ATP for Dummies

These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.

Advanced Threat Protection Blue Coat Systems Special Edition

by Steve Piper, CISSP


Advanced Threat Protection For Dummies®, Blue Coat Systems Special Edition Published by John Wiley & Sons, Inc. 111 River St. Hoboken, NJ 07030-5774 www.wiley.com Copyright © 2013 by John Wiley & Sons, Inc., Hoboken, New Jersey No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions. Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. Blue Coat Systems and the Blue Coat logo are trademarks or registered trademarks of Blue Coat Systems, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book. LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ. For general information on our other products and services, or how to create a custom For Dummies book for your business or organization, please contact our Business Development Department in the U.S. at 877-409-4177, contact [email protected], or visit www.wiley.com/ go/custompub. For information about licensing the For Dummies brand for products or services, contact [email protected]. ISBN 978-1-118-65876-5 (pbk); ISBN 978-1-118-66056-0 (ebk) Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1


Publisher’s Acknowledgments We’re proud of this book and of the people who worked on it. For details on how to create a custom For Dummies book for your business or organization, contact info@ dummies.biz or visit www.wiley.com/go/custompub. For details on licensing the For Dummies brand for products or services, contact [email protected]. Some of the people who helped bring this book to market include the following: Acquisitions, Editorial, and Vertical Websites Development Editor: Kathy Simpson Project Editor: Jennifer Bingham Acquisitions Editor: Amy Fandrei Editorial Manager: Rev Mengle Business Development Representative: Kimberley Schumacker Custom Publishing Project Specialist: Michael Sullivan

Composition Services Senior Project Coordinator: Kristie Rees Layout and Graphics: Melanee Habig Proofreader: Susan Moritz Special help from Blue Coat Systems: John Vecchi, Ajay Uggirala, Alan Hall, Armen Sargsyan, Joe Levy

Publishing and Editorial for Technology Dummies Richard Swadley, Vice President and Executive Group Publisher Andy Cummings, Vice President and Publisher Mary Bednarek, Executive Director, Acquisitions Mary C. Corder, Editorial Director Publishing and Editorial for Consumer Dummies Kathleen Nebenhaus, Vice President and Executive Publisher Composition Services Debbie Stailey, Director of Composition Services Business Development Lisa Coleman, Director, New Market and Brand Development



Table of Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 How This Book Is Organized..................................................... 1 Icons Used in This Book............................................................. 2

Chapter 1: Surveying a World of Advanced Threats. . . . 3 Contrasting Basic and Advanced Threats............................... 4 Basic Threats: Oldies but Baddies............................................ 4 Advanced Threats: Emerging Dangers..................................... 7 Know Thy Enemy...................................................................... 10 The Price of Failure................................................................... 13

Chapter 2: Exploring Advanced Threats . . . . . . . . . . . . . 15 Viewing the Evolving Threat Landscape................................ 16 Seeing Why Security Sometimes Fails.................................... 18 Tracking the Advanced Threat Life Cycle............................. 20 Knowing When You’ve Been Compromised.......................... 25

Chapter 3: Fighting Back with Big Data Security Analytics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 What Is Big Data?...................................................................... 27 What Is Big Data Security Analytics?...................................... 28 How Big Data Security Analytics Solutions Work................. 29 What Big Data Security Analytics Does.................................. 31 Exploring Features.................................................................... 33 Integrating Big Data Security Analytics into Your Network................................................................ 36

Chapter 4: Exploring Big Data Security Analytics for Advanced Threat Protection. . . . . . . . . . . . . . . . . . 39 Understanding the Underlying Technologies....................... 39 Identifying Advanced Threats within Files............................ 45

Chapter 5: Advanced Threat Protection Buying Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Full Packet Capture................................................................... 48 Multivector Threat Detection and Correlation..................... 48


vi

Advanced Threat Detection For Dummies Virtual Platform Visibility........................................................ 49 Comprehensive Threat Intelligence....................................... 49 File-Based Malware Detection................................................. 50 Support for Continuous Monitoring....................................... 50 Extensive Third-Party Integration.......................................... 52 Enterprise Performance, Scalability, and Reliability............ 52 Ease of Use................................................................................. 53 Responsive Customer Support............................................... 54

Chapter 6: Ten Best Practices for Advanced Threat Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 Leverage Your Vendor’s Expertise......................................... 55 Achieve 20/20 Security Visibility............................................ 57 Understand That CRIME Pays................................................. 58 Discover Your Application Landscape................................... 59 Engage Your CSIRT Team........................................................ 59 Plan for Performance and Scalability..................................... 60 Automate Discovery of File-Embedded Threats................... 60 Constantly Monitor Anomalies............................................... 61 Strengthen Your Infrastructure............................................... 61 Train for Success...................................................................... 62

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63


Introduction

T

urn on any nationally televised news channel and watch it for a few hours. Odds are that you’ll hear about at least one major cyberattack that occurred in the previous 48 hours. Frankly, I can’t think of the last full day when I didn’t hear about some big data breach— which certainly wasn’t the case three years ago. Cyberattacks have become an international crisis, targeting and affecting every developed nation. Despite spending billions every year for security products, organizations around the world are losing the battle against a new generation of cyberattacks, with advanced persistent threats, or APTs, leading the charge. The bad news is that this crisis is only going to get worse unless IT organizations start thinking and acting differently. The good news is that many security-savvy enterprises and government agencies are doing just that, thanks to a new weapon in the fight against advanced threats and targeted attacks called Big Data Security Analytics. If you’re tired of fighting a losing battle against advanced threats, you’ve exhausted your options with traditional, signature-based solutions, or you simply want to make sure your organization isn’t mentioned next on the evening news, this book is for you.

How This Book Is Organized I’ve organized this book so that you don’t have to read it cover to cover, front to back. You can skip around and read just the chapters that interest you. Here’s what you’ll find inside: ✓ Chapter 1, “Surveying a World of Advanced Threats,” distinguishes between basic and advanced threats, reviews the costs of enterprise data breaches, and identifies three types of cyberenemies. These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.

2

Advanced Threat Detection For Dummies

✓ Chapter 2, “Exploring Advanced Threats,” reviews factors that contribute to the rise in advanced threats, shows why traditional security products sometimes fail, and outlines the five stages of the advanced-threat life cycle. ✓ In Chapter 3, “Fighting Back with Big Data Security Analytics,” I describe this innovative technology for mitigating advanced threats and explore how Big Data Security Analytics solutions operate and integrate with your existing network security infrastructure. ✓ Chapter 4, “Exploring Big Data Security Analytics for Advanced Threat Protection,” covers the underlying technologies that make Big Data Security Analytics work in the context of advanced threat protection, including the process of detecting malware-infected files. ✓ In Chapter 5, “Advanced Threat Protection Buying Criteria,” I describe exactly what to look for, and what to avoid, when evaluating security solutions as part of a comprehensive advanced threat protection framework. ✓ In Chapter 6, “Ten Best Practices for Advanced Threat Protection,” I give you some advice on how to get the most out of your advanced threat protection investment. ✓ Finally, the Glossary defines some important terms that I use throughout the book.

Icons Used in This Book This book uses the following icons to indicate special content. You won’t want to forget the information in these paragraphs.

A Tip icon points out practical advice that can help you craft a better strategy, whether you’re planning a purchase or setting up your software. Look out! When you see this icon, it’s time to pay attention. You’ll find cautionary information that you won’t want to miss. Maybe you’re one of those highly detailed people who really needs to grasp all the nuts and bolts, even the most techie parts. If so, these tidbits are right up your alley.


Chapter 1

Surveying a World of Advanced Threats In This Chapter ▶ Distinguishing between basic and advanced threats ▶ Recognizing three types of cyberenemies ▶ Counting the cost of data breaches

I

t’s getting rough out there.

I’m not kidding. In more than two decades of observing the effects of enterprise and government data breaches, I’ve never seen anything like today’s threat landscape. The sheer number of recent high-profile cyberattacks is staggering. The bad guys clearly have the upper hand, and it seems like there’s nothing that any of us can do about it. Given the efficacy of modern-day threats, today’s information security professionals are judged not only on how well they can block known threats but also on how quickly they can uncover, identify, and mitigate unknown threats. Unfortunately, too many security professionals lack the tools and training needed to stay ahead in this cyberarms race. In this chapter, I distinguish between basic and advanced cyberthreats while exploring common variations of advanced threats along the way. I also cite recent data-breach statistics, describe three types of cyberenemies, and review high-profile commercial and government cyberattacks that recently made international headlines. But first, allow me to clarify the differences between basic and advanced threats.


4


Contrasting Basic and Advanced Threats The following are key characteristics of basic and advanced cyberthreats: ✓ Basic threats are known threats against known operating system (OS) or application-level vulnerabilities. They are commonly detected by traditional signature-based network- and endpoint-security defenses, including intrusion prevention systems (IPSs), secure web and e-mail gateways, and antivirus platforms. ✓ Advanced threats are unknown threats against unknown OS or application-level vulnerabilities. They can’t be detected by traditional signature-based defenses.

Better network security devices can detect unknown threats (or new variants of known threats) that target known vulnerabilities, but I still classify those threats as basic. Obviously, as the name suggests, advanced threats are far more difficult to detect. Traditional security defenses that rely on pattern-matching signatures for detection are useless for detecting advanced threats. Don’t get me wrong — traditional defenses such as firewalls, IPSs, and secure web and e-mail gateways are your front line in a defense-in-depth (layers of security defenses) strategy. But you can’t rely on these technologies exclusively for detecting today’s advanced threats. (Jump to Chapter 2 to find out why.) Before delving into some of the advanced threats that endanger today’s organizations, take a few minutes to reacquaint yourself with some basic threats that have been around for years.

Basic Threats: Oldies but Baddies The basic cyberattacks described in this section generally don’t pose huge threats to enterprises and government agencies because they’re largely mitigated by traditional network


Chapter 1: Surveying a World of Advanced Threats

5

and endpoint security solutions. If you fail to take them seriously, however, any of them could be your downfall.

Worms, Trojans, and viruses A computer worm is malware that exploits the vulnerabilities of a computer’s OS (typically, Microsoft Windows) to selfpropagate via the internal network to which the computer is linked. Worms are dangerous to any network because they can be used to exfiltrate data or otherwise harm computer systems. They also consume large amounts of bandwidth, causing degradations in network performance. Unlike a virus (discussed later in this section), a worm doesn’t attach itself to computer programs or files. A Trojan (or Trojan horse) is malware disguised as a legitimate software application to trick a user into installing it on a computer. Unlike computer worms, Trojans can’t propagate to other vulnerable computers on their own. Instead, they join networks of other infected computers (called botnets; see the next section), wait to receive instructions from the attacker, and then transfer stolen information. Trojans are commonly delivered by means of social media and spam e-mails; they may also be disguised as installers for games or applications. A computer virus is malicious code that attaches itself to a program or file so that it can spread from one computer to another, leaving infections as it propagates. Unlike a worm, a virus can’t travel without a human helper — in this case, a user who sends (usually unknowingly) an infected program or file to another user.

Spyware and botnets Spyware is a form of malware that covertly aggregates user information without the user’s knowledge and forwards it to the perpetrator via the Internet. Sometimes, spyware is employed for the purpose of advertising (in which case it’s called adware and displays pop-up ads). At other times, it’s used to collect confidential information such as usernames, passwords, and credit-card numbers. Typically, spyware is secretly bundled into shareware or freeware.


6

Advanced Threat Detection For Dummies A botnet is a group of Internet-connected computers on which malware is running (bots). Bots are often used to commit denial-of-service attacks (attacks that overload a server’s processing power), relay spam, steal data, and/or download additional malware to the infected host computer. The person who controls a botnet — the bot herder or botmaster — typically uses web servers called command-andcontrol (CnC) servers. CnC servers have only one job: controlling bots.

Social engineering attacks Social engineering attacks are extremely common, especially the two types discussed in this section: phishing and baiting. As I discuss later in this chapter, these attacks are often incorporated into advanced threats.

Phishing Phishing is an attempt to steal confidential information — usernames, passwords, credit-card numbers, Social Security numbers, and so on — via e-mail by masquerading as a legitimate organization. After clicking a seemingly innocent hyperlink in the e-mail, the victim is directed to enter personal information on an imposter website that looks almost identical to the one it’s emulating. Phishing has two common variants: ✓ Spear phishing targets specific people within an organization, using information about them collected from social media sites such as Facebook, LinkedIn, and Twitter. ✓ Whaling is phishing that targets the senior executives of a given organization.

Baiting Baiting occurs when a criminal casually drops a USB flash drive or CD-ROM in a public area (perhaps a parking lot or cybercafé) within close proximity of the targeted organization. The media device is labeled with enticing words such as Product Roadmap or Proprietary & Confidential to spark the finder’s interest. When the victim inserts the device into her computer, it instantly installs malware on the computer. These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.


Buffer overflows and SQL injections These two common techniques exploit vulnerabilities in web applications: ✓ A buffer overflow attack is a painfully common cyberthreat in which a malicious hacker knowingly writes more data into a memory buffer than the buffer is designed to hold. Data subsequently spills into adjacent memory, causing the application to execute unauthorized code that may grant the hacker administrative privileges or possibly even crash the system. ✓ In an SQL injection attack, the attacker enters SQL statements into a web form in an attempt to get the form to pass an unauthorized SQL command to the database. If successful, the attack can give its perpetrator full access to database content such as credit-card numbers, Social Security numbers, and passwords.

Advanced Threats: Emerging Dangers Now that you’re up to speed on basic threats, it’s time to explore the advanced threats that are making headlines today.

Advanced persistent threats Advanced persistent threats (APTs) — also known as advanced targeted attacks (ATAs) — are sophisticated, multivectored (perpetrated through multiple channels) cyberattacks in which an attacker gains unauthorized network access and stays undetected for a long period. To date, the goal of APTs generally has been data theft, but more extreme consequences, including kinetic damage, are possible.

APTs target organizations in industries that handle highvalue information, such as financial institutions, government agencies and contractors, and companies that have valuable


7

8

Advanced Threat Detection For Dummies intellectual property in such sectors as technology, pharmaceuticals, and energy. To help illustrate the nature of an APT, I break down the components of the acronym:

✓ Advanced: Attackers use a full spectrum of computerintrusion technologies and techniques, often exploiting unreported vulnerabilities in OSs and applications. Many of these threats are undetectable by traditional security systems. ✓ Persistent: After a network is breached, the perpetrator operates low and slow to remain undetected. Patience is key as he quietly maps the network and connects to each host (often in the middle of the night) until the ultimate target has been identified. ✓ Threat: The attacker initiates each APT with a specific objective in mind and won’t stop until he achieves that objective. He’s skilled, highly motivated, and well funded.

Chapter 2 explores APTs in considerably more detail and also provides an overview of the APT threat life cycle.

Zero-day threats A zero-day threat is a cyberattack on an OS or application vulnerability that’s unknown to the general public. It’s called a zero-day threat because the attack was launched before public awareness of the vulnerability (on day zero). In some cases, the OS or application vendor is already aware of the vulnerability but hasn’t disclosed it publicly because the vulnerability hasn’t been patched yet. In other cases, the vendor is caught by surprise.

Polymorphic threats A polymorphic threat is a cyberattack — such as a virus, a worm, a Trojan, or spyware — that continuously changes (morphs), making it impossible for traditional signature-based security defenses to detect. Polymorphic threats morph in a variety of ways, including filename and file-size changes.



9

Bypassing million-dollar security with a good pair of shoes No matter how much money your organization spends on perimeterbased network security defenses, they’ll be bypassed every time by users carrying their own laptops, mobile devices, and portable media (such as USB flash drives) right through the office front door. The best approach to information security is a defense-in-depth strategy comprised of best-of-breed security

products that can detect all kinds of threats originating both inside and outside the organization. If you’re an IT security professional who thinks that advanced cyberthreats can penetrate your network only through your firewall, you’re headed for a rude awakening — and possibly a new career.

Although the code within a polymorphic threat changes with each mutation, the function generally remains the same. Consider a spyware program that’s designed to act as a keylogger (malware designed to record keystrokes in an effort to steal usernames, passwords, or other confidential data). Even after its underlying code changes, that program continues to act as a keylogger.

Blended threats A blended threat employs multiple attack vectors (paths and targets) and multiple types of malware to disguise the attack, confuse security analysts, and increase the likelihood of a successful data breach. Classic examples of blended threats include Conficker, Code Red, and Nimda.

Insider threats Not all threats originate outside the network. Some originate within, introduced by two types of users: ✓ Malicious users: These users may consist of ill-intentioned contractors, disgruntled employees, or even criminals who use social engineering techniques to gain physical


10

Advanced Threat Detection For Dummies access to the network after being admitted to the building by a negligent receptionist.

✓ Unknowing employees: Even well-intentioned employees may bring malware-infected laptops and mobile devices into the office after surfing the web at home over the weekend. Depending on how sophisticated your information security is at home and on whether you ever connect your personally owned mobile devices (laptops, smartphones, or tablets) to your company’s network, you might be an insider threat and never even know it!

Malnets A malnet (malware network) employs a distributed network infrastructure in the Internet that is purpose built and maintained by cybercriminals to launch a variety of attacks against Internet users over extended periods of time. A malnet is comprised of unique domains, servers, and websites that work in unison to funnel users to the malware payload.

Blue Coat Security Labs projects that nearly two-thirds of all new cyberattacks will originate from malnets.

Know Thy Enemy It’s not enough just to know what kind of cyberthreats you face. You also need to know the sources and goals of those threats. This section gives you some insights into potential attackers — and potential attacks.

Types of attackers Cyberattackers have changed dramatically over the past half century. In the 1970s and 1980s, phone phreaking (hacking telephone equipment to make free long-distance calls) was common. In the 1990s, widespread Internet adoption and the emergence of the World Wide Web enticed hackers to deface public websites primarily for bragging rights. Since the turn of the century, however, cyberattackers have fallen into three broad categories: cybercriminals, statesponsored hackers, and hacktivists. These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.


11

Cybercriminals As the name suggests, cybercriminals hack for profit. They penetrate a company’s network security defenses in an attempt to steal something valuable (such as credit-card numbers) and sell them on the black market. Many of today’s botmasters and CnC servers are under the control of cybercriminals and their circuits. Today, cybercrime is a multibillion-dollar industry.

State-sponsored hackers Cyberattacks committed by nations against foreign corporations and governments are perpetrated by state-sponsored hackers — people who hack for a paycheck with the objective of compromising data, sabotaging systems, or even committing cyberwarfare. China, Russia, Iran, and North Korea are among the countries most often cited for recruiting state-sponsored hackers, although evidence has emerged that the United States is also active in this arena.

Hacktivists Hacktivists are computer hackers who are driven by political ideology. Typical attacks committed by hacktivists include website defacements, redirects, information theft and exposure, and virtual sit-ins through denial-of-service attacks. Some hacktivists join forces to target their victims, working as groups such as LulzSec (which claimed responsibility for attacks against Sony Pictures and the Central Intelligence Agency) and Anonymous (which claimed responsibility for attacks against the Church of Scientology, HBGary Federal, PayPal, the U.S. Federal Reserve, and the Ugandan government in protest of its antihomosexuality bill).

Attacks that make headlines These days, it seems that a day doesn’t go by without news of a major commercial or government cyberattack. The following sections summarize some recent data breaches that have made international headlines.

Attacks on companies You may have read about some of these high-profile attacks: These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.

12


✓ Apple and Microsoft (February 2013): Microsoft announced that it experienced an intrusion in its Mac business unit originating from Java-based malware. This attack came just days after Apple stated that it had been victimized by Java-based malware that employees inadvertently downloaded after visiting a website for software developers. Neither Microsoft nor Apple disclosed what, if any, data was compromised. ✓ The New York Times and The Wall Street Journal (January 2013): China has been accused of conducting cyberattacks against these two media giants in response to undesirable coverage of the Chinese government, including Prime Minister Wen Jiabao. ✓ Facebook, Twitter, and LinkedIn (2012–2013): Officials of each of these social media giants claimed that they were targeted by advanced cyberattacks. LinkedIn was first, with 6.5 million passwords stolen in June 2012; Twitter was next, with 250,000 passwords stolen in February 2013. Facebook followed soon after (with no reports of stolen passwords just yet). ✓ Citigroup, Bank of America, and JPMorgan Chase (September 2012): U.S. officials accused Iran of orchestrating attacks on the websites of these major U.S. banks in response to United Nations sanctions against Iran. PNC Financial Services Group, SunTrust, and BB&T were also targeted in January 2013.

Data breaches by the numbers In 2013, Verizon analyzed 621 databreach incidents that occurred in 2012, resulting in 44 million compromised records, and came up with some staggering statistics: ✓ 40 percent incorporated malware. ✓ 52 percent involved some form of hacking. ✓ 66 percent took months or more to discover.

✓ 84 percent compromised their targets in seconds, minutes, or hours. ✓ 69 percent were discovered by a third party. ✓ 92 percent were perpetrated by outsiders. ✓ 95 percent of state-affiliated attacks employed phishing. You can download the report for free at www.verizonenterprise. com/DBIR/2013.



13

Attacks on government agencies Unsurprisingly, governments are high-profile targets. Here are a few recent examples: ✓ NATO and European governments (February 2013): Officials of NATO and several European nations, including the Czech Republic, Ireland, Portugal, and Romania, announced the compromise of sensitive computer systems by advanced malware called MiniDuke, which exploits a flaw in Adobe Reader. ✓ U.S. Department of Energy (February 2013): In a major cyberattack, the personal information of several hundred DoE employees was compromised. The agency reported that 14 servers and 20 workstations were penetrated during the attack. ✓ South Carolina Department of Revenue (November 2012): A single malicious e-mail enabled a hacker to crack into state computers and access 3.8 million tax returns in what experts say is the biggest cyberattack against a state government. ✓ Iran (May 2012): A malware program called Flame, allegedly developed by the United States and Israel, was deployed to collect intelligence related to Iran’s nuclear program. Unlike Stuxnet, which was designed to sabotage an industrial process, Flame was written purely for espionage purposes. This list of attacks just scratches the surface of what government agencies are experiencing. An official of a well-known federal contractor inadvertently disclosed at a company event that the U.S. Navy fights off more than 110,000 cyberattacks every hour — more than 30 attacks every single second!

The Price of Failure Failing to detect a data breach before it’s too late is disastrous to any organization. The associated costs are difficult to quantify, as they’re spread across many areas, including these: ✓ Investigation and forensics costs ✓ Customer and partner communication costs


14


✓ Public relations costs ✓ Lost revenue due to damaged reputation ✓ Regulatory fines and civil claims In 2012, the Ponemon Institute published its 2012 Cost of CyberCrime Study, which calculated the cost of data breaches for 56 U.S.-based enterprises. The report found the average annualized cost of cybercrime for each organization to be $8.9 million, with a range of $1.4 million to $46 million, a 6 percent increase (from $8.4 million) from the year before. To download a free copy of the report, visit www.ponemon.org/library.

Security researcher exposes potential source of global cyberespionage In February 2013, cybersecurity vendor and researcher Mandiant (www.mandiant.com) published a report called APT1 that instantly turned heads throughout the information security industry. In this report, Mandiant claims to have conclusive proof that a governmentcontrolled organization in China is the source of hundreds of advanced cyberattacks. According to Mandiant, which has investigated computer security breaches at hundreds of organizations around the world, the company has tracked more than 20 APT groups with origins in China, but a single organization, which Mandiant has dubbed APT1, is by far the most prolific. In its report, Mandiant claims that APT1 stole 6.5 terabytes of compressed

data from a single organization over a ten-month period. In the last two years alone, APT1 has allegedly established a minimum of 937 command-and-control (CnC) servers hosted on 849 distinct IP addresses in 13 countries. The majority of these IP addresses were registered to organizations in China. In a Forbes.com article written by Richard Stiennon, Chief Security Analyst at IT Harvest, Mr. Stiennon advised his readers responsible for the IT security of their organizations to drop everything and immediately read Mandiant’s APT1 report. Although I hope you continue reading this book, I advise that you do the same. To download a free copy of the Mandiant APT1 report, connect to http://intelreport. mandiant.com.


Chapter 2

Exploring Advanced Threats In This Chapter ▶ Considering trends that contribute to cyberattacks ▶ Understanding why traditional security products may fail ▶ Reviewing the advanced threat life cycle ▶ Finding out when you’ve been victimized

T

oday, two types of IT organizations exist: Those that know their networks have been compromised and those that don’t yet know their networks have been compromised. In either case, virtually every enterprise and government agency has malware somewhere on its network — on servers, on desktops, and even on mobile devices. The good news is that the information security industry is innovating all the time. Vendors are making great strides in detecting and ultimately preventing advanced threats. If the past decade has taught us one thing, however, it’s that relying on prevention technology alone is a recipe for disaster. Before I introduce an innovative solution for detecting and mitigating advanced threats (see Chapter 3), I want to spend a little more time delving into these threats so that you’re fully prepared to face them.


16


Viewing the Evolving Threat Landscape Perhaps the only constant in your network environment is change. Your company or government agency is changing, personnel are changing, and the demands placed on your IT organization are in flux. The same is true of network security. New trends introduce new security threats, and the threats themselves are evolving.

Trends that introduce threats Supplemental to the changes in your organization are four technological trends that leave your network open to new risks and uncertainties — especially to advanced threats.

Social media Social media has exploded in popularity over the past decade (to make a gross understatement). LinkedIn, which celebrated its tenth anniversary in May 2013, has nearly 50 million users. Twitter, created in March 2006, boasts more than 500 million users, and Facebook, launched in February 2004, has more than 1 billion users. Conservatively speaking, one of every eight humans on this planet is registered on at least one of these three sites. The growing popularity of social media poses a new problem. Most organizations don’t restrict employees’ access to social media sites because they don’t have the technology to do so and/or don’t want to damage employee morale. Unfortunately, cyberattackers now use social media sites to identify targets and launch advanced threats.

Virtualization The adoption of cost-saving virtualization is one of the greatest shifts in network computing in the past decade. Platforms such as VMware, Xen, and Hyper-V have changed the face of data centers forever. Virtualization, however, poses a few risks that don’t apply to physical hosts:


Chapter 2: Exploring Advanced Threats

17

✓ IT can’t natively inspect traffic between virtual machines (VMs) without specialized tools. ✓ Many VMs go unprotected (or at least unmonitored) because IT doesn’t have a budget for virtual security. ✓ Often, new VMs are pushed into production without the knowledge (or approval) of IT security — a problem known as VM sprawl.

Cloud computing Cloud computing has changed the way that enterprises and government agencies deliver applications. Like virtualization (which is heavily leveraged by cloud-computing infrastructures), cloud computing has inherent risks. Whether applications are deployed via a public cloud, a private cloud, or a hybrid cloud, unless proper security measures are taken, data can be breached just as easily through a cloud architecture as it can through a traditional computer network.

BYOD BYOD (which stands for bring your own device) is a new policy trend that allows employees to connect their personal smartphones, tablets, and other mobile computing devices to the company’s network so that they can access company-maintained data and applications at their own convenience. Employee-owned devices, of course, are entirely unmanaged by IT, so they usually don’t have the proper security settings and protections. Furthermore, mobile devices are increasingly vulnerable to advanced malware and are subject to different threat tactics than traditional desktops are. Still, IT is pressured to support these devices, starting with those owned by the organization’s executives.

Trends in threats themselves As I mention in Chapter 1, basic threats are known attacks that exploit known OS or application vulnerabilities, and advanced threats are unknown attacks that exploit unknown (or at least unpatched) vulnerabilities. Both types of threats are evolving.


18


Longer time to detection Because no intrusion prevention, firewall, or even antivirus protection exists for an attack that hasn’t yet been identified, advanced attacks typically sail right past traditional signaturebased defenses (see “Signature-based defense limitations,” later in this chapter). In the case of the alleged Chinese cyberattack against The New York Times (see Chapter 1), it was reported that only 1 of the 45 pieces of malware associated with that data breach was spotted by the company’s vendor for antivirus protection. As you discover in “Tracking the Advanced Threat Life Cycle,” later in this chapter, perpetrators of advanced threats employ low and slow tactics to avoid detection — such as operating during off-peak hours (when fewer security analysts are watching), encrypting data before it’s extracted, breaking data into chunks before exfiltration, and uninstalling malware after penetrating the network. These tactics enable them to go months or even years without detection.

Use of diversionary tactics Talented advanced threat actors often employ diversionary tactics when conducting cyberespionage. They know that every organization has a finite number of IT security resources. By launching a series of attacks that are easy or moderately difficult to detect on other parts of the network, such as a distributed denial of service attack (DDoS), an attacker keeps the victim’s IT security resources busy and away from an advanced attack already in progress.

Seeing Why Security Sometimes Fails By now, you probably realize that advanced threats are very different from cyberattacks of the past. Detecting and mitigating them requires new thinking and new technologies because traditional security defenses are no match for today’s advanced threats and targeted attacks.



19

Signature-based defense limitations Signature-based endpoint and network security defenses — such as antivirus (AV), intrusion prevention systems (IPSs), next-generation firewalls (NGFWs), and more — leverage pattern-matching detection engines to detect known threats against known vulnerabilities. Today’s advanced threats, however, often employ zero-day attacks against vulnerabilities that the vendor hasn’t patched yet (see Chapter 1). Using traditional security defenses alone to detect these threats will fail every time. Don’t get me wrong — traditional signature defenses are critical components of a well-balanced defense-in-depth strategy. I’m simply saying that by themselves, they’re not enough to defend your business against today’s advanced threats.

Anomaly-based defense limitations Better IPS and network behavior analysis (NBA) solutions incorporate anomaly-based detection methods to uncover cyberattacks that have already penetrated the network, from the outside or from the inside (by being carried into the network on mobile computing devices; see “BYOD,” earlier in this chapter). These security solutions work by aggregating flow records (such as NetFlow, sFlow, and cFlow) from network routers and switches and then baselining normal network traffic over a given period. After a baseline has been established, the solution can detect anomalies such as one employee-owned device communicating directly with other employee-owned devices (a sign of worm propagation). Although anomaly-based security defenses sometimes detect clues pertaining to advanced threats, they’re largely unsuccessful because they’re notoriously prone to reporting false positives — misclassifying good traffic as bad. Because these offerings only analyze summarized flow information, they don’t provide the context required for analysts to make fully informed decisions or perform forensic analysis.


20


Sandboxing limitations Even advanced malware analysis solutions that incorporate sandboxing technology (a technique that uses virtual sessions or emulation to detect and classify advanced malware) can be defeated. Some types of malware are designed to detect the presence of a sandbox environment. Others have a built-in delay so that they’re not triggered until long after the sandbox analysis is complete or execute only in the presence of computer mouse movement to avoid automated analysis.

Tracking the Advanced Threat Life Cycle To detect — and ultimately mitigate — advanced threats, it’s critical to understand how they work. The terminology that researchers use to describe each stage of the advanced threat life cycle varies, but the process followed by advanced threats — and particularly by APTs — is well understood. Following is the general consensus on the stages of the advanced threat life cycle:

1. The attacker exploits system vulnerabilities.

2. The planted tool phones home.

3. The attack spreads across the network.

4. Compromised data is exfiltrated.

5. The attacker covers his tracks. In the following sections, I explore these five stages in detail.

Stage 1: Attacker exploits system vulnerabilities Every advanced threat begins with the exploitation of an operating system or application vulnerability (usually present in a Windows-based workstation or laptop) that enables the attacker to access other network hosts from the inside. Such attacks often involve tricking gullible employees with social These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.


21

engineering attacks such as e-mails containing dangerous attachments (phishing) or USB drives or CD-ROMs planted in parking lots (baiting). Attackers generally prefer phishing to baiting (see Chapter 1) because unless the media device involved in a baiting operation is inserted into a computer, there’s no way for the attacker to delete the incriminating malware files later. After a victimized system has been compromised, the attacker installs malware containing a remote administration tool (RAT), which enables the attacker to take control of the compromised system in Stage 2.

Stage 2: Planted tool phones home When the RAT is up and running, it phones home by initiating an outbound connection, often embedded within a Secure Sockets Layer (SSL)-encrypted channel, between the compromised system and a command-and-control (CnC) server operated by the attacker. This connection goes undetected by network security devices that aren’t configured to monitor outbound traffic or that aren’t capable of inspecting SSLencrypted communications.

Some attackers prefer to configure CnC callbacks to occur in the middle of the night, when fewer information security personnel are monitoring the network. When the RAT connects to the CnC server, the attacker has full control of the compromised host, just as though she were sitting in front of the keyboard. Typical RATs (such as DarkComet RAT, Back Orifice, and Poison Ivy) enable attackers to do a variety of ill-intentioned things:

✓ Log keystrokes (via a keylogger function) to steal usernames and passwords ✓ Control the mouse and keyboard ✓ Take screen shots ✓ Delete, edit, and rename files ✓ Edit Windows Registry keys These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.

22


✓ Remotely download and install other programs ✓ Record video with a connected webcam ✓ Record sound with a connected microphone ✓ Remotely shut down the system Future instructions from the attacker are conveyed via a CnC server connection to the RAT, or vice versa. Attackers usually prefer the latter method because an external connection initiated by a host within the trusted network is far less suspicious than a connection initiated from the outside.

Stage 3: Attack spreads across network The actual host associated with Stage 1 of the attack rarely contains strategic data, so the attacker must spread laterally through the network in search of hosts operated by IT administrators (in an effort to steal admin credentials) or high-value servers and databases containing sensitive data — the ultimate targets of the advanced attack. An attack that spreads laterally through the network typically doesn’t require malware or tools other than those that are already installed on compromised systems, such as com mand shells, NetBIOS commands, VNC, RDP, and similar tools that network administrators use to service remote hosts. In a common tactic known as pass the hash, credentials from one authenticated session can be used to create sessions to other servers. When the ultimate target of the advanced threat campaign has been identified and the attacker has obtained adequate logon credentials, his hard work and determination begin to pay off.

Stage 4: Compromised data is exfiltrated In this stage of the campaign, the attacker faces three challenging obstacles:



23

✓ Transferring all the target data at the same time (often gigabytes or even terabytes of data) could trigger a flowbased anomaly alert (if NBA technology is used) due to the unusually high volume of traffic initiated by the targeted server or database. ✓ The attacker needs to ensure that the host receiving the data can’t be linked back to her. ✓ Transferring data as plain text could trigger an alert from a data loss prevention (DLP) system. Here’s how an experienced advanced threat actor can overcome all three of these obstacles:

1. To overcome the first obstacle, a savvy attacker exfiltrates data from target systems in chunks — perhaps in increments of 50MB to 100MB at a time.

One approach is to group files or records into compressed, password-protected RAR (Roshal Archive) files. Some RAR files can be parts of multiple-volume sequences, enabling the attacker to split a large quantity of data into volumes. Each file has a name that depicts the number of the volume: part1.rar, part2.rar, part3.rar, and so on. 2. To overcome the more challenging second obstacle — the attacker wants to get the data offsite as soon as possible but can’t risk sending it to a host that can be traced back to her — the attacker might set up a temporary staging area on a virtual host operated by a cloud-based service provider.

The advantage of this method is that the attacker can destroy the virtual host the instant that all the targeted data has been extracted.

3. Finally, the attacker can overcome the third obstacle by encrypting each RAR file before it’s transferred (often via FTP) to the staging host. As most network security devices — including DLP systems — are blind to encrypted traffic, this is a perfect way to exfiltrate data without detection. After the data has been exfiltrated, the attacker either seeks additional target hosts (Stage 3) or decides that the work is done (Stage 5).


24


Debunking APT myths APT is one of the most commonly used terms in the information security industry today, but it’s also one of the most widely misunderstood. Here are three common myths about APTs:

more APTs originate in China than in any other country, APTs have been linked to attackers in Russia, Iran, North Korea, Israel, and even the United States.

✓ Only APTs cause data breaches. Although some of the largest data breaches in recent history were the result of APTs, malicious insiders and good old-fashioned negligence (such as forgetting to change default administrative passwords) are also commonly at fault.

✓ APTs can be effectively addressed by traditional security defenses. Traditional signature-based security products are designed to detect known threats, but APTs often contain unknown threats and zero-day malware to exploit unknown vulnerabilities, which are virtually undetectable by traditional security defenses.

✓ All APTs come from China. Although research indicates that

Stage 5: Attacker covers his tracks After the attacker has exfiltrated all the desired data from the target host (and has determined that no other hosts on the network contain data of value), it’s time for him to get out. Before he does so, however, he needs to cover his tracks so that the attack remains undetected. The following list contains tactics that sophisticated hackers employ to minimize the risk of detection: ✓ Executing highly visible attacks on other parts of the network to distract security analysts and keep them away from compromised systems ✓ Deleting the compressed files after they’ve been extracted from the staging server ✓ Uninstalling malware and RATs at the initial entry point ✓ Deleting the staging server (if it’s hosted in the cloud) or taking it offline (if it’s under the attacker’s control) ✓ Employing antiforensic techniques such as deleting log, event, and audit files, as well as scrubbing file-system slack space to prevent recovery of deleted files These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.


25

Knowing When You’ve Been Compromised Although advanced threats and targeted attacks are painfully difficult to detect, here a few telltale signs to look for in determining whether your organization has been compromised by an advanced cyberattack: ✓ An increase in administrative logons late at night ✓ Outbound connections to known CnC servers ✓ Widespread back-door Trojans on endpoints and/or network file shares ✓ Large flows of data from within the network (from server to server, server to client, client to server, or network to network) ✓ Large chunks of data (gigabytes worth of data) appearing in places where data shouldn’t exist ✓ SSL-encrypted network communications using encryption algorithms and/or digital certificates not commonly used by the organization ✓ Windows Application Event Log entries of antivirus and firewall stop and restart commands

Enterprises and government agencies often fail to identify advanced threats because their network security devices are configured only to inspect ingress (inbound) traffic at the perimeter. Acquiring and/or configuring security devices to inspect egress (outbound) traffic, as well as traffic flowing from within the core (data center), significantly improves your chances of detecting advanced threats. Recovering from a widespread advanced cyberattack is one of the most painful exercises you’ll face in your career. Just determining the scope, root cause, and impact of the attack can drive you insane, much less determining whether the attack is truly over. Fortunately, hope is on the horizon, and it’s the focus of the next chapter.


26


Lessons learned from the RSA Security data breach Although it occurred more than two years ago, the breach of security firm RSA Security in March 2011 is still a textbook example of an advanced cyberattack — literally a textbook example because company officials posted details about the attack on RSA’s corporate blog so that other companies can avoid making the same mistakes. The data breach began with a spear-phishing attack on several employees who presumably were identified through social media sites. Over a two-day period, the attacker sent two small groups of employees an e-mail with the subject line 2011 Recruitment plan.xls and a Microsoft Excel spreadsheet attachment. Although the e-mail was flagged as spam, one employee was fooled into retrieving it from the Junk Mail (spam) folder and then doubleclicking the attached Excel file, which contained a zero-day exploit that used an Adobe Flash vulnerability to install a RAT. When the RAT was in place, it initiated an outbound connection to the attacker’s CnC server, and the attacker gained full control of the user’s desktop. Because the initially compromised PC wasn’t a strategic asset, the attacker moved laterally across the network, compromising additional hosts. He harvested access credentials from the first compromised PC, including credentials to a domain

admin account. Then he performed privileged account escalation on nonadministrative user accounts on other systems. He repeated this process until he stumbled across a highvalue target: a computer operated by an IT server administrator. Soon after, the attacker located multiple highly sensitive servers (allegedly containing top-secret SecurID two-factor authentication algorithms), compromised them, and established access to internal staging servers at key aggregation points to get ready for extraction. Next, the attacker logged into the servers of interest, exfiltrated their data, and moved it to staging servers where the data was compressed and encrypted for extraction. Finally, the attacker used FTP to transfer a series of passwordprotected RAR files from the RSA file server to an outside staging server at a hosting provider. The files were subsequently deleted from the internal and external staging servers to remove any traces of the attack. This cyberattack clearly illustrates the five stages of the advanced threat life cycle, discussed in the “Tracking the Advanced Threat Life Cycle” section. Today, organizations are slowly becoming more comfortable with sharing details of successful cyberattacks in a cooperative effort to combat their damaging effects.


Chapter 3

Fighting Back with Big Data Security Analytics In This Chapter ▶ Understanding Big Data and Big Data Security Analytics ▶ Seeing how Big Data Security Analytics works ▶ Discovering what Big Data Security Analytics can do for you

W

ith advanced threats clearly on the rise, and given that traditional security defenses are ineffective in defending against them, organizations are turning to a new breed of network security defense: Big Data Security Analytics. In this chapter, I define Big Data and Big Data Security Analytics and describe how the latter can help your organization ward off threats.

What Is Big Data? Big Data is all around all of us. To a stockbroker, it’s a sea of annual reports and economic indicators. To an insurance actuary, it’s thousands of insurance claims. And to an information security analyst, it’s every bit and byte that traverses the network. Big Data is one of the hottest, most-talked-about trends in the IT industry, but until recently, it was more theoretical than practical. Technological advances in high-speed data collection, indexing, analysis, and storage, along with advancements in data analytics, give IT a new secret weapon against advanced cyberthreats: Big Data Security Analytics. These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.

28


What Is Big Data Security Analytics? Big Data Security Analytics is a network security solution that aggregates and analyzes Big Data — every single packet, file, and flow that it sees — in order to detect and minimize advanced cyberthreats. Leading Big Data Security Analytics solutions leverage both internal and external Big Data sources.

Internal sources Typical internal sources of Big Data include the following: ✓ All traffic flowing across your network, including web traffic, e-mail, and file transfers and attachments ✓ Network flow records (such as NetFlow, jFlow, sFlow, and IPFIX) from network routers and switches ✓ VM-to-VM (virtual machine to virtual machine) IP traffic on VMware, Xen, and other virtualization platforms ✓ User account directories, such as Microsoft Active Directory and LDAP ✓ Threat intelligence from malware analysis systems (if present), such as Solera Networks (a Blue Coat company), FireEye, and Norman Malware Analyzer

External sources Following are some common external sources of Big Data: ✓ Publicly available cyberthreat and reputation feeds, such as Emerging Threats, Google Safe Browsing, Malware Domain List, SANS ISC, SORBS, and VirusTotal ✓ Commercially available cyberthreat and reputation feeds, such as those from Blue Coat and Bit9 ✓ IP geolocation services, such as Digital Envoy, Geobytes, MaxMind, and Quova ✓ Website intelligence services, such as Blue Coat WebPulse, Domain Tools, and Robtex These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.

Chapter 3: Fighting Back with Big Data Security Analytics

29

How Big Data Security Analytics Solutions Work Big Data Security Analytics solutions constantly aggregate Big Data intelligence and analyze it through a sophisticated data analytics engine equipped with both prebuilt and user-defined rules. These solutions — delivered in software, virtual appliance, and physical appliance form factors — can support the largest enterprises, capturing and indexing data (including packet header and payload, OSI Layers 2–7) at wire speed, providing a complete, forensically sound record of all activity going in and out of the network. Big Data Security Analytics solutions also have built-in tools that perform real-time or back-in-time analysis of files, applications, web traffic, flows, and packets. The appliances must have ample storage capacity because they record and store terabytes of data for days, weeks, or even months.

Key components A full-featured Big Data Security Analytics deployment typically involves the following components: ✓ Physical appliances (see Figure 3-1) with throughput up to 10 Gbps per instance ✓ Virtual appliances that support VMware, Xen, and other virtualization platforms ✓ Big Data Security Analytics software that allows organizations to deploy the solution on their own server-class hardware ✓ A central manager appliance that provides centralized management and data aggregation for organizations that deploy multiple Big Data Security Analytics appliances, servers, or hosts ✓ Storage modules that expand data storage capacity for Big Data Security Analytics hosts in organizations that want to store and analyze data for longer periods ✓ Appliances that decrypt Secure Sockets Layer (SSL)encrypted traffic before storage to detect SSL-encrypted threats (see “Large organizations,” later in this chapter) These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.

30


Figure 3-1: Sample Big Data Security Analytics appliance.

Deployment strategies Before it can capture network data, a Big Data Security Analytics system must be capable of seeing that data.

Small to medium-size organizations If your organization is small to medium-size, providing Big Data Security Analytics capability is simple: Just route traffic from the switches’ SPAN ports directly to the Big Data Security Analytics appliance or server (see Figure 3-2). Then use the central management console to manage your instances while the solution shares intelligence with a variety of third-party, best-of-breed security tools.

Figure 3-2: Typical Big Data Security Analytics deployment architecture. These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.


31

For the rest of this book, I use the term appliance in the generic sense. Keep in mind, however, that Big Data Security Analytics appliances can take the form of physical appliances, virtual appliances, and software.

Large organizations For large enterprises and government agencies, deploying a Big Data Security Analytics solution is a little more involved. Fortunately, high-end network TAPs called network packet brokers (NPBs) enable users to aggregate traffic from multipleswitch SPAN ports (or basic TAPs) and direct that traffic to a single Big Data Security Analytics appliance (or server) at speeds up to 10 Gbps. Organizations that want to extend the period for which data is stored can use expandable storage modules. One piece of the puzzle is missing, however: Advanced threats that leverage SSL to mask exfiltrated data are extremely common. Placing an SSL decryption appliance between the network and your Big Data Security Analytics appliances helps you mitigate those threats.

What Big Data Security Analytics Does When your Big Data Security Analytics system is up and running, it begins to pay dividends immediately. Your organization instantly has a record of every packet, flow, file, and application that traverses the network, which helps you identify and mitigate advanced threats.

Analyzes all your data Many users describe Big Data Security Analytics solutions as being like DVRs for the network. Instead of recording TV shows, however, the Big Data Security Analytics solution records everything going in and out of your network. Like a DVR, when a Big Data Security Analytics appliance runs out of space, it begins to overwrite the oldest data first unless you mark specific data for nondeletion.


32

Advanced Threat Detection For Dummies Data from Big Data Security Analytics appliances is used to reconstruct sessions, discover applications, and analyze potential threats in the central manager console — the central nervous system of your deployment — providing full security visibility, rich threat intelligence, and powerful security analytics to uncover hidden threats (see Chapter 4).

Delivers advanced threat protection No single network security technology can protect an organization from all advanced threats. Such protection requires a concerted effort by people, processes, and technologies, and even then, there are no guarantees. Big Data Security Analytics, however, plays a pivotal role in the cause of advanced threat protection. In Chapter 4, I explore many of the underlying technologies that support this cause. For now, here’s a high-level list of ways that Big Data Security Analytics protects against advanced threats: ✓ Examining suspicious traffic: Leading Big Data Security Analytics systems leverage rules that alert users when they detect suspicious traffic, such as protocols that use nonstandard ports or traffic originating in countries commonly linked to advanced persistent threats (APTs), such as China, Russia, and Iran. ✓ Searching for traffic abnormalities: A good Big Data Security Analytics system can compare traffic on a network at varying points in time to detect abnormalities. A significant boost in FTP traffic from one day to another, for example, could be the result of unauthorized data exfiltration. ✓ Analyzing IP/URL reputation: Sometimes, threats are carried into the office on mobile devices (see Chapter 2). When malware calls out to a command-and-control (CnC) server that’s potentially associated with a botnet or an APT, the Big Data Security Analytics system can compare the destination with a blacklist of known malicious sites and trigger alerts if it finds any matches. ✓ Detecting malware: Better Big Data Security Analytics solutions continuously compute file hashes and maintain a database of known-good and known-bad files. When a known-bad file is detected, that file is quarantined, and These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.


33

IT is alerted. Leading solutions even ship suspicious or unclassified binaries off to an internal or external malware-analysis sandbox (a virtual machine configured to emulate key aspects of the target environment, such as the operating system and application associated with the file in question) to attempt to safely “detonate” the malware and observe its intended effects. ✓ Remediating detected threats: Whether a threat has been uncovered by the Big Data Security Analytics appliance or by some other network security device, it must be remediated before more damage is done. Big Data Security Analytics can help you determine exactly which hosts have been compromised and what, if any, data has been breached so that you know exactly where and how to respond.

Exploring Features Now that you have a grasp of the components of a typical Big Data Security Analytics solution and a frame of reference for how the solution is deployed and how it functions, you’re ready to explore the basic and advanced features of leading Big Data Security Analytics products. For a more comprehensive description of basic and advanced features, ask for a copy of Big Data Security For Dummies, courtesy of Solera Networks (a Blue Coat Company) (www. soleranetworks.com).

Basic features Following are the basic features that you should expect to find in even the most rudimentary Big Data Security Analytics solution: ✓ Customizable dashboard: The dashboard (see Figure 3-3) is the primary interface for monitoring the Big Data Security Analytics system and investigating threats. The dashboard is accessed on individual appliances or as a central management console and can be customized based on the user’s role in the organization.


34


Figure 3-3: Sample Big Data Security Analytics web-based dashboard.

✓ Rules and alerts: Rules and alerts automate the process of discovering and responding to advanced threats. Prebuilt and customizable rules analyze and correlate your Big Data sources, looking for suspicious traffic and network abnormalities. When rules fire, alerts are sent to security analysts via e-mail and/or text messages. ✓ Comprehensive reporting: The reporting feature keeps information security management and compliance auditors informed by logging statistics and security events related to the security posture of the organization. ✓ Basic reputation services: These services use basic community threat intelligence to determine when network traffic is associated with known-bad URLs, IP addresses, and files. (See Chapter 4 for a list of community-based threat intelligence feeds.)

Advanced features The following advanced features are available in leading Big Data Security Analytics offerings: ✓ Geolocation: Geolocation (see Figure 3-4) enables users to view the origin, destination, and flow of network traffic. Users can also identify potentially suspicious traffic involving countries where the organization has no business dealings or countries that are commonly associated with APTs.



35

Figure 3-4: Geolocation view of external traffic sources.

✓ Root-cause exploration: This feature enables analysts to quickly identify sessions or files that caused a security event reported by an intrusion prevention system (IPS), next-generation firewall (NGFW), or other security device. ✓ Content reconstruction: This feature allows analysts to extract and reconstruct original documents (such as Microsoft Word documents and PDFs), image files (such as JPEGs and GIFs), web pages, e-mails, and chat sessions so that they can better identify threats and determine their impact. ✓ Real-time security analytics: Advanced heuristic detection, inferential and exception reporting, and visual data representations enable security analysts to uncover advanced threats in real time. ✓ Third-party integration: Third-party integration enables your Big Data Security Analytics system to share intelligence with your existing network security infrastructure. ✓ Advanced threat intelligence services: These services use best-of-breed threat intelligence sources to determine when network traffic is associated with known-bad URLs, IP addresses, files, and e-mail addresses. (See Chapter 4 for a list of advanced threat intelligence feeds.)


36


Integrating Big Data Security Analytics into Your Network Integrating your Big Data Security Analytics solution into your existing network security infrastructure can yield many benefits, including the following: ✓ Correlating threats with endpoint intelligence (operating systems, applications, and vulnerability status) to assess the effect of high-severity security events ✓ Rapidly determining the extent of damage (if any) related to security breaches ✓ Analyzing suspicious binaries and other file types through sandbox testing ✓ Collecting digital evidence to help law enforcement investigate network breaches In the following sections, I discuss how Big Data Security Analytics can integrate with specific security components.

SIEM integration Security information and event management (SIEM) systems seem to have reached critical mass: Almost every large enterprise and government agency has at least one. These tools are invaluable for aggregating security intelligence from across an organization and analyzing it to uncover threats that might otherwise go undiscovered. A SIEM gains most of its intelligence from log files and events generated by security and network devices. Log data is sufficient for responding to basic known threats, but to investigate advanced threats security analysts must dig much deeper into the source data pertaining to a suspected attack. Some Big Data Security Analytics vendors provide application programming interfaces (APIs) that combine with SIEM vendor APIs for integration directly into the SIEM’s management console. This allows security analysts to access raw packets pertaining to the source and/or destination IP addresses of suspicious traffic without ever leaving the SIEM’s management console — a time-saving feature when time is of the essence. These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.


37

IPS and NGFW integration When an IPS or NGFW generates a high-severity or highimpact intrusion event related to an attack, security analysts should respond quickly to determine whether the attack was successful and, if so, what damage was done. Integrating a Big Data Security Analytics system into an IPS or NGFW saves security analysts valuable time and effort. Integration with these systems is similar to SIEM integration (see the preceding section). Analysts can query the Big Data Security Analytics database for raw packets related to intrusion events right from the IPS or NGFW console.

Advanced malware analysis integration Like Big Data Security Analytics, advanced malware analysis is a relatively new category of network security technology. These solutions identify suspicious files through a series of sophisticated algorithms and then attempt to “detonate” embedded malware in the safety of a sandbox present on a physical appliance, on a customer-supplied server, or in the cloud. Big Data Security Analytics complements advanced malware analysis solutions in two ways: ✓ In many cases, analysts can launch Big Data Security Analytics queries directly from the advanced malware analysis console, just as they can from IPS, NGFW, and SIEM interfaces. ✓ Better Big Data Security Analytics solutions allow analysts to redirect suspicious files to advanced malware analysis appliances (or the cloud) for examination.

Some leading Big Data Security Analytics vendors offer their own advanced malware analysis solutions. Better vendors let organizations choose between on-premises and cloud-based sandbox environments — or a hybrid of the two — depending on the size of the organization, the sensitivity of inspected files, and potential privacy laws such as those imposed by certain European countries.


38


Universal connectors If you’d like to integrate your Big Data Security Analytics solution into the management console of your network security device, but the vendors don’t yet support that type of integration, ask your Big Data Security Analytics vendor whether it offers a universal connector. This connector lays a simple query interface over the webbased GUI of your device’s console. The connection isn’t seamless, but it saves analysts valuable time because they won’t have to switch consoles to launch simple queries.

Online retailer forecasts sunny days ahead A large online retailer based in the United States invested millions of dollars in best-of-breed network and endpoint security defenses, including an advanced malware analysis system designed to detect unknown threats. Every day around lunchtime for two weeks, the malware analysis system triggered alerts related to the same piece of malware. As the system was designed only to detect malware, the security analysts had no way to investigate the source of the attacks. Then the company acquired a Big Data Security SIA solution from Solera Networks (A Blue Coat company — www.soleranetworks.com), which gave them the tools necessary for a thorough forensics investigation. By analyzing network traffic flowing to and from the internal hosts associated with the attacks, the online retailer quickly determined that the

associated users were connecting to a popular local weather website each day during lunch. Analysts further concluded that the malware was being transmitted through malicious code embedded within one of the weather site’s banner ads. The retailer’s director of network security immediately contacted the weather website, which immediately replaced the infected banner ad. By leveraging the powerful forensics capabilities of its new Big Data Security Analytics solution, the online retailer never saw that strain of malware again. The system’s innovative Solera Security Analytics Platform (formerly Solera DeepSee Platform) not only protected the retailer’s own network but also the computers of thousands of local businesses and households that connect to the local weather website each day.


Chapter 4

Exploring Big Data Security Analytics for Advanced Threat Protection In This Chapter ▶ Touring Big Data Security Analytics technologies ▶ Finding malicious files in your network

O

rganizations are rapidly turning to Big Data Security Analytics to complement advanced malware analysis and other security solutions in a coordinated effort to detect and mitigate advanced threats. In this chapter, I dive into Big Data Security Analytics, reviewing some of the underlying technologies so you can gain a feel for how Big Data Security Analytics can help deliver advanced threat protection.

Understanding the Underlying Technologies The best Big Data Security Analytics solutions available today comprise three categories (or themes) of technologies for advanced threat protection: ✓ Full security visibility ✓ Threat intelligence ✓ Security analytics The following sections explore these technologies in detail. These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.

40


Full security visibility At its core, Big Data Security Analytics provides full security visibility around the clock. It’s always on and always watching, like a closed-circuit video surveillance system for your network. This unprecedented visibility enables IT to answer key questions related to advanced threats, such as these: ✓ Are we under attack? ✓ How did the attacker get in? ✓ Where did the attack originate? ✓ Which systems were compromised? ✓ What, if any, data was exfiltrated? ✓ How was the data exfiltrated? ✓ Which users were affected? ✓ Is the attack over? ✓ How can we be certain this attack won’t happen again? In the following sections, I review some of the key technologies that enable full security visibility.

Full packet capture Every good Big Data Security Analytics solution begins with full packet capture, although some rudimentary products offer packet sampling due to limitations in throughput, latency, and/or storage. Many people liken a Big Data Security Analytics solution to a closed-circuit video surveillance system that records video at 30 frames per second. But just imagine a system that records still images once every few seconds. Sure, you save money in the short run by not storing thousands of hours of recorded video, but in the end, the organization you’re protecting is far less secure. Also, by capturing every packet, flow, application, and file that traverses your network, you have the means to uncover exactly what has transpired during a cyberattack so that your organization doesn’t overreact in its response, causing unnecessary expense and embarrassment. (See the nearby sidebar “Rightsizing your advanced threat response” for further discussion.) These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.

Chapter 4: Exploring Big Data Security Analytics

41

Right-sizing your advanced threat response Imagine that you’re the director of network security for a credit-card processing company that oversees millions of transactions daily. Further imagine that your best security analyst just told you she’s certain that your core databases have been compromised by an advanced threat. Without a Big Data Security Analytics system in place, you have no way of knowing the true extent of the damage. You don’t know whether the attacker stole 1,000 credit-card numbers, or 100,000, or even 100 million — and because you don’t know which numbers were stolen, you must assume that all of them were stolen and notify every potentially affected customer.

A Big Data Security Analytics solution (aside from preventing the breach in the first place) would have taken the guesswork out of determining the scope and material impact of the damage. In other words, with a Big Data Security Analytics system in place, you’d know exactly which credit-card numbers were stolen so that you could right-size your company’s response and resolution. Big Data Security Analytics helps you avoid treating a small breach as a huge disaster and allows you to notify only customers that were affected instead of worrying every single one of them.

Deep packet inspection Beyond full packet capture, leading Big Data Security Analytics solutions offer deep packet inspection to identify applications by their vendor-supplied fingerprints (unique characteristics). Such solutions can categorize applications into dozens of families and identify more than 1,000 distinct applications and protocols. For custom applications, users can create their own application fingerprints. Big Data Security Analytics appliances also extract various metadata attributes such as e-mail addresses, website URLs, instant-messaging usernames, search-engine queries, social personas, HTTP servers, flow information, and many more — enabling security analysts to get the context they need to develop a vivid picture of all suspicious activity.

Indexing on Layers 2–7 Big Data Security Analytics classifies, indexes, and stores all network traffic in a high-performance database for quick These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.

42

Advanced Threat Detection For Dummies search and retrieval. Each appliance stores rich, detailed information, including packets, sessions, flows, files, and applications. Depending on the specifications of the appliance, data can be stored for weeks or sometimes months.

Flexible security policies Preferred Big Data Security Analytics systems enable users to configure security policies to help them reduce the network’s attack surface. Users may want to be alerted, for example, when an application uses a nonstandard port, when FTP or SSH transmissions originate from the finance department, or when a BitTorrent application is used anywhere on the network, causing both security and performance concerns.

Session and application reconstructions Effective Big Data Security Analytics solutions enable analysts to view web pages and web-based applications exactly as users originally saw them. Analysts can review instant messages and e-mails (with attachments) in their original forms, which can be particularly useful in investigating the sources of threats.

Physical and virtual security visibility Advanced threats aren’t confined to physical networks. They can just as easily emanate from virtual hosts, especially virtualization platforms that serve up virtual desktops. To maintain complete network visibility, supplement your physical Big Data Security Analytics appliances with virtual ones. Leading vendors commonly support VMware ESX, Citrix XenServer, Microsoft Hyper-V, and KVM.

Threat intelligence Capturing, indexing, storing, and analyzing your network’s Big Data are critical steps in uncovering advanced threats. To be truly successful, however, you need another piece of the Big Data Security Analytics puzzle: threat intelligence. High-quality and dynamic threat intelligence helps take the guesswork out of uncovering advanced threats by identifying malware-infected files, locating botnet-infected hosts, isolating callback communications, and so on.



43

Intelligence cloud When shopping for a Big Data Security Analytics solution, evaluating the capabilities of physical and virtual appliances is important, but it’s equally important to evaluate the threat intelligence each vendor provides. Most vendors offer an intelligence cloud (similar to Blue Coat’s WebPulse) so that physical and virtual appliances are updated throughout the day, every day, with updated threat intelligence, including: ✓ IP, URL, and DNS reputation and categorization feeds ✓ Botnet destinations ✓ Callback destinations ✓ Domain age reporters ✓ Known-good and known-bad file hashes (see “Identifying Advanced Threats within Files,” later in this chapter)

Whitelisting and blacklisting Whitelists and blacklists are lists of items that are approved and rejected, respectively, as they pertain to information security. Sample items may include: ✓ IP addresses ✓ Website URLs ✓ File hashes ✓ Applications ✓ Protocols

Community-based threat intelligence Some Big Data Security Analytics systems incorporate the ability to import community-based threat intelligence into the system. Examples of such intelligence feeds include: ✓ ClamAV ✓ Cuckoo ✓ Google Safe Browsing ✓ Robtex ✓ VirusTotal


44


Advanced threat intelligence In addition to community-based threat intelligence, some Big Data Security Analytics systems also incorporate best-of-breed, advanced threat intelligence services into the system, such as: ✓ Blue Coat’s WebPulse ✓ Bit9 ✓ Team Cymru ✓ Webroot

Security analytics The hardest cyberattacks to detect contain unknown threats targeting unknown vulnerabilities that communicate with unknown (not blacklisted) hosts. Detecting these threats takes a more-concerted effort involving security analytics: the use of charts and graphs to represent data. Following are three ways that security analytics can be used to uncover hidden advanced threats.

Examination of suspicious traffic Vigilant security professionals must be more than just Big Data analysts; they must also be Big Data scientists. In other words, sometimes you need to find answers to questions that you didn’t even think to ask. Suppose that you’re comparing yesterday’s network traffic volume with volume from a week ago. You may notice a significant spike in FTP traffic from a network segment that typically doesn’t use FTP, or you may stumble across a network flow with China that uses a nonstandard port you’ve never seen. To reveal such patterns, your Big Data Security Analytics solution must be equipped with a powerful analytics engine that allows you to depict your Big Data search queries in a variety of tables, charts, and graphs.

Relationship graphing Another method of uncovering hidden threats is relationship graphing. Here, the Big Data Security Analytics user constructs search queries. Instead of displaying the data in tabular format, the solution displays it graphically in relationship maps. These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.


45

If a file stored on an internal file server, for example, turns out to contain botnet-related malware that originated in Russia, you can visually depict other users and hosts that accessed the same file and connected to hosts in Russia.

Review of noncompliant traffic Most enterprises and government agencies have acceptableuse policies (AUPs) for network resources. Enforcement of those rules varies, however. Most organizations don’t even monitor AUP compliance, mainly because they lack the tools to do so — a mistake that can cost them dearly. Big Data Security Analytics solves this challenge by providing tools that allow IT to monitor the network continuously for AUP compliance. If an AUP rule is violated, IT can determine the severity, effect, and source of the violation.

Identifying Advanced Threats within Files As I explain in Chapter 2, many advanced threats involve social engineering attacks that trick users into opening files contaminated with malware. To combat these threats, many Big Data Security Analytics solutions include a threat-profiler function that dynamically identifies and investigates suspicious files. Here’s how it works:

1. Preconfigured security policies detect files of interest within traffic flows, such as executable files from nontrusted web servers, or PDF or JAR files downloaded from domains less than 30 days old.

2. A real-time extractor reconstructs suspicious files in near real time.

3. File hashes are computed so that the file can be compared with blacklists and whitelists. If the file appears on a blacklist, the system generates an alert. If the file appears on a whitelist, no further action is taken.

4. The file is classified by type and passed to an appropriate handler for deeper analysis.

5. The handler generates a confidence score that rates the likelihood of the presence of malware in the file. If the score is below a certain threshold, no further action These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.

46

Advanced Threat Detection For Dummies is taken or the file is placed on a watchlist for future analysis. If the score is above that threshold (the file is likely to be malicious), the system moves to Step 6.

6. The file is submitted to a malware detonator (sandbox) either in the cloud or on the premises. If the file is deemed malicious, an alert is generated, and the file is placed on a blacklist. If the file is deemed benign, it’s placed on a whitelist. When shopping for a Big Data Security Analytics solution, be sure it either provides robust advanced malware analysis capability and/or tightly integrates with best-of-breed sand boxing platforms.

Big Data Security Analytics pays dividends to financial services firm A large multinational financial services firm headquartered in New York City was in the headlines recently for all the wrong reasons: It was victimized by multiple high-profile APTs. The company’s chief information security officer (CISO) was familiar with two sets of network security technologies designed to detect APTs and other unknown cyberthreats: Big Data Security Analytics and advanced malware analysis solutions. He began evaluating the latter first. The company initially purchased a handful of malware analysis appliances and began rolling them out at their primary data center. Not fully realizing the cost and complexity of a hardware-based malware analysis architecture within a multinational corporation, the company began searching for alternative solutions. A trusted member of the CISO’s staff had implemented a Big Data Security Analytics solution from Solera

Networks (a Blue Coat company — www.soleranetworks.com) for a previous employer with great success. Upon learning that Solera now offers both hardware- and cloud-based advanced malware analysis solutions — as part of the Solera Big Data Security Analytics technology — she recommended Solera to her CISO, who in turn initiated an onsite evaluation. Through its built-in file traffic controller capability, the Big Data Security Analytics Platform (formerly Solera DeepSee Platform) can direct suspicious files to both the company’s recently acquired malware analysis appliances and to its own integrated sandbox technology. Since deploying its Solera solution for advanced threat protection, alongside its Blue Coat solution for best-of-breed web security, the company has detected and mitigated hundreds of APTs — and kept itself out of the headlines.


Chapter 5

Advanced Threat Protection Buying Criteria In This Chapter ▶ Knowing what to avoid when evaluating solutions ▶ Creating a checklist of important buying criteria ▶ Understanding what to look for

Y

ou have many things to consider when you evaluate a Big Data Security Analytics solution for advanced threat protection — so many, in fact, that I don’t have enough space in this book to address them all. Before highlighting the buying criteria that I feel are most important, I’d like to point out the product characteristics that you should avoid like the plague: ✓ Solutions that only sample network packets due to hardware constraints in processing power and/or storage capacity ✓ Physical appliances that can’t keep pace with today’s increasing network speeds ✓ Solutions that fail to provide or integrate with advanced malware analysis (sandbox) solutions ✓ Products that lack comprehensive threat intelligence updated continuously via the cloud ✓ Offerings that fail to provide insight into VM-to-VM (virtual machine to virtual machine) traffic within virtualization platforms ✓ Solutions with little-to-no vendor-supported integration into your existing security infrastructure and ecosystem These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.

48

Advanced Threat Detection For Dummies Now that you know what to avoid, read on to find out what attributes you should look for when evaluating Big Data Security Analytics offerings.

Full Packet Capture

If you’re serious about advanced threat protection, you must acquire a Big Data Security Analytics solution that offers full packet capture. If you purchase a product that merely samples packets, you’ll have an incomplete picture of the presence of advanced threats on your network. Also, you certainly won’t be able to take advantage of collaborating with advanced malware analysis (sandbox) platforms, as you won’t have fully reconstructed suspicious files to redirect to them.

Multivector Threat Detection and Correlation Unfortunately, not all cyberthreats penetrate your network through the perimeter. Some threats arrive via employeeowned mobile devices and portable media (see Chapter 2). Even the unknown threats that bypass your perimeter defenses don’t stick to one medium. Some take the form of e-mail attachments; others are embedded in files that users download from the Internet. This complexity means that it’s important to select a multivector solution that can process traffic feeds from all parts of the network and correlate them against rich threat intelligence as part of the Big Data Security Analytics platform. Advanced threats often communicate within Secure Sockets Layer (SSL)-encrypted channels, especially when they’re calling back to the attacker’s server and exfiltrating stolen data. Leading Big Data Security Analytics vendors offer, or integrate with, stand-alone SSL decryption appliances (see Figure 5-1) that decrypt SSL traffic before it’s stored on the Big Data Security Analytics appliances.


Chapter 5: Advanced Threat Protection Buying Criteria

49

Figure 5-1: Blue Coat’s SSL Visibility Appliance.

Virtual Platform Visibility If you’re not capturing VM-to-VM traffic, you’re missing a wealth of Big Data and potentially missing advanced threats. To remedy this problem, preferred Big Data Security Analytics vendors offer virtual appliances for popular virtualization platforms, including VMware ESX, Citrix XenServer, Microsoft Hyper-V, and KVM. Virtual appliances offer features identical to those of their physical counterparts and are limited only by the processing power, memory, and disk space allocated to the hosting virtual machine. Data captured by virtual appliances is accessible through the central manager console, so security analysts can query data from both physical and virtual networks from one central location.

Comprehensive Threat Intelligence A successful Big Data Security Analytics solution for advanced threat protection not only needs to capture packets at the speed of your network but also must include comprehensive, reliable threat intelligence to help users uncover advanced threats. (See Chapter 4 for lists of community and advanced threat intelligence feeds.) Better Big Data Security Analytics providers incorporate a threat-detection engine within their solutions to enable automatic blacklisting (alerting) of traffic associated with knownbad IP addresses, URLs, and files. Even if you have an advanced


50

Advanced Threat Detection For Dummies malware analysis solution defending your perimeter, threats are sometimes hand carried right through the office door. Vendor-supplied threat intelligence typically is distributed via the cloud as regular updates throughout the day. When you evaluate Big Data Security Analytics providers for advanced threat protection, be sure to inquire about their threat intelligence, including their sources (both private and public) and the frequency of updates.

File-Based Malware Detection Advanced malware embedded in files is the leading cause of APT incursions. Unsuspecting users open e-mail attachments or click hyperlinks embedded in spear-phishing e-mails, often out of sheer curiosity, opening up the network to a variety of advanced threats. Some vendors offer a threat-profiler capability to detect the presence of advanced malware in files. These solutions generate hashes (fingerprints) for suspicious files, compare them with blacklists and whitelists, and integrate with sandbox technologies for deeper threat analysis. (For details on this feature, see Chapter 4.) If you choose a Big Data Security Analytics provider for advanced threat protection that doesn’t offer a solution for mitigating advanced threats embedded in files, you may be opening your network to advanced cyberattacks. Even the best signature-based security solutions are helpless when it comes to detecting unknown threats and malware that target unknown, zero-day vulnerabilities. Files with such embedded threats sail through traditional perimeter defenses as though they weren’t even there.

Support for Continuous Monitoring Networks and systems never stop changing. Cyberthreats never stop changing either. With your network constantly in flux, selecting an advanced threat protection solution that supports continuous monitoring is critical.



51

All enterprises and government agencies must stay vigilant against APTs and other advanced threats. Big Data Security Analytics plays an important role in an effective continuous monitoring strategy by offering the following services: ✓ Around-the-clock quantitative surveillance and inspection of all network activity and traffic to uncover hidden threats ✓ Timely, targeted, prioritized information that allows security decision-makers to identify and fix critical security events ✓ Risk mitigation for virtualization, cloud computing, transient mobile devices, and noncompliance with internal acceptable-use policies The 2010 Federal Information Security Management Act, commonly referred to as FISMA 2.0, requires continuous monitoring of information systems as part of each federal agency’s security program. Big Data Security Analytics solutions play an important role in an effective continuous monitoring strategy (see the nearby sidebar). Be sure to select a solution that can keep up with the speed of your network while performing full packet capture within both physical and virtual network environments.

The origin of continuous monitoring The U.S. National Institute of Standards and Technology (NIST) introduced the term continuous monitoring in NIST Special Publication 800-37, Revision 1, published in February 2010. At the time, the term was associated primarily with vulnerability management and security configuration management controls, rather than advanced threat protection. Since then, federal agencies have realized the benefits that continuous monitoring brings to the cause of detecting and mitigating advanced threats.

Although continuous monitoring, as defined by NIST, pertains to U.S. federal agency networks, the spirit of continuous monitoring has caught on throughout commercial IT organizations as well. To find out more about NIST’s view of the role of continuous monitoring, download NIST Special Publication 800-37 at http://csrc.nist. gov/publications/nist pubs/800-137/SP800-137Final.pdf.


52


Extensive Third-Party Integration Security products need to work together to share intelligence in the common cause of cyberthreat defense. That concept is an important criterion for evaluating a solution for advanced threat protection. When a Big Data Security Analytics solution integrates directly into the management console of network security devices — or at least into the web browser used to connect to these consoles — security analysts save significant time and effort in investigating advanced threats. Also, by integrating with internal and/or external advanced malware analysis (sandbox) solutions, your Big Data Security Analytics solution can help identify suspicious files so that analysts can determine whether advanced malware is present. (For details on sandboxing and the role of Big Data Security Analytics, see Chapter 3.) If you find a so-called Big Data Security Analytics solution that offers no integration with your network security infrastructure, stay away. It’s clearly not ready for prime time and doesn’t provide effective advanced threat protection.

Enterprise Performance, Scalability, and Reliability For effective advanced threat protection, you need security appliances that can keep pace with today’s network speeds and high storage capacities to deliver full security visibility. If your Big Data Security Analytics appliances can’t keep up with the speed of your network, rip them out and replace them. Otherwise, you’re effectively housing a bunch of rackmounted paperweights in your network’s data center. Leading Big Data Security Analytics vendors offer purposebuilt appliances that can capture all packets, files, and flows at speeds up to 10 Gbps and store 100TB of data or more on a single appliance. These appliances are reliable, too, featuring dual, hot-pluggable, redundant power supplies and RAID 5 storage for added fault tolerance. These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.


Ease of Use An information security product may have every feature that you could want, but if it’s too difficult to use, you might as well throw it away. The same is true of Big Data Security Analytics products for advanced threat protection. When you’ve drawn up your short list of vendors, put their products to the test. Specifically, evaluate how easy it is to perform everyday tasks such as these: ✓ Monitoring the dashboard for security alerts ✓ Generating canned and custom reports to satisfy the needs of IT management and external security auditors (see Figure 5-2) ✓ Customizing packet queries based on IP address, date, and time ✓ Creating sample security policies that correspond to your network’s acceptable-use policy

Figure 5-2: Sample Big Data Security Analytics report charts.

Also, inspect the quality of each product’s documentation. Administrator guides always come in handy, regardless of how easy a product is to use.


53

54


Responsive Customer Support An often-overlooked buying criterion is the quality of each vendor’s customer support. You can actually evaluate the quality of a vendor’s support offerings before you’ve purchased its products. Unless a vendor refuses to take your call or respond to your e-mails during the evaluation phase (which should raise a red flag anyway), evaluating the responsiveness, technical accuracy, and professionalism of a customer-support organization is both possible and necessary. Even if you’re not experiencing technical difficulties during the evaluation phase, make up a few reasons to contact each vendor’s support department. Ask for help generating a report, find out the best way to investigate an alert, or seek advice on creating security policies that correspond to your acceptable-use policies.

Don’t ask all your questions at the same time, and ask them via phone and e-mail on different days to address different issues so you can see how well they respond to each approach. By the time you finish asking your questions, you’ll have a pretty good idea of the level of service provided by each vendor’s customer-support department, which should have a significant effect on your vendor selection process.


Chapter 6

Ten Best Practices for Advanced Threat Protection In This Chapter ▶ Figuring out where and how to get started ▶ Taking advantage of your vendor’s Big Data Security Analytics expertise ▶ Getting the most out of your investment

W

hen you’ve narrowed down your vendor short list and made your selection, it’s time to start implementing your Big Data Security Analytics solution as part of a comprehensive advanced threat protection strategy. But where do you begin? This chapter provides ten best practices that can really help.

Leverage Your Vendor’s Expertise Although Big Data Security Analytics hasn’t been around nearly as long as firewalls and intrusion prevention systems have, it’s been around plenty long enough for vendors to know the right ways and the wrong ways to implement it for advanced threat protection. A great place to start is to ask the vendor’s consulting team to make sure that your Big Data Security Analytics solution is installed and configured properly so that you can start detecting advanced threats from day one. Your vendor (or your reseller, if it’s experienced enough) can help you with important tasks such as these:


56


✓ Selecting the optimal number and type of physical and/or virtual appliances ✓ Determining where to install your appliances to capture the most important traffic ✓ Using network TAPs and network packet brokers (NPBs) to aggregate traffic from multiple network segments and direct it to your Big Data Security Analytics appliances ✓ Configuring reports that satisfy IT management and the demands of external security auditors ✓ Leveraging reputation-based blacklists to alert upon identification of traffic associated with known-bad IP addresses, known-bad URLs, or malware-infected files ✓ Configuring your Big Data Security Analytics system to automatically ship suspicious files off to internal and/or external advanced malware analysis (sandboxing) systems ✓ Establishing whitelists so that files known to be free from malware are cleared from advanced malware analysis ✓ Constructing security policies that help IT monitor and enforce your organization’s acceptable-use policies ✓ Ensuring that your Big Data Security Analytics appliances don’t miss hidden threats embedded within Secure Sockets Layer (SSL)-encrypted communications ✓ Showing you how to identify network anomalies that may lead to advanced threats ✓ Showing you how to investigate the cause and effects of a reported cyberattack, discover the extent of damage, and determine whether the attack is still underway ✓ Preserving digital evidence that law enforcement can use to prosecute cybercriminals ✓ Integrating your Big Data Security Analytics solution into your existing security ecosystem for comprehensive advanced threat protection — from enforcement, to assurance, and to remediation Yes, vendors are absolutely motivated by profit, but in my experience, their professional services consultants are not. These consultants are highly motivated, well educated, and fully capable of maximizing your Big Data Security Analytics investment to perform advanced threat protection tasks that you never knew were possible. These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.

Chapter 6: Ten Best Practices for Advanced Threat Protection

57

Achieve 20/20 Security Visibility Some people have compared installing a Big Data Security Analytics appliance on a network to wearing prescription eyeglasses for the first time. Before, your sight was blurry; now you have 20/20 vision. Here are a few tips that can help you achieve perfect security visibility across all of your network segments, physical and virtual:

✓ Use network packet broker devices (high-end network TAPs) to aggregate traffic from multiple-switch SPAN ports into a single Big Data Security Analytics appliance (or a group of load-balanced appliances). This technique broadens visibility and also saves money in the long run because you don’t have to purchase more Big Data Security Analytics appliances when you run out of available network interfaces.

✓ Acquire one or more stand-alone SSL appliances to decrypt SSL traffic before the data is stored by your Big Data Security Analytics appliances. This method ensures that you won’t miss advanced threats embedded in encrypted SSL communications. ✓ Install Big Data Security Analytics virtual appliances not only to view traffic between virtual machines but also to facilitate rapid deployment to smaller branch offices. ✓ Leverage the threat intelligence provided by your Big Data Security Analytics provider. Enable blacklists to flag traffic associated with known-bad IP addresses, knownbad URLs, and malicious files. Without automated threat intelligence and a threat-profiling engine to leverage it, searching for advanced threats is like trying to find a needle in a haystack. ✓ If your Big Data Security Analytics system has only enough capacity to store network data for a few days, acquire additional storage modules so that you can retain data for weeks or months before it’s overwritten. If it’s configured properly, a Big Data Security Analytics system can provide unprecedented visibility into advanced threats, unknown malware, and targeted attacks. Simply put, you’ll see things that you never could see before. These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.

58


Understand That CRIME Pays When your Big Data Security Analytics system is up and running, and you’ve achieved complete 20/20 security visibility, a nifty acronym — CRIME — can help you remember the five steps of advanced threat protection: ✓ Context: If you don’t know what you’re protecting, how do you stand a chance of protecting it? Big Data Security Analytics provides the context you need so that you can turn complexity into actionable insight, configure your network security defenses properly, and reduce your network’s surface area of attack. ✓ Root cause: When your network security device triggers an alert, you must respond quickly to verify the source of the associated attack. ✓ Impact: After determining the root cause, you need to gauge the material impact of the attack so that you can assign IT security resources appropriately and begin to answer critical post-attack questions. If a Windowsbased exploit targets a Linux host, for example, there’s no real cause for alarm. But if that same exploit targets a Windows host and the associated vulnerability hasn’t yet been patched (or is unknown), the damage could be severe, requiring immediate attention. ✓ Mitigation: When a threat has been designated as critical, you must mitigate it immediately by configuring host and/or network security settings to stop the attack and ensure that it never occurs again. This process may be as simple as patching the target system (and other systems like it) or shutting down a port on the firewall. ✓ Eradication: When the attacker’s path has been shut down for good, the final step is eradicating the threat by determining whether any other hosts have been compromised and, if so, to what extent. You may find malware on a host victimized by a phishing attack, for example, but if the attack took place two weeks ago, the attack may very well have spread laterally.

Determining which additional hosts have been compromised is a painstaking goal, but it’s one that you can — and must — achieve through the proper use of your Big Data Security Analytics system.



59

Discover Your Application Landscape The more applications you have running on your network, the higher the likelihood that you’ll be victimized by an advanced threat because many applications contain vulnerabilities that attackers can exploit remotely. To reduce your network’s surface area of attack, know what applications are running on your network — whether or not they’re approved for use on the network. I call this process knowing your application landscape. When you know what applications are running, you’re better equipped to configure your network security defenses to defend against corresponding vulnerabilities. Then, when you see an unusual application that has no business being there, you may identify an attack that’s already in progress. Applications are sometimes configured to use nonstandard ports that may already be open on your firewall. It’s important to use your Big Data Security Analytics solution to discover and identify unauthorized applications and close any gaps that could be used by advanced threats. Leading Big Data Security Analytics solutions have the capability to discover thousands of applications and protocols so that you can make sure that only trusted applications are running in your network.

Engage Your CSIRT Team These days, savvy security analysts know that it’s no longer a question of whether your network will be victimized by an advanced threat; it’s a question of when. Although you certainly hope for the best, always plan for the worst. Part of the planning process is knowing how to respond when an advanced threat is detected. Large enterprises and government agencies commonly employ a computer security incident response team (CSIRT) that can be called at a moment’s notice to investigate potential cyberthreats.


60

Advanced Threat Detection For Dummies Comprehensive and efficient incident response is a tenet of Big Data Security Analytics solutions. As such, sophisticated incident responders and security analysts rely on Big Data Security Analytics for quick and thorough resolution of security incidents. Make sure that each member of the CSIRT team has been thoroughly trained in all the capabilities of your Big Data Security Analytics solution because when they’re responding to an advanced threat, time is of the essence.

Plan for Performance and Scalability Selecting the right Big Data Security Analytics solution for advanced threat protection means ensuring that the solution meets your performance and scalability needs. Performance relates to the system’s capability to capture, record, and index packets at the speed of your network and to display data quickly and accurately in dashboards, reports, and search queries. Scalability relates to the system’s capability to aggregate and record traffic from all physical and virtual network segments (or at least the segments you most want to monitor) and then make that data accessible for a certain period, depending on your requirements. Most Big Data Security Analytics users design their systems to store network data for one month, but additional storage can make data accessible for two or three months, or even more.

Automate Discovery of File-Embedded Threats As I discuss throughout this book, most APTs involve advanced malware embedded in files to exploit vulnerabilities in operating systems and applications. To mitigate these threats, select a Big Data Security Analytics solution that includes malware detonation (sandbox) technology or at least can integrate These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.


61

directly with third-party solutions. This technique (see Chapter 5) is an effective way to uncover advanced threats embedded in files that don’t appear in your Big Data Security Analytics system’s whitelists or blacklists. Even if you’ve purchased a stand-alone sandboxing solution for detecting advanced threats, it may not be designed to detect threats embedded in files on mobile computing devices or USB thumb drives carried into the office by unsuspecting employees. If you combine this solution with a compatible Big Data Security Analytics system — using the export facility in your Big Data Security Analytics solution to automatically send suspicious files to your sandboxing solution — you’ll have far more success in detecting advanced threats.

Constantly Monitor Anomalies Information security analysts can be divided into two types: those who lean back and those who lean forward. Those who lean back are simply waiting for security alerts to pop up on the dashboard so that they can respond to them. Those who lean forward are actively looking for suspicious traffic and network anomalies, such as FTP use on a restricted network segment, a deluge of inbound connection requests from another country, or a major spike in outbound traffic from a sensitive database in the middle of the night. Every IT organization has plenty of lean-back users who are waiting for blinking red lights to appear on their screens. There is a difference between no sign of infection and a sign of no infection. The former represents a lean-back approach, and the latter represents a lean-forward approach. Be sure to cultivate a few lean-forward Big Data Security Analytics users who know how to look for network anomalies and other advanced threat indicators because they may save your bacon one day.

Strengthen Your Infrastructure A good Big Data Security Analytics solution fights advanced threats and also strengthens your existing network security infrastructure by simplifying the process of investigating


62

Advanced Threat Detection For Dummies security alerts from IPS, secure e-mail and web gateways, and next-generation firewall (NGFW) devices. By leveraging application programming interfaces from both your Big Data Security Analytics vendor and your securitydevice vendors, you can instantly query traffic captured by your Big Data Security Analytics appliances right from your other vendors’ management consoles — reducing query time from several minutes to just a few seconds by zooming directly into the data set of an event without trying to comb through or stitch together disparate data. This time savings may not seem like much, but security analysts investigate hundreds of cyberattacks on a daily basis, so it adds up quickly. Integration also helps security analysts respond to high-priority cyberthreats much faster when time is of the essence. For a quick review of how Big Data Security Analytics integrates with network security products, flip back to Chapter 4.

Train for Success It doesn’t take a degree in rocket science to learn how to use a Big Data Security Analytics system for comprehensive and effective advanced threat protection. However, better offerings incorporate several methods for detecting advanced threats, and they often provide the means to integrate with your existing security infrastructure to save time and improve your network’s security posture. To ensure that you’re getting the most value from your investment, it’s wise to have your Big Data Security Analytics vendor deliver formal, hands-on training, either on site at your location or in a classroom environment, to teach your staff how to use the system for effective advanced threat protection. Knowledge is power. The more you know, the better chance you have of staying ahead of your cyberadversaries. After all, it’s getting rough out there.


Glossary advanced persistent threat (APT): A sophisticated cyberattack that employs advanced stealth techniques to remain undetected for extended periods. APTs usually target governments or commercial entities for the purposes of espionage or long-term reconnaissance. advanced targeted attack (ATA): See advanced persistent threat. advanced threat: An unknown cyberthreat that is difficult or impossible for traditional security tools to detect. They often target unknown OS and application vulnerabilities. adware: Software unknowingly installed by users that automatically displays advertisements to generate revenue for its author. baiting: A social-engineering attack in which physical media containing malware is deliberately left in proximity to a targeted organization’s facilities, where it may be found and later accessed by curious victims. basic threat: A known cyberthreat that traditional security tools can easily detect. Big Data: A collection of data sets so large and complex that it becomes awkward to work with in traditional database management and analysis tools. Big Data Security Analytics: A system that captures and stores an organization’s Big Data sources relevant to information security for the purposes of uncovering cyberthreats by interpreting data displayed within tables, charts, and graphs. blended threat: A cyberattack that employs multiple attack vectors and multiple types of malware to increase the severity of damage and the speed of contagion. bot: An infected computer controlled by a remote server for the purpose of disrupting other computers or stealing data. See also botnet and command-and-control (CnC) server. These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.

64

Advanced Threat Detection For Dummies botnet: A network of Internet-connected computers with breached security defenses that a malicious third party may control. See also bot. buffer overflow: A cyberthreat that exploits a vulnerability in an application in a specific way. The hacker intentionally overruns the buffer’s boundary, causing the application to pass undesirable commands directly to the operating system. command-and-control (CnC) server: A computer operated by an attacker to control distributed malware via the Internet. The attacker’s purpose is to use the CnC server to send commands to compromised computers. cybercriminal: An attacker who hacks for profit rather than political gain. denial of service (DoS) attack: A cyberthreat intended to disrupt or disable a targeted host by flooding it with benign communication requests from a single host. file hash: The result of an algorithm that maps large files of variable length to smaller data sets (sometimes called fingerprints) of a fixed length for the purpose of rapid file identification. hacktivist: A hacker who uses computers and computer networks as a means to protest and/or promote political ends. keylogger: A program that records the keystrokes on a computer, often without the user’s knowledge. Keyloggers are useful for stealing usernames and passwords. malnet: A distributed malware network comprised of unique domains, servers, and websites maintained by cybercriminals to launch a variety of cyberattacks against Internet users over extended periods of time. malware: Malicious software (such as a computer virus, worm, or Trojan) created to disrupt computer operations, gather sensitive information, or gain access to private computer systems. See also spyware, Trojan, and worm. phishing: An attempt to acquire personal information (such as usernames, passwords, and credit-card details) by masquerading as a trustworthy entity. See also spear phishing and whaling. These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.

Glossary

65

polymorphic threat: Malware that modifies its own code, making it more difficult for some signature-based antimalware programs to detect. remote administration tool (RAT): A program that allows a remote operator to control a system as though she had physical access to it. RATs are commonly used in APT attacks. sandboxing: A process that attempts to detonate suspected malware in the safety of a virtual machine. spear phishing: A phishing attempt directed toward a specific organization or person(s) within that organization. See also phishing and whaling. spyware: A type of malware that collects information about users, with or without their knowledge. SQL injection: A technique used to attack databases through a website or web-based application. Portions of SQL statements are included in a web form in an attempt to get the website (or web application) to pass a newly formed rogue SQL command to the database. state-sponsored threat: A threat in which attackers are employed by a nation-state (such as China) to commit espionage against government and commercial entities for political gain. Trojan: A type of malware that masquerades as a legitimate file or helpful application with the ultimate purpose of granting a hacker unauthorized access to a computer. whaling: An attack directed to senior executives and other high-profile targets within businesses. See also phishing and spear phishing. worm: A form of malware that exploits vulnerabilities in operating-system or network protocols to propagate copies of itself on other computers connected to the same network or to USB mass-storage devices connected to the infected PC. zero-day threat: A cyberattack on an unknown operatingsystem or application vulnerability. The attack occurs on day zero of awareness of the vulnerability, when neither a patch nor a threat-detection signature exists.



