Presd1 13

29
April 2010 Cyber Defense in Depth Using Network Intelligence Technology to Build a Second Line of Defense

Transcript of Presd1 13

Page 1: Presd1 13

April 2010

Cyber Defense in Depth

Using Network Intelligence Technology to Build a Second Line of Defense

Page 2: Presd1 13

The challenges of government cyber security

Cyber threats and limitations of COTS

Using Network Intelligence Technology forcyber defense in depth

Summary

Contents


Page 3: Presd1 13

The Big Picture: Defending Nations Against Advanced Persistent Threats

Are disruptions at banks, electricity grids or airport navigation systems due to technical problems or is it a cyber attack?

When is an attack just "hacker mischief" and when is it a matter of national security?

How did the blueprints for our country's top secret weapon system end up abroad?

Is the cyber attack coordinated against a particular country or is it just a random attack?

Page 4: Presd1 13

Key Government Requirements

Several layers of defense

High-spec, "military-grade" capabilities

Fast reaction to zero-day attacks

Precise understanding of abnormal network behavior

Highly confidential solutions

Cyber Defense in Depth

Page 5: Presd1 13

The challenges of government cyber security

Cyber threats and limitations of COTS

Using Network Intelligence Technology forcyber defense in depth

Summary

Contents


Page 6: Presd1 13

Examples of Cyber Threats Affecting Governments

Botnets
Zombies infected by malware, controlled through Command & Control (C&C) by bot-masters
A bot typically uses a covert channel to communicate with its C&C server
Covert channels have evolved from the historical IRC standard to an increasing use of P2P (e.g. eDonkey), social networking (e.g. Twitter, Google Groups, Facebook, Jaiku, etc.), and HTTPS (e.g. Aurora)
C&C traffic is sometimes difficult to detect due to low-level, sporadic activity, which is drowned within high-volume network traffic

Compromised email agents or relays
Used to spread malware through email address spoofing

Hacking of government officials' accounts
Facebook, Twitter (e.g. Obama)

Page 7: Presd1 13

What Kind of Malware Activity Could You Detect By Looking at Network Traffic?

C&C communication: bot setup, spread, synchronization, attacks
Scan traffic for IRC, Twitter, FaceBook, Jaiku...; scan attachments inside IM, etc.

Fast flux: surging DNS activity on a "strange domain" may be a sign that fast flux is used by botnets to hide malware delivery sites behind an ever-changing network of compromised hosts acting as proxies

Data exfiltration: a Web server which starts communicating suspiciously, or unusual payloads leaving a network enclave, could be the sign of data exfiltration, especially if the traffic is encrypted

Changes in SMTP relays
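The fast-flux indicator above (many short-lived answers for one name, served from hosts scattered across many networks) can be turned into a rule over DNS answer logs. The following is an added example written for this transcript, not Qosmos code; the log line format, the three domain names and the thresholds are constructed assumptions. It deliberately requires prefix diversity in addition to a short TTL, because a CDN name also rotates low-TTL answers but does so from one or two address blocks.

```python
"""Fast-flux heuristic over DNS answer logs (added example, not Qosmos code).

Assumed (constructed) log line format: "<epoch> <qname> <ttl> <answer_ip>",
one line per A/AAAA record returned to a client inside the monitored network.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample covering ~5 minutes of answers for three names.
SAMPLE_LOG = """\
1272672000 update.example-cdn.net 60 198.51.100.10
1272672060 update.example-cdn.net 60 198.51.100.11
1272672120 update.example-cdn.net 60 198.51.100.12
1272672180 update.example-cdn.net 60 198.51.100.13
1272672240 update.example-cdn.net 60 198.51.100.14
1272672300 update.example-cdn.net 60 198.51.100.15
1272672000 intranet.gov.example 86400 192.0.2.5
1272672300 intranet.gov.example 86400 192.0.2.5
1272672000 xk3j.strange-domain.example 120 203.0.113.7
1272672060 xk3j.strange-domain.example 120 198.51.100.200
1272672120 xk3j.strange-domain.example 120 192.0.2.77
1272672180 xk3j.strange-domain.example 120 203.0.113.140
1272672240 xk3j.strange-domain.example 120 198.51.100.33
1272672300 xk3j.strange-domain.example 120 192.0.2.150
"""


def parse_log(text):
    """Yield (epoch, qname, ttl, ip) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, qname, ttl, ip = parts
        try:
            yield int(ts), qname.lower().rstrip("."), int(ttl), ip_address(ip)
        except ValueError:
            continue


def routing_prefix(ip):
    """Coarse network prefix: /24 for IPv4, /48 for IPv6.
    Flux nodes are compromised hosts scattered across many networks, whereas a
    CDN or load-balanced site usually answers from one or two blocks."""
    plen = 24 if ip.version == 4 else 48
    return str(ip_network(f"{ip}/{plen}", strict=False))


def summarize(records):
    """Per-name aggregates: distinct answer IPs, distinct prefixes, mean TTL."""
    ips, prefixes, ttls = defaultdict(set), defaultdict(set), defaultdict(list)
    for _ts, qname, ttl, ip in records:
        ips[qname].add(ip)
        prefixes[qname].add(routing_prefix(ip))
        ttls[qname].append(ttl)
    return {
        q: {
            "distinct_ips": len(ips[q]),
            "distinct_prefixes": len(prefixes[q]),
            "mean_ttl": sum(ttls[q]) / len(ttls[q]),
        }
        for q in ips
    }


def fast_flux_candidates(records, min_ips=5, max_ttl=300, min_prefixes=3):
    """Flag names whose answers churn across many IPs in many networks with short TTLs.
    Thresholds are assumptions to be tuned per network; the prefix-diversity test is
    what keeps ordinary low-TTL CDN names out of the alert list."""
    result = summarize(records)
    for q, s in result.items():
        s["fast_flux"] = (
            s["distinct_ips"] >= min_ips
            and s["mean_ttl"] <= max_ttl
            and s["distinct_prefixes"] >= min_prefixes
        )
    return result


if __name__ == "__main__":
    for name, s in sorted(fast_flux_candidates(parse_log(SAMPLE_LOG)).items()):
        flag = "FAST-FLUX?" if s["fast_flux"] else "ok"
        print(f"{name:32} ips={s['distinct_ips']:2} prefixes={s['distinct_prefixes']} "
              f"ttl={s['mean_ttl']:.0f} {flag}")
```

Feed it one time slice of the resolver log at a time; over a full day the distinct-IP count of any popular name grows and the rule loses meaning. An alert is a reason for an analyst to look at the name, not a verdict, which is exactly the "human expert decides" model the deck argues for.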

Page 8: Presd1 13

Limitations of Signature-based Commercial-Off-The-Shelf (COTS) Products

Malware detection by antivirus < 51%

Phishing detection by browsers < 50%

Necessary, but not enough…

Page 9: Presd1 13

Limitations of Network Behavioral Analysis (NBA) COTS Solutions

Used to detect behavior that might be missed by IPS, firewalls and security information and event management (SIEM) systems

Examples of anomaly detection:
Statistical payload analysis to detect "abnormal" packets
Deviation from the usual number of connections by port (22, 80, 443, etc.)
Deviation from the average number and frequency of emails sent
Surges in infrastructure usage

Limitations of NBA solutions:
Require a steep learning curve and considerable skills for effective use
Are typically statistical and aggregated, and therefore not precise
Have known specifications, which makes them vulnerable: advanced malware can stay under the radar of NBA COTS products by learning and mimicking the "normal" behavior of a network

Necessary, but not enough…
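The "deviation from the usual number of connections by port" check, and the evasion the slide warns about, can both be made concrete with a per-port baseline. The code below is an added example for this transcript, not from the deck or from any NBA vendor; the normal traffic profile, the training week and the two observed hours are constructed. The last function computes how many extra connections per hour fit under the alert threshold, which is the room a beaconing implant lives in when it mimics the network's normal HTTPS volume.

```python
"""Port-count anomaly baseline of the kind an NBA product computes, with the
blind spot the deck describes (added example, not from the deck or any vendor).
Counts are constructed hourly totals of new outbound connections per destination port."""
import random
import statistics

TRAINING_HOURS = 24 * 7
PORTS = {443: (300, 20), 80: (150, 15), 22: (5, 2)}  # assumed (mean, stdev) of normal traffic


def constructed_training_counts(seed=2010):
    """One week of hourly per-port counts, drawn from the assumed normal profile."""
    rng = random.Random(seed)
    return {
        port: [max(0, round(rng.gauss(mu, sd))) for _ in range(TRAINING_HOURS)]
        for port, (mu, sd) in PORTS.items()
    }


def build_baseline(history):
    """Per-port (mean, population stdev) learned from the training window."""
    return {p: (statistics.mean(c), statistics.pstdev(c)) for p, c in history.items()}


def evaluate_hour(observed, baseline, threshold=3.0):
    """Return {port: (verdict, z)} for one hour of counts against the baseline."""
    verdicts = {}
    for port, count in observed.items():
        if port not in baseline:
            verdicts[port] = ("unknown-port", None)
            continue
        mean, sd = baseline[port]
        z = (count - mean) / sd if sd else (0.0 if count == mean else float("inf"))
        verdicts[port] = ("anomalous" if abs(z) > threshold else "normal", round(z, 2))
    return verdicts


def undetected_headroom(baseline, port, threshold=3.0):
    """Extra connections per hour an attacker can add on `port` without
    exceeding the threshold, assuming normal traffic sits at its mean.
    This is the number the 'mimic normal behavior' evasion lives inside."""
    _mean, sd = baseline[port]
    return int(threshold * sd)


if __name__ == "__main__":
    baseline = build_baseline(constructed_training_counts())
    scan_hour = {443: 305, 80: 148, 22: 400}    # constructed: SSH sweep from an infected host
    beacon_hour = {443: 302, 80: 151, 22: 6}    # constructed: C&C beacons hidden in HTTPS volume
    print("scan  :", evaluate_hour(scan_hour, baseline))
    print("beacon:", evaluate_hour(beacon_hour, baseline))
    print("hidden beacons/hour on 443 before alerting:", undetected_headroom(baseline, 443))
```

The SSH sweep is caught because port 22 is normally quiet; a few beacons per hour on port 443 are invisible to the same rule, and the headroom shows that dozens per hour would still be. Finding those requires looking at what each flow on 443 actually is, which is the per-flow visibility the rest of the deck describes.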

Page 10: Presd1 13

The challenges of government cyber security

Cyber threats and limitations of COTS

Using Network Intelligence Technology forcyber defense in depth

Summary

Contents


Page 11: Presd1 13

Fact: Some Cyber Threats Get Through a COTS Barrier

Diagram: Cyber Threats -> First Line of Defense: COTS Barrier -> Sensitive assets. Specialized Commercial Off-The-Shelf (COTS) products (anti-virus, Network Behavior Analysis, IDS/IPS, Data Leak Protection, etc.) filter out known threats; what they miss reaches the sensitive assets.

Page 12: Presd1 13

Characteristics of the First Line of Defense: "COTS Barrier"

Signature-based COTS products (anti-virus, IDS/IPS) can only detect standard attacks and known threats (not 0-day attacks)
Specifications and capabilities of COTS products may be known to adversaries
Network Behavior Analysis COTS solutions can be circumvented by advanced malware
In the case of best-in-class cyber defense, the COTS Barrier is used to filter out known threats and ease the work for a Second Line of Cyber Defense, which is custom-built by cyber security teams (see next slides)

Page 13: Presd1 13

A Recent Real-Life Example: COTS Products Not Able to Prevent Zero-Day Attacks

Page 14: Presd1 13

Example

Diagram: the attack passes the COTS Barrier (anti-virus, Network Behavior Analysis, IDS/IPS, Data Leak Protection, etc.) and reaches the sensitive assets.

Attack principles:
- Backdoor components are installed on the PC by a Trojan exploiting a vulnerability in Internet Explorer
- Malware is initialized on the PC
- Connection is made on port 443 using a custom encrypted protocol (instead of the standard HTTPS protocol, encrypted with SSL)
- Backdoor client initiates connection to a command & control server
- Disguised as a common connection to a secure website (port 443), attackers are able to covertly gather sensitive info from the PC without being discovered…
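The weak point in the attack above is that "port 443" and "HTTPS" are not the same thing: a custom encrypted protocol on 443 does not start with a TLS handshake, and a sensor that sees the first bytes of each flow can tell. The check below is an added example for this transcript, not Qosmos code or a description of the actual backdoor's protocol; the TLS framing rules are from the TLS record layer, while the custom C&C payloads, addresses and flow list are constructed.

```python
"""Check that a flow on TCP/443 actually starts with a TLS handshake.
Added example, not Qosmos code; the packet payloads are constructed inline."""


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """True if the client's first bytes form a TLS record carrying a ClientHello.
    Record layer: type 0x16 (handshake), version 0x03 0x00..0x03, 2-byte length;
    first handshake byte 0x01 = ClientHello.  Also accepts the legacy
    SSLv2-compatible hello framing (2-byte length with high bit set, msg type
    0x01, version 0x03 0x..) so old clients are not flagged."""
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x03):
        record_len = int.from_bytes(first_bytes[3:5], "big")
        return first_bytes[5] == 0x01 and record_len >= 4
    if (len(first_bytes) >= 5 and first_bytes[0] & 0x80
            and first_bytes[2] == 0x01 and first_bytes[3] == 0x03):
        return True
    return False


def looks_like_tls_server_hello(first_bytes: bytes) -> bool:
    """Server side: handshake record whose first message is ServerHello (0x02)."""
    return (len(first_bytes) >= 6 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03
            and first_bytes[2] <= 0x03 and first_bytes[5] == 0x02)


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ", b"OPTIONS ")


def classify_port443_flow(client_first: bytes, server_first: bytes) -> str:
    """'tls' when both sides speak TLS, 'plaintext-http' for unencrypted HTTP on 443,
    'tls-client-only' when the reply is not a ServerHello, otherwise 'non-tls',
    which is the bucket the deck's backdoor example falls into."""
    if looks_like_tls_client_hello(client_first):
        return "tls" if looks_like_tls_server_hello(server_first) else "tls-client-only"
    if client_first.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "non-tls"


def minimal_client_hello() -> bytes:
    """A syntactically valid TLS 1.0 ClientHello (one cipher suite, no extensions)."""
    body = (b"\x03\x01" + bytes(32)        # client_version, random (zeroed here)
            + b"\x00"                        # session_id length 0
            + b"\x00\x02\x00\x2f"            # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00")                   # compression_methods: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def minimal_server_hello() -> bytes:
    """Matching TLS 1.0 ServerHello: version, random, empty session id, suite, null compression."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed first payloads of a custom encrypted C&C protocol on port 443:
# no TLS record header, just an opaque length-framed blob in both directions.
CUSTOM_C2_CLIENT = bytes.fromhex("a1b2c3d4 00000010") + bytes(16)
CUSTOM_C2_SERVER = bytes.fromhex("d4c3b2a1 00000008") + bytes(8)


def audit_flows(flows):
    """flows: iterable of (src, dst, client_first, server_first) on dst port 443.
    Returns (src, dst, kind) alerts for anything that is not a TLS session."""
    alerts = []
    for src, dst, client_first, server_first in flows:
        kind = classify_port443_flow(client_first, server_first)
        if kind != "tls":
            alerts.append((src, dst, kind))
    return alerts


if __name__ == "__main__":
    flows = [
        ("10.0.5.21", "198.51.100.8", minimal_client_hello(), minimal_server_hello()),
        ("10.0.5.37", "203.0.113.66", CUSTOM_C2_CLIENT, CUSTOM_C2_SERVER),
        ("10.0.5.40", "192.0.2.9", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),
    ]
    for alert in audit_flows(flows):
        print("ALERT non-TLS on 443:", alert)
```

This only inspects the first bytes of each direction, so a backdoor that wraps its channel in a real TLS session, or just prepends a fake ClientHello, passes it. That is the deck's point about confidential specifications: once a check like this is known, it is cheap to evade, so it belongs in a custom layer whose rules the adversary cannot read, backed by an analyst who looks at what was flagged.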

Page 15: Presd1 13

Cyber Defense In Depth Requires a Second Line of Cyber Defense

Diagram: Cyber Threats -> First Line of Defense: COTS Barrier -> Second Line of Defense -> Sensitive assets.
First Line of Defense: specialized Commercial Off-The-Shelf (COTS) products (anti-virus, Network Behavior Analysis, IDS/IPS, Data Leak Protection, etc.) filter out known threats.
Second Line of Defense: custom-developed cyber defense solution, based on human expertise; protection and mitigation based on specific government security expertise & requirements; Network Intelligence Technology provides detailed traffic visibility.

Page 16: Presd1 13

Characteristics of a Custom Built, Second Line of Cyber Defense

Developed by government cyber security teams, based on Network Intelligence technology
The specs and capabilities of the solution stay confidential
Could itself be composed of several layers of custom cyber defense

The Second Line of Defense only deals with the most advanced threats
This allows a limited team of cyber security experts to concentrate on real attacks instead of minor problems or false alarms, since standard attacks and known threats have been filtered out by the first line, the COTS Barrier
The Second Line of Defense can identify new types of threats before they are implemented in COTS products
The Second Line of Defense can be built to identify attacks on specific networks or specific countries (e.g. APT)

The Second Line of Defense leverages human expertise
The custom solution is developed based on network behavior expertise that only a specific cyber security team has (not COTS vendors)
The system is operated by human experts, who analyze the situation each time an alarm is generated and decide how to react (e.g. block suspicious in/out traffic)

Page 17: Presd1 13

Example

Diagram: the same two-line architecture as on page 15. Cyber Threats -> First Line of Defense: COTS Barrier (specialized Commercial Off-The-Shelf products such as anti-virus, Network Behavior Analysis, IDS/IPS, Data Leak Protection, etc. filter out known threats) -> Second Line of Defense (custom-developed cyber defense solution based on human expertise, with protection and mitigation based on specific government security expertise & requirements; Network Intelligence Technology provides detailed traffic visibility) -> Sensitive assets.

Page 18: Presd1 13

Custom-Developed Second Line of Defense as a Complement to COTS Solutions

Requirement: Fast reaction to zero-day attacks
Commercial Off-The-Shelf (COTS) Products: Signature-based solutions (AV, IDS) could take days or even weeks…
Second Line of Cyber Defense based on Network Intelligence: Near real-time reaction by Incident Response Teams (e.g. can block suspicious traffic within minutes)

Requirement: Precise understanding of abnormal behavior
COTS Products: Statistical anomaly detection solutions (NBA) typically only provide an overall view
Second Line of Cyber Defense: Ability to understand the detailed nature of each anomaly and assess if it represents a security threat

Requirement: Exact knowledge of security performance
COTS Products: No detailed knowledge of supplier technology
Second Line of Cyber Defense: Total control over technical specification and implementation

Requirement: Robustness of solution
COTS Products: Malware could use exploits and vulnerabilities to circumvent COTS products
Second Line of Cyber Defense: Difficult for malware to deactivate custom-built security solutions

Requirement: Ease of deployment
COTS Products: Configuration of servers, logs, etc. can be costly, time consuming and intrusive
Second Line of Cyber Defense: Transparent and easy implementation of network-based technology, even across several networks which are managed by a single organization

Page 19: Presd1 13

Example 1: Detecting Abnormal Email Traffic by Checking Changes in SMTP Relays

Diagram: a Hacker sends email to Jane Smith through a Compromised SMTP Relay on the Internet, whereas John Doe's mail normally reaches the Government SMTP Server via SMTP Server 1. On the Government Network, a Tap on the IP traffic feeds a Security sensor, which extracts email metadata and applies custom policies and rules; the change of relay raises a Security Alert.

Email headers as shown on the slide (header names and addresses were lost to redaction in this transcript):
From: [email protected]: [email protected]: [email protected]: [email protected]
From: [email protected] [email protected]: [email protected]: [email protected] [email protected]: [email protected]

Actors: John Doe, Hacker, Jane Smith
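The relay check in Example 1 comes down to one question per message: did the mail claiming an internal sender arrive at our server from a relay we expect for that sender domain? The code below is an added example for this transcript, not Qosmos code or the sensor's actual rule; the host names, the relay policy and both messages are constructed (the deck's own addresses are redacted). The important detail is which Received header to trust: only the one our own server wrote, since every line below it came from the sending side and can be forged.

```python
"""Detect a change of SMTP relay for mail claiming an internal sender domain.
Added example, not Qosmos code.  Host names, the relay policy and both messages
are constructed; only the Received header written by our own server is trusted."""
import email
import email.utils
import re
from email import policy

OUR_MX = "mail.gov.example"          # assumed: the Government SMTP Server behind the tap
KNOWN_RELAYS = {                     # assumed policy: sender domain -> relays allowed to hand us its mail
    "gov.example": {"mx1.gov.example", "mx2.gov.example"},
}

RECEIVED_RE = re.compile(r"\bfrom\s+(?P<from>[^\s(]+).*?\bby\s+(?P<by>[^\s(;]+)", re.I | re.S)


def received_hops(msg):
    """(from_host, by_host) per Received header, newest (written by us) first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(hdr))
        if m:
            hops.append((m.group("from").lower(), m.group("by").lower()))
    return hops


def sender_domain(msg):
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()


def check_relay(raw: bytes, our_mx=OUR_MX, known=KNOWN_RELAYS):
    """Return an alert dict, or None, for one message captured at the tap.
    The hop recorded by our own server is the only authoritative one; every
    Received line below it was written by someone else and can be forged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    domain = sender_domain(msg)
    if domain not in known:
        return None                   # external sender: not covered by this rule
    for from_host, by_host in received_hops(msg):
        if by_host == our_mx:
            if from_host in known[domain]:
                return None
            return {"sender_domain": domain, "unexpected_relay": from_host,
                    "subject": str(msg.get("Subject", ""))}
    # Our server never logged a hop: the message did not arrive the way this tap expects.
    return {"sender_domain": domain, "unexpected_relay": None,
            "subject": str(msg.get("Subject", ""))}


# Constructed messages: a normal internal mail, and a spoofed one routed through
# a compromised relay on the Internet (the deck's Example 1 scenario).
NORMAL_MAIL = b"""\
Received: from mx1.gov.example (mx1.gov.example [192.0.2.10]) by mail.gov.example with ESMTP id 1; Mon, 26 Apr 2010 09:00:00 +0200
Received: from workstation-jd.gov.example ([192.0.2.55]) by mx1.gov.example with ESMTP id 2; Mon, 26 Apr 2010 08:59:58 +0200
From: John Doe <john.doe@gov.example>
To: Jane Smith <jane.smith@gov.example>
Subject: Budget review

See attached.
"""

SPOOFED_MAIL = b"""\
Received: from relay.compromised.example (relay.compromised.example [203.0.113.42]) by mail.gov.example with ESMTP id 3; Mon, 26 Apr 2010 09:05:00 +0200
Received: from mx1.gov.example (mx1.gov.example [192.0.2.10]) by relay.compromised.example with ESMTP id 4; Mon, 26 Apr 2010 09:04:00 +0200
From: John Doe <john.doe@gov.example>
To: Jane Smith <jane.smith@gov.example>
Subject: Urgent: open the attached document

Please open the attachment.
"""

if __name__ == "__main__":
    for label, raw in (("normal", NORMAL_MAIL), ("spoofed", SPOOFED_MAIL)):
        print(label, "->", check_relay(raw) or "ok")
```

The spoofed message even carries a forged lower hop claiming it came from mx1.gov.example; the rule ignores it because that line was not written by our server. In the sensor setting the deck describes, the message bytes come from the tap rather than a mailbox, but the header logic is the same.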

Page 20: Presd1 13

Example 2: Detecting Infected File Transfers within Instant Messages

Diagram: an IM session with an infected File Transfer enters the Government Network from the Internet. The anti-virus may not detect the infected FT. A Tap on the IP traffic feeds a Security sensor, which extracts IM metadata and applies custom policies and rules. Mitigation: block the IM File Transfer.

Page 21: Presd1 13

Technical Implementation of Custom Cyber Defense Solution based on Network Intelligence Technology

Diagram: IP traffic on the Government Network (already filtered by the COTS products: anti-virus, Network Behavior Analysis, IDS/IPS, Data Leak Protection, etc.) is fed to a Cyber Security Sensor, which extracts metadata or content into a Metadata/Behavior Log. Custom-developed detection modules run on that log: ICMP/DNS/TOR Tunnel Detection, Abnormal Email Detection, Detection of IM File Transfer Malware, Other… Output: Mitigation or Alert Generation.

Page 22: Presd1 13

Current Trend: Network of Cyber Security Sensors Managed by SOC

Several countries are implementing a centralized Security Operations Center (SOC) approach
Publicly known examples include USA (Einstein), Korea, Norway, The Netherlands, Germany, France, etc.

Centralized SOC is staffed by specialized cyber security experts
Responsible for the cyber security of several government networks
In some cases, also includes cyber security of critical infrastructure (electric grids, power plants, oil refineries, transportation, water supply, telecommunications, etc.)
Internally, different SOC teams may manage the cyber security of different networks

SOC experts develop the complete custom cyber security solution
Central solution located at the SOC
Cyber security sensors
Precise positioning of cyber security sensors on the different networks

A non-intrusive, network-based implementation is required
SOC teams do not manage everyday operations of each individual network, and therefore need to ensure cyber security in a transparent way
Cyber security sensors fit the needs, since they are transparent

Page 23: Presd1 13

Example of Technical Implementation: Network of Cyber Security Sensors Managed by SOC

Diagram: Government Network 1, Government Network 2 and a Critical Infrastructure Network each host a sensor performing Alert Generation and/or Mitigation. All sensors report to a central Security Operations Center (SOC), run by a government agency or contractor, which provides protection and mitigation based on specific government security expertise & requirements.

Page 24: Presd1 13

Example of Network Information Extracted

Recognized applications and protocols (sample)
Instant Messaging: AIM, msn, Skype, Yahoo, Google Talk, QQ, etc.
Webmail: Gmail, Hotmail, Livemail, Yahoo mail, etc.
Network: IP, TCP, FTP, Ethernet, DNS, DHCP, UDP, etc.
Audio/Video: H.323, SIP, MGCP, RTP, RTCP, MMSE, RTSP, Shoutcast, Yahoo Video, MSN Video, SCCP, etc.

Extracted metadata (sample)
User ID
IP address
Date & time of login / logoff
Instant Messaging: Login, Sender, Receiver, File Transfer, Attached Documents
Email: Subject of email, Recipients, Content of email, Attached documents (content + metadata), Header field, Envelope field
Data transfer sessions (type, content, time)

Page 25: Presd1 13

The challenges of government cyber security

Cyber threats and limitations of COTS

Using Network Intelligence Technology forcyber defense in depth

Summary

Contents


Page 26: Presd1 13

Overview of Cyber Defense In Depth

Requirements | Signature-based COTS | Network Behavioral Analysis COTS | Custom-built Solutions
Filtering out known threats | *** | * | -
Detecting zero-day attacks | - | *** | ***
Detecting advanced malware | - | * | ***
Confidential specifications | - | - | ***

Signature-based COTS and Network Behavioral Analysis COTS make up the first line of COTS cyber defense; Custom-built Solutions make up the second line of custom cyber defense. (*** = strongest, - = none)

Page 27: Presd1 13

Summary

1. Commercial Off-The-Shelf (COTS) products are necessary, but not enough for cyber defense in depth

2. A second line of cyber defense is needed for effective protection:
Confidential, custom-built
Able to drill down into the details of each anomaly
Based on human expertise of each network

3. Network intelligence technology provides the detailed traffic visibility needed for this second line of custom cyber defense

Qosmos: Detailed Traffic Visibility For Custom Cyber Defense Solutions

Page 28: Presd1 13

Qosmos Product Portfolio

Software Development Kit (SDK)
Enables engineers to implement powerful Network Intelligence features in their products
Protocol Plugin SDK to create new or custom application & protocol plugins

Intelligent IP Probes
Feed detailed network information to applications

Supported Environments
• x86/32bits
• x86/64bits
• RMI XLR
• Cavium Octeon
• Freescale PowerQUICC
• Tilera

Product Range
• ixM 10 Series: CPE (~ 10s Mbps)
• ixM 100 Series: Access (~ 100s Mbps)
• ixM 1 000 Series: Edge (~ Gbps)
• ixM 10 000 Series: Core (~ 10s of Gbps)
• Available as software-only format ixMOS

Page 29: Presd1 13

Qosmos, Qosmos ixEngine, Qosmos ixMachine and Qosmos Sessionizer are trademarks or registered trademarks in France and other countries. Other company and product names mentioned herein are the trademarks or registered trademarks of their respective owners. Copyright Qosmos 2010

Non contractual information. Products and services and their specifications are subject to change without prior notice

© Qosmos 2010Enabling True Network Intelligence Everywhere

Thank you