Cyber Analytics – A Proactive Approach to Cyber Attacks
Cyber Analytics – A Proactive Approach to Cyber Attacks, 1:30 p.m. - 2:10 p.m.
Speakers include:
• Jeff Kidwell, Big Data Federal Sales Leader, IBM
• Wayne Wheeles, Cybersecurity Network Forensics Analytic Developer, Six 3 Systems
Cyber Analytics – A Proactive Approach to Cyber Attacks
Wayne Wheeles, Cyber Security Network Forensics Analytic Developer, Six3 Systems
Jeff Kidwell, Big Data Federal Executive, IBM
About Us
Wayne Wheeles
Developer for Six3 Systems, Cyber and Enterprise Systems Group
Network Forensics, Analytic Developer (CND-OPS)
24 analytics in production, 34 forms of enrichment
Managing Contributor/Committer of SHERPA Project
Jeff Kidwell
AGENDA
1 IBM Big Data Strategy: Move Analytics to the Data
2 Cybersecurity Capabilities
3 Current: Cyber Security Old School Approach
Key Challenges: V T
4 Proactive Approach to Cyber Attacks: Practical Cyber
5 Conclusions: Questions and Discussion
Meeting Today’s Analytic Challenges Means Thinking Differently about Architecture
• Data systems optimized for analytic workloads
• Support for different types of analytics
• Simplicity as a design requirement
• Agility as a deployment requirement
[Diagram: IBM Big Data Platform]
Analytic Applications: BI / Reporting, Exploration / Visualization, Functional App, Industry App, Predictive Analytics, Content Analytics
Platform services: Systems Management, Application Development, Visualization & Discovery, Accelerators, Information Integration & Governance
Engines: Hadoop System, Stream Computing, Data Warehouse
New analytic applications drive the requirements for a big data platform
• Integrate and manage the full variety, velocity and volume of data
• Apply advanced analytics to information in its native form
• Visualize all available data for ad-hoc analysis
• Development environment for building new analytic applications
• Workload optimization and scheduling
• Security and Governance
IBM Big Data Strategy … Move Analytics to the Data
Six3 Systems, www.six3systems.com
root ssh:notty 59.**.**.* Sat Oct 13 14:10 - 14:10 (00:00)
sshserve ssh:notty 59.**.**.* Sat Oct 13 14:10 - 14:10 (00:00)
sshserve ssh:notty 59.**.**.* Sat Oct 13 14:10 - 14:10 (00:00)
root ssh:notty 59.**.**.* Sat Oct 13 14:10 - 14:10 (00:00)
bin ssh:notty 59.**.**.* Sat Oct 13 14:10 - 14:10 (00:00)
user0 ssh:notty 59.**.**.* Sat Oct 13 14:10 - 14:10 (00:00)
user0 ssh:notty 59.**.**.* Sat Oct 13 14:10 - 14:10 (00:00)
joyko ssh:notty 59.**.**.* Sat Oct 13 14:10 - 14:10 (00:00)
joyko ssh:notty 59.**.**.* Sat Oct 13 14:10 - 14:10 (00:00)
root ssh:notty 59.**.**.* Sat Oct 13 14:10 - 14:10 (00:00)
svn ssh:notty 59.**.**.* Sat Oct 13 14:09 - 14:09 (00:00)
svn ssh:notty 59.**.**.* Sat Oct 13 14:09 - 14:09 (00:00)
root ssh:notty 59.**.**.* Sat Oct 13 14:09 - 14:09 (00:00)
root ssh:notty 59.**.**.* Sat Oct 13 14:09 - 14:09 (00:00)
nagios ssh:notty 59.**.**.* Sat Oct 13 14:09 - 14:09 (00:00)
nagios ssh:notty 59.**.**.* Sat Oct 13 14:09 - 14:09 (00:00)
lday ssh:notty 59.**.**.* Sat Oct 13 14:09 - 14:09 (00:00)
lday ssh:notty 59.**.**.* Sat Oct 13 14:09 - 14:09 (00:00)
root ssh:notty 59.**.**.* Sat Oct 13 14:09 - 14:09 (00:00)
root ssh:notty 59.**.**.* Sat Oct 13 14:09 - 14:09 (00:00)
michael ssh:notty 59.**.**.* Sat Oct 13 14:09 - 14:09 (00:00)
michael ssh:notty 59.**.**.* Sat Oct 13 14:09 - 14:09 (00:00)
paulb ssh:notty 59.**.**.* Sat Oct 13 14:09 - 14:09 (00:00)
paulb ssh:notty 59.**.**.* Sat Oct 13 14:09 - 14:09 (00:00)
root ssh:notty 59.**.**.* Sat Oct 13 14:09 - 14:09 (00:00)
root ssh:notty 59.**.**.* Sat Oct 13 14:08 - 14:08 (00:00)
PruncuTz ssh:notty 59.**.**.* Sat Oct 13 14:08 - 14:08 (00:00)
…… (two attacking servers, 45000 hits)
SSH brute force assault on port 22 using a common password list (45000 times on one Saturday)
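Detection logic for the brute-force pattern above, as an added example (not from the deck, IBM or the SHERPA project): it parses lastb-style (btmp) failed-login records in the layout the slide shows, counts attempts per source host inside a sliding window, and reports hosts that cross a threshold together with how many distinct usernames they cycled through. The regex, the thresholds and the sample hosts (RFC 5737 documentation addresses) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One lastb/btmp record as shown on the slide: USER TTY HOST DOW MON DAY HH:MM - HH:MM (dur)
LASTB_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+\w{3}\s+"
    r"(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<hhmm>\d{2}:\d{2})")

def parse_lastb(lines, year=2012):
    """Yield (timestamp, user, host); lastb prints no year, so the caller supplies it."""
    for line in lines:
        m = LASTB_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hhmm']}", "%Y %b %d %H:%M")
            yield ts, m["user"], m["host"]

def brute_force_sources(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {host: (peak attempts inside one window, distinct usernames tried)} for
    hosts whose failed logins reach `threshold` within any sliding `window`."""
    stamps, users = defaultdict(list), defaultdict(set)
    for ts, user, host in parse_lastb(lines):
        stamps[host].append(ts)
        users[host].add(user)
    flagged = {}
    for host, times in stamps.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = (peak, len(users[host]))
    return flagged

# Constructed sample in the slide's lastb layout: one host cycling through a
# password-list worth of usernames in two minutes, one host with a single failure.
_USERS = ["root", "sshserve", "bin", "user0", "joyko", "svn",
          "nagios", "lday", "michael", "paulb", "root", "PruncuTz"]
SAMPLE_LOG = [f"{u:<9}ssh:notty    203.0.113.7   Sat Oct 13 14:{9 + i // 6:02d} - 14:{9 + i // 6:02d}  (00:00)"
              for i, u in enumerate(_USERS)]
SAMPLE_LOG.append("alice    ssh:notty    198.51.100.9  Sat Oct 13 09:02 - 09:02  (00:00)")

if __name__ == "__main__":
    for host, (peak, n_users) in brute_force_sources(SAMPLE_LOG).items():
        print(f"{host}: {peak} failed logins in 5 min across {n_users} usernames")
```

Feeding it the output of `lastb` on a real host gives the same per-source counts; the distinct-username figure separates a password-list sweep from one user mistyping a password.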
The Cyber Threat: Traditional Threat
Country: China
State/Region: Jiangxi
City: Nanchang
Latitude: 28.55
Longitude: 115.9333
According to statistics supplied to the commission by San Francisco-based service provider CloudFlare Inc., attacks account for about 15 percent of global internet traffic on any given day. That “plummeted to about 6.5 percent” around Oct. 1, 2011, China’s National Day, “when many workers take leave,” according to the draft report.
Coincidence to ponder?
Source: http://sg.entertainment.yahoo.com/news/slightly-suspicious-worldwide-hack-attacks-152725959.html
The Cyber Threat: Real World Incident ** DISCLAIMERS **
- The IP addresses have been changed, so please do not look them up.
- This is not a government network.
- This is an actual real world event on a real network using a honeypot.
What are we going to see?
Stage 1 – The surveillance of the target server to determine attack surface
Stage 2 – Infection of the target server
Stage 3 – Data theft from the target server
Stage 4 – Beaconing, p0wn3d -> target server is under their control
The Cyber Threat: Real World Incident
In a world so full of slides, articles and powerpoint-ware, and awash in a sea of whitepapers…
[Diagram: Honeypot Network: internet -> Router/firewall -> IDS / Netflow -> Honeypot "Bueller" (192.168.10.155)]
Stage 1: Surveillance of the Target Server
Attacking IP Address: 162.198.10.15 (1 of 16)
Victim IP Address: 192.168.10.155
Scanning Ports: 32772 – 60986 (Y axis of the scan chart)
Timeframe: 3 months
Total Ports Evaluated: 1439
Scan Types: 6 distinct classes of scan
Scanning Networks: 5 different Class A
Scanning Servers: 16 different servers
Stage 2: Infection of the Target Server
Country Attacker Victim Destination Port STIME Packets Byte
NOT US 162.198.10.15 192.168.10.155 36549 2012-09-21 21:25:05 380 557810
Attacking IP Address: 162.198.10.15
Victim IP Address: 192.168.10.155
Delivered Packets: 380
Signature: Precedes Beaconing & Data Theft
Port Accessed: 36549
Stage 3: Data Theft from Target Server
Attacking IP Address: 162.198.10.15
Victim IP Address: 192.168.10.155
Timeframe: 6 months
Attempted Extractions: 2025
Extraction Technique: Small Packages
Source Ports: 80
COUNTRY_CODE Attacker Victim Source Port STIME Packets Byte
NOT US 162.168.10.155 192.168.10.155 80 9/23/12 9:25 PM 606 31853
NOT US 162.168.10.155 192.168.10.155 80 9/27/12 10:29 PM 211 11298
NOT US 162.168.10.155 192.168.10.155 80 10/13/12 4:25 PM 201 11102
NOT US 162.168.10.155 192.168.10.155 80 12/20/12 9:29 PM 197 10570
NOT US 162.168.10.155 192.168.10.155 80 12/20/12 12:29 AM 182 9791
NOT US 162.168.10.155 192.168.10.155 80 01/14/13 1:29 PM 134 7295
NOT US 162.168.10.155 192.168.10.155 80 01/15/13 9:29 PM 91 5214
NOT US 162.168.10.155 192.168.10.155 80 01/16/13 1:29 AM 75 4377
Stage 4: Target Server begins Beaconing
Redirected C&C: 142.192.10.21
Victim IP Address: 192.168.10.155
Beaconing Interval: hourly
Country Code Attacker Victim Victim Outbound STIME Packets Byte
NOT US 142.192.10.21 192.168.10.155 80 8/9/12 9:40 PM 4 216
NOT US 142.192.10.21 192.168.10.155 80 8/9/12 10:40 PM 4 216
NOT US 142.192.10.21 192.168.10.155 80 8/9/12 11:40 PM 4 216
NOT US 142.192.10.21 192.168.10.155 80 8/10/12 12:40 AM 4 216
NOT US 142.192.10.21 192.168.10.155 80 8/10/12 1:40 AM 4 216
NOT US 142.192.10.21 192.168.10.155 80 8/10/12 2:40 AM 4 216
NOT US 142.192.10.21 192.168.10.155 80 8/10/12 3:40 AM 4 216
NOT US 142.192.10.21 192.168.10.155 80 8/10/12 4:40 AM 4 216
NOT US 142.192.10.21 192.168.10.155 80 8/10/12 5:40 AM 4 216
NOT US 142.192.10.21 192.168.10.155 80 8/10/12 6:40 AM 4 216
NOT US 142.192.10.21 192.168.10.155 80 8/10/12 7:40 AM 4 216
NOT US 142.192.10.21 192.168.10.155 80 8/10/12 8:40 AM 4 216
Status: p0wn3d
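Detection logic for the hourly beacon above, as an added example that is not from the deck, IBM or Six3's tooling: it groups netflow-style rows by source, destination and port and flags groups whose inter-flow gaps and byte counts are both nearly constant, which is exactly what the 4-packet / 216-byte hourly pattern looks like. The constructed sample also includes the irregular Stage 3 transfers from the deck, which the detector must not flag; the row layout, thresholds and helper names are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Row layout used on the slides: COUNTRY SRC DST PORT M/D/YY H:MM AM|PM PACKETS BYTES
FLOW_RE = re.compile(
    r"^(?P<cc>.+?)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<port>\d+)\s+"
    r"(?P<stime>\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2} [AP]M)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)$")

def parse_flows(rows):
    """Return (src, dst, port, start_time, packets, bytes) for every parsable row."""
    out = []
    for m in filter(None, (FLOW_RE.match(r.strip()) for r in rows)):
        out.append((m["src"], m["dst"], int(m["port"]),
                    datetime.strptime(m["stime"], "%m/%d/%y %I:%M %p"),
                    int(m["pkts"]), int(m["bytes"])))
    return out

def find_beacons(rows, min_flows=4, max_cv=0.1):
    """Map (src, dst, port) -> (flow count, mean gap s, mean bytes) for groups whose
    inter-flow gaps and byte counts both have a coefficient of variation <= max_cv."""
    groups = defaultdict(list)
    for src, dst, port, ts, _pkts, nbytes in parse_flows(rows):
        groups[(src, dst, port)].append((ts, nbytes))
    beacons = {}
    for key, flows in groups.items():
        if len(flows) < min_flows:
            continue
        flows.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(flows, flows[1:])]
        sizes = [nbytes for _, nbytes in flows]
        gap_cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
        if gap_cv <= max_cv and size_cv <= max_cv:
            beacons[key] = (len(flows), statistics.mean(gaps), statistics.mean(sizes))
    return beacons

def _row(src, dst, t, pkts, nbytes):  # constructed helper that emits the slide's row layout
    return f"NOT US {src} {dst} 80 {t.month}/{t.day}/{t:%y} {t.hour % 12 or 12}:{t:%M} {t:%p} {pkts} {nbytes}"

# Constructed sample: the hourly Stage 4 beacon plus four irregular Stage 3 transfers (not flagged)
_T0 = datetime(2012, 8, 9, 21, 40)
SAMPLE_FLOWS = [_row("142.192.10.21", "192.168.10.155", _T0 + timedelta(hours=i), 4, 216)
                for i in range(12)]
SAMPLE_FLOWS += ["NOT US 162.168.10.155 192.168.10.155 80 9/23/12 9:25 PM 606 31853",
                 "NOT US 162.168.10.155 192.168.10.155 80 9/27/12 10:29 PM 211 11298",
                 "NOT US 162.168.10.155 192.168.10.155 80 10/13/12 4:25 PM 201 11102",
                 "NOT US 162.168.10.155 192.168.10.155 80 12/20/12 9:29 PM 197 10570"]
```

Calling `find_beacons(SAMPLE_FLOWS)` returns only the 142.192.10.21 -> 192.168.10.155:80 group, with a 3600 s mean gap and 216 bytes per flow; jittered beacons need a looser `max_cv`, which is why it is a parameter.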
Seems so Simple: The Rest of the Story
Netflow Events: 886,147,719
IDS Signatures: 68,014,256
Description Event Result Sets Response Time (s)
Stage 1 – Surveillance 1439/578230
Stage 2 – Infection 3142
Stage 3 – Data Theft 202582
Stage 4 – P0wn3d 42110
IBM Pure Data Powered by Netezza
So how was that possible? Analytics running on one of the most powerful platforms ever built: IBM Pure Data by Netezza
The Cyber Threat: CRM for Hackers
Practical Cyber: “Stop Talking, Start Doing”
Practical Cyber is built on five key principles and countless lessons learned derived from over a decade in the Cybersecurity domain.
Lesson Learned #1 – The op tempo of the design/development/delivery effort must match the mission op tempo.
Answering your first question: Yes, it has been in production for over 6 years.
[Chart: Analyst Yearly Activity Metrics: Data Retrieval 630 (33%), Research 252 (13%), Analysis 1008 (53%)]
Analysis Metrics: 47% of time dedicated to “getting in position” to perform analysis
Meanwhile
Global IP traffic has increased eightfold over the past 5 years, and will increase threefold over the next 5 years. Overall, IP traffic will grow at a compound annual growth rate (CAGR) of 29 percent from 2011 to 2016. (source: CISCO)
The number of malicious emails as a proportion of total email traffic increased in 2011. Large companies saw the greatest rise, with 1 in 205.1 emails being identified as malicious for large enterprises with more than 2,500 employees. (1 malicious email every two days on average)
The number of targeted attacks increased dramatically during 2011 from an average of 77 per day in 2010 to 82 per day in 2011. And advanced persistent threats (APTs) attracted more public attention as the result of some well publicized incidents.
Key Principle 1: Humans are not scaling
Key Principle 2: Threat Rich Environment
THREATS: Insider, Outsider, UNCHARACTERIZED ACTIVITY
Lesson Learned #2 – The threat environment is rich with both internal and external threats, known and unknown…
Key Principle 3: Handling Data at Scale/Speed
Lesson Learned #3 – A new era of data solutions must be investigated: data volumes are ever increasing and NO ONE WANTS A RETROSPECTIVE!
Medium Sized Network: 3,524,984,302 Packet Records a day; 503,569,186 Netflow Records a day
Analysts: Near Real Time SLA; maximize use of analytics; answers in seconds/minutes
Key Principle 4: All data = Net Situational Awareness
Data sources: Malware/Application Logs, Network Packet Data, IPS/IDS Data
Lesson Learned #4 – Smash the silos and bring the different forms of data together (PCAP, IDS, SILK, MALWARE) and add enrichment
Key Principle 5: Metrics are not just important in September/October
Lesson Learned #5 – Instrumentation is a must to collect metrics for ease of reporting daily, monthly, yearly.
• Instrument Everything: Analytics, Enrichment
• How much is stored
• How much is processed
• How much is reported on
• How much is retired
• Report Card on IDS Signatures
Distilled Down: A Cyber Security Solution Should
So, to start being defensive, I need a data-centric system that is, at a minimum,...
Analytics – NOT THE EASY BUTTON; analytics help the human scale
Real-Time – Forget minutes, milliseconds matter
Flexible – No monoliths, platform neutrality: deal with malware identification in the morning, investigate data theft in the afternoon and do management reporting in the evening on the same platform…
Powerful – Take on all comers… simple queries, statistical analysis, analytics across massive amounts of data.
Instrumented – Collecting metrics on all data being processed
Simple to use – People are the essential element of defensive cyber!
[Diagram: System Reference Model]
Sensors -> Ingestion Tier: Stream 1 IDS, Stream 2 Netflow, Stream 3 PCAP, Stream 4 Web Proxy; Topic Reader; Extract Transform Load; Tipping Framework; Enrichment
Storage Tier: Near Real Time Data Mart (NRTDM, 90 days) on IBM Pure Data Netezza; Long Term Data Mart (LTDM, 18 months) on IBM BigInsights
Analytical Tier: Analytic Framework (Analytic 1, Analytic 2, Analytic 3), Data Service
Business Tier: Reports, Situational Awareness Rollups, Business Adapters
Conclusion: Take-away points
• 99% Rule… Eliminate where possible mundane “data retrieval/manipulation” tasks (one analytic = 1315 hrs per year)
• Analytics are not the easy button…
• IBM has a complete, proven solution to deliver this capability
• Enrichment! Make sure data is “prepared” for analysis
• Scale! Ensure that the platform is up to the task (many billions of records)
• Keep it simple; ensure that the platform is mission agnostic; no UBER solution!
QUESTIONS AND DISCUSSION?
“Imagination is more important than knowledge. For knowledge is limited to all we now know and understand, while imagination embraces the entire world, and all there ever will be to know and understand.”
~Albert Einstein
Thanks, I am honored and humbled to have been invited today
@WayneWheeles
Six3 Systems
For Additional Information
Visit the Agile Summit Solution Center for demonstrations of these capabilities.
Ask an IBM Ambassador for additional information (case study, white paper, solution brief, etc.) related to the content shared during this session.
For a follow up discussion, complete the IBM Response Card on the table in front of you.