Combating Advanced Persistent Threats with Flow-based Security Monitoring


Description

Learn how to leverage flow data to:

• Proactively detect attacks
• Mitigate APTs
• Gain forensic intelligence
• Improve situational awareness

Transcript of Combating Advanced Persistent Threats with Flow-based Security Monitoring

Page 1: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Combating Advanced Persistent Threats with Flow-based Security Monitoring

Jeffrey M. Wells, CCIE, CISSP

Sr. Systems Engineer

Lancope

Know Your Network, Run Your Business

Thank you for joining. We will begin shortly.

Page 2: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Poll Question

What is your organization’s top security concern?

A. Insider Threats
B. Advanced Persistent Threats (Directed Attacks)
C. Virtualization / Cloud Computing
D. IT Consumerization / User Mobility / BYOD
E. Compliance

©2011 Lancope, Inc. All Rights Reserved. Company Confidential (not for distribution)

Page 3: Combating Advanced Persistent Threats with Flow-based Security Monitoring

What is an Advanced Persistent Threat?


Page 4: Combating Advanced Persistent Threats with Flow-based Security Monitoring

What is an Advanced Persistent Threat?

Examples: “Operation Aurora” against Google and at least 20 other large companies in 2009; the HBGary attack; the RSA attack, later linked to compromises at over 700 other companies during 2011.


It’s Advanced…

• in that the attacker uses the full spectrum of available tools, including social engineering, to accomplish his or her goals. The toolset and methods mean these attacks will likely evade traditional signature-based detection.

It’s Persistent…

• in that the attacker defines a target and then focuses resources on that target, rather than casting a net in the dark. This is what makes this type of attack so dangerous: rather than playing the odds, one must actively defend oneself against it.

It’s a Threat…

• this should be self-explanatory.

Page 5: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Anatomy of an APT attack - HBGary

HBGary was attacked by Anonymous in February 2011 in response to provocation by an HBGary employee.

HBGary Federal sought to “out” WikiLeaks and associated Anonymous hacker organization

Anonymous finds out and launches full frontal assault on HBGary

HBGary website defaced, emails stolen, backups deleted, twitter and LinkedIn accounts hacked, etc.

Massive damage to HBGary’s reputation

Cleanup could take weeks or months


HBGary vs. Anonymous: Story by Ars Technica http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars

Page 6: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Anatomy of an APT attack - RSA

In February 2011 RSA was subjected to a targeted attack widely attributed to Chinese hackers.

RSA suffered enormous brand damage and was forced to replace existing tokens in the field.

Read more: http://blogs.rsa.com/rivner/anatomy-of-an-attack/


Footnote: this attack was repeated against hundreds of other companies, as revealed by the FBI in the Fall of 2011.

Page 7: Combating Advanced Persistent Threats with Flow-based Security Monitoring

APTs in the news


Page 8: Combating Advanced Persistent Threats with Flow-based Security Monitoring

APTs are here to stay

Facts:

• APTs are an evolution of cybercrime. They are the beginnings of truly organized behavior designed to cost you money.

• APTs are proliferating. There are many examples, and they target pretty much every large company.

• APTs evade traditional detection.

• Many companies do not discover that they’ve been targeted until long after it’s over.


Page 9: Combating Advanced Persistent Threats with Flow-based Security Monitoring

APT characteristics for the investigator

APT will generally involve:

– Information gathering via social media and Google search. This is how the targets for the social engineering phase are identified.

– Exploit of common vulnerabilities in support of the above.

– Targeted social engineering attacks against identified users.

– Compromise of one or more internal machines and installation of remote control software of some kind.

– Data mining from the inside.

– Exfiltration of data.


Network-based APT detection boils down to discovering the command-and-control connections, the data mining, and the exfiltration activity. As with all attacks, success is measured by the time elapsed between attack and discovery.

Page 10: Combating Advanced Persistent Threats with Flow-based Security Monitoring

APT Survey by Ponemon Institute, June 2010

“Prevention and detection of advanced threats is difficult. Organizations risk a costly data breach because detection of an advanced threat takes too long. 80 percent of respondents say it takes a day or longer to detect an advanced threat and 46 percent say it takes 30 days or longer. This leaves a huge window of opportunity to steal confidential or sensitive information. In addition, 79 percent believe that advanced threats are very difficult to prevent, detect and resolve.”

“The most effective technologies have yet to be deployed. 92 percent of respondents believe network and traffic intelligence solutions are essential, very important or important. Yet, only 8 percent say these technologies are their first choice to detect or prevent an advanced threat. 69 percent of respondents say that AV and 61 percent of respondents say that IDS are typically used to detect or discover advanced threats. Yet, 90 percent report that exploits or malware have either evaded their IDS systems or they are unsure. 91 percent say that exploits and malware have evaded their AV systems or they are unsure. The same percentage (91 percent) believes exploits bypassing their IDS and AV systems to be advanced threats.”


Page 11: Combating Advanced Persistent Threats with Flow-based Security Monitoring

User Behavior

[Diagram: one user’s daily traffic between the Internal Network, the DMZ and the Internet]

This goes on, day after day…

And then… FTP to a foreign destination.

This is a Behavioral Anomaly.

Page 12: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Anomalous Behavior

If you’re focused solely on a single actor, behavioral anomalies are relatively simple to spot.


As the observed population increases, it becomes increasingly difficult to spot anomalies.

Where’s Waldo?

Page 13: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Brains and Computers

Our brains happen to be good at focusing on detail or recognizing patterns in limited datasets but very bad at dealing with huge amounts of rapidly-evolving data at once.

Computers, on the other hand, do not suffer from this limitation.


Page 14: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Email interconnection graph


This is a network of devices speaking SMTP. If they spoke something else it would be trivial to detect – as long as we were focusing on this network as a group and not trying to watch all the other systems that live alongside these devices.

Page 15: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Typical Corporate Environment

[Diagram: Internal Network, DMZ, VPN and Internet, with several 3G Internet uplinks]

Even though it seems difficult to enumerate the protocols and behaviors on such a network, a statistical system can do so with ease.

Page 16: Combating Advanced Persistent Threats with Flow-based Security Monitoring

APT Detection Objectives and Requirements

Objectives:

– Discover APT behavior as rapidly as possible

– Discover compromised machines in my environment

– Discover potential exfiltrations of data

– Some sort of scoring or prioritization of alarms to direct response

Requirements:

– Need data sources

– Need collection infrastructure

– Need analysis infrastructure

– Need reporting and alerting engine

Potential data sources:

– SYSLOG, IDS/IPS probes, distributed data capture, SNMP, RMON probes, host AV/AS agents, host IDS/IPS agents

– NetFlow


Page 17: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Data Source Caveats

SYSLOG: Very painful to parse due to the vast number of different potential messages. May or may not contain what you need.

IDS/IPS probes: Expensive to install and maintain, reliance on signature-based technologies makes them less useful for APT detection.

Distributed data capture: Extremely expensive to install and maintain, large amount of hardware required, very inefficient: most of the useful information comes from a tiny percentage of the gathered data.

SNMP: Not enough information on its own to be particularly useful, very slow.

RMON: Expensive to install and maintain, limited support.

Host agents: Expensive to install and maintain, reliance on signature-based technologies not particularly useful, proprietary data output difficult to integrate and correlate, host context limits understanding of network behavior.

Flow-based technology: May not be supported by all of your network hardware. Flow records also carry no payload, so content inspection has to come from another source, and sampled flow export can miss short conversations.


Page 18: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Flow-based monitoring basics

[Diagram: devices across the Internal Network, DMZ, VPN, Internet and 3G Internet links each export NetFlow to a FlowCollector]

NetFlow packets carry, per flow: src and dst ip, src and dst port, start time, end time, mac address, byte count, and more.
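As an added example (not Lancope’s or Cisco’s code), here is a parser for the NetFlow v5 record layout that carries the fields listed above, run against a constructed export datagram. The addresses, byte counts and timestamps in the sample are invented; the length check shows why a collector must verify the header’s record count before trusting it:

```python
"""Parse a NetFlow v5 export datagram into per-flow records.

Added example, not Lancope or Cisco code. NetFlow v5 is a public Cisco format:
a 24-byte header followed by fixed 48-byte records, all big-endian. The sample
datagram is constructed below so this runs offline; addresses and counts are
invented.
"""
import ipaddress
import struct
from dataclasses import dataclass

# version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval
HEADER_FMT = "!HHIIIIBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
# srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
# src_mask, dst_mask, pad2
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48


@dataclass
class FlowRecord:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    tcp_flags: int  # cumulative OR of the TCP flags seen in the flow
    packets: int
    octets: int
    first_ms: int   # exporter sys_uptime (ms) at the first packet
    last_ms: int    # exporter sys_uptime (ms) at the last packet

    @property
    def duration_s(self) -> float:
        return (self.last_ms - self.first_ms) / 1000.0


def parse_netflow_v5(datagram: bytes):
    """Return (header dict, [FlowRecord]); ValueError on a malformed export.

    The record count in the header is checked against the datagram length
    before it is trusted: exporters can truncate and anyone can spoof UDP.
    """
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 export (version={version})")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError(f"header claims {count} records, datagram holds "
                         f"{(len(datagram) - HEADER_LEN) // RECORD_LEN}")
    header = {
        "version": version, "count": count, "sys_uptime_ms": sys_uptime,
        "unix_secs": unix_secs, "unix_nsecs": unix_nsecs, "flow_sequence": flow_seq,
        "engine_type": engine_type, "engine_id": engine_id,
        "sampling_interval": sampling & 0x3FFF,  # top two bits are the sampling mode
    }
    records = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        records.append(FlowRecord(
            src=str(ipaddress.IPv4Address(f[0])), dst=str(ipaddress.IPv4Address(f[1])),
            sport=f[9], dport=f[10], proto=f[13], tcp_flags=f[12],
            packets=f[5], octets=f[6], first_ms=f[7], last_ms=f[8]))
    return header, records


def _record(src, dst, sport, dport, proto, flags, pkts, octets, first_ms, last_ms):
    """Pack one constructed v5 record (next hop 0, ifindex 1 -> 2, /24 masks)."""
    return struct.pack(RECORD_FMT, int(ipaddress.IPv4Address(src)),
                       int(ipaddress.IPv4Address(dst)), 0, 1, 2, pkts, octets,
                       first_ms, last_ms, sport, dport, 0, flags, proto, 0, 0, 0,
                       24, 24, 0)


def build_sample_datagram() -> bytes:
    """Constructed export: a short HTTP session and a five-hour, 12.5 MB FTP
    upload from the same workstation (the slide's 'FTP to foreign destination')."""
    body = (_record("10.1.2.3", "203.0.113.10", 51234, 80, 6, 0x1B, 42, 30_000, 1_000, 3_500)
            + _record("10.1.2.3", "198.51.100.77", 51240, 21, 6, 0x18, 9_800, 12_500_000,
                      4_000, 18_004_000))
    header = struct.pack(HEADER_FMT, 5, 2, 18_010_000, 1_334_700_000, 0, 1_000, 0, 0, 0)
    return header + body


if __name__ == "__main__":
    hdr, flows = parse_netflow_v5(build_sample_datagram())
    print(f"NetFlow v{hdr['version']}, {hdr['count']} records, seq {hdr['flow_sequence']}")
    for r in flows:
        print(f"{r.src}:{r.sport} -> {r.dst}:{r.dport} proto={r.proto} "
              f"bytes={r.octets} duration={r.duration_s:.0f}s")
```

The `first`/`last` fields are exporter uptime, not wall-clock time; a collector converts them using the header’s `unix_secs` and `sys_uptime`, which is also how flows from many exporters get lined up on one timeline.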

Page 19: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Major advantages of flow-based telemetry

Fixed and highly-standardized records easy to create, transport, compress and parse.

Generated by the network hardware you already own.

Generation not specifically limited by topology or data rates.

Simple record types lend themselves to rapid and near-real-time analysis on even the biggest, busiest networks.

Most visibility objectives achievable with no need for probes or signatures.

Hard to evade: every conversation that crosses a flow-enabled device produces a flow record, whatever the payload, so encryption and signature-evasion tricks do not hide the conversation itself. (With sampled export, very short flows can still be missed.)

Can easily be correlated to other data sources to enrich the results.


Page 20: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Example: NetFlow Technology in a Cisco environment

[Diagram: Atlanta, San Jose, New York, Datacenter, DMZ and WAN sites; ASR-1000, Cat6k, Cat4k, 3925 ISR, 3560-X, 3750-X stacks, ASA and UCS with Nexus 1000v all exporting NetFlow to a Lancope NetFlow Collector]

Page 21: Combating Advanced Persistent Threats with Flow-based Security Monitoring

NetFlow at 10G+

[Diagram: Lancope NetFlow Collector]

Page 22: Combating Advanced Persistent Threats with Flow-based Security Monitoring

NetFlow Collection in the WAN

[Diagram: NetFlow packets from WAN sites to a Lancope NetFlow Collector]

Page 23: Combating Advanced Persistent Threats with Flow-based Security Monitoring

NetFlow Technology simplified

[Diagram: NetFlow records compared to a telephone bill]

Page 24: Combating Advanced Persistent Threats with Flow-based Security Monitoring

The Science of Flow Analysis

• Lancope specializes in Behavior-based Network Flow Analysis
• Detects attacks by baselining and analyzing network traffic patterns
• Excellent defense in depth strategy to aid in defense of critical assets
• Over 600 customers world-wide
• Designed for the large enterprise

http://netflowninjas.lancope.com

Page 25: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Flow-based telemetry in action

Page 26: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Visibility into “normal” network behavior.

What is all this HTTP traffic?


Page 27: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Detection of anomalous behavior. Circa 2003!


Page 28: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Manual analysis

Deduplicated Host Groups provide the basis for many Reports, Baselines, Top N lists, etc.


Page 29: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Manual analysis, continued

5 hour 6 Mbps ssh connection?


Page 30: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Flow Statistical Analysis


Page 31: Combating Advanced Persistent Threats with Flow-based Security Monitoring

StealthWatch Threat Indexes – Attack Detection Without Sigs


StealthWatch tracks not only the statistical behavior of normal traffic, but also the behavior of well over a hundred specific network traffic patterns. Concern points are generated by anomalous changes in any, and all, of these. Examples: number of new connections to or from a device; connection attempts that go unanswered (common in scanning); new ports seen; number of clients for a server or service; rejected traffic; long-lived connections. StealthWatch also alerts when the concern index itself changes.
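The scoring just described, as an added example that is not StealthWatch code: a per-host concern index computed from flow records, using four of the indicators named above (a new peer/service for a host, a new destination port, unanswered connection attempts, long-lived high-volume connections) against a baseline built from earlier flows. It also covers the “day after day… and then FTP to a foreign destination” example from the User Behavior slide. The weights, thresholds, hosts and flows are all constructed for illustration:

```python
"""Concern-index scoring over flow records.

Added example, not StealthWatch code. It scores four of the indicators the
slide lists (a new peer/service for a host, a new destination port, unanswered
connection attempts, long-lived high-volume connections) against a per-host
baseline learned from earlier flows: the 'day after day... and then FTP to a
foreign destination' pattern. Weights, thresholds and all sample flows are
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int   # 6 = TCP
    flags: int   # cumulative TCP flags
    pkts: int
    octets: int
    start: int   # epoch seconds
    end: int


SYN_ONLY = 0x02
# Constructed weights: concern points per indicator.
WEIGHTS = {"new_peer_service": 40, "new_port": 15, "unanswered_syn": 2, "long_lived": 50}
SCAN_MIN_UNANSWERED = 20    # below this, unanswered attempts are noise, not a scan
LONG_LIVED_SECONDS = 3600
LONG_LIVED_OCTETS = 1_000_000


def build_profiles(baseline_flows):
    """Per-source baseline: the (peer, port) services and the ports it has used."""
    profiles = defaultdict(lambda: {"services": set(), "ports": set()})
    for f in baseline_flows:
        profiles[f.src]["services"].add((f.dst, f.dport))
        profiles[f.src]["ports"].add(f.dport)
    return profiles


def concern_index(baseline_flows, window_flows):
    """Return ({host: points}, {host: [reasons]}) for one observation window."""
    profiles = build_profiles(baseline_flows)
    seen = {(f.src, f.dst, f.sport, f.dport) for f in window_flows}
    points, reasons, unanswered = defaultdict(int), defaultdict(list), defaultdict(int)
    for f in window_flows:
        profile = profiles.get(f.src)
        # Novelty is judged only for hosts with a baseline; a brand-new host
        # would otherwise score on every flow it makes.
        if profile is not None:
            if (f.dst, f.dport) not in profile["services"]:
                points[f.src] += WEIGHTS["new_peer_service"]
                reasons[f.src].append(f"new peer/service {f.dst}:{f.dport}")
            if f.dport not in profile["ports"]:
                points[f.src] += WEIGHTS["new_port"]
                reasons[f.src].append(f"new destination port {f.dport}")
        # SYN only, and no flow back from the target: an unanswered attempt.
        if f.proto == 6 and f.flags == SYN_ONLY and (f.dst, f.src, f.dport, f.sport) not in seen:
            unanswered[f.src] += 1
        if f.end - f.start >= LONG_LIVED_SECONDS and f.octets >= LONG_LIVED_OCTETS:
            points[f.src] += WEIGHTS["long_lived"]
            reasons[f.src].append(f"long-lived {f.octets} B to {f.dst}:{f.dport} ({f.end - f.start}s)")
    for host, n in unanswered.items():
        if n >= SCAN_MIN_UNANSWERED:
            points[host] += n * WEIGHTS["unanswered_syn"]
            reasons[host].append(f"{n} unanswered connection attempts (scanning)")
    return dict(points), dict(reasons)


def ranked(points):
    """Hosts by descending concern: the list a responder works from the top."""
    return sorted(points.items(), key=lambda kv: kv[1], reverse=True)


T0 = 1_334_700_000  # constructed window start (April 2012)


def sample_baseline():
    """Constructed 'day after day' traffic: web, HTTPS and mail from two workstations."""
    flows = []
    for day in range(1, 6):
        t = T0 - day * 86_400
        flows += [Flow("10.1.2.3", "203.0.113.10", 50_000 + day, 80, 6, 0x1B, 40, 28_000, t, t + 3),
                  Flow("10.1.2.3", "203.0.113.20", 50_100 + day, 443, 6, 0x1B, 60, 70_000, t, t + 5),
                  Flow("10.1.2.3", "192.0.2.25", 50_200 + day, 25, 6, 0x1B, 12, 4_000, t, t + 1),
                  Flow("10.1.2.5", "203.0.113.20", 50_300 + day, 443, 6, 0x1B, 55, 66_000, t, t + 4)]
    return flows


def sample_window():
    """Constructed window: the usual traffic, a five-hour FTP upload to a host never
    seen before, and an internal SMB sweep (one probe answered, sixty not)."""
    flows = [Flow("10.1.2.3", "203.0.113.10", 51_234, 80, 6, 0x1B, 42, 30_000, T0, T0 + 3),
             Flow("10.1.2.5", "203.0.113.20", 51_300, 443, 6, 0x1B, 58, 69_000, T0, T0 + 4),
             Flow("10.1.2.3", "198.51.100.77", 51_240, 21, 6, 0x18, 9_800, 12_500_000, T0 + 300, T0 + 18_300),
             Flow("10.1.2.9", "10.1.3.200", 40_000, 445, 6, SYN_ONLY, 1, 60, T0 + 500, T0 + 500),
             Flow("10.1.3.200", "10.1.2.9", 445, 40_000, 6, 0x12, 1, 60, T0 + 500, T0 + 500)]
    for i in range(1, 61):
        flows.append(Flow("10.1.2.9", f"10.1.3.{i}", 40_000 + i, 445, 6, SYN_ONLY, 1, 60,
                          T0 + 600 + i, T0 + 600 + i))
    return flows


if __name__ == "__main__":
    pts, why = concern_index(sample_baseline(), sample_window())
    for host, score in ranked(pts):
        print(f"{host:<12} CI={score:>4}  " + "; ".join(why[host]))
```

Novelty is only judged for hosts that already have a baseline; a host with no history scores only on indicators that need none, such as the unanswered connection attempts. The answered probe (its SYN/ACK comes back as a reverse flow) is deliberately not counted, which is what keeps ordinary connection failures from looking like a scan.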

Page 32: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Target and specialized protocol tracking

StealthWatch pays particular attention to hosts “touched” by a host with high concern.

StealthWatch creates “Target Index” reporting for these hosts, including “Touched Hosts” and “Touched Hosts with high CI.”

StealthWatch has special handling for protocols commonly used for file sharing.

StealthWatch has special logic to watch for and alert on “worm behavior”.

All of these are completely automatic, out-of-the-box capabilities of the system.


Page 33: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Host Group tracking


Creating host groups by function, type or location allows the system to easily spot and track anomalous behavior for hosts with high degrees of inherent predictability. The system will, for example, automatically tell you when your Webservers have stopped behaving like Webservers.

Page 34: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Relational Flow Maps


The powerful Relational Flow Mapping feature allows you to track the relationships between your host groups as well as their relationships to external groups, whether they are business partners, Internet hosts, countries, or suspicious hosts from threat feeds. Once the relationship is established, StealthWatch automatically creates a statistical baseline and applies its anomaly detection logic to the relationship.
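Host group tracking and relational baselining together, as an added example that is not StealthWatch code: hosts are placed in groups by CIDR, each flow becomes a (source group, destination group, port) relationship, a daily-volume baseline is learned per relationship, and a new day is then checked both for relationships never seen in the baseline (a web server opening SSH to the Internet, i.e. web servers no longer behaving like web servers) and for volumes more than three standard deviations from their mean. The group ranges, the PCI Zone, the seven baseline days and the window values are all constructed:

```python
"""Host-group relational baselines over daily flow volumes.

Added example, not StealthWatch code. Hosts are classified into groups by CIDR,
every flow becomes a (source group, destination group, port) relationship, and
a per-relationship daily-byte baseline is learned from past days. A relationship
absent from the baseline, or one whose volume is more than Z_LIMIT standard
deviations from its mean, raises an alarm. Groups, baseline and window values
are constructed.
"""
import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Constructed host groups by function and zone (first match wins).
HOST_GROUPS = [
    ("Web Servers", ipaddress.ip_network("10.1.10.0/24")),
    ("PCI Zone", ipaddress.ip_network("10.1.20.0/24")),
    ("Workstations", ipaddress.ip_network("10.1.2.0/24")),
]
Z_LIMIT = 3.0               # alarm when |z| exceeds this
MIN_STDEV_FRACTION = 0.05   # assumption: floor stdev at 5% of mean so flat baselines stay quiet


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    octets: int
    day: int   # index of the day the flow was observed on


def group_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in HOST_GROUPS:
        if addr in net:
            return name
    return "Internet"   # anything outside the defined groups


def daily_totals(flows):
    """{(src_group, dst_group, dport): {day: bytes}}"""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[(group_of(f.src), group_of(f.dst), f.dport)][f.day] += f.octets
    return totals


def build_baseline(flows):
    """{relationship: (mean bytes/day, stdev)} over every baseline day.

    Days on which a relationship was silent count as zero bytes, so an
    intermittent relationship gets a wide spread rather than a false one.
    """
    totals = daily_totals(flows)
    days = sorted({f.day for f in flows})
    baseline = {}
    for rel, per_day in totals.items():
        series = [per_day.get(d, 0) for d in days]
        mean = statistics.mean(series)
        stdev = max(statistics.pstdev(series), MIN_STDEV_FRACTION * mean)
        baseline[rel] = (mean, stdev)
    return baseline


def detect(baseline, window_flows):
    """Return [(relationship, kind, detail)] alarms for one window day."""
    alarms = []
    for rel, per_day in daily_totals(window_flows).items():
        observed = sum(per_day.values())
        if rel not in baseline:
            alarms.append((rel, "new relationship", f"{observed} B, never seen in baseline"))
            continue
        mean, stdev = baseline[rel]
        z = (observed - mean) / stdev if stdev else 0.0
        if abs(z) > Z_LIMIT:
            alarms.append((rel, "volume anomaly", f"{observed:.0f} B vs mean {mean:.0f} B (z={z:.1f})"))
    return alarms


def _daily(src, dst, dport, values):
    """One constructed flow per day carrying that day's total for the relationship."""
    return [Flow(src, dst, dport, int(v), day) for day, v in enumerate(values)]


def sample_baseline():
    """Constructed seven days: Internet->web HTTPS, web->PCI MySQL, workstation HTTPS."""
    return (_daily("198.51.100.9", "10.1.10.5", 443, [5.0e9, 5.2e9, 4.9e9, 5.1e9, 5.0e9, 4.8e9, 5.3e9])
            + _daily("10.1.10.5", "10.1.20.7", 3306, [2.0e8, 2.1e8, 1.9e8, 2.0e8, 2.0e8, 2.1e8, 1.9e8])
            + _daily("10.1.2.3", "203.0.113.20", 443, [1.0e9, 1.1e9, 0.9e9, 1.0e9, 1.05e9, 0.95e9, 1.0e9]))


def sample_window():
    """Constructed day 7: normal web and PCI volume, a web server opening SSH to
    the Internet, and a workstation pushing three times its usual HTTPS."""
    return [Flow("198.51.100.9", "10.1.10.5", 443, int(5.1e9), 7),
            Flow("10.1.10.5", "10.1.20.7", 3306, int(2.1e8), 7),
            Flow("10.1.10.6", "198.51.100.200", 22, int(5.0e8), 7),
            Flow("10.1.2.3", "203.0.113.20", 443, int(3.0e9), 7)]


if __name__ == "__main__":
    for rel, kind, detail in detect(build_baseline(sample_baseline()), sample_window()):
        print(f"{rel[0]} -> {rel[1]}:{rel[2]}  {kind}: {detail}")
```

Keying relationships on the destination port as well as the two groups is what lets “Web Servers → Internet:22” stand out as new while “Internet → Web Servers:443” stays ordinary; a relational map that only tracked group pairs would merge the two.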

Page 35: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Relational Anomaly Detection example: PCI hosts

[Diagram: PCI hosts in a Secure Zone]

Page 36: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Custom views match your particular area of interest


Custom charts focusing on particular alerts related to APT events

Relational flow map to track behavior between areas of high interest

List of hosts currently creating high concern

List of internal hosts exhibiting active scanning behavior

All documents are active – current alerts shown over objects as callouts in real time

Page 37: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Drill down from anywhere to any level of detail


Every object is active and can be used as a starting point to drill in for investigation.

Page 38: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Enhanced Application Monitoring

Accelerates troubleshooting and forensic investigations

Quickly differentiate between applications

Easily determine which applications are causing performance or security problems

Displays URL information in flow records

Identifies hostname of the server and error messages within the flow


Page 39: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Other resources for detection of anomalous behavior

[Diagram: Botnet - 315,000 nodes, 3 billion connections]

4/18/2012

Page 40: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Threat feed correlation and host locking


Page 41: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Putting it all together: Detection Examples

Page 42: Combating Advanced Persistent Threats with Flow-based Security Monitoring


Knowing Will Help Decision Making

Is there internal spreading malware?

Page 43: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Knowing Will Help Decision Making

Bot Detection: Are there bot infected hosts within the network?

Page 44: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Knowing Will Help Decision Making

Suspect Data Loss: Is there any sensitive data being uploaded to the Internet?

Page 45: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Knowing Will Help Decision Making

Reconnaissance Detection: What hosts are trying to find resources to compromise?

Page 46: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Quick Recap

• NetFlow analysis gives us APT defense via
  – A PROVEN, time-honored end-to-end rich view of every conversation
  – Topology independence
  – Deep statistical analysis and alerting
  – Very high performance and scale

• Flow telemetry is available from all over the network…
  – Routers
  – Switches
  – Load Balancers
  – Firewalls
  – FlowSensors
  – Even the virtual network!

• Once you’ve enabled flow collection you can...
  – Gain deep traffic analysis and network visibility
  – Detect attacks and network anomalies faster
  – Investigate incidents and build up operational context


Page 47: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Next Steps


Contact Lancope: Jeffrey M. Wells [email protected] Lancope [email protected] Lancope Marketing [email protected]

Visit Lancope for a live demonstration of the StealthWatch System @

InfoSecurity Europe booth F61

Cisco Live US booth 944

Page 49: Combating Advanced Persistent Threats with Flow-based Security Monitoring

Q&A