
Solera Networks

Description: Presentation from the partner seminar "Secure Environment" ("Безопасная среда") held on 24 July 2013.

Page 1: Solera Networks

© 2013 Solera Networks, A Blue Coat Company. All information contained herein should be considered confidential, proprietary, and trade secret information of Solera Networks. Any use of this work without express written consent is strictly prohibited.

The Shift Towards a More Modern Security Strategy From Prevention to Rapid Detection and Response

James Stevenson, EMEA Security Director Advanced Threat Protection Group

Page 2: Solera Networks

Background

➜ 5 yrs Security Analysis / Team Lead at Symantec
➜ 2 yrs managing a global Telco's IDS/IPS/SIEM infrastructure
➜ 4 yrs architecting and leveraging SIA solutions for:
  ➜ Pro-active 0day malware identification
  ➜ Sensitive data exfiltration
  ➜ Rapid detection and root cause analysis

Page 3: Solera Networks

The Current Threat Landscape .. in a nutshell

Figure: three adversary classes, their motivation and their typical activity.

➜ Hacktivists (politically motivated): DDoS, public data leakage, defacement
➜ State-sponsored attackers (nationalistically motivated): ATA/APT-grade attacks; gov't, enterprise & infrastructure targets
➜ Cybercriminals (financially motivated): ransom & fraud, data theft, malware

Common to all of them: bad stuff in (malware), good stuff out (data theft).

Page 4: Solera Networks

The Problem

Over-reliance on a prevention-based strategy in a post-prevention world:

➜ 69% of attacks discovered by external parties
➜ Multi-stage / multi-vector attacks increasing time to detection and remediation
➜ Motivated, persistent, entrenched human adversary
➜ Leveraging paths of trust; repack / obfuscate = 0day to avoid detection
➜ Firefighting blindly instead of root cause analysis (lack of context and network visibility)

Page 5: Solera Networks

The Challenge of Keeping Pace in a prevention world ..

➜ Security vendors cannot keep up with the latest malware: 100,000 new malware variants released every day
➜ The attacker will always have the initiative, choosing where, when and how
➜ Inevitable delay between first attack and vendor update
➜ This increases time to detection, creating a large window of opportunity that is actively being exploited every day …

Page 6: Solera Networks

The Window of Opportunity

Initial compromise to discovery (VzB, 2013):

  Seconds    0%
  Minutes    0%
  Hours      9%
  Days      11%
  Weeks     12%
  Months    62%
  Years      4%

66% took months or more to discover (typically waiting for vendor updates); 78% took weeks or more (VzB, 2013).

Page 7: Solera Networks

Time to Detection is increasing

Breaches undiscovered for months or more:

  2008   55%
  2009   44%
  2010   41%
  2011   55%
  2012   66%

Page 8: Solera Networks

While custom malware in successful breaches is decreasing (chart: 2012, 30%)

➜ Why invest time/money customizing when "canned" attacks or simple repacks will do ..
➜ APT = Advanced? More like "Adequate", or just enough :)

Page 9: Solera Networks

Simple Obfuscation / Repack Example

➜ "Hello World" exploit released into the wild
➜ Vendors build a signature to detect "document.write('hello World');"
➜ Attacker packs/obfuscates to create a "variant" with minimal effort, without the need for a complete re-write. Back to 0day!
➜ Repeat

Unpacked:

<script type="text/javascript"> document.write('Hello World'); </script>

Packed (Base 62 encoded with Dean Edwards' packer; note that this particular packed output decodes to the same script with the string wrapped in a <b> tag):

eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('<0 2="3/4">5.6(\'<1>7 8</1>\');</0>',9,9,'script|b|type|text|javascript|document|write|Hello|World'.split('|'),0,{}))
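Worked example, added here and not part of the original deck: a small static unpacker for this packer format, run next to a vendor-style signature, to show that the signature misses the packed variant and matches again once the script has been unpacked without ever calling eval. The two scripts are the ones on the slide; the signature pattern, the raw-string handling of the packed sample, and the decoder's support for the 36- and 62-radix symbol forms are the example's own choices, not Solera's code.

```python
import re

# Constructed samples copied from the slide: the "Hello World" script and the
# same script after Dean Edwards' packer.  A raw string keeps the JS escapes
# (\\w+, \') exactly as they appear in the packed output.
UNPACKED_JS = """<script type="text/javascript"> document.write('Hello World'); </script>"""
PACKED_JS = r"""eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('<0 2="3/4">5.6(\'<1>7 8</1>\');</0>',9,9,'script|b|type|text|javascript|document|write|Hello|World'.split('|'),0,{}))"""

# Assumed vendor-style static signature for the original script.
SIGNATURE = re.compile(r"document\.write\([^)]*Hello World")

def matches_signature(js: str) -> bool:
    return SIGNATURE.search(js) is not None

# Tail of the packer bootstrap: }('<payload>', radix, count, '<keywords>'.split('|')
PACKER_TAIL = re.compile(
    r"\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,"
    r"\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)", re.S)

DIGITS36 = "0123456789abcdefghijklmnopqrstuvwxyz"

def _to_base(n: int, radix: int) -> str:
    """Equivalent of JavaScript's Number.prototype.toString(radix) for n >= 0."""
    out = ""
    while True:
        out = DIGITS36[n % radix] + out
        n //= radix
        if n == 0:
            return out

def packer_symbol(index: int, radix: int) -> str:
    """Symbol the packer emits for keyword number `index`.

    Mirrors the three encoders the bootstrap can carry: String for radix <= 10
    (the e=String form on the slide), toString(radix) up to 36, and the
    recursive base-62 form above that, where 36..61 become 'A'..'Z' via
    String.fromCharCode(c+29).
    """
    if radix <= 10:
        return str(index)
    if radix <= 36:
        return _to_base(index, radix)
    if radix <= 62:
        prefix = "" if index < radix else packer_symbol(index // radix, radix)
        index %= radix
        return prefix + (chr(index + 29) if index > 35 else DIGITS36[index])
    raise ValueError("radix %d not supported" % radix)

def unpack(js: str):
    """Statically undo the packer; returns the original script or None."""
    m = PACKER_TAIL.search(js)
    if m is None:
        return None
    payload, radix, count, words = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
    payload = re.sub(r"\\(['\\])", r"\1", payload)   # drop the JS string escapes
    keywords = words.split("|")
    # Same lookup table the bootstrap builds: r[c] = k[c] || c
    table = {}
    for i in range(count):
        sym = packer_symbol(i, radix)
        table[sym] = keywords[i] if i < len(keywords) and keywords[i] else sym
    # Same substitution the bootstrap performs: every \w+ word is a symbol
    return re.sub(r"\b\w+\b", lambda w: table.get(w.group(0), w.group(0)), payload)

if __name__ == "__main__":
    print("packed sample hits signature:   ", matches_signature(PACKED_JS))
    print("unpacked sample hits signature: ", matches_signature(unpack(PACKED_JS)))
    print(unpack(PACKED_JS))
```

The point for detection engineering is the last two lines: a byte-level signature on the delivered content is defeated by a repack that costs the attacker seconds, while normalising the content first (here a static decode, in practice a sandbox or script emulator) restores the match without any vendor update.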

Page 10: Solera Networks


Breaches are now an inevitable reality

Deal With It.

Prevention Strategy alone is not working

Page 11: Solera Networks

Most Dreaded Questions from the CISO

➜ Who did this to us?
➜ How did they do it?
➜ What systems and data were affected?
➜ Can we be sure it's over?
➜ Can we be sure it won't happen again?

The usual answer: "We still don't know" = poor post-breach posture: complete lack of network visibility and forensic context

Page 12: Solera Networks

Case Study: The Bunker Days

3am: "Nmap scan and buffer overflow detected.."

"That's great James, but what happened before / after? …"

This was 10 years ago.. and still true today

Page 13: Solera Networks

Shift Towards a More Modern Security Strategy

Shifting the emphasis from prevention to detection and a strong post-breach security posture:

• When prevention fails, only fast detection and response remain
• Detection requires full network visibility
• Visibility + Intelligence = Actionable intelligence
• From a blocking to a damage-limitation mindset
• Best-of-breed integration achieves a comprehensive security strategy and ecosystem that adds value to existing investments, e.g. SIA + SIEM
• From perpetual firefighting to root cause analysis and context
• Combine reactive and proactive breach discovery methodologies

Shift Towards a More Modern Security Strategy

Page 14: Solera Networks

The Objective: Decrease Time to Detection and Response

Figure: "Attacker Free Time" timeline (source: NERC HILF Report, p. 43, June 2010, http://www.nerc.com/files/HILF.pdf). Attacker-side phases along the time axis: Attack Set-up, Target Analysis, Access Probe, Attack Begins, System Intrusion, Discovery / Persistence, Attacker Surveillance, Leap Frog Attacks, Maintain foothold, Cover-up Starts, Cover-up Complete. Defender-side phases: Attack Identified, Identification, Incident Reporting, Impact Analysis, Response, Containment & eradication, System Reaction Damage, Recovery. The gap between "Attack Begins" and "Attack Identified" is the attacker's free time.

➜ Need to collapse free time: 66% of breaches take months or more to be discovered
➜ Requires complete network visibility
➜ Do not wait for vendors

Page 15: Solera Networks


For complete visibility, rapid detection and response we must first ..

Collect All the Data

Page 16: Solera Networks

Solera is the Security Camera for your Network

➜ Records, classifies and indexes all packets and flows from L2 – L7
➜ On the wire, file-level visibility of data exfiltration & malware infiltration
➜ Actionable intelligence, forensics and situational awareness
➜ Unmatched multi-dimensional flow enrichment & big data warehousing
➜ Flexible, open and easy-to-use platform

Providing real-time analysis and full visibility of everything going in and out of your network

Page 17: Solera Networks

Gartner Agrees …

➜ Record everything, you don't know when you will need it
➜ The highest value use case is proactive situational awareness
➜ The most common use case is reactive post-incident analysis and on-demand investigations

"By 2020, 75% of an enterprise's security budget will be allocated for rapid detection and response approaches, up from less than 10% in 2012"

Page 18: Solera Networks

Proactive Security vs Reactive Security

A Proactive Security Analyst works on the assumption they are already compromised and knows malicious activity goes under the radar on a daily basis. They proactively analyse the network with NAV tools to detect "unknown" threats and go back in time to determine true root cause and mitigate the attack vector.

A Reactive Security Analyst reads the news of a newly discovered Trojan, and hopes that the AV community releases a signature to identify the threat. They wait for an alert to trigger and firefight. Repeat daily.

Breach Discovery Methods: 16% effectiveness (quick win); 28% effectiveness (resource intensive but vital)

Page 19: Solera Networks

Both Approaches Vital to defense in depth

➜ Proactive and reactive security both need SIA to be timely and effective
➜ Improves breach discovery effectiveness and significantly reduces the attacker's window of opportunity
➜ No silver bullet or easy button (despite marketing gloss)

Page 20: Solera Networks

Combining IOC to Focus the Funnel in Pro-active Security

Figure: funnel narrowing ~47,000 sessions down to 4 artifacts of interest. Indicators applied in turn:

➜ Artifact type: EXE, PDF, JAR, SWF
➜ Domain registered < 30 days
➜ Nginx server
➜ Countries of interest
➜ Small, packed, obfuscated
➜ IP/Domain intel
➜ C2 beaconing

Result: 4 artifacts of interest

Page 21: Solera Networks


Putting the Concept into Practice…Separating the Hay!

Page 22: Solera Networks


Separating the Hay…

Page 23: Solera Networks


Separating the Hay…

Page 24: Solera Networks


Separating the Hay…

Page 25: Solera Networks


Evidence of Malware

Page 26: Solera Networks


Confirming Patient Zero!

Page 27: Solera Networks

Proactive Use Case - Begman Trojan

Focus on breach indicators to close the window of opportunity. DO NOT wait for vendor updates!

ASK YOURSELF ..

"Why IS there a small, packed, obfuscated EXE file successfully downloaded from a brand new domain that's only been active for x days?" ….

Page 28: Solera Networks

Begman Trojan – Proactive Use Case

Multi-engine AV scan results for the same file over time:

➜ Feb 23rd: File Name: game.exe, Submission Date: 2011-02-23 00:30:12, Result: 4/43 (9.3%). The host had downloaded it 2 days earlier.
➜ Feb 23rd: Submission Date: 2011-02-23 14:43:23, Result: 8/43 (18.6%). Our AV vendor did not detect it.
➜ Mar 9th: MS publishes the W32.begman.A Trojan report (MS did not detect my variant).
➜ Mar 20th: Submission Date: 2011-03-20, Result: 25/41 (61%)
➜ Oct 19th: Submission Date: 2011-10-19, Result: 35/43 (81.4%). Our AV vendor detected it at this time.
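Worked example, added here and not part of the original deck, of the IOC funnel from the "Combining IOC to Focus the Funnel" slide applied to a Begman-style hunt like the one above: constructed session records (invented hosts, domains, dates and file heads, not real traffic) are pushed through the funnel's indicators in turn, "packed" is estimated from the byte entropy of the file head, and the earliest surviving download is reported as patient zero. The thresholds (30 days, 1 MB, 7.0 bits/byte), the countries of interest and the record field names are assumptions of this example, not Solera's implementation.

```python
import math
from datetime import date, datetime

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for packed/encrypted content, low for plain code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

# Constructed file heads (not real samples): a plain PE stub versus a packed blob.
PLAIN_HEAD = b"MZ" + b"\x00" * 200 + b"This program cannot be run in DOS mode"
PACKED_HEAD = bytes(range(256)) * 2

# Constructed session records (invented, not real traffic); the keys mirror
# the artifacts the funnel keys on: file type, WHOIS registration date,
# Server header, destination country, size, file head, intel hit, beaconing.
SESSIONS = [
    dict(id=1, client="10.0.0.3", domain="updates.vendor-example.com", registered=date(2004, 6, 1),
         seen=datetime(2011, 2, 22, 10, 5), server="nginx", ftype="EXE", size=18_000_000,
         head=PLAIN_HEAD, country="US", intel_hit=False, beacon=False),
    dict(id=2, client="10.0.0.4", domain="invoice-q1-example.net", registered=date(2011, 2, 17),
         seen=datetime(2011, 2, 22, 11, 0), server="Apache", ftype="PDF", size=80_000,
         head=PLAIN_HEAD, country="RU", intel_hit=False, beacon=False),
    dict(id=3, client="10.0.0.5", domain="game-cdn-example.info", registered=date(2011, 2, 10),
         seen=datetime(2011, 2, 21, 9, 14), server="nginx", ftype="EXE", size=40_000,
         head=PACKED_HEAD, country="RU", intel_hit=False, beacon=True),
    dict(id=4, client="10.0.0.9", domain="game-cdn-example.info", registered=date(2011, 2, 10),
         seen=datetime(2011, 2, 23, 8, 30), server="nginx", ftype="EXE", size=40_000,
         head=PACKED_HEAD, country="RU", intel_hit=True, beacon=True),
    dict(id=5, client="10.0.0.6", domain="news-example.org", registered=date(2003, 1, 5),
         seen=datetime(2011, 2, 22, 12, 0), server="nginx", ftype="HTML", size=12_000,
         head=PLAIN_HEAD, country="US", intel_hit=False, beacon=False),
    dict(id=6, client="10.0.0.7", domain="setup-example.biz", registered=date(2011, 2, 20),
         seen=datetime(2011, 2, 22, 13, 0), server="nginx", ftype="EXE", size=30_000,
         head=PACKED_HEAD, country="DE", intel_hit=False, beacon=False),
    dict(id=7, client="10.0.0.8", domain="flash-example.net", registered=date(2011, 2, 1),
         seen=datetime(2011, 2, 22, 14, 0), server="nginx", ftype="SWF", size=5_000_000,
         head=PLAIN_HEAD, country="CN", intel_hit=False, beacon=False),
    dict(id=8, client="10.0.0.10", domain="dl-example.cc", registered=date(2011, 2, 19),
         seen=datetime(2011, 2, 22, 15, 0), server="nginx", ftype="EXE", size=25_000,
         head=PACKED_HEAD, country="CN", intel_hit=False, beacon=False),
]

ARTIFACTS = {"EXE", "PDF", "JAR", "SWF"}
COUNTRIES_OF_INTEREST = {"RU", "CN"}   # assumed for the example
NEW_DOMAIN_DAYS = 30                    # assumed thresholds
SMALL_BYTES = 1_000_000
PACKED_ENTROPY = 7.0

def domain_age_days(s) -> int:
    return (s["seen"].date() - s["registered"]).days

# Each stage narrows the funnel; ordered from cheapest check to most expensive.
FUNNEL = [
    ("artifact type EXE/PDF/JAR/SWF", lambda s: s["ftype"] in ARTIFACTS),
    ("domain registered < 30 days",   lambda s: domain_age_days(s) < NEW_DOMAIN_DAYS),
    ("served by nginx",               lambda s: s["server"].lower() == "nginx"),
    ("country of interest",           lambda s: s["country"] in COUNTRIES_OF_INTEREST),
    ("small and packed",              lambda s: s["size"] < SMALL_BYTES
                                                 and shannon_entropy(s["head"]) > PACKED_ENTROPY),
    ("intel hit or C2 beaconing",     lambda s: s["intel_hit"] or s["beacon"]),
]

def run_funnel(sessions):
    """Return ([(stage name, sessions remaining), ...], surviving sessions)."""
    remaining = list(sessions)
    counts = [("all sessions", len(remaining))]
    for name, keep in FUNNEL:
        remaining = [s for s in remaining if keep(s)]
        counts.append((name, len(remaining)))
    return counts, remaining

def patient_zero(survivors):
    """Earliest download among the survivors: where the root cause analysis starts."""
    return min(survivors, key=lambda s: s["seen"]) if survivors else None

if __name__ == "__main__":
    counts, hits = run_funnel(SESSIONS)
    for name, n in counts:
        print(f"{n:5d}  {name}")
    pz = patient_zero(hits)
    print("patient zero:", pz["client"], pz["seen"].isoformat())
```

Every stage is a question the analyst can answer from captured traffic alone, which is the point of the slide: none of them needs a vendor signature, and the final survivors are the handful of sessions worth pulling full packets and files for.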

Page 29: Solera Networks

Don't wait, be pro-active …

Figure: the same "Attacker Free Time" timeline as on page 14 (source: NERC HILF Report, p. 43, June 2010, http://www.nerc.com/files/HILF.pdf), with the attacker-side phases (Attack Set-up through Cover-up Complete) and the defender-side phases (Attack Identified through Recovery) along the time axis.

➜ Need to collapse free time
➜ Don't wait for signatures, be pro-active and reduce their window of opportunity
➜ Closed the attacker's window of opportunity by 8 months!!

Page 30: Solera Networks

Final Thoughts …

Frodo: "I wish the Ring (Breach) had never come to me. I wish none of this had happened."

Gandalf: "So do all who live to see such times; but that is not for them to decide. All we have to decide is what to do with the time that is given to us.."

Page 31: Solera Networks

Final Thoughts …

➜ It only takes a single click to compromise your network
➜ CISO: "Was the breach due to trust exploitation or an unfortunate employee being redirected from a legitimate site to a drive-by exploit server?"
➜ Get complete network visibility, get forensic context and go find out…

Page 32: Solera Networks


Thank You [email protected]