Security as a Service

Transcription

1 Security as a Service 360 Living Security Assessment Why Traditional Security Assessments Are Failing To Keep Up Professional Services Whitepaper April 2014 Craig D'Abreo, CISSP GCIH Vice President - Masergy Professional Services

2 Contents Introduction... 2 Case Study Synopsis... 2 Issues With Traditional Assessments... 3 There Is A Better Way: 360 Living Security Assessment... 6 A Practical Application Case Study: Data Integration At Various Layers Conclusion Introduction With the proliferation of sophisticated modern malware distribution methods and a sharp increase in data breaches across a variety of global industries as a direct result of these infection methods, a new generation of security assessment technique have evolved that positively identifies these targeted attacks and helps organizations protect their critical assets. This white paper describes the problems with traditional security assessments and explain the holistic methodology this sophisticated class of integrated assessment technology utilizes to test for, identify sources of data leakage, block and remediate security incidents across an enterprise. Case Study Synopsis The following case-study is an example of one of the many information security incidents that occurs on a daily basis across the globe that is devastating to an organizations' reputation and business as a result of a simple yet sophisticated set of attacks to which most companies are susceptible: A security breach has been identified by a 3 rd party provider and the victim organization (a defense contractor) has just been notified that its critical documents which includes sensitive classified proprietary business information, user data and compromised data files have been found on servers several states away. The victim organization approaches a local security company to conduct an emergency network security assessment and assess the situation. On completion of the traditional security assessment which included scanning the external and internal network the consultants find no evidence of malware, data leakage or are able to identify any compromised machines. They do however identify and report on a few general vulnerabilities. After delivering their reports and invoices the security consultants are done with the project. 2

3 Issues With Traditional Assessments In order to realize why traditional security assessments are no longer sufficient or effective in detecting sophisticated infections, whether it's the run-of-the-mill type infections or specifically targeted attacks such as Advanced Persistent Threats (APTs), it is imperative to understand how modern malware typically operates. Malware is most effectively propagated due to vulnerabilities (very often zero-day) in regular desktop applications like PDF readers, various web browsers, flash and movie players etc. Unsuspecting users are tricked into accessing malicious websites or even regular websites that may have malicious advertising banners (funded by organized crime groups) or in more specifically targeted attacks the users of the victim organizations are tricked into opening up attachments or clicking cleverly disguised links through various social engineering techniques such as spoofed s. The following is an example of a malicious request in which a user is persuaded to open the attachment claiming to be a valid online purchase: Once at these websites, specially-crafted exploits residing on the webservers are launched against the user's machine that targets weaknesses in the users' browsers, desktop applications and other software. As soon as the exploit is executed the malware embeds itself deep into the victim machine unannounced to the user, and also installs backdoors and other command and control applications that enable a hacker to take complete control of the system. In addition to having access to these systems the malware is capable of recording all user keystrokes via key loggers, sniffing for sensitive information like usernames, passwords, credit card info, financial data, Personally Identifiable Information (PII) etc. that can be securely ex-filtrated out of the network through encrypted communication channels. Sophisticated malware even has the capability of hiding itself deep in the operating systems or changing its form (signature) also known as polymorphism so that traditional antivirus programs are unable to detect and quarantine them. Logic bombs are also common, where the malware will stay silent for extended periods of time and at random intervals will awake to send small amounts of data to the attackers in order to go undetected. 3

4 The following diagram is a high level representation of the attack flow in order to compromise a target network: Once an attacker has a foothold on the network via zero-day attacks such as spear-phishing they begin to start targeting various other network components and infrastructure within the victims' environment. This leads to further exploitation and data compromise of systems as they move through the organization undetected. Planting additional backdoors, Trojans, logic bombs etc. across the environment is a common practice to ensure they maintain access if discovered or accidentally shut down. Very often the goal is to stay on the network for an extended period of time and continue exfiltrating data for as long as possible thus maintaining stealth by covering up their tracks is an important component of the attack. 4

5 The following high level process summarizes a general targeted attack: High Level APT Process The sophisticated attack techniques that target zero-day vulnerabilities, also known as Advanced Persistent Threats (APTs), cannot be identified by traditional vulnerability assessments. These traditional security assessments (such as vulnerability scanning) are looking for standalone known vulnerabilities with previously identified and reported signatures and are unable to alert on zero-day vulnerabilities that do not have a known signature. By inherent design another weakness of the scanning engines is that they do not attempt to look at the holistic network and simply do not indicate what hosts have been compromised and if they are bleeding critical data offsite to malicious location. Unfortunately very often these types of traditional assessments are standard check box' items for various compliance frameworks and standard audits to answer questions such as: Have you run vulnerability scans and fixed patched? Yes, we have box checked, point closed, move on and only the bare minimum has been accomplished while the attackers still have complete control of a network and continue to ship off data unscathed by the traditional vulnerability scan. As we break down each component of the various stages that comprise the APT attack into sub section components to understand the specific tools and techniques used to further penetrate the environment, maintain access and ex-filtrate data we can start mapping out these component based on tradition assessment techniques. Our research has shown that these assessment methods are able to identify just a few components within the attacks and we have found that over 85% of attack vectors cannot be detected by traditional assessment techniques. 5

6 The subsystem APT process below highlights the attack vectors components that are typically identified by traditional assessments techniques (< 15%): Subsystem APT Process There Is A Better Way: 360 Living Security Assessment There is no single appliance or technology that will detect and prevent every single kind of cyber-attack, but due to the large gap (>85%) in what is potentially identified by traditional security assessment techniques, our understanding of APT attacks and how they are able to easily infiltrate organization, we have started to see a new generation of assessment techniques. 6

7 These next-gen techniques combine several security initiatives that specialize in detecting a compromised network infrastructure based on the following assessment steps: Step 1: (24/7 Behavioral based network traffic monitoring + APT Detection) Due to the inherent nature of sophisticated malware most antivirus programs are unable to detect deeply embedded rootkits and kernel malware that is installed deep within the operating system. The only way to determine if these systems are compromised is to watch their network traffic pattern behaviors across the wire. These communication channels tend to be encrypted and also may not follow any particular timeframe/range. We have seen malware hibernate for several weeks and unexpectedly wake up and begin to talk back to their command and control (C&C) servers for a few seconds but during that time they tend to send back a large chuck of information that usually related to ex-filtration of data. It is thus important to watch for and analyze any suspicious patterns of network activity that is out of the normal behavior. Since this type of activity is extremely laborious from a manual perspective it is necessary to employ automated pattern analysis techniques that have the ability to analyze and keep track of historic network data as well as correlate current anomaly detection to previously observed traffic patterns in order to determine changes in normal network behavior. These types of network monitoring tools also help determine zero-day attacks. Install and configure network packet monitoring tools at strategic location with anomaly detection and behavioral traffic analysis. These tools should be setup at several locations across the enterprise such in front of the firewall on the perimeter (on the external network), behind the firewall on the internal network), in front of any trusted computing zones such as server farms, DMZ etc. The specific placement of the packet analysis and monitoring tool are extremely important so that maximum visibility is achieved across the environment. Core switch are recommended as spanning these traffic points provide as much coverage as possible from a network level. In addition the behavioral pattern analysis it is important that these monitoring tools also have the capability of signature analysis to help determine when known malware may be present as well as detect when malware or attacks are attempting to exploit specific vulnerabilities in software or 7

8 operating systems. It is the combination of signature and behavioral traffic pattern analysis that will help detect anomalous activity on a network. All the security technology in the world is not effective unless a team of security specialists are actively monitoring and assessing these solutions. When considering packet analysis solutions it is extremely important to employ a Managed Security Services Provider (MSSP) type model in which there is a team of specially trained security analysts to not only monitor but also analyze and interpret suspicious behavior that can be acted on and translated to incident response of your team to take action on. By focusing on anomalous network behavior the team is able to determine if there is suspicious network traffic behavior such as DNS queries to odd servers, random use or certain protocols and services, large file transfers to external sources, compromised systems on the network, new servers and workstation alive on the network etc. Another advantage of 24/7 monitoring is the immediate response capabilities of your security team no matter what time of day, or day of week to block an attack again the network. Step 2: (Penetration Testing, Vuln Analysis and Firewall Assessments) Once monitoring has been implemented across the network the next step is to begin penetration testing and vulnerability analysis assessments on the external and internal network. Penetration testing is an important aspect of overall network security since it takes a much different approach than automated vulnerability scanning. In automated scanning an assessor points network and application scanners at targets in order to determine the know vulnerabilities that may be present. While this assessment may account for identification of vulnerabilities and missing patches, penetration testing take vulnerability analysis and exploitation of these vulnerabilities to a whole different level. In pentration testing, the assessors simulate what a determined hacker would do in order to exploit a target network and potentially gain access. A majority of the time spent during such as assessment is focused on manual attack and exploitation techniques that typical vulnerability scanner are not sophisticated enough to perform. The goal is not to bring down the network but rather to attempt to gain access into the environment like a determined hacker would attempt to exploit. In addition to looking for holes within the network a penetration testing assessments tests the incident response 8

9 procedures of the organization as well as clearly demonstrates to management the security issues that may be present. At this stage of the overall assessment since the perimeter is currently being assessed using penetration testing techniques and vulnerability analysis tools the next step in securing the perimeter is to perform a detailed assessment on the security of the firewall. Since this is the main gateway in and out of the network it is extremely important to ensure the proper rules are in place. Very often organizations do not have any kind of egress (outbound) rules in place. Thus all (potentially 65,535) ports are allowed outbound. Through our research we have come across several forms of malware that propagate on high ports and even switch between several ports while connecting and establishing tunnels to external entities to transfer out data. These techniques are used by malware developers so that they can avoid commonly inspected traffic such as port 80 (http) and 443 (https) type connections by security devices. It is thus essential to ensure firewalls are locked down to only the necessary inbound and outbound ports based on business requirements. Temporary Access Control Lists (ACLs) and overlapping ACLs should also be checked to ensure there are no conflicting rules that could create a hole into the network. It is common for firewall administrators to create temporary rules that facilitate an emergency service and several weeks or months after allowing access to the environment human nature tends to forget to go back and shut these services off. An equally essential monitoring task while assessing the firewall is to make sure the firewall logs are being monitored on a consistent basis. Firewalls do generate a high volume of logs but it is necessary to capture and alert on significant events such as firewall login attempts, failed login attempts, changes to ACLs, any kind of brute force attacks, blocked traffic event etc. These kinds of events provide the most amount of value when co-related with network based events from the packet monitoring tools. Since analysts are constantly watching the network events on a 24/7 basis for the duration of the assessment it will be beneficial to capture the firewall logs and alerts and thus co-relate with other network based activity. 9

10 Step 3: (Internal Assessment, Security Policy, MDM & Cyber Liability Coverage) With several key security initiatives in place that have targeted the perimeter (Step 2) as well as 24/7 network packet analysis (Step 1) that covers overall network monitoring to determine where the data exfiltration may occur, these various steps has already automatically created a well-positioned security assessment shell around the target network infrastructure. It is now time to start working on the core of the network which not only includes technical analysis of the internal network but also focuses on the administrative and compliance security initiatives such as policy, information security awareness programs, mobile device management, log monitoring and critical server analysis. Security policy in any organization should be a top down initiative. Management must be able to establish baseline security policies for the organization and actively ensure that these policies are being distilled through the organization on a regular basis in the form of policy review, security awareness training sessions and ongoing monitoring to ensure these policies are being followed. Organizations often have elaborate security policies that employees are required to sign at their time of hire but are not disseminated on a regular basis. A majority of the modern malware attacks are successful as a result of a user being tricked into clicking/downloading/accessing content they should not have in the first place. With the rise of employee-owned personal mobile devices (BYOD) and corporate data stored on the devices such as sensitive corporate and files, organization are having a challenge with securing data on these devices as well as having to deal with the security challenge facing the app marketplace such as rogue apps that are designed to steal data by accessing other apps on the mobile platform that are unknowingly downloaded by users. Due to the significant challenges with mobile platforms it is necessary to assess and understand how the organization is equipped to deal with their mobile user and more importantly is there a policy in place to address mobile device management (MDM). Mobile devices that have been compromised once connected to the corporate network have the potential of attempting to identify and target network resources. It is thus necessary to assess and if found deficient employ corporate policies for MDM as well as deploy solutions that help protect corporate data from being exposed on these devices. 10

11 Another aspect of organization risk transference is to ensure that the organization has sufficient insurance coverage in case of a data breach. With the cost of global cybercrime topping $114 billion i annually and with average estimates of each compromised record costing an organization $214 ii the need for external cyber liability coverage is vital for the financial survival and rebuilding of an organization in the event of a data breach that become public. While tradition insurance covers tangible property and third party liability, cyber insurance covers the bits and bits of data that is processed by your organization and covers information such as Social Security numbers, credit card data, health records and PII information, financial records (banking and investments, credit info, pension, retirement) etc. Network Security and Privacy coverage begins with the first and third party coverage for loss and damage that may result from digital data that the organization may store such as files on stolen employee laptops or even information lost as a result of malware and data leakage from a network. With a good cyber policy in place costs for notification as well as fines and penalties are covered in addition to costs of resolving public relations in the event of a disaster. As a result of increasing data loss over the past several years across various industries, major frameworks and federal regulations have been put in place such as HIPPA (Health Insurance Portability & Accountability Act) for healthcare, PCI-DSS (Payment Card Industry Security Standards Council) for retailers credit card and PII transaction, FERPA (Family Education Rights Privacy Act) for educators, FCRA (Fair Credit Reporting Act) and GLBA (Graham-Leach-Bliley Act) for financial institutions etc. to regulate and impose penalties as a result of negligence with the handling of sensitive and privacy data. Thus as part of the assessment it is imperative to assess, evaluate and if insufficient coverage is found explore options that will sufficiently cover the organization in the case of a breach or data loss. A Practical Application Case Study: Data Integration At Various Layers The true power of the above three assessment layers exists in the intergration and sharing of information by each security initiative across the various layers. While a single layer is not sufficient to completely determine overall security posture, the sharing and intrepreting of data gathered across several layers helps paint an accurate picture of what is actually occuring on the network and which systems have been compromised and may be currently leaking critical data. The following case study which was an actual assessment that was performed by using the above assessment methodology to find source of compromise that occurred on a corporate network (We have mapped the assessment initiative to the steps outlined above) - Once onsite, installed monitoring devies at perimeter, internal core switch, and server ranges. At this point the entire network traffic is being monitored and every single packet passing in and out of the network is being carefully tracked. [Step 1] 11

12 - While traffic is being captured and behavioral profile is forming of network, the core firewalls are undergoing assessment. All firewall ACLs (Access Control Lists) are investigated and audited to determine security risks. [Step 2] Findings: Security Audit determined the absence of egress (outbound) filtering in addition to the presence of several non-required inbound ports rule to unused services. Remediation included blocking all outbound traffic with explicit rule for business related traffic. - External penetration test and vulnerability analysis conducted on network perimeter. [Step 2] Findings: Several static vulnerabilities are identified and mail server has been found to allow any one from the internet to relay off mail server and spoof of any company official. Proof of concept (POC) is carried out to confirm. sent to employess spoofed from CEO inbox. Remediation included patching of all vulnerable services and disabling externally accessible mail relay service. - Internal security assessment conducted with focus on servers. Implemented specialized host based monitoring tools on critical servers to logs and capture suspicious process behavior. [Step 1 + 2] Findings: Around 4am the logging tools detects 2 outbound connection on port tcp/443 from main file server to 2 distinct IP addresses. Furthur investigation reveals IP address are part of botnet and are associated with hosting malware - Malicious IP address are co-related across network packet capture devices to determine if similar traffic was observed across the network. [Intergration of Step ] Findings: Behavioral patterns and packet capture analysis found 12 computers on the network including 5 servers to have random outbound activity on port tcp/443 to the same IP address at random intervals times over the past several days. Remediations include reimaging of all found compromised machines including servers and workstations. - Captured live memory dumps from all servers and workstation to analyze contents. [Step 3 + 1] Findings: Memory analysis revealed the presence of malware files attempting outbound communication. Remediations include reimaging of all found compromised machines including servers and workstations. 12

13 - Reviewed Security policy, Mobile Device management implementation, endpoint security coverage and cyber liability insurance coverage. [Step 3] Finding: Organization severely lacked security policy and employee awareness training programs. Mobile device managemnt solution in place with minor tweaks needed for security. Cyber liability coverage was not sufficient based on business practices and data help and needed review. Conclusion As this whitepaper has demonstrated through illustration of modern malware techniques and case study analysis, the traditional security assessments are no longer able to keep up with the sophistication and propagation of complex and targeted attacks. But as clearly shown above the next generation of security assessment techniques which combines a variety of initiatives and specialized tools that specialize in anomaly detection, share information and work together in various layers does enable a security assessment team to quickly identify and contain the source of network compromises and data leakage. 13

14 Sources: i ii 2010 U.S. Cost of a Data Breach Study by the Ponemon Institute 14