combating apts with stealthwatch slides
TRANSCRIPT
-
7/31/2019 Combating APTs With StealthWatch Slides
1/49
Combating Advanced Persistent Threats
with Flow-based Security Monitoring
Jeffrey M. Wells, CCIE, CISSP
Sr. Systems Engineer
Lancope
Know Your Network, Run Your Business
Thank you for joining. We will begin shortly.
-
Poll Question
What is your organization's top security concern?
A. Insider Threats
B. Advanced Persistent Threats (Directed Attacks)
C. Virtualization / Cloud Computing
D. IT Consumerization / User Mobility / BYOD
E. Compliance
2 2011 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
-
What is an Advanced Persistent Threat?
-
What is an Advanced Persistent Threat?
Examples: Operation Aurora against Google and at least 20 other large companies in 2009, the HBGary attack, the RSA attack against over 700 companies over 2011.
It's Advanced in that the attacker uses the full spectrum of available tools, including social engineering, to accomplish his or her goals. The toolset and methods mean these will likely evade traditional signature-based detection methods.
It's Persistent in that the attacker defines a target and then focuses resources on that target, rather than casting a net in the dark. This is what makes this type of attack so dangerous. Rather than playing the odds, one must actively defend oneself from it.
It's a Threat: this should be self-explanatory.
-
Anatomy of an APT attack - HBGary
HBGary was attacked by Anonymous in February 2011 in response to provocation by an HBGary employee.
HBGary Federal sought to out WikiLeaks and the associated Anonymous hacker organization.
Anonymous finds out and launches a full frontal assault on HBGary: HBGary website defaced, emails stolen, backups deleted, Twitter and LinkedIn accounts hacked, etc.
Massive damage to HBGary's reputation.
Cleanup could take weeks or months.
HBGary vs. Anonymous: Story by Ars Technica: http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars
-
Anatomy of an APT attack - RSA
In February 2011 RSA was subjected to an attack by Chinese hackers.
RSA suffered enormous brand damage and was forced to replace existing tokens in the field.
Read more: http://blogs.rsa.com/rivner/anatomy-of-an-attack/
Footnote: this attack was repeated against hundreds of other companies, as revealed last Fall by the FBI.
-
APTs in the news
-
APTs are here to stay
Facts:
APTs are an evolution of cybercrime. They are the beginnings of truly organized behavior designed to cost you money.
APTs are proliferating. There are many, many examples, and they target pretty much every large company.
APTs evade traditional detection.
Many companies do not discover that they've been targeted until long after it's over.
-
APT characteristics for the investigator
APT will generally involve:
Information gathering via social media and Google search. It is via this that the targets for the social engineering phase are identified.
Exploit of common vulnerabilities in support of the above.
Targeted social engineering attacks against identified users.
Compromise of one or more internal machines and installation of remote control software of some kind.
Data mining from the inside.
Exfiltration of data.
Network-based APT detection boils down to discovering the command-and-control connections, the data mining, and the exfiltration activity. As with all attacks, success is measured by the time lapsed between attack and discovery.
-
APT Survey by Ponemon Institute, June 2010
Prevention and detection of advanced threats is difficult. Organizations risk a costly data breach because detection of an advanced threat takes too long. 80 percent of respondents say it takes a day or longer to detect an advanced threat and 46 percent say it takes 30 days or longer. This leaves a huge window of opportunity to steal confidential or sensitive information. In addition, 79 percent believe that advanced threats are very difficult to prevent, detect and resolve.
The most effective technologies have yet to be deployed. 92 percent of respondents believe network and traffic intelligence solutions are essential, very important or important. Yet, only 8 percent say these technologies are their first choice to detect or prevent an advanced threat. 69 percent of respondents say that AV and 61 percent of respondents say that IDS are typically used to detect or discover advanced threats. Yet, 90 percent report that exploits or malware have either evaded their IDS systems or they are unsure. 91 percent say that exploits and malware have evaded their AV systems or they are unsure. The same percentage (91 percent) believes exploits bypassing their IDS and AV systems to be advanced threats.
-
User Behavior
(Diagram: a user on the Internal Network talking through the DMZ to the Internet.)
This goes on, day after day.
And then: FTP to foreign destination.
This is a Behavioral Anomaly.
-
Brains and Computers
Our brains happen to be good at focusing on detail or recognizing patterns in
limited datasets but very bad at dealing with huge amounts of rapidly-evolving
data at once.
Computers, on the other hand, do not suffer from this limitation.
-
Email interconnection graph
14 2011 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
This is a network of devices speaking SMTP. If they spoke something else it would be trivial to detect, as long as we were focusing on this network as a group and not trying to watch all the other systems that live alongside these devices.
-
Typical Corporate Environment
(Diagram: DMZ, VPN, Internal Network, Internet, and several 3G Internet links.)
Even though it seems difficult to enumerate the protocols and behaviors on such a network, a statistical system can do so with ease.
-
APT Detection Objectives and Requirements
Objectives:
Discover APT behavior as rapidly as possible
Discover compromised machines in my environment
Discover potential exfiltrations of data
Some sort of scoring or prioritization of alarms to direct response
Requirements:
Need data sources
Need collection infrastructure
Need analysis infrastructure
Need reporting and alerting engine
Potential data sources:
SYSLOG, IDS/IPS probes, distributed data capture, SNMP, RMON probes, host AV/AS agents, host IDS/IPS agents
NetFlow
-
Data Source Caveats
SYSLOG: Very painful to parse due to the vast number of different potential messages. May or may not contain what you need.
IDS/IPS probes: Expensive to install and maintain; reliance on signature-based technologies makes them less useful for APT detection.
Distributed data capture: Extremely expensive to install and maintain, large amount of hardware required, very inefficient: most of the useful information comes from a tiny percentage of the gathered data.
SNMP: Not enough information on its own to be particularly useful, very slow.
RMON: Expensive to install and maintain, limited support.
Host agents: Expensive to install and maintain; reliance on signature-based technologies not particularly useful; proprietary data output difficult to integrate and correlate; host context limits understanding of network behavior.
Flow-based technology: May not be supported by all of your network hardware.
-
Major advantages of flow-based telemetry
Fixed and highly-standardized records: easy to create, transport, compress and parse.
Generated by the network hardware you already own.
Generation not specifically limited by topology or data rates.
Simple record types lend themselves to rapid and near-real-time analysis on even the biggest, busiest networks.
Most visibility objectives achievable with no need for probes or signatures.
Generation technology eliminates evasion techniques. All network traffic will generate flow data for analysis.
Can easily be correlated to other data sources to enrich the results.
-
Example: NetFlow Technology in a Cisco environment
(Diagram: NetFlow exported from ASR-1000, Cat6k, Cat4k, 3750-X stacks, 3560-X, 3925 ISR, ASA and UCS with Nexus 1000v across the DMZ, Internet, WAN, Datacenter and the Atlanta, San Jose and New York sites to a Lancope NetFlow Collector.)
-
NetFlow at 10G+
(Diagram: Lancope NetFlow Collector.)
-
NetFlow Collection in the WAN
(Diagram: Lancope NetFlow Collector.)
-
Detection of anomalous behavior. Circa 2003!
-
Manual analysis
Deduplicated Host Groups provide the basis for many Reports, Baselines, Top N lists, etc.
-
Manual analysis, continued
5 hour 6 Mbps ssh connection?
-
Flow Statistical Analysis
-
StealthWatch Threat Indexes: Attack Detection Without Sigs
StealthWatch tracks not only the statistical behavior of normal traffic, but also the behavior of well over a hundred specific network traffic patterns. Concern points are generated by anomalous changes in any and all of these.
Examples: number of new connections to or from a device. Connection attempts that go unanswered (common in scanning). New ports seen. Number of clients for a server or service. Rejected traffic. Long-lived connections.
StealthWatch also alerts when the concern index itself changes.
-
Target and specialized protocol tracking
StealthWatch pays particular attention to hosts touched by a host with high concern.
StealthWatch creates Target Index reporting for these hosts, including Touched Hosts and Touched Hosts with high CI.
StealthWatch has special handling for protocols commonly used for file sharing.
StealthWatch has special logic to watch for and alert on worm behavior.
All of these are completely automatic, out-of-the-box capabilities of the system.
-
Host Group tracking
Creating host groups by function, type or location allows the system to easily spot and track anomalous behavior for hosts with high degrees of inherent predictability. The system will, for example, automatically tell you when your Web servers have stopped behaving like Web servers.
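As an added illustration (not StealthWatch or Lancope code), the Python below scores hosts on the indicator types listed on the Threat Indexes slide (unanswered connection attempts, new ports seen, long-lived connections) and applies the host-group idea above (a host in the Web servers group initiating non-web traffic), then orders the alarms for response. The flow record layout, the host group, the per-host port baselines, the thresholds and the point values are all constructed assumptions, not StealthWatch's.

```python
# Added example, not Lancope/StealthWatch code: a toy "concern index" computed
# from unidirectional NetFlow-style records. Point values, the record layout,
# the host group and the per-host port baselines are constructed assumptions.
from collections import defaultdict

# Constructed sample flows: src,dst,dport,proto,tcp_flags,packets,bytes,duration_s.
# .20 browses normally then holds a 5 hour SSH session at 6 Mbps; .21 sends lone
# SYNs to five neighbours on 445; .30 is a "web server" that starts an FTP upload.
SAMPLE_FLOWS = """\
10.1.1.20,203.0.113.7,443,tcp,SA,800,600000,12
10.1.1.20,203.0.113.8,443,tcp,SA,400,300000,9
10.1.1.20,192.0.2.9,22,tcp,SA,90000,13500000000,18000
10.1.1.21,10.1.2.5,445,tcp,S,1,60,0
10.1.1.21,10.1.2.6,445,tcp,S,1,60,0
10.1.1.21,10.1.2.7,445,tcp,S,1,60,0
10.1.1.21,10.1.2.8,445,tcp,S,1,60,0
10.1.1.21,10.1.2.9,445,tcp,S,1,60,0
10.1.1.30,198.51.100.4,21,tcp,SA,3000,120000000,700
10.1.1.30,10.1.1.22,80,tcp,SA,20,12000,3
"""
HOST_GROUPS = {"10.1.1.30": "webservers"}          # hypothetical group membership
BASELINE_PORTS = {"10.1.1.20": {443}, "10.1.1.21": {445}, "10.1.1.30": {80}}  # ports seen before

def parse_flows(text):
    """Turn the CSV lines above into dicts with numeric fields."""
    rows = []
    for line in text.strip().splitlines():
        src, dst, dport, proto, flags, pkts, byts, dur = line.split(",")
        rows.append({"src": src, "dst": dst, "dport": int(dport), "proto": proto,
                     "flags": flags, "pkts": int(pkts), "bytes": int(byts), "dur": int(dur)})
    return rows

def concern_index(flows, scan_threshold=5, long_lived_s=3600):
    """Return {initiating host: (score, [reasons])} for hosts that earned points."""
    score, why, syn_only = defaultdict(int), defaultdict(list), defaultdict(int)
    for f in flows:
        h = f["src"]
        if f["proto"] == "tcp" and f["flags"] == "S":       # SYN seen, no reply flags
            syn_only[h] += 1
        if f["dport"] not in BASELINE_PORTS.get(h, set()):  # new port for this host
            score[h] += 10
            why[h].append(f"new port {f['dport']} to {f['dst']}")
        if f["dur"] >= long_lived_s:                         # long-lived connection
            mbps = f["bytes"] * 8 / f["dur"] / 1e6
            score[h] += 20
            why[h].append(f"{f['dur'] // 3600} hour {mbps:.0f} Mbps flow to {f['dst']}:{f['dport']}")
        if HOST_GROUPS.get(h) == "webservers" and f["dport"] not in (80, 443):
            score[h] += 30                                   # host-group role violation
            why[h].append(f"web server initiating {f['proto']}/{f['dport']} to {f['dst']}")
    for h, n in syn_only.items():
        if n >= scan_threshold:                              # unanswered connection attempts
            score[h] += 5 * n
            why[h].append(f"{n} unanswered connection attempts")
    return {h: (score[h], why[h]) for h in score}

def prioritized(ci):
    """Alarm ordering for the responder: highest concern first."""
    return sorted(ci.items(), key=lambda kv: kv[1][0], reverse=True)

if __name__ == "__main__":
    for host, (points, reasons) in prioritized(concern_index(parse_flows(SAMPLE_FLOWS))):
        print(host, points, "; ".join(reasons))
```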
-
Relational Flow Maps
The powerful Relational Flow Mapping feature allows you to track the relationships between your host groups as well as their relationships to external groups, whether they are business partners, Internet hosts, countries, or suspicious hosts from threat feeds. Once the relationship is established, StealthWatch automatically creates a statistical baseline and applies its powerful anomaly detection logic to the relationship.
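As an added illustration of the relationship baseline described above, and of the "day after day, and then FTP to a foreign destination" behavioral anomaly from the User Behavior slide (not StealthWatch or Lancope code): the Python below learns a mean and deviation of daily bytes for each internal-group to external-group relationship from past days, then flags a day that either introduces a never-seen relationship or exceeds the learned volume. The group names, the daily-summary layout and the 3-sigma rule are constructed assumptions.

```python
# Added example, not Lancope/StealthWatch code: a toy relational baseline between
# an internal host group and the external groups it talks to, learned from past
# days of flow totals and then used to flag a day that breaks the pattern.
# Group names, the daily-summary layout and the 3-sigma rule are constructed.
import statistics
from collections import defaultdict

# Constructed history: day,src_group,dst_group,dport,bytes_out (five normal days)
HISTORY = """\
1,engineering,internet-web,443,52000000
2,engineering,internet-web,443,48000000
3,engineering,internet-web,443,55000000
4,engineering,internet-web,443,50000000
5,engineering,internet-web,443,53000000
1,engineering,partner-ftp,21,2000000
2,engineering,partner-ftp,21,2500000
3,engineering,partner-ftp,21,1800000
4,engineering,partner-ftp,21,2200000
5,engineering,partner-ftp,21,2100000
"""
# Day six: the usual traffic plus 900 MB of FTP to a country never seen before.
TODAY = """\
6,engineering,internet-web,443,51000000
6,engineering,partner-ftp,21,2300000
6,engineering,country-XX,21,900000000
"""

def parse_daily(text):
    """Daily summary lines -> (day, src_group, dst_group, port, bytes) tuples."""
    return [(int(d), sg, dg, int(p), int(b))
            for d, sg, dg, p, b in (line.split(",") for line in text.strip().splitlines())]

def build_baseline(history):
    """Mean and population stdev of daily bytes per (src_group, dst_group, port)."""
    series = defaultdict(list)
    for _, sg, dg, port, b in history:
        series[(sg, dg, port)].append(b)
    return {k: (statistics.mean(v), statistics.pstdev(v)) for k, v in series.items()}

def detect(baseline, today, sigma=3.0):
    """Alarms: a relationship never seen in the baseline, or a volume beyond
    mean + sigma*stdev (stdev floored at 5% of the mean so a flat history
    does not alarm on harmless jitter)."""
    alarms = []
    for _, sg, dg, port, b in today:
        key = (sg, dg, port)
        if key not in baseline:
            alarms.append(("new-relationship", key, b))
        else:
            mean, sd = baseline[key]
            if b > mean + sigma * max(sd, 0.05 * mean):
                alarms.append(("volume-anomaly", key, b))
    return alarms

if __name__ == "__main__":
    for kind, key, b in detect(build_baseline(parse_daily(HISTORY)), parse_daily(TODAY)):
        print(kind, key, b)
```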
-
Drill down from anywhere to any level of detail
Every object is active and can be used as a starting point to drill in for investigation.
-
Enhanced Application Monitoring
Accelerates troubleshooting and forensic investigations
Quickly differentiate between applications
Easily determine which applications are causing performance or security problems
Displays URL information in flow records
Identifies hostname of the server and error messages within the flow
-
Other resources for detection of anomalous behavior
Botnet - 315,000 nodes, 3 billion connections
-
Threat feed correlation and host locking
-
Putting it all together:
Detection Examples
-
Knowing Will Help Decision Making
Is there internal spreading malware?
-
Knowing Will Help Decision Making
Bot Detection:
Are there bot infected hosts within the network?
-
Knowing Will Help Decision Making
Suspect Data Loss:
Is there any sensitive data being uploaded to the Internet?
-
Knowing Will Help Decision Making
Reconnaissance Detection:
What hosts are trying to find resources to compromise?
-
Quick Recap
NetFlow analysis gives us APT defense via:
A PROVEN, time-honored end-to-end rich view of every conversation
Topology independence
Deep statistical analysis and alerting
Very high performance and scale
Flow telemetry is available from all over the network:
Routers
Switches
Load Balancers
Firewalls
FlowSensors
Even the virtual network!
Once you've enabled flow collection you can...
Gain deep traffic analysis and network visibility
Detect attacks and network anomalies faster
Investigate incidents and build up operational context
-
Next Steps
Contact Lancope:
Jeffrey M. Wells
Lancope
Lancope Marketing
Visit Lancope for a live demonstration of
the StealthWatch System @
InfoSecurity Europe booth F61
Cisco Live US booth 944
-
Thank You
Web: http://www.lancope.com
Blog: http://netflowninjas.lancope.com
Twitter: @netflowninjas
LinkedIn: NetFlow Ninjas http://www.linkedin.com/groups?about=&gid=2261596&trk=anet_ug_grppro
NetFlow Ninjas Challenge
http://www.lancope.com/netflow-ninja-quiz
-
Q&A