protecting financial networks from cyber crime

Netflow & Financial Services. Tom Cross, Director of Security Research, [email protected], (770) 225-6557


DESCRIPTION

Financial services organizations are prime targets for cyber criminals. They must take extreme care to protect customer data, while also ensuring high levels of network availability to allow for 24/7 access to critical financial information. Additionally, industry consolidation has created large, heterogeneous network environments within large financial institutions, making it difficult to ensure that networks have the necessary visibility and protection to prevent a devastating security breach. By leveraging NetFlow from existing network infrastructure, financial services organizations can achieve comprehensive visibility across even the largest, most complex networks. The ability to quickly detect a wide range of potentially malicious activity helps prevent damaging data breaches and network disruptions. Attend this informational webinar, conducted by Lancope’s Director of Security Research, Tom Cross, to learn:

• How NetFlow can help quickly uncover both internal and external threats
• How pervasive network insight can accelerate incident response and forensic investigations
• How to substantially decrease enterprise risks

TRANSCRIPT

Page 1: Protecting Financial Networks from Cyber Crime

Netflow & Financial Services

Tom Cross, Director of Security Research, [email protected], (770) 225-6557

Page 2: Protecting Financial Networks from Cyber Crime
Page 3: Protecting Financial Networks from Cyber Crime

Is your network secured like a house or like a bank?

“If someone breaks into your house, trying to figure where they went and what they took is pretty difficult because, unlike a bank, you don’t have cameras in your house, you don’t have motion sensors,” says Jason Syversen, chief executive officer of Siege Technologies, a security firm in Manchester, N.H. “In terms of cybersecurity, most companies are more like a house than a bank.”

© 2013 Lancope, Inc. All rights reserved.

Page 4: Protecting Financial Networks from Cyber Crime

Perimeter Security

• Much of the practice of computer security has to do with making sure the doors are locked.
  – When we have incidents we spend more money on prevention.
  – We tend to assume that if the bad guys are in, it's game over.
• Systems will stop working or money will be instantly stolen.

Page 5: Protecting Financial Networks from Cyber Crime

Audit Trail Sources

• Syslog/SIEM
  – Are you collecting everything?
  – You can’t trust compromised hosts
• Netflow
  – Lots of breadth, less depth
  – Lower disk space requirements
• Full Packet Capture
  – Deep but not broad
  – Expensive
  – High disk space requirements

Tradeoffs:
• Record everything vs only bad things
• Breadth vs Depth
• Time vs Depth
• Privacy

Page 6: Protecting Financial Networks from Cyber Crime

Network Visibility

[Diagram: Internet, DMZ, VPN, Internal Network and 3G Internet segments]

Page 7: Protecting Financial Networks from Cyber Crime

Transactional Audits of ALL activities


Page 8: Protecting Financial Networks from Cyber Crime

Netflow Basics

• Devices with one or more Flow-producing interfaces are “Exporters”
• Exporters cache and forward records to “Collectors”
• Common Exporters include firewalls, switches, and routers

[Diagram: exporters in the Internet edge, DMZ, VPN and 3G segments send NetFlow packets to a NetFlow Collector]

NetFlow packet record fields (from the diagram): src and dst ip, src and dst port, start time, end time, mac address, byte count, and more.

Page 9: Protecting Financial Networks from Cyber Crime

Flexible NetFlow configuration, one step per question:

1. Configure the Exporter (Where do I want my data sent?)

Router(config)# flow exporter my-exporter
Router(config-flow-exporter)# destination 1.1.1.1

2. Configure the Flow Record (What data do I want to meter?)

Router(config)# flow record my-record
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# match ipv4 source address
Router(config-flow-record)# collect counter bytes

3. Configure the Flow Monitor (How do I want to cache information?)

Router(config)# flow monitor my-monitor
Router(config-flow-monitor)# exporter my-exporter
Router(config-flow-monitor)# record my-record

4. Apply to an Interface (Which interface do I want to monitor?)

Router(config)# interface gi0/1
Router(config-if)# ip flow monitor my-monitor input
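The collector side of the exporter-to-collector exchange described on pages 8 and 9, as an added example that is not Lancope's code or part of the deck: a decoder for the fixed NetFlow v5 datagram layout that yields the record fields the page 8 diagram lists (addresses, ports, start and end time, byte count). It assumes a v5 exporter; the sample datagram is constructed inline rather than captured.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List

# NetFlow v5 wire format (fixed, big-endian): a 24-byte header followed by 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    start: float  # epoch seconds, derived from exporter uptime below
    end: float

def parse_v5(datagram: bytes) -> List[Flow]:
    """Decode one exporter datagram into the fields the slide lists.
    v5 carries no MAC address; that field needs v9/IPFIX templates."""
    version, count, uptime_ms, unix_secs, unix_nsecs, *_ = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version {version})")
    # Record 'first'/'last' are exporter uptime in ms; anchor them to wall-clock via the header.
    boot = unix_secs + unix_nsecs / 1e9 - uptime_ms / 1000
    flows = []
    for i in range(count):
        rec = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        src, dst, _nh, _in, _out, pkts, octs, first, last, sport, dport, _pad, _flags, proto, *_ = rec
        flows.append(Flow(str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                          sport, dport, proto, pkts, octs, boot + first / 1000, boot + last / 1000))
    return flows

def build_v5(records, uptime_ms=600_000, unix_secs=1_400_000_000) -> bytes:
    """Construct a datagram for offline testing. Each record is a tuple:
    (src, dst, sport, dport, proto, packets, octets, first_ms, last_ms)."""
    header = HEADER.pack(5, len(records), uptime_ms, unix_secs, 0, 0, 0, 0, 0)
    body = b"".join(
        RECORD.pack(ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed, b"\0" * 4,
                    1, 2, pk, oc, f, l, sp, dp, 0, 0x18, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, pk, oc, f, l in records)
    return header + body

# Constructed sample (not a real capture): one 5-second HTTPS flow from an internal host.
SAMPLE = build_v5([("10.1.2.3", "203.0.113.5", 51234, 443, 6, 12, 4096, 590_000, 595_000)])
```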

Page 10: Protecting Financial Networks from Cyber Crime

Internal Visibility Through NetFlow

[Diagram: NetFlow exported from the Internet edge, DMZ, VPN, Internal Network and 3G Internet segments to a central NetFlow Collector; same record fields as on page 8]

Page 11: Protecting Financial Networks from Cyber Crime

Netflow Advantages

• It's easy to configure
  – Your network already speaks it
  – It's standardized
  – It doesn't need to be configured on every endpoint
• Visibility down to the access layer
• Compact records are inexpensive to store

[Diagram: same exporter-to-collector figure as on page 8]

Page 12: Protecting Financial Networks from Cyber Crime

Intrusion Audit Trails

1:06:15 PM: Internal host visits malicious web site
1:06:30 PM: Malware infection complete, accesses Internet command and control
1:06:35 PM: Malware begins scanning internal network
1:07:00 PM: Gateway malware analysis identifies the transaction as malicious
1:13:59 PM: Multiple internal infected hosts
1:14:00 PM: Administrators manually disconnect the initial infected host

Do you know what went on while you were mitigating?

Page 13: Protecting Financial Networks from Cyber Crime

Following IOC

Malware campaign targeting your industry has been publicly disclosed.

A quick search of your network audit trail reveals an internal host that accessed the malicious site.

Page 14: Protecting Financial Networks from Cyber Crime

Following IOC

Check host details around that time.

Suspicious HTTP connections right after contact: a good candidate for a drive-by download.

Suspicious download followed by a reverse SSH shell. Most SSH bytes sent by “client”.

Page 15: Protecting Financial Networks from Cyber Crime

Following IOC

Attacker recons your network. Investigate any hosts contacted by the compromised host. Additionally, look for any other hosts scanning for 445 and 135.

Page 16: Protecting Financial Networks from Cyber Crime

Following IOC

Since we have uncovered a new IOC (the IP address controlling the reverse SSH shell), we should check to see if that host has touched the network anywhere else.

Another host showing a reverse shell.
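The investigation walked through on pages 13 to 16, run over a collector's flow records as an added example (not Lancope's code or part of the deck): locate the host that touched the published indicator, look at what it did next, pick out SSH sessions where the nominal client sends most of the bytes, treat the controlling IP as a new IOC, and find other hosts it controls and hosts fanning out on 445/135. The records are constructed inline and assume bidirectional flows with per-side byte counts.

```python
from collections import defaultdict

# Constructed bidirectional flow records (not from the deck), one per conversation:
# (start_time, client, server, server_port, client_bytes, server_bytes)
FLOWS = [
    (100, "10.0.5.21", "203.0.113.10", 80, 900, 1500),      # visit to the disclosed malicious site
    (105, "10.0.5.21", "203.0.113.44", 80, 600, 210000),    # suspicious download right after
    (130, "10.0.5.21", "198.51.100.7", 22, 880000, 12000),  # "client" sends most bytes: reverse SSH
    (140, "10.0.5.21", "10.0.5.30", 445, 60, 0),            # fanning out on 445/135 across the subnet
    (141, "10.0.5.21", "10.0.5.31", 445, 60, 0),
    (142, "10.0.5.21", "10.0.5.32", 135, 60, 0),
    (143, "10.0.5.21", "10.0.5.33", 445, 60, 0),
    (300, "10.0.8.9", "198.51.100.7", 22, 450000, 9000),    # second host talking to the same controller
    (310, "10.0.2.2", "10.0.2.50", 22, 3000, 9000),         # ordinary admin SSH: server sends more
]

def hosts_contacting(flows, ioc_ip):
    """Page 13: which internal hosts touched the published indicator?"""
    return sorted({c for _, c, s, *_ in flows if s == ioc_ip})

def activity_after(flows, host, t0, window=60):
    """Page 14: everything the host did in the minute after first contact."""
    return [f for f in flows if f[1] == host and t0 <= f[0] <= t0 + window]

def reverse_shell_candidates(flows, ratio=10):
    """Page 14: SSH where the nominal client sends far more than it receives."""
    return [f for f in flows if f[3] == 22 and f[4] >= ratio * max(f[5], 1)]

def scanners(flows, ports=(445, 135), min_targets=3):
    """Page 15: hosts reaching many distinct peers on the SMB/RPC ports."""
    targets = defaultdict(set)
    for _, c, s, p, *_ in flows:
        if p in ports:
            targets[c].add(s)
    return {c: sorted(t) for c, t in targets.items() if len(t) >= min_targets}

def hunt(flows, ioc_ip):
    """Chain the pages together: IOC hit, follow-on activity, reverse shell, new IOC, other victims."""
    victims = hosts_contacting(flows, ioc_ip)
    if not victims:
        return {"patient_zero": []}
    t0 = min(f[0] for f in flows if f[2] == ioc_ip)
    shells = reverse_shell_candidates(flows)
    new_iocs = {f[2] for f in shells if f[1] in victims}      # page 16: the controlling IP
    return {"patient_zero": victims,
            "after_contact": [(f[2], f[3]) for f in activity_after(flows, victims[0], t0)],
            "new_iocs": sorted(new_iocs),
            "also_controlled": sorted({f[1] for f in shells if f[2] in new_iocs} - set(victims)),
            "scanners": scanners(flows)}
```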

Page 17: Protecting Financial Networks from Cyber Crime

A Four Dimensional View of Attacker Behavior

• A sophisticated attack on a network involves a series of steps
• Traditional thinking views any system compromise as a successful breach
• Any successful action taken to stop an infection prior to data exfiltration can be considered a win
• This is the Kill Chain concept introduced by Mike Cloppert at Lockheed
• Controls should be put in place at each stage of the chain

[Diagram: kill chain stages: Recon, Exploitation (Social Engineering?), Initial Infection, Internal Pivot, Data Preparation & Exfiltration, Command and Control]

Page 18: Protecting Financial Networks from Cyber Crime

The Changing Nature of Incident Response

[Diagram: cycle of Detect, Respond, Analyze, Distill Intel]

Continuous Response is the centerpiece of advanced threat defense.

Factors driving the change:

• The persistent nature of the threat.
• Other organizations aren’t necessarily experiencing the same attacks.
• The desire to collect threat intelligence that can be used to detect future incidents.

Page 19: Protecting Financial Networks from Cyber Crime

Threat Intelligence Sharing


Page 20: Protecting Financial Networks from Cyber Crime

Combating Insider Threat is a multidisciplinary challenge

• IT cannot address insider threat by itself
  – People have a tendency to think that IT is solely responsible for all computer security issues.
• Legal: Are policies in place? Are they realistic? Does legal support IT practices?
• HR: Who is coming and going? Who has workplace issues? Are there soft solutions?
• IT: Is the privacy of end users adequately protected?
• What impact on workplace harmony are policies, monitoring, and enforcement having?
• Are you applying policies consistently?

[Diagram: overlapping IT, HR and Legal circles]

Page 21: Protecting Financial Networks from Cyber Crime

Cisco Identity Services Engine (ISE)

• Cisco ISE is a context-aware, policy-based 802.1x authentication solution
• Detect
  – Device type, operating system and patch level
  – Time and location from which the user is attempting to gain access

Example table from the slide:

User Name   MAC Address                                        Device Type
Bob.Smith   8c:77:12:a5:64:05 (Samsung Electronics Co., Ltd)   Android
John.Doe    10:9a:dd:27:cb:70 (Apple Inc)                      Apple-iPhone

Page 22: Protecting Financial Networks from Cyber Crime


Lancope Identity 1000

Page 23: Protecting Financial Networks from Cyber Crime


User Reports

Page 24: Protecting Financial Networks from Cyber Crime


User Reports

Page 25: Protecting Financial Networks from Cyber Crime


User Reports

Page 26: Protecting Financial Networks from Cyber Crime

Flow Statistical Analysis

Page 27: Protecting Financial Networks from Cyber Crime


Suspect Data Hoarding

Unusually large amount of data inbound from other hosts

Page 28: Protecting Financial Networks from Cyber Crime

Scan Detection – External Recon and Internal Pivoting


Page 29: Protecting Financial Networks from Cyber Crime

HeartBleed Detection in StealthWatch

Timeline shown on the slide:

• March 2007: StealthWatch introduces Suspect Long Flow alarm
• March 2012: OpenSSL with HeartBleed vulnerability released
• April 7, 2014: HeartBleed vulnerability publicly disclosed
• April 8, 2014: Attackers hijack SSL VPN connections with HeartBleed, bypassing two-factor authentication
• April 15, 2014: Teenager arrested for siphoning data from the Canadian Revenue Agency using HeartBleed
• Sometime later…: You patched your servers
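The two statistical checks from pages 27 and 29, as an added example that is not Lancope's code or part of the deck: a data-hoarding alarm that compares each host's inbound byte volume from other hosts against its own daily history (z-score against a constructed 7-day baseline), and a Suspect Long Flow alarm that flags a single connection held open far beyond a duration threshold. Flow records, history and thresholds are constructed assumptions, not StealthWatch's actual tuning.

```python
import statistics
from collections import defaultdict

# Constructed flow records for one day (not from the deck):
# (client, server, server_port, duration_s, client_bytes, server_bytes)
TODAY_FLOWS = [
    ("10.0.5.21", "10.0.9.10", 445, 120, 4000, 1.2e9),   # one workstation pulling whole file shares
    ("10.0.5.21", "10.0.9.11", 445, 90, 4000, 1.5e9),
    ("10.0.5.21", "10.0.9.12", 445, 300, 4000, 1.4e9),
    ("10.0.7.8", "10.0.9.10", 445, 60, 2000, 1.0e9),      # a backup host that always pulls this much
    ("10.0.3.3", "10.0.1.2", 443, 9000, 8e6, 9e6),        # a TLS session held open for 2.5 hours
    ("10.0.3.4", "10.0.1.2", 443, 30, 5000, 20000),
]
# Constructed 7-day history of daily inbound bytes per host: the baseline a collector would keep.
HISTORY = {"10.0.5.21": [2.0e8, 2.3e8, 1.9e8, 2.1e8, 2.2e8, 2.0e8, 2.4e8],
           "10.0.7.8": [1.0e9, 1.1e9, 0.9e9, 1.05e9, 1.0e9, 0.95e9, 1.1e9],
           "10.0.3.3": [1e7] * 7, "10.0.3.4": [1e5] * 7}

def inbound_by_host(flows):
    """Bytes each host received from other hosts today (server_bytes flow toward the client)."""
    totals = defaultdict(float)
    for client, _server, _port, _dur, _cb, server_bytes in flows:
        totals[client] += server_bytes
    return totals

def hoarding_alarms(flows, history, z_threshold=3.0):
    """Page 27: flag hosts whose inbound volume is far above their own history (z-score)."""
    alarms = {}
    for host, inbound in inbound_by_host(flows).items():
        hist = history.get(host)
        if not hist:
            continue  # no baseline yet: nothing to compare against
        mean, sd = statistics.mean(hist), statistics.pstdev(hist)
        if sd:
            z = (inbound - mean) / sd
        else:
            z = float("inf") if inbound > mean else 0.0  # flat history: any rise is anomalous
        if z > z_threshold:
            alarms[host] = round(z, 1)
    return alarms

def long_flow_alarms(flows, max_seconds=3600):
    """Page 29: the Suspect Long Flow idea, a single connection held open far longer than normal."""
    return [(c, s, p, d) for c, s, p, d, *_ in flows if d > max_seconds]
```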

Page 30: Protecting Financial Networks from Cyber Crime


Investigating Performance Issues

Page 31: Protecting Financial Networks from Cyber Crime

DDOS Attacks More Automated & Powerful

• Prolexic Q2 2012 to Q2 2013
  – 33% increase in attacks
  – 925% increase in bandwidth
    • 4.47 Gbps to 49.24 Gbps
  – 1655% increase in packets per second
    • 2.7 Mpps to 47.4 Mpps

Page 32: Protecting Financial Networks from Cyber Crime

StealthWatch DDoS Dashboards

Dashboard panels called out on the slide:

• Top targeted hosts
• Application traffic view (drill down into spikes)
• Alarms for Internet-facing applications
• Custom flow maps
• Overall traffic views (drill down into spikes)

Page 33: Protecting Financial Networks from Cyber Crime

End to End Visibility of DDoS Activity

Visualize Alarms, traffic anomalies and network degradation

Understand impact to back-end applications

Page 34: Protecting Financial Networks from Cyber Crime

Relational anomaly detection can identify internal pivoting

[Diagram: traffic into a “Secure Zone”]

Page 35: Protecting Financial Networks from Cyber Crime

Thank You

Tom Cross, Director of Security Research, [email protected], (770) 225-6557