Burning Down the Haystack to Find the Needle: Security Analytics in Action

Josh Sokol & Walter Johnson



Your network is already compromised, but do you know how and by whom? Can you find them, remove them, and prevent them from getting back in again? In this presentation, we will examine actual attacks and indicators of compromise and show how, using some basic network flow pattern analysis, we can detect and prevent contemporary malware, advanced persistent threats (APTs), zero-day exploits and more. In addition, we will discuss how to feed this data into a security analytics program to create a new, broader perspective on the threats that your organization faces. Over the past four years at National Instruments, we have been collecting tools that work cohesively as part of a larger security analytics platform. The goal of this presentation is to give attendees the basic information they need to build a security analytics program of their own. We will begin with the problem of a lack of visibility within the enterprise environment. From there, we will cover the traits that make a tool well suited to security analytics. Next, we will look at the types of data that exist in the different tool sets and the kinds of questions each is good at answering. We will then discuss what it means to create patterns and analyze your data to find them. After that, we will look at some specific analytics that are useful to run on a regular basis to find malware, misconfigured systems, APTs, and more. Lastly, we will talk about actionable (and even automated) next steps once we discover the patterns we are looking for. The talk encourages audience participation, inviting attendees to share what they are doing to perform security analytics, and is appropriate for both novice and experienced security professionals.


Page 1: Burning Down the Haystack to Find the Needle: Security Analytics in Action

Josh Sokol & Walter Johnson

Page 2

Josh Sokol
- OWASP Foundation Global Board Member
- Creator of SimpleRisk (simplerisk.org)
- Information Security Program Owner, National Instruments

Twitter: @joshsokol  Blog: http://www.webadminblog.com

Page 3

Walter Johnson
- Security Analyst, National Instruments
- LASCON Graphics Guy
- Likes long walks on the beach and candlelight dinners
- Former Yakuza Assassin

Twitter: @sirmodok

Page 4

Visibility (or lack thereof)
- Am I under attack?
- Which systems are they attacking?
- What kind of attacks are they using?
- Who is attacking me?
- Were they successful?

Page 5

- We need to create an ecosystem of security tools that work together to answer these questions and more.
- We need tools that are able to talk to each other in order to leverage siloed data for mutual gain.
- We need a platform to enable the analysis of and reporting on threats in our environment in near real-time.

We need Security Analytics!

Page 6

Diagram labels: Firewall, IPS, NAC, Malware Analysis, Vulnerability Mgmt

- Tools Working in Silos
- Proprietary Protocols
- "Greedy" Platforms
- Duplication of Functionality

Page 7

- Open API
- Open DB
- Data Export

Page 8

- Events
- Alerts
- SNMP
- Syslog

Page 9

Exploitation – Parasitism. The leech gains food and nutrients, but the host gains nothing from having a leech suck its blood.

Page 10

You can assemble an arsenal of best-in-breed tools that work together. Even smaller purchases can have a large impact.

Page 11

Question                                            Data
Do I trust the source?                              Reputation Data
How am I being attacked?                            Attack Data
What attacks are my systems vulnerable to?          Vulnerability Data
What versions of O/S and software am I running?     Asset Data
Who is using my systems?                            Identity Data
Who should have access to what?                     Data Classification
Who do I trust and who trusts me?                   Trust Hierarchy
Do I have access?                                   Authentication Data
What can I access?                                  Authorization Data
What has been tested?                               QA Data
Is data crossing between two trust levels?          Trust Boundaries

Page 12

- Common feature for modern routers and switches.
- Provides a lot of data for a reasonable amount of storage.
- Data can help make many security decisions easier.

Page 13

- “Security Flaws in Universal Plug and Play” whitepaper by HD Moore
- Over 23 million IPs are vulnerable to remote code execution through a single UDP packet.
- Affects the Simple Service Discovery Protocol (SSDP), which runs on UDP/1900.

Question: Are people actively scanning my network in order to exploit this flaw?

Page 14

- Source address is external to my network.
- Destination address is on my network.
- Connection uses UDP (protocol 17) on port 1900.

Page 15

- A pattern search of our NetFlow data over the past 24 hours returned 539 results in 1 minute and 38 seconds.

Page 16

Page 17

- Source address is on my network.
- Destination address is external to my network.
- The destination IP is listed on the Malware Domain List.

Page 18

- Most of the pattern matches returned showed one MDL IP with multiple internal hosts connecting to it.
- Then there was this…

Page 19

- Source address is on my network.
- Destination address is external to my network.
- Destination is associated with a malware event from one of our Malware Prevention appliances (scoped to 1 hr).

Page 20

- A pattern search of our NetFlow and MPS data over the past hour returned 134 results in 2 minutes and 4 seconds.
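The three flow patterns from Pages 14, 17 and 19 worked through in Python as an added example (not the authors' own tooling): the flow records, the 10.0.0.0/8 address range, the MDL IP set and the appliance event are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the organisation's address space is 10.0.0.0/8.
INTERNAL = ip_network("10.0.0.0/8")
# Constructed stand-in for the Malware Domain List (MDL) IP feed.
MDL_IPS = {"203.0.113.7", "198.51.100.23"}

@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: int   # IANA protocol number; 17 = UDP, 6 = TCP
    dport: int
    nbytes: int

def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL

def ssdp_scans(flows):
    """Page 14 pattern: external source, internal destination, UDP/1900."""
    return [f for f in flows if not is_internal(f.src) and is_internal(f.dst)
            and f.proto == 17 and f.dport == 1900]

def mdl_callbacks(flows):
    """Page 17 pattern: internal source connecting out to an IP on the MDL."""
    return [f for f in flows
            if is_internal(f.src) and not is_internal(f.dst) and f.dst in MDL_IPS]

def flows_near_malware_events(flows, events, window=timedelta(hours=1)):
    """Page 19 pattern: outbound flows to an IP named in a malware-prevention
    appliance event, scoped to `window` around the event.  `events` holds
    (timestamp, external_ip) pairs."""
    return [f for ts, ip in events for f in flows
            if is_internal(f.src) and f.dst == ip and abs(f.ts - ts) <= window]

# Constructed sample flows and one constructed appliance event.
T0 = datetime(2013, 10, 24, 9, 0)
FLOWS = [
    Flow(T0, "192.0.2.50", "10.1.1.20", 17, 1900, 120),    # SSDP probe from outside
    Flow(T0, "10.1.1.20", "10.1.1.21", 17, 1900, 120),     # internal SSDP, not a scan
    Flow(T0, "10.2.0.9", "203.0.113.7", 6, 443, 4096),     # callback to an MDL IP
    Flow(T0 + timedelta(minutes=30), "10.2.0.9", "198.51.100.200", 6, 80, 900),
    Flow(T0 + timedelta(hours=3), "10.2.0.9", "198.51.100.200", 6, 80, 900),
]
EVENTS = [(T0, "198.51.100.200")]
```

Each function returns the matching flows, so the same three patterns can be run over a real NetFlow export once the records are loaded into `Flow` objects.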

Pages 21-22

Page 23

- Create a list of unused IP addresses on your network.
- Look for the internal systems making the most connections to those IPs.

Page 24

- Source address is on my network.
- Destination address is external to my network.
- Connection is UDP port 53.
- Count the connections to destination IP addresses.

Page 25

- Source address is on my network.
- Destination address is external to my network.
- Sum up the number of bytes sent and get the top 25.

Page 26

- Source address is on my network.
- Destination address is on my network.
- Get the count of connections any IP makes to any other IP addresses.

Page 27

- Source address is specified at runtime.
- Destination address is any IP.
- Show all ports and bytes of data sent to each.
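The five aggregation recipes from Pages 23 through 27 as an added Python example (not the authors' tooling): the 10.0.0.0/8 address range, the unused-IP list and the flow records are constructed.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumption: our address space
# Constructed: addresses inside our range that are assigned to no host.
UNUSED_IPS = {"10.9.9.1", "10.9.9.2", "10.9.9.3"}

# Constructed flows as (src, dst, proto, dport, bytes); 17 = UDP, 6 = TCP.
FLOWS = [
    ("10.1.1.5", "10.9.9.1", 6, 445, 60),        # one host sweeping unused space
    ("10.1.1.5", "10.9.9.2", 6, 445, 60),
    ("10.1.1.5", "10.9.9.3", 6, 445, 60),
    ("10.1.1.7", "10.9.9.1", 6, 445, 60),
    ("10.1.1.5", "203.0.113.53", 17, 53, 90),    # DNS to a non-corporate resolver
    ("10.1.1.6", "203.0.113.53", 17, 53, 90),
    ("10.1.1.6", "198.51.100.53", 17, 53, 90),
    ("10.1.1.8", "198.51.100.9", 6, 443, 50_000_000),  # very large outbound transfer
    ("10.1.1.8", "198.51.100.9", 6, 22, 3_000),
    ("10.1.1.9", "10.1.1.8", 6, 3389, 5_000),    # internal-to-internal RDP
]

def is_internal(addr):
    return ip_address(addr) in INTERNAL

def darknet_talkers(flows, unused=UNUSED_IPS):
    """Page 23: internal hosts ranked by connections to unused internal IPs."""
    return Counter(src for src, dst, *_ in flows if dst in unused).most_common()

def external_dns_targets(flows):
    """Page 24: connection counts per external UDP/53 destination."""
    return Counter(dst for src, dst, proto, dport, _ in flows
                   if is_internal(src) and not is_internal(dst)
                   and proto == 17 and dport == 53).most_common()

def top_outbound_bytes(flows, n=25):
    """Page 25: internal sources ranked by bytes sent outward (data-loss check)."""
    totals = sum((Counter({src: nbytes}) for src, dst, _, _, nbytes in flows
                  if is_internal(src) and not is_internal(dst)), Counter())
    return totals.most_common(n)

def internal_pair_counts(flows):
    """Page 26: connection count for every internal src/dst pair."""
    return Counter((src, dst) for src, dst, *_ in flows
                   if is_internal(src) and is_internal(dst))

def ports_for_source(flows, source):
    """Page 27: destination ports one source talked to, with bytes sent to each."""
    return dict(sum((Counter({dport: nbytes}) for src, _, _, dport, nbytes in flows
                     if src == source), Counter()))
```

Summing `Counter` objects is convenient for a few hundred flows; for a full day of NetFlow, accumulate into one `Counter` in a loop instead.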

Pages 28-31

Page 32

- What is connecting to that IP address?
- What is that IP address connecting to?
- Do I have any alerts associated with that IP address?
- Is there any significant amount of data loss from that system?

Page 33

- What is connecting to that IP address?

Pages 34-37

Page 38

Dewan Communications

Facebook

Page 39

- What is that IP address connecting to?

Pages 40-41

Page 42

AWS

hosted-by.ihc.ru

Feral Hosting?  softlayer.com  Dewan Communications

Page 43

- Do I have any alerts associated with that IP address?

Page 44

Page 45

- Is there any significant amount of data loss from that system?

Pages 46-47

Page 48

https://code.google.com/p/collective-intelligence-framework/

Page 49

- Are there alerts associated with this host on my IPS or other monitoring devices? No.
- WAFSEC reputation data…
- McAfee Threat Intelligence data…
- This looks like a false positive to me.

Page 50

- Should I accept packets from random IP X?
  - Reputation Data
  - Attack Data
  - Vulnerability Data
  - Asset Data
  - Trust Boundaries

- Should I allow random person X to download a file Y?
  - Data Classification
  - Reputation Data
  - Authentication Data
  - Authorization Data
  - Trust Boundaries

Page 51

- Block an IP address with a Firewall or IPS system.
- Create WAF rules based on attack data.
- Ban a system from communicating on your network.
- Require additional authentication.
- Attack back?

– Greg Hoglund, Founder and Former CEO of HBGary, from CNBC, “Companies Battle Cyberattacks Using ‘Hack Back’”, 6/4/2013

Page 52

- Many companies suffer from a lack of visibility into critical security threats.
- Security analytics allow us to see and react to threats.
- Ideal tools are those with both provider and consumer capabilities.
- Combining tool data together gives us the context that we can use to make informed decisions.
- Network flow data is the “glue” that ties the events together and helps to illustrate the attack progression.

Page 53

Josh Sokol  Twitter: @joshsokol  Blog: http://www.webadminblog.com

Walter Johnson  Twitter: @sirmodok