Continuous Forensic Analytics - Information Systems Security

Continuous Forensic Analytics –
Issues and Answers
April 14, 2015
Start Time: 9am US Pacific
/12 noon US Eastern/ 5pm
London Time
Sponsored by:
#ISSAWebConf
Welcome
Conference Moderator
Matthew Mosley
Director of Product Management, Symantec
NOVA Chapter, ISSA Web Conference Committee
Speaker Introduction
• Dipto Chakravarty, Altamira, Open Source Security Expert
• Tyrone Wilson, Novetta, Cyber Security Senior Analyst
• Remember to type your question in the Chat area of your screen. You may need to click on the double arrows to open this function.
Continuous Forensic Analytics
Issues and Answers
Dipto Chakravarty
[email protected]
April 14, 2015
Topics
• CFA: a new toolset that has emerged to accelerate the IR process and respond to threats with agility
• Forensics 101
• Analytics 101
• Continuous FA
• Call to action
Forensics 101
STEP 1: Preparation – identifies the purpose and resources
STEP 2: Acquisition – pinpoints the sources of evidence
STEP 3: Analysis – extracts, collects and analyzes evidence
STEP 4: Reporting – documents and presents the evidence
Cyber forensics is the practice of analyzing digital information in the form of evidence that is legally admissible. As a case in point, Sony's PlayStation Network underwent digital and cyber forensics to ensure the ongoing safety of its 53 million users after experiencing a DDoS incident a few months ago.
Forensics 202
[Slide: four analysis quadrants laid out on two axes, MACHINE / USER and INSIDE / RUNTIME]
Behavior Analysis
• Network connections
• Registry changes
• Files & processes
Code Analysis
• Packed code
• TLS callbacks
• Risky APIs
Environmental Analysis
• Closed source
• Mixed source
• Open source
Memory Analysis
• Hidden processes
• Malicious drivers
• Passive shells
Analytics 101
ANALYTICS
• What is likely to happen?
• Discovers patterns from data using ML, clustering, etc.
ANALYSIS
• Why did something happen?
• Converts the data deluge into intelligence and provides visualization
Analytics 202
[Slide: three bird photographs captioned #1 – Eagle et al., #2 – Swan et al., #3 – ????]
A child can master pattern recognition to identify the birds, but a computer still can't do it right consistently for simple patterns.
What’s Continuous in CFA
• Extended enterprise drives CFA
• Data Centers without walls need CFA
• Resources – internal vs. external
• Technologies – proprietary vs. open
• Services – insourced vs. outsourced
• Endpoints – de/perimeterized
• Insider threat == Outsider threat
• Continuous vs. layered forensics
Threat Stages in CFA
Denial
Disruption
Degradation
Deception
Destruction
• The cyber attack "kill chain" has to be watchlisted
• It has to be quarantined before it can be mitigated
• A targeted attack has distinct stages that must be understood
• Visualization is one of the precursors to continuous forensics
Steps Needed for CFA
• Use cases for what's taken, from where, and when
• Capture "just enough" network pcap data
• Anonymize the user & extract metadata
• Gamify to reconstruct user sessions
• Simulate the real-life scenario
• Map source and destination IP (SIP, DIP) addresses
• Payload information
  – Via structured queries
Sources:
SandStorm, Altamira
www.d3js.org library
Skills Required for CFA
IA DevOps
• Acquire new skills
• Upgrade current skills
• Invest in training
• Implement solutions instead of tools
[Chart: skills plotted by TIME (horizontal) against EFFECTIVENESS (vertical), grouped from basic skills through desired skills to innovative skills. Skills shown include networking fundamentals, system administration, scripting, data parsing with regex, software vulnerabilities, sandbox, hacking techniques, security software design, secure design knowledge, data mining, malware analysis, visualization, certification, machine learning, streaming analytics, RT data streaming, performance metrics, policy automation and programmatic restoration.]
Visualize Analytics vs. Analysis
[Slide: screenshot of a Lumify log-timeline visualization. The log rows shown are reconstructed below in syslog form (month, day, time, host, message; BSD syslog timestamps carry no year).]
Jun 17 09:42:30 diptoc ifup: Determining IP information for eth0...
Jun 17 09:42:35 diptoc ifup: failed; no link present. Check cable?
Jun 17 09:42:35 diptoc network: Bringing up interface eth0: failed
Jun 17 09:42:38 diptoc sendmail: sendmail shutdown succeeded
Jun 17 09:42:38 diptoc sendmail: sm-client shutdown succeeded
Jun 17 09:42:39 diptoc sendmail: sendmail startup succeeded
Jun 17 09:42:39 diptoc sendmail: sm-client startup succeeded
Jun 17 09:43:39 diptoc vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:45:42 diptoc last message repeated 2 times
Jun 17 09:45:47 diptoc vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:56:02 diptoc vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 diptoc vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 diptoc vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 diptoc vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:00:03 diptoc crond(pam_unix)[30534]: session opened for user root by (uid=0)
Jun 17 10:00:10 diptoc crond(pam_unix)[30534]: session closed for user root
Jun 17 10:01:02 diptoc crond(pam_unix)[30551]: session opened for user root by (uid=0)
Jun 17 10:01:07 diptoc crond(pam_unix)[30551]: session closed for user root
Jun 17 10:05:02 diptoc crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
Jun 17 10:05:05 diptoc crond(pam_unix)[30567]: session closed for user idabench
Jun 17 10:13:05 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
Jun 17 10:13:05 diptoc portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
Jun 17 10:14:09 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 diptoc portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:14:09 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 diptoc portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:21:30 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:21:30 diptoc portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:28:40 diptoc vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 diptoc vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 diptoc vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:45 diptoc vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:30:47 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 diptoc portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:30:47 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 diptoc portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:35:28 diptoc vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:35:31 diptoc vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:38:51 diptoc vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:38:52 diptoc vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:42:35 diptoc vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:42:38 diptoc vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Sources:
Lumify, Altamira, lumify.io
Gephi, gephi.github.io
[Slide: Lumify graph visualization linking people (Zarka de Mexico, Ismael Garcia, Joaquin Guzman…, Patraca, Emma Coronel, Javier Felix), places (Mexico City, Mazatlan), phone numbers and dates in February 2014.]
Source: Lumify, Altamira
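The log rows on the slide are the kind of input the "Audit logs to unravel stealth data correlation" and "Anonymize the user & extract metadata" steps operate on. The following is an added example by the editor, not code from the talk or from Altamira: it parses an excerpt of those rows, expands syslog's "last message repeated N times" compression so counts reflect what actually happened, pseudonymizes the host field with a keyed hash (the key is an assumption for the example), and runs two small analytics: a per-source summary of portsentry scan alerts and the DHCP lease bindings that tie an address to a MAC.

```python
"""Parse the syslog rows from the slide, expand repeat markers, anonymize, and summarize."""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Excerpt of the log rows shown on the slide (BSD syslog timestamps carry no year).
LOG = """\
Jun 17 09:43:39 diptoc vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:45:42 diptoc last message repeated 2 times
Jun 17 09:56:02 diptoc vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 diptoc vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 diptoc vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 diptoc vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:05:02 diptoc crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
Jun 17 10:05:05 diptoc crond(pam_unix)[30567]: session closed for user idabench
Jun 17 10:13:05 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
Jun 17 10:13:05 diptoc portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
Jun 17 10:14:09 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 diptoc portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:21:30 diptoc portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:21:30 diptoc portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
"""

SYSLOG = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?:(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: )?(?P<msg>.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times$")
PORTSENTRY = re.compile(r"attackalert: (?P<kind>UDP|TCP) scan from host: (?P<src>[\d.]+)/[\d.]+ "
                        r"to (?P=kind) port: (?P<port>\d+)")
DHCPACK = re.compile(r"^DHCPACK on (?P<ip>[\d.]+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})")


def parse_syslog(text: str) -> List[Dict]:
    """One dict per event. A "last message repeated N times" marker is replaced by N copies
    of the preceding event, stamped with the marker's time and flagged, so that counts and
    timelines reflect what happened rather than syslog's compression."""
    records: List[Dict] = []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        rec = {"ts": f"{m['mon']} {m['day']} {m['time']}", "host": m["host"],
               "prog": m["prog"], "pid": m["pid"], "msg": m["msg"], "repeated": False}
        rep = REPEAT.match(rec["msg"])
        if rep and records:
            for _ in range(int(rep.group(1))):
                records.append({**records[-1], "ts": rec["ts"], "repeated": True})
        else:
            records.append(rec)
    return records


def anonymize_host(host: str, key: bytes) -> str:
    """Keyed pseudonym: stable for the same host, not reversible without the key (assumed)."""
    return "h-" + hmac.new(key, host.encode(), hashlib.sha256).hexdigest()[:12]


def scan_summary(records: List[Dict]) -> Dict[str, Dict]:
    """Per source host: number of portsentry scan alerts, ports probed, first and last time."""
    per: Dict[str, Dict] = {}
    for r in records:
        m = PORTSENTRY.search(r["msg"]) if r["prog"] == "portsentry" else None
        if not m:
            continue  # "already blocked ... Ignoring" notices carry no new port
        e = per.setdefault(m["src"], {"scans": 0, "ports": set(), "first": r["ts"], "last": r["ts"]})
        e["scans"] += 1
        e["ports"].add(int(m["port"]))
        e["last"] = r["ts"]
    return per


def dhcp_leases(records: List[Dict]) -> List[Tuple[str, str, str]]:
    """(time, ip, mac) for every DHCPACK: the evidence binding an address to a machine."""
    out = []
    for r in records:
        m = DHCPACK.match(r["msg"])
        if r["prog"] == "vmnet-dhcpd" and m:
            out.append((r["ts"], m["ip"], m["mac"]))
    return out


if __name__ == "__main__":
    recs = parse_syslog(LOG)
    key = b"per-investigation-secret"  # assumption: kept outside the evidence set
    for r in recs:
        r["host"] = anonymize_host(r["host"], key)
    print(len(recs), "events,", sum(r["repeated"] for r in recs), "reconstructed from repeat markers")
    for src, e in scan_summary(recs).items():
        print(f"{src}: {e['scans']} scan alerts on ports {sorted(e['ports'])} ({e['first']} .. {e['last']})")
    print(dhcp_leases(recs))
```

The repeat expansion matters in practice: without it, the 09:43:39 DHCPINFORM counts once when three were logged, and any frequency-based analytic downstream is fed the wrong numbers.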
CFA – Why Now?
• Reports show over 1,300 breaches from 63,000 incidents in 95 countries annually … and growing!
• Lots of alarms, some containments … few solutions
[Figures: "Forensic incident classification patterns over time" and "Top 10 types of security incidents that caused breaches"]
Source: Verizon DBIR 2014 report
Details Behind Cyber Forensics
Briefing available from ISSA. Presented on August 14, 2014
Summarizing Continuous Forensics Analytics
• Assess what is looming behind the user activity patterns
• Analyze the data remnants in transient states
• Audit logs to unravel stealth data correlation
• Assert usage of content and patterns in context
• Answer the hard stuff:
  – "the known knowns" → Facts
  – "the known unknowns" → Questions
  – "the unknown knowns" → Intuitions
  – "the unknown unknowns" → Exploration
Thank You!
Dipto Chakravarty
On G+, Y!: diptoc On Tw: dipto
www.linkedin.com/in/diptochakravarty
[email protected]
[email protected]
Question and Answer
Dipto Chakravarty
BS, MS, GMP
Altamira, Open Source Security expert
Continuous Forensic Analytics –
Issues and Answers
Tyrone Wilson
Cyber Security Senior Analyst
Novetta
Looking to the Future
Tyrone E. Wilson
Senior Security Analyst
Novetta Solutions
What would provide perfect network security visibility?
• Start with the ground truth: network traffic
• Capture ALL PCAP data, store it in an infinitely large repository, and make it instantly available for analysis
• If analysts could 'see' everything occurring on their network instantly…
  – Enable human intelligence to counter attackers in real time
  – Breaches would inevitably occur
  – But no business damage would happen
• Goal: Get as close to the ideal solution as current technology and real-world constraints allow
Copyright © 2014, Novetta Solutions, LLC. All rights reserved.
What would be the benefits?
• Aggregated network phenomena created by advanced threats available immediately
• Analysts empowered to execute behavioral network analytics
• Ability to perform traffic summary roll-ups, intersections, and other advanced exploratory analysis
• Enable rapid iteration and pivoting through network data
• Dramatically accelerate the operational tempo of security teams
Deployment
[Slide: deployment diagram. Sensors sit at points on the Network next to the Router and Firewall, the Internet link, and the existing SIEM, IDS/IPS, DLP and ATP tools. Each Sensor performs Packet Capture, keeps the PCAP locally (PCAP*) and forwards session Metadata to the Analytics Hub; a Legacy Sensor's PCAP Archive is fed in through a Batch Ingest Module. Inside the hub an Ingestion and Pre-Processing Module feeds the Analytics Engine, which Analysts use through a Web Interface, an API Interface and Custom Workflows.]
* PCAP is stored at sensors and is instantly retrievable when needed for deeper inspection
What about virtualization?
• Today's virtual taps do not scale as well as network taps
  – Gated by motherboard bus speeds & chip resources
• Room for creative solutions
  – Selective packet capture?
  – Hardware solutions?
What is Sessionization?
• Creates sessions out of packets
• Uses the 5-tuple to identify sessions: source IP, source port, destination IP, destination port, transport protocol
• Attaches a locally unique sensor session ID
• Configurable sessionization logic parameters:
  – Maximum time before segmenting a long session
  – Maximum time after a TCP session finishes gracefully
  – Maximum age of unfinished TCP and ICMP sessions
[Slide: diagram of Network Packets entering the NIC, with Software on the sensor splitting them into Session 1, Session 2, Session 3, …]
Session Metadata Extraction
• Session information
  – Hosts and ports
  – Volume transferred
  – Packet counts
  – Protocol (TCP, UDP, ICMP, etc.)
  – All TCP flags (SYN, ACK, etc.)
  – Client/server designations
  – Detected service: HTTP, FTP, SMTP, IRC, etc., or the first 3 bytes for unknowns
• DNS headers
  – Query and response
  – Resource record types
  – …and more
• HTTP headers
  – Host, URI, query string
  – Method, Cookie, User-Agent
  – …and more
• RDP headers
  – Host, Product ID, User cookie
  – Keyboard layout
  – …and more
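The two slides above describe sessionization (5-tuple grouping, a sensor-local session ID, and three timeouts: segmenting long sessions, holding gracefully finished TCP sessions, and aging out unfinished ones) and the per-session metadata a sensor records. The following is an added example by the editor, not Novetta's sensor code, showing one way to implement both over packet records; the port-to-service table, the default timeout values and the sample traffic are assumptions for the example.

```python
"""Sessionize packets by 5-tuple with three timeouts and record per-session metadata."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumption: a small port table stands in for real service detection.
KNOWN_SERVICES = {21: "ftp", 22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https", 3389: "rdp"}


@dataclass
class Packet:
    ts: float                       # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                      # "tcp", "udp" or "icmp"
    length: int                     # bytes on the wire
    flags: frozenset = frozenset()  # TCP flag names on this packet


@dataclass
class Session:
    session_id: str                 # locally unique per sensor
    client: Tuple[str, int]         # endpoint that sent the first packet
    server: Tuple[str, int]
    first_ts: float
    last_ts: float
    service: str
    packets: int = 0
    bytes_c2s: int = 0
    bytes_s2c: int = 0
    flags: set = field(default_factory=set)
    finished: bool = False          # TCP FIN or RST seen


def flow_key(pkt: Packet) -> Tuple[str, int, str, int, str]:
    """Direction-independent 5-tuple so both halves of a flow land in one session."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (lo[0], lo[1], hi[0], hi[1], pkt.proto)


class Sessionizer:
    def __init__(self, sensor_id: str = "sensor-1", max_duration: float = 3600.0,
                 post_fin_timeout: float = 10.0, idle_timeout: float = 300.0):
        self.sensor_id = sensor_id
        self.max_duration = max_duration          # segment a session that runs longer than this
        self.post_fin_timeout = post_fin_timeout  # hold a gracefully finished TCP session this long
        self.idle_timeout = idle_timeout          # max age of an unfinished TCP/UDP/ICMP session
        self._active: Dict[tuple, Session] = {}
        self._closed: List[Session] = []
        self._seq = 0

    def _expire(self, now: float) -> None:
        for key, s in list(self._active.items()):
            idle = now - s.last_ts
            if (s.finished and idle > self.post_fin_timeout) or \
               (not s.finished and idle > self.idle_timeout) or \
               (now - s.first_ts > self.max_duration):   # next packet opens a new segment
                self._closed.append(self._active.pop(key))

    def feed(self, pkt: Packet) -> None:
        """Packets must arrive in timestamp order; sessionize() sorts them first."""
        self._expire(pkt.ts)
        key = flow_key(pkt)
        s = self._active.get(key)
        if s is None:                             # first packet defines client and server
            self._seq += 1
            service = KNOWN_SERVICES.get(pkt.dport) or KNOWN_SERVICES.get(pkt.sport) or "unknown"
            s = Session(f"{self.sensor_id}-{self._seq:06d}", (pkt.src, pkt.sport),
                        (pkt.dst, pkt.dport), pkt.ts, pkt.ts, service)
            self._active[key] = s
        s.packets += 1
        s.last_ts = pkt.ts
        if (pkt.src, pkt.sport) == s.client:
            s.bytes_c2s += pkt.length
        else:
            s.bytes_s2c += pkt.length
        s.flags |= set(pkt.flags)
        if pkt.proto == "tcp" and pkt.flags & {"FIN", "RST"}:
            s.finished = True

    def flush(self) -> List[Session]:
        self._closed.extend(self._active.values())
        self._active.clear()
        return sorted(self._closed, key=lambda s: (s.first_ts, s.session_id))


def sessionize(packets: List[Packet], **params) -> List[Session]:
    sz = Sessionizer(**params)
    for pkt in sorted(packets, key=lambda p: p.ts):
        sz.feed(pkt)
    return sz.flush()


def sample_packets() -> List[Packet]:
    """Constructed traffic (not from the slides): an HTTP exchange, a DNS lookup, a TLS
    connection kept alive for 4000 s (will be segmented), and an SSH flow that goes idle."""
    S, A, P, F = "SYN", "ACK", "PSH", "FIN"
    c, w = ("10.0.0.5", 51000), ("93.184.216.34", 80)
    pk = [Packet(0.00, *c, *w, "tcp", 74, frozenset({S})),
          Packet(0.01, *w, *c, "tcp", 74, frozenset({S, A})),
          Packet(0.02, *c, *w, "tcp", 600, frozenset({P, A})),
          Packet(0.05, *w, *c, "tcp", 1400, frozenset({P, A})),
          Packet(0.10, *c, *w, "tcp", 66, frozenset({F, A})),
          Packet(0.11, *w, *c, "tcp", 66, frozenset({F, A})),
          Packet(0.00, "10.0.0.5", 53333, "10.0.0.1", 53, "udp", 60),
          Packet(0.003, "10.0.0.1", 53, "10.0.0.5", 53333, "udp", 120)]
    pk += [Packet(float(t), "10.0.0.7", 4444, "198.51.100.9", 443, "tcp", 100, frozenset({P, A}))
           for t in range(0, 4001, 100)]
    pk += [Packet(t, "10.0.0.9", 40000, "198.51.100.20", 22, "tcp", 100, frozenset({P, A}))
           for t in (10.0, 500.0)]
    return pk
```

With the defaults, the sample produces six sessions: the HTTP exchange (closed by FIN), the DNS pair, the TLS connection split into two segments at the 3600 s limit, and two single-packet SSH sessions because the 490 s gap exceeds the idle timeout. Tune the three timeouts to the sensor's traffic mix; too short an idle timeout splits legitimate long-polling flows, too long a segment limit delays when a session becomes queryable.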
All Sessions Queryable in Columnar Database
[Slide: data-flow diagram over the same network (Internet, Router, Firewall, SIEM, IDS/IPS, DLP, ATP) with numbered stages: (1) Sensors capture PCAP Data, (2) the Analytics Engine pre-processes it, and (4) security-specific metadata, about 1% of the total PCAP data, gives a clean and consolidated view of the network.]
Analysis within Analytics Hub
• Investigative analytics from automated alerts
• Exploratory analysis
• Iterative drill-down and pivot
• Distillation
• Tagging
• PCAP export
Example Analytics
• Beacon: Finds beacons from infected hosts to command-and-control servers outside the enterprise
• Distant Admin: Uncovers remote, unauthorized 'admin-like' access
• HTTP(S) Exfiltration: Finds large uploads to remote servers, indicating potential data exfiltration
• Port Scanners: Finds slow, randomized port scans, part of an attacker's reconnaissance and scanning efforts
• Protocol Abuse: Finds traffic using backdoor/hidden access paths
• RDP Keyboard Layout: Uncovers sessions with unexpected keyboard layouts
• Relay Finder: Retraces an attacker's path between hosts by finding relays (hops)
• Suspicious Admin Toolkits: Finds sessions where the client is using a Remote Administration Toolkit (RAT) such as Poison Ivy, Radmin or Gh0st RAT
• Two Degrees of Separation: Performs traffic intersections to determine relationships between hosts
• Unknown Service: Returns sessions where the service is unrecognized
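The table names the analytics but not how they work on session metadata. The following is an added example by the editor, not Novetta's analytics, implementing two of them over constructed session records: the Beacon finder (near-periodic session starts from one client to one external server and port) and the Port Scanners finder (many distinct ports, mostly unanswered, spread over a long span and not walked in order). The enterprise address ranges, the thresholds and the sample data are assumptions for the example.

```python
"""Beacon and slow-port-scan analytics over per-session metadata (constructed data)."""
import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Assumption: the enterprise owns the RFC 1918 space; anything else is "outside".
ENTERPRISE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class SessionRecord:
    start: float        # seconds since capture start
    client: str
    server: str
    dport: int
    proto: str
    bytes_c2s: int
    bytes_s2c: int


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in ENTERPRISE)


def find_beacons(records: List[SessionRecord], min_sessions: int = 6,
                 max_jitter: float = 0.15) -> List[Dict]:
    """Flag (client, external server, port) triples whose session start times are nearly
    periodic. Jitter is the largest deviation of any inter-session gap from the median gap,
    as a fraction of that median; human-driven traffic varies by orders of magnitude."""
    starts: Dict[tuple, List[float]] = defaultdict(list)
    for r in records:
        if is_external(r.server):
            starts[(r.client, r.server, r.dport)].append(r.start)
    hits = []
    for (client, server, dport), ts in starts.items():
        if len(ts) < min_sessions:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue
        jitter = max(abs(g - period) for g in gaps) / period
        if jitter <= max_jitter:
            hits.append({"client": client, "server": server, "dport": dport,
                         "sessions": len(ts), "period_s": period, "jitter": round(jitter, 3)})
    return hits


def find_slow_scanners(records: List[SessionRecord], min_ports: int = 20,
                       min_span_s: float = 1800.0, max_reply_bytes: int = 100) -> List[Dict]:
    """Flag (client, server) pairs that touched many distinct ports, mostly got nothing back,
    spread the probes over a long span, and did not walk the ports in order."""
    by_pair: Dict[tuple, List[SessionRecord]] = defaultdict(list)
    for r in records:
        by_pair[(r.client, r.server)].append(r)
    hits = []
    for (client, server), rs in by_pair.items():
        ports = sorted({r.dport for r in rs})
        if len(ports) < min_ports:
            continue
        span = max(r.start for r in rs) - min(r.start for r in rs)
        quiet = sum(r.bytes_s2c <= max_reply_bytes for r in rs) / len(rs)
        sequential = sum(b - a == 1 for a, b in zip(ports, ports[1:])) / (len(ports) - 1)
        if span >= min_span_s and quiet >= 0.9 and sequential < 0.5:
            hits.append({"client": client, "server": server, "ports": len(ports),
                         "span_s": span, "unanswered": round(quiet, 2)})
    return hits


def sample_sessions() -> List[SessionRecord]:
    """Constructed metadata (not from the slides): a 5-minute beacon with a few seconds of
    jitter, ordinary browsing, an internal NTP poll (periodic but not external) and a slow
    scan of 25 ports with no replies."""
    rs = [SessionRecord(off, "10.0.0.12", "203.0.113.7", 443, "tcp", 512, 256)
          for off in (0, 303, 598, 901, 1197, 1503, 1799, 2104, 2398, 2702)]
    rs += [SessionRecord(off, "10.0.0.12", "93.184.216.34", 80, "tcp", 900, 40000)
           for off in (0, 12, 15, 400, 402, 1900, 1905, 5000)]
    rs += [SessionRecord(64 * i, "10.0.0.12", "10.0.0.1", 123, "udp", 48, 48) for i in range(10)]
    rs += [SessionRecord(300 * i, "10.0.0.30", "10.0.0.50", (7 * i + 13) % 1000 + 1, "tcp", 60, 0)
           for i in range(25)]
    return rs


if __name__ == "__main__":
    sessions = sample_sessions()
    print("beacons:", find_beacons(sessions))
    print("scanners:", find_slow_scanners(sessions))
```

Both analytics read only the sessionized metadata, which is why the roughly 1% metadata store described on the earlier slide is enough to run them continuously; the raw PCAP at the sensor is pulled only for the handful of sessions a hit points at.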
Distillation
• Process PCAP to extract and decode embedded content
• Scripts (python, bash, etc.) follow a common API, which allows the addition of new custom scripts
• Output: extracted content, report, md5 listing, sha1 listing, flow files, optional raw PCAP
[Slide: pipeline from Packet Capture through File Extraction to Output (Extracted Files, Report); the extracted content shown begins with the "MZ" header of a Windows executable.]
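The distillation step above extracts embedded content from session payloads and emits md5 and sha1 listings. The following is an added example by the editor, not Novetta's distillation scripts: it carves Windows PE executables out of a reassembled payload by validating the "MZ" / "PE\0\0" headers and walking the section table to find where the file ends, flags a file that the capture cut short, and computes the hashes a report would list. The sample payload and the stripped-down PE embedded in it are constructed for the example.

```python
"""Carve PE executables from a reassembled session payload and hash them."""
import hashlib
import struct
from typing import Dict, List, Optional


def pe_image_size(blob: bytes, off: int) -> Optional[int]:
    """On-disk size of the PE whose DOS header starts at blob[off], or None if it is not
    one. The file ends where the last raw section ends (or after the headers if shorter)."""
    if blob[off:off + 2] != b"MZ" or len(blob) < off + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or blob[pe:pe + 4] != b"PE\0\0" or len(blob) < pe + 24:
        return None
    nsections = struct.unpack_from("<H", blob, pe + 6)[0]      # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]      # COFF SizeOfOptionalHeader
    table = pe + 24 + opt_size                                 # section table start
    end = e_lfanew + 24 + opt_size + 40 * nsections            # headers at minimum
    for i in range(nsections):
        entry = table + 40 * i
        if entry + 40 > len(blob):
            break                                              # section table itself is cut
        raw_size, raw_ptr = struct.unpack_from("<II", blob, entry + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def carve_pe(stream: bytes) -> List[Dict]:
    """Every PE in the stream: offset, expected size, truncation flag, md5, sha1, bytes."""
    found, pos = [], 0
    while True:
        pos = stream.find(b"MZ", pos)
        if pos < 0:
            return found
        size = pe_image_size(stream, pos)
        if size is None:
            pos += 1                                           # stray "MZ" in text or data
            continue
        data = stream[pos:pos + size]
        found.append({"offset": pos, "size": size, "truncated": len(data) < size,
                      "md5": hashlib.md5(data).hexdigest(),
                      "sha1": hashlib.sha1(data).hexdigest(), "data": data})
        pos += len(data)


def build_sample_pe() -> bytes:
    """Constructed, stripped-down PE: DOS header, PE signature, COFF header with no optional
    header, and one 64-byte .text section. Not runnable; just enough structure to carve."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)  # i386, 1 section, no opt hdr
    raw_ptr, raw_size = 0x40 + 24 + 40, 64
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr,
                                            0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + section + bytes(range(raw_size))


def sample_stream() -> bytes:
    """Constructed HTTP response carrying the executable, with a decoy 'MZ' in the headers."""
    return (b"HTTP/1.0 200 OK\r\nServer: MZ-Web\r\nContent-Type: application/octet-stream\r\n\r\n"
            + build_sample_pe() + b"\r\n<!-- trailing junk: MZ -->")


if __name__ == "__main__":
    for f in carve_pe(sample_stream()):
        print(f"offset={f['offset']} size={f['size']} truncated={f['truncated']} "
              f"md5={f['md5']} sha1={f['sha1']}")
```

A two-byte signature alone is not enough to carve on: "MZ" turns up constantly in text and binary streams, so the carver insists on a plausible e_lfanew and the "PE\0\0" signature before trusting a hit, and it reports a truncated file rather than silently hashing a partial one, since a hash of a partial file matches nothing in any intelligence feed.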
Summary
• Augmenting automated alerts, dashboards,
visualizations and even machine learning with rapid
queryable access to sessionized raw PCAP will be a
key part of the Continuous Forensics Analytics process
• Helps to … Answer the hard stuff:
•
•
•
•
“the known knowns”  Facts
“the known unknowns” Questions
“the unknown knowns”  Intuitions
“the unknown unknowns” Exploration
Thank You!
Tyrone Wilson
Cyber Security Senior Analyst
Novetta
Question and Answer
Tyrone Wilson
Cyber Security Senior Analyst
Novetta
To ask a question, type your question in the Chat area of your screen. You may need to click on the double arrows to open this function.
Open Panel with Audience Q&A
• Dipto Chakravarty, Altamira Open Source Security Expert
• Tyrone Wilson, Cyber Security Senior Analyst, Novetta
To ask a question, type your question in the Chat area of your screen. You may need to click on the double arrows to open this function.
Closing Remarks
I would like to thank Dipto and Tyrone for lending their
time and expertise to this ISSA Educational Program.
Thank you to Novetta for sponsoring this webinar.
Thank you Citrix for donating the Webcast service.
CPE Credit
• Within 24 hours of the conclusion of this webcast, you will
receive a link via email to a post Web Conference quiz.
• After the successful completion of the quiz you will be given
an opportunity to PRINT a certificate of attendance to use
for the submission of CPE credits.
• On-Demand Viewers Quiz Link
• http://www.surveygizmo.com/s3/2096089/ISSA-WebConference-April-14-2015-Continuous-ForensicAnalytics-Issues-and-Answers