Looking for the weird webinar 09.24.14
-
Upload
lancope-inc -
Category
Technology
-
view
140 -
download
2
description
Transcript of Looking for the weird webinar 09.24.14
![Page 1: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/1.jpg)
Looking for the Weird: Detecting "Bad" Traffic and Abnormal Network Behavior
CHARLES HERRING
@CHARLESHERRING
HTTP: / / F15HB0WN.COM
CHERRING@L ANCOPE .COM
![Page 2: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/2.jpg)
AgendaDefinitions
NBAD Specific Detection Approaches
Example Breaches
![Page 3: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/3.jpg)
Overview - DefinitionsWhat is NBAD?
What is NetFlow?
Detection Schools
![Page 4: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/4.jpg)
What is NBAD?Network Behavioral Anomaly Detection
Data source = Network MetaData (NetFlow)
Probe locations = Core or deeper
Quantity/Metric Centric (not Pattern/Signature Centric)
Sometimes used to refer to NetFlow Security Tools
![Page 5: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/5.jpg)
5
OSS NBAD - SilK/PySiLK
![Page 6: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/6.jpg)
6
Commercial SolutionsArbor PeakFlow
IBM Qradar
Invea-Tech FlowMon
Lancope StealthWatch
ManageEngine
McAfee NTBA
Plixer Scrutinizer
ProQSys FlowTraq
Riverbed Cascade (formerly Mazu)
* For comparison see Gartner Network Behavior Analysis Market December 2012 (G00245584)
![Page 7: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/7.jpg)
8
Network Logging Standards
NetFlow v9 (RFC-3950)
IPFIX (RFC-5101)
Rebranded NetFlow◦ Jflow – Juniper◦ Cflowd – Juniper/Alcatel-Lucent◦ NetStream – 3Com/Huawei◦ Rflow – Ericsson◦ AppFlow - Citrix
Basic/Common Fields
![Page 8: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/8.jpg)
Detection MethodsSignature = Inspect Object against blacklist
◦ IPS◦ Antivirus◦ Content Filter
Behavioral = Inspect Victim behavior against blacklist◦ Malware Sandbox◦ NBAD/UBAD◦ HIPS◦ SEIM
Anomaly = Inspect Victim behavior against whitelist◦ NBAD/UBAD
![Page 9: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/9.jpg)
Comparison of Detection Methods
Signature Behavior AnomalyKnown Exploits Best Good Limited
0-Day Exploits Limited Best Good
Credential Abuse Limited Limited Best
![Page 10: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/10.jpg)
Overview – NBAD Detection ApproachesSignature
Behavioral
Anomaly
![Page 11: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/11.jpg)
NBAD Detection - SignatureSegmentation Enforcement
Policy Violations
C&C Connections
Pro’s: Certainty can be established; Easy to set up; Deep visibility (without probes)
Con’s: Only detects “Known Threats”
![Page 12: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/12.jpg)
Boolean DetectionIDS Signature?
VA mark
ed vulnerable?
NetFlow
shows return
ed data?
Trigger
Breach
Alarm
13
• Requires understanding of “bad” scenario• Dependent on reliable (non-compromised) data
sources• Data sources rely on signature (known bad) detection• NetFlow usage limited to communication tracking
![Page 13: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/13.jpg)
NBAD Detection - BehavioralScanning
SYN Flood
Flag Sequences
Pro’s: Doesn’t need to know exploit
Con’s: Must establish host counters
![Page 14: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/14.jpg)
NBAD Detection – Anomaly Pro’s: Can Catch Sophisticated/Targeted/Unknown Threats
Con’s:◦ Requires Host and User Profiles◦ Requires Specific Baselines/Policies◦ Output requires interpretation◦ Requires massive data collection/processing◦ Requires Algorithmic Calculation
![Page 15: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/15.jpg)
Algorithmic Detection
16
• Based on knowing normal• Dependent on raw NetFlow MetaData (multiple sources)• Does not require understanding of attack• Output is security indices focused on host activity
Host Concern Index =
1,150,000
Slow Scanning Activity : Add
325,000
Abnormal connections: Add 425,000
Internal pivot activity: Add
400,000
![Page 16: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/16.jpg)
NBAD Detection – Anomaly TypesService Traffic Threshold Anomaly
Service Type Anomaly
Geographic Traffic Anomaly
Time of Day Anomaly
Geographic User Anomaly
Data Hoarding
Data Disclosure
![Page 17: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/17.jpg)
NBAD Detection - Anomaly Service Traffic Threshold Anomaly
![Page 18: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/18.jpg)
NBAD Detection - Anomaly Service Type Anomaly
![Page 19: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/19.jpg)
NBAD Detection - Anomaly Geographic Traffic Anomaly
![Page 20: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/20.jpg)
NBAD Detection - Anomaly Time of Day Anomaly
![Page 21: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/21.jpg)
NBAD Detection - Anomaly Geographic User Anomaly
![Page 22: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/22.jpg)
NBAD Detection - Anomaly Data Hoarding
![Page 23: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/23.jpg)
NBAD Detection - Anomaly Data Disclosure
![Page 24: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/24.jpg)
Overview – Specific NBAD BreachesHealth Care vs. State Sponsored
State/Local Government vs. Organized Crime
Agriculture vs. State Sponsored
Higher Education vs. State Sponsored
Manufacture vs. Activists
![Page 25: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/25.jpg)
Patient Data to East AsiaVictim Vertical: Healthcare
Probable Assailant: State Sponsored
Objective: Theft of patient healthcare records
Motivation: Geopolitical/Martial
Methodology: ◦ Keylogging Malware◦ Configuration change of infrastructure
NBAD Type: Enforcement Monitoring
![Page 26: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/26.jpg)
Geographical Anomaly
![Page 27: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/27.jpg)
Cardholder Data to East Europe Victim Vertical: State/Local Government
Probable Assailant: Organized Crime
Objective: Theft of cardholder data
Motivation: Profit
Methodology: ◦ Coldfusion exploit of payment webserver◦ Recoded Application◦ Staged data on server; uploaded to East Europe FTP server
NBAD Type: ◦ Geographic Anomaly◦ Traffic Anomaly
![Page 28: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/28.jpg)
Geographical Traffic Anomaly
![Page 29: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/29.jpg)
Intellectual Property to East Asia Victim Vertical: Agriculture
Probable Assailant: State Sponsored
Objective: Theft of food production IP
Motivation: Profit/National Competition
Methodology: ◦ Spearphish of administrator◦ Pivot via VPN◦ Pivot via monitoring servers◦ Direct exfiltration
NBAD Type: ◦ Geographic Traffic Anomaly◦ Geographic User Anomaly◦ Traffic Anomaly
![Page 30: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/30.jpg)
Recon from Monitoring Servers
![Page 31: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/31.jpg)
Geographical Anomaly
![Page 32: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/32.jpg)
Theft of Research Data Victim Vertical: Higher Education
Probable Assailant: State Sponsored
Objective: Theft sensitive research data
Motivation: Geopolitical/Martial
Methodology: ◦ Direct access to exposed RDP Servers◦ Bruteforce of credentials
NBAD Type: ◦ Service Traffic Anomaly◦ Geographic Traffic Anomaly
![Page 33: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/33.jpg)
Traffic Anomaly
![Page 34: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/34.jpg)
Theft of Customer Data Victim Vertical: Manufacturing
Probable Assailant: Activist
Objective: Publish stolen customer data
Motivation: Embarrassing Victim
Methodology: ◦ SQL Injection to Customer Portal
NBAD Type: ◦ Recon detection◦ Traffic Anomaly to Internet◦ Traffic Anomaly to Webserver from DB
![Page 35: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/35.jpg)
Recon before SQLi
![Page 36: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/36.jpg)
Anomalous Data Exfiltration
![Page 37: Looking for the weird webinar 09.24.14](https://reader035.fdocuments.us/reader035/viewer/2022070304/54b876704a79595e608b4575/html5/thumbnails/37.jpg)
Catching Breaches with NBAD
CHARLES HERRING
@CHARLESHERRING
HTTP: / / F15HB0WN.COM
CHERRING@L ANCOPE .COM
Questions?