24/7 Visibility into Advanced Malware on Networks and Endpoints

Transcription

1

2 WHITEPAPER DATA SHEET 24/7 Visibility into Advanced Malware on Networks and Endpoints Leveraging threat intelligence to detect malware and exploitable vulnerabilities Oct. 24, 2014

3 Table of Contents Introduction 3 Terminology 3 Challenges in Detecting Advanced Malware 3 Unmanaged/Unpatched Systems 4 Signature-based Controls are Ineffective 4 Zero-day Vulnerabilities Go Undetected 4 Long Delays between Detection to Response 4 A Holistic Approach to Malware Detection 4 Tenable Malware Detection Solution 5 SecurityCenter Continuous View Platform 5 Malware Detection Capabilities 5 Built-in Threat Intelligence 6 Malware Detection Dashboards and Reports 6 Tenable Malware Detection Use Cases 7 Use Case: Direct Malware Detection 7 Use Case: Indirect Malware Detection 7 Unique Malware Detection Solution 8 Conclusion 8 About Tenable Network Security 8 2

4 Introduction Cyber criminals are using advanced malware, innovative delivery mechanisms and clever social engineering techniques to exploit vulnerabilities and launch very large-scale security breaches. In the past 12 months alone, high-profile organizations in a range of industries have been impacted. The blatant theft of millions of payment card records, personal identifiable information, and customer account details has already produced hundreds of millions of dollars in economic losses. In the case of the Target breach, some experts believe total losses will exceed one billion dollars. Even though companies have invested in several classes of security products to combat malware-based threats, and have spent even more money on quarterly/annual compliance audits, security breaches are a persistent feature of the news. Containing this problem will require a more holistic approach one that addresses vulnerabilities and threats at the network and system levels, and leverages threat intelligence to accurately identify advanced attacks in progress. This whitepaper describes the challenges associated with defending against advanced attacks. It provides insight into the multi-pronged approach of continuously monitoring for advanced threats on the network and endpoints. And, illustrates how continuous monitoring lets you proactively detect and rapidly respond to advanced threats, before they turn into security breaches. Terminology Vulnerability: a flaw or weakness in hardware, software, or process that exposes any asset (device/system) to compromise. Exploit: a piece of software, chunk of data, or sequence of commands that takes advantage of some vulnerability, in order to cause harmful behavior in software/hardware. Threat: an event that can adversely impact an asset through unauthorized access, disclosure, destruction, or denial of service. Malware: malicious software. Types of Malware 1 virus, worms, trojans, adware, ransomware, rootkits, bots. Advanced Malware: malware that uses multiple attack vectors (web, , file) to compromise systems and evade traditional security controls. Advanced Persistent Threat (APT): advanced malware, persistent in nature, using threats targeted at specific businesses/nations, to steal data that has monitory/political value Botnets: a large number of infected computers, which are acting as robots on behalf of remote attacker Command and Control (CnC) Server: a remote server that can control a group of bots/botnets, often for criminal purposes Challenges in Detecting Advanced Malware 20% of all malware created appeared in 2013 alone 30 million new malicious strains - average 82,000/day 2 Fig. 1: Malware Creation Hits a New Milestone in 2013 There are several challenges affecting the efficiency and cost of security operations, preventing businesses from proactively defending against advanced attacks. Here are the major reasons why and how they can be addressed. 1 Definitions of Malware types 2 Panda Security 2013 Report 3

5 Unmanaged/Unpatched Systems Security operations staff in most enterprises are typically not discovering, auditing, and patching transient IT infrastructure. This encompasses personal mobile devices accessing company data, business-critical workloads on virtual machines, or cloud-based SaaS applications, such as Dropbox, which are being used to share sensitive information. Automated discovery and auditing of such unmanaged infrastructure is necessary. Signature-based Controls are Ineffective Anti-virus and anti-malware security products cannot keep up with the deluge of new malware strains 30 million in 2013 alone (Fig. 1). In addition, advanced malware is delivered via multiple delivery mechanisms (over , web,usb drive) that are not detectable by AV vendors. A multi-pronged approach is needed to find indicators of compromise on networks and endpoints using real-time threat intelligence. Zero-day Vulnerabilities Go Undetected Advanced attackers usually target new vulnerabilities which may have known exploits, like Heartbleed, where one could steal usernames/ passwords by exploiting a vulnerability in OpenSSL, or Shellshock, where one could gain administrative access to Unix/Linux systems by exploiting vulnerability in the Bash shell. To address this problem, your vulnerability assessment solution should have policy-based auditing and scanning capabilities for the latest vulnerabilities across multiple asset types. Long Delays between Detection to Response It takes a long time (average 229 days 3 ) after an attack is detected to accurately respond to an attack and mitigate or prevent future attacks. You need actionable forensic data to accurately identify the source and destination of the attack, and indicators of compromise (executables, registry changes), to confirm an endpoint has been infected. A Holistic Approach to Malware Detection Perform Audits Detect Vulnerabilities Discover Assets Discover Assess Identify Anomalies Take Action Report & Analyze Detect Threats Responds to Incidents Discover Breaches Fig. 2: Best Practices for Detecting Exploitable Vulnerabilities and Threats A holistic approach to continuous security monitoring requires detecting and containing exploitable vulnerabilities and advanced threats, outlined in the following four phases: Discover: Discover all assets on your network including hosts, network devices, and software assets. This discovery should also include details like what OS versions, network services, and applications are running on those assets, and what cloud-based services are being accessed. Set up network and system access control policies to reduce the attack surface. Assess: Perform vulnerability assessments on the discovered network, hardware, and software assets. Flag known vulnerabilities in those assets. Track any changes to OS platforms and applications and measure residual risk. Report and Analyze: Correlate suspicious activity with real-time threat intelligence and monitor for changes to systems/endpoints to see if they match known indicators of compromise. Produce actionable reports using accurate forensic data and present this in a consumable way. Take Action: Generate alert notifications to enable prompt manual (workflow-based) actions or automated (API-based) actions to prevent threats from resulting in security breaches. 3 Mandiant 2014 Threat Report M Trends Beyond the Breach 4

6 Tenable Malware Detection Solution Nessus Scan all endpoints Reduce Attack Surface PVS Sniff network Monitor Traffic SecurityCenter Management Console Dashboards/Reports/Alerts LCE Log everything Identify Anomalies Figure 3: Tenable SecurityCenter Continuous View Platform SecurityCenter Continuous View Platform The Tenable SecurityCenter Continuous View (SC CV) platform includes the following components: Nessus : is the industry s most widely-deployed vulnerability, configuration, and compliance scanner. Nessus features high-speed discovery, configuration auditing, asset profiling, malware detection, sensitive data discovery, patch management integration, and vulnerability analysis. Passive Vulnerability Scanner (PVS): is a non-intrusive network monitor that discovers all devices, applications, services, and their relationships currently active on your network. It automatically pinpoints potential security risks posed by assets compromised by advanced malware. Log Correlation Engine (LCE): collects and correlates logs from Nessus, PVS, and external sources on the network, including firewalls, switches, routers, endpoints, and servers. It also detects and generates alerts for malware matching indicators of compromise from internal/ external threat intelligence sources. SecurityCenter : provides one management console across all components of SC CV, with configurable dashboards, reports, and notifications to provide a comprehensive visualization of a company s vulnerabilities, threats, and compliance posture. Malware Detection Capabilities The SC CV solution includes the following advanced malware detection capabilities: Malware Indicators Nessus Host Scans Nessus Web Scans SecurityCenter w/ PVS & LCE External Indicators Threat Intelligence Malicious Hashes Identifies known malware and suspicious processes Identifies compromised websites hosting malicious binaries Identifies activity associated with malware in real-time Custom hashes can be used in Nessus and LCE client 1 Billion hashes built-in List of CVEs exploited by malware Malicious IP, URL s, and DNS Identifies systems connected to botnets/cncs Identifies compromised websites hosting malicious links Correlates traffic meta-data from PVS and NetFlow to known Botnets Custom lists of IPs can be added to LCE for PVS correlation 250K malicious IPs and URLs dynamically checked Malicious Windows Registry, AutoRuns Identifies hostile Windows settings indicative of malware N/A N/A Can write custom Nessus audits for malware Dynamic matching w/ Zeroday malware signatures Anomalies Identifies suspicious processes and auto-runs that were not in baseline scan N/A Detects anomalies in network traffic, to identify activity associated with malware N/A N/A 5

7 Built-in Threat Intelligence Real-time threat intelligence feeds are built into Tenable s solution, enabling customers to more accurately detect advanced malware on endpoint systems and in the network traffic, at various stages of its life-cycle. Threat intelligence about malware typically contains: Malware indicators: hashes of suspicious processes, configuration settings of auto-runs and registry keys. Reputation information: of IP addresses, domains, and URLs of websites Command and control servers and botnet sites Tenable s solution leverages threat intelligence from the following sources that is built into our products (available for free), further enhancing real-time detection of advanced attacks. Malware Indicators: over one billion indicators from Reversing Labs and Threat Grid, which are used to identify endpoints infected by malware. Reputation Information: over 250K IPs/domains/URLs from IID, used to identify suspicious network traffic associated with CnC and botnets. Tenable also supports integration with threat intelligence from partners, including FireEye or ThreatConnect. Malware Detection Dashboards and Reports Figure 4: Tenable SecurityCenter Dashboard for Malware Detection The Malware Detection dashboard 4 in SC CV provides an executive summary of any malware indicators and activity found on your endpoints or network. Top IPs with malware indicators Top IPs with malware-related events/activity Trends of malware indicators over last 7 days Top malware related to Backdoors, detected by Nessus and PVS Top malware events of type Virus collected by LCE Known Botnet interactions using both inbound and outbound connections Known connections to blacklisted IPs/domains on Threatlist Related executive-level reports 5 can be generated on demand. 4 Malware Detection Dashboard 5 Malware Detection Report 6

8 Tenable Malware Detection Use Cases Tenable provides a unique multipronged approach to detecting malware in your enterprise using the SC CV platform. Using a combination of direct scanning using Nessus, indirect network sniffing using PVS, and log collection capabilities, SC CV detects sophisticated malware that other anti-virus and anti-malware products could miss. Use Case: Direct Malware Detection Nessus has multiple plug-ins (some listed below), that enable you to directly detect malware on endpoints using credential scans, and check for malware indicators built into Tenable products. Tenable s host-based malware detection supplements your existing host-based AV solution and is not intended to replace it. Nessus 58420: DNS server configured on endpoint is on botnet list Nessus 59275: Detection of Known Malicious Windows Processes Nessus 71263: Detection of Known Malicious MacOS processes Nessus 74442: Microsoft Windows known Bad AutoRuns Nessus 52670, 71024: Detection of infected website hosting malicious URLs and executables Beyond detecting known malware indicators like processes or auto-runs, Nessus will also check detection rates against 29 different AV engines, as shown in Fig. 5 below. This will enable you to verify the accuracy of the AV engine you are currently using. Fig. 5: Nessus Plug-in 59275: Known Malicious Windows Processes with AV Detection Rates Use Case: Indirect Malware Detection Nessus, PVS, and LCE have multiple ways of indirectly detecting malware activity via inbound and outbound network connections to botnets and CnC servers. Examples of related Nessus plug-ins and LCE correlation techniques for detecting advanced malware include: Active Scanning with Nessus: Nessus 58420, 58430, host communicating with known botnet Nessus never before seen process or unique process Nessus unique Auto-Run settings Nessus unknown process reputation Log Correlation (LCE) with Nessus and PVS: LCE and Nessus detection of never before seen processes LCE and PVS detection of malicious web queries in network traffic Log Correlation (LCE) only Botnet activity in network and logs Detection of new user activity and creation of new accounts Anomaly detection in DNS and Network Traffic SC CV provides a way to correlate events from Nessus, PVS, and third-party devices to identify intrusion detection events, network anomalies, and botnet activity as shown in the Fig. 6 below. You can further drill down from this dashboard to identify specific endpoints that have been compromised. 7

9 Fig. 6: SecurityCenter Dashboard; Summarizes Botnet Activity and Intrusion Events associated with Malware Unique Malware Detection Solution Tenable is the only vendor that provides a comprehensive solution to identify exploitable vulnerabilities and advanced threats on the network and on endpoints, using built-in threat intelligence with the following capabilities: Automatically discovers and tags assets based on business relevance, such as webservers, mail servers, mobile devices, virtual machines, etc. Scans assets for known vulnerabilities and threats using flexible policies that apply to the type of asset or the type of vulnerability or threat Discovers known malware by directly scanning for indicators of compromise from internal and external threat intelligence sources Add custom malware indicators before they show up in your AV vendor s black-list. Indicators include custom hashes of executables used by Nessus/LCE, and custom IPs/URLs/domain-names used by PVS/LCE Monitors suspicious network activity to identify compromised systems connected to botnets and command and control servers Generates dashboards, reports, and notifications to enable security team members to rapidly take action Conclusion In spite of all the investments companies have made in defensive technologies for detecting advanced malware that exploit zero-day vulnerabilities, security breaches continue to grow exponentially. Overcoming this problem requires a multi-pronged approach that addresses vulnerabilities and threats, and enables customers to provide continuous visibility into advanced malware that may have compromised IT resources. By combining endpoint scanning, network sniffing, and log correlation into one solution, Tenable SecurityCenter Continuous View enables customers to monitor all IT assets 24/7, providing visibility into exploitable vulnerabilities and advanced threats using real-time threat intelligence. Tenable SecurityCenter Continuous View works with your existing security technologies, and reducing the business risk posed by advanced malware. About Tenable Network Security Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce risk and ensure compliance. Our family of products includes SecurityCenter Continuous View, which provides the most comprehensive and integrated view of network health, and Nessus, the global standard in detecting and assessing network data. Tenable is relied upon by many of the world s largest corporations, not-for-profit organizations and public sector agencies, including the entire U.S. Department of Defense. For more information, please visit tenable.com. For More Information: Please visit tenable.com Contact Us: Please us at [email protected] or visit tenable.com/contact Copyright Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. SecurityCenter and Passive Vulnerability Scanner are trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners. EN-FEB V5 8