Protecting Financial Networks from Cyber Crime

Posted on 15-Jan-2015


Category: Technology


DESCRIPTION

Financial services organizations are prime targets for cyber criminals. They must take extreme care to protect customer data, while also ensuring high levels of network availability to allow for 24/7 access to critical financial information. Additionally, industry consolidation has created large, heterogeneous network environments within large financial institutions, making it difficult to ensure that networks have the necessary visibility and protection to prevent a devastating security breach. By leveraging NetFlow from existing network infrastructure, financial services organizations can achieve comprehensive visibility across even the largest, most complex networks. The ability to quickly detect a wide range of potentially malicious activity helps prevent damaging data breaches and network disruptions. Attend this informational webinar, conducted by Lancope’s Director of Security Research, Tom Cross, to learn:

• How NetFlow can help quickly uncover both internal and external threats
• How pervasive network insight can accelerate incident response and forensic investigations
• How to substantially decrease enterprise risks

TRANSCRIPT

NetFlow & Financial Services

Tom Cross, Director of Security Research
tcross@lancope.com
(770) 225-6557

Is your network secured like a house or like a bank?

“If someone breaks into your house, trying to figure where they went and what they took is pretty difficult because, unlike a bank, you don’t have cameras in your house, you don’t have motion sensors,” says Jason Syversen, chief executive officer of Siege Technologies, a security firm in Manchester, N.H. “In terms of cybersecurity, most companies are more like a house than a bank.”

© 2013 Lancope, Inc. All rights reserved.

Perimeter Security

• Much of the practice of computer security has to do with making sure the doors are locked.
  – When we have incidents we spend more money on prevention.
  – We tend to assume that if the bad guys are in, it’s game over.
• Systems will stop working or money will be instantly stolen.

Audit Trail Sources

• Syslog/SIEM
  – Are you collecting everything?
  – You can’t trust compromised hosts
• NetFlow
  – Lots of breadth, less depth
  – Lower disk space requirements
• Full Packet Capture
  – Deep but not broad
  – Expensive
  – High disk space requirements

Tradeoffs:
• Record everything vs only bad things
• Breadth vs Depth
• Time vs Depth
• Privacy

Network Visibility

[Diagram: NetFlow visibility across the DMZ, VPN, Internal Network, Internet and 3G Internet segments]

Transactional Audits of ALL activities

NetFlow Basics

• Devices with one or more flow-producing interfaces are “Exporters”
• Exporters cache and forward records to “Collectors”
• Common Exporters include firewalls, switches, and routers

[Diagram: exporters in the Internet, DMZ, VPN and 3G segments sending NetFlow packets to a NetFlow Collector]

NetFlow packet fields: src and dst ip, src and dst port, start time, end time, mac address, byte count, and more.

1. Configure the Exporter (Where do I want my data sent?)
   Router(config)# flow exporter my-exporter
   Router(config-flow-exporter)# destination 1.1.1.1

2. Configure the Flow Record (What data do I want to meter?)
   Router(config)# flow record my-record
   Router(config-flow-record)# match ipv4 destination address
   Router(config-flow-record)# match ipv4 source address
   Router(config-flow-record)# collect counter bytes

3. Configure the Flow Monitor (How do I want to cache information?)
   Router(config)# flow monitor my-monitor
   Router(config-flow-monitor)# exporter my-exporter
   Router(config-flow-monitor)# record my-record

4. Apply to an Interface (Which interface do I want to monitor?)
   Router(config)# interface gi0/1
   Router(config-if)# ip flow monitor my-monitor input
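The collector side of the exporter/collector exchange described above, as an added example that is not Lancope's code: it parses a NetFlow v5 export packet into the per-flow fields the slides list. NetFlow v5 is assumed, the packet is constructed inline so the example runs offline, and v5 carries no MAC address (that field needs v9 or IPFIX).

```python
# Added example, not from the deck: minimal collector-side parser for a
# NetFlow v5 export packet. The sample packet is constructed in this file;
# a real collector would read the same bytes from a UDP socket.
import struct
from ipaddress import IPv4Address

HDR = struct.Struct("!HHIIIIBBH")                # 24-byte v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record

def parse_v5(packet):
    """Return one dict per flow with src/dst ip and port, start/end time
    (epoch seconds), packet and byte counts. Rejects truncated packets."""
    if len(packet) < HDR.size:
        raise ValueError("truncated header")
    version, count, uptime, secs, nsecs, seq, *_ = HDR.unpack_from(packet)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    if len(packet) < HDR.size + count * REC.size:
        raise ValueError("packet shorter than header 'count' claims")
    boot = secs + nsecs / 1e9 - uptime / 1000   # exporter boot time in epoch seconds
    flows = []
    for i in range(count):
        (src, dst, _nh, _in, _out, pkts, octets, first, last, sport, dport,
         _pad, flags, proto, _tos, *_) = REC.unpack_from(packet, HDR.size + i * REC.size)
        flows.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "sport": sport, "dport": dport, "proto": proto, "tcp_flags": flags,
            "start": boot + first / 1000, "end": boot + last / 1000,   # first/last are uptime ms
            "packets": pkts, "bytes": octets,
        })
    return flows

def build_v5(records, uptime_ms=600000, unix_secs=1_400_000_000, seq=1):
    """Constructed test input: pack (src, dst, sport, dport, proto, pkts, bytes, first_ms, last_ms)."""
    hdr = HDR.pack(5, len(records), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        REC.pack(IPv4Address(s).packed, IPv4Address(d).packed, b"\0\0\0\0", 1, 2,
                 pk, by, first, last, sp, dp, 0, 0x18, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, pk, by, first, last in records)
    return hdr + body

# Constructed sample: an internal host fetching a page from an external server.
SAMPLE = build_v5([
    ("10.1.1.20", "203.0.113.5", 51000, 80, 6, 12, 4800, 590000, 590400),
    ("203.0.113.5", "10.1.1.20", 80, 51000, 6, 30, 41000, 590000, 590400),
])

if __name__ == "__main__":
    for f in parse_v5(SAMPLE):
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} {f['bytes']} bytes")
```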

Internal Visibility Through NetFlow

[Diagram: NetFlow exported from the DMZ, VPN, Internal Network, Internet and 3G Internet segments to a NetFlow Collector]

NetFlow Advantages

• It’s easy to configure
  – Your network already speaks it
  – It’s standardized
  – It doesn’t need to be configured on every endpoint
• Visibility down to the access layer
• Compact records are inexpensive to store


Intrusion Audit Trails

• 1:06:15 PM: Internal host visits malicious web site
• 1:06:30 PM: Malware infection complete, accesses Internet command and control
• 1:06:35 PM: Malware begins scanning internal network
• 1:07:00 PM: Gateway malware analysis identifies the transaction as malicious
• 1:13:59 PM: Multiple internal infected hosts
• 1:14:00 PM: Administrators manually disconnect the initial infected host

Do you know what went on while you were mitigating?

Following IOC

• A malware campaign targeting your industry has been publicly disclosed. A quick search of your network audit trail reveals an internal host that accessed the malicious site.
• Check host details around that time. Suspicious HTTP connections right after contact are a good candidate for a drive-by download. Suspicious download followed by a reverse SSH shell: most SSH bytes sent by the “client”.
• The attacker recons your network. Investigate any hosts contacted by the compromised host. Additionally, look for any other hosts scanning for 445 and 135.
• Since we have uncovered a new IOC (the IP address controlling the reverse SSH shell), we should check to see if that host has touched the network anywhere else. Another host shows a reverse shell.
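The four "Following IOC" steps above as one pivot over a flow audit trail, written as an added example that is not Lancope's code. The records, the disclosed indicator, the 90% client-byte ratio for the reverse-shell heuristic and the three-target scan threshold are all constructed assumptions.

```python
# Added example, not from the deck: following an IOC through a constructed NetFlow
# audit trail. Records are (time, src_ip, dst_ip, dst_port, client_bytes, server_bytes).
from collections import defaultdict

FLOWS = [
    ("13:06:15", "10.1.1.20", "203.0.113.5",  80,     600,  45000),  # visits published IOC
    ("13:06:20", "10.1.1.20", "203.0.113.5",  80,     400,  90000),  # drive-by download
    ("13:06:30", "10.1.1.20", "198.51.100.9", 22, 2400000,   8000),  # reverse SSH: client sends most
    ("13:06:35", "10.1.1.20", "10.1.1.31",   445,     120,      0),  # internal recon
    ("13:06:35", "10.1.1.20", "10.1.1.32",   445,     120,      0),
    ("13:06:36", "10.1.1.20", "10.1.1.33",   135,     120,      0),
    ("13:09:10", "10.1.1.32", "198.51.100.9", 22, 1100000,   6000),  # second host, same controller
    ("13:10:00", "10.1.1.50", "10.1.1.60",    22,    3000, 500000),  # normal admin SSH
    ("13:11:00", "10.1.1.50", "10.1.1.31",   445,   20000,  40000),  # normal file share
]
PUBLISHED_IOCS = {"203.0.113.5"}   # constructed: the publicly disclosed malicious site

def hosts_that_contacted(flows, iocs):
    """Step 1: which internal hosts touched the disclosed indicator?"""
    return sorted({src for _, src, dst, *_ in flows if dst in iocs})

def reverse_shell_peers(flows, host, port=22, min_ratio=0.9):
    """Step 2: SSH flows where the 'client' sends most of the bytes are
    reverse-shell candidates; return the external peers controlling them."""
    peers = set()
    for _, src, dst, dport, cb, sb in flows:
        if src == host and dport == port and cb + sb and cb / (cb + sb) >= min_ratio:
            peers.add(dst)
    return peers

def scanners(flows, ports=(445, 135), min_targets=3):
    """Step 3: hosts touching many distinct peers on 445/135 look like recon."""
    targets = defaultdict(set)
    for _, src, dst, dport, *_ in flows:
        if dport in ports:
            targets[src].add(dst)
    return {src for src, t in targets.items() if len(t) >= min_targets}

def follow_ioc(flows, iocs):
    """Step 4: each reverse-shell controller is a new IOC; re-search the trail
    for it and repeat until no new hosts or controllers turn up."""
    compromised, c2 = set(hosts_that_contacted(flows, iocs)), set()
    frontier = set(compromised)
    while frontier:
        for host in frontier:
            c2 |= reverse_shell_peers(flows, host)
        new_hosts = {src for _, src, dst, *_ in flows if dst in c2} - compromised
        compromised |= new_hosts
        frontier = new_hosts
    return compromised, c2
```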

A Four Dimensional View of Attacker Behavior

• A sophisticated attack on a network involves a series of steps
• Traditional thinking views any system compromise as a successful breach
• Any successful action taken to stop an infection prior to data exfiltration can be considered a win
• This is the Kill Chain concept introduced by Mike Cloppert at Lockheed
• Controls should be put in place at each stage of the chain

[Diagram: kill chain stages as laid out on the slide: Recon, Exploitation (Social Engineering?), Initial Infection, Internal Pivot, Data Preparation & Exfiltration, Command and Control]

The Changing Nature of Incident Response

[Diagram: a continuous cycle of Detect, Respond, Analyze, Distill Intel]

Continuous Response is the centerpiece of advanced threat defense.

Factors driving the change:
• The persistent nature of the threat.
• Other organizations aren’t necessarily experiencing the same attacks.
• The desire to collect threat intelligence that can be used to detect future incidents.

Threat Intelligence Sharing

Combating Insider Threat is a multidisciplinary challenge

• IT cannot address insider threat by itself
  – People have a tendency to think that IT is solely responsible for all computer security issues.
• Legal: Are policies in place? Are they realistic? Does legal support IT practices?
• HR: Who is coming and going? Who has workplace issues? Are there soft solutions?
• IT: Is the privacy of end users adequately protected?
• What impact on workplace harmony are policies, monitoring, and enforcement having?
• Are you applying policies consistently?

[Diagram: IT, HR and Legal as overlapping responsibilities]

Cisco Identity Services Engine (ISE)

• Cisco ISE is a context-aware, policy-based 802.1X authentication solution
• Detect
  – Device type, operating system and patch level
  – Time and location from which the user is attempting to gain access

User Name   MAC Address                                        Device Type
Bob.Smith   8c:77:12:a5:64:05 (Samsung Electronics Co., Ltd)   Android
John.Doe    10:9a:dd:27:cb:70 (Apple Inc)                      Apple-iPhone

Lancope Identity 1000

User Reports

Flow Statistical Analysis

Suspect Data Hoarding: unusually large amount of data inbound from other hosts

Scan Detection: External Recon and Internal Pivoting

HeartBleed Detection in StealthWatch

• March 2007: StealthWatch introduces Suspect Long Flow Alarm
• March 2012: OpenSSL with HeartBleed vulnerability released
• April 7, 2014: HeartBleed vulnerability publicly disclosed
• April 8, 2014: Attackers hijack SSL VPN connections with HeartBleed, bypassing two-factor authentication
• April 15, 2014: Teenager arrested for siphoning data from the Canadian Revenue Agency using HeartBleed
• Sometime later…: You patched your servers
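Two of the flow-statistics alarms the deck names, Suspect Data Hoarding and Suspect Long Flow, as an added example that is not StealthWatch code. The records, the median-absolute-deviation threshold k and the one-hour ceiling are constructed assumptions; a real system learns per-host baselines instead of using fixed numbers.

```python
# Added example, not Lancope/StealthWatch code: two flow-statistics alarms run
# over constructed records of the form (host, peer, bytes_in, duration_seconds).
from statistics import median

FLOWS = [  # constructed: inbound bytes to "host" from "peer" within one window
    ("10.1.1.10", "10.1.1.20",   800_000, 40), ("10.1.1.10", "10.1.1.21",   700_000, 35),
    ("10.1.1.11", "10.1.1.22",   900_000, 50), ("10.1.1.11", "10.1.1.23",   600_000, 30),
    ("10.1.1.12", "10.1.1.24",   750_000, 45), ("10.1.1.12", "10.1.1.25",   650_000, 25),
    ("10.1.1.13", "10.1.1.26",   820_000, 38), ("10.1.1.13", "10.1.1.27",   710_000, 42),
    ("10.1.1.99", "10.1.1.20", 9_000_000, 60), ("10.1.1.99", "10.1.1.21", 8_500_000, 55),
    ("10.1.1.99", "10.1.1.22", 7_900_000, 50), ("10.1.1.99", "10.1.1.23", 8_200_000, 48),
    ("10.1.1.14", "203.0.113.7", 20_000, 21_600),  # a six-hour session from outside
]

def inbound_totals(flows):
    """Bytes each host received from other hosts, summed over the window."""
    totals = {}
    for host, _peer, bytes_in, _dur in flows:
        totals[host] = totals.get(host, 0) + bytes_in
    return totals

def suspect_data_hoarding(flows, k=5.0):
    """Flag hosts whose inbound total sits more than k median absolute deviations
    above the population median; MAD is robust to the hoarder's own value."""
    totals = inbound_totals(flows)
    med = median(totals.values())
    mad = median(abs(v - med) for v in totals.values()) or 1
    return {h: v for h, v in totals.items() if (v - med) / mad > k}

def suspect_long_flows(flows, max_seconds=3600):
    """Flag single flows that stay open far longer than the service norm."""
    return [(h, p, d) for h, p, _b, d in flows if d > max_seconds]
```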

Investigating Performance Issues

DDoS Attacks More Automated & Powerful

• Prolexic, Q2 2012 to Q2 2013:
  – 33% increase in attacks
  – 925% increase in bandwidth (4.47 Gbps to 49.24 Gbps)
  – 1655% increase in packets per second (2.7 Mpps to 47.4 Mpps)

StealthWatch DDoS Dashboards

• Top Targeted Hosts
• Application traffic view (drill down into spikes)
• Alarms for Internet facing applications
• Custom Flow Maps
• Overall traffic views (drill down into spikes)
• Top target hosts

End to End Visibility of DDoS Activity
• Visualize alarms, traffic anomalies and network degradation
• Understand impact to back-end applications

Relational anomaly detection can identify internal pivoting

[Diagram: hosts pivoting toward a Secure Zone]

Thank You

Tom Cross, Director of Security Research
tcross@lancope.com
(770) 225-6557