NetWitness

Date post: 12-Jan-2015
Upload: techbiz-forense-digital
Description:
NetWitness solutions capture all the data circulating on the network and put it in context, filtering out what may or may not be critical. The user can see who is going where and seeing what.
Page 1: NetWitness

Copyright 2011 © All rights reserved. NetWitness Corporation | Confidential and Proprietary

APTs and the Failure of Prevention

Presented by: Wayne Goeckeritz, Director of Channels, NetWitness Corporation

[email protected]

Page 2: NetWitness


Agenda

»Discussion Regarding Threat Environment

»Advanced / Persistent Threats – In Context

»Rethinking Network Monitoring – A Quick Case Study

»Take-Aways and Q&A

Page 3: NetWitness


Malware/APT continues to grow

“State of the Internet” Report, Akamai Technologies

Page 4: NetWitness

Security SUCKS!

Page 5: NetWitness


Risk Management 101?

» Spear phishing attacks

» Poisoned websites and DNS – “Drive-by” attacks

» Pervasive infection (e.g., ZeuS, Aurora, Stuxnet, Night Dragon, etc.)

» Malware and more malware resulting from all of the above…

» Undetected data exfiltration, leakage, and covert network comms

» Ongoing product vulnerabilities (e.g. Adobe, Microsoft, Oracle)

» Social Networking / Mobility / Web 2.0

» Cloud Computing / Other unknown risk profiles

Page 6: NetWitness

Who Really 0wns Your Network?

Page 7: NetWitness


Tracking the Opposing I/T Organization

[Diagram of the eCrime ecosystem. Node labels as extracted: Master Criminals; Malware Writers; Malware Distribution Service; Botnet Owners; Spammers; Botnet Services; Phishing; Keyloggers; Drop Sites; Data Acquisition Service; Data Mining & Enrichment; Data Sales; Identity Collectors; Validation Service (Card Checkers); Card Forums; ICQ; Credit Card Users; eCommerce Site; Retailers; Banks; eCurrency; Drop Service; Wire Transfer; Gambling; Payment Gateways; Cashing $$$.]

Page 8: NetWitness


Are Security Teams Failing? Definitely…

»People

Underestimate the complexity and capability of the threat actors

Do not take proactive steps to detect threats

»Process

Organizations have misplaced IT measurements and program focus

IR processes lack correct data and focus

»Technology

Current technology is failing to detect APT, APA, and other threats

Deep holes in network visibility

Page 9: NetWitness

RISK = Threats x Assets x Vulnerabilities

Something missing here…

Page 10: NetWitness


The Malware Problem

»54% of breaches involved customized malware (no signature was available at time of exploit) (VzB/USSS, 2010)

»87% of records stolen were from Highly Sophisticated Attacks (VzB/USSS, 2010)

»91% of organizations believe exploits bypassing their IDS and AV systems to be advanced threats (Ponemon, 2010)

"With security researchers now uncovering close to 100,000 new malware samples a day, the time and resources needed to conduct deep, human analysis on every piece of malware has become overwhelming." (GTISC Emerging Cyber Threats Report 2011)

Page 11: NetWitness


Current Technologies Are Failing - Firewalls

Intent – Prevent or limit unauthorized connections into and out of your network

Reality – Adversaries are designing malware to use “allowed paths” (DNS, HTTP, SMTP, etc.) to provide reliable and hard-to-detect C&C and data exfiltration channels from inside your internal network. Even worse, they are using encrypted tunnels to provide “reverse-connect” for full remote control capabilities.

Firewalls

Page 12: NetWitness


The Gaps in Status Quo Security – IDS/ IPS

Intent – Alert on or prevent known malicious network traffic

Reality – Attackers are using obfuscation methods to prevent IDS signatures from recognizing malicious traffic, and client-side attacks that don’t perform “network-based” exploitation

Even worse: Intrusion Prevention Systems are largely left unimplemented or crippled due to fears of business impact

Intrusion Detection/ Prevention Systems

Page 13: NetWitness


The Gaps in Status Quo Security – Anti-Malware

Intent – Prevent malicious code from running on an endpoint, or from traversing your network

Reality – Most current anti-malware technologies are signature-based, requiring constant signature updates to remain effective. Due to the current level of malware production, these signatures lag behind from days to weeks

Even worse…adversaries create custom malware for high value targets. If they don’t use widespread distribution, you are even less likely to have timely signatures.

Anti-Malware Technologies

From a top AV Vendor Forum

Page 14: NetWitness


2010 Ponemon Institute Advanced Threats Survey

»We know what we need to do, but we are not doing it…

Page 15: NetWitness


2010 Ponemon Institute Advanced Threats Survey

»Do the math yourself…

Page 16: NetWitness


ATTACKER FREE TIME

[Timeline diagram, horizontal axis: Time. Attacker-side labels as extracted: Attack Forecast, Target Analysis, Attack Set-up, Attack Begins, Access Probe, System Intrusion, Discovery / Persistence, Leap Frog Attacks, Attacker Surveillance, Maintain foothold, Cover-up Starts, Cover-up Complete. Defender-side labels as extracted: Physical Security, Monitoring & Controls, System Reaction, Defender discovery, Attack Identified, Threat Analysis, Impact Analysis, Incident Reporting, Response, Damage Identification, Containment & eradication, Recovery.]

Need to collapse attacker free time

Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)

New Security Concept: “OFFENSE IN DEPTH”

Page 17: NetWitness


John Smith, CISO

Page 18: NetWitness


Thinking Differently about Network Monitoring…or, how I learned to love full packet capture…

Page 19: NetWitness

There ARE specific targets…

Page 20: NetWitness


What Questions Are Vexing Today?

» Why are packed or obfuscated executables being used on our systems?

» What critical threats are my Anti-Virus and IDS missing?

» I am worried about targeted malware and APTs -- how can I fingerprint and analyze these activities in my environment?

» We need to better understand and manage the risks associated with insider threats – I want visibility into end-user activity and to be alerted on certain types of behavior.

» On our high value assets, how can we have certainty that our security controls are functioning exactly as implemented?

» How can I detect new variants of Zeus or other 0day malware on my network?

» We need to examine critical incidents as if we had an HD video camera recording it all…

Page 21: NetWitness


Typical Scenario These Days…

»Visit from the FBI saying, “You have a problem – information is being taken”

Perhaps IP addresses of compromised machines are provided

You might be told that certain types of files or email is being stolen

The CEO does not pay much attention to cyber, generally, but now it has his/her full attention

What do you do now?

»Knee-jerk reaction: take down these systems/networks, image the drives, rebuild the machines, life goes on, etc.

WRONG!!

»How do you know what has happened or is really still happening on the network?

Page 22: NetWitness


What’s really happening (in many cases)…

»If it’s an advanced persistent threat (APT), the adversary is quite entrenched and has been there for a while

It’s not simply a piece of malware you can detect and eradicate

Both COTS variants (ZeuS) and specific custom tools (e.g., file search tools)

»They have the ability to change techniques, control channels, SSL certs, hours of operation, etc.

Commands scheduled on individual Windows machines

Text files containing lists of target files

RAR’d bunches of targeted files ready to be moved off the network in any number of communication pathways

Spear phishing attacks using bogus mailboxes created on mail system

»Their true approach is not always the obvious one

C & C servers in places like HVAC or other low profile systems, versus file servers

Drop locations are not in China or Belarus, but in the U.S.

Page 23: NetWitness


Sample Approach to Resilience

Page 24: NetWitness


Today’s adversaries leverage every weakness

»Failure of AV and IDS to detect both ZeuS and other known exploits, and unknown emerging threat problems

»Security program weaknesses:

Open domain admin accounts

Passwords backed up in clear text files

Postings on public forums containing questions regarding organization’s firewall rules

Flat security architecture (no segmentation of traffic)

Inadequate use of firewall ACLs and logging

»Lack of other prudent security techniques such as full packet capture, DNS blackholing, two factor authentication, etc.

Page 25: NetWitness


Who is NetWitness? A quick introduction

Page 26: NetWitness


Security teams in high threat environments:

•5 of the Fortune 10

•70% of US Federal agencies

•Over 45,000 security experts around the world

Recognized for outstanding performance:

•#21 in the 2010 Inc. 500, including #1 in the U.S. in enterprise software companies

•Winner of the SC People’s Choice Award and numerous other industry achievements

Security Leaders Leverage NetWitness

“Traditional security measures like firewalls, intrusion detection, patch management, anti-virus, single tier DMZs are not enough to stop the new threats.”

CISO, Major U.S. Federal Agency

“NetWitness is the last security appliance you will ever need to buy.”

Josh Corman, 451 Group

“NetWitness is a cutting edge vendor for Network Analysis and Visibility.”

John Kindervag, Forrester Research

“I rely upon NetWitness to detect and analyze malware that no other product can find.”

Director of Incident Response, NY Health Care Provider

Page 27: NetWitness


Changes on the horizon…

Page 28: NetWitness


Enabling A Revolution in Network Monitoring – NetWitness Product Tour

Page 29: NetWitness


Understanding the NetWitness Network Monitoring Platform


Automated Malware Analysis and Prioritization

Automated Threat Reporting, Alerting and Integration

Freeform Analytics for Investigations and Real-time Answers

Revolutionary Visualization of Content for Rapid Review

Page 30: NetWitness


Signature-Free, Automated Malware Analysis, Prioritization, and Workflow

Spectrum

• Mimics the techniques of leading malware analysts by asking thousands of questions about an object without requiring a signature or a known “bad” action

• Leverages NetWitness Live by fusing information from leading threat intelligence and reputation services to assess, score, and prioritize risks

• Utilizes NetWitness’ pervasive network monitoring capability for full network visibility and extraction of all content across all protocols and applications

• Provides transparency and efficiency to malware analytic processes by delivering complete answers to security professionals

Page 31: NetWitness


Automated Analysis, Reporting and Alerting

Informer

• Flexible dashboard, chart and summary displays for a unified view of threat vectors

• Get automatic answers to any question for…

• Network Security

• Security / HR

• Legal / R&D / Compliance

• I/T Operations

• HTML, CSV and PDF report formats included

• Supports CEF, SNMP, syslog, SMTP data push for full integration in SIEM and other network event management

Page 32: NetWitness


Getting Answers to the Toughest Questions

Investigator

»Interactive data-driven session analysis of layer 2-7 content

»Award-winning, patented, port agnostic session analysis

»Infinite freeform analysis paths and content /context investigation points

»Data presented as the user experienced (Web, Voice, Files, Emails, Chats, etc.)

»Supports massive data-sets

Instantly navigate terabytes of data

Fast analytics – analysis that once took days now takes minutes

»Freeware Version used by over 45,000 security experts worldwide

Page 33: NetWitness


A New Way to Look at Information

Visualize

» Revolutionary visual interface to content on the network

Extracts and interactively presents images, files, objects, audio, and voice for analysis

Supports multi-touch, drilling, timeline and automatic “play” browsing

Rapid review and triage of content

Page 34: NetWitness


Case Study: Understanding a Custom ZeuS-based APT Spear Phishing Attack

Page 35: NetWitness

Finding bad things on the network: Are all ZeuS variants created equal?

Page 36: NetWitness


Realities: Continued Targeted Attacks Against USG Assets

»There has been an ongoing campaign associated with forged emails containing targeted ZeuS infections

»Typical scenario is email from some “reliable” email address containing spear phishing text of interest and link to custom ZeuS site

»Parallels: this approach directly imitates non-USG mass eCrime ZeuS approaches

Subject: DEFINING AND DETERRING CYBER WAR
From: [email protected]

Army War College, Carlisle Barracks, PA 17013‐5050
December 2009

DEFINING AND DETERRING CYBER WAR

Since the advent of the Internet in the 1990s, not all users have acted in cyberspace for peaceful purposes. In fact, the threat and impact of attack in and through cyberspace has continuously grown to the extent that cyberspace has emerged as a setting for war on par with land, sea, air, and space, with increasing potential to damage the national security of states, as illustrated by attacks on Estonia and Georgia. Roughly a decade after the advent of the Internet, the international community still has no codified, sanctioned body of norms to govern state action in cyberspace. Such a body of norms, or regime, must be established to deter aggression in cyberspace. This project explores the potential for cyber attack to cause exceptionally grave damage to a state’s national security, and examines cyber attack as an act of war. The paper examines efforts to apply existing international norms to cyberspace and also assesses how traditional concepts of deterrence apply in cyberspace. The project concludes that cyber attack, under certain conditions, must be treated as an act of war, that deterrence works to dissuade cyber aggression, and provides recommendations to protect American national interests.


Source: iSightpartners

Page 37: NetWitness


Page 38: NetWitness


Which AV Product Sucks the LEAST!!! ?

Page 39: NetWitness


“DPRK has carried out nuclear missile attack on Japan”

»AV effectively “neutered” by overwriting the OS hosts file

»Attempts to retrieve updates from vendor update server hosts routed to 127.0.0.1

»Back to our “ATTACKER FREE TIME” DISCUSSION: if AV didn’t pick up the malware initially, it never will now
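The hosts-file trick on this slide can be checked for from the defender's side. The script below is an added example, not NetWitness code: it parses hosts-file text and flags entries that pin update-server names to loopback or 0.0.0.0. The vendor name fragments, the sinkhole address list and the sample hosts file are constructed assumptions.

```python
"""Flag hosts-file entries that send security-vendor update hosts to loopback.

Added example (not from the deck). The attack described on the slide rewrites
the OS hosts file so AV update servers resolve to 127.0.0.1; this check reports
such entries. Name fragments and sample data below are constructed.
"""
import ipaddress
import re

# Constructed watch-list of name fragments typical of update hosts (assumption).
UPDATE_HOST_PATTERNS = ("update", "liveupdate", "download", "definitions")

# Destinations that effectively blackhole a lookup.
SINKHOLE_NETS = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/32"),
    ipaddress.ip_network("::1/128"),
)


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; skip rather than guess
        for name in fields[1:]:
            yield ip, name.lower(), line_no


def is_sinkholed(ip):
    """True if the address lands in one of the blackhole ranges."""
    return any(ip in net for net in SINKHOLE_NETS)


def looks_like_update_host(name):
    """Heuristic match against the constructed update-host fragments."""
    return any(p in name for p in UPDATE_HOST_PATTERNS)


def find_neutered_updates(text):
    """Return (line_no, hostname, ip) for update hosts mapped to a sinkhole."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if is_sinkholed(ip) and looks_like_update_host(name):
            findings.append((line_no, name, str(ip)))
    return findings


# Constructed sample hosts file; the .test names are not real vendors.
SAMPLE_HOSTS = """\
# constructed sample; not a real hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       liveupdate.example-av.test   # attacker-added
127.0.0.1       update.example-av.test
0.0.0.0         definitions.example-av.test
10.0.0.5        intranet.example.test
"""

if __name__ == "__main__":
    for line_no, name, ip in find_neutered_updates(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

On a live system the same function can be fed the contents of /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts.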

Page 40: NetWitness


Infection Progression – Nothing Unusual

»After a user clicks on the link, the file “report.zip” is downloaded from dnicenter.com

»If user opens the file, the malware is installed

»Malware is actually a Zeus variant; author used techniques to hamper reverse-engineering / analysis of the binary

Page 41: NetWitness


Further Network Forensics Evidence…

» ZeuS configuration file download

» This type of problem recognition can be automated


Page 42: NetWitness


»Malware stealing files of interest to the drop server in Minsk

»FTP drop server still is resolving to same address

»Early on March 8, 2010, server cleaned out and account disabled

»username: mao2 password: [captured]


Page 43: NetWitness


Files harvested from victim machines in drop server (located in Minsk, Belarus)

» FTP drop hosted in Minsk, with directory listing of 14 compromised hosts containing exfiltrated data


Page 44: NetWitness


» Time graph of beaconing activity and metadata showing comms to C&C server – all via “allowed pathways”

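The beaconing the time graph on this slide shows can be surfaced from connection metadata alone, without any signature. The script below is an added example, not NetWitness code: it groups constructed flow records by source, destination and port, measures the regularity of the gaps between connections, and flags pairs that check in on a near-fixed schedule. The record format, thresholds and sample flows are constructed assumptions.

```python
"""Flag periodic check-ins ("beaconing") between a host pair in flow records.

Added example (not from the deck). Groups connection records by
(src, dst, dport), computes inter-connection gaps, and reports pairs whose
timing is regular enough to look machine-driven. All thresholds and the
sample records are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

MIN_CONNECTIONS = 6   # assumption: fewer samples are too noisy to judge
MAX_CV = 0.15         # assumption: stdev/mean at or below this = regular timing


def parse_records(lines):
    """Parse constructed 'epoch src dst dport' lines into tuples."""
    out = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ts, src, dst, dport = raw.split()
        out.append((int(ts), src, dst, int(dport)))
    return out


def interval_stats(timestamps):
    """Return (mean_gap, coefficient_of_variation) for sorted timestamps."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def find_beacons(records):
    """Map (src, dst, dport) -> (count, mean_gap, cv) for regular talkers."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in records:
        by_pair[(src, dst, dport)].append(ts)
    beacons = {}
    for key, stamps in by_pair.items():
        if len(stamps) < MIN_CONNECTIONS:
            continue
        stamps.sort()
        m, cv = interval_stats(stamps)
        if cv <= MAX_CV:
            beacons[key] = (len(stamps), m, cv)
    return beacons


# Constructed sample: one host checks in every ~300 s over port 80 (an
# "allowed pathway"); another host talks to a site at irregular intervals.
SAMPLE_FLOWS = """
# epoch      src         dst            dport
1268035200  10.1.2.33  203.0.113.7   80
1268035501  10.1.2.33  203.0.113.7   80
1268035798  10.1.2.33  203.0.113.7   80
1268036102  10.1.2.33  203.0.113.7   80
1268036399  10.1.2.33  203.0.113.7   80
1268036701  10.1.2.33  203.0.113.7   80
1268037000  10.1.2.33  203.0.113.7   80
1268035210  10.1.2.44  198.51.100.9  443
1268035290  10.1.2.44  198.51.100.9  443
1268036900  10.1.2.44  198.51.100.9  443
1268036905  10.1.2.44  198.51.100.9  443
1268038000  10.1.2.44  198.51.100.9  443
1268038012  10.1.2.44  198.51.100.9  443
""".splitlines()

if __name__ == "__main__":
    hits = find_beacons(parse_records(SAMPLE_FLOWS))
    for (src, dst, dport), (n, m, cv) in hits.items():
        print(f"{src} -> {dst}:{dport}  n={n} mean={m:.0f}s cv={cv:.3f}")
```

Real beacons often add jitter, so the CV threshold is a tuning knob; the flagged pair is a lead for the session-level review the deck describes, not a verdict.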

Page 45: NetWitness


Conclusions

Page 46: NetWitness


[Chart axis: Highest Value (top) to Lowest Value (bottom), ranking the data sources listed below.]

Combating Advanced Threats Requires More and Better Information…

Data Source – Description

Firewalls, Gateways, etc. – Overwhelming amounts of data with little context, but can be valuable when used within a SIEM and in conjunction with network forensics.

IDS Software – For many organizations, the only indicator of a problem, and only for known exploits. Can produce false positives and is limited by signature libraries.

NetFlow Monitoring – Network performance management and network behavioral anomaly detection (NBAD) tools. Indicators of changes in traffic flows within a given period, for example, DDoS. Limited by lack of context and content.

SIEM Software – Correlates IDS and other network and security event data and improves the signal-to-noise ratio. Is valuable to the extent that data sources have useful information and are properly integrated, but lacks the event context that can be provided by network forensics.

Real-time Network Forensics (NetWitness) – Collects the richest network data. Provides a deeper level of advanced threat identification and situational awareness. Provides context and content to all other data sources and acts as a force multiplier.

Page 47: NetWitness


Take-Away

»Advanced adversaries and emerging threats require revolutionary thinking

»Current security paradigms are completely broken -- all organizations (including yours) will be compromised – no matter how good your security team

»The real objective should be improving visibility at the application layer -- this goal requires complete knowledge of the network and powerful analytic tools and processes

»Goals:

»Lower risk to the organization

Improve incident response through shortened time to problem recognition and resolution

Reduce impact and cost related to cyber incidents

Generate effective threat intelligence and cyber investigations

»Reduce uncertainty surrounding the impact of new threat vectors

»Conduct continuous monitoring of critical security controls

»Achieve situational awareness – being able to answer any conceivable cyber security question – past, present or future


Page 48: NetWitness


Q&A

»Email: [email protected]

»Website: http://www.netwitness.com

»Twitter: @netwitness

»Blog: http://www.networkforensics.com

Know Everything…Answer Anything.
