1 © Copyright 2011 EMC Corporation. All rights reserved.
Security Analytics Architecture for APT
Dale Long, Sr. Technology Consultant, RSA Security
Agenda
• APT: Defined
• Methodology
• APTs are Nasty Because
• Evolution
• Response
• The Challenge of Cleanup
• Needed Capabilities
• Lessons Learned
• Introduction to Security Analytics
You Down With APT?
Advanced Persistent Threats
• Operators behind the threat have:
– A full spectrum of intelligence-gathering techniques at their disposal.
– These may include computer intrusion technologies and techniques, but also extend to conventional intelligence-gathering techniques such as telephone interception and satellite imaging.
– They often combine multiple targeting methods, tools and techniques in order to reach and compromise their target and maintain access to it.
– They can use malware components generated from commonly available do-it-yourself malware construction kits, or easily procured exploit materials.
– They can typically access and develop more advanced tools as required.
Advanced Persistent Threats
• Operators give priority to a specific task, rather than opportunistically seeking information for financial or other gain.
– This implies that attackers are guided by external entities.
• Targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates.
– In fact, a “low-and-slow” approach is usually more successful. If the operators lose access to their target they will usually reattempt access, and most often succeed.
Advanced Persistent Threats
• APTs are a threat because they have both capability and intent.
• The attack involves a level of coordinated human involvement, rather than a mindless, automated piece of code.
• The operators have a specific objective and are skilled, motivated, organized and well funded.
APTs: Key Features
1. Highly targeted
• Tailored to an individual organization
2. Well researched
• Reconnaissance on people and processes
3. Well funded
• Financial backing for intensive, long-term attacks
4. Designed to evade detection
• “Low and slow”
5. Multiple vectors
• Social engineering, application-layer exploits, zero-day malware, data exfiltration techniques, etc.
APT: Methodology
Step One: C2 Communication
The malware contacts C2 servers for instructions, such as downloading and executing new malware or opening a reverse backdoor, which allows the attacker full access to the compromised system while bypassing firewall restrictions.
Step Two: Attack
The attacker (through the reverse backdoor) compromises multiple sources of interest, such as database servers, email servers, and file share servers.
Step Three: Data Staging
The attacker sends data to a staging server. Once the data is staged, the attacker compresses it (using the rar.exe utility) and password-protects it.
Step Four: Data Exfiltration
The attacker uses malware to send the data through an encrypted tunnel to a malicious external IP address.
• The use of “staging servers” to aggregate the data they intend to steal.
• Encryption and compression of the data they steal.
• Deleting the compressed files they exfiltrated from the “staging server”.
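As an added example (not from the original deck), the staging and exfiltration steps above turned into a detection rule: a password-protected rar.exe archive creation on a host is correlated with a large transfer from the same host to an external address within a few hours, and the alert records whether the archive was deleted afterwards. The event records, the internal address ranges and the size and time thresholds are constructed assumptions.

```python
"""Correlate password-protected rar staging with a later bulk outbound transfer."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
# Internal address space for this constructed environment; anything else is "external".
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events (not from the original deck): normalized process and flow records.
EVENTS = [
    {"ts": "2011-06-01T02:10:00", "host": "fs01", "type": "proc",
     "image": r"C:\Temp\rar.exe", "cmdline": r"rar.exe a -hpS3cret out.rar D:\share\*"},
    {"ts": "2011-06-01T02:42:00", "host": "fs01", "type": "flow",
     "dst": "203.0.113.45", "dport": 443, "bytes_out": 850_000_000},
    {"ts": "2011-06-01T03:05:00", "host": "fs01", "type": "proc",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c del out.rar"},
    {"ts": "2011-06-01T09:30:00", "host": "ws07", "type": "proc",
     "image": r"C:\Program Files\WinRAR\rar.exe", "cmdline": "rar.exe a backup.rar docs"},
]

def staging_archive(cmdline):
    """Archive name if the command adds files to a password-protected rar archive, else None."""
    toks = cmdline.split()
    if len(toks) < 3 or toks[1].lower() != "a":
        return None
    if not any(t.startswith(("-p", "-hp")) for t in toks[2:]):  # -p / -hp set a password
        return None
    targets = [t for t in toks[2:] if not t.startswith("-")]
    return targets[0] if targets else None

def is_external(addr):
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL)

def find_staging_exfil(events, window_hours=6, min_bytes=100_000_000):
    """Alert when a host stages a password-protected archive and then pushes a large volume externally."""
    evs = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, e in enumerate(evs):
        if e["type"] != "proc" or not e["image"].lower().endswith("rar.exe"):
            continue
        archive = staging_archive(e["cmdline"])
        if archive is None:
            continue
        deadline = datetime.fromisoformat(e["ts"]) + timedelta(hours=window_hours)
        later = [f for f in evs[i + 1:]
                 if f["host"] == e["host"] and datetime.fromisoformat(f["ts"]) <= deadline]
        for f in later:
            if f["type"] == "flow" and f["bytes_out"] >= min_bytes and is_external(f["dst"]):
                cleaned = any(g["type"] == "proc" and "del" in g["cmdline"].lower()
                              and archive in g["cmdline"] for g in later)
                alerts.append({"host": e["host"], "archive": archive,
                               "dst": f["dst"], "archive_deleted": cleaned})
    return alerts
```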
APTs are Nasty Because
• Little opportunity for correlation
– Focused, so no community-sourced warning based on correlation across victims
– Zero-day heavy, so behavioral pattern or footprint signature correlation is ineffective
– Complex and resilient CnC -> hard to correlate on attack source
– CnC operators change as botnets are transferred by section or by victim
– Low and slow, so no temporal correlation. Signal-to-noise ratio is low. Touch-to-compromise ratio 1.4.
• APT malware avoids anomaly detection through:
– Outbound HTTP connections
– Process injection
– Service persistence
• APT malware analysis:
– Average file size: 121.85 KB
– Only 10% of APT backdoors were packed
– Packing is not as common in standard APT malware
– Packing is common in advanced APT malware and used by more advanced APT groups
• Most common APT filenames:
– svchost.exe (most common)
– iexplore.exe
– iprinp.dll
– winzf32.dll
The APT Supply Chain: Choose Your Career Path
[Diagram: Technical infrastructure specialists & organizations (Tools, Hosting, Delivery); Operational infrastructure specialists & organizations (Mules, Drops, Monetizing); Harvesting of target data & user accounts; Cash out; Communication via fraud forum / chat room.]
The “Community” of Attackers
[Diagram: attacker groups arranged by sophistication, from unsophisticated to organized, with their typical targets]
• Criminals: from petty criminals to organized crime with organized, sophisticated supply chains; targets: PII, financial services, retail
• Non-state actors: terrorists, anti-establishment vigilantes, “hacktivists”; targets of opportunity: PII, government, critical infrastructure
• Nation states: PII, government, defense industrial base, IP-rich organizations
Advanced Threats 1.0 vs. 2.0
[Diagram: Advanced Threats 1.0: C2 traffic to domains and IPs (abc.com, def.com, 1.2.3.4) using clear-text & custom protocol, clear-text & normal protocol, or custom encryption; detected by content inspection, protocol anomalies, network traffic anomalies and known bad endpoints. Advanced Threats 2.0: C2 traffic on port 80/443 using SSL or other standards-based encryption, to endpoints such as abc.com, def.com, 1.2.3.4, 3.7.9.1, 8.2.3.3; custom malware with no signature.]
1% of attacks discovered by Anti-Virus, <1% by IDS. (Verizon 2011 DBIR)
APT: Evolution
Intrusion Phase   | Non-APT (DoS)               | Obsolete                | Current
Reconnaissance    | None                        | Scanning, opportunistic | OSINT, targeted
Weaponization     | Blast, Stress               | Layer 4 payload         | Layer 7 payload
Delivery          | Opportunistic: non-targeted | Vulnerable protocol     | Standard Comm. Prot.
Exploit           | Client-side, Server-side    | Server-side (svc)       | Client-side (app)
Installation      | Rapid sibling infection     | Plain sight             | ADS, anti-reversing
Command & Ctrl    | None                        | Custom protocol         | Protocol compliant
Actions on Intent | Propagate, Disrupt, Deface  | Propagate or PII        | Exfiltrate
APT: Response
Intrusion Phase | Detect        | Deny          | Disrupt    | Degrade            | Deceive      | Destroy
Reconnaissance  | Web Analytics | Firewall ACL  |            |                    |              |
Weaponization   | NIDS          | NIPS          |            |                    |              |
Delivery        | Vigilant User | Proxy Filter  | In-Line AV | Queuing            |              |
Exploit         | HIDS          | Patch         | DEP        |                    |              |
Installation    | HIDS          | “chroot” Jail | AV         |                    |              |
Command & Ctrl  | NIDS          | Firewall ACL  | NIPS       | Tarpit             | DNS Redirect |
Actions         | Audit Log     |               |            | Quality of Service | Honeypot     |
Advanced Cyber Defense Approach
[Diagram: the cyber cycle / “breach life cycle” mapped onto the Cyber Kill Chain: threat vector “malware” (undetected) -> establish network foothold -> data exfiltration -> late detection. The interval from compromise to detection is labelled Breach Exposure Time (“BET”). Target: threat visibility & mitigation goal across the attack kill chain life cycle.]
APT: The Challenge of Cleanup
• Did you get it all? – Cleaning
• Do you adequately understand how it happened? – Forensic
• Will the exploits work again? – Remediation
• Is Damage understood and contained? – Risk Model and Reduction
APT: Needed Capabilities
• Network Visibility
• Critical Info Ident and Tracking
• IPS Active Blocking
• Continuous Monitoring
• Cyber Threat Awareness
• Attack Ident and Triage
• Collaboration
• Incident Response
• Network Traffic Analysis
• Host-Based Forensics
• Malware Forensics
• Sig and IOC Development
• Cyber Threat and Intelligence
• Security Infrastructure
APT: Lessons Learned
1. There are no trivial systems
2. Collect the right info
3. Have a plan
4. User awareness
5. Be able to look back (forensics)
6. Know thyself (crown jewels)
7. Have the right people
8. It takes a village (or an ecosystem)
9. A holistic view is key
10. Get smart(er) with the data you collect
Introducing Security Analytics
Today’s Security Requirements
Comprehensive Visibility: “Analyze everything happening in my infrastructure”
Agile Analytics: “Enable me to analyze and investigate potential threats in near real time”
Actionable Intelligence: “Help me identify targets, threats & incidents”
Scalable Infrastructure: “Need a flexible infrastructure to conduct short term and long term analysis”
RSA Security Management Compliance Vision Delivering Visibility, Intelligence and Governance
RSA Security Analytics: Changing the Security Management Status Quo
Unified platform for security monitoring, incident investigations and compliance reporting
[Diagram: SIEM (compliance reports, device XMLs, log parsing) and Network Security Monitoring converge in RSA Security Analytics: high-powered analytics, big data infrastructure, integrated intelligence; fast & powerful analytics over logs & packets; unified interface; analytics warehouse.]
SEE DATA YOU DIDN’T SEE BEFORE, UNDERSTAND DATA YOU DIDN’T EVEN CONSIDER BEFORE
RSA Security Analytics Architecture
[Diagram: real-time investigations (hours to days) over metadata and packets; correlation; long-term analysis over metadata, raw logs and select payload.]
What Makes Security Analytics Different?
• Big Data Infrastructure
– Fast & scalable
– Logs & packets
– Security data warehouse plus proven NetWitness infrastructure
• High Powered Analytics
– The speed and smarts to detect, investigate & understand advanced threats
– Comprehensive visibility to see everything happening in an environment
– Short term & long term analytics plus compliance
– Removes the hay vs. digging for needles
• Integrated Intelligence
– Intelligence from the global security community and RSA FirstWatch fused with your organization’s data
– Understand what to look for and utilize what others have already found
The only security management solution that has both speed & smarts
Big Data Infrastructure
• Single platform for capturing and analyzing large amounts of network and log data
• Distributed, “scale-out” architecture
• Unique architecture to support both “speed” and “smarts” for threat analysis
• Security data warehouse for long term analytics & compliance
• Proven NetWitness infrastructure for short term analytics and investigations
High Powered Analytics
• Eliminates blind spots to achieve comprehensive visibility across the enterprise
• Real-time and “after-the-fact” investigations
• Uses the industry’s most comprehensive and easily understandable analytical workbench
• Proven, patented analytics apply business context to security investigations
• Automates the generation of compliance reports and supports long term forensic analysis
Full Network Visibility
[Diagram: network traffic and logs feeding the platform]
• Gain full visibility into your network, including both logs and packets
• Discover advanced threats missed by traditional security approaches
• Completely reconstruct network sessions for real time analysis and investigation
• Capture all data from the network to the application layer
• Perform detailed session analysis, regardless of port or protocol
Single Platform for Network Packet and Log Data Collection
[Diagram: network traffic and logs collected into one platform]
• Both network packet capture and log collection
• Patented methods of network capture, processing, data extraction and service/protocol identification
• Consolidates disparate sources
• Instantly analyzes massive data sets
Reimagining what SIEM can do: Removing hay vs. digging for needles
[Diagram: a filtering funnel]
• All network traffic & logs: terabytes of data (100% of total)
• Downloads of executables: thousands of data points (5% of total)
• Type does not match extension: hundreds of data points (0.2% of total)
• Create alerts to/from critical assets: a few dozen alerts
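The funnel above as an added example (not the product's own logic): each stage filters the previous stage's survivors, first classifying downloads by their magic bytes, then keeping those whose real content type contradicts the file extension, then those that touch a critical asset. The sample sessions, the signature table and the critical-asset list are constructed assumptions.

```python
"""Staged filtering of download sessions: executables -> extension mismatch -> critical assets."""

# Magic-byte signatures that reveal the real content type, independent of the filename.
MAGIC = {b"MZ": "exe", b"\x7fELF": "elf", b"%PDF": "pdf",
         b"\xff\xd8\xff": "jpg", b"GIF8": "gif", b"PK\x03\x04": "zip"}
# Content type each extension claims to carry.
EXT_TYPE = {"exe": "exe", "dll": "exe", "scr": "exe", "pdf": "pdf",
            "jpg": "jpg", "jpeg": "jpg", "gif": "gif", "zip": "zip", "docx": "zip"}


def content_type(payload):
    """Classify a download by its leading bytes, not by what the filename claims."""
    for magic, kind in MAGIC.items():
        if payload.startswith(magic):
            return kind
    return "unknown"


def type_mismatch(filename, payload):
    """True when the bytes on the wire do not match the file extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return content_type(payload) != EXT_TYPE.get(ext, "unknown")


def funnel(sessions, critical_assets):
    """Apply the three filtering stages; each stage works only on the previous stage's survivors."""
    executables = [s for s in sessions if content_type(s["payload"]) in ("exe", "elf")]
    mismatched = [s for s in executables if type_mismatch(s["filename"], s["payload"])]
    alerts = [s for s in mismatched
              if s["src"] in critical_assets or s["dst"] in critical_assets]
    return {"executables": executables, "mismatched": mismatched, "alerts": alerts}


# Constructed sample sessions (not from the original deck): the first bytes of each download.
SESSIONS = [
    {"src": "10.1.5.20", "dst": "198.51.100.7", "filename": "photo.jpg", "payload": b"\xff\xd8\xff\xe0"},
    {"src": "10.1.5.21", "dst": "198.51.100.9", "filename": "setup.exe", "payload": b"MZ\x90\x00"},
    {"src": "10.1.9.2", "dst": "198.51.100.9", "filename": "banner.gif", "payload": b"MZ\x90\x00"},
    {"src": "10.1.5.22", "dst": "198.51.100.3", "filename": "report.pdf", "payload": b"MZ\x90\x00"},
    {"src": "10.1.5.23", "dst": "198.51.100.4", "filename": "update.zip", "payload": b"\x7fELF\x02"},
]
CRITICAL_ASSETS = {"10.1.9.2"}  # constructed: a server holding "crown jewel" data
```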
Integrated Intelligence: How Do I Know What To Look For?
• Gathers advanced threat intelligence and content from the global security community & RSA FirstWatch®
• Aggregates & consolidates the most pertinent information and fuses it with your organization's data
• Automatically distributes correlation rules, blacklists, parsers, views, feeds
Operationalize Intelligence: take advantage of what others have already found and apply it against your current and historical data
Security Analytics Live Content
• Fuses open source, commercial, and confidential threat and fraud intelligence with an organization’s live and recorded network traffic
RSA FirstWatch®
• RSA’s elite, highly trained global threat research & intelligence team
– Heritage dating back to the late 1990s featuring a ‘who’s who’ of researchers
– Backgrounds in government, military, financial services and information technology
• Focused on threats unknown to the security community
– Malicious code & content analysis
– Threat research & ecosystem analysis
– Profiling threat actors
• Research operationalized automatically via RSA Live
Providing RSA Security Analytics customers covert tactical and strategic threat intelligence on advanced threats & actors
RSA Security Analytics Results
• Reduce risk by compressing attacker free time
– Continuous analysis of terabytes of security data through big data architecture, reducing the threat analysis time from days to minutes
• Level the playing field with adversaries
– Incorporate operationalized intelligence to defend with confidence
• Elevate the security team to another level of effectiveness
– Increase teams’ collective skill by gaining analytical firepower
– Investigate more rapidly, centralize information, automate alerts and reports
• Meet compliance requirements