Advanced Endpoint Protection: Protecting Endpoints and Servers
Nick Levay, Chief Security Officer, Bit9 <nlevay@bit9.com> @rattle1337
2014 Bit9. All Rights Reserved
About Me
Chief Security Officer, Bit9
Former Director of Technical Operations and Information Security, Center for American Progress (CAP)
Former Director of Global Systems and Tools, NASDAQ:IAWK
Practicing professionally since 1997
Certified Information Systems Security Professional
Educational background in Communications
Areas of focus:
  Information Warfare
  Cyber Counter-Intelligence
  Security Operations
  Web Development & Operations
  Social Media / Social Network Analysis
Locations: NJ, TN, Silicon Valley, Asia, DC, MA (frequent movement between them)
the assumption of breach
the inevitability of compromise
"In 2020, enterprises will be in a state of continuous compromise." -- Gartner
More like 2010!!!
Rethink Security Strategy
  prevention is no longer enough
  invest in detection and response
  consider your technologies
  move from reactive to proactive
  security is not a solution, it is a process
The attacker has the advantage.
The attacker does not have the advantage, unless we cede it to them.
Enterprise Network as a Battlespace
Situational awareness enables real-time, accurate decisions in tactical situations. Most enterprises have no internal or endpoint situational awareness.
prepare the battlefield win the battle
Prepare for breach. Avoid forensics & expensive consultants.
Compromise happens in seconds
Data exfiltration starts minutes later
It continues undetected for months
Remediation takes weeks
At $341k per incident in forensics costs
THIS IS UNSUSTAINABLE
Sources: Fig 41, Verizon Data Breach Report, 2013; NetDiligence, Cyberinsurance Claims, 2012
Defense-in-depth / Layered Controls
  Network security controls: firewalls, DPI, IDS/IPS, DLP, email/web scanning, detonation
  Service security controls: authentication, permissions, naming lookup, lots of logging
  Endpoint security controls: anti-virus, application control, endpoint threat detection and response
If you are depending on one control to stop an attack, you are doing it wrong.
The Attacker's Process & Enterprise Capabilities
The often misunderstood meaning of empathy
The Cyber Kill Chain model
  Developed by Mike Cloppert, Rohan Amin, and Eric Hutchins at Lockheed Martin
  Useful for:
    Breaking down the stages of an attacker's process
    Formulating a strategy for deploying security controls
    Facilitating iterative intelligence gathering
    Effective intelligence use
Stages: Reconnaissance > Weaponization > Delivery > Exploitation > Installation > C2 (command and control) > AoO (actions on objectives)
Courses of action at each stage: Detect, Deny, Disrupt, Degrade, Deceive
The Endpoint in Focus: Exploitation and Installation
Preventing Exploitation
  Patching matters!!! (Best way to minimize threat surface)
  ASLR/DEP is great, but only degrades and disrupts
  Very little else can be done at this stage
Preventing Installation
  Dropping binaries, touching other processes, et cetera
  Default-Allow == Blacklisting
  Default-Deny == Whitelisting
  Sandboxing
  Hybrid approaches
The Endpoint in Focus: Prevention
Default-Allow (Blacklisting, Known Bad)
  Traditional AV, based on signatures
  Ineffective for anything other than nuisance threats
  Local blacklists are still tactically useful
Opportunistic vs Advanced Attacks
[Figure: two charts of hosts compromised (log scale, 10 to 100k) over weeks 1 to 7, each with a threshold-of-detection line. Opportunistic: the goal is to maximize the slope. Advanced: the goal is to minimize the slope.]
Default-Deny (Whitelisting, Trust Based, Known Good)
  Most effective protection
  Usually easy on servers and fixed-function systems
  Can be challenging on dynamic endpoints
  Good application governance is key to successful implementation
  Still not a silver bullet
Sandboxes
  Mitigation of application compromise, not system protection
  Application-specific sandboxes (e.g. Java, Chrome)
  Virtualization-based EPP solutions
  Cover only a limited portion of the threat surface
  Can't prevent/detect lateral movement
Challenges stopping attacks at Delivery
  Network detection solutions are often not in-line
  The "known bad" verdict arrives after delivery (2 to 10 minutes later)
  The network sensor is often not the first place a bad file is seen
  Encrypted (no SSL MITM inspection)
  In a container (password-protected zip/rar)
  Physical media (USB stick, DVD/CDs, et cetera)
  Detonation is so useful, it's becoming commoditized
Actionable intelligence passing (network to endpoint and back)
  Incoming files on the network: detonate files for analysis, transfer alerts
  Endpoint and server files: submit files automatically or on demand; automatic analysis of all suspicious files, on-demand analysis of suspicious files
  Correlate endpoint/server and network data
  Prioritize network alerts
  Investigate the scope of the threat
  Remediate endpoints and servers
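As an added worked example (not from the original deck and not Bit9 product code), the correlation step above in Python: detonation verdicts from the network side are joined to endpoint execution records by file hash, each network alert is prioritized by whether the file actually ran anywhere, and the set of hosts to remediate falls out of the join. Every alert, host, path and hash below is a constructed placeholder; the 2 to 10 minute verdict delay from the previous slide is modelled with an assumed `verdict_at` field so that executions that happened before the network verdict arrived are flagged separately.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data for illustration only: hashes are placeholders,
# hosts and paths are invented, and verdict_at models the detonation delay.
NETWORK_ALERTS = [
    {"sha256": "a1" * 32, "verdict": "malicious", "source": "mail-gw",
     "delivered": "2014-03-03T09:00:00", "verdict_at": "2014-03-03T09:07:00"},
    {"sha256": "b2" * 32, "verdict": "malicious", "source": "web-proxy",
     "delivered": "2014-03-03T09:05:00", "verdict_at": "2014-03-03T09:09:00"},
    {"sha256": "c3" * 32, "verdict": "suspicious", "source": "web-proxy",
     "delivered": "2014-03-03T09:10:00", "verdict_at": "2014-03-03T09:15:00"},
]

# Endpoint side: one record per file execution, carrying the hash of the binary.
ENDPOINT_EXECUTIONS = [
    {"host": "ws-017", "sha256": "a1" * 32, "ts": "2014-03-03T09:02:00",
     "path": r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe"},
    {"host": "ws-042", "sha256": "a1" * 32, "ts": "2014-03-03T09:30:00",
     "path": r"C:\Users\asmith\Downloads\invoice.exe"},
    {"host": "srv-fs01", "sha256": "a1" * 32, "ts": "2014-03-04T11:00:00",
     "path": r"C:\Windows\Temp\svchost.exe"},
    {"host": "ws-099", "sha256": "c3" * 32, "ts": "2014-03-03T09:12:00",
     "path": r"C:\Users\kli\Downloads\setup.exe"},
    {"host": "ws-017", "sha256": "d4" * 32, "ts": "2014-03-03T10:00:00",
     "path": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]

PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def index_executions(executions):
    """Group endpoint execution records by hash so that a network alert is
    answered with 'where did this run?' in a single lookup."""
    by_hash = defaultdict(list)
    for ev in executions:
        by_hash[ev["sha256"]].append(ev)
    return by_hash


def prioritize(alert, runs):
    """A malicious file that never executed anywhere ranks below a merely
    suspicious file that did: execution, not delivery, is what matters."""
    if not runs:
        return "low"
    return "critical" if alert["verdict"] == "malicious" else "high"


def correlate(alerts, executions):
    """Join network verdicts to endpoint executions by hash and rank the result."""
    by_hash = index_executions(executions)
    results = []
    for alert in alerts:
        runs = sorted(by_hash.get(alert["sha256"], []), key=lambda e: e["ts"])
        verdict_at = _t(alert["verdict_at"])
        results.append({
            "sha256": alert["sha256"],
            "verdict": alert["verdict"],
            "source": alert["source"],
            "priority": prioritize(alert, runs),
            "hosts": sorted({e["host"] for e in runs}),
            "first_exec": runs[0]["ts"] if runs else None,
            # Executions before the verdict arrived: no network control could
            # have stopped these, only the endpoint record shows they happened.
            "ran_before_verdict": sorted({e["host"] for e in runs
                                          if _t(e["ts"]) < verdict_at}),
        })
    results.sort(key=lambda r: (PRIORITY_RANK[r["priority"]], -len(r["hosts"])))
    return results


def remediation_targets(results):
    """Hosts that executed a file with a malicious verdict: the scope to contain."""
    hosts = set()
    for r in results:
        if r["verdict"] == "malicious":
            hosts.update(r["hosts"])
    return sorted(hosts)


if __name__ == "__main__":
    rows = correlate(NETWORK_ALERTS, ENDPOINT_EXECUTIONS)
    for r in rows:
        print(r["priority"], r["sha256"][:12], r["verdict"], r["hosts"],
              "ran before verdict:", r["ran_before_verdict"])
    print("remediate:", remediation_targets(rows))
```

The ordering is the point: the second malicious verdict sorts below the suspicious one because no endpoint ever executed it, and the first alert shows one host that ran the file five minutes before the detonation service could say anything about it.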
Focus on Threat Intelligence: Leveraging Indicators to Facilitate Detection
  IP addresses
  Hostnames
  File hashes
  Et cetera
Focus on Threat Intelligence: Leveraging Intelligence to Determine Trust
  Software Reputation Service (SRS)
  Reputation levels for files, e.g. Firefox == 10, Keylogger == 0
  Thresholds can drive approvals
Complete Forensic Record of Endpoint Activity
  All file modifications
  All registry modifications
  All file executions
  All network connections
  Copy of every executed binary
  All the information you need to respond
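An added example, not code from the deck or from any vendor's product, covering both the Default-Allow versus Default-Deny slides earlier and the reputation-threshold point above: a minimal execution-policy check that runs the same known-bad and known-good tests under both modes and differs only in the fall-through for files nobody has a verdict on. The reputation table (scored 0 to 10 as on the slide), the local blacklist, the approved hashes and publishers, and the `Policy` fields and thresholds are all constructed assumptions rather than any real service's schema.

```python
from dataclasses import dataclass

# Constructed stand-in for a software reputation service: hash -> (name, score 0-10).
# The slide's anchors: a trusted browser scores 10, a keylogger 0. Hashes are placeholders.
REPUTATION = {
    "f1" * 32: ("firefox.exe", 10),
    "k0" * 32: ("keylogger.exe", 0),
    "u5" * 32: ("build-helper.exe", 5),   # legitimate but little-known (assumed)
}
BLACKLIST = {"k0" * 32}                    # local blacklist: tactically useful in both modes
APPROVED_HASHES = {"f1" * 32}              # explicitly trusted files (default-deny trust source)
APPROVED_PUBLISHERS = {"Mozilla Corporation", "Microsoft Corporation"}  # assumed trust source


@dataclass
class Policy:
    mode: str                 # "default-allow" (blacklisting) or "default-deny" (whitelisting)
    approve_threshold: int    # reputation at or above which an unlisted file is auto-approved
    ban_threshold: int = 0    # reputation at or below which a file is banned outright


def decide(sha256, publisher, policy, reputation=REPUTATION, blacklist=BLACKLIST):
    """Return (decision, reason) for one execution attempt.

    Known-bad checks run first in both modes, known-good checks next; the only
    difference between the modes is what happens to a file that is neither.
    """
    if sha256 in blacklist:
        return ("block", "local blacklist")
    score = reputation.get(sha256, (None, None))[1]
    if score is not None and score <= policy.ban_threshold:
        return ("block", f"reputation {score} <= ban threshold {policy.ban_threshold}")
    if sha256 in APPROVED_HASHES:
        return ("allow", "approved hash")
    if publisher in APPROVED_PUBLISHERS:
        return ("allow", f"approved publisher {publisher}")
    if score is not None and score >= policy.approve_threshold:
        return ("allow", f"reputation {score} >= approve threshold {policy.approve_threshold}")
    if policy.mode == "default-allow":
        return ("allow", "default-allow: not known bad")
    return ("block", "default-deny: not known good")


def compare(samples, policies):
    """Run the same execution attempts under several policies; the rows that
    differ are exactly the files with no verdict yet."""
    out = {}
    for name, sha256, publisher in samples:
        out[name] = {pname: decide(sha256, publisher, p)[0] for pname, p in policies.items()}
    return out


SAMPLES = [                                   # constructed execution attempts
    ("firefox.exe", "f1" * 32, "Mozilla Corporation"),
    ("keylogger.exe", "k0" * 32, None),
    ("build-helper.exe", "u5" * 32, None),
    ("invoice.exe", "z9" * 32, None),         # never-seen dropper: no reputation, no publisher
]
POLICIES = {
    "default-allow": Policy("default-allow", approve_threshold=7),
    "default-deny": Policy("default-deny", approve_threshold=7),
}

if __name__ == "__main__":
    for name, row in compare(SAMPLES, POLICIES).items():
        print(f"{name:20} {row}")
```

Lowering `approve_threshold` is the "thresholds can drive approvals" knob: at 5 the little-known build helper is approved under default-deny without anyone hand-approving its hash, while the never-seen dropper is still blocked because it has no reputation at all.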
[Build slide: a timeline from "seconds to minutes" to "weeks to years", asking where the detection focus is.]
Endpoint and Server Telemetry
Monitor: file executions, file modifications, registry modifications, network activity
Retain: telemetry from periods when the system is offline; copies of all executed binaries
Control (at minimum): file executions (instant global ban), registry modifications
A growing consensus
"Security will shift to rapid detection and response capabilities linked to protection systems to block further spread of the attack." -- Gartner, Endpoint Threat Detection and Response Tools and Practices, Sept. 2013
"Functions organize basic cybersecurity activities at their highest level. These Functions are: Identify, Protect, Detect, Respond, and Recover." -- NIST Cybersecurity Framework for Critical Infrastructure, Feb 2014
"Assume the organization is already infected. Change your 'incident response' mindset to a 'continuous detection and response' process." -- Gartner Research Note, Feb 2014
In review...
  Compromise is inevitable; you must plan for response
  Defense tactics are changing
  You can leverage the home-field advantage against adversaries
  Forensics are not part of the defense process
  You've got to collect telemetry from EVERYTHING
  Your endpoints and network must work together
  There are no silver bullets
THERE ARE TWO THINGS YOU NEED TO DO:
  Decrease your threat surface
  Increase your response capabilities
Establishing a Continuous Security Process
Attacks target the endpoint
Visibility: Know what's running on every computer right now
  How can you protect your assets if you don't know what's running on them?
  Traditional security tools provide no visibility
  Visibility needs to be live, not poll- or scan-based
Prevent: Stop threats with proactive, customizable prevention
  Reduce your attack surface
  The number of threats will continue to grow exponentially
  Apply trust-based policies to allow only known-good software to run
Detect: Detect threats in real time without signatures
  See and record everything
  You can't always know what's bad ahead of time
  Apply advanced indicators to detect unknown threats in real time
Respond: See the full evolution of a threat; contain and control
  Traditional incident response is expensive and time consuming
  With historical recording, you can identify scope and impact in seconds, not weeks
  Use that information to contain, remediate and further reduce attack surface
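An added example for the Visibility / Prevent / Detect / Respond process above, written for this edit rather than taken from the deck or from any product: a stream processor over the four telemetry classes the Telemetry slide lists (file writes, file executions, registry writes, network connections) that detects a dropper without a signature from behavioural indicators, then responds by banning the hash globally so the same binary is blocked when it later shows up on another host. The telemetry records, the five-minute window, the trusted-writer list and the two-indicator threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry stream (not real agent output). Hashes are placeholders.
TELEMETRY = [
    # A mail client writes an executable to Temp, which then runs, persists, and beacons.
    {"ts": "2014-03-03T09:00:10", "host": "ws-017", "type": "file_write", "proc": "outlook.exe",
     "path": r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe", "sha256": "a1" * 32},
    {"ts": "2014-03-03T09:00:40", "host": "ws-017", "type": "file_exec", "proc": "invoice.exe",
     "path": r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe", "sha256": "a1" * 32},
    {"ts": "2014-03-03T09:00:45", "host": "ws-017", "type": "registry_write", "proc": "invoice.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "sha256": "a1" * 32},
    {"ts": "2014-03-03T09:01:00", "host": "ws-017", "type": "net_connect", "proc": "invoice.exe",
     "dst": "203.0.113.7:443", "sha256": "a1" * 32},
    # Benign: an installer staged by the (assumed) approved software-distribution agent.
    {"ts": "2014-03-03T09:05:00", "host": "ws-042", "type": "file_write", "proc": "ccmexec.exe",
     "path": r"C:\Windows\ccmcache\setup.exe", "sha256": "e5" * 32},
    {"ts": "2014-03-03T09:06:00", "host": "ws-042", "type": "file_exec", "proc": "setup.exe",
     "path": r"C:\Windows\ccmcache\setup.exe", "sha256": "e5" * 32},
    # The same dropper reaches a second host half an hour later.
    {"ts": "2014-03-03T09:30:00", "host": "ws-042", "type": "file_exec", "proc": "invoice.exe",
     "path": r"C:\Users\asmith\Downloads\invoice.exe", "sha256": "a1" * 32},
]

WINDOW = timedelta(minutes=5)                     # "recently" for write-then-run and new-binary checks
TRUSTED_WRITERS = {"ccmexec.exe", "msiexec.exe"}  # assumed: processes allowed to drop executables
RUN_KEY = r"\currentversion\run"
DETECT_AT = 2                                     # indicators per (host, hash) before a detection


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


class Sensor:
    """Keeps the per-host history the rules need and the global ban list the response uses."""

    def __init__(self):
        self.writes = {}                      # (host, sha256) -> (ts, writing process)
        self.first_exec = {}                  # (host, sha256) -> first execution time
        self.indicators = defaultdict(list)   # (host, sha256) -> behavioural evidence
        self.global_ban = set()               # hashes blocked on every host from now on
        self.detections = []
        self.blocked = []

    def process(self, ev):
        key, ts, kind = (ev["host"], ev["sha256"]), _t(ev["ts"]), ev["type"]
        if kind == "file_write":
            self.writes[key] = (ts, ev["proc"])
        elif kind == "file_exec":
            if ev["sha256"] in self.global_ban:             # Respond: stop further spread
                self.blocked.append((ev["host"], ev["sha256"], ev["ts"]))
                return
            self.first_exec.setdefault(key, ts)
            written = self.writes.get(key)
            if written and ts - written[0] <= WINDOW and written[1] not in TRUSTED_WRITERS:
                age = int((ts - written[0]).total_seconds())
                self._indicator(key, f"written by {written[1]} then executed {age}s later", ev)
        elif kind == "registry_write":
            if RUN_KEY in ev["key"].lower() and self._recently_executed(key, ts):
                self._indicator(key, "new binary wrote a Run key", ev)
        elif kind == "net_connect":
            if self._recently_executed(key, ts):
                self._indicator(key, f"new binary connected to {ev['dst']}", ev)

    def _recently_executed(self, key, ts):
        first = self.first_exec.get(key)
        return first is not None and ts - first <= WINDOW

    def _indicator(self, key, name, ev):
        self.indicators[key].append(name)
        if len(self.indicators[key]) == DETECT_AT:          # Detect: no signature involved
            self.detections.append({"host": key[0], "sha256": key[1], "ts": ev["ts"],
                                    "evidence": list(self.indicators[key])})
            self.global_ban.add(key[1])                     # Respond: instant global ban


def run(events):
    """Replay a telemetry stream in time order and return the sensor state."""
    sensor = Sensor()
    for ev in sorted(events, key=lambda e: e["ts"]):
        sensor.process(ev)
    return sensor


if __name__ == "__main__":
    s = run(TELEMETRY)
    for d in s.detections:
        print("DETECTION", d["host"], d["sha256"][:12], d["ts"], d["evidence"])
    for b in s.blocked:
        print("BLOCKED  ", b)
```

The installer on ws-042 never accumulates an indicator because its writer is on the trusted list, while the dropper is detected on the first host from two behaviours alone and is blocked on the second host before it runs; the deck's later point that detection and response must be linked to the protection system is exactly that last step.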
Questions? Nick Levay <nlevay@bit9.com> @rattle1337
Thank You! Nick Levay <nlevay@bit9.com> @rattle1337