Preparing for the Inevitable: How to Fight Advanced Targeted Attacks with Security Intelligence and Big-Data Analytics. See everything. Know everything.™ Andrew Brandt, Director of Threat Research
Big Data, Little Attacks. See everything. Know everything.™ Andrew Brandt, Director of Threat Research
Who I am and what I do @SoleraBlog #AusCERT12 #bigdata
• Former journalist
• Self-taught security enthusiast
• Malware analyst
• Network security researcher
• If you code, distribute, or use malware for gain, prepare for maximum mockery and humiliation.
What I do: a story behind every attack. Sometimes, strange stuff just happens.
Break computers for fun and profit: the little-known “mea culpa” feature of Blackshades RAT. (Screenshot annotations: “Yep, you nailed it” / “I couldn’t have said it better myself”.)
Involved, enthusiastic blog readership
Why so touchy? A little too close to home?
Today’s Persistent, Blended Threats
Communication:
• Social engineering
• Convince victim to do something: visit web page, download file, execute binary
Exploitation:
• Enumerate surface
• Exploit vulnerability
• Infiltrate system
Propagation:
• Maintain connectivity
• Spread to other systems
• Expand attack footprint
• Adapt to countermeasures
The Challenge of Keeping Pace…
• 87% of breaches involved customized malware (no signature available at the time of exploit) (VzB/USSS)
• 54% of records stolen were stolen using Highly Sophisticated Attacks (VzB/USSS)
• $7.2M was the average cost of a data breach in 2011 (Ponemon)
Big Data Landscape – Security Intelligence & Analytics
“Context-aware and adaptive security will be the only way to securely support the dynamic business and IT infrastructures emerging during the next 10 years.” —Neil MacDonald, VP & Fellow, Gartner
Product categories shown around the quote: next-gen firewalls, intrusion prevention systems, log management, data leakage prevention, security information & event management, content filtering, and big data analytics.
What does this stuff look like when it’s happening?
Seriously: are you guys new to this whole trying-to-convince-people thing?
What about one of these?
Yeah, it’s malicious
Indistinguishable from normal email…
…until it isn’t, anymore.
Cyber Attacks Accelerate… (timeline slide running from Oct through Jul ’11; events marked include “Operation Aurora” and the Diplomatic Cables Leak)
The Malware Problem – Overwhelming Odds. “With security researchers now uncovering close to 100,000 new malware samples a day, the time and resources needed to conduct deep, human analysis on every piece of malware has become overwhelming.” —GTISC Emerging Cyber Threats Report 2011
Record everything, 24/7
• Timely analysis and insight into every packet entering or leaving your network
• Actionable intelligence, forensics and situational awareness
• Unmatched multi-dimensional flow enrichment and big data warehousing
• Records, classifies and indexes all packets and flows from L2 – L7
• On the wire, file-level visibility of data exfiltration and malware infiltration
• Flexible, open and easy-to-use platform
Multiple Levels of Indexing: Packet Capture and Repository (DSFS)
• Full fidelity, full payload streaming capture
• Capable of 10s of Gb/s data storage
• Support for simultaneous readers and writers
• Maximum throughput via smart streaming writes and reads
Multiple Levels of Indexing: Solera DB Index
• SoleraDB, the middle layer, contains the data necessary to find and reconstruct packets, flows, and entire network sessions in perfect fidelity
• Handles millions of IOPS on a single appliance
• Used as a “quick rejection” for the Packet Capture and Repository
Multiple Levels of Indexing: Solera DB Bitmask & Hash
• Per-attribute quick lookup layer
• Takes milliseconds to accept/reject hundreds of MBs of capture data
• Search queries are processed using a proprietary algorithm that generates hash values used by the top layer of the search engine to quickly determine which 64MB chunks the data are in
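The slides describe the top index layer only as a per-attribute “quick rejection” that decides which 64MB chunks of capture could hold a value, without reading them. The following is an added example, not Solera’s implementation (the deck calls theirs proprietary): it uses a Bloom filter per chunk and per attribute as a plainly named stand-in for that layer. The chunk size (four flows instead of 64MB), the attribute names, and the traffic are all constructed. The property worth noticing is the asymmetry: a filter may say “maybe” for a chunk that does not contain the value (one wasted scan), but it never says “no” for a chunk that does, so the search stays complete while skipping most of the repository.

```python
"""Per-chunk quick-rejection index over a packet/flow repository.
Added example with a Bloom filter standing in for the slide's
proprietary bitmask/hash layer. All data below is constructed."""
import hashlib
import math


class BloomFilter:
    """Fixed-size bit array with k hash positions per item."""

    def __init__(self, n_expected, fp_rate=0.01):
        # Standard sizing for the target false-positive rate.
        self.m = max(8, math.ceil(-n_expected * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / n_expected * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Double hashing from a single SHA-256: h1 + i*h2 (mod m).
        d = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def might_contain(self, item):
        # False means "definitely absent"; True means "scan this chunk".
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


# Attributes indexed per chunk (constructed; the product indexes many more).
ATTRIBUTES = ("src_ip", "dst_ip", "host")


class ChunkIndex:
    """Repository of fixed-size chunks plus one filter per attribute per chunk."""

    def __init__(self, flows_per_chunk=4):
        self.flows_per_chunk = flows_per_chunk  # stand-in for the 64MB chunk
        self.chunks = []   # the "repository": a list of flow lists
        self.filters = []  # one {attribute: BloomFilter} per chunk

    def add_flow(self, flow):
        if not self.chunks or len(self.chunks[-1]) == self.flows_per_chunk:
            self.chunks.append([])
            self.filters.append({a: BloomFilter(self.flows_per_chunk) for a in ATTRIBUTES})
        self.chunks[-1].append(flow)
        for a in ATTRIBUTES:
            self.filters[-1][a].add(flow[a])

    def candidate_chunks(self, attribute, value):
        """Quick rejection: chunk ids that could contain attribute == value."""
        return [i for i, f in enumerate(self.filters) if f[attribute].might_contain(value)]

    def search(self, attribute, value):
        """Scan only candidate chunks. Returns (matching flows, chunks scanned)."""
        cands = self.candidate_chunks(attribute, value)
        hits = [fl for i in cands for fl in self.chunks[i] if fl[attribute] == value]
        return hits, len(cands)


def build_sample_index():
    """Twelve constructed flows; flow 9 is the only one to the hypothetical C2 host."""
    idx = ChunkIndex(flows_per_chunk=4)
    for i in range(12):
        idx.add_flow({
            "src_ip": f"10.0.0.{i % 5 + 1}",
            "dst_ip": f"203.0.113.{i + 1}",
            "host": "update-check.example.net" if i == 9 else "www.example.com",
        })
    return idx


if __name__ == "__main__":
    index = build_sample_index()
    for attr, val in (("host", "update-check.example.net"), ("src_ip", "10.0.0.3")):
        hits, scanned = index.search(attr, val)
        print(f"{attr}={val}: {len(hits)} hit(s), scanned {scanned} of {len(index.chunks)} chunks")
```

With a 1% per-filter false-positive rate, a query for the single C2 flow usually opens one chunk out of three; on a real repository of thousands of 64MB chunks that ratio is the whole point of the layer.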
So, what happens when someone clicks one of these links?
The victim sees this…
Meanwhile… CVE-2011-3544 (“Javasploit”)
Most Dreaded Questions from the CISO
• Can we be sure it won’t happen again?
• Who did this to us, and how?
• How long has this been going on?
• What did we lose, and when?
• Is it over yet?
Breaches Happen. Deal With It.
I see what you did there: “classic” Blackhole Exploit Kit behavior, malware payload delivered at the end
Danger, Will Robinson
Your reputation precedes you
• Look up reputation on: domain, IP, any extracted artifact
• Reputation services: VirusTotal, ClamAV, SORBS, Robtex, SANS ISC, Google Safe Browsing, …
Real-Time Extractor: Malware at the speed of light
• Delivering file-level alerting and malware analysis, at the network layer, to any enterprise
• Policy-based: protocol, country, MIME type, file extension, etc.
• Continuous detection of all network traffic: analyze, index, alert
• Alert-triggered analysis: PDF, .js, PE, Flash, JAR, OLE, .apk, etc.
• Collapse the distributed network: leverage core security infrastructure
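The two slides above (reputation lookups on extracted artifacts, and policy-based file extraction by type) come down to one pipeline: identify what actually crossed the wire, hash it, compare it with what the server claimed, and check the artifacts against reputation data. The example below is added here and is not the Real-Time Extractor’s code. It sniffs file type from magic bytes rather than trusting the declared Content-Type or extension, which is exactly how an exploit kit serving an executable as `text/html` gets caught. The reputation lists are constructed stand-ins for the services named on the slide, and the host `update-check.example.net`, the paths and the file stubs are all made up.

```python
"""File-type sniffing, declared-vs-actual mismatch, and artifact
reputation lookup over captured HTTP responses.
Added example, not the product's code; all data is constructed."""
import hashlib
from dataclasses import dataclass

# Magic bytes for the formats the slide lists. JAR and APK are ZIP
# containers, so both resolve to "zip" here.
MAGIC = [
    (b"MZ", "pe"),
    (b"%PDF", "pdf"),
    (b"FWS", "flash"), (b"CWS", "flash"), (b"ZWS", "flash"),
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),
]

# Policy: these types are always pulled for analysis, whatever the server
# called them (constructed policy, mirroring the slide's type list).
ALWAYS_ANALYSE = {"pe", "pdf", "flash", "zip", "ole"}

# Declared content types that are consistent with each sniffed type.
EXPECTED_MIME = {
    "pe": {"application/octet-stream", "application/x-msdownload"},
    "pdf": {"application/pdf"},
    "flash": {"application/x-shockwave-flash"},
    "zip": {"application/zip", "application/java-archive",
            "application/vnd.android.package-archive"},
    "ole": {"application/msword", "application/vnd.ms-excel"},
}

# Constructed stubs standing in for real files (not valid executables).
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 16
SAMPLE_PDF = b"%PDF-1.4\n% constructed stub, not a real document\n"

# Constructed stand-ins for reputation feeds (VirusTotal, SANS ISC, Google
# Safe Browsing, ...). The hash is "pre-reported" for the demo.
BAD_HOSTS = {"update-check.example.net"}          # hypothetical
BAD_SHA256 = {hashlib.sha256(SAMPLE_PE).hexdigest()}


@dataclass
class Transaction:
    host: str
    path: str
    declared_mime: str
    body: bytes


def sniff_type(body):
    """Identify the real file type from its first bytes."""
    for magic, name in MAGIC:
        if body.startswith(magic):
            return name
    return "unknown"


def assess(tx):
    """Return the extracted artifacts and the reasons (if any) to alert."""
    kind = sniff_type(tx.body)
    digest = hashlib.sha256(tx.body).hexdigest()
    alerts = []
    if kind in ALWAYS_ANALYSE:
        alerts.append(f"policy: {kind} file extracted for analysis")
    if kind != "unknown" and tx.declared_mime not in EXPECTED_MIME[kind]:
        alerts.append(f"mismatch: server said {tx.declared_mime}, content is {kind}")
    if tx.host in BAD_HOSTS:
        alerts.append("reputation: host on blocklist")
    if digest in BAD_SHA256:
        alerts.append("reputation: sha256 previously reported")
    return {"host": tx.host, "path": tx.path, "type": kind,
            "sha256": digest, "alerts": alerts}


SAMPLE_TRANSACTIONS = [
    # Exploit-kit style: a PE at the end of the chain, labelled as HTML.
    Transaction("update-check.example.net", "/q.php?f=17", "text/html", SAMPLE_PE),
    # An honestly declared PDF; still extracted under the policy.
    Transaction("www.example.com", "/report.pdf", "application/pdf", SAMPLE_PDF),
    # Plain HTML: nothing to extract.
    Transaction("www.example.com", "/index.html", "text/html", b"<html><body>hi</body></html>"),
]


def assess_all(transactions):
    return [assess(tx) for tx in transactions]


if __name__ == "__main__":
    for r in assess_all(SAMPLE_TRANSACTIONS):
        print(r["host"] + r["path"], r["type"], r["sha256"][:12], r["alerts"])
```

Against the constructed transactions, the first produces four alerts (policy, mismatch, host, hash), the PDF produces the policy alert only, and the HTML page produces none. The mismatch check is the one that keeps paying off: a server that lies about a file type has already told you something about itself before any reputation feed has heard of it.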
What’s in your pingback? When malware phones home, it:
• Exfiltrates sensitive data: “beacon” packets, profiling info about the infected PC, geolocation, stolen passwords, extracted email addresses, other documents
• Receives: instructions, links to payloads, a poison-pill self-deletion command
Zbot/SpyEye Target List: partial target list, downloaded by the Trojan. Domains include those of banks that service business customers. Targets vary based on the victim’s location in the world. One mistaken click, by the wrong employee, can bankrupt a corporation!
When malware phones home: some RATs or phishing Trojans don’t bother to hide their activity; others try to obfuscate the data with base64, which is an encoding rather than encryption and is trivially reversed by anyone capturing the traffic.
Revealed, you are, by your weird User-Agent
Collecting Decrypted SSL Traffic: 100% of encrypted traffic decrypted, captured, classified and indexed. Protects against SSL-encrypted bot traffic or confidential information leakage. In partnership with… (Diagram: Web Browser (SSL Client) → Transparent SSL Proxy → Internet/WAN → Web Servers (SSL Servers); Session 1 runs between the client and the proxy, Session 2 between the proxy and the server; the proxy feeds decrypted SSL traffic and non-SSL traffic to the Solera DS Appliance over a common control/management link.)
Decrypted SSL Zbot/Cridex Pingback: every 5-60 seconds, the bot sends this SSL-encrypted packet to its CnC server. “I’m still here. Ready for orders.”
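The last few slides (base64-wrapped phone-home data, an odd User-Agent, and a pingback every 5-60 seconds) are three checks that can be run over ordinary proxy or decrypted-SSL logs once the traffic is visible. The following is an added example, not code from the talk or the Solera product. It parses constructed log lines in a made-up format (epoch time, source, destination, method, User-Agent, body), flags User-Agent strings used by only one host on the network, decodes base64 bodies where the decode is well-formed and printable, and finds source/destination pairs whose request intervals are too regular to be a human. The host `update-check.example.net`, the profile string, and the User-Agent values are all constructed.

```python
"""Beaconing, odd User-Agent, and base64 phone-home checks over proxy logs.
Added example; log format, hosts and payloads are constructed."""
import base64
import binascii
import re
import statistics
from collections import defaultdict

# One request per line: ts src dst method "user-agent" body-or-dash
LOG_RE = re.compile(
    r'^(?P<ts>\d+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) '
    r'"(?P<ua>[^"]*)" (?P<body>\S*)$'
)

NORMAL_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"  # constructed
ODD_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"                   # constructed
C2 = "update-check.example.net"                                        # hypothetical

# Constructed beacon body: a base64-wrapped profile of the infected PC.
PROFILE = b"host=WIN-PC01;ip=10.0.0.5;user=jdoe;os=WinXP"
BEACON_BODY = base64.b64encode(PROFILE).decode()


def make_sample_log():
    """Eight bot pingbacks at ~30 s plus irregular browsing from two users."""
    lines = []
    t = 1336500000
    for i, jitter in enumerate([0, 1, -1, 0, 2, -1, 0, 1]):
        lines.append(f'{t + 30 * i + jitter} 10.0.0.5 {C2} POST "{ODD_UA}" {BEACON_BODY}')
    for ts, src in [(1336500003, "10.0.0.7"), (1336500049, "10.0.0.7"),
                    (1336500052, "10.0.0.8"), (1336500140, "10.0.0.7"),
                    (1336500141, "10.0.0.8"), (1336500200, "10.0.0.7"),
                    (1336500205, "10.0.0.7"), (1336500390, "10.0.0.7")]:
        lines.append(f'{ts} {src} www.example.com GET "{NORMAL_UA}" -')
    return sorted(lines, key=lambda line: int(line.split()[0]))


def parse(lines):
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # skip malformed lines instead of crashing the whole run
            r = m.groupdict()
            r["ts"] = int(r["ts"])
            records.append(r)
    return records


def rare_user_agents(records, max_sources=1):
    """User-Agent strings seen from at most `max_sources` distinct hosts."""
    sources = defaultdict(set)
    for r in records:
        sources[r["ua"]].add(r["src"])
    return {ua: sorted(s) for ua, s in sources.items() if len(s) <= max_sources}


def decode_base64_body(body):
    """Decoded bytes if `body` is valid base64 of printable text, else None.
    base64 is encoding, not encryption; undoing it costs one call."""
    if body in ("", "-") or len(body) % 4:
        return None
    try:
        raw = base64.b64decode(body, validate=True)
    except binascii.Error:
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw
    return None


def beacon_candidates(records, min_events=5, max_cv=0.15):
    """(src, dst) pairs whose inter-request gaps are nearly constant.
    cv = stdev/mean of the gaps: a timer gives a low cv, a person a high one.
    Returns {(src, dst): (mean_gap_seconds, cv)}."""
    times = defaultdict(list)
    for r in records:
        times[(r["src"], r["dst"])].append(r["ts"])
    found = {}
    for pair, ts in times.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            found[pair] = (round(mean, 1), round(cv, 3))
    return found


def run_checks(lines):
    records = parse(lines)
    decoded = {r["body"]: decode_base64_body(r["body"])
               for r in records if r["method"] == "POST"}
    return {
        "rare_ua": rare_user_agents(records),
        "decoded": {k: v for k, v in decoded.items() if v},
        "beacons": beacon_candidates(records),
    }


if __name__ == "__main__":
    for name, result in run_checks(make_sample_log()).items():
        print(name, result)
```

On the constructed log the bot stands out on all three checks at once: its User-Agent is unique on the network, its POST body decodes to the machine profile, and its 30-second cadence has a coefficient of variation around 0.06 while the human browsing sits near 0.8. Any one of these alone produces false positives (a legitimate updater also beacons on a timer), so the value is in correlating them over the same source/destination pair.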
One last thing: we know where you are, malware guys
“Invest in preparedness, not in prediction.” —Nassim Taleb, The Black Swan
Thank You. Andrew Brandt, abrandt@soleranetworks.com, blog.soleranetworks.com, http://j.mp/bigdata_auscert, @SoleraBlog, Facebook.com/soleranetworks