Getting Ahead of the Security Threat: Proactive Mitigation for State Government
Bruce Roton, CISSP, CISM, CEH, CISA, CGEIT, ISO27001, CSSGB, Director, Security Solutions Architecture
Agenda
• Security Statistics and Trends
• Traditional Security Infrastructures and Protection Models (and Why they Fail)
• Analytics Using NetFlow Statistics (and Packet Capture)
• Turning Detection into a Prevention Strategy
• Custom Crafted Compromise Detection
• Level 3 Communications: Carrier View
• Summary and Recommendations
Cyber Warfare on the Rise
• In 2007 US-CERT* received almost 12,000 cyber incident reports
• By 2009, there were over 24,000 cyber incidents reported
• By 2012, there were over 48,000 cyber incidents reported
*US-CERT is the United States Computer Emergency Readiness Team, under the US Department of Homeland Security
Cyber Attacks Explained
• Notable Statistics:
  • Social Engineering is back on the rise after a 2 yr decline (spear phishing)
  • Malware and Hacking are consistent leaders
  • Physical attacks, though on the rise, are primarily tampering and POS attacks (discounting espionage for IP)
  • While Misuse seems to rise, it is likely skewed by sample and focused on financially motivated attacks
Source: Verizon 2013 Data Breach Investigations Report
Role of Botnets in Attacks
• Botnets are proliferating at a high rate.
• Botnet uses are expanding rapidly:
  • Theft of financial credentials
  • Self propagation
  • DDoS sourcing
  • Installation of keyloggers
  • Spam and Phishing sourcing
• Botnets are regularly updated and provide a flexible platform for malware loading
Source: Verizon 2013 Data Breach Investigations Report
Who is being Attacked?
• Biggest Target is Financial Services
• Second Biggest Target is Government
• News attacks are typically State Sponsored and Hacktivist
• Industry attacks are typically espionage targeting IP
Cyber Security in the News
• Idaho State University fined over $400K for breach of unsecure electronic health information of patients at the University’s Medical Clinic (June 2013)
• Utah State Tax Commission promising tighter security on new software in the shadows of the Utah Department of Health’s 2012 breach of 780,000 pieces of data
• Washington State Administrative Office of the Courts announced a data breach of 160,000 Social Security numbers and 1 million driver’s license numbers (May 2013)
• California launches Cybersecurity Task Force, in an effort to mitigate the growing number of sophisticated cyber attacks hitting state governments (May 2013)
• Recent Cyberintrusion Data
  • The Pentagon reports getting 10 million cyberintrusion attempts a day
  • The National Nuclear Security Administration, of the Energy Department, also records 10 million hacks a day
  • The State of Michigan deals with close to 120,000 cyberincidents a day
  • Utah says it faces 20 million attempts a day, up from 1 million a day 2 years ago
Source: nextgov.com
Is your agency at risk?
Recent Examples:
• Law Enforcement, May 2013: Man pleads guilty to attacks on Texas intelligence firms; also admits involvement in cyber attacks on law enforcement websites
• University System, March 2013: “Two Journalism Sites of the University of Texas at Austin Hit by Massive Cyberattack”
Links:
http://www.washingtontimes.com/news/2011/nov/18/hackers-apparently-based-in-russia-attacked-a-publ/?page=all
http://www.upi.com/Top_News/US/2013/05/29/Anonymous-hacker-pleads-guilty-to-Austin-Texas-cyberattack/UPI-96691369830610/
http://www.signix.com/credit-union-news/bid/93563/Texas-credit-union-website-hit-by-cyber-attack
http://www.cyberwarnews.info/2013/04/01/first-national-bank-texas-hacked-social-security-details-leaked-for-opblacksummer/
http://otm.myfoxal.com/news/crime/157323-cybercrooks-use-interest-texas-plant-explosion-attack-computers
http://news.softpedia.com/news/Two-Journalism-Sites-of-the-University-of-Texas-at-Austin-Hit-by-Massive-Cyberattack-340277.shtml
http://www.esecurityplanet.com/network-security/texas-tech-university-health-sciences-center-admits-data-breach.html
The Target is Growing
• Employee Mobility
• Social Networking and Engagement
• Cloud-based Services
• BYOD
• Mobile Devices
Threat Trends and Attack Strategy Advancements
• Get in, stay in, steal quietly for years
• Not all APT is really APT (and why we hate this term)
• Submarine warfare and the Hunt for Red 0Day
• Highly motivated, willing to make capital investment
• Proliferation of comprehensive toolkits and malware packaging websites (with customer support!)
• They share attacks better than we share defenses
• Understanding the value proposition for criminals
• Beyond the criminal mind: State Sponsorship
  • Critical infrastructure
  • Patents, research, and theft of Intellectual Property
  • Political motivations
Traditional Infrastructures and Protection Models (AKA, how did we end up spending so much?)
• Protect the perimeter from intrusion
• Protecting the network
• Protecting the user systems
• Filters, filters and more filters (web, email, file, and content)
• Stopping the leaks with DLP
• Protecting the web servers
• The “Protect Everything” model
Controls and Validations: Email Filter, Host/App Identity Authentication, Web Filter, DoS Protection, Firewalls and IPS, File Integrity, Host AV, Host IPS, DLP Filter, Penetration Testing, Application Testing, Vulnerability Testing
Why our Security Architectures Fail: Two Primary Reasons
• Software: developed by humans and not perfect
• People: coincidentally, also developed by humans and not perfect (social engineering works)
Why Can’t We Make it Secure Through Testing?
• First and foremost, the goal of testing has traditionally been to validate that something works and does what we planned, not to see if we can make it do unplanned stuff.
• Vulnerability assessors and Penetration testers generally don’t build custom tools just to exploit your environment.
• Vulnerability assessors and Penetration testers do not have the same level of motivation as a hacker.
• Vulnerability assessors and Penetration testers care about collateral damage.
• Vulnerability assessors and Penetration testers don’t have years to find your weak spots.
Good Analytics Using NetFlow Statistics
• Catches the obvious
  • Abuse (so why is 80% of your traffic iTunes?)
  • Misuse (so why are you running a game server on the campus net?)
• Catches the less obvious
  • Talking to restricted locations (so who do you know in Cuba?)
  • Unexpected/Banned protocols (so what are you using FTP for?)
  • Encrypted channels (so do you have a business partner in Belarus?)
• Can catch the true outliers (a bit more work/storage)
  • Rare Comms (so why do we only talk at 3am on Wednesday?)
  • Suspicious new connections (so why are you acting different now?)
  • Compare realtime streams with historical norms
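As an added example (not from the presentation), the checks this slide lists expressed over constructed NetFlow-style records in Python: banned protocols, a restricted destination range, peers never seen before for a host, and traffic outside the host's normal hours. The baseline, the banned-port table and the restricted address prefix are all assumed stand-ins, not real data.

```python
# Added example: flag NetFlow-style records against a historical baseline.
from collections import namedtuple
from datetime import datetime

# Minimal flow record; the field names are an assumption, not a vendor schema.
Flow = namedtuple("Flow", "ts src dst dport proto bytes")

# Constructed baseline: the peers and hours each internal host normally talks to.
BASELINE = {
    "10.0.1.5": {"peers": {"10.0.2.10", "93.184.216.34"}, "hours": set(range(8, 19))},
}
# Protocols the slide calls out as unexpected on a workstation network.
BANNED_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP"}
# Constructed stand-in for a restricted geography (a real deployment would use GeoIP).
RESTRICTED_PREFIXES = ("37.215.",)

def flag_flow(flow, baseline=BASELINE):
    """Return the reasons this flow deserves a look (an empty list means normal)."""
    reasons = []
    if flow.dport in BANNED_PORTS:
        reasons.append(f"banned protocol {BANNED_PORTS[flow.dport]} on port {flow.dport}")
    if flow.dst.startswith(RESTRICTED_PREFIXES):
        reasons.append(f"destination {flow.dst} is in a restricted range")
    norm = baseline.get(flow.src)
    if norm:
        if flow.dst not in norm["peers"]:
            reasons.append(f"new peer {flow.dst} never seen for {flow.src}")
        hour = datetime.fromisoformat(flow.ts).hour
        if hour not in norm["hours"]:
            reasons.append(f"off-hours traffic at {hour:02d}:00")
    return reasons

# Constructed sample flows: one normal, one off-hours transfer to a new restricted peer,
# one FTP session to a known peer.
SAMPLE_FLOWS = [
    Flow("2013-06-12T10:15:00", "10.0.1.5", "10.0.2.10", 443, "tcp", 1200),
    Flow("2013-06-12T03:00:00", "10.0.1.5", "37.215.4.9", 443, "tcp", 52000),
    Flow("2013-06-12T11:00:00", "10.0.1.5", "10.0.2.10", 21, "tcp", 300),
]

def triage(flows):
    """Keep only the flows with at least one reason, with their reasons attached."""
    return [(f.src, f.dst, flag_flow(f)) for f in flows if flag_flow(f)]

if __name__ == "__main__":
    for src, dst, reasons in triage(SAMPLE_FLOWS):
        print(src, "->", dst, ";", "; ".join(reasons))
```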
Advanced Analytics with Flow Statistics
• Requires one-for-one capture
• Potential triggers and fingerprinting
  • Packet size within sequence: fingerprint potential malware download
  • Conversation timing: associating packet delta with specific malware
  • Flags and window size: fingerprinting systems and malware
• Data Mining for Traffic Signatures
  • Step 1: Use honeypots/tar-pits to attract and capture
  • Step 2: Lots of post-attack traffic correlation to identified attacks
  • Step 3: Investigate suspicious sequences for potential attacks
  • Step 4: Reverse engineer captured malware to determine purpose and look for similar activities
  • Step 5: Build a malicious IP watchlist for traffic risk management (may also augment with external sources)
  • Step 6: Correlate realtime traffic to signatures and watchlist
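An added example, not the presenter's code, of Step 6 applied to the first two triggers above: a signature made of a packet-size sequence plus an inter-packet timing bound is matched against constructed per-packet records, and the peers are checked against a watchlist. The signature values and the watchlist address are made up for the illustration.

```python
# Added example: correlate per-packet flow records with constructed traffic
# signatures (size sequence + timing) and a malicious-IP watchlist.
from dataclasses import dataclass

@dataclass
class Signature:
    name: str
    sizes: tuple          # expected packet sizes, in order
    max_delta_ms: float   # largest allowed gap between consecutive packets
    tolerance: int = 16   # bytes of slack per packet

    def matches(self, packets):
        """packets: list of (timestamp_ms, size). Look for the size sequence as a
        contiguous window, then require every inter-packet delta to be inside the bound."""
        n = len(self.sizes)
        for start in range(len(packets) - n + 1):
            window = packets[start:start + n]
            sizes_ok = all(abs(sz - want) <= self.tolerance
                           for (_, sz), want in zip(window, self.sizes))
            if sizes_ok:
                deltas = [b[0] - a[0] for a, b in zip(window, window[1:])]
                if all(d <= self.max_delta_ms for d in deltas):
                    return True
        return False

# Constructed signature and watchlist stand-ins; real ones come from honeypot captures
# and the Step 5 watchlist.
SIGNATURES = [Signature("constructed-dropper-download", (74, 1460, 1460, 1460, 310), 50.0)]
WATCHLIST = {"198.51.100.23"}

def score_flow(src, dst, packets, signatures=SIGNATURES, watchlist=WATCHLIST):
    """Return the findings for one conversation: watchlist hits first, then signatures."""
    findings = []
    if dst in watchlist or src in watchlist:
        findings.append("peer on watchlist")
    findings += [f"signature {s.name}" for s in signatures if s.matches(packets)]
    return findings

# Constructed packet lists as (timestamp_ms, size). MISS has the same sizes as HIT
# but the slow timing of an ordinary interactive session, so only HIT fingerprints.
HIT = [(0, 70), (12, 1460), (20, 1460), (31, 1460), (40, 300)]
MISS = [(0, 70), (900, 1460), (1800, 1460), (2700, 1460), (3600, 300)]

if __name__ == "__main__":
    print(score_flow("10.0.1.5", "198.51.100.23", HIT))
    print(score_flow("10.0.1.5", "203.0.113.7", MISS))
```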
Better Analytics Using PCAP (Bleeding Edge Research)
• This is what the AV and IPS companies are doing.
• Payload capture and analytic modeling
• Note: Some assembly required
• Potential triggers and fingerprinting
  • Size of the malware payload
  • Executable code and scripts
  • Application and port targeting
• Data Mining for Payload Signatures
  • Step 1: Use honeypots/tar-pits to attract and capture
  • Step 2: Lots of post-attack traffic correlation to identified attacks
  • Step 3: Etc, etc, etc
Turning Detection into a Prevention Strategy
• Understanding the investment
  • Building the basic analytics engines and developing the tuning skills to effectively operate them will take a minimum of 6 months
  • Building the monitoring infrastructure will take 2-6 months depending on the complexity of the network environment
  • Building the database of traffic signatures and heuristic models will take a minimum of 6 months
  • Building your reverse engineered malware library may take 8-12 months
• When should encrypted channels be permitted?
• When knowing can hurt you
  • The liability of knowledge
  • Make sure you have funding for remediation efforts
  • Make sure your Incident Response plan is sound and tested
Steganography Based Compromise Detection
• Cool new use for your IPS box
• Stego traps simplified
  • Step 1: Pick multiple locations of increasing sensitivity within the network
  • Step 2: Use a stego tool to create invisible digital watermarks at differing levels
  • Step 3: Create custom IPS signatures for the watermarks and watch for them on egress points
• Note the obvious issues with encrypted channels and pre-transit encryption.
• Tool options: StegoMagic, Steghide, Staanote, Cloak, DataStash, S-tools, Steganos Security Suite, Playmaker, Wbstego, Stegspy, etc.
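An added illustration of the three steps (not from the presentation and not using any of the listed tools): a per-tier tag is hidden in the least significant bits of a constructed carrier, the egress check reads those bits back out of a reassembled outbound payload, and a stand-in for pre-transit encryption shows why the note about encrypted channels matters. The tier tags, the carrier bytes and the keystream construction are all assumptions.

```python
# Added example: a minimal LSB watermark trap and its egress-side check.
import hashlib

# Constructed tags, one per sensitivity tier (Step 1 / Step 2); a real deployment
# would use unpredictable values so an attacker cannot strip them.
TIER_TAGS = {1: b"WM-T1-", 2: b"WM-T2-", 3: b"WM-T3-"}
TAG_LEN = 6

def embed_watermark(carrier: bytes, tier: int) -> bytes:
    """Write the tier tag, one bit per byte, into the LSB of the carrier bytes."""
    bits = [(b >> i) & 1 for b in TIER_TAGS[tier] for i in range(7, -1, -1)]
    if len(bits) > len(carrier):
        raise ValueError("carrier too small for the watermark")
    out = bytearray(carrier)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def read_lsb_bytes(data: bytes, nbytes: int) -> bytes:
    """Rebuild nbytes from the LSBs of data (what the egress signature looks at)."""
    bits = [b & 1 for b in data[:nbytes * 8]]
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, usable, 8))

def egress_check(payload: bytes):
    """Step 3: return the tier whose watermark is present in the payload, else None.
    Assumes the payload has already been reassembled from the flow (headers stripped)."""
    lsb = read_lsb_bytes(payload, TAG_LEN)
    for tier, tag in TIER_TAGS.items():
        if lsb == tag:
            return tier
    return None

def constructed_encrypt(payload: bytes, key: bytes) -> bytes:
    """Stand-in for pre-transit encryption: XOR with a hash-derived keystream.
    Not a real cipher; it only shows that the LSB pattern no longer survives."""
    out = bytearray()
    for block in range(0, len(payload), 32):
        ks = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        out += bytes(p ^ k for p, k in zip(payload[block:block + 32], ks))
    return bytes(out)

CARRIER = bytes(range(256)) * 2            # constructed stand-in for an image body
MARKED = embed_watermark(CARRIER, 3)       # planted in the most sensitive location

if __name__ == "__main__":
    print("plain egress:", egress_check(MARKED))
    print("encrypted egress:", egress_check(constructed_encrypt(MARKED, b"constructed-key")))
```

The second print shows the caveat from the slide: once the file is encrypted before it leaves, the LSB signature never fires, so the trap only covers cleartext egress.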
Global Security Scope of Operation
We operate some of the world’s largest networks and application environments
• Level 3 Global Internet
  • 8 Tbps of continuous traffic
• Level 3 DNS Caching Infrastructure
  • http://en.wikipedia.org/wiki/User:Incu_Master/4.2.2.2
• Level 3 CDN
Global Security Monitoring Environment
• We monitor 950 million security events per day
  • Enterprise, Products, Managed Security
• We monitor over 90 billion netflow sessions per day
  • Over 2 TB of storage capacity per day
• We perform daily audits, and protect and monitor all Level 3 products, services and systems
  • 200,000 elements (130k network, 70k systems)
  • 3,000 applications
  • 3,000 video cameras
  • 10,000 badge readers
Global Security Defense Environment
• Defending against some of the most sophisticated attacks in the industry
  • Over six attacks a second on our public infrastructure
  • Numerous zero day attacks per month
  • Focus on intelligent, role-targeted attacks
  • Social research to find targeted employees
  • Attacks from sophisticated, adaptable botnet armies
• Centralized Security Organization
  • Enterprise, infrastructure, products/services and Managed Security
  • Proactive Protection
  • Attack Detection and Reactive Response
  • Predictive Analysis
  • Lifecycle Management
  • Policy, Physical, Logical, Compliance
• Policy structure based on NIST 800-53 and ISO 27001
• Four global Security Operations Centers
Threat Intelligence System
• We monitor 90B netflow messages a day, looking for botnet activity and compromised computer systems
• We track botnet and other malicious traffic based on known and unknown traffic patterns
• Database is linked to our Managed Security service for proactive blocking
• We issue “take down” requests to hosting ISPs to notify them of C2s
Summary and Basic Recommendations
• Focus on the easy stuff first and harness the power of your network visibility and controls (Detective/Preventive)
• Excuse me, but what are you looking for? Define suspicious, and then look for it!
  • Where is Data-XXX supposed to live, and have you seen it anywhere else?
  • Should that server ever communicate with anyone outside this network?
  • Exactly who should be accessing those data stores?
  • Should [fill in the blank] type of data be traversing your network?
  • Do you have a business partner in Iran?
  • Should that comms channel really be encrypted?
  • Why is there a Telnet session running, or port 25?
Outsource Options to Get Ahead of the Attack
Full managed UTM services
• Managing device health
• Proactive and reactive configurations for filter rules
• IPS/IDP features and custom rules
• Web URL and Content Filters
• Anti-virus settings
• DDoS Protection
  • Detection services
  • Cloud Based Mitigation services
Proactive discovery and mitigation of potential security issues
• Advanced SIEM content and expert analytical skill with fine-tuned process and procedures to leverage people and tools
• Realtime blocking of zero day attacks
Reactive Response to Security Issues
• Immediate detection and recognition of attacks and suspicious or abnormal network activity
Connection, authentication and performance support for secure VPN solutions
• Site-to-Site static tunnels
• Remote end-user solutions (SSL/IPSec)
Professional Services
• Assessments and Testing
• Data Discovery
• Roadmaps and Planning