Protecting Financial Networks from Cyber Crime
DESCRIPTION
Financial services organizations are prime targets for cyber criminals. They must take extreme care to protect customer data, while also ensuring high levels of network availability to allow for 24/7 access to critical financial information. Additionally, industry consolidation has created large, heterogeneous network environments within large financial institutions, making it difficult to ensure that networks have the necessary visibility and protection to prevent a devastating security breach. By leveraging NetFlow from existing network infrastructure, financial services organizations can achieve comprehensive visibility across even the largest, most complex networks. The ability to quickly detect a wide range of potentially malicious activity helps prevent damaging data breaches and network disruptions. Attend this informational webinar, conducted by Lancope’s Director of Security Research, Tom Cross, to learn:
• How NetFlow can help quickly uncover both internal and external threats
• How pervasive network insight can accelerate incident response and forensic investigations
• How to substantially decrease enterprise risks
TRANSCRIPT
NetFlow & Financial Services
Tom Cross, Director of Security Research, [email protected], (770) 225-6557
Is your network secured like a house or like a bank?
“If someone breaks into your house, trying to figure where they went and what they took is pretty difficult because, unlike a bank, you don’t have cameras in your house, you don’t have motion sensors,” says Jason Syversen, chief executive officer of Siege Technologies, a security firm in Manchester, N.H. “In terms of cybersecurity, most companies are more like a house than a bank.”
© 2013 Lancope, Inc. All rights reserved.
Perimeter Security
• Much of the practice of computer security has to do with making sure the doors are locked.
– When we have incidents we spend more money on prevention.
– We tend to assume that if the bad guys are in, it’s game over.
• Systems will stop working or money will be instantly stolen.
Audit Trail Sources
• Syslog/SIEM
– Are you collecting everything?
– You can’t trust compromised hosts
• NetFlow
– Lots of breadth, less depth
– Lower disk space requirements
• Full Packet Capture
– Deep but not broad
– Expensive
– High disk space requirements
Tradeoffs:
• Record everything vs. only bad things
• Breadth vs. Depth
• Time vs. Depth
• Privacy
Network Visibility
[Diagram: network segments labelled DMZ, VPN, Internal Network, Internet and 3G Internet]
Transactional Audits of ALL activities
NetFlow Basics
• Devices with one or more flow-producing interfaces are “Exporters”
• Exporters cache and forward records to “Collectors”
• Common Exporters include firewalls, switches, and routers
[Diagram: exporters on the Internet, DMZ, VPN and 3G segments send NetFlow packets to a NetFlow Collector. Record fields shown: src and dst IP, src and dst port, start time, end time, MAC address, byte count, and more]
Configuring Flexible NetFlow (Cisco IOS)
1. Configure the Exporter (where do I want my data sent?)
Router(config)# flow exporter my-exporter
Router(config-flow-exporter)# destination 1.1.1.1
2. Configure the Flow Record (what data do I want to meter?)
Router(config)# flow record my-record
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# match ipv4 source address
Router(config-flow-record)# collect counter bytes
3. Configure the Flow Monitor (how do I want to cache information?)
Router(config)# flow monitor my-monitor
Router(config-flow-monitor)# exporter my-exporter
Router(config-flow-monitor)# record my-record
4. Apply to an Interface (which interface do I want to monitor?)
Router(config)# interface gi0/1
Router(config-if)# ip flow monitor my-monitor input
Internal Visibility Through NetFlow
[Diagram: NetFlow from the Internet edge, DMZ, VPN, 3G Internet and Internal Network segments is exported to a NetFlow Collector. Record fields shown: src and dst IP, src and dst port, start time, end time, MAC address, byte count, and more]
NetFlow Advantages
• It’s easy to configure
– Your network already speaks it
– It’s standardized
– It doesn’t need to be configured on every endpoint
• Visibility down to the access layer
• Compact records are inexpensive to store
Intrusion Audit Trails
1:06:15 PM: Internal host visits malicious web site
1:06:30 PM: Malware infection complete, accesses Internet command and control
1:06:35 PM: Malware begins scanning internal network
1:07:00 PM: Gateway malware analysis identifies the transaction as malicious
1:13:59 PM: Multiple internal infected hosts
1:14:00 PM: Administrators manually disconnect the initial infected host
Do you know what went on while you were mitigating?
Following IOC
1. A malware campaign targeting your industry has been publicly disclosed. A quick search of your network audit trail reveals an internal host that accessed the malicious site.
2. Check host details around that time. Suspicious HTTP connections right after contact: a good candidate for a drive-by download. Suspicious download followed by a reverse SSH shell; most SSH bytes sent by the “client”.
3. The attacker recons your network. Investigate any hosts contacted by the compromised host. Additionally, look for any other hosts scanning for 445 and 135.
4. Since we have uncovered a new IOC (the IP address controlling the reverse SSH shell), we should check to see if that host has touched the network anywhere else. Another host shows a reverse shell.
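The four investigation steps above, as an added example that is not from the slides or from Lancope’s product, run over constructed bidirectional NetFlow-style records. The record field names, the 10.x / 203.0.113.x / 198.51.100.x addresses and timestamps, the 90% client-byte ratio used as the reverse-shell test and the 20-distinct-target scan threshold are all assumptions made for the example.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Fields mirror the NetFlow fields on the slides; the client/server byte split is what a bidirectional collector keeps.
Flow = namedtuple("Flow", "src dst sport dport start end client_bytes server_bytes")

T0 = datetime(2013, 6, 1, 13, 6, 15)  # constructed base time
def t(sec):                           # seconds after T0
    return T0 + timedelta(seconds=sec)

FLOWS = [  # constructed sample records (RFC 5737 test addresses), not real traffic
    Flow("10.1.1.5", "203.0.113.9", 51000, 80, t(0), t(1), 600, 4200),                # IOC site
    Flow("10.1.1.5", "203.0.113.20", 51001, 80, t(5), t(9), 800, 250_000),            # download
    Flow("10.1.1.5", "198.51.100.7", 51002, 22, t(20), t(3600), 9_000_000, 40_000),   # reverse SSH
    *[Flow("10.1.1.5", f"10.1.2.{i}", 51100 + i, 445, t(60 + i), t(61 + i), 120, 0) for i in range(30)],
    Flow("10.1.1.77", "198.51.100.7", 52000, 22, t(400), t(5000), 7_000_000, 30_000), # 2nd victim
    Flow("10.1.1.8", "198.51.100.200", 52001, 22, t(10), t(100), 5_000, 800_000),     # normal SSH
]

def hosts_contacting(flows, ip):
    """Steps 1 and 4: internal hosts that touched an indicator IP on any port."""
    return sorted({f.src for f in flows if f.dst == ip})

def reverse_shell_candidates(flows, host, after, window=timedelta(hours=1), ratio=0.9):
    """Step 2: SSH flows from host in the window where the nominal client sends most bytes."""
    hits = []
    for f in flows:
        if f.src == host and f.dport == 22 and after <= f.start <= after + window:
            total = f.client_bytes + f.server_bytes
            if total and f.client_bytes / total >= ratio:
                hits.append(f.dst)
    return hits

def scanners(flows, ports=(445, 135), min_targets=20):
    """Step 3: hosts contacting many distinct destinations on SMB/RPC ports."""
    targets = defaultdict(set)
    for f in flows:
        if f.dport in ports:
            targets[f.src].add(f.dst)
    return sorted(h for h, d in targets.items() if len(d) >= min_targets)

def follow_ioc(flows, ioc_ip):
    """Chain the steps: victims -> reverse-shell C2 -> other hosts talking to that same C2."""
    victims = hosts_contacting(flows, ioc_ip)
    c2 = set()
    for v in victims:
        first = min(f.start for f in flows if f.src == v and f.dst == ioc_ip)
        c2.update(reverse_shell_candidates(flows, v, first))
    pivots = {h for ip in c2 for h in hosts_contacting(flows, ip)} - set(victims)
    return {"victims": victims, "c2": sorted(c2), "pivots": sorted(pivots), "scanners": scanners(flows)}
```

Calling follow_ioc(FLOWS, "203.0.113.9") returns the initial victim, the reverse-shell address it talked to, the second host later seen talking to that same address, and the host that swept port 445, which is the chain the four slides walk through.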
A Four Dimensional View of Attacker Behavior
• A sophisticated attack on a network involves a series of steps
• Traditional thinking views any system compromise as a successful breach
• Any successful action taken to stop an infection prior to data exfiltration can be considered a win
• This is the Kill Chain concept introduced by Mike Cloppert at Lockheed
• Controls should be put in place at each stage of the chain
[Diagram: kill chain stages labelled Recon, Exploitation (Social Engineering?), Initial Infection, Internal Pivot, Data Preparation & Exfiltration, and Command and Control]
The Changing Nature of Incident Response
[Diagram: continuous cycle of Detect, Respond, Analyze, Distill Intel]
Continuous Response is the centerpiece of advanced threat defense.
Factors driving the change:
• The persistent nature of the threat.
• Other organizations aren’t necessarily experiencing the same attacks.
• The desire to collect threat intelligence that can be used to detect future incidents.
Threat Intelligence Sharing
Combating Insider Threat is a multidisciplinary challenge
• IT cannot address insider threat by itself
– People have a tendency to think that IT is solely responsible for all computer security issues.
• Legal: Are policies in place? Are they realistic? Does legal support IT practices?
• HR: Who is coming and going? Who has workplace issues? Are there soft solutions?
• IT: Is the privacy of end users adequately protected?
• What impact on workplace harmony are policies, monitoring, and enforcement having?
• Are you applying policies consistently?
[Diagram: IT, HR, Legal]
Cisco Identity Services Engine (ISE)
• Cisco ISE is a context-aware, policy-based 802.1X authentication solution
• Detect
– Device type, operating system and patch level
– Time and location from which the user is attempting to gain access
User Name | MAC Address | Device Type
Bob.Smith | 8c:77:12:a5:64:05 (Samsung Electronics Co., Ltd) | Android
John.Doe | 10:9a:dd:27:cb:70 (Apple Inc) | Apple-iPhone
Lancope Identity 1000
User Reports
Flow Statistical Analysis
Suspect Data Hoarding
Unusually large amount of data inbound from other hosts
Scan Detection – External Recon and Internal Pivoting
Heartbleed Detection in StealthWatch
Timeline:
• 2007, March: StealthWatch introduces Suspect Long Flow alarm
• 2012, March: OpenSSL with Heartbleed vulnerability released
• 2014, April 7: Heartbleed vulnerability publicly disclosed
• 2014, April 8: Attackers hijack SSL VPN connections with Heartbleed, bypassing two-factor authentication
• 2014, April 15: Teenager arrested for siphoning data from the Canadian Revenue Agency using Heartbleed
• Sometime later: you patched your servers
Investigating Performance Issues
DDoS Attacks More Automated & Powerful
• Prolexic, Q2 2012 to Q2 2013:
– 33% increase in attacks
– 925% increase in bandwidth (4.47 Gbps to 49.24 Gbps)
– 1655% increase in packets per second (2.7 Mpps to 47.4 Mpps)
StealthWatch DDoS Dashboards
• Top targeted hosts
• Application traffic view (drill down into spikes)
• Alarms for Internet-facing applications
• Custom flow maps
• Overall traffic views (drill down into spikes)
End-to-End Visibility of DDoS Activity
• Visualize alarms, traffic anomalies and network degradation
• Understand impact to back-end applications
Relational anomaly detection can identify internal pivoting
[Diagram: host-to-host flows shown relative to a Secure Zone]
Thank You
Tom Cross, Director of Security Research, [email protected], (770) 225-6557