Uploaded by dataworks-summithadoop-summit, posted 16-Apr-2017

Page 1: War on Stealth Cyberattacks that Target Unknown Vulnerabilities

War on Stealth Cyberattacks that Target Unknown Vulnerabilities

Investigate, Threat Scope Analysis & Forensics of Advanced Cyber Threats with Apache Metron

George Vetticaden & James Sirota, Apache Metron Committers

Page 2

2 © Hortonworks Inc. 2011 – 2016. All Rights Reserved

Use Case: Phishing Attack

Page 3

Phishing Attack on Company FOO

Page 4

Phishing Attacks

What is a Phishing Attack?

– An attack that “baits” unsuspecting workers into clicking on links in emails and unknowingly giving attackers a toehold in their employers’ systems.

From NYTIMES Article (6/13/2016)

“Phishing attacks have become an epidemic. To date, more than 90 percent of breaches have begun with a phishing attack, according to Verizon.

Intelligence experts say that phishing attacks are the preferred method of Chinese hackers who have managed to steal things as varied as nuclear propulsion technology and Silicon Valley’s most guarded software code.”

Page 5

DocuSign Phishing Attacks

What is DocuSign?

• Provides electronic signature technology and Digital Transaction Management services for facilitating electronic exchanges of contracts and signed documents.

• E.g.: If you get a new job, the offer letter will most likely be presented to you as a “DocuSign Doc” which requires an electronic signature.

What is a DocuSign Phishing Attack?

• Active phishing campaigns use fake DocuSign emails to trap employees into opening them

• These "secure doc" emails are one of the most misflagged categories of real emails

• Users have trouble figuring out whether a "secure doc" email is real or a phish

Page 6

Use Case Setup

On 4/10, an internal user named Ethan V at Company X submits a security ticket complaining about a potential “Docu-Sign” phishing email.

The details provided by Ethan V in the ticket are the following:

– Ethan receives an email from an internal employee, Sonja Lar, who works on the Equity team
– The email states that a signature is required for a new Docu-Sign document for a new stock option grant to Ethan
– There is a link in the email to the Docu-Sign document
– Ethan clicks on the link, and a login page appears
– Ethan enters his SSO credentials and submits
– On submission, nothing happens
– Ethan calls Sonja, but Sonja states she didn’t send an email
– Ethan is worried and files a help desk security ticket

A security ticket is created and assigned to the SOC team.

A SOC analyst, James, picks up the case to investigate it.

Page 7

Typical Workflow if Company Foo uses a traditional SIEM tool

Page 8

“Investigation” Workflow Steps

• Step 1: Analyst James searches in the SIEM for any events associated with the user Sonja over the last 24 hours

• Step 1 Result: Most events are coming from IP Y, but 1 event is from IP X, where she logs into Corp Google Apps Gmail.

• Step 2: James does a geo-lookup of IP X and IP Y in Maxmind

• Step 2 Result: IP X is from Ireland and IP Y is from Southern California

• Step 3: Corp Foo has offices in Ireland & Los Angeles. James files a ticket with the AD team to find the groups that Sonja belongs to.

• Step 3 Result: The groups she belongs to are only associated with Los Angeles and not Ireland

• Step 4: James logs into Foo’s Asset Mgmt system to determine which asset the IP belongs to

• Step 4 Result: IP Y is from Sonja’s workstation while IP X is an unidentified asset

• Step 5: James logs into Soltra, a threat intel aggregation service, to see if IP X has a threat intel hit.

• Step 5 Result: IP X has a threat intel hit; Sonja’s account is immediately shut down & Ethan’s credentials are reset

Story Unfolding

• Step 1 Insight: Anomalous Event – Corp Gmail was decommissioned in favor of Exchange months back and only a few users are currently using it

• Step 2 Insight: Not possible for the same user to be logging in from Ireland & Southern California at the same time.

• Step 3 Insight: Unauthorized access is occurring from Los Angeles

• Step 4 Insight: Seems like Sonja is in Southern California but someone else pretending to be her is logging in from an unidentified asset

• Step 5 Insight: Sonja’s account has been compromised. Shut it down and Ethan’s credentials have been reset. But what other users are affected like Ethan?

Systems Accessed for Investigation/Context: SIEM Search; Maxmind (IP Geo DB); AD (Identity Mgmt.); Asset Mgmt. Inventory; Soltra (Threat Intel)

Page 9

“Scope of Threat” Workflow Steps

• Step 6: Searches the SIEM for FireEye and IronPort email events associated with Sonja. The SIEM doesn’t have that info

• Step 6 Result: Need to log into FireEye and IronPort

• Step 7: Log into FireEye Email Threat Prevention Cloud & IronPort to find all emails sent from Sonja from that malicious IP

• Step 7 Result: Have a list of all users that the phishing email was sent to. Can reset the password for all those users

“Forensics” Workflow Steps

• Step 8: Logs into Cisco IronPort to determine when the attacker first compromised Sonja’s Gmail account

• Step 8 Result: On 3/26, a user from Ireland logged into Sonja’s Corp Gmail account

• Step 8 Insight: Understands when Sonja’s Gmail account was first compromised

• Step 9: Logs into Intermedia, an email archive system, to understand how the account was compromised

• Step 9 Result: Sees a set of emails where the attacker spoofed someone else’s email address, “warmed up” Sonja with a few emails and then sent an email with a link that Sonja clicked on, which stole her credentials from her chain

• Step 9 Insight: Understands how Sonja’s account got compromised

Story Unfolding (continued from the previous page)

• Step 3 Insight: Unauthorized access is occurring from Ireland

• Step 6 Insight: The SIEM doesn’t have all the FireEye email events I need to determine scope

• Step 7 Insight: Understand the scope of the threat and can contain it.

Systems Accessed for Investigation/Context: SIEM Search; Maxmind (IP Geo DB); AD (Identity Mgmt.); Asset Mgmt. Inventory; Soltra (Threat Intel)

Systems Accessed for Threat Scope: FireEye (Email Cloud Security); Cisco IronPort (Email On-Premise Security)

Systems Accessed for Forensics: Cisco IronPort (Email On-Premise Security); Intermedia (Email Archive)

Systems Accessed for Remediation: Exchange (Primary Email Service); Corp Gmail (Secondary Email Service); AD & OKTA (Identity Provider & SSO)

Page 10

The “Threat Story” the Workflow Told….

Page 11

The Challenges faced by the SOC Analyst to Create this Story…

Challenge

• The analyst had to jump from the SIEM to more than 7 different tools, which took up valuable time.

• It took more than 24 hours across 2 SOC shifts to investigate, determine scope, remediate and do further forensics/investigation.

• Half of my time was spent getting the context needed for me to create the story

• The threat was detected too late. Instead of detecting the incident on 4/9, the threat should have been detected on 3/20 when the attacker spoofed Sonja’s email address

Need

• Want a centralized view of my data so I don’t have to jump around and learn other tools

• Eliminate manual tasks to investigate a case

• Need to discover bad stuff quicker

• Need the system to create the context for me in real time

• The current static rules in the SIEM didn’t detect the threat. Need smart analytics based on:

  • User Sonja hasn’t used corp Gmail in the last 3 months

  • User Sonja can’t log in from Ireland and Southern California at the same time
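The two "smart analytics" listed above, written out as detection logic over constructed, already geo-enriched login events. This is an added example, not code from the talk or from Apache Metron; the event tuples, the 90-day dormancy window and the 900 km/h travel threshold are assumptions chosen for illustration.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed login events (user, service, ISO timestamp, lat, lon); assumed already
# geo-enriched, which is what Metron's GEO enrichment step would supply. Not real data.
LOGINS = [
    ("sonja", "gmail",    "2015-11-01T10:00:00", 34.05, -118.24),  # last legitimate Gmail use
    ("sonja", "exchange", "2016-03-20T08:00:00", 34.05, -118.24),  # Los Angeles, normal
    ("sonja", "gmail",    "2016-03-26T08:05:00", 53.35,   -6.26),  # Dublin, Ireland
    ("sonja", "exchange", "2016-03-26T08:30:00", 34.05, -118.24),  # Los Angeles, 25 min later
    ("ethan", "exchange", "2016-03-26T09:00:00", 34.05, -118.24),
]

def _ts(s):
    return datetime.fromisoformat(s)

def dormant_service_logins(logins, dormant_days=90):
    """Flag a login to a service the same user last used more than dormant_days ago
    (Sonja's Corp Gmail case). A user's first-ever login to a service is a baseline, not an alert."""
    last_seen, alerts = {}, []
    for user, service, ts, _, _ in sorted(logins, key=lambda e: e[2]):
        key = (user, service)
        if key in last_seen and (_ts(ts) - last_seen[key]).days > dormant_days:
            alerts.append((user, service, ts))
        last_seen[key] = _ts(ts)
    return alerts

def _km(lat1, lon1, lat2, lon2):
    # Great-circle distance (haversine), Earth radius 6371 km.
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def impossible_travel_logins(logins, max_kmh=900.0):
    """Flag consecutive logins by one user whose implied travel speed exceeds max_kmh
    (Ireland and Southern California within minutes of each other)."""
    prev, alerts = {}, []
    for user, service, ts, lat, lon in sorted(logins, key=lambda e: e[2]):
        if user in prev:
            p_ts, p_lat, p_lon = prev[user]
            hours = max((_ts(ts) - p_ts).total_seconds() / 3600, 1 / 60)  # floor at 1 minute
            dist = _km(p_lat, p_lon, lat, lon)
            if dist / hours > max_kmh:
                alerts.append((user, ts, round(dist)))
        prev[user] = (_ts(ts), lat, lon)
    return alerts

if __name__ == "__main__":
    print(dormant_service_logins(LOGINS))    # Sonja's Gmail login after ~5 months of silence
    print(impossible_travel_logins(LOGINS))  # Sonja in Los Angeles 25 minutes after Dublin
```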

Page 12

Same Workflow if Company Foo used Apache Metron

Page 13

Demo

Page 14

Do Investigation, Find Scope and Perform Forensics Using only Metron

Systems Accessed for Investigation/Context: Maxmind (IP Geo DB); AD (Identity Mgmt.); Asset Mgmt. Inventory; Soltra (Threat Intel)

Systems Accessed to Determine Scope: FireEye (Email Cloud Security); Cisco IronPort (Email On-Premise Security)

Systems Accessed for Forensics: Intermedia (Email Archive)

Systems Accessed for Remediation: Exchange (Primary Email Service); Corp Gmail (Secondary Email Service); AD & OKTA (Identity Provider & SSO)

Page 15

Do Investigation, Find Scope and Perform Forensics Using only Metron

Metron will make it easier and faster to find the real issues I need to act on with real-time enrichment

Provides Single Pane of Glass for Investigation, Scope Analysis and Forensics

Metron can take everything that is known about a threat and check for it in real time

For Advanced Persistent Threats (APT), Metron can model historical behavior of whoever I am impersonating and flag me as I try to deviate

Page 16

Metron Architecture

Page 17

Apache Metron Logical Architecture

Telemetry sources (via Network Tap): PCAP, NetFlow, DPI, IDS, AV, Email, Firewall, Host Logs

Real-time Processing Engine: PARSE → NORMALIZE → TAG → VALIDATE → PROCESS → ENRICH (User, Asset, Geo, WHOIS, Conn) → LABEL (threat intel from STIX, Flat Files, Aggregators, Model as a Service, Cloud Services) → ALERT → PERSIST (Alert, PCAP Store, Security Data Vault)

Data & Integration Services: Real-Time Search, Interactive Dashboards, Data Modelling, Integration Layer, PCAP Replay, Security Layer

Custom Metron UI/Portals
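The parse → normalize → enrich → label → alert stages of the logical architecture above, carried through on a constructed mail-service login line so the enrichment the analyst otherwise gathers by hand (geo, asset, threat intel) is attached automatically. This is an added illustration, not Metron's own code; the log format, the lookup tables and the alert rule are assumptions, and the output field names follow Metron's ip_src_addr / timestamp / is_alert convention.

```python
import re
from datetime import datetime, timezone

# Constructed raw telemetry lines from a hypothetical mail-service login log; not real data.
RAW_LINES = [
    "ts=2016-03-26T08:05:00Z svc=corp_gmail user=sonja src=203.0.113.77 result=success",
    "ts=2016-03-26T08:30:00Z svc=exchange user=sonja src=10.20.30.40 result=success",
    "garbage line that fails validation",
]
# Constructed lookup tables standing in for Maxmind, the asset inventory and a threat intel feed.
GEO = {"203.0.113.77": "Ireland", "10.20.30.40": "Los Angeles"}
ASSETS = {"10.20.30.40": "sonja-workstation"}
THREAT_INTEL = {"203.0.113.77"}

_LINE = re.compile(r"ts=(\S+) svc=(\S+) user=(\S+) src=(\S+) result=(\S+)")

def parse(line):
    """PARSE + VALIDATE: split a raw line into fields, or return None if it does not match."""
    m = _LINE.fullmatch(line.strip())
    if not m:
        return None
    ts, svc, user, src, result = m.groups()
    return {"ts": ts, "svc": svc, "user": user, "src": src, "result": result}

def normalize(rec):
    """NORMALIZE: common field names and an epoch-millisecond timestamp across all sources."""
    ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"timestamp": int(ts.timestamp() * 1000), "source.type": rec["svc"],
            "user": rec["user"], "ip_src_addr": rec["src"], "result": rec["result"]}

def enrich(msg):
    """ENRICH: attach geo and asset context so the analyst need not look it up by hand."""
    ip = msg["ip_src_addr"]
    msg["enrichments.geo.country"] = GEO.get(ip, "unknown")
    msg["enrichments.asset"] = ASSETS.get(ip, "unidentified")
    return msg

def label(msg):
    """LABEL + ALERT: mark threat-intel hits; alert on a hit or on an unidentified asset."""
    msg["threatintel.hit"] = msg["ip_src_addr"] in THREAT_INTEL
    msg["is_alert"] = msg["threatintel.hit"] or msg["enrichments.asset"] == "unidentified"
    return msg

def run_pipeline(lines):
    """Returns (all enriched messages for the data vault, the subset that raised an alert)."""
    msgs = [label(enrich(normalize(p))) for p in map(parse, lines) if p]
    return msgs, [m for m in msgs if m["is_alert"]]

if __name__ == "__main__":
    for alert in run_pipeline(RAW_LINES)[1]:
        print(alert)
```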

Page 18

Analytics

Page 19

Old School vs. New School Security Controls

Old School (1-1): Email Security Rules, Firewall Rules, IDS Rules, Sandbox Rules, DLP Rules

New School (1-*): Email Classifier, Alerts Triage, Malware Family Classifier, Network Behavior Classifier, UEBA System

Page 20

Analytics

Analytics maturity: Descriptive, Diagnostic, Predictive, Prescriptive

Metron Security Data Analytics Platform (on HDF and HDP)

Telemetry and data sources: Deep Packet, Netflow, Appliance Logs, Alerts, Host Logs, Access Logs, Malware Binaries, Sandbox, Honeypot, Deception, SaaS, Social Media, Email, Chat, Forums, Mobile Devices, Machine Exhaust / IoT, Datasets

Enrichments: Geo Enrich, Host Enrich, App. Enrich, Identity Enrich, Domain Enrich, Business Enrich, CMDB Enrich, Compl. Enrich

Models and context: Model as a Service, Knowledge Graph, Entity Profiles, Interaction Graph, Web Mining

Response: Playbook, Workflow, HR, IR

Use Cases: Insider Threat, Data Access Management, Breach Detection, Exfiltration, Lateral Movement, Malware Detection, Alerts Triage, Remediation

Page 21

Thank You

George Vetticaden & James Sirota, Apache Metron Committers

Page 22

Learn, Share at Birds of a Feather: Streaming, DataFlow & Cybersecurity

Thursday June 30, 6:30 pm, Ballroom C