Business white paper Hunting today

Hunting today: Using your existing technology to hunt for cyber threats

"Do what you can, with what you have, where you are."
Theodore Roosevelt

Table of contents
Security detection analytics
How to start practicing security analytics?
Start with the data you have
Prototype on a sample of your data
Sample several ways
Have a well-defined goal
What skills do I need?
Statistics
Exploration
Conclusion

In recent years, the balance of power in network security has shifted even further in favor of attackers. Criminals are improving their techniques, but we, as an enterprise security community, haven't moved forward fast enough. The techniques that were used to stop the big worms that plagued the Internet in the last decade are no longer sufficient. Threats are becoming less obvious: advanced persistent threats, low-and-slow attacks, insider threats, and targeted attacks like spear phishing. We focus on inbound network traffic, when some of the scariest attacks are data exfiltration from compromised laptops. We look at the most commonly visited domains that contain malware in proxy logs, but we miss the email from a vulnerable expense reports server in the accounting department to the CFO's secretary. After all, it was only one email; it came from an internal source that sends a lot of email, and only one person visited a malicious site, safepassword-reset.com. We have to look at more events than ever before to find the things that really matter. In other words, we have smaller needles sitting in larger and larger piles of hay.

Security detection analytics
Organizations are looking to analytics as a solution to this problem. Security detection analytics borrows from the fields of business intelligence, data science, statistics, and visualization to enable organizations to deal with unknown threats. HPE's paper, A vision for cyber security detection analytics, defines a vision for where security detection analytics will go in the next few years. Figure 1 (reprinted from our vision paper) is a matrix from that paper laying out security detection techniques. This paper focuses on the first two columns: existing and emerging techniques.

New tools will be coming to the market in the next few years that aid in security analytics, but enterprise security is a process; it won't come in a box. An important part of detection analytics is the people and process side of the equation. Although many advanced detection techniques may not be available in off-the-shelf software today, organizations can begin to invest in training their analysts to look at and understand data. Analysts need to learn to think like a scientist: examine data, make hypotheses, experiment, and come to conclusions based on hard data. These skills can be developed on the tools that are currently available in a modern Security Operations Center (SOC). Organizations that start practicing security detection analytics today will be better prepared for dealing with new, unknown threats in the future.

[Figure 1. A vision for security detection analytics: a matrix of detection techniques labeled Existing, Emerging, and Advanced, covering Understand, Explore, Explain, and Detect. Depth => increase in effectiveness.]

Organizations will need enterprise security experts to become experts in data analytics. These people are referred to as advanced detection analysts or hunt team members. In smaller organizations, detection analytics will become part of the everyday job of the senior analysts. Larger organizations that run an SOC 24x7 can move some of their senior analysts into detection analytics roles, as the Hewlett Packard Enterprise Cyber Defense Center has done. If detection analytics is done right, it will enable the SOC to tailor and refine security information and event management (SIEM) use cases, which should reduce the workload on first-tier analysts over time.

How to start practicing security analytics?
Marketing organizations have been using better and better data for decades, but they didn't start with Big Data and machine learning. They started with pencil-and-paper calculations, followed by spreadsheets, business information tools, and only recently machine learning. With each step, they used a more complex model to look at more data. Often the biggest wins came from taking the first few baby steps. The same is true in the realm of cyber defense.

Start with the data you have
If you have an existing SOC, you should already have your organization's most valuable information available. Instead of attempting to collect and parse a new source of data, come up with things you can look for in the data you already collect. Once you have experience doing data-driven security, then you can look for new sources of data to bring in.

Prototype on a sample of your data
One of the biggest hurdles to data-driven security is time spent waiting on the database to return a search query. You need to find ways to avoid having people wait on machines. Often, the secret to doing things quickly is doing fewer things. If you work on a subset of the data that fits in the RAM of your local desktop, you can iterate much more quickly. You can make a dataset smaller by sampling, summarization, and excluding irrelevant fields. You can do this today at very minimal cost using existing tools. Understanding your data and what is relevant to security analytics greatly reduces the datasets for analysis and the cost of analyzing the data.

Sample several ways
Looking at the 100,000 most recent events or sampling 1/10,000 events may be the most obvious way to take a sample of events, but there are other ways to sample a set of events. Here are some examples:

- Select events from one Web server for a month
- Select events where the source or destination is in one /24 subnet
- Select events at 10:23 a.m. every Wednesday for the past year
- Select outbound firewall events from the San Francisco data center
- Select events from sources that only generate a small number of events
- Select summarized data (e.g., VPN session information by user, source, and byte count)

There is more to sample than just events; subnets, users, departments, or geographical regions could all be sampled. Ultimately, every sample will be a biased sample in some way. It is important to understand how a sample is biased when working with it. For example, randomly selecting events will lose the relationships between the events. A dense, strongly connected network of events between different machines will turn into sparse, disconnected events.

Have a well-defined goal
There is value in wandering and undirected exploration, but it should not be the primary task of the detection analyst. Instead, try to create questions that have objective answers. Here are some questions you could investigate:

- Look at internal port scans on port 3389 from last month. What happened to the machines that accepted packets?
- How do events that were attributed to recently terminated employees compare to those of employees who were not terminated?
- What are the main flows between major network segments, like user VLANs to externally facing DMZs?
- For SCADA systems, do we have any suspect network communications going to and from each system?
- For PCI servers, are there any outliers related to processes running on systems?

You may find something that was different from what you were looking for. That is great, but having defined goals means you are not looking at the same things repeatedly. This is also a great security team brainstorming exercise.

What skills do I need?
Security detection analysts will need skills in statistics, visualization, and exploratory data analysis.

Statistics
Detection analysts need to learn to use some basic statistics. It may seem scary at first, but there are real gains to be had in applying basic statistical analysis to enterprise security problems. The two main branches of statistics are descriptive statistics and inferential statistics. Descriptive statistics describe the properties of a dataset. Inferential statistics is used to determine if a result could be caused by random chance. It is often used in science to determine if a result is statistically significant. Unfortunately, techniques for inferential statistics tend to be misused and misinterpreted. Significance testing is useful, but should only be used once truly understood. Instead, organizations should first focus on using descriptive statistics and visualizations. Here are some of the most useful descriptive statistics:

- Mean: Average value in a sample.

- Median: The middle value in a sample. Half the values are greater than the median, and half of the values are less than the median. The median is less influenced by outliers than the mean is, and so it can be more useful in a security context than the mean.
- Mode: The most common value in a set of data. The mode is particularly useful for understanding categorical distributions, which are common in security data.
- First quartile: The median value of the values that are smaller than the median. This is also known as the 25th percentile.
- Third quartile: The median value of the values that are larger than the median. This is also known as the 75th percentile. Comparing the mean, median, first quartile, and third quartile can give you a good idea of the distribution.
- Minimum and maximum: Smallest and largest value in a sample. These values are often outliers.
- Standard deviation: Measurement of how much variation there is in a group of values. For example, a predictable user may log in every day at 8:55 a.m. with a standard deviation of three minutes, whereas a user with a more erratic schedule may log in at 9:10 a.m. with a standard deviation of one hour. Standard deviation can be used to detect outliers. For example, a rule could be created that triggers when a value is two standard deviations greater than the mean.

These values can be calculated in an HPE ArcSight Logger report with sufficiently clever SQL statements, but they are easier to calculate in a spreadsheet or a system for scientific statistical computing like R.

Analysts should learn to recognize common distributions they see in their data. If you understand the distribution of a dataset, you can predict what process is causing the distribution. Knowing the distribution will also give you a sense of what is expected and what is unexpected. Here are a few of the distributions security professionals are most likely to see:

Uniform distribution: This field is constant, or is constant for a limited range. People may dismiss a graph that shows a uniform distribution as being useless, but that is not the case. The uniform distribution is the hallmark of a machine: a cron job that runs every five minutes or a program that generates random IP addresses, like a worm, will result in a uniform distribution.

Normal (Gaussian) distribution: The classic bell curve. Lots of natural processes fit a bell curve: the time of day that a person starts working or errors in measurement.

Log-normal distribution: The "when it rains, it pours" distribution. Log-normal distributions often show up in cases when negative numbers do not make sense. The number of bytes in a file or request will generally fit a log-normal distribution. If you transform the number of bytes per request with the function log(1 + bytes), you will get something that looks more like a normal distribution. After the transformation, descriptive statistics like standard deviation and average will be more useful.

Power-law distribution: The "it never rains, but when it does, there is a flash flood" distribution. The number of events per destination IP address will follow a power-law distribution: a handful of IP addresses will have millions of events and millions of IP addresses have a handful of events. The average and standard deviation of a power-law distribution are generally not useful: your DNS server may generate enough events to be seven standard deviations above average, but that doesn't mean there is anything wrong with it. In practice, security infrastructure should deal with the two sides of the distribution separately. Security organizations often generate reports that list the top 10 event sources; they should also summarize the behavior of the bottom 10 percent of event sources.
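The power-law caveat above, as an added Python example (not from the paper): on per-source event counts, the two-sigma rule flags only the busy DNS server and cannot flag a quiet source at all, while a top-10 report plus a bottom-10-percent summary covers both ends. The addresses and counts are constructed for illustration.

```python
from statistics import mean, stdev


def constructed_counts():
    """Events per source address for one day. Constructed sample data."""
    counts = {
        "10.0.0.53": 1_000_000,  # DNS server (hypothetical address)
        "10.0.0.25": 80_000,     # mail relay
        "10.0.0.80": 40_000,     # web proxy
    }
    for i in range(92):          # workstations: 500 to 1,410 events each
        counts[f"10.1.0.{i + 1}"] = 500 + 10 * i
    for host, n in zip(range(1, 6), (1, 2, 3, 5, 8)):  # sources that barely log
        counts[f"10.9.9.{host}"] = n
    return counts


def z_scores(counts):
    """Standard deviations above (+) or below (-) the mean, per source."""
    values = list(counts.values())
    mu, sigma = mean(values), stdev(values)
    return {src: (n - mu) / sigma for src, n in counts.items()}


def two_sigma_outliers(counts):
    """Sources more than two standard deviations from the mean, on either side."""
    return sorted(src for src, z in z_scores(counts).items() if abs(z) > 2)


def head_and_tail(counts, top_n=10, tail_percent=10):
    """Split the ranking into the top N talkers and the quietest tail_percent."""
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    tail_size = max(1, len(ranked) * tail_percent // 100)
    head = ranked[:top_n]
    tail = ranked[-tail_size:][::-1]  # quietest source first
    return head, tail


def summarize_tail(tail, total_events):
    """Describe the quiet end of the distribution instead of scoring it."""
    events = sum(n for _, n in tail)
    return {
        "sources": len(tail),
        "events": events,
        "share_of_all_events": events / total_events,
        "quietest": tail[:5],
    }


if __name__ == "__main__":
    counts = constructed_counts()
    z = z_scores(counts)
    print("two-sigma outliers:", two_sigma_outliers(counts))
    print("DNS server z-score: %.1f" % z["10.0.0.53"])
    print("lowest z-score:     %.2f" % min(z.values()))
    head, tail = head_and_tail(counts)
    print("top talkers:", head[:3])
    print("tail summary:", summarize_tail(tail, sum(counts.values())))
```

Because the mean sits far less than two standard deviations above zero, no source can ever score below -2, which is why the quiet end needs its own report.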

Categorical distribution: The variable can take any value from an unordered set of values. A large fraction of the data you see in security settings is categorical: device types, top-level domains, TCP ports, and HTTP verbs are all categorical.

Mixture distribution: Often there are several different processes that combine together to form a distribution. For example, the number of events per second will fluctuate based on the time of day and day of week according to a predictable pattern, but other sources of events will always generate the same number of events per hour.

Visualizations
Most security products have some amount of visualization built in. HPE ArcSight Enterprise Security Management (ESM), HPE ArcSight Logger, and HPE ArcSight Interactive Discovery all support data visualization. Spreadsheets and business intelligence tools are also useful.

Traditional charts
Most security tools will support some form of bar graphs, line graphs, and pie charts. These are powerful tools and have the advantage that most people already know how to interpret them. However, information in a pie chart is often better presented in a bar graph, as it is easier to compare the relative size of bars than of pie slices.

This line graph shows the count of events per hour by device type (where each color is a different device type): The purple and green lines look different because their devices are sending events with incorrect timestamps. The count of events is shown on a logarithmic scale so that the relatively quiet devices are still visible. This kind of summary information can be good for sanity checking the health of your operations and sensor grid.

Dashboards
HPE ArcSight ESM and Logger both support dashboards that display up-to-date stats about your system:

Event graphs
HPE ArcSight ESM can display related events in a graph. This graph shows the sources and destinations for several events: Attackers are represented by red squares, events are turquoise circles, targets are white squares, and hosts that are both targets and attackers are blue squares. From this graph, you can see how a group of events is related to each other. Many patterns of attack are intuitively obvious from this type of visualization, which makes it very useful for explanation.

Scatter plot
A scatter plot shows the relationship between two variables. The following scatter plot shows attacker address vs. target address colored by event name. Several interesting patterns stand out: dark areas from the more popular destination subnets, a diagonal line caused by traffic inside the same subnet, and vertical lines from scans.

Parabox
A parabox is a tool to visualize several variables at the same time. Each variable is shown in a different column. Here is an example: The first column shows all of the events that have the category device group /Firewall. In the second column is a histogram of what time of day the events took place. There are more events during the daytime. The next column shows the relative popularity of the five different event names. In the previous image, everything is colored by the event name, but that can be changed to highlight a different field.

When you connect a new device to HPE ArcSight, it can help to look at a sample of events from that device in a parabox display. This will give you an idea of what values those fields typically contain and the relationship between the fields of an event. A parabox display is also a good way to help new analysts understand what normal events look like. It is often also used for root cause analysis of events that were identified with broader visual analysis graphics; think drill-down.

Treemap
A treemap shows the relative size of hierarchical data. This map shows events grouped first by port and then by event name: The most common type of event in this treemap is the portsweep on port 80, in red in the top left rectangle. This is a great approach to summarize both the top talkers and the most low-and-slow sources.

Exploration
If you want to have "aha!" moments, you need to iterate. Detection analysts can have the computer summarize the data one way, find something interesting, and then summarize it a different way. They can also drill down to get more details about a set of events. HPE ArcSight Interactive Discovery, Logger pivoting search, and the pivot tables feature found in most spreadsheet applications can all be used for exploration.

Exploration in HPE ArcSight Interactive Discovery
Here is an example exploration in HPE ArcSight Interactive Discovery. The treemap from the previous page shows portsweeps on ports 80, 22, and 137. It seems strange that there are no scans targeting port 443. Let's focus on just the events on port 80: Then switch back to the scatter plot, which shows sources and destinations, and we see that all the events are coming from only two subnets: After more investigation, it turns out that all those events were coming from just two IP addresses. Since there were only two scans on port 80 in this dataset, it seems reasonable that there were no scans on port 443. Sometimes you run into a dead end while hunting.

Let's now look at the internal port scan. The relevant events are selected in the following graphic:

Exclude all the other events, and go back to the parabox plot: In this graph, the events that have a category outcome of /Success are selected. From this graph, you can see that most of the events were dropped. There were five events that represent successful connections. From the graph, you can see that all of the successful connections happened on port 137. From here, you could investigate the individual machines that were connected to successfully, or you could investigate the machine that was the source of the scans.

Exploration with scientific computing tools
There are several programming tools on the market that are built for scientists with some programming ability rather than software developers. These tools are a good fit for enterprise security problems that are too complicated to solve in a spreadsheet. These tools have the interactivity of spreadsheets, but they can be converted to reusable scripts and are less cumbersome when dealing with thousands of records.

Often a hunt team member will need to combine data from several sources to answer a question. In this example exploration, we export the results of two HPE ArcSight Logger queries into CSV files, load them into a small Python program, and then graph the data. This example compares the distribution of IP addresses for the sources of inbound firewall events to the distribution of destinations of outbound events. This code was run in a Web browser using IPython Notebook:

Here is an example of why understanding the distribution of data can aid in a security investigation. It shows the number of unique source IP addresses in blue and the number of unique destinations in green for each /8 subnet. The blue line is what it looks like when people do random. The rather complicated distribution is the result of three decades of IP address allocation. Some subnets were divvied up by ARIN and have lots of machines, while other subnets, such as the amateur radio ( /8), don't. On the other hand, the green line shows machines doing random: it has a uniform distribution. From this graph, you can see that most of the unique IP addresses on this network are caused by programs that are picking IP addresses at random. If you go back and find the machines that are the source of these outbound events that connect to unique destination IP addresses, you are likely to find compromised machines.
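An added example of the comparison described above, not the notebook code from the paper: it counts unique addresses per /8 from two CSV exports, scores how uniform each histogram is, and ranks internal sources by how many /8 blocks they reach. The column names sourceAddress and destinationAddress, the entropy-based uniformity score, and the sample rows are assumptions constructed for this example.

```python
import csv
import io
import math
from collections import defaultdict
from ipaddress import IPv4Address

# Column names are assumptions for this example; use whatever your export emits.
SRC, DST = "sourceAddress", "destinationAddress"


def constructed_exports():
    """Return (inbound_csv, outbound_csv) text. Constructed sample data, not real logs."""
    inbound = [f"{SRC},{DST}"]
    for i in range(120):  # inbound sources cluster in five /8 blocks
        inbound.append(f"{(23, 52, 104, 172, 203)[i % 5]}.{i % 7}.{i}.10,192.0.2.10")
    outbound = [f"{SRC},{DST}"]
    for i in range(60):   # two workstations talking to a couple of services
        outbound.append(f"10.1.1.{20 + i % 2},{(52, 104)[i % 2]}.20.{i}.5")
    for i in range(200):  # one host walking the whole address space
        outbound.append(f"10.1.1.66,{1 + (i * 53) % 223}.{i % 250}.7.9")
    return "\n".join(inbound), "\n".join(outbound)


def load_rows(csv_text):
    """Parse an exported CSV (header row first) into a list of dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def slash8(address):
    """First octet of an IPv4 address, i.e. its /8 block."""
    return int(IPv4Address(address)) >> 24


def unique_per_slash8(addresses):
    """Map each /8 block to the number of distinct addresses seen in it."""
    seen = defaultdict(set)
    for address in addresses:
        seen[slash8(address)].add(address)
    return {block: len(members) for block, members in seen.items()}


def uniformity(per_block):
    """Shannon entropy of the /8 histogram divided by 8 bits.

    1.0 would mean unique addresses spread evenly over all 256 blocks;
    values near 0 mean they concentrate in a few blocks.
    """
    total = sum(per_block.values())
    if total == 0:
        return 0.0
    entropy = -sum((n / total) * math.log2(n / total) for n in per_block.values())
    return entropy / 8.0


def rank_sources_by_spread(rows):
    """Per source: (source, unique destinations, /8 blocks reached), widest first."""
    dests = defaultdict(set)
    for row in rows:
        dests[row[SRC]].add(row[DST])
    ranked = [(s, len(d), len({slash8(a) for a in d})) for s, d in dests.items()]
    return sorted(ranked, key=lambda t: (-t[2], -t[1], t[0]))


if __name__ == "__main__":
    inbound_csv, outbound_csv = constructed_exports()
    inbound, outbound = load_rows(inbound_csv), load_rows(outbound_csv)
    src_hist = unique_per_slash8(r[SRC] for r in inbound)
    dst_hist = unique_per_slash8(r[DST] for r in outbound)
    print("inbound sources,  uniformity: %.2f" % uniformity(src_hist))
    print("outbound targets, uniformity: %.2f" % uniformity(dst_hist))
    for source, n_dests, n_blocks in rank_sources_by_spread(outbound):
        print(f"{source}: {n_dests} unique destinations in {n_blocks} /8 blocks")
```

The source at the top of the ranking is the one to pull full event history for; the histogram dictionaries can be passed to any plotting library to reproduce the blue and green lines.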

Conclusion
There has been plenty of buzz about the future of Big Data, machine learning, and analytics for enterprise security, but the fact of the matter is that organizations can, and should, start practicing security detection analytics now. Organizations that start to practice security detection analytics now will be better prepared for the future. Hunt team members who grow their skills in the areas of statistics, visualization, and exploration will be more productive and will ultimately keep their organizations more secure.

About HPE Enterprise Security
HPE is a leading provider of security and compliance solutions for the modern enterprise that wants to mitigate risk in its hybrid environment and defend against advanced threats. Based on market-leading products from HPE ArcSight, HPE Fortify, HPE Atalla, and HPE TippingPoint, the HPE Security Intelligence Platform uniquely delivers the advanced correlation, application protection, and network defenses to protect today's hybrid IT infrastructure from sophisticated cyber threats.

Hunting is not simply a technology solution; it involves skilled people executing thoughtful and effective processes. Hunting also involves much more than security analytics alone. HPE leverages emerging capabilities and hunting techniques with our customers to enable them to build a full program for detection and analysis of a wide variety of threats. The HPE Security Intelligence and Operations Consulting (SIOC) group provides services to develop hunt team operations, including security analytics.

Learn more at hp.com/go/sioc

Copyright 2015 Hewlett Packard Enterprise Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HPE products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HPE shall not be liable for technical or editorial errors or omissions contained herein.

4AA5-8031ENW, November 2015, Rev. 1


More information

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments Today s PCI compliance landscape is one of continuing change and scrutiny. Given the number

More information

SIEM Solutions from McAfee

SIEM Solutions from McAfee SIEM Solutions from McAfee Monitor. Prioritize. Investigate. Respond. Today s security information and event management (SIEM) solutions need to be able to identify and defend against attacks within an

More information

STAY ONE STEP AHEAD OF THE CRIMINAL MIND. F-Secure Rapid Detection & Response

STAY ONE STEP AHEAD OF THE CRIMINAL MIND. F-Secure Rapid Detection & Response STAY ONE STEP AHEAD OF THE CRIMINAL MIND F-Secure Rapid Detection & Response INTRO PROTECT YOUR BUSINESS AND ITS DATA AGAINST ADVANCED ATTACKS Effective pre-compromise threat prevention is the cornerstone

More information

Building Resilience in a Digital Enterprise

Building Resilience in a Digital Enterprise Building Resilience in a Digital Enterprise Top five steps to help reduce the risk of advanced targeted attacks To be successful in business today, an enterprise must operate securely in the cyberdomain.

More information

Power of the Threat Detection Trinity

Power of the Threat Detection Trinity White Paper Security Power of the Threat Detection Trinity How to Best Combine Real-time Correlation, Insider Threat Analysis and Hunting to protect against cyber threats. Combine real-time correlation,

More information

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta CYBER ANALYTICS Architecture Overview Technical Brief May 2016 novetta.com 2016, Novetta Novetta Cyber Analytics: Technical Architecture Overview 1 INTRODUCTION 2 CAPTURE AND PROCESS ALL NETWORK TRAFFIC

More information

ARC VIEW. Critical Industries Need Active Defense and Intelligence-driven Cybersecurity. Keywords. Summary. By Sid Snitkin

ARC VIEW. Critical Industries Need Active Defense and Intelligence-driven Cybersecurity. Keywords. Summary. By Sid Snitkin ARC VIEW DECEMBER 7, 2017 Critical Industries Need Active Defense and Intelligence-driven Cybersecurity By Sid Snitkin Keywords Industrial Cybersecurity, Risk Management, Threat Intelligence, Anomaly &

More information

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS 10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS WHITE PAPER INTRODUCTION BANKS ARE A COMMON TARGET FOR CYBER CRIMINALS AND OVER THE LAST YEAR, FIREEYE HAS BEEN HELPING CUSTOMERS RESPOND

More information

ACTIONABLE SECURITY INTELLIGENCE

ACTIONABLE SECURITY INTELLIGENCE ACTIONABLE SECURITY INTELLIGENCE Palo Alto Networks ACC, Logging and Reporting Data is widely available. What is scarce is the ability to extract actionable intelligence from it. Palo Alto Networks next-generation

More information

Behavioral Analytics A Closer Look

Behavioral Analytics A Closer Look SESSION ID: GPS2-F03 Behavioral Analytics A Closer Look Mike Huckaby VP, Global Systems Engineering RSA The world is full of obvious things which nobody by any chance ever observes. Sherlock Holmes 2 Patterns

More information

Managing Your IP Telephony Environment

Managing Your IP Telephony Environment Managing Your IP Telephony Environment with HP OpenView The Growing Need to Manage IP Telephony...2 Designing an IP Telephony Solution...2 Installing and Configuring an IP Telephony Solution...4 Maintaining

More information

ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE

ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE Vectra Cognito HIGHLIGHTS Finds active attackers inside your network Automates security investigations with conclusive

More information

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1 RSA Advanced Security Operations Richard Nichols, Director EMEA 1 What is the problem we need to solve? 2 Attackers Are Outpacing Defenders..and the Gap is Widening Attacker Capabilities The defender-detection

More information

ForeScout Extended Module for Splunk

ForeScout Extended Module for Splunk Enterprise Strategy Group Getting to the bigger truth. ESG Lab Review ForeScout Extended Module for Splunk Date: May 2017 Author: Tony Palmer, Senior Lab Analyst Abstract This report provides a first look

More information

Evolution Of Cyber Threats & Defense Approaches

Evolution Of Cyber Threats & Defense Approaches Evolution Of Cyber Threats & Defense Approaches Antony Abraham IT Architect, Information Security, State Farm Kevin McIntyre Tech Lead, Information Security, State Farm Agenda About State Farm Evolution

More information

Security Automation Best Practices

Security Automation Best Practices WHITEPAPER Security Automation Best Practices A guide to making your security team successful with automation TABLE OF CONTENTS Introduction 3 What Is Security Automation? 3 Security Automation: A Tough

More information

ArcSight Activate Framework

ArcSight Activate Framework ArcSight Activate Framework Petropoulos #HPProtect 44% Have trouble managing their SIEM eiqnetworks 2013 SIEM Survey #1 challenge Identification of key events SANS 2012 Log Management and Event Management

More information

Improving the Effectiveness of Log Analysis with HP ArcSight Logger 6

Improving the Effectiveness of Log Analysis with HP ArcSight Logger 6 Improving the Effectiveness of Log Analysis with HP ArcSight Logger 6 A SANS Product Review Written by Dave Shackleford April 2015 Sponsored by HP 2015 SANS Institute Introduction Most organizations today

More information

NEXT GENERATION SECURITY OPERATIONS CENTER

NEXT GENERATION SECURITY OPERATIONS CENTER DTS SOLUTION NEXT GENERATION SECURITY OPERATIONS CENTER SOC 2.0 - ENHANCED SECURITY O&M SOC 2.0 - SUCCESS FACTORS SOC 2.0 - FUNCTIONAL COMPONENTS DTS SOLUTION SOC 2.0 - ENHANCED SECURITY O&M SOC 2.0 Protecting

More information

SQL/MX UPDATE STATISTICS Enhancements

SQL/MX UPDATE STATISTICS Enhancements SQL/MX UPDATE STATISTICS Enhancements Introduction... 2 UPDATE STATISTICS Background... 2 Tests Performed... 2 Test Results... 3 For more information... 7 Introduction HP NonStop SQL/MX Release 2.1.1 includes

More information

Popular SIEM vs aisiem

Popular SIEM vs aisiem Popular SIEM vs aisiem You cannot flip a page in any Cybersecurity magazine, or scroll through security blogging sites without a mention of Next Gen SIEM. You can understand why traditional SIEM vendors

More information

SOLUTION BRIEF RSA NETWITNESS PLATFORM ACCELERATED THREAT DETECTION & AUTOMATED RESPONSE FROM THE ENDPOINT TO THE CLOUD

SOLUTION BRIEF RSA NETWITNESS PLATFORM ACCELERATED THREAT DETECTION & AUTOMATED RESPONSE FROM THE ENDPOINT TO THE CLOUD RSA NETWITNESS PLATFORM ACCELERATED THREAT DETECTION & AUTOMATED RESPONSE FROM THE ENDPOINT TO THE CLOUD OVERVIEW Information security has been a major challenge for organizations since the dawn of the

More information

A Practical Guide to Efficient Security Response

A Practical Guide to Efficient Security Response A Practical Guide to Efficient Security Response The Essential Checklist Start The Critical Challenges to Information Security Data breaches constantly threaten the modern enterprise. And the risk continues

More information

THE CYBERSECURITY LITERACY CONFIDENCE GAP

THE CYBERSECURITY LITERACY CONFIDENCE GAP CONFIDENCE: SECURED WHITE PAPER THE CYBERSECURITY LITERACY CONFIDENCE GAP ADVANCED THREAT PROTECTION, SECURITY AND COMPLIANCE Despite the fact that most organizations are more aware of cybersecurity risks

More information

CloudSOC and Security.cloud for Microsoft Office 365

CloudSOC and  Security.cloud for Microsoft Office 365 Solution Brief CloudSOC and Email Security.cloud for Microsoft Office 365 DID YOU KNOW? Email is the #1 delivery mechanism for malware. 1 Over 40% of compliance related data in Office 365 is overexposed

More information

MCAFEE INTEGRATED THREAT DEFENSE SOLUTION

MCAFEE INTEGRATED THREAT DEFENSE SOLUTION IDC Lab Validation Report, Executive Summary MCAFEE INTEGRATED THREAT DEFENSE SOLUTION Essential Capabilities for Analyzing and Protecting Against Advanced Threats By Rob Ayoub, CISSP, IDC Security Products

More information

TRIPWIRE VIA PLATFORM PROTECTING YOUR DATA WITH INTEGRATED SECURITY CONTROLS

TRIPWIRE VIA PLATFORM PROTECTING YOUR DATA WITH INTEGRATED SECURITY CONTROLS SOLUTION BRIEF TRIPWIRE VIA PLATFORM PROTECTING YOUR DATA WITH INTEGRATED CONTROLS..: Tripwire security controls capture activity data from monitored assets no matter if you rely on physical, virtual,

More information

Scrutinizer Flow Analytics

Scrutinizer Flow Analytics Scrutinizer Flow Analytics TM Scrutinizer Flow Analytics Scrutinizer Flow Analytics is an expert system that highlights characteristics about the network. It uses flow data across dozens or several hundred

More information

WHITE PAPER. Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale

WHITE PAPER. Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale WHITE PAPER Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale One key number that is generally

More information

Reduce Your Network's Attack Surface

Reduce Your Network's Attack Surface WHITE PAPER Reduce Your Network's Attack Surface Ixia's ThreatARMOR Frees Up Security Resources and Personnel The Threat Landscape When you re dealing with network security, one of the primary measurements

More information

BREACHES HAPPEN: BE PREPARED. Endpoint Detection & Response

BREACHES HAPPEN: BE PREPARED. Endpoint Detection & Response BREACHES HAPPEN: BE PREPARED. Endpoint Detection & Response INTRO PROTECT YOUR BUSINESS AND ITS DATA AGAINST ADVANCED ATTACKS Effective pre-compromise threat prevention is the cornerstone of cyber security,

More information

MESSAGING SECURITY GATEWAY. Solution overview

MESSAGING SECURITY GATEWAY. Solution overview MESSAGING SECURITY GATEWAY Solution overview April 2017 CONTENTS Executive Summary...3 The case for email protection and privacy... 3 Privacy in email communication... 3 LinkedIn Phishing Sample...4 Messaging

More information

SIEM: Five Requirements that Solve the Bigger Business Issues

SIEM: Five Requirements that Solve the Bigger Business Issues SIEM: Five Requirements that Solve the Bigger Business Issues After more than a decade functioning in production environments, security information and event management (SIEM) solutions are now considered

More information

SECURITY AUTOMATION BEST PRACTICES. A Guide to Making Your Security Team Successful with Automation

SECURITY AUTOMATION BEST PRACTICES. A Guide to Making Your Security Team Successful with Automation SECURITY AUTOMATION BEST PRACTICES A Guide to Making Your Security Team Successful with Automation TABLE OF CONTENTS Introduction 3 What Is Security Automation? 3 Security Automation: A Tough Nut to Crack

More information

Whitepaper. Advanced Threat Hunting with Carbon Black Enterprise Response

Whitepaper. Advanced Threat Hunting with Carbon Black Enterprise Response Advanced Threat Hunting with Carbon Black Enterprise Response TABLE OF CONTENTS Overview Threat Hunting Defined Existing Challenges and Solutions Prioritize Endpoint Data Collection Over Detection Leverage

More information

Integrated McAfee and Cisco Fabrics Demolish Enterprise Boundaries

Integrated McAfee and Cisco Fabrics Demolish Enterprise Boundaries Integrated McAfee and Cisco Fabrics Demolish Enterprise Boundaries First united and open ecosystem to support enterprise-wide visibility and rapid response The cybersecurity industry needs a more efficient

More information

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS Digital Forensics Readiness: PREPARE BEFORE AN INCIDENT HAPPENS 2 Digital Forensics Readiness The idea that all networks can be compromised

More information

RSA IT Security Risk Management

RSA IT Security Risk Management RSA IT Security Risk Adding Insight to Security March 18, 2014 Wael Jaroudi GRC Sales Specialist 1 Where is Security Today? Companies have built layer upon layer of security, but is it helping? Complexity

More information

Un SOC avanzato per una efficace risposta al cybercrime

Un SOC avanzato per una efficace risposta al cybercrime Un SOC avanzato per una efficace risposta al cybercrime Identificazione e conferma di un incidente @RSAEMEA #RSAEMEASummit @masiste75 Mauro Costantini - Presales Consultant Agenda A look into the threat

More information

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION BREACH & ATTACK SIMULATION THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION Cymulate s cyber simulation platform allows you to test your security assumptions, identify possible security gaps and receive

More information

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output: Volume: 75 Questions Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output: Which of the following is occurring? A. A ping sweep B. A port scan

More information

IP Profiler. Tracking the activity and behavior of an IP address. Author: Fred Thiele (GCIA, CISSP) Contributing Editor: David Mackey (GCIH, CISSP)

IP Profiler. Tracking the activity and behavior of an IP address. Author: Fred Thiele (GCIA, CISSP) Contributing Editor: David Mackey (GCIH, CISSP) Security Intelligence June 2005 IP Profiler Tracking the activity and behavior of an IP address Author: Fred Thiele (GCIA, CISSP) Contributing Editor: David Mackey (GCIH, CISSP) Page 2 Contents 3 Profiling

More information

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture About this Course This course will best position your organization to analyse threats and detect anomalies that could indicate cybercriminal behaviour. The payoff for this new proactive approach would

More information

Technical Brief: Domain Risk Score Proactively uncover threats using DNS and data science

Technical Brief: Domain Risk Score Proactively uncover threats using DNS and data science Technical Brief: Domain Risk Score Proactively uncover threats using DNS and data science 310 Million + Current Domain Names 11 Billion+ Historical Domain Profiles 5 Million+ New Domain Profiles Daily

More information

Security Operations & Analytics Services

Security Operations & Analytics Services Security Operations & Analytics Services www.ecominfotech.biz info@ecominfotech.biz Page 1 Key Challenges Average time to detect an attack (Dwell time) hovers around 175 to 210 days as reported by some

More information

Attackers Process. Compromise the Root of the Domain Network: Active Directory

Attackers Process. Compromise the Root of the Domain Network: Active Directory Attackers Process Compromise the Root of the Domain Network: Active Directory BACKDOORS STEAL CREDENTIALS MOVE LATERALLY MAINTAIN PRESENCE PREVENTION SOLUTIONS INITIAL RECON INITIAL COMPROMISE ESTABLISH

More information

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM Modern threats demand analytics-driven security and continuous monitoring Legacy SIEMs are Stuck in the Past Finding a mechanism to collect, store

More information

Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS

Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS Overview Cyberattacks are increasingly getting more frequent, more sophisticated and more widespread than ever

More information

Data Visualization Techniques

Data Visualization Techniques Data Visualization Techniques From Basics to Big Data with SAS Visual Analytics WHITE PAPER SAS White Paper Table of Contents Introduction.... 1 Generating the Best Visualizations for Your Data... 2 The

More information

SECURITY AUTOMATION BEST PRACTICES. A Guide on Making Your Security Team Successful with Automation SECURITY AUTOMATION BEST PRACTICES - 1

SECURITY AUTOMATION BEST PRACTICES. A Guide on Making Your Security Team Successful with Automation SECURITY AUTOMATION BEST PRACTICES - 1 SECURITY AUTOMATION BEST PRACTICES A Guide on Making Your Security Team Successful with Automation SECURITY AUTOMATION BEST PRACTICES - 1 Introduction The best security postures are those that are built

More information

Information Security and Service Management. Security and Risk Management ISSM and ITIL/ITSM Interrelationship

Information Security and Service Management. Security and Risk Management ISSM and ITIL/ITSM Interrelationship Information Security and Service Management for Management better business for State outcomes & Local Governments Security and Risk Management ISSM and ITIL/ITSM Interrelationship Introduction Over the

More information

Massive Scalability With InterSystems IRIS Data Platform

Massive Scalability With InterSystems IRIS Data Platform Massive Scalability With InterSystems IRIS Data Platform Introduction Faced with the enormous and ever-growing amounts of data being generated in the world today, software architects need to pay special

More information

An Aflac Case Study: Moving a Security Program from Defense to Offense

An Aflac Case Study: Moving a Security Program from Defense to Offense SESSION ID: CXO-W11 An Aflac Case Study: Moving a Security Program from Defense to Offense Tim Callahan SVP & Global CISO Aflac Threat Landscape Selected losses > 30,000 records (updated 10/15/16) Security

More information

DATA SHEET AlienVault USM Anywhere Powerful Threat Detection and Incident Response for All Your Critical Infrastructure

DATA SHEET AlienVault USM Anywhere Powerful Threat Detection and Incident Response for All Your Critical Infrastructure DATA SHEET AlienVault USM Anywhere Powerful Threat Detection and Incident Response for All Your Critical Infrastructure AlienVault USM Anywhere accelerates and centralizes threat detection, incident response,

More information

Lie, Cheat and Deceive: Change the Rules of Cyber Defense

Lie, Cheat and Deceive: Change the Rules of Cyber Defense SESSION ID: SPO-W10A Lie, Cheat and Deceive: Change the Rules of Cyber Defense Sameh Sabry Associate Vice President Professional Services Spire Solutions Why continue to do things the way we always have?

More information

You Can t Stop What You Can t See

You Can t Stop What You Can t See SESSION ID: EXP-RO4 You Can t Stop What You Can t See Learning from the experiences of others Jared Myers Principal Consultant RSA Incident Response RSA, The Security Division of EMC Grant Geyer Senior

More information

HPE Knowledge Article

HPE Knowledge Article HPE Knowledge Article BIG-IP Local Traffic Manager (LTM) Series - load balancing not working as expected Article Number mmr_sf-en_us000005176 Environment BIG-IP-LTM-1500 series Issue Load balancing to

More information

How your network can take on the cloud and win. Think beyond traditional networking toward a secure digital perimeter

How your network can take on the cloud and win. Think beyond traditional networking toward a secure digital perimeter How your network can take on the cloud and win Think beyond traditional networking toward a secure digital perimeter Contents Introduction... 3 Reduce risk points with secure, contextualized access...

More information

What s New in Spotfire DXP 1.1. Spotfire Product Management January 2007

What s New in Spotfire DXP 1.1. Spotfire Product Management January 2007 What s New in Spotfire DXP 1.1 Spotfire Product Management January 2007 Spotfire DXP Version 1.1 This document highlights the new capabilities planned for release in version 1.1 of Spotfire DXP. In this

More information

HPE Security ArcSight User Behavior Analytics

HPE Security ArcSight User Behavior Analytics HPE Security ArcSight Analytics Software Version: 5.0 Integration and Content Guide July 21, 2016 Legal Notices Warranty The only warranties for Hewlett Packard Enterprise products and services are set

More information

Unlocking the Power of the Cloud

Unlocking the Power of the Cloud TRANSFORM YOUR BUSINESS With Smarter IT Unlocking the Power of the Cloud Hybrid Networking Managed Security Cloud Communications Software-defined solutions that adapt to the shape of your business The

More information

SIEM Product Comparison

SIEM Product Comparison SIEM Product Comparison SIEM Technology Space SIEM market analysis of the last 3 years suggest: Market consolidation of SIEM players (25 vendors in 2011 to 16 vendors in 2013) Only products with technology

More information

Enterprise D/DoS Mitigation Solution offering

Enterprise D/DoS Mitigation Solution offering Enterprise D/DoS Mitigation Solution offering About the Domain TCS Enterprise Security and Risk Management (ESRM) offers full services play in security with integrated security solutions. ESRM s solution

More information

SIEMLESS THREAT MANAGEMENT

SIEMLESS THREAT MANAGEMENT SOLUTION BRIEF: SIEMLESS THREAT MANAGEMENT SECURITY AND COMPLIANCE COVERAGE FOR APPLICATIONS IN ANY ENVIRONMENT Evolving threats, expanding compliance risks, and resource constraints require a new approach.

More information

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Enhancing the Cybersecurity of Federal Information and Assets through CSIP TECH BRIEF How BeyondTrust Helps Government Agencies Address Privileged Access Management to Improve Security Contents Introduction... 2 Achieving CSIP Objectives... 2 Steps to improve protection... 3

More information

WHITE PAPER AX WAIT, DID WE JUST BUILD A WIRELESS SWITCH?

WHITE PAPER AX WAIT, DID WE JUST BUILD A WIRELESS SWITCH? WHITE PAPER 80.AX WAIT, DID WE JUST BUILD A WIRELESS SWITCH? November 08 Introduction With the initial versions of 80.ax (Wi-Fi ) coming out, some of the most interesting features and enhancements revolve

More information

WHAT S NEW IN QLIKVIEW 11

WHAT S NEW IN QLIKVIEW 11 WHAT S NEW IN QLIKVIEW 11 QlikView 11 takes Business Discovery to a whole new level by enabling users to more easily share information with coworkers, supporting larger enterprise deployments through enhanced

More information

Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics

Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics Solution Overview Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics BENEFITS Gain visibility across all network conversations, including east-west and north-south

More information