 Result: Most events are coming from IP Y, but one event comes from IP X,
where she logs into Corp Google Apps Gmail.
• Step 1 Insight: Anomalous event. Corp Gmail was decommissioned in favor of
Exchange months back and only a few users are currently using it.
• Step 2: James does a geo-lookup of IP X and IP Y in Maxmind. (System: Maxmind,
IP Geo DB)
• Step 2 Result: IP X is from Ireland and IP Y is from Southern California.
• Step 2 Insight: It is not possible for the same user to be logging in from Ireland
and Southern California at the same time.
• Step 3: Corp Foo has offices in Ireland and Los Angeles. James files a ticket with
the AD team to find the groups that Sonja belongs to. (System: AD, Identity Mgmt.)
• Step 3 Result: The groups she belongs to are associated only with Los Angeles, not
Ireland.
• Step 3 Insight: Unauthorized access is occurring from Ireland.
• Step 4: James logs into Foo’s Asset Mgmt system to determine which assets the IPs
belong to. (System: Asset Mgmt. Inventory)
• Step 4 Result: IP Y is Sonja’s workstation, while IP X is an unidentified asset.
• Step 4 Insight: Sonja appears to be in Southern California, but someone else
pretending to be her is logging in from an unidentified asset.
• Step 5: James logs into Soltra, a threat intel aggregation service, to see whether
IP X has a threat intel hit. (System: Soltra, Threat Intel)
• Step 5 Result: IP X has a threat intel hit. Sonja’s account is immediately shut
down and Ethan’s credentials are reset.
• Step 5 Insight: Sonja’s account has been compromised; it is shut down and Ethan’s
credentials are reset. But which other users are affected like Ethan?
“Scope of Threat” Workflow Steps
Systems accessed for threat scope: FireEye (Email Cloud Security), Cisco IronPort
(Email On-Premise Security)
• Step 6: James searches the SIEM for FireEye and IronPort email events associated
with Sonja. The SIEM doesn’t have that info. (System: SIEM Search)
• Step 6 Result: Need to log into FireEye and IronPort.
• Step 6 Insight: The SIEM doesn’t have all the FireEye email events needed to
determine scope.
• Step 7: James logs into the FireEye Email Threat Prevention Cloud and IronPort to
find all emails sent from Sonja’s account from that malicious IP. (Systems: FireEye,
Cisco IronPort)
• Step 7 Result: James now has a list of all users the phishing email was sent to and
can reset the passwords for all of those users.
• Step 7 Insight: The scope of the threat is understood and it can be contained.
“Forensics” Workflow Steps
Systems accessed for forensics: Cisco IronPort, Intermedia (Email Archive)
• Step 8: James logs into Cisco IronPort to determine when the attacker first
compromised Sonja’s Gmail account.
• Step 8 Result: On 3/26, a user from Ireland logged into Sonja’s Corp Gmail account.
• Step 8 Insight: James now knows when Sonja’s Gmail account was first compromised.
• Step 9: James logs into Intermedia, an email archive system, to understand how the
account was compromised.
• Step 9 Result: He sees a set of emails in which the attacker spoofed someone else’s
email address, “warmed up” Sonja with a few emails, and then sent an email with a
link that Sonja clicked on, which stole her credentials.
• Step 9 Insight: James now understands how Sonja’s account was compromised.
Systems accessed for remediation: Exchange (Primary Email Service), Corp Gmail
(Secondary Email Service), AD & OKTA (Identity Provider & SSO)
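Steps 6 to 9 are three questions asked of email and login records: who else received the phish, when the account was first used from outside, and what lured the victim. The following is an added example for this page, not Metron's own code. It answers all three from constructed records in one pass; the field layout and every value (the foo.example addresses, the 203.0.113.7 attacker IP, the timestamps) are assumptions and do not match any vendor's real export format.

```python
"""Steps 6 to 9 (scope and forensics) answered from log records in one pass.

Added example for this page, not Metron's own code. The record layouts and
every value below are constructed; no vendor (FireEye, IronPort, Intermedia)
exports exactly these fields.
"""
from datetime import datetime

# Constructed email-gateway records: one row per (message, recipient).
MAIL_EVENTS = [
    {"ts": "2016-03-21T11:00:00", "sender": "it-helpdesk@foo-support.example",
     "src_ip": "203.0.113.7", "rcpt": "sonja.lar@foo.example",
     "subject": "Please confirm your mailbox"},            # attacker's warm-up lure
    {"ts": "2016-04-08T09:15:00", "sender": "sonja.lar@foo.example",
     "src_ip": "198.51.100.20", "rcpt": "hr@foo.example",
     "subject": "Q2 grant schedule"},                      # legitimate, from her workstation
    {"ts": "2016-04-09T14:02:00", "sender": "sonja.lar@foo.example",
     "src_ip": "203.0.113.7", "rcpt": "ethan.v@foo.example",
     "subject": "Docu-Sign: Stock Option grant"},          # phish sent as Sonja
    {"ts": "2016-04-09T14:02:05", "sender": "sonja.lar@foo.example",
     "src_ip": "203.0.113.7", "rcpt": "priya.k@foo.example",
     "subject": "Docu-Sign: Stock Option grant"},
    {"ts": "2016-04-09T14:02:09", "sender": "sonja.lar@foo.example",
     "src_ip": "203.0.113.7", "rcpt": "ethan.v@foo.example",
     "subject": "Docu-Sign: Stock Option grant"},          # resend to the same victim
]

# Constructed login records for the secondary (Corp Gmail) mail service.
LOGIN_EVENTS = [
    {"ts": "2016-04-09T16:10:00", "user": "sonja.lar", "src_ip": "198.51.100.20", "country": "US"},
    {"ts": "2016-04-09T13:55:00", "user": "sonja.lar", "src_ip": "203.0.113.7", "country": "IE"},
    {"ts": "2016-03-26T03:41:00", "user": "sonja.lar", "src_ip": "203.0.113.7", "country": "IE"},
]


def _ts(record):
    return datetime.fromisoformat(record["ts"])


def phish_recipients(mail_events, sender, bad_ip):
    """Step 7: distinct recipients of mail sent as `sender` from the attacker's IP."""
    return sorted({e["rcpt"] for e in mail_events
                   if e["sender"] == sender and e["src_ip"] == bad_ip})


def first_login_outside(login_events, user, home_country):
    """Step 8: earliest login by `user` from outside the home country, or None."""
    hits = [e for e in login_events if e["user"] == user and e["country"] != home_country]
    return min(hits, key=_ts) if hits else None


def lure_timeline(mail_events, victim, bad_ip):
    """Step 9: mail delivered to the victim from the attacker's IP, oldest first."""
    return sorted((e for e in mail_events if e["rcpt"] == victim and e["src_ip"] == bad_ip),
                  key=_ts)


def accounts_to_reset(mail_events, victim_user, victim_addr, bad_ip):
    """Containment list: the compromised sender plus every account that was lured."""
    lured = {addr.split("@")[0] for addr in phish_recipients(mail_events, victim_addr, bad_ip)}
    return sorted(lured | {victim_user})


def threat_story(mail_events, login_events, victim_user, victim_addr, bad_ip, home_country):
    """Everything the analyst gathered across steps 6 to 9, as one record."""
    first = first_login_outside(login_events, victim_user, home_country)
    return {
        "compromised_account": victim_user,
        "attacker_ip": bad_ip,
        "first_compromise": first["ts"] if first else None,
        "lure_subjects": [e["subject"] for e in lure_timeline(mail_events, victim_addr, bad_ip)],
        "phish_recipients": phish_recipients(mail_events, victim_addr, bad_ip),
        "reset_credentials_for": accounts_to_reset(mail_events, victim_user, victim_addr, bad_ip),
    }


if __name__ == "__main__":
    story = threat_story(MAIL_EVENTS, LOGIN_EVENTS, "sonja.lar", "sonja.lar@foo.example",
                         "203.0.113.7", "US")
    for key, value in story.items():
        print(f"{key}: {value}")
```

The scoping key is (sender, source IP), not sender alone: Sonja's legitimate mail from her own workstation stays out of the recipient list, and the duplicate send to Ethan collapses to one reset. The same records, had they been indexed together, would have answered step 6 without a second login anywhere.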
The “Threat Story” the Workflow Told….
The Challenges faced by the SOC Analyst to Create this Story…
Challenge
• The analyst had to jump from the SIEM to more than 7 different tools, which took
up valuable time.
• It took more than 24 hours across 2 SOC shifts to investigate, determine scope,
remediate and do further forensics/investigation.
• Half of my time was spent getting the context needed to create the story.
• The threat was detected too late. Instead of detecting the incident on 4/9, the
threat should have been detected on 3/20 when the attacker spoofed Sonja’s email
address.
Need
• Want a centralized view of my data so I don’t have to jump around and learn other
tools.
• Eliminate manual tasks to investigate a case.
• Need to discover bad stuff quicker.
• Need the system to create the context for me in real time.
• The current static rules in the SIEM didn’t detect the threat. Need smart
analytics based on:
– User Sonja hasn’t used Corp Gmail in the last 3 months.
– User Sonja can’t log in from Ireland and Southern California at the same time.
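Both of the analytics the Need list asks for are profile comparisons, not static rules: the first keeps a last-seen time per (user, service), the second keeps a last-seen location per user. The following is an added example for this page, not Metron's own code or its Stellar language. It runs both over constructed, already geo-enriched login events, and generalizes the second rule from "at the same time" to "faster than any aircraft could have carried the user", which also catches the same-instant case. The 90-day window, 900 km/h threshold, 50 km metro-jitter floor, field names and all event values are assumptions.

```python
"""The two "smart analytics" the Need list asks for, run over constructed,
already geo-enriched login events.

Added example for this page, not Metron's own code. It generalizes the second
rule from "same time" to "faster than any aircraft could carry the user".
Thresholds, field names and all event values are assumptions.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

DORMANT_DAYS = 90          # "hasn't used Corp Gmail in the last 3 months"
MAX_SPEED_KMH = 900.0      # assumed: about the cruising speed of an airliner
MIN_JUMP_KM = 50.0         # assumed: ignore movement within one metro area

# Constructed login events; lat/lon are what an IP-geo enrichment would add.
EVENTS = [
    {"ts": "2016-01-04T09:00:00", "user": "sonja.lar", "service": "corp_gmail",
     "src_ip": "198.51.100.20", "lat": 34.05, "lon": -118.24},   # last real Gmail use, Los Angeles
    {"ts": "2016-04-09T13:55:00", "user": "sonja.lar", "service": "okta",
     "src_ip": "198.51.100.20", "lat": 34.05, "lon": -118.24},   # Sonja at her workstation
    {"ts": "2016-04-09T14:00:00", "user": "sonja.lar", "service": "corp_gmail",
     "src_ip": "203.0.113.7", "lat": 53.35, "lon": -6.26},       # attacker, Dublin
    {"ts": "2016-04-09T14:20:00", "user": "sonja.lar", "service": "okta",
     "src_ip": "198.51.100.20", "lat": 34.05, "lon": -118.24},   # Sonja again
    {"ts": "2016-04-09T15:00:00", "user": "ethan.v", "service": "okta",
     "src_ip": "198.51.100.41", "lat": 34.05, "lon": -118.24},   # unrelated, benign
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a sphere of Earth's radius."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlambda = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlambda / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_dormant_service(events, dormant_days=DORMANT_DAYS):
    """Flag a login to a service the user last touched more than `dormant_days` ago.

    Keeps a per-(user, service) last-seen profile; a service the user has never
    used is not flagged here because there is no baseline to compare against.
    """
    last_seen, alerts = {}, []
    for e in sorted(events, key=_ts):
        key = (e["user"], e["service"])
        prev = last_seen.get(key)
        if prev is not None:
            idle_days = (_ts(e) - _ts(prev)).days
            if idle_days > dormant_days:
                alerts.append({"rule": "dormant_service_use", "user": e["user"],
                               "service": e["service"], "idle_days": idle_days,
                               "src_ip": e["src_ip"], "ts": e["ts"]})
        last_seen[key] = e
    return alerts


def detect_impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH, min_jump_km=MIN_JUMP_KM):
    """Flag consecutive logins by one user whose implied speed no traveler could reach.

    Two logins at the same instant from far-apart places give infinite speed,
    which is the deck's "Ireland and Southern California at the same time" case.
    """
    last_pos, alerts = {}, []
    for e in sorted(events, key=_ts):
        prev = last_pos.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (_ts(e) - _ts(prev)).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if km > min_jump_km and speed > max_speed_kmh:
                alerts.append({"rule": "impossible_travel", "user": e["user"],
                               "from_ip": prev["src_ip"], "to_ip": e["src_ip"],
                               "km": round(km), "hours": round(hours, 2), "ts": e["ts"]})
        last_pos[e["user"]] = e
    return alerts


def run_analytics(events):
    """Both detections over the same stream, ordered by event time."""
    return sorted(detect_dormant_service(events) + detect_impossible_travel(events),
                  key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in run_analytics(EVENTS):
        print(alert)
```

On this input the attacker's 14:00 Gmail login raises both alerts on its own, with no threat intel feed involved: 96 days since Sonja's last Gmail use, and roughly 8,300 km in five minutes from her workstation's last login. The trip back to Los Angeles at 14:20 fires a second travel alert, which is expected: the profile only knows the last location, so the legitimate user "returning" looks just as impossible. A production version would keep a small set of trusted recent locations per user rather than a single last position.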
Same Workflow if Company Foo
used Apache Metron
Demo
Do Investigation, Find Scope and Perform Forensics Using only Metron
Systems the analyst previously had to log into separately, now consolidated behind
Metron:
• Investigation/Context: Maxmind (IP Geo DB), AD (Identity Mgmt.), Asset Mgmt.
Inventory, Soltra (Threat Intel)
• Determine Scope: FireEye (Email Cloud Security), Cisco IronPort (Email On-Premise
Security)
• Forensics: Intermedia (Email Archive)
• Remediation: Exchange (Primary Email Service), Corp Gmail (Secondary Email
Service), AD & OKTA (Identity Provider & SSO)
Do Investigation, Find Scope and Perform Forensics Using only Metron
• Metron makes it easier and faster to find the real issues I need to act on, with
real-time enrichment.
• Provides a single pane of glass for investigation, scope analysis and forensics.
• Metron can take everything that is known about a threat and check for it in real
time.
• For Advanced Persistent Threats (APT), Metron can model the historical behavior of
the user being impersonated and flag the attacker as they deviate from it.
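"Check for everything that is known about a threat in real time" is, concretely, the parse, enrich, threat intel and triage stages run over every event as it arrives, so that the five lookups of steps 1 to 5 are already attached when the analyst opens the event. The following is an added example for this page, not Metron's own code or its Stellar language; it collapses those stages into one pass over constructed, syslog-like login lines. The line format, the four lookup tables standing in for Maxmind, the asset inventory, AD and Soltra, the score weights and every value are assumptions.

```python
"""Parse -> normalize -> enrich -> threat intel -> triage, the stages Metron runs
in its stream pipeline, collapsed into one pass over constructed log lines.

Added example for this page, not Metron's own code or its Stellar language.
The log format, lookup tables, score weights and all values are assumptions;
in a deployment the tables would be Maxmind, the asset inventory, AD and a
threat intel feed such as Soltra.
"""
import re

# Constructed syslog-like login records from two sources, plus one junk line.
RAW_LINES = [
    "2016-04-09T13:55:10Z okta user=sonja.lar src=198.51.100.20 action=login result=success",
    "2016-04-09T14:00:02Z gmail-audit user=sonja.lar src=203.0.113.7 action=login result=success",
    "2016-04-09T15:00:44Z okta user=ethan.v src=198.51.100.41 action=login result=success",
    "this line is not a login record",
]
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<kv>(?:\w+=\S+\s*)+)$")

# Constructed enrichment tables (stand-ins for Maxmind, Asset Mgmt., AD, Soltra).
GEO = {"203.0.113.7": {"country": "IE", "city": "Dublin"},
       "198.51.100.20": {"country": "US", "city": "Los Angeles"},
       "198.51.100.41": {"country": "US", "city": "Los Angeles"}}
ASSETS = {"198.51.100.20": {"hostname": "LA-WS-0412", "owner": "sonja.lar"},
          "198.51.100.41": {"hostname": "LA-WS-0587", "owner": "ethan.v"}}
IDENTITY = {"sonja.lar": {"groups": ["Equity", "LA-Staff"], "office_country": "US"},
            "ethan.v": {"groups": ["Engineering", "LA-Staff"], "office_country": "US"}}
THREAT_INTEL = {"203.0.113.7": "phishing-infrastructure"}   # indicator -> feed label


def parse(line):
    """Parse/validate stage: a normalized event, or None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    if "user" not in fields or "src" not in fields:
        return None
    return {"ts": m.group("ts"), "source": m.group("source"),
            "user": fields["user"], "src_ip": fields["src"],
            "action": fields.get("action"), "result": fields.get("result")}


def enrich(event):
    """Enrich stage: attach geo, asset, identity and threat intel context in place."""
    ip, user = event["src_ip"], event["user"]
    event["geo"] = GEO.get(ip, {"country": None, "city": None})
    event["asset"] = ASSETS.get(ip, {"hostname": "unidentified", "owner": None})
    event["identity"] = IDENTITY.get(user, {"groups": [], "office_country": None})
    event["threat_intel"] = THREAT_INTEL.get(ip)
    return event


def triage(event):
    """Triage stage: score the enriched event so the analyst sees the worst first."""
    score, reasons = 0, []
    if event["threat_intel"]:
        score += 50
        reasons.append(f"src_ip on threat intel feed {event['threat_intel']}")
    country, office = event["geo"]["country"], event["identity"]["office_country"]
    if country and country != office:
        score += 30
        reasons.append(f"login from {country} but user is based in {office}")
    if event["asset"]["hostname"] == "unidentified":
        score += 10
        reasons.append("src_ip not in asset inventory")
    elif event["asset"]["owner"] != event["user"]:
        score += 10
        reasons.append(f"asset owned by {event['asset']['owner']}")
    event["triage_score"], event["triage_reasons"] = score, reasons
    return event


def process(lines):
    """Run the whole pipeline; events come back highest triage score first."""
    parsed = [parse(line) for line in lines]
    events = [triage(enrich(e)) for e in parsed if e is not None]
    return sorted(events, key=lambda e: e["triage_score"], reverse=True)


if __name__ == "__main__":
    for e in process(RAW_LINES):
        print(e["ts"], e["user"], e["src_ip"], e["triage_score"], e["triage_reasons"])
```

The attacker's Gmail login comes out on top with three reasons attached (threat intel hit, Ireland against a Los Angeles user, source not in inventory), which is the story James assembled by hand across steps 2 to 5. Sonja's and Ethan's logins from their own workstations score zero, and the junk line is dropped at validation rather than carried downstream.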
Metron Architecture
Data flows through the following layers, left to right:
• Sources: Telemetry Data Collectors / Other, Performant Network Ingest Probes,
Real-Time Enrich/Threat Intel Streams
• Telemetry Ingest Buffer
• Real-Time Processing Cyber Security Engine (Cyber Security Stream Processing
Pipeline): Telemetry Parsers → Enrichment → Threat Intel → Alert Triage →
Indexers & Writers
• Data Services & Integration Layer
Real-time Processing Engine (Apache Metron Logical Architecture)
• Telemetry sources, fed from a Network Tap and collectors: PCAP, NetFlow, DPI,
IDS, AV, Email, Firewall, Host Logs
• Process: Parse → Normalize → Tag → Validate
• Enrich: User, Asset, Geo, WHOIS, Conn
• Label (threat intel): STIX, Flat Files, Aggregators, Model as a Service, Cloud
Services
• Alert / Persist: PCAP Store, Security Data Vault
• Data & Integration Services: Real-Time Search, Interactive Dashboards, Data
Modelling, Integration Layer, PCAP Replay, Security Layer
• Custom Metron UI/Portals on top of the data services
Analytics
Old School vs. New School Security Controls
• Old School (1-1): Email Security Rules, Firewall Rules, IDS Rules, Sandbox Rules,
DLP Rules
• New School (1-*): Email Classifier, Malware Family Classifier, Network Behavior
Classifier, UEBA System, Alerts Triage
Metron Security Data Analytics Platform (HDF, HDP, Model as a Service)
• Analytics spectrum: Descriptive, Diagnostic, Predictive, Prescriptive
• Data sources: Deep Packet, Netflow, Appliance Logs, Alerts, Host Logs, Access
Logs, Malware Binaries, Sandbox, Honeypot, Deception, SaaS, Mobile Devices, Machine
Exhaust, IoT Datasets, Social Media, Email, Chat, Forums, Playbook Workflow, HR,
IR, Web Mining
• Enrichments: Geo, Host, App., Identity, Domain, Business, CMDB, Compliance,
Knowledge Graph, Entity Profiles, Interaction Graph
• Use Cases: Insider Threat, Data Access Management, Breach Detection,
Exfiltration, Lateral Movement, Malware Detection, Alerts Triage, Remediation
Thank You
George Vetticaden & James Sirota
Apache Metron Committers
Learn, Share at Birds of a Feather
Streaming, DataFlow & Cybersecurity
Thursday June 30
6:30 pm, Ballroom C
