Application Whitelisting and Active Analysis Nick Levay, Chief Security Officer, Bit9

Source: ilta.personifycloud.com/webfiles/productfiles/1877999/... · 2014. 6. 11.


Page 2

About Me

• Chief Security Officer @ Bit9

• Former Director of Technical Operations and Information Security @ Center for American Progress

• Former Director of Global Systems and Tools @ NASDAQ:IAWK

• Practicing professionally since 1997

• Certified Information Systems Security Professional

• Educational background in Communications

• Areas of focus:

– Information Warfare

– Cyber Counterintelligence

– Security Operations

– Development Operations

– Social Media / Social Network Analysis

• NJ, TN, Silicon Valley, Asia*, DC, MA

* Frequent movement between aforementioned locations

Page 3

The assumption of breach.

The inevitability of compromise.

Page 4

“In 2020, enterprises will be in a state of continuous compromise.”

-- Gartner

more like 2010…

Page 5

Rethink Your Security Strategy

Security is not a solution, it is a process.

Prevention is no longer enough: invest in detection and response.

Consider your technologies: move from reactive to proactive.

Page 6

“The attacker has the advantage.” The attacker does not have the advantage, unless we cede it to them.

Page 7

Enterprise Network as a Battlespace

Page 8

Situational awareness enables real-time, accurate decisions in tactical situations.

Most enterprises have no internal or endpoint situational awareness.

Page 9

Prepare the battlefield.

Win the battle.

Page 10

Prepare for breach. Avoid forensics & expensive consultants.

Page 11

Defense-in-depth / Layered Controls

• Network security controls – Firewalls, DPI, IDS/IPS, DLP, Email/Web Scanning, Detonation

• Service security controls – Authentication, permissions, naming lookup, lots of logging

• Endpoint security controls – Anti-virus, application control, endpoint threat detection and response

If you are depending on one control to stop an attack, you are doing it wrong.

Page 12

The Attacker’s Process & Enterprise Capabilities

• The often misunderstood meaning of “empathy”

• The “Cyber Kill Chain”™ model

– Developed by Mike Cloppert, Rohan Amin, and Eric Hutchins at Lockheed Martin

– Useful for …

• Breaking down stages of an attacker’s process

• Formulating strategy for deploying security controls

• Facilitating iterative intelligence gathering

• Effective intelligence use

Reconnaissance Weaponization Delivery Exploitation Installation C2 AoI

DETECT – DENY – DISRUPT – DEGRADE – DECEIVE

Page 13

Reconnaissance Weaponization Delivery Exploitation Installation C2 AoO

The Endpoint in the Kill Chain

Preventing Exploitation

– Patching matters! (Most basic way to minimize threat surface)

– Enforce ASLR/DEP (Microsoft EMET)

– Inter-process memory controls

– Unfortunately, there’s little you can do at this stage

Preventing Installation

– Dropping of binaries, touching other processes, et cetera

– Blacklist approaches – Default-Allow

– Sandbox approaches – Default-Allow + “Deny-over-there”

– Trust based approaches – Default-Deny (Application Whitelisting)

– Hybrid approaches – Detonate-and-Deny, Detect-and-Deny

Page 14

Reconnaissance Weaponization Delivery Exploitation Installation C2 AoO

The Endpoint in Focus – Prevention

Default-Allow Blacklisting – Blocking known bad

– Traditional AV, based on signatures

– Ineffective for anything other than nuisance threats

– Local blacklists are still tactically useful

Page 15

Opportunistic vs “Advanced” Attacks

[Figure: two plots of Hosts Compromised (log scale: 10, 100, 1k, 10k, 100k) against Time (Week 1 to Week 7). OPPORTUNISTIC: goal is to maximize slope. “ADVANCED”: goal is to minimize slope.]

Page 16

Opportunistic vs “Advanced” Attacks

[Figure: the same two plots of Hosts Compromised (log scale: 10, 100, 1k, 10k, 100k) against Time (Week 1 to Week 7), each with a THRESHOLD OF DETECTION line added. OPPORTUNISTIC: goal is to maximize slope. “ADVANCED”: goal is to minimize slope.]

Page 17

Reconnaissance Weaponization Delivery Exploitation Installation C2 AoO

The Endpoint in Focus – Prevention

Default-Deny Whitelisting – Trust Based – Known Good

– Most effective protection

– Easy on servers and fixed-function systems

– Can be challenging on dynamic endpoints

– Good application governance is key to successful implementation

– Still not a silver bullet

Page 18

Reconnaissance Weaponization Delivery Exploitation Installation C2 AoO

The Endpoint in Focus – Prevention

Sandboxes

– Mitigation of application compromise, not system protection

– Application-specific sandboxes (e.g. Java, Chrome)

– Virtualization-based EPP solutions

– Cover only a limited portion of the threat surface

– Can’t prevent/detect lateral movement

Page 19

Reconnaissance Weaponization Delivery Exploitation Installation C2 AoO

Challenges stopping attacks at Delivery

– Network detonation solutions are often not in-line: the “Known Bad” verdict comes after delivery, so they become detection only

– Network assets are often not where a bad file is first seen:

• Encrypted (no SSL MITM inspection)

• In a container (password-protected zip/rar)

• Removable media (USB stick, DVD/CDs, et cetera)

Page 20

Reconnaissance Weaponization Delivery Exploitation Installation C2 AoO

Actionable intelligence passing

[Diagram: network detonation and endpoint/server analysis exchanging files and alerts. Labels on the slide:]

– Transfer alerts

– Submit files automatically / Submit files on-demand

– Incoming files on network

– “Detonate” files for analysis

– Prioritize network alerts

– Investigate scope of the threat

– Remediate endpoints and servers

– Correlate endpoint/server and network data

– Automatic analysis of all suspicious files

– On-demand analysis of suspicious files

– Endpoint and server files

Page 21

Threat Intelligence

Reconnaissance Weaponization Delivery Exploitation Installation C2 AoI

Leveraging Indicators to Facilitate Detection

– IP Addresses

– Hostnames

– File Hashes

– Et cetera

Page 22

Threat Intelligence

Reconnaissance Weaponization Delivery Exploitation Installation C2 AoI

Leveraging Intelligence to Determine Trust

Software Reputation Service (SRS)

– Reputation levels for files

– Thresholds can drive approvals

– e.g. Firefox == 10, Keylogger == 0
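Added illustration of how a trust-based default-deny policy can combine explicit approvals, publisher trust, a reputation threshold and a local blacklist (slides 13, 14 and 22 above). This is example code, not Bit9 product logic; the 0-10 reputation scale follows the slide, while the threshold of 7, the policy contents and the execution attempts are constructed assumptions.

```python
"""Trust-based default-deny execution policy with a reputation threshold.
Added illustration, not Bit9 code. 0-10 reputation scale as on the slide
(Firefox == 10, keylogger == 0); the threshold of 7 is an assumption."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

@dataclass
class TrustPolicy:
    approved_hashes: Set[str] = field(default_factory=set)     # explicitly approved files
    trusted_publishers: Set[str] = field(default_factory=set)  # valid signatures from these are trusted
    local_blacklist: Set[str] = field(default_factory=set)     # local "known bad" hashes
    reputation_threshold: int = 7  # assumed: minimum reputation for automatic approval

@dataclass
class ExecAttempt:
    path: str
    sha256: str
    publisher: Optional[str] = None   # signer, if the file is validly signed
    reputation: Optional[int] = None  # None: unknown to the reputation service

def decide(policy: TrustPolicy, a: ExecAttempt) -> Tuple[str, str]:
    """Return (verdict, reason). Precedence: local blacklist, explicit approval,
    trusted publisher, reputation threshold, then default deny for everything else."""
    if a.sha256 in policy.local_blacklist:
        return "DENY", "local blacklist"
    if a.sha256 in policy.approved_hashes:
        return "ALLOW", "explicitly approved hash"
    if a.publisher and a.publisher in policy.trusted_publishers:
        return "ALLOW", "trusted publisher: " + a.publisher
    if a.reputation is not None and a.reputation >= policy.reputation_threshold:
        return "ALLOW", "reputation %d >= %d" % (a.reputation, policy.reputation_threshold)
    return "DENY", "default-deny: unknown or low-reputation file"

# Constructed sample policy and execution attempts (hashes are placeholders).
SAMPLE_POLICY = TrustPolicy(approved_hashes={"a" * 64},
                            trusted_publishers={"Mozilla Corporation"},
                            local_blacklist={"b" * 64})
SAMPLE_ATTEMPTS = [
    ExecAttempt(r"C:\Program Files\Mozilla Firefox\firefox.exe", "c" * 64, "Mozilla Corporation", 10),
    ExecAttempt(r"C:\Users\alice\Downloads\invoice.exe", "d" * 64, None, 0),
    ExecAttempt(r"C:\Users\alice\AppData\Local\Temp\update.exe", "b" * 64, "Mozilla Corporation", 10),
    ExecAttempt(r"C:\Tools\putty.exe", "e" * 64, None, 8),
    ExecAttempt(r"C:\Tools\newtool.exe", "f" * 64, None, None),
]

def evaluate_all(policy=SAMPLE_POLICY, attempts=SAMPLE_ATTEMPTS):
    """Map each path to its (verdict, reason)."""
    return {a.path: decide(policy, a) for a in attempts}
```

Note that the blacklisted file is denied even though it carries a trusted signature and a top reputation score, which is the "local blacklists are still tactically useful" point from slide 14.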

Page 23

Complete Forensic Record of Endpoint Activity

Reconnaissance Weaponization Delivery Exploitation Installation C2 AoI

All file modifications

All file executions

All registry modifications

All network connections

Copy of every executed binary

All the information you need to respond
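Added example tying slides 21 and 23 together: matching indicators (file hashes, IP addresses) against a continuously recorded endpoint telemetry log, so that an indicator learned later still scopes the hosts that were hit earlier. This is example code, not Bit9's; the telemetry rows, host names, hashes and addresses are constructed.

```python
"""Retroactive indicator matching over a recorded endpoint telemetry log.
Added illustration, not Bit9 code; all rows, hosts, hashes and addresses below
are constructed sample data (hashes shortened to placeholders)."""
from typing import Dict, Iterable, Iterator, List, Set, Tuple

Record = Tuple[str, str, str, str]  # (timestamp, host, event_type, value)

# Constructed telemetry, recorded continuously on the endpoints.
TELEMETRY: List[Record] = [
    ("2014-05-30T08:12:00", "ws-101", "file_exec", "sha256:f00d01"),
    ("2014-05-30T08:12:05", "ws-101", "net_conn", "198.51.100.23:443"),
    ("2014-05-30T08:13:00", "ws-101", "reg_mod", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    ("2014-06-02T11:40:00", "ws-117", "file_exec", "sha256:f00d01"),
    ("2014-06-02T11:40:09", "ws-117", "net_conn", "198.51.100.23:443"),
    ("2014-06-03T14:02:00", "srv-db1", "file_exec", "sha256:0f1ce5"),
    ("2014-06-03T14:02:30", "srv-db1", "net_conn", "203.0.113.8:80"),
]

# Indicators that arrive on 2014-06-10, i.e. after the activity above took place.
INDICATORS: Dict[str, Set[str]] = {"hash": {"sha256:f00d01"}, "ip": {"198.51.100.23"}}

def match_indicators(records: Iterable[Record], indicators: Dict[str, Set[str]]) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (timestamp, host, indicator_kind, indicator) for every row that matches.
    Network values carry a port, which is stripped before the lookup."""
    for ts, host, etype, value in records:
        if etype in ("file_exec", "file_mod") and value in indicators.get("hash", set()):
            yield ts, host, "hash", value
        elif etype == "net_conn":
            ip = value.rsplit(":", 1)[0]
            if ip in indicators.get("ip", set()):
                yield ts, host, "ip", ip

def scope_incident(records: Iterable[Record], indicators: Dict[str, Set[str]]) -> Dict[str, dict]:
    """Per affected host: earliest matching event and the indicators seen there.
    Because the log is historical, hosts hit before the indicator was known still appear."""
    scope: Dict[str, dict] = {}
    for ts, host, _kind, ind in match_indicators(records, indicators):
        entry = scope.setdefault(host, {"first_seen": ts, "indicators": set()})
        entry["first_seen"] = min(entry["first_seen"], ts)  # ISO timestamps sort lexically
        entry["indicators"].add(ind)
    return scope

def hosts_that_executed(records: Iterable[Record], sha: str) -> List[str]:
    """Pivot on the retained execution history: every host that ever ran the binary."""
    return sorted({h for _, h, e, v in records if e == "file_exec" and v == sha})
```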

Page 24

telemetry

Page 25

telemetry

Page 26

Page 27

detection focus

Page 28

seconds to minutes … weeks to years

detection focus

Page 29

detection focus

seconds to minutes … weeks to years

detection focus

Page 30

seconds to minutes … weeks to years

detection focus

?

Page 31

Establishing a Continuous Security Process

Visibility – Know what’s running on every computer right now

• Attacks happen on the endpoint

• How can you protect your assets if you don’t know what’s running on them?

• Traditional security tools provide no visibility

• Visibility needs to be live, not poll- or scan-based

Page 32

Establishing a Continuous Security Process

Prevent – Stop threats with proactive, customizable prevention

• Reducing your attack surface

• Symantec saw 240 million unique threats in 2009 – we’ve crossed the billion mark cumulatively

• Apply trust-based policies to allow only known good software to run

Page 33

Establishing a Continuous Security Process

Detect – Detect threats in real-time without signatures

• See and record everything

• You can’t always know what’s “bad” ahead of time

• Apply advanced indicators to detect unknown threats in real-time

Page 34

Establishing a Continuous Security Process

Respond – See the full evolution of a threat; contain and control

• Traditional incident response is expensive and time consuming

• With historical recording, you can identify scope and impact in minutes, not weeks

• Use that information to contain, remediate and further reduce attack surface

Page 35

Endpoint and Server Telemetry/Control

• Monitor & Record:

– File executions

– File modifications

– Registry modifications

– Network connections

• Retain:

– Telemetry from periods when system is offline

– Copies of all executed binaries

• Control:

– File executions

– Inter-process memory access

– Registry modifications

Page 36

Conclusions

• Compromise is inevitable; You must plan for response

• Proactive defense starts with visibility

• You’ve got to collect telemetry from EVERYTHING

• You can leverage the home-field advantage against adversaries

• Defense tactics are changing – Shift from Default-Allow to Default-Deny

• Not all assets are protected the same way

• Your endpoints and network must work together

• There are no silver bullets

• THERE ARE TWO THINGS YOU NEED TO DO:

– Decrease your threat surface

– Increase your response capabilities

Page 37

All questions welcome

Share experiences

Keep it short & leave room for others

Discussion

Page 38

Thank You!