Security Leadership: Preventing and Responding to Future Cyber Attacks. Mark Seward, Sr. Director, Security and Compliance


Transcription:

Security Leadership: Preventing and Responding to Future Cyber Attacks. Mark Seward, Sr. Director, Security and Compliance

Agenda: Why are attacks successful? How does big data help? Changing our thinking. The advanced threat playbook. Thinking security, talking business risk. Questions.

Advanced threats are hard to detect. 100%: valid credentials were used. 40: average number of systems accessed. 243: median number of days before detection. 63%: of victims were notified by an external entity. Source: Mandiant M-Trends Report 2012 and 2013.

Attacker thinking: Attackers don't want to work too hard to get what they want. "What's the easiest way to target the right people who have access (credentials) to the stuff I can steal?" Source: Mandiant M-Trends 2013.

Why are attacks successful? Silos. Defenders are isolated, focused on narrow defensive zones. Opponents are organized, persistent and creative.

Why are attacks successful? People. They are the weak point in our cyber defense. Vulnerable to trust issues. It only takes one click for the attacker to be right. Employee activities, once credentialed, are usually trusted. We need a real-time big data approach to security and statistical analysis of the data.

Why are attacks successful? Your partners. Monitoring partner and service provider access is about what's normal and what's not. Understand your partner's cyber posture and policy.

Why are attacks successful? Data reduction. Typical SIEM architecture: the data reduction model. You have to know what you need for an investigation before you need it. Useful data can come from anywhere, not just what's supported by the vendor. Lack of scalability restricts visibility. It creates vendor dependency (people forget how to wade into their data). The cold case problem.

How much and what kinds of data do we need?

Telling your data security story: the 5 Ws of journalism; the 5 Ws of information security.

Unstructured industrial control data: a key piece of your security story. Security teams are not focused on machine-generated data. Machines deliver goods or services. Machines monitor product quality. Machine health affects product/service quality. Industrial control systems support JiT supply chains. Environmental control data. Machine-generated data.

A constantly growing universe of security data. Security-relevant data: IT infrastructure logs / physical security / communication systems logs / application data / non-traditional data sources. SIEM: limited to security point products. An incomplete story will often tell you something happened, without enough context to get to why. Expanded context (more data) is required for who, what, when, where, and why.

Detecting the malicious insider requires context: time (when), email (how), proxy data / browsing history (what), location (where), IP address / DHCP / DNS (who), date (when), badge (who), supervisor (why).

The False Promise of SIEM and Data Reduction

Security posture homogenized. Data reduction and normalization at collection time gives analysts a "skim milk" view of security posture. The data "fat" can be relevant to an investigation. All data is relevant for security.

Moving to a data inclusion model. Specific behavior-based pattern modeling for humans and machines, based on combinations of: location, role, data/asset type, data/asset criticality, time of day, action type, action length of time. Data inclusion model: no up-front normalization; time-indexed data; analytics and statistics; commands; correlation; pattern analysis.

Creating a single data layer: IT operations, business intelligence, compliance & audit, security, web analytics.

What's the playbook for advanced persistent attackers?

What is the Kill Chain? It represents the typical phases of an advanced attack. What are the characteristics of an advanced threat or attack? Stealth. Staying resident as long as possible. Collection of high-value data. Can be nation-state driven. Malware acts as a proxy for the malicious insider. Hacking the human trust. The kill chain is a game film of typical attack activities: a list of things that almost always happen, but maybe not in order.

Kill chain idea origin: In military parlance, a kill chain is a phase-based model to describe the stages of an attack, which also helps inform ways to prevent such attacks. These stages are referred to as: Find, Fix, Track, Target, Engage, Assess. The further towards the beginning of the kill chain an attack can be stopped, the better.

Kill chain for cyber security as outlined by Miter. A successful strategy requires analysis of the game film called the advanced threat kill chain.

Kill chain activities defined

Monitoring the kill chain: web analytics. Get an understanding of clicks to the management or board member portion of your website from outside the country where your company is based. The Google Analytics visitor flow report can help you understand where visitors come from and how they troll and access the site. Social media: monitor outgoing data, especially file sharing that may help an attacker with social engineering. Monitor company sentiment to understand whether a storm is gathering that may result in an attack. Traffic originating from data centers (known IP address spaces). Web crawling and bots.

Monitoring the kill chain: identify threat characteristics. Identify whether the domain the email came from belongs to a legitimate business. Use analytics to understand if email is being seen for the first time from the sender. Monitor the types of attachments and perform packet-level inspection to understand file attachment content (what is the attachment? JavaScript, .exe, or does it contain a launch action?).

Monitoring the kill chain: malware behavior identification and detection. Use VirusTotal or GTRI's Apiary to identify malware actions and characteristics. Import data from these services into Splunk to monitor for infection characteristics not detected by AV engines: collect the malware hash; communication IPs, ports and protocols used; file or registry key changes; the domain the email came from as a legitimate business; network connection(s); DLL changes. Correlate this data with the host data collected: are changes made outside of change windows? Monitor for unusual or rare traffic between hosts for lateral movement. Monitor changes to host processes.

Monitoring the kill chain: malware communication analytics. Monitor URL and user agent strings for embedded command and control (lengths above a particular standard deviation). Monitor web traffic to known bad IPs and domains. Monitor web traffic to domains registered in the last 24-72 hours. Monitor web traffic without a referrer. Use VirusTotal or GTRI's Apiary to identify malware actions and characteristics. Outbound encrypted traffic (from DMZ, web servers, DBs, other hosts that should not be initiating connections). Identify self-signed certificates. Falsified HTTP headers. Beaconing hosts. Non-standard encryption over allowed paths. Use of remote Windows shell or remote desktop.
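Three of the checks on this slide (URL lengths above a standard-deviation threshold, traffic without a referrer, and beaconing hosts) worked over a small constructed proxy log. This is an added example, not code from the slides or from Splunk; the log format and the 2-sigma and 10% interval-jitter thresholds are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed proxy log (assumed format): epoch_seconds src_ip dst_host url referrer ("-" = none)
PROXY_LOG = """\
1000 10.0.0.5 www.example.com /index.html -
1050 10.0.0.5 www.example.com /news/today.html https://www.example.com/index.html
1120 10.0.0.5 cdn.example.net /lib/app.js https://www.example.com/news/today.html
1200 10.0.0.5 www.example.com /about.html https://www.example.com/index.html
1260 10.0.0.5 www.example.com /contact.html https://www.example.com/about.html
1000 10.0.0.9 beacon.example.org /ping -
1300 10.0.0.9 beacon.example.org /ping -
1600 10.0.0.9 beacon.example.org /ping -
1900 10.0.0.9 beacon.example.org /ping -
1450 10.0.0.9 upload.example.org /p?s=0123456789abcdef0123456789abcdef0123456789abcdef -
"""

def parse(log):
    # One dict per log line (fields as in the header comment above).
    events = []
    for line in log.splitlines():
        ts, src, dst, url, ref = line.split()
        events.append({"ts": int(ts), "src": src, "dst": dst, "url": url, "ref": ref})
    return events

def long_url_outliers(events, z=2.0):
    # URLs more than z standard deviations longer than the mean URL length.
    lengths = [len(e["url"]) for e in events]
    mean, sd = statistics.mean(lengths), statistics.pstdev(lengths)
    return [e for e in events if sd and (len(e["url"]) - mean) / sd > z]

def no_referrer_ratio(events):
    # Share of each source host's requests that carry no referrer.
    total, bare = defaultdict(int), defaultdict(int)
    for e in events:
        total[e["src"]] += 1
        bare[e["src"]] += e["ref"] == "-"
    return {src: bare[src] / total[src] for src in total}

def beaconing_pairs(events, min_hits=4, max_cv=0.1):
    # (src, dst) pairs whose inter-request gaps are nearly constant (gap CV <= max_cv).
    times = defaultdict(list)
    for e in events:
        times[(e["src"], e["dst"])].append(e["ts"])
    hits = []
    for pair, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits.append(pair)
    return hits
```

On the sample log the single long upload URL is the only length outlier, every request from 10.0.0.9 lacks a referrer, and only the fixed 300-second cadence to beacon.example.org is reported as beaconing; the irregular browsing to www.example.com is not.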

Monitoring the kill chain: DDoS from the inside. CPU cycles eaten up. Performance degradation. Land and expand (what hosts are exhibiting the same issues). Web server content replaced. Log files missing/erased. New executable on host. Host AV not updating. Elevated privileges. Movement of encrypted .rar or .zip files. Use of sftp or ftp to a controlled host. Use of the pwdump tool.

A tall order for the average security team? Take small measures/steps. Pick one phase and focus, then pick the next one. Stopping the attacker at any one phase is good. The earlier in the chain you are able to focus, the better. Know your environment; you can bet the attacker will try to know it. What information does your web presence tell an attacker?

Don't let vendors tell you what questions you can ask their solution about your data. Ask the questions your business cares about.

A process for using big data for security: identify the business issue. What does the business care about? What could cause loss of service or financial harm? Performance degradation. Unplanned outages (security related). Intellectual property access. Data theft.

A process for using big data for security: construct a hypothesis. How could someone gain access to data that should be kept private? What could cause a mass system outage that the business cares about? What could cause performance degradation resulting in an increase in customer dissatisfaction?

A process for using big data for security: it's about the data. Where might our problem be in evidence? For data theft, start with unauthorized access issues: facility access data, VPN, AD, wireless, applications, others. Beg, borrow, SME from system owners.

A process for using big data for security: data analysis. For data theft, start with what's normal and what's not (create a statistical model). How do we normally behave? What patterns would we see to identify outliers? Patterns based on time of day, length of time, who, organizational role, IP geo-lookups, the order in which things happen, how often a thing normally happens, etc.

A process for using big data for security: interpret and identify. What are the mitigating factors? Does the end of the quarter cause increased access to financial data? Does our statistical model need to change due to network architecture changes, employee growth, etc.? Can we gather vacation information to know when it is appropriate for HPA users to access data from foreign soil? What are the changes in attack patterns?
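The data analysis and interpret-and-identify steps above, carried through on constructed access records: a per-user baseline of usual hours, countries and daily volume, scored against a new day, with the slide's vacation/travel information applied as a mitigating factor so expected foreign access is not flagged. This is an added example, not code from the slides; the record format, the user names and the 2-sigma volume threshold are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed access records (assumed format, not from the slides):
# (day, hour, user, country). Days 1-5 form the "what's normal" training window.
BASELINE = [
    (1, 9, "alice", "US"), (1, 14, "alice", "US"), (2, 10, "alice", "US"),
    (3, 9, "alice", "US"), (3, 16, "alice", "US"), (4, 11, "alice", "US"),
    (5, 9, "alice", "US"), (5, 15, "alice", "US"), (1, 8, "dana", "US"),
    (2, 8, "dana", "US"), (3, 9, "dana", "US"), (4, 8, "dana", "US"), (5, 9, "dana", "US"),
]
# Mitigating factor from the slides: approved travel makes foreign access expected.
APPROVED_TRAVEL = {"dana": [("DE", 8, 12)]}  # user -> [(country, first_day, last_day)]
NEW_EVENTS = [
    (8, 9, "dana", "DE"),                                   # covered by approved travel
    (8, 3, "alice", "US"), (8, 3, "alice", "US"), (8, 3, "alice", "US"),
    (8, 4, "alice", "RU"),                                  # odd hour, odd country, high volume
]

def build_profile(records):
    # Per-user sets of hours and countries seen, plus daily-volume mean and deviation.
    hours, countries = defaultdict(set), defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(int))
    for day, hour, user, country in records:
        hours[user].add(hour)
        countries[user].add(country)
        per_day[user][day] += 1
    profile = {}
    for user in hours:
        counts = list(per_day[user].values())
        profile[user] = {"hours": hours[user], "countries": countries[user],
                         "mean": statistics.mean(counts), "sd": statistics.pstdev(counts)}
    return profile

def travel_ok(user, country, day):
    return any(c == country and a <= day <= b for c, a, b in APPROVED_TRAVEL.get(user, []))

def score_day(profile, records, day):
    # Reasons per user for one day's records; users with nothing odd are absent.
    # A user missing from the baseline matches nothing, so every access is flagged.
    findings, volume = defaultdict(set), defaultdict(int)
    for d, hour, user, country in records:
        if d != day:
            continue
        volume[user] += 1
        p = profile.get(user, {"hours": (), "countries": ()})
        if hour not in p["hours"]:
            findings[user].add(f"unusual hour {hour}")
        if country not in p["countries"] and not travel_ok(user, country, d):
            findings[user].add(f"unusual country {country}")
    for user, n in volume.items():
        if user in profile and n > profile[user]["mean"] + 2 * profile[user]["sd"]:
            findings[user].add(f"volume {n} above baseline")
    return {u: sorted(r) for u, r in findings.items()}
```

Scoring day 8 reports alice for the 03:00 and 04:00 hours, the RU access and four accesses against a baseline of about 1.6 per day, while dana's German access falls inside her approved travel window and produces no finding.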

Attacks of the future: will require risk scenario thinking; will grow in sophistication; will be more individualized (business specific); will be motivated by acquiring customer private data, stealing intellectual property, damaging reputation, and holding companies ransom; will find vulnerabilities wherever they are; will require risk measurement for prioritization.

Big data platform: insight for business risk. App monitoring data, security data, IT operations data, LDAP, AD, watch lists, business process data, distribution system data. Business risk and security; security & compliance; IT operations management; business analytics; web intelligence; application monitoring.

Thank You

Outside live threat intelligence: live data sampling from 38 international data centers; presence in the top 20 Internet Exchange (IX) points worldwide; core long-haul fiber access from tier 1 operators with several 10 Gbps pipes; 1500 factors for creating an IPQ risk score to assess potential attacks.