
Security Analytics

Architecture for APT

Dale Long, Sr. Technology Consultant, RSA Security

© Copyright 2011 EMC Corporation. All rights reserved. 1


Agenda
• APT: Defined
• Methodology
• APTs are Nasty Because
• Evolution
• Response
• The Challenge of Cleanup
• Needed Capabilities
• Lessons Learned
• Introduction to Security Analytics



You Down With APT?



Advanced Persistent Threats
• Operators behind the threat have:
• a full spectrum of intelligence gathering techniques at their disposal.
• May include computer intrusion technologies and techniques, but
also extend to conventional intelligence gathering techniques such
as telephone interception technologies and satellite imaging.
• Often combine multiple targeting methods, tools and techniques in
order to reach and compromise their target and maintain access to it.
• Can use malware components generated from commonly available
do-it-yourself malware construction kits, or easily procured
exploit materials.
• Can typically access and develop more advanced tools as required.



Advanced Persistent Threats
• Operators give priority to a specific task, rather than
opportunistically seeking information for financial or other
gain.
• Implies that attackers are guided by external entities.
• Targeting is conducted through continuous monitoring and
interaction in order to achieve the defined objectives. It
does not mean a barrage of constant attacks and malware
updates.
• In fact, a “low-and-slow” approach is usually more
successful. If the operator loses access to their target they
usually will reattempt access, and most often,
successfully.



Advanced Persistent Threats
• APTs are a threat because they have both capability
and intent.
• A level of coordinated human involvement in the
attack, rather than a mindless and automated piece of
code.
• The operators have a specific objective and are
skilled, motivated, organized and well funded.



APTs Key Features
1. Highly-targeted
• Tailored to an individual organization
2. Well-researched
• Reconnaissance on people and processes
3. Well-funded
• Financial backing for intensive, long-term attacks
4. Designed to evade detection
• “Low and slow”
5. Multiple vectors
• Social engineering, application-layer exploits, zero-day malware, and
data exfiltration techniques, etc.



APT: Methodology
Step One: C2 Communication
The malware contacts C2 servers for instructions, such as
downloading and executing new malware or opening a reverse
backdoor — allowing the attacker full access to the compromised
system, bypassing firewall
restrictions.
Step Two: Attack
The attacker (through the reverse backdoor) compromises multiple
sources of interest, such as database servers, email servers, and
file share servers.
Step Three: Data Staging
The attacker sends data to a staging server. Once the data is set,
the attacker then compresses the data (using the rar.exe utility)
and password protects it.
Step Four: Data Exfiltration
The attacker uses malware to send the data through an encrypted
tunnel to a malicious external IP address.
• The use of “staging servers” to aggregate the data they intend to
steal.
• Encryption and compression of the data they steal.
• Deleting the compressed files they exfiltrated from the “staging
server”.
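The staging and exfiltration steps above leave a recognisable trace in process telemetry: an archiver started with a password flag, writing an archive outside a user's profile, followed later by a deletion of that same archive. The following detector is an added example for this page, not RSA code or anything from the deck; the events are constructed process-creation records, and the `rar`/`7z` password switches (`-hp<pw>`, `-p<pw>`) are the documented command-line options of those tools.

```python
import re

# Constructed sample of process-creation events (timestamp, host, parent image,
# image, command line); not real telemetry from the deck or from any product.
SAMPLE_EVENTS = [
    ("2011-03-01T02:10:05", "fs01", "cmd.exe", "rar.exe",
     r"rar.exe a -r -hpN0tS3cret C:\Windows\Temp\upd1.rar \\fs01\finance\*.xlsx"),
    ("2011-03-01T02:11:40", "fs01", "cmd.exe", "rar.exe",
     r"rar.exe a -v100m -hpN0tS3cret C:\Windows\Temp\upd2.rar C:\Users\j.doe\Documents"),
    ("2011-03-01T02:30:12", "fs01", "svchost.exe", "cmd.exe",
     r"cmd.exe /c del /q C:\Windows\Temp\upd1.rar C:\Windows\Temp\upd2.rar"),
    ("2011-03-01T09:00:00", "ws22", "explorer.exe", "WinRAR.exe",
     r"WinRAR.exe a C:\Users\a.lee\Desktop\photos.rar C:\Users\a.lee\Pictures"),
]

# Archivers used for staging. rar's -hp<pw> encrypts headers and data, -p<pw>
# encrypts data only; 7-Zip also takes -p<pw>.
ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe"}
PASSWORD_FLAG = re.compile(r"(?:^|\s)-(?:hp|p)\S+", re.IGNORECASE)
ARCHIVE_PATH = re.compile(r"\S+\.(?:rar|7z|zip)\b", re.IGNORECASE)
DELETE_CMD = re.compile(r"\b(?:del|erase|rm|remove-item)\b", re.IGNORECASE)


def find_staging(events):
    """Flag password-protected archive creation and later deletion of those archives.

    events is a time-ordered iterable of (ts, host, parent, image, cmdline).
    Returns a list of finding dicts in the order they were observed.
    """
    findings = []
    staged = {}  # (host, lower-cased archive path) -> creation timestamp
    for ts, host, parent, image, cmdline in events:
        if image.lower() in ARCHIVERS and PASSWORD_FLAG.search(cmdline):
            archives = [a.lower() for a in ARCHIVE_PATH.findall(cmdline)]
            for path in archives:
                staged[(host, path)] = ts
            findings.append({"type": "staging", "ts": ts, "host": host,
                             "parent": parent, "archives": archives})
        elif DELETE_CMD.search(cmdline):
            # Anti-forensics: the attacker removes the archive once it is exfiltrated.
            hit = [path for (h, path) in staged
                   if h == host and path in cmdline.lower()]
            if hit:
                findings.append({"type": "staged_archive_deleted", "ts": ts,
                                 "host": host, "parent": parent, "archives": hit})
    return findings


if __name__ == "__main__":
    for f in find_staging(SAMPLE_EVENTS):
        print(f["ts"], f["host"], f["type"], ", ".join(f["archives"]))
```

On the constructed events the two encrypted archives on fs01 are reported as staging, and the later `del` of both paths (spawned from a process calling itself svchost.exe) is reported as deletion of staged archives; the interactive WinRAR run on ws22 has no password switch and is not reported. A second, weaker rule worth pairing with this one is the archiver being launched by anything other than an interactive shell.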



APTs are Nasty Because
• Little opportunity for correlation
– Focused, so no community sourced warning based on correlation across victims
– Zero-day heavy, so ineffective behavioral pattern or footprint signature correlation
– Complex and resilient CnC -> hard to correlate on attack source
– CnC operators change as botnets are transferred by section or by victim.
– Low and slow, so no temporal correlation. Signal to noise ratio is low. Touch to compromise ratio 1.4.
• APT malware avoids anomaly detection through:
– Outbound HTTP connections
– Process injection
– Service persistence
• APT Malware Analysis:
– Average file size: 121.85 KB
– Only 10% of APT backdoors were packed
– Packing is not as common in standard APT malware
– Packing is common in advanced APT malware and used by more advanced APT groups
• Most common APT filenames:
– svchost.exe (most common)
– iexplore.exe
– iprinp.dll
– winzf32.dll
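Because the most common APT filenames are copies of legitimate Windows names, a name-based signature is useless; what gives the masquerade away is where the binary lives and who started it. The check below is an added example, not code from the deck or from RSA. It assumes the Windows defaults that the real svchost.exe lives under System32/SysWOW64 and is started by services.exe, and that iexplore.exe lives under the Internet Explorer program directory; the process snapshot is constructed. The two DLL names on the slide are not covered here, since a DLL needs a loaded-module list rather than a process list.

```python
# Constructed process snapshot (pid, ppid, full image path); not real data.
SAMPLE_PROCS = [
    {"pid": 480,  "ppid": 400,  "image": r"C:\Windows\System32\wininit.exe"},
    {"pid": 600,  "ppid": 480,  "image": r"C:\Windows\System32\services.exe"},
    {"pid": 812,  "ppid": 600,  "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 1488, "ppid": 1400, "image": r"C:\Windows\explorer.exe"},
    {"pid": 2200, "ppid": 1488, "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"pid": 3012, "ppid": 1488, "image": r"C:\Users\Public\svchost.exe"},
]

# Where the genuine binaries live and which parent normally starts them
# (Windows defaults, an assumption for this example). None skips the parent check.
EXPECTED = {
    "svchost.exe": {
        "dirs": {r"c:\windows\system32", r"c:\windows\syswow64"},
        "parents": {"services.exe"},
    },
    "iexplore.exe": {
        "dirs": {r"c:\program files\internet explorer",
                 r"c:\program files (x86)\internet explorer"},
        "parents": None,
    },
}


def _split(image):
    """Return (lower-cased directory, lower-cased file name) of an image path."""
    directory, _, name = image.lower().rpartition("\\")
    return directory, name


def masquerade_findings(procs):
    """Report processes whose name is on the watch list but whose path or parent is wrong."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        directory, name = _split(p["image"])
        rule = EXPECTED.get(name)
        if rule is None:
            continue
        reasons = []
        if directory not in rule["dirs"]:
            reasons.append("unexpected path: " + p["image"])
        if rule["parents"] is not None:
            parent = by_pid.get(p["ppid"])
            parent_name = _split(parent["image"])[1] if parent else "<unknown>"
            if parent_name not in rule["parents"]:
                reasons.append("unexpected parent: " + parent_name)
        if reasons:
            findings.append({"pid": p["pid"], "name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in masquerade_findings(SAMPLE_PROCS):
        print(f["pid"], f["name"], "; ".join(f["reasons"]))
```

The genuine svchost.exe (pid 812, child of services.exe) and the browser pass; the copy in C:\Users\Public started by explorer.exe is reported on both counts. A missing parent (the launcher already exited) is reported as `<unknown>` rather than silently accepted.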



The APT Supply Chain: Choose Your Career Path
[Diagram: roles in the attacker supply chain]
• Technical infrastructure specialists & organizations: Tools, Hosting, Delivery
• Operational infrastructure specialists & organizations: Mules, Drops, Monetizing
• Communication: fraud forum / chat room
• Flow: Harvesting -> Target Data & User Accounts -> Cash Out

The “Community” of Attackers
[Diagram: attacker groups and their typical targets]
• Criminals
– Petty criminals: unsophisticated
– Organized crime: organized, sophisticated supply chains (PII, financial services, retail)
• Non-state actors
– Terrorists: PII, government, critical infrastructure
– Anti-establishment vigilantes (“Hacktivists”): targets of opportunity
• Nation states: PII, government, defense industrial base, IP-rich organizations



Advanced Threats 1.0 vs. 2.0
[Diagram: C2 traffic from a compromised host to attacker domains, labelled with example names and addresses (abc.com, def.com, 1.2.3.4, 3.7.9.1, 8.2.3.3)]
• Advanced Threats 1.0
– Clear-text & custom protocol
– Clear-text & normal-looking C2 traffic
– Custom encryption
• Advanced Threats 2.0
– SSL or other standards-based encryption
– Custom protocol on port 80/443
– Malware with no signature
• Detection approaches (left to right in the diagram): Content Inspection, Protocol Anomalies, Network Traffic Anomalies, Known Bad Endpoints
1% of attacks discovered by Anti-Virus, <1% by IDS. (Verizon 2011 DBIR)
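The practical difference between the two generations is which of the detection approaches still works. A custom clear-text or custom-encrypted protocol on port 443 fails the simplest protocol check (the first bytes are not a TLS record), whereas 2.0 traffic that really is TLS on 443 passes it and has to be caught by endpoint reputation, content inspection or traffic-pattern anomalies. The classifier below is an added example, not code from the deck or from RSA; the flows, the host names (taken from the diagram labels) and the "known bad" list are constructed. The TLS and HTTP checks only inspect the first bytes of each session.

```python
import re

# Constructed flow samples: destination, port and the first payload bytes of
# each outbound session. Names/addresses mirror the diagram and are not indicators.
SAMPLE_FLOWS = [
    {"dst": "def.com", "port": 443, "head": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"},
    {"dst": "8.2.3.3", "port": 443, "head": b"\x8f\x11\xa0\x42\x00\x00\x10\x3b"},
    {"dst": "abc.com", "port": 80,  "head": b"GET /index.html HTTP/1.1\r\nHost: abc.com\r\n"},
    {"dst": "3.7.9.1", "port": 80,  "head": b"\x01\x02BEACON\x00\x00"},
]

KNOWN_BAD = {"def.com"}  # constructed intelligence feed for the example

HTTP_REQUEST = re.compile(rb"^(?:GET|POST|HEAD|PUT|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")


def looks_like_tls(head):
    """A TLS session opens with a handshake record: type 0x16, version 3.0 to 3.4."""
    return len(head) >= 3 and head[0] == 0x16 and head[1] == 0x03 and head[2] <= 0x04


def classify_flow(flow, known_bad=KNOWN_BAD):
    """Label one flow by the cheapest detection approach that catches it."""
    head, port = flow["head"], flow["port"]
    if port == 443 and not looks_like_tls(head):
        return "protocol_anomaly"        # 1.0: custom protocol hiding on the TLS port
    if port == 80 and not HTTP_REQUEST.match(head):
        return "protocol_anomaly"        # 1.0: custom protocol hiding on the HTTP port
    if flow["dst"] in known_bad:
        return "known_bad_endpoint"      # 2.0: protocol compliant, caught only by intel
    return "compliant"                   # left for content inspection / traffic anomalies


def classify_all(flows, known_bad=KNOWN_BAD):
    return [classify_flow(f, known_bad) for f in flows]


if __name__ == "__main__":
    for flow, label in zip(SAMPLE_FLOWS, classify_all(SAMPLE_FLOWS)):
        print(flow["dst"], flow["port"], label)
```

The real TLS session to def.com is only caught because def.com is on the bad list; remove it from `KNOWN_BAD` and the flow is labelled compliant, which is exactly the 2.0 problem the slide describes. Beaconing cadence and byte-count symmetry over many sessions (the "Network Traffic Anomalies" column) are the usual next step for that residue.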



APT: Evolution

Intrusion Phase     Non-APT (DoS)                  Obsolete                 Current
Reconnaissance      None                           Scanning, opportunistic  OSINT, targeted
Weaponization       Blast, Stress                  Layer 4 payload          Layer 7 payload
Delivery            Opportunistic: non-targeted    Vulnerable protocol      Standard comm. protocol
Exploit             Client-side, Server-side       Server-side (svc)        Client-side (app)
Installation        Rapid sibling infection        Plain sight              ADS, anti-reversing
Command & Ctrl      None                           Custom protocol          Protocol compliant
Actions on Intent   Propagate, Disrupt, Deface     Propagate or PII         Exfiltrate



APT: Response

Intrusion Phase   Detect          Deny            Disrupt     Degrade             Deceive        Destroy
Reconnaissance    Web Analytics   Firewall ACL
Weaponization     NIDS            NIPS
Delivery          Vigilant User   Proxy Filter    In-Line AV  Queuing
Exploit           HIDS            Patch           DEP
Installation      HIDS            “chroot” Jail   AV
Command & Ctrl    NIDS            Firewall ACL    NIPS        Tarpit              DNS Redirect
Actions           Audit Log                                   Quality of Service  Honeypot



Attack Kill Chain Life Cycle
[Diagram: the Cyber Kill Chain drawn as a “Breach Life Cycle” cycle]
• Threat vector -> malware establishes a network foothold (undetected) -> data exfiltration -> late detection
• Breach Exposure Time (“BET”): the interval between the undetected foothold and detection
• Advanced cyber defense approach: target threat visibility & mitigation to shorten BET



APT: The Challenge of Cleanup
• Did you get it all?
– Cleaning
• Do you adequately understand how it happened?
– Forensic
• Will the exploits work again?
– Remediation
• Is Damage understood and contained?
– Risk Model and Reduction



APT: Needed Capabilities
• Network Visibility
• Critical Info Identification and Tracking
• IPS Active Blocking
• Continuous Monitoring
• Cyber Threat Awareness
• Attack Identification and Triage
• Collaboration
• Incident Response
• Network Traffic Analysis
• Host-Based Forensics
• Malware Forensics
• Signature and IOC Development
• Cyber Threat and Intelligence
• Security Infrastructure



APT: Lessons Learned
1. There are no trivial systems
2. Collect the right info
3. Have a plan
4. User Awareness
5. Be able to look back (forensics)
6. Know thyself (Crown Jewels)
7. Have the right people
8. It takes a village (or an ecosystem)
9. A holistic view is key
10.Get smart(er) with the data you collect



Introducing Security Analytics



Today’s Security Requirements
• Comprehensive Visibility: “Analyze everything happening in my infrastructure”
• Agile Analytics: “Enable me to analyze and investigate potential threats in near real time”
• Actionable Intelligence: “Help me identify targets, threats & incidents”
• Scalable Infrastructure: “Need a flexible infrastructure to conduct short term and long term analysis”



RSA Security Management Compliance Vision
Delivering Visibility, Intelligence and Governance



RSA Security Analytics: Changing The Security Management Status Quo
Unified platform for security monitoring, incident investigations and compliance reporting
[Diagram: RSA Security Analytics positioned between SIEM and Network Security Monitoring]
• SIEM: Compliance Reports, Device XMLs, Log Parsing
• Network Security Monitoring: Fast & Powerful Analytics, Logs & Packets
• RSA Security Analytics: High Powered Analytics, Big Data Infrastructure, Unified Interface, Integrated Intelligence, Analytics Warehouse
SEE DATA YOU DIDN’T SEE BEFORE, UNDERSTAND DATA YOU DIDN’T EVEN CONSIDER BEFORE



RSA Security Analytics Architecture
[Diagram: two analysis tiers]
• Real Time Investigations (hours to days): metadata, packets
• Long Term Analysis: correlation over metadata, raw logs, select payload



What Makes Security Analytics Different?
The only security management solution that has both speed & smarts
• Big Data Infrastructure
• Fast & Scalable
• Logs & Packets
• Security data warehouse plus proven NetWitness infrastructure
• High Powered Analytics
• The speed and smarts to detect, investigate & understand advanced threats
• Comprehensive visibility to see everything happening in an environment
• Short term & long term analytics plus compliance
• Removes the hay vs. digging for needles
• Integrated Intelligence
• Intelligence from the global security community and RSA FirstWatch fused with
your organization’s data
• Understand what to look for and utilize what others have already found



Big Data Infrastructure
• Single platform for capturing and
analyzing large amounts of network
and log data
• Distributed, “scale-out” architecture
• Unique architecture to support both
“speed” and “smarts” for threat
analysis
• Security data warehouse for long term
analytics & compliance
• Proven NetWitness infrastructure of
short term analytics and
investigations



High Powered Analytics
• Eliminates blind spots to achieve
comprehensive visibility across the enterprise
• Real-time and “after-the-fact” investigations
• Uses the industry’s most comprehensive
and easily understandable analytical
workbench
• Proven, patented analytics applies business
context to security investigations
• Automates the generation of compliance
reports and supports long term forensic
analysis



Full Network Visibility
[Diagram: network traffic and logs feeding the platform]
• Gain full visibility into your network including both logs and packets
• Discover advanced threats missed by traditional security approaches
• Completely reconstruct network sessions for real time analysis and investigation
• Capture all data from the network to the application layer
• Perform detailed session analysis – regardless of port or protocol



Single Platform for Network Packet and Log Data Collection
[Diagram: network traffic and logs feeding the platform]
• Both network packet capture and log collection
• Patented methods of network capture, processing, data extraction and service/protocol identification
• Consolidates disparate sources
• Instantly analyzes massive data sets



Reimagining what SIEM can do: Removing hay vs. digging for needles
[Funnel diagram, top to bottom]
• All network traffic & logs: terabytes of data – 100% of total
• Downloads of executables: thousands of data points – 5% of total
• Type does not match extension: hundreds of data points – 0.2% of total
• Create alerts to/from critical assets: a few dozen alerts
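The funnel is a sequence of cheap filters, each applied only to what survived the previous one: identify executables by content rather than by name, keep those whose declared name lies about the content, and alert only when a critical asset is involved. The code below is an added example of that pipeline, not code from the deck or from RSA's product. The sessions, the critical-asset list and the percentages that fall out of them are constructed; the only real-world fact it relies on is that Windows PE files begin with the `MZ` header.

```python
# Constructed session metadata (not real capture): who talked to whom, what
# file name the server declared, and the first bytes of the returned content.
SAMPLE_SESSIONS = [
    {"src": "ws10", "dst": "cdn.example",  "filename": "setup.exe",  "head": b"MZ\x90\x00\x03"},
    {"src": "ws11", "dst": "203.0.113.7",  "filename": "logo.gif",   "head": b"MZ\x90\x00\x03"},
    {"src": "db01", "dst": "203.0.113.7",  "filename": "update.jpg", "head": b"MZ\x90\x00\x03"},
    {"src": "ws12", "dst": "cdn.example",  "filename": "logo.gif",   "head": b"GIF89a"},
    {"src": "fs01", "dst": "198.51.100.9", "filename": "report.pdf", "head": b"%PDF-1.4"},
]

CRITICAL_ASSETS = {"db01", "fs01"}   # the "crown jewels" list, constructed
EXECUTABLE_EXT = {".exe", ".dll", ".sys", ".scr", ".cpl"}


def is_pe(head):
    """Windows executables start with the 'MZ' DOS header whatever they are called."""
    return head[:2] == b"MZ"


def extension_mismatch(session):
    """True when the content is an executable but the declared name says otherwise."""
    name = session["filename"].lower()
    ext = name[name.rfind("."):] if "." in name else ""
    return is_pe(session["head"]) and ext not in EXECUTABLE_EXT


def funnel(sessions, critical=CRITICAL_ASSETS):
    """Apply the slide's four stages; return the count kept at each stage and the alerts."""
    stage1 = list(sessions)
    stage2 = [s for s in stage1 if is_pe(s["head"])]
    stage3 = [s for s in stage2 if extension_mismatch(s)]
    stage4 = [s for s in stage3 if s["src"] in critical or s["dst"] in critical]
    counts = {
        "all_traffic": len(stage1),
        "executable_downloads": len(stage2),
        "type_mismatch": len(stage3),
        "critical_asset_alerts": len(stage4),
    }
    return counts, stage4


if __name__ == "__main__":
    counts, alerts = funnel(SAMPLE_SESSIONS)
    for stage, n in counts.items():
        print(f"{stage:>22}: {n}")
    for a in alerts:
        print("ALERT", a["src"], "->", a["dst"], a["filename"])
```

Of the five constructed sessions, three carry an executable, two of those hide it behind an image extension, and only the one fetched by db01 reaches the alert stage. The order matters for cost: the content check runs on every session but is a two-byte comparison, while the asset lookup runs only on the handful of mismatches.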



Integrated Intelligence: How Do I Know What To Look For?
[Diagram: three stages]
1. Gathers advanced threat intelligence and content from the global security community & RSA FirstWatch®
2. Aggregates & consolidates the most pertinent information and fuses it with your organization’s data
3. Automatically distributes correlation rules, blacklists, parsers, views, feeds
Operationalize Intelligence: Take advantage of what others have already found and apply it against your current and historical data



Security Analytics Live Content

• Fuses open source, commercial, and confidential threat and fraud intelligence with an
organization’s live and recorded network traffic



RSA FirstWatch®

Providing RSA Security Analytics customers covert tactical and strategic threat
intelligence on advanced threats & actors

• RSA’s elite, highly trained global threat research & intelligence team
– Heritage dating back to the late 1990s featuring a ‘who’s who’ of researchers
– Backgrounds in government, military, financial services and information technology
• Focused on threats unknown to the security community
– Malicious code & content analysis
– Threat research & ecosystem analysis
– Profiling threat actors
• Research operationalized automatically via RSA Live



RSA Security Analytics Results
• Reduce risk by compressing attacker free time
– Continuous analysis of terabytes of security data through big data
architecture, reducing the threat analysis time from days to minutes
• Level the playing field with adversaries
– Incorporate operationalized intelligence to defend with confidence
• Elevate the security team to another level of effectiveness
– Increase teams’ collective skill by gaining analytical firepower
– Investigate more rapidly, centralize information, automate alerts and
reports
• Meet compliance requirements

