To Catch A Thief
Sam Curry, Chief Technology Officer, RSA, The Security Division of EMC

Posted on 30-Jul-2018

TRANSCRIPT

Page 1: To Catch A Thief

To Catch A Thief

Sam Curry, Chief Technology Officer

RSA, The Security Division of EMC

Page 2

Security is about…

Security isn’t about security. It is about managing risk at some cost. In the absence of metrics, we tend to overcompensate and focus on risks that are either familiar or recent.

Hugh Thompson, Chief Security Strategist, People Security

2

Page 3

Disruptors to IT (and the world)

Keep in mind today and in the coming days that there are three concurrent disruptors in IT…

1. Cloud (Private, Public, Hybrid et al)
2. User-driven IT / Consumer Computing
3. Proliferation and Maturation of Cybercrime

3

Page 4

The Criminal Reality today…

4

Page 5

Context: The Dark Cloud

5

Page 6

There is an underground economy

Asset | Going-rate
Pay-out for each unique adware installation | 30 cents in the United States, 20 cents in Canada, 10 cents in the UK, 2 cents elsewhere
Malware package, basic version | $1,000 – $2,000
Malware package with add-on services | Varying prices starting at $20
Exploit kit rental – 1 hour | $0.99 to $1
Exploit kit rental – 2.5 hours | $1.60 to $2
Exploit kit rental – 5 hours | $4, may vary
Undetected copy of a certain information-stealing Trojan | $80, may vary
Distributed Denial of Service attack | $100 per day
10,000 compromised PCs | $1,000
Stolen bank account credentials | Varying prices starting at $50
1 million freshly-harvested emails (unverified) | $8 up, depending on quality

Sample data from research on the underground digital economy in 2007

6

Page 7

Commercial Motivations: you don’t have to be faster than the bear…

$\text{Probability} \propto \text{Total Reward}$

$\text{Probability} \propto \dfrac{1}{\text{Total Risk}}$

Therefore

$\text{Probability} \propto \dfrac{\text{Total Reward}}{\text{Total Risk}}$

Or…

$PV \propto \dfrac{AV}{DV \cdot RV}$

• When you are dealing with an intelligent opponent and quantifiable gains (reward) and losses (risks), you can apply Game Theory
• You can determine to some level of accuracy the relative probability of a set of attack types with respect to one another
• You can use this information to implement stronger controls against a dynamic and increasingly hostile threat environment
• You can use this outlook to examine the effects of world events and small changes in “State of the Art” or even the introduction of disruptive technologies

7

Page 8

Content Races, Decision Loops and Operational Efficiency

Products and systems always end up in a content race

Who wins in this picture?

It’s all about decision loops
• OODA
• Command-and-control

We have an intelligent opponent
• Adapt and change
• Improve / we improve

(Diagram labels: GRC, APT)

8

Page 9

What does the risk curve look like?

(Chart: risk plotted over time. Milestones along the time axis: 1st infection, R&D/Beta, Zero-time, 1st Signature, Solution, Signature. The gap between infection and signature is annotated “The… Long… Wait….”)

9

Page 10

How do we reduce the “risk window”?

(Same risk-over-time chart as page 9: 1st infection, R&D/Beta, Zero-time, 1st Signature, Solution, Signature, annotated “The… Long… Wait….”)

10

Page 11

The APT Challenge: you do have to be faster than the bear

GREATER COMPLEXITY

Architecture of the virtual data center and cloud environments

Consumerization of IT: the growing demand for more unmanaged machines, applications and information-sharing tools

Increase in information to analyze and correlate

BIGGER THREATS

Prevalence and sophistication of security threats will increase

Advanced Persistent Threat (APT) will become more predominant

Attack vectors continue to make use of infrastructure vulnerabilities and to exploit human vulnerabilities

RESPONSE TIME

Responding to an attack can potentially slow down due to the increase in data (and noise)

It is important to be able to stay ahead of the attackers and to keep in front of them

11

Page 12

Advanced Persistent Threats: The Ultimate Problem

Multiple attack methodologies

“Low and Slow”

Specific objective

Well organized and funded

Human involvement

Can leverage automated techniques

12

Page 13

The Future Solution: Intelligent SOC, A Holistic Approach

1. Risk Planning
▪ First and foremost requirement for building a focused, effective security operations program
▪ Information-centric approach to security risk planning
▪ Knowledge determines how fast and how well the SOC can react to a problem

2. Attack Modeling
▪ Determine which systems, people and processes have access to valuable, protected information
▪ Model the threat surface: normal traffic patterns and potential attack vectors for this information
▪ Determine potential attack vectors, examine all defensive steps, devise the optimal defense

3. Virtualized Environments
▪ Virtualization will be a core capability of the Intelligent SOC
▪ Sandboxing: a suspicious file could be launched in an isolated hypervisor and VM cut off from the rest of the system
▪ “Isolation in depth” for the most sensitive information and virtual nodes

4. Self-Learning Predictive Analytics
▪ Continually monitor and learn typical states to identify problematic patterns early
▪ Configuration data, events, contextual information and risk profiles connect unrelated events to detect high-risk activities instantaneously
▪ Integrated feedback loops use confirmed alerts to help the system improve threat detection

5. Automated, Risk-based Decision Systems
▪ Assess risks almost instantly and vary responses accordingly
▪ Automated topography: remap the entire network infrastructure to disrupt an attacker’s reconnaissance efforts

6. Improvement with Forensic Analysis and Community Learning
▪ Virtualized environments provide snapshots of the IT environment at the time of the security event, which is useful information if detection of the attack was delayed
▪ Information is collected centrally and shared among partnering organizations to analyze and help defend against similar security threats

13

Page 14

Modeling an Attack: RSA Labs in Collaboration with Ron Rivest

(Attack-tree diagram. Path 1: Exploit FTP Server → Infect FTP server VM → User opens PDF in time < t → Compromise client machine → Log into document store → Steal sensitive information; User opens PDF in time > t → No compromise. Path 2: Email delivered → User opens email → Social engineering attack → Infect client machine with Zeus → Access document store → Steal sensitive information, or No compromise.)

Deployment Dynamics
Within time t the FTP server is re-provisioned from a clean VM image.
The opportunity for attack is the time interval t.

Adaptive Authentication
The attacker uses stolen credentials from the compromised machine to log into the document store.
The probability that the attacker accesses the document store in the expected context is low.
The attack is blocked with high probability.

Log Analysis: Time Correlation
The attacker manages to get to the target, but the attack is revealed by an external triggering mechanism.
The SOC can detect the time correlation between the FTP server exploit and the opening of the malformed PDF file.
This assumes tamper-resistant logs.

Behavior Analytics
Through a social engineering attack, a Zeus variant is installed on an internal machine.
By monitoring file and network access patterns at the hypervisor layer, behavior analytics can detect the compromise.
Log analysis can be used to backtrack the attack path and remove that attack vector.

14

Page 15

The APT Challenge…in simple terms

The Game: Attacker versus Target

The Goals

Attacker must gain access to the target

Defender must defend access to the target

Both must stay within their financial means

Defender must know which controls cover the attack vectors

15

Page 16

Modeling an Attack: RSA Labs in Collaboration with Ron Rivest

(Same attack-tree diagram as page 14: Exploit FTP Server → Infect FTP server VM → User opens PDF in time < t / > t → Compromise client machine → Log into document store → Steal sensitive information or No compromise; Email delivered → User opens email → Social engineering attack → Infect client machine with Zeus → Access document store. The defensive measures are placed against the steps they address: Deployment Dynamics, Behavior Analytics, Risk Analytics, Log Analysis.)

16

Page 17

The Right Measures: Simulate an APT-like attack on an Intelligent SOC

(Same attack-tree diagram: Exploit FTP Server → Infect FTP server VM → User opens PDF → Compromise client machine → Log into document store → Steal sensitive information or No compromise; Email delivered → User opens email → Social engineering attack → Infect client machine with Zeus → Access document store. Annotated with the Intelligent SOC measures: Dynamics, Adaptive, Behavioral Assessment, Analytics, Risk Model.)

17

Page 18

Deployment Dynamics: Defensive Approach

(Diagram label: Attacker)

How it works

1. The Deployment Dynamics Server (DDS) instantiates a clean FTP server from the FTP VM image and moves it to the production area.

2. DDS instructs the load balancer to add the FTP server to the pool of available servers providing the FTP service.

3. After time (t), DDS instructs the load balancer to remove the FTP server from the pool of servers providing the FTP service.

4. DDS destroys the FTP server and begins the process again.

18
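Steps 1 to 4 above, together with the window t from the “Modeling an Attack” slide, as an added example that is not RSA’s code: it builds the DDS re-provisioning schedule and then checks, over a constructed tamper-resistant log extract, which clients opened the malformed PDF while the exploited FTP generation was still in the pool. The interval t, the timestamps and the client names are assumed.

```python
from __future__ import annotations
from dataclasses import dataclass

T = 600  # re-provisioning interval t in seconds (assumed value)


@dataclass(frozen=True)
class Generation:
    gen_id: int
    start: int  # DDS instantiates a clean FTP VM and adds it to the LB pool
    end: int    # DDS removes it from the pool and destroys it (start + t)


def dds_schedule(t: int, horizon: int) -> list[Generation]:
    """Steps 1-4 of the DDS loop, repeated until 'horizon': instantiate,
    add to pool, remove after t, destroy. Generations are back-to-back so
    the FTP service itself never has a gap."""
    gens, start = [], 0
    while start < horizon:
        gens.append(Generation(len(gens), start, start + t))
        start += t
    return gens


def generation_at(gens: list[Generation], ts: int) -> Generation | None:
    """Which FTP VM generation was serving at time ts (None if outside schedule)."""
    for g in gens:
        if g.start <= ts < g.end:
            return g
    return None


def correlate(gens, exploit_ts: int, pdf_opens: list[tuple[str, int]]):
    """Slide-14 model: a payload planted at exploit_ts lives only until the
    infected generation is destroyed, so the attacker's opportunity is at most
    t. Clients that open the PDF inside that window are at risk; later opens
    hit a clean server. Returns (at_risk, safe) for the time-correlation alert."""
    infected = generation_at(gens, exploit_ts)
    at_risk, safe = [], []
    for client, ts in pdf_opens:
        if infected and exploit_ts <= ts < infected.end:
            at_risk.append(client)
        else:
            safe.append(client)
    return at_risk, safe


# Constructed log extract: FTP server exploited at 700 s; three clients open
# the malformed PDF at 800 s, 1150 s and 1300 s.
EXPLOIT_TS = 700
PDF_OPENS = [("client-a", 800), ("client-b", 1150), ("client-c", 1300)]
GENS = dds_schedule(T, horizon=3000)
```

With T = 600 the exploited generation lives from 600 s to 1200 s, so client-a and client-b are flagged and client-c, opening at 1300 s, met a freshly provisioned server.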

Page 19

Adaptive Authentication: Preventive Approach

(Screenshot: Username: wolfd, Password: 0ct0rulz. Verdict: HIGH RISK: Require stronger authentication.)

How it works

1. The attacker tries to log into the internal restricted document store, which leverages adaptive authentication functionality.

2. The document store passes the authentication credentials and the observed network data (IP, device fingerprint) to AMx.

3. AMx calculates a high risk score because the authentication credentials had not previously been used from the observed device.

4. The document store prompts the attacker for secondary authentication: an OTP that is sent via SMS to the legitimate user.

19
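The four steps above as an added example, not RSA’s AMx: a small risk engine remembers which devices and IPs each user’s credentials have been seen from, scores a login, and the document store steps up to the SMS OTP when the score is high. The weights, the threshold, the fingerprints and the login history are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

HIGH_RISK = 70  # score at or above this forces a second factor (assumed threshold)


@dataclass
class RiskEngine:
    """Stand-in for AMx: per-user history of devices and IPs seen."""
    devices_seen: dict[str, set[str]] = field(default_factory=dict)
    ips_seen: dict[str, set[str]] = field(default_factory=dict)

    def score(self, user: str, ip: str, fingerprint: str) -> tuple[int, list[str]]:
        score, reasons = 0, []
        if fingerprint not in self.devices_seen.get(user, set()):
            score += 70  # the slide's case: credentials never used from this device
            reasons.append("device fingerprint never seen for this user")
        if ip not in self.ips_seen.get(user, set()):
            score += 20
            reasons.append("source IP never seen for this user")
        return score, reasons

    def learn(self, user: str, ip: str, fingerprint: str) -> None:
        """Called only after a fully successful login, so a passed OTP
        enrols the new device; a failed or unanswered step-up does not."""
        self.devices_seen.setdefault(user, set()).add(fingerprint)
        self.ips_seen.setdefault(user, set()).add(ip)


def authenticate(engine: RiskEngine, user: str, password_ok: bool,
                 ip: str, fingerprint: str, otp_ok: bool | None = None) -> str:
    """Document-store side: password first, then the risk score, then a
    step-up to the SMS OTP when the score is HIGH RISK."""
    if not password_ok:
        return "denied"
    score, _ = engine.score(user, ip, fingerprint)
    if score >= HIGH_RISK and otp_ok is not True:
        return "otp-required"
    engine.learn(user, ip, fingerprint)
    return "allowed"


def demo() -> dict[str, str]:
    eng = RiskEngine()
    eng.learn("wolfd", "10.0.0.5", "laptop-fp-1")  # constructed login history
    return {
        "legit_laptop": authenticate(eng, "wolfd", True, "10.0.0.5", "laptop-fp-1"),
        # stolen credentials replayed from the attacker's machine: step-up blocks them
        "stolen_creds": authenticate(eng, "wolfd", True, "203.0.113.9", "attacker-fp"),
        "stolen_creds_wrong_otp": authenticate(eng, "wolfd", True, "203.0.113.9", "attacker-fp", otp_ok=False),
        # the real user on a new phone answers the OTP once; the device is then trusted
        "new_phone_with_otp": authenticate(eng, "wolfd", True, "10.0.0.5", "phone-fp-2", otp_ok=True),
        "new_phone_again": authenticate(eng, "wolfd", True, "10.0.0.5", "phone-fp-2"),
    }
```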

Page 20

Analytics: Responsive Approach

(Diagram: Data Center feeds Logs, Risk Profile, Watch Lists and Contextual Data into the Security Management Data Warehouse.)

How it works

1. Logs from endpoints and servers, and VM snapshot data from the Deployment Dynamics services, are stored in Greenplum.

2. Given knowledge of a document leak from external sources, the system backtracks through the log data to identify the past network activity of all endpoints which accessed the leaked document.

3. Intermediate results are further correlated with the VM re-provisioning snapshot meta-data to narrow down suspicious points of server infection and the sources of the document leak.

20
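Steps 2 and 3 above as an added example, not RSA’s Greenplum pipeline: starting from a known leaked document it lists the endpoints that read it, flags external traffic after the read, and ties earlier FTP fetches to a VM generation whose snapshot showed tampering. The log records, the snapshot meta-data and the address ranges are constructed.

```python
# Constructed endpoint/server log records: (timestamp, endpoint, event, detail).
ACCESS_LOG = [
    (100, "client-a", "ftp_get", "ftp-gen-1"),         # fetched from FTP VM generation 1
    (120, "client-a", "open_pdf", "invoice.pdf"),
    (300, "client-a", "doc_read", "roadmap.docx"),
    (310, "client-a", "net_conn", "203.0.113.9:443"),  # external after the read
    (400, "client-b", "doc_read", "roadmap.docx"),
    (420, "client-b", "net_conn", "10.0.0.7:445"),     # internal file server
    (500, "client-c", "doc_read", "budget.xlsx"),
]
# Constructed snapshot meta-data from Deployment Dynamics: when each FTP VM
# generation was live and whether its snapshot differed from the clean image.
SNAPSHOTS = {
    "ftp-gen-1": {"live": (0, 600), "tampered": True},
    "ftp-gen-2": {"live": (600, 1200), "tampered": False},
}
INTERNAL_PREFIXES = ("10.", "192.168.")


def is_external(addr: str) -> bool:
    return not addr.startswith(INTERNAL_PREFIXES)


def endpoints_touching(doc: str) -> list[str]:
    """Step 2: every endpoint that read the leaked document."""
    return sorted({ep for _, ep, ev, d in ACCESS_LOG if ev == "doc_read" and d == doc})


def backtrack(leaked_doc: str) -> dict[str, dict]:
    """Steps 2-3: replay each such endpoint's history, flag external traffic
    after the read, and tie earlier FTP fetches to a tampered VM generation."""
    report = {}
    for ep in endpoints_touching(leaked_doc):
        history = sorted(e for e in ACCESS_LOG if e[1] == ep)
        read_ts = min(ts for ts, _, ev, d in history if ev == "doc_read" and d == leaked_doc)
        external = [d for ts, _, ev, d in history
                    if ev == "net_conn" and ts > read_ts and is_external(d)]
        sources = [d for ts, _, ev, d in history
                   if ev == "ftp_get" and ts < read_ts
                   and SNAPSHOTS.get(d, {}).get("tampered")]
        report[ep] = {"external_after_read": external, "infection_source": sources}
    return report


if __name__ == "__main__":
    for ep, finding in backtrack("roadmap.docx").items():
        print(ep, finding)
```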

Page 21

Behavior Analytics: Learning Approach

(Diagram: inputs to the Analytics Engine: folder creation, file creation, read/write activity, network activity, dynamic reputation, blacklist, payload analysis. Scenario: user opens email, Zeus infects VMs.)

How it works

1. Data flows from multiple VMs, mirrored by the hypervisor, and is sent to the analytics engine.

2. The engine analyzes the individual inputs and their relationships.

3. The engine ties multiple events together and, if they look suspicious, an alert is generated.

4. Every alert arrives with a severity score and the reason why the alert was generated.

21
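Steps 1 to 4 above as an added example, not RSA’s engine: hypervisor-mirrored events from two VMs are tied together per VM, a reputation blacklist and a simple payload check enrich them, and an alert with a severity score and reasons is raised only when several independent indicators line up. The weights, window, blacklist and sample events are constructed.

```python
from collections import defaultdict

WINDOW = 300   # seconds within which events on one VM are tied together (assumed)
ALERT_AT = 50  # severity at or above this raises an alert (assumed threshold)
BLACKLIST = {"203.0.113.9"}  # constructed dynamic-reputation blacklist
WEIGHTS = {"folder_create": 5, "file_create": 10, "rw_activity": 10,
           "net_activity": 15, "blacklist_hit": 40, "payload_suspicious": 30}


def enrich(event):
    """Derive the reputation and payload signals from a raw mirrored event."""
    ts, vm, kind, detail = event
    signals = [kind]
    if kind == "net_activity" and detail.split(":")[0] in BLACKLIST:
        signals.append("blacklist_hit")
    if kind == "file_create" and "\\Temp\\" in detail and detail.endswith(".exe"):
        signals.append("payload_suspicious")
    return ts, vm, signals, detail


def analyze(events):
    """Tie events per VM inside WINDOW of that VM's first event; each distinct
    signal counts once, so the score reflects how many independent indicators
    line up, not how chatty the VM is. Returns a list of alerts."""
    by_vm = defaultdict(list)
    for ev in sorted(events):
        by_vm[ev[1]].append(enrich(ev))
    alerts = []
    for vm, evs in by_vm.items():
        first = evs[0][0]
        seen = {}
        for ts, _, signals, detail in evs:
            if ts - first > WINDOW:
                break
            for s in signals:
                seen.setdefault(s, detail)  # first detail that triggered the signal
        severity = min(100, sum(WEIGHTS[s] for s in seen))
        if severity >= ALERT_AT:
            alerts.append({"vm": vm, "severity": severity,
                           "reasons": [f"{s}: {d}" for s, d in seen.items()]})
    return alerts


# Constructed hypervisor-mirrored events (ts, vm, kind, detail) from two VMs.
SAMPLE_EVENTS = [
    (10, "vm-finance", "file_create", "C:\\Users\\wolfd\\AppData\\Local\\Temp\\bot.exe"),
    (12, "vm-finance", "folder_create", "C:\\Users\\wolfd\\AppData\\Roaming\\Xqtr"),
    (15, "vm-finance", "rw_activity", "C:\\Users\\wolfd\\AppData\\Roaming\\Xqtr\\cfg.bin"),
    (20, "vm-finance", "net_activity", "203.0.113.9:443"),
    (30, "vm-hr", "file_create", "C:\\Users\\amy\\Documents\\q3.docx"),
    (35, "vm-hr", "rw_activity", "C:\\Users\\amy\\Documents\\q3.docx"),
    (40, "vm-hr", "net_activity", "10.0.0.20:445"),
]
```

vm-finance accumulates six distinct signals and alerts at the capped severity of 100, while vm-hr’s ordinary file and SMB activity scores 35 and stays silent.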

Page 22

Techniques used in an Intelligent SOC

Risk Model, Adaptive, Analytics, Behavioral Assessment, Dynamics

22

Page 23

The Future Solution: Intelligent SOC, A Holistic Approach

Protect what is important
Efficiently, aggressively and thoroughly secure and comply according to best practices
Make advanced exploits harder: dynamics, sandboxing, isolation in depth, stack integrity monitoring

Identify what is important
Assets and asset relationships
Services and service dependencies
User credentials
Sensitive data

Minimize damage
Leverage comprehensive visibility
Focus using analytics
Respond quickly
Adapt by improving response efficiency by addressing discovered weakness

Disrupt the objective
Interrupt the transaction
Discover the leaked information
Share cyber intelligence (collaborate)
Prosecute aggressively (increase attacker’s cost)

23

Page 24

Summary: CORE Elements of the Intelligent SOC model

“Risk based” security strategy

Predictive modeling and analysis

Leverage techniques in virtualized environments

Self-learning predictive analytics

Automated, adaptive systems

Continual improvement through forensic analysis and community learning

24

Page 25

2011+

The Future

The bad guys will keep getting worse: we have an intelligent opponent!
• E.g. expect a bleed v. butcher approach in malware
• E.g. expect benefits built into malware
• E.g. expect APTs to converge vectors and get faster and more directed to IP

Expect cybercrime to continue to flourish

Expect a resurgence in non-financially motivated, sophisticated APT

Move to a progressively more “intelligent” SOC

GRC gives “Security Management” a chance…
• To be about risk mitigation
• To become more transparent
• To get close to the business
• To be more efficient and reduce focus on tools

25

Page 26

26

Page 27

Thank you!

27