White paper / Network Monitoring. Network Monitoring. Context Response April response@contextis.com. Context Information Security 1 / 15

Transcription

1 Network Monitoring Context Response April 2013 Context Information Security 1 / 15

2 Contents Background 3 Devising a Monitoring Strategy 5 Three Key Questions 6 The Kill Chain 8 Bringing in Outside Help 11 About Context 14 Context Information Security 2 / 15

3 Background The times have changed quickly within the realm of Information Technology. Only 30 years ago most people barely used computers and very few concerned themselves with computer security. But even in the 1980s there were already viruses, albeit limited in number, complexity and impact; and Clifford Stoll s 1989 book The Cuckoo s Egg demonstrated the intent of states to exploit the new connected world, even in a pre-internet age. Even if anyone had managed to foresee the growth in popularity of the PC and a world where individuals, homes, businesses, and government were connected all the time to a high speed Internet, it is far from certain that they would have been able to predict the staggering number of threats to data security that we see today. Reducing the risks to network security in the early days was reasonably easy. First, organisations acquired firewalls, which protected them from many external threats. Remember, these were the days where the average threat was more likely to come from port scanning script kiddies than from organised crime or foreign states. A short time after, basic perimeter defences were introduced which saw the implementation of the first desktop antivirus and Intrusion Detection/Prevention Systems. These services would come to be regarded as the staples of network security. For many years company executives assumed that, because they had these security measures in place, their data was safe. And who could blame them? IT security managers had told them that if they spent the millions required to keep subscriptions up to date they would be protected. So effective was this protection that other basic security measures, such as penetration testing and even patching, were lower priorities. Today we find ourselves in a different and much more difficult position. Most security professionals understand that there are threats which traditional signature-based security measures will not be able to detect. However, not all IT managers are as well informed and are hesitant to tell their employers that the money spent on security over the years has not protected them from more sophisticated and dangerous threat actors. And given that for many years IT security has largely been a hands-off, automated activity, most organisations have relatively small security departments, and lack individuals with the skills to monitor network activity and detect malicious traffic. A lack of money, understanding and resource: things don t look good. Not every organisation needs to go the extra mile to diligently monitor all their network traffic and to instrument all their systems, collecting and analysing data to look for intrusions. But how can anyone be sure into which category their organisation falls? Before starting to think about capturing and analysing network traffic, host and log data, perhaps the best first step is to stress the importance of this issue within the organisation because the targeted attacks most likely to evade existing security measures and cause the most damage are not solely an IT problem, but rather a business issue. The IT department in general and the IT security function in particular are unlikely to be fully engaged in the business, so are likely to lack a complete understanding of which data is of most value, the threats to that data, or where it is stored. Only effective communication within the organisation will reveal where the most valuable data is generated and stored. Is it intellectual property created by engineers? Financial reports? Legal data? Strategic data? Those at the top of the organisation are most likely to understand where to start looking. Sometimes the answers will be relatively easy, but Context Information Security 3 / 15

4 sometimes, as we have discovered when working through this process with clients, it can be quite surprising. What an organisation s own staff regard as its most valuable data may not be the data that attackers see as being of the greatest potential value. The next step can be tricky. For a commercial organisation it may depend on a thorough knowledge of domestic and international competitors. Knowledge of established competitors is valuable, but so is awareness of competitors who are just trying to establish their place in the market; some of them may be prepared to try to gain a competitive advantage through foul play. It is perfectly possible that the threat may come from a state sponsored attacker. This is not just something you see in the movies, but an international phenomena occurring on an industrial scale and conducted by many different players. There will always be a customer for state sponsored hacking: possibly a state owned enterprise, perhaps the military, or an intelligence agency. If an organisation is able to identify its most important data assets, it knows what it is trying to protect and can focus its monitoring efforts in the most appropriate places, whether that be on desktops, laptops, mobile devices, external hard disks, servers, intranet web applications, a network share or somewhere else if data is already in the cloud you don t know exactly where it is. At the end of this process, many businesses may conclude that they are not holding any data which will be particularly attractive to an attacker. At that point, armed with the information that led to that conclusion, the decision not to start a monitoring program is perfectly valid. This is a risk-based approach and if the organisation has no data which it cannot afford to lose, then there is virtually no risk to the organisation s survival even if all data were to be compromised. However, plenty of businesses will decide that they do hold data in need of better protection. Perhaps the data is intellectual property which the company will rely upon for its revenue streams and competitive advantage for years to come, or perhaps it is critical for business continuity reasons. Figure 1: The Threat Triangle Context Information Security 4 / 15

5 Devising a Monitoring Strategy Once the decision to monitor a network has been made, there is a need to understand the structure of the network and the available sources of evidence. Corporate networks have become horrendously complicated; some or all of their components may be outsourced, which may prevent monitoring altogether or mean fees have to be paid to the outsourcer in return for access to the organisation s own data. Companies which have grown over the years may find that no single individual actually understands what the network looks like today. Mergers and acquisitions may have added whole new domains, which may have been plugged straight into the existing network with varying levels of security or network architecture standards. Is there a standard build across the whole estate? Are there restrictions on what users can download and install? If users have local administrator rights, it is quite likely that understanding what is going on will be virtually impossible. During our engagements with clients we have found peer to peer networks running and users illegally downloading music and videos. They are consuming valuable bandwidth, potentially putting the company at risk of legal action and providing attackers with an easy way to infiltrate the network and exfiltrate data. A network where users only have access to the resources given to them, or where they have to apply for access to resources, is easier to monitor, because administrators know what sorts of traffic should and should not be there. Even those who administer the network should carry out tasks at the appropriate level, rather than simply logging into one account as a domain administrator because it s an easy option. We find that a majority of our clients benefit from a gap analysis exercise, which seeks to establish the client s current security posture in the areas of network, domain, application, host and policy. This entails analysis of each area in depth, then a comparison between the current situation and best practice. IT managers and senior decision makers can then read a single report to see where improvements need to be made and can make an informed decision on how to prioritise implementation of those improvements. The exercise can be repeated at regular intervals to map progress. Once the basics are taken care of, monitoring becomes more straightforward. The next choice is what to monitor. Do you start with existing sources of information (if you have them), or by capturing traffic for analysis? We suggest that an organisation with a relatively immature capability and a non-specific requirement as when monitoring is to be conducted as a pro-active detection exercise rather than in response to a specific threat should begin by developing an understanding of what is already available. Switching on logging wherever possible and storing logs for as long as possible is always a good start. Storage may be an issue, depending on the size of your network and the amount of traffic going through it. It may be that trying to monitor everything is too large a task for the resources available, but rather like the answer to How do you eat an elephant? (one bite at a time), beginning to collect evidence now may help later, when capacity and capabilities are increased or the organisation engages outside help able to offer more advanced capabilities. Good data sources to start collecting include firewall logs, proxy logs, DHCP lease logs, DNS logs and netflow. It is important to ensure that they all use the same, accurate time source, or making sense of what has happened will become even more difficult. Context Information Security 5 / 15

6 Three Key Questions All being well, the organisation will now be collecting logs. But it now needs to answer three key questions: who is going to look at the output of the monitoring; what will they be looking for; and what are they going to do if and when they find something? Securing analyst resource is difficult. Context is constantly hunting for people with the technical skills and analytic minds required to make sense of masses of data. Very few people make the cut, because being an analyst isn t always enough you also have to be an investigator. This is not an easy combination to master, made even more difficult when the individual is trying to do multiple tasks within a team. The analyst needs to be able to conduct analysis, get to know the network and hone their investigative skills. This requires concentrated effort: it is not something you can dip in and out of between other duties. This is often the limit of an organisation s desire to carry out network monitoring, because few internal personnel possess the skills needed to perform the role and there may be limited funding available to recruit for it. But hiring analysts has advantages: the act of advertising for full time security analysts forces managers to recognise that the role is necessary and means they have to start thinking about how best analysts can be utilized. Analysts may bring valuable experience from their previous roles and are likely to be able to use the tools required to make sense of all the data being collected. Some of these tools may already be available on the organisation s network, but are likely to be under-utilised if they are used at all. Many security tools can be also be acquired in free trial versions. These may be limited either by capacity or time, but are probably good enough to make a start. Using these versions will also make it clear whether or not it is appropriate to buy the full license. Developing knowledge of what to look for requires more than just a skill for following hunches. There is a need to understand the sorts of threats an organisation faces and the capabilities and techniques threat actors could deploy against the organisation. For example, if an organisation processes financial data such as credit card transactions, the threat is less likely to come from state sponsored groups than from criminals. Whether those criminals are part of a sophisticated organisation or are financially motivated lone hackers, the analyst can consider the sorts of tools the attackers are likely to use and the sort of data under threat. They can then gradually start to narrow down what they should be looking for among the terabytes of legitimate data. Some things are easier to find than others: although there is no shortage of information online about criminal malware, trying to understand Advanced Persistent Threats (APT) is a much more daunting task. APT means different things to different people. Perhaps the greatest misunderstanding of the term is the false idea that it refers to the malware used, rather than the threat actor. When the phrase was first coined, by the US military, it referred exclusively to China as a threat actor, whose persistence in attacking the same targets over long periods of time until an attack succeeded was complemented by an advanced approach: remote attacks were not their only vector when necessary the attacker would use additional vectors to compromise a target. Keeping on top of what state sponsored attackers are doing is a full time job, even for a team with a great depth of experience and expertise. It requires reading all blogs and papers released on the subject, experience of tracking attacks on networks and complementary skills such as malware reverse engineering, host intrusion forensics and code Context Information Security 6 / 15

7 breaking. Expecting a single network analyst or investigator to be able to counter the efforts of sophisticated attackers is unrealistic. The danger is, if they fail to find any evidence there will be an assumption that there is no illicit activity to be found which will not always be the case. The third question what happens if the investigator does find something? looks like it ought to have a simple answer. Surely you stop the activity straight away? Not always. An organisation needs to consider their policy in advance: is the business prepared to allow the activity to continue, for the purposes of investigating and learning more about an attack; accepting the risk that confidential data is being removed? Or is the policy to stop malicious activity as soon as it is found? Sometimes the value of the data under threat is such that allowing the attack to continue is an unacceptable course of action, but often there is a very good argument for doing so. Only by understanding what the attacker is doing and identifying the data in which they are interested can you develop an effective way to protect the data at risk. But there are other steps to take. Incident response plans must be put in place to help inform the damage assessment process once the activity is closed down. Never assume that a compromise is linked only to one machine on the network; sophisticated attackers escalate privileges locally and often on the domain. This allows them to move laterally within the network to compromise further systems and accounts until they are able to access the data they want. Part of the attacker s process (as discussed below, see The Kill Chain) is to ensure network persistence by installing back-doors (sleeping implants) on other machines. That way, if the main systems go offline or are cleaned up, the attacker has a Plan B or Plan C. Maybe even a Plan D. Incident response processes need to be well tested to guarantee that when the time comes to pull the plug on an attack, evidence is preserved for offline analysis (and to confirm that the incident has been cleaned). This evidence may give investigators important information which will help them spot the next instance of the attack. If the data is valuable enough, the attacker will return to try again. Context Information Security 7 / 15

8 The Kill Chain Under the title of Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, Lockheed Martin described the process by which an attack could be broken up into discrete sections, each of which must be completed before an attacker can steal data from a network. If any one stage of the attack is disrupted, the stages that follow cannot be completed and this particular attack will be unsuccessful. More importantly, by understanding each of the steps that an attacker took once the compromise was identified, the analyst or investigator will have a collection of signatures for that attack. That means the attacker s persistence becomes a source of weakness, because not every aspect of their now recognisable tradecraft will be easy to substitute in the next attack. IP addresses can easily be changed, but this is not always true of tools and techniques (crypt, persistence mechanisms, custom protocols, etc.), so the next attack campaign is likely to include reused components that will be detected by signatures and other techniques developed in response to the previous attack. This helps to build the case for analysis as a means of learning more about the attackers. Mapping the Kill Chain for attacks starts to give the defender an advantage over the attacker. The concept was originally applied by the US military to the task of reducing death and injury caused by Improvised Explosive Devices in Iraq and Afghanistan. Previous efforts at detecting IEDs had always concentrated on detection immediately before the bomb was to be triggered, but the military saw the potential for stopping the bomb ever getting to the roadside, by identifying and disrupting the preceding stages, such as the transport of materials, reconnaissance of targets and assembly of the devices. A number of different models of the cyber Kill Chain have been developed. The adaptation which Context prefers to use is seen in the diagram below: Figure 2: The Kill Chain and the rising level of impact for each stage successfully completed by an attacker. Context Information Security 8 / 15

9 To summarise each stage: Reconnaissance the attacker collects information about the target organisation, such as personal data, addresses, IP addresses, publicly available documents from the company which could be Trojanised etc.; Attack Delivery the attacker launches their attack, most likely in the form of a wellcrafted, socially engineered carrying a Trojanised attachment or containing a malicious URL; Client Exploitation the target activates the attack by either opening the attachment or clicking on the URL, thus installing the payload (first stage implant); Command & Control the successfully executed attack establishes communication with its controller, extra implant modules may be downloaded and implant configuration changed or updated; Local Compromise the attacker has full control over the target machine; Internal Reconnaissance the attacker begins to map out the network to understand how to get to the systems and data they want as well as achieving the aim of privilege escalation ideally to Domain Adminstrator; Lateral Movement the attacker starts to traverse the network to reach the resources they want; Persistence the attacker safeguards their access to the network by ensuring they have multiple routes back into it should their initial compromise be detected; Exfiltration the attacker locates the information they want and successfully egresses it without detection. A good network analyst will aim to attach evidence sources to each Kill Chain category. That means capturing extra data sources. A good place to start is with anti-virus logs. Every organisation Context has worked with has had anti-virus deployed to all hosts, but very few have ever tried to understand what anti-virus has been doing. If configured correctly antivirus will tell you exactly what it is finding and on which machines. That can tell a good investigator a great deal. Open source searching of malware names will also reveal the sorts of threat actor using them and the frequency of attacks. Anti-virus will not find targeted attacks, which are packaged to avoid signature based detection, but this exercise still has value. Anti-virus will also make it clear if certain members of staff appear to have more issues with viruses than do their colleagues. This could be the result of more attacks being targeted at those individuals, or it may be because those individuals tend to open attachments and click on links that they should be leaving alone. Even if or especially if that person happens to be a senior figure in the organisation, this may show they are in need of a refresher course on IT security! DNS logs are a fantastic source of information too. However, they are captured in a very analyst-unfriendly style by default in Microsoft installations. With some simple scripting this problem can be solved, meaning these logs become a rich source of network intelligence. Checking DNS logs against the many free and well maintained blacklists online will provide clear indications of whether known malware is operating on the network and has not been detected by other desktop protection applications. Thus with a minimum of effort we have visibility of the Client Exploitation, Command & Control, and Lateral Movement stages of the Kill Chain, albeit probably only for lower level threats. Context Information Security 9 / 15

10 Continuing the theme of living off the fat of the land and using tools which are already available, Microsoft System Center Configuration Manager (SCCM), Microsoft System Center Operations Manager (SCOM) and the open source infrastructure monitoring software Nagios can all be used to collect all sorts of information about activity across the network, including software inventories, use of executables, account usage, event logs, and lots of other data. SCCM can also be configured to collect data on just about anything across the network, all of which can be stored in and then mined from a SQL database. These tools can add detail to seven out of the nine Kill Chain stages and are an invaluable part of the investigator s toolset. archiving can help to answer the question as to how a compromise occurred. As is the vector in a majority of cases, having the original piece of evidence is vital. The contains signatures of the attack (sender address, originating IP, mail agent details), provides clues as to how well targeted and crafted the social engineering aspect of the attack was; and shows whether there were multiple victims or just one. It will also have the original malware attached (or potentially downloadable via a link), enabling malware analysis. Context Information Security 10 / 15

11 Bringing in Outside Help If the requisite skills are unavailable in-house, an organisation may choose to work with a third party to carry out an assessment. There are plenty of different models for such an exercise. When Context performs this task for a client we install equipment to capture and store every packet entering or leaving the network and analyse it in near real time for several weeks, to build up in depth assessment of network traffic. However, network investigation only reveals part of the picture if you want to find malware, particularly the most sophisticated, targeted and stealthy malware, you need evidence from three areas: network, host and log. Malware cannot easily hide from all three of these sources, but will evade network detection as long as it is dormant on a machine or if its traffic is well encrypted. Many companies specializing in the detection of malware use a host agent. This is a piece of software which collects information about what is happening on the machine, looking at the file system and the registry, watching processes, services, drivers and more ephemeral data, comparing these with indicators of compromise, but most importantly conducting significant manual analysis on the data. We find that automated solutions can only help to a certain extent and that better results are obtained by asking an expert analyst to look at the traffic, logs and host data. Our model looks like this: Figure 3: The Context Approach Detection informs Response and vice versa, both lead feed intelligence to the client in order that they Understand their attack. Only through understanding the attack can a client Protect their data. The start point for a network investigation can be either Detect (the client is taking proactive measures in order to identify nefarious traffic) or Respond (the client knows there is a Context Information Security 11 / 15

12 problem and wants to understand the extent of that problem). Detect phase tasks usually lead to the identification of incidents which require a response, which in turn allows for more detection work and vice versa. The key point is that at every stage, the findings inform the client, allowing them to Understand the risk to their data. From an understanding of the risk comes agreement on the best way to Protect the data. This will almost always involve implementation and tightening of the most basic security controls: removal of administrator privileges for users, more efficient patching regimes, user awareness courses and better logging. Context has been carrying out investigations into targeted attacks on networks for over seven years. We have experience of finding solutions for global companies with tens of thousands of employees and for small businesses employing several hundred people. The solution is different each time, because every organisation faces its own unique set of challenges. We know our service works and were recently endorsed by CESG, the Information Assurance arm of the UK s intelligence organisation GCHQ, as a company with a proven track record in the investigation of targeted attacks. However, as stated above, there are a small number of providers in this space and each offers different methodologies and experience. Some will have no real experience and no proven methodology. Not every organisation seeking an information security provider will have the time to interview multiple companies about their offerings, or possess the specialist knowledge needed to compare and interrogate those companies. But here are some of the questions which should be asked of any third party provider: Do you collect information from the network, hosts and log sources? What do you understand the threat against our organisation to be? Do you simply remediate issues or investigate them? How do you help us mitigate attacks in the future? Do you have references from companies prepared to endorse the service? Do you simply provide a service or is there an opportunity for upskilling of internal staff? If at all possible speak to other companies in your industry about their experiences, whether they have tackled the problem in-house or with the support of a third party. This is not only a chance to hopefully learn something from someone else s mistakes (if they are prepared to talk about them!); but also be an opportunity to share information on attacks and learn what has and hasn t worked in terms of remediation. Sharing a third party supplier can offer some advantages, especially if both organisations are being attacked by the same adversary. If your competitors aren t willing to talk, maybe a national infrastructure protection body, such as the Centre for the Protection of National Infrastructure (CPNI) in the UK, will be able to add value and advise on how to address the issues for your organisation. But, regrettably, there is a general shortage of good, easily available advice. Looking further ahead, as more organisations take network monitoring more seriously the amount of publicly available information and guidance will grow. There will still be pressures on a limited resource pool able to carry out the analyst function, but, eventually, with demand comes supply. Context Information Security 12 / 15

13 Malware is here to stay and if attackers have more success in stealing a target s crown jewels this will drive demand for further exploitation and data theft. Product-based counter measures will continue to improve but are likely to remain a step behind the attacker. Security is always a game of cat and mouse, but simply hoping that you will be unaffected is not a good strategy. There are challenges, there are associated costs and you may uncover things which you might wish had remained hidden, but this also represents an amazing opportunity to move security back to the top of the agenda within your organisation; a chance to highlight the threat and prove the risk is real. Go for it. Context Information Security 13 / 15

14 About Context Response Context has worked for an extraordinary range of clients, including some of the most high profile financial companies in the world and government organisations, to identify and nullify security vulnerabilities and compromises. Our monitoring and investigative services are tailored to meet the needs of each client and designed to help them understand the security risks facing the organisation and the potential implications of those risks. Services can be offered on a one-off or managed service basis, with forensic, analytical and reverse engineering techniques complemented by network monitoring and attack detection services. Many clients ask Context to help them re-examine the security of their technology infrastructures: performing risk, impact and gap analysis exercises, studying network design and data handling and storage practices. We can help clients to establish which of their data are of most value to them and of most interest to an attacker; and the potential impacts of that data being lost. We can also advise on changes that might be made to security policies and can help clients to embed security awareness and best practice more effectively within the culture of their organisations. About Context Context Information Security is an independent security consultancy specialising in both technical security and information assurance services. The company was founded in Its client base has grown steadily over the years, thanks in large part to personal recommendations from existing clients who value us as business partners. We believe our success is based on the value our clients place on our productagnostic, holistic approach; the way we work closely with them to develop a tailored service; and to the independence, integrity and technical skills of our consultants. The company s client base now includes some of the most prestigious blue chip companies in the world, as well as government organisations. The best security experts need to bring a broad portfolio of skills to the job, so Context has always sought to recruit staff with extensive business experience as well as technical expertise. Our aim is to provide effective and practical solutions, advice and support: when we report back to clients we always communicate our findings and recommendations in plain terms at a business level as well as in the form of an in-depth technical report. For more news on Context follow us on or LinkedIn Context Information Security 14 / 15

15 Context Information Security London (HQ) Cheltenham Düsseldorf Melbourne 4th Floor Corinth House Adersstr. 28, 1.OG 4th Floor 30 Marsh Wall 117 Bath Road D Queen Street London E14 9TP Cheltenham GL53 7LS Düsseldorf Melbourne VIC 3000 United Kingdom United Kingdom Germany Australia Context Information Security 15 / 15