Copyright 2011 © All rights reserved. EMC Corporation | Confidential and Proprietary
APTs and the Failure of Prevention
Presented by: Eddie Schwartz, PMP, CISSP, CISA, CISM, ISSEP, CSO, NetWitness Corporation
Presentation for: ISACA Melbourne
Agenda
» Discussion Regarding Threat Environment
» Advanced / Persistent Threats – In Context
» Rethinking Network Monitoring – A Quick Case Study
» Take-Aways and Q&A
Risk Management 101?
» Spear phishing attacks
» Poisoned websites and DNS – “Drive-by” attacks
» Pervasive infection (e.g., ZeuS, Aurora, Stuxnet, Night Dragon, etc.)
» Malware and more malware resulting from all of the above…
» Undetected data exfiltration, leakage, and covert network comms
» Ongoing product vulnerabilities (e.g. Adobe, Microsoft, Oracle )
» Social Networking / Mobility / Web 2.0
» Cloud Computing / Other unknown risk profiles
Tracking the Opposing I/T Organization
[Diagram: the criminal supply chain. Nodes shown: Malware Writers, Botnet Owners, Spammers, Botnet Services, Malware Distribution Service, Phishing, Keyloggers, Drop Sites, Data Acquisition Service, Identity Collectors, Data Mining & Enrichment, Data Sales, Validation Service (Card Checkers), Card Forums, ICQ, Credit Card Users, Master Criminals, Cashing $$$ via eCommerce Site, Retailers, Banks, eCurrency, Drop Service, Wire Transfer and Gambling Payment Gateways.]
Are Security Teams Failing? Definitely…
» People
} Underestimate the complexity and capability of the threat actors
} Do not take proactive steps to detect threats
» Process
} Organizations have misplaced IT measurements and program focus
} IR processes lack correct data and focus
» Technology
} Current technology is failing to detect APT, APA, and other threats
} Deep holes in network visibility
The Malware Problem
» 54% of breaches involved customized malware (no signature was available at the time of exploit) (VzB/USSS, 2010)
» 87% of records stolen were from highly sophisticated attacks (VzB/USSS, 2010)
» 91% of organizations believe exploits bypassing their IDS and AV systems to be advanced threats (Ponemon, 2010)
"With security researchers now uncovering close to 100,000 new malware samples a day, the time and resources needed to conduct deep, human analysis on every piece of malware has become overwhelming." (GTISC Emerging Cyber Threats Report 2011)
Current Technologies Are Failing – Firewalls
Intent – Prevent or limit unauthorized connections into and out of your network
Reality – Adversaries are designing malware to use “allowed paths” (DNS, HTTP, SMTP, etc.) to provide reliable and hard-to-detect C&C and data exfiltration channels from inside your internal network. Even worse, they are using encrypted tunnels to provide “reverse-connect” for full remote control capabilities.
The Gaps in Status Quo Security – IDS/IPS
Intent – Alert on or prevent known malicious network traffic
Reality – Attackers are using obfuscation methods to prevent IDS signatures from recognizing malicious traffic, and client-side attacks that don’t perform “network-based” exploitation.
Even worse: Intrusion Prevention Systems are largely left unimplemented or crippled due to fears of business impact.
The Gaps in Status Quo Security – Anti-Malware
Intent – Prevent malicious code from running on an endpoint, or from traversing your network
Reality – Most current anti-malware technologies are signature-based, requiring constant signature updates to remain effective. Due to the current level of malware production, these signatures lag behind by days to weeks.
Even worse… adversaries create custom malware for high value targets. If they don’t use widespread distribution, you are even less likely to have timely signatures.
[Screenshot: from a top AV vendor forum]
2010 Ponemon Institute Advanced Threats Survey
» We know what we need to do, but we are not doing it…
2010 Ponemon Institute Advanced Threats Survey
» Do the math yourself…
ATTACKER FREE TIME
[Diagram, source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf). Two timelines plotted against Time.
Attacker phases: Target Analysis, Attack Set-up, Attack Begins, Access Probe, System Intrusion, Discovery / Persistence, Leap Frog Attacks Complete, Attacker Surveillance, Maintain foothold, Cover-up Starts, Cover-up Complete.
Defender phases: Attack Forecast, Physical Security, Monitoring & Controls, Defender discovery, Attack Identified, Threat Analysis, Incident Reporting, Impact Analysis, Damage Identification, Response, Containment & eradication, System Reaction, Recovery.
The gap between intrusion and defender discovery is the attacker’s free time.]
» Need to collapse attacker free time
New Security Concept: “OFFENSE IN DEPTH”
Thinking Differently about Network Monitoring …or, how I learned to love full packet capture…
Difficult Questions for Security and Audit Staff..
» Why are packed or obfuscated executables being used on our systems?
» What critical threats are my Anti-Virus and IDS missing?
» I am worried about targeted malware and APTs -- how can I fingerprint and analyze these activities in my environment?
» We need to better understand and manage the risks associated with insider threats – I want visibility into end-user activity and to be alerted on certain types of behavior.
» On our high value assets, how can we have certainty that our security controls are functioning exactly as implemented?
» How can I detect new variants of Zeus or other 0day malware on my network?
» We need to examine critical incidents as if we had an HD video camera recording it all…
Typical Scenario These Days…
» Visit from the FBI saying, “You have a problem – information is being taken”
} Perhaps IP addresses of compromised machines are provided
} You might be told that certain types of files or email are being stolen
} The CEO does not pay much attention to cyber, generally, but now it has his/her full attention
} What do you do now?
» Knee-jerk reaction: take down these systems/networks, image the drives, rebuild the machines, life goes on, etc.
} WRONG!!
» How do you know what has happened or is really still happening on the network?
What’s really happening (in many cases)…
» If it’s an advanced persistent threat (APT), the adversary is quite entrenched and has been there for a while
} It’s not simply a piece of malware you can detect and eradicate
} Both COTS variants (ZeuS) and specific custom tools (e.g., file search tools)
» They have the ability to change techniques, control channels, SSL certs, hours of operation, etc.
} Commands scheduled on individual Windows machines
} Text files containing lists of target files
} RAR’d bunches of targeted files ready to be moved off the network via any number of communication pathways
} Spear phishing attacks using bogus mailboxes created on the mail system
» Their true approach is not always the obvious one
} C&C servers in places like HVAC or other low profile systems, versus file servers
} Drop locations are not in China or Belarus, but in the U.S.
Sample Approach to Resilience
Stage 1: malware with dyndns-enabled host names – initially routed exclusively to non-routable IP addresses; later, FTP (or another pathway) out to a domestic system
Stage 2: XOR’d traffic over port 443 for data exfiltration and C&C, resolving to legitimate IP addresses – blending in with legitimate traffic
Stage 3: very long beacon times (>2 weeks), SSL communications, no dyndns domains – hard-coded IP addresses; desperate to maintain access to the network
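Each of the three stages leaves a different trace in network metadata, and none of them is a signature. The script below is an added example (not NetWitness code and not from the deck) showing one detection heuristic per stage over constructed DNS answers and session records: a dynamic-DNS name parked on a non-routable address (stage 1), a port 443 session whose first bytes are not a TLS handshake (stage 2), and a client/destination pair that talks on a regular cadence of two weeks or more (stage 3). The dynamic-DNS suffix list, the IP addresses and the timestamps are assumptions made up for the example.

```python
"""Heuristics for the three C&C stages above (added example; not NetWitness code).

Sample inputs are constructed for this example, not taken from a real capture:
  DNS_LOG  - (client, queried name, answer)
  SESSIONS - (client, dst_ip, dst_port, first payload bytes, epoch seconds)
"""
import ipaddress
import statistics
from collections import defaultdict

DAY = 86400

# Assumption: dynamic-DNS provider suffixes; in practice take this from a feed.
DYNDNS_SUFFIXES = ("dyndns.org", "no-ip.org", "hopto.org")

DNS_LOG = [
    ("10.1.1.5", "update-srv.dyndns.org", "192.168.0.1"),  # stage 1: parked on RFC1918 space
    ("10.1.1.5", "update-srv.dyndns.org", "127.0.0.1"),    # stage 1: parked on loopback
    ("10.1.1.7", "www.example.com", "93.184.216.34"),      # ordinary lookup
]

SESSIONS = [
    ("10.1.1.7", "93.184.216.34", 443, b"\x16\x03\x01\x02\x00", 0 * DAY),   # real TLS ClientHello
    ("10.1.1.5", "203.0.113.10", 443, b"\x7a\x1c\x44\x09\xe3", 1 * DAY),    # stage 2: XOR'd blob on 443
    ("10.1.1.5", "203.0.113.10", 443, b"\x7a\x1c\x44\x09\xe3", 2 * DAY),
    ("10.1.1.9", "198.51.100.20", 443, b"\x16\x03\x03\x00\xc4", 0 * DAY),   # stage 3: real TLS, but
    ("10.1.1.9", "198.51.100.20", 443, b"\x16\x03\x03\x00\xc4", 15 * DAY),  # one session every 15 days
    ("10.1.1.9", "198.51.100.20", 443, b"\x16\x03\x03\x00\xc4", 30 * DAY),
    ("10.1.1.9", "198.51.100.20", 443, b"\x16\x03\x03\x00\xc4", 45 * DAY),
]


def stage1_parked_dyndns(dns_log):
    """Dynamic-DNS names whose answer is not a globally routable address.
    The C&C name is parked on 127.0.0.1 or RFC1918 space until the implant
    should go live; a resolver log shows this before any session exists."""
    return [(client, name, ip) for client, name, ip in dns_log
            if name.endswith(DYNDNS_SUFFIXES) and not ipaddress.ip_address(ip).is_global]


def looks_like_tls(first_bytes):
    """A TLS record starts with content type 0x16 (handshake) and major version 0x03."""
    return len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03


def stage2_non_tls_on_443(sessions):
    """Sessions to 443 whose first bytes are not a TLS handshake: the port says
    HTTPS, the payload says custom (e.g. XOR'd) protocol. Returns unique pairs."""
    hits = {(client, dst) for client, dst, port, first, _ts in sessions
            if port == 443 and not looks_like_tls(first)}
    return sorted(hits)


def stage3_long_beacons(sessions, min_days=14, max_spread=0.2):
    """Client/destination pairs that talk on a regular, very long cadence.
    Needs at least three sessions; flags when the median gap is >= min_days and
    the gaps vary by no more than max_spread of the median (low jitter)."""
    by_pair = defaultdict(list)
    for client, dst, _port, _first, ts in sessions:
        by_pair[(client, dst)].append(ts)
    hits = []
    for (client, dst), times in sorted(by_pair.items()):
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if len(gaps) < 2:
            continue
        median = statistics.median(gaps)
        if median < min_days * DAY:
            continue
        if (max(gaps) - min(gaps)) / median <= max_spread:
            hits.append((client, dst, median / DAY))
    return hits


if __name__ == "__main__":
    print("stage 1:", stage1_parked_dyndns(DNS_LOG))
    print("stage 2:", stage2_non_tls_on_443(SESSIONS))
    print("stage 3:", stage3_long_beacons(SESSIONS))
```

The stage 2 check only works because the attacker did not bother to wrap the XOR'd stream in real TLS; once they do (stage 3), the payload heuristic is blind and the only remaining signal is cadence, which requires keeping session metadata for longer than the beacon interval. That retention requirement, not any single rule, is the argument for full packet capture.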
Today’s adversaries leverage every weakness
» Failure of AV and IDS to detect both ZeuS and other known exploits, and unknown emerging threats
» Security program weaknesses – ongoing failure of controls and visibility:
} Open domain admin accounts
} Passwords backed up in clear-text files
} Postings on public forums containing questions about the organization’s firewall rules
} Flat security architecture (no segmentation of traffic)
} Inadequate use of firewall ACLs and logging
» Lack of other prudent security techniques such as full packet capture, DNS blackholing, two-factor authentication, etc.
Case Study: Understanding a Custom ZeuS-based APT Spear Phishing Attack
“DPRK has carried out nuclear missile attack on Japan”
» AV effectively “neutered” by overwriting the OS hosts file
» Attempts to retrieve updates from vendor update servers are routed to 127.0.0.1
» Back to our “ATTACKER FREE TIME” discussion: if AV didn’t pick up the malware initially, it never will now
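The hosts-file trick is cheap to detect once you look for it: no legitimate reason exists for a non-local hostname to be pinned to 127.0.0.1 or 0.0.0.0. The script below is an added example (not from the deck) that parses a hosts file and reports such entries, plus any watched update hostname that resolves anywhere other than a globally routable address. SAMPLE_HOSTS is constructed for the example and the watched hostnames are placeholder example.* domains, not any vendor's real update servers.

```python
"""Hosts-file sinkhole check (added example, not from the original deck).

The case above neuters AV by pinning its update hostnames to 127.0.0.1 in
the OS hosts file. This parses a hosts file and flags such entries.
SAMPLE_HOSTS is constructed for this example; the watched hostnames are
placeholders (example.* domains), not any vendor's real update servers.
"""
import ipaddress

# Assumption: hostnames whose resolution the organisation depends on for
# AV/OS updates. Build this set from your own vendors.
WATCHED_UPDATE_HOSTS = {
    "update.example-av.com",
    "liveupdate.example-av.com",
    "updates.example-os.com",
}
# Names that legitimately map to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.com        # added by malware
127.0.0.1       liveupdate.example-av.com
0.0.0.0         updates.example-os.com
10.0.0.5        intranet.corp.example        # legitimate internal override
"""


def parse_hosts(text):
    """Return (address, hostname) pairs; comments and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address in the first column: not a hosts entry
        for name in fields[1:]:
            entries.append((addr, name.lower()))
    return entries


def blackholed_names(text):
    """Any non-local hostname pinned to loopback or the unspecified address.
    Such an entry exists only to make the name unreachable, so it is worth an
    alert on its own, whatever the name is."""
    return [(name, str(addr)) for addr, name in parse_hosts(text)
            if name not in LOCAL_NAMES and (addr.is_loopback or addr.is_unspecified)]


def tampered_update_paths(text, watched=WATCHED_UPDATE_HOSTS):
    """Watched update hostnames that resolve anywhere but a global address,
    i.e. the update channel has been redirected or sinkholed."""
    return [(name, str(addr)) for addr, name in parse_hosts(text)
            if name in watched and not addr.is_global]


if __name__ == "__main__":
    for name, addr in blackholed_names(SAMPLE_HOSTS):
        print(f"blackholed: {name} -> {addr}")
    for name, addr in tampered_update_paths(SAMPLE_HOSTS):
        print(f"update path tampered: {name} -> {addr}")
```

Run it against the fleet's hosts files (on Windows, %SystemRoot%\System32\drivers\etc\hosts) as a scheduled integrity check rather than once; the attacker in this case only needed to win the race before the next signature update, so a hosts file that differs from its baseline is itself the indicator, regardless of which name was redirected.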
Infection Progression – Nothing Unusual
» After a user clicks on the link, the file “report.zip” is downloaded from dnicenter.com
» If the user opens the file, the malware is installed
» The malware is actually a ZeuS variant; the author used techniques to hamper reverse-engineering / analysis of the binary
Further Network Forensics Evidence…
» ZeuS configuration file download
» This type of problem recognition can be automated
» Malware stealing files of interest to the drop server in Minsk
» FTP drop server is still resolving to the same address
» Early on March 8, 2010, server cleaned out and account disabled
» username: mao2 password: [captured]
Files harvested from victim machines on the drop server (located in Minsk, Belarus)
» FTP drop hosted in Minsk, with a directory listing of 14 compromised hosts containing exfiltrated data
» Time graph of beaconing activity and metadata showing comms to C&C server – all via “allowed pathways”
Example: Good network visualization
» Find Compromises – whittling half a million sessions down to the ones that matter:
} ½ million sessions – 100% of total
} HTTP: ~125,400 sessions – 25% of total
} HTTP w/ abnormal headers: ~100,000 – 20% of total
} Non-standard countries (or destinations): 670 – 0.1% of total
} Interesting file types: 200 – 0.04% of total
} 195 of these 200 are actual compromises missed by traditional network security technologies
Conclusions
Combating Advanced Threats Requires More and Better Information…
(The slide ranks these data sources on a value axis from Lowest Value to Highest Value.)

DATA SOURCE | DESCRIPTION
Firewalls, Gateways, etc. | Overwhelming amounts of data with little context, but can be valuable when used within a SIEM and in conjunction with network forensics.
IDS Software | For many organizations, the only indicator of a problem, and only for known exploits. Can produce false positives and is limited by signature libraries.
NetFlow Monitoring | Network performance management and network behavioral anomaly detection (NBAD) tools. Indicators of changes in traffic flows within a given period, for example DDoS. Limited by lack of context and content.
SIEM Software | Correlates IDS and other network and security event data and improves the signal-to-noise ratio. Valuable to the extent that data sources have useful information and are properly integrated, but lacks the event context that can be provided by network forensics.
Real-time Network Forensics (NetWitness) | Collects the richest network data. Provides a deeper level of advanced threat identification and situational awareness. Provides context and content to all other data sources and acts as a force multiplier.
Take-Away
» Advanced adversaries and emerging threats require revolutionary thinking
» Current security paradigms are completely broken – all organizations (including yours) will be compromised, no matter how good your security team
» The real objective should be improving visibility at the application layer – this goal requires complete knowledge of the network and powerful analytic tools and processes
» Goals:
} Lower risk to the organization
} Improve incident response through shortened time to problem recognition and resolution
} Reduce impact and cost related to cyber incidents
} Generate effective threat intelligence and cyber investigations
} Reduce uncertainty surrounding the impact of new threat vectors
} Conduct continuous monitoring of critical security controls
} Achieve situational awareness – being able to answer any conceivable cyber security question, past, present or future
Copyright 2007 NetWitness Corporation
Q&A
» Email: [email protected]
» Websites: http://www.netwitness.com and http://www.rsa.com
» Twitter: @eddieschwartz, @netwitness
» Blog: http://www.networkforensics.com
Know Everything…Answer Anything.