SESSION ID: GPS2-F03
Behavioral Analytics: A Closer Look
Mike Huckaby, VP, Global Systems Engineering, RSA
"The world is full of obvious things which nobody by any chance ever observes." Sherlock Holmes
Patterns: Signal and the Noise
Agenda
- UBA / UEBA defined
- Practical uses today
- What does the future hold?
Attackers are Outpacing Defenders
[Chart: percent of breaches where time to compromise (red) and time to discovery (blue) was days or less, plotted for 2004 through 2013 under the heading "Attacker Capabilities". Source: Verizon 2014 Data Breach Investigations Report.]
Copyright 2015 EMC Corporation. Confidential and Proprietary. NDA Required
Defender's Challenges
- The attack surface is expanding
- Attackers are becoming more sophisticated
- Existing strategies and controls are failing
- Security teams need comprehensive visibility from endpoint to cloud
- Teams need to increase experience and efficiency
- Tools and processes must adapt to today's threats
Evolution of Threat Actors & Detection Implications
[Diagram, built up over three slides: threat actors send malicious traffic through the preventative stack (firewall, IDS/IPS, antivirus) toward corporate assets. Blocked sessions feed logs and alerts into a SIEM; endpoint visibility (processes) and network visibility (network sessions) feed advanced analytics. The "whitespace" between the controls is where successful hacks, attacks and campaigns get through.]
- At first, there were HACKS. Preventative controls filter known attack paths; whatever falls into the whitespace becomes a successful hack against corporate assets.
- Then, ATTACKS. Despite increased investment in controls, including SIEM and more logs, attacks still succeed through the whitespace.
- Now, successful ATTACK CAMPAIGNS target any and all whitespace. Complete visibility into every process and network session is required to eradicate the attacker's opportunity: a unified platform for advanced threat detection and investigations.
Behavior what?
- UBA: the general term, used in both fraud and security
- UEBA: analysis on users and entities, driven by algorithms and machine learning
Visibility & Analytics
- User behavior: anomalous logins, suspect access patterns, suspicious tools (living off the land), anomalous usage
- Malware behavior: suspicious domains, mechanized activity
- Campaign detection: related entities, related indicators, related behaviors
A Typical Attack Utilizing C2
(1) Spear phishing email with link to malicious URL
(2) User clicks link
(3) Dropper is downloaded
(4) Dropper downloads Gh0st RAT
(5) C2 beaconing (Gh0st protocol): the implant repeatedly polls the attacker-owned control server (the "client") asking "Command?" until one is issued
(6) Attacker-issued command
Command examples: capture webcam, download file, upload file, keystroke logging, remove existing rootkits, remote shell, system inventory
Spotting a C2 Exploit Early
- Real-time analytics: data science algorithms score multiple C2 behavior indicators, using streaming HTTP activity
- Low false positives: learns from ongoing and historical activity; supervised whitelisting option
Leading indicators of a planned C2 exploit: beaconing behavior, rare domains, rare user agents, missing referrers, domain age (WHOIS), suspicious domains; combined into an aggregate score
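One way to turn the indicator list above into a scorer, as an added example that is not RSA's product logic: each (source host, domain) pair seen in HTTP proxy records is tested for beaconing (near-constant inter-request interval), domain and user-agent rarity across the estate, missing referrers and a young WHOIS creation date, and the weighted hits are summed into an aggregate score. The log records, host names, the reserved `.example` C2 domain, the `domain_age_days` field (standing in for a WHOIS lookup), the weights and the thresholds are all constructed assumptions; the whitelist parameter is the "supervised whitelisting" option.

```python
"""Score HTTP proxy records on the C2 leading indicators from the slide.

Added example; the weights, thresholds, hostnames and log records below are
constructed assumptions, not RSA's product logic or data.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Indicator weights (assumed). The aggregate score is their sum, max 9.
WEIGHTS = {"beaconing": 3, "rare_domain": 2, "rare_user_agent": 1,
           "missing_referrer": 1, "young_domain": 2}
BEACON_MIN_REQUESTS = 4     # fewer requests cannot establish a period
BEACON_MAX_CV = 0.15        # stddev/mean of request gaps below this looks machine-timed
RARE_HOST_MAX = 1           # a domain or user agent seen from <= this many hosts is rare
YOUNG_DOMAIN_DAYS = 30      # WHOIS creation date younger than this is suspicious

# Constructed proxy records: (epoch_s, src_host, domain, user_agent, referrer, domain_age_days).
# domain_age_days stands in for the WHOIS lookup the slide lists as "Domain Age".
CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/80"
OLD_IE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
C2_DOMAIN = "a7f3.sync-upd.example"   # constructed name under the reserved .example TLD
LOG = [
    # ws-17 polls a 12-day-old domain nobody else visits every ~300 s, no referrer, odd UA
    (1000, "ws-17", C2_DOMAIN, OLD_IE, "", 12),
    (1301, "ws-17", C2_DOMAIN, OLD_IE, "", 12),
    (1599, "ws-17", C2_DOMAIN, OLD_IE, "", 12),
    (1902, "ws-17", C2_DOMAIN, OLD_IE, "", 12),
    (2200, "ws-17", C2_DOMAIN, OLD_IE, "", 12),
    (2499, "ws-17", C2_DOMAIN, OLD_IE, "", 12),
    (2801, "ws-17", C2_DOMAIN, OLD_IE, "", 12),
    (3100, "ws-17", C2_DOMAIN, OLD_IE, "", 12),
    # ordinary browsing: several hosts, irregular timing, referrers present, old domain
    (1005, "ws-03", "www.example.com", CHROME, "https://www.example.com/", 9000),
    (1100, "ws-03", "www.example.com", CHROME, "https://www.example.com/a", 9000),
    (1700, "ws-03", "www.example.com", CHROME, "", 9000),
    (1250, "ws-22", "www.example.com", CHROME, "https://www.example.com/", 9000),
    (1400, "ws-17", "www.example.com", CHROME, "https://www.example.com/", 9000),
]


def beaconing(timestamps):
    """True when requests recur at a near-constant interval (low jitter)."""
    if len(timestamps) < BEACON_MIN_REQUESTS:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg < BEACON_MAX_CV


def score_c2(records, whitelist=frozenset()):
    """Return {(src_host, domain): {indicator: bool, ..., "total": int}}.

    Rarity is measured across the whole record set (how many hosts contacted
    the domain / sent the user agent); beaconing and referrer presence are
    measured per (host, domain) pair. Domains in `whitelist` are the
    analyst-approved list (supervised whitelisting) and are never scored.
    """
    domain_hosts = defaultdict(set)   # domain -> hosts that contacted it
    ua_hosts = defaultdict(set)       # user agent -> hosts that sent it
    pairs = defaultdict(list)         # (src_host, domain) -> its records
    for rec in records:
        _, src, dom, ua, _, _ = rec
        domain_hosts[dom].add(src)
        ua_hosts[ua].add(src)
        pairs[(src, dom)].append(rec)

    scores = {}
    for (src, dom), recs in pairs.items():
        if dom in whitelist:
            continue
        flags = {
            "beaconing": beaconing([r[0] for r in recs]),
            "rare_domain": len(domain_hosts[dom]) <= RARE_HOST_MAX,
            "rare_user_agent": any(len(ua_hosts[r[3]]) <= RARE_HOST_MAX for r in recs),
            "missing_referrer": sum(1 for r in recs if not r[4]) / len(recs) >= 0.9,
            "young_domain": any(r[5] is not None and r[5] < YOUNG_DOMAIN_DAYS for r in recs),
        }
        flags["total"] = sum(WEIGHTS[k] for k, hit in flags.items() if hit)
        scores[(src, dom)] = flags
    return scores


def ranked(scores, min_total=5):
    """(src_host, domain, total) tuples at or above min_total, highest first."""
    hits = [(s, d, f["total"]) for (s, d), f in scores.items() if f["total"] >= min_total]
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    for src, dom, total in ranked(score_c2(LOG)):
        print(f"{total:2d}  {src:<6} -> {dom}")
```

With these records only the ws-17 to `a7f3.sync-upd.example` pair scores (all five indicators, total 9); the ordinary browsing scores 0 because the domain and user agent are shared by several hosts, referrers are present and the domain is old. Whitelisting the domain removes the pair from the output entirely, which is why the whitelist should be analyst-reviewed rather than auto-learned: an attacker-controlled domain added to it becomes invisible.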
Workflow for Investigating a C2 Exploit
- High risk score indicating a C2 exploit
- Activities that indicate the exploit and were used to calculate the risk score
- Network session details: enable the analyst to pivot into the associated network sessions
Lateral Movement Detection
Identifies suspicious Windows login activity to reveal lateral movement attempts:
- Windows credential harvesting
- Services
- Suspicious login activity
- Explicit logins
- File move + services
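Two of the patterns listed above, "file move + services" and "explicit logins", as detection logic over constructed Windows event records. This is an added example, not RSA's detection content: the event tuples, their field layout, the host and account names and the time windows are assumptions made for the example; the event IDs are the standard Windows ones (4624 logon, 4648 logon with explicit credentials, 5145 network share object access, 7045 service installed).

```python
"""Two lateral-movement patterns over Windows logon/service events.

Added example, not RSA's detection content. Event tuples, field layout and
thresholds are constructed for the example; the event IDs are the standard
Windows ones (4624 logon, 4648 explicit-credential logon, 5145 share object
access, 7045 service installed).
"""
from collections import defaultdict
from datetime import datetime

# (iso_time, host_that_logged_it, event_id, account, remote_host, detail)
EVENTS = [
    # srv-fs1: network logon from ws-17, a write to ADMIN$, then a new service 9 s later
    ("2015-04-20T09:00:00", "srv-fs1", 4624, "jdoe", "ws-17", "LogonType=3"),
    ("2015-04-20T09:00:04", "srv-fs1", 5145, "jdoe", "ws-17", "Share=\\\\*\\ADMIN$ Access=WriteData"),
    ("2015-04-20T09:00:09", "srv-fs1", 7045, "SYSTEM", "", "Service=PSEXESVC"),
    # ws-17 then replays a harvested service account against four servers in 4 minutes
    ("2015-04-20T09:02:00", "ws-17", 4648, "jdoe", "", "Target=srv-db2 Account=svc-backup"),
    ("2015-04-20T09:03:10", "ws-17", 4648, "jdoe", "", "Target=srv-app3 Account=svc-backup"),
    ("2015-04-20T09:04:30", "ws-17", 4648, "jdoe", "", "Target=srv-web4 Account=svc-backup"),
    ("2015-04-20T09:05:15", "ws-17", 4648, "jdoe", "", "Target=srv-dc1 Account=svc-backup"),
    # benign: one explicit logon, a network logon with no service, a local install
    ("2015-04-20T09:10:00", "ws-03", 4648, "asmith", "", "Target=srv-fs1 Account=asmith-adm"),
    ("2015-04-20T09:10:01", "srv-fs1", 4624, "asmith-adm", "ws-03", "LogonType=3"),
    ("2015-04-20T10:00:00", "ws-03", 7045, "SYSTEM", "", "Service=VendorUpdater"),
]


def ts(s):
    return datetime.fromisoformat(s)


def kv(detail):
    """Parse 'Key=Value Key2=Value2' detail text into a dict."""
    return dict(tok.split("=", 1) for tok in detail.split())


def remote_service_installs(events, window_s=300):
    """7045 on a host preceded, within window_s, by a network logon (4624 type 3)
    or an ADMIN$ write (5145) from another host: the copy-then-install-service
    pattern of PsExec-style remote execution ("file move + services")."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e[1]].append(e)
    hits = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        for svc in (e for e in evs if e[2] == 7045):
            t_svc = ts(svc[0])
            precursors = []
            for p in evs:
                dt = (t_svc - ts(p[0])).total_seconds()
                if not (0 <= dt <= window_s) or not p[4] or p[4] == host:
                    continue
                d = kv(p[5])
                if (p[2] == 4624 and d.get("LogonType") == "3") or \
                   (p[2] == 5145 and "ADMIN$" in d.get("Share", "")):
                    precursors.append(p)
            if precursors:
                hits.append({"host": host, "src_host": precursors[0][4],
                             "user": precursors[0][3],
                             "service": kv(svc[5]).get("Service", "?"),
                             "precursors": sorted({p[2] for p in precursors})})
    return hits


def explicit_logon_fanout(events, window_s=600, min_targets=3):
    """One source host using explicit credentials (4648) against min_targets or
    more distinct hosts inside window_s: a harvested credential being reused
    across the estate ("explicit logins")."""
    per_src = defaultdict(list)
    for e in events:
        if e[2] == 4648:
            d = kv(e[5])
            per_src[e[1]].append((ts(e[0]), d.get("Target", ""), d.get("Account", e[3])))
    hits = []
    for src, items in per_src.items():
        items.sort()
        for i, (t0, _, _) in enumerate(items):
            in_window = [it for it in items[i:] if (it[0] - t0).total_seconds() <= window_s]
            targets = {tgt for _, tgt, _ in in_window}
            if len(targets) >= min_targets:
                hits.append({"src_host": src, "targets": sorted(targets),
                             "accounts": sorted({a for _, _, a in in_window})})
                break  # one alert per source host
    return hits


if __name__ == "__main__":
    for h in remote_service_installs(EVENTS):
        print("remote service install:", h)
    for h in explicit_logon_fanout(EVENTS):
        print("explicit-credential fan-out:", h)
```

On the constructed events the service rule fires once, for srv-fs1 with ws-17 as the source and both a type-3 logon and an ADMIN$ write as precursors, while the local VendorUpdater install on ws-03 stays quiet because nothing remote preceded it. The fan-out rule fires once, for ws-17 reaching four servers with the svc-backup account; ws-03's single explicit logon is below the threshold. Both rules key on the remote host field and the time window rather than on the account name, which is what lets them catch a legitimate account being misused.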
Resource Shift Needed: Budgets & People
[Two pie charts of security spend]
                 Today's Priorities   Future Requirements
   Prevention          80%                  33%
   Monitoring          15%                  33%
   Response             5%                  33%
Detection: A Layered Approach
Combining Analytics, Context & Content
[Diagram: context supplied from GRC / CMDB sources]
Apply Slide
1. Evaluate your internal spending patterns: look for a balanced approach across prevention, monitoring and response
2. Start collecting data: context doesn't appear out of thin air
3. Consult on a data science approach: you know your business, so apply analytics to your unique view of it