War on stealth cyber attacks phishing docusign apache metron
Transcript of War on stealth cyber attacks phishing docusign apache metron
War on Stealth Cyber Attacks that Target Unknown Vulnerabilities: Investigate, Threat Scope Analysis & Forensics of Advanced Cyber Threats with Apache Metron
George Vetticaden & James Sirota, Apache Metron Committers
© Hortonworks Inc. 2011–2016. All Rights Reserved

Use Case: Phishing Attack
Phishing Attacks

• What is a Phishing Attack? An attack that “baits” unsuspecting workers into clicking on links in emails and unknowingly giving attackers a toehold in their employers’ systems.
• From NYTIMES article (6/13/2016):

“Phishing attacks have become an epidemic. To date, more than 90 percent of breaches have begun with a phishing attack, according to Verizon. Intelligence experts say that phishing attacks are the preferred method of Chinese hackers who have managed to steal things as varied as nuclear propulsion technology and Silicon Valley’s most guarded software code.”
DocuSign Phishing Attacks

What is DocuSign?
• Provides electronic signature technology and Digital Transaction Management services for facilitating electronic exchanges of contracts and signed documents.
• E.g.: If you get a new job, the offer letter will most likely be presented to you as a “DocuSign Doc” which requires an electronic signature.

What is a DocuSign Phishing Attack?
• Active phishing campaigns using fake DocuSign emails try to trap employees into opening them up.
• These "secure doc" emails are one of the most misflagged categories of real emails.
• Users have trouble figuring out whether a "secure doc" email is real or a phish.
DocuSign Phishing Attack on Company FOO
Use Case Setup

• On 4/10, a user named Ethan V at Company Foo submits a security ticket complaining about a potential phishing email.
• The details provided by Ethan V in the ticket are the following:
  – Ethan receives an email from an internal employee, Sonja Lar, who works on the Finance Team
  – The email states that a signature is required for a new Docu-Sign document for a new Stock Option grant granted to Ethan
  – There is a link in the email to the Docu-Sign document
  – Ethan clicks on the link, and a login page appears
  – Ethan enters his SSO credentials and submits
  – On submission, nothing happens
  – Ethan calls Sonja, but Sonja states she didn’t send an email
  – Ethan is worried and then files a helpdesk security ticket
• A security ticket is created and assigned to the SOC Team.
• A SOC analyst, James, picks up the case to investigate it.
Typical Workflow if Company Foo uses a traditional SIEM tool
Systems Accessed for Investigation/Context: (1) SIEM (Search), (2) Maxmind (IP Geo DB), (3) AD (Identity Mgmt.), (4) Asset Mgmt. Inventory, (5) Soltra (Threat Intel)

“Investigation” Workflow Steps and Story Unfolding
• Step 1: Analyst James searches in the SIEM for any events associated with the user Sonja over the last 24 hours.
• Step 1 Result: Most events are coming from IP Y, but a few events come from IP X, where she is sending email via the Corp Gmail account.
• Step 1 Insight: Anomalous event. Corp Gmail was decommissioned in favor of Exchange months back and only a few users are currently using it.
• Step 2: James does a geo-lookup of IP X and IP Y in Maxmind.
• Step 2 Result: IP X is from Ireland and IP Y is from Southern Cali.
• Step 2 Insight: Not possible for the same user to be logging in from Ireland and Southern Cali at the same time.
• Step 3: Corp Foo has offices in Ireland & Los Angeles. James files a ticket with the AD team to find the groups that Sonja belongs to.
• Step 3 Result: The groups she belongs to are only associated with Los Angeles and not Ireland.
• Step 3 Insight: Unauthorized access is occurring from Ireland.
• Step 4: James logs into Foo’s Asset Mgmt system to determine which asset the IP belongs to.
• Step 4 Result: IP Y is from Sonja’s workstation while IP X is an unidentified asset.
• Step 4 Insight: Seems like Sonja is in Southern Cali but someone else pretending to be her is logging in from an unidentified asset.
• Step 5: James logs into Soltra, a threat intel aggregation service, to see if IP X has a threat intel hit.
• Step 5 Result: IP X has a threat intel hit. Sonja’s account is immediately shut down & Ethan’s credentials have been reset.
• Step 5 Insight: Sonja’s account has been compromised. Shut it down and reset Ethan’s credentials. But what other users are affected like Ethan?
Systems Accessed for Threat Scope: (6) SIEM (Search), (7) FireEye (Email Cloud Security) & Cisco IronPort (Email On-Premise Security)
Systems Accessed for Forensics: (8) Cisco IronPort, (9) Intermedia (Email Archive)
Systems Accessed for Investigation/Context: SIEM, Maxmind (IP Geo DB), AD (Identity Mgmt.), Asset Mgmt. Inventory, Soltra (Threat Intel)
Systems Accessed for Remediation: Exchange (Primary Email Service), Corp Gmail (Secondary Email Service), AD & SSO (Identity Provider & SSO)

“Scope of Threat” Workflow Steps
• Step 6: Searches the SIEM for FireEye and IronPort email events associated with Sonja. The SIEM doesn’t have that info.
• Step 6 Result: Need to log into FireEye and IronPort.
• Step 6 Insight: The SIEM doesn’t have all the FireEye email events I need to determine scope.
• Step 7: Logs into FireEye Email Threat Prevention Cloud & IronPort to find all emails sent from Sonja from that malicious IP.
• Step 7 Result: Have a list of all users that the phishing email was sent to. Can reset the password for all those users.
• Step 7 Insight: Understand the scope of the threat and can contain it.

“Forensics” Workflow Steps
• Step 8: Logs into Cisco IronPort to determine when the attacker first compromised Sonja’s Gmail account.
• Step 8 Result: On 3/26, a user from Ireland logged into Sonja’s Corp Gmail account.
• Step 8 Insight: Understands when Sonja’s Gmail account was first compromised.
• Step 9: Logs into Intermedia, an email archive system, to understand how the account was compromised.
• Step 9 Result: Sees a set of emails where the attacker spoofed someone else’s email address, “warmed up” her with a few emails and then sent an email with a link that Sonja clicked on, which stole her credentials from her chain.
• Step 9 Insight: Understand how Sonja’s account got compromised.
The “Threat Story” the Workflow Told….
The Challenges Faced by the SOC Analyst to Create this Story…

Challenge
• The analyst had to jump from the SIEM to more than 7 different tools, which took up valuable time.
• It took more than 24 hours across 2 SOC shifts to investigate, determine scope, remediate and do further forensics/investigation.
• Half of my time was spent getting the context needed for me to create the story.
• The threat was detected too late. Instead of detecting the incident on 4/9, the threat should have been detected on 3/20 when the attacker spoofed Sonja’s email address.

Need
• Want a centralized view of my data so I don’t have to jump around and learn other tools.
• Eliminate manual tasks to investigate a case.
• Need to discover bad stuff quicker.
• Need the system to create the context for me in real-time.
• The current static rules in the SIEM didn’t detect the threat. Need smart analytics based on:
  • User Sonja hasn’t used Corp Gmail in the last 3 months
  • User Sonja can’t log in from Ireland and Southern Cali at the same time
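As an added example (not from the slides), the two analytics just listed in Python: a dormant-service check and an impossible-travel check run over constructed login events that have already been geo-enriched with coordinates. The event fields, the thresholds (90 days, 900 km/h) and the haversine helper are assumptions of this example.

```python
"""The deck's two 'smart analytics' over constructed, geo-enriched login events."""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample events (not real telemetry), loosely following the Sonja story:
# a Corp Gmail login in January, then on 4/9 an Exchange login from Los Angeles and,
# 12 minutes later, a Corp Gmail login from Dublin.
EVENTS = [
    {"ts": "2016-01-02T09:00:00", "user": "sonja", "service": "corp_gmail", "lat": 34.05, "lon": -118.24},
    {"ts": "2016-04-09T16:00:00", "user": "sonja", "service": "exchange", "lat": 34.05, "lon": -118.24},
    {"ts": "2016-04-09T16:12:00", "user": "sonja", "service": "corp_gmail", "lat": 53.35, "lon": -6.26},
]

def _t(event):
    return datetime.fromisoformat(event["ts"])

def dormant_service_reuse(events, user, service, dormant_days=90):
    """Return logins to `service` that follow a gap of at least `dormant_days`
    since the user's previous use of it ('hasn't used Corp Gmail in 3 months')."""
    hist = sorted((e for e in events if e["user"] == user and e["service"] == service), key=_t)
    return [cur for prev, cur in zip(hist, hist[1:])
            if _t(cur) - _t(prev) >= timedelta(days=dormant_days)]

def _km(a, b):
    """Great-circle (haversine) distance between two events' coordinates, in km."""
    la1, lo1, la2, lo2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(events, user, max_kmh=900):
    """Return (previous, current) login pairs whose implied travel speed exceeds
    `max_kmh` ('can't log in from Ireland and Southern Cali at the same time').
    Same-second logins are clamped to one second so the speed stays finite."""
    hist = sorted((e for e in events if e["user"] == user), key=_t)
    flagged = []
    for prev, cur in zip(hist, hist[1:]):
        hours = max((_t(cur) - _t(prev)).total_seconds(), 1) / 3600
        if _km(prev, cur) / hours > max_kmh:
            flagged.append((prev, cur))
    return flagged

if __name__ == "__main__":
    for e in dormant_service_reuse(EVENTS, "sonja", "corp_gmail"):
        print("dormant service reused:", e["ts"], e["service"])
    for prev, cur in impossible_travel(EVENTS, "sonja"):
        print("impossible travel:", prev["ts"], "->", cur["ts"])
```

Both checks fire only on the Dublin Corp Gmail login; the same-city Exchange login on 4/9 passes, which is the behaviour the static SIEM rules in the story lacked.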
Same Workflow if Company Foo used Apache Metron
Demo
Do Investigation, Find Scope and Perform Forensics Using only Metron

[Diagram: the systems from the SIEM workflow, grouped by purpose]
• Systems Accessed for Remediation: Exchange (Primary Email Service), Corp Gmail (Secondary Email Service), AD & OKTA (Identity Provider & SSO)
• Systems Accessed for Investigation/Context: Maxmind (IP Geo DB), AD (Identity Mgmt.), Asset Mgmt. Inventory, Soltra (Threat Intel)
• Systems Accessed to Determine Scope: FireEye (Email Cloud Security), Cisco IronPort (Email On-Premise Security)
• Systems Accessed for Forensics: Intermedia (Email Archive)
Do Investigation, Find Scope and Perform Forensics Using only Metron

• Metron will make it easier and faster to find the real issues I need to act on, with real-time enrichment.
• Provides a single pane of glass for investigation, scope analysis and forensics.
• Metron can take everything that is known about a threat and check for it in real time.
• For Advanced Persistent Threats (APT), Metron can model the historical behavior of whoever I am impersonating and flag me as I try to deviate.
Metron Architecture

[Architecture diagram; recoverable labels:]
• Telemetry Data Sources: Network Data (PCAP, Netflow, Bro, etc.); IDS (Suricata, Snort, etc.); Threat Intelligence Feeds (Soltra, OpenTaxi, third-party feeds); Security Endpoint Devices (FireEye, Palo Alto, BlueCoat, etc.); Machine Generated Logs (AD, App/Web Server, Firewall, VPN, etc.)
• Ingest: Telemetry Data Collectors / Performant Network Ingest Probes / Other → Telemetry Ingest Buffer
• Real-Time Processing Cyber Security Engine (Cyber Security Stream Processing Pipeline): Telemetry Parsers → Enrichment → Threat Intel → Alert Triage → Indexers & Writers, fed by Real-Time Enrich/Threat Intel Streams
• Data Services & Integration Layer: Modules, Community Analytical Models, Search and Dashboarding Portal, Security Data Vault, Provisioning, Mgmt & Monitoring
Real-time Processing Engine: Apache Metron Logical Architecture

[Diagram; recoverable labels, numbered as on the slide:]
• Sources: PCAP, Netflow, DPI, IDS, AV, Firewall, Host Logs
• 1. Telemetry Event Buffer
• 2. Parse, Normalize, Tag, Validate, Process
• 3. Enrich: User, Asset, Geo, WHOIS, Conn
• 4. Label (threat intel sources: STIX, Flat Files, Aggregators, Model as a Service, Cloud Services)
• 5. Alert Persist / PCAP Store / Security Data Vault
• 6. Data & Integration Services: Custom Metron UI/Portals, Real-Time Search, Interactive Dashboards, Data Modelling, Integration Layer, PCAP Replay, Security Layer
• 7a. Network Tap → Fast Telemetry Ingest
• 7b. Custom Performant Probes → Telemetry Ingest
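As an added example (not Metron's own code), a pared-down version of stages 2 through 4 in Python: parse a constructed auth-log line, normalize it onto common field names, enrich it with geo and asset lookups, and label it against a threat-intel table. The log format, field names, lookup tables and IP addresses are all constructed for this example and do not describe Metron's real schema.

```python
"""Mini parse -> normalize -> enrich -> label pipeline, after the stages in the
Metron logical architecture, over constructed auth-log lines."""
import re
from datetime import datetime, timezone

# Constructed lookup tables standing in for Maxmind, the asset inventory and a
# threat-intel feed. Addresses are documentation ranges, not real indicators.
GEO = {"203.0.113.7": ("IE", "Dublin"), "198.51.100.4": ("US", "Los Angeles")}
ASSET = {"198.51.100.4": "sonja-workstation"}  # 203.0.113.7 is deliberately absent
INTEL = {"203.0.113.7": "constructed-feed:malicious_ip"}

LINE_RE = re.compile(r"(?P<ts>\S+ \S+) LOGIN user=(?P<user>\S+) src=(?P<ip>\S+) svc=(?P<svc>\S+)$")

def parse(raw):
    """Stage 2: split a raw line into fields; raise on anything unparseable rather than drop it silently."""
    m = LINE_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unparseable line: {raw!r}")
    return m.groupdict()

def normalize(fields, source_type):
    """Stage 2 (cont.): map onto common field names. The names used here (timestamp in
    epoch ms, ip_src_addr, source:type) are an assumption of this example."""
    ts = datetime.strptime(fields["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"timestamp": int(ts.timestamp() * 1000), "ip_src_addr": fields["ip"],
            "user": fields["user"], "service": fields["svc"], "source:type": source_type}

def enrich(msg):
    """Stage 3: attach geo and asset context. An IP with no asset record is the
    deck's 'unidentified asset' and is kept as an explicit value, not dropped."""
    country, city = GEO.get(msg["ip_src_addr"], ("unknown", "unknown"))
    msg["geo:country"], msg["geo:city"] = country, city
    msg["asset"] = ASSET.get(msg["ip_src_addr"], "unidentified")
    return msg

def label(msg):
    """Stage 4: threat-intel lookup; a hit sets is_alert so triage sees the event."""
    hit = INTEL.get(msg["ip_src_addr"])
    msg["threatintel:ip_src_addr"] = hit
    msg["is_alert"] = hit is not None
    return msg

def process(raw, source_type="authlog"):
    return label(enrich(normalize(parse(raw), source_type)))

if __name__ == "__main__":  # constructed lines: Exchange login from LA, then Corp Gmail from Dublin
    print(process("2016-04-09 16:00:00 LOGIN user=sonja src=198.51.100.4 svc=exchange"))
    print(process("2016-04-09 16:12:00 LOGIN user=sonja src=203.0.113.7 svc=corp_gmail"))
```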
Analytics
Old School vs. New School Security Controls

• Old School → (1-1): Email Security Rules, Firewall Rules, IDS Rules, Sandbox Rules, DLP Rules
• New School → (1-*): Email Classifier, Alerts Triage, Malware Family Classifier, Network Behavior Classifier, UEBA System
Analytics

[Diagram: Metron Security Data Analytics Platform (HDF, HDP); recoverable labels:]
• Analytics: Descriptive, Diagnostic, Predictive, Prescriptive
• Data sources: Deep Packet, Netflow, Appliance Logs, Alerts, Host Logs, Model as a Service, Social Media, Chat, Forums, Playbook, Workflow, HR, IR, Mobile Devices, Machine Exhaust, IoT, Datasets, Access Logs, Malware Binaries, Sandbox, Honeypot, Deception, SaaS
• Enrichments: Geo Enrich, Host Enrich, App. Enrich, Identity Enrich, Domain Enrich, Business Enrich, CMDB Enrich, Compl. Enrich, Knowledge Graph, Entity Profiles, Interaction Graph, Web Mining
• Use Cases: Insider Threat, Data Access Management, Breach Detection, Exfiltration, Lateral Movement, Malware Detection, Alerts Triage, Remediation
Thank You
George Vetticaden & James Sirota, Apache Metron Committers

Learn, Share at Birds of a Feather: Streaming, Data Flow & Cybersecurity
Thursday June 30, 6:30pm, Ballroom C