Advanced Threat Protection For Dummies®, Blue Coat Systems

These materials are the copyright of John Wiley & Sons, Inc. and any
dissemination, distribution, or unauthorized use is strictly prohibited.
Advanced Threat Protection
Blue Coat Systems Special Edition
by Steve Piper, CISSP
Advanced Threat Protection For Dummies®, Blue Coat Systems Special Edition
Published by
John Wiley & Sons, Inc.
111 River St.
Hoboken, NJ 07030-5774
www.wiley.com
Copyright © 2013 by John Wiley & Sons, Inc., Hoboken, New Jersey
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any
form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise,
except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the
prior written permission of the Publisher. Requests to the Publisher for permission should be
addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ
07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com, Making
Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley &
Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without
written permission. Blue Coat Systems and the Blue Coat logo are trademarks or registered trademarks of Blue Coat Systems, Inc. All other trademarks are the property of their respective owners.
John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE
NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES,
INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE.
NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS.
THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT
ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL
PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE
FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS
REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER
INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE
INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT
MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN
THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.
For general information on our other products and services, or how to create a custom For
Dummies book for your business or organization, please contact our Business Development
Department in the U.S. at 877-409-4177, contact [email protected], or visit www.wiley.com/
go/custompub. For information about licensing the For Dummies brand for products or services,
contact BrandedRights&[email protected].
ISBN 978-1-118-65876-5 (pbk); ISBN 978-1-118-66056-0 (ebk)
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
Publisher’s Acknowledgments
We’re proud of this book and of the people who worked on it. For details on how to
create a custom For Dummies book for your business or organization, contact info@
dummies.biz or visit www.wiley.com/go/custompub. For details on licensing the For
Dummies brand for products or services, contact BrandedRights&[email protected].
Some of the people who helped bring this book to market include the following:
Acquisitions, Editorial, and
Vertical Websites
Development Editor: Kathy Simpson
Project Editor: Jennifer Bingham
Acquisitions Editor: Amy Fandrei
Editorial Manager: Rev Mengle
Business Development Representative:
Kimberley Schumacker
Custom Publishing Project Specialist:
Michael Sullivan
Composition Services
Senior Project Coordinator: Kristie Rees
Layout and Graphics: Melanee Habig
Proofreader: Susan Moritz
Special help from Blue Coat Systems:
John Vecchi, Ajay Uggirala, Alan Hall,
Armen Sargsyan, Joe Levy
Publishing and Editorial for Technology Dummies
Richard Swadley, Vice President and Executive Group Publisher
Andy Cummings, Vice President and Publisher
Mary Bednarek, Executive Director, Acquisitions
Mary C. Corder, Editorial Director
Publishing and Editorial for Consumer Dummies
Kathleen Nebenhaus, Vice President and Executive Publisher
Composition Services
Debbie Stailey, Director of Composition Services
Business Development
Lisa Coleman, Director, New Market and Brand Development
Table of Contents

Introduction
    How This Book Is Organized
    Icons Used in This Book
Chapter 1: Surveying a World of Advanced Threats
    Contrasting Basic and Advanced Threats
    Basic Threats: Oldies but Baddies
    Advanced Threats: Emerging Dangers
    Know Thy Enemy
    The Price of Failure
Chapter 2: Exploring Advanced Threats
    Viewing the Evolving Threat Landscape
    Seeing Why Security Sometimes Fails
    Tracking the Advanced Threat Life Cycle
    Knowing When You’ve Been Compromised
Chapter 3: Fighting Back with Big Data Security Analytics
    What Is Big Data?
    What Is Big Data Security Analytics?
    How Big Data Security Analytics Solutions Work
    What Big Data Security Analytics Does
    Exploring Features
    Integrating Big Data Security Analytics into Your Network
Chapter 4: Exploring Big Data Security Analytics for Advanced Threat Protection
    Understanding the Underlying Technologies
    Identifying Advanced Threats within Files
Chapter 5: Advanced Threat Protection Buying Criteria
    Full Packet Capture
    Multivector Threat Detection and Correlation
    Virtual Platform Visibility
    Comprehensive Threat Intelligence
    File-Based Malware Detection
    Support for Continuous Monitoring
    Extensive Third-Party Integration
    Enterprise Performance, Scalability, and Reliability
    Ease of Use
    Responsive Customer Support
Chapter 6: Ten Best Practices for Advanced Threat Protection
    Leverage Your Vendor’s Expertise
    Achieve 20/20 Security Visibility
    Understand That CRIME Pays
    Discover Your Application Landscape
    Engage Your CSIRT Team
    Plan for Performance and Scalability
    Automate Discovery of File-Embedded Threats
    Constantly Monitor Anomalies
    Strengthen Your Infrastructure
    Train for Success
Glossary
Introduction
Turn on any nationally televised news channel and watch it for a few hours. Odds are that you’ll hear about at least one major cyberattack that occurred in the previous 48 hours. Frankly, I can’t think of the last full day when I didn’t hear about some big data breach, which certainly wasn’t the case three years ago.
Cyberattacks have become an international crisis, targeting and affecting every developed nation. Despite spending billions every year on security products, organizations around the world are losing the battle against a new generation of cyberattacks, with advanced persistent threats, or APTs, leading the charge.
The bad news is that this crisis is only going to get worse
unless IT organizations start thinking and acting differently.
The good news is that many security-savvy enterprises and
government agencies are doing just that, thanks to a new
weapon in the fight against advanced threats and targeted
attacks called Big Data Security Analytics.
If you’re tired of fighting a losing battle against advanced
threats, you’ve exhausted your options with traditional,
signature-based solutions, or you simply want to make sure
your organization isn’t mentioned next on the evening news,
this book is for you.
How This Book Is Organized
I’ve organized this book so that you don’t have to read it cover to cover, front to back. You can skip around and read just the chapters that interest you. Here’s what you’ll find inside:
✓ Chapter 1, “Surveying a World of Advanced Threats,” distinguishes between basic and advanced threats, reviews the costs of enterprise data breaches, and identifies three types of cyberenemies.
✓ Chapter 2, “Exploring Advanced Threats,” reviews factors that contribute to the rise in advanced threats, shows why traditional security products sometimes fail, and outlines the five stages of the advanced-threat life cycle.
✓ In Chapter 3, “Fighting Back with Big Data Security Analytics,” I describe this innovative technology for mitigating advanced threats and explore how Big Data Security Analytics solutions operate and integrate with your existing network security infrastructure.
✓ Chapter 4, “Exploring Big Data Security Analytics for Advanced Threat Protection,” covers the underlying technologies that make Big Data Security Analytics work in the context of advanced threat protection, including the process of detecting malware-infected files.
✓ In Chapter 5, “Advanced Threat Protection Buying Criteria,” I describe exactly what to look for, and what to avoid, when evaluating security solutions as part of a comprehensive advanced threat protection framework.
✓ In Chapter 6, “Ten Best Practices for Advanced Threat Protection,” I give you some advice on how to get the most out of your advanced threat protection investment.
✓ Finally, the Glossary defines some important terms that I use throughout the book.
Icons Used in This Book
This book uses the following icons to indicate special content.
You won’t want to forget the information in these paragraphs.
A Tip icon points out practical advice that can help you craft
a better strategy, whether you’re planning a purchase or setting up your software.
Look out! When you see this icon, it’s time to pay attention.
You’ll find cautionary information that you won’t want to miss.
Maybe you’re one of those highly detailed people who really
needs to grasp all the nuts and bolts, even the most techie
parts. If so, these tidbits are right up your alley.
Chapter 1
Surveying a World of
Advanced Threats
In This Chapter
▶Distinguishing between basic and advanced threats
▶Recognizing three types of cyberenemies
▶Counting the cost of data breaches
It’s getting rough out there.
I’m not kidding. In more than two decades of observing
the effects of enterprise and government data breaches, I’ve
never seen anything like today’s threat landscape. The sheer
number of recent high-profile cyberattacks is staggering.
The bad guys clearly have the upper hand, and it seems like
there’s nothing that any of us can do about it.
Given the efficacy of modern-day threats, today’s information security professionals are judged not only on how
well they can block known threats but also on how quickly
they can uncover, identify, and mitigate unknown threats.
Unfortunately, too many security professionals lack the tools
and training needed to stay ahead in this cyberarms race.
In this chapter, I distinguish between basic and advanced
cyberthreats while exploring common variations of advanced
threats along the way. I also cite recent data-breach statistics,
describe three types of cyberenemies, and review high-profile
commercial and government cyberattacks that recently made
international headlines.
But first, allow me to clarify the differences between basic and
advanced threats.
Contrasting Basic and
Advanced Threats
The following are key characteristics of basic and advanced cyberthreats:
✓ Basic threats are known threats against known operating system (OS) or application-level vulnerabilities. They are commonly detected by traditional signature-based network- and endpoint-security defenses, including intrusion prevention systems (IPSs), secure web and e-mail gateways, and antivirus platforms.
✓ Advanced threats are unknown threats against unknown OS or application-level vulnerabilities. They can’t be detected by traditional signature-based defenses.
Better network security devices can detect unknown threats
(or new variants of known threats) that target known vulnerabilities, but I still classify those threats as basic.
Obviously, as the name suggests, advanced threats are far
more difficult to detect. Traditional security defenses that rely
on pattern-matching signatures for detection are useless for
detecting advanced threats. Don’t get me wrong — traditional
defenses such as firewalls, IPSs, and secure web and e-mail
gateways are your front line in a defense-in-depth (layers of
security defenses) strategy. But you can’t rely on these technologies exclusively for detecting today’s advanced threats.
(Jump to Chapter 2 to find out why.)
Before delving into some of the advanced threats that endanger today’s organizations, take a few minutes to reacquaint
yourself with some basic threats that have been around for
years.
Basic Threats: Oldies but Baddies
The basic cyberattacks described in this section generally don’t pose huge threats to enterprises and government agencies because they’re largely mitigated by traditional network and endpoint security solutions. If you fail to take them seriously, however, any of them could be your downfall.
Worms, Trojans, and viruses
A computer worm is malware that exploits vulnerabilities in a computer’s OS or network services (historically, most often Microsoft Windows) to self-propagate, without any user action, to other reachable hosts on the internal network or the Internet. Worms are dangerous to any network because they can be used to exfiltrate data or otherwise harm computer systems. They also consume large amounts of bandwidth, causing degradations in network performance. Unlike a virus (discussed later in this section), a worm doesn’t attach itself to computer programs or files.
A Trojan (or Trojan horse) is malware disguised as a legitimate software application to trick a user into installing it on a computer. Unlike computer worms, Trojans can’t propagate to other vulnerable computers on their own. Once installed, a Trojan commonly enrolls the computer in a network of other infected machines (a botnet; see the next section), waits to receive instructions from the attacker, and then carries them out, for example by transferring stolen information. Trojans are commonly delivered by means of social media and spam e-mails; they may also be disguised as installers for games or applications.
A computer virus is malicious code that attaches itself to a
program or file so that it can spread from one computer to
another, leaving infections as it propagates. Unlike a worm,
a virus can’t travel without a human helper — in this case, a
user who sends (usually unknowingly) an infected program or
file to another user.
Spyware and botnets
Spyware is a form of malware that covertly aggregates user
information without the user’s knowledge and forwards it
to the perpetrator via the Internet. Sometimes, spyware is
employed for the purpose of advertising (in which case it’s
called adware and displays pop-up ads). At other times, it’s
used to collect confidential information such as usernames,
passwords, and credit-card numbers. Typically, spyware is
secretly bundled into shareware or freeware.
A botnet is a group of Internet-connected computers on which malware is running (bots). Bots are often used to commit denial-of-service attacks (attacks that exhaust a server’s bandwidth, connection capacity, or processing power), relay spam, steal data, and/or download additional malware to the infected host computer.
The person who controls a botnet, the bot herder or botmaster, typically issues orders through servers called command-and-control (CnC) servers. CnC servers have only one job: controlling bots.
Social engineering attacks
Social engineering attacks are extremely common, especially
the two types discussed in this section: phishing and baiting.
As I discuss later in this chapter, these attacks are often incorporated into advanced threats.
Phishing
Phishing is an attempt to steal confidential information — usernames, passwords, credit-card numbers, Social Security numbers, and so on — via e-mail (or another message channel) by masquerading as a legitimate organization. After clicking a seemingly innocent hyperlink in the message, the victim is directed to enter personal information on an imposter website that looks almost identical to the one it’s emulating.
Phishing has two common variants:
✓ Spear phishing targets specific people within an organization, using information about them collected from social media sites such as Facebook, LinkedIn, and Twitter.
✓ Whaling is phishing that targets the senior executives of a given organization.
Baiting
Baiting occurs when a criminal casually drops a USB flash drive or CD-ROM in a public area (perhaps a parking lot or cybercafé) within close proximity of the targeted organization. The media device is labeled with enticing words such as Product Roadmap or Proprietary & Confidential to spark the finder’s interest. When the victim inserts the device into her computer and opens what’s on it (or the system autoruns it), malware is installed on the computer.
Buffer overflows and SQL injections
These two common techniques exploit vulnerabilities in application code. SQL injection targets web applications in particular, whereas buffer overflows affect any software written in languages without automatic bounds checking, such as C and C++:
✓ A buffer overflow attack is a painfully common cyberthreat in which a malicious hacker knowingly supplies more data to a memory buffer than the buffer is designed to hold. The excess spills into adjacent memory and corrupts whatever lives there (other variables, heap bookkeeping, or a saved return address). At best the application crashes; at worst the attacker controls the overwritten memory precisely enough to redirect execution to code of his choosing, which then runs with the privileges of the vulnerable program, possibly administrative ones.
✓ In an SQL injection attack, the attacker enters SQL fragments into a web form or other input field that the application concatenates into a database query, so that the input is parsed as part of the command rather than treated as data. If successful, the attack can give its perpetrator full access to database content such as credit-card numbers, Social Security numbers, and passwords, and sometimes the ability to modify data as well.
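As an added example (not code from the book, and not Blue Coat’s), the following Python shows the SQL injection just described against a login query, with the vulnerable string-concatenation version beside the parameterized fix. It uses Python’s bundled sqlite3 driver; the table names, rows, and the two payload strings are constructed for the example, and the plaintext password column is a shortcut to keep the code short, not a recommendation.

```python
"""Added example: SQL injection against a login query, vulnerable vs. parameterized.
The database, rows and payloads below are constructed for illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (username TEXT, password TEXT);
        CREATE TABLE cards (owner TEXT, card_number TEXT);
        INSERT INTO users VALUES ('alice', 'correct horse battery staple');
        INSERT INTO cards VALUES ('alice', '4111111111111111');
        """
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """VULNERABLE: user input is pasted into the SQL text, so quotes and
    keywords typed by the user are parsed as part of the command."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """HARDENED: placeholders hand the values to the database separately from
    the SQL text, so input is always treated as data, never as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# Two classic payloads an attacker would type into the form fields.
BYPASS = "' OR '1'='1"                              # closes the quote, adds an always-true clause
DUMP = "' UNION SELECT card_number FROM cards --"   # appends a second SELECT; -- comments out the rest


def run_demo() -> dict:
    """Run both payloads against both implementations; return the rows each yields."""
    conn = make_db()
    return {
        "vuln_bypass": login_vulnerable(conn, "alice", BYPASS),     # logs in without the password
        "vuln_dump": login_vulnerable(conn, DUMP, "x"),              # leaks a card number via the login form
        "safe_bypass": login_parameterized(conn, "alice", BYPASS),  # no rows: payload compared as a literal
        "safe_dump": login_parameterized(conn, DUMP, "x"),          # no rows
        "safe_valid": login_parameterized(conn, "alice", "correct horse battery staple"),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name:12s} -> {rows}")
```

The UNION payload is why the text says a successful injection can expose the whole database: the login form never mentions the cards table, but once the input is parsed as SQL the attacker can query any table the application’s database account can read. Parameterization fixes the root cause; input filtering alone does not.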
Advanced Threats:
Emerging Dangers
Now that you’re up to speed on basic threats, it’s time to
explore the advanced threats that are making headlines today.
Advanced persistent threats
Advanced persistent threats (APTs), also known as advanced targeted attacks (ATAs), are sophisticated, multivectored (perpetrated through multiple channels) cyberattacks in which an attacker gains unauthorized network access and stays undetected for a long period. To date, the goal of APTs generally has been data theft, but more extreme consequences, including kinetic damage, are possible.
APTs target organizations in industries that handle high-value information, such as financial institutions, government agencies and contractors, and companies that have valuable intellectual property in such sectors as technology, pharmaceuticals, and energy.
To help illustrate the nature of an APT, I break down the components of the acronym:
✓ Advanced: Attackers use a full spectrum of computer-intrusion technologies and techniques, often exploiting unreported vulnerabilities in OSs and applications. Many of these threats are undetectable by traditional security systems.
✓ Persistent: After a network is breached, the perpetrator operates low and slow to remain undetected. Patience is key as he quietly maps the network and connects to each host (often in the middle of the night) until the ultimate target has been identified.
✓ Threat: The attacker initiates each APT with a specific objective in mind and won’t stop until he achieves that objective. He’s skilled, highly motivated, and well funded.
Chapter 2 explores APTs in considerably more detail and also
provides an overview of the APT threat life cycle.
Zero-day threats
A zero-day threat is a cyberattack on an OS or application vulnerability for which no patch yet exists because the vulnerability is unknown to the general public. The name refers to the number of days the vendor has had to fix the flaw before it was exploited: zero.
In some cases, the OS or application vendor is already aware of the vulnerability but hasn’t disclosed it publicly because the vulnerability hasn’t been patched yet. In other cases, the vendor is caught by surprise.
Bypassing million-dollar security with a good pair of shoes
No matter how much money your organization spends on perimeter-based network security defenses, they’ll be bypassed every time by users carrying their own laptops, mobile devices, and portable media (such as USB flash drives) right through the office front door. The best approach to information security is a defense-in-depth strategy composed of best-of-breed security products that can detect all kinds of threats originating both inside and outside the organization.
If you’re an IT security professional who thinks that advanced cyberthreats can penetrate your network only through your firewall, you’re headed for a rude awakening, and possibly a new career.
Polymorphic threats
A polymorphic threat is a cyberattack, such as a virus, a worm, a Trojan, or spyware, that continuously changes (morphs) its own code, so that a signature written for one sample no longer matches the next. Polymorphic threats morph in a variety of ways: re-encrypting or re-packing the payload with a fresh key, inserting junk instructions, and reordering code, all of which change the file’s hash, size, and byte patterns, and often its filename as well.
Although the code within a polymorphic threat changes with each mutation, the function generally remains the same. Consider a spyware program that’s designed to act as a keylogger (malware designed to record keystrokes in an effort to steal usernames, passwords, or other confidential data). Even after its underlying code changes, that program continues to act as a keylogger.
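To make the mutation-versus-signature problem concrete, here is an added example (not code from the book, and not a real malware sample) in Python. It models a toy packer that emits a fresh variant of the same inert payload on every build, then runs four detectors over the variants: an exact file hash, a byte pattern over the raw file, the same byte pattern after unpacking, and a signature on the packer stub. The payload bytes, the `PK!` stub format, the XOR encoding, and all function names are invented for this illustration.

```python
"""Added example: why hash and raw-byte signatures miss polymorphic variants
while normalised (unpacked) matching does not. Toy format, inert payload."""
import hashlib
import os
import struct
from typing import Optional

PAYLOAD = b"KEYLOG: hook keyboard; send buffer to c2"   # constructed stand-in for a keylogger body
PATTERN = b"hook keyboard"                               # a byte signature written against the plaintext
MAGIC = b"PK!"                                           # invented stub marker for this toy packer


def pack(payload: bytes, key: int, junk: bytes) -> bytes:
    """Emit a variant: stub marker, 1-byte XOR key, 2-byte length, XOR-encoded body, trailing junk."""
    body = bytes(b ^ key for b in payload)
    return MAGIC + bytes([key]) + struct.pack(">H", len(payload)) + body + junk


def mutate(payload: bytes) -> bytes:
    """The malware author's build step: fresh key and junk every time, so hash,
    size and byte patterns differ while behaviour stays identical."""
    key = 1 + os.urandom(1)[0] % 255                 # never 0, which would leave the body in the clear
    junk = os.urandom(16 + os.urandom(1)[0] % 64)
    return pack(payload, key, junk)


def unpack(sample: bytes) -> Optional[bytes]:
    """Do what the stub does at run time: recover the real body. None if not our format."""
    if not sample.startswith(MAGIC) or len(sample) < 6:
        return None
    key = sample[3]
    (n,) = struct.unpack(">H", sample[4:6])
    body = sample[6:6 + n]
    return bytes(b ^ key for b in body) if len(body) == n else None


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_signature_matches(sample: bytes, known_hashes: set) -> bool:
    """Detector 1: exact file hash, the weakest form of signature."""
    return sha256(sample) in known_hashes


def byte_signature_matches(sample: bytes, pattern: bytes) -> bool:
    """Detector 2: byte pattern over the raw file, defeated by any re-encoding."""
    return pattern in sample


def unpacked_signature_matches(sample: bytes, pattern: bytes) -> bool:
    """Detector 3: normalise first (unpack), then match; survives every key/junk change."""
    body = unpack(sample)
    return body is not None and pattern in body


def stub_signature_matches(sample: bytes) -> bool:
    """Detector 4: match the packer stub itself; catches every variant until the packer changes."""
    return sample.startswith(MAGIC)


if __name__ == "__main__":
    first = mutate(PAYLOAD)
    known = {sha256(first)}                          # the "signature update" issued after sample one
    for i in range(3):
        v = mutate(PAYLOAD)
        print(f"variant {i}: size={len(v)} hash={hash_signature_matches(v, known)} "
              f"bytes={byte_signature_matches(v, PATTERN)} "
              f"unpacked={unpacked_signature_matches(v, PATTERN)} "
              f"stub={stub_signature_matches(v)}")
```

The practitioner’s takeaways: hash- and raw-byte signatures are only as good as the last sample they were written from, normalising the file (unpacking, emulating, or running it in a sandbox) recovers the stable function the text describes, and a signature on the packer stub is a cheap stopgap that works until the attacker changes packers.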
Blended threats
A blended threat employs multiple attack vectors (paths and
targets) and multiple types of malware to disguise the attack,
confuse security analysts, and increase the likelihood of a
successful data breach. Classic examples of blended threats
include Conficker, Code Red, and Nimda.
Insider threats
Not all threats originate outside the network. Some originate within, introduced by two types of users:
✓ Malicious users: These users may consist of ill-intentioned contractors, disgruntled employees, or even criminals who use social engineering techniques to gain physical access to the network after being admitted to the building by a negligent receptionist.
✓ Unknowing employees: Even well-intentioned employees may bring malware-infected laptops and mobile devices into the office after surfing the web at home over the weekend.
Depending on how sophisticated your information security
is at home and on whether you ever connect your personally
owned mobile devices (laptops, smartphones, or tablets) to
your company’s network, you might be an insider threat and
never even know it!
Malnets
A malnet (malware network) employs a distributed network
infrastructure in the Internet that is purpose built and maintained by cybercriminals to launch a variety of attacks against
Internet users over extended periods of time. A malnet is comprised of unique domains, servers, and websites that work in
unison to funnel users to the malware payload.
Blue Coat Security Labs projects that nearly two-thirds of all
new cyberattacks will originate from malnets.
Know Thy Enemy
It’s not enough just to know what kind of cyberthreats you
face. You also need to know the sources and goals of those
threats. This section gives you some insights into potential
attackers — and potential attacks.
Types of attackers
Cyberattackers have changed dramatically over the past half
century. In the 1970s and 1980s, phone phreaking (hacking
telephone equipment to make free long-distance calls) was
common. In the 1990s, widespread Internet adoption and the
emergence of the World Wide Web enticed hackers to deface
public websites primarily for bragging rights.
Since the turn of the century, however, cyberattackers have fallen into three broad categories: cybercriminals, state-sponsored hackers, and hacktivists.
Cybercriminals
As the name suggests, cybercriminals hack for profit. They penetrate a company’s network security defenses in an attempt to steal something valuable (such as credit-card numbers) and sell it on the black market. Many of today’s botnets and CnC servers are under the control of cybercriminals and their crews. Today, cybercrime is a multibillion-dollar industry.
State-sponsored hackers
Cyberattacks committed by nations against foreign corporations and governments are perpetrated by state-sponsored
hackers — people who hack for a paycheck with the objective
of compromising data, sabotaging systems, or even committing cyberwarfare.
China, Russia, Iran, and North Korea are among the countries most often cited for recruiting state-sponsored hackers,
although evidence has emerged that the United States is also
active in this arena.
Hacktivists
Hacktivists are computer hackers who are driven by political
ideology. Typical attacks committed by hacktivists include
website defacements, redirects, information theft and exposure, and virtual sit-ins through denial-of-service attacks.
Some hacktivists join forces to target their victims, working
as groups such as LulzSec (which claimed responsibility for
attacks against Sony Pictures and the Central Intelligence
Agency) and Anonymous (which claimed responsibility for
attacks against the Church of Scientology, HBGary Federal,
PayPal, the U.S. Federal Reserve, and the Ugandan government in protest of its antihomosexuality bill).
Attacks that make headlines
These days, it seems that a day doesn’t go by without news of
a major commercial or government cyberattack. The following
sections summarize some recent data breaches that have made
international headlines.
Attacks on companies
You may have read about some of these high-profile attacks:
✓ Apple and Microsoft (February 2013): Microsoft announced that it experienced an intrusion in its Mac business unit originating from Java-based malware. This attack came just days after Apple stated that it had been victimized by Java-based malware that employees inadvertently downloaded after visiting a website for software developers. Neither Microsoft nor Apple disclosed what, if any, data was compromised.
✓ The New York Times and The Wall Street Journal (January 2013): China has been accused of conducting cyberattacks against these two media giants in response to undesirable coverage of the Chinese government, including Prime Minister Wen Jiabao.
✓ Facebook, Twitter, and LinkedIn (2012–2013): Officials of each of these social media giants claimed that they were targeted by advanced cyberattacks. LinkedIn was first, with 6.5 million password hashes stolen in June 2012; Twitter was next, with the salted password hashes of about 250,000 users exposed in February 2013. Facebook followed soon after (with no reports of stolen passwords just yet).
✓ Citigroup, Bank of America, and JPMorgan Chase (September 2012): U.S. officials accused Iran of orchestrating denial-of-service attacks on the websites of these major U.S. banks in response to United Nations sanctions against Iran. PNC Financial Services Group, SunTrust, and BB&T were also targeted in January 2013.
Data breaches by the numbers
In 2013, Verizon analyzed 621 data-breach incidents that occurred in 2012, resulting in 44 million compromised records, and came up with some staggering statistics:
✓ 40 percent incorporated malware.
✓ 52 percent involved some form of
hacking.
✓ 66 percent took months or more
to discover.
✓ 84 percent compromised their targets in seconds, minutes, or hours.
✓ 69 percent were discovered by a
third party.
✓ 92 percent were perpetrated by
outsiders.
✓ 95 percent of state-affiliated
attacks employed phishing.
You can download the report for free
at www.verizonenterprise.
com/DBIR/2013.
Attacks on government agencies
Unsurprisingly, governments are high-profile targets. Here are
a few recent examples:
✓ NATO and European governments (February 2013): Officials of NATO and several European nations, including the Czech Republic, Ireland, Portugal, and Romania, announced the compromise of sensitive computer systems by advanced malware called MiniDuke, which exploits a flaw in Adobe Reader.
✓ U.S. Department of Energy (February 2013): In a major cyberattack, the personal information of several hundred DoE employees was compromised. The agency reported that 14 servers and 20 workstations were penetrated during the attack.
✓ South Carolina Department of Revenue (November 2012): A single malicious e-mail enabled a hacker to crack into state computers and access 3.8 million tax returns in what experts say is the biggest cyberattack against a state government.
✓ Iran (May 2012): A malware program called Flame, allegedly developed by the United States and Israel, was deployed to collect intelligence related to Iran’s nuclear program. Unlike Stuxnet, which was designed to sabotage an industrial process, Flame was written purely for espionage purposes.
This list of attacks just scratches the surface of what government agencies are experiencing. An official of a well-known
federal contractor inadvertently disclosed at a company event
that the U.S. Navy fights off more than 110,000 cyberattacks
every hour — more than 30 attacks every single second!
The Price of Failure
Failing to detect a data breach before it’s too late is disastrous
to any organization. The associated costs are difficult to quantify, as they’re spread across many areas, including these:
✓ Investigation and forensics costs
✓ Customer and partner communication costs
✓ Public relations costs
✓ Lost revenue due to damaged reputation
✓ Regulatory fines and civil claims
In 2012, the Ponemon Institute published its 2012 Cost of
CyberCrime Study, which calculated the cost of data breaches
for 56 U.S.-based enterprises. The report found the average
annualized cost of cybercrime for each organization to be $8.9
million, with a range of $1.4 million to $46 million, a 6 percent
increase (from $8.4 million) from the year before. To download
a free copy of the report, visit www.ponemon.org/library.
Security researcher exposes potential
source of global cyberespionage
In February 2013, cybersecurity
vendor and researcher Mandiant
(www.mandiant.com) published
a report called APT1 that instantly
turned heads throughout the information security industry. In this
report, Mandiant claims to have
conclusive proof that a government-controlled organization in China is
the source of hundreds of advanced
cyberattacks.
According to Mandiant, which has
investigated computer security
breaches at hundreds of organizations around the world, the company
has tracked more than 20 APT groups
with origins in China, but a single organization, which Mandiant has dubbed
APT1, is by far the most prolific.
In its report, Mandiant claims that APT1
stole 6.5 terabytes of compressed
data from a single organization over a
ten-month period. In the last two years
alone, APT1 has allegedly established a
minimum of 937 command-and-control
(CnC) servers hosted on 849 distinct IP
addresses in 13 countries. The majority
of these IP addresses were registered
to organizations in China.
In a Forbes.com article written by
Richard Stiennon, Chief Security
Analyst at IT Harvest, Mr. Stiennon
advised his readers responsible for
the IT security of their organizations to
drop everything and immediately read
Mandiant’s APT1 report. Although I
hope you continue reading this book,
I advise that you do the same.
To download a free copy of the Mandiant APT1 report, connect to http://intelreport.mandiant.com.
Chapter 2
Exploring Advanced
Threats
In This Chapter
▶ Considering trends that contribute to cyberattacks
▶ Understanding why traditional security products may fail
▶ Reviewing the advanced threat life cycle
▶ Finding out when you’ve been victimized
Today, two types of IT organizations exist: Those that know their networks have been compromised and those that don’t yet know their networks have been compromised.
In either case, virtually every enterprise and government
agency has malware somewhere on its network — on servers,
on desktops, and even on mobile devices.
The good news is that the information security industry is
innovating all the time. Vendors are making great strides in
detecting and ultimately preventing advanced threats. If the
past decade has taught us one thing, however, it’s that relying
on prevention technology alone is a recipe for disaster.
Before I introduce an innovative solution for detecting and
mitigating advanced threats (see Chapter 3), I want to spend a
little more time delving into these threats so that you’re fully
prepared to face them.
Viewing the Evolving
Threat Landscape
Perhaps the only constant in your network environment is
change. Your company or government agency is changing,
personnel are changing, and the demands placed on your IT
organization are in flux. The same is true of network security.
New trends introduce new security threats, and the threats
themselves are evolving.
Trends that introduce threats
Supplemental to the changes in your organization are four
technological trends that leave your network open to new
risks and uncertainties — especially to advanced threats.
Social media
Social media has exploded in popularity over the past decade
(to make a gross understatement). LinkedIn, which celebrated
its tenth anniversary in May 2013, has nearly 50 million users.
Twitter, created in March 2006, boasts more than 500 million
users, and Facebook, launched in February 2004, has more
than 1 billion users. Conservatively speaking, one of every
eight humans on this planet is registered on at least one of
these three sites.
The growing popularity of social media poses a new problem.
Most organizations don’t restrict employees’ access to social
media sites because they don’t have the technology to do so
and/or don’t want to damage employee morale. Unfortunately,
cyberattackers now use social media sites to identify targets
and launch advanced threats.
Virtualization
The adoption of cost-saving virtualization is one of the greatest shifts in network computing in the past decade. Platforms
such as VMware, Xen, and Hyper-V have changed the face of
data centers forever.
Virtualization, however, poses a few risks that don’t apply to
physical hosts:
✓ IT can’t natively inspect traffic between virtual machines (VMs) without specialized tools.
✓ Many VMs go unprotected (or at least unmonitored) because IT doesn’t have a budget for virtual security.
✓ Often, new VMs are pushed into production without the knowledge (or approval) of IT security — a problem known as VM sprawl.
Cloud computing
Cloud computing has changed the way that enterprises and
government agencies deliver applications. Like virtualization
(which is heavily leveraged by cloud-computing infrastructures), cloud computing has inherent risks. Whether applications are deployed via a public cloud, a private cloud, or a
hybrid cloud, unless proper security measures are taken, data
can be breached just as easily through a cloud architecture as
it can through a traditional computer network.
BYOD
BYOD (which stands for bring your own device) is a new policy
trend that allows employees to connect their personal smartphones, tablets, and other mobile computing devices to the company’s network so that they can access company-maintained
data and applications at their own convenience.
Employee-owned devices, of course, are entirely unmanaged
by IT, so they usually don’t have the proper security settings
and protections. Furthermore, mobile devices are increasingly
vulnerable to advanced malware and are subject to different
threat tactics than traditional desktops are. Still, IT is pressured to support these devices, starting with those owned by
the organization’s executives.
Trends in threats themselves
As I mention in Chapter 1, basic threats are known attacks that
exploit known OS or application vulnerabilities, and advanced
threats are unknown attacks that exploit unknown (or at least
unpatched) vulnerabilities. Both types of threats are evolving.
Longer time to detection
Because no intrusion prevention, firewall, or even antivirus
protection exists for an attack that hasn’t yet been identified,
advanced attacks typically sail right past traditional signature-based defenses (see “Signature-based defense limitations,” later in this chapter).
In the case of the alleged Chinese cyberattack against The
New York Times (see Chapter 1), it was reported that only 1 of
the 45 pieces of malware associated with that data breach was
spotted by the company’s vendor for antivirus protection.
As you discover in “Tracking the Advanced Threat Life Cycle,”
later in this chapter, perpetrators of advanced threats employ
low and slow tactics to avoid detection — such as operating during off-peak hours (when fewer security analysts are
watching), encrypting data before it’s extracted, breaking
data into chunks before exfiltration, and uninstalling malware
after penetrating the network. These tactics enable them to go
months or even years without detection.
Use of diversionary tactics
Talented advanced threat actors often employ diversionary tactics when conducting cyberespionage. They know
that every organization has a finite number of IT security
resources. By launching a series of attacks that are easy or
moderately difficult to detect on other parts of the network,
such as a distributed denial of service attack (DDoS), an
attacker keeps the victim’s IT security resources busy and
away from an advanced attack already in progress.
Seeing Why Security
Sometimes Fails
By now, you probably realize that advanced threats are
very different from cyberattacks of the past. Detecting and
mitigating them requires new thinking and new technologies
because traditional security defenses are no match for today’s
advanced threats and targeted attacks.
Signature-based defense limitations
Signature-based endpoint and network security defenses —
such as antivirus (AV), intrusion prevention systems (IPSs),
next-generation firewalls (NGFWs), and more — leverage
pattern-matching detection engines to detect known threats
against known vulnerabilities.
Today’s advanced threats, however, often employ zero-day
attacks against vulnerabilities that the vendor hasn’t patched
yet (see Chapter 1). Using traditional security defenses alone
to detect these threats will fail every time.
Don’t get me wrong — traditional signature defenses are critical components of a well-balanced defense-in-depth strategy.
I’m simply saying that by themselves, they’re not enough to
defend your business against today’s advanced threats.
Anomaly-based defense limitations
Better IPS and network behavior analysis (NBA) solutions
incorporate anomaly-based detection methods to uncover
cyberattacks that have already penetrated the network, from
the outside or from the inside (by being carried into the network on mobile computing devices; see “BYOD,” earlier in this
chapter). These security solutions work by aggregating flow
records (such as NetFlow, sFlow, and cFlow) from network
routers and switches and then baselining normal network traffic over a given period.
After a baseline has been established, the solution can detect
anomalies such as one employee-owned device communicating directly with other employee-owned devices (a sign of
worm propagation).
Although anomaly-based security defenses sometimes detect
clues pertaining to advanced threats, they’re largely unsuccessful because they’re notoriously prone to reporting false
positives — misclassifying good traffic as bad. Because these
offerings only analyze summarized flow information, they
don’t provide the context required for analysts to make fully
informed decisions or perform forensic analysis.
Sandboxing limitations
Even advanced malware analysis solutions that incorporate
sandboxing technology (a technique that uses virtual sessions
or emulation to detect and classify advanced malware) can be
defeated. Some types of malware are designed to detect the
presence of a sandbox environment. Others have a built-in
delay so that they’re not triggered until long after the sandbox
analysis is complete or execute only in the presence of computer mouse movement to avoid automated analysis.
Tracking the Advanced
Threat Life Cycle
To detect — and ultimately mitigate — advanced threats, it’s
critical to understand how they work. The terminology that
researchers use to describe each stage of the advanced threat
life cycle varies, but the process followed by advanced threats —
and particularly by APTs — is well understood.
Following is the general consensus on the stages of the
advanced threat life cycle:
1. The attacker exploits system vulnerabilities.
2. The planted tool phones home.
3. The attack spreads across the network.
4. Compromised data is exfiltrated.
5. The attacker covers his tracks.
In the following sections, I explore these five stages in detail.
Stage 1: Attacker exploits
system vulnerabilities
Every advanced threat begins with the exploitation of an
operating system or application vulnerability (usually present
in a Windows-based workstation or laptop) that enables the
attacker to access other network hosts from the inside. Such
attacks often involve tricking gullible employees with social
engineering attacks such as e-mails containing dangerous
attachments (phishing) or USB drives or CD-ROMs planted in
parking lots (baiting).
Attackers generally prefer phishing to baiting (see Chapter 1)
because unless the media device involved in a baiting
operation is inserted into a computer, there’s no way for the
attacker to delete the incriminating malware files later.
After a victimized system has been compromised, the attacker
installs malware containing a remote administration tool
(RAT), which enables the attacker to take control of the compromised system in Stage 2.
Stage 2: Planted tool phones home
When the RAT is up and running, it phones home by initiating an outbound connection, often embedded within a Secure
Sockets Layer (SSL)-encrypted channel, between the compromised system and a command-and-control (CnC) server
operated by the attacker. This connection goes undetected
by network security devices that aren’t configured to monitor outbound traffic or that aren’t capable of inspecting SSL-encrypted communications.
Some attackers prefer to configure CnC callbacks to occur in
the middle of the night, when fewer information security personnel are monitoring the network.
When the RAT connects to the CnC server, the attacker has
full control of the compromised host, just as though she were
sitting in front of the keyboard.
Typical RATs (such as DarkComet RAT, Back Orifice, and
Poison Ivy) enable attackers to do a variety of ill-intentioned
things:
✓ Log keystrokes (via a keylogger function) to steal usernames and passwords
✓ Control the mouse and keyboard
✓ Take screen shots
✓ Delete, edit, and rename files
✓ Edit Windows Registry keys
✓ Remotely download and install other programs
✓ Record video with a connected webcam
✓ Record sound with a connected microphone
✓ Remotely shut down the system
Future instructions from the attacker are conveyed via a CnC
server connection to the RAT, or vice versa. Attackers usually prefer the latter method because an external connection
initiated by a host within the trusted network is far less suspicious than a connection initiated from the outside.
Stage 3: Attack spreads
across network
The actual host associated with Stage 1 of the attack rarely
contains strategic data, so the attacker must spread laterally
through the network in search of hosts operated by IT administrators (in an effort to steal admin credentials) or high-value
servers and databases containing sensitive data — the ultimate
targets of the advanced attack.
An attack that spreads laterally through the network typically doesn’t require malware or tools other than those that
are already installed on compromised systems, such as command shells, NetBIOS commands, VNC, RDP, and similar tools
that network administrators use to service remote hosts. In a
common tactic known as pass the hash, credentials from one
authenticated session can be used to create sessions to other
servers.
When the ultimate target of the advanced threat campaign has
been identified and the attacker has obtained adequate logon
credentials, his hard work and determination begin to pay off.
Stage 4: Compromised
data is exfiltrated
In this stage of the campaign, the attacker faces three challenging obstacles:
✓ Transferring all the target data at the same time (often gigabytes or even terabytes of data) could trigger a flow-based anomaly alert (if NBA technology is used) due to the unusually high volume of traffic initiated by the targeted server or database.
✓ The attacker needs to ensure that the host receiving the data can’t be linked back to her.
✓ Transferring data as plain text could trigger an alert from a data loss prevention (DLP) system.
Here’s how an experienced advanced threat actor can overcome all three of these obstacles:
1. To overcome the first obstacle, a savvy attacker exfiltrates data from target systems in chunks — perhaps
in increments of 50MB to 100MB at a time.
One approach is to group files or records into compressed, password-protected RAR (Roshal Archive)
files. Some RAR files can be parts of multiple-volume
sequences, enabling the attacker to split a large
quantity of data into volumes. Each file has a name
that depicts the number of the volume: part1.rar,
part2.rar, part3.rar, and so on.
2. To overcome the more challenging second obstacle —
the attacker wants to get the data offsite as soon as
possible but can’t risk sending it to a host that can
be traced back to her — the attacker might set up a
temporary staging area on a virtual host operated by a
cloud-based service provider.
The advantage of this method is that the attacker can
destroy the virtual host the instant that all the targeted data has been extracted.
3. Finally, the attacker can overcome the third obstacle
by encrypting each RAR file before it’s transferred
(often via FTP) to the staging host. As most network
security devices — including DLP systems — are blind
to encrypted traffic, this is a perfect way to exfiltrate
data without detection.
After the data has been exfiltrated, the attacker either seeks
additional target hosts (Stage 3) or decides that the work is
done (Stage 5).
Debunking APT myths
APT is one of the most commonly used terms in the information security industry today, but it’s also one of the most widely misunderstood. Here are three common myths about APTs:
✓ All APTs come from China. Although research indicates that more APTs originate in China than in any other country, APTs have been linked to attackers in Russia, Iran, North Korea, Israel, and even the United States.
✓ Only APTs cause data breaches. Although some of the largest data breaches in recent history were the result of APTs, malicious insiders and good old-fashioned negligence (such as forgetting to change default administrative passwords) are also commonly at fault.
✓ APTs can be effectively addressed by traditional security defenses. Traditional signature-based security products are designed to detect known threats, but APTs often contain unknown threats and zero-day malware to exploit unknown vulnerabilities, which are virtually undetectable by traditional security defenses.
Stage 5: Attacker covers his tracks
After the attacker has exfiltrated all the desired data from the
target host (and has determined that no other hosts on the
network contain data of value), it’s time for him to get out.
Before he does so, however, he needs to cover his tracks so
that the attack remains undetected.
The following list contains tactics that sophisticated hackers
employ to minimize the risk of detection:
✓ Executing highly visible attacks on other parts of the network to distract security analysts and keep them away from compromised systems
✓ Deleting the compressed files after they’ve been extracted from the staging server
✓ Uninstalling malware and RATs at the initial entry point
✓ Deleting the staging server (if it’s hosted in the cloud) or taking it offline (if it’s under the attacker’s control)
✓ Employing antiforensic techniques such as deleting log, event, and audit files, as well as scrubbing file-system slack space to prevent recovery of deleted files
Knowing When You’ve
Been Compromised
Although advanced threats and targeted attacks are painfully difficult to detect, here are a few telltale signs to look for when determining whether your organization has been compromised by an advanced cyberattack:
✓ An increase in administrative logons late at night
✓ Outbound connections to known CnC servers
✓ Widespread back-door Trojans on endpoints and/or network file shares
✓ Large flows of data from within the network (from server to server, server to client, client to server, or network to network)
✓ Large chunks of data (gigabytes worth of data) appearing in places where data shouldn’t exist
✓ SSL-encrypted network communications using encryption algorithms and/or digital certificates not commonly used by the organization
✓ Windows Application Event Log entries of antivirus and firewall stop and restart commands
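As an added example (not from the book or from Blue Coat), the following Python triage script checks constructed logon and flow records for three of the signs listed above: late-night administrative logons, outbound connections to a known CnC address list, and outbound volumes far above a per-host baseline, which is the flow-baselining approach described under “Anomaly-based defense limitations.” The host names, addresses, byte counts, and CnC list are all made up.

```python
"""Added example: triage constructed logon and flow records for three of the
telltale signs of compromise listed in the chapter. Nothing here is real
telemetry; every host, address and byte count is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample logon events (local time, ISO 8601).
LOGONS = [
    {"ts": "2013-03-04T09:12:00", "user": "admin.svc", "host": "ws-101"},
    {"ts": "2013-03-04T23:41:00", "user": "admin.svc", "host": "srv-db-02"},
    {"ts": "2013-03-05T02:07:00", "user": "jsmith",    "host": "ws-017"},
    {"ts": "2013-03-05T03:15:00", "user": "admin.svc", "host": "srv-file-01"},
]
# Constructed flow records: (timestamp, source host, destination IP, bytes out).
# Destinations use RFC 5737 documentation ranges, so none of them is real.
FLOWS = [
    ("2013-03-01T10:00:00", "srv-db-02", "10.0.0.5",     2_000_000),
    ("2013-03-02T10:00:00", "srv-db-02", "10.0.0.5",     2_500_000),
    ("2013-03-03T10:00:00", "srv-db-02", "10.0.0.5",     1_800_000),
    ("2013-03-04T23:50:00", "srv-db-02", "198.51.100.7", 95_000_000),
    ("2013-03-04T23:55:00", "ws-017",    "203.0.113.9",  4_096),
    ("2013-03-05T08:00:00", "ws-017",    "10.0.0.8",     12_000),
]
KNOWN_CNC = {"203.0.113.9"}   # placeholder indicator list, constructed
ADMIN_USERS = {"admin.svc"}   # constructed set of administrative accounts


def late_night_admin_logons(logons, admins=ADMIN_USERS, start=22, end=5):
    """Return admin logons whose hour lies in [start, 24) or [0, end)."""
    hits = []
    for ev in logons:
        hour = datetime.fromisoformat(ev["ts"]).hour
        if ev["user"] in admins and (hour >= start or hour < end):
            hits.append(ev)
    return hits


def cnc_callbacks(flows, cnc=KNOWN_CNC):
    """Return outbound flows whose destination is on the CnC indicator list."""
    return [f for f in flows if f[2] in cnc]


def build_baseline(flows, before):
    """Median outbound bytes per source host over flows dated before `before`.
    Timestamps share one ISO format, so plain string comparison orders them."""
    per_host = defaultdict(list)
    for ts, src, _dst, nbytes in flows:
        if ts < before:
            per_host[src].append(nbytes)
    return {src: median(v) for src, v in per_host.items()}


def large_outbound_flows(flows, baseline, since, factor=10):
    """Flag flows at or after `since` exceeding `factor` x the host's baseline.
    Hosts with no baseline are skipped: flow summaries alone give no context
    to judge a sender the baseline has never seen."""
    hits = []
    for f in flows:
        ts, src, _dst, nbytes = f
        base = baseline.get(src)
        if ts >= since and base is not None and nbytes > factor * base:
            hits.append(f)
    return hits


def triage(logons=LOGONS, flows=FLOWS, since="2013-03-04T00:00:00"):
    """Run all three checks; the baseline is built only from flows before `since`."""
    baseline = build_baseline(flows, before=since)
    return {
        "late_night_admin_logons": late_night_admin_logons(logons),
        "cnc_callbacks": cnc_callbacks(flows),
        "large_outbound_flows": large_outbound_flows(flows, baseline, since),
    }


if __name__ == "__main__":
    for sign, findings in triage().items():
        print(f"{sign}: {len(findings)} finding(s)")
        for f in findings:
            print("   ", f)
```

On the constructed data the script reports the two late-night admin.svc logons, the single flow to the placeholder CnC address, and the 95 MB transfer from srv-db-02, whose median daily volume before the cut-off was 2 MB.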
Enterprises and government agencies often fail to identify
advanced threats because their network security devices
are configured only to inspect ingress (inbound) traffic at the
perimeter. Acquiring and/or configuring security devices to
inspect egress (outbound) traffic, as well as traffic flowing
from within the core (data center), significantly improves your
chances of detecting advanced threats.
Recovering from a widespread advanced cyberattack is one
of the most painful exercises you’ll face in your career. Just
determining the scope, root cause, and impact of the attack
can drive you insane, much less determining whether the
attack is truly over.
Fortunately, hope is on the horizon, and it’s the focus of the
next chapter.
Lessons learned from the
RSA Security data breach
Although it occurred more than two
years ago, the breach of security firm
RSA Security in March 2011 is still a
textbook example of an advanced
cyberattack — literally a textbook
example because company officials
posted details about the attack on
RSA’s corporate blog so that other
companies can avoid making the
same mistakes.
The data breach began with a
spear-phishing attack on several
employees who presumably were
identified through social media sites.
Over a two-day period, the attacker
sent two small groups of employees
an e-mail with the subject line 2011
Recruitment plan.xls and a Microsoft
Excel spreadsheet attachment.
Although the e-mail was flagged
as spam, one employee was fooled
into retrieving it from the Junk
Mail (spam) folder and then double-clicking the attached Excel file,
which contained a zero-day exploit
that used an Adobe Flash vulnerability to install a RAT. When the RAT
was in place, it initiated an outbound
connection to the attacker’s CnC
server, and the attacker gained full
control of the user’s desktop.
Because the initially compromised
PC wasn’t a strategic asset, the
attacker moved laterally across the
network, compromising additional
hosts. He harvested access credentials from the first compromised PC,
including credentials to a domain
admin account. Then he performed
privileged account escalation on
nonadministrative user accounts on
other systems. He repeated this process until he stumbled across a high-value target: a computer operated by
an IT server administrator.
Soon after, the attacker located
multiple highly sensitive servers
(allegedly containing top-secret
SecurID two-factor authentication
algorithms), compromised them,
and established access to internal
staging servers at key aggregation
points to get ready for extraction.
Next, the attacker logged into the
servers of interest, exfiltrated their
data, and moved it to staging servers
where the data was compressed and
encrypted for extraction.
Finally, the attacker used FTP to
transfer a series of password-protected RAR files from the RSA file
server to an outside staging server
at a hosting provider. The files were
subsequently deleted from the internal and external staging servers to
remove any traces of the attack.
This cyberattack clearly illustrates
the five stages of the advanced
threat life cycle, discussed in the
“Tracking the Advanced Threat Life
Cycle” section. Today, organizations
are slowly becoming more comfortable with sharing details of successful cyberattacks in a cooperative
effort to combat their damaging
effects.
Chapter 3
Fighting Back with
Big Data Security Analytics
In This Chapter
▶ Understanding Big Data and Big Data Security Analytics
▶ Seeing how Big Data Security Analytics works
▶ Discovering what Big Data Security Analytics can do for you
With advanced threats clearly on the rise, and given that traditional security defenses are ineffective in defending against them, organizations are turning to a new breed of network security defense: Big Data Security Analytics.
In this chapter, I define Big Data and Big Data Security Analytics
and describe how the latter can help your organization ward off
threats.
What Is Big Data?
Big Data is all around all of us. To a stockbroker, it’s a sea
of annual reports and economic indicators. To an insurance
actuary, it’s thousands of insurance claims. And to an information security analyst, it’s every bit and byte that traverses
the network.
Big Data is one of the hottest, most-talked-about trends in the
IT industry, but until recently, it was more theoretical than
practical. Technological advances in high-speed data collection, indexing, analysis, and storage, along with advancements in data analytics, give IT a new secret weapon against
advanced cyberthreats: Big Data Security Analytics.
What Is Big Data
Security Analytics?
Big Data Security Analytics is a network security solution that
aggregates and analyzes Big Data — every single packet,
file, and flow that it sees — in order to detect and minimize
advanced cyberthreats. Leading Big Data Security Analytics
solutions leverage both internal and external Big Data sources.
Internal sources
Typical internal sources of Big Data include the following:
✓ All traffic flowing across your network, including web traffic, e-mail, and file transfers and attachments
✓ Network flow records (such as NetFlow, jFlow, sFlow, and IPFIX) from network routers and switches
✓ VM-to-VM (virtual machine to virtual machine) IP traffic on VMware, Xen, and other virtualization platforms
✓ User account directories, such as Microsoft Active Directory and LDAP
✓ Threat intelligence from malware analysis systems (if present), such as Solera Networks (a Blue Coat company), FireEye, and Norman Malware Analyzer
External sources
Following are some common external sources of Big Data:
✓ Publicly available cyberthreat and reputation feeds, such as Emerging Threats, Google Safe Browsing, Malware Domain List, SANS ISC, SORBS, and VirusTotal
✓ Commercially available cyberthreat and reputation feeds, such as those from Blue Coat and Bit9
✓ IP geolocation services, such as Digital Envoy, Geobytes, MaxMind, and Quova
✓ Website intelligence services, such as Blue Coat WebPulse, Domain Tools, and Robtex
How Big Data Security Analytics
Solutions Work
Big Data Security Analytics solutions constantly aggregate Big
Data intelligence and analyze it through a sophisticated data
analytics engine equipped with both prebuilt and user-defined
rules. These solutions — delivered in software, virtual appliance, and physical appliance form factors — can support the
largest enterprises, capturing and indexing data (including
packet header and payload, OSI Layers 2–7) at wire speed,
providing a complete, forensically sound record of all activity
going in and out of the network.
Big Data Security Analytics solutions also have built-in tools
that perform real-time or back-in-time analysis of files, applications, web traffic, flows, and packets. The appliances must
have ample storage capacity because they record and store
terabytes of data for days, weeks, or even months.
Key components
A full-featured Big Data Security Analytics deployment typically involves the following components:
✓ Physical appliances (see Figure 3-1) with throughput up to 10 Gbps per instance
✓ Virtual appliances that support VMware, Xen, and other virtualization platforms
✓ Big Data Security Analytics software that allows organizations to deploy the solution on their own server-class hardware
✓ A central manager appliance that provides centralized management and data aggregation for organizations that deploy multiple Big Data Security Analytics appliances, servers, or hosts
✓ Storage modules that expand data storage capacity for Big Data Security Analytics hosts in organizations that want to store and analyze data for longer periods
✓ Appliances that decrypt Secure Sockets Layer (SSL)-encrypted traffic before storage to detect SSL-encrypted threats (see “Large organizations,” later in this chapter)
Figure 3-1: Sample Big Data Security Analytics appliance.
Deployment strategies
Before it can capture network data, a Big Data Security
Analytics system must be capable of seeing that data.
Small to medium-size organizations
If your organization is small to medium-size, providing Big
Data Security Analytics capability is simple: Just route traffic from the switches’ SPAN ports directly to the Big Data
Security Analytics appliance or server (see Figure 3-2).
Then use the central management console to manage your
instances while the solution shares intelligence with a variety
of third-party, best-of-breed security tools.
Figure 3-2: Typical Big Data Security Analytics deployment architecture.
For the rest of this book, I use the term appliance in the
generic sense. Keep in mind, however, that Big Data Security
Analytics appliances can take the form of physical appliances,
virtual appliances, and software.
Large organizations
For large enterprises and government agencies, deploying a
Big Data Security Analytics solution is a little more involved.
Fortunately, high-end network TAPs called network packet brokers (NPBs) enable users to aggregate traffic from multiple switch SPAN ports (or basic TAPs) and direct that traffic to a single Big Data Security Analytics appliance (or server) at speeds up to 10 Gbps.
Organizations that want to extend the period for which data is
stored can use expandable storage modules.
One piece of the puzzle is missing, however: Advanced threats
that leverage SSL to mask exfiltrated data are extremely
common. Placing an SSL decryption appliance between the
network and your Big Data Security Analytics appliances
helps you mitigate those threats.
What Big Data Security Analytics Does
When your Big Data Security Analytics system is up and running, it begins to pay dividends immediately. Your organization
instantly has a record of every packet, flow, file, and application that traverses the network, which helps you identify and
mitigate advanced threats.
Analyzes all your data
Many users describe Big Data Security Analytics solutions
as being like DVRs for the network. Instead of recording TV
shows, however, the Big Data Security Analytics solution
records everything going in and out of your network. Like a
DVR, when a Big Data Security Analytics appliance runs out of
space, it begins to overwrite the oldest data first unless you
mark specific data for nondeletion.
Data from Big Data Security Analytics appliances is used to
reconstruct sessions, discover applications, and analyze
potential threats in the central manager console — the central
nervous system of your deployment — providing full security
visibility, rich threat intelligence, and powerful security analytics to uncover hidden threats (see Chapter 4).
Delivers advanced threat protection
No single network security technology can protect an organization from all advanced threats. Such protection requires
a concerted effort by people, processes, and technologies,
and even then, there are no guarantees. Big Data Security
Analytics, however, plays a pivotal role in the cause of
advanced threat protection.
In Chapter 4, I explore many of the underlying technologies that
support this cause. For now, here’s a high-level list of ways that
Big Data Security Analytics protects against advanced threats:
✓ Examining suspicious traffic: Leading Big Data Security Analytics systems leverage rules that alert users when they detect suspicious traffic, such as protocols that use nonstandard ports or traffic originating in countries commonly linked to advanced persistent threats (APTs), such as China, Russia, and Iran.
✓ Searching for traffic abnormalities: A good Big Data Security Analytics system can compare traffic on a network at varying points in time to detect abnormalities. A significant boost in FTP traffic from one day to another, for example, could be the result of unauthorized data exfiltration.
✓ Analyzing IP/URL reputation: Sometimes, threats are carried into the office on mobile devices (see Chapter 2). When malware calls out to a command-and-control (CnC) server that’s potentially associated with a botnet or an APT, the Big Data Security Analytics system can compare the destination with a blacklist of known malicious sites and trigger alerts if it finds any matches.
✓ Detecting malware: Better Big Data Security Analytics solutions continuously compute file hashes and maintain a database of known-good and known-bad files. When a known-bad file is detected, that file is quarantined, and IT is alerted. Leading solutions even ship suspicious or unclassified binaries off to an internal or external malware-analysis sandbox (a virtual machine configured to emulate key aspects of the target environment, such as the operating system and application associated with the file in question) to attempt to safely “detonate” the malware and observe its intended effects.
✓ Remediating detected threats: Whether a threat has been uncovered by the Big Data Security Analytics appliance or by some other network security device, it must be remediated before more damage is done. Big Data Security Analytics can help you determine exactly which hosts have been compromised and what, if any, data has been breached so that you know exactly where and how to respond.
Exploring Features
Now that you have a grasp of the components of a typical
Big Data Security Analytics solution and a frame of reference
for how the solution is deployed and how it functions, you’re
ready to explore the basic and advanced features of leading
Big Data Security Analytics products.
For a more comprehensive description of basic and advanced features, ask for a copy of Big Data Security For Dummies, courtesy of Solera Networks (a Blue Coat Company) (www.soleranetworks.com).
Basic features
Following are the basic features that you should expect to
find in even the most rudimentary Big Data Security Analytics
solution:
✓ Customizable dashboard: The dashboard (see Figure 3-3) is the primary interface for monitoring the Big Data Security Analytics system and investigating threats. The dashboard is accessed on individual appliances or as a central management console and can be customized based on the user’s role in the organization.
Figure 3-3: Sample Big Data Security Analytics web-based dashboard.
✓ Rules and alerts: Rules and alerts automate the process of discovering and responding to advanced threats. Prebuilt and customizable rules analyze and correlate your Big Data sources, looking for suspicious traffic and network abnormalities. When rules fire, alerts are sent to security analysts via e-mail and/or text messages.
✓ Comprehensive reporting: The reporting feature keeps information security management and compliance auditors informed by logging statistics and security events related to the security posture of the organization.
✓ Basic reputation services: These services use basic community threat intelligence to determine when network traffic is associated with known-bad URLs, IP addresses, and files. (See Chapter 4 for a list of community-based threat intelligence feeds.)
Advanced features
The following advanced features are available in leading Big
Data Security Analytics offerings:
✓ Geolocation: Geolocation (see Figure 3-4) enables users to view the origin, destination, and flow of network traffic. Users can also identify potentially suspicious traffic involving countries where the organization has no business dealings or countries that are commonly associated with APTs.
Figure 3-4: Geolocation view of external traffic sources.
✓ Root-cause exploration: This feature enables analysts to quickly identify sessions or files that caused a security event reported by an intrusion prevention system (IPS), next-generation firewall (NGFW), or other security device.
✓ Content reconstruction: This feature allows analysts to extract and reconstruct original documents (such as Microsoft Word documents and PDFs), image files (such as JPEGs and GIFs), web pages, e-mails, and chat sessions so that they can better identify threats and determine their impact.
✓ Real-time security analytics: Advanced heuristic detection, inferential and exception reporting, and visual data representations enable security analysts to uncover advanced threats in real time.
✓ Third-party integration: Third-party integration enables your Big Data Security Analytics system to share intelligence with your existing network security infrastructure.
✓ Advanced threat intelligence services: These services use best-of-breed threat intelligence sources to determine when network traffic is associated with known-bad URLs, IP addresses, files, and e-mail addresses. (See Chapter 4 for a list of advanced threat intelligence feeds.)
Integrating Big Data Security Analytics into Your Network
Integrating your Big Data Security Analytics solution into your
existing network security infrastructure can yield many benefits, including the following:
✓ Correlating threats with endpoint intelligence (operating systems, applications, and vulnerability status) to assess the effect of high-severity security events
✓ Rapidly determining the extent of damage (if any) related to security breaches
✓ Analyzing suspicious binaries and other file types through sandbox testing
✓ Collecting digital evidence to help law enforcement investigate network breaches
In the following sections, I discuss how Big Data Security
Analytics can integrate with specific security components.
SIEM integration
Security information and event management (SIEM) systems
seem to have reached critical mass: Almost every large enterprise and government agency has at least one. These tools are
invaluable for aggregating security intelligence from across
an organization and analyzing it to uncover threats that might
otherwise go undiscovered.
A SIEM gains most of its intelligence from log files and
events generated by security and network devices. Log data
is sufficient for responding to basic known threats, but to
investigate advanced threats security analysts must dig much
deeper into the source data pertaining to a suspected attack.
Some Big Data Security Analytics vendors provide application
programming interfaces (APIs) that combine with SIEM vendor
APIs for integration directly into the SIEM’s management
console. This allows security analysts to access raw packets
pertaining to the source and/or destination IP addresses of
suspicious traffic without ever leaving the SIEM’s management
console — a time-saving feature when time is of the essence.
IPS and NGFW integration
When an IPS or NGFW generates a high-severity or high-impact intrusion event related to an attack, security analysts
should respond quickly to determine whether the attack was
successful and, if so, what damage was done.
Integrating a Big Data Security Analytics system into an IPS
or NGFW saves security analysts valuable time and effort.
Integration with these systems is similar to SIEM integration
(see the preceding section). Analysts can query the Big Data
Security Analytics database for raw packets related to intrusion events right from the IPS or NGFW console.
Advanced malware analysis integration
Like Big Data Security Analytics, advanced malware analysis is
a relatively new category of network security technology. These
solutions identify suspicious files through a series of sophisticated algorithms and then attempt to “detonate” embedded malware in the safety of a sandbox present on a physical appliance,
on a customer-supplied server, or in the cloud.
Big Data Security Analytics complements advanced malware
analysis solutions in two ways:
✓ In many cases, analysts can launch Big Data Security Analytics queries directly from the advanced malware analysis console, just as they can from IPS, NGFW, and SIEM interfaces.
✓ Better Big Data Security Analytics solutions allow analysts to redirect suspicious files to advanced malware analysis appliances (or the cloud) for examination.
Some leading Big Data Security Analytics vendors offer their
own advanced malware analysis solutions. Better vendors let
organizations choose between on-premises and cloud-based
sandbox environments — or a hybrid of the two — depending
on the size of the organization, the sensitivity of inspected
files, and potential privacy laws such as those imposed by
certain European countries.
Universal connectors
If you’d like to integrate your Big Data Security Analytics solution into the management console of your network security
device, but the vendors don’t yet support that type of integration, ask your Big Data Security Analytics vendor whether it
offers a universal connector.
This connector lays a simple query interface over the web-based GUI of your device’s console. The connection isn’t
seamless, but it saves analysts valuable time because they
won’t have to switch consoles to launch simple queries.
Online retailer forecasts sunny days ahead
A large online retailer based in the United States invested millions of dollars in best-of-breed network and endpoint security defenses, including an advanced malware analysis system designed to detect unknown threats. Every day around lunchtime for two weeks, the malware analysis system triggered alerts related to the same piece of malware. As the system was designed only to detect malware, the security analysts had no way to investigate the source of the attacks.
Then the company acquired a Big Data Security Analytics solution from Solera Networks (a Blue Coat company — www.soleranetworks.com), which gave them the tools necessary for a thorough forensics investigation. By analyzing network traffic flowing to and from the internal hosts associated with the attacks, the online retailer quickly determined that the associated users were connecting to a popular local weather website each day during lunch. Analysts further concluded that the malware was being transmitted through malicious code embedded within one of the weather site’s banner ads. The retailer’s director of network security immediately contacted the weather website, which immediately replaced the infected banner ad.
By leveraging the powerful forensics capabilities of its new Big Data Security Analytics solution, the online retailer never saw that strain of malware again. The system’s innovative Solera Security Analytics Platform (formerly Solera DeepSee Platform) not only protected the retailer’s own network but also the computers of thousands of local businesses and households that connect to the local weather website each day.
Chapter 4
Exploring Big Data Security Analytics for Advanced Threat Protection
In This Chapter
▶ Touring Big Data Security Analytics technologies
▶ Finding malicious files in your network
Organizations are rapidly turning to Big Data Security Analytics to complement advanced malware analysis and other security solutions in a coordinated effort to detect and mitigate advanced threats. In this chapter, I dive into Big Data Security Analytics, reviewing some of the underlying technologies so you can gain a feel for how Big Data Security Analytics can help deliver advanced threat protection.
Understanding the Underlying Technologies
The best Big Data Security Analytics solutions available today comprise three categories (or themes) of technologies for advanced threat protection:
✓ Full security visibility
✓ Threat intelligence
✓ Security analytics
The following sections explore these technologies in detail.
Full security visibility
At its core, Big Data Security Analytics provides full security
visibility around the clock. It’s always on and always watching, like a closed-circuit video surveillance system for your
network. This unprecedented visibility enables IT to answer
key questions related to advanced threats, such as these:
✓ Are we under attack?
✓ How did the attacker get in?
✓ Where did the attack originate?
✓ Which systems were compromised?
✓ What, if any, data was exfiltrated?
✓ How was the data exfiltrated?
✓ Which users were affected?
✓ Is the attack over?
✓ How can we be certain this attack won’t happen again?
In the following sections, I review some of the key technologies that enable full security visibility.
Full packet capture
Every good Big Data Security Analytics solution begins with
full packet capture, although some rudimentary products
offer packet sampling due to limitations in throughput,
latency, and/or storage.
Many people liken a Big Data Security Analytics solution to a
closed-circuit video surveillance system that records video at
30 frames per second. But just imagine a system that records
still images once every few seconds. Sure, you save money in
the short run by not storing thousands of hours of recorded
video, but in the end, the organization you’re protecting is far
less secure.
Also, by capturing every packet, flow, application, and file that
traverses your network, you have the means to uncover exactly
what has transpired during a cyberattack so that your organization doesn’t overreact in its response, causing unnecessary
expense and embarrassment. (See the nearby sidebar “Right-sizing your advanced threat response” for further discussion.)
Right-sizing your advanced threat response
Imagine that you’re the director of network security for a credit-card processing company that oversees millions of transactions daily. Further imagine that your best security analyst just told you she’s certain that your core databases have been compromised by an advanced threat.
Without a Big Data Security Analytics system in place, you have no way of knowing the true extent of the damage. You don’t know whether the attacker stole 1,000 credit-card numbers, or 100,000, or even 100 million — and because you don’t know which numbers were stolen, you must assume that all of them were stolen and notify every potentially affected customer.
A Big Data Security Analytics solution (aside from preventing the breach in the first place) would have taken the guesswork out of determining the scope and material impact of the damage. In other words, with a Big Data Security Analytics system in place, you’d know exactly which credit-card numbers were stolen so that you could right-size your company’s response and resolution. Big Data Security Analytics helps you avoid treating a small breach as a huge disaster and allows you to notify only customers that were affected instead of worrying every single one of them.
Deep packet inspection
Beyond full packet capture, leading Big Data Security
Analytics solutions offer deep packet inspection to identify
applications by their vendor-supplied fingerprints (unique
characteristics). Such solutions can categorize applications
into dozens of families and identify more than 1,000 distinct
applications and protocols. For custom applications, users
can create their own application fingerprints.
Big Data Security Analytics appliances also extract various
metadata attributes such as e-mail addresses, website URLs,
instant-messaging usernames, search-engine queries, social
personas, HTTP servers, flow information, and many more —
enabling security analysts to get the context they need to
develop a vivid picture of all suspicious activity.
Indexing on Layers 2–7
Big Data Security Analytics classifies, indexes, and stores
all network traffic in a high-performance database for quick
search and retrieval. Each appliance stores rich, detailed
information, including packets, sessions, flows, files, and
applications. Depending on the specifications of the appliance, data can be stored for weeks or sometimes months.
Flexible security policies
Preferred Big Data Security Analytics systems enable users to
configure security policies to help them reduce the network’s
attack surface. Users may want to be alerted, for example,
when an application uses a nonstandard port, when FTP or
SSH transmissions originate from the finance department, or
when a BitTorrent application is used anywhere on the network, causing both security and performance concerns.
Session and application reconstructions
Effective Big Data Security Analytics solutions enable analysts
to view web pages and web-based applications exactly as
users originally saw them. Analysts can review instant messages and e-mails (with attachments) in their original forms,
which can be particularly useful in investigating the sources
of threats.
Physical and virtual security visibility
Advanced threats aren’t confined to physical networks. They
can just as easily emanate from virtual hosts, especially virtualization platforms that serve up virtual desktops. To maintain
complete network visibility, supplement your physical Big
Data Security Analytics appliances with virtual ones. Leading
vendors commonly support VMware ESX, Citrix XenServer,
Microsoft Hyper-V, and KVM.
Threat intelligence
Capturing, indexing, storing, and analyzing your network’s
Big Data are critical steps in uncovering advanced threats.
To be truly successful, however, you need another piece of
the Big Data Security Analytics puzzle: threat intelligence.
High-quality and dynamic threat intelligence helps take the
guesswork out of uncovering advanced threats by identifying
malware-infected files, locating botnet-infected hosts, isolating callback communications, and so on.
Intelligence cloud
When shopping for a Big Data Security Analytics solution,
evaluating the capabilities of physical and virtual appliances
is important, but it’s equally important to evaluate the threat
intelligence each vendor provides. Most vendors offer an
intelligence cloud (similar to Blue Coat’s WebPulse) so that
physical and virtual appliances are updated throughout the
day, every day, with updated threat intelligence, including:
✓ IP, URL, and DNS reputation and categorization feeds
✓ Botnet destinations
✓ Callback destinations
✓ Domain age reporters
✓ Known-good and known-bad file hashes (see “Identifying Advanced Threats within Files,” later in this chapter)
Whitelisting and blacklisting
Whitelists and blacklists are lists of items that are approved
and rejected, respectively, as they pertain to information
security. Sample items may include:
✓ IP addresses
✓ Website URLs
✓ File hashes
✓ Applications
✓ Protocols
Community-based threat intelligence
Some Big Data Security Analytics systems incorporate the
ability to import community-based threat intelligence into the
system. Examples of such intelligence feeds include:
✓ ClamAV
✓ Cuckoo
✓ Google Safe Browsing
✓ Robtex
✓ VirusTotal
Advanced threat intelligence
In addition to community-based threat intelligence, some Big
Data Security Analytics systems also incorporate best-of-breed,
advanced threat intelligence services into the system, such as:
✓ Blue Coat’s WebPulse
✓ Bit9
✓ Team Cymru
✓ Webroot
Security analytics
The hardest cyberattacks to detect contain unknown threats
targeting unknown vulnerabilities that communicate with
unknown (not blacklisted) hosts. Detecting these threats
takes a more-concerted effort involving security analytics: the
use of charts and graphs to represent data.
Following are three ways that security analytics can be used
to uncover hidden advanced threats.
Examination of suspicious traffic
Vigilant security professionals must be more than just Big
Data analysts; they must also be Big Data scientists. In other
words, sometimes you need to find answers to questions that
you didn’t even think to ask.
Suppose that you’re comparing yesterday’s network traffic volume with volume from a week ago. You may notice a
significant spike in FTP traffic from a network segment that
typically doesn’t use FTP, or you may stumble across a network flow with China that uses a nonstandard port you’ve
never seen. To reveal such patterns, your Big Data Security
Analytics solution must be equipped with a powerful analytics
engine that allows you to depict your Big Data search queries
in a variety of tables, charts, and graphs.
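The day-over-day comparison described here (and the "suspicious traffic" and "traffic abnormalities" rules listed in Chapter 3) as an added example, written for this page rather than taken from the book or any vendor product. It works over NetFlow-style records; every record, segment name, threshold and the allow-list of countries the organization does business with is constructed, and the "app" label is assumed to come from DPI fingerprinting.

```python
"""Baseline comparison over NetFlow-style records.

Added example; not code from the book or from any vendor product.
Every record, segment name, threshold and the list of countries the
organization does business with is constructed for illustration.
"""
from collections import defaultdict

# Ports on which DPI-identified applications are normally expected.
STANDARD_PORTS = {"ftp": {20, 21}, "ssh": {22}, "http": {80}, "https": {443}}

# Constructed allow-list: countries this organization has business dealings with.
BUSINESS_COUNTRIES = {"US", "DE", "GB"}

# Constructed flow records. "app" is the label DPI fingerprinting assigned,
# "dst_country" comes from IP geolocation; "ZZ" is a placeholder code.
BASELINE = [  # same weekday, one week earlier
    {"segment": "finance", "app": "https", "dst_port": 443, "dst_country": "US", "bytes": 50_000_000},
    {"segment": "engineering", "app": "ssh", "dst_port": 22, "dst_country": "DE", "bytes": 20_000_000},
]
CURRENT = [  # yesterday
    {"segment": "finance", "app": "https", "dst_port": 443, "dst_country": "US", "bytes": 55_000_000},
    {"segment": "finance", "app": "ftp", "dst_port": 21, "dst_country": "ZZ", "bytes": 120_000_000},
    {"segment": "engineering", "app": "ssh", "dst_port": 22, "dst_country": "DE", "bytes": 19_000_000},
    {"segment": "engineering", "app": "ssh", "dst_port": 8080, "dst_country": "DE", "bytes": 3_000_000},
]


def aggregate(flows):
    """Sum bytes per (segment, application) for one observation window."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["segment"], f["app"])] += f["bytes"]
    return totals


def volume_spikes(baseline, current, ratio=5.0, min_bytes=1_000_000):
    """(segment, app) pairs that grew more than `ratio` times versus the
    baseline, or that carried traffic where the baseline had none.
    Pairs below `min_bytes` are skipped so tiny flows cannot trip the ratio."""
    base, cur = aggregate(baseline), aggregate(current)
    findings = []
    for key, now in sorted(cur.items()):
        if now < min_bytes:
            continue
        before = base.get(key, 0)
        if before == 0:
            findings.append((key, "new", now))
        elif now / before > ratio:
            findings.append((key, f"x{now / before:.1f}", now))
    return findings


def nonstandard_ports(flows):
    """Flows whose identified application is not on its expected port."""
    return [f for f in flows
            if f["app"] in STANDARD_PORTS and f["dst_port"] not in STANDARD_PORTS[f["app"]]]


def unexpected_countries(flows, allowed=BUSINESS_COUNTRIES):
    """Flows whose geolocated destination is outside the business allow-list."""
    return [f for f in flows if f["dst_country"] not in allowed]


def review(baseline, current):
    """One pass an analyst might run each morning; returns the three finding lists."""
    return {
        "spikes": volume_spikes(baseline, current),
        "nonstandard_ports": nonstandard_ports(current),
        "unexpected_countries": unexpected_countries(current),
    }


if __name__ == "__main__":
    for kind, items in review(BASELINE, CURRENT).items():
        print(kind)
        for item in items:
            print("   ", item)
```

On the constructed data the finance segment's new 120 MB of FTP, the SSH session on port 8080 and the flow to the placeholder country are the three findings an analyst would pull the raw packets for.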
Relationship graphing
Another method of uncovering hidden threats is relationship
graphing. Here, the Big Data Security Analytics user constructs
search queries. Instead of displaying the data in tabular format,
the solution displays it graphically in relationship maps.
If a file stored on an internal file server, for example, turns out
to contain botnet-related malware that originated in Russia,
you can visually depict other users and hosts that accessed
the same file and connected to hosts in Russia.
Review of noncompliant traffic
Most enterprises and government agencies have acceptable-use policies (AUPs) for network resources. Enforcement of
those rules varies, however. Most organizations don’t even
monitor AUP compliance, mainly because they lack the tools
to do so — a mistake that can cost them dearly.
Big Data Security Analytics solves this challenge by providing
tools that allow IT to monitor the network continuously for
AUP compliance. If an AUP rule is violated, IT can determine
the severity, effect, and source of the violation.
Identifying Advanced Threats within Files
As I explain in Chapter 2, many advanced threats involve
social engineering attacks that trick users into opening files
contaminated with malware. To combat these threats, many
Big Data Security Analytics solutions include a threat-profiler
function that dynamically identifies and investigates suspicious files. Here’s how it works:
1. Preconfigured security policies detect files of interest within traffic flows, such as executable files from nontrusted web servers, or PDF or JAR files downloaded from domains less than 30 days old.
2. A real-time extractor reconstructs suspicious files in near real time.
3. File hashes are computed so that the file can be compared with blacklists and whitelists. If the file appears on a blacklist, the system generates an alert. If the file appears on a whitelist, no further action is taken.
4. The file is classified by type and passed to an appropriate handler for deeper analysis.
5. The handler generates a confidence score that rates the likelihood of the presence of malware in the file. If the score is below a certain threshold, no further action is taken or the file is placed on a watchlist for future analysis. If the score is above that threshold (the file is likely to be malicious), the system moves to Step 6.
6. The file is submitted to a malware detonator (sandbox) either in the cloud or on the premises. If the file is deemed malicious, an alert is generated, and the file is placed on a blacklist. If the file is deemed benign, it’s placed on a whitelist.
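The six-step threat-profiler flow above as an added example, written for this page and not taken from the book or any vendor product. The sample files, domain ages, hash lists, scoring weights, threshold and the sandbox stand-in are all constructed; a real deployment plugs in its own intelligence feeds and a real detonation sandbox.

```python
"""Threat-profiler triage for reconstructed files (Steps 1-6 above).

Added example; not code from the book or from any vendor product. Files,
domain ages, hash lists, weights, threshold and sandbox are constructed.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Extracted:
    """Step 2 output: a file rebuilt from the flow plus its download context."""
    name: str
    data: bytes
    domain_age_days: int     # from a domain-age feed (constructed values)
    trusted_server: bool     # from URL reputation / whitelists (constructed)


@dataclass
class HashLists:
    blacklist: set = field(default_factory=set)
    whitelist: set = field(default_factory=set)
    watchlist: set = field(default_factory=set)


def classify(data: bytes) -> str:
    """Step 4: type from leading magic bytes, never from the file extension."""
    if data.startswith(b"MZ"):
        return "exe"
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "jar"
    return "other"


def of_interest(f: Extracted) -> bool:
    """Step 1 policy: executables from non-trusted servers, or PDF/JAR files
    downloaded from domains less than 30 days old."""
    kind = classify(f.data)
    if kind == "exe":
        return not f.trusted_server
    return kind in ("pdf", "jar") and f.domain_age_days < 30


def score(f: Extracted, kind: str) -> float:
    """Step 5 handler: illustrative weights, 0.0 (benign) to 1.0 (malicious)."""
    s = 0.0
    if kind == "pdf":   # active content inside a PDF is the usual red flag
        s += 0.4 if b"/JavaScript" in f.data else 0.0
        s += 0.3 if b"/OpenAction" in f.data else 0.0
    elif kind == "exe":
        s += 0.5 + (0.3 if not f.trusted_server else 0.0)
    elif kind == "jar":
        s += 0.3
    if f.domain_age_days < 30:
        s += 0.2
    return min(s, 1.0)


def triage(f: Extracted, lists: HashLists, sandbox, threshold: float = 0.6) -> str:
    """Run one file through Steps 1-6; `sandbox(data) -> bool` is injected."""
    if not of_interest(f):
        return "ignored"
    digest = hashlib.sha256(f.data).hexdigest()          # Step 3
    if digest in lists.blacklist:
        return "alert:blacklisted"
    if digest in lists.whitelist:
        return "whitelisted"
    kind = classify(f.data)                               # Step 4
    if score(f, kind) < threshold:                        # Step 5
        lists.watchlist.add(digest)
        return "watchlist"
    if sandbox(f.data):                                   # Step 6
        lists.blacklist.add(digest)
        return "alert:sandbox-malicious"
    lists.whitelist.add(digest)
    return "whitelisted"


def fake_sandbox(data: bytes) -> bool:
    """Stand-in for detonation: flags PDFs carrying JavaScript and any PE image."""
    return data.startswith(b"MZ") or b"/JavaScript" in data


# Constructed samples. Contents are marker bytes only, not working documents.
SAMPLES = [
    Extracted("report.pdf", b"%PDF-1.4 plain text only", 900, True),
    Extracted("invoice.pdf", b"%PDF-1.7 /OpenAction /JavaScript", 5, False),
    Extracted("invoice.pdf", b"%PDF-1.7 /OpenAction /JavaScript", 5, False),  # repeat
    Extracted("tool.jar", b"PK\x03\x04 jar bytes", 10, False),
    Extracted("setup.exe", b"MZ pe bytes", 400, False),
]


def run_samples(sandbox=fake_sandbox):
    """Triage the samples in order with shared hash lists; returns the verdicts."""
    lists = HashLists()
    return [triage(f, lists, sandbox) for f in SAMPLES]
```

The second copy of invoice.pdf never reaches the sandbox: its hash was blacklisted by the first detonation, which is the point of Step 3 running before the costlier steps.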
When shopping for a Big Data Security Analytics solution, be sure that it provides robust advanced malware analysis capability, tightly integrates with best-of-breed sandboxing platforms, or both.
Big Data Security Analytics pays dividends to financial services firm
A large multinational financial services firm headquartered in New York City was in the headlines recently for all the wrong reasons: It was victimized by multiple high-profile APTs. The company’s chief information security officer (CISO) was familiar with two sets of network security technologies designed to detect APTs and other unknown cyberthreats: Big Data Security Analytics and advanced malware analysis solutions. He began evaluating the latter first.
The company initially purchased a handful of malware analysis appliances and began rolling them out at its primary data center. Not fully realizing the cost and complexity of a hardware-based malware analysis architecture within a multinational corporation, the company began searching for alternative solutions.
A trusted member of the CISO’s staff had implemented a Big Data Security Analytics solution from Solera Networks (a Blue Coat company — www.soleranetworks.com) for a previous employer with great success. Upon learning that Solera now offers both hardware- and cloud-based advanced malware analysis solutions — as part of the Solera Big Data Security Analytics technology — she recommended Solera to her CISO, who in turn initiated an onsite evaluation.
Through its built-in file traffic controller capability, the Big Data Security Analytics Platform (formerly Solera DeepSee Platform) can direct suspicious files to both the company’s recently acquired malware analysis appliances and to its own integrated sandbox technology.
Since deploying its Solera solution for advanced threat protection, alongside its Blue Coat solution for best-of-breed web security, the company has detected and mitigated hundreds of APTs — and kept itself out of the headlines.
Chapter 5
Advanced Threat Protection
Buying Criteria
In This Chapter
▶Knowing what to avoid when evaluating solutions
▶Creating a checklist of important buying criteria
▶Understanding what to look for
You have many things to consider when you evaluate a
Big Data Security Analytics solution for advanced threat
protection — so many, in fact, that I don’t have enough space
in this book to address them all.
Before highlighting the buying criteria that I feel are most
important, I’d like to point out the product characteristics
that you should avoid like the plague:
✓ Solutions that only sample network packets due to hardware constraints in processing power and/or storage capacity
✓ Physical appliances that can’t keep pace with today’s increasing network speeds
✓ Solutions that fail to provide or integrate with advanced malware analysis (sandbox) solutions
✓ Products that lack comprehensive threat intelligence updated continuously via the cloud
✓ Offerings that fail to provide insight into VM-to-VM (virtual machine to virtual machine) traffic within virtualization platforms
✓ Solutions with little-to-no vendor-supported integration into your existing security infrastructure and ecosystem
Now that you know what to avoid, read on to find out what
attributes you should look for when evaluating Big Data
Security Analytics offerings.
Full Packet Capture
If you’re serious about advanced threat protection, you must
acquire a Big Data Security Analytics solution that offers full
packet capture.
If you purchase a product that merely samples packets, you’ll
have an incomplete picture of the presence of advanced
threats on your network. Also, you certainly won’t be able
to take advantage of collaborating with advanced malware
analysis (sandbox) platforms, as you won’t have fully reconstructed suspicious files to redirect to them.
Multivector Threat Detection
and Correlation
Unfortunately, not all cyberthreats penetrate your network
through the perimeter. Some threats arrive via employee-owned mobile devices and portable media (see Chapter 2).
Even the unknown threats that bypass your perimeter defenses
don’t stick to one medium. Some take the form of e-mail attachments; others are embedded in files that users download from
the Internet.
This complexity means that it’s important to select a multivector solution that can process traffic feeds from all parts
of the network and correlate them against rich threat intelligence as part of the Big Data Security Analytics platform.
Advanced threats often communicate within Secure Sockets
Layer (SSL)-encrypted channels, especially when they’re calling back to the attacker’s server and exfiltrating stolen data.
Leading Big Data Security Analytics vendors offer, or integrate
with, stand-alone SSL decryption appliances (see Figure 5-1)
that decrypt SSL traffic before it’s stored on the Big Data
Security Analytics appliances.
Figure 5-1: Blue Coat’s SSL Visibility Appliance.
Virtual Platform Visibility
If you’re not capturing VM-to-VM traffic, you’re missing a
wealth of Big Data and potentially missing advanced threats.
To remedy this problem, preferred Big Data Security Analytics
vendors offer virtual appliances for popular virtualization
platforms, including VMware ESX, Citrix XenServer, Microsoft
Hyper-V, and KVM.
Virtual appliances offer features identical to those of their
physical counterparts and are limited only by the processing
power, memory, and disk space allocated to the hosting virtual machine. Data captured by virtual appliances is accessible through the central manager console, so security analysts
can query data from both physical and virtual networks from
one central location.
Comprehensive Threat Intelligence
A successful Big Data Security Analytics solution for advanced
threat protection not only needs to capture packets at the
speed of your network but also must include comprehensive,
reliable threat intelligence to help users uncover advanced
threats. (See Chapter 4 for lists of community and advanced
threat intelligence feeds.)
Better Big Data Security Analytics providers incorporate a
threat-detection engine within their solutions to enable automatic blacklisting (alerting) of traffic associated with known-bad IP addresses, URLs, and files. Even if you have an advanced
malware analysis solution defending your perimeter, threats
are sometimes hand carried right through the office door.
Vendor-supplied threat intelligence typically is distributed via
the cloud as regular updates throughout the day. When you
evaluate Big Data Security Analytics providers for advanced
threat protection, be sure to inquire about their threat intelligence, including their sources (both private and public) and
the frequency of updates.
File-Based Malware Detection
Advanced malware embedded in files is the leading cause of
APT incursions. Unsuspecting users open e-mail attachments
or click hyperlinks embedded in spear-phishing e-mails, often
out of sheer curiosity, opening up the network to a variety of
advanced threats.
Some vendors offer a threat-profiler capability to detect the
presence of advanced malware in files. These solutions generate hashes (fingerprints) for suspicious files, compare them
with blacklists and whitelists, and integrate with sandbox
technologies for deeper threat analysis. (For details on this
feature, see Chapter 4.)
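As an added worked example (not code from the book or from any vendor product), the hash-based triage workflow that the threat-profiler description above and the numbered steps at the end of Chapter 4 outline, in Python: fingerprint the file, consult the whitelist and blacklist, score anything unknown against a threshold, and either watchlist it or send it to a sandbox whose verdict feeds back into the lists. The threshold value, the scoring heuristic, the sandbox stand-in and all names are assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, List, Set

# Assumed threshold: unknown files scoring at or above this go to the sandbox.
THREAT_THRESHOLD = 50


@dataclass
class TriageState:
    """Lists the triage engine maintains (SHA-256 hex digests)."""
    whitelist: Set[str] = field(default_factory=set)   # known benign
    blacklist: Set[str] = field(default_factory=set)   # known malicious
    watchlist: Set[str] = field(default_factory=set)   # low-score unknowns kept for later analysis
    alerts: List[str] = field(default_factory=list)    # hashes that raised an alert


def fingerprint(data: bytes) -> str:
    """SHA-256 of the fully reconstructed file (full packet capture makes this possible)."""
    return hashlib.sha256(data).hexdigest()


def threat_score(data: bytes, source_reputation: int) -> int:
    """Constructed stand-in for a threat-intelligence score.
    A Windows PE header or a poor source reputation raises the score;
    real products draw on far richer intelligence. Only the threshold
    step that follows is the point of this example."""
    score = source_reputation
    if data[:2] == b"MZ":            # PE executable magic bytes
        score += 40
    return score


def triage(data: bytes, source_reputation: int, state: TriageState,
           sandbox: Callable[[bytes], bool]) -> str:
    """Run one file through the workflow and return the outcome:
    whitelisted, blacklisted, watchlisted, alert or cleared.
    `sandbox` is any callable returning True when the file is malicious."""
    h = fingerprint(data)
    # A hash already on a list needs no further work.
    if h in state.whitelist:
        return "whitelisted"
    if h in state.blacklist:
        state.alerts.append(h)
        return "blacklisted"
    # Step 5: score the unknown file; low scores are watchlisted, not detonated.
    if threat_score(data, source_reputation) < THREAT_THRESHOLD:
        state.watchlist.add(h)
        return "watchlisted"
    # Step 6: detonate in the sandbox. The verdict updates the lists so the
    # same file is never detonated twice.
    if sandbox(data):
        state.blacklist.add(h)
        state.alerts.append(h)
        return "alert"
    state.whitelist.add(h)
    return "cleared"


if __name__ == "__main__":
    # Constructed demo: a sandbox stand-in that keys on a marker string.
    st = TriageState()
    demo_sandbox = lambda d: b"MALICIOUS_MARKER" in d
    print(triage(b"%PDF-1.4 hello", 0, st, demo_sandbox))            # watchlisted
    print(triage(b"MZ" + b"\x00" * 10 + b"MALICIOUS_MARKER", 20, st, demo_sandbox))  # alert
```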
If you choose a Big Data Security Analytics provider for
advanced threat protection that doesn’t offer a solution for
mitigating advanced threats embedded in files, you may be
opening your network to advanced cyberattacks.
Even the best signature-based security solutions are helpless
when it comes to detecting unknown threats and malware
that target unknown, zero-day vulnerabilities. Files with such
embedded threats sail through traditional perimeter defenses
as though they weren’t even there.
Support for Continuous Monitoring
Networks and systems never stop changing. Cyberthreats
never stop changing either. With your network constantly in
flux, selecting an advanced threat protection solution that
supports continuous monitoring is critical.
All enterprises and government agencies must stay vigilant
against APTs and other advanced threats. Big Data Security
Analytics plays an important role in an effective continuous
monitoring strategy by offering the following services:
✓ Around-the-clock quantitative surveillance and inspection of all network activity and traffic to uncover hidden threats
✓ Timely, targeted, prioritized information that allows security decision-makers to identify and fix critical security events
✓ Risk mitigation for virtualization, cloud computing, transient mobile devices, and noncompliance with internal acceptable-use policies
The 2010 Federal Information Security Management Act, commonly referred to as FISMA 2.0, requires continuous monitoring of information systems as part of each federal agency’s
security program. Big Data Security Analytics solutions play
an important role in an effective continuous monitoring strategy (see the nearby sidebar). Be sure to select a solution that
can keep up with the speed of your network while performing
full packet capture within both physical and virtual network
environments.
The origin of continuous monitoring
The U.S. National Institute of Standards
and Technology (NIST) introduced the
term continuous monitoring in NIST
Special Publication 800-37, Revision
1, published in February 2010. At the
time, the term was associated primarily with vulnerability management
and security configuration management controls, rather than advanced
threat protection. Since then, federal
agencies have realized the benefits
that continuous monitoring brings to
the cause of detecting and mitigating
advanced threats.
Although continuous monitoring,
as defined by NIST, pertains to U.S.
federal agency networks, the spirit of
continuous monitoring has caught on
throughout commercial IT organizations as well.
To find out more about NIST’s view of the role of continuous
monitoring, download NIST Special Publication 800-37 at
http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137Final.pdf.
Extensive Third-Party Integration
Security products need to work together to share intelligence
in the common cause of cyberthreat defense. That concept is
an important criterion for evaluating a solution for advanced
threat protection.
When a Big Data Security Analytics solution integrates
directly into the management console of network security
devices — or at least into the web browser used to connect to
these consoles — security analysts save significant time and
effort in investigating advanced threats.
Also, by integrating with internal and/or external advanced
malware analysis (sandbox) solutions, your Big Data Security
Analytics solution can help identify suspicious files so that
analysts can determine whether advanced malware is present.
(For details on sandboxing and the role of Big Data Security
Analytics, see Chapter 3.)
If you find a so-called Big Data Security Analytics solution
that offers no integration with your network security infrastructure, stay away. It’s clearly not ready for prime time and
doesn’t provide effective advanced threat protection.
Enterprise Performance,
Scalability, and Reliability
For effective advanced threat protection, you need security
appliances that can keep pace with today’s network speeds
and high storage capacities to deliver full security visibility.
If your Big Data Security Analytics appliances can’t keep up
with the speed of your network, rip them out and replace
them. Otherwise, you’re effectively housing a bunch of rack-mounted paperweights in your network’s data center.
Leading Big Data Security Analytics vendors offer purpose-built appliances that can capture all packets, files, and flows
at speeds up to 10 Gbps and store 100TB of data or more on
a single appliance. These appliances are reliable, too, featuring dual, hot-pluggable, redundant power supplies and RAID 5
storage for added fault tolerance.
Ease of Use
An information security product may have every feature
that you could want, but if it’s too difficult to use, you might
as well throw it away. The same is true of Big Data Security
Analytics products for advanced threat protection.
When you’ve drawn up your short list of vendors, put their
products to the test. Specifically, evaluate how easy it is to
perform everyday tasks such as these:
✓ Monitoring the dashboard for security alerts
✓ Generating canned and custom reports to satisfy the needs of IT management and external security auditors (see Figure 5-2)
✓ Customizing packet queries based on IP address, date, and time
✓ Creating sample security policies that correspond to your network’s acceptable-use policy
Figure 5-2: Sample Big Data Security Analytics report charts.
Also, inspect the quality of each product’s documentation.
Administrator guides always come in handy, regardless of
how easy a product is to use.
Responsive Customer Support
An often-overlooked buying criterion is the quality of each
vendor’s customer support. You can actually evaluate the
quality of a vendor’s support offerings before you’ve purchased its products.
Unless a vendor refuses to take your call or respond to your
e-mails during the evaluation phase (which should raise a red
flag anyway), evaluating the responsiveness, technical accuracy, and professionalism of a customer-support organization
is both possible and necessary.
Even if you’re not experiencing technical difficulties during
the evaluation phase, make up a few reasons to contact each
vendor’s support department. Ask for help generating a
report, find out the best way to investigate an alert, or seek
advice on creating security policies that correspond to your
acceptable-use policies.
Don’t ask all your questions at the same time, and ask them via
phone and e-mail on different days to address different issues
so you can see how well they respond to each approach.
By the time you finish asking your questions, you’ll have a
pretty good idea of the level of service provided by each
vendor’s customer-support department, which should have
a significant effect on your vendor selection process.
Chapter 6
Ten Best Practices for
Advanced Threat Protection
In This Chapter
▶Figuring out where and how to get started
▶Taking advantage of your vendor’s Big Data Security Analytics expertise
▶Getting the most out of your investment
When you’ve narrowed down your vendor short list and
made your selection, it’s time to start implementing
your Big Data Security Analytics solution as part of a comprehensive advanced threat protection strategy.
But where do you begin? This chapter provides ten best practices that can really help.
Leverage Your Vendor’s Expertise
Although Big Data Security Analytics hasn’t been around
nearly as long as firewalls and intrusion prevention systems
have, it’s been around plenty long enough for vendors to
know the right ways and the wrong ways to implement it for
advanced threat protection.
A great place to start is to ask the vendor’s consulting team
to make sure that your Big Data Security Analytics solution is
installed and configured properly so that you can start detecting advanced threats from day one. Your vendor (or your
reseller, if it’s experienced enough) can help you with important tasks such as these:
✓ Selecting the optimal number and type of physical and/or virtual appliances
✓ Determining where to install your appliances to capture the most important traffic
✓ Using network TAPs and network packet brokers (NPBs) to aggregate traffic from multiple network segments and direct it to your Big Data Security Analytics appliances
✓ Configuring reports that satisfy IT management and the demands of external security auditors
✓ Leveraging reputation-based blacklists to alert upon identification of traffic associated with known-bad IP addresses, known-bad URLs, or malware-infected files
✓ Configuring your Big Data Security Analytics system to automatically ship suspicious files off to internal and/or external advanced malware analysis (sandboxing) systems
✓ Establishing whitelists so that files known to be free from malware are cleared from advanced malware analysis
✓ Constructing security policies that help IT monitor and enforce your organization’s acceptable-use policies
✓ Ensuring that your Big Data Security Analytics appliances don’t miss hidden threats embedded within Secure Sockets Layer (SSL)-encrypted communications
✓ Showing you how to identify network anomalies that may lead to advanced threats
✓ Showing you how to investigate the cause and effects of a reported cyberattack, discover the extent of damage, and determine whether the attack is still underway
✓ Preserving digital evidence that law enforcement can use to prosecute cybercriminals
✓ Integrating your Big Data Security Analytics solution into your existing security ecosystem for comprehensive advanced threat protection — from enforcement, to assurance, and to remediation
Yes, vendors are absolutely motivated by profit, but in my
experience, their professional services consultants are not.
These consultants are highly motivated, well educated, and
fully capable of maximizing your Big Data Security Analytics
investment to perform advanced threat protection tasks that
you never knew were possible.
Achieve 20/20 Security Visibility
Some people have compared installing a Big Data Security
Analytics appliance on a network to wearing prescription eyeglasses for the first time. Before, your sight was blurry; now
you have 20/20 vision.
Here are a few tips that can help you achieve perfect security
visibility across all of your network segments, physical and
virtual:
✓ Use network packet broker devices (high-end network TAPs) to aggregate traffic from multiple switch SPAN ports into a single Big Data Security Analytics appliance (or a group of load-balanced appliances). This technique broadens visibility and also saves money in the long run because you don’t have to purchase more Big Data Security Analytics appliances when you run out of available network interfaces.
✓ Acquire one or more stand-alone SSL appliances to decrypt SSL traffic before the data is stored by your Big Data Security Analytics appliances. This method ensures that you won’t miss advanced threats embedded in encrypted SSL communications.
✓ Install Big Data Security Analytics virtual appliances not only to view traffic between virtual machines but also to facilitate rapid deployment to smaller branch offices.
✓ Leverage the threat intelligence provided by your Big Data Security Analytics provider. Enable blacklists to flag traffic associated with known-bad IP addresses, known-bad URLs, and malicious files. Without automated threat intelligence and a threat-profiling engine to leverage it, searching for advanced threats is like trying to find a needle in a haystack.
✓ If your Big Data Security Analytics system has only enough capacity to store network data for a few days, acquire additional storage modules so that you can retain data for weeks or months before it’s overwritten.
If it’s configured properly, a Big Data Security Analytics
system can provide unprecedented visibility into advanced
threats, unknown malware, and targeted attacks. Simply put,
you’ll see things that you never could see before.
Understand That CRIME Pays
When your Big Data Security Analytics system is up and running, and you’ve achieved complete 20/20 security visibility,
a nifty acronym — CRIME — can help you remember the five
steps of advanced threat protection:
✓ Context: If you don’t know what you’re protecting, how do you stand a chance of protecting it? Big Data Security Analytics provides the context you need so that you can turn complexity into actionable insight, configure your network security defenses properly, and reduce your network’s surface area of attack.
✓ Root cause: When your network security device triggers an alert, you must respond quickly to verify the source of the associated attack.
✓ Impact: After determining the root cause, you need to gauge the material impact of the attack so that you can assign IT security resources appropriately and begin to answer critical post-attack questions. If a Windows-based exploit targets a Linux host, for example, there’s no real cause for alarm. But if that same exploit targets a Windows host and the associated vulnerability hasn’t yet been patched (or is unknown), the damage could be severe, requiring immediate attention.
✓ Mitigation: When a threat has been designated as critical, you must mitigate it immediately by configuring host and/or network security settings to stop the attack and ensure that it never occurs again. This process may be as simple as patching the target system (and other systems like it) or shutting down a port on the firewall.
✓ Eradication: When the attacker’s path has been shut down for good, the final step is eradicating the threat by determining whether any other hosts have been compromised and, if so, to what extent. You may find malware on a host victimized by a phishing attack, for example, but if the attack took place two weeks ago, the attack may very well have spread laterally.
Determining which additional hosts have been compromised is a painstaking goal, but it’s one that you can — and must — achieve through the proper use of your Big Data Security Analytics system.
Discover Your Application
Landscape
The more applications you have running on your network, the
higher the likelihood that you’ll be victimized by an advanced
threat because many applications contain vulnerabilities that
attackers can exploit remotely.
To reduce your network’s surface area of attack, know what
applications are running on your network — whether or not
they’re approved for use on the network. I call this process
knowing your application landscape.
When you know what applications are running, you’re better
equipped to configure your network security defenses to
defend against corresponding vulnerabilities. Then, when you
see an unusual application that has no business being there,
you may identify an attack that’s already in progress.
Applications are sometimes configured to use nonstandard
ports that may already be open on your firewall. It’s important
to use your Big Data Security Analytics solution to discover
and identify unauthorized applications and close any gaps that
could be used by advanced threats. Leading Big Data Security
Analytics solutions have the capability to discover thousands
of applications and protocols so that you can make sure that
only trusted applications are running in your network.
Engage Your CSIRT Team
These days, savvy security analysts know that it’s no longer
a question of whether your network will be victimized by an
advanced threat; it’s a question of when. Although you certainly hope for the best, always plan for the worst.
Part of the planning process is knowing how to respond when
an advanced threat is detected. Large enterprises and government agencies commonly employ a computer security incident response team (CSIRT) that can be called at a moment’s
notice to investigate potential cyberthreats.
Comprehensive and efficient incident response is a tenet of
Big Data Security Analytics solutions. As such, sophisticated
incident responders and security analysts rely on Big Data
Security Analytics for quick and thorough resolution of security incidents.
Make sure that each member of the CSIRT team has been thoroughly trained in all the capabilities of your Big Data Security
Analytics solution because when they’re responding to an
advanced threat, time is of the essence.
Plan for Performance
and Scalability
Selecting the right Big Data Security Analytics solution for
advanced threat protection means ensuring that the solution
meets your performance and scalability needs.
Performance relates to the system’s capability to capture,
record, and index packets at the speed of your network and
to display data quickly and accurately in dashboards, reports,
and search queries.
Scalability relates to the system’s capability to aggregate and
record traffic from all physical and virtual network segments
(or at least the segments you most want to monitor) and then
make that data accessible for a certain period, depending on
your requirements. Most Big Data Security Analytics users
design their systems to store network data for one month, but
additional storage can make data accessible for two or three
months, or even more.
Automate Discovery of
File-Embedded Threats
As I discuss throughout this book, most APTs involve advanced
malware embedded in files to exploit vulnerabilities in operating systems and applications. To mitigate these threats, select
a Big Data Security Analytics solution that includes malware
detonation (sandbox) technology or at least can integrate
directly with third-party solutions. This technique (see
Chapter 5) is an effective way to uncover advanced threats
embedded in files that don’t appear in your Big Data Security
Analytics system’s whitelists or blacklists.
Even if you’ve purchased a stand-alone sandboxing solution
for detecting advanced threats, it may not be designed to
detect threats embedded in files on mobile computing devices
or USB thumb drives carried into the office by unsuspecting
employees. If you combine this solution with a compatible
Big Data Security Analytics system — using the export facility
in your Big Data Security Analytics solution to automatically
send suspicious files to your sandboxing solution — you’ll
have far more success in detecting advanced threats.
Constantly Monitor Anomalies
Information security analysts can be divided into two types:
those who lean back and those who lean forward. Those who
lean back are simply waiting for security alerts to pop up on
the dashboard so that they can respond to them. Those who
lean forward are actively looking for suspicious traffic and
network anomalies, such as FTP use on a restricted network
segment, a deluge of inbound connection requests from
another country, or a major spike in outbound traffic from a
sensitive database in the middle of the night.
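As an added example (not from the book), the three lean-forward anomalies just named written as detection rules over constructed flow records in Python: FTP on a restricted segment, a deluge of inbound connections from one foreign country, and a night-time outbound spike from a sensitive database host measured against its own daytime baseline. The network ranges, host roles, thresholds, the country code ZZ and the record layout are all assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List

# Assumed environment facts for this example.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
RESTRICTED_SEGMENT = ip_network("10.50.0.0/24")   # FTP is not permitted here
SENSITIVE_DB_HOSTS = {"10.20.0.15"}                # database servers
HOME_COUNTRY = "US"
INBOUND_DELUGE = 100        # inbound flows from a single foreign country
NIGHT_HOURS = range(0, 6)   # 00:00-05:59
SPIKE_FACTOR = 10           # night bytes_out vs. the host's daytime per-flow average

# Constructed flow records (not real traffic). Country ZZ is a placeholder.
# Layout: ts src dst dport proto bytes_out src_country
SAMPLE_FLOWS = """
2013-05-01T14:05:00 10.20.0.15 10.10.0.8 1433 tcp 20480 US
2013-05-01T15:20:00 10.20.0.15 10.10.0.9 1433 tcp 30720 US
2013-05-01T02:10:00 10.20.0.15 198.51.100.7 443 tcp 524288000 US
2013-05-01T09:30:00 10.50.0.9 10.60.0.20 21 tcp 4096 US
2013-05-01T10:00:00 10.10.0.3 10.10.0.4 80 tcp 1000 US
""" + "\n".join(
    f"2013-05-01T11:{i % 60:02d}:00 203.0.113.{i % 250 + 1} 10.10.0.8 22 tcp 60 ZZ"
    for i in range(120)   # 120 inbound connection attempts from one country
)


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int
    src_country: str


def parse_flows(text: str) -> List[Flow]:
    """Parse the whitespace-separated record layout above; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, nbytes, country = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport),
                          proto, int(nbytes), country))
    return flows


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def find_anomalies(flows: List[Flow]) -> List[str]:
    """Return one alert string per anomaly, in detection order."""
    alerts = []
    inbound_by_country = Counter()
    day_bytes = defaultdict(list)   # daytime bytes_out per sensitive host
    for f in flows:
        # Rule 1: FTP with either endpoint inside the restricted segment.
        if f.dport == 21 and (ip_address(f.src) in RESTRICTED_SEGMENT
                              or ip_address(f.dst) in RESTRICTED_SEGMENT):
            alerts.append(f"ftp-on-restricted-segment {f.src}->{f.dst}")
        # Rule 2 bookkeeping: inbound flows per foreign source country.
        if (not is_internal(f.src) and is_internal(f.dst)
                and f.src_country != HOME_COUNTRY):
            inbound_by_country[f.src_country] += 1
        # Rule 3 baseline: daytime volume per sensitive database host.
        if f.src in SENSITIVE_DB_HOSTS and f.ts.hour not in NIGHT_HOURS:
            day_bytes[f.src].append(f.bytes_out)
    for country, n in inbound_by_country.items():
        if n >= INBOUND_DELUGE:
            alerts.append(f"inbound-deluge {country} {n} flows")
    # Rule 3: night-time outbound traffic from a sensitive host far above baseline
    # (any night-time outbound flow is flagged when no baseline exists).
    for f in flows:
        if (f.src in SENSITIVE_DB_HOSTS and f.ts.hour in NIGHT_HOURS
                and not is_internal(f.dst)):
            samples = day_bytes[f.src]
            baseline = sum(samples) / len(samples) if samples else 0
            if baseline == 0 or f.bytes_out > SPIKE_FACTOR * baseline:
                alerts.append(f"night-outbound-spike {f.src} {f.bytes_out} bytes "
                              f"at {f.ts.isoformat()}")
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```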
Every IT organization has plenty of lean-back users who are
waiting for blinking red lights to appear on their screens.
There is a difference between no sign of infection and a sign
of no infection. The former represents a lean-back approach,
and the latter represents a lean-forward approach. Be sure
to cultivate a few lean-forward Big Data Security Analytics
users who know how to look for network anomalies and other
advanced threat indicators because they may save your
bacon one day.
Strengthen Your Infrastructure
A good Big Data Security Analytics solution fights advanced
threats and also strengthens your existing network security
infrastructure by simplifying the process of investigating
security alerts from IPS, secure e-mail and web gateways, and
next-generation firewall (NGFW) devices.
By leveraging application programming interfaces from both
your Big Data Security Analytics vendor and your security-device vendors, you can instantly query traffic captured by
your Big Data Security Analytics appliances right from your
other vendors’ management consoles — reducing query
time from several minutes to just a few seconds by zooming
directly into the data set of an event without trying to comb
through or stitch together disparate data.
This time savings may not seem like much, but security analysts investigate hundreds of cyberattacks on a daily basis,
so it adds up quickly. Integration also helps security analysts
respond to high-priority cyberthreats much faster when time
is of the essence.
For a quick review of how Big Data Security Analytics integrates with network security products, flip back to Chapter 4.
Train for Success
It doesn’t take a degree in rocket science to learn how to use
a Big Data Security Analytics system for comprehensive and
effective advanced threat protection. However, better offerings incorporate several methods for detecting advanced
threats, and they often provide the means to integrate with
your existing security infrastructure to save time and
improve your network’s security posture.
To ensure that you’re getting the most value from your investment, it’s wise to have your Big Data Security Analytics vendor
deliver formal, hands-on training, either on site at your location
or in a classroom environment, to teach your staff how to use
the system for effective advanced threat protection.
Knowledge is power. The more you know, the better chance
you have of staying ahead of your cyberadversaries. After all,
it’s getting rough out there.
Glossary
advanced persistent threat (APT): A sophisticated cyberattack that employs advanced stealth techniques to remain
undetected for extended periods. APTs usually target governments or commercial entities for the purposes of espionage or
long-term reconnaissance.
advanced targeted attack (ATA): See advanced persistent threat.
advanced threat: An unknown cyberthreat that is difficult or
impossible for traditional security tools to detect. They often
target unknown OS and application vulnerabilities.
adware: Software unknowingly installed by users that automatically displays advertisements to generate revenue for its
author.
baiting: A social-engineering attack in which physical media
containing malware is deliberately left in proximity to a targeted organization’s facilities, where it may be found and later
accessed by curious victims.
basic threat: A known cyberthreat that traditional security
tools can easily detect.
Big Data: A collection of data sets so large and complex that it
becomes awkward to work with in traditional database management and analysis tools.
Big Data Security Analytics: A system that captures and
stores an organization’s Big Data sources relevant to information security for the purposes of uncovering cyberthreats by
interpreting data displayed within tables, charts, and graphs.
blended threat: A cyberattack that employs multiple attack
vectors and multiple types of malware to increase the severity
of damage and the speed of contagion.
bot: An infected computer controlled by a remote server for
the purpose of disrupting other computers or stealing data.
See also botnet and command-and-control (CnC) server.
botnet: A network of Internet-connected computers with
breached security defenses that a malicious third party may
control. See also bot.
buffer overflow: An attack that exploits a flaw in an application that
copies more data into a fixed-size memory buffer than the buffer can hold. The excess data overwrites adjacent memory, such as a saved
return address or function pointer, which lets the attacker crash the program or redirect it to execute code of the attacker’s choosing.
command-and-control (CnC) server: A computer operated by
an attacker to control distributed malware via the Internet.
The attacker’s purpose is to use the CnC server to send commands to compromised computers.
cybercriminal: An attacker who hacks for profit rather than
political gain.
denial of service (DoS) attack: An attack intended to disrupt or disable a targeted host or service by exhausting its resources, typically by flooding it with more connection or service requests than it can handle. When the flood comes from many compromised hosts at once (see botnet), it is called a distributed denial of service (DDoS) attack.
file hash: The result of an algorithm that maps a file of any length to
a short, fixed-length value (sometimes called a fingerprint), such as
an MD5 or SHA-256 digest, so that files can be identified and compared
quickly. Any change to the file, even a single byte, produces a different hash.
hacktivist: A hacker who uses computers and computer networks as a means to protest and/or promote political ends.
keylogger: A program that records the keystrokes on a computer, often without the user’s knowledge. Keyloggers are
useful for stealing usernames and passwords.
malnet: A distributed malware network comprised of unique
domains, servers, and websites maintained by cybercriminals
to launch a variety of cyberattacks against Internet users over
extended periods of time.
malware: Malicious software (such as a computer virus,
worm, or Trojan) created to disrupt computer operations,
gather sensitive information, or gain access to private computer systems. See also spyware, Trojan, and worm.
phishing: An attempt to acquire personal information (such as
usernames, passwords, and credit-card details) by masquerading as a trustworthy entity. See also spear phishing and whaling.
polymorphic threat: Malware that modifies its own code on each new
infection or execution, so that each copy has a different file hash and appearance, making it more difficult for signature-based antimalware
programs to detect.
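As an added example (not code from the original book or from Blue Coat), the following Python shows the two glossary entries above working against each other: a file hash is computed in chunks and matched against a blocklist of known-bad fingerprints, and a simulated polymorphic variant of the same payload slips past that match. The sample bytes, file names, and function names are constructed for this example.

```python
import hashlib

# Constructed sample "files" for this example: byte strings standing in for
# files on disk. None of this is real malware or from the original page.
SAMPLE_FILES = {
    "dropper.bin": b"MZ\x90\x00" + b"fake dropper body " * 2000,   # ~36 KB
    "notes.txt": b"quarterly planning notes\n",
}


def file_hash(data, algorithm="sha256", chunk_size=64 * 1024):
    """Return the hex digest of `data`, feeding it to the hash in fixed-size
    chunks the way a scanner streams a file from disk. The digest length
    depends only on the algorithm, never on the size of the input."""
    h = hashlib.new(algorithm)
    for offset in range(0, len(data), chunk_size):
        h.update(data[offset:offset + chunk_size])
    return h.hexdigest()


def build_blocklist(known_bad):
    """Map hash -> label for known-bad samples: the fingerprints a
    signature-based tool distributes instead of the files themselves."""
    return {file_hash(data): label for label, data in known_bad.items()}


def classify(data, blocklist):
    """Hash a candidate file and look it up. Returns the label or None."""
    return blocklist.get(file_hash(data))


def polymorphic_variant(data):
    """Simulate the simplest possible polymorphic change: the payload is
    unchanged, only a single byte of padding is appended. Real polymorphic
    malware rewrites or re-encrypts its body, but the effect on a hash
    lookup is the same."""
    return data + b"\x00"


def demo():
    """Run the blocklist against the original sample, its variant, and a
    benign file, and return the verdicts plus digest lengths."""
    blocklist = build_blocklist({"dropper.bin": SAMPLE_FILES["dropper.bin"]})
    original = SAMPLE_FILES["dropper.bin"]
    variant = polymorphic_variant(original)
    return {
        "digest_len_small": len(file_hash(SAMPLE_FILES["notes.txt"])),
        "digest_len_large": len(file_hash(original)),
        "original_verdict": classify(original, blocklist),
        "variant_verdict": classify(variant, blocklist),
        "benign_verdict": classify(SAMPLE_FILES["notes.txt"], blocklist),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both the 25-byte note and the 36 KB sample produce a 64-character SHA-256 digest, and the original sample is caught, but the one-byte variant is not. That brittleness is the reason hash blocklists are only a first, cheap filter; behavior-based techniques such as sandboxing are what catch the variant.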
remote administration tool (RAT): A program that allows a
remote operator to control a system as though she had physical access to it. RATs are commonly used in APT attacks.
sandboxing: A technique that executes (“detonates”) a suspected
malicious file or URL inside an isolated environment, typically a virtual machine, and records its behavior so it can be classified without endangering production systems.
spear phishing: A phishing attempt directed toward a specific
organization or person(s) within that organization. See also
phishing and whaling.
spyware: A type of malware that collects information about
users, with or without their knowledge.
SQL injection: A technique used to attack databases through
a website or web-based application. Fragments of SQL syntax are placed in a web form field or URL parameter; if the application concatenates that input into a SQL statement instead of passing it as a bound parameter, the database executes the attacker’s altered statement, which can bypass authentication or read and modify data.
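The following Python is an added example, not code from the original book or from Blue Coat. It builds a small in-memory SQLite users table (constructed sample data) and shows a login check written the vulnerable way, with form input spliced into the SQL text, beside the parameterized form that the definition above contrasts it with. The function and table names are chosen for the example.

```python
import sqlite3

# Constructed sample data for this example (not from the original page).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: form input is spliced into the SQL text, so
    quotes and comment markers in the input become part of the statement."""
    query = (
        "SELECT username FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Hardened form: the statement is fixed and the values are bound as
    parameters, so input is only ever compared as data, never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def demo():
    """Run the same inputs through both versions; return which accounts each
    version would grant access to."""
    conn = make_db()
    # Payload 1: close the string literal and comment out the password check.
    bypass_user = "alice'--"
    # Payload 2: make the WHERE clause always true, matching every account.
    bypass_pass = "' OR '1'='1"
    return {
        "vuln_comment": login_vulnerable(conn, bypass_user, "wrong"),
        "vuln_always_true": login_vulnerable(conn, "alice", bypass_pass),
        "safe_comment": login_safe(conn, bypass_user, "wrong"),
        "safe_always_true": login_safe(conn, "alice", bypass_pass),
        "safe_real": login_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {granted}")
```

With the vulnerable query, `alice'--` logs in as alice with any password, and `' OR '1'='1` as the password matches every row. The parameterized query treats both payloads as literal strings and returns nothing, while the real credentials still work. (Python’s sqlite3 `execute` runs only one statement, so the stacked-query variant of the attack, appending `; DROP TABLE ...`, is not demonstrated here.)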
state-sponsored threat: A threat in which attackers are
employed by a nation-state (such as China) to commit espionage
against government and commercial entities for political gain.
Trojan: A type of malware that masquerades as a legitimate
file or helpful application with the ultimate purpose of granting a hacker unauthorized access to a computer.
whaling: An attack directed to senior executives and other
high-profile targets within businesses. See also phishing and
spear phishing.
worm: A form of malware that exploits vulnerabilities in
operating-system or network protocols to propagate copies of
itself on other computers connected to the same network or
to USB mass-storage devices connected to the infected PC.
zero-day threat: A cyberattack on an unknown operating-system or application vulnerability. The attack occurs on day
zero of awareness of the vulnerability, when neither a patch
nor a threat-detection signature exists.