InfraGard NJ 2007 - New Jersey InfraGard


Accelerating Incident Response With Network Forensics Techniques
NJ InfraGard
November 2007
Nick Lantuh
President
NetWitness Corporation
Today’s Threat Landscape - Commercial
(Underground forum price list shown on the slide, translated from Russian)
VISA, MasterCard USA (with cvv2 code)
Quantity          Identification    Price in $USD
5-50              available         5.0
51-100            available         4.5
101-500           available         4.0
501-1000          available         3.0
1001-5000         available         2.0
more than 10000   available         write to us
Call for bulk pricing info!
If you need more than 10000 cards, contact us; you will get a separate discount.
Copyright 2007 NetWitness Corporation
TJX Hack Basics
• Use of the WEP protocol allowed attackers to target at least one of
their sites and gain network access
– WEP has had known problems for years
– Should have been using WPA or VPN in accordance with
standard practices
• Hackers exploited vulnerabilities to place malicious code
on TJX servers and used this platform to achieve desired
goals
Today’s Threat Landscape - USG
China Hack Basics
• Spear phishing attack as entry point due to good network
layer perimeter security
• End user weaknesses permitted initial entry points
• Various techniques used:
– non-HTTP over port 80
– non-DNS over port 53
– non-SSL over port 443
Subsequent Hacker Mechanisms Likely
Used Following Initial Compromise
• Reconnaissance
• Command and control
• Communications
• Data exfiltration
• Clean-up
Insider Threats Are Compelling Too
• Enterprises also face important internal issues:
– Protection of PII, PHI, R&D, classified data
– Personnel/HR and Legal problems and concerns
– Regulatory and policy compliance
– Counterintelligence / counter-competitive
– Achieving management control objectives
• Internal actors can include:
– Disgruntled employees
– Employees misusing I/T assets
– Criminals
– Espionage
– Compromised technology assets (e.g., bots)
Current State of Incident Response
• Typical security investments focus on detection of a
specific problem set, known issues, or known threats
– But what about the unknowns like “designer malware”?
– And how do you find problems that are not flagged by your
existing technologies and processes?
• Treating “problems” individually is myopic
– Network traffic contains a common truth and insights about
a variety of interrelated problems
– Network traffic can be recorded once and reused
forensically many times for a variety of mission objectives
• Today’s discussion will focus on using these techniques
to enhance the incident response approach
Fully Understanding Network Traffic: An Effective Approach
• NetWitness NextGen provides a “record once / re-use many times” infrastructure and the application framework to achieve Total Network Knowledge
• Many current technologies are antiquated and constrained by a myopic focus on a singular problem set – current challenges require a new generation of solutions
• Protection of corporate data in motion requires robust and diverse network monitoring to cope with threats from many dimensions
• NextGen provides unique investigative applications – both interactive and automated, which leverage a patented high speed data capture infrastructure, and an extensible application development platform
Architecture
• Record, decode, and resessionize all network traffic
• Extract metadata and model ALL network, application and user layer characteristics for collected traffic
• Roll-up enterprise metadata as appropriate
• Ensure forensic validity, chain of custody
(Diagram: Live Network Capture via Span Port / Tap feeds the Decoders, which feed a Concentrator)
NetWitness Investigator (INTERACTIVE)
Know Your Network Like NEVER Before
• Layer 7 Analytics
– Pure data stored as it occurred
– Data presented as the user experienced (Web, Voice, Files, Emails, Chats, etc.)
– Supports massive data-sets
• Full Context
– Infinite freeform analysis paths
– Content/Context starting points
– Specialized metadata paths, such as PII
• Instantly navigate 100’s of gigabytes
• Scalable to multi-TB data stores
• Decrease time to resolution
– Analysis that once took days, now takes minutes
NetWitness Informer (AUTOMATED)
Enterprise Reporting and Alerting
• Informer builds upon the power of Investigator and the NextGen infrastructure
• Automates the review of huge sets of captured data
• Facilitates Total Network Knowledge
• Ships with 100’s of rules and canned reports
• Completely customizable to your environment and needs
Session Analysis Benefits
• Typical methods
– Port based identification; example: Port=80 is web traffic
– IP based identification; example: IP=216.178.38.116 is myspace
• Port agnostic method
– If a packet contains IRC structure in the payload then it IS IRC traffic
– Important because so much traffic is designed to run over common ports such as 80, 443, 25, 53, etc.
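The port-agnostic method above, and the “non-HTTP over 80 / non-DNS over 53 / non-SSL over 443” techniques from the China Hack Basics slide, come down to the same check: decide what a session is from its payload and compare that with what the port claims. The following is an added example, not NetWitness code; the sessions, addresses and payloads are constructed for illustration, and the content matchers (HTTP request line, TLS record header, IRC command, SMTP greeting, DNS query header) are deliberately simple.

```python
"""Port-agnostic protocol identification for captured sessions.

Added example, not NetWitness code. It contrasts the port-based guess
(port 80 = web) with a look at the first payload bytes of each session,
and flags sessions whose content does not match the port: non-HTTP over
80, non-SSL over 443, non-DNS over 53. All sessions are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Session:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent in this session


PORT_TABLE = {80: "http", 443: "ssl", 53: "dns", 25: "smtp"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
# IRC client commands at the start of a line, optionally preceded by ":prefix ".
IRC_RE = re.compile(rb"^(?::\S+ )?(NICK|USER|PASS|JOIN|PRIVMSG|PING|PONG)\b", re.IGNORECASE)


def by_port(session):
    """What the destination port alone would suggest."""
    return PORT_TABLE.get(session.dport, "unknown")


def looks_like_dns_query(p):
    # 12-byte header: ID, flags (QR=0 and opcode 0 for a plain query),
    # QDCOUNT=1, then a first label length of 1..63.
    return (len(p) > 12 and (p[2] & 0xF8) == 0
            and int.from_bytes(p[4:6], "big") == 1 and 1 <= p[12] <= 63)


def by_content(session):
    """What the payload itself says, regardless of port."""
    p = session.payload
    if p.startswith(HTTP_METHODS):
        return "http"
    # TLS record header: content type 0x16 (handshake), version 3.x
    if len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x03:
        return "ssl"
    if IRC_RE.match(p):
        return "irc"
    if p[:5].upper() in (b"EHLO ", b"HELO "):
        return "smtp"
    if looks_like_dns_query(p):
        return "dns"
    return "unknown"


def classify(sessions):
    """One record per session; 'mismatch' is set when the port claims a
    known protocol but the content is something else (or unrecognised)."""
    out = []
    for s in sessions:
        guess, actual = by_port(s), by_content(s)
        out.append({"src": s.src, "dst": s.dst, "dport": s.dport,
                    "by_port": guess, "by_content": actual,
                    "mismatch": guess != "unknown" and actual != guess})
    return out


# Constructed sample sessions (RFC 5737 documentation addresses).
SAMPLE_SESSIONS = [
    Session("10.0.0.5", "198.51.100.10", 80,
            b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Session("10.0.0.23", "203.0.113.7", 80,
            b"NICK user4421\r\nUSER u 0 * :u\r\nJOIN #ch\r\n"),      # IRC over 80
    Session("10.0.0.5", "198.51.100.10", 443,
            b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x01"),        # TLS ClientHello start
    Session("10.0.0.23", "203.0.113.7", 443,
            b"POST /report HTTP/1.0\r\nContent-Length: 9\r\n\r\nhost=ws23"),  # plain HTTP over 443
    Session("10.0.0.5", "10.0.0.2", 53,
            b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
            b"\x07example\x03com\x00\x00\x01\x00\x01"),              # real DNS query
    Session("10.0.0.23", "203.0.113.9", 53,
            b"\xde\xad\xbe\xef" + b"\x00" * 8 + b"OK"),              # not DNS at all
    Session("10.0.0.5", "198.51.100.44", 6667,
            b"NICK alice\r\nUSER alice 0 * :Alice\r\n"),            # IRC on its usual port
]


def mismatched(records=None):
    """Sessions worth an analyst's attention: content disagrees with port."""
    records = classify(SAMPLE_SESSIONS) if records is None else records
    return [r for r in records if r["mismatch"]]


if __name__ == "__main__":
    for r in classify(SAMPLE_SESSIONS):
        flag = "  <-- content/port mismatch" if r["mismatch"] else ""
        print(f"{r['src']} -> {r['dst']}:{r['dport']} port says {r['by_port']:7s} "
              f"content says {r['by_content']:7s}{flag}")
```

Note that a session whose port is not in the table (6667 here) is never a mismatch; it is simply identified by content. A session on port 80 whose payload matches nothing is still flagged, because “non-HTTP over 80” is exactly the case the slides describe.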
Technology – Beyond Signatures to Knowledge
• To face today’s threats and issues, technologies must provide KNOWLEDGE to address questions that can be answered from network data:
– Why are employees running non standard traffic over ports?
– Does the event need to be flipped to an Incident?
– What is the magnitude of this incident?
– How was an attack or breach conducted?
– Who’s contacting our competitors and how?
– Why is our top destination a foreign IP address?
– How is specific data leaving our organization?
– Who is using Skype to transfer files out of our network?
• Packet headers, logs and high level data do not provide enough information to answer these questions
Illustrations
Better Business Bureau Phishing
Scam
• Two company execs (President & VP) at NetWitness
received emails claiming that complaints were made against
them and the company
• Email instructed recipients to open Word attachment for
instructions on how to resolve the complaint
(“Document_for_Case.doc”)
• Executives identified emails as suspicious and did not open
• Attachment analyzed using a virtual system (VMWare) & open
source tools (Sysinternals, Ollydbg, Hex Workshop, etc.)
Suspicious email
Suspicious attachment gets more suspicious
• An embedded PDF file inside the Word attachment looks even more fishy
• Alarm bells should be going off at this point
Unsophisticated Delivery Mechanism
More bad karma
• Adobe Reader issues an error
• Malicious code executed in background
• “update443.exe” downloaded from http://64.17.184.98/cs/scripts
Malicious executable “update443.exe” hosted on a church website in Kentucky (graceofholland.org)
“update443.exe”
• Binary file compressed using Ultimate Packer for Executables (UPX) / format: WIN32/PE – a self-extracting binary compressor favored by malware writers
• Evidence of binary compression is a good indicator that it will probably do bad things to your system
• Stepped through uncompressed executable using open source debugger “Ollydbg”
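The slide's point that binary compression is itself an indicator can be checked statically before any debugging. The following added example (not NetWitness code, and not an analysis of update443.exe) parses a PE file's section table with the standard library and reports three packing indicators: UPX-style section names, executable sections with near-maximal byte entropy, and an executable section that is empty on disk but large in memory. The two PE images it inspects are constructed in the script itself so that it runs offline; real samples would be read from disk with `open(path, "rb").read()`.

```python
"""Static indicators of a packed PE file (UPX section names, high-entropy
executable sections).

Added example, not NetWitness code and not the analysis of
update443.exe itself. It parses only the PE section table with the
standard library; the two sample files are tiny constructed PE images.
"""
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
# Section names written by UPX (the packer named on the slide) and two other
# packers; the list is illustrative, not exhaustive.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".petite"}


def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty or uniform, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    sections = []
    for i in range(nsect):
        (name, vsize, _vaddr, rawsize, rawptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        raw = data[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "virtual_size": vsize, "raw_size": rawsize,
                         "entropy": entropy(raw),
                         "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE)})
    return sections


def packing_indicators(data):
    """Human-readable reasons to suspect the file is packed (empty if none)."""
    hits = []
    for s in pe_sections(data):
        if s["name"] in PACKER_SECTION_NAMES:
            hits.append(f"section {s['name']!r} is a known packer section name")
        if s["executable"] and s["entropy"] >= 7.0:
            hits.append(f"executable section {s['name']!r} has entropy "
                        f"{s['entropy']:.2f} (compressed or encrypted code)")
        if s["executable"] and s["raw_size"] == 0 and s["virtual_size"] >= 0x10000:
            hits.append(f"section {s['name']!r} is empty on disk but large in "
                        f"memory (typical unpacking destination)")
    return hits


def build_pe(sections):
    """Constructed minimal PE image from (name, characteristics, raw_bytes, virtual_size)."""
    opt_size = 224                                   # PE32 optional header size
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (hdr_len + 511) // 512 * 512           # 512-byte file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table, blobs, vaddr = b"", b"", 0x1000
    for name, chars, raw, vsize in sections:
        ptr = raw_ptr + len(blobs) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             len(raw), ptr, 0, 0, 0, 0, chars)
        blobs += raw
        vaddr += -(-max(vsize, 1) // 0x1000) * 0x1000
    image = dos + coff + opt_size * b"\0" + table
    return image + b"\0" * (raw_ptr - len(image)) + blobs


# Constructed samples: a UPX-style layout and a plain unpacked layout.
PACKED_SAMPLE = build_pe([
    (b"UPX0", 0xE0000080, b"", 0x20000),                   # empty on disk, big in memory
    (b"UPX1", 0xE0000040, bytes(range(256)) * 4, 0x2000),  # dense "compressed" code
    (b".rsrc", 0xC0000040, b"\0" * 256, 0x100),
])
CLEAN_SAMPLE = build_pe([
    (b".text", 0x60000020, b"\x55\x8b\xec\xc3" * 64, 0x100),
    (b".data", 0xC0000040, b"\0" * 64, 0x40),
])

if __name__ == "__main__":
    for label, img in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, packing_indicators(img) or ["no packing indicators"])
```

The entropy threshold is the more general of the three checks: a packer that renames its sections still has to store compressed or encrypted code somewhere, and that data looks random. Legitimate software is sometimes packed too, so treat these as triage indicators, not a verdict.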
“update443.exe” Analysis
• Malware makes registry changes to ensure persistence after reboot
– Adds registry keys for new service “UpdateManager”
“update443.exe” Analysis
• Malicious code injected into IEXPLORE.EXE process; runs as “SYSTEM” vs. user-level
• Malicious DLL “update.dll” hooked into running IEXPLORE.EXE process, and any new instances of IEXPLORE.EXE processes
Beacon Activity
• Beaconing activity is obvious because of short time delay (~7 seconds)
• Much harder to detect beacons with large time delays (i.e. one packet / hour)
• Begins after malware is retrieved, extracted, installed & running
• A “phone home” to report in with machine name & logged in user
• DEMONSTRATION
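The regularity that makes a ~7 second beacon obvious can be measured rather than eyeballed. The following added example (not NetWitness code; the connection records and addresses are constructed) groups connections by source, destination and port and scores how regular the gaps between them are. It also demonstrates the slide's caveat: the same logic misses an hourly beacon in a short capture simply because there are too few samples, and only finds it once the capture window is long enough.

```python
"""Periodic-connection (beacon) detection over connection records.

Added example, not NetWitness code. Records are constructed tuples
(timestamp in seconds, src, dst, dport). For every (src, dst, dport)
pair it measures how regular the gaps between connections are: a low
coefficient of variation (stdev / mean) with enough samples is the
beacon signal. The second capture shows the slide's caveat: an hourly
beacon needs a much longer capture window before it has enough samples.
"""
import math
from collections import defaultdict


def find_beacons(records, min_samples=5, max_cv=0.15):
    """Return {(src, dst, dport): stats} for pairs whose connection
    intervals are regular enough to look like a beacon."""
    times = defaultdict(list)
    for ts, src, dst, dport in records:
        times[(src, dst, dport)].append(ts)
    found = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_samples:
            continue  # too few connections to judge regularity
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = sum(gaps) / len(gaps)
        if mean <= 0:
            continue
        stdev = math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps))
        cv = stdev / mean
        if cv <= max_cv:
            found[key] = {"count": len(ts_list), "mean_interval": mean, "cv": cv}
    return found


JITTER = [0.1, -0.2, 0.3, -0.1, 0.0]   # small, deterministic timing noise


def beacon_records(src, dst, dport, period, count, start=0.0):
    """Constructed: `count` connections roughly `period` seconds apart."""
    return [(start + period * i + JITTER[i % len(JITTER)], src, dst, dport)
            for i in range(count)]


# Constructed short capture (RFC 5737 addresses): a ~7 s beacon, one host
# browsing irregularly, and an hourly beacon seen only three times.
SHORT_CAPTURE = (
    beacon_records("10.0.0.23", "203.0.113.7", 443, period=7, count=17)
    + [(t, "10.0.0.5", "198.51.100.20", 80)
       for t in (0, 3, 3.5, 40, 41, 95, 96, 97, 200)]
    + [(3600.0 * i, "10.0.0.9", "203.0.113.9", 80) for i in range(3)]
)
# The same hourly beacon over a 12-hour capture: now it has enough samples.
LONG_CAPTURE = [(3600.0 * i, "10.0.0.9", "203.0.113.9", 80) for i in range(13)]


if __name__ == "__main__":
    for name, cap in (("short", SHORT_CAPTURE), ("long", LONG_CAPTURE)):
        for key, st in find_beacons(cap).items():
            print(f"[{name}] {key[0]} -> {key[1]}:{key[2]} every "
                  f"{st['mean_interval']:.1f}s ({st['count']} hits, cv={st['cv']:.3f})")
```

The thresholds are the trade-off the slide hints at: lowering `min_samples` finds slow beacons sooner but lets regular legitimate traffic (update checks, mail polling) through, so in practice the hits are a starting point for the session-level analysis the rest of the deck describes, not an alert on their own.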
Bad News DNS
• Lots of bad uses for DNS by state-sponsored hackers
and organized crime
• Dynamic DNS
– Used for spear-phishing attacks and obfuscation of other
data exfiltration activities
• Use of DNS as a covert channel
– Hiding of non-DNS traffic in what appears to be DNS
packets
• DEMONSTRATION
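Hiding data inside what looks like valid DNS shows up in the query names themselves: one domain suddenly receives many distinct, long, high-entropy subdomains. The following added example (not NetWitness code) scores each registered domain on exactly those three properties over a constructed set of queries, including a content-distribution domain with many short subdomains that must not be flagged. Approximating the registered domain as the last two labels is an assumption made for brevity; a real deployment would consult a public-suffix list.

```python
"""Heuristic for data hidden in DNS-shaped queries (DNS tunnelling).

Added example, not NetWitness code. Query names are constructed; the
'registered domain' is approximated as the last two labels, which is
an assumption (no public-suffix list is consulted). Per domain it
counts distinct subdomains and measures their average length and
character entropy: a tunnel pushes many unique, long, high-entropy
labels through one domain, which ordinary name lookups do not.
"""
import hashlib
import math
from collections import Counter, defaultdict


def char_entropy(text):
    """Shannon entropy of a string in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_query(qname):
    """('subdomain part', 'registered domain') using the last-two-labels assumption."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def domain_stats(queries):
    """Per registered domain: distinct subdomains, mean subdomain length, entropy."""
    subs = defaultdict(set)
    for q in queries:
        sub, dom = split_query(q)
        subs[dom].add(sub)
    stats = {}
    for dom, names in subs.items():
        nonempty = [s for s in names if s]
        mean_len = sum(len(s) for s in nonempty) / len(nonempty) if nonempty else 0.0
        stats[dom] = {"unique_subdomains": len(nonempty),
                      "mean_subdomain_len": mean_len,
                      "entropy": char_entropy("".join(nonempty).replace(".", ""))}
    return stats


def tunnel_suspects(queries, min_unique=10, min_len=30, min_entropy=3.5):
    """Domains whose subdomain traffic looks like an encoded data channel."""
    return {dom: st for dom, st in domain_stats(queries).items()
            if st["unique_subdomains"] >= min_unique
            and st["mean_subdomain_len"] >= min_len
            and st["entropy"] >= min_entropy}


def constructed_tunnel_queries(n=20):
    """Constructed: hex-encoded chunks as labels under one domain, the shape
    a tunnelling client produces when it encodes outbound data into names."""
    out = []
    for i in range(n):
        chunk = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:48]
        seq = hashlib.sha256(f"seq-{i}".encode()).hexdigest()[:16]
        out.append(f"{chunk}.{seq}.tunnel-example.org")
    return out


# Constructed query log: ordinary lookups, a CDN with many short subdomains,
# and the tunnel-shaped traffic.
SAMPLE_QUERIES = (
    ["www.example.com"] * 5 + ["mail.example.com"] * 3 + ["example.com", "ns1.example.com"]
    + [f"img{i}.cdn-example.net" for i in range(12)]
    + constructed_tunnel_queries()
)


if __name__ == "__main__":
    suspects = tunnel_suspects(SAMPLE_QUERIES)
    for dom, st in domain_stats(SAMPLE_QUERIES).items():
        flag = "  <-- tunnel suspect" if dom in suspects else ""
        print(f"{dom:22s} unique={st['unique_subdomains']:3d} "
              f"len={st['mean_subdomain_len']:5.1f} H={st['entropy']:.2f}{flag}")
```

Note that the CDN domain passes the uniqueness test but fails on length and entropy, which is why the heuristic uses all three measures together. Query volume per domain and the ratio of TXT/NULL record types are natural additional signals; the raw “not really DNS on port 53” case is the content check shown in the session-analysis example rather than this one.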
Virus/Worm Outbreak
• Zero-Day Incident
– Large enterprise of 40,000 users is experiencing network
degradation.
– Anti-virus & IDS were silent.
– Traffic flow monitors show increased volume from 100's of
hosts.
• DEMONSTRATION
Final Thoughts and Conclusions
Who Needs This Solution?
• CIO / CSO / CISO
– Convergence of network and application layer reporting giving insight
and knowledge into behavior on the network
• Compliance / Risk Officer
– Data Leakage
– Compliance verification
– Non-malicious network waste and abuse is recognized immediately for
comparison to company business rules and policies
• Investigator / General Counsel
– Insider Threat
– eDiscovery
– Intensive/Deep Analysis
– Reconstruction of malicious attacks, such as SQL injection, IRC bots, and Windows vulnerability exploitation, through quick and accurate analysis
• Security & Network Operations
– Orders of magnitude increase in speed to analysis: virus outbreaks, BOTnets, network anomalies, network health insights, etc.
– Advanced Analysis Capabilities for Incident Response Teams permitting faster identification and resolution of events and problems
Summary
• Today’s threat and compliance landscape requires a new generation
of network monitoring that goes way beyond log files and simple
content review techniques
• NetWitness NextGen provides a powerful record once, re-use many
times infrastructure that permits users to easily and quickly search
across terabytes of data
• NextGen can lower the risks to your information assets by providing
a much higher level of assurance regarding your ability to defend
against threats
• NextGen improves response time and increases the overall
likelihood of problem detection, lowering the potential impact of
problems
Thanks for your time!
For a copy of this presentation, please email me:
[email protected]
(703) 608-3323