ISC8 Company Proprietary ©2013 ISC8 Inc. All rights reserved
Targeted Cyber Attack
Everyone is a Target
Always Connected Always Exposed
Modern media keeps us constantly connected and in contact with other people
Most of the time we have no explicit visibility of what kind of data has been exchanged by our device:
• Where we are (Geo information)
• Who we are (MSISDN, IMEI, etc.)
• What we are doing (FB, Twitter, and so on)
Always Connected Always Exposed
Personal information as well as business related information can be “exfiltrated” without leaving evidence
Personal information is silently disseminated everywhere
Footprints are left everywhere
Footprint Left
Social Networking
Traditional Attacks
Category | What is it | Spread technique
Virus | Malicious code embedded in a program or file | Human intervention (USB, download, email, etc.)
Worm | Stand-alone malicious program | Replicates itself by exploiting OS vulnerabilities
Trojan | Attack software disguised as a useful program | Trickery – disguised as something the user wants
Botnet | Group of infected computers operating with a common purpose | Usually delivered as Trojans
Spyware | Software that collects personal and sometimes confidential information | Trickery – disguised as something the user wants
Social Engineering Attacks
Category | What is it | Spread technique
Baiting | Tempting an individual to put themselves at risk | ‘Lost’ or ‘free’ physical device such as a USB stick or CD-ROM
Phishing | Tricking a user into revealing confidential information to a mistakenly ‘trusted’ source | Email links
Pharming | DNS poisoning to return false results to query resolutions | Constantly spread, affecting
Vulnerability Exploit Attacks
Category | What is it | Spread technique
Buffer Overflow | Intentional overflow of memory to execute invalid instructions | Direct machine attack
SQL Injection | Attempts to execute privileged SQL commands in a database to extract information | Direct machine attack
Advanced Persistent Threat Market Statistics
Notable victims of attacks in 2012 (countless more victims go unreported)
• 75 million unique examples of malware in 2012(2), growing at 50,000 / day
• 59% of enterprises are “certain or fairly certain” that they’ve been the target of an APT(3)
• 69% of APT victims are NOTIFIED BY AN EXTERNAL ENTITY, not internal detection
• 416: median number of days that the attackers were present on a victim network BEFORE detection(1)
APT Victims by sector (n = 120 firms) [pie chart]: Commercial, Defense Industrial Base, Non-profit/think tank/non-government organizations, Foreign Government, U.S. Government (chart values: 42%, 31%, 13%, 7%, 5%, 2%)
Commercial Sector Breakdown: Automotive 2%, Space and Satellites and Imagery 19%, Cryptography & Communications 20%, Mining 2%, Energy 18%, Legal 9%, Investment Banking 3%, Media/Public Relations 10%, Hospitality 2%, Chemical 5%, Technology 10%
(1) Unattributed data courtesy of M-Trends Report 2012, www.mandiant.com
(2) Network World
(3) www.bit9.com
Today’s Perimeter Defenses Do Not Stop APTs
Gartner: “Traditional malware protection systems are well past the peak of their effectiveness. ...Malware threats continue to overwhelm traditional defensive techniques.”(1)
(1) Gartner - Endpoint Protection in the Age of Tablets and Cloud, Peter Firstbrook, 2/1/2012
External vs. Internal Threats
Most external threats are defeated by traditional means.
Next-generation malware and Advanced Persistent Threats (APTs) are different.
Typical Attack Lifecycle of APTs
[cycle diagram] Stages: Intrusion; Establish Presence & Backdoor; Obtain User Credentials; Exploration; Pivoting; Maintain Persistence; Data Extraction (centre label: Persistence)
Example Case
Scenario: Sensitive or Personal information found on public site such as Blog or Forum
Need: Identify the author from the fact
Requirement: Monitor activities and correlate actions with their respective authors
Cyber adAPT – Architecture
Sensor Collection Points (SCPs)
• Monitors trunk ports going into core
• Generates events and collects summary data
• Passive network sensor
• 10G interfaces
Control System Unit
• Controls and configures adAPT devices
• Provides UI for adAPT
• Provides main interface for all adAPT components
Analytics Correlation System
• Rules-based analysis of events from SCPs
• Alarm generation and summary data correlation
• Collection and storage of summary data from suspected host
Cyber adAPT Value Propositions
• Detection of advanced malware techniques and behavior inside a network prior to harm occurring
• Detection of malicious activity within an enterprise network undetectable by perimeter security devices
• Doesn’t depend on patterns that require updating as new malware is detected
• Tracking of malicious activity back to infected host
– Malware propagation detection
• Collection of summary data to provide post alarm analytics and forensics
• High bandwidth (10Gbps+) sensors to allow monitoring near core of network
• Multi-tiered rules based analytics to reduce false positives and provide enhanced correlated evidence of malicious activity
Threat Management Cases
Identify Established Malware
• Malware bypasses traditional security perimeter using USB drive
• Elevated permissions allow malware to hide from client software
• Detect malware as it moves inside the network
• Shut down access before malware completes objective
Improve Security Posture
• Identify weaknesses in current security capabilities
– Executable movement
– Command and Control activities
– Network / target scanning
– Data staging
– Data exfiltration
• Provide necessary tools to develop higher security capabilities
Baseline Network Behavior
• Identify anomalous behaviors
– Unauthorized protocols
– Excessive data volume transfers
– Unusual time-of-day accesses
– Connections to fake update servers
– Out-of-policy encryption techniques
• Improved understanding of network activity enables better security
Secure VPN
• Remote partner must have VPN access into parts of corporate network
• VPN hosts are restricted via ACLs
• Additional monitoring required to ensure VPN users do not circumvent restrictions
• Behavior-based adAPT monitors usage of all network resources by VPN users
• Quickly alert if unauthorized servers, protocols or data are accessed
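The Baseline Network Behavior and Secure VPN cases above describe rule-based checks over flow summaries: unauthorized protocols, excessive transfer volumes, unusual time-of-day access, and VPN users reaching servers they are not allowed to. The Python below is an added example of that kind of baselining, not ISC8 or adAPT code; the flow-record layout, the policy tables, the thresholds and the flow records themselves are all constructed for illustration.

```python
"""Rule-based baseline checks over flow summaries.  Added example, not ISC8/adAPT
code: record layout, policy tables, thresholds and the sample flows are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed policy (assumption): protocols permitted on the monitored segment,
# business hours, the servers a VPN partner may reach, and a per-host daily
# egress ceiling above which a transfer counts as "excessive".
ALLOWED_PROTOCOLS = {"HTTP", "HTTPS", "DNS", "SMTP", "FTP"}
BUSINESS_HOURS = range(7, 20)                 # 07:00-19:59 local time
VPN_ALLOWED_SERVERS = {"10.0.5.10", "10.0.5.11"}
VPN_USERS = {"vpn-partner"}
EGRESS_THRESHOLD_BYTES = 500 * 1024 * 1024   # 500 MiB per source host per day

# Constructed flow summaries: (timestamp, src, dst, protocol, bytes, user).
FLOWS = [
    ("2013-03-04T09:15:00", "10.0.1.5", "10.0.5.10", "HTTPS", 20_000, "alice"),
    ("2013-03-04T10:02:00", "10.0.1.5", "10.0.5.11", "HTTP", 5_000, "alice"),
    ("2013-03-04T03:12:00", "10.0.1.9", "198.51.100.7", "HTTPS", 900_000_000, "bob"),
    ("2013-03-04T11:40:00", "10.0.9.2", "10.0.5.10", "HTTPS", 3_000, "vpn-partner"),
    ("2013-03-04T11:41:00", "10.0.9.2", "10.0.7.3", "SSH", 12_000, "vpn-partner"),
]


def check_flows(flows):
    """Return a list of (rule, detail) alerts for the given flow summaries.

    Per-flow rules fire immediately; the egress rule aggregates bytes per
    (source host, day) first, so many small transfers are caught as well as
    one large one."""
    alerts = []
    egress = defaultdict(int)          # (src, date) -> bytes sent
    for ts, src, dst, proto, nbytes, user in flows:
        when = datetime.fromisoformat(ts)
        if proto not in ALLOWED_PROTOCOLS:
            alerts.append(("unauthorized-protocol", f"{src}->{dst} {proto} by {user}"))
        if when.hour not in BUSINESS_HOURS:
            alerts.append(("off-hours-access", f"{src}->{dst} at {ts} by {user}"))
        if user in VPN_USERS and dst not in VPN_ALLOWED_SERVERS:
            alerts.append(("vpn-out-of-policy", f"{user} reached {dst} via {proto}"))
        egress[(src, when.date())] += nbytes
    for (src, day), total in egress.items():
        if total > EGRESS_THRESHOLD_BYTES:
            alerts.append(("excessive-egress", f"{src} sent {total} bytes on {day}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in check_flows(FLOWS):
        print(f"{rule:22s} {detail}")
```

On the constructed flows this raises four alerts: bob's 03:12 transfer trips both the off-hours and the egress rule, and the VPN partner's SSH session to 10.0.7.3 trips both the protocol and the VPN policy rule. In a real deployment the policy tables would come from the asset inventory and ACLs rather than being hard-coded, and the thresholds would be derived from the observed baseline rather than guessed.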
Main Screen [screenshot]
Notifications by Volume [screenshot]
Disallowed Application by Subnet Report [screenshot]
Notification Details [screenshot]
What about our personal data?
Provide long-term retention including associated author
• Assumptions:
– The author is not known; the action is deduced because it is public
– Identify authors of inappropriate activities (e.g. YouTube, forum posts)
Extract valuable data from ALL the communication flows and label them with their authors
ISC8 Cyber NetFalcon
The first Big Data solution for Cyber Security
• Long-term record of network traffic activity: months and years
• Application, protocol and user-level information
• Near real-time analytics, search and retrieval
• Scalability to largest networks and long time windows
• Cost effective to deploy and scale
• Fine-grained administrative controls
Complements packet capture and LI technologies
Proven: deployed at scale worldwide
Networking Big Data
Cyber NetFalcon
NetFalcon – Instantaneous Analysis of Big Network Data
[chart] Horizontal axis, Data Source: Machine Activity (logs, data dumps, configuration, events) versus Network Activity (real-time activity between network devices). Vertical axis, Scale (throughput speeds + historical log): Small to Big. Items placed on the chart: SIEM; Big Machine Data Tools; packet capture limited to 10GBs traffic over hours / days; weeks / months @ 40Gbs = Big Network Data.
BIG Data: large complex data sets that are difficult to capture, store, search, share, analyze or visualize. 10Gb/s = 216TBytes/day
NetFalcon Benefits
Cyber event attribution
Fast and effective incident response
Investigate insider or outsider threats
Map relationships between individuals in cyberspace
Associate cyber to real-world identity
Establish communication histories between individuals
Identify individuals responsible for “anonymous” criminal communications
Other Compelling Use Cases
Investigate the organization of illegal and violent demonstrations
Identify origin of publicly declared threats
Track the Leak of Classified Documents
Uncover the associates of an identified criminal
Identify bloggers/owners of anonymous comments on the blog site
Identify Hackers of Government or commercial websites
Deep Packet Inspection Probing
Far beyond legacy Layer 3/4 flow recording
Far beyond protocol DPI
Extraction of specific protocol or application info
Enables vastly richer data mining and information set
Enables run-time “user” identification through correlation
[diagram] Packet Identification covers L2 Ethernet, L3 Internet Protocol (IP) and L4 Transport Layer (TCP/UDP). Deep Protocol Inspection covers L5 – L7: Email (SMTP, POP3, IMAP), Web (HTTP/S), File Transfer (FTP, Gopher), Instant Messaging (IM), Peer-to-Peer (P2P) Applications.
Deep Packet Inspection Probing
Deep Application Inspection
No. Time Source Destination Protocol Info
167207 0.756202890 10.145.19.66 10.145.19.90 GTP <HTTP> GET /img/2009/11/21/90x90-alg_image.jpg HTTP/1.1
Frame 167207 (671 bytes on wire, 671 bytes captured)
Ethernet II, Src: Ericsson_ed:81:b0 (00:01:ec:ed:81:b0), Dst: JuniperN_67:5f:f1 (00:23:9c:67:5f:f1)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 202
Internet Protocol, Src: 65.213.148.66 (65.213.148.66), Dst: 65.213.148.6 (65.213.148.6)
User Datagram Protocol, Src Port: blackjack (1025), Dst Port: gtp-user (2152)
GPRS Tunneling Protocol
Internet Protocol, Src: 10.145.19.66 (10.145.19.66), Dst: 10.145.19.90 (10.145.19.90)
Transmission Control Protocol, Src Port: 53585 (53585), Dst Port: http (80), Seq: 1, Ack: 3683, Len: 565
Hypertext Transfer Protocol
GET /img/2009/11/21/90x90-alg_image HTTP/1.1\r\n
[Expert Info (Chat/Sequence): GET /img/2009/11/21/90x90-alg_image.jpg HTTP/1.1\r\n]
[Message: GET /img/2009/11/21/90x90-alg_image.jpg HTTP/1.1\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Method: GET
Request URI: /img/2009/11/21/90x90-alg_image.jpg
Request Version: HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2; en-us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.18\r\n
Referer: http://www.nydailynews.com/real_estate/2010/01/01/2010-01-01_iconic_nyc_restaurant_tavern_on_the_green_closes_its_doors_friday_after_a_final_.html\r\n
Accept: */*\r\n
Accept-Language: en-us\r\n
Accept-Encoding: gzip, deflate\r\n
Cookie: WT_FPC=id=18.15.2.12-3609171504.30087201:lv=1277848799597:ss=1277848799597\r\n
Connection: keep-alive\r\n
Host: assets.nydailynews.com\r\n
\r\n
Intelligent Metadata Summaries
Protocol: Email
Application: POP3
UserID: Alice_bad
Password: hav0c
Following: crime
Members: Bob, Charlie
Posts: 2345 bytes
…
Protocol: SIP
Application: Yate, etc.
PhoneID: 4237893547
ServerID: hav0c
Contacts: crime
Call Status: Bob, Charlie
…: 2345 bytes
…
Protocol: MSN
Application: Messenger
UserID: Alice_bad
Password: hav0c
Chatroom: crime
Members: Bob, Charlie
Chat size: 2345 bytes
…
100s of protocols with 1000s of metadata attributes turn network activity into a powerful searchable medium
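The dissection two slides back ends at the raw HTTP request, while the cards on this slide are the form an analyst actually searches. As an added example (not ISC8 or NetFalcon code), the Python below reduces that request, recovered from the GTP-encapsulated frame, to one metadata card. The request text is reconstructed from the dissection shown earlier; the card's field names and the choice of which headers count as identifiers are my own, and the cookie handling is written so that a value containing `=` (as the WT_FPC cookie does) is not mangled.

```python
"""Reduce a decoded HTTP request to a searchable metadata card.  Added example,
not ISC8/NetFalcon code; field names are the author's own choice."""

# Request text reconstructed from the dissection on the earlier slide
# (constructed input for this example, not a live capture).
SAMPLE_REQUEST = (
    "GET /img/2009/11/21/90x90-alg_image.jpg HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2; en-us) "
    "AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.18\r\n"
    "Referer: http://www.nydailynews.com/real_estate/2010/01/01/2010-01-"
    "01_iconic_nyc_restaurant_tavern_on_the_green_closes_its_doors_friday_after_a_final_.html\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-us\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Cookie: WT_FPC=id=18.15.2.12-3609171504.30087201:lv=1277848799597:ss=1277848799597\r\n"
    "Connection: keep-alive\r\n"
    "Host: assets.nydailynews.com\r\n"
    "\r\n"
)


def parse_http_request(raw):
    """Split a request into (method, uri, version, headers).

    Header names are lower-cased so lookups do not depend on the client's
    capitalisation.  Only the first ':' separates name from value, so header
    values that themselves contain ':' (URLs, the cookie) stay intact.  A
    malformed request line raises ValueError rather than yielding a bogus card."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("not an HTTP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue                     # tolerate junk lines from a damaged capture
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers


def parse_cookies(cookie_header):
    """Cookie header -> {name: value}; split on the first '=' only."""
    cookies = {}
    for item in cookie_header.split(";"):
        name, sep, value = item.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def summarize_http(raw):
    """Metadata card for one request: the identifiers an analyst later searches
    on (host, URI, referer, user agent, cookie names, a persistent cookie value),
    not the payload itself."""
    method, uri, version, headers = parse_http_request(raw)
    cookies = parse_cookies(headers.get("cookie", ""))
    return {
        "Protocol": "Web",
        "Application": version.split("/")[0],      # "HTTP"
        "Method": method,
        "Host": headers.get("host"),
        "URI": uri,
        "Referer": headers.get("referer"),
        "UserAgent": headers.get("user-agent"),
        "CookieNames": sorted(cookies),
        "ClientCookieID": cookies.get("WT_FPC"),   # persistent first-party cookie, acts as a client identifier
        "RequestBytes": len(raw.encode()),
    }


if __name__ == "__main__":
    for field, value in summarize_http(SAMPLE_REQUEST).items():
        print(f"{field}: {value}")
```

The card keeps the Host, Referer and a persistent cookie value because those are what later lets one request be tied to a browsing session and, through correlation with other sources, to a user; the full payload is deliberately not retained.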
Data Collection and Correlation
Receives flow records from multiple probes
• Ensures correlation of asymmetric flows
Watchlist for data reduction
Integrated support for management infrastructure
• RADIUS user authentication
• Mobile network support (i.e. GGSN links)
• WiMax
• 3G
• 4G/LTE
Data Collection and Correlation
Provides correlation of related data prior to storage writing
• User information
• CPE registration information
• Geo-location data
• L7 content, such as VoIP phone numbers
• Integration of other data structures
Real-time event triggering
Challenge: Physical Identification
[diagram] Three identity layers: Physical Identity, Electronic Identity, Cyber Identity
Different pieces of the same puzzle
[diagram] Puzzle pieces: IM handle, Geo location, MAC Address, Radius ID, Web user, Jane Smith, BSID, VoIP number. Identity layers: Physical Identity, Electronic Identity, Cyber Identity
Correlation Example
[diagram: Applications layer over IP Infrastructure layer]
Correlation Example – Traditional Approach
[diagram: Applications layer over IP Infrastructure layer] Fragments seen in isolation:
BSID:786514234
+1-415-555-1111/EMEI:00382934093/IMSI:17868A
+39-06-5567111/EMEI:0098765/IMSI:27868B
FTPLogin:Mickey/Passwd:duck/Action:PutFile
BSID:786514243
SRC:28.74.54.10/DST:1.1.1.1/Port:80/Prot:HTTP
SRC:128.74.54.10/DST:1.1.1.1/Port:21/Prot:FTP
SRC:128.74.54.10/DST:2.2.2.2/Port:8080/App:Webmail
Correlation Example – NetFalcon Approach
[diagram: Applications layer over IP Infrastructure layer]
BSID:786514234
+1-415-555-1111/EMEI:00382934093/IMSI:17868A
+39-06-5567111/EMEI:0098765/IMSI:27868B
FTPLogin:Mickey/Passwd:duck/Action:PutFile
BSID:786514243
SRC:28.74.54.10/DST:1.1.1.1/Port:80/Prot:HTTP
SRC:128.74.54.10/DST:1.1.1.1/Port:21/Prot:FTP
SRC:128.74.54.10/DST:2.2.2.2/Port:8080/App:Webmail
Fragments linked together: +1-415-555-1111 00382934093 17868A | 786514243 | FTP 1.1.1.1 | Mickey duck PutFile
Correlation Example – NetFalcon Approach
[diagram: Applications layer over IP Infrastructure layer]
BSID:786514234
+1-415-555-1111/EMEI:00382934093/IMSI:17868A
+39-06-5567111/EMEI:0098765/IMSI:27868B
FTPLogin:Mickey/Passwd:duck/Action:PutFile
BSID:786514243
SRC:28.74.54.10/DST:1.1.1.1/Port:80/Prot:HTTP
SRC:128.74.54.10/DST:1.1.1.1/Port:21/Prot:FTP
SRC:128.74.54.10/DST:2.2.2.2/Port:8080/App:Webmail
Fragments linked together: +1-415-555-1111 | 00382934093 17868A 786514243 | FTP 1.1.1.1 | Mickey/duck | PutFile
Record template: RecNo:02A78BH83: [EMEI: /IMSI: ]frm {Session Info: IP: Credential: Action:
Values placed into the record: +1-415-555-1111 00382934093 17868A 786514243 FTP 1.1.1.1 Mickey duck PutFile
Cyber NetFalcon Correlation
Mixes and merges information coming from different sources (probes, network elements, static DB)
Dynamically creates the links between the various entities (Cyber Identity, Electronic Identity and Physical Identity)
Enables real-time synthesis of actionable information
Converts fragmented data into meaningful, actionable intelligence: Who, What, Where and When
Solving the Puzzle
Historical Data Mining / Reporting
[diagram] Cyber Threats T1, T2, T3, T4; Analyst; Cyber NetFalcon
NetFalcon (NF) collects and stores communication records (IPDR, CDR)
Analyst posts queries to retrieve actions’ authors and network presence
Match – Between 1/1 – 1/7: T1 contacted/posted to T3; T3 FTPed to T2; T2 posted on YouTube
Inappropriate content poster spotted
Example Queries
Which IP address was user “bob” associated with in a particular timeframe?
In the past 12 months, which websites has user “bob” visited?
Which websites were visited with greatest frequency?
Which other users did user “bob” contact via email, IM, and VoIP?
What users visited site www.publishsomedata.com?
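The correlation slides show fragments (a cell BSID, a phone number with its IMEI/IMSI, an FTP login, IP-keyed flow records) being joined into one who/what/where/when record, and the queries above are then asked of those records. The Python below is an added example of both steps, not NetFalcon code. Three feeds, the join keys (IP to IMSI via an address lease, IMSI to phone number and cell via the attachment record) and the time-window rule are assumptions; the sample values reuse the ones on the correlation slides, while the IP leases that tie them together and the extra events are constructed. The time check matters: an IP address is recycled, so an event after the lease ended must stay unattributed rather than be pinned on the previous holder.

```python
"""Correlate identity fragments from separate feeds and query the result.
Added example, not NetFalcon code; feeds, join keys and time-window rule are
assumptions, and the leases/events below are constructed."""
from collections import Counter
from datetime import datetime


def t(s):
    return datetime.fromisoformat(s)


# Feed 1 (radio network element): which subscriber was attached to which cell (BSID), and when.
# Values reuse the correlation slides (the slides spell the IMEI field "EMEI").
ATTACHMENTS = [
    {"msisdn": "+1-415-555-1111", "imei": "00382934093", "imsi": "17868A", "bsid": "786514243",
     "start": t("2013-01-03T08:00:00"), "end": t("2013-01-03T12:00:00")},
    {"msisdn": "+39-06-5567111", "imei": "0098765", "imsi": "27868B", "bsid": "786514234",
     "start": t("2013-01-03T08:00:00"), "end": t("2013-01-03T18:00:00")},
]
# Feed 2 (RADIUS / GGSN accounting, constructed): the IP each subscriber held during a session.
ADDRESS_LEASES = [
    {"imsi": "17868A", "ip": "128.74.54.10", "start": t("2013-01-03T08:05:00"), "end": t("2013-01-03T11:30:00")},
    {"imsi": "27868B", "ip": "28.74.54.10", "start": t("2013-01-03T09:00:00"), "end": t("2013-01-03T17:00:00")},
]
# Feed 3 (DPI probe): L7 events that carry only IP addresses, no identity.
EVENTS = [
    {"ts": t("2013-01-03T09:12:00"), "src": "28.74.54.10", "dst": "1.1.1.1", "proto": "HTTP",
     "detail": {"host": "www.publishsomedata.com"}},
    {"ts": t("2013-01-03T10:20:00"), "src": "128.74.54.10", "dst": "1.1.1.1", "proto": "FTP",
     "detail": {"login": "Mickey", "action": "PutFile"}},
    {"ts": t("2013-01-03T10:45:00"), "src": "128.74.54.10", "dst": "2.2.2.2", "proto": "Webmail",
     "detail": {"host": "webmail.example.net", "to": "charlie@example.net"}},
    # Same IP after the lease ended: may belong to someone else, must stay unattributed.
    {"ts": t("2013-01-03T13:00:00"), "src": "128.74.54.10", "dst": "1.1.1.1", "proto": "HTTP",
     "detail": {"host": "www.publishsomedata.com"}},
]


def _active(rows, key, value, at):
    """First row whose key matches and whose [start, end] window covers `at`."""
    for row in rows:
        if row[key] == value and row["start"] <= at <= row["end"]:
            return row
    return None


def correlate(events):
    """Join each IP-keyed event to the subscriber holding that IP at that moment,
    then to that subscriber's cell attachment: one who / what / where / when record.
    Events with no covering lease are kept, but with who/where left empty."""
    records = []
    for ev in events:
        lease = _active(ADDRESS_LEASES, "ip", ev["src"], ev["ts"])
        att = _active(ATTACHMENTS, "imsi", lease["imsi"], ev["ts"]) if lease else None
        records.append({
            "when": ev["ts"], "ip": ev["src"], "dst": ev["dst"], "proto": ev["proto"],
            "detail": ev["detail"],
            "who": (att["msisdn"], att["imei"], att["imsi"]) if att else None,
            "where": att["bsid"] if att else None,
        })
    return records


def ip_for_user(msisdn, at):
    """Which IP address was this subscriber using at a given instant?"""
    att = _active(ATTACHMENTS, "msisdn", msisdn, at)
    lease = _active(ADDRESS_LEASES, "imsi", att["imsi"], at) if att else None
    return lease["ip"] if lease else None


def _by_user(records, msisdn, since=None, until=None):
    for r in records:
        if r["who"] and r["who"][0] == msisdn:
            if (since is None or since <= r["when"]) and (until is None or r["when"] <= until):
                yield r


def sites_visited(records, msisdn, since, until):
    """Hosts this subscriber contacted in the window, most frequent first."""
    counts = Counter(r["detail"]["host"] for r in _by_user(records, msisdn, since, until)
                     if "host" in r["detail"])
    return counts.most_common()


def contacts(records, msisdn):
    """Other parties this subscriber messaged (email / IM / VoIP events carry a 'to')."""
    return sorted({r["detail"]["to"] for r in _by_user(records, msisdn) if "to" in r["detail"]})


def users_who_visited(records, host):
    """Attributed subscribers seen contacting a given site."""
    return sorted({r["who"][0] for r in records if r["who"] and r["detail"].get("host") == host})


if __name__ == "__main__":
    for rec in correlate(EVENTS):
        print(rec["when"], rec["who"], rec["where"], rec["proto"], rec["detail"])
```

With these feeds the FTP PutFile at 10:20 resolves to +1-415-555-1111 / 00382934093 / 17868A in cell 786514243, matching the linked record on the NetFalcon slides, whereas the 13:00 request from the same IP stays unattributed because no lease covers it; the query helpers answer the slide's questions directly from the correlated records.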
Near Real Time Analytics
Near real-time query response regardless of network size and search time window
Proprietary storage system overcomes performance limitations of relational databases
Simple GUI with powerful query structure
Near Real Time Analytics
Summary
Assure your assets are protected
Monitor device behavior and identify what is not ‘normal’ in the specific environment
Ensure a complete, long-term record of network activity
Ability to search back in time and identify who did what, when, where and with whom
Near real-time analytics, regardless of network size and data collected