7. Tracking the Opposing I/T Organization
Diagram of the underground economy, flattened here to its node labels (actors, services and cash-out channels): Drop Sites; Phishing; Keyloggers; Botnet Owners; Spammers; Botnet Services; Malware Distribution Service; Data Acquisition Service; Data Mining & Enrichment; Data Sales; Cashing $$$; Malware Writers; Identity Collectors; Credit Card Users; Master Criminals; Validation Service (Card Checkers); Card Forums; ICQ; eCommerce Site; Retailers; Banks; eCurrency; Drop Service; Wire Transfer; Gambling; Payment Gateways.
16. New Security Concept: "OFFENSE IN DEPTH"
Timeline diagram, flattened here to its labels. Attacker side: Attack Begins; System Intrusion; Attacker Surveillance; Cover-up Complete; Access Probe; Leap Frog Attacks Complete; Target Analysis; Attack Set-up; Discovery / Persistence; Maintain foothold; Cover-up Starts. Defender side: Attack Forecast; Physical Security; Containment & eradication; System Reaction; Damage Identification; Recovery; Defender discovery; Monitoring & Controls; Impact Analysis; Response; Threat Analysis; Attack Identified; Incident Reporting. The gap between the two is ATTACKER FREE TIME, plotted against Time.
Need to collapse attacker free time.
Source: NERC HILF Report, June 2010 (http://www.nerc.com/files/HILF.pdf)
29. Understanding the NetWitness Network Monitoring Platform
Automated Malware Analysis and Prioritization
Automated Threat Reporting, Alerting and Integration
Freeform Analytics for Investigations and Real-time Answers
Revolutionary Visualization of Content for Rapid Review
46. Combating Advanced Threats Requires More and Better Information…
Data sources, ordered from lowest value to highest value:
Firewalls, Gateways, etc.: Overwhelming amounts of data with little context, but can be valuable when used within a SIEM and in conjunction with network forensics.
IDS Software: For many organizations, the only indicator of a problem, and only for known exploits. Can produce false positives and is limited by signature libraries.
NetFlow Monitoring: Network performance management and network behavioral anomaly detection (NBAD) tools. Indicators of changes in traffic flows within a given period, for example, DDoS. Limited by lack of context and content.
SIEM Software: Correlates IDS and other network and security event data and improves the signal-to-noise ratio. Is valuable to the extent that data sources have useful information and are properly integrated, but lacks the event context that can be provided by network forensics.
Real-time Network Forensics (NetWitness): Collects the richest network data. Provides a deeper level of advanced threat identification and situational awareness. Provides context and content to all other data sources and acts as a force multiplier.
Editor's Notes
Security is a hard job. You are everyone's friend, or enemy. People want to see you, or they dread seeing you in the hallway. You know what you need to do, but good luck getting it done.
Today: talk about why security sucks and what's wrong with security today in most organizations. Some brief examples of why security teams are failing. Maybe it will suck less when we are done.
Electronic Criminal Groups: Established Underground Industry (continued examples of successful large-scale operations)
Organization: Low to High. Capability: High. Intent: High, for financial gain.
"Kneber" ZeuS BotNet – information sold to anybody.
Nation-Sponsored Activities: From Intelligence Gathering to Network-Centric Warfare
Organization: High. Capability: High. Intent: Connected to national policy.
Operation Aurora, Titan Rain, etc.
OK, back to being the CIO of an organized criminal group…
Build Slide…. SUCKER!!!
Unfortunately, our job is usually not as much fun and doesn’t pay as well. So in the face of all this, what’s your job strategy? Maybe you should go work for the government? They have more money and better resources…and you get to wear a tie to work…
The government has its problems too… security sucks there too.
Advanced - the adversary can operate in the full spectrum of computer intrusion.
Persistent - the adversary is driven to accomplish a mission.
Threat - the adversary is organized, funded and motivated.
Analysts speak of multiple "groups" consisting of dedicated "crews" with various missions.
Who is NetWitness? Ask the Industry!
Ultimately, we can say whatever we want about the value we will bring to your organization, but that value is best defined by what others in the industry say about us.
The best security teams on the planet are using NetWitness. Our customers include:
5 of the Fortune 10.
A large number of the Global 1000, including 3 of the Top 10 banks.
Over 70% of U.S. Federal Agencies are enterprise customers of NetWitness, and most are planning larger deployments.
Over 45,000 security experts use NetWitness Investigator Freeware.
The Analysts agree too:
Forrester says that in 2011 all enterprises should inspect and analyze all network traffic to obtain better visibility, and that NetWitness is a cutting-edge vendor in this space.
Gartner says that current malware threats will require approaches other than signatures, and named NetWitness as a technology offering an important solution using forensic, behavioral, and reputation-based techniques.
451 Group says that "If you can handle the truth, NetWitness can show it to you," and that "NetWitness is the last security appliance you will ever need to buy."
The company has received a number of awards: Inc. 500 -- #21 overall and #1 in Software and the DC area; WBJ #3 in the Washington DC area; SC Magazine, numerous awards.
Customer Testimonials
----- Meeting Notes (1/16/11 13:33) -----
The people that know a lot about the high-threat environment use us.
NetWitness infrastructure builds a pervasive and complete understanding of what is happening across your network:
Layer 2 to layer 7 – characteristics of network behavior.
Real-time knowledge.
Fused with the knowledge of the global security community: threat and fraud intel; business intelligence; community- and reputation-based; cloud-based.
Just like every other application, provides completeness and security rigor.
How many people have worked with Zeus?
There are many commercial and non-commercial variants of Trojans such as ZeuS that have been developed by eCrime groups for specific targets of interest: banks, the DIB, specific government agencies in the U.S. and Europe.
Numerous signs of collaboration among malware writers, including "best practices" for improving techniques for detection avoidance and resilience (e.g. the ZeuS and Waledac collaboration noted in the NetWitness "Kneber" report).
New features, such as the inclusion of robust Backconnect reverse proxy capabilities.
Many of these non-commercial variants are invisible to typical security tools.
This particular directory contains files harvested by the attackers from my bait PC that I set up and infected; each directory (top listing in graphic for “/”) is associated with one victim.