Using Network Forensics to Visualize Advanced Persistent Threats

Transcription

1 Using Network Forensics to Visualize Advanced Persistent Threats Dale Long, Sr. Technology Consultant, RSA Security 1

2 The Problem 2

3 Traditional Security Is Not Working 99% of breaches led to compromise within days or less with 85% leading to data exfiltration in the same time 85% of breaches took weeks or more to discover Source: Verizon 2012 Data Breach Investigations Report 3

4 Security Is Becoming A Big Data Problem From a global survey of 200 respondents with an information security focus working for/with organizations of 1,000 personnel or more 40% of all survey respondents are overwhelmed with the security data they already collect 35% have insufficient time or expertise to analyze what they collect Sample Size = 200 EMA, The Rise of Data-Driven Security, Crawford, Aug

5 Reducing Attacker Free Time Attacker Surveillance Target Analysis Access Probe Attack Setup System Intrusion Attack Begins Discovery/ Persistence Cover-up Starts Leap Frog Attacks Complete Cover-up Complete Maintain foothold TIME ATTACKER FREE TIME Need to collapse free time TIME Physical Security Threat Analysis Attack Forecast Monitoring & Controls Defender Discovery Attack Identified Source: NERC HILF Report, June 2010 ( Containment & Eradication Incident Reporting Impact Analysis Damage Identification Response System Reaction Recovery 5

6 Examples 6

7 Suspect Attack Scenario Spike in Suspect Network Traffic IP Address shows multiple RDP connections tunneled over non-standard port Authorized User Logged in to AD AD Logs show user logged in from suspect IP with authorized credentials 1 2 PASSWORD Different user logged into VPN from same IP VPN logs show a different set of authorized credentials used to log into VPN 3 4 PASSWORD Data ex-filtration Encrypted ZIP file transferred out to Internet via FTP server 7

8 Only RSA Security Analytics can tell you the impact of the attack Attack Step Alert for RDP tunneled over non-standard port Recreate activity of suspect IP address across environment Show user activity across AD and VPN Alert for different credentials used for AD and VPN Reconstruct exfiltrated data Traditional SIEM RSA Security Analytics No No Yes Yes No Yes Yes Yes Yes Yes 8

9 Investigation Scenario Find Workstation acting as SPAM host Multiple outbound SMTP connections from workstation. Multiple internet DNS connections from workstation 1 Find out how the workstation got infected User clicked on the link and got infected by Trojan from drive-by download. 2 Analyze malware Determine whether targeted or vanilla malware in use 4 Recreate phishing message Determine whether targeted phishing attack at play 3 9

10 Only RSA Security Analytics can tell if this is a targeted attack Attack Step Alert for suspected SPAM host Show all WWW requests where executable downloaded Traditional SIEM RSA Security Analytics Yes No Yes Yes Recreate with suspect link No Yes Analyze malware and incorporate community intelligence Determine whether attack is part of a targeted campaign No No Yes Yes 10

11 Finding bad things on the network: Are all ZeuS variants created equal? 11

12 APT Realities: Continued Targeted Attacks Against USG Assets There has been an ongoing campaign associated with forged s containing targeted ZeuS infections Typical scenario is from some trusted address containing spear phishing text of interest and link to custom ZeuS site Parallels: this approach directly imitates non-usg mass ecrime ZeuS approaches Subject: DEFINING AND DETERRING CYBER WAR From: U.S. Army War College, Carlisle Barracks, PA December 2009 DEFINING AND DETERRING CYBER WAR Since the advent of the Internet in the 1990s, not all users have acted in cyberspace for peaceful purposes. In fact, the threat and impact of attack in and through cyberspace has continuously grown to the extent that cyberspace has emerged as a setting for war on par with land, sea, air, and space, with increasing potential to damage the national security of states, as illustrated by attacks on Estonia and Georgia. Roughly a decade after the advent of the Internet, the international community still has no codified, sanctioned body of norms to govern state action in cyberspace. Such a body of norms, or regime, must be established to deter aggression in cyberspace. This project explores the potential for cyber attack to cause exceptionally grave damage to a state s national security, and examines cyber attack as an act of war. The paper examines efforts to apply existing international norms to cyberspace and also assesses how traditional concepts of deterrence apply in cyberspace. The project concludes that cyber attack, under certain conditions, must be treated as an act of war, that deterrence works to dissuade cyber aggression, and provides recommendations to protect American national interests. Source: isightpartners 12

13 13

14 DPRK has carried out nuclear missile attack on Japan Only 1 of 42 AV vendors indentified the file as malicious on

15 DPRK has carried out nuclear missile attack on Japan AV effectively neutered by overwriting the OS hosts file Attempts to retrieve updates from vendor update server hosts routed to Result: if AV didn t pick up the malware initially, it never will now 15

16 Infection Progression Nothing Unusual After a user clicks on the link, the file report.zip is downloaded from dnicenter.com If user opens the file, the malware is installed Malware is actually a Zeus variant; author used techniques to hamper reverse-engineering / analysis of the binary 16

17 Further Network Forensics Evidence» ZeuS configuration file download» This type of problem recognition can be automated 17

18 Malware stealing files of interest to the drop server in Minsk FTP drop server still is resolving to same address Early on March 8, 2010, server cleaned out and account disabled username: mao2 password: [captured] 18

19 Files harvested from victim machines in drop server (located in Minsk, Belarus)» FTP drop hosted in Minsk, with directory listing of 14 compromised hosts containing exfiltrated data 19

20 » Time graph of beaconing activity and metadata showing comms to C&C server all via allowed pathways 20

21 What Needs To Be Done? 21

22 Today s Security Requirements Comprehensive Visibility Analyze everything happening in my infrastructure Agile Analytics Enable me to analyze and investigate potential threats in near real time Actionable Intelligence Help me identify targets, threats & incidents Scalable Infrastructure Need a flexible infrastructure to conduct short term and long term analysis 22

23 Introducing Security Analytics 23

24 RSA Security Management Compliance Vision Delivering Visibility, Intelligence and Governance 24

25 RSA Security Analytics: Changing The Security Management Status Quo Unified platform for security monitoring, incident investigations and compliance reporting SIEM Compliance Reports Device XMLs Log Parsing RSA Security Analytics Fast & Powerful Analytics Logs & Packets Unified Interface Analytics Warehouse Network Security Monitoring High Powered Analytics Big Data Infrastructure Integrated Intelligence SEE DATA YOU DIDN T SEE BEFORE, UNDERSTAND DATA YOU DIDN T EVEN CONSIDER BEFORE 25

26 RSA Security Analytics Architecture Long Term Analysis Metadata, Raw Logs, Select Payload Correlation Real Time Investigations (hours days) Metadata, Packets 26

27 What Makes Security Analytics Different? The only security management solution that has both speed & smarts Big Data Infrastructure Fast & Scalable Logs & Packets Security data warehouse plus proven NetWitness infrastructure High Powered Analytics The speed and smarts to detect, investigate & understand advanced threats Comprehensive visibility to see everything happening in an environment Short term & long term analytics plus compliance Removes the hay vs. digging for needles Integrated Intelligence Intelligence from the global security community and RSA FirstWatch fused with your organization s data Understand what to look for and utilize what others have already found 27

28 Big Data Infrastructure Single platform for capturing and analyzing large amounts of network and log data Distributed, scale-out architecture Unique architecture to support both speed and smarts for threat analysis Security data warehouse for long term analytics & compliance Proven NetWitness infrastructure of short term analytics and investigations 28

29 High Powered Analytics Eliminates blind spots to achieve comprehensive visibility across the enterprise Real-time and after-the-fact investigations Uses the industry s most comprehensive and easily understandable analytical workbench Proven, patented analytics applies business context to security investigations Automates the generation of compliance reports and supports long term forensic analysis 29

30 Full Network Visibility Network traffic Logs Gain full visibility into your network including both logs and packets Discover advanced threats missed by traditional security approaches Completely reconstruct network sessions for real time analysis and investigation Capture all data from the network to the application layer Perform detailed session analysis regardless of port or protocol 30

31 Single Platform for Network Packet and Log Data Collection Network traffic Logs Both network packet capture and log collection. Patented methods of network capture, processing, data extraction and service/protocol identification Consolidates disparate sources Instantly analyzes massive data sets 31

32 Reimagining what SIEM can do: Removing hay vs. digging for needles All Network Traffic & Logs Downloads of executables Type does not match extension! Terabytes of data - 100% of total Thousands of data points 5% of total Hundreds of data points 0.2% of total Create alerts to/from critical assets A few dozen alerts 32

33 Integrated Intelligence How Do I Know What To Look For? Gathers advanced threat intelligence and content from the global security community & RSA FirstWatch Aggregates & consolidates the most pertinent information and fuses it with your organization's data Automatically distributes correlation rules, blacklists, parsers, views, feeds Operationalize Intelligence: Take advantage of what others have already found and apply against your current and historical data 33

34 Security Analytics Live Content Fuses open source, commercial, and confidential threat and fraud intelligence with an organization s live and recorded network traffic 34

35 RSA FirstWatch Providing RSA Security Analytics customers covert tactical and strategic threat intelligence on advanced threats & actors RSA s elite, highly trained global threat research & intelligence team Heritage dating back to the late 1990s featuring a who s who of researchers Backgrounds in government, military, financial services and information technology Focused on threats unknown to the security community Malicious code & content analysis Threat research & ecosystem analysis Profiling threat actors Research operationalized automatically via RSA Live 35

36 Results Reduce risk by compressing attacker free time Continuous analysis of terabytes of security data through big data architecture, reducing the threat analysis time from days to minutes Level the playing field with adversaries Incorporate operationalized intelligence to defend with confidence Elevate the security team to another level of effectiveness Increase teams collective skill by gaining analytical firepower Investigate more rapidly, centralize information, automate alerts and reports Meet compliance requirements 36

37 Demonstration 37

38