
Copyright 2011 © All rights reserved. EMC Corporation | Confidential and Proprietary

APTs and the Failure of Prevention

Presentation for: ISACA Melbourne

Presented by: Eddie Schwartz, PMP, CISSP, CISA, CISM, ISSEP

CSO, NetWitness Corporation

[email protected]


Agenda

» Discussion Regarding Threat Environment

» Advanced / Persistent Threats – In Context

» Rethinking Network Monitoring – A Quick Case Study

» Take-Aways and Q&A


Risk Management 101?

»  Spear phishing attacks

»  Poisoned websites and DNS – “Drive-by” attacks

»  Pervasive infection (e.g., ZeuS, Aurora, Stuxnet, Night Dragon, etc.)

»  Malware and more malware resulting from all of the above…

»  Undetected data exfiltration, leakage, and covert network comms

»  Ongoing product vulnerabilities (e.g., Adobe, Microsoft, Oracle)

»  Social Networking / Mobility / Web 2.0

»  Cloud Computing / Other unknown risk profiles


Tracking the Opposing I/T Organization

[Diagram of the criminal supply chain. Boxes on the slide: Malware Writers, Botnet Owners, Spammers, Phishing Keyloggers, Botnet Services, Malware Distribution Service, Data Acquisition Service, Drop Sites, Identity Collectors, Data Mining & Enrichment, Data Sales, Validation Service (Card Checkers), Card Forums, ICQ, Credit Card Users, Master Criminals; and the Cashing $$$ side: eCommerce Site, Retailers, Banks, eCurrency, Drop Service, Wire Transfer, Gambling Payment Gateways.]

Are Security Teams Failing? Definitely…

»  People

}  Underestimate the complexity and capability of the threat actors

}  Do not take proactive steps to detect threats

»  Process

}  Organizations have misplaced IT measurements and program focus

}  IR processes lack correct data and focus

»  Technology

}  Current technology is failing to detect APT, APA, and other threats

}  Deep holes in network visibility

The Malware Problem

» 54% of breaches involved customized malware (no signature was available at time of exploit) (VzB/USSS, 2010)

» 87% of records stolen were from Highly Sophisticated Attacks (VzB/USSS, 2010)

» 91% of organizations believe exploits bypassing their IDS and AV systems to be advanced threats (Ponemon, 2010)

"With security researchers now uncovering close to 100,000 new malware samples a day, the time and resources needed to conduct deep, human analysis on every piece of malware has become overwhelming." (GTISC Emerging Cyber Threats Report 2011)


Current Technologies Are Failing – Firewalls

Intent – Prevent or limit unauthorized connections into and out of your network

Reality – Adversaries are designing malware to use “allowed paths” (DNS, HTTP, SMTP, etc.) to provide reliable and hard-to-detect C&C and data exfiltration channels from inside your internal network. Even worse, they are using encrypted tunnels to provide “reverse-connect” for full remote control capabilities.

The Gaps in Status Quo Security – IDS/IPS

Intent – Alert on or prevent known malicious network traffic

Reality – Attackers are using obfuscation methods to prevent IDS signatures from recognizing malicious traffic, and client-side attacks that don’t perform “network-based” exploitation. Even worse: Intrusion Prevention Systems are largely left unimplemented or crippled due to fears of business impact.

The Gaps in Status Quo Security – Anti-Malware

Intent – Prevent malicious code from running on an endpoint, or from traversing your network

Reality – Most current anti-malware technologies are signature-based, requiring constant signature updates to remain effective. Due to the current level of malware production, these signatures lag behind by days to weeks. Even worse, adversaries create custom malware for high value targets. If they don’t use widespread distribution, you are even less likely to have timely signatures.

[Slide also shows a screenshot captioned “From a top AV Vendor Forum”]

2010 Ponemon Institute Advanced Threats Survey

» We know what we need to do, but we are not doing it…


2010 Ponemon Institute Advanced Threats Survey

» Do the math yourself…


ATTACKER FREE TIME

[Timeline figure. Attacker-side labels: Attack Forecast, Target Analysis, Attack Set-up, Attack Begins, Access Probe, System Intrusion, Discovery / Persistence, Attacker Surveillance, Leap Frog Attacks Complete, Maintain foothold, Cover-up Starts, Cover-up Complete. Defender-side labels: Physical Security, Monitoring & Controls, System Reaction, Defender discovery, Attack Identified, Incident Reporting, Threat Analysis, Impact Analysis, Response, Containment & eradication, Damage Identification, Recovery. The horizontal axis is Time; the interval between the attack beginning and defender discovery is the attacker’s free time.]

Need to collapse attacker free time

Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)

New Security Concept: “OFFENSE IN DEPTH”

Thinking Differently about Network Monitoring …or, how I learned to love full packet capture…

There ARE specific targets…


Difficult Questions for Security and Audit Staff..

»  Why are packed or obfuscated executables being used on our systems?

»  What critical threats are my Anti-Virus and IDS missing?

»  I am worried about targeted malware and APTs -- how can I fingerprint and analyze these activities in my environment?

»  We need to better understand and manage the risks associated with insider threats – I want visibility into end-user activity and to be alerted on certain types of behavior?

»  On our high value assets, how can we have certainty that our security controls are functioning exactly as implemented?

»  How can I detect new variants of Zeus or other 0day malware on my network?

»  We need to examine critical incidents as if we had an HD video camera recording it all…


Typical Scenario These Days…

» Visit from the FBI saying, “You have a problem – information is being taken”

}  Perhaps IP addresses of compromised machines are provided

}  You might be told that certain types of files or email are being stolen

}  The CEO does not pay much attention to cyber, generally, but now it has his/her full attention

}  What do you do now?

» Knee-jerk reaction: take down these systems/networks, image the drives, rebuild the machines, life goes on, etc.

}  WRONG!!

» How do you know what has happened or is really still happening on the network?

What’s really happening (in many cases)…

»  If it’s an advanced persistent threat (APT), the adversary is quite entrenched and has been there for a while

}  It’s not simply a piece of malware you can detect and eradicate

}  Both COTS variants (ZeuS) and specific custom tools (e.g., file search tools)

»  They have the ability to change techniques, control channels, SSL certs, hours of operation, etc.

}  Commands scheduled on individual Windows machines

}  Text files containing lists of target files

}  RAR’d bunches of targeted files ready to be moved off the network in any number of communication pathways

}  Spear phishing attacks using bogus mailboxes created on mail system

»  Their true approach is not always the obvious one

}  C&C servers in places like HVAC or other low profile systems, versus file servers

}  Drop locations are not in China or Belarus, but in the U.S.

Sample Approach to Resilience

Stage 1: malware with dyndns -enabled host names -- exclusively routed to non-routable IP addresses – later, FTP (or other pathway) out to domestic system

Stage 2: XOR'd traffic over port 443 for data exfiltration and C&C, resolving to legitimate IP addresses -- blending in with legitimate traffic

Stage 3: very long beacon times: >2 weeks, SSL communications, not using dyndns domains -- hard-coded IP addresses, desperate to maintain access to the network
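The three stages above, together with the “allowed paths” point from the firewall slide, each leave something a monitoring team can test for. The following is an added example written for this transcript, not code from the presentation or from NetWitness: it runs three heuristics over constructed DNS-answer and flow records (a dynamic-DNS name answering with a non-routable address; a TCP/443 session whose first bytes are not a TLS record header; and a server contacted repeatedly at intervals of two weeks or more that never appeared as a DNS answer, used here as a stand-in for a hard-coded IP address). The dynamic-DNS suffix list, the 14-day threshold, the `.example` names and all log records are assumptions.

```python
"""Added example: three network-level checks for the C&C/exfiltration stages
described in the slides, run over constructed DNS and flow records."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the presentation); times are UTC.
DNS_LOG = [
    # (time, client, query name, answer)
    ("2010-02-01T08:00:00", "10.1.1.20", "update-host.dyndns.example", "10.0.0.7"),
    ("2010-02-01T08:00:01", "10.1.1.20", "www.example.com", "93.184.216.34"),
]
FLOW_LOG = [
    # (time, client, server, destination port, first payload bytes as hex)
    ("2010-02-01T08:05:00", "10.1.1.20", "203.0.113.10", 443, "16030100"),  # TLS record
    ("2010-02-01T08:05:30", "10.1.1.21", "203.0.113.11", 443, "5a7e3c91"),  # not TLS
    ("2010-02-01T09:00:00", "10.1.1.22", "198.51.100.5", 443, "16030100"),
    ("2010-02-16T09:00:00", "10.1.1.22", "198.51.100.5", 443, "16030100"),
    ("2010-03-03T09:00:00", "10.1.1.22", "198.51.100.5", 443, "16030100"),
]

# Assumed list of dynamic-DNS provider suffixes; a real list is site-specific.
DYNDNS_SUFFIXES = ("dyndns.example", "no-ip.example")
LONG_BEACON = timedelta(days=14)   # "very long beacon times: >2 weeks"


def stage1_dyndns_to_private(dns_log):
    """Stage 1: dynamic-DNS names answering with non-routable addresses.
    ipaddress.is_private covers RFC 1918 space and 127.0.0.0/8."""
    return [(client, qname, answer)
            for _ts, client, qname, answer in dns_log
            if qname.endswith(DYNDNS_SUFFIXES)
            and ipaddress.ip_address(answer).is_private]


def stage2_non_tls_on_443(flow_log):
    """Stage 2: traffic on TCP/443 that does not start with a TLS record
    header (0x16 0x03 0x0X), e.g. XOR-encoded C&C blending in with HTTPS."""
    return [(client, server)
            for _ts, client, server, port, payload in flow_log
            if port == 443 and not payload.lower().startswith("16030")]


def stage3_long_beacons(flow_log, dns_log, min_gap=LONG_BEACON, min_repeats=3):
    """Stage 3: a server contacted repeatedly at intervals >= min_gap that never
    appeared as a DNS answer (stand-in for a hard-coded IP address)."""
    resolved = {answer for *_rest, answer in dns_log}
    times_by_pair = defaultdict(list)
    for ts, client, server, _port, _payload in flow_log:
        times_by_pair[(client, server)].append(datetime.fromisoformat(ts))
    hits = []
    for (client, server), times in times_by_pair.items():
        if server in resolved or len(times) < min_repeats:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if all(gap >= min_gap for gap in gaps):
            hits.append((client, server, len(times)))
    return hits


def run_all():
    """Return the hits of all three checks keyed by stage name."""
    return {"stage1": stage1_dyndns_to_private(DNS_LOG),
            "stage2": stage2_non_tls_on_443(FLOW_LOG),
            "stage3": stage3_long_beacons(FLOW_LOG, DNS_LOG)}


if __name__ == "__main__":
    for stage, hits in run_all().items():
        print(stage, hits)
```

Each check on its own is noisy (internal PKI on odd ports, long-lived maintenance connections), which is why the deck argues for full packet capture: the payload bytes and the DNS context are exactly what a flow record alone lacks.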


Today’s adversaries leverage every weakness

»  Failure of AV and IDS to detect both ZeuS and other known exploits, and unknown emerging threat problems

»  Security program weaknesses – ongoing failure of controls and visibility:

}  Open domain admin accounts

}  Passwords backed up in clear text files

}  Postings on public forums containing questions regarding organization’s firewall rules

}  Flat security architecture (no segmentation of traffic)

}  Inadequate use of firewall ACLs and logging

»  Lack of other prudent security techniques such as full packet capture, DNS blackholing, two factor authentication, etc.


Case Study Understanding a Custom ZeuS-based APT Spear Phishing Attack

Finding bad things on the network: Are all ZeuS variants created equal?

“DPRK has carried out nuclear missile attack on Japan”

»  AV effectively “neutered” by overwriting the OS hosts file

»  Attempts to retrieve updates from vendor update server hosts routed to 127.0.0.1

»  Back to our “ATTACKER FREE TIME” DISCUSSION: if AV didn’t pick up the malware initially, it never will now
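The hosts-file trick above leaves a plain artefact on the endpoint that can be checked without any signature. As an added example (not from the deck and not NetWitness code), the script below parses a constructed hosts file and flags names pinned to the loopback or unspecified address, as well as any name on an assumed watch-list of vendor update hosts; the watch-list suffixes, the `.example` domains and the sample file content are all constructed.

```python
"""Added example: find hosts-file entries that sinkhole vendor update servers,
the AV-neutering technique described in the slide."""
import ipaddress
import os

# Constructed hosts-file content illustrating the technique; not from the deck.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.example
127.0.0.1       liveupdate.av-vendor.example   # pinned by malware
10.0.0.1        intranet.corp.example
"""

# Assumed watch-list of update-host suffixes the defender cares about.
WATCHED_SUFFIXES = ("av-vendor.example", "windowsupdate.example")
# Names that legitimately map to loopback and should not be reported.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (line number, ip address, hostname) for every name in a hosts file,
    skipping comments, blank lines and unparsable addresses."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        for name in names:
            entries.append((lineno, ip, name.lower()))
    return entries


def suspicious_hosts_entries(text, watched=WATCHED_SUFFIXES):
    """Report watched update hosts with any mapping, and any other non-benign
    name mapped to loopback (127/8, ::1) or the unspecified address (0.0.0.0)."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name in BENIGN_NAMES:
            continue
        pinned_update_host = name.endswith(watched)
        sinkholed = ip.is_loopback or ip.is_unspecified
        if pinned_update_host or sinkholed:
            findings.append({
                "line": lineno,
                "name": name,
                "address": str(ip),
                "reason": "update host pinned" if pinned_update_host
                          else "name mapped to loopback/unspecified",
            })
    return findings


def check_system_hosts(path=None):
    """Run the check against the live hosts file (path is assumed per OS)."""
    if path is None:
        path = (r"C:\Windows\System32\drivers\etc\hosts" if os.name == "nt"
                else "/etc/hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_hosts_entries(fh.read())


if __name__ == "__main__":
    for finding in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(finding)
```

Run it periodically from an endpoint agent or a logon script and alert on any finding; an AV product that has silently stopped updating is exactly the "it never will now" case the slide describes.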


Infection Progression – Nothing Unusual

» After a user clicks on the link, the file “report.zip” is downloaded from dnicenter.com

» If the user opens the file, the malware is installed

» Malware is actually a ZeuS variant; the author used techniques to hamper reverse-engineering / analysis of the binary

Further Network Forensics Evidence…

»  ZeuS configuration file download

»  This type of problem recognition can be automated


» Malware stealing files of interest to the drop server in Minsk

»  FTP drop server is still resolving to the same address

» Early on March 8, 2010, server cleaned out and account disabled

»  username: mao2 password: [captured]

Files harvested from victim machines in drop server (located in Minsk, Belarus)

»  FTP drop hosted in Minsk, with directory listing of 14 compromised hosts containing exfiltrated data


»  Time graph of beaconing activity and metadata showing comms to C&C server – all via “allowed pathways”


Example: Good network visualization

» Find Compromises – each filter is applied to the sessions left by the previous one

All sessions                              ½ Million     100 % of Total
HTTP                                      ~125,400       25 % of Total
HTTP w/ abnormal headers                  ~100,000       20 % of Total
Non-standard countries (or destinations)       670      0.1 % of Total
Interesting file types                         200     0.04 % of Total

195 of these 200 are actual compromises missed by traditional network security technologies
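The funnel above is a chain of filters, each run only over the survivors of the previous stage, with a count and percentage reported at every step. The following added example (written for this transcript, not the presentation's or NetWitness's code) implements that pipeline over constructed session metadata; the definition of “abnormal headers”, the expected-country baseline and the interesting file types are assumptions that an analyst would tune for their own environment.

```python
"""Added example: the investigative funnel from the slide as a filter pipeline
over constructed session metadata (total -> HTTP -> abnormal headers ->
unusual destinations -> interesting file types)."""
from dataclasses import dataclass, field


@dataclass
class Session:
    proto: str                      # application protocol, e.g. "http", "dns"
    country: str                    # destination country code
    headers: dict = field(default_factory=dict)
    filetype: str = ""              # type of file carried in the body, if any


# Assumed analyst criteria; the slide does not define them.
BROWSER_UA_PREFIXES = ("Mozilla/", "Opera/")
EXPECTED_COUNTRIES = {"AU", "US", "GB"}   # assumed baseline for this organisation
INTERESTING_TYPES = {"exe", "rar", "zip", "dll"}


def abnormal_headers(s):
    """'Abnormal' here: no Host header, or a User-Agent that is not browser-like."""
    ua = s.headers.get("User-Agent", "")
    return "Host" not in s.headers or not ua.startswith(BROWSER_UA_PREFIXES)


STAGES = [
    ("HTTP", lambda s: s.proto == "http"),
    ("HTTP w/ abnormal headers", abnormal_headers),
    ("Non-standard destinations", lambda s: s.country not in EXPECTED_COUNTRIES),
    ("Interesting file types", lambda s: s.filetype in INTERESTING_TYPES),
]


def funnel(sessions, stages=STAGES):
    """Apply each stage to the survivors of the previous one.
    Returns ([(stage name, count, percent of total)], surviving sessions)."""
    total = len(sessions)
    remaining = list(sessions)
    report = [("All sessions", total, 100.0)]
    for name, predicate in stages:
        remaining = [s for s in remaining if predicate(s)]
        report.append((name, len(remaining), 100.0 * len(remaining) / total))
    return report, remaining


def sample_sessions():
    """Constructed sessions exercising every drop-off point in the funnel."""
    ok = {"Host": "www.example.com", "User-Agent": "Mozilla/5.0"}
    bad = {"User-Agent": "Mozilla/4.0"}          # no Host header
    return [
        Session("http", "AU", ok, "html"),
        Session("http", "US", ok, "exe"),        # normal headers: dropped at stage 2
        Session("http", "BY", bad, "rar"),       # survives every stage
        Session("http", "BY", bad, "html"),      # dropped at the file-type stage
        Session("http", "AU", bad, "exe"),       # expected country: dropped at stage 3
        Session("dns", "US"),                    # not HTTP
        Session("ssl", "BY"),                    # not HTTP
    ]


if __name__ == "__main__":
    report, survivors = funnel(sample_sessions())
    for name, count, pct in report:
        print(f"{name:<28}{count:>6}  {pct:6.2f} % of total")
    print("to investigate:", survivors)
```

The order of the stages matters for analyst time rather than for correctness: cheap, high-volume filters (protocol, header shape) go first so that the expensive ones (destination enrichment, file-type identification from content) only run on a small remainder.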

Conclusions


Combating Advanced Threats Requires More and Better Information…

(The slide’s vertical axis runs from Lowest Value, at the firewall row, to Highest Value, at the network forensics row.)

DATA SOURCE: Firewalls, Gateways, etc.
DESCRIPTION: Overwhelming amounts of data with little context, but can be valuable when used within a SEIM and in conjunction with network forensics.

DATA SOURCE: IDS Software
DESCRIPTION: For many organizations, the only indicator of a problem, and only for known exploits. Can produce false positives and is limited by signature libraries.

DATA SOURCE: NetFlow Monitoring
DESCRIPTION: Network performance management and network behavioral anomaly detection (NBAD) tools. Indicators of changes in traffic flows within a given period, for example, DDoS. Limited by lack of context and content.

DATA SOURCE: SEIM Software
DESCRIPTION: Correlates IDS and other network and security event data and improves signal to noise ratio. Is valuable to the extent that data sources have useful information and are properly integrated, but lacks event context that can be provided by network forensics.

DATA SOURCE: Real-time Network Forensics (NetWitness)
DESCRIPTION: Collects the richest network data. Provides a deeper level of advanced threat identification and situational awareness. Provides context and content to all other data sources and acts as a force multiplier.

Take-Away

»  Advanced adversaries and emerging threats require revolutionary thinking

»  Current security paradigms are completely broken -- all organizations (including yours) will be compromised – no matter how good your security team

»  The real objective should be improving visibility at the application layer -- this goal requires complete knowledge of the network and powerful analytic tools and processes

»  Goals:

}  Lower risk to the organization

}  Improve incident response through shortened time to problem recognition and resolution

}  Reduce impact and cost related to cyber incidents

}  Generate effective threat intelligence and cyber investigations

}  Reduce uncertainty surrounding the impact of new threat vectors

}  Conduct continuous monitoring of critical security controls

}  Achieve situational awareness – being able to answer any conceivable cyber security question – past, present or future

Copyright 2007 NetWitness Corporation


Q&A

»  Email: [email protected]

»  Websites: http://www.netwitness.com and http://www.rsa.com

»  Twitter: @eddieschwartz, @netwitness

»  Blog: http://www.networkforensics.com

Know Everything…Answer Anything.