RSA: Security Analytics Architecture for APT


Transcript of RSA: Security Analytics Architecture for APT

Page 1: RSA: Security Analytics Architecture for APT

1 © Copyright 2011 EMC Corporation. All rights reserved.

Security Analytics Architecture for APT

Dale Long, Sr. Technology Consultant, RSA Security

Page 2: RSA: Security Analytics Architecture for APT


Agenda

• APT: Defined
• Methodology
• APTs are Nasty Because
• Evolution
• Response
• The Challenge of Cleanup
• Needed Capabilities
• Lessons Learned
• Introduction to Security Analytics

Page 3: RSA: Security Analytics Architecture for APT


You Down With APT?

Page 4: RSA: Security Analytics Architecture for APT


Advanced Persistent Threats

• Operators behind the threat have:
– A full spectrum of intelligence gathering techniques at their disposal.
– These may include computer intrusion technologies and techniques, but also extend to conventional intelligence gathering techniques such as telephone interception technologies and satellite imaging.
– They often combine multiple targeting methods, tools and techniques in order to reach and compromise their target and maintain access to it.
– They can use malware components generated from commonly available do-it-yourself malware construction kits, or easily procured exploit materials.
– They can typically access and develop more advanced tools as required.

Page 5: RSA: Security Analytics Architecture for APT


Advanced Persistent Threats

• Operators give priority to a specific task, rather than opportunistically seeking information for financial or other gain.
• Implies that attackers are guided by external entities.
• Targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates.
• In fact, a “low-and-slow” approach is usually more successful. If the operator loses access to their target they usually will reattempt access, and most often, successfully.

Page 6: RSA: Security Analytics Architecture for APT


Advanced Persistent Threats

• APTs are a threat because they have both capability and intent.

• A level of coordinated human involvement in the attack, rather than a mindless and automated piece of code.

• The operators have a specific objective and are skilled, motivated, organized and well funded.

Page 7: RSA: Security Analytics Architecture for APT


APTs Key Features

1. Highly-targeted
• Tailored to an individual organization
2. Well-researched
• Reconnaissance on people and processes
3. Well-funded
• Financial backing for intensive, long-term attacks
4. Designed to evade detection
• “Low and slow”
5. Multiple vectors
• Social engineering, application-layer exploits, zero-day malware, data exfiltration techniques, etc.

Page 8: RSA: Security Analytics Architecture for APT


APT: Methodology

Step One: C2 Communication – The malware contacts C2 servers for instructions, such as downloading and executing new malware or opening a reverse backdoor — allowing the attacker full access to the compromised system, bypassing firewall restrictions.

Step Two: Attack – The attacker (through the reverse backdoor) compromises multiple sources of interest, such as database servers, email servers, and file share servers.

Step Three: Data Staging – The attacker sends data to a staging server. Once the data is set, the attacker then compresses the data (using the rar.exe utility) and password protects it.

Step Four: Data Exfiltration – The attacker uses malware to send the data through an encrypted tunnel to a malicious external IP address.

• The use of “staging servers” to aggregate the data they intend to steal.
• Encryption and compression of the data they steal.
• Deleting the compressed files they exfiltrated from the “staging server”.
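The staging-then-exfiltration sequence above (an archive is written on a staging host, a large encrypted transfer leaves for an external address, the archive is deleted afterwards) can be expressed directly as a detection over host and network events. The script below is an added example and is not RSA or NetWitness code: the event format, the 50 MB transfer threshold, the 12-hour window and the sample events are all constructed for illustration and would be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ARCHIVE_EXT = (".rar", ".zip", ".7z")          # archive types worth tracking
ENCRYPTED = {"tls", "ssl", "ssh"}             # "encrypted tunnel" protocols
MIN_EXFIL_BYTES = 50 * 1024 * 1024            # assumed threshold; tune per environment
WINDOW = timedelta(hours=12)                  # assumed: write -> transfer -> delete span
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events: "timestamp | host | kind | detail"
SAMPLE_EVENTS = r"""
2011-06-01 01:55:00 | stage01 | file_write | C:\staging\hr.xls
2011-06-01 02:10:00 | stage01 | file_write | C:\staging\q2.rar
2011-06-01 02:40:00 | stage01 | net_out | dst=198.51.100.7 proto=tls bytes=83886080
2011-06-01 03:05:00 | stage01 | file_delete | C:\staging\q2.rar
2011-06-01 09:00:00 | fs02 | file_write | D:\backup\nightly.zip
2011-06-01 09:10:00 | fs02 | net_out | dst=10.1.2.3 proto=smb bytes=734003200
""".strip().splitlines()


def is_external(ip: str) -> bool:
    """True when the address is outside the RFC 1918 ranges used as 'internal' here."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def parse(line: str) -> dict:
    ts, host, kind, detail = (part.strip() for part in line.split("|"))
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host, "kind": kind, "detail": detail}


def detect_staging(lines) -> list:
    """Return (host, archive path, stages) for every archive that was exfiltrated.

    stages grows from ["staged"] to ["staged", "exfiltrated"] and, if the
    archive is removed afterwards, to ["staged", "exfiltrated", "cleaned"].
    """
    by_host = defaultdict(list)
    for ev in map(parse, lines):
        by_host[ev["host"]].append(ev)

    findings = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        archives = {}                          # archive path -> {"written", "stages"}
        for ev in events:
            detail = ev["detail"]
            if ev["kind"] == "file_write" and detail.lower().endswith(ARCHIVE_EXT):
                archives[detail] = {"written": ev["ts"], "stages": ["staged"]}
            elif ev["kind"] == "net_out":
                kv = dict(item.split("=", 1) for item in detail.split())
                suspicious = (kv.get("proto") in ENCRYPTED
                              and int(kv.get("bytes", 0)) >= MIN_EXFIL_BYTES
                              and is_external(kv["dst"]))
                if not suspicious:
                    continue
                # A large encrypted external transfer shortly after an archive was
                # written on the same host is treated as exfiltration of that archive.
                for a in archives.values():
                    if "exfiltrated" not in a["stages"] and ev["ts"] - a["written"] <= WINDOW:
                        a["stages"].append("exfiltrated")
            elif ev["kind"] == "file_delete" and detail in archives:
                a = archives[detail]
                if "exfiltrated" in a["stages"] and ev["ts"] - a["written"] <= WINDOW:
                    a["stages"].append("cleaned")
        for path, a in archives.items():
            if "exfiltrated" in a["stages"]:
                findings.append((host, path, a["stages"]))
    return findings


if __name__ == "__main__":
    for host, path, stages in detect_staging(SAMPLE_EVENTS):
        print(f"{host}: {path} -> {' -> '.join(stages)}")
```

In the constructed sample only stage01 completes the chain; fs02 writes a backup archive and moves it over SMB to an internal host, so it is never reported. The deletion step is deliberately scored as a separate stage because the slide calls it out as part of the tradecraft, and an archive that was exfiltrated and then removed is a stronger finding than one that merely left the network.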

Page 9: RSA: Security Analytics Architecture for APT


APTs are Nasty Because

• Little opportunity for correlation
– Focused, so no community-sourced warning based on correlation across victims
– Zero-day heavy, so behavioral pattern or footprint signature correlation is ineffective
– Complex and resilient CnC -> hard to correlate on attack source
– CnC operators change as botnets are transferred by section or by victim
– Low and slow, so no temporal correlation. Signal-to-noise ratio is low. Touch-to-compromise ratio 1.4.

• APT malware avoids anomaly detection through:
– Outbound HTTP connections
– Process injection
– Service persistence

• APT malware analysis:
– Average file size: 121.85 KB
– Only 10% of APT backdoors were packed
– Packing is not as common in standard APT malware
– Packing is common in advanced APT malware and used by more advanced APT groups

• Most common APT filenames:
– svchost.exe (most common)
– iexplore.exe
– iprinp.dll
– winzf32.dll
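Because APT malware borrows legitimate Windows filenames (svchost.exe and iexplore.exe above), a practical host-side check is whether a process carrying one of those names runs from its expected directory and under its expected parent. The Python below is an added example, not RSA code: the expected directories, the services.exe parent rule and the sample process records are assumptions constructed for this illustration, and iprinp.dll and winzf32.dll are given no expected location, so any load of them is surfaced for review.

```python
from pathlib import PureWindowsPath

# Where the legitimate binary lives (assumption based on the standard Windows layout)
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "iexplore.exe": {r"c:\program files\internet explorer",
                     r"c:\program files (x86)\internet explorer"},
    # Listed on the slide as common APT filenames; no legitimate location is
    # assumed for them, so every load of them is surfaced for review.
    "iprinp.dll": set(),
    "winzf32.dll": set(),
}
# Which parent process should spawn the binary (assumption)
EXPECTED_PARENT = {"svchost.exe": "services.exe"}

# Constructed sample records: (host, image path, parent process name)
SAMPLE_RECORDS = [
    ("ws17", r"C:\Windows\System32\svchost.exe", "services.exe"),
    ("ws17", r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe", "explorer.exe"),
    ("ws22", r"C:\Windows\System32\svchost.exe", "cmd.exe"),
    ("ws22", r"C:\Program Files\Internet Explorer\iexplore.exe", "explorer.exe"),
    ("ws31", r"C:\Windows\Temp\winzf32.dll", "rundll32.exe"),
]


def check_record(record):
    """Return (host, image, reasons) when a watched filename looks out of place, else None."""
    host, image, parent = record
    path = PureWindowsPath(image)
    name = path.name.lower()
    if name not in EXPECTED_DIRS:
        return None                                  # not a watched filename
    reasons = []
    if str(path.parent).lower() not in EXPECTED_DIRS[name]:
        reasons.append(f"unexpected path {path.parent}")
    wanted_parent = EXPECTED_PARENT.get(name)
    if wanted_parent and parent.lower() != wanted_parent:
        reasons.append(f"unexpected parent {parent}")
    return (host, image, reasons) if reasons else None


def triage(records):
    """Keep only the records that violate the path or parent expectation."""
    return [hit for hit in map(check_record, records) if hit]


if __name__ == "__main__":
    for host, image, reasons in triage(SAMPLE_RECORDS):
        print(f"{host}: {image} ({'; '.join(reasons)})")
```

The genuine svchost.exe on ws17 passes both checks; the copy in a user's Temp directory fails both, the System32 copy on ws22 fails only the parent check, and the DLL on ws31 is reported purely on its name. Name-based matching alone would have flagged every record, which is why the path and parent context are what make the filename list usable.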

Page 10: RSA: Security Analytics Architecture for APT


The APT Supply Chain: Choose Your Career Path (diagram)

• Technical Infrastructure Specialists & Organizations: Tools, Hosting, Delivery
• Operational Infrastructure Specialists & Organizations: Harvesting, Communication (fraud forum / chat room), Target Data & User Accounts
• Cash Out: Mules, Drops, Monetizing

Page 11: RSA: Security Analytics Architecture for APT


The “Community” of Attackers (diagram: actors arranged by sophistication and by target)

• Criminals: petty criminals; organized crime
• Non-state actors: terrorists; anti-establishment vigilantes; “hacktivists”
• Nation states

Axis labels on the chart: Unsophisticated → Organized, sophisticated supply chains (PII, financial services, retail); Targets of opportunity → PII, government, critical infrastructure. Nation states: PII, government, defense industrial base, IP-rich organizations.

Page 12: RSA: Security Analytics Architecture for APT


Advanced Threats 1.0 vs. 2.0 (diagram)

Advanced Threats 1.0: C2 traffic to abc.com, def.com, 1.2.3.4 using clear-text & custom protocol, clear-text & normal protocol, or custom encryption. Detection controls shown: Content Inspection, Protocol Anomalies, Network Traffic Anomalies, Known Bad Endpoints.

Advanced Threats 2.0: C2 traffic (port 80/443) to abc.com, def.com, 1.2.3.4, 3.7.9.1, 8.2.3.3 over SSL or other standards-based encryption; custom malware with no signature.

1% of attacks discovered by Anti-Virus, <1% by IDS. (Verizon 2011 DBIR)

Page 13: RSA: Security Analytics Architecture for APT


APT: Evolution

Intrusion Phase   | Non-APT (DoS)               | Obsolete                | Current
Reconnaissance    | None                        | Scanning, opportunistic | OSINT, targeted
Weaponization     | Blast, Stress               | Layer 4 payload         | Layer 7 payload
Delivery          | Opportunistic: non-targeted | Vulnerable protocol     | Standard Comm. Prot.
Exploit           | Client-side, Server-side    | Server-side (svc)       | Client-side (app)
Installation      | Rapid Sibling infection     | Plain sight             | ADS, anti-reversing
Command & Ctrl    | None                        | Custom protocol         | Protocol compliant
Actions on Intent | Propagate, Disrupt, Deface  | Propagate or PII        | Exfiltrate

Page 14: RSA: Security Analytics Architecture for APT


APT: Response

Intrusion Phase | Detect        | Deny          | Disrupt    | Degrade            | Deceive      | Destroy
Reconnaissance  | Web Analytics | Firewall ACL  |            |                    |              |
Weaponization   | NIDS          | NIPS          |            |                    |              |
Delivery        | Vigilant User | Proxy Filter  | In-Line AV | Queuing            |              |
Exploit         | HIDS          | Patch         | DEP        |                    |              |
Installation    | HIDS          | “chroot” Jail | AV         |                    |              |
Command & Ctrl  | NIDS          | Firewall ACL  | NIPS       | Tarpit             | DNS Redirect |
Actions         | Audit Log     |               |            | Quality of Service | Honeypot     |

Page 15: RSA: Security Analytics Architecture for APT


Advanced Cyber Defense Approach (diagram)

Cyber cycle / attack kill chain life cycle (“Breach Life Cycle”): threat vector “malware” (undetected) → establish network foothold → data exfiltration → late detection. The interval from compromise to detection is labelled Breach Exposure Time (“BET”). Diagram label: Target Threat Visibility & Mitigation Goal.

Page 16: RSA: Security Analytics Architecture for APT


APT: The Challenge of Cleanup

• Did you get it all? – Cleaning

• Do you adequately understand how it happened? – Forensic

• Will the exploits work again? – Remediation

• Is Damage understood and contained? – Risk Model and Reduction

Page 17: RSA: Security Analytics Architecture for APT


APT: Needed Capabilities

• Network Visibility

• Critical Info Ident and Tracking

• IPS Active Blocking

• Continuous Monitoring

• Cyber Threat Awareness

• Attack Ident and Triage

• Collaboration

• Incident Response

• Network Traffic Analysis

• Host-Based Forensics

• Malware Forensics

• Sig and IOC Development

• Cyber Threat and Intelligence

• Security Infrastructure

Page 18: RSA: Security Analytics Architecture for APT


APT: Lessons Learned

1. There are no trivial systems
2. Collect the right info
3. Have a plan
4. User awareness
5. Be able to look back (forensics)
6. Know thyself (Crown Jewels)
7. Have the right people
8. It takes a village (or an ecosystem)
9. A holistic view is key
10. Get smart(er) with the data you collect

Page 19: RSA: Security Analytics Architecture for APT


Introducing Security Analytics

Page 20: RSA: Security Analytics Architecture for APT


Today’s Security Requirements

Comprehensive Visibility – “Analyze everything happening in my infrastructure”

Agile Analytics – “Enable me to analyze and investigate potential threats in near real time”

Actionable Intelligence – “Help me identify targets, threats & incidents”

Scalable Infrastructure – “Need a flexible infrastructure to conduct short term and long term analysis”

Page 21: RSA: Security Analytics Architecture for APT


RSA Security Management Compliance Vision Delivering Visibility, Intelligence and Governance

Page 22: RSA: Security Analytics Architecture for APT


RSA Security Analytics: Changing The Security Management Status Quo
Unified platform for security monitoring, incident investigations and compliance reporting

Diagram: RSA Security Analytics brings together
• SIEM: compliance reports, device XMLs, log parsing
• Network Security Monitoring: logs & packets, fast & powerful analytics
• High Powered Analytics, Big Data Infrastructure, Integrated Intelligence
• Unified interface; analytics warehouse

SEE DATA YOU DIDN’T SEE BEFORE, UNDERSTAND DATA YOU DIDN’T EVEN CONSIDER BEFORE

Page 23: RSA: Security Analytics Architecture for APT


RSA Security Analytics Architecture (diagram)

• Real Time Investigations (hours to days): Metadata, Packets
• Correlation and Long Term Analysis: Metadata, Raw Logs, Select Payload

Page 24: RSA: Security Analytics Architecture for APT


What Makes Security Analytics Different?

• Big Data Infrastructure
– Fast & Scalable
– Logs & Packets
– Security data warehouse plus proven NetWitness infrastructure

• High Powered Analytics
– The speed and smarts to detect, investigate & understand advanced threats
– Comprehensive visibility to see everything happening in an environment
– Short term & long term analytics plus compliance
– Removes the hay vs. digging for needles

• Integrated Intelligence
– Intelligence from the global security community and RSA FirstWatch fused with your organization’s data
– Understand what to look for and utilize what others have already found

The only security management solution that has both speed & smarts

Page 25: RSA: Security Analytics Architecture for APT


Big Data Infrastructure

• Single platform for capturing and analyzing large amounts of network and log data
• Distributed, “scale-out” architecture
• Unique architecture to support both “speed” and “smarts” for threat analysis
• Security data warehouse for long term analytics & compliance
• Proven NetWitness infrastructure for short term analytics and investigations

Page 26: RSA: Security Analytics Architecture for APT


High Powered Analytics

• Eliminates blind spots to achieve comprehensive visibility across the enterprise
• Real-time and “after-the-fact” investigations
• Uses the industry’s most comprehensive and easily understandable analytical workbench
• Proven, patented analytics applies business context to security investigations
• Automates the generation of compliance reports and supports long term forensic analysis

Page 27: RSA: Security Analytics Architecture for APT


Full Network Visibility (network traffic and logs)

• Gain full visibility into your network including both logs and packets
• Discover advanced threats missed by traditional security approaches
• Completely reconstruct network sessions for real time analysis and investigation
• Capture all data from the network to the application layer
• Perform detailed session analysis – regardless of port or protocol

Page 28: RSA: Security Analytics Architecture for APT


Single Platform for Network Packet and Log Data Collection (network traffic and logs)

• Both network packet capture and log collection
• Patented methods of network capture, processing, data extraction and service/protocol identification
• Consolidates disparate sources
• Instantly analyzes massive data sets

Page 29: RSA: Security Analytics Architecture for APT

29 © Copyright 2012 EMC Corporation. All rights reserved.

Reimagining what SIEM can do: Removing hay vs. digging for needles (funnel diagram)

• All network traffic & logs – terabytes of data, 100% of total
• Downloads of executables – thousands of data points, 5% of total
• Type does not match extension – hundreds of data points, 0.2% of total
• Create alerts to/from critical assets – a few dozen alerts
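The funnel on this slide is a filtering pipeline, and each stage can be written as a filter over session metadata. The Python below is an added example and is not RSA product code: it sniffs the leading bytes of each downloaded object (MZ marks a Windows executable), compares that with the type the URL's extension claims, and keeps only the mismatches that involve a critical asset. The session records, the magic-byte table and the critical-asset list are constructed assumptions for this illustration.

```python
import os
from urllib.parse import urlparse

# Assumed critical assets (constructed for this example)
CRITICAL_ASSETS = {"10.0.5.20", "10.0.5.21"}

# Leading bytes that identify a file type regardless of what the URL claims
MAGIC = {b"MZ": "exe", b"%PDF": "pdf", b"\x89PNG": "png", b"PK\x03\x04": "zip"}

# What the URL's extension claims the type is
EXT_TYPE = {".exe": "exe", ".dll": "exe", ".pdf": "pdf", ".png": "png",
            ".zip": "zip", ".gif": "gif", ".jpg": "jpg"}

# Constructed session metadata: source, destination, URL, first bytes of the response body
SESSIONS = [
    {"src": "10.0.5.20", "dst": "203.0.113.9",  "url": "http://cdn.example/img/update.png", "head": b"MZ\x90\x00\x03"},
    {"src": "10.0.7.4",  "dst": "203.0.113.10", "url": "http://vendor.example/setup.exe",    "head": b"MZ\x90\x00\x03"},
    {"src": "10.0.7.5",  "dst": "203.0.113.11", "url": "http://docs.example/report.pdf",     "head": b"%PDF-1.4"},
    {"src": "10.0.7.9",  "dst": "203.0.113.12", "url": "http://ads.example/logo.gif",        "head": b"MZ\x90\x00\x03"},
    {"src": "10.0.5.21", "dst": "203.0.113.13", "url": "http://vendor.example/inst.exe",     "head": b"MZ\x90\x00\x03"},
    {"src": "10.0.9.2",  "dst": "203.0.113.14", "url": "http://pics.example/photo.jpg",      "head": b"\xff\xd8\xff\xe0"},
]


def sniff_type(head: bytes) -> str:
    """Type according to the content itself (magic bytes), 'unknown' if unrecognised."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def claimed_type(url: str) -> str:
    """Type according to the file extension in the URL path."""
    ext = os.path.splitext(urlparse(url).path)[1].lower()
    return EXT_TYPE.get(ext, "unknown")


def funnel(sessions):
    """Apply the slide's four stages and return the per-stage counts plus the final alerts."""
    executables = [s for s in sessions if sniff_type(s["head"]) == "exe"]          # stage 2
    mismatched = [s for s in executables if claimed_type(s["url"]) != "exe"]       # stage 3
    alerts = [s for s in mismatched                                                 # stage 4
              if s["src"] in CRITICAL_ASSETS or s["dst"] in CRITICAL_ASSETS]
    counts = {"all": len(sessions), "executables": len(executables),
              "mismatch": len(mismatched), "critical": len(alerts)}
    return counts, alerts


if __name__ == "__main__":
    counts, alerts = funnel(SESSIONS)
    print(counts)
    for s in alerts:
        print(f"ALERT {s['src']} -> {s['dst']} {s['url']}")
```

On the constructed sessions the six records narrow to four executables, then to two whose extension disagrees with the content, then to the single one touching a critical asset. The ordering matters for cost: the cheap content-type test runs over everything, and the asset lookup, which needs an up-to-date inventory, only runs over what survives.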

Page 30: RSA: Security Analytics Architecture for APT


Integrated Intelligence: How Do I Know What To Look For?

• Gathers advanced threat intelligence and content from the global security community & RSA FirstWatch®
• Aggregates & consolidates the most pertinent information and fuses it with your organization's data
• Automatically distributes correlation rules, blacklists, parsers, views, feeds

Operationalize Intelligence: Take advantage of what others have already found and apply it against your current and historical data

Page 31: RSA: Security Analytics Architecture for APT


Security Analytics Live Content

• Fuses open source, commercial, and confidential threat and fraud intelligence with an organization’s live and recorded network traffic

Page 32: RSA: Security Analytics Architecture for APT


RSA FirstWatch®

• RSA’s elite, highly trained global threat research & intelligence team
– Heritage dating back to the late 1990s featuring a ‘who’s who’ of researchers
– Backgrounds in government, military, financial services and information technology
• Focused on threats unknown to the security community
– Malicious code & content analysis
– Threat research & ecosystem analysis
– Profiling threat actors
• Research operationalized automatically via RSA Live

Providing RSA Security Analytics customers covert tactical and strategic threat intelligence on advanced threats & actors

Page 33: RSA: Security Analytics Architecture for APT


RSA Security Analytics Results

• Reduce risk by compressing attacker free time
– Continuous analysis of terabytes of security data through big data architecture, reducing the threat analysis time from days to minutes
• Level the playing field with adversaries
– Incorporate operationalized intelligence to defend with confidence
• Elevate the security team to another level of effectiveness
– Increase teams’ collective skill by gaining analytical firepower
– Investigate more rapidly, centralize information, automate alerts and reports
• Meet compliance requirements