Intelligent Incident Response: Protecting your Organisation

Upload: arbor-networks

Post on 15-Jan-2015


Category: Technology



DESCRIPTION

This presentation provides an overview of an Economist Intelligence Unit survey, sponsored by Arbor Networks, on incident response. It covers how prepared (or not) organisations are for an incident, as well as best practices for intelligent incident response to protect your organisation in the future.

TRANSCRIPT

Page 1: Intelligent Incident Response: Protecting your Organization

Intelligent incident response: Protecting your organisation

EUROPE

Page 2: Intelligent Incident Response: Protecting your Organization

Intelligent incident response: Protecting your organisation

Darren Anstee, 29/04/14

EUROPE, 29 April - 01 May 2014, Earls Court, London, UK

Page 3: Intelligent Incident Response: Protecting your Organization


Incidents ARE Increasing in Frequency

§ An Economist Intelligence Unit (EIU) report, sponsored by Arbor Networks
  - Intended to gauge the level of corporate preparedness for data-related incidents
§ Data Sources:
  - 360 survey respondents, 73% C-Level
  - In-depth interviews with key individuals

http://www.arbornetworks.com/ciso/eiureport

[Chart: "Incident Frequency" - stacked percentages for Overall, North America, Europe and APAC; categories None / Same / Less / More. Label values as extracted, in series order (the series-to-category mapping is not recoverable from the text): 29/30/29/28%, 17/17/17/17%, 31/33/29/31%, 23/20/25/24%.]

Page 4: Intelligent Incident Response: Protecting your Organization


[Chart: "How Prepared are You?" - percentages for Overall, With Incident Response Plan and Without Incident Response Plan; categories Not at all Prepared / Somewhat Unprepared / Somewhat Prepared / Fully Prepared. Label values as extracted (cell mapping not recoverable from the text): 17%, 27%, 2%, 55%, 67%, 36%, 20%, 67%, 43%, 7%, 6%, 20%.]

Page 5: Intelligent Incident Response: Protecting your Organization


[Chart: impact of incidents - Cost, Business Disruption, Loss of Customer Trust]

Page 6: Intelligent Incident Response: Protecting your Organization


How are threats getting through?

[Chart: "Threats On Corporate Network" (axis 0-60) - Advanced Persistent Threat, Botted or Compromised Hosts, Under-capacity for bandwidth, Industrial Espionage, Malicious Insider, Other]

•  Huge number of 'ways in'
   –  Drive By Download
   –  SPAM/Phishing
   –  Watering Hole
   –  USB
•  Leveraging vulnerabilities in:
   –  JavaScript
   –  Java applets
   –  Compound Documents
   –  Anything Adobe
•  Many Threat Vectors - New AND Old
   –  IPS / AV limited coverage
   –  Patching lag

Page 7: Intelligent Incident Response: Protecting your Organization


What New Threats? Just New Techniques!

•  Attackers will always choose to obfuscate vs. finding a new attack vector

Page 8: Intelligent Incident Response: Protecting your Organization


What does JavaScript Obfuscation Look Like?
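The slide itself is a screenshot that did not survive extraction. What follows is an added example, not code from the slides or from Arbor Networks: a constructed, harmless JavaScript snippet, a generic XOR + String.fromCharCode + eval packing of it, a content signature written against the plain form (which the packed form no longer matches), and the two analyst-side checks that still work afterwards: structural indicators of runtime decode-and-execute, and decoding the blob back. The snippet, the key, the signature and the indicator list are assumptions made for the example.

```python
import re

# Constructed benign snippet standing in for a dropper's first stage (assumption).
ORIGINAL_JS = ('var u = "http://example.invalid/stage2.js"; '
               'document.write("<script src=" + u + "></script>");')

# A content signature written against the plain-text form, the kind of
# pattern an IPS/AV rule carries (assumption for the example).
SIGNATURE = re.compile(r'document\.write\("<script src=')

# Structural indicators that survive most packers: the runtime still has to
# decode and execute something, and that shows up in the wrapper code.
INDICATORS = {
    "eval": r"\beval\s*\(",
    "fromCharCode": r"String\.fromCharCode",
    "unescape": r"\bunescape\s*\(",
    "Function": r"\bFunction\s*\(",
    "numeric_array": r"\[\s*\d+(?:\s*,\s*\d+){20,}\s*\]",  # long literal array
}


def obfuscate(js, key=0x5A):
    """Generic XOR + char-code packing: same behaviour, new bytes on the wire."""
    codes = ",".join(str(ord(c) ^ key) for c in js)
    return ("var k=%d,a=[%s],s='';" % (key, codes)
            + "for(var i=0;i<a.length;i++){s+=String.fromCharCode(a[i]^k);}"
            + "eval(s);")


def deobfuscate(js):
    """Analyst-side reversal of obfuscate(): pull the key and array, XOR back."""
    m = re.search(r"var k=(\d+),a=\[([\d,]+)\]", js)
    if m is None:
        return None
    key = int(m.group(1))
    return "".join(chr(int(n) ^ key) for n in m.group(2).split(","))


def signature_matches(js):
    """True when the plain-text signature fires; a packer defeats this."""
    return SIGNATURE.search(js) is not None


def indicators_present(js):
    """Names of the structural indicators found in the script."""
    return [name for name, pat in INDICATORS.items() if re.search(pat, js)]


def classify(js, threshold=2):
    """Signature verdict beside the indicator-based verdict for one script."""
    found = indicators_present(js)
    return {
        "signature_hit": signature_matches(js),
        "indicators": found,
        "flag_obfuscated": len(found) >= threshold,
    }


if __name__ == "__main__":
    packed = obfuscate(ORIGINAL_JS)
    print("original  :", classify(ORIGINAL_JS))
    print("obfuscated:", classify(packed))
    print("recovered :", deobfuscate(packed) == ORIGINAL_JS)
```

The point of the pairing is that the signature that fires on the original returns nothing on the packed form, while the indicator check fires only on the packed form: the two look for different things, and a detection stack that relies on byte signatures alone is the one the slide's attackers are counting on.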

Page 9: Intelligent Incident Response: Protecting your Organization


And in the Real World…

Page 10: Intelligent Incident Response: Protecting your Organization


Bot Builder with Anti-Detection

Page 11: Intelligent Incident Response: Protecting your Organization


Cyber Crime Service Industry

•  Crypters bypass anti-malware and other security solutions
•  DDoS bots, banking trojans, password stealers, ransomware ("blockers"), etc.
•  Crypter service - $20 per bot, cyber-crime service industry

Page 12: Intelligent Incident Response: Protecting your Organization


Lots of Methods and Mechanisms… and Guidance

Page 13: Intelligent Incident Response: Protecting your Organization


Alert Fatigue

•  At Boston Medical Center they were experiencing 12,000 alarms a day, on average. That kind of cacophony was producing a growing problem known as "alarm fatigue."
   –  "Alarm fatigue is when there are so many noises on the unit that it actually desensitizes the staff"

Page 14: Intelligent Incident Response: Protecting your Organization


So, how do we get 'better' at this?

•  Actionable Threat Intelligence – Use the expertise within vendors and integrators to maximise our own effectiveness
•  Broad Visibility – Monitor within the network, not just at the perimeter
•  Deep Visibility – Packet capture and threat detection at key network locations
•  Workflow – Solutions that fit into an IR workflow and enable personnel and processes

Page 15: Intelligent Incident Response: Protecting your Organization


Actionable Threat Intelligence - Reputation

•  Can be VERY effective, if it is derived in the right way…
   –  Granular data to prevent false positives / negatives
      •  IP address and port, not just address
      •  Layer 7 hostnames, URLs etc.
   –  Data based on in-depth research and monitoring
      •  Not just attack behavior
   –  Historical context for confidence
      •  Understanding of threat 'family' + confidence

[Diagram: threat family tree - CnC, Phishing, DriveBy; Variant 1, Variant 2]

Page 16: Intelligent Incident Response: Protecting your Organization


Actionable Threat Intelligence - Reputation

Active Campaigns: Gameover Zeus, ZeroAccess, Citadel, DarkComet, Simda, Gh0strat, Shylock, Ramnit, Xtreme RAT, Ponmocup, Cridex, NetTraveler, Carberp, Bifrost, Hangover, Pony, PoisonIvy, Taidoor, Specifix, Spyeye

Page 17: Intelligent Incident Response: Protecting your Organization


Broad Visibility - Flow

•  Leverage flow technologies for:
   •  Cost-effective, scalable visibility
   •  Layer 3/4 picture of internal network
      •  Who talks to who, when and how much
   •  Develop a model of normal network / user behavior
   •  Build policy/visibility around user identity
•  Correlate
   •  With actionable threat intelligence
   •  Detect suspicious or malicious activities wherever they occur
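As an added example (not from the slides or any Arbor product), here is the "model of normal" step carried through on constructed flow records: a baseline of each user's peers (destination address and port), active hours and mean bytes per flow is built from one observation period, and each later flow is tested against it for a new peer, off-hours activity or a volume spike. Field names, users, addresses, timestamps and the 5x volume threshold are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed baseline period (assumption): who talks to whom, when, how much.
# Fields: timestamp, user, src_ip, dst_ip, dst_port, bytes
BASELINE_FLOWS = [
    ("2014-04-01T09:05", "alice", "10.1.1.10", "10.1.5.20", 445, 120_000),
    ("2014-04-01T09:30", "alice", "10.1.1.10", "203.0.113.7", 443, 40_000),
    ("2014-04-02T10:10", "alice", "10.1.1.10", "10.1.5.20", 445, 130_000),
    ("2014-04-02T11:00", "alice", "10.1.1.10", "203.0.113.7", 443, 35_000),
    ("2014-04-03T14:20", "alice", "10.1.1.10", "10.1.5.20", 445, 110_000),
    ("2014-04-01T09:00", "bob", "10.1.1.11", "10.1.5.30", 3306, 20_000),
    ("2014-04-02T09:15", "bob", "10.1.1.11", "10.1.5.30", 3306, 22_000),
    ("2014-04-03T09:40", "bob", "10.1.1.11", "10.1.5.30", 3306, 18_000),
]

# Constructed observation period (assumption) with two deviating flows.
NEW_FLOWS = [
    ("2014-04-08T10:00", "alice", "10.1.1.10", "10.1.5.20", 445, 125_000),    # normal
    ("2014-04-08T02:30", "alice", "10.1.1.10", "198.51.100.9", 443, 900_000),  # new peer, off hours, ~10x volume
    ("2014-04-08T09:10", "bob", "10.1.1.11", "10.1.5.30", 3306, 21_000),       # normal
    ("2014-04-08T09:12", "bob", "10.1.1.11", "10.1.5.20", 445, 5_000),         # new peer only
]


def build_baseline(flows):
    """Per user: set of (dst_ip, dst_port) peers, active hours, mean bytes per flow."""
    peers = defaultdict(set)
    hours = defaultdict(set)
    total = defaultdict(int)
    count = defaultdict(int)
    for ts, user, _src, dst, port, nbytes in flows:
        peers[user].add((dst, port))
        hours[user].add(datetime.fromisoformat(ts).hour)
        total[user] += nbytes
        count[user] += 1
    return {
        user: {
            "peers": peers[user],
            "hours": hours[user],
            "mean_bytes": total[user] / count[user],
        }
        for user in peers
    }


def deviations(flow, baseline, volume_factor=5.0):
    """List the reasons one flow departs from its user's baseline (empty if none)."""
    ts, user, _src, dst, port, nbytes = flow
    profile = baseline.get(user)
    if profile is None:
        return ["unknown user"]
    reasons = []
    if (dst, port) not in profile["peers"]:
        reasons.append("new peer %s:%d" % (dst, port))
    hour = datetime.fromisoformat(ts).hour
    if hour not in profile["hours"]:
        reasons.append("outside usual hours (%02d:00)" % hour)
    if nbytes > volume_factor * profile["mean_bytes"]:
        reasons.append("volume %dx baseline" % (nbytes / profile["mean_bytes"]))
    return reasons


def score_flows(flows, baseline):
    """Map (timestamp, user) of each deviating flow to its reasons."""
    flagged = {}
    for flow in flows:
        reasons = deviations(flow, baseline)
        if reasons:
            flagged[(flow[0], flow[1])] = reasons
    return flagged


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for key, reasons in score_flows(NEW_FLOWS, baseline).items():
        print(key, "->", "; ".join(reasons))
```

A flow that trips several tests at once (new peer, outside the user's hours, an order of magnitude more data) is the kind of event worth an analyst's time; the single "new peer" hit for bob is the kind that a baseline alone cannot rank, which is where correlation with reputation data comes in.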

Page 18: Intelligent Incident Response: Protecting your Organization


Deep Visibility - Packet Capture

•  Use high-speed packet capture for deeper visibility
   •  Monitor for specific threats at network / data-centre edge
   •  Store forensic data for interactive, retrospective analysis
   •  Investigate scope of compromise / kill chain
•  Correlate (repeatedly)
   •  With actionable threat intelligence

Page 19: Intelligent Incident Response: Protecting your Organization


Deep Visibility - Packet Capture

•  Correlate (repeatedly)
   •  With actionable threat intelligence

[Diagram: retrospective correlation timeline]
-  Month 1 Traffic, Month 2 Traffic and Month 3 Traffic are stored.
-  The Zero Day attack occurs somewhere in the stored window.
-  An intelligence update arrives without a signature for the Zero Day attack: all traffic correlated, Zero Day not found.
-  A later intelligence update INCLUDING the signature for the Zero Day attack: all traffic correlated, Zero Day FOUND.
-  Detection capability updates occur at different times; stored traffic can be correlated with updated threat intelligence.
-  Now that the Zero Day attack has been identified, the attack timeline can be established.
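An added example (not from the slides or any Arbor product) that ties the reputation slides to this timeline: stored connection records are correlated against a granular indicator set (IP+port and Layer 7 hostname, each with a family and a confidence), the correlation is re-run after the feed is updated, and the first-seen/last-seen timeline is derived from the stored data once the campaign is found. It also shows why address-only reputation is too blunt: a bare-IP match drags in a different service on the same address. Addresses (RFC 5737 ranges), hostnames, family names, confidences and the threshold are constructed for the example.

```python
from datetime import datetime

# Constructed stored traffic (assumption), one record per connection with the
# Layer 7 hostname observed: timestamp, src_host, dst_ip, dst_port, hostname.
STORED_TRAFFIC = [
    ("2014-02-03T08:12", "ws-17", "203.0.113.50", 443, "cdn.example.invalid"),
    ("2014-02-11T22:40", "ws-17", "198.51.100.23", 8080, "upd.example.invalid"),
    ("2014-02-12T03:05", "ws-17", "198.51.100.23", 8080, "upd.example.invalid"),
    ("2014-03-02T09:30", "ws-42", "203.0.113.50", 443, "cdn.example.invalid"),
    ("2014-03-05T01:15", "ws-42", "198.51.100.23", 8080, "upd.example.invalid"),
    ("2014-03-20T10:00", "ws-09", "198.51.100.23", 80, "www.example.invalid"),
]

# Granular reputation (assumption): address+port and hostname rather than a
# bare address, each carrying the threat family and a confidence score.
INTEL_V1 = [
    {"type": "ip_port", "value": ("203.0.113.77", 443), "family": "FamilyA", "confidence": 90},
]
# The later feed update that adds indicators for the campaign missed by V1.
INTEL_V2 = INTEL_V1 + [
    {"type": "ip_port", "value": ("198.51.100.23", 8080), "family": "FamilyB", "confidence": 80},
    {"type": "hostname", "value": "upd.example.invalid", "family": "FamilyB", "confidence": 70},
]


def match(record, indicator):
    """One record against one indicator, at the indicator's own granularity."""
    _ts, _src, dst_ip, dst_port, hostname = record
    if indicator["type"] == "ip_port":
        return (dst_ip, dst_port) == indicator["value"]
    if indicator["type"] == "hostname":
        return hostname == indicator["value"]
    if indicator["type"] == "ip":  # coarse: address only
        return dst_ip == indicator["value"]
    raise ValueError("unknown indicator type: %r" % indicator["type"])


def correlate(traffic, intel, min_confidence=60):
    """Re-runnable pass over stored traffic: (record, family, confidence) per hit."""
    hits = []
    for rec in traffic:
        for ind in intel:
            if ind["confidence"] >= min_confidence and match(rec, ind):
                hits.append((rec, ind["family"], ind["confidence"]))
    return hits


def timeline(hits, family):
    """First/last seen and affected hosts for one family, from the stored data."""
    recs = [rec for rec, fam, _c in hits if fam == family]
    if not recs:
        return None
    stamps = sorted(datetime.fromisoformat(r[0]) for r in recs)
    return {
        "first_seen": stamps[0].isoformat(timespec="minutes"),
        "last_seen": stamps[-1].isoformat(timespec="minutes"),
        "hosts": sorted({r[1] for r in recs}),
    }


def coarse_false_positives(traffic, ip):
    """Everything an address-only indicator would flag, other services included."""
    return [rec for rec in traffic if match(rec, {"type": "ip", "value": ip})]


if __name__ == "__main__":
    print("with V1 feed:", len(correlate(STORED_TRAFFIC, INTEL_V1)), "hits")
    hits = correlate(STORED_TRAFFIC, INTEL_V2)
    print("with V2 feed:", len(hits), "hits over", len({h[0] for h in hits}), "records")
    print("FamilyB timeline:", timeline(hits, "FamilyB"))
    print("bare-IP matches:", len(coarse_false_positives(STORED_TRAFFIC, "198.51.100.23")))
```

The first pass with INTEL_V1 returns nothing, the same stored traffic with INTEL_V2 surfaces the campaign on two hosts and dates it back to the first stored connection, and the bare-IP query shows the extra, unrelated web connection that an address-only indicator would have flagged. Raising min_confidence drops the weaker hostname indicator while the address+port one still fires, which is the confidence-based tuning the reputation slide describes.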

Page 20: Intelligent Incident Response: Protecting your Organization


Workflow - Maximise Effectiveness

•  Put the power back in the hands of the analysts
   –  Network & Threat Visibility, in context
   –  Incident Response Workflow
•  Technology should enable personnel & process investment
   –  Regardless of how many you have
   –  Or skillset

[Diagram: incident response cycle]
-  IDENTIFY: Comprehensive monitoring and threat detection
-  (Prioritize)
-  ANALYZE: Situational Awareness. Augment detected events with relevant context
-  (React)
-  PROTECT: Provide surgical mitigation and forensic capabilities

Page 21: Intelligent Incident Response: Protecting your Organization


13+ Years of Innovation
•  The Internet and security is our heritage
•  Founded from a DARPA grant
•  Over 40 networking and security patents

Serving The World's Most Demanding Networks
•  Across 60 countries
•  Service Providers, Hosters, Fortune 50 companies
•  Largest financials and online giants

Trusted Experts Globally
•  Over 400 employees around the globe
•  >50% in Engineering, Service and Support
•  Best in class support experts, global infrastructure

ATLAS / ASERT
•  Unrivalled visibility, analyzing 80Tb/sec of data
•  Well regarded security research expertise
•  Threat Intelligence