Published by Laurel Webb. Modified over 9 years ago.
© 2012 Solera Networks. Contains confidential, proprietary, and trade secret information of Solera Networks. Any use of this work without express written consent is strictly prohibited.

Preparing for the Inevitable: How to Fight Advanced Targeted Attacks with Security Intelligence and Big-Data Analytics
Andrew Brandt, Director of Threat Research, Solera Networks
See everything. Know everything.™
Big Data. Little attacks.
Who I am and what I do
Former journalist
Self-taught security enthusiast
Malware analyst
Network security researcher
If you code, distribute, or use malware for gain, prepare for maximum mockery and humiliation.
@SoleraBlog #AusCERT12 #bigdata
What I do: there is a story behind every attack. Sometimes, strange stuff just happens.

Break computers for fun and profit. “I couldn’t have said it better myself.” “Yep, you nailed it.” Little-known “mea culpa” feature of Blackshades RAT.

Involved, enthusiastic blog readership.

Why so touchy? A little too close to home?
Today’s Persistent, Blended Threats: a chain of social engineering, exploitation, communication and propagation.
Social engineering: convince the victim to do something (visit a web page, download a file, execute a binary).
Exploitation: enumerate the attack surface, exploit a vulnerability, infiltrate the system, maintain connectivity back to the attacker.
Propagation: spread to other systems, expand the attack footprint, adapt to countermeasures.
The Challenge of Keeping Pace…
54% of breaches involved customized malware, with no signature available at the time of exploit (VzB/USSS).
87% of records stolen were stolen using highly sophisticated attacks (VzB/USSS).
$7.2M was the average cost of a data breach in 2011 (Ponemon).
Big Data Landscape – Security Intelligence & Analytics
“Context-aware and adaptive security will be the only way to securely support the dynamic business and IT infrastructures emerging during the next 10 years.” —Neil MacDonald, VP & Fellow, Gartner
Product categories on the landscape: big data analytics, log management, security information and event management (SIEM), content filtering, data leakage prevention, intrusion prevention systems, next-gen firewalls.
What does this stuff look like when it’s happening?

Would this convince you to click?

Reply to the IRS… using LinkedIn?

Seriously: are you guys new to this whole trying-to-convince-people thing?

What about one of these?

Yeah, it’s malicious.

Indistinguishable from normal email…

…until it isn’t, anymore.
Cyber Attacks Accelerate… [timeline from Jan 2010 to Jul 2011, marking “Operation Aurora” and the Diplomatic Cables Leak]
The Malware Problem – Overwhelming Odds
“With security researchers now uncovering close to 100,000 new malware samples a day, the time and resources needed to conduct deep, human analysis on every piece of malware has become overwhelming.” - GTISC Emerging Cyber Threats Report 2011
Record everything, 24/7
Timely analysis and insight into every packet entering or leaving your network
Records, classifies and indexes all packets and flows from L2 to L7
On-the-wire, file-level visibility of data exfiltration and malware infiltration
Actionable intelligence, forensics and situational awareness
Multi-dimensional flow enrichment and big-data warehousing
Flexible, open and easy-to-use platform
Multiple Levels of Indexing

Bottom layer, Packet Capture and Repository (DSFS): full-fidelity, full-payload streaming capture; capable of 10s of Gb/s data storage; support for simultaneous readers and writers; maximum throughput via smart streaming writes and reads.

Middle layer, Solera DB Index: contains the data necessary to find and reconstruct packets, flows and entire network sessions in perfect fidelity; handles millions of IOPS on a single appliance; used as a “quick rejection” filter in front of the Packet Capture and Repository.

Top layer, Solera DB Bitmask & Hash: per-attribute quick-lookup layer that takes milliseconds to accept or reject hundreds of MB of capture data. Search queries are processed by a proprietary algorithm that generates hash values; the top layer of the search engine uses those hashes to determine which 64MB chunks can contain the data, so only those chunks are ever read.
@SoleraBlog #AusCERT12 #bigdata
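As an added illustration of the quick-reject idea (example code written for this page, not Solera’s implementation, whose hashing algorithm is proprietary), the Python below keeps one small Bloom-style bitmask per indexed attribute per capture chunk, built from SHA-256-derived bit positions, so a query can discard whole chunks without opening them and only the surviving chunks are scanned exactly. The chunk size (a few flows instead of 64MB), the bitmask width, the hash count and the sample flow records are all assumptions made for the example.

```python
"""
Chunk-level quick-reject index for a packet repository.

Added example for this page; it is not Solera's code.  Assumptions: captures
are stored in fixed-size chunks (64 MB on the slide; here a chunk holds three
flows), every chunk keeps one Bloom-style bitmask per indexed attribute, and a
query touches only chunks whose bitmasks accept every search term.  A
surviving chunk may still turn out empty (false positive); a rejected chunk
never holds a match (no false negatives).
"""
import hashlib
from collections import defaultdict

BITS = 4096   # bitmask width per attribute per chunk (assumed; tune to chunk size)
K = 4         # bit positions set per indexed value


def _positions(attr, value, bits=BITS, k=K):
    """k bit positions for one attribute/value pair, sliced from one SHA-256."""
    digest = hashlib.sha256(f"{attr}\x00{value}".encode()).digest()
    return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % bits for i in range(k)]


class ChunkIndex:
    """Top-layer index for one capture chunk: attribute name -> bitmask."""

    def __init__(self, chunk_id):
        self.chunk_id = chunk_id
        self.masks = defaultdict(int)      # Python ints act as arbitrary-width bitmasks

    def add_flow(self, flow):
        for attr, value in flow.items():
            for p in _positions(attr, value):
                self.masks[attr] |= 1 << p

    def may_contain(self, attr, value):
        """Accept only if every bit for this value is set; otherwise reject."""
        mask = self.masks.get(attr, 0)
        return all((mask >> p) & 1 for p in _positions(attr, value))


class CaptureIndex:
    """Chunk indexes plus a 'repository' (a dict standing in for the packet files)."""

    def __init__(self, flows_per_chunk=3):
        self.flows_per_chunk = flows_per_chunk
        self.chunks = []
        self.repository = {}               # chunk_id -> flows stored in that chunk

    def ingest(self, flows):
        for i, flow in enumerate(flows):
            if i % self.flows_per_chunk == 0:
                cid = len(self.chunks)
                self.chunks.append(ChunkIndex(cid))
                self.repository[cid] = []
            self.chunks[-1].add_flow(flow)
            self.repository[self.chunks[-1].chunk_id].append(flow)

    def candidate_chunks(self, **terms):
        """Quick-reject pass: chunks whose bitmasks accept all terms (AND)."""
        return [c.chunk_id for c in self.chunks
                if all(c.may_contain(a, v) for a, v in terms.items())]

    def search(self, **terms):
        """Exact pass: open only the candidate chunks and filter their flows."""
        hits = []
        for cid in self.candidate_chunks(**terms):
            hits.extend(f for f in self.repository[cid]
                        if all(f.get(a) == v for a, v in terms.items()))
        return hits


# Constructed flow records (not real traffic); six flows -> two chunks.
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "dst_ip": "93.184.216.34", "dst_port": "80", "http_host": "www.example.com"},
    {"src_ip": "10.0.0.7", "dst_ip": "93.184.216.34", "dst_port": "443", "http_host": "www.example.com"},
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.9", "dst_port": "53"},
    {"src_ip": "10.0.0.12", "dst_ip": "203.0.113.77", "dst_port": "80", "http_host": "cdn.bad.example"},
    {"src_ip": "10.0.0.12", "dst_ip": "203.0.113.77", "dst_port": "8080", "http_host": "cdn.bad.example"},
    {"src_ip": "10.0.0.9", "dst_ip": "93.184.216.34", "dst_port": "80", "http_host": "www.example.com"},
]


def build_sample_index():
    idx = CaptureIndex(flows_per_chunk=3)
    idx.ingest(SAMPLE_FLOWS)
    return idx


if __name__ == "__main__":
    idx = build_sample_index()
    print("chunks to open:", idx.candidate_chunks(http_host="cdn.bad.example"))
    for hit in idx.search(http_host="cdn.bad.example"):
        print(hit)
```

The bitmasks are tiny compared with the chunks they describe, which is what makes the accept/reject decision cheap; the price is the occasional false positive, which the exact pass over the opened chunk removes. Sizing `BITS` and `K` against the number of distinct values per chunk keeps that false-positive rate low.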
Metadata Attribute Mappings [diagram]
So, what happens when someone clicks one of these links?

The victim sees this…

Meanwhile… CVE-2011-3544 (Java) exploit.
Most Dreaded Questions from the CISO
Who did this to us, and how?
How long has this been going on?
What did we lose, and when?
Is it over yet?
Can we be sure it won’t happen again?

Breaches Happen. Deal With It.

I see what you did there: “classic” Blackhole Exploit Kit behavior, with the malware payload delivered at the end of the chain.

Danger, Will Robinson.
Your reputation precedes you
Look up reputation on: the domain, the IP, any extracted artifact.
Reputation services: VirusTotal, ClamAV, SORBS, Robtex, SANS ISC, Google Safe Browsing, …
Real-Time Extractor: malware at the speed of light
Delivers file-level alerting and malware analysis, at the network layer, to any enterprise.
Policy-based: protocol, country, MIME type, file extension, etc.
Continuous detection across all network traffic: analyze, index, alert.
Alert-triggered analysis of extracted objects: PDF, .js, PE, Flash, JAR, OLE, .apk, etc.
Collapse the distributed network: leverage core security infrastructure.
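To make the extraction step concrete, here is an added example (written for this page, not Solera’s code) that carves the file object out of a reconstructed HTTP response, identifies it from its leading bytes rather than from the server’s Content-Type, and applies a small policy over file kind and MIME mismatch. The policy table, the list of MIME types each kind is expected under, and the three sample responses are constructed for the example; a deployed extractor would also filter on protocol and country as the slide lists.

```python
"""
Real-time file extraction from a reconstructed HTTP response.

Added example, not Solera code.  The extractor decides what a transferred
object *is* from its first bytes (the kinds named on the slide), not from
what the server claimed, then applies a policy over kind and MIME mismatch.
A PE served as text/html is exactly what an exploit-kit payload looks like.
"""
import gzip
import zlib

# Magic bytes at offset 0 for the file kinds the slide lists.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"MZ", "pe"),
    (b"PK\x03\x04", "zip"),          # JAR and APK are zip containers, refined below
    (b"CWS", "flash"), (b"FWS", "flash"), (b"ZWS", "flash"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),
]

# MIME types each kind is legitimately served under (assumption; tune per site).
EXPECTED_MIME = {
    "pdf": {"application/pdf"},
    "pe": {"application/octet-stream", "application/x-msdownload", "application/x-msdos-program"},
    "jar": {"application/java-archive", "application/octet-stream"},
    "apk": {"application/vnd.android.package-archive", "application/octet-stream"},
    "flash": {"application/x-shockwave-flash"},
    "ole": {"application/msword", "application/vnd.ms-excel", "application/octet-stream"},
    "js": {"application/javascript", "text/javascript", "application/x-javascript"},
}
ANALYZE_KINDS = set(EXPECTED_MIME)     # kinds the policy hands to malware analysis


def _is_pe(body):
    """'MZ' alone is weak; confirm the PE signature at e_lfanew (offset 60)."""
    off = int.from_bytes(body[60:64], "little")
    return body[off:off + 4] == b"PE\x00\x00"


def parse_http_response(raw):
    """Split a raw response into a header dict and the (decoded) body bytes."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        k, _, v = line.decode("latin-1").partition(":")
        headers[k.strip().lower()] = v.strip()
    if headers.get("content-encoding", "").lower() == "gzip":
        body = zlib.decompress(body, 16 + zlib.MAX_WBITS)   # gzip wrapper
    return headers, body


def classify(body, declared_mime="", url_path=""):
    """Content-derived kind first; text-ish kinds fall back to MIME/extension."""
    for sig, kind in MAGIC:
        if body.startswith(sig):
            if kind == "pe" and not _is_pe(body):
                continue
            if kind == "zip":
                if b"META-INF/MANIFEST.MF" in body:
                    return "jar"
                if b"AndroidManifest.xml" in body:
                    return "apk"
            return kind
    if "javascript" in declared_mime or url_path.lower().endswith(".js"):
        return "js"
    return "other"


def extract(raw, url_path=""):
    """Carve one object and return the policy decision for it."""
    headers, body = parse_http_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    kind = classify(body, declared, url_path)
    mismatch = kind in EXPECTED_MIME and declared not in EXPECTED_MIME[kind]
    return {"path": url_path, "kind": kind, "declared_mime": declared,
            "size": len(body), "mismatch": mismatch, "alert": kind in ANALYZE_KINDS}


# Constructed responses (not real captures).
SAMPLE_PE_AS_HTML = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
                     + b"MZ\x90\x00" + b"\x00" * 56 + (64).to_bytes(4, "little")
                     + b"PE\x00\x00" + b"\x00" * 20)
_pdf = b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n%%EOF\n"
SAMPLE_PDF_GZ = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
                 b"Content-Encoding: gzip\r\n\r\n" + gzip.compress(_pdf))
SAMPLE_PNG = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"
              + b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)

if __name__ == "__main__":
    for raw, path in [(SAMPLE_PE_AS_HTML, "/forum/showthread.php"),
                      (SAMPLE_PDF_GZ, "/docs/invoice.pdf"), (SAMPLE_PNG, "/logo.png")]:
        print(extract(raw, path))
```

The useful signal is the combination: a PE or JAR is worth a look on its own, but a PE arriving under `text/html` from a page that was supposed to be a forum thread is the shape of a drive-by payload and deserves the alert-triggered analysis the slide describes.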
What’s in your pingback? When malware phones home, it:
Exfiltrates sensitive data: “beacon” packets, profiling info about the infected PC, geolocation, stolen passwords, extracted email addresses, other documents.
Receives: instructions, links to payloads, a “poison pill” self-deletion command.
Zbot/SpyEye Target List
Partial target list, downloaded by the Trojan. Domains include those of banks that service business customers. Targets vary based on the victim’s location in the world. One mistaken click, by the wrong employee, can bankrupt a corporation.
When malware phones home: some RATs or phishing Trojans don’t bother to hide their activity; others try to obfuscate the data with base64, which is an encoding rather than encryption and decodes trivially once it is spotted.
Revealed, you are, by your weird User-Agent.
Collecting Decrypted SSL Traffic
100% of encrypted traffic decrypted, captured, classified and indexed.
Protects against SSL-encrypted bot traffic or confidential information leakage.
[Diagram: the web browser (SSL client) talks to a transparent SSL proxy, which terminates the client’s session (session 1) and opens its own session to the web servers (SSL servers) across the Internet/WAN (session 2); the decrypted traffic, together with non-SSL traffic, is passed to the Solera DS appliance over a common control/management link and captured there. In partnership with…]
Decrypted SSL Zbot/Cridex Pingback
Every 5 to 60 seconds, the bot sends this SSL-encrypted packet to its CnC server: “I’m still here. Ready for orders.”
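The three phone-home tells on these slides (a User-Agent no browser would send, a POST body that is only base64 around readable key=value text, and a pingback repeating at a near-constant interval in the 5 to 60 second range) can be checked together once the traffic is visible, whether captured in the clear or after the SSL proxy above. The added example below (written for this page, not Solera’s code) runs all three over constructed proxy log lines; the pipe-separated log format, the invented `Updater/1.0` User-Agent, the beacon body, the interval thresholds and the rule that browser agents start with `Mozilla/` or `Opera/` are all assumptions of the example.

```python
"""
Phone-home triage over constructed proxy log lines (added example, not from
the talk).  Three signals are checked together:
  * a User-Agent that no real browser would send,
  * a POST body that is plain base64 wrapped around readable key=value text,
  * requests to one destination repeating at a near-constant 5-60 s interval.
Log format (an assumption for this example, one record per line):
  timestamp|src_ip|method|dst_host|path|user_agent|body
"""
import base64
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample traffic (no real hosts, agents or victims).
SAMPLE_BEACON_BODY = base64.b64encode(b"id=WIN7-PC_1234&os=6.1&ver=2.1").decode()
BOT_UA = "Updater/1.0"                          # invented non-browser agent
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"


def _beacon(ts):
    return f"{ts}|10.0.0.5|POST|203.0.113.77|/gate.php|{BOT_UA}|{SAMPLE_BEACON_BODY}"


SAMPLE_LOG = [
    _beacon("2012-05-15T10:00:00"),
    f"2012-05-15T10:00:03|10.0.0.8|GET|www.example.com|/|{BROWSER_UA}|-",
    f"2012-05-15T10:00:05|10.0.0.8|GET|www.example.com|/news|{BROWSER_UA}|-",
    _beacon("2012-05-15T10:00:29"),
    f"2012-05-15T10:00:47|10.0.0.8|POST|www.example.com|/login|{BROWSER_UA}|user=bob&pw=hunter2",
    _beacon("2012-05-15T10:01:00"),
    _beacon("2012-05-15T10:01:30"),
    _beacon("2012-05-15T10:02:00"),
    _beacon("2012-05-15T10:02:28"),
    _beacon("2012-05-15T10:03:00"),
    f"2012-05-15T10:12:10|10.0.0.8|GET|www.example.com|/about|{BROWSER_UA}|-",
]


def parse_line(line):
    ts, src, method, host, path, ua, body = line.split("|", 6)
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "dst": host, "path": path, "ua": ua, "body": body}


def unusual_user_agent(ua):
    """Assumption: every browser in this environment identifies as Mozilla/ or Opera/."""
    return not ua or not ua.startswith(("Mozilla/", "Opera/"))


def decode_base64_body(body):
    """Return the decoded text if the body is strict base64 over printable text, else None."""
    if not body or body == "-" or len(body) < 8 or len(body) % 4:
        return None
    try:
        text = base64.b64decode(body, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):      # binascii.Error is a ValueError
        return None
    return text if text.isprintable() else None


def find_beacons(records, min_hits=4, lo=5.0, hi=60.0, max_cv=0.2):
    """Flag (src, dst) pairs whose request gaps are regular and inside [lo, hi] seconds."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"].timestamp())
    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        med, cv = statistics.median(gaps), statistics.pstdev(gaps) / mean
        if lo <= med <= hi and cv <= max_cv:      # low CV = machine timing, not a human
            beacons.append({"type": "beacon", "src": src, "dst": dst, "hits": len(times),
                            "median_interval": med, "cv": round(cv, 3)})
    return beacons


def analyze(lines):
    records = [parse_line(line) for line in lines]
    findings, seen_ua = [], set()
    for r in records:
        if unusual_user_agent(r["ua"]) and (r["src"], r["ua"]) not in seen_ua:
            seen_ua.add((r["src"], r["ua"]))
            findings.append({"type": "unusual_user_agent", "src": r["src"],
                             "dst": r["dst"], "ua": r["ua"]})
        decoded = decode_base64_body(r["body"])
        if decoded:
            findings.append({"type": "base64_post", "src": r["src"],
                             "dst": r["dst"], "decoded": decoded})
    findings.extend(find_beacons(records))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

None of the three checks is conclusive alone: legitimate updaters also use odd agents and fixed timers. What makes `10.0.0.5` stand out is that all three fire for the same source and destination, which is the “story behind every attack” the talk keeps returning to, and the decoded body (`id=...&os=...`) is the profiling information the pingback slide describes.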
One last thing: we know where you are, malware guys.

“Invest in preparedness, not in prediction.” — Nassim Taleb, The Black Swan

Thank You
Andrew Brandt
abrandt@soleranetworks.com
blog.soleranetworks.com
http://j.mp/bigdata_auscert
@SoleraBlog
Facebook.com/soleranetworks