![Page 1: Application Whitelisting and Active Analysisilta.personifycloud.com/webfiles/productfiles/1877999/... · 2014. 6. 11. · – Firewalls, DPI, IDS/IPS, DLP, Email/Web Scanning, Detonation](https://reader036.vdocuments.us/reader036/viewer/2022063009/5fc0d65a169ff04a246a8794/html5/thumbnails/1.jpg)
Application Whitelisting and Active Analysis
Nick Levay, Chief Security Officer, Bit9
About Me
• Chief Security Officer @ Bit9
• Former Director of Technical Operations and Information Security @ Center for American Progress
• Former Director of Global Systems and Tools @ NASDAQ:IAWK
• Practicing professionally since 1997
• Certified Information Systems Security Professional
• Educational background in Communications
• Areas of focus:
– Information Warfare
– Cyber Counterintelligence
– Security Operations
– Development Operations
– Social Media / Social Network Analysis
• Locations: NJ, TN, Silicon Valley, Asia, DC, MA*
* Frequent movement between the aforementioned locations
The assumption of breach. The inevitability of compromise.
“In 2020, enterprises will be in a state of continuous compromise.”
-- Gartner
more like 2010…
Rethink Your Security Strategy
• Security is not a solution; it is a process.
• Prevention is no longer enough: invest in detection and response.
• Consider your technologies: move from reactive to proactive.
“The attacker has the advantage.”
The attacker does not have the advantage, unless we cede it to them.
Enterprise Network as a Battlespace
Situational awareness enables real-time, accurate decisions in tactical situations.
Most enterprises have no internal or endpoint situational awareness.
Prepare the battlefield. Win the battle.
Prepare for breach. Avoid forensics & expensive consultants.
Defense-in-depth / Layered Controls
• Network security controls – Firewalls, DPI, IDS/IPS, DLP, Email/Web Scanning, Detonation
• Service security controls – Authentication, permissions, naming lookup, lots of logging
• Endpoint security controls – Anti-virus, application control, endpoint threat detection and response
If you are depending on one control to stop an attack, you are doing it wrong.
The Attacker’s Process & Enterprise Capabilities
• The often misunderstood meaning of “empathy”
• The “Cyber Kill Chain”™ model
– Developed by Mike Cloppert, Rohan Amin, and Eric Hutchins at Lockheed Martin
– Useful for …
• Breaking down stages of an attacker’s process
• Formulating strategy for deploying security controls
• Facilitating iterative intelligence gathering
• Effective intelligence use
Reconnaissance → Weaponization → Delivery → Exploitation → Installation → C2 → Actions on Objectives (AoO)
DETECT – DENY – DISRUPT – DEGRADE – DECEIVE
The Endpoint in the Kill Chain
Preventing Exploitation
• Patching matters! (Most basic way to minimize threat surface)
• Enforce ASLR/DEP (Microsoft EMET)
• Inter-process memory controls
• Unfortunately, there’s little you can do at this stage
Preventing Installation
• Dropping of binaries, touching other processes, et cetera
• Blacklist approaches – Default-Allow
• Sandbox approaches – Default-Allow + “Deny-over-there”
• Trust based approaches – Default-Deny (Application Whitelisting)
• Hybrid approaches – Detonate-and-Deny, Detect-and-Deny
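“Enforce ASLR/DEP (Microsoft EMET)” only matters for binaries that did not opt in on their own. The following is an added example, not code from the deck or from Bit9: it reads the DllCharacteristics field of a PE image and reports which opt-in mitigations (DYNAMIC_BASE and HIGH_ENTROPY_VA for ASLR, NX_COMPAT for DEP, GUARD_CF for Control Flow Guard) are missing, which is the list an EMET-style system policy has to force. The PE images it runs on are constructed header-only stubs built by `build_minimal_pe`, not real executables; point it at a file path to check a real one.

```python
"""Check whether a PE image opts into ASLR/DEP via its DllCharacteristics flags.

Added example, not code from the presentation. The PE images it parses are
constructed header-only stubs so the script runs offline.
"""
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR with high-entropy addresses
DYNAMIC_BASE = 0x0040     # image can be relocated by the loader (ASLR)
NX_COMPAT = 0x0100        # image is DEP/NX compatible
GUARD_CF = 0x4000         # Control Flow Guard instrumented

DLLCHARACTERISTICS_OFFSET = 70  # same offset in PE32 and PE32+ optional headers


def dll_characteristics(pe: bytes) -> int:
    """Return the DllCharacteristics field of a PE image; ValueError if it is not one."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    (size_of_optional,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER starts here
    if size_of_optional < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short (object file rather than image?)")
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    (flags,) = struct.unpack_from("<H", pe, opt + DLLCHARACTERISTICS_OFFSET)
    return flags


def mitigations(pe: bytes) -> dict:
    """Map the flag bits onto the mitigations the slide names."""
    flags = dll_characteristics(pe)
    return {
        "aslr": bool(flags & DYNAMIC_BASE),
        "high_entropy_va": bool(flags & HIGH_ENTROPY_VA),
        "dep": bool(flags & NX_COMPAT),
        "cfg": bool(flags & GUARD_CF),
    }


def missing_mitigations(pe: bytes) -> list:
    """Opt-in mitigations this image lacks: the ones a system-wide policy
    (EMET then, Exploit Protection on current Windows) must force for it."""
    return [name for name, present in mitigations(pe).items() if not present]


def build_minimal_pe(flags: int, pe32plus: bool = True) -> bytes:
    """Construct a header-only PE stub carrying the given DllCharacteristics (test input)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (executable image, 32-bit-or-wider address space)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: one fully opted in, one legacy 32-bit image with no flags at all.
HARDENED = build_minimal_pe(HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT | GUARD_CF)
LEGACY = build_minimal_pe(0, pe32plus=False)

if __name__ == "__main__":
    # Usage: python pe_mitigations.py <file.exe>; with no argument, report on the stubs.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], missing_mitigations(fh.read()) or "all opted in")
    else:
        print("hardened stub:", mitigations(HARDENED))
        print("legacy stub missing:", missing_mitigations(LEGACY))
```

The flags only tell you what the linker asked for; a loader policy can still force ASLR and DEP onto a legacy image, and a binary with DYNAMIC_BASE set but no relocations stripped is a separate check (IMAGE_FILE_RELOCS_STRIPPED in the COFF Characteristics) that this example does not make.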
The Endpoint in Focus – Prevention
Default-Allow Blacklisting – Blocking known bad
• Traditional AV, based on signatures
• Ineffective for anything other than nuisance threats
• Local blacklists are still tactically useful
Opportunistic vs “Advanced” Attacks
[Figure: two panels plotting Hosts Compromised (log scale, 10 to 100k) against Time (Week 1 through Week 7). Opportunistic: goal is to maximize slope. “Advanced”: goal is to minimize slope.]
[Figure: the same two panels with a Threshold of Detection line drawn across each, measured against the same slope goals.]
The Endpoint in Focus – Prevention
Default-Deny Whitelisting – Trust Based – Known Good
• Most effective protection
• Easy on servers and fixed function systems
• Can be challenging on dynamic endpoints
• Good application governance is key to successful implementation
• Still not a silver bullet
The Endpoint in Focus – Prevention
Sandboxes
• Mitigation of application compromise, not system protection
• Application specific sandboxes (e.g. Java, Chrome)
• Virtualization based EPP solutions
• Covers only a limited portion of the threat surface
• Can’t prevent/detect lateral movement
Challenges stopping attacks at Delivery
• Network detonation solutions are often not in-line
– The “known bad” verdict arrives after delivery, so the control becomes detection only
• Network assets are often not the first point where a bad file is seen
– Encrypted (no SSL MITM inspection)
– In a container (password protected zip/rar)
– Removable media (USB stick, DVD/CDs, et cetera)
Actionable intelligence passing between network and endpoint
• Network side: incoming files on the network; “detonate” files for analysis; transfer alerts; prioritize network alerts
• Endpoint/server side: endpoint and server files; submit files automatically or on-demand; automatic analysis of all suspicious files; on-demand analysis of suspicious files
• Together: correlate endpoint/server and network data; investigate scope of the threat; remediate endpoints and servers
Threat Intelligence
Leveraging Indicators to Facilitate Detection
• IP addresses
• Hostnames
• File hashes
• Et cetera
Threat Intelligence
Leveraging Intelligence to Determine Trust
Software Reputation Service (SRS)
• Reputation levels for files
• Thresholds can drive approvals
• Example: Firefox == 10, keylogger == 0
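How the trust decisions on the last few slides compose (default-deny whitelisting, local blacklists that stay tactically useful, and reputation thresholds driving approvals) is easier to see in code. The following is an added example, not code from the deck or any Bit9 product: a default-deny execution policy that approves a file by hash, by trusted publisher, or by a reputation score at or above a threshold, with a ban list that overrides every approval path, an audit mode for the rollout phase on dynamic endpoints, and a stricter hash-and-publisher-only policy for fixed-function servers. The hosts, file hashes, publisher names and scores are constructed; the 0..10 scale follows the slide's Firefox == 10 / keylogger == 0 example.

```python
"""Default-deny execution policy with hash, publisher and reputation approval paths.

Added example (not code from the presentation or from Bit9). Events and
policies below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class FileEvent:
    host: str
    path: str
    sha256: str
    publisher: Optional[str]    # signer subject if the code signature verified, else None
    reputation: Optional[int]   # 0..10 from the reputation service; None if the file is unknown


@dataclass
class Policy:
    name: str
    approved_hashes: Set[str] = field(default_factory=set)
    trusted_publishers: Set[str] = field(default_factory=set)
    banned_hashes: Set[str] = field(default_factory=set)   # local blacklist: still tactically useful
    approval_threshold: Optional[int] = None                # None: reputation never approves
    audit_only: bool = False                                # log what would be blocked, allow anyway


def decide(event: FileEvent, policy: Policy) -> Tuple[str, str]:
    """Return (verdict, reason). Any path that does not positively vouch for the file ends in deny."""
    if event.sha256 in policy.banned_hashes:
        return "block", "banned hash"                        # bans beat every approval path
    if event.sha256 in policy.approved_hashes:
        return "allow", "approved hash"
    if event.publisher is not None and event.publisher in policy.trusted_publishers:
        return "allow", f"trusted publisher: {event.publisher}"
    if (policy.approval_threshold is not None and event.reputation is not None
            and event.reputation >= policy.approval_threshold):
        return "allow", f"reputation {event.reputation} >= {policy.approval_threshold}"
    if policy.audit_only:
        return "allow", "unapproved (audit mode: would block)"
    return "block", "unapproved"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed file contents stand in for real binaries.
FIREFOX = sha256_hex(b"firefox.exe (constructed)")
LOB_TOOL = sha256_hex(b"internal line-of-business tool (constructed)")
DROPPER = sha256_hex(b"unknown dropper (constructed)")

# Dynamic endpoint: publisher trust and reputation may approve what the hash list does not.
WORKSTATION_POLICY = Policy(
    name="workstations",
    approved_hashes={LOB_TOOL},
    trusted_publishers={"Mozilla Corporation"},
    approval_threshold=7,
)

# Fixed-function server: hash approvals only, no reputation path, no audit mode.
SERVER_POLICY = Policy(name="servers", approved_hashes={LOB_TOOL})


def policy_for(host: str) -> Policy:
    # Not all assets are protected the same way: servers get the stricter policy.
    return SERVER_POLICY if host.startswith("srv-") else WORKSTATION_POLICY


EVENTS = [
    FileEvent("ws-017", r"C:\Program Files\Mozilla Firefox\firefox.exe", FIREFOX, "Mozilla Corporation", 10),
    FileEvent("ws-017", r"C:\Tools\lob.exe", LOB_TOOL, None, None),
    FileEvent("ws-017", r"C:\Users\a\AppData\Local\Temp\inv.exe", DROPPER, None, 0),
    FileEvent("srv-db-02", r"C:\Program Files\Mozilla Firefox\firefox.exe", FIREFOX, "Mozilla Corporation", 10),
]


def evaluate(events: List[FileEvent]) -> List[Tuple[str, str, str, str]]:
    """(host, path, verdict, reason) for each execution attempt under its host's policy."""
    return [(e.host, e.path, *decide(e, policy_for(e.host))) for e in events]


if __name__ == "__main__":
    for row in evaluate(EVENTS):
        print(row)
```

The ordering of the checks is the policy: a ban must be tested before any approval, and the reputation path must be opt-in per policy, otherwise a well-scored but unwanted browser ends up approved on a database server. Audit mode is how you find out what the whitelist would have broken on dynamic endpoints before enforcing it.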
Complete Forensic Record of Endpoint Activity
• All file modifications
• All file executions
• All registry modifications
• All network connections
• Copy of every executed binary
All the information you need to respond
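The indicator slide (IP addresses, hostnames, file hashes) and this forensic-record slide meet in the sweep an analyst runs once an indicator arrives. The following is an added example, not code from the deck or from Bit9: it matches recorded execution, file-modification and network-connection records against a small indicator set (SHA-256 hashes, IP networks, and hostnames with their subdomains) and then scopes the result per host with a first-seen time. The indicator set and the JSON-lines telemetry are constructed; the addresses come from the RFC 5737 documentation ranges.

```python
"""Sweep recorded endpoint telemetry for indicators: file hashes, IPs/CIDRs, hostnames.

Added example (not code from the presentation or from Bit9). The indicator set
and the telemetry lines are constructed for illustration.
"""
import hashlib
import ipaddress
import json
from typing import Dict, List, Set


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed indicators; addresses are from the RFC 5737 documentation ranges.
INDICATORS = {
    "sha256": {sha256_hex(b"constructed dropper sample")},
    "ip": [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.7/32")],
    "hostname": {"c2.example.net"},
}

# Constructed telemetry in the shape the deck describes: one JSON record per line
# for executions, file modifications and network connections.
TELEMETRY = "\n".join(json.dumps(r) for r in [
    {"ts": "2014-06-11T09:01:02Z", "host": "ws-017", "type": "exec", "process": "outlook.exe",
     "sha256": sha256_hex(b"outlook (constructed)")},
    {"ts": "2014-06-11T09:01:09Z", "host": "ws-017", "type": "filemod", "process": "outlook.exe",
     "path": "C:\\Users\\a\\AppData\\Local\\Temp\\inv.exe", "sha256": sha256_hex(b"constructed dropper sample")},
    {"ts": "2014-06-11T09:01:11Z", "host": "ws-017", "type": "exec", "process": "inv.exe",
     "sha256": sha256_hex(b"constructed dropper sample")},
    {"ts": "2014-06-11T09:01:15Z", "host": "ws-017", "type": "netconn", "process": "inv.exe",
     "remote_ip": "203.0.113.44", "remote_host": "update.c2.example.net", "port": 443},
    {"ts": "2014-06-11T09:30:00Z", "host": "srv-db-02", "type": "netconn", "process": "svchost.exe",
     "remote_ip": "198.51.100.7", "remote_host": None, "port": 8080},
    {"ts": "2014-06-11T10:00:00Z", "host": "ws-042", "type": "netconn", "process": "chrome.exe",
     "remote_ip": "192.0.2.10", "remote_host": "www.example.com", "port": 443},
])


def hostname_hit(name: str, iocs: Set[str]) -> bool:
    # Match the domain itself and any subdomain of it (update.c2.example.net hits c2.example.net).
    name = name.lower().rstrip(".")
    return any(name == ioc or name.endswith("." + ioc) for ioc in iocs)


def ip_hit(addr: str, networks) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def match_record(rec: dict, indicators=INDICATORS) -> List[str]:
    """Return the indicators this one telemetry record matches (possibly several)."""
    hits = []
    if rec.get("sha256") in indicators["sha256"]:
        hits.append("sha256:" + rec["sha256"][:12])
    if rec["type"] == "netconn":
        if rec.get("remote_ip") and ip_hit(rec["remote_ip"], indicators["ip"]):
            hits.append("ip:" + rec["remote_ip"])
        if rec.get("remote_host") and hostname_hit(rec["remote_host"], indicators["hostname"]):
            hits.append("host:" + rec["remote_host"])
    return hits


def sweep(telemetry_jsonl: str, indicators=INDICATORS) -> List[dict]:
    findings = []
    for line in telemetry_jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        for ioc in match_record(rec, indicators):
            findings.append({"ts": rec["ts"], "host": rec["host"], "process": rec["process"], "ioc": ioc})
    return findings


def scope(findings: List[dict]) -> Dict[str, dict]:
    """Per affected host: first sighting and the set of indicators seen. This is the
    'identify scope in minutes' step; the recorded history answers it without imaging disks."""
    by_host: Dict[str, dict] = {}
    for f in findings:
        entry = by_host.setdefault(f["host"], {"first_seen": f["ts"], "iocs": set()})
        entry["first_seen"] = min(entry["first_seen"], f["ts"])  # ISO-8601 UTC sorts lexically
        entry["iocs"].add(f["ioc"])
    return by_host


if __name__ == "__main__":
    for host, info in sorted(scope(sweep(TELEMETRY)).items()):
        print(host, info["first_seen"], sorted(info["iocs"]))
```

Note what the hash hit on the file-modification record buys you: the dropper is attributed to the process that wrote it (outlook.exe) two seconds before it ran, which is the delivery-to-installation link the network-only view in the earlier slides cannot provide for an attachment that arrived encrypted or inside a password-protected archive.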
[Slides 24–30: graphics only. Telemetry. Detection focus shown on a time axis running from “seconds to minutes” at one end to “weeks to years” at the other, ending in a “?”.]
Establishing a Continuous Security Process
Visibility – Know what’s running on every computer right now
• Attacks happen on the endpoint
• How can you protect your assets if you don’t know what’s running on them?
• Traditional security tools provide no visibility
• Visibility needs to be live, not poll- or scan-based
Prevent – Stop threats with proactive, customizable prevention
• Reducing your attack surface
• Symantec saw 240 million unique threats in 2009 – we’ve crossed the billion mark cumulatively
• Apply trust-based policies to allow only known good software to run
Detect – Detect threats in real-time without signatures
• See and record everything
• You can’t always know what’s “bad” ahead of time
• Apply advanced indicators to detect unknown threats in real-time
Respond – See the full evolution of a threat; contain and control
• Traditional incident response is expensive and time consuming
• With historical recording, you can identify scope and impact in minutes, not weeks
• Use that information to contain, remediate and further reduce attack surface
Endpoint and Server Telemetry/Control
• Monitor & Record:
– File executions
– File modifications
– Registry modifications
– Network connections
• Retain:
– Telemetry from periods when system is offline
– Copies of all executed binaries
• Control:
– File executions
– Inter-process memory access
– Registry modifications
Conclusions
• Compromise is inevitable; You must plan for response
• Proactive defense starts with visibility
• You’ve got to collect telemetry from EVERYTHING
• You can leverage the home-field advantage against adversaries
• Defense tactics are changing – Shift from Default-Allow to Default-Deny
• Not all assets are protected the same way
• Your endpoints and network must work together
• There are no silver bullets
• THERE ARE TWO THINGS YOU NEED TO DO:
– Decrease your threat surface
– Increase your response capabilities
Discussion
• All questions welcome
• Share experiences
• Keep it short & leave room for others
Thank You!