Presentation from the partner seminar "Secure Environment" held on 24 July 2013.
1 © 2013 Solera Networks, A Blue Coat Company © 2013 Solera Networks. All information contained herein should be considered confidential, proprietary, and trade secret
information of Solera Networks. Any use of this work without express written consent is strictly prohibited.
The Shift Towards a More Modern Security Strategy From Prevention to Rapid Detection and Response
James Stevenson, EMEA Security Director Advanced Threat Protection Group
Background
➜ 5 yrs Security Analysis / Team Lead at Symantec
➜ 2 yrs managing a global telco's IDS/IPS/SIEM infrastructure
➜ 4 yrs architecting and leveraging SIA solutions for:
  ➜ Proactive 0-day malware identification
  ➜ Sensitive data exfiltration
  ➜ Rapid detection and root cause analysis
The Current Threat Landscape .. in a nutshell
Figure: three adversary classes, their motivation and their typical activity
- Hacktivists: politically motivated; DDoS, public data leakage, defacement
- Cybercriminals: financially motivated; ransom & fraud
- State-sponsored attackers: nationalistically motivated; ATA/APT-grade operations against government, enterprise & infrastructure targets
Common to all three: malware and data theft, i.e. bad stuff in, good stuff out.
The Problem
Over-reliance on a prevention-based strategy in a post-prevention world
69% of attacks are discovered by external parties
Multi-stage / multi-vector attacks are increasing the time to detection and remediation
A motivated, persistent, entrenched human adversary
Attackers leverage paths of trust and repack / obfuscate existing malware, which makes it effectively 0-day again and evades signature detection
Firefighting blindly instead of root cause analysis (a lack of context and network visibility)
The Challenge of Keeping Pace in a prevention world ..
Security vendors cannot keep up with the latest malware: 100,000 new malware variants are released every day
The attacker will always have the initiative, choosing where, when and how
There is an inevitable delay between the first attack and the vendor update; it increases time to detection and creates a large window of opportunity that is actively being exploited every day ...
The Window of Opportunity
Chart: time from initial compromise to discovery (VzB, 2013)
Seconds 0% | Minutes 0% | Hours 9% | Days 11% | Weeks 12% | Months 62% | Years 4%
Weeks or more: 78%. 66% took months or more to discover (typically waiting for vendor updates) (VzB, 2013)
Time to Detection is increasing
Chart: breaches undiscovered for months or more, by year
2008: 55% | 2009: 44% | 2010: 41% | 2011: 55% | 2012: 66%
While custom malware in successful breaches is decreasing
Chart: custom malware in successful breaches, 2012: 30%
➜ Why invest time/money customising when "canned" attacks or simple repacks will do ..
➜ APT = Advanced? More like "Adequate", or just enough.
Simple Obfuscation / Repack Example
➜ "Hello World" exploit released into the wild
➜ Vendors build a signature to detect document.write('Hello World');
➜ Attacker packs/obfuscates to create a "variant" with minimal effort and without the need for a complete re-write. Back to 0-day!
➜ Repeat
Unpacked (this is what the packed form below decodes to; the slide's unpacked listing omits the <b> tags):
<script type="text/javascript"> document.write('<b>Hello World</b>'); </script>
Packed (packer-style eval wrapper; the slide labels it "Base 62 Encoded", although with only nine tokens the digits 0-8 suffice):
eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('<0 2="3/4">5.6(\'<1>7 8</1>\');</0>',9,9,'script|b|type|text|javascript|document|write|Hello|World'.split('|'),0,{}))
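The repack step is mechanical, so the defensive counter can be mechanical too. The JavaScript below is an added example, not code from the deck or from Solera: an eval-free static unpacker for the packer-style wrapper shown, plus a hypothetical literal signature written against the first sample. It shows the signature missing the repacked "variant" and hitting again once the sample is normalised before matching. The signature string, the field regex and the nesting limit are assumptions.

```javascript
// Added example (not from the original deck or from Solera): static unpacking of
// a packer-style "eval(function(p,a,c,k,e,r){...})(...)" wrapper without eval(),
// then the same literal signature applied before and after normalisation.
"use strict";

// Hypothetical vendor signature: the literal bytes seen in the first sample.
const SIGNATURE = "document.write('<b>Hello World</b>')";

// The packed string exactly as it appears on the slide (String.raw keeps the
// backslashes literal).
const PACKED_SAMPLE = String.raw`eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('<0 2="3/4">5.6(\'<1>7 8</1>\');</0>',9,9,'script|b|type|text|javascript|document|write|Hello|World'.split('|'),0,{}))`;

// What that wrapper evaluates to (note the <b> tags the packed form carries).
const UNPACKED_SAMPLE =
  `<script type="text/javascript">document.write('<b>Hello World</b>');</script>`;

// Extracts the wrapper's trailing argument list:
//   ('payload', radix, count, 'w0|w1|...'.split('|'), ...)
const PACKED_ARGS_RE =
  /\}\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)/;

// Reproduces the packer's token encoding: index -> base-`radix` string
// (digits and lower-case letters up to base 36, upper-case letters above that).
function encodeIndex(c, radix) {
  const lead = c >= radix ? encodeIndex(Math.floor(c / radix), radix) : "";
  const rest = c % radix;
  return lead + (rest > 35 ? String.fromCharCode(rest + 29) : rest.toString(36));
}

// Reverses one packer layer by word substitution only; nothing is executed.
// Returns null when the input does not look like a packer wrapper.
function unpack(packed) {
  const m = PACKED_ARGS_RE.exec(packed);
  if (!m) return null;
  let p = m[1].replace(/\\(.)/g, "$1");          // undo \' escaping in the literal
  const radix = parseInt(m[2], 10);
  const count = parseInt(m[3], 10);
  const words = m[4].split("|");
  for (let c = count - 1; c >= 0; c--) {          // same order the packer uses
    if (words[c]) {
      p = p.replace(new RegExp("\\b" + encodeIndex(c, radix) + "\\b", "g"), words[c]);
    }
  }
  return p;
}

// The naive detector: does the literal signature occur in the bytes we have?
function matchesSignature(text) {
  return text.includes(SIGNATURE);
}

// Normalise-then-match: peel packer layers (bounded, in case of nesting) and
// apply the same signature at each layer. Reports the layer at which it hit.
function detect(sample, maxLayers = 5) {
  let text = sample;
  let layers = 0;
  while (!matchesSignature(text) && layers < maxLayers) {
    const inner = unpack(text);
    if (inner === null) break;
    text = inner;
    layers += 1;
  }
  return { hit: matchesSignature(text), layers };
}

console.log("signature on packed bytes   :", matchesSignature(PACKED_SAMPLE));
console.log("signature on unpacked bytes :", matchesSignature(UNPACKED_SAMPLE));
console.log("normalise, then signature   :", detect(PACKED_SAMPLE));
```

Run it with node. The lesson is not about this particular packer: any detector that matches on the outer bytes is beaten by a re-encode, whereas one that normalises (unpack, decode, beautify) before matching forces the attacker to change the payload itself rather than its wrapper, which is exactly the "minimal effort" the slide says they want to avoid spending.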
Breaches are now an inevitable reality
Deal With It.
Prevention Strategy alone is not working
Most Dreaded Questions from the CISO
Who did this to us?
How did they do it?
What systems and data were affected?
Can we be sure it's over?
Can we be sure it won't happen again?
The usual answer: "We still don't know" = poor post-breach posture, i.e. a complete lack of network visibility and forensic context
Case Study: The Bunker Days
3am: "Nmap scan and buffer overflow detected.."
"That's great James, but what happened before / after? ...."
This was 10 years ago.. and it is still true today
Shift Towards a More Modern Security Strategy
Shifting the emphasis from prevention to detection and a strong post-breach security posture:
• When prevention fails, only fast detection and response remain
• Detection requires full network visibility
• Visibility + intelligence = actionable intelligence
• From a blocking mindset to a damage-limitation mindset
• Best-of-breed integration achieves a comprehensive security strategy and ecosystem that adds value to existing investments, e.g. SIA + SIEM
• From perpetual firefighting to root cause analysis and context
• Combine reactive and proactive breach discovery methodologies
The Objective: Decrease Time to Detection and Response
Figure: "Attacker Free Time", attacker and defender activity plotted against time
Attacker timeline labels: Attack set-up, Target analysis, Attack begins, Access probe, System intrusion, Leap frog attacks complete, Discovery / persistence, Attacker surveillance, Maintain foothold, Cover-up starts, Cover-up complete
Defender timeline labels: Attack identified, Identification, Incident reporting, Impact analysis, Response, Containment & eradication, Recovery, System reaction damage
Source: NERC HILF Report, pg 43, June 2010 (http://www.nerc.com/files/HILF.pdf)
Need to collapse the attacker's free time: 66% of breaches take months or more to be discovered
This requires complete network visibility. Do not wait for vendors.
For complete visibility, rapid detection and response we must first ..
Collect All the Data
Solera is the Security Camera for your Network
Records, classifies and indexes all packets and flows from L2 – L7
On the wire, file-level visibility of data exfiltration & malware infiltration
Actionable intelligence, forensics and situational awareness
Unmatched multi-dimensional flow enrichment & big data warehousing
Flexible, open and easy-to-use platform
Providing real-time analysis and full visibility of everything going in and out of your network
Gartner Agrees …
➜ Record Everything, you don’t know when you will need it
➜ The highest value use case is proactive situational awareness
➜ The most common use case is reactive post-incident analysis and on-demand investigations
"By 2020, 75% of an enterprise's security budget will be allocated for rapid detection and response approaches, up from less than 10% in 2012"
Breach Discovery Methods: Proactive Security vs Reactive Security
A Proactive Security Analyst works on the assumption that they are already compromised and knows malicious activity goes under the radar on a daily basis. They proactively analyse the network with NAV tools to detect "unknown" threats and go back in time to determine the true root cause and mitigate the attack vector.
A Reactive Security Analyst reads the news of a newly discovered Trojan and hopes that the AV community releases a signature to identify the threat. They wait for an alert to trigger and firefight. Repeat daily.
16% Effectiveness (Quick Win) / 28% Effectiveness (resource intensive but vital)
Both Approaches Vital to defense in depth
Proactive and Reactive security needs SIA to be timely and effective
Improves breach discovery effectiveness and significantly reduces the attacker's window of opportunity
No silver bullet or easy button (despite marketing gloss)
Combining IOCs to Focus the Funnel in Proactive Security
Start: ~47,000 sessions
Narrow by, in turn: domain registered < 30 days; Nginx server; EXE, PDF, JAR, SWF downloads; countries of interest; small, packed, obfuscated files; IP/domain intel; C2 beaconing
Result: 4 artifacts of interest
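The funnel is a sequence of cheap filters applied in order, so each stage only has to look at what survived the one before it. The JavaScript below is an added example, not from the deck or from Solera's product: it runs the same seven stages over a handful of constructed session records and reports how many survive each one. The field names (domainAgeDays, serverHeader, fileExt, dstCountry, bytes, highEntropy, intelHit, connectionTimes), the thresholds, the placeholder country set and the beaconing test (low coefficient of variation across inter-connection intervals) are all assumptions standing in for what flow enrichment, WHOIS, geo-IP, file classification and threat-intel lookups would provide.

```javascript
// Added example (not from the original deck or from Solera): the "focus the
// funnel" sequence from the slide applied to constructed session metadata.
"use strict";

// Placeholder values: populate from your own threat model and environment.
const COUNTRIES_OF_INTEREST = new Set(["XA", "XB"]); // ISO user-assigned codes
const SMALL_FILE_BYTES = 200 * 1024;
const PAYLOAD_EXTS = new Set(["exe", "pdf", "jar", "swf"]);

// Flags periodic call-backs: inter-connection intervals whose coefficient of
// variation (stddev / mean) is small. Raise maxCv for jittered beacons; keep a
// minimum sample count so two chance connections are not called a beacon.
function isBeaconing(times, maxCv = 0.15, minCount = 4) {
  if (times.length < minCount) return false;
  const gaps = times.slice(1).map((t, i) => t - times[i]);
  const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
  if (mean <= 0) return false;
  const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
  return Math.sqrt(variance) / mean <= maxCv;
}

// Stages in the order the slide lists them: cheap metadata first, content
// properties next, intel and behaviour last.
const STAGES = [
  ["domain registered < 30 days",     s => s.domainAgeDays < 30],
  ["served by nginx",                 s => /^nginx/i.test(s.serverHeader)],
  ["EXE/PDF/JAR/SWF download",        s => PAYLOAD_EXTS.has(s.fileExt)],
  ["destination country of interest", s => COUNTRIES_OF_INTEREST.has(s.dstCountry)],
  ["small, packed/obfuscated file",   s => s.bytes < SMALL_FILE_BYTES && s.highEntropy],
  ["IP/domain intel hit",             s => s.intelHit],
  ["C2 beaconing",                    s => isBeaconing(s.connectionTimes)],
];

// Applies each stage to the survivors of the previous one and records the
// count after every stage so the analyst can see where the funnel narrows.
function runFunnel(sessions, stages) {
  const counts = [];
  let remaining = sessions;
  for (const [name, keep] of stages) {
    remaining = remaining.filter(keep);
    counts.push({ stage: name, remaining: remaining.length });
  }
  return { counts, survivors: remaining };
}

// Constructed sample sessions (nine, standing in for the slide's ~47,000).
// connectionTimes are seconds since the host/domain pair was first seen;
// highEntropy stands in for an upstream packed/obfuscated classification.
function session(id, domain, domainAgeDays, serverHeader, fileExt, dstCountry,
                 bytes, highEntropy, intelHit, connectionTimes) {
  return { id, domain, domainAgeDays, serverHeader, fileExt, dstCountry,
           bytes, highEntropy, intelHit, connectionTimes };
}
const SESSIONS = [
  session(1, "old-cdn.example",  400, "Apache/2.4",  "pdf",  "XA", 90000,   false, false, [0]),
  session(2, "fresh-01.example", 5,   "nginx/1.2.1", "exe",  "XA", 92000,   true,  true,  [0, 300, 601, 899, 1200]),
  session(3, "fresh-02.example", 10,  "nginx/1.2.1", "exe",  "XA", 95000,   true,  false, [0, 600, 1200, 1800, 2400]),
  session(4, "fresh-03.example", 2,   "nginx/1.2.1", "html", "XB", 12000,   false, false, [0]),
  session(5, "fresh-04.example", 20,  "Apache/2.4",  "exe",  "XA", 80000,   true,  true,  [0, 300, 600, 900, 1200]),
  session(6, "fresh-05.example", 7,   "nginx/1.2.1", "jar",  "XB", 60000,   true,  true,  [0, 50, 900, 905, 3000]),
  session(7, "fresh-06.example", 1,   "nginx/1.2.1", "swf",  "XA", 5000000, true,  true,  [0, 120, 240, 360, 480]),
  session(8, "fresh-07.example", 12,  "nginx/1.2.1", "exe",  "XB", 120000,  true,  true,  [0, 60, 121, 180, 240, 301]),
  session(9, "fresh-08.example", 15,  "nginx/1.2.1", "pdf",  "US", 150000,  true,  true,  [0, 300, 600, 900]),
];

const { counts, survivors } = runFunnel(SESSIONS, STAGES);
console.log(`start: ${SESSIONS.length} sessions`);
for (const c of counts) console.log(`${String(c.remaining).padStart(4)} after "${c.stage}"`);
console.log("artifacts of interest:", survivors.map(s => `${s.domain} (${s.fileExt})`));
```

Each stage is a pure predicate over one session record, so stages can be reordered, removed or tightened without touching the rest, and the per-stage counts tell you which indicator is doing the work. The beaconing stage is last on purpose: it is the only one that needs several sessions for the same host/domain pair, so it is the most expensive to compute over the raw ~47,000.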
Putting the Concept into Practice…Separating the Hay!
Separating the Hay…
Evidence of Malware
Confirming Patient Zero!
Proactive Use Case - Begman Trojan
Focus on breach indicators to close the window of opportunity. DO NOT wait for vendor updates!
ASK YOURSELF ..
"Why IS there a small, packed, obfuscated EXE file successfully downloaded from a brand new domain that's only been active for x days?" ....
Begman Trojan – Proactive Use Case
➜ Feb 23rd 2011, 00:30:12: game.exe submitted for multi-engine scanning; result 4/43 (9.3%). The host had downloaded it 2 days earlier. Our AV vendor did not detect it.
➜ Feb 23rd 2011, 14:43:23: second submission; result 8/43 (18.6%)
➜ Mar 9th: MS publishes the W32.begman.A Trojan report; MS did not detect my variant
➜ Mar 20th: result 25/41 (61%)
➜ Oct 19th: result 35/43 (81.4%). Our AV vendor detected it at this point.
Figure: the "Attacker Free Time" timeline again (Source: NERC HILF Report, pg 43, June 2010, http://www.nerc.com/files/HILF.pdf), same attacker and defender phase labels as on slide 14
Need to collapse free time. Don't wait for signatures; be proactive and reduce their window of opportunity.
Closed the attacker's window of opportunity by 8 months!!
Final Thoughts ...
Frodo: I wish the Ring [Breach] had never come to me. I wish none of this had happened.
Gandalf: So do all who live to see such times; but that is not for them to decide. All we have to decide is what to do with the time that is given to us..
Final Thoughts ...
➜ It only takes a single click to compromise your network
➜ CISO: "Was the breach due to trust exploitation or an unfortunate employee being redirected from a legitimate site to a drive-by exploit server?"
➜ Get complete network visibility, get forensic context and go find out...
Thank You