Transcript of Presd1 13
April 2010
Cyber Defense in Depth
Using Network Intelligence Technology to Build a Second Line of Defense

Contents
• The challenges of government cyber security
• Cyber threats and limitations of COTS
• Using Network Intelligence Technology for cyber defense in depth
• Summary
Page 2
Page 3
The Big Picture: Defending Nations Against Advanced Persistent Threats
• Are disruptions at banks, electricity grids or airport navigation systems due to technical problems or is it a cyber attack?
• When is an attack just “hacker mischief” and when is it a matter of national security?
• How did the blueprints for our country’s top secret weapon system end up abroad?
• Is the cyber attack coordinated against a particular country or is it just a random attack?
Key Government Requirements
• Several layers of defense
• High-spec, “military-grade” capabilities
• Fast reaction to zero-day attacks
• Precise understanding of abnormal network behavior
• Highly confidential solutions
Page 4
Page 5
Examples of Cyber Threats Affecting Governments
• Botnets
  - Zombies infected by malware, controlled through Command & Control (C&C) by bot-masters
  - A bot typically uses a covert channel to communicate with its C&C server
  - Covert channels have evolved from the historical IRC standard to an increasing use of P2P (e.g. eDonkey), social networking (e.g. Twitter, Google Groups, Facebook, Jaiku, etc.), and HTTPS (e.g. Aurora)
  - C&C traffic is sometimes difficult to detect due to low-level, sporadic activity, which is drowned within high-volume network traffic
• Compromised email agents or relays
  - Used to spread malware through email address spoofing
• Hacking of government officials’ accounts
  - Facebook, Twitter (e.g. Obama)
Page 6
What Kind of Malware Activity Could You Detect By Looking at Network Traffic?
• C&C communication: bot setup, spread, synchronization, attacks
  - Scan traffic for IRC, Twitter, Facebook, Jaiku... scan attachments inside IM, etc.
• Fast flux: surging DNS activity on a “strange domain” may be a sign that fast flux is used by botnets to hide malware delivery sites behind an ever-changing network of compromised hosts acting as proxies
• Data exfiltration: a Web server which starts communicating suspiciously, or unusual payloads leaving a network enclave, could be the sign of data exfiltration, especially if traffic is encrypted
• Changes in SMTP relays
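As an added illustration of the fast-flux indicator listed above (example code written for this page, not from the deck or from Qosmos), a heuristic over DNS answer metadata such as a sensor could export: a domain is flagged when, within one observation window, it resolves to many distinct IPs, the answers carry short TTLs, and its query count surges far above its baseline. The thresholds, domain names and addresses are constructed assumptions.

```python
from collections import defaultdict

# Assumed thresholds (tune per network); these are not figures from the deck.
MIN_DISTINCT_IPS = 5   # distinct A-record IPs seen for one domain in the window
MAX_AVG_TTL = 300      # seconds; fast-flux answers use short TTLs to rotate proxies
SURGE_FACTOR = 10      # queries in window vs. the domain's baseline per window


def summarize(answers):
    """answers: iterable of (domain, ip, ttl). Return domain -> (ip set, ttl list, count)."""
    ips, ttls, count = defaultdict(set), defaultdict(list), defaultdict(int)
    for domain, ip, ttl in answers:
        ips[domain].add(ip)
        ttls[domain].append(ttl)
        count[domain] += 1
    return {d: (ips[d], ttls[d], count[d]) for d in ips}


def find_fast_flux(answers, baseline_queries):
    """Return (domain, distinct_ips, avg_ttl) for domains matching all three indicators.
    baseline_queries: domain -> typical query count per window (missing = never seen)."""
    flagged = []
    for domain, (ips, ttls, n) in summarize(answers).items():
        avg_ttl = sum(ttls) / len(ttls)
        surge = n > SURGE_FACTOR * max(baseline_queries.get(domain, 0), 1)
        if len(ips) >= MIN_DISTINCT_IPS and avg_ttl <= MAX_AVG_TTL and surge:
            flagged.append((domain, len(ips), round(avg_ttl)))
    return flagged


# Constructed DNS answers for one window: a "strange domain" rotating through
# eight hosts with 60 s TTLs, a CDN with short TTLs but a high query baseline,
# and an ordinary site with a long TTL.
ANSWERS = (
    [("x7k2q.example", f"203.0.113.{i}", 60) for i in range(1, 9)]
    + [("x7k2q.example", "203.0.113.1", 60)] * 4
    + [("cdn.example", f"198.51.100.{i}", 20) for i in range(1, 7)]
    + [("www.example", "192.0.2.10", 3600)] * 3
)
BASELINE = {"cdn.example": 50, "www.example": 3}

if __name__ == "__main__":
    for domain, n_ips, ttl in find_fast_flux(ANSWERS, BASELINE):
        print(f"ALERT possible fast flux: {domain} ({n_ips} IPs, avg TTL {ttl}s)")
```

The baseline term is what keeps legitimate short-TTL services such as CDNs out of the alert; without it the rule would fire on them daily.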
Page 7
Limitations of Signature-based Commercial-Off-The-Shelf (COTS) Products
Page 8
• Malware detection by antivirus < 51%
• Phishing detection by browsers < 50%
Necessary, but not enough…
Limitations of Network Behavioral Analysis (NBA) COTS Solutions
Page 9
Used to detect behavior that might be missed by IPS, firewalls and security information and event management (SIEM) systems.
Examples of anomaly detection:
• Statistical payload analysis to detect “abnormal” packets
• Deviation from usual number of connections by port (22, 80, 443, etc.)
• Deviation from average number and frequency of emails sent
• Surges in infrastructure usage
Limitations of NBA solutions:
• Require a steep learning curve and considerable skills for effective use
• Are typically statistical and aggregated, and therefore not precise
• Have known specifications, which makes them vulnerable: advanced malware can stay under the radar of NBA COTS products by learning and mimicking the “normal” behavior of a network
Necessary, but not enough…
Page 10
Page 11
Fact: Some Cyber Threats Get Through a COTS Barrier
[Diagram: Cyber Threats -> First Line of Defense: COTS Barrier (Anti-virus, Network Behavior Analysis, IDS/IPS, Data Leak Protection, etc.; specialized Commercial Off-The-Shelf (COTS) products filter out known threats) -> Sensitive assets]

Characteristics of the First Line of Defense: “COTS Barrier”
• Signature-based COTS products (anti-virus, IDS/IPS) can only detect standard attacks and known threats (not 0-day attacks)
• Specifications and capabilities of COTS products may be known to adversaries
• Network Behavior Analysis COTS solutions can be circumvented by advanced malware
• In the case of best-in-class cyber defense, the COTS Barrier is used to filter out known threats and ease the work for a Second Line of Cyber Defense, which is custom-built by cyber security teams (see next slides)
Page 12
A Recent Real-Life Example: COTS Products Not Able to Prevent Zero-Day Attacks
Page 13
Page 14
Example
[Diagram: the attack passes through the COTS Barrier (Anti-virus, Network Behavior Analysis, IDS/IPS, Data Leak Protection, etc.) and reaches the sensitive assets]
Attack principles:
- Backdoor components are installed on the PC by a Trojan exploiting a vulnerability in Internet Explorer
- Malware is initialized on the PC
- Connection is made on port 443 using a custom encrypted protocol (instead of the standard HTTPS protocol, encrypted with SSL)
- Backdoor client initiates connection to a command & control server
- Disguised as a common connection to a secure website (port 443), attackers are able to covertly gather sensitive info from the PC without being discovered…
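An added check for the disguise in the attack principles above (example code written for this page, not from the deck or from Qosmos): a connection to TCP port 443 whose first client bytes do not form an SSL/TLS ClientHello is not HTTPS, whatever port it uses, and is exactly what a second line of defense with payload visibility can flag. The flow records and payload bytes are constructed.

```python
def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the first client bytes on a connection form an SSL/TLS ClientHello."""
    if len(payload) < 6:
        return False
    # SSLv3/TLS record: type 0x16 (handshake), version 0x03 0x00..0x03,
    # 2-byte length, then handshake message type 0x01 (ClientHello).
    if payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x03 and payload[5] == 0x01:
        return True
    # SSLv2-compatible ClientHello (older clients): 2-byte length with the high
    # bit set, message type 0x01, then the SSLv3/TLS version 0x03 0x0X.
    if payload[0] & 0x80 and payload[2] == 0x01 and payload[3] == 0x03:
        return True
    return False


def find_fake_https_flows(flows):
    """Return (src, dst) for flows to port 443 whose first client bytes are not TLS."""
    return [(f["src"], f["dst"]) for f in flows
            if f["dst_port"] == 443 and not looks_like_tls_client_hello(f["first_bytes"])]


# Constructed flow records: the first bytes each client sent after the TCP handshake.
FLOWS = [
    {"src": "10.1.1.5", "dst": "203.0.113.10", "dst_port": 443,   # genuine TLS 1.0 ClientHello
     "first_bytes": bytes.fromhex("160301 00d4 01 0000d0 0301")},
    {"src": "10.1.1.7", "dst": "198.51.100.22", "dst_port": 443,  # custom protocol on 443
     "first_bytes": bytes.fromhex("ab3f9c01e2d47f10")},
    {"src": "10.1.1.9", "dst": "203.0.113.44", "dst_port": 80,    # plain HTTP, not checked
     "first_bytes": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for src, dst in find_fake_https_flows(FLOWS):
        print(f"ALERT non-TLS traffic on port 443: {src} -> {dst}")
```

This is a cheap, precise filter for the specific disguise on the slide; a flow that passes it still deserves the behavioral checks the later slides describe.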
Page 15
Cyber Defense In Depth Requires a Second Line of Cyber Defense
[Diagram: Cyber Threats -> First Line of Defense: COTS Barrier (Anti-virus, Network Behavior Analysis, IDS/IPS, Data Leak Protection, etc.; specialized Commercial Off-The-Shelf (COTS) products filter out known threats) -> Second Line of Defense (Custom-Developed Cyber Defense Solution, Based on Human Expertise; protection and mitigation based on specific government security expertise & requirements; detailed traffic visibility provided by Network Intelligence Technology) -> Sensitive assets]

Characteristics of a Custom Built, Second Line of Cyber Defense
• Developed by government cyber security teams, based on Network Intelligence technology
  - The specs and capabilities of the solution stay confidential
  - Could itself be composed of several layers of custom cyber defense
• The Second Line of Defense only deals with the most advanced threats
  - This allows a limited team of cyber security experts to concentrate on real attacks instead of minor problems or false alarms, since standard attacks and known threats have been filtered out by the first line, the COTS Barrier
  - The Second Line of Defense can identify new types of threats before they are implemented in COTS products
  - The Second Line of Defense can be built to identify attacks on specific networks or specific countries (e.g. APT)
• The Second Line of Defense leverages human expertise
  - The custom solution is developed based on network behavior expertise that only a specific cyber security team has (not a COTS vendor)
  - The system is operated by human experts, who analyze the situation each time an alarm is generated and decide how to react (e.g. block suspicious in/out traffic)
Page 16
Page 17
Example
[Diagram: Cyber Threats -> First Line of Defense: COTS Barrier (Anti-virus, Network Behavior Analysis, IDS/IPS, Data Leak Protection, etc.; specialized Commercial Off-The-Shelf (COTS) products filter out known threats) -> Second Line of Defense (Custom-Developed Cyber Defense Solution, Based on Human Expertise; protection and mitigation based on specific government security expertise & requirements; detailed traffic visibility provided by Network Intelligence Technology) -> Sensitive assets]
Custom-Developed Second Line of Defense as a Complement to COTS Solutions

| Requirements | Commercial Off-The-Shelf (COTS) Products | Second Line of Cyber Defense based on Network Intelligence |
|---|---|---|
| Fast reaction to zero-day attacks | Signature-based solutions (AV, IDS) could take days or even weeks… | Near real-time reaction by Incident Response Teams (e.g. can block suspicious traffic within minutes) |
| Precise understanding of abnormal behavior | Statistical anomaly detection solutions (NBA) typically only provide an overall view | Ability to understand the detailed nature of each anomaly and assess if it represents a security threat |
| Exact knowledge of security performance | No detailed knowledge of supplier technology | Total control over technical specification and implementation |
| Robustness of solution | Malware could use exploits and vulnerabilities to circumvent COTS products | Difficult for malware to deactivate custom-built security solutions |
| Ease of deployment | Configuration of servers, logs, etc. can be costly, time consuming and intrusive | Transparent and easy implementation of network-based technology, even across several networks which are managed by a single organization |
Page 18
Example 1: Detecting Abnormal Email Traffic by Checking Changes in SMTP Relays
Page 19
[Diagram: John Doe’s mail normally reaches Jane Smith on the Government Network via SMTP Server 1 and the Government SMTP Server; a hacker on the Internet sends mail with spoofed From/To headers through a Compromised SMTP Relay. A tap feeds IP traffic to a security sensor, which extracts email metadata, applies custom policies and rules, and raises a Security Alert]
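One way to implement the rule sketched in Example 1, as added example code written for this page (not the deck’s or Qosmos’s own code): learn which SMTP relays normally deliver mail for each sender domain from sensor-extracted email metadata, then alert when a message arrives through a relay outside that baseline; mail claiming an internal sender is held to the stricter rule that it must come from the government SMTP server itself. The domain, server address and metadata records are constructed assumptions.

```python
from collections import defaultdict

# Assumed (constructed) values: the internal mail domain and its legitimate server.
GOV_DOMAIN = "gov.example"
GOV_SMTP = {"192.0.2.25"}


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def learn_relay_baseline(records):
    """Map sender domain -> relay IPs that delivered its mail during a clean learning period."""
    baseline = defaultdict(set)
    for r in records:
        baseline[sender_domain(r["from"])].add(r["relay_ip"])
    return baseline


def detect_relay_changes(records, baseline):
    """Alert on mail whose delivering relay is outside the sender domain's baseline.
    Mail claiming an internal sender must come from the government SMTP server."""
    alerts = []
    for r in records:
        domain = sender_domain(r["from"])
        if domain == GOV_DOMAIN:
            allowed, reason = GOV_SMTP, "internal sender via external relay (spoofing?)"
        else:
            allowed, reason = baseline.get(domain, set()), "relay change for sender domain"
        if r["relay_ip"] not in allowed:
            alerts.append({"from": r["from"], "to": r["to"],
                           "relay_ip": r["relay_ip"], "reason": reason})
    return alerts


# Constructed email metadata as a sensor would extract it: From, To, delivering relay IP.
LEARNING = [
    {"from": "john.doe@gov.example", "to": "jane.smith@gov.example", "relay_ip": "192.0.2.25"},
    {"from": "vendor@partner.example", "to": "jane.smith@gov.example", "relay_ip": "198.51.100.7"},
]
LIVE = [
    {"from": "john.doe@gov.example", "to": "jane.smith@gov.example", "relay_ip": "192.0.2.25"},
    {"from": "john.doe@gov.example", "to": "jane.smith@gov.example", "relay_ip": "203.0.113.66"},
    {"from": "vendor@partner.example", "to": "jane.smith@gov.example", "relay_ip": "203.0.113.66"},
]

if __name__ == "__main__":
    for alert in detect_relay_changes(LIVE, learn_relay_baseline(LEARNING)):
        print("SECURITY ALERT", alert)
```

The baseline must be learned from a period believed clean, and a relay change for an external domain is a lead for an analyst rather than proof of compromise.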
Example 2: Detecting Infected File Transfers within Instant Messages
Page 20
[Diagram: an IM session with an infected File Transfer crosses from the Internet into the Government Network; the Anti-virus may not detect the infected FT. A tap feeds IP traffic to a security sensor, which extracts IM metadata, applies custom policies and rules, and applies the mitigation: Block IM File Transfer]
Page 21
Technical Implementation of Custom Cyber Defense Solution based on Network Intelligence Technology
[Diagram: on the Government Network, IP traffic passes the COTS products (Anti-virus, Network Behavior Analysis, IDS/IPS, Data Leak Protection, etc.) and a Cyber Security Sensor, which exports metadata or content to a Metadata/Behavior Log; custom-developed modules (ICMP/DNS/TOR Tunnel Detection, Abnormal Email Detection, Detection of IM File Transfer Malware, Other…) perform Mitigation or Alert Generation]
Current Trend: Network of Cyber Security Sensors Managed by SOC
• Several countries are implementing a centralized Security Operations Center (SOC) approach
  - Publicly known examples include USA (Einstein), Korea, Norway, The Netherlands, Germany, France, etc.
• Centralized SOC is staffed by specialized cyber security experts
  - Responsible for the cyber security of several government networks
  - In some cases, also includes cyber security of critical infrastructure (electric grids, power plants, oil refineries, transportation, water supply, telecommunications, etc.)
  - Internally, different SOC teams may manage the cyber security of different networks
• SOC experts develop the complete custom cyber security solution
  - Central solution located at SOC
  - Cyber security sensors
  - Precise positioning of cyber security sensors on the different networks
• A non-intrusive, network-based implementation is required
  - SOC teams do not manage everyday operations of each individual network, and therefore need to ensure cyber security in a transparent way
  - Cyber security sensors fit the needs, since they are transparent
Page 22
Example of Technical Implementation: Network of Cyber Security Sensors Managed by SOC
Page 23
[Diagram: sensors on Government Network 1, Government Network 2 and a Critical Infrastructure Network each perform Alert Generation and/or Mitigation and report to a Security Operations Center (SOC) run by a government agency or contractor, which provides protection and mitigation based on specific government security expertise & requirements]
Example of Network Information Extracted
Recognized applications and protocols (sample):
• Instant Messaging: AIM, msn, Skype, Yahoo, Google Talk, QQ, etc.
• Webmail: Gmail, Hotmail, Livemail, Yahoo mail, etc.
• Network: IP, TCP, FTP, Ethernet, DNS, DHCP, UDP, etc.
• Audio/Video: H.323, SIP, MGCP, RTP, RTCP, MMSE, RTSP, Shoutcast, Yahoo Video, MSN Video, SCCP, etc.
Extracted metadata (sample):
• User ID
• IP address
• Date & time of login / logoff
• Instant Messaging: Login, Sender, Receiver, File Transfer, Attached Documents
• Email: Subject of email, Recipients, Content of email, Attached documents (content + metadata), Header field, Envelope field
• Data transfer sessions (type, content, time)
Page 24
Page 25
Overview of Cyber Defense In Depth

| Requirements | Signature-based COTS | Network Behavioral Analysis COTS | Custom-built Solutions |
|---|---|---|---|
| Filtering out known threats | *** | * | - |
| Detecting zero-day attacks | - | *** | *** |
| Detecting advanced malware | - | * | *** |
| Confidential specifications | - | - | *** |

First line of COTS cyber defense: Signature-based COTS, Network Behavioral Analysis COTS. Second line of custom cyber defense: Custom-built Solutions.
Page 26
Summary
1. Commercial Off-The-Shelf (COTS) products are necessary, but not enough for cyber defense in depth
2. A second line of cyber defense solutions is needed for effective protection
   - Confidential, custom-built
   - Able to drill down into the details of each anomaly
   - Based on human expertise of each network
3. Network intelligence technology provides the detailed traffic visibility needed for this second line of custom cyber defense
Page 27
Qosmos: Detailed Traffic Visibility For Custom Cyber Defense Solutions
Qosmos Product Portfolio
Page 28
• Software Development Kit (SDK): enables engineers to implement powerful Network Intelligence features in their products
  - Protocol Plugin SDK to create new or custom application & protocol plugins
• Intelligent IP Probes: feed detailed network information to applications
Supported Environments
• x86/32bits
• x86/64bits
• RMI XLR
• Cavium Octeon
• Freescale PowerQUICC
• Tilera
Product Range
• ixM 10 Series: CPE (~ 10s Mbps)
• ixM 100 Series: Access (~ 100s Mbps)
• ixM 1 000 Series: Edge (~ Gbps)
• ixM 10 000 Series: Core (~ 10s of Gbps)
• Available as software-only format ixMOS

Qosmos, Qosmos ixEngine, Qosmos ixMachine and Qosmos Sessionizer are trademarks or registered trademarks in France and other countries. Other company and product names mentioned herein are the trademarks or registered trademarks of their respective owners. Copyright Qosmos 2010.
Non contractual information. Products and services and their specifications are subject to change without prior notice.
© Qosmos 2010. Enabling True Network Intelligence Everywhere
Thank you