NetWitness Overview - RRC Serbia


RSA NetWitness
Overview
Helmut Wahrmann
Senior Technology Consultant
© Copyright 2011 EMC Corporation. All rights reserved.
Agenda
• The Problem Space
– Threat Landscape Evolution
– Big Data
– Innovation & Prevention
• Operational Opportunities
– Situational Awareness
– Case Study
• Conclusions
Oversimplification of Threats
• Simple and innovative are not mutually exclusive
• Simple does not imply easily detected
Source:
http://spectrum.ieee.org/static/hacker-matrix
Is This Discussion Really About APTs or
Advanced Threat Vectors in General?
• Criminal and nation-state adversaries continue to compromise systems on a regular and large-scale basis.
• It’s not about terminology -- it’s about RISK!
– You need to perform a threat assessment and understand both the adversaries and their attack methods
– Just because you are not seeing anything does not mean you are not under attack
– Assess required changes to people, processes and technology to combat advanced and emerging threats
The Malware Problem
• 54% of breaches involved customized malware - no
signature was available at time of exploit (VzB/USSS, 2010)
• 87% of records stolen were from Highly Sophisticated
Attacks (VzB/USSS, 2010)
• 91% of organizations believe exploits bypassing their IDS
and AV systems to be advanced threats (Ponemon, 2010)
"With security researchers now uncovering close to
100,000 new malware samples a day, the time and
resources needed to conduct deep, human analysis on
every piece of malware has become overwhelming."
(GTISC Emerging Cyber Threats Report 2011)
Welcome to the era of Big Data
”5 exabytes of information [were] created between the dawn of civilization through 2003… That much information is now created every 2 days, and the pace is increasing…”
–Eric Schmidt [1]
• New challenges…
• But also, new opportunities…
[1] http://www.readwriteweb.com/archives/google_ceo_schmidt_people_arent_ready_for_the_tech.php
Security faces its own data deluge
In the last few years:
• The range and capability of threat actors has expanded enormously
• So has the scope of their tools
– From scripting to industrialization
– Custom malware
– The more capable are also capable of thorough research
• This alone makes it difficult enough to counteract the previously unknown
• Now, add to this:
– An explosion of signatures
– Volumes of monitoring data
– Internal and external sources of information
Tracking the Opposing I/T Organization
[Diagram: the criminal supply chain and its money flow, shown as a network of roles]
Actors and services drawn: Master Criminals; Malware Writers; Malware Distribution Service; Botnet Owners; Botnet Services; Spammers; Phishing; Keyloggers; Data Acquisition Service; Identity Collectors; Data Mining & Enrichment; Validation Service (Card Checkers); Card Forums; Data Sales; Drop Sites; Drop Service; Cashing ($$$)
Channels and victims drawn: Payment Gateways; eCurrency; Wire Transfer; Gambling; ICQ; Banks; Retailers; eCommerce Site; Credit Card Users
Lopsided Focus on Prevention
“…collectively, we’ve spent billions of dollars on security technologies, and we still can’t curb these threats. Intruders trot through firewalls deployed to block them, while malware flourishes on systems that antivirus vendors pledge to immunize. Meantime, our identity management efforts guzzle funds faster than politicians before a crucial vote.
Recent events suggest that we are at a tipping point, and the need to reassess and adapt has never been greater. That starts with facing some hard truths and a willingness to change the status quo.”
Information Week, Oct. 13, 2010 (http://www.informationweek.com/news/security/antivirus/227700360)
Security Today:
– Perimeter-focused
– Network layer
– Signature-based
Annual spend (Data Source: Gartner, 2010):
– Firewalls: $6 Billion
– IDS/IPS: $1 Billion
– Endpoint Protection: $3 Billion
Agenda: Operational Opportunities (Situational Awareness, Case Study)
There ARE specific targets…
The Questions Are More Complex
» Why are packed or obfuscated executables being used on
our systems?
» What critical threats are my Anti-Virus and IDS missing?
» I am worried about targeted malware and APTs -- how can
I fingerprint and analyze these activities in my
environment?
» We need to better understand and manage the risks associated with insider threats – I want visibility into end-user activity and to be alerted on certain types of behavior.
» On our high value assets, how can we have certainty that
our security controls are functioning exactly as
implemented?
» How can I detect new variants of Zeus or other 0-day
malware on my network?
» We need to examine critical incidents as if we had an HD
video camera recording it all…
New Security Concept:
“OFFENSE IN DEPTH”
[Figure: attacker timeline against defender timeline, Time running left to right]
Attacker timeline: Attack Begins > Attacker Surveillance > Target Analysis > Attack Set-up > Access Probe > System Intrusion > Discovery / Persistence > Cover-up Starts > Leap Frog Attacks Complete > Cover-up Complete > Maintain foothold
Defender-side labels as drawn: Physical Security; Monitoring & Controls; Threat Analysis; Attack Forecast; Defender discovery; Attack Identified; Incident Reporting; Damage Identification; Impact Analysis; System Reaction; Response; Recovery; Containment & eradication
The interval between the intrusion and Defender discovery is labelled ATTACKER FREE TIME.
Need to collapse attacker free time
Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)
Cyber Defense in 2011 and Beyond:
What is Required?
» Advanced threat detection and response
requires a different approach:
» 24 x 7 SITUATIONAL AWARENESS
» Applying the science of NETWORK FORENSICS
to the art of incident response
» Application-layer threat context and intelligence
» Enable security teams to view network traffic
as conversations instead of individual
packets or groups of IP addresses
» AGILITY to extend architecture to address
emerging threat trends and integrate
external threat intelligence sources
Typical Scenario These Days…
• Visit from the FBI saying, “You have a problem –
information is being taken”
– Perhaps IP addresses of compromised machines are
provided
– You might be told that certain types of files or email are being stolen
– The CEO does not pay much attention to cyber,
generally, but now it has his/her full attention
– What do you do now?
• Knee-jerk reaction: take down these systems/networks, image the
drives, rebuild the machines, life goes on, etc.
• How do you know what has happened or is really still happening on
the network?
What’s really happening (in many cases)…
• If it’s an advanced persistent threat (APT), the adversary is quite
entrenched and has been there for a while
– It’s not simply a piece of malware you can detect and eradicate
– Both COTS variants (ZeuS) and specific custom tools (e.g., file search tools)
• They have the ability to change techniques, control channels, SSL certs,
hours of operation, etc.
– Commands scheduled on individual Windows machines
– Text files containing lists of target files
– RAR’d bunches of targeted files ready to be moved off the network in any number of
communication pathways
– Spear phishing attacks using bogus mailboxes created on mail system
• Their true approach is not always the obvious one
– C&C servers in places like HVAC or other low-profile systems, versus file servers
– Drop locations are not in China or Belarus, but in the U.S.
Introducing the NetWitness Network
Security Analysis Platform
Automated Malware
Analysis and Prioritization
Automated Threat Reporting,
Alerting and Integration
Freeform Analytics for
Investigations and Real-time
Answers
Revolutionary Visualization
of Content for Rapid Review
How Do You Cope With New Threats?
Spear phishing
attack against your
organization –
bypasses all your
defenses
End-user behavior,
lack of visibility, and
network realities
create a gap
Zero-Day: Your A/V security has failed
» You can’t rely only upon preventative tools
» Only 1 of 42 AV vendors identified the file as malicious on 03.05.2010 (virustotal.com)
» AV disabled by overwriting the hosts file so that the vendor’s update servers resolve to 127.0.0.1
» Result: if AV didn’t pick up the malware initially, it never will, because it can no longer fetch new signatures
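The hosts-file trick on this slide is cheap for the attacker and cheap to check for. The script below is an added example, not NetWitness code or anything from the original deck: it parses a hosts file and flags any entry that pins a watched update hostname to loopback or a blackhole address (or, more weakly, to any address at all). The watched hostnames and the sample hosts content are constructed placeholders; substitute the names your own AV/EDR agents actually contact.

```python
import os
import re
from typing import Dict, List

# Hypothetical update/definition hostnames to watch (assumption, not a vendor list).
WATCHED_UPDATE_HOSTS = {
    "update.example-av.com",
    "definitions.example-av.com",
    "liveupdate.example-av.net",
}

# Addresses that silently swallow the update request.
BLACKHOLE_PREFIXES = ("127.", "0.0.0.0", "::1")

# "<address> <name> [<name> ...]" after comments have been stripped.
HOSTS_LINE = re.compile(r"^\s*([0-9a-fA-F.:]+)\s+(.+?)\s*$")


def hosts_path() -> str:
    """Default hosts-file location for the current platform."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text: str) -> List[Dict[str, str]]:
    """Turn hosts-file text into {ip, host} records, ignoring comments and blanks."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing/full-line comments
        if not line:
            continue
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        ip, names = m.groups()
        for name in names.split():            # one address may carry several names
            records.append({"ip": ip, "host": name.lower()})
    return records


def find_hijacked_updates(text: str, watched=WATCHED_UPDATE_HOSTS) -> List[Dict[str, str]]:
    """Report every watched update hostname that the hosts file overrides.

    A clean hosts file should not mention these names at all, so any hit is
    suspicious; loopback/blackhole targets are the classic AV-disabling pattern."""
    findings = []
    for rec in parse_hosts(text):
        if rec["host"] in watched:
            blackholed = rec["ip"].startswith(BLACKHOLE_PREFIXES)
            findings.append({**rec, "reason": "blackholed" if blackholed else "redirected"})
    return findings


# Constructed sample (not taken from the slides) showing the pattern described above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.com
127.0.0.1       definitions.example-av.com   # added by malware
10.0.0.5        intranet.corp.local
"""

if __name__ == "__main__":
    for f in find_hijacked_updates(SAMPLE_HOSTS):
        print(f"{f['host']} -> {f['ip']} ({f['reason']})")
```

Run it against the live file with `find_hijacked_updates(open(hosts_path()).read())`; on a fleet, the same parse is worth feeding from an endpoint inventory so the check does not depend on the (possibly disabled) agent on the box.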
The old Way – Packet Analysis
Let’s take a look at
how your world looks
with NetWitness…
Malware Prioritization and Workflow w/ Spectrum
Spectrum automates the
analysis of all network traffic to
prioritize potentially malicious
files unlike any other product.
report.zip and its contents
prioritized #1 for workflow
Four agile scoring
methods
Informer – Your Automated Analyst
Informer takes another angle
on the problem, using the
same NetWitness infrastructure
to produce unique security
reports and alerts – in this case
intersecting multiple content-based indicators to escalate a potential incident
PDF Report
-Abnormal EXE structure
-Global Security Intelligence
-Crafted header
-Foreign Country
Precise Detail and Context with
Investigator™
Threat Indicators & Intelligence
Validated Executable Fingerprint
Investigator provides
precise detail about the
suspect event – in this
case specific,
concerning and
compounding network
behavior involving
multiple characteristics
Foreign Country
Precise Detail and Context with
Investigator
Target IP Address
Investigator answers anything
about the related activities of
the targeted computer to
obtain a complete frame of
reference.
Service Breakdown
Action Profile
AD User
OS & Browser Type
Deeper Visibility and Layers of Discovery
Through both native capabilities
and data fusion NetWitness
provides the analyst the most
indications and warnings, e.g.:
time and geographic rendering
shows C&C beaconing to China
and FTP traffic to Belarus.
High volume
(red) beacon
traffic to server
in China,
115.100.250.105
FTP Traffic to a
server in Belarus,
86.57.246.177
Unparalleled Analytics and Precision
The C&C beaconing to China points to a ZeuS infection on the target host.
Repeating download of
.bin ZeuS configuration
file from China
Every New Question Yields An Accurate Answer
Target computer activity
shows data leakage -- FTP
upload of several documents.
Export, view, or VISUALIZE
for all content context.
Files exfiltrated
over FTP
Visualize – INTERACT with Your Information
Files destined to
Belarus
Zoom to read and
review
Dynamically interact with graphically rendered file objects observed on your network – in this case, obtain a rapid understanding of the content of the documents stolen over FTP.
Exposing Patient Zero / Finding Root Cause
Visibility into other
communications from the C&C
server shows the 1st stage of the
attack
Files pulled from the
C&C server… is
report.zip anywhere
else?
C&C server has
multiple domain
aliases
Demonstration Recap
» The Issue
– You need to know what is happening on your network and get answers about anything at any time
» Series of Unfortunate Events
– User receives a well-crafted spear-phish that bypasses all process and technology defenses
– User downloads and executes a zip file from a site in China
– Once executed, the victim’s machine becomes a member of a ZeuS botnet
– The ZeuS bot begins beaconing to establish command and control with the botnet operator
– Botnet operator commands the new zombie to download and execute second-stage malware
– This second-stage malware successfully FTPs documents from the victim computer to a server in Belarus
» Only NetWitness can:
– Provide pervasive network visibility into the content of all network traffic and context of all network behavior
– Deliver precise and actionable real-time intelligence that fuses your organization’s information with the knowledge of the global security community
– Get you answers to any security question on a single enterprise network monitoring platform
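The chain recapped above (periodic beaconing to one server that keeps serving the same .bin, then FTP STOR of documents to a second server) can be spotted from session metadata alone, without a product. The Python below is an added example, not NetWitness code or anything from the original deck: it runs a beacon detector (near-constant gaps between sessions for a given source, destination and resource) and an FTP upload aggregator over a constructed list of sessions. The session fields, thresholds, host names and file names are assumptions; the two server addresses are the ones shown on the earlier slides, reused only as sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List


@dataclass(frozen=True)
class Session:
    """One reassembled session (the field set is an assumption, not a product schema)."""
    ts: int          # start time, epoch seconds
    src: str         # client IP
    dst: str         # server IP
    service: str     # "http" or "ftp"
    action: str      # HTTP method or FTP command
    resource: str    # URI or file name
    bytes_out: int   # bytes sent client -> server


def detect_beacons(sessions: List[Session], min_count: int = 6, max_cv: float = 0.15) -> List[Dict]:
    """Flag (src, dst, resource) triples that are fetched at a near-constant interval.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive sessions: human browsing is bursty, a malware timer is not."""
    times = defaultdict(list)
    for s in sessions:
        times[(s.src, s.dst, s.resource)].append(s.ts)
    hits = []
    for (src, dst, resource), ts in times.items():
        if len(ts) < min_count:
            continue
        ts = sorted(ts)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "resource": resource,
                         "count": len(ts), "period_s": round(period), "cv": round(cv, 3)})
    return hits


def detect_ftp_uploads(sessions: List[Session]) -> List[Dict]:
    """Aggregate FTP STOR (upload) commands per (src, dst); RETR downloads are ignored."""
    per_pair = defaultdict(list)
    for s in sessions:
        if s.service == "ftp" and s.action.upper() == "STOR":
            per_pair[(s.src, s.dst)].append(s)
    return [{"src": src, "dst": dst,
             "files": [s.resource for s in ss],
             "bytes_out": sum(s.bytes_out for s in ss)}
            for (src, dst), ss in per_pair.items()]


def build_sample() -> List[Session]:
    """Constructed sample sessions; not real capture data."""
    victim = "10.1.2.34"
    zeus_cc = "115.100.250.105"   # beacon target shown on the slides
    ftp_drop = "86.57.246.177"    # FTP drop server shown on the slides
    rows = []
    # ZeuS config refresh about every 5 minutes (gaps of 290-310 s)
    for t in (1000, 1300, 1605, 1900, 2210, 2500, 2805, 3100):
        rows.append(Session(t, victim, zeus_cc, "http", "GET", "/cfg/config.bin", 412))
    # Ordinary, irregular intranet browsing: must NOT be flagged
    for t in (1000, 1020, 1500, 1510, 2400, 3000, 3900):
        rows.append(Session(t, victim, "10.1.1.5", "http", "GET", "/index.html", 380))
    # Second-stage tool pushing documents out over FTP
    rows.append(Session(2600, victim, ftp_drop, "ftp", "STOR", "Q3_financials.xlsx", 240_000))
    rows.append(Session(2640, victim, ftp_drop, "ftp", "STOR", "board_minutes.docx", 85_000))
    rows.append(Session(2700, victim, ftp_drop, "ftp", "STOR", "customer_list.csv", 410_000))
    # A legitimate FTP download from the same host: ignored by the upload detector
    rows.append(Session(2750, victim, "10.1.1.9", "ftp", "RETR", "driver.zip", 200))
    return rows


SAMPLE_SESSIONS = build_sample()

if __name__ == "__main__":
    for b in detect_beacons(SAMPLE_SESSIONS):
        print(f"beacon: {b['src']} -> {b['dst']} {b['resource']} "
              f"every ~{b['period_s']}s x{b['count']} (cv={b['cv']})")
    for u in detect_ftp_uploads(SAMPLE_SESSIONS):
        print(f"ftp upload: {u['src']} -> {u['dst']} {len(u['files'])} files, {u['bytes_out']} bytes")
```

The two detectors are deliberately independent: a beacon hit names the host to pivot on, and the upload aggregate for that same source is the "is anything leaving" question the recap asks. Tune `min_count` and `max_cv` against your own traffic; jittered beacons raise the CV, so very tight thresholds trade recall for precision.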
Agenda: Conclusions
Combating Advanced Threats Requires More and Better Information…
(rows ranked from Lowest Value to Highest Value, as the slide orders them)

DATA SOURCE: Firewalls, Gateways, etc.
DESCRIPTION: Overwhelming amounts of data with little context, but can be valuable when used within a SIEM and in conjunction with network forensics.

DATA SOURCE: IDS Software
DESCRIPTION: For many organizations the only indicator of a problem, and only for known exploits. Can produce false positives and is limited by signature libraries.

DATA SOURCE: NetFlow Monitoring
DESCRIPTION: Network performance management and network behavioral anomaly detection (NBAD) tools. Indicators of changes in traffic flows within a given period, for example DDoS. Limited by lack of context and content.

DATA SOURCE: SIEM Software
DESCRIPTION: Correlates IDS and other network and security event data and improves signal-to-noise ratio. Valuable to the extent that data sources have useful information and are properly integrated, but lacks the event context that network forensics can provide.

DATA SOURCE: Real-time Network Monitoring (NetWitness)
DESCRIPTION: Collects the richest network data. Provides a deeper level of advanced threat identification and situational awareness. Provides context and content to all other data sources and acts as a force multiplier.
Conclusions
• Advanced adversaries and
emerging threats require
revolutionary thinking
• Current security paradigms are
completely broken -- all
organizations (including yours)
will be compromised – no matter
how good your security team
• The real objective should be
improving visibility at the
application layer -- this goal
requires complete knowledge of
the network and powerful analytic
tools and processes
• Reduce risk surrounding the impact
of new threat vectors
– Improve incident response through
shortened time to problem recognition
and resolution
– Reduce impact and cost related to cyber
incidents
– Generate effective threat intelligence and
cyber investigations
• Conduct continuous monitoring of
critical security controls
• Achieve situational awareness –
being able to answer any conceivable
cyber security question – past,
present or future
THANK YOU