Slide 1: Using Network Forensics to Visualize Advanced Persistent Threats
Dale Long, Sr. Technology Consultant, RSA Security

Slide 2: The Problem

Slide 3: Traditional Security Is Not Working
99% of breaches led to compromise within days or less, with 85% leading to data exfiltration in the same time
85% of breaches took weeks or more to discover
Source: Verizon 2012 Data Breach Investigations Report

Slide 4: Security Is Becoming a Big Data Problem
From a global survey of 200 respondents with an information security focus, working for or with organizations of 1,000 personnel or more:
40% of all survey respondents are overwhelmed with the security data they already collect
35% have insufficient time or expertise to analyze what they collect
Sample size = 200. Source: EMA, The Rise of Data-Driven Security, Crawford, Aug 2012

Slide 5: Reducing Attacker Free Time
(Timeline diagram; only its labels are recoverable here.)
Attacker timeline: Surveillance -> Target Analysis -> Access Probe -> Attack Setup -> System Intrusion (Attack Begins) -> Discovery / Persistence -> Cover-up Starts -> Leap Frog Attacks Complete -> Cover-up Complete -> Maintain foothold
Defender timeline: Physical Security -> Threat Analysis -> Attack Forecast -> Monitoring & Controls -> Defender Discovery (Attack Identified) -> Containment & Eradication -> Incident Reporting -> Impact Analysis -> Damage Identification -> Response -> System Reaction -> Recovery
Attacker free time is the interval on the time axis between "Attack Begins" and "Attack Identified"; the stated need is to collapse that free time.
Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/hilf.pdf)

Slide 6: Examples
Slide 7: Suspect Attack Scenario
1. Spike in suspect network traffic: an IP address shows multiple RDP connections tunneled over a non-standard port.
2. Authorized user logged in to AD: AD logs show a user logged in from the suspect IP with authorized credentials.
3. Different user logged into VPN from the same IP: VPN logs show a different set of authorized credentials used to log into the VPN.
4. Data exfiltration: an encrypted ZIP file is transferred out to the Internet via an FTP server.

Slide 8: Only RSA Security Analytics can tell you the impact of the attack
Attack step                                                  Traditional SIEM   RSA Security Analytics
Alert for RDP tunneled over non-standard port                No                 Yes
Recreate activity of suspect IP address across environment   No                 Yes
Show user activity across AD and VPN                         Yes                Yes
Alert for different credentials used for AD and VPN          Yes                Yes
Reconstruct exfiltrated data                                 No                 Yes
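The scenario in slides 7 and 8 is, at bottom, a cross-source correlation keyed on the source IP: a service-on-wrong-port alert, then AD and VPN logons from that IP under two different identities, then an outbound transfer. The following added example (not from the presentation, not RSA product code) shows that correlation over a handful of constructed log records. The record layout, the IP addresses, the usernames and the one-hour pairing window are all assumptions made for the example.

```python
"""Correlate network alerts, AD logons and VPN logons by source IP.

Added example; all records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (assumed layout: one dict per event).
NETWORK_ALERTS = [
    # RDP identified on a port other than 3389 -> "tunneled over non-standard port"
    {"ts": "2010-03-05T09:58:10", "src_ip": "203.0.113.45", "dst_ip": "10.0.0.21",
     "dst_port": 8443, "service": "RDP"},
]
AD_LOGONS = [
    {"ts": "2010-03-05T10:02:31", "user": "jsmith", "src_ip": "203.0.113.45"},
    {"ts": "2010-03-05T10:15:07", "user": "mlee",   "src_ip": "198.51.100.7"},
]
VPN_LOGONS = [
    {"ts": "2010-03-05T10:04:12", "user": "rjones", "src_ip": "203.0.113.45"},
    {"ts": "2010-03-05T10:20:44", "user": "mlee",   "src_ip": "198.51.100.7"},
]
FTP_TRANSFERS = [
    {"ts": "2010-03-05T10:09:50", "src_ip": "10.0.0.21", "dst_ip": "203.0.113.45",
     "filename": "report.zip", "bytes": 48211},
]

# Ports on which each identified service is expected (assumed table).
STANDARD_PORTS = {"RDP": {3389}, "SSH": {22}, "HTTPS": {443}}


def parse_ts(s):
    return datetime.fromisoformat(s)


def nonstandard_port_alerts(alerts):
    """Alerts where the service identified from payload runs on an unexpected port."""
    return [a for a in alerts
            if a["dst_port"] not in STANDARD_PORTS.get(a["service"], {a["dst_port"]})]


def credential_mismatches(ad_logons, vpn_logons, window=timedelta(hours=1)):
    """Map src_ip -> (ad_users, vpn_users) for IPs that presented different
    credentials to AD and to the VPN within `window` of each other."""
    by_ip = defaultdict(lambda: {"ad": [], "vpn": []})
    for e in ad_logons:
        by_ip[e["src_ip"]]["ad"].append(e)
    for e in vpn_logons:
        by_ip[e["src_ip"]]["vpn"].append(e)
    hits = {}
    for ip, groups in by_ip.items():
        for a in groups["ad"]:
            for v in groups["vpn"]:
                close = abs(parse_ts(a["ts"]) - parse_ts(v["ts"])) <= window
                if close and a["user"] != v["user"]:
                    ad_users, vpn_users = hits.setdefault(ip, (set(), set()))
                    ad_users.add(a["user"])
                    vpn_users.add(v["user"])
    return hits


def ip_timeline(ip, **sources):
    """Recreate everything a suspect IP touched, across all sources, in time order."""
    rows = []
    for name, events in sources.items():
        for e in events:
            if ip in (e.get("src_ip"), e.get("dst_ip")):
                rows.append((e["ts"], name, e))
    return sorted(rows, key=lambda r: r[0])


if __name__ == "__main__":
    for a in nonstandard_port_alerts(NETWORK_ALERTS):
        print("alert:", a)
        for ts, src, ev in ip_timeline(a["src_ip"], alert=NETWORK_ALERTS, ad=AD_LOGONS,
                                       vpn=VPN_LOGONS, ftp=FTP_TRANSFERS):
            print(" ", ts, src, ev)
    print("credential mismatches:", credential_mismatches(AD_LOGONS, VPN_LOGONS))
```

The timeline step is what distinguishes this from a single-source SIEM rule: once one alert names a source IP, every other source is re-queried for that IP, which is how the FTP transfer at the end of the scenario becomes visible as part of the same incident.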
Slide 9: Investigation Scenario
1. Find the workstation acting as a SPAM host: multiple outbound SMTP connections from the workstation; multiple Internet DNS connections from the workstation.
2. Find out how the workstation got infected: the user clicked on a link and was infected by a Trojan from a drive-by download.
3. Recreate the phishing e-mail message: determine whether a targeted phishing attack is at play.
4. Analyze the malware: determine whether targeted or vanilla malware is in use.

Slide 10: Only RSA Security Analytics can tell if this is a targeted attack
Attack step                                                Traditional SIEM   RSA Security Analytics
Alert for suspected SPAM host                              Yes                Yes
Show all WWW requests where executable downloaded          No                 Yes
Recreate email with suspect link                           No                 Yes
Analyze malware and incorporate community intelligence     No                 Yes
Determine whether attack is part of a targeted campaign    No                 Yes
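Step 1 of the investigation scenario, the SPAM-host alert, rests on two observations that are cheap to compute from flow metadata: a workstation opening SMTP sessions to many distinct peers, and the same workstation resolving names against Internet DNS servers instead of the organization's resolvers. The added example below (not from the presentation) implements that check over constructed flow records. The flow tuple layout, the internal resolver and mail relay addresses, and the thresholds are assumptions for the example.

```python
"""Flag workstations behaving like SPAM hosts from flow metadata.

Added example; all flow records below are constructed for illustration.
"""
from collections import defaultdict

# Assumed knowledge of the environment.
INTERNAL_RESOLVERS = {"10.0.0.2"}   # the only DNS servers clients should use
MAIL_RELAYS = {"10.0.0.5"}          # hosts that legitimately speak SMTP outbound

# Constructed flows: (src_ip, dst_ip, dst_port, proto).
# 10.0.0.77 fans SMTP out to eight external peers and queries an external
# resolver directly; 10.0.0.78 is a normal workstation; 10.0.0.5 is the relay.
FLOWS = (
    [("10.0.0.77", f"203.0.113.{i}", 25, "tcp") for i in range(1, 9)]
    + [("10.0.0.77", "198.51.100.53", 53, "udp")] * 25
    + [("10.0.0.78", "10.0.0.2", 53, "udp")] * 10
    + [("10.0.0.78", "198.51.100.9", 443, "tcp")] * 3
    + [("10.0.0.5", f"192.0.2.{i}", 25, "tcp") for i in range(1, 40)]
)


def spam_host_candidates(flows, min_smtp_peers=5, min_external_dns=20):
    """Return hosts (excluding known relays) that both open SMTP sessions to
    at least `min_smtp_peers` distinct peers and send at least
    `min_external_dns` DNS queries to resolvers outside the organization."""
    stats = defaultdict(lambda: {"smtp_peers": set(), "external_dns": 0})
    for src, dst, port, proto in flows:
        if src in MAIL_RELAYS:
            continue                      # relays are expected to fan out SMTP
        if port == 25 and proto == "tcp":
            stats[src]["smtp_peers"].add(dst)
        elif port == 53 and dst not in INTERNAL_RESOLVERS:
            stats[src]["external_dns"] += 1
    hits = []
    for host, s in sorted(stats.items()):
        if len(s["smtp_peers"]) >= min_smtp_peers and s["external_dns"] >= min_external_dns:
            hits.append({"host": host, "smtp_peers": len(s["smtp_peers"]),
                         "external_dns": s["external_dns"]})
    return hits


if __name__ == "__main__":
    for h in spam_host_candidates(FLOWS):
        print(f"suspected SPAM host {h['host']}: {h['smtp_peers']} SMTP peers, "
              f"{h['external_dns']} external DNS queries")
```

Requiring both signals together is deliberate: a workstation that only talks SMTP might be a misconfigured mail client, and one that only uses external DNS might be a laptop with a stale resolver setting; the combination is what a spam bot looks like.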
Slide 11: Finding bad things on the network: Are all ZeuS variants created equal?

Slide 12: APT Realities: Continued Targeted Attacks Against USG Assets
There has been an ongoing campaign associated with forged emails containing targeted ZeuS infections.
Typical scenario: an email from some trusted email address containing spear-phishing text of interest and a link to a custom ZeuS site.
Parallels: this approach directly imitates non-USG mass e-crime ZeuS approaches.
Sample lure email:
Subject: DEFINING AND DETERRING CYBER WAR
From: ctd@nsa.gov
U.S. Army War College, Carlisle Barracks, PA 17013-5050, December 2009
DEFINING AND DETERRING CYBER WAR
Since the advent of the Internet in the 1990s, not all users have acted in cyberspace for peaceful purposes. In fact, the threat and impact of attack in and through cyberspace has continuously grown to the extent that cyberspace has emerged as a setting for war on par with land, sea, air, and space, with increasing potential to damage the national security of states, as illustrated by attacks on Estonia and Georgia. Roughly a decade after the advent of the Internet, the international community still has no codified, sanctioned body of norms to govern state action in cyberspace. Such a body of norms, or regime, must be established to deter aggression in cyberspace. This project explores the potential for cyber attack to cause exceptionally grave damage to a state's national security, and examines cyber attack as an act of war. The paper examines efforts to apply existing international norms to cyberspace and also assesses how traditional concepts of deterrence apply in cyberspace. The project concludes that cyber attack, under certain conditions, must be treated as an act of war, that deterrence works to dissuade cyber aggression, and provides recommendations to protect American national interests.
Source: isightpartners
Slide 14: DPRK has carried out nuclear missile attack on Japan
Only 1 of 42 AV vendors identified the file as malicious on 03.05.2010 (www.virustotal.com)

Slide 15: DPRK has carried out nuclear missile attack on Japan
AV effectively neutered by overwriting the OS hosts file
Attempts to retrieve updates from the vendor update server: the hosts entries are routed to 127.0.0.1
Result: if AV didn't pick up the malware initially, it never will now
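The hosts-file trick on slide 15 is easy to check for on any host, because a legitimate hosts file almost never maps a vendor's update name to the loopback or the unspecified address. The added example below (not from the presentation) parses hosts-file text and reports every non-local name pointed at 127.0.0.1, ::1 or 0.0.0.0, tagging those that match a watch list of update domains. The sample file content and the vendor domains are constructed placeholders; on a Windows host the file itself lives at %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Detect hosts-file entries that sinkhole vendor update servers.

Added example; the hosts content and vendor domains below are constructed.
"""
import ipaddress

# Constructed hosts-file text. The example-av.com names are placeholders
# standing in for an AV vendor's update servers, not real domains.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.com
127.0.0.1       liveupdate.example-av.com   # added by malware
0.0.0.0         downloads.example-av.com
192.0.2.10      intranet.example.com
"""

# Names that legitimately resolve to loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_blackholed(ip):
    """True for loopback (127.0.0.0/8, ::1) and unspecified (0.0.0.0, ::) addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_sinkholed_hosts(text, watch_suffixes=()):
    """Return entries that route a non-local name into a black hole.
    Names under any of `watch_suffixes` (e.g. an AV vendor's domain)
    are tagged watched=True so they can be prioritised."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES or not is_blackholed(ip):
            continue
        watched = any(name == s or name.endswith("." + s) for s in watch_suffixes)
        findings.append({"host": name, "ip": ip, "watched": watched})
    return findings


if __name__ == "__main__":
    for f in find_sinkholed_hosts(SAMPLE_HOSTS, watch_suffixes=("example-av.com",)):
        flag = "UPDATE SERVER" if f["watched"] else ""
        print(f"{f['host']} -> {f['ip']} {flag}")
```

Reading the file with the same code on every host in a fleet and diffing the result against a known-good copy turns this from a one-off check into a recurring integrity control, which is the automated "problem recognition" the deck argues for.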
Slide 16: Infection Progression: Nothing Unusual
After a user clicks on the link, the file report.zip is downloaded from dnicenter.com
If the user opens the file, the malware is installed
The malware is actually a ZeuS variant; the author used techniques to hamper reverse-engineering / analysis of the binary

Slide 17: Further Network Forensics Evidence
» ZeuS configuration file download
» This type of problem recognition can be automated

Slide 18: Malware stealing files of interest to the drop server in Minsk
FTP drop server is still resolving to the same address
Early on March 8, 2010, the server was cleaned out and the account disabled
username: mao2  password: [captured]

Slide 19: Files harvested from victim machines in drop server (located in Minsk, Belarus)
» FTP drop hosted in Minsk, with directory listing of 14 compromised hosts containing exfiltrated data

Slide 20
» Time graph of beaconing activity and metadata showing comms to C&C server, all via allowed pathways
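The time graph on slide 20 makes beaconing visible to the eye because check-ins to a C&C server arrive at a nearly fixed interval, even when they ride an allowed protocol on an allowed port. The added example below (not from the presentation) turns that visual cue into a number: for each (source, destination, port) triple it computes the inter-arrival intervals and their coefficient of variation, and flags groups whose intervals are too regular to be human browsing. The connection records, the IP addresses and the thresholds are constructed assumptions.

```python
"""Score connection groups for beacon-like regularity.

Added example; the connection metadata below is constructed.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed session metadata: (src_ip, dst_ip, dst_port, start time).
# 10.0.0.21 checks in with 203.0.113.80 every ~5 minutes over 443;
# 10.0.0.33 browses 198.51.100.20 at irregular, human-looking times.
CONNECTIONS = [
    ("10.0.0.21", "203.0.113.80", 443, "2010-03-06T08:00:00"),
    ("10.0.0.21", "203.0.113.80", 443, "2010-03-06T08:05:02"),
    ("10.0.0.21", "203.0.113.80", 443, "2010-03-06T08:09:58"),
    ("10.0.0.21", "203.0.113.80", 443, "2010-03-06T08:15:01"),
    ("10.0.0.21", "203.0.113.80", 443, "2010-03-06T08:20:00"),
    ("10.0.0.21", "203.0.113.80", 443, "2010-03-06T08:24:59"),
    ("10.0.0.33", "198.51.100.20", 443, "2010-03-06T08:00:10"),
    ("10.0.0.33", "198.51.100.20", 443, "2010-03-06T08:00:45"),
    ("10.0.0.33", "198.51.100.20", 443, "2010-03-06T08:07:30"),
    ("10.0.0.33", "198.51.100.20", 443, "2010-03-06T08:31:05"),
    ("10.0.0.33", "198.51.100.20", 443, "2010-03-06T08:32:00"),
    ("10.0.0.33", "198.51.100.20", 443, "2010-03-06T09:10:00"),
]


def beacon_candidates(conns, min_count=5, max_cv=0.1):
    """Group connections by (src, dst, port) and report each group's mean
    period and coefficient of variation (stdev / mean) of the gaps between
    sessions. A low CV over enough sessions is beacon-like."""
    groups = defaultdict(list)
    for src, dst, port, ts in conns:
        groups[(src, dst, port)].append(datetime.fromisoformat(ts))
    results = []
    for (src, dst, port), times in groups.items():
        if len(times) < min_count:
            continue                      # too few sessions to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        results.append({"src": src, "dst": dst, "port": port, "count": len(times),
                        "period_s": round(mean), "cv": round(cv, 3),
                        "beacon_like": cv <= max_cv})
    return results


if __name__ == "__main__":
    for r in beacon_candidates(CONNECTIONS):
        print(f"{r['src']} -> {r['dst']}:{r['port']} sessions={r['count']} "
              f"period={r['period_s']}s cv={r['cv']} beacon_like={r['beacon_like']}")
```

Jittered beacons raise the CV, so the threshold is a tuning knob rather than a constant; the point is that the feature is computed from session metadata alone, the same metadata the deck's time graph is drawn from, without needing to decrypt anything.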
Slide 21: What Needs To Be Done?

Slide 22: Today's Security Requirements
Comprehensive Visibility: analyze everything happening in my infrastructure
Agile Analytics: enable me to analyze and investigate potential threats in near real time
Actionable Intelligence: help me identify targets, threats & incidents
Scalable Infrastructure: need a flexible infrastructure to conduct short-term and long-term analysis

Slide 23: Introducing Security Analytics

Slide 24: RSA Security Management Compliance Vision
Delivering Visibility, Intelligence and Governance

Slide 25: RSA Security Analytics: Changing the Security Management Status Quo
Unified platform for security monitoring, incident investigations and compliance reporting
Diagram labels: SIEM (Compliance Reports, Device XMLs, Log Parsing); RSA Security Analytics (Fast & Powerful Analytics, Logs & Packets, Unified Interface, Analytics Warehouse); Network Security Monitoring
High Powered Analytics, Big Data Infrastructure, Integrated Intelligence
SEE DATA YOU DIDN'T SEE BEFORE, UNDERSTAND DATA YOU DIDN'T EVEN CONSIDER BEFORE

Slide 26: RSA Security Analytics Architecture
Diagram labels: Long Term Analysis (Metadata, Raw Logs, Select Payload); Correlation; Real Time Investigations (hours to days; Metadata, Packets)

Slide 27: What Makes Security Analytics Different?
The only security management solution that has both speed & smarts
Big Data Infrastructure: fast & scalable; logs & packets; security data warehouse plus proven NetWitness infrastructure
High Powered Analytics: the speed and smarts to detect, investigate & understand advanced threats; comprehensive visibility to see everything happening in an environment; short-term & long-term analytics plus compliance; removes the hay vs. digging for needles
Integrated Intelligence: intelligence from the global security community and RSA FirstWatch fused with your organization's data; understand what to look for and utilize what others have already found

Slide 28: Big Data Infrastructure
Single platform for capturing and analyzing large amounts of network and log data
Distributed, scale-out architecture
Unique architecture to support both speed and smarts for threat analysis
Security data warehouse for long-term analytics & compliance
Proven NetWitness infrastructure for short-term analytics and investigations

Slide 29: High Powered Analytics
Eliminates blind spots to achieve comprehensive visibility across the enterprise
Real-time and after-the-fact investigations
Uses the industry's most comprehensive and easily understandable analytical workbench
Proven, patented analytics applies business context to security investigations
Automates the generation of compliance reports and supports long-term forensic analysis

Slide 30: Full Network Visibility (network traffic and logs)
Gain full visibility into your network, including both logs and packets
Discover advanced threats missed by traditional security approaches
Completely reconstruct network sessions for real-time analysis and investigation
Capture all data from the network to the application layer
Perform detailed session analysis regardless of port or protocol

Slide 31: Single Platform for Network Packet and Log Data Collection (network traffic and logs)
Both network packet capture and log collection
Patented methods of network capture, processing, data extraction and service/protocol identification
Consolidates disparate sources
Instantly analyzes massive data sets
Slide 32: Reimagining what SIEM can do: Removing hay vs. digging for needles
Funnel, from all data down to alerts:
All network traffic & logs: terabytes of data, 100% of total
Downloads of executables: thousands of data points, 5% of total
Type does not match extension: hundreds of data points, 0.2% of total
Create alerts to/from critical assets: a few dozen alerts
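The funnel on slide 32 narrows from all traffic to executables, then to executables whose declared extension disagrees with what the bytes actually are, then to the subset touching critical assets. The added example below (not from the presentation, not RSA code) implements those three stages over constructed HTTP download records, identifying the real file type from leading magic bytes rather than from the name in the URL. The record layout, the URLs, the critical-asset list and the magic-byte table are assumptions for the example; the table is deliberately small.

```python
"""Three-stage funnel: executables -> type/extension mismatch -> critical assets.

Added example; the download records below are constructed.
"""

# Constructed download records: requesting host, URL, first bytes of the body.
SAMPLE_DOWNLOADS = [
    {"host": "10.0.0.21", "url": "http://example.invalid/report.pdf",
     "head": b"MZ\x90\x00\x03\x00\x00\x00"},            # PE hidden behind .pdf
    {"host": "10.0.0.40", "url": "http://example.invalid/setup.exe",
     "head": b"MZ\x90\x00\x03\x00\x00\x00"},            # PE, honestly named
    {"host": "10.0.0.40", "url": "http://example.invalid/photo.jpg",
     "head": b"\xff\xd8\xff\xe0\x00\x10JFIF"},          # JPEG
    {"host": "10.0.0.55", "url": "http://example.invalid/update.gif?id=7",
     "head": b"\x7fELF\x02\x01\x01\x00"},               # ELF hidden behind .gif
    {"host": "10.0.0.21", "url": "http://example.invalid/report.zip",
     "head": b"PK\x03\x04\x14\x00\x00\x00"},            # ZIP
]

# Assumed list of critical assets for the last funnel stage.
CRITICAL_ASSETS = {"10.0.0.21"}

# (magic prefix, detected type, extensions that legitimately carry that type)
MAGIC = [
    (b"MZ",        "pe_executable",  {"exe", "dll", "sys", "scr", "cpl", "ocx"}),
    (b"\x7fELF",   "elf_executable", {"elf", "so", "bin", ""}),
    (b"%PDF",      "pdf",            {"pdf"}),
    (b"\xff\xd8\xff", "jpeg",        {"jpg", "jpeg"}),
    (b"PK\x03\x04", "zip",           {"zip", "jar", "docx", "xlsx", "pptx", "apk"}),
    (b"GIF8",      "gif",            {"gif"}),
]
EXECUTABLE_TYPES = {"pe_executable", "elf_executable"}


def detect_type(head):
    """Classify content by its leading bytes; 'unknown' if no prefix matches."""
    for prefix, kind, _ in MAGIC:
        if head.startswith(prefix):
            return kind
    return "unknown"


def extension_of(url):
    """Extension as declared in the URL path (query string stripped), lower-cased."""
    name = url.rsplit("/", 1)[-1].split("?", 1)[0]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def executable_downloads(downloads):
    """Stage 1: downloads whose bytes are an executable, whatever the name says."""
    return [d for d in downloads if detect_type(d["head"]) in EXECUTABLE_TYPES]


def type_extension_mismatches(downloads):
    """Stage 2: executables whose declared extension does not fit the detected type."""
    out = []
    for d in executable_downloads(downloads):
        kind = detect_type(d["head"])
        allowed = next(exts for _, k, exts in MAGIC if k == kind)
        ext = extension_of(d["url"])
        if ext not in allowed:
            out.append({"host": d["host"], "url": d["url"], "detected": kind, "extension": ext})
    return out


def critical_asset_alerts(downloads, critical=CRITICAL_ASSETS):
    """Stage 3: mismatches pulled down by a critical asset become alerts."""
    return [m for m in type_extension_mismatches(downloads) if m["host"] in critical]


if __name__ == "__main__":
    print(len(SAMPLE_DOWNLOADS), "downloads ->",
          len(executable_downloads(SAMPLE_DOWNLOADS)), "executables ->",
          len(type_extension_mismatches(SAMPLE_DOWNLOADS)), "mismatches ->",
          len(critical_asset_alerts(SAMPLE_DOWNLOADS)), "alerts")
    for a in critical_asset_alerts(SAMPLE_DOWNLOADS):
        print("ALERT", a)
```

Each stage is a filter over the output of the previous one, so the expensive work (opening the payload to read magic bytes) is done once and every later stage only narrows the set, which is what keeps the final alert count at "a few dozen" rather than thousands.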
Slide 33: Integrated Intelligence: How Do I Know What To Look For?
Gathers advanced threat intelligence and content from the global security community & RSA FirstWatch
Aggregates & consolidates the most pertinent information and fuses it with your organization's data
Automatically distributes correlation rules, blacklists, parsers, views, feeds
Operationalize intelligence: take advantage of what others have already found and apply it against your current and historical data

Slide 34: Security Analytics Live Content
Fuses open source, commercial, and confidential threat and fraud intelligence with an organization's live and recorded network traffic

Slide 35: RSA FirstWatch
Providing RSA Security Analytics customers covert tactical and strategic threat intelligence on advanced threats & actors
RSA's elite, highly trained global threat research & intelligence team
Heritage dating back to the late 1990s, featuring a who's who of researchers
Backgrounds in government, military, financial services and information technology
Focused on threats unknown to the security community
Malicious code & content analysis
Threat research & ecosystem analysis
Profiling threat actors
Research operationalized automatically via RSA Live

Slide 36: Results
Reduce risk by compressing attacker free time: continuous analysis of terabytes of security data through a big data architecture, reducing threat analysis time from days to minutes
Level the playing field with adversaries: incorporate operationalized intelligence to defend with confidence
Elevate the security team to another level of effectiveness: increase the team's collective skill by gaining analytical firepower; investigate more rapidly, centralize information, automate alerts and reports
Meet compliance requirements

Slide 37: Demonstration