Behavioral Analytics A Closer Look

Size: px

Start display at page:

Download "Behavioral Analytics A Closer Look"

Brook Reeves
5 years ago
Views:

1 SESSION ID: GPS2-F03 Behavioral Analytics A Closer Look Mike Huckaby VP, Global Systems Engineering RSA

2 The world is full of obvious things which nobody by any chance ever observes. Sherlock Holmes 2

3 Patterns Signal And The Noise 3

4 Agenda UBA / UEBA Defined Practical Uses Today What does the future hold? 4

Attackers are Outpacing Defenders Percent of breaches where time to compromise (red)/time to Discovery (blue) was days or less Attacker Capabilities 100% 75% Time to compromise 50% 25% Time to

5 Attackers are Outpacing Defenders Percent of breaches where time to compromise (red)/time to Discovery (blue) was days or less Attacker Capabilities 100% 75% Time to compromise 50% 25% Time to discovery Time to Discovery VERIZON 2014 DATA BREACH INVESTIGATIONS REPORT Copyright 2015 EMC Corporation. Confidential and Proprietary. NDA Required

Defender s Challenges The attack surface is expanding Attackers are becoming more sophisticated Existing strategies & controls are failing Security teams need comprehensive visibility

6 Defender s Challenges The attack surface is expanding Attackers are becoming more sophisticated Existing strategies & controls are failing Security teams need comprehensive visibility from endpoint to cloud Teams need to increase experience & efficiency Tools & processes must adapt to today s threats Copyright 2015 EMC Corporation. Confidential and Proprietary. NDA Required

7 Threat Actors Firewall IDS/IPS AntiVirus Malicious Traffic Evolution of Threat Actors & Detection Implications At first, there were HACKS Preventative controls filter known attack paths Whitespace Successful HACKS Corporate Assets

Threat Actors Evolution of Threat Actors & Detection Implications Firewall IDS/IPS AntiVirus Malicious Traffic More Logs Blocked Session Blocked Session Blocked Session Alert S I E M At

8 Threat Actors Evolution of Threat Actors & Detection Implications Firewall IDS/IPS AntiVirus Malicious Traffic More Logs Blocked Session Blocked Session Blocked Session Alert S I E M At first, there were HACKS Preventative controls filter known attack paths Then, ATTACKS Despite increased investment in controls, including SIEM Whitespace Successful ATTACKS Corporate Assets

9 Threat Actors Evolution of Threat Actors & Detection Implications Firewall IDS/IPS AntiVirus Malicious Traffic Logs Endpoint Visibility Network Visibility Blocked Session Blocked Session Blocked Session Alert Process Network Sessions Advanced Analytics Now, successful ATTACK CAMPAIGNS target any and all whitespace. Complete visibility into every process and network sessions is required to eradicate the attacker opportunity. Unified platform for advanced threat detection & investigations Corporate Assets

10 Behavior what? UBA General Term Fraud and Security UEBA Analysis On Users and Entities Algorithms Machine Learning 10

11 Visibility & Analytics User Behavior: Anomalous Logins Suspect Access Patterns Suspicious tools: Live Off The Land Anomalous Usage Malware Behavior: Suspicious Domains Mechanized Activity Campaign Detection: Related entities Related indicators Related behaviors 11

A Typical Attack Utilizing C2 (2) User clicks link

Gh0st RAT (5) C2 Beaconing (Gh0st Protocol) Command?

Attacker owned control server (client) (6) Attacker

malicious URL COMMAND Examples: Capture webcam

12 A Typical Attack Utilizing C2 (2) User clicks link (3) Dropper is downloaded (4) Dropper downloads Gh0st RAT (5) C2 Beaconing (Gh0st Protocol) Command? Command? COMMAND. Attacker owned control server (client) (6) Attacker Issued Command (1) Spear phishing with link to malicious URL COMMAND Examples: Capture webcam Download file Upload file Keystroke logging Remove existing rootkits Remote shell System inventory

Spotting C2 Exploit Early Real-time Analytics Data Science

streaming HTTP activity Low False Positives Learns from ongoing and

INDICATORS OF A PLANNED C2 EXPLOIT Beaconing Behavior Rare Domains

13 Spotting C2 Exploit Early Real-time Analytics Data Science algorithms Scores on multiple C2 behavior indicators Utilizes streaming HTTP activity Low False Positives Learns from ongoing and historical activity Supervised whitelisting option LEADING INDICATORS OF A PLANNED C2 EXPLOIT Beaconing Behavior Rare Domains Rare User Agents Missing Referrers Domain Age (WhoIS) Suspicious Domains aggregate score

14 Workflow for Investigating a C2 Exploit High Risk Score Indicating a C2 exploit Network Session Details Activities indicating and used to calculate risk score of C2 exploit Enable analyst to pivot into associated network sessions

15 Lateral Movement Detection Identifies suspicious Windows login activity to reveal lateral movement attempts Windows Credential Harvesting Services Suspicious Login activity Explicit logins File move + Services 15

16 Resource Shift Needed: Budgets & People Monitoring 15% Response 5% Monitoring 33% Response 33% Prevention 80% Prevention 33% Today s Priorities Future Requirements

17 Detection: A Layered Approach 17

18 Combining Analytics, Context & Content GRC/CMDB Context 18

19 Apply Slide 1. Evaluate Your Internal Spending Patterns Look for a balanced approach 2.Start Collecting Data Context doesn t appear out of thin air 3. Consult on Data Science Approach You know your business apply analytics to your unique view 19

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

RSA Advanced Security Operations Richard Nichols, Director EMEA 1 What is the problem we need to solve? 2 Attackers Are Outpacing Defenders..and the Gap is Widening Attacker Capabilities The defender-detection