NetWitness

4,035 views


NetWitness solutions capture all the data that travels across the network and put it into context, filtering what may or may not be critical. The user can see who is going where and viewing what.

Published in: Technology


Slide 1: APTs and the Failure of Prevention
Wayne Goeckeritz, Director of Channels, NetWitness Corporation, [email_address]

Slide 2: Agenda
- Discussion Regarding Threat Environment
- Advanced / Persistent Threats – In Context
- Rethinking Network Monitoring – A Quick Case Study
- Take-Aways and Q&A

Slide 3: Malware/APT continues to grow
Source: “State of the Internet” Report, Akamai Technologies

Slide 4: Security SUCKS!
Slide 5: Risk Management 101?
- Spear phishing attacks
- Poisoned websites and DNS – “drive-by” attacks
- Pervasive infection (e.g., ZeuS, Aurora, Stuxnet, Night Dragon, etc.)
- Malware and more malware resulting from all of the above…
- Undetected data exfiltration, leakage, and covert network comms
- Ongoing product vulnerabilities (e.g., Adobe, Microsoft, Oracle)
- Social Networking / Mobility / Web 2.0
- Cloud Computing / Other unknown risk profiles

Slide 6: Who Really 0wns Your Network?

Slide 7: Tracking the Opposing I/T Organization
Diagram of the criminal ecosystem (figure residue; labels only): Drop Sites, Phishing, Keyloggers, Botnet Owners, Spammers, Botnet Services, Malware Distribution Service, Data Acquisition Service, Data Mining & Enrichment, Data Sales, Cashing $$$, Malware Writers, Identity Collectors, Credit Card Users, Master Criminals, Validation Service (Card Checkers), Card Forums, ICQ, eCommerce Site, Retailers, Banks, eCurrency, Drop Service, Wire Transfer, Gambling, Payment Gateways.

Slide 8: Are Security Teams Failing? Definitely…
- People
  - Underestimate the complexity and capability of the threat actors
  - Do not take proactive steps to detect threats
- Process
  - Organizations have misplaced IT measurements and program focus
  - IR processes lack correct data and focus
- Technology
  - Current technology is failing to detect APT, APA, and other threats
  - Deep holes in network visibility

Slide 9: RISK = Threats x Assets x Vulnerabilities
Something missing here…

Slide 10: The Malware Problem
- 54% of breaches involved customized malware (no signature was available at time of exploit) (VzB/USSS, 2010)
- 87% of records stolen were from Highly Sophisticated Attacks (VzB/USSS, 2010)
- 91% of organizations believe exploits bypassing their IDS and AV systems to be advanced threats (Ponemon, 2010)
“With security researchers now uncovering close to 100,000 new malware samples a day, the time and resources needed to conduct deep, human analysis on every piece of malware has become overwhelming.” (GTISC Emerging Cyber Threats Report 2011)
Slide 11: Current Technologies Are Failing – Firewalls
- Intent – Prevent or limit unauthorized connections into and out of your network
- Reality – Adversaries are designing malware to use “allowed paths” (DNS, HTTP, SMTP, etc.) to provide reliable and hard-to-detect C&C and data exfiltration channels from inside your internal network.
- Even worse, they are using encrypted tunnels to provide “reverse-connect” for full remote control capabilities.

Slide 12: The Gaps in Status Quo Security – IDS/IPS
- Intent – Alert on or prevent known malicious network traffic
- Reality – Attackers are using obfuscation methods to prevent IDS signatures from recognizing malicious traffic, and client-side attacks that don’t perform “network-based” exploitation
- Even worse: Intrusion Prevention Systems are largely left unimplemented or crippled due to fears of business impact

Slide 13: The Gaps in Status Quo Security – Anti-Malware
- Intent – Prevent malicious code from running on an endpoint, or from traversing your network
- Reality – Most current anti-malware technologies are signature-based, requiring constant signature updates to remain effective. Due to the current level of malware production, these signatures lag behind by days to weeks.
- Even worse… adversaries create custom malware for high value targets. If they don’t use widespread distribution, you are even less likely to have timely signatures.
(Screenshot caption: From a top AV Vendor Forum)
Slide 14: 2010 Ponemon Institute Advanced Threats Survey
- We know what we need to do, but we are not doing it…

Slide 15: 2010 Ponemon Institute Advanced Threats Survey
- Do the math yourself…

Slide 16: New Security Concept: “OFFENSE IN DEPTH”
Timeline diagram (figure residue; labels only, grouping inferred from the labels). Attacker side: Attack Begins, Target Analysis, Attack Set-up, System Intrusion, Access Probe, Discovery / Persistence, Attacker Surveillance, Leap Frog Attacks Complete, Maintain foothold, Cover-up Starts, Cover-up Complete. Defender side: Attack Forecast, Threat Analysis, Physical Security, Monitoring & Controls, Defender discovery, Attack Identified, Incident Reporting, Impact Analysis, Damage Identification, Response, Containment & eradication, System Reaction, Recovery. The interval between the attacker’s progress and the defender’s response is the “ATTACKER FREE TIME”; the need is to collapse it.
Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)

Slide 17: (image slide) John Smith, CISO
Copyright 2007 NetWitness Corporation
Slide 18: Thinking Differently about Network Monitoring
- … or, how I learned to love full packet capture…

Slide 19: There ARE specific targets…

Slide 20: What Questions Are Vexing Today?
- Why are packed or obfuscated executables being used on our systems?
- What critical threats are my Anti-Virus and IDS missing?
- I am worried about targeted malware and APTs – how can I fingerprint and analyze these activities in my environment?
- We need to better understand and manage the risks associated with insider threats – I want visibility into end-user activity and to be alerted on certain types of behavior.
- On our high value assets, how can we have certainty that our security controls are functioning exactly as implemented?
- How can I detect new variants of ZeuS or other 0day malware on my network?
- We need to examine critical incidents as if we had an HD video camera recording it all…

Slide 21: Typical Scenario These Days…
- Visit from the FBI saying, “You have a problem – information is being taken”
  - Perhaps IP addresses of compromised machines are provided
  - You might be told that certain types of files or email are being stolen
  - The CEO does not pay much attention to cyber, generally, but now it has his/her full attention
  - What do you do now?
- Knee-jerk reaction: take down these systems/networks, image the drives, rebuild the machines, life goes on, etc.
  - WRONG!!
- How do you know what has happened or is really still happening on the network?

Slide 22: What’s really happening (in many cases)…
- If it’s an advanced persistent threat (APT), the adversary is quite entrenched and has been there for a while
  - It’s not simply a piece of malware you can detect and eradicate
  - Both COTS variants (ZeuS) and specific custom tools (e.g., file search tools)
- They have the ability to change techniques, control channels, SSL certs, hours of operation, etc.
  - Commands scheduled on individual Windows machines
  - Text files containing lists of target files
  - RAR’d bunches of targeted files ready to be moved off the network via any number of communication pathways
  - Spear phishing attacks using bogus mailboxes created on the mail system
- Their true approach is not always the obvious one
  - C&C servers in places like HVAC or other low-profile systems, versus file servers
  - Drop locations are not in China or Belarus, but in the U.S.
Slide 23: Sample Approach to Resilience

Slide 24: Today’s adversaries leverage every weakness
- Failure of AV and IDS to detect both ZeuS and other known exploits, and unknown emerging threat problems
- Security program weaknesses:
  - Open domain admin accounts
  - Passwords backed up in clear-text files
  - Postings on public forums containing questions regarding the organization’s firewall rules
  - Flat security architecture (no segmentation of traffic)
  - Inadequate use of firewall ACLs and logging
- Lack of other prudent security techniques such as full packet capture, DNS blackholing, two-factor authentication, etc.

Slide 25: Who is NetWitness
- A quick introduction

Slide 26: Security Leaders Leverage NetWitness
- Security teams in high threat environments:
  - 5 of the Fortune 10
  - 70% of US Federal agencies
  - Over 45,000 security experts around the world
- Recognized for outstanding performance:
  - #21 in the 2010 Inc. 500, including #1 in the U.S. among enterprise software companies
  - Winner of the SC People’s Choice Award and numerous other industry achievements
Quotes on the slide:
- “Traditional security measures like firewalls, intrusion detection, patch management, anti-virus, single tier DMZs are not enough to stop the new threats.” – CISO, Major U.S. Federal Agency
- “NetWitness is the last security appliance you will ever need to buy.” – Josh Corman, 451 Group
- “NetWitness is a cutting edge vendor for Network Analysis and Visibility.” – John Kindervag, Forrester Research
- “I rely upon NetWitness to detect and analyze malware that no other product can find.” – Director of Incident Response, NY Health Care Provider

Slide 27: Changes on the horizon…

Slide 28: Enabling A Revolution in Network Monitoring
- NetWitness Product Tour
Slide 29: Understanding the NetWitness Network Monitoring Platform
- Automated Malware Analysis and Prioritization
- Automated Threat Reporting, Alerting and Integration
- Freeform Analytics for Investigations and Real-time Answers
- Revolutionary Visualization of Content for Rapid Review

Slide 30: Signature-Free, Automated Malware Analysis, Prioritization, and Workflow (Spectrum)
- Mimics the techniques of leading malware analysts by asking thousands of questions about an object without requiring a signature or a known “bad” action
- Leverages NetWitness Live by fusing information from leading threat intelligence and reputation services to assess, score, and prioritize risks
- Utilizes NetWitness’ pervasive network monitoring capability for full network visibility and extraction of all content across all protocols and applications
- Provides transparency and efficiency to malware analytic processes by delivering complete answers to security professionals

Slide 31: Automated Analysis, Reporting and Alerting (Informer)
- Flexible dashboard, chart and summary displays for a unified view of threat vectors
- Get automatic answers to any question for…
  - Network Security
  - Security / HR
  - Legal / R&D / Compliance
  - I/T Operations
- HTML, CSV and PDF report formats included
- Supports CEF, SNMP, syslog, SMTP data push for full integration in SIEM and other network event management

Slide 32: Getting Answers to the Toughest Questions (Investigator)
- Interactive data-driven session analysis of layer 2-7 content
- Award-winning, patented, port-agnostic session analysis
- Infinite freeform analysis paths and content / context investigation points
- Data presented as the user experienced it (Web, Voice, Files, Emails, Chats, etc.)
- Supports massive data-sets
  - Instantly navigate terabytes of data
  - Fast analytics – analysis that once took days now takes minutes
- Freeware version used by over 45,000 security experts worldwide

Slide 33: A New Way to Look at Information (Visualize)
- Revolutionary visual interface to content on the network
  - Extracts and interactively presents images, files, objects, audio, and voice for analysis
  - Supports multi-touch, drilling, timeline and automatic “play” browsing
  - Rapid review and triage of content
Slide 34: Case Study
- Understanding a Custom ZeuS-based APT Spear Phishing Attack

Slide 35: Finding bad things on the network: Are all ZeuS variants created equal?

Slide 36: Realities: Continued Targeted Attacks Against USG Assets
- There has been an ongoing campaign associated with forged emails containing targeted ZeuS infections
- Typical scenario is an email from some “reliable” email address containing spear phishing text of interest and a link to a custom ZeuS site
- Parallels: this approach directly imitates non-USG mass eCrime ZeuS approaches
Sample lure email reproduced on the slide:
  Subject: DEFINING AND DETERRING CYBER WAR
  From: ctd@nsa.gov
  U.S. Army War College, Carlisle Barracks, PA 17013‐5050, December 2009
  DEFINING AND DETERRING CYBER WAR
  Since the advent of the Internet in the 1990s, not all users have acted in cyberspace for peaceful purposes. In fact, the threat and impact of attack in and through cyberspace has continuously grown to the extent that cyberspace has emerged as a setting for war on par with land, sea, air, and space, with increasing potential to damage the national security of states, as illustrated by attacks on Estonia and Georgia. Roughly a decade after the advent of the Internet, the international community still has no codified, sanctioned body of norms to govern state action in cyberspace. Such a body of norms, or regime, must be established to deter aggression in cyberspace. This project explores the potential for cyber attack to cause exceptionally grave damage to a state’s national security, and examines cyber attack as an act of war. The paper examines efforts to apply existing international norms to cyberspace and also assesses how traditional concepts of deterrence apply in cyberspace. The project concludes that cyber attack, under certain conditions, must be treated as an act of war, that deterrence works to dissuade cyber aggression, and provides recommendations to protect American national interests.
Source: iSightpartners
Slide 38: Which AV Product Sucks the LEAST!!!?

Slide 39: “DPRK has carried out nuclear missile attack on Japan”
- AV effectively “neutered” by overwriting the OS hosts file
- Attempts to retrieve updates from the vendor update server are routed to 127.0.0.1
- Back to our “ATTACKER FREE TIME” discussion: if AV didn’t pick up the malware initially, it never will now
Slide 40: Infection Progression – Nothing Unusual
- After a user clicks on the link, the file “report.zip” is downloaded from dnicenter.com
- If the user opens the file, the malware is installed
- The malware is actually a ZeuS variant; the author used techniques to hamper reverse-engineering / analysis of the binary

Slide 41: Further Network Forensics Evidence…
- ZeuS configuration file download
- This type of problem recognition can be automated

Slide 42: (drop server)
- Malware stealing files of interest to the drop server in Minsk
- FTP drop server is still resolving to the same address
- Early on March 8, 2010, the server was cleaned out and the account disabled
- username: mao2 password: [captured]

Slide 43: Files harvested from victim machines in drop server (located in Minsk, Belarus)
- FTP drop hosted in Minsk, with a directory listing of 14 compromised hosts containing exfiltrated data

Slide 44: (beaconing)
- Time graph of beaconing activity and metadata showing comms to the C&C server – all via “allowed pathways”
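The beaconing time graph on slide 44, and the remark on slide 41 that this kind of recognition can be automated, come down to one measurable property: C&C check-ins over an allowed path arrive at near-constant intervals, regardless of what the payload looks like. The following is an added example (not NetWitness code) that groups connection records by source/destination pair, measures inter-arrival jitter, and reports the regular pairs; the record format and every address and timestamp are constructed.

```python
"""Periodic-beacon check over connection records (added example, not
NetWitness code). Groups records by (src, dst), measures the jitter of
the inter-connection gaps and reports pairs that keep a steady rhythm.
All records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median, pstdev


@dataclass(frozen=True)
class BeaconCandidate:
    src: str
    dst: str
    count: int
    median_interval_s: float
    jitter: float  # pstdev / mean of the inter-connection gaps


def parse_records(lines):
    """Parse '<ISO timestamp> <src> <dst>' lines; blanks and '#' comments are skipped."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst = line.split()
        out.append((datetime.fromisoformat(ts), src, dst))
    return out


def find_beacons(records, min_count=6, max_jitter=0.15):
    """Return pairs with at least min_count connections and gap jitter <= max_jitter."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    found = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue  # too few samples to call it a rhythm
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # everything at the same instant: a burst, not a schedule
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            found.append(BeaconCandidate(src, dst, len(stamps), median(gaps), jitter))
    return found


# Constructed records: 10.1.1.20 checks in every ~5 min with a few seconds of
# jitter; 10.1.1.21 browses irregularly; 10.1.1.22 is too sparse to judge.
SAMPLE_CONNECTIONS = """\
2010-03-07T09:00:00 10.1.1.20 203.0.113.7
2010-03-07T09:05:04 10.1.1.20 203.0.113.7
2010-03-07T09:09:58 10.1.1.20 203.0.113.7
2010-03-07T09:15:06 10.1.1.20 203.0.113.7
2010-03-07T09:19:55 10.1.1.20 203.0.113.7
2010-03-07T09:25:02 10.1.1.20 203.0.113.7
2010-03-07T09:30:01 10.1.1.20 203.0.113.7
2010-03-07T09:34:57 10.1.1.20 203.0.113.7
2010-03-07T09:00:00 10.1.1.21 198.51.100.9
2010-03-07T09:00:07 10.1.1.21 198.51.100.9
2010-03-07T09:03:40 10.1.1.21 198.51.100.9
2010-03-07T09:21:15 10.1.1.21 198.51.100.9
2010-03-07T09:22:00 10.1.1.21 198.51.100.9
2010-03-07T09:58:30 10.1.1.21 198.51.100.9
2010-03-07T09:12:00 10.1.1.22 203.0.113.7
2010-03-07T11:40:00 10.1.1.22 203.0.113.7
"""

if __name__ == "__main__":
    for b in find_beacons(parse_records(SAMPLE_CONNECTIONS.splitlines())):
        print(f"{b.src} -> {b.dst}: {b.count} conns, ~{b.median_interval_s:.0f}s apart, jitter {b.jitter:.2f}")
```

Real beacons add sleep jitter deliberately, so tune `max_jitter` and `min_count` against your own baseline rather than treating the defaults as fixed.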
Slide 45: Conclusions

Slide 46: Combating Advanced Threats Requires More and Better Information…
The slide ranks data sources on a Lowest Value to Highest Value axis; listed here in the slide’s order:
- Firewalls, Gateways, etc.: Overwhelming amounts of data with little context, but can be valuable when used within a SIEM and in conjunction with network forensics.
- IDS Software: For many organizations, the only indicator of a problem, and only for known exploits. Can produce false positives and is limited by signature libraries.
- NetFlow Monitoring: Network performance management and network behavioral anomaly detection (NBAD) tools. Indicators of changes in traffic flows within a given period, for example, DDoS. Limited by lack of context and content.
- SIEM Software: Correlates IDS and other network and security event data and improves the signal-to-noise ratio. Valuable to the extent that data sources have useful information and are properly integrated, but lacks the event context that can be provided by network forensics.
- Real-time Network Forensics (NetWitness): Collects the richest network data. Provides a deeper level of advanced threat identification and situational awareness. Provides context and content to all other data sources and acts as a force multiplier.

Slide 47: Take-Away
- Advanced adversaries and emerging threats require revolutionary thinking
- Current security paradigms are completely broken – all organizations (including yours) will be compromised, no matter how good your security team
- The real objective should be improving visibility at the application layer – this goal requires complete knowledge of the network and powerful analytic tools and processes
- Goals:
  - Lower risk to the organization
    - Improve incident response through shortened time to problem recognition and resolution
    - Reduce impact and cost related to cyber incidents
    - Generate effective threat intelligence and cyber investigations
  - Reduce uncertainty surrounding the impact of new threat vectors
  - Conduct continuous monitoring of critical security controls
  - Achieve situational awareness – being able to answer any conceivable cyber security question – past, present or future

Slide 48: Q&A
- Email: [email_address]
- Website: http://www.netwitness.com
- Twitter: @netwitness
- Blog: http://www.networkforensics.com
Know Everything…Answer Anything.
