Improved C&C Traffic Detection Using Multidimensional Model and Network Timeline Analysis


Elad Menahem, Avidan Avraham

Modern Threats Are More Sophisticated & Evasive

Cyber kill chain:
Infection phase: Recon, Weaponization, Delivery, Exploitation, Installation
Post-infection: Command & Control, Exfiltration

Traditional security tools fail against new threats: Firewall, Anti-Spam, Sandboxing, IPS, Intelligence Feeds, URL Filtering, Anti-malware, Anti-bot, EDR, SIEM.

Infection vectors change rapidly (social engineering, zero-day exploits), and each infection is a one-time event. Post-infection activity, by contrast, is continuous and periodic, which makes it the malware's weakest link. Our research focuses on the post-infection phase.

Traditional Security Tools Fall Short Against Post Infection

Firewall, Anti-Spam, Sandboxing, IPS, Intelligence Feeds, URL Filtering, Anti-malware, Anti-bot, EDR: real-time inspection lacks context.
SIEM: event significance is obscured by the event sources.

Traditional Security Tools: Limited Context and Obscured Visibility

Narrow visibility. Lack of context. Yesterday. Obscured by the source.

"No matter how long you stare at an IDS log event, it won't become any more informative." Mark McArdle, eSentire CTO

Narrow context (IPS, anti-bot, SIEM): localized and isolated; events driven, with no access to raw data; local data only.
Broad context: global and collaborative; based on raw data rather than security events; global data.
[Figure: per-customer event logs (Customer A, Customer B, Customer C; WWW, app, branch) versus raw network data collected globally across all customers]

Visibility to unlimited raw data changes the game of malware hunting: expanding the traditional context to fight C&C.

Expanding Context to Fight C&C: Client Classification

Narrow context (IPS, anti-bot, SIEM) client data: host, device name, source IP, user.
Broad context: human or bot? Browser or not? Example: a Firefox TLS signature identifies the client as a browser independently of its IP.
Raw data -> machine learning -> common value: client classification.

Expanding Context to Fight C&C: Target

Narrow context (IPS, anti-bot, SIEM) target data: IP address, domain.
Broad context: popularity, taken from reputation feeds, third-party rankings, or a DIY target popularity rank. Bucket = global location x number of devices.
[Figure: sources and destinations labelled with their popularity buckets (7, 10, 9, 1, 12, 15)]
[Chart: traffic flows (0 to 600,000) and unique domains (0 to 25,000) per popularity bucket, buckets 22 down to 0]

Expanding Context to Fight C&C: Time

Narrow context (IPS, anti-bot, SIEM): a singular event, for known threats only, e.g. one IPS signature hit on Jan 3 6:22pm.
Broad context: repetitiveness and measured frequency, for known and unknown threats.
Timeline of one client's connections to the target: Jan 1 6:22am, Jan 1 2:00pm, Jan 2 6:22am, Jan 2 3:10pm, Jan 2 4:00pm, Jan 2 10:22pm, Jan 3 6:22am, Jan 3 7:12am, Jan 3 10:22pm, Jan 4 6:22am, Jan 4 8:02pm. The 6:22am connection recurs every day; the single signature hit shows none of this.

Network-based Malware Hunting Process

Capture network flows (Customer A, Customer B, ...) -> Data augmentation & storage -> Automated hunting service (utilization of the dimensions) -> Human validation

Example: Transforming Thousands of Unknown Flows to a Few Significant Events

Start: 100,000 TLS flows to unknown URLs.
Filter on SOURCE: not a browser. TARGET: low popularity. TIME: repetitive.
Result: 1 incident to investigate. Reduce the noise and focus on what matters.
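The three dimensions from the preceding slides (client classification, target popularity, time) combined into the filter this example describes, written here as an added illustration over constructed flow records; it is not code from the presentation. The browser TLS fingerprints, the popularity threshold (at most 3 devices), the regularity threshold (coefficient of variation of inter-connection gaps at most 0.1) and the sample devices and domains are all assumptions made for the example.

```python
"""Three-dimension hunt over TLS flow records: SOURCE (browser or not),
TARGET (domain popularity) and TIME (repetitiveness).
Added example with constructed data; not code from the presentation."""
from collections import defaultdict
from statistics import mean, pstdev
import random

# Assumption: a curated set of TLS client fingerprints (JA3-style hashes) that
# belong to browsers. The hash values here are made up for the example.
BROWSER_FINGERPRINTS = {"ff-1234", "chrome-5678"}


def client_is_browser(fingerprint):
    """SOURCE dimension: classify the client by its TLS fingerprint, not its IP."""
    return fingerprint in BROWSER_FINGERPRINTS


def popularity(flows):
    """TARGET dimension: DIY popularity = number of distinct devices that
    contacted each domain across the whole (global) data set."""
    devices = defaultdict(set)
    for f in flows:
        devices[f["domain"]].add(f["device"])
    return {dom: len(devs) for dom, devs in devices.items()}


def regularity(timestamps):
    """TIME dimension: coefficient of variation of the gaps between
    connections. Close to 0 means a fixed-interval beacon; None if too few."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return pstdev(gaps) / mean(gaps)


def hunt(flows, low_pop=3, max_cv=0.1, min_hits=3):
    """Keep only (device, domain) pairs that pass all three filters:
    non-browser client, low-popularity target, repetitive timing."""
    pop = popularity(flows)
    pairs = defaultdict(list)
    for f in flows:
        pairs[(f["device"], f["domain"])].append(f)
    incidents = []
    for (dev, dom), fs in pairs.items():
        if all(client_is_browser(f["ja3"]) for f in fs):
            continue                      # SOURCE: a browser talked to it
        if pop[dom] > low_pop:
            continue                      # TARGET: popular destination
        cv = regularity([f["ts"] for f in fs])
        if len(fs) < min_hits or cv is None or cv > max_cv:
            continue                      # TIME: not repetitive
        incidents.append({"device": dev, "domain": dom,
                          "hits": len(fs), "cv": round(cv, 3)})
    return incidents


def constructed_flows(seed=1):
    """Constructed sample: 40 browsing devices, one benign non-browser updater
    with irregular timing, and one beaconing bot. Timestamps are seconds."""
    rnd = random.Random(seed)
    popular = ["www.example.com", "cdn.example.net", "mail.example.org"]
    flows = []
    for i in range(40):
        for _ in range(25):
            flows.append({"device": f"dev{i}",
                          "ja3": rnd.choice(sorted(BROWSER_FINGERPRINTS)),
                          "domain": rnd.choice(popular),
                          "ts": rnd.randrange(0, 4 * 86400)})
    # benign updater: non-browser client, rare domain, but irregular timing
    for ts in (3600, 50000, 51000, 200000, 300000):
        flows.append({"device": "dev3", "ja3": "updater-9abc",
                      "domain": "updates.vendor.example", "ts": ts})
    # infected host: non-browser client beaconing hourly with a little jitter
    for k in range(48):
        flows.append({"device": "dev7", "ja3": "bot-0def",
                      "domain": "xk3q9.example",
                      "ts": 22920 + k * 3600 + rnd.randint(-5, 5)})
    return flows


if __name__ == "__main__":
    flows = constructed_flows()
    print(len(flows), "flows ->", hunt(flows))
```

The order of the filters matters in practice: the client and popularity checks are cheap lookups and discard almost everything, so the timing analysis only runs on the few pairs that survive. The benign updater in the sample shows why all three dimensions are needed: it is a non-browser talking to a rare domain, and only its irregular timing keeps it out of the incident list.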

Effective Network Detection and Response

Unobscured visibility: from the cloud into all network endpoints.
Full real-time context: for every IP, session and flow initiated from any endpoint to any target.
Forensics & insights: machine learning and AI processes to mine network context over time.
Automatic containment: rapid mitigation of known and unknown threats.
Cato is the network, so no setup is required.

Example: Detect Unknown C&C on the Network

1. The same device looks up 150 low-popularity domains (DNS), and 90% of the requests are unresolved. A DGA client queries many generated names of which only the few registered ones resolve, so this pattern points to a DGA.
2. Pull the client's data history and search for the domains that did resolve (HTTP).
3. Classify the client type from the HTTP traffic: unknown bot.
4. Pull the client's data history again: the behavior repeats every 3 hours.
5. Resolved as Conficker.
6. Containment: block the C&C communication.
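Steps 1 to 4 of this walk-through as an added example over constructed DNS and HTTP logs (not code from the presentation): the NXDOMAIN-heavy burst of rare names flags the device, the names that did resolve are pulled from the same device's history, the HTTP client is classified from its User-Agent, and the check-in cadence is measured. The log formats, the thresholds (at least 100 rare lookups with at least 80% unresolved), the browser User-Agent markers and all device and domain names are assumptions; the generated names are placeholders, not real indicators. Attribution to a known family (step 5) needs an external intelligence lookup and is not modelled.

```python
"""DGA-style C&C hunt: NXDOMAIN-heavy lookups of rare names, then the client
type and cadence of the HTTP traffic to the names that did resolve.
Added example over constructed logs; not code from the presentation."""
from collections import Counter, defaultdict
from statistics import median


def build_dns_log():
    """Constructed DNS log, one record per line: <epoch> <device> <qname> <rcode>."""
    lines = []
    for d in range(30):   # 30 devices resolving three popular names
        for name in ("www.example.com", "cdn.example.net", "mail.example.org"):
            lines.append(f"{1000 + d} dev{d} {name} NOERROR")
    for i in range(150):  # dev7 queries 150 generated names; 9 in 10 do not exist
        rcode = "NOERROR" if i % 10 == 0 else "NXDOMAIN"
        lines.append(f"{5000 + i} dev7 g{i:03d}xq.example {rcode}")
    return "\n".join(lines)


def build_http_log():
    """Constructed HTTP log, tab-separated: <epoch> <device> <host> <user-agent>."""
    lines = ["8000\tdev3\twww.example.com\tMozilla/5.0 (X11; Linux x86_64; rv:100.0) "
             "Gecko/20100101 Firefox/100.0"]
    for k in range(8):    # dev7 checks in with the one live name every 3 hours, no User-Agent
        lines.append(f"{6000 + k * 10800}\tdev7\tg000xq.example\t-")
    return "\n".join(lines)


def parse_dns(text):
    return [(int(ts), dev, q, rc)
            for ts, dev, q, rc in (line.split() for line in text.splitlines())]


def parse_http(text):
    return [(int(ts), dev, host, ua)
            for ts, dev, host, ua in (line.split("\t") for line in text.splitlines())]


def domain_popularity(dns):
    """Distinct devices that queried each name (the DIY popularity rank)."""
    seen = defaultdict(set)
    for _, dev, q, _ in dns:
        seen[q].add(dev)
    return {q: len(s) for q, s in seen.items()}


def dga_suspects(dns, low_pop=3, min_lookups=100, min_nx_ratio=0.8):
    """Step 1: devices that looked up many rare names, mostly unresolved.
    Returns {device: nxdomain_ratio}. Thresholds are assumptions."""
    pop = domain_popularity(dns)
    total, nx = Counter(), Counter()
    for _, dev, q, rc in dns:
        if pop[q] <= low_pop:
            total[dev] += 1
            if rc == "NXDOMAIN":
                nx[dev] += 1
    return {dev: nx[dev] / n for dev, n in total.items()
            if n >= min_lookups and nx[dev] / n >= min_nx_ratio}


BROWSER_MARKERS = ("Gecko/", "Chrome/", "Safari/")


def is_browser_ua(ua):
    """Crude client classification from the User-Agent (assumed markers)."""
    return ua.startswith("Mozilla/") and any(m in ua for m in BROWSER_MARKERS)


def investigate(dns, http, device, low_pop=3):
    """Steps 2-4: for the suspect device, find the rare names that resolved,
    classify the HTTP client talking to them and measure the check-in cadence."""
    pop = domain_popularity(dns)
    resolved = {q for _, dev, q, rc in dns
                if dev == device and rc == "NOERROR" and pop[q] <= low_pop}
    by_host = defaultdict(list)
    for ts, dev, host, ua in http:
        if dev == device and host in resolved:
            by_host[host].append((ts, ua))
    findings = []
    for host, hits in by_host.items():
        ts = sorted(t for t, _ in hits)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        client = "browser" if all(is_browser_ua(ua) for _, ua in hits) else "unknown bot"
        findings.append({"host": host, "client": client, "hits": len(hits),
                         "period_hours": round(median(gaps) / 3600, 2) if gaps else None})
    return findings


if __name__ == "__main__":
    dns, http = parse_dns(build_dns_log()), parse_http(build_http_log())
    for dev, ratio in dga_suspects(dns).items():
        print(dev, f"{ratio:.0%} unresolved", investigate(dns, http, dev))
```

The DNS stage only counts lookups of names that few devices query, so a device that merely has a flaky resolver for popular names is not flagged; the HTTP stage then narrows the 150 generated names to the handful that actually resolved, which is where the live C&C server sits.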

Visit Us at Booth H60