War on Stealth Cyberattacks that Target Unknown Vulnerabilities
Investigate, Threat Scope Analysis & Forensics of Advanced Cyber Threats with Apache Metron
George Vetticaden & James Sirota
Apache Metron Committers
2 © Hortonworks Inc. 2011 – 2016. All Rights Reserved
Use Case: Phishing Attack
Phishing Attack on Company FOO
Phishing Attacks
What is a Phishing Attack?
– An attack that “baits” unsuspecting workers into clicking on links in emails and unknowingly giving attackers a toehold in their employers’ systems.
From NYTIMES Article (6/13/2016)
“Phishing attacks have become an epidemic. To date, more than 90 percent of breaches have begun with a phishing attack, according to Verizon.
Intelligence experts say that phishing attacks are the preferred method of Chinese hackers who have managed to steal things as varied as nuclear propulsion technology and Silicon Valley’s most guarded software code.”
DocuSign Phishing Attacks
What is DocuSign?
• Provides electronic signature technology and Digital Transaction Management services for facilitating electronic exchanges of contracts and signed documents.
• E.g.: if you get a new job, the offer letter will most likely be presented to you as a “DocuSign Doc” which requires an electronic signature.
What is a DocuSign Phishing Attack?
• Active phishing campaigns use fake DocuSign emails to trap employees into opening them
• These "secure doc" emails are one of the most misflagged categories of real emails
• Users have trouble figuring out whether a "secure doc" email is real or a phish
Use Case Setup
On 4/10, an internal User named Ethan V at Company X submits a security ticket complaining about a potential “Docu-Sign” Phishing Email.
The details provided by Ethan V in the ticket are the following:
– Ethan receives an email from an internal employee, Sonja Lar, who works in Equity
– The email states that a signature is required for a new Docu-Sign document for a new stock option grant to Ethan
– There is a link in the email to the Docu-Sign document
– Ethan clicks on the link, and a login page appears
– Ethan enters his SSO credentials and submits
– On submission, nothing happens
– Ethan calls Sonja, but Sonja states she didn’t send an email
– Ethan is worried and files a help desk security ticket
A security ticket is created and assigned to the SOC Team
A SOC analyst James picks up the case to investigate it.
Typical Workflow if Company Foo uses traditional SIEM tool
“Investigation” Workflow Steps
• Step 1: Analyst James searches in the SIEM for any events associated with the user Sonja over the last 24 hours
• Step 1 Result: Most events are coming from IP Y, but 1 event is from IP X, where she logs into Corp Google Apps Gmail.
• Step 2: James does a geo-lookup of IP X and IP Y in Maxmind
• Step 2 Result: IP X is from Ireland and IP Y is from Southern California
• Step 3: Corp Foo has offices in Ireland & Los Angeles. James files a ticket with the AD team to find the groups that Sonja belongs to.
• Step 3 Result: The groups she belongs to are only associated with Los Angeles and not Ireland
• Step 4: James logs into Foo’s Asset Mgmt system to determine which assets the IPs belong to
• Step 4 Result: IP Y is Sonja’s workstation while IP X is an unidentified asset
• Step 5: James logs into Soltra, a threat intel aggregation service, to see if IP X has a threat intel hit.
• Step 5 Result: IP X has a threat intel hit. Sonja’s account is immediately shut down & Ethan’s credentials are reset

Story Unfolding
• Step 1 Insight: Anomalous event – Corp Gmail was decommissioned in favor of Exchange months back and only a few users are still using it
• Step 2 Insight: Not possible for the same user to be logging in from Ireland & Southern California at the same time.
• Step 3 Insight: Unauthorized access is occurring from Ireland
• Step 4 Insight: Seems like Sonja is in Southern California but someone else pretending to be her is logging in from an unidentified asset
• Step 5 Insight: Sonja’s account has been compromised. Shut it down; Ethan’s credentials have been reset. But what other users are affected like Ethan?

Systems Accessed for Investigation/Context: SIEM Search, Maxmind (IP Geo DB), AD (Identity Mgmt.), Asset Mgmt. Inventory, Soltra (Threat Intel)
“Scope of Threat” Workflow Steps
• Step 6: Searches the SIEM for FireEye and IronPort email events associated with Sonja. The SIEM doesn’t have that info
• Step 6 Result: Need to log into FireEye and IronPort
• Step 7: Logs into FireEye Email Threat Prevention Cloud & IronPort to find all emails sent from Sonja from that malicious IP
• Step 7 Result: Has a list of all users that the phishing email was sent to. Can reset the password for all those users

“Forensics” Workflow Steps
• Step 8: Logs into Cisco IronPort to determine when the attacker first compromised Sonja’s Gmail account
• Step 8 Result: On 3/26, a user from Ireland logged into Sonja’s Corp Gmail account
• Step 8 Insight: Understands when Sonja’s Gmail account was first compromised
• Step 9: Logs into Intermedia, an email archive system, to understand how the account was compromised
• Step 9 Result: Sees a chain of emails in which the attacker spoofed someone else’s email address, “warmed up” Sonja with a few emails, and then sent an email with a link that Sonja clicked on, which stole her credentials
• Step 9 Insight: Understands how Sonja’s account got compromised

Story Unfolding (continued)
• Step 6 Insight: The SIEM doesn’t have all the FireEye email events I need to determine scope
• Step 7 Insight: Understand the scope of the threat and can contain it.

Systems Accessed for Investigation/Context: SIEM Search, Maxmind (IP Geo DB), AD (Identity Mgmt.), Asset Mgmt. Inventory, Soltra (Threat Intel)
Systems Accessed for Threat Scope: FireEye (Email Cloud Security), Cisco IronPort (Email On-Premise Security)
Systems Accessed for Forensics: Cisco IronPort, Intermedia (Email Archive)
Systems Accessed for Remediation: Exchange (Primary Email Service), Corp Gmail (Secondary Email Service), AD & OKTA (Identity Provider & SSO)
The “Threat Story” the Workflow Told….
The Challenges faced by the SOC Analyst to Create this Story…
Challenge
• The analyst had to jump from the SIEM to more than 7 different tools, which took up valuable time.
• It took more than 24 hours across 2 SOC shifts to investigate, determine scope, remediate and do further forensics/investigation.
• Half of my time was spent getting the context needed for me to create the story
• The threat was detected too late. Instead of detecting the incident on 4/9, the threat should have been detected on 3/20 when the attacker spoofed Sonja’s email address
Need
• Want a centralized view of my data so I don’t have to jump around and learn other tools
• Eliminate manual tasks to investigate a case
• Need to discover bad stuff quicker
• Need the system to create the context for me in real time
• The current static rules in the SIEM didn’t detect the threat. Need smart analytics based on:
  • User Sonja hasn’t used corp Gmail in the last 3 months
  • User Sonja can’t log in from Ireland and Southern California at the same time
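The two analytics the slide asks for can be written as checks over authentication events. The following is an added example, not code from the talk or from Apache Metron: a dormant-service check (a login to a service the user has not touched for 90 days) and an impossible-travel check (two logins by one user whose implied speed no traveller could reach), run over constructed login events with a small constructed IP-to-location table standing in for Maxmind. Users, IPs, coordinates and timestamps are all made up.

```python
"""Added example (not from the talk or from Apache Metron): the two behavioural
checks the slide asks for, run over constructed authentication events.

GEO stands in for a Maxmind-style lookup; every IP, coordinate, user and
timestamp here is constructed sample data."""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed IP -> (city, latitude, longitude) table (stand-in for Maxmind).
GEO = {
    "203.0.113.10": ("Dublin", 53.35, -6.26),
    "198.51.100.7": ("Los Angeles", 34.05, -118.24),
    "198.51.100.8": ("Los Angeles", 34.05, -118.24),
}

# Constructed login events: (ISO timestamp, user, service, source IP).
EVENTS = [
    ("2016-01-05T09:00:00", "sonja", "corp_gmail", "198.51.100.7"),
    ("2016-04-09T10:00:00", "sonja", "exchange", "198.51.100.7"),
    ("2016-04-09T10:12:00", "sonja", "corp_gmail", "203.0.113.10"),
    ("2016-04-09T11:00:00", "ethan", "exchange", "198.51.100.8"),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def dormant_service_use(events, service, dormant_days=90):
    """Rule 1: flag a login to `service` when the same user's previous login to
    it was more than `dormant_days` earlier. A first-ever login is not flagged
    here because there is no history to compare against."""
    hits, last_seen = [], {}
    for ts, user, svc, ip in sorted(events):          # ISO strings sort chronologically
        if svc != service:
            continue
        t = parse_ts(ts)
        prev = last_seen.get(user)
        if prev is not None and t - prev > timedelta(days=dormant_days):
            hits.append({"user": user, "timestamp": ts, "ip": ip,
                         "idle_days": (t - prev).days})
        last_seen[user] = t
    return hits


def impossible_travel(events, max_speed_kmh=900.0):
    """Rule 2: flag consecutive logins by one user whose implied travel speed
    exceeds `max_speed_kmh` (roughly an airliner), i.e. both cannot be hers."""
    by_user = {}
    for ts, user, _svc, ip in sorted(events):
        by_user.setdefault(user, []).append((parse_ts(ts), ip))
    hits = []
    for user, logins in by_user.items():
        for (t1, ip1), (t2, ip2) in zip(logins, logins[1:]):
            if ip1 not in GEO or ip2 not in GEO:
                continue                               # no geo data: cannot judge
            km = haversine_km(*GEO[ip1][1:], *GEO[ip2][1:])
            hours = (t2 - t1).total_seconds() / 3600.0
            if km > 0 and (hours == 0 or km / hours > max_speed_kmh):
                hits.append({"user": user, "from": GEO[ip1][0], "to": GEO[ip2][0],
                             "km": round(km), "minutes": round(hours * 60)})
    return hits


if __name__ == "__main__":
    for hit in dormant_service_use(EVENTS, "corp_gmail") + impossible_travel(EVENTS):
        print(hit)
```

On the sample data the Gmail login from Dublin fires both rules: Sonja's last Gmail login was 95 days earlier, and Los Angeles to Dublin (about 8,300 km) in 12 minutes is not a journey anyone makes. The speed threshold is deliberately generous so that ordinary business travel does not alert; an IP with no geo record is skipped rather than guessed at.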
Same Workflow if Company Foo used Apache Metron
Demo
Do Investigation, Find Scope and Perform Forensics Using only Metron
Systems Accessed for Investigation/Context: Maxmind (IP Geo DB), AD (Identity Mgmt.), Asset Mgmt. Inventory, Soltra (Threat Intel)
Systems Accessed to Determine Scope: FireEye (Email Cloud Security), Cisco IronPort (Email On-Premise Security)
Systems Accessed for Forensics: Intermedia (Email Archive)
Systems Accessed for Remediation: Exchange (Primary Email Service), Corp Gmail (Secondary Email Service), AD & OKTA (Identity Provider & SSO)
Do Investigation, Find Scope and Perform Forensics Using only Metron
Metron will make it easier and faster to find the real issues I need to act on, with real-time enrichment
Provides Single Pane of Glass for Investigation, Scope Analysis and Forensics
Metron can take everything that is known about a threat and check for it in real time
For Advanced Persistent Threats (APT), Metron can model historical behavior of whoever I am impersonating and flag me as I try to deviate
Metron Architecture
Apache Metron Logical Architecture
• Telemetry sources (via Network Tap): PCAP, NetFlow, DPI, IDS, AV, Firewall, Host Logs
• Real-time Processing Engine: Parse → Normalize → Tag → Validate → Process → Enrich (User, Asset, Geo, WHOIS, Conn) → Label → Alert
• Threat intelligence and model feeds into the engine: STIX, Flat Files, Aggregators, Model as a Service, Cloud Services
• Security Data Vault: PCAP Store, Alert Persist
• Data & Integration Services: Real-Time Search, Interactive Dashboards, Data Modelling, Integration Layer, PCAP Replay, Security Layer
• Custom Metron UI/Portals on top of the Data & Integration Services
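To make the parse, normalize, enrich and label stages concrete, here is an added example in Python; it is not code from the talk or from the Apache Metron project (whose parser configuration, Stellar enrichment language and threat-intel loaders are not used here). It runs constructed authentication log lines through the four stages, with constructed geo, asset, directory and threat-intel tables standing in for Maxmind, the asset inventory, AD and Soltra, so the context the analyst gathered by hand in steps 2 to 5 is attached to each event as it arrives. The log format and field names are also constructed.

```python
"""Added example (not code from the talk or from Apache Metron): the logical
architecture's parse -> normalize -> enrich -> label stages, as a minimal
Python pipeline over constructed authentication log lines.

The log format, field names and every lookup table below are constructed
stand-ins; Metron's own parser configuration, Stellar enrichments and
threat-intel loaders are not used here."""
import re

# Constructed raw lines in a made-up key=value auth log format.
RAW_LOGS = [
    "2016-04-09T10:00:03Z auth service=exchange user=sonja src=198.51.100.7 result=success",
    "2016-04-09T10:12:41Z auth service=corp_gmail user=sonja src=203.0.113.10 result=success",
    "2016-04-09T10:13:02Z auth service=okta user=ethan src=198.51.100.8 result=success",
]

LINE_RE = re.compile(r"^(?P<timestamp>\S+) auth (?P<fields>.+)$")

# Constructed enrichment sources standing in for Maxmind, Asset Mgmt, AD and Soltra.
GEO = {"203.0.113.10": ("Dublin", "IE"),
       "198.51.100.7": ("Los Angeles", "US"),
       "198.51.100.8": ("Los Angeles", "US")}
ASSETS = {"198.51.100.7": "sonja-ws01", "198.51.100.8": "ethan-ws02"}
AD_OFFICE = {"sonja": "Los Angeles", "ethan": "Los Angeles"}
THREAT_INTEL_IPS = {"203.0.113.10"}

# Source field -> shared field name (constructed convention).
FIELD_MAP = {"src": "ip_src_addr", "user": "user_name", "service": "service"}
REQUIRED = ("ip_src_addr", "user_name", "service")


def parse(line):
    """PARSE: split one raw line into a flat dict; None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"timestamp": m.group("timestamp")}
    for kv in m.group("fields").split():
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def normalize(rec):
    """NORMALIZE / VALIDATE: rename source-specific fields to the shared names
    and drop records missing anything the later stages depend on."""
    out = {"timestamp": rec["timestamp"], "result": rec.get("result")}
    for src, dst in FIELD_MAP.items():
        if src in rec:
            out[dst] = rec[src]
    return out if all(k in out for k in REQUIRED) else None


def enrich(rec):
    """ENRICH: attach geo, asset, identity and threat-intel context in one pass,
    the lookups the analyst did by hand in steps 2 to 5."""
    ip = rec["ip_src_addr"]
    rec["geo.city"], rec["geo.country"] = GEO.get(ip, ("unknown", "unknown"))
    rec["asset.hostname"] = ASSETS.get(ip, "unknown")
    rec["user.office"] = AD_OFFICE.get(rec["user_name"], "unknown")
    rec["threat_intel.hit"] = ip in THREAT_INTEL_IPS
    return rec


def label(rec):
    """LABEL: triage rules over the enriched record; the score is the highest
    rule that fired, and records scoring 50 or more become alerts."""
    fired = []
    if rec["threat_intel.hit"]:
        fired.append(("threat_intel_hit", 90))
    if rec["geo.city"] != rec["user.office"]:
        fired.append(("geo_office_mismatch", 60))
    if rec["asset.hostname"] == "unknown":
        fired.append(("unknown_asset", 40))
    rec["triage.reasons"] = [name for name, _ in fired]
    rec["triage.score"] = max((score for _, score in fired), default=0)
    rec["is_alert"] = rec["triage.score"] >= 50
    return rec


def process(lines):
    """Run the four stages; unparseable or incomplete lines are dropped."""
    out = []
    for line in lines:
        rec = parse(line)
        rec = normalize(rec) if rec else None
        if rec:
            out.append(label(enrich(rec)))
    return out


if __name__ == "__main__":
    for rec in process(RAW_LOGS):
        print(rec["user_name"], rec["ip_src_addr"], rec["triage.score"], rec["triage.reasons"])
```

The point of the shape is that enrichment happens once, at ingest, and the triage rules then read only the enriched record; the Gmail login from the threat-intel-listed IP arrives already carrying its geo, asset and directory context, which is the "single pane of glass" the next slide claims. Lines that fail to parse or lack a required field are dropped before enrichment so a malformed record cannot produce a half-enriched alert.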
Analytics
Old School vs. New School Security Controls
Old School (1-1): Email Security Rules, Firewall Rules, IDS Rules, Sandbox Rules, DLP Rules
New School (1-*): Email Classifier, Alerts Triage, Malware Family Classifier, Network Behavior Classifier, UEBA System
Analytics
Analytics maturity: Descriptive → Diagnostic → Predictive → Prescriptive
Metron Security Data Analytics Platform (on HDF and HDP)
Inputs: Deep Packet, Netflow, Appliance Logs, Alerts, Host Logs, Social Media, Chat, Forums, HR, IR, Playbook, Workflow, Mobile Devices, Machine Exhaust, IoT
Enrichments: Geo Enrich, Host Enrich, App. Enrich, Identity Enrich, Domain Enrich, Business Enrich, CMDB Enrich, Compl. Enrich
Model as a Service
Datasets: Access Logs, Malware Binaries, Sandbox, Honeypot, Deception, SaaS, Knowledge Graph, Entity Profiles, Interaction Graph, Web Mining
Use Cases: Insider Threat, Data Access Management, Breach Detection, Exfiltration, Lateral Movement, Malware Detection, Alerts Triage, Remediation
Thank You
George Vetticaden & James Sirota
Apache Metron Committers
Learn, Share at Birds of a Feather: Streaming, DataFlow & Cybersecurity
Thursday June 30, 6:30 pm, Ballroom C