Hunting Attackers with Network Audit Trails

Tom Cross, [email protected]

Uploaded by lancope-inc, posted 18-Nov-2014. Category: Technology.

DESCRIPTION

Sophisticated, targeted attacks have become increasingly difficult to detect and analyze. Attackers can employ 0-day vulnerabilities and exploit obfuscation techniques to evade detection systems and "fly under the radar" for long periods of time. Gartner estimates that 85% of breaches go completely undetected and that 92% of the detected breaches are reported by third parties. New strategies for identifying network attack activity are necessary. Learn how network logging technologies such as NetFlow and IPFIX can be applied to the problem of detecting sophisticated, targeted attacks and used to create an audit trail of network activity that can be analyzed, both automatically and by skilled investigators, to uncover anomalous traffic. Lancope will demonstrate how these records can be used to:

• Discover active attacks in each phase of the attacker's "kill chain."
• Determine the scope of successful breaches and document the timeline of the attacks.

TRANSCRIPT

Page 1: Hunting Attackers with Network Audit Trails

Tom Cross, [email protected]

Page 2

WHAT IS DIGITAL FORENSICS? WHAT IS INCIDENT RESPONSE?

Page 3

WHAT IS FORENSICS?

Page 4

Visibility throughout the Kill Chain

• Recon
• Exploitation (Social Engineering?)
• Initial Infection
• Command and Control
• Internal Pivot
• Data Preparation & Exfiltration

© 2013 Lancope, Inc. All rights reserved.

Page 5

Intrusion Audit Trails

1:06:15 PM: Internal host visits malicious web site
1:06:30 PM: Malware infection complete; host accesses Internet command and control
1:06:35 PM: Malware begins scanning internal network
1:07:00 PM: Gateway malware analysis identifies the transaction as malicious
1:13:59 PM: Multiple internal infected hosts
1:14:00 PM: Administrators manually disconnect the initial infected host

Do you know what went on while you were mitigating?

Page 6

Audit Trail Sources

• Firewall logs
  – Are you logging everything or just denies?
• Internal & Host IPS systems
  – HIPS potentially has a lot of breadth
  – Can be expensive to deploy
  – Signature based
• Log Management Solutions/SIEM
  – Are you collecting everything?
  – You can only see what gets logged
• NetFlow
  – Lots of breadth, less depth
  – Lower disk space requirements
• Full Packet Capture
  – Deep but not broad
  – Expensive
  – High disk space requirements

Tradeoffs:
• Record everything vs only bad things
• Breadth vs Depth
• Time vs Depth
• Privacy

Page 7

Tradeoffs (network diagram: Internet, DMZ, VPN, Internal Network, 3G Internet)

Page 8

Tradeoffs (chart: richness against disk space required, with NetFlow at the low end of both axes and Full Packet Capture at the high end)

Page 9

NETWORK AUDIT LOG DETECTION

Page 10

Realtime NetFlow Monitoring

© 2011 Lancope, Inc. All Rights Reserved. Company Confidential (not for distribution)

Page 11

What Can Behavioral NetFlow Analysis Do?

Loss of Protected Data

Page 12

What Can Behavioral NetFlow Analysis Do?

Reveal Recon

Page 13

What can you detect with the audit log?

Reveal BotNet Hosts (Layer 3, Layer 4 and URL)

Page 14

FORENSIC INVESTIGATIONS USING THE NETWORK AUDIT TRAIL

Page 15

APT1

Page 16

Best Practice – Running Reports in StealthWatch

• Always run Flow Traffic or Top reports before the Flow Table for flow queries spanning more than one day; they summarize the results and are the most efficient way to process them.

The Flow Traffic and Top reports are a summary of the flow data and are much quicker to process.

It's like fishing in the ocean: you know there are fish in there, but if you use a fishing radar you know where to drop your line and pull the fish (data) back from.

Page 17

Following IOC

A waterhole campaign targeting your industry has been publicly disclosed.

A quick search of your network audit trail reveals an internal host that accessed the disclosed site.

Page 18

Following IOC

Check host details around that time.

Suspicious HTTP connections right after contact: a good candidate for a drive-by download.

Suspicious download followed by a reverse SSH shell. Most SSH bytes are sent by the "client".

Page 19

Following IOC

Attacker recons your network. Investigate any hosts contacted by the compromised host. Additionally, look for any other hosts scanning for 445 and 135.

Page 20

Following IOC

Since we have uncovered a new IOC (the IP address controlling the reverse SSH shell), we should check to see if that host has touched the network anywhere else.

Another host showing a reverse shell.
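The four "Following IOC" slides above describe one procedure: search the audit trail for the disclosed site, look at what that host did in the minutes after contact, recognise the reverse SSH shell by the direction of the bytes, check who else is sweeping 445 and 135, and then treat the controlling address as a new IOC and pivot on it across the whole trail. The block below is an added example that runs that procedure end to end over a handful of constructed flow records; it is not code from the deck or from StealthWatch. The record layout, the ten-minute window, the 10:1 byte ratio, the scan thresholds and every address are assumptions.

```python
"""Follow an IOC through a flow audit trail.

Added example, not code from the Lancope deck. The record layout (client,
server, server port, bytes each way, start time) is an assumption; NetFlow
and IPFIX exports carry the same facts under their own field names.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _rec(client, server, port, cbytes, sbytes, start):
    return {"client": client, "server": server, "port": port,
            "client_bytes": cbytes, "server_bytes": sbytes,
            "start": datetime.strptime(start, "%Y-%m-%d %H:%M:%S")}


WATERHOLE = "203.0.113.10"  # assumed: the publicly disclosed watering-hole site

# Constructed records, not real traffic; addresses come from documentation ranges.
FLOWS = [
    _rec("10.1.1.20", WATERHOLE, 80, 900, 45_000, "2014-11-18 13:06:15"),            # visit to the disclosed site
    _rec("10.1.1.20", "203.0.113.55", 80, 400, 320_000, "2014-11-18 13:06:22"),      # drive-by payload fetch
    _rec("10.1.1.20", "198.51.100.7", 22, 2_400_000, 9_000, "2014-11-18 13:06:30"),  # SSH where the "client" sends almost everything
    *[_rec("10.1.1.20", f"10.1.1.{n}", p, 120, 0, "2014-11-18 13:06:35")            # SMB/RPC sweep of the subnet
      for n in range(21, 31) for p in (445, 135)],
    _rec("10.1.1.40", "198.51.100.7", 22, 1_800_000, 6_000, "2014-11-18 13:12:10"),  # second host talking to the same peer
    _rec("10.1.1.50", "10.1.1.5", 443, 5_000, 80_000, "2014-11-18 13:00:00"),        # ordinary traffic
    _rec("10.1.1.50", "10.1.1.6", 445, 40_000, 900_000, "2014-11-18 13:01:00"),      # ordinary file-share use
]


def hosts_that_contacted(flows, ip):
    """Step 1: internal hosts that reached the disclosed IOC."""
    return sorted({f["client"] for f in flows if f["server"] == ip})


def host_activity(flows, host, after, window=timedelta(minutes=10)):
    """Step 2: everything the host did in the window following first contact."""
    return [f for f in flows
            if host in (f["client"], f["server"]) and after <= f["start"] <= after + window]


def reverse_shell_candidates(flows, port=22, ratio=10):
    """SSH sessions in which the client sends many times more than it receives.
    Caveat: an scp or rsync upload produces the same profile, so confirm that the
    peer is not a known server before calling it a shell."""
    return [f for f in flows
            if f["port"] == port and f["client_bytes"] > ratio * max(f["server_bytes"], 1)]


def scanners(flows, ports=(445, 135), min_targets=5, max_bytes=256):
    """Step 3: hosts touching many distinct peers on SMB/RPC ports with near-empty
    payloads, i.e. connection attempts rather than file transfers."""
    targets = defaultdict(set)
    for f in flows:
        if f["port"] in ports and f["client_bytes"] + f["server_bytes"] <= max_bytes:
            targets[f["client"]].add(f["server"])
    return {host for host, seen in targets.items() if len(seen) >= min_targets}


def hunt(flows, ioc_ip):
    """Chain the steps: IOC -> patient zero -> reverse shell -> new IOC -> other victims."""
    victims = hosts_that_contacted(flows, ioc_ip)
    report = {"patient_zero": victims, "shells": [], "c2": set(), "scanners": scanners(flows)}
    for host in victims:
        first = min(f["start"] for f in flows if f["client"] == host and f["server"] == ioc_ip)
        for f in reverse_shell_candidates(host_activity(flows, host, first)):
            report["shells"].append((f["client"], f["server"]))
            report["c2"].add(f["server"])  # the controlling address is itself a new IOC
    # Step 4: pivot on the new IOC across the whole trail, not just the first host's window
    report["other_victims"] = sorted(
        {f["client"] for f in flows if f["server"] in report["c2"]} - set(victims))
    return report


if __name__ == "__main__":
    for key, value in hunt(FLOWS, WATERHOLE).items():
        print(f"{key}: {value}")
```

Running it prints patient zero, the reverse-shell pair, the controlling address, the scanning host, and the second victim (10.1.1.40) that only the pivot on the new IOC surfaces; it never visited the waterhole and is invisible to a search for the original indicator. The scan test is deliberately byte-based: a sweep of 445 and 135 is many tiny flows to many peers, while legitimate SMB use is a few large ones.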

Page 21

SQL Injection

A large data transfer from your web server to an outside host was detected.

Page 22

SQL Injection

Where did the data go?

Page 23

SQL Injection

Look for suspicious activity targeting the web server and your DMZ.

Page 24

Combating Insider Threat is a multidisciplinary challenge

• IT cannot address insider threat by itself
  – People have a tendency to think that IT is solely responsible for all computer security issues.
• Legal: Are policies in place? Are they realistic? Does legal support IT practices?
• HR: Who is coming and going? Who has workplace issues? Are there soft solutions?
• IT: Is the privacy of end users adequately protected?
• What impact on workplace harmony are policies, monitoring, and enforcement having?
• Are you applying policies consistently?

(Diagram: overlapping circles for IT, HR and Legal)

Page 25

Following the User

Sometimes investigations start with user intelligence.

Page 26

Following the User

Page 27

Data Theft

Beron's abnormal disclosure: one of your users has uploaded a large amount of data to the Internet.

Page 28

Data Theft

What did Beron send? Who received it?

Page 29

Data Theft

Where could Beron have gotten the data?

Page 30

Data Theft

Page 31

Data Theft

Why did Beron do it?
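The two large-transfer investigations in this deck follow the same pattern: the web server that answered one outside host with a huge volume of data (Pages 21 to 23) and Beron's upload (Pages 27 to 29) both start from an egress summary, drill into the detail for one pair of hosts, and then ask where the data came from; Page 16's advice to run a summary report before the Flow Table applies to both. The block below is an added example, not StealthWatch code and not from the deck, that runs that pattern over constructed flow records. It generalises slightly beyond the slides by counting egress regardless of which side of the flow was the server, so a DMZ host leaking through its responses and a workstation uploading are caught by the same query. The address ranges treated as internal, the byte threshold, the two-hour look-back window and all addresses are assumptions.

```python
"""Large outbound transfer: summary first, then detail, then where the data came from.

Added example, not StealthWatch code. Internal ranges, the byte threshold and the
look-back window are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: 10/8 is the corporate network and 192.0.2.0/24 is the DMZ.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def _rec(client, server, port, cbytes, sbytes, start):
    return {"client": client, "server": server, "port": port,
            "client_bytes": cbytes, "server_bytes": sbytes,
            "start": datetime.strptime(start, "%Y-%m-%d %H:%M:%S")}


# Constructed records, not real traffic.
FLOWS = [
    *[_rec(f"198.51.100.{n}", "192.0.2.10", 80, 1_500, 60_000, f"2014-11-18 09:{n:02d}:00")
      for n in range(1, 20)],                                                               # normal page views
    _rec("203.0.113.77", "192.0.2.10", 80, 30_000, 900_000_000, "2014-11-18 11:02:00"),     # one client, 900 MB of responses
    _rec("10.1.1.33", "203.0.113.5", 443, 20_000, 700_000, "2014-11-18 10:00:00"),          # Beron browsing
    _rec("10.1.1.33", "10.1.2.5", 445, 400_000, 2_500_000_000, "2014-11-18 13:50:00"),      # Beron pulls a file share
    _rec("10.1.1.33", "203.0.113.200", 443, 2_100_000_000, 50_000, "2014-11-18 14:30:00"),  # ... then uploads it
    _rec("10.1.1.44", "10.1.2.5", 445, 50_000, 90_000_000, "2014-11-18 13:55:00"),          # colleague's normal share use
]


def egress(f):
    """Bytes that left the internal network in this flow, whichever side was internal.
    A web server exfiltrating through its responses and a workstation uploading
    both count; purely internal flows count zero."""
    if is_internal(f["client"]) and not is_internal(f["server"]):
        return f["client_bytes"]
    if is_internal(f["server"]) and not is_internal(f["client"]):
        return f["server_bytes"]
    return 0


def top_egress_report(flows):
    """The cheap summary (a Top report): egress bytes per (internal host, outside peer)."""
    totals = defaultdict(int)
    for f in flows:
        sent = egress(f)
        if sent:
            inside = f["client"] if is_internal(f["client"]) else f["server"]
            outside = f["server"] if inside == f["client"] else f["client"]
            totals[(inside, outside)] += sent
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)


def large_transfers(flows, threshold=500_000_000):
    """Pairs whose summed egress exceeds the threshold. Caveat: a fixed byte count
    stands in for a per-host baseline; an off-site backup job exceeds it nightly."""
    return [(pair, total) for pair, total in top_egress_report(flows) if total >= threshold]


def flow_table(flows, inside, outside):
    """The expensive detail query, run only for a pair the summary singled out."""
    return sorted((f for f in flows if {f["client"], f["server"]} == {inside, outside}),
                  key=lambda f: f["start"])


def likely_sources(flows, host, before, window=timedelta(hours=2), min_bytes=100_000_000):
    """Internal servers from which the host pulled a large volume shortly before
    the transfer: where could the data have come from?"""
    return sorted({f["server"] for f in flows
                   if f["client"] == host and is_internal(f["server"])
                   and before - window <= f["start"] < before
                   and f["server_bytes"] >= min_bytes})


def investigate(flows, inside, outside):
    """What was sent, who received it, and where it may have come from."""
    detail = flow_table(flows, inside, outside)
    return {"received_by": outside,
            "bytes_out": sum(egress(f) for f in detail),
            "ports": sorted({f["port"] for f in detail}),
            "possible_sources": likely_sources(flows, inside, detail[0]["start"])}


if __name__ == "__main__":
    for (inside, outside), total in large_transfers(FLOWS):
        print(inside, "->", outside, total, investigate(FLOWS, inside, outside))
```

The summary pass touches every record once and reduces the trail to a short ranked list; the detail pass is then run only for the pairs that ranked, which is the point of Page 16. For Beron the look-back finds the file server he pulled 2.5 GB from an hour before the upload; for the web server it finds nothing, which is itself informative, since a web server that sends 900 MB to one client without pulling it from anywhere on the network got the data from its own database.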

Page 32

The Five W's

• Who did this?
  – Usernames, IP addresses
• What did they do?
  – What behavior did they engage in?
• Where did they go?
  – What hosts on my network were accessed?
• When?
  – Have we investigated the full intrusion timeline?
• Why? What is their objective?

Page 33

Tom Cross, Director of Research, [email protected]

www.lancope.com

@Lancope (company)
@netflowninjas (company blog)

https://www.facebook.com/Lancope
http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about
https://plus.google.com/u/0/103996520487697388791/posts
http://feeds.feedburner.com/NetflowNinjas