Closing the Breach Detection Gap

Presentation transcript:

Closing the Breach Detection Gap 2016 CONFIDENTIAL

Agenda
- Today's Breach Detection Gap
- Threats: Malware, Risky Behavior, Insiders & Advanced Attacks
- Top Cyber Weapons
- Signature vs. Behavior-based Attack Detection
- LightCyber Magna Behavioral Attack Detection

Notes: Unfortunately, there is no silver bullet to stop ransomware. If there was, ransomware would have been eliminated years ago. But to reduce the risk of infection, organizations should train employees not to open suspicious email attachments or click on suspicious links. IT administrators should patch vulnerable client and server software such as browsers and browser plugins, applications, and even network devices, which are often overlooked. They should inspect network traffic for malware using sandbox and virus scanning solutions. They should install endpoint protection such as anti-virus software on all systems. And although this isn't prevention, organizations should back up files and make sure these backups are not accessible to ransomware, or that they can roll back to an earlier version of files.

Breach Detection Gap
- Most Organizations Focus on Malware and External Attacks But Cannot Detect Attackers in Their Network: 99% of post-intrusion attacks such as reconnaissance and lateral movement do not originate from malware.
- Most Organizations Cannot Find Breaches on Their Own: 146 days is the median length that attackers are present on a victim's network before detection. Long attack dwell times & inability to detect.
SOURCE: 2016 LightCyber Cyber Weapons Report, M-Trends 2016 Threat Report, Verizon Data Breach Investigations Report

Most Organizations Focus Only on Malware
Categories of cyber weapons shown: Hacking Tools, Networking Tools, Admin Utilities, Remote Desktop Apps

Threats Analyzed for Cyber Weapons Research: Targeted Attacks, Insider Attacks, Risky Behavior, and Malware

Targeted Attacks (Outside the Network to Inside the Network)
1) Attacker compromises a client or server in the network
2) Attacker performs reconnaissance and moves laterally to find valuable data
3) Attacker steals data by uploading or transferring files
Timeline: Intrusion (Seconds - Minutes), then Active Breach (Hours - Weeks). Stages: Establish Backdoor; Recon & Lateral Movement; Data Exfiltration

Notes: The next type of attack we are going to discuss is targeted ransomware attacks. Cybercriminals have stepped up their game, using new, advanced attack methods to compromise organizations rather than individual users. Investigations reveal that attackers first exploited a vulnerability, oftentimes in a JBoss server, and from there used reconnaissance and lateral movement to infect as many machines as possible. They have infiltrated organizations and brought network operations to a standstill. By infecting many machines at once, attackers have extorted more money per attack than by infecting clients one by one. Instead of requesting a few hundred dollars from an individual user, ransomware authors have demanded thousands or even millions of dollars in ransom payments from their corporate victims.

Insider Attacks
1) Employee is upset by demotion; decides to steal data and quit job
2) Employee accesses many file shares, including rarely accessed file shares
3) Employee uses other users' credentials and exfiltrates a large volume of data
Stages: Recon & Lateral Movement; Abuse of User Rights; Data Exfiltration
IT Assets at Risk: Databases and file servers are considered the most vulnerable to insider attacks
SOURCE: LinkedIn Group - Insider Threat Report sponsored by LightCyber

Risky Behavior
1) Remote desktop access from home
2) User credentials for a service account shared by multiple admins
3) Access to high-risk websites
Data Breach Incidents: Miscellaneous errors, such as misconfiguration, misdelivery, and other errors, accounted for the highest number of data breaches in 2015.
"With all of the hubris and bravado in the InfoSec world, one proclamation we usually don't hear is 'Our employees NEVER make mistakes.'"
SOURCE: 2016 Verizon Data Breach Investigations Report

Malware: Ransomware Attack
1) User downloads ransomware from a malicious website or opens a malicious email attachment
2) Infected client contacts the command and control server and receives a unique cryptographic key
3) Ransomware encrypts data on the local client
4) Ransomware encrypts data on network drives (file servers)

Notes: Ransomware can be distributed through many means, including compromised websites, online malvertising that redirects users to a malicious site, or an email with a malicious attachment. Since users are getting more sophisticated, instead of sending suspicious executable files attackers now send Microsoft Office documents with malicious macros. They have also sent executables in zip files and changed the file icon to a PDF icon in the zip to make it look harmless. This is a bit simplified; there are usually a few steps such as URL redirects, vulnerability exploits and potentially the download of one or more payloads, but the main message is that the software gets downloaded and then the infected client contacts a command and control server to receive a unique cryptographic key. Then the ransomware begins encrypting data on the local client and on network drives. CryptoFortress attempts to find and encrypt all open network SMB (Server Message Block) shares, not just mapped drives. This network-based file encryption is important to consider, because oftentimes organizations can reformat or replace locked computers, but encrypting all of the data on file shares can potentially be much more damaging.

Cyber Weapons Research Findings Based on Anonymized Alert Data and Network to Process Association (N2PA) Technology

Top Attack Behaviors
- Reconnaissance was the most common attack behavior
- Reconnaissance is an iterative process of trial and error as attackers search for valuable assets
- Reconnaissance includes over 10 behaviors, including: scans; excessive failed logins; failed attempts to access network devices and ports

Cyber Weapons Used in Phases of an Attack

Networking and Hacking Tools
- Attackers use well-known tools to map the network, probe clients, and monitor activity
- NCrack, Mimikatz, and Windows Credential Editor can be used to steal user credentials
- Some tools are native OS utilities

Admin Tools
- Attackers use a variety of command line shells, including native OS utilities
- Admin tools are used for lateral movement as well as recon and exfiltration

Remote Desktop Tools
Remote desktop tools are:
- Used for C&C and lateral movement
- Also indicative of risky user behavior

Notes: Remote desktop programs are used by attackers, IT administrators, and everyday users. Attackers use them to gain access to new hosts, to move laterally within the internal network, or to remotely control compromised devices from the internet. Attackers can steal or correctly guess user credentials for remote desktop programs and then delve further into the network, impersonating a legitimate user while operating unnoticed by all legacy security solutions. Remote desktop apps not only provide an entry point for attackers, but also a way for attackers to streamline management and snooping tasks. TeamViewer easily topped the list of the most common remote desktop tools. In somewhat related news, TeamViewer made headlines in May and June when a large number of TeamViewer customers reported that their computers had been accessed illicitly, meaning that even authorized remote control software can be hijacked by attackers. Purportedly using compromised credentials, intruders logged into victims' machines and drained their bank and PayPal accounts. Some remote desktop tools, such as TeamViewer, Ammyy Admin, and LogMeIn, are often used for controlling computers from outside the network because they broker connections through their own service, which is basically command and control. Others, like VNC and Remote Desktop Connection, are used within the LAN for lateral movement. While not necessarily malicious, organizations should monitor all remote desktop connections and enforce multi-factor authentication to prevent unauthorized computer access.

Malware
- 28% of suspicious processes associated with alerts were either malware or riskware
- 1% of east-west threats originated from malware

Notes: While malware tops the list as a favorite way to initially infiltrate an organization, its popularity sinks heavily once a malicious actor has gained a foothold in the network. In fact, the Cyber Weapons study reveals that almost all malware activity was detected in early phases of the attack lifecycle, such as command and control communications between clients and destinations on the Internet. While riskware programs, such as dual-purpose admin and hacker tools, were detected during the reconnaissance phase, they rarely appeared during the lateral movement and data exfiltration phases.
Goodware Gone Bad: Attackers don't just rely on malware, riskware, and other "attack tools" to do their dirty work. They also leverage ubiquitous apps like web browsers and native OS tools to carry out attacks. In fact, web browsers like Chrome, Internet Explorer, and Firefox accounted for a sizeable amount of command and control activity. Web browsers are not just used for command and control; they're also linked to data exfiltration. Web browsers as well as FTP, WinSCP, file sharing apps, and even email were all associated with data exfiltration. Other benign software, in the hands of malicious insiders and external attackers, can become weapons to carry out costly attacks.

Major Findings
- Attackers often use "benign" apps, native OS tools and web browsers to conduct attacks
- 70%+ of malware was only detected on a single site, revealing targeted & polymorphic variants
- Companies that only look for malware will miss attackers that are already in the network

Notes: However, even organizations that implement multiple layers of security are still getting compromised. Why? First, because attackers have many different ways to distribute ransomware, even instant messaging or infected USB drives. Second, because ransomware is now so lucrative, cybercriminals are developing new strains continuously, making it hard for signature-based AV to keep up. Plus, ransomware can be difficult to stop. It can use default processes like Windows Explorer, so even if the endpoint software detects ransomware, it might be difficult to terminate the process without making the system unstable.

Signature vs. Behavior-based Attack Detection

Current Limitations (Traditional Security: Known Bad)
- Signatures, IoCs, Packet Signatures, Domains, Sandbox Activity
- Block, or Miss
- Necessary, Not Sufficient
- Problems: Too Many False Alarms / False Positives; Missed Variants / False Negatives; Only Detect Malware-Based Attacks; Agents & Signatures

What's Needed (Learned Good)
- Learn What is Good [Baseline]
- Detect What Isn't [Anomaly]
- Catch What Slips Through the Cracks of Traditional Security
- Benefits: Eliminates Zero-Day Exploit Dilemma; Hundreds of Opportunities to Detect; Applicable to All Techniques & Stages; Agentless & Signature-less

Behavioral Attack Detection: Optimal Data Context

LightCyber Magna Platform Using Behavioral Analytics to Find Attacks & Malware on Your Network

Behavioral Attack Detection: About LightCyber
- Magna Platform Overview: Network-Centric Detection; Agentless & Signature-less; Post-Intrusion: NTA/UEBA (NTA = Network Traffic Analytics, UEBA = User & Entity Behavior Analytics)
- Operations Overview: US HQ - CA; EMEA HQ - Amsterdam; IL HQ - Ramat Gan; Customers World-Wide
- Behavioral Attack Detection Differentiation: Most Accurate & Efficient (Proven & Measured Success); Broadest Context (Network + Endpoint + User); Broadest Attack Coverage with Integrated Remediation
- Verticals Served: Finance & Insurance; Public Sector; Retail, Healthcare, Legal; Service Providers; Media, Technology & More

Notes: LightCyber was founded by cyber warfare experts to help security analysts answer one question: would you know if an active attack was underway in your network? LightCyber was founded in 2012 and maintains offices throughout the world, including U.S. headquarters here in Los Altos, California and R&D headquarters in Ramat Gan, Israel. LightCyber Magna is part of an emerging category of products that we call Behavioral Attack Detection solutions, which focus on: 1) reducing attack dwell time and the related damage, and do this in large part by 2) increasing the efficiency of IT security operations. We will go into that in detail during the remainder of this presentation. We serve a wide variety of verticals, including finance, healthcare, and government, and LightCyber is recognized for providing attack detection alerts that are highly accurate and actionable. And we actually have published accuracy metrics to stand by those claims.

Profiling, Detection, Investigation, & Remediation
- Behavioral Profiling: Network-Centric Endpoint and User Profiling
- Attack Detection: Anomalous Attack Behavior Across the Attack Lifecycle
- Automated Investigation: Network, User, & Process Association + Cloud
- Integrated Remediation: Block Attackers with NGFW, NAC, or Lock Accounts with AD

Evolving IT Security Investment Needs
Phases: Intrusion Attempt Phase (Seconds - Minutes); Active Attack Phase (Weeks - Months), where the Breach Detection Gap lies; Incident Response (Weeks - Months)
Chart labels: Security Expenditure; Damage; Stateful FW; IPS / IDS; Network AV; Sandboxing; SIEM
Lockheed Martin: Cyber Kill Chain

Notes: Now, if all defenses were 100% safe, if there were no insider threats, if you didn't have to worry about social engineering or remote access threats, then the perimeter defenses we have today would be good enough. But history and news headlines show us that these defenses are not failsafe. Attackers do get through. Then, what do they do? Most organizations can't answer this question because they don't have any tools to monitor this activity: the reconnaissance, the lateral movement and the data exfiltration, which can take days or weeks or months.

LightCyber Magna Platform (deployment diagram)
Components shown: MAGNADETECTOR & MAGNAPROBE for AWS IaaS Cloud; MAGNAPATHFINDER on Endpoints; HQ / DC: Core Switch, TAP / SPAN, MAGNADETECTOR, MAGNAMASTER; Email & Reports; SIEM; Remediation; Remote Office: MAGNAPROBE, TAP / SPAN, Switch, Network Traffic; MAGNA UI

LightCyber Magna Security Use Cases
LightCyber Magna provides accurate and efficient security visibility into attacks and attackers in your network.
Security Visibility Encompasses (lower to higher relative risk): Malware; Risky Behaviors; Insider Attacks; Targeted Attacks

LightCyber Delivers Unbeatably Accurate Results
Most IT security teams can't keep up with the deluge of security alerts.
LightCyber accuracy: 62% across all alerts; 99% across Magna's automated "Confirmed Attack" category
Source: http://lightcyber.com/lower-security-alerts-metrics/

Malware Example
Magna Detects: Active Command & Control channel; Malware Infection; No signs of internal spreading; Likely opportunistic, not (yet) targeted
Detection Pattern: C&C Malware (No East-West)

Risky Behavior Example
Magna Detects: RDP to > 20 Workstations; Likely non-malicious internal activity since there is no association with other malicious findings
Detection Pattern: Credential Abuse Not Linked to Exfil or Other Findings

Insider Attack Example
Magna Detects: Suspicious access to file shares; Exfiltration. This correlation indicates a likely Insider Attack.
Detection Pattern: Credential Abuse Linked to Exfil or Other Findings

Targeted Attack Example
Magna Detects: Anomalous file with known Threat Intelligence; Recon; Lateral Movement; Exfiltration. This correlation indicates a Targeted Attack.
Detection Pattern: Multiple Correlated Findings, North-South + East-West

User, Entity; Network + Endpoint
Magna Detects: Anomalous Network Activity; Anomalous and Malicious Processes on the Endpoint; Anomalous User Activity
Magna Correlates: User; Process; Entity; Endpoint; Network
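The four example slides above (C&C without east-west, RDP fan-out not linked to exfil, credential abuse linked to exfil, and multiple correlated north-south plus east-west findings) reduce to a small set of baseline-and-correlation rules. The following Python is an added illustration written for this transcript, not LightCyber code; the event fields, the thresholds (20 hosts, 5 failed logins, 100 MB) and the sample records are all constructed.

```python
from collections import defaultdict

# Constructed threat-intel set: destinations known to be malicious (north-south).
THREAT_INTEL = {"203.0.113.9"}


def is_internal(ip):
    """Constructed convention: the corporate network is 10.0.0.0/8."""
    return ip.startswith("10.")


def make_events():
    """Constructed event log: (user, src, dst, port, auth_ok, bytes_out)."""
    ev = []
    # alice: beacons to a known C&C host, no east-west activity -> malware only
    ev += [("alice", "10.1.1.5", "203.0.113.9", 443, True, 2_000)] * 3
    # bob: an admin who RDPs to 25 workstations but uploads nothing -> risky behavior
    ev += [("bob", "10.1.1.7", f"10.2.0.{i}", 3389, True, 500) for i in range(25)]
    # carol: touches 22 file servers over SMB, then a large upload to the Internet
    ev += [("carol", "10.1.1.9", f"10.3.0.{i}", 445, True, 1_000) for i in range(22)]
    ev += [("carol", "10.1.1.9", "198.51.100.4", 443, True, 900_000_000)]
    # dave: C&C + failed logins (recon) + RDP fan-out + exfil -> targeted attack
    ev += [("dave", "10.1.1.11", "203.0.113.9", 443, True, 1_000)]
    ev += [("dave", "10.1.1.11", "10.4.0.1", 445, False, 0)] * 8
    ev += [("dave", "10.1.1.11", f"10.4.0.{i}", 3389, True, 500) for i in range(21)]
    ev += [("dave", "10.1.1.11", "198.51.100.7", 22, True, 300_000_000)]
    return ev


def findings(events, fanout=20, failed_logins=5, exfil_bytes=100_000_000):
    """Per-user finding set: c2 (north-south), recon and lateral (east-west), exfil."""
    per = defaultdict(lambda: {"c2": False, "fails": 0, "hosts": set(), "out": 0})
    for user, _src, dst, port, ok, nbytes in events:
        p = per[user]
        if dst in THREAT_INTEL:
            p["c2"] = True
        if is_internal(dst):
            if not ok:
                p["fails"] += 1            # excessive failed logins = recon signal
            elif port in (3389, 445, 22):  # remote desktop / admin protocols
                p["hosts"].add(dst)        # distinct internal hosts reached
        else:
            p["out"] += nbytes             # bytes leaving the network
    result = {}
    for user, p in per.items():
        checks = {"c2": p["c2"], "recon": p["fails"] >= failed_logins,
                  "lateral": len(p["hosts"]) > fanout, "exfil": p["out"] >= exfil_bytes}
        result[user] = {name for name, hit in checks.items() if hit}
    return result


def classify(f):
    """Map a user's finding set onto the deck's four detection patterns."""
    east_west = bool({"recon", "lateral"} & f)
    if "c2" in f and east_west:
        return "Targeted Attack: multiple correlated findings, North-South + East-West"
    if "c2" in f:
        return "Malware: C&C without East-West"
    if east_west and "exfil" in f:
        return "Insider Attack: credential abuse linked to exfil"
    if east_west:
        return "Risky Behavior: credential abuse not linked to exfil"
    return "No finding"
```

Running `classify(findings(make_events())[user])` for the four constructed users yields the four slide patterns in order; in practice the fan-out and volume thresholds come from each user's learned baseline rather than fixed constants.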

Demo

LightCyber Ecosystem Integration (diagram)
Components shown: MAGNAPATHFINDER on Endpoints; HQ / DC: Network Packet Broker, Core Switch, MAGNADETECTOR, MAGNAMASTER; SIEM; Remediation; IAM & Policy Mgmt; MAGNA UI

Magna in the Security Ecosystem: Integrated Remediation
Magna Enables You To:
- Terminate Malicious Files (MFT)
- Block Malicious Domains with NGFW
- Isolate Infected Machines with NGFW
- Isolate Infected Machines with NAC
- Lock Compromised Active Directory Accounts
- Reset Compromised AD Passwords
Knock The Attacker Back Out Of Your Network

Thank You Ask about our free attack simulation offer! Find out if LightCyber is better than your existing security infrastructure at detecting attacks