To Catch A Thief
Sam Curry, Chief Technology Officer, RSA, The Security Division of EMC
Security is about...
"Security isn't about security. It is about managing risk at some cost. In the absence of metrics, we tend to overcompensate and focus on risks that are either familiar or recent."
Hugh Thompson, Chief Security Strategist, People Security
Disruptors to IT (and the world)
Keep in mind today and in the coming days that there are three concurrent disruptors in IT:
1. Cloud (Private, Public, Hybrid et al)
2. User-driven IT / Consumer Computing
3. Proliferation and Maturation of Cybercrime
The Criminal Reality today

Context: The Dark Cloud
There is an underground economy

Asset                                                      Going rate
Pay-out for each unique adware installation                30 cents in the United States, 20 cents in Canada, 10 cents in the UK, 2 cents elsewhere
Malware package, basic version                             $1,000 to $2,000
Malware package with add-on services                       Varying prices starting at $20
Exploit kit rental, 1 hour                                 $0.99 to $1
Exploit kit rental, 2.5 hours                              $1.60 to $2
Exploit kit rental, 5 hours                                $4, may vary
Undetected copy of a certain information-stealing Trojan   $80, may vary
Distributed Denial of Service attack                       $100 per day
10,000 compromised PCs                                     $1,000
Stolen bank account credentials                            Varying prices starting at $50
1 million freshly-harvested emails (unverified)            $8 up, depending on quality

Sample data from research on the underground digital economy in 2007
Commercial Motivations: you don't have to be faster than the bear
When you are dealing with an intelligent opponent and quantifiable gains (reward) and losses (risks), you can apply Game Theory:
- You can determine, to some level of accuracy, the relative probability of a set of attack types with respect to one another: Probability ∝ Total Reward / Total Risk (the slide also writes this in subscripted form using P_V, A_V, D_V and R_V).
- You can use this information to implement stronger controls against a dynamic and increasingly hostile threat environment.
- You can use this outlook to examine the effects of world events and small changes in the State of the Art, or even the introduction of disruptive technologies.
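The reward/risk proportionality above, carried through for a small set of attack types and then used to see how a new control shifts the attacker's relative probabilities. This is an added example, not code or data from the presentation: the attack types and numbers are constructed, and the slide's subscripted P_V, A_V, D_V, R_V notation is not reproduced because its definitions are not on the page.

```python
"""Relative attack-type probabilities in the deck's form, Probability proportional to
Total Reward / Total Risk, and the shift a new control causes. Added example; the attack
types and numbers are constructed, and the per-type notation (P_V, A_V, D_V, R_V) on the
slide is not reproduced because its definitions are not on the page."""

# Constructed estimates of the attacker's reward and risk for each attack type.
ATTACKS = {
    "phishing":    {"reward": 50.0, "risk": 5.0},
    "ddos":        {"reward": 10.0, "risk": 2.0},
    "ftp_exploit": {"reward": 80.0, "risk": 20.0},
}

def relative_probabilities(attacks):
    """Weight each type by reward/risk and normalise so the weights sum to 1."""
    weights = {name: a["reward"] / a["risk"] for name, a in attacks.items()}
    total = sum(weights.values())
    return {name: w / total for name, w in weights.items()}

def with_control(attacks, name, risk_multiplier):
    """Model a stronger control as a multiplied attacker risk for one attack type."""
    updated = {k: dict(v) for k, v in attacks.items()}
    updated[name]["risk"] *= risk_multiplier
    return updated

def shift_from_control(attacks, name, risk_multiplier):
    """Per-type change in relative probability once the control is in place."""
    before = relative_probabilities(attacks)
    after = relative_probabilities(with_control(attacks, name, risk_multiplier))
    return {k: round(after[k] - before[k], 4) for k in attacks}

if __name__ == "__main__":
    for name, p in relative_probabilities(ATTACKS).items():
        print(f"{name:12s} {p:.3f}")
    # Quadrupling the attacker's risk on phishing pushes probability onto the other types.
    print(shift_from_control(ATTACKS, "phishing", 4.0))
```

The point for a defender is the second output: raising the cost of one vector does not remove attacks, it redistributes them, so the controls covering the other vectors must be checked at the same time.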
Content Races, Decision Loops and Operational Efficiency
- Products and systems always end up in a content race. Who wins in this picture?
- It's all about decision loops: OODA, command-and-control.
- We have an intelligent opponent: they adapt and change; they improve, we improve.
[Figure labels: GRC, APT]
[Figure: risk over time. Timeline labels: R&D/Beta, 1st infection, Zero-time, 1st Signature, Solution, Signature, "The. Long. Wait."]
What does the risk curve look like?
How do we reduce the risk window?
The APT Challenge: you do have to be faster than the bear
GREATER COMPLEXITY
- Architecture of the Virtual Data center and Cloud environments
- Consumerization of IT: the growing demand for more unmanaged machines, applications, and information sharing tools
- Increase in information to analyze and correlate
BIGGER THREATS
- Prevalence and sophistication of security threats will increase
- Advanced Persistent Threat (APT) will become more predominant
- Attack vectors continue to make use of infrastructure vulnerabilities and exploit human vulnerabilities
RESPONSE TIME
- Responding to an attack can potentially slow due to the increase in data (and noise)
- Important to be able to stay ahead of the attackers and continue to stay in front of them
Advanced Persistent Threats: The Ultimate Problem
- Low and Slow
- Multiple attack methodologies
- Specific objective
- Well organized and funded
- Human involvement
- Can leverage automated techniques
The Future Solution: Intelligent SOC, A Holistic Approach
1. Risk Planning
   - First and foremost requirement for building a focused, effective security operations program
   - Information-centric approach to security risk planning
   - Knowledge determines how fast and well the SOC can react to a problem
2. Attack Modeling
   - Determine which systems, people and processes have access to valuable, protected information
   - Model the threat surface: normal traffic patterns and potential attack vectors for this information
   - Determine potential attack vectors, examine all defensive steps, devise the optimal defense
3. Virtualized Environments
   - Virtualization will be a core capability of the Intelligent SOC
   - Sandboxing: a suspicious file could be launched in an isolated hypervisor and VM cut off from the rest of the system
   - Isolation in depth for the most sensitive information and virtual nodes
4. Self-Learning Predictive Analytics
   - Continually monitor and learn typical states to identify problematic patterns early
   - Configuration data, events, contextual information and risk profiles connect unrelated events to detect high-risk activities instantaneously
   - Integrated feedback loops use confirmed alerts to help the system improve threat detection
5. Automated, Risk-based Decision Systems
   - Automated topography: remap the entire network infrastructure to disrupt an attacker's reconnaissance efforts
   - Assess risks almost instantly and vary responses accordingly
6. Improvement with Forensic Analysis and Community Learning
   - Virtualized environments provide snapshots of the IT environment at the time of the security event; this provides useful information if detection of the attack was delayed
   - Information collected centrally and shared among partnering organizations to analyze and help defend against similar security threats
Modeling an Attack (RSA Labs in Collaboration with Ron Rivest)
[Figure: attack graph with two paths to STEAL SENSITIVE INFORMATION.
Path 1: Exploit FTP Server -> INFECT FTP SERVER VM -> COMPROMISE CLIENT MACHINE -> Log into Document Store.
Path 2: Social Engineering Attack -> EMAIL DELIVERED -> User opens email -> User opens PDF in time < t (INFECT CLIENT MACHINE WITH ZEUS -> Access Document Store) or in time > t (NO COMPROMISE).
Controls overlaid: Deployment Dynamics, Adaptive Authentication, Behavior Analytics, Log Analysis, Time Correlation.]
Annotations recoverable from the slide:
- Deployment Dynamics: within time t the FTP server is re-provisioned from a clean VM image by an external triggering mechanism; the opportunity for attack is the time interval t. Probability that the attacker accesses the FTP server ... is low.
- Adaptive Authentication: the attacker uses the stolen credentials to log into the internal document store; can detect attacker access to the document store ... expected context.
- Behavior Analytics: through a social engineering attack a Zeus variant is installed on the machine; by monitoring file and network access patterns at the hypervisor layer, behavior analytics can detect compromise.
- Time Correlation: correlation between the exploit and the opening of the malformed PDF file.
- Log Analysis: assume tamper-resistant logs; log analysis can be used to backtrack the attack path and remove that attack vector.
- Outcome: attack blocked with high probability.
The APT Challenge in simple terms
The Game: Attacker vs. Target
The Goals:
- Attacker must gain access to the target
- Defender must defend access to the target
- Defender must know which controls cover the attack vectors
- Both must stay within their financial means
Modeling an Attack (RSA Labs in Collaboration with Ron Rivest)
[Figure repeated: the same attack graph (Exploit FTP Server -> INFECT FTP SERVER VM -> COMPROMISE CLIENT MACHINE -> Log into Document Store -> STEAL SENSITIVE INFORMATION; Social Engineering Attack -> EMAIL DELIVERED -> User opens email -> User opens PDF in time < t / > t -> INFECT CLIENT MACHINE WITH ZEUS / NO COMPROMISE -> Access Document Store), with control overlays: Log Analysis, Deployment Dynamics, Risk Analytics, Behavior Analytics.]

The Right Measures: Simulate an APT-like attack on an Intelligent SOC
[Figure: the same attack graph annotated with the techniques Risk Model, Dynamics, Adaptive, Analytics, Behavioral Assessment.]
Deployment Dynamics: Defensive Approach
[Figure: attacker, Deployment Dynamics Server, load balancer and FTP VM pool]
How it works:
1. The Deployment Dynamics Server (DDS) instantiates a clean FTP server from the FTP VM image and moves it to the production area.
2. DDS instructs the Load Balancer to add the FTP Server to the pool of available servers providing FTP service.
3. After time (t), DDS instructs the Load Balancer to remove the FTP server from the pool of servers providing FTP service.
4. DDS destroys the FTP Server, and begins the process again.
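The four steps above as a discrete-time model, showing two properties a defender would check before adopting the rotation: an implant on an instance cannot outlive the interval t, and the pool must hold more than one server or the service drops out during each recycle. This is an added example and a constructed model, not RSA's DDS; it assumes staggered start times and a one-tick gap between destroying an instance and re-adding its replacement.

```python
"""Discrete-time model of the Deployment Dynamics rotation: every FTP server is destroyed
and replaced from the clean image after t ticks. Added example; a constructed model, not
RSA's DDS. Assumes staggered starts and a one-tick gap between destroy and re-add."""

def simulate(pool_size, t, infect_at, horizon):
    """Run `horizon` ticks. Server 0 is marked infected at tick `infect_at` (if it is in
    the pool then). Returns (ticks the implant survived, minimum servers in the LB pool)."""
    servers = [{"born": -(i * t // pool_size), "infected": False} for i in range(pool_size)]
    implant_ticks, min_in_pool = 0, pool_size
    for tick in range(horizon):
        in_pool = 0
        for s in servers:
            if tick - s["born"] >= t:
                # Steps 3-4: the LB drops the server, DDS destroys it and instantiates a
                # clean one from the image; the replacement joins the pool next tick.
                s["born"], s["infected"] = tick + 1, False
                continue
            if tick >= s["born"]:
                in_pool += 1              # steps 1-2: instance is live behind the LB
        min_in_pool = min(min_in_pool, in_pool)
        if tick == infect_at and servers[0]["born"] <= tick:
            servers[0]["infected"] = True  # attacker lands on a live instance
        implant_ticks += sum(1 for s in servers if s["infected"])
    return implant_ticks, min_in_pool

if __name__ == "__main__":
    print(simulate(pool_size=3, t=6, infect_at=2, horizon=30))   # implant dies within t
    print(simulate(pool_size=1, t=6, infect_at=0, horizon=30))   # single server: pool empties
```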
Adaptive Authentication: Preventive Approach
[Figure: login attempt with Username: wolfd, Password: 0ct0rulz; result: HIGH RISK: Require stronger authentication]
How it works:
1. The Attacker tries to log into the internal restricted document store, which leverages adaptive authentication functionality.
2. The Document Store passes the authentication credentials and observed network data (IP, device fingerprint) to AMx.
3. AMx calculates a high risk score, as the authentication credentials had not previously been used from the observed device.
4. The Document Store prompts the Attacker for Secondary Authentication: an OTP, which is sent via SMS to the user.
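The decision in steps 2-4 as code: score a login by how familiar the observed device and address are for these credentials, and demand the SMS one-time password when the score is high, so stolen credentials used from the attacker's own machine stall at the step-up. This is an added example with a constructed login history and constructed weights; it is not RSA's AMx risk engine.

```python
"""Adaptive authentication for the internal document store: score a login by how
familiar the observed device and address are for these credentials, and require an
SMS one-time password when the score is high. Added example with a constructed
history and constructed weights; not RSA's AMx risk engine."""

# Constructed history: (username, device fingerprint, source IP) from past successful logins.
KNOWN_SESSIONS = {
    ("wolfd", "fp-laptop-01", "10.1.4.22"),
    ("wolfd", "fp-laptop-01", "10.1.4.23"),
}
HIGH_RISK = 70   # scores at or above this require secondary authentication

def risk_score(user, device_fp, ip, history=KNOWN_SESSIONS):
    """0..100; higher means the credentials are being used from a less familiar context."""
    known_devices = {d for u, d, _ in history if u == user}
    known_ips = {i for u, _, i in history if u == user}
    score = 0
    if device_fp not in known_devices:
        score += 70      # credentials never used from this device: the slide's high-risk case
    if ip not in known_ips:
        score += 20      # credentials never used from this address
    if not known_devices:
        score += 10      # no baseline at all for this user
    return min(score, 100)

def authenticate(user, password_ok, device_fp, ip, otp_ok=None, history=KNOWN_SESSIONS):
    """Return 'denied', 'allowed' or 'step_up'. 'step_up' means the store must send an
    OTP by SMS to the enrolled user's phone and call again with otp_ok set."""
    if not password_ok:
        return "denied"                       # a correct password is still required
    if risk_score(user, device_fp, ip, history) < HIGH_RISK:
        return "allowed"
    if otp_ok is None:
        return "step_up"
    return "allowed" if otp_ok else "denied"  # whoever lacks the user's phone fails here
```

Note that a known device from a new address scores only 20 and passes without step-up, which is the trade-off between friction for travelling users and coverage; tune the weights against your own login history before relying on them.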
Analytics: Responsive Approach
[Figure: Data Center, Security Management, Data Warehouse, Contextual Data, Watch Lists, Logs, Risk Profile]
How it works:
1. Logs from Endpoints and Servers, and VM snapshot data from Deployment Dynamics services, are stored in Greenplum.
2. Given knowledge of a document leak from external sources, the system backtracks through the log data to identify past network activity of all endpoints which accessed the leaked document.
3. Intermediate results are further correlated with VM Re-provisioning's snapshot metadata to narrow down suspicious points of server infection and sources of the document leak.
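Steps 2-3 as a query over two small logs and the snapshot metadata: starting from the leaked document, find every endpoint that read it, its network activity in the hour before the read, and which FTP VM instance was live when it contacted the FTP pool. This is an added example in plain Python over constructed log lines, not the Greenplum pipeline the slide describes.

```python
"""Backtrack from a leaked document to the endpoints that read it, their prior network
activity, and the FTP VM snapshot live at each FTP contact. Added example over
constructed log lines; plain Python, not the Greenplum pipeline from the deck."""
import re
from datetime import datetime, timedelta

# Constructed document-store access log.
ACCESS_LOG = """\
2011-03-01T09:12:00 endpoint=ws-17 doc=Q1-forecast.pdf action=read
2011-03-01T09:40:00 endpoint=ws-42 doc=Q1-forecast.pdf action=read
2011-03-01T10:05:00 endpoint=ws-42 doc=holiday-list.xlsx action=read
2011-03-02T14:30:00 endpoint=ws-08 doc=Q1-forecast.pdf action=read
"""
# Constructed endpoint network log.
NET_LOG = """\
2011-03-01T09:30:00 endpoint=ws-42 dst=ftp-pool.internal:21
2011-03-01T09:31:00 endpoint=ws-42 dst=198.51.100.9:443
2011-03-02T14:20:00 endpoint=ws-08 dst=ftp-pool.internal:21
"""
# Constructed Deployment Dynamics snapshot metadata: (FTP VM id, live from, live until).
SNAPSHOTS = [
    ("ftp-vm-a", "2011-03-01T08:00:00", "2011-03-01T10:00:00"),
    ("ftp-vm-c", "2011-03-02T12:00:00", "2011-03-02T16:00:00"),
]
LINE = re.compile(r"(\S+) endpoint=(\S+) (\w+)=(\S+)")

def parse(log):
    """Yield (timestamp, endpoint, key, value) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def live_vm(ts):
    """Which FTP VM instance was serving at time ts, per the snapshot metadata."""
    for vm, start, end in SNAPSHOTS:
        if datetime.fromisoformat(start) <= ts < datetime.fromisoformat(end):
            return vm
    return None

def backtrack(doc, window=timedelta(hours=1)):
    """One finding per read of `doc`: the endpoint, its destinations in the `window`
    before the read, and the FTP VM(s) it talked to, i.e. candidate infection points."""
    net = list(parse(NET_LOG))
    findings = []
    for read_ts, ep, key, val in parse(ACCESS_LOG):
        if key != "doc" or val != doc:
            continue
        prior = [(ts, dst) for ts, e, _, dst in net if e == ep and read_ts - window <= ts <= read_ts]
        vms = sorted({live_vm(ts) for ts, dst in prior if dst.startswith("ftp-pool")} - {None})
        findings.append({"endpoint": ep, "read_at": read_ts.isoformat(), "prior_dst": [d for _, d in prior], "ftp_vms": vms})
    return findings
```

Because the FTP instances are rotated, the snapshot that matters is the one live at the time of contact, which is why the VM id is resolved per event rather than per endpoint.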
Behavior Analytics: Learning Approach
[Figure: Read/Write Activity, Network Activity, Dynamic Reputation (Blacklist) and Payload Analysis feeding the Analytics Engine; event examples: User opens email, Zeus infects VMs, File creation, Folder creation]
How it works:
- Data flows from multiple VMs, mirrored by the hypervisor and sent to the analytics engine.
- The engine analyzes the individual inputs and their relationships.
- The engine ties multiple events together and, if they look suspicious, an alert is generated.
- Every alert arrives with a severity score and the reason why the alert was generated.
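The tying-together step as code: events mirrored from each VM (email opened, file and folder creation, a connection that dynamic reputation flags as blacklisted) are grouped per VM within a short window, weighted, and raised as one alert that carries its severity score and the reasons, while the same email open on a VM that does nothing else stays below the threshold. This is an added example over constructed events, weights and file names (not Zeus indicators); it is not RSA's analytics engine.

```python
"""Tie per-VM events mirrored by the hypervisor (email opened, file and folder creation,
connections to blacklisted hosts) into one alert carrying a severity score and the reasons.
Added example over constructed events and constructed weights; not RSA's analytics engine."""
from collections import defaultdict

BLACKLIST = {"198.51.100.9"}   # constructed dynamic-reputation blacklist
WEIGHTS = {"email_open": 1, "file_create": 2, "folder_create": 2, "net_blacklist": 5}

# Constructed event stream: (tick, vm, kind, detail). Paths are made up, not Zeus IoCs.
EVENTS = [
    (1, "vm-7", "email_open", "invoice.pdf"),
    (2, "vm-7", "file_create", "C:/Users/wolfd/AppData/dropper.exe"),
    (2, "vm-7", "folder_create", "C:/Users/wolfd/AppData/newdir"),
    (3, "vm-7", "net_connect", "198.51.100.9"),
    (1, "vm-9", "email_open", "agenda.docx"),
    (2, "vm-9", "net_connect", "10.0.0.5"),
]

def enrich(event):
    """Dynamic reputation: a connection to a blacklisted host becomes a net_blacklist event."""
    tick, vm, kind, detail = event
    if kind == "net_connect" and detail in BLACKLIST:
        return (tick, vm, "net_blacklist", detail)
    return event

def correlate(events, window=5, threshold=6):
    """Group each VM's events that fall within `window` ticks of its first event, sum the
    weights, and raise an alert when the sum reaches `threshold`. A lone email open or a
    connection to an unlisted host never reaches the threshold on its own."""
    per_vm = defaultdict(list)
    for ev in sorted(map(enrich, events)):
        per_vm[ev[1]].append(ev)
    alerts = []
    for vm, evs in per_vm.items():
        chain = [e for e in evs if e[0] - evs[0][0] <= window]
        score = sum(WEIGHTS.get(e[2], 0) for e in chain)
        if score >= threshold:
            reasons = [f"{e[2]}:{e[3]}" for e in chain if e[2] in WEIGHTS]
            alerts.append({"vm": vm, "severity": score, "reasons": reasons})
    return alerts
```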
Techniques used in an Intelligent SOC
Risk Model, Dynamics, Adaptive, Behavioral Analytics, Assessment
The Future Solution: Intelligent SOC, A Holistic Approach
Identify what is important
- Assets and asset relationships
- Services and service dependencies
- User credentials
- Sensitive data
Protect what is important
- Efficiently, aggressively and thoroughly secure and comply according to best practices
- Make advanced exploits harder: dynamics, sandboxing, isolation in depth, stack integrity monitoring
Minimize damage
- Leverage comprehensive visibility
- Focus using analytics
- Respond quickly
- Adapt by improving response efficiency, addressing discovered weaknesses
Disrupt the objective
- Interrupt the transaction
- Discover the leaked information
- Share cyber intelligence (collaborate)
- Prosecute aggressively (increase the attacker's cost)
Summary: CORE Elements of the Intelligent SOC model
- Risk-based security strategy
- Predictive modeling and analysis
- Leverage techniques in virtualized environments
- Self-learning predictive analytics
- Automated, adaptive systems
- Continual improvement through forensic analysis and community learning
The Future
The bad guys will keep getting worse: we have an intelligent opponent!
- E.g. expect a "bleed v. butcher" approach in malware
- E.g. expect benefits built into malware
- E.g. expect APTs to converge vectors and get faster and more directed to IP
- Expect Cybercrime to continue to flourish
- Expect a resurgence in non-financially motivated, sophisticated APT
Move to a progressively more intelligent SOC
GRC gives Security Management a chance (2011+):
- To be about risk mitigation
- To become more transparent
- To get close to the business
- To be more efficient and reduce focus on tools
Thank you!