War on Stealth Cyber Attacks: Phishing, DocuSign, Apache Metron

Post on 26-Jan-2017


War on Stealth Cyber Attacks that Target Unknown Vulnerabilities: Investigate, Threat Scope Analysis & Forensics of Advanced Cyber Threats with Apache Metron

George Vetticaden & James Sirota, Apache Metron Committers

© Hortonworks Inc. 2011–2016. All Rights Reserved

Use Case: Phishing Attack


Phishing Attacks

•  What is a Phishing Attack? An attack that “baits” unsuspecting workers into clicking on links in emails and unknowingly giving attackers a toehold in their employers’ systems.

•  From NYTIMES Article (6/13/2016):

“Phishing attacks have become an epidemic. To date, more than 90 percent of breaches have begun with a phishing attack, according to Verizon.

Intelligence experts say that phishing attacks are the preferred method of Chinese hackers who have managed to steal things as varied as nuclear propulsion technology and Silicon Valley’s most guarded software code.”


DocuSign Phishing Attacks

What is DocuSign?

•  Provides electronic signature technology and Digital Transaction Management services for facilitating electronic exchanges of contracts and signed documents.

•  E.g.: If you get a new job, the offer letter will most likely be presented to you as a “DocuSign Doc” which requires an electronic signature.

What is a DocuSign Phishing Attack?

•  Active phishing campaigns using fake DocuSign emails trying to trap employees into opening them up

•  These "secure doc" emails are one of the most misflagged categories of real emails

•  Users have trouble figuring out whether a "secure doc" email is real or a phish


DocuSign Phishing Attack on Company FOO


Use Case Setup

•  On 4/10, a user named Ethan V at Company Foo submits a security ticket complaining about a potential phishing email.

•  The details provided by Ethan V in the ticket are the following:
   –  Ethan receives an email from an internal employee, Sonja Lar, who works on the Finance Team
   –  The email states that a signature is required for a new DocuSign document for a new Stock Option grant granted to Ethan
   –  There is a link in the email to the DocuSign document
   –  Ethan clicks on the link, and a login appears
   –  Ethan enters his SSO credentials and submits
   –  On submission, nothing happens
   –  Ethan calls Sonja, but Sonja states she didn’t send an email
   –  Ethan is worried and then files a helpdesk security ticket

•  A security ticket is created and assigned to the SOC Team

•  A SOC analyst, James, picks up the case to investigate it.


Typical Workflow if Company Foo uses a traditional SIEM tool


Systems Accessed for Investigation/Context

“Investigation” Workflow Steps

•  Step 1: Analyst James searches in the SIEM for any events associated with the user Sonja over the last 24 hours

•  Step 1 Result: Most events are coming from IP Y. But a few events are from IP X, where she is sending email via her Corp Gmail account.

•  Step 2: James does a geo-lookup of IP X and IP Y in Maxmind

•  Step 2 Result: IP X is from Ireland and IP Y is from Southern California

•  Step 3: Corp Foo has offices in Ireland & Los Angeles. James files a ticket with the AD team to find the groups that Sonja belongs to.

•  Step 3 Result: The groups she belongs to are only associated with Los Angeles and not Ireland

•  Step 4: James logs into Foo’s Asset Mgmt system to determine which assets the IPs belong to

•  Step 4 Result: IP Y is Sonja’s workstation while IP X is an unidentified asset

•  Step 5: James logs into Soltra, a threat intel aggregation service, to see if IP X has a threat intel hit.

•  Step 5 Result: IP X has a threat intel hit. Sonja’s account is immediately shut down & Ethan’s credentials have been reset

Story Unfolding

•  Step 1 Insight: Anomalous event. Corp Gmail was decommissioned in favor of Exchange months back and only a few users are currently using it

•  Step 2 Insight: Not possible for the same user to be logging in from Ireland & Southern California at the same time.

•  Step 3 Insight: Unauthorized access is occurring from Ireland

•  Step 4 Insight: Seems like Sonja is in Southern California but someone else pretending to be her is logging in from an unidentified asset

•  Step 5 Insight: Sonja’s account has been compromised. Shut it down; Ethan’s credentials have been reset. But what other users are affected like Ethan?

Systems accessed (diagram): 1 SIEM Search; 2 Maxmind (IP Geo DB); 3 AD (Identity Mgmt.); 4 Asset Mgmt. Inventory; 5 Soltra (Threat Intel)


Systems Accessed for Threat Scope / Forensics / Investigation/Context (diagram)

“Scope of Threat” Workflow Steps

•  Step 6: Searches the SIEM for FireEye and IronPort email events associated with Sonja. The SIEM doesn’t have that info

•  Step 6 Result: Need to log into FireEye and IronPort

•  Step 7: Logs into FireEye Email Threat Prevention Cloud & IronPort to find all emails sent from Sonja from that malicious IP

•  Step 7 Result: Has a list of all users that the phishing email was sent to. Can reset the password for all those users

Story Unfolding

•  Step 1–5 Insights: as on the previous slide

•  Step 6 Insight: The SIEM doesn’t have all the FireEye email events I need to determine scope

•  Step 7 Insight: Understand the scope of the threat and can contain it.

“Forensics” Workflow Steps

•  Step 8: Logs into Cisco IronPort to determine when the attacker first compromised Sonja’s Gmail account

•  Step 8 Result: On 3/26, a user from Ireland logged into Sonja’s Corp Gmail account

•  Step 8 Insight: Understands when Sonja’s Gmail account was first compromised

•  Step 9: Logs into Intermedia, an email archive system, to understand how the account was compromised

•  Step 9 Result: Sees a set of emails where the attacker spoofed someone else’s email address, “warmed up” her with a few emails, and then sent an email with a link that Sonja clicked on, which stole her credentials

•  Step 9 Insight: Understand how Sonja’s account got compromised

Systems Accessed for Remediation: Exchange (Primary Email Service); Corp Gmail (Secondary Email Service); AD & SSO (Identity Provider & SSO)

Systems accessed (diagram): 1, 6 SIEM Search; 2 Maxmind (IP Geo DB); 3 AD (Identity Mgmt.); 4 Asset Mgmt. Inventory; 5 Soltra (Threat Intel); 7 FireEye (Email Cloud Security); 8 Cisco IronPort (Email On-Premise Security); 9 Intermedia (Email Archive)
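The nine manual pivots above, carried out as code over constructed telemetry. This is an added example and not code from the slides or from the Apache Metron project: the in-memory tables stand in for the SIEM, Maxmind, AD, the asset inventory, Soltra and the mail gateways, and every IP address, user, group, timestamp and link in it is an assumption made up for the example (Python 3.7 or newer).

```python
"""Constructed telemetry for the Company Foo phishing case described on these slides.

Added example, not Apache Metron code: it replays the analyst's nine pivots (SIEM
search, Maxmind, AD, asset inventory, Soltra, FireEye/IronPort, Intermedia) as joins
over small in-memory tables, so one call builds the whole threat story. Every IP,
user name, group, timestamp and address below is made up for the example.
"""

# Step 1 input: the activity events a SIEM would hold for user "sonja" (constructed).
AUTH_EVENTS = [
    {"ts": "2016-03-26T02:10:00", "user": "sonja", "src_ip": "203.0.113.7", "service": "corp_gmail", "action": "login"},
    {"ts": "2016-04-09T09:00:00", "user": "sonja", "src_ip": "10.20.30.40", "service": "exchange", "action": "login"},
    {"ts": "2016-04-09T09:05:00", "user": "sonja", "src_ip": "203.0.113.7", "service": "corp_gmail", "action": "send"},
    {"ts": "2016-04-09T09:30:00", "user": "sonja", "src_ip": "10.20.30.40", "service": "exchange", "action": "read"},
]
# Step 2: stand-in for the Maxmind IP geo database.
GEO = {"203.0.113.7": "Ireland", "10.20.30.40": "Southern California"}
# Step 3: stand-in for AD group membership and the office each group belongs to.
AD_GROUPS = {"sonja": ["finance-la", "all-la-staff"]}
GROUP_OFFICE = {"finance-la": "Southern California", "all-la-staff": "Southern California"}
# Step 4: stand-in for the asset management inventory.
ASSETS = {"10.20.30.40": "sonja-workstation"}
# Step 5: stand-in for the Soltra threat-intel aggregator (indicator -> feed that listed it).
THREAT_INTEL = {"203.0.113.7": "Soltra:phishing-infrastructure"}
# Steps 7-9: mail gateway / archive events (FireEye, IronPort and Intermedia stand-in).
MAIL_EVENTS = [
    {"ts": "2016-03-20T11:00:00", "from": "hr@foo.invalid", "to": "sonja", "src_ip": "203.0.113.7", "links": []},
    {"ts": "2016-03-22T11:00:00", "from": "hr@foo.invalid", "to": "sonja", "src_ip": "203.0.113.7", "links": ["https://sign.invalid/login"]},
    {"ts": "2016-04-09T09:05:00", "from": "sonja", "to": "ethan", "src_ip": "203.0.113.7", "links": ["https://sign.invalid/login"]},
    {"ts": "2016-04-09T09:06:00", "from": "sonja", "to": "priya", "src_ip": "203.0.113.7", "links": ["https://sign.invalid/login"]},
]


def enrich(event):
    """Steps 2-5 at once: attach geo, asset, expected offices (from AD) and threat intel."""
    ip = event["src_ip"]
    offices = {GROUP_OFFICE[g] for g in AD_GROUPS.get(event["user"], [])}
    return {**event,
            "geo": GEO.get(ip, "unknown"),
            "asset": ASSETS.get(ip, "unidentified"),
            "expected_offices": sorted(offices),
            "threat_intel": THREAT_INTEL.get(ip)}


def investigate(user, events=AUTH_EVENTS):
    """Steps 1-5: source IPs used by the user, each with the reasons it looks suspicious."""
    findings = {}
    for ev in (enrich(e) for e in events if e["user"] == user):
        reasons = []
        if ev["service"] == "corp_gmail":   # decommissioned service, few legitimate users left
            reasons.append("uses decommissioned service corp_gmail")
        if ev["geo"] not in ev["expected_offices"]:
            reasons.append("geo %s outside AD offices %s" % (ev["geo"], ev["expected_offices"]))
        if ev["asset"] == "unidentified":
            reasons.append("source is not an inventoried asset")
        if ev["threat_intel"]:
            reasons.append("threat intel hit: " + ev["threat_intel"])
        if reasons:
            findings.setdefault(ev["src_ip"], set()).update(reasons)
    return {ip: sorted(r) for ip, r in findings.items()}


def scope(user, bad_ip, mail=MAIL_EVENTS):
    """Step 7: everyone who received mail sent as the user from the malicious IP (credentials to reset)."""
    return sorted({m["to"] for m in mail if m["from"] == user and m["src_ip"] == bad_ip})


def forensics(user, bad_ip, events=AUTH_EVENTS, mail=MAIL_EVENTS):
    """Steps 8-9: when the account was first used from the malicious IP, and the lure mails before it."""
    logins = sorted(e["ts"] for e in events
                    if e["user"] == user and e["src_ip"] == bad_ip and e["action"] == "login")
    first = logins[0] if logins else None
    # ISO-8601 strings compare chronologically, so no datetime parsing is needed here.
    lures = [m for m in mail if m["to"] == user and m["src_ip"] == bad_ip and (first is None or m["ts"] < first)]
    return {"first_compromise": first,
            "lure_senders": sorted({m["from"] for m in lures}),
            "lure_count": len(lures),
            "credential_link": next((link for m in lures for link in m["links"]), None)}


def threat_story(user):
    """Steps 1-9 chained: the story the analyst assembled by hand across seven tools."""
    suspects = investigate(user)
    story = {"suspicious_ips": suspects}
    for ip, reasons in suspects.items():
        if any(r.startswith("threat intel hit") for r in reasons):
            story["reset_credentials_for"] = scope(user, ip)
            story["forensics"] = forensics(user, ip)
    return story


if __name__ == "__main__":
    import json
    print(json.dumps(threat_story("sonja"), indent=2))
```

Each of the analyst's steps becomes a join against a context table, which is the point the deck makes about Metron: once geo, asset, identity and threat-intel context are attached to every event at ingest time, the investigation, scope and forensics questions are queries rather than logins to seven tools.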


The “Threat Story” the Workflow Told….


The Challenges faced by the SOC Analyst to Create this Story…

Challenge

•  The analyst had to jump from the SIEM to more than 7 different tools, which took up valuable time.

•  It took more than 24 hours across 2 SOC shifts to investigate, determine scope, remediate and do further forensics/investigation.

•  Half of my time was spent getting the context needed for me to create the story

•  The threat was detected too late. Instead of detecting the incident on 4/9, the threat should have been detected on 3/20 when the attacker spoofed Sonja’s email address

Need

•  Want a centralized view of my data so I don’t have to jump around and learn other tools. Eliminate manual tasks to investigate a case

•  Need to discover bad stuff quicker

•  Need the system to create the context for me in real-time

•  The current static rules in the SIEM didn’t detect the threat. Need smart analytics based on:
   –  User Sonja hasn’t used Corp Gmail in the last 3 months
   –  User Sonja can’t log in from Ireland and Southern California at the same time
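The two analytics named in the last bullets, as an added example that is not code from the slides or from Apache Metron (which would express such rules in its profiler and Stellar language). The login events, the geo table standing in for Maxmind, the 90-day dormancy window and the 900 km/h travel ceiling are assumptions chosen for the example (Python 3.7 or newer).

```python
"""Two behavioral analytics this slide asks for, run over constructed login events.

Added example, not Apache Metron code. The events, the geo table, the 900 km/h
travel ceiling and the 90-day dormancy window are all assumptions for the example.
  1. dormant service: a user logs in to a service they have not touched in 90 days
  2. impossible travel: two logins by one user whose distance/time implies a speed
     no traveler reaches
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed stand-in for the Maxmind geo database: IP -> (label, latitude, longitude).
GEO = {
    "10.20.30.40": ("Los Angeles", 34.05, -118.24),
    "10.20.30.41": ("Los Angeles", 34.05, -118.24),
    "203.0.113.7": ("Dublin", 53.35, -6.26),
}
MAX_SPEED_KMH = 900.0   # assumption: roughly airliner cruising speed
DORMANT_DAYS = 90       # "hasn't used corp gmail in the last 3 months"

# Constructed login events. Sonja's corp_gmail logins come from Dublin while her
# Exchange activity comes from Los Angeles; Ethan is a control user with nothing odd.
EVENTS = [
    {"ts": "2015-12-01T10:00:00", "user": "sonja", "service": "corp_gmail", "src_ip": "10.20.30.40"},
    {"ts": "2016-03-26T02:10:00", "user": "sonja", "service": "corp_gmail", "src_ip": "203.0.113.7"},
    {"ts": "2016-04-09T08:00:00", "user": "ethan", "service": "exchange", "src_ip": "10.20.30.40"},
    {"ts": "2016-04-09T09:00:00", "user": "sonja", "service": "exchange", "src_ip": "10.20.30.40"},
    {"ts": "2016-04-09T09:05:00", "user": "sonja", "service": "corp_gmail", "src_ip": "203.0.113.7"},
    {"ts": "2016-04-09T12:00:00", "user": "ethan", "service": "exchange", "src_ip": "10.20.30.41"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    h = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def _by_time(events):
    return sorted(events, key=lambda e: e["ts"])   # ISO-8601 strings sort chronologically


def dormant_service_alerts(events, dormant_days=DORMANT_DAYS):
    """Flag a login to a service the same user last used more than dormant_days ago.
    A user's first-ever login to a service is not flagged: there is no baseline yet."""
    alerts, last_seen = [], {}
    for ev in _by_time(events):
        t, key = datetime.fromisoformat(ev["ts"]), (ev["user"], ev["service"])
        prev = last_seen.get(key)
        if prev is not None and (t - prev).days > dormant_days:
            alerts.append({"user": ev["user"], "service": ev["service"], "ts": ev["ts"],
                           "days_dormant": (t - prev).days, "src_ip": ev["src_ip"]})
        last_seen[key] = t
    return alerts


def impossible_travel_alerts(events, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive logins by one user whose implied speed exceeds max_speed_kmh.
    Events whose IP has no geo record are skipped rather than guessed at."""
    alerts, last = [], {}
    for ev in _by_time(events):
        geo = GEO.get(ev["src_ip"])
        if geo is None:
            continue
        t = datetime.fromisoformat(ev["ts"])
        prev = last.get(ev["user"])
        if prev is not None:
            pt, pgeo = prev
            km = haversine_km(pgeo[1], pgeo[2], geo[1], geo[2])
            hours = max((t - pt).total_seconds() / 3600.0, 1 / 3600.0)  # floor at one second
            if km / hours > max_speed_kmh:
                alerts.append({"user": ev["user"], "from": pgeo[0], "to": geo[0], "km": round(km),
                               "minutes": round((t - pt).total_seconds() / 60), "ts": ev["ts"]})
        last[ev["user"]] = (t, geo)
    return alerts


if __name__ == "__main__":
    for alert in dormant_service_alerts(EVENTS) + impossible_travel_alerts(EVENTS):
        print(alert)
```

Both rules are stateful per user, which is exactly what a static SIEM rule lacks: the dormancy rule needs the user's last use of each service, and the travel rule needs the user's previous login location. Run against the constructed events, the dormancy rule fires on the 3/26 Corp Gmail login (the first foreign login the forensics step found by hand) and the travel rule fires on the 4/9 Los Angeles-to-Dublin pair five minutes apart.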


Same Workflow if Company Foo used Apache Metron


Demo


Do Investigation, Find Scope and Perform Forensics Using only Metron (diagram)

Systems Accessed for Remediation: Exchange (Primary Email Service); Corp Gmail (Secondary Email Service); AD & OKTA (Identity Provider & SSO)

Systems Accessed for Investigation/Context: Maxmind (IP Geo DB); AD (Identity Mgmt.); Asset Mgmt. Inventory; Soltra (Threat Intel)

Systems Accessed to Determine Scope: FireEye (Email Cloud Security); Cisco IronPort (Email On-Premise Security)

Systems Accessed for Forensics: Intermedia (Email Archive)


Do Investigation, Find Scope and Perform Forensics Using only Metron

•  Metron will make it easier and faster to find the real issues I need to act on, with real-time enrichment

•  Provides a single pane of glass for investigation, scope analysis and forensics

•  Metron can take everything that is known about a threat and check for it in real time

•  For Advanced Persistent Threats (APT), Metron can model the historical behavior of whoever I am impersonating and flag me as I try to deviate


Metron Architecture (diagram)

Telemetry Data Sources: Network Data (PCAP, Netflow, Bro, etc.); IDS (Suricata, Snort, etc.); Threat Intelligence Feeds (Soltra, OpenTaxi, third-party feeds); Security Endpoint Devices (FireEye, Palo Alto, BlueCoat, etc.); Machine Generated Logs (AD, App/Web Server, Firewall, VPN, etc.)

Telemetry Data Collectors: Performant Network Ingest Probes; Real-Time Enrich/Threat Intel Streams; Telemetry Parsers / Other

Telemetry Ingest Buffer

Cyber Security Stream Processing Pipeline (Real-Time Processing Cyber Security Engine): Telemetry Parsers; Enrichment; Threat Intel; Alert Triage; Indexers & Writers

Data Services & Integration Layer: Modules; Community Analytical Models; Search and Dashboarding Portal; Security Data Vault; Provisioning, Mgmt & Monitoring

Real-time Processing Engine (diagram)

Telemetry sources: PCAP, NETFLOW, DPI, IDS, AV, EMAIL, FIREWALL, HOST LOGS

1  Telemetry Event Buffer, fed by (7a) Fast Telemetry Ingest from a Network Tap via Custom Performant Probes and (7b) Telemetry Ingest

2  PARSE, NORMALIZE, TAG, VALIDATE, PROCESS

3  ENRICH: USER, ASSET, GEO, WHOIS, CONN

4  LABEL with threat intel from STIX, Flat Files, Aggregators, Model As A Service, Cloud Services

5  ALERT PERSIST: Alert, PCAP Store, Security Data Vault

6  Data & Integration Services: Custom Metron UI/Portals, Real-Time Search, Interactive Dashboards, Data Modelling, Integration Layer, PCAP Replay, Security Layer

Apache Metron Logical Architecture
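The numbered stages of the logical architecture (parse, normalize, tag, validate, enrich, label, alert persist) as a small in-memory pipeline over raw telemetry lines. Added example, not Apache Metron code: Metron runs these stages as Storm topologies with one parser per source type and Stellar enrichment functions. The two line formats, the field names, the geo, asset and threat-intel tables and the sample lines are all constructed for the example.

```python
"""PARSE, NORMALIZE, TAG, VALIDATE, ENRICH, LABEL and ALERT/PERSIST as one small
in-memory pipeline over raw telemetry lines. Added example, not Apache Metron code:
both line formats, all field names and the geo, asset and threat-intel tables are
constructed for the example.
"""
import ipaddress
import json
import re
from datetime import datetime, timezone

# Constructed raw telemetry: key=value firewall lines and an IDS alert as JSON.
RAW_LINES = [
    "fw01 2016-04-09T09:05:00Z action=allow src=203.0.113.7 dst=10.0.0.25 dport=443",
    '{"timestamp": "2016-04-09T09:05:03Z", "src_ip": "203.0.113.7", "dest_ip": "10.0.0.25", '
    '"alert": {"signature": "credential phishing landing page"}}',
    "fw01 2016-04-09T09:06:00Z action=allow src=10.20.30.40 dst=10.0.0.25 dport=443",
    "fw01 2016-04-09T09:07:00Z action=allow src=999.1.1.1 dst=10.0.0.25 dport=443",  # bad IP
    "fw01 this line has no fields at all",                                            # unparseable
]
GEO = {"203.0.113.7": "Ireland", "10.20.30.40": "Southern California"}    # Maxmind stand-in
ASSETS = {"10.20.30.40": "sonja-workstation", "10.0.0.25": "sso-portal"}  # inventory stand-in
THREAT_INTEL = {"203.0.113.7": "phishing-infrastructure"}                 # Soltra/STIX stand-in
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FW_RE = re.compile(r"^(?P<host>\S+) (?P<ts>\S+) action=(?P<action>\w+) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def parse(line):
    """PARSE: choose the parser by the line's shape; None means no parser understood it."""
    if line.startswith("{"):
        try:
            d = json.loads(line)
            return {"source_type": "ids", "ts": d["timestamp"], "src": d["src_ip"],
                    "dst": d["dest_ip"], "signature": d["alert"]["signature"]}
        except (ValueError, KeyError, TypeError):
            return None
    m = FW_RE.match(line)
    return None if m is None else {"source_type": "firewall", **m.groupdict()}


def normalize(parsed):
    """NORMALIZE: common field names and an epoch-millisecond timestamp for every source type."""
    try:
        ts = datetime.strptime(parsed["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    event = {"source.type": parsed["source_type"], "timestamp": int(ts.timestamp() * 1000),
             "ip_src_addr": parsed["src"], "ip_dst_addr": parsed["dst"]}
    event.update({k: v for k, v in parsed.items() if k in ("host", "action", "dport", "signature")})
    return event


def validate(event):
    """VALIDATE: return a reason to drop the event, or None if later stages can use it."""
    for field in ("ip_src_addr", "ip_dst_addr"):
        try:
            ipaddress.ip_address(event[field])
        except ValueError:
            return "invalid %s %r" % (field, event[field])
    return None


def tag(event):
    """TAG: cheap labels for later stages and searches; runs after VALIDATE so the IP is well formed."""
    src = ipaddress.ip_address(event["ip_src_addr"])
    event["tags"] = [event["source.type"]]
    if any(src in net for net in INTERNAL_NETS):   # RFC 1918 space, not ip_address.is_private
        event["tags"].append("internal-source")
    return event


def enrich(event):
    """ENRICH: geo and asset context joined at ingest time instead of looked up by an analyst later."""
    event["enrichments"] = {"geo": GEO.get(event["ip_src_addr"], "unknown"),
                            "src_asset": ASSETS.get(event["ip_src_addr"], "unidentified"),
                            "dst_asset": ASSETS.get(event["ip_dst_addr"], "unidentified")}
    return event


def label(event):
    """LABEL: flag the event when either address matches a threat-intel indicator."""
    event["threat_intel"] = [THREAT_INTEL[ip] for ip in (event["ip_src_addr"], event["ip_dst_addr"])
                             if ip in THREAT_INTEL]
    event["is_alert"] = bool(event["threat_intel"])
    return event


def run_pipeline(lines):
    """'indexed' is what the Security Data Vault would hold, 'alerts' what ALERT PERSIST would carry."""
    indexed, alerts, dropped = [], [], []
    for line in lines:
        parsed = parse(line)
        event = normalize(parsed) if parsed else None
        if event is None:
            dropped.append((line, "unparseable"))
            continue
        problem = validate(event)
        if problem:
            dropped.append((line, problem))
            continue
        event = label(enrich(tag(event)))
        indexed.append(event)
        if event["is_alert"]:
            alerts.append(event)
    return {"indexed": indexed, "alerts": alerts, "dropped": dropped}


if __name__ == "__main__":
    result = run_pipeline(RAW_LINES)
    for a in result["alerts"]:
        print(a["source.type"], a["ip_src_addr"], a["enrichments"]["geo"], a["threat_intel"])
    print("dropped:", result["dropped"])
```

Two design points matter for a production pipeline and are visible here: validation runs before any stage that dereferences a field (so a malformed address is recorded as dropped rather than crashing the enrichment), and the "internal" tag tests the organisation's own address ranges explicitly, since Python's `is_private` also returns True for documentation ranges such as 203.0.113.0/24.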


Analytics


Old School vs. New School Security Controls (diagram)

Old School -> (1-1): Email Security Rules; Firewall Rules; IDS Rules; Sandbox Rules; DLP Rules

New School -> (1-*): Email Classifier; Alerts Triage; Malware Family Classifier; Network Behavior Classifier; UEBA System


Analytics (diagram)

Metron Security Data Analytics Platform (HDF, HDP): Descriptive, Diagnostic, Predictive, Prescriptive

Model as a Service

Data sources: Deep Packet; Netflow; Appliance Logs; Alerts; Host Logs; Social Media; Email; Chat; Forums; Playbook; Workflow; HR; IR; Mobile Devices; Machine Exhaust; IoT; Datasets; Access Logs; Malware Binaries; Sandbox; Honeypot; Deception; SaaS

Enrichment: Geo Enrich; Host Enrich; App. Enrich; Identity Enrich; Domain Enrich; Business Enrich; CMDB Enrich; Compl. Enrich

Knowledge Graph: Entity Profiles; Interaction Graph; Web Mining

Use Cases: Insider Threat; Data Access Management; Breach Detection; Exfiltration; Lateral Movement; Malware Detection; Alerts Triage; Remediation


Thank You

George Vetticaden & James Sirota, Apache Metron Committers


Learn, Share at Birds of a Feather: Streaming, DataFlow & Cybersecurity

Thursday June 30, 6:30pm, Ballroom C