Targeted Cyber Attack: Everyone is a Target
Company Proprietary ©2013 ISC8 Inc. All rights reserved

Page 1

Targeted Cyber Attack

Everyone is a Target

Page 2

Always Connected Always Exposed

Modern media keeps us constantly connected and in contact with other people.

Most of the time we have no explicit visibility of what data our device has exchanged:

• Where we are (geo information)

• Who we are (MSISDN, IMEI, etc.)

• What we are doing (Facebook, Twitter, and so on)

Page 3

Always Connected Always Exposed

Personal as well as business-related information can be “exfiltrated” without leaving evidence.

Personal information is silently disseminated everywhere.

Footprints are left everywhere.

Page 4

Footprint Left

Page 5

Social Networking

Page 6

Traditional Attacks

Category: Virus
What is it: Malicious code embedded in a program or file
Spread technique: Human intervention (USB, download, email, etc.)

Category: Worm
What is it: Stand-alone malicious program
Spread technique: Replicates itself by exploiting OS vulnerabilities

Category: Trojan
What is it: Attack software disguised as a useful program
Spread technique: Trickery – disguised as something the user wants

Category: Botnet
What is it: Group of infected computers operating with a common purpose
Spread technique: Usually delivered as Trojans

Category: Spyware
What is it: Software that collects personal and sometimes confidential information
Spread technique: Trickery – disguised as something the user wants

Page 7

Social Engineering Attacks

Category: Baiting
What is it: Tempting an individual to put themselves at risk
Spread technique: ‘Lost’ or ‘free’ physical device such as a USB stick or CD-ROM

Category: Phishing
What is it: Tricking a user into revealing confidential information to a mistakenly ‘trusted’ source
Spread technique: Email links

Category: Pharming
What is it: DNS poisoning to return false results to query resolutions
Spread technique: Constantly spread, affecting

Page 8

Vulnerability Exploit Attacks

Category: Buffer Overflow
What is it: Intentional overflow of memory to execute invalid instructions
Spread technique: Direct machine attack

Category: SQL Injection
What is it: Attempts to execute privileged SQL commands in a database to extract information
Spread technique: Direct machine attack

Page 9

Advanced Persistent Threat Market Statistics

Notable victims of attacks in 2012 (countless more victims go unreported)

75 million unique examples of malware in 2012 (2), growing at 50,000 / day

59% of enterprises are “certain or fairly certain” that they’ve been the target of an APT (3)

69% of APT victims are NOTIFIED BY AN EXTERNAL ENTITY, not internal detection

416: median number of days that the attackers were present on a victim network BEFORE detection (1)

[Pie chart: APT victims by sector (n = 120 firms). Legend: Commercial, Defense Industrial Base, Non-profit/think tank/non-government organizations, Foreign Government, U.S. Government. Chart values: 42%, 31%, 13%, 7%, 5%, 2%.]

Commercial Sector Breakdown

• Automotive 2%

• Space and Satellites and Imagery 19%

• Cryptography & Communications 20%

• Mining 2%

• Energy 18%

• Legal 9%

• Investment Banking 3%

• Media/Public Relations 10%

• Hospitality 2%

• Chemical 5%

• Technology 10%

Sources:

(1) Unattributed data courtesy of M-Trends Report 2012, www.mandiant.com

(2) Network World

(3) www.bit9.com

Page 10

Today’s Perimeter Defenses Do Not Stop APTs

Gartner: “Traditional malware protection systems are well past the peak of their effectiveness. ... Malware threats continue to overwhelm traditional defensive techniques.” (1)

(1) Gartner, Endpoint Protection in the Age of Tablets and Cloud, Peter Firstbrook, 2/1/2012

Page 11

External vs. Internal Threats

Most external threats are defeated by traditional means.

Next-generation malware and Advanced Persistent Threats (APTs) are different.

Page 12

Typical Attack Lifecycle of APTs

[Lifecycle diagram; the phases of the cycle:]

• Intrusion

• Establish Presence & Backdoor

• Obtain User Credentials

• Exploration

• Pivoting

• Data Extraction

• Maintain Persistence (and the cycle repeats)

Page 13

Example Case

Scenario: sensitive or personal information is found on a public site such as a blog or forum

Need: identify the author from that fact

Requirement: monitor activities and correlate actions with their respective authors

Page 14

Cyber adAPT – Architecture

Sensor Collection Points (SCPs)

• Monitor trunk ports going into the core

• Generate events and collect summary data

• Passive network sensor

• 10G interfaces

Control System Unit

• Controls and configures adAPT devices

• Provides the UI for adAPT

• Provides the main interface for all adAPT components

Analytics Correlation System

• Rules-based analysis of events from SCPs

• Alarm generation and summary data correlation

• Collection and storage of summary data from suspected hosts

Page 15

Cyber adAPT Value Propositions

• Detection of advanced malware techniques and behavior inside a network before harm occurs

• Detection of malicious activity within an enterprise network that perimeter security devices cannot detect

• Does not depend on signature patterns that require updating as new malware is detected

• Tracking of malicious activity back to the infected host

– Malware propagation detection

• Collection of summary data to provide post-alarm analytics and forensics

• High-bandwidth (10 Gbps+) sensors to allow monitoring near the core of the network

• Multi-tiered rules-based analytics to reduce false positives and provide enhanced, correlated evidence of malicious activity

Page 16

Threat Management Cases

Identify Established Malware

• Malware bypasses the traditional security perimeter using a USB drive

• Elevated permissions allow malware to hide from client software

• Detect malware as it moves inside the network

• Shut down access before malware completes its objective

Improve Security Posture

• Identify weaknesses in current security capabilities:

– Executable movement

– Command and Control activities

– Network / target scanning

– Data staging

– Data exfiltration

• Provide the necessary tools to develop higher security capabilities

Baseline Network Behavior

• Identify anomalous behaviors:

– Unauthorized protocols

– Excessive data volume transfers

– Unusual time-of-day accesses

– Connections to fake update servers

– Out-of-policy encryption techniques

• Improved understanding of network activity enables better security

Secure VPN

• Remote partner must have VPN access into parts of the corporate network

• VPN hosts are restricted via ACLs

• Additional monitoring is required to ensure VPN users do not circumvent restrictions

• Behavior-based adAPT monitors usage of all network resources by VPN users

• Quickly alerts if unauthorized servers, protocols or data are accessed
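The five anomaly classes listed under Baseline Network Behavior can be expressed as a baseline-plus-policy check over flow summaries. The Python below is an added example written for this page, not adAPT code; the policy values, the baseline and "today" flow tuples, and the host names are all constructed for the example, and a single flow can trip several checks at once.

```python
from statistics import mean, pstdev

# Policy for one network segment (constructed for this example, not a product default).
POLICY = {
    "allowed_protocols": {"dns", "http", "https", "ntp"},
    "update_servers": {"updates.example-corp.internal"},  # the only sanctioned update hosts
    "min_tls_version": 1.2,
}

# Constructed week-long baseline for one host:
# (hour_of_day, protocol, bytes_out, destination host, tls_version or None)
BASELINE_FLOWS = [
    (9,  "https", 120_000, "mail.example-corp.internal",     1.2),
    (10, "http",   40_000, "intranet.example-corp.internal", None),
    (11, "https",  95_000, "updates.example-corp.internal",  1.2),
    (14, "https", 130_000, "mail.example-corp.internal",     1.3),
    (16, "dns",     2_000, "dns.example-corp.internal",      None),
    (17, "https", 110_000, "mail.example-corp.internal",     1.2),
]

def build_baseline(flows):
    """Summarise what 'normal' looks like for this host: the hours it is active
    and the mean / spread of its per-flow volume."""
    volumes = [f[2] for f in flows]
    return {
        "hours": {f[0] for f in flows},
        "volume_mean": mean(volumes),
        "volume_sd": pstdev(volumes),
    }

def detect_anomalies(flow, baseline, policy):
    """Return the list of reasons a flow deviates from baseline or policy
    (an empty list means the flow looks normal)."""
    hour, proto, nbytes, dst, tls = flow
    reasons = []
    if proto not in policy["allowed_protocols"]:
        reasons.append("unauthorized protocol: " + proto)
    if nbytes > baseline["volume_mean"] + 3 * baseline["volume_sd"]:
        reasons.append("excessive data volume: %d bytes" % nbytes)
    if hour not in baseline["hours"]:
        reasons.append("unusual time-of-day: %02d:00" % hour)
    # an 'update' host that is not on the sanctioned list is the fake-update-server case
    if "update" in dst and dst not in policy["update_servers"]:
        reasons.append("connection to unsanctioned update server: " + dst)
    if tls is not None and tls < policy["min_tls_version"]:
        reasons.append("out-of-policy encryption: TLS %.1f" % tls)
    return reasons

def triage(flows, baseline=None, policy=POLICY):
    """Run every flow through the checks; returns {index: reasons} for flagged flows only."""
    baseline = baseline or build_baseline(BASELINE_FLOWS)
    return {i: r for i, f in enumerate(flows) if (r := detect_anomalies(f, baseline, policy))}

# Constructed 'today' flows for the same host.
TODAY_FLOWS = [
    (11, "https",    95_000, "updates.example-corp.internal", 1.2),   # normal
    (3,  "ftp",   2_500_000, "198.51.100.7",                  None),  # 03:00 bulk FTP out
    (10, "https",    50_000, "update-cdn.example.net",        1.2),   # look-alike update host
    (14, "https",    60_000, "mail.example-corp.internal",    1.0),   # downgraded TLS
]

if __name__ == "__main__":
    for idx, reasons in triage(TODAY_FLOWS).items():
        print(idx, TODAY_FLOWS[idx][1], "->", "; ".join(reasons))
```

The volume threshold is mean plus three standard deviations of the baseline, so a single bulk transfer at an unusual hour over a disallowed protocol produces three independent reasons; correlating several weak signals on one flow is what keeps the false-positive rate of a behaviour baseline manageable.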

Page 17

Main Screen

Page 18

Notifications by Volume

Page 19

Disallowed Application by Subnet Report

Page 20

Notification Details

Page 21

What about our personal data?

Provide long-term retention, including the associated author

• Assumptions:

– The author is not known – the action is deduced because it is public

– Identify the authors of inappropriate activities (e.g. YouTube, forum posts)

Extract valuable data from ALL the communication flows and label it with its authors

Page 22

ISC8 Cyber NetFalcon

The first Big Data solution for Cyber Security

• Long-term record of network traffic activity: months and years

• Application, protocol and user-level information

• Near real-time analytics, search and retrieval

• Scalability to largest networks and long time windows

• Cost effective to deploy and scale

• Fine-grained administrative controls

Complements packet capture and LI (lawful intercept) technologies

Proven: deployed in scale worldwide


Networking Big Data

Cyber NetFalcon

Page 23

NetFalcon – Instantaneous Analysis of Big Network Data

[Chart: horizontal axis Data Source, from Machine Activity (logs, data dumps, configuration, events) to Network Activity (real-time activity between network devices); vertical axis Scale (throughput speeds + historical log), from Small to Big.]

Chart labels:

• Big Machine Data Tools

• SIEM

• Packet capture limited to 10 Gb/s of traffic over hours / days

• Weeks / Months @ 40 Gb/s = Big Network Data

BIG Data: large, complex data sets that are difficult to capture, store, search, share, analyze or visualize. 10 Gb/s = 216 TBytes/day

Page 24

NetFalcon Benefits

Cyber event attribution

Fast and effective incident response

Investigate insider or outsider threats

Map relationships between individuals in cyberspace

Associate cyber to real-world identity

Establish communication histories between individuals

Identify individuals responsible for “anonymous” criminal communications


Page 25

Other Compelling Use Cases

Investigate the organization of illegal and violent demonstrations

Identify origin of publicly declared threats

Track the Leak of Classified Documents

Uncover the associates of an identified criminal

Identify bloggers/owners of anonymous comments on the blog site

Identify Hackers of Government or commercial websites


Page 26

Deep Packet Inspection Probing

Far beyond legacy Layer 3/4 flow recording

Far beyond protocol DPI

Extraction of specific protocol or application info

Enables vastly richer data mining and information set

Enables run-time “user” identification through correlation

[Diagram: the protocol stack, shown both for Packet Identification and for Deep Protocol Inspection]

L2: Ethernet

L3: Internet Protocol (IP)

L4: Transport Layer (TCP/UDP)

L5 – L7: Email (SMTP, POP3, IMAP), Web (HTTP/S), File Transfer (FTP, Gopher), Instant Messaging (IM), Peer-to-Peer (P2P) Applications

Page 27

Deep Packet Inspection Probing

No.     Time          Source        Destination   Protocol    Info
167207  0.756202890   10.145.19.66  10.145.19.90  GTP <HTTP>  GET /img/2009/11/21/90x90-alg_image.jpg HTTP/1.1

Frame 167207 (671 bytes on wire, 671 bytes captured)
Ethernet II, Src: Ericsson_ed:81:b0 (00:01:ec:ed:81:b0), Dst: JuniperN_67:5f:f1 (00:23:9c:67:5f:f1)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 202
Internet Protocol, Src: 65.213.148.66 (65.213.148.66), Dst: 65.213.148.6 (65.213.148.6)
User Datagram Protocol, Src Port: blackjack (1025), Dst Port: gtp-user (2152)
GPRS Tunneling Protocol
Internet Protocol, Src: 10.145.19.66 (10.145.19.66), Dst: 10.145.19.90 (10.145.19.90)
Transmission Control Protocol, Src Port: 53585 (53585), Dst Port: http (80), Seq: 1, Ack: 3683, Len: 565
Hypertext Transfer Protocol
    GET /img/2009/11/21/90x90-alg_image HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET /img/2009/11/21/90x90-alg_image.jpg HTTP/1.1\r\n]
            [Message: GET /img/2009/11/21/90x90-alg_image.jpg HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /img/2009/11/21/90x90-alg_image.jpg
        Request Version: HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2; en-us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.18\r\n
    Referer: http://www.nydailynews.com/real_estate/2010/01/01/2010-01-01_iconic_nyc_restaurant_tavern_on_the_green_closes_its_doors_friday_after_a_final_.html\r\n
    Accept: */*\r\n
    Accept-Language: en-us\r\n
    Accept-Encoding: gzip, deflate\r\n
    Cookie: WT_FPC=id=18.15.2.12-3609171504.30087201:lv=1277848799597:ss=1277848799597\r\n
    Connection: keep-alive\r\n
    Host: assets.nydailynews.com\r\n
    \r\n

[Side label on the slide: Deep Application Inspection]
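The dissection above shows what a probe on a mobile-core trunk has to unwrap before it sees the HTTP request: Ethernet, an 802.1Q tag, the outer IP/UDP pair, the GTP-U tunnel, and only then the subscriber's IP/TCP/HTTP. The Python below is an added example written for this page, not ISC8 probe code. It constructs a frame from the addresses, ports and headers in the dissection (the GTP TEID is a made-up value and IP/UDP/TCP checksums are left at zero and not verified), walks the encapsulation chain, and returns a metadata record. On the defender's side, the record keeps the fact that a cookie was present but not its value, since a stored session cookie is itself a credential.

```python
import struct

def _ip2b(dotted):
    return bytes(int(x) for x in dotted.split("."))

def _ipv4(src, dst, proto, payload):
    # version 4 / IHL 5, TTL 64; checksum left at 0 (constructed frame, not verified)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       _ip2b(src), _ip2b(dst)) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _tcp(sport, dport, payload):
    # seq 1 / ack 3683 as in the dissection; data offset 5 words, flags PSH|ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 3683, 5 << 4, 0x18, 65535, 0, 0) + payload

def _gtpu(teid, payload):
    # GTPv1-U G-PDU: flags 0x30 = version 1, PT=1, no E/S/PN; type 0xFF; length; TEID
    return struct.pack("!BBHI", 0x30, 0xFF, len(payload), teid) + payload

# HTTP request and addresses taken from the slide's dissection; the TEID is constructed.
HTTP_REQUEST = (
    b"GET /img/2009/11/21/90x90-alg_image.jpg HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2; en-us) "
    b"AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.18\r\n"
    b"Cookie: WT_FPC=id=18.15.2.12-3609171504.30087201:lv=1277848799597\r\n"
    b"Host: assets.nydailynews.com\r\n\r\n")

def build_sample_frame():
    inner = _ipv4("10.145.19.66", "10.145.19.90", 6, _tcp(53585, 80, HTTP_REQUEST))
    outer = _ipv4("65.213.148.66", "65.213.148.6", 17,
                  _udp(1025, 2152, _gtpu(0x1234ABCD, inner)))
    eth = bytes.fromhex("00239c675ff1") + bytes.fromhex("0001eced81b0")   # dst MAC, src MAC
    return eth + struct.pack("!HHH", 0x8100, 202, 0x0800) + outer          # 802.1Q, VLAN ID 202

def _parse_ipv4(buf, off):
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", buf, off)
    if vihl >> 4 != 4:
        return None
    return off + (vihl & 0x0F) * 4, ".".join(map(str, src)), ".".join(map(str, dst)), proto

def parse_gtp_http(frame):
    """Walk Ethernet -> 802.1Q -> IPv4 -> UDP/2152 -> GTP-U -> IPv4 -> TCP -> HTTP and
    return a metadata record, or None when a layer is not what this probe expects."""
    rec, off = {}, 12
    (ethertype,) = struct.unpack_from("!H", frame, off); off += 2
    if ethertype == 0x8100:                                   # single VLAN tag
        tci, ethertype = struct.unpack_from("!HH", frame, off); off += 4
        rec["vlan_id"] = tci & 0x0FFF
    if ethertype != 0x0800:
        return None
    outer = _parse_ipv4(frame, off)
    if outer is None or outer[3] != 17:
        return None
    off, rec["outer_src"], rec["outer_dst"], _ = outer
    _, dport, _, _ = struct.unpack_from("!HHHH", frame, off); off += 8
    if dport != 2152:                                         # gtp-user
        return None
    flags, mtype, _, teid = struct.unpack_from("!BBHI", frame, off); off += 8
    if flags >> 5 != 1 or mtype != 0xFF:                      # GTPv1 G-PDU only
        return None
    rec["teid"] = teid
    if flags & 0x07:                                          # E/S/PN set: 4 optional bytes
        off += 4
        next_ext = frame[off - 1] if flags & 0x04 else 0
        while next_ext:                                       # ext header length in 4-byte units
            ext_len = frame[off] * 4
            next_ext = frame[off + ext_len - 1]
            off += ext_len
    inner = _parse_ipv4(frame, off)
    if inner is None or inner[3] != 6:
        return None
    off, rec["inner_src"], rec["inner_dst"], _ = inner
    rec["inner_sport"], rec["inner_dport"] = struct.unpack_from("!HH", frame, off)
    off += (frame[off + 12] >> 4) * 4                         # TCP data offset
    head = frame[off:].split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    rec["method"], rec["uri"], rec["version"] = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    rec["host"] = headers.get("host")
    rec["user_agent"] = headers.get("user-agent")
    rec["cookie_present"] = "cookie" in headers               # keep the fact, not the value
    return rec
```

Each layer check returns None rather than guessing, so a frame that is not GTP-U, or not a G-PDU, falls through to whatever other dissector the probe has; the GTP extension-header loop follows the 3GPP TS 29.281 layout (length in 4-byte units, next-header type in the last byte).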

Page 28

Intelligent Metadata Summaries

Protocol: Email
Application: POP3
UserID: Alice_bad
Password: hav0c
Following: crime
Members: Bob, Charlie
Posts: 2345 bytes

Protocol: SIP
Application: Yate, etc.
PhoneID: 4237893547
ServerID: hav0c
Contacts: crime
Call Status: Bob, Charlie
…: 2345 bytes

Protocol: MSN
Application: Messenger
UserID: Alice_bad
Password: hav0c
Chatroom: crime
Members: Bob, Charlie
Chat size: 2345 bytes

100s of protocols with 1000s of metadata attributes turn network activity into a powerful, searchable medium

Page 29

Data Collection and Correlation

Receives flow records from multiple probes

• Ensures correlation of asymmetric flows

Watchlist for data reduction

Integrated support for management infrastructure

• RADIUS user authentication

• Mobile network support (e.g. GGSN links)

• WiMAX

• 3G

• 4G/LTE

Page 30

Data Collection and Correlation

Provides correlation of related data prior to storage writing

• User information

• CPE registration information

• Geo-location data

• L7 content, such as VoIP phone numbers

• Integration of other data structures

Real-time event triggering

Page 31

Challenge: Physical Identification

[Diagram: Physical Identity – Electronic Identity – Cyber Identity]

Page 32

Different pieces of the same puzzle

[Puzzle diagram: pieces IM handle, Geo location, MAC Address, Radius ID, Web user, Jane Smith, BSID, VoIP number and Email, grouped as Physical Identity, Electronic Identity and Cyber Identity]

Page 33

Correlation Example

[Diagram layers: Applications; IP Infrastructure]

Page 34

Correlation Example – Traditional Approach

[Diagram layers: Applications; IP Infrastructure]

BSID:786514234

+1-415-555-1111/EMEI:00382934093/IMSI:17868A

+39-06-5567111/EMEI:0098765/IMSI:27868B

FTPLogin:Mickey/Passwd:duck/Action:PutFile

BSID:786514243

SRC:28.74.54.10/DST:1.1.1.1/Port:80/Prot:HTTP

SRC:128.74.54.10/DST:1.1.1.1/Port:21/Prot:FTP

SRC:128.74.54.10/DST:2.2.2.2/Port:8080/App:Webmail

Page 35

Correlation Example – NetFalcon Approach

[Diagram layers: Applications; IP Infrastructure]

BSID:786514234

+1-415-555-1111/EMEI:00382934093/IMSI:17868A

+39-06-5567111/EMEI:0098765/IMSI:27868B

FTPLogin:Mickey/Passwd:duck/Action:PutFile

BSID:786514243

SRC:28.74.54.10/DST:1.1.1.1/Port:80/Prot:HTTP

SRC:128.74.54.10/DST:1.1.1.1/Port:21/Prot:FTP

SRC:128.74.54.10/DST:2.2.2.2/Port:8080/App:Webmail

Correlated result: +1-415-555-1111 / 00382934093 / 17868A / 786514243 / FTP 1.1.1.1 / Mickey duck PutFile

Page 36

Correlation Example – NetFalcon Approach

[Diagram layers: Applications; IP Infrastructure]

BSID:786514234

+1-415-555-1111/EMEI:00382934093/IMSI:17868A

+39-06-5567111/EMEI:0098765/IMSI:27868B

FTPLogin:Mickey/Passwd:duck/Action:PutFile

BSID:786514243

SRC:28.74.54.10/DST:1.1.1.1/Port:80/Prot:HTTP

SRC:128.74.54.10/DST:1.1.1.1/Port:21/Prot:FTP

SRC:128.74.54.10/DST:2.2.2.2/Port:8080/App:Webmail

Correlated result: +1-415-555-1111 / 00382934093 / 17868A / 786514243 / FTP 1.1.1.1 / Mickey/duck / PutFile

Record template: RecNo:02A78BH83: [EMEI: /IMSI: ] frm {Session Info: IP: / Credential: / Action: }

Page 37

Cyber NetFalcon Correlation

Mixes and merges information coming from different sources (probes, network elements, static DB)

Dynamically creates the links between the various entities (Cyber Identity, Electronic Identity and Physical Identity)

Enables real-time synthesis of actionable information

Converts fragmented data into meaningful, actionable intelligence: Who, What, Where and When

Solving the Puzzle

Page 38

Historical Data Mining / Reporting

[Diagram: Cyber Threats T1, T2, T3, T4; Analyst; Cyber NetFalcon]

NetFalcon (NF) collects and stores communication records (IPDR, CDR)

Analyst posts queries to retrieve actions’ authors and network presence

Match – Between 1/1 – 1/7: T1 contacted / posted to T3; T3 FTPed to T2; T2 posted on YouTube

Inappropriate content poster spotted

Page 39

Example Queries

Which IP address was user “bob” associated with in a particular timeframe?

In the past 12 months, which websites has user “bob” visited?

Which websites were visited with the greatest frequency?

Which other users did user “bob” contact via email, IM, and VoIP?

Which users visited the site www.publishsomedata.com?
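The correlation slides (Traditional vs. NetFalcon approach, pages 34 to 36) and the example queries above describe one operation: join time-bounded records from network elements (IP session, base-station attachment, subscriber identity) with the probe's flow records, then query the joined result by user, time or site. The Python below is an added example written for this page, not NetFalcon code. The IMSI, EMEI, MSISDN, BSID, FTP login and flow values are the slide's own sample values; the timestamps, the wired-LAN user bob and the host names are constructed. The joined record keeps the login name and the fact that a cleartext password was observed, but deliberately not the password itself.

```python
from datetime import datetime

def _t(s):
    return datetime.fromisoformat(s)

# Network-element records (constructed timestamps). Every record carries the window
# during which it is valid, which is what makes the join time-correct.
IP_SESSIONS = [   # (ip, start, stop, subscriber / user id) from GGSN accounting or RADIUS
    ("128.74.54.10", _t("2013-01-03T08:00"), _t("2013-01-03T12:00"), "17868A"),
    ("128.74.54.10", _t("2013-01-03T12:00"), _t("2013-01-03T18:00"), "27868B"),
    ("10.8.0.7",     _t("2013-01-03T09:00"), _t("2013-01-03T17:00"), "bob"),
]
ATTACHMENTS = [   # (subscriber, bsid, start, stop): which base station served the handset
    ("17868A", "786514234", _t("2013-01-03T08:00"), _t("2013-01-03T10:00")),
    ("17868A", "786514243", _t("2013-01-03T10:00"), _t("2013-01-03T12:00")),
]
SUBSCRIBERS = {   # electronic identity -> physical identity (the slide labels the handset id EMEI)
    "17868A": {"msisdn": "+1-415-555-1111", "emei": "00382934093"},
    "27868B": {"msisdn": "+39-06-5567111",  "emei": "0098765"},
    "bob":    {"msisdn": None, "emei": None},   # wired RADIUS user, no handset
}

# Probe records: (time, src, dst, port, application, L7 metadata the probe extracted)
FLOWS = [
    (_t("2013-01-03T10:30"), "128.74.54.10", "1.1.1.1", 80, "HTTP",
     {"host": "www.example.net"}),
    (_t("2013-01-03T10:45"), "128.74.54.10", "1.1.1.1", 21, "FTP",
     {"login": "Mickey", "password": "duck", "action": "PutFile"}),
    (_t("2013-01-03T11:00"), "128.74.54.10", "2.2.2.2", 8080, "Webmail", {}),
    (_t("2013-01-03T13:00"), "10.8.0.7", "3.3.3.3", 80, "HTTP",
     {"host": "www.publishsomedata.com"}),
]

def subscriber_for_ip(ip, when):
    for sess_ip, start, stop, sub in IP_SESSIONS:
        if sess_ip == ip and start <= when < stop:
            return sub
    return None

def bsid_for_subscriber(sub, when):
    for s, bsid, start, stop in ATTACHMENTS:
        if s == sub and start <= when < stop:
            return bsid
    return None

def correlate(flow):
    """Join one flow with the identity records valid at its timestamp and return a
    who / what / where / when record. The cleartext password the probe saw is not
    copied into the record; only the fact that one was observed is kept."""
    when, src, dst, port, app, meta = flow
    sub = subscriber_for_ip(src, when)
    phys = SUBSCRIBERS.get(sub, {})
    return {
        "when": when.isoformat(),
        "who": {"subscriber": sub, "msisdn": phys.get("msisdn"),
                "emei": phys.get("emei"), "login": meta.get("login")},
        "where": {"ip": src, "bsid": bsid_for_subscriber(sub, when)},
        "what": {"app": app, "dst": dst, "port": port,
                 "action": meta.get("action") or meta.get("host"),
                 "cleartext_password_seen": "password" in meta},
    }

def correlated_records():
    return [correlate(f) for f in FLOWS]

# The slide's example queries, run against the correlated records.
def ip_of_user(sub, when):
    """Which IP address was a user associated with at a given time?"""
    for ip, start, stop, s in IP_SESSIONS:
        if s == sub and start <= when < stop:
            return ip
    return None

def users_who_visited(host):
    """Which users visited a given website?"""
    return sorted({r["who"]["subscriber"] for r in correlated_records()
                   if r["what"]["app"] == "HTTP" and r["what"]["action"] == host})

def contacts_of(sub):
    """Which destinations did a user talk to, per application?"""
    return sorted({(r["what"]["app"], r["what"]["dst"]) for r in correlated_records()
                   if r["who"]["subscriber"] == sub})
```

The half-open windows (start inclusive, stop exclusive) matter: the same IP is reassigned to a second subscriber at 12:00, and a join that ignored time would attribute the 10:45 FTP upload to the wrong person.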

Page 40

Near Real Time Analytics

Near real-time query response regardless of network size and search time window

Proprietary storage system overcomes performance limitations of relational databases

Simple GUI with powerful query structure

Page 41

Near Real Time Analytics

Page 42

Summary

Assure your assets are protected

Monitor device behavior and identify what is not ‘normal’ in the specific environment

Ensure a complete, long-term record of network activity

Ability to search back in time and identify who did what, when, where and with whom

Near real-time analytics, regardless of network size and data collected
