Combating APTs With StealthWatch Slides

Upload: jimmyrogers87

Post on 04-Apr-2018


TRANSCRIPT

  • 7/31/2019 Combating APTs With StealthWatch Slides

    1/49

    Combating Advanced Persistent Threats

    with Flow-based Security Monitoring

    Jeffrey M. Wells, CCIE, CISSP

    Sr. Systems Engineer

    Lancope

    Know Your Network, Run Your Business

    Thank you for joining. We will begin shortly.


    2/49

    Poll Question

    What is your organization's top security concern?

    A. Insider Threats

    B. Advanced Persistent Threats (Directed Attacks)

    C. Virtualization / Cloud Computing

    D. IT Consumerization / User Mobility / BYOD

    E. Compliance

    © 2011 Lancope, Inc. All Rights Reserved. Company Confidential (not for distribution)


    3/49

    What is an Advanced Persistent Threat?



    4/49

    What is an Advanced Persistent Threat?

    Examples: Operation Aurora against Google and at least 20 other large companies in 2009, the HBGary attack, the RSA attack against over 700 companies over 2011


    It's Advanced

    in that the attacker uses the full spectrum of available tools, including social engineering, to accomplish his or her goals. The toolset and methods mean these will likely evade traditional signature-based detection methods.

    It's Persistent

    in that the attacker defines a target and then focuses resources on that target, rather than casting a net in the dark. This is what makes this type of attack so dangerous. Rather than playing the odds, one must actively defend oneself from it.

    It's a Threat

    this should be self-explanatory.


    5/49

    Anatomy of an APT attack - HBGary

    HBGary was attacked by Anonymous in February 2011 in response to provocation by an HBGary employee.

    HBGary Federal sought to out WikiLeaks and the associated Anonymous hacker organization.

    Anonymous finds out and launches a full frontal assault on HBGary: HBGary website defaced, emails stolen, backups deleted, Twitter and LinkedIn accounts hacked, etc.

    Massive damage to HBGary's reputation.

    Cleanup could take weeks or months.


    HBGary vs. Anonymous: story by Ars Technica: http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars


    6/49

    Anatomy of an APT attack - RSA

    In February 2011 RSA was subjected to an attack by Chinese hackers.

    RSA suffered enormous brand damage and was forced to replace existing tokens in the field.

    Read more: http://blogs.rsa.com/rivner/anatomy-of-an-attack/


    Footnote: this attack was repeated against hundreds of other companies, as revealed last Fall by the FBI.


    7/49

    APTs in the news



    8/49

    APTs are here to stay

    Facts:

    APTs are an evolution of cybercrime. They are the beginnings of truly organized behavior designed to cost you money.

    APTs are proliferating. There are many, many examples, and they target pretty much every large company.

    APTs evade traditional detection.

    Many companies do not discover that they've been targeted until long after it's over.



    9/49

    APT characteristics for the investigator

    An APT will generally involve:

    Information gathering via social media and Google search. It is via this that the targets for the social engineering phase are identified.

    Exploit of common vulnerabilities in support of the above.

    Targeted social engineering attacks against identified users.

    Compromise of one or more internal machines and installation of remote control software of some kind.

    Data mining from the inside.

    Exfiltration of data.


    Network-based APT detection boils down to discovering the command-and-control connections, the data mining, and the exfiltration activity. As with all attacks, success is measured by the time elapsed between attack and discovery.


    10/49

    APT Survey by Ponemon Institute, June 2010

    Prevention and detection of advanced threats is difficult. Organizations risk a costly data breach because detection of an advanced threat takes too long. 80 percent of respondents say it takes a day or longer to detect an advanced threat and 46 percent say it takes 30 days or longer. This leaves a huge window of opportunity to steal confidential or sensitive information. In addition, 79 percent believe that advanced threats are very difficult to prevent, detect and resolve.

    The most effective technologies have yet to be deployed. 92 percent of respondents believe network and traffic intelligence solutions are essential, very important or important. Yet, only 8 percent say these technologies are their first choice to detect or prevent an advanced threat. 69 percent of respondents say that AV and 61 percent of respondents say that IDS are typically used to detect or discover advanced threats. Yet, 90 percent report that exploits or malware have either evaded their IDS systems or they are unsure. 91 percent say that exploits and malware have evaded their AV systems or they are unsure. The same percentage (91 percent) believes exploits bypassing their IDS and AV systems to be advanced threats.



    11/49

    User Behavior

    Diagram labels: DMZ, Internal Network, Internet.

    This goes on, day after day...

    And then: FTP to foreign destination.

    This is a Behavioral Anomaly.
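The "day after day, and then..." idea above is the whole point of behavioural detection, so here it is as working code. This is an added example, not Lancope or StealthWatch code: it learns, per internal host, which (service, destination country) pairs the host normally produces during a training window, then flags any flow that falls outside that history, such as the FTP session to a foreign destination on the slide. The flow records, the IP-to-country table and the port-to-service table are all constructed for the demo.

```python
"""Per-host behavioural baseline from flow records.

Added example; not Lancope/StealthWatch code. Learns which
(service, destination country) pairs each internal host normally
produces during a training window, then flags flows outside that
history. Flow records, the IP-to-country table and the port table
are constructed for the demo.
"""
from collections import defaultdict

# Constructed stand-in for a GeoIP lookup (assumption).
IP_TO_COUNTRY = {
    "203.0.113.10": "US",
    "203.0.113.20": "US",
    "198.51.100.5": "DE",
    "192.0.2.77": "CN",
}

# Constructed port-to-service table, used only for readable alert text.
PORT_TO_SERVICE = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 443: "https"}


def service_of(flow):
    return PORT_TO_SERVICE.get(flow["dport"], f'{flow["proto"]}/{flow["dport"]}')


def country_of(ip):
    return IP_TO_COUNTRY.get(ip, "unknown")


def build_baseline(flows):
    """Map each source host to the set of (service, country) pairs seen in training."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f["src"]].add((service_of(f), country_of(f["dst"])))
    return dict(baseline)


def find_anomalies(baseline, flows):
    """Return the flows whose (service, country) pair is new for their source host."""
    alerts = []
    for f in flows:
        key = (service_of(f), country_of(f["dst"]))
        if key not in baseline.get(f["src"], set()):
            alerts.append({"src": f["src"], "dst": f["dst"],
                           "service": key[0], "country": key[1], "bytes": f["bytes"]})
    return alerts


def flow(src, dst, dport, byte_count, proto="tcp"):
    return {"src": src, "dst": dst, "dport": dport, "proto": proto, "bytes": byte_count}


# Constructed training window: the same user doing the same things, day after day.
TRAINING_FLOWS = []
for _day in range(30):
    TRAINING_FLOWS += [
        flow("10.1.100.5", "203.0.113.10", 443, 120_000),   # web browsing, US
        flow("10.1.100.5", "203.0.113.20", 80, 40_000),     # more browsing, US
        flow("10.1.100.5", "198.51.100.5", 443, 90_000),    # SaaS tenant in DE
    ]

# Constructed "and then..." day: the usual traffic plus one FTP session to a new country.
TODAY_FLOWS = [
    flow("10.1.100.5", "203.0.113.10", 443, 130_000),
    flow("10.1.100.5", "203.0.113.20", 443, 80_000),        # new server, same service/country: fine
    flow("10.1.100.5", "192.0.2.77", 21, 250_000_000),      # FTP to CN: never seen before
]


def todays_alerts():
    return find_anomalies(build_baseline(TRAINING_FLOWS), TODAY_FLOWS)


if __name__ == "__main__":
    for a in todays_alerts():
        print(f'{a["src"]} -> {a["dst"]} {a["service"]} ({a["country"]}) '
              f'{a["bytes"]} bytes: behavioural anomaly')
```

The baseline key deliberately generalises from destination IP to destination country, so a user hitting a new server of a service they already use is not flagged, while a protocol or country the host has never used is.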


    12/49


    13/49

    Brains and Computers

    Our brains happen to be good at focusing on detail or recognizing patterns in limited datasets, but very bad at dealing with huge amounts of rapidly-evolving data at once.

    Computers, on the other hand, do not suffer from this limitation.



    14/49

    Email interconnection graph


    This is a network of devices speaking SMTP. If they spoke something else it would be trivial to detect, as long as we were focusing on this network as a group and not trying to watch all the other systems that live alongside these devices.


    15/49

    Typical Corporate Environment

    Diagram labels: DMZ, VPN, Internal Network, Internet, and several 3G / Internet uplinks.

    Even though it seems difficult to enumerate the protocols and behaviors on such a network, a statistical system can do so with ease.


    16/49

    APT Detection Objectives and Requirements

    Objectives:

    Discover APT behavior as rapidly as possible

    Discover compromised machines in my environment

    Discover potential exfiltrations of data

    Some sort of scoring or prioritization of alarms to direct response

    Requirements:

    Need data sources

    Need collection infrastructure

    Need analysis infrastructure

    Need reporting and alerting engine

    Potential data sources:

    SYSLOG, IDS/IPS probes, distributed data capture, SNMP, RMON probes, host AV/AS agents, host IDS/IPS agents

    NetFlow



    17/49

    Data Source Caveats

    SYSLOG: Very painful to parse due to the vast number of different potential messages. May or may not contain what you need.

    IDS/IPS probes: Expensive to install and maintain; reliance on signature-based technologies makes them less useful for APT detection.

    Distributed data capture: Extremely expensive to install and maintain, large amount of hardware required, very inefficient: most of the useful information comes from a tiny percentage of the gathered data.

    SNMP: Not enough information on its own to be particularly useful, very slow.

    RMON: Expensive to install and maintain, limited support.

    Host agents: Expensive to install and maintain; reliance on signature-based technologies not particularly useful; proprietary data output difficult to integrate and correlate; host context limits understanding of network behavior.

    Flow-based technology: May not be supported by all of your network hardware.



    18/49


    19/49

    Major advantages of flow-based telemetry

    Fixed and highly-standardized records: easy to create, transport, compress and parse.

    Generated by the network hardware you already own.

    Generation not specifically limited by topology or data rates.

    Simple record types lend themselves to rapid and near-real-time analysis on even the biggest, busiest networks.

    Most visibility objectives achievable with no need for probes or signatures.

    Generation technology eliminates evasion techniques: all network traffic will generate flow data for analysis.

    Can easily be correlated to other data sources to enrich the results.
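To make "fixed and highly-standardized records, easy to parse" concrete, here is a parser for a NetFlow v5 export datagram. This is an added example, not Lancope's or Cisco's code: v5 is a fixed binary layout (a 24-byte header followed by up to 30 records of 48 bytes each), so a few struct format strings are all the decoding takes. The datagram fed to the parser is constructed inside the file so it runs offline; the record layout itself is the published v5 format.

```python
"""Parse a NetFlow v5 export datagram.

Added example; not Lancope's or Cisco's code. The sample datagram is
constructed in sample_datagram() so the parser runs offline.
"""
import socket
import struct

# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval (all big-endian).
HEADER_FMT = "!HHIIIIBBH"
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2.
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24 bytes
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48 bytes
MAX_RECORDS = 30

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def _ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def parse_netflow_v5(datagram):
    """Return (header, records) as dicts; raise ValueError on a malformed datagram."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than the v5 header")
    (version, count, uptime, secs, nsecs, seq,
     engine_type, engine_id, sampling) = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if count > MAX_RECORDS or len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    header = {"version": version, "count": count, "sys_uptime_ms": uptime,
              "unix_secs": secs, "flow_sequence": seq, "engine": (engine_type, engine_id),
              "sampling_interval": sampling & 0x3FFF}  # low 14 bits hold the interval
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, _nexthop, inp, out, pkts, octets, first, last, sport, dport,
         _pad1, flags, prot, _tos, _sas, _das, _smask, _dmask, _pad2) = struct.unpack(
            RECORD_FMT, datagram[off:off + RECORD_LEN])
        records.append({
            "src": _ip(src), "dst": _ip(dst), "sport": sport, "dport": dport,
            "proto": PROTO_NAMES.get(prot, str(prot)), "packets": pkts, "bytes": octets,
            "duration_ms": last - first, "tcp_flags": flags, "in_if": inp, "out_if": out,
        })
    return header, records


def build_record(src, dst, sport, dport, prot, pkts, octets, first, last, flags):
    """Encode one v5 record; used only to construct the sample datagram below."""
    def ip_int(s):
        return struct.unpack("!I", socket.inet_aton(s))[0]
    return struct.pack(RECORD_FMT, ip_int(src), ip_int(dst), 0, 1, 2, pkts, octets,
                       first, last, sport, dport, 0, flags, prot, 0, 0, 0, 24, 24, 0)


def sample_datagram():
    """Constructed export: a short HTTPS session and a long FTP transfer from one host."""
    records = [
        build_record("10.1.100.5", "203.0.113.10", 51000, 443, 6, 40, 6_000, 1_000, 2_500, 0x1B),
        build_record("10.1.100.5", "192.0.2.77", 51001, 21, 6, 180_000, 250_000_000,
                     1_000, 181_000, 0x1B),
    ]
    header = struct.pack(HEADER_FMT, 5, len(records), 181_000, 1_300_000_000, 0, 0, 0, 0, 0)
    return header + b"".join(records)


if __name__ == "__main__":
    hdr, recs = parse_netflow_v5(sample_datagram())
    print(f"v{hdr['version']} export with {hdr['count']} records")
    for r in recs:
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} {r['proto']} "
              f"{r['bytes']} bytes over {r['duration_ms']} ms")
```

The length check before unpacking matters in practice: a collector listens on UDP from many exporters, and a truncated or forged datagram should be rejected rather than parsed into garbage records.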



    20/49

    Example: NetFlow Technology in a Cisco environment

    Diagram: sites in Atlanta, San Jose and New York, a DMZ, the Datacenter and the WAN, with NetFlow exported from each device (ASR-1000, Cat6k, Cat4k, ASA, 3925 ISR, 3560-X, 3750-X stacks, UCS with Nexus 1000v) to the Lancope NetFlow Collector.


    21/49

    NetFlow at 10G+

    Diagram: Lancope NetFlow Collector.


    22/49

    NetFlow Collection in the WAN

    Diagram: Lancope NetFlow Collector.


    23/49


    24/49


    25/49


    26/49



    27/49

    Detection of anomalous behavior. Circa 2003!



    28/49

    Manual analysis

    Deduplicated Host Groups provide the basis for many Reports, Baselines, Top N lists, etc.


    29/49

    Manual analysis, continued

    5 hour 6 Mbps ssh connection?



    30/49

    Flow Statistical Analysis



    31/49

    StealthWatch Threat Indexes: Attack Detection Without Sigs


    StealthWatch tracks not only the statistical behavior of normal traffic, but also the behavior of well over a hundred specific network traffic patterns. Concern points are generated by anomalous changes in any and all of these.

    Examples: number of new connections to or from a device. Connection attempts that go unanswered (common in scanning). New ports seen. Number of clients for a server or service. Rejected traffic. Long-lived connections.

    StealthWatch also alerts when the concern index itself changes.

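The concern-index idea above, and the "5 hour 6 Mbps ssh connection?" from the manual-analysis slide, can be shown as a small signature-free scoring pass over flow records. This is an added example, not StealthWatch's own logic: each tracker compares a host's traffic today with a baseline learned from an earlier window and adds concern points when it deviates, covering four of the patterns the slide names (new connections, unanswered connection attempts, new ports, long-lived connections) plus an alert when a host's index jumps. The weights, the one-hour long-lived threshold, the 3x connection ratio and the flow samples are assumptions made for the demo.

```python
"""Signature-free concern index computed from flow records.

Added example; not StealthWatch's own logic. Weights, thresholds and
flow samples are assumptions made for the demo.
"""
from collections import defaultdict

# TCP flag bits as NetFlow accumulates them in the per-flow tcp_flags byte.
SYN, ACK = 0x02, 0x10

WEIGHTS = {"connections": 2, "unanswered": 5, "new_port": 10, "long_lived": 20}  # assumption
LONG_LIVED_MS = 60 * 60 * 1000   # an hour or longer counts as long-lived (assumption)
CONNECTION_RATIO = 3             # score when today's count exceeds 3x the baseline (assumption)


def learn_baseline(flows):
    """Per source host: connection count in the window and the (proto, dport) pairs used."""
    conns, ports = defaultdict(int), defaultdict(set)
    for f in flows:
        conns[f["src"]] += 1
        ports[f["src"]].add((f["proto"], f["dport"]))
    return {"conns": dict(conns), "ports": dict(ports)}


def concern_index(baseline, flows):
    """Return {host: {"ci": points, "reasons": [...]}} for every host that earned points."""
    conns, unanswered = defaultdict(int), defaultdict(int)
    new_ports, long_lived = defaultdict(set), defaultdict(int)
    for f in flows:
        h = f["src"]
        conns[h] += 1
        # Unidirectional record whose client only ever sent SYN: nobody answered.
        if f["proto"] == "tcp" and f["tcp_flags"] & SYN and not f["tcp_flags"] & ACK:
            unanswered[h] += 1
        if (f["proto"], f["dport"]) not in baseline["ports"].get(h, set()):
            new_ports[h].add((f["proto"], f["dport"]))
        if f["duration_ms"] >= LONG_LIVED_MS:
            long_lived[h] += 1
    result = {}
    for h in conns:
        points, reasons = 0, []
        usual = baseline["conns"].get(h, 0)
        if conns[h] > CONNECTION_RATIO * max(usual, 1):
            points += WEIGHTS["connections"] * (conns[h] - usual)
            reasons.append(f"{conns[h]} connections, baseline {usual}")
        if unanswered[h]:
            points += WEIGHTS["unanswered"] * unanswered[h]
            reasons.append(f"{unanswered[h]} unanswered connection attempts")
        if new_ports[h]:
            points += WEIGHTS["new_port"] * len(new_ports[h])
            reasons.append(f"new ports {sorted(new_ports[h])}")
        if long_lived[h]:
            points += WEIGHTS["long_lived"] * long_lived[h]
            reasons.append(f"{long_lived[h]} connection(s) longer than {LONG_LIVED_MS // 60000} min")
        if points:
            result[h] = {"ci": points, "reasons": reasons}
    return result


def ci_changes(previous, current, step=50):
    """Hosts whose concern index rose by at least `step` since the last evaluation."""
    return sorted(h for h in current
                  if current[h]["ci"] - previous.get(h, {"ci": 0})["ci"] >= step)


def flow(src, dst, dport, duration_ms, tcp_flags=0x1B, proto="tcp"):
    return {"src": src, "dst": dst, "dport": dport, "proto": proto,
            "duration_ms": duration_ms, "tcp_flags": tcp_flags}


# Constructed baseline window: an admin workstation browsing and doing short SSH sessions.
BASELINE_FLOWS = [flow("10.1.100.5", "203.0.113.10", 443, 2_000) for _ in range(5)] + \
                 [flow("10.1.100.5", "10.1.20.9", 22, 120_000) for _ in range(2)]

# Constructed "today": the same workstation holds an SSH session open for five hours, and a
# host never seen before sends 40 lone SYNs to port 445 across the server subnet.
TODAY_FLOWS = [flow("10.1.100.5", "203.0.113.10", 443, 2_000) for _ in range(3)] + \
              [flow("10.1.100.5", "10.1.20.9", 22, 5 * 60 * 60 * 1000)] + \
              [flow("10.1.100.7", f"10.1.20.{i}", 445, 0, tcp_flags=SYN) for i in range(1, 41)]


def todays_concern():
    return concern_index(learn_baseline(BASELINE_FLOWS), TODAY_FLOWS)


if __name__ == "__main__":
    for host, entry in sorted(todays_concern().items(), key=lambda kv: -kv[1]["ci"]):
        print(host, entry["ci"], "; ".join(entry["reasons"]))
```

Note that none of the trackers looks at payload or signatures: the scanning host is scored purely from lone-SYN records and a port it never used before, and the five-hour SSH session is scored on duration alone, which is exactly the property the slide claims for flow-based detection.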


    32/49

    Target and specialized protocol tracking

    StealthWatch pays particular attention to hosts touched by a host with high concern.

    StealthWatch creates Target Index reporting for these hosts, including Touched Hosts and Touched Hosts with high CI.

    StealthWatch has special handling for protocols commonly used for file sharing.

    StealthWatch has special logic to watch for and alert on worm behavior.

    All of these are completely automatic, out-of-the-box capabilities of the system.


    33/49

    Host Group tracking


    Creating host groups by function, type or location allows the system to easily spot and track anomalous behavior for hosts with high degrees of inherent predictability. The system will, for example, automatically tell you when your web servers have stopped behaving like web servers.


    34/49

    Relational Flow Maps

    The powerful Relational Flow Mapping feature allows you to track the relationships between your host groups as well as their relationships to external groups, whether they are business partners, Internet hosts, countries, or suspicious hosts from threat feeds. Once the relationship is established, StealthWatch automatically creates a statistical baseline and applies its powerful anomaly detection logic to the relationship.
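Host group tracking (previous slide) and relational flow maps (this slide) are two views of the same mechanism, so one added example serves both. This is not StealthWatch's own implementation: hosts are assigned to functional groups by address range, flows are aggregated into bytes per (source group, destination group) per day to form the relational flow map, a mean and standard deviation are learned for each relationship over the training days, and a day is flagged when a relationship deviates by more than k standard deviations or appears for the first time (the web server group opening connections to Internet hosts is the "web servers not behaving like web servers" case). The group definitions, the k value, the 5% floor on sigma and all flow samples are constructed for the demo.

```python
"""Host groups and relational flow map baselines.

Added example; not StealthWatch's own implementation. Group definitions,
k, the sigma floor and all flow samples are constructed for the demo.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed host groups by function (assumption): CIDR -> group name.
HOST_GROUPS = [
    (ip_network("10.1.10.0/24"), "Web Servers"),
    (ip_network("10.1.20.0/24"), "Database Servers"),
    (ip_network("10.1.100.0/22"), "User LAN"),
]


def group_of(ip):
    addr = ip_address(ip)
    for net, name in HOST_GROUPS:
        if addr in net:
            return name
    return "Outside Hosts"


def relational_flow_map(flows):
    """{(src_group, dst_group): {day: total_bytes}}: the relational flow map."""
    rfm = defaultdict(lambda: defaultdict(int))
    for f in flows:
        rfm[(group_of(f["src"]), group_of(f["dst"]))][f["day"]] += f["bytes"]
    return rfm


def learn_baseline(training_flows):
    """Per relationship: (mean bytes/day, stdev) over the training days, zero-filled."""
    rfm = relational_flow_map(training_flows)
    days = sorted({f["day"] for f in training_flows})
    baseline = {}
    for rel, per_day in rfm.items():
        series = [per_day.get(d, 0) for d in days]
        baseline[rel] = (mean(series), pstdev(series))
    return baseline


def evaluate_day(baseline, flows, day, k=3.0, floor_ratio=0.05):
    """Return [(relationship, observed_bytes, reason)] for anomalies on `day`."""
    alerts = []
    observed = {rel: per_day[day]
                for rel, per_day in relational_flow_map(flows).items() if per_day.get(day)}
    for rel, nbytes in sorted(observed.items()):
        if rel not in baseline:
            alerts.append((rel, nbytes, "relationship never seen during baseline"))
            continue
        mu, sigma = baseline[rel]
        # A perfectly flat baseline would make any change infinite sigma; floor it (assumption).
        sigma = max(sigma, floor_ratio * mu)
        z = (nbytes - mu) / sigma if sigma else 0.0
        if abs(z) > k:
            alerts.append((rel, nbytes, f"{z:+.1f} sigma from baseline mean {mu:.0f}"))
    return alerts


def flow(day, src, dst, mb):
    return {"day": day, "src": src, "dst": dst, "bytes": mb * 1_000_000}


MB = [100, 110, 90, 105, 95]  # day-to-day variation used for the constructed baseline
TRAINING_FLOWS = []
for _day, _mb in enumerate(MB, start=1):
    TRAINING_FLOWS += [
        flow(_day, "10.1.100.20", "10.1.10.5", _mb),            # users -> web servers
        flow(_day, "10.1.10.5", "10.1.20.9", 50),               # web servers -> database, flat
        flow(_day, "10.1.100.21", "203.0.113.10", _mb + 100),   # users -> Internet
    ]

# Constructed day 6: normal user traffic, a 7x jump in user-LAN uploads to the Internet,
# and the web server group making outbound connections to an Internet host.
DAY6_FLOWS = [
    flow(6, "10.1.100.20", "10.1.10.5", 105),
    flow(6, "10.1.10.5", "10.1.20.9", 55),
    flow(6, "10.1.100.21", "203.0.113.10", 1500),
    flow(6, "10.1.10.7", "192.0.2.77", 300),
]


def day6_alerts():
    return evaluate_day(learn_baseline(TRAINING_FLOWS), DAY6_FLOWS, day=6)


if __name__ == "__main__":
    for rel, nbytes, reason in day6_alerts():
        print(f"{rel[0]} -> {rel[1]}: {nbytes / 1e6:.0f} MB, {reason}")
```

Two things to notice: the web-to-database relationship that grew from 50 MB to 55 MB is not flagged (the floor keeps a flat baseline from turning a 10% change into an alert), while a relationship that never existed in the baseline is flagged regardless of volume, which is how group membership gives predictable hosts their tight profile.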


    35/49


    36/49


    37/49

    Drill down from anywhere to any level of detail


    Every object is active and can be used as a starting point to drill in for investigation.


    38/49

    Enhanced Application Monitoring

    Accelerates troubleshooting and forensic investigations

    Quickly differentiate between applications

    Easily determine which applications are causing performance or security problems

    Displays URL information in flow records

    Identifies hostname of the server and error messages within the flow


    4/18/2012


    39/49

    Other resources for detection of anomalous behavior

    Figure: Botnet - 315,000 nodes, 3 billion connections


    40/49

    Threat feed correlation and host locking


    41/49

    Putting it all together:

    Detection Examples


    42/49


    Knowing Will Help Decision Making

    Is there internal spreading malware?


    43/49

    Knowing Will Help Decision Making

    Bot Detection:

    Are there bot infected hosts within the network?


    44/49

    Knowing Will Help Decision Making

    Suspect Data Loss:

    Is there any sensitive data being uploaded to the Internet?


    45/49

    Knowing Will Help Decision Making

    Reconnaissance Detection:

    What hosts are trying to find resources to compromise?


    46/49

    Quick Recap

    NetFlow analysis gives us APT defense via:

    A PROVEN, time-honored, end-to-end rich view of every conversation

    Topology independence

    Deep statistical analysis and alerting

    Very high performance and scale

    Flow telemetry is available from all over the network:

    Routers

    Switches

    Load Balancers

    Firewalls

    FlowSensors

    Even the virtual network!

    Once you've enabled flow collection you can...

    Gain deep traffic analysis and network visibility

    Detect attacks and network anomalies faster

    Investigate incidents and build up operational context


    47/49

    Next Steps


    Contact Lancope:

    Jeffrey M. Wells

    [email protected]

    Lancope

    [email protected]

    Lancope Marketing

    [email protected]

    Visit Lancope for a live demonstration of

    the StealthWatch System @

    InfoSecurity Europe booth F61

    Cisco Live US booth 944

    Thank You


    48/49

    Thank You

    Web: http://www.lancope.com

    Blog: http://netflowninjas.lancope.com

    Twitter: @netflowninjas

    LinkedIn: NetFlow Ninjas, http://www.linkedin.com/groups?about=&gid=2261596&trk=anet_ug_grppro

    NetFlow Ninjas Challenge

    http://www.lancope.com/netflow-ninja-quiz


    49/49

    Q&A