Presentation Transcript


  1. Preparing for the Inevitable: How to Fight Advanced Targeted Attacks with Security Intelligence and Big-Data Analytics. See everything. Know everything.™ Andrew Brandt, Director of Threat Research

  2. Big Data. Little attacks. Andrew Brandt, Director of Threat Research

  3-7. Who I am and what I do @SoleraBlog #AusCERT12 #bigdata • Former journalist • Self-taught security enthusiast • Malware analyst • Network security researcher • If you code, distribute, or use malware for gain, prepare for maximum mockery and humiliation.

  8. What I do: a story behind every attack. Sometimes, strange stuff just happens.

  9. Break computers for fun and profit. “Yep, you nailed it.” “I couldn’t have said it better myself.” Little-known “mea culpa” feature of Blackshades RAT.

  10. Involved, enthusiastic blog readership

  11. Why so touchy? A little too close to home?

  12. Today’s Persistent, Blended Threats. Communication: • Social engineering • Convince victim to do something (visit web page, download file, execute binary). Exploitation: • Enumerate surface • Exploit vulnerability • Infiltrate system. Propagation: • Maintain connectivity • Spread to other systems • Expand attack footprint • Adapt to countermeasures.

  13. The Challenge of Keeping Pace… 87% of breaches involved customized malware (no signature available at the time of exploit) (VzB/USSS). 54% of records stolen were stolen using Highly Sophisticated Attacks (VzB/USSS). $7.2M was the average cost of a data breach in 2011 (Ponemon).

  14. Big Data Landscape – Security Intelligence & Analytics: next-gen firewalls, intrusion prevention systems, big data analytics, log management, data leakage prevention, security information event management, content filtering. “Context-aware and adaptive security will be the only way to securely support the dynamic business and IT infrastructures emerging during the next 10 years.” (Neil MacDonald, VP & Fellow, Gartner)

  15. What does this stuff look like when it’s happening?

  16. Would this convince you to click?

  17. Reply to the IRS…using LinkedIn?

  18. Seriously. Are you guys new to this whole trying-to-convince-people thing?

  19. What about one of these?

  20. Yeah, it’s malicious.

  21. Indistinguishable from normal email…

  22. …until it isn’t, anymore.

  23. Cyber Attacks Accelerate… [timeline figure, Oct through Jul ‘11; labelled events: “Operation Aurora”, Diplomatic Cables Leak]

  24. The Malware Problem – Overwhelming Odds. “With security researchers now uncovering close to 100,000 new malware samples a day, the time and resources needed to conduct deep, human analysis on every piece of malware has become overwhelming.” (GTISC Emerging Cyber Threats Report 2011)

  25. Record everything, 24/7. Timely analysis and insight into every packet entering or leaving your network. Actionable intelligence, forensics and situational awareness. Unmatched multi-dimensional flow enrichment and big data warehousing. Records, classifies and indexes all packets and flows from L2 – L7. On the wire, file-level visibility of data exfiltration and malware infiltration. Flexible, open and easy-to-use platform.

  26. Multiple Levels of Indexing: Packet Capture and Repository (DSFS) • Full fidelity, full payload streaming capture • Capable of 10s of Gb/s data storage • Support for simultaneous readers and writers • Maximum throughput via smart streaming writes and reads

  27. Multiple Levels of Indexing: Solera DB Index • SoleraDB, the middle layer, contains the data necessary to find and reconstruct packets, flows, and entire network sessions in perfect fidelity • Handles millions of IOPS on a single appliance • Used as a “quick rejection” for the Packet Capture and Repository

  28. Multiple Levels of Indexing: Solera DB Bitmask & Hash • Per-attribute quick lookup layer • Takes milliseconds to accept/reject hundreds of MBs of capture data • Search queries are processed using a proprietary algorithm that generates hash values; the top layer of the search engine uses them to quickly determine which 64MB chunks the data are in
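The quick-reject layer on slides 27-28 can be illustrated with a per-attribute, Bloom-style bitmask kept for each 64MB capture chunk: a query hashes its attribute values and any chunk whose bitmask lacks the corresponding bits is rejected without being read. This is an added example, not Solera's code or algorithm; the mask width, hash count, attribute names and the flow records are all assumptions.

```python
import hashlib

BITS = 4096    # bits per attribute bitmask, one mask per 64 MB chunk (assumed)
HASHES = 3     # hash positions set per value (assumed)


def _bit_positions(attr, value):
    """Hash one attribute/value pair to HASHES positions in a BITS-wide mask."""
    digest = hashlib.sha256(f"{attr}={value}".encode()).digest()
    return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % BITS for i in range(HASHES)]


class ChunkIndex:
    """Bloom-style bitmask per attribute for one capture chunk (constructed demo)."""

    def __init__(self, chunk_id):
        self.chunk_id = chunk_id
        self.masks = {}  # attr -> int used as a BITS-wide bitmask

    def add(self, record):
        for attr, value in record.items():
            mask = self.masks.get(attr, 0)
            for b in _bit_positions(attr, value):
                mask |= 1 << b
            self.masks[attr] = mask

    def may_contain(self, query):
        """False = chunk definitely holds no packet matching every queried attribute."""
        for attr, value in query.items():
            mask = self.masks.get(attr, 0)
            if any(not (mask >> b) & 1 for b in _bit_positions(attr, value)):
                return False
        return True  # possible match only; the middle (SoleraDB-style) layer must confirm


def chunks_to_scan(indexes, query):
    """Quick-reject pass: ids of the chunks still worth opening for this query."""
    return [ix.chunk_id for ix in indexes if ix.may_contain(query)]


def build_demo():
    """Two chunks of constructed flow metadata (not real capture data)."""
    chunk0 = ChunkIndex(0)
    chunk0.add({"src_ip": "10.0.0.5", "dst_port": 443, "http_host": "mail.example.test"})
    chunk0.add({"src_ip": "10.0.0.7", "dst_port": 80, "http_host": "cdn.example.test"})
    chunk1 = ChunkIndex(1)
    chunk1.add({"src_ip": "10.0.0.9", "dst_port": 443, "http_host": "evil.example.test"})
    return [chunk0, chunk1]
```

Because the masks are per attribute, a query for src_ip 10.0.0.5 with dst_port 80 still accepts chunk 0 even though no single record carries both values; the layer only rejects, it never confirms, which is exactly why the slide describes it as a quick rejection in front of the fuller index.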

  29. Metadata Attribute Mappings

  30. So, what happens when someone clicks one of these links?

  31. The victim sees this…

  32. Meanwhile…CVE 2011-3544 Javasploit

  33. Most Dreaded Questions from the CISO: Can we be sure it won’t happen again? Who did this to us – and how? How long has this been going on? What did we lose, and when? Is it over yet?

  34. Breaches Happen. Deal With It.

  35. I see what you did there: “Classic” Blackhole Exploit Kit behavior, malware payload delivered at the end.

  36. Danger, Will Robinson

  37. Your reputation precedes you. Look up rep on: domain, IP, any extracted artifact. Reputation services: VirusTotal, ClamAV, SORBS, Robtex, SANS ISC, Google SafeBrowse, …

  38. Real-Time Extractor: Malware at the speed of light. Delivering file-level alerting and malware analysis—at the network layer—to any enterprise. Policy-based: protocol, country, MIME-type, file extension, etc. Continuous detection of all network traffic—analyze, index, alert. Alert-triggered analysis—PDF, .js, PE, Flash, JAR, OLE, .apk, etc. Collapse the distributed network—leverage core security infrastructure.

  39. What’s in your pingback? When malware phones home it exfiltrates sensitive data: • “Beacon” packets • Profiling info about infected PC • Geolocation • Stolen passwords • Extracted email addresses • Other documents. And it receives: • Instructions • Links to payloads • Poison pill self-deletion command

  40. Zbot/Spyeye Target List. Partial target list, downloaded by Trojan. Domains include those of banks that service business customers. Targets vary based on the victim’s location in the world. One mistaken click, by the wrong employee, can bankrupt a corporation!

  41. When malware phones home: some RATs or phishing Trojans don’t bother to hide their activity; others try to obfuscate the data with base64.

  42. Revealed, you are by your weird User-Agent

  43. Collecting Decrypted SSL Traffic: 100% encrypted traffic decrypted, captured, classified and indexed. Protects against SSL-encrypted bot traffic or confidential information leakage. [diagram: Web Browser (SSL Client), Transparent SSL Proxy, Internet/WAN, Web Servers (SSL Servers); SSL Session 1 and SSL Session 2, non-SSL traffic; decrypted and captured traffic and common control/management to the Solera DS Appliance; “In partnership with…”]

  44. Decrypted SSL Zbot/Cridex Pingback. Every 5-60 seconds, the bot sends this SSL-encrypted packet to its CnC server: “I’m still here. Ready for orders.”
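Slides 39, 41, 42 and 44 name three tells a defender can test for once traffic is captured and (where needed) decrypted: a fixed-interval beacon to one host, a base64-wrapped body that decodes to plain text, and an odd User-Agent. The detection logic below, run over constructed proxy log lines, is an added example and not from the talk or the product; the log format, the 5-60 second band from slide 44, the jitter tolerance and the "expected" User-Agent prefix are all assumptions.

```python
import base64, re, statistics
from collections import defaultdict

# Constructed proxy log lines: epoch, client, destination host, "User-Agent", optional body.
LOG_RE = re.compile(r'^(\d+) (\S+) (\S+) "([^"]*)"(?: (\S+))?$')
LOGS = """\
1337000000 10.0.0.9 cnc.example.test "Mozilla/4.0" c3RpbGwgaGVyZQ==
1337000030 10.0.0.9 cnc.example.test "Mozilla/4.0" c3RpbGwgaGVyZQ==
1337000060 10.0.0.9 cnc.example.test "Mozilla/4.0" c3RpbGwgaGVyZQ==
1337000012 10.0.0.7 news.example.test "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
1337000500 10.0.0.7 news.example.test "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
"""


def parse(text):
    """Return (ts, src, host, ua, body) tuples; body is None when the request had none."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts, src, host, ua, body = m.groups()
            rows.append((int(ts), src, host, ua, body))
    return rows


def decode_if_base64(body):
    """Slide 41's base64 'obfuscation': return the plaintext if the body decodes cleanly."""
    try:
        text = base64.b64decode(body, validate=True).decode("ascii")
    except (TypeError, ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def find_beacons(rows, min_hits=3, lo=5, hi=60, max_jitter=0.2):
    """(src, host) pairs contacted at a near-constant interval inside the 5-60 s band."""
    times = defaultdict(list)
    for ts, src, host, _, _ in rows:
        times[(src, host)].append(ts)
    found = {}
    for key, stamps in times.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if lo <= mean <= hi and statistics.pstdev(gaps) <= max_jitter * mean:
            found[key] = mean  # steady cadence: a candidate "I'm still here" beacon
    return found


def odd_user_agents(rows, expected_prefix="Mozilla/5.0"):
    """Slide 42's tell: User-Agent strings that do not claim a current browser (assumed prefix)."""
    return sorted({ua for _, _, _, ua, _ in rows if not ua.startswith(expected_prefix)})
```

Real traffic needs the jitter tolerance and the User-Agent allow-list tuned to the environment; the cadence test alone will also catch legitimate pollers, so treat a hit as a lead for the reputation lookups on slide 37 rather than as a verdict.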

  45. One last thing: we know where you are, malware guys.

  46. “Invest in preparedness, not in prediction.” (Nassim Taleb, The Black Swan)

  47. Thank You. Andrew Brandt, abrandt@soleranetworks.com, blog.soleranetworks.com, http://j.mp/bigdata_auscert, @SoleraBlog, Facebook.com/soleranetworks
