Modern Lessons in Security Monitoring
HP Protect 2011
Modern Lessons for Security Monitoring
Anatomy of a High Profile Attack
Anton Goncharov, CISSP, Partner, Solutions Architect, [email protected]
Dragos Lungu, CISSP, CISA, Security Consultant, [email protected]
PROPRIETARY AND CONFIDENTIAL
MetaNet IVS
• SIEM and Event Management Group
• Heavy focus on HP/ArcSight solutions
• Based in New York with team members world-wide
• Services: Infrastructure Management, Monitoring and Support
• ArcSight Tools (RR, NMI)
• Technical Forum (answers.metanetivs.com)
Our top 3 strengths*: Experience, Expertise, Quality
* Source: MetaNet Customer Survey, 6/2011
Agenda
1. Discuss attacks against Sony, HBGary, and RSA
2. Review the weaknesses and vulnerabilities which allowed attacks to succeed
3. Look at the practices and solutions which could have helped prevent the breaches
4. Discuss integration of prevention and monitoring
5. Discuss how ArcSight ESM can combat new threats by improving infrastructure visibility
Detailed Review
ATTACKS
SONY: Brief Intro
✓ April and May 2011
✓ PlayStation Network
✓ Followed by:
  • Qriocity
  • Sony Online Entertainment
  • Regional (Thailand, Greece, Indonesia)
✓ 100M+ PSN accounts stolen
✓ $173M+ direct costs (Source: eWeek)
SONY: Attack Dissection
Diagram: Web Server → Application Servers → Database Servers
1. Inject exploit in application server
2. Gain DB access
3. Phone home & upload data
SONY: Weaknesses
✓ Inefficient vulnerability management
✓ Lack of compensating security controls
✓ SPOF in SSL tunneling
✓ PII security policy unenforced
✓ Poor network segregation
HBGary: Brief Intro
• On February 7, 2011, HBGary Federal and rootkit.com are compromised
• Over 71,000 corporate emails leaked, triggering a PR disaster
• Intellectual Property stolen or destroyed (including a decompiled copy of Stuxnet)
• hbgaryfederal.com is still offline 6 months later*
* As of July 2011
HBGary: Attack Dissection
Diagram, three phases:
Phase 1: SQL Injection; Social Engineering (Firewall Admin)
Phase 2: Forged Inbound Access
Phase 3: Corporate Firewall
Components shown: Rootkit.com CMS Database; HBGary Email / hbgaryfederal.com
HBGary: Weaknesses
✓ Insecure web application programming
✓ Weak password encryption and hashing policies
✓ Repeated violations of password reuse policy
✓ Single-factor authentication throughout critical systems
✓ Weak vulnerability management program
✓ Lack of security training and awareness among critical staff
RSA: Brief Intro
• On March 17, RSA suffers an APT attack targeting the RSA SecurID® product
• Customers exposed to new security risks: RSA ACE server attacks, brute force attacks, phishing attacks to reveal PINs, token serial numbers
• On June 2, data stolen in March is used against Lockheed Martin
• No dollar figure or details on compromised data were given.
“…this information could potentially be used to reduce the effectiveness of a current two-factor authentication”
(Art Coviello, Executive Chairman, RSA)
RSA: Attack Dissection
Diagram, five phases:
Phase 1: Spear phishing with 0-day payload (CVE-2011-0609)
Phase 2: Backdoor infestation (Poison Ivy RAT)
Phase 3: Privilege escalation; deeper scanning
Phase 4: Data acquisition and encryption
Phase 5: Data exfiltration (compromised FTP server)
RSA: Weaknesses
✓ Poor security awareness
✓ Lax local security policies facilitating privilege escalation
✓ No segregation of assets based on business role, which allowed access to critical systems
✓ No effective data loss prevention system
Threats and Practices
REASONS
Common Areas of Concern
✓ Security awareness
✓ Ineffective vulnerability and patch management
✓ Endpoint security policy
✓ Password management issues
✓ Egress content filtering
✓ DLP for critical networks / systems
Nothing new here.
Now Back to 2011
✓ New vectors:
  • Virtual social engineering, spear phishing, zero-day malware, covert channels, commercialization of attack tools
✓ Higher levels of impact:
  • IP theft, cyber espionage / sabotage, market manipulation, vendetta, social riots
✓ Vulnerability management is more challenging:
  • Undisclosed zero-days, weak preventative & compensating security controls, limited security practices in the SDLC, ubiquity of critical business data
Targeted attacks, zero-day vulnerabilities, and custom malware are brutally efficient.
Targeted Attacks
1 in 1,000,000 emails is a targeted attack
60.4% increase in targeted attacks in 2010
57%: individuals with management responsibilities
Source: Symantec MessageLabs 2011
Zero-Day Vulnerabilities Rise
✓ One tell-tale: more out-of-band patches
✓ Vulnerability disclosure changed:
  • Vendor bounty programs
  • Responsible disclosure vs. full disclosure
  • Underground market
✓ New attack vectors are leveraged as technologies mature
This means we don’t know what we’ll be defending against same time next year.
Custom Malware
• AV avoidance is part of the QA
• Sandbox and VM detection
• Small distribution helps avoid detection:
  • no packing or polymorphic functions
  • code signing using forged certificates
63%: malware undetectable by AV
79%: compromised records where malware was used
Source: Verizon Data Breach Report 2011
Prevention and Assurance
SO WHAT DO WE DO
Low Hanging Fruit
✓ You can leverage traditional event sources to detect attacks:
  • Geo/IP data
  • Port numbers
  • AD auth logs
✓ The attackers know this
✓ The attacks on SONY and others bypassed detection easily
Successful defense requires a bit more effort
Addressing Modern Threats
Targeted Attacks / Spear Phishing:
- User training, bi-directional message screening, digital signatures, message encryption, layered anti-spam, browser protection
Zero-Day Vulnerabilities:
- Layered security, critical process isolation, compensating security controls, application-aware IPS (which does not rely on signatures), complete infrastructure visibility
Custom Malware:
- Behavior monitoring, security policy facilitating incident containment, risk-based security management, layered security controls
However, deploying solutions without monitoring them is a waste of resources.
So How Do We...
…Assess the effectiveness of the security controls?
…Define a security baseline?
…Recognize internal threats?
…Monitor critical business processes?
…Assess immediate impact in case of a security breach?
The answer is infrastructure visibility.
ArcSight ESM Delivers
✓ FlexConnectors for emerging security technologies
✓ FlexConnectors for custom, business-critical applications
✓ Identity activity monitoring
✓ Infrastructure mapping across the business units and roles
✓ Enforcing corporate security policy
✓ KPI-based information security program tracking
✓ Scalability and flexibility to address future threats and undiscovered use cases
Example: Business Infrastructure Mapping
Requirements (the business model to capture):
Business Units: America, EMEA, APAC
Applications (per business unit): HR, Accounting, Payroll
IT Groups (per application): Server, Application, Database
Asset Import File:
Asset Name*          | Hostname  | IP      | Description*                           | Asset Group* | Asset Category | Asset Category
APAC HR Server       | hrserver  | 1.1.1.1 | File server hosting HR data            | Insurance    | HR             | Server
America Payroll DB   | payrolldb | 2.2.2.2 | Payroll Oracle DBMS                    | Credit       | Payroll        | Database
EMEA Acct App Server | acctapp   | 3.3.3.3 | Accounting application server for EMEA | Investments  | Accounting     | Application
* - supported by MetaNet NMI (Network Model Importer)
Example: Business Infrastructure Reporting
Trend Table:
Date     | Event Name         | Hostname  | IP      | BU          | Group       | App        | Event Count
12-09-11 | Malware Infection  | payrolldb | 2.2.2.2 | Credit      | Database    | Payroll    | 16
13-09-11 | Policy Violation   | acctapp   | 3.3.3.3 | Investments | Application | Accounting | 42
14-09-11 | Failed Admin Login | hrserver  | 1.1.1.1 | Insurance   | Server      | HR         | 25
Trend Based Report:
[Chart: Failed Admin Logins per week, Week 1 through Week 7, one series each for Accounting, HR and Payroll; y-axis 0 to 120]
Example: Security Program Monitoring
KPI | Data Sources | ESM Content Description
# failed administrative logins | OS, Applications, Network & Security Devices | Line chart reports based on event counts grouped by business units, applications, or groups.
# IT policy violations | Security Event Management | Correlated events with ‘/Policy/Violation’ Event Category based on Policy Violation Rules (IT Gov. and custom).
% systems where security req’s are not met | Vulnerability Management | Area-based graphs showing the percentage of Assets tagged with the ‘Vulnerability’ Asset Category, mapped across time periods.
# average time lag between detection, reporting and action upon security incidents | Issue Tracking Systems, Security Event Management | Reports based on averaged time-to-resolve values provided by ITS or SIEM. Case-based Reports in ArcSight ESM.
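The three example slides above (the asset import file, the event report grouped by business unit and application, and the KPI table) all rest on one mechanism: every raw event is enriched with the business context of the asset it came from, and reports and KPIs are then aggregations over that enriched stream. The script below is an added example that illustrates that mechanism in plain Python; it is not MetaNet, NMI or ArcSight code, and the CSV column names, the event tuples, the `tags` column and the `UNMAPPED` marker are constructed assumptions, not the real import format. It also handles the case the slides leave implicit: an event from a host that is missing from the asset model is flagged rather than silently dropped, because an unmapped host is itself a visibility gap worth reporting.

```python
"""Constructed example: enrich events with a business asset model, then
compute the report rows and KPIs described on the slides."""
import csv
import io
from collections import Counter
from datetime import date

# Constructed asset import file modelled on the slide's three rows.
# Column names are assumptions; the real NMI/ArcSight format is not on the page.
ASSET_IMPORT_CSV = """\
asset_name,hostname,ip,description,asset_group,app_category,tier_category,tags
APAC HR Server,hrserver,1.1.1.1,File server hosting HR data,Insurance,HR,Server,Vulnerability
America Payroll DB,payrolldb,2.2.2.2,Payroll Oracle DBMS,Credit,Payroll,Database,
EMEA Acct App Server,acctapp,3.3.3.3,Accounting application server for EMEA,Investments,Accounting,Application,
"""

# Constructed events as (ISO date, event name, reporting host).
EVENTS = [
    ("2011-09-12", "Malware Infection", "payrolldb"),
    ("2011-09-13", "Policy Violation", "acctapp"),
    ("2011-09-14", "Failed Admin Login", "hrserver"),
    ("2011-09-14", "Failed Admin Login", "hrserver"),
    ("2011-09-21", "Failed Admin Login", "hrserver"),
    ("2011-09-21", "Failed Admin Login", "acctapp"),
    ("2011-09-22", "Failed Admin Login", "unknownhost"),  # host absent from the model
]


def load_assets(csv_text):
    """Return {hostname: asset row} from the import file."""
    return {row["hostname"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def enrich(events, assets):
    """Attach BU (asset group), IT group (tier) and application to each event.
    Hosts missing from the model are kept and marked UNMAPPED so the inventory
    gap shows up in reports instead of disappearing."""
    out = []
    for day, name, host in events:
        a = assets.get(host)
        out.append({
            "date": date.fromisoformat(day),
            "event": name,
            "host": host,
            "bu": a["asset_group"] if a else "UNMAPPED",
            "group": a["tier_category"] if a else "UNMAPPED",
            "app": a["app_category"] if a else "UNMAPPED",
        })
    return out


def event_count_report(enriched):
    """Rows shaped like the slide's Trend Table: (event, host, BU, group, app) -> count."""
    return dict(Counter((e["event"], e["host"], e["bu"], e["group"], e["app"]) for e in enriched))


def weekly_trend(enriched, event_name):
    """Counts of one event type per (ISO week, application): the trend chart's series."""
    c = Counter()
    for e in enriched:
        if e["event"] == event_name:
            c[(e["date"].isocalendar()[1], e["app"])] += 1
    return dict(c)


def unmapped_hosts(enriched):
    """Hosts that produced events but are not in the asset model."""
    return sorted({e["host"] for e in enriched if e["bu"] == "UNMAPPED"})


def pct_assets_tagged(assets, tag="Vulnerability"):
    """KPI '% systems where security requirements are not met': share of assets
    carrying the given asset category tag (tags are ';'-separated by assumption)."""
    if not assets:
        return 0.0
    tagged = sum(1 for a in assets.values() if tag in a["tags"].split(";"))
    return 100.0 * tagged / len(assets)


if __name__ == "__main__":
    assets = load_assets(ASSET_IMPORT_CSV)
    enriched = enrich(EVENTS, assets)
    for row, n in sorted(event_count_report(enriched).items()):
        print(" | ".join(row), "|", n)
    print("weekly failed admin logins:", weekly_trend(enriched, "Failed Admin Login"))
    print("unmapped hosts:", unmapped_hosts(enriched))
    print(f"{pct_assets_tagged(assets):.1f}% of assets tagged Vulnerability")
```

Run as-is and it prints the report rows, the per-week series behind the "Failed Admin Logins" chart, the one host the model does not know about, and the percentage KPI. The design point is that the business columns never appear in the raw events; they come entirely from the asset model, which is why keeping that model complete and current (the slide's NMI import step) determines how useful every downstream report is.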
(only 20 slides left)
CONCLUSIONS
Conclusions
1. Higher awareness of modern security threats
2. Seek and deploy tools specifically designed to combat modern attacks
3. Solid security policy, procedures and user training
4. No single security control is 100% effective; compensating controls are key
5. On-going monitoring of technical and procedural controls is a must
ArcSight ESM provides the framework to deliver complete infrastructure visibility to enforce your security controls
Questions?
We Have Answers: http://answers.metanetivs.com
References
1. eWeek: http://www.eweek.com/c/a/Security/Sony-Networks-Lacked-Firewall-Ran-Obsolete-Software-Testimony-103450/
2. Ars Technica: http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars
3. RSA Open Letters: http://www.rsa.com/node.aspx?id=3891
4. Verizon Data Breach Investigations Report 2011: http://securityblog.verizonbusiness.com/2011/04/19/2011-data-breach-investigations-report-released/
5. Symantec MessageLabs Intelligence Reports: http://www.symanteccloud.com/globalthreats/overview/r_mli_reports
6. The VeriSign iDefense Intelligence Report: http://www.verisigninc.com/assets/whitepaper-idefense-trends-2011.pdf
THANK YOU
MetaNetIVS.com/P2011